Thursday, July 02, 2015

HOWTO : Protect My Home Network With Croissants 2



What is Croissants?

Croissants is an Intrusion Detection and Prevention System built around Suricata. Its other components are Snorby (event manager and web interface), Pigsty (event spooler) and Pulledpork (rules manager).

Suricata is a high performance network IDS, IPS and network security monitoring engine. Croissants runs Suricata on AF_PACKET and its throughput is up to 10Gbps of traffic. AF_PACKET has been a Linux kernel module since version 3.6 and is designed for packet capturing. It is almost plug and play.

AF_PACKET can run on a very low power x86 computer, such as an Intel Avoton C2750 octa-core CPU with 8GB RAM or more. This CPU runs at only 20W. I recommend using at least 8GB RAM for home security purposes. More memory and a faster Intel CPU with more cores are suggested for a home office or larger business.

What Does My Home Network Look Like?

I have a 10Mbps internet connection. I do not run any modem. I have a home router (TP-LINK TL-WR1043 v1.x with stock firmware). I have two home switches (TP-LINK TL-SG1008D, which in general behaves more like a hub than a switch).

I have a Linux web server, a Windows 7 desktop, several Linux boxes and some Mac machines as well as a Time Capsule. I connect these boxes to the home switches. I disabled the wireless function on my home router and use the Time Capsule as the wireless router and as Time Machine for the Mac machines.

I run two IPS boxes on my home network. One IPS is connected between the ISP and the home router. The other IPS is connected between the home router and the home switches. Therefore, I can monitor the traffic outside and inside my home network. I do not trust the internet or the intranet at all.


What Is The Hardware?

I use Asrock Rack C2750D4I motherboard with one more Intel Gigabit Desktop LAN card as my IPS.

Since the Asrock Rack C2750D4I motherboard comes with 2 network interfaces, I need one more Intel Gigabit Desktop network interface on each box for monitoring purposes.

I installed 32GB RAM and a 320GB hard drive on each IPS box.

Internet -- IPS -- router -- IPS -- switch -- PCs and Time Capsule (including web server)

How About The Installation?

I selected Ubuntu 14.04.2 LTS Server as the OS of the IDS/IPS. Since the network interfaces of the Asrock Rack C2750D4I are Intel i210, they are named p119p1 and p121p1 on Ubuntu 14.04, while the Intel Gigabit Desktop network interface is eth0.

Install Ubuntu Server on the Asrock Rack C2750D4I as usual. Make sure you connect the network cable to only one of the network interfaces. I recommend installing OpenSSH when asked. Update and/or upgrade the Ubuntu Server when necessary.

Download Croissants from here. The current version at the time of this writing is version 0.1.2, dated July 01, 2015.

Please follow the instructions on the official site to install. Configure nsm.conf. Make sure to remember the MySQL password as it will be asked for during installation. The username and password of the control panel (Snorby) will also be configured. At the end of the installation, you will be asked for the time zone. Please select UTC. By the way, you may notice some error warnings on the screen during installation. Just ignore them.

After the installation is completed, you can plug in the other network cables. Then reboot the box. One more important thing: you should configure your router for either DHCP or static IP addresses. If you selected DHCP, make sure a reservation exists for the monitor interfaces (that is, the Intel Gigabit Desktop network interfaces). p119p1 and p121p1 do not have any IP address.

If everything is correct, you can access the monitor interface with your browser, for example at http://192.168.20.180. Enter your pre-set username and password to log in. At the top right corner, select "Settings" to configure your time zone. Make sure you enter your password at "Current password (we need your current password to confirm your changes)" and then update the settings.

At this moment, your two boxes are in IDS mode. How do you enable IPS mode?

You may need to change the names of the Intel Gigabit Desktop network interfaces back if they change unexpectedly. You can change the name back to eth0 by editing the following file :

sudo nano /etc/udev/rules.d/70-persistent-net.rules

How To Configure IPS?

Log in to the two boxes via ssh or a terminal. Then edit the following file to configure the DROP rules.

sudo nano /etc/pulledpork/dropsid.conf

I suggest appending the following lines at the end of the file. They will block most unwanted traffic.

# HTTP request header invalid
1:2221013
# HTTP missing host header
1:2221014
# masscan port scanner
1:2017615,1:2017616
# DOS possible ssdp amplification scan
1:2019102
# DoS attacks -- UDP & ICMP Invalid checksum & packet too small
1:2200075,1:2200038,1:2200076,1:2200024
# IP & TCP Invalid checksum
1:2200073,1:2200074
# TCP packet too small
1:2200033
# stream established retransmission packet before last ack
#1:2210021
# stream established packet out of window
#1:2210020
# GPL attack response id check returned root
1:2100498
# COMPROMISED & DROP & CINS Active Threats
pcre:ET\sCOMPROMISED
pcre:ET\sDROP
pcre:ET\sCINS
# MALWARE, TROJAN, WORM, MOBILE_MALWARE, Amplification DoS, DDoS
pcre:ET\sMALWARE
pcre:ET\sTROJAN
pcre:WORM
pcre:ET\sMOBILE_MALWARE
pcre:ET\sSCAN
#pcre:ET\sSHELLCODE
pcre:Amplification
pcre:ET\sDOS
pcre:ET\sEXPLOIT
pcre:ET\sUSER_AGENTS
pcre:ET\sWEB_SERVER
pcre:GPL\sSNMP
#pcre:SURICATA\sSTREAM
pcre:ET\sCURRENT_EVENTS
pcre:ET\sWEB_SPECIFIC_APPS
# Outgoing basic auth base64 http password
1:2006380
# Quantum Insert Attack (by NSA)
# (SURICATA STREAM reassembly overlap with different data - 2210050)
# (LOCAL QI 302 and possible inject - 12345)
# https://github.com/fox-it/quantuminsert/tree/master/detection/suricata
1:2210050,1:12345
# GPL WEB_SERVER 403 Forbidden
1:2101201
# ET POLICY Suspicious inbound to MSSQL port 1433
1:2010935
# ET POLICY Suspicious inbound to mySQL port 3306
1:2010937


*** Please remember that the setting above may enable some rules that were already disabled. If you encounter any false positive alerts, you can disable such rule(s) by editing the following file.

sudo nano /etc/pulledpork/disablesid.conf

For example, append the following at the end of the file.

# TROJAN 1.1.1.1
1:2017000
# DELETED
pcre:ET\sDELETED
# MOBILE_MALWARE Google Android Device HTTP Request
1:2012251
# MALWARE WhenUClick.com Weather App Checkin (2)
1:2000915
# SURICATA STREAM alerts
#pcre:SURICATA\sSTREAM
# SURICATA STREAM
#1:2210000-1:2210049
#1:2210051-1:2210057
# SURICATA STREAM alert when downloading
1:2210021
1:2210020
1:2210029
1:2210045
1:2200074
1:2210038
1:2210044
# ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack
1:2014445
# ET WEB_SERVER WebShell
1:2016683
1:2016992
# ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
1:2009207
1:2009205
1:2009208
# ET TROJAN UPX compressed file download possible malware
1:2001046
# ET TROJAN VMProtect Packed Binary Inbound via HTTP
1:2009080
# ET WEB_SERVER Fake Googlebot UA 1 Inbound
#1:2015526
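As an added example (not part of Croissants or Pulledpork), here is a small Python model of how the dropsid.conf and disablesid.conf entries above act on rule lines: SID entries, comma lists, ranges and pcre: patterns are parsed, dropsid matches are uncommented and switched to drop, disablesid matches are commented out, and a check reports SIDs hit by both files (the two lists above overlap on 1:2200074, and the blanket pcre:ET\sTROJAN drop collides with disabling 1:2017000). The rule lines are constructed, and the order in which the two files are applied is an assumption of this example, not Pulledpork's actual implementation.

```python
import re

# Constructed sample rule lines (made-up messages; SIDs chosen to hit the page's entries).
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"ET SCAN masscan probe"; sid:2017615; rev:1;)',
    'alert udp any any -> any any (msg:"ET DOS SSDP amplification"; sid:2019102; rev:2;)',
    '# alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum"; sid:2200073; rev:1;)',
    'alert tcp any any -> any any (msg:"SURICATA TCP invalid checksum"; sid:2200074; rev:1;)',
    'alert tcp any any -> any any (msg:"ET TROJAN sample CnC checkin"; sid:2017000; rev:3;)',
    'alert tcp any any -> any any (msg:"ET DELETED old rule"; sid:2100001; rev:1;)',
    'alert tcp any any -> any any (msg:"ET POLICY sample"; sid:2010000; rev:1;)',
    'alert tcp any any -> any any (msg:"SURICATA STREAM sample"; gid:1; sid:2210030; rev:1;)',
]

# Excerpts of the two files above, in the same syntax (raw strings keep the \s as written).
DROPSID = r"""
# masscan port scanner
1:2017615,1:2017616
1:2019102
# IP & TCP Invalid checksum
1:2200073,1:2200074
pcre:ET\sTROJAN
pcre:ET\sDOS
"""

DISABLESID = r"""
# TROJAN 1.1.1.1
1:2017000
pcre:ET\sDELETED
1:2200074
#1:2210000-1:2210049
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)")
GID_RE = re.compile(r"\bgid:\s*(\d+)")
ACTION_RE = re.compile(r"^\s*(?:#\s*)?(?:alert|drop|pass|reject|log)\b")

def parse_sid_file(text):
    """Return (set of (gid, sid), [compiled regex]) from dropsid/disablesid syntax:
    'gid:sid', comma lists, 'gid:lo-gid:hi' ranges and 'pcre:PATTERN'; '#' lines ignored."""
    ids, patterns = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            patterns.append(re.compile(line[len("pcre:"):]))
            continue
        for entry in line.split(","):
            entry = entry.strip()
            if "-" in entry:
                lo, hi = entry.split("-", 1)
                gid, lo_sid = (int(x) for x in lo.split(":"))
                _, hi_sid = (int(x) for x in hi.split(":"))
                ids.update((gid, s) for s in range(lo_sid, hi_sid + 1))
            else:
                gid, sid = (int(x) for x in entry.split(":"))
                ids.add((gid, sid))
    return ids, patterns

def rule_id(rule):
    """(gid, sid) of a rule line, gid defaulting to 1; None if no sid is present."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def selected(rule, ids, patterns):
    """True if the rule is hit by an explicit SID entry or by any pcre: pattern."""
    rid = rule_id(rule)
    if rid is not None and rid in ids:
        return True
    return any(p.search(rule) for p in patterns)

def apply_dropsid(rules, dropsid_text):
    """Matched rules are re-enabled (leading '#' removed) and their action becomes drop."""
    ids, patterns = parse_sid_file(dropsid_text)
    return [ACTION_RE.sub("drop", r, count=1) if selected(r, ids, patterns) else r
            for r in rules]

def apply_disablesid(rules, disablesid_text):
    """Matched rules that are still active are commented out."""
    ids, patterns = parse_sid_file(disablesid_text)
    return ["# " + r if selected(r, ids, patterns) and not r.lstrip().startswith("#") else r
            for r in rules]

def build_ruleset(rules, dropsid_text, disablesid_text):
    """Assumed order for this example: drops first, then disables (disable wins)."""
    return apply_disablesid(apply_dropsid(rules, dropsid_text), disablesid_text)

def conflicts(rules, dropsid_text, disablesid_text):
    """SIDs selected by both files; their dropsid entry is dead and worth reviewing."""
    d_ids, d_pat = parse_sid_file(dropsid_text)
    x_ids, x_pat = parse_sid_file(disablesid_text)
    return sorted(rule_id(r) for r in rules
                  if rule_id(r) and selected(r, d_ids, d_pat) and selected(r, x_ids, x_pat))
```

Running conflicts() over your own two files before nsm_rules_update shows which drop entries a later disable silently cancels.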



After that, you can reload the rules with one of the following commands.

sudo nsm_cronjob_rules_update

or

sudo nsm_rules_update

How To Delete All Testing Traffic?

It is very easy to delete all testing traffic if you want to. However, it only deletes the events stored in Snorby and leaves all other settings untouched.

sudo nsm_snorby_db_reinstall

In addition, I also suggest installing an anti-virus program on your Windows boxes to play safe. Meanwhile, you can classify the traffic in Snorby too.

The last thing I should mention is that you are recommended to set up QoS on your router. Otherwise, the bandwidth may be consumed by a single connection.

How About Performance Tuning?

You can follow this guide to tune the IDS/IPS so that it runs more smoothly.

To have a more secure IDS/IPS, you can append the following line to "/etc/fstab".

tmpfs /tmp tmpfs mode=1777,nosuid,nodev,noexec 0 0

Then run the following commands before rebooting. If you encounter any error, do not reboot your boxes or they may not boot up.

sudo mount -a
sudo mount -o remount /


Hope you enjoy your secured home network.

That's all! See you.

Wednesday, June 24, 2015

HOWTO : Use NightHawk More Safely

I developed NightHawk, which allows users to use the Tor network in transparent mode. NightHawk has more advantages than Tor Browser. Not only can you surf the internet via the Tor network with your favourite browser, you can also use any application software to connect to the internet via the Tor network.

However, there are some restrictions on using NightHawk (or even Tor) safely in order to prevent your IP address from being leaked. First of all, you need to prevent DNS leaking by not using your ISP's DNS. Secondly, you are advised not to install Flash in your browser as it has the potential to leak your IP address when you visit a malicious website. Thirdly, make sure you do not use the Google search engine as you may be banned by Google. Fourthly, make sure you disable JavaScript when possible. However, it is not always possible to do so on modern websites, which rely heavily on JavaScript. Lastly, do not download files, and do not reverse connect back to your box via the Tor network.

I thought there were only five restrictions on using the Tor network. When I saw Chloe's research, I realized that there is one more: make sure you do not log in to any website via the Tor network. According to the research, some exit nodes are sniffing traffic, even some exit nodes that have been running for a very long time and have been granted the "Guard" flag in the Tor network.

In my opinion, HTTPS is also not safe for surfing via the Tor network with bad exit nodes. Chloe's project, BADONIONS - Honeypot the Honeypot, can find exit nodes that sniff traffic. I am waiting for the final result of the project and hope Chloe will release the list of bad exit nodes to the public.

That's all! See you.


Monday, June 22, 2015

HOWTO : Flush IP Address From Network Interface On Ubuntu 14.04.2 LTS Server

I am running Croissants - Intrusion Detection and Prevention System on Ubuntu 14.04.2 LTS Server. A recent Ubuntu update broke the networking configuration: interfaces configured without an IP address now fetch one, and even putting the interface in promiscuous mode still fetches an IP address. That drops the performance of Croissants when there is more than one IP address in the same subnet on the same system. After trial and error, the workaround is as follows.

sudo nano /etc/network/flush-ip

#!/bin/sh
# Remove every IPv4 and IPv6 address from the two Croissants monitor interfaces.
ip addr flush dev p2p1
ip addr flush dev p4p1
ip -6 addr flush dev p2p1
ip -6 addr flush dev p4p1


* where p2p1 and p4p1 are the incoming and outgoing interfaces for Croissants

sudo chmod +x /etc/network/flush-ip

Create a cron job to flush the IPv4 and IPv6 addresses every 15 minutes :

sudo crontab -e

Append the following line to the file :

*/5 * * * * /etc/network/flush-ip

To double check the cron job entry :

sudo crontab -l

The interfaces should then look like this: the IPv4 and IPv6 addresses of p2p1 and p4p1 have been deleted.

That's all! See you.

Saturday, June 20, 2015

HOWTO : Fix Device Not Managed on Kali Linux 1.1.0a

When Kali cannot ping the internet after every boot in VirtualBox, or the network interface shows "Device Not Managed", or you cannot connect to a PPTP VPN or similar, you can :

cp /etc/network/interfaces /etc/network/interfaces-original

nano /etc/network/interfaces

Make it look like the following, yes, only the loopback interface :

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback


Then reboot Kali or run the following command :

service networking restart

That's all! See you.

Monday, June 15, 2015

REVIEW : Shield - Intrusion Prevention System for Home Users


What is Shield?

Shield is a very small device that can protect your home and small business network from being attacked by malicious hackers. The attacks include viruses, scams, phishing, website and browser exploits as well as operating system and application exploits. Shield protects your incoming and outgoing traffic. Even if your system or network was compromised before using Shield, malicious hackers cannot control or access your system or network any further once Shield is in place. Shield also protects your system or network from being scanned for vulnerabilities. That is excellent for preventing your system or network from being attacked.

Shield acts as an Intrusion Prevention System (IPS) or a Unified Threat Management System (UTM). When it acts as an IPS, the core engine is Suricata (Intrusion Detection and Prevention System). It is the simplest way to deploy the device and its throughput is more than 1 Gbps. When it acts as a UTM, its core engine is Snort (Intrusion Detection and Prevention System). This mode has many features, such as web content filtering, anti-virus, VPN, QoS, etc. However, the lower throughput is the drawback of UTM mode.

Suricata and Snort use the Emerging Threats Open rules for their operation. The Emerging Threats Open rules include malicious IP addresses, virus signatures, exploit signatures and attack signatures. They also include scanner signatures. According to the Suricata developers, the maximum throughput of Suricata is more than 30 Gbps.

Shield includes a free lifetime subscription to stay up-to-date against the latest threats with automatic essential security updates. There is no limit on the number of users for the device. It is designed for general users with no professional training in information security. It is very easy to set up and use. Plug, Play and Forget!

Business or DIY

There are some UTM or IDS/IPS devices available on the market. Those devices are developed for business and their prices are not reasonable for home or small business users. The cost will be over $1,000-USD. Meanwhile, the power consumption of those devices would be higher than Shield's. Shield uses only between 10W and 15W. Commercial UTM or IDS/IPS devices restrict the number of users and charge an annual subscription for the rules and services.

On the other hand, we can build a UTM with Untangle, or we can build a Suricata- or Snort-based IDS/IPS without paying for the software. However, the hardware would certainly cost more than Shield. For example, this motherboard costs about $399.99-USD. You also need to purchase a hard drive, memory and a computer case. The power consumption of this hardware is between 35W and 80W. Shield would cost around $300-USD only.

Recommended Setup

We suggest plugging Shield between your modem (if any) or Internet Service Provider (ISP) and your router (wired or wireless) in Bridge Mode for excellent performance and protection.

If you do not have a router, or you have a slower internet connection and the speed of the intranet is less than 1 Gbps, Router Mode can be used. The setup for Bridge and Router Modes is very easy and simple. No skill is required, believe me.

IPS (Bridge Mode)

UTM (Router Mode)


Technical Specifications
- 2 x 1.0 GHz MIPS64 CPU
- 1 GB DDR3 RAM
- 4 GB eMMC
- 3 x 1 GB Ethernet
- 1 x RJ45 Serial console port
- 5 x 3.5 x 1 inches
- between 10W and 15W power consumption


Features

Router Mode and Gateway Mode (UTM)
- Snort Engine
- Emerging Threats Rules
- Intrusion Prevention
- Network Anti-Virus
- NAT Firewall
- Content Filtering
- Web Proxying
- Dynamic DNS
- SSLVPN
- Quality of Service
- Graphical Web User Interface
- Realtime Traffic Monitor
- Realtime Connection Monitor
- Advanced and Basic Mode
- Between 50 and 150 Mbps throughput
- Plus More!

Bridge Mode (IPS)
- Suricata Engine
- Emerging Threats Rules
- Intrusion Prevention
- Graphical Web User Interface
- Realtime Traffic Monitor
- Realtime Connection Monitor
- Advanced and Basic Mode
- More than 1 Gbps throughput

Conclusion

Shield is well designed and its performance is no worse than that of other similar devices on the market. However, its price is competitive. It is the first IDS/IPS/UTM for home users and small businesses. As a Shield beta tester and the developer of Croissants, I am fully satisfied with the performance, price, size and power consumption of Shield. It really can be "Plug, Play and Forget!". Recommended!

That's all! See you.

Review in Chinese version

Friday, June 12, 2015

HOWTO : VirtualBox Headless with PHPVirtualBox

VirtualBox is a virtual machine hypervisor that can run on desktops and servers. We can run VirtualBox as a server (headless mode) with PHPVirtualBox as the front end. PHPVirtualBox runs with Apache flawlessly. However, I would like it to run on Hiawatha. No database is required for headless mode.

Part A - Hardware

Motherboard : ASRock Rack C2750D4I server board
CPU : Intel Atom C2750
RAM : 4 x 8GB (32GB) DDR3-1600
Hard Drive : 2 x Western Digital 4TB WD4000F9YZ

The Western Digital 4TB WD4000F9YZ is not certified by ASRock, so it cannot boot from the SATA3 ports. The SATA2 ports are used in this case.

The performance of the C2750 is similar to a Xeon E3-1220L. Please see the comparison page here.

The power consumption of this setup is between 30W to 80W.

Make sure you have enabled "Virtualization" (VT-x) in the BIOS.

Part B - Software

Operating System : Ubuntu Server 14.04.2 LTS
Virtual Machine : VirtualBox 4.3.28
Front End : PHPVirtualBox 4.3-3
Web Server : Hiawatha
RAID : Software RAID 1

Part C - Installation

Part C.1 - Operating System and Software RAID 1 Installation

RAID 1 requires two hard drives for the installation. When you are installing Ubuntu Server 14.04.2 LTS, you are required to do the partitioning. Select "Automatically partitioning" for each drive. The partitions will be (1) 1MB for "biosgrub"; (2) free space for the root directory; and (3) free space for swap.

Then select "Configure Software RAID" to configure the software RAID 1 on the free space for the root directory and the free space for swap. Do not RAID the "biosgrub" partitions. Set the "Free Space for root directory" to be mounted at "/" and used as "Ext4 journaling file system". Set the "Free Space for SWAP" to be used as "SWAP".

Finally, you should select to install "OpenSSH" when asked.

After the installation, your box should boot up as expected. You can check the status of the software RAID 1 with the following commands :

cat /proc/mdstat

mdadm --detail /dev/md0
mdadm --detail /dev/md1


Make sure to change /etc/network/interfaces :

From "auto p119p1" to "allow-hotplug p119p1".

Part C.2 - VirtualBox Installation

After the Ubuntu Server 14.04.2 LTS is installed, you can install VirtualBox on it.

sudo nano /etc/apt/sources.list.d/vbox.list

Append the following line to it :

deb http://download.virtualbox.org/virtualbox/debian trusty contrib

Save it.

wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -

sudo apt-get update
sudo apt-get install dkms unzip
sudo apt-get install virtualbox-4.3


wget http://download.virtualbox.org/virtualbox/4.3.28/Oracle_VM_VirtualBox_Extension_Pack-4.3.28-100309.vbox-extpack

sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.3.28-100309.vbox-extpack

Part C.3 - Hiawatha Web Server Installation

sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache apache2-utils php5-fpm

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

wget http://www.cmake.org/files/v3.2/cmake-3.2.3.tar.gz
tar -xvzf cmake-3.2.3.tar.gz
cd cmake-3.2.3
./configure
make
sudo make install


wget http://www.hiawatha-webserver.org/files/hiawatha-9.13.tar.gz
tar -xzvf hiawatha-9.13.tar.gz
cd hiawatha-9.13/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_9.13_amd64.deb


sudo nano /etc/php5/fpm/php.ini

Make the following changes.

zlib.output_compression = On
zlib.output_compression_level = 6


Append the following to the php-fpm.conf.

sudo nano /etc/php5/fpm/php-fpm.conf

[www]
user = www-data
group = www-data
listen.mode = 0666
listen = /var/run/php5-fpm.sock
pm = static
pm.max_children = 100
chdir = /


sudo nano /etc/hiawatha/hiawatha.conf



sudo mkdir /etc/hiawatha/enable-sites
sudo mkdir /etc/hiawatha/disable-sites


sudo nano /etc/hiawatha/enable-sites/vbox.local



Make sure to change the "Hostname" to your IP address.

Part C.4 - PHPVirtualBox Installation

sudo adduser --ingroup vboxusers vbox

Enter password when prompted.

wget "http://sourceforge.net/projects/phpvirtualbox/files/phpvirtualbox-4.3-3.zip/download" -O phpvirtualbox-4.3-3.zip
sudo unzip phpvirtualbox-4.3-3.zip -d /var/www/
sudo mv /var/www/phpvirtualbox-4.3-3 /var/www/vbox
cd /var/www/vbox
sudo cp config.php-example config.php
sudo nano config.php


Change "$username" to "vbox" and "$password" to the password you just entered.

Change "$consoleHost" to your IP address, such as "192.168.1.120"

Uncomment (remove the "#" in front of) "$enableAdvancedConfig = true;" and "$startStopConfig = true;"

sudo nano /etc/default/virtualbox

Append the following line :

VBOXWEB_USER=vbox

sudo cp /var/www/vbox/vboxinit /etc/init.d/vboxinit
sudo update-rc.d vboxinit defaults


sudo /etc/init.d/vboxweb-service start

Now, you can browse to http://[your-server-ip]/index.html, e.g. http://192.168.1.120/index.html.

Log in with "admin" as username and "admin" as password.

You can copy the ISO files to /home/samiux/iso, for example, with the scp command.

Make sure you have installed "Guest Additions" on all virtual desktop guests. Meanwhile, you need Flash to run the guest VNC console.



If you want to browse to http://[your-server-ip]/ only, you need to do the following :

sudo cp /var/www/vbox/index.html /var/www/vbox/index.php

If the network interface occasionally cannot be detected, you can :

sudo cp /etc/network/interfaces /etc/network/interfaces-original

sudo nano /etc/network/interfaces


Make sure it looks like the following, with only the loopback interface and the primary interface on allow-hotplug :

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug p119p1
iface p119p1 inet dhcp



That's all! See you.

Thursday, May 28, 2015

REVIEW : RouterCheck - Android Apps for Router Security

RouterCheck is an Android security tool for your router. It is very easy to install and use. At the moment it can test for up to 3 router vulnerabilities, such as LinkBleed and Kafeine as well as ShellShock.

This tool cannot fix your problem (if any), but it will advise you how to fix it. Good tool, recommended!



That's all! See you.

Monday, April 27, 2015

Secure Or You Will Lose Your Reputation

Recently, a Hong Kong based company carried out a KickStarter campaign for a coffee machine (Arist). Their goal was $120,000-USD and it was funded over 580% ($845,139-USD). The design of the coffee machine also got an ICT Awards 2015 in Hong Kong.

However, the backers' messages and questions have not been answered since it was funded. Many backers asked for refunds and lost their faith too. The creator of the campaign recently posted that their server had been hacked and sensitive data had been stolen. The creator believed it was done by some of the backers. Meanwhile, some backers created Arist Scam to gather evidence of the "scam". According to the comments on KickStarter, the parent company of Arist is a Windows Phone app development company named nBition Development.

Arist claims to have changed the specifications of the coffee machine after the "hack", according to some of the backers who found "Subject to be Changed" on the web site. This is what the backers are most unsatisfied about.

I wonder whether the creator of the campaign is a scammer or their server was really hacked. I then carried out a quick and dirty check on the server.

First of all, the CEO and founder of Arist, Mr. Benson CHIU, is an ex-staff member of Microsoft (source is in Traditional Chinese). According to the article, Mr. Benson does programming work. His brother Nelson is running a new company after the campaign, namely Kick Start HK.

What have I found so far? The web site of Arist is hosted on a Cloud Server at RackSpace. The web application is running WordPress 4.1.1, Microsoft IIS 8.0 and PHP 5.4.38. The shopping cart application is WooCommerce, a plugin for WordPress. The shopping cart part runs over SSL/TLS. The site is believed to be protected by Cloudflare as I found Cloudflare JavaScript on the site.

So, what's wrong with the web site? We know that WordPress 4.1.1 has vulnerabilities: Same-Origin Method Execution and unauthenticated stored cross-site scripting. There was also a recent SQL injection vulnerability in WooCommerce (dated March 2015). Meanwhile, the most interesting thing is that the site is running a private SSL certificate for the shopping cart part. In addition, the site runs quite slowly and WooCommerce does not accept PayPal. It accepts credit cards only.

After my quick and dirty test on the Arist web site, it is believed that the site may be vulnerable to (1) Same-Origin Method Execution and (2) unauthenticated stored cross-site scripting in WordPress as well as (3) SQL injection in WooCommerce. Those vulnerabilities may lead to data abuse and loss.

Finally, if Arist is not a scammer, their web site may probably have been hacked and suffered sensitive data loss. However, it is still unknown why the design and patent were stolen too. Do they keep those confidential data on a web server? Or can the network of Arist be pivoted to other servers for the "data loss"? Maybe Arist is a scammer?

Anyway, I am not going to comment on why Arist does not respond to their backers' questions and queries. I am not going to comment on whether Arist is a scammer or not. However, I doubt why an IT guy (Mr. Benson CHIU) would overlook this fault. In my opinion, businessmen should not overlook information security or they will lose their reputation very easily.

That's all! See you.

Update on April 28

I found something weird about Arist.

Benson and Nelson run the web sites of their companies, nBition Development and Kick Start HK, on the Tengine web server. However, Arist is running on Microsoft IIS.

Meanwhile, nBition Development and Kick Start HK are protected by a WAF (Akamai Technologies Inc). The web applications of those sites cannot be detected easily. However, Arist is not protected by any WAF although Cloudflare JavaScript is found on the site. The web application can be identified very easily and it is hosted at RackSpace.

I believe that the Kick Start HK web site was built later than Arist's.

My question is: is Arist not as important as nBition Development and Kick Start HK? Or is it really a scam? We need to wait until October this year for the product delivery.


Update on April 28 (Part 2)

The Arist web site has been checked again and the vulnerabilities mentioned above are still there.

I have read almost all the comments by Benson and the Arist team on KickStarter and they are summarized as follows :

- During the campaign, they often answered questions and urged others to become backers.
- They said they would release the video to all Arist backers personally. However, they failed to do so, because of the pending patent. However, they showed the video to the reporters of unwire.hk. Why not the backers?
- They said they would update the backers often, several times, but that failed too.
- They said Arist is in production, but who knows. It is April 2015 now.
- Later, they did not even answer any questions.
- They claimed that their web site had been hacked and confidential data stolen. They suspect it was done by backers.
- They stated that the delivery will be delayed until October 2015. Why not deliver the products batch by batch?

Source from Arist Scam : Is Arist planning to defraud the Hong Kong government?

They posted a "Statement of Clarification" on their web site :

It has come to our attention that there has been posting and circulation of articles with untrue and false information about Arist originated from Hong Kong media groups and individuals since 26 April 2015 (HKT). Given the situation has already led to unnecessary speculation on the capacity and integrity of the Arist Team, we are obliged to clarify as below:

1) Our website and cloud storage account were hacked in mid-April 2015. Being a responsible developer, we have reported the case to the U.S. Police. A notice of such had been posted on our Kickstarter campaign site to notify our backers.

2) We have no plans to delay the planned launch date, which is from October 2015 onwards. As promised, if we cannot ship Arist 3 months after your expected ship date, you will have the option to request a full refund. We stick to this promise with no exceptions.

Despite the recent hacking, and circulation of untrue and biased online messages, we have no intention to stop the work with Arist. As of today, we have more than 25,000+ retail orders to consider as well. We will not stop until we deliver Arist to everyone.

We continue our mission to change the world of coffee. We have come a long way and we are almost there. To those of you who have been with us since the beginning, we thank you most sincerely. We truly appreciate your support, concern and attention.



Update April 28 (Part 3)

Scanomat states that Arist stole their concept and design. He posted the first comment on KickStarter, dated October 24, 2014.

First comment

Here is the answer from Arist, posted on the same day :

Reply by Arist

It seems that all backers missed this comment due to the design of KickStarter.

I have reported this to Arist Scam and they stated that KickStarter had paused the campaign until Arist redesigned the smartphone app, as it looked very similar to Scanomat's. Meanwhile, Benson states in a comment on KickStarter that they are applying for patents all over the world.

However, Scanomat's coffee maker is on the market at the moment and they may have patented it already. Is Benson telling a lie? In addition, Nelson states in the recent unwire.hk interview that they also handle the manufacturing. They are a smartphone application development company. Suspicious!


Update April 29 (Part 4)

Nelson said that Arist was on the market 3 months before the ICT Awards 2015 competition. Startup Beat has a report on this (source is in Traditional Chinese). If the coffee maker is already on the market, why do they need to change the specifications and delay the delivery for the backers? Another lie?

Meanwhile, it is confirmed that they juiced the number of KickStarter backers; please see the Arist Scam article.


Update April 29 (Part 5)

After further checking, the WooCommerce plugin version may be 2.3.7, which is not vulnerable to the aforesaid SQL injection. Therefore, the previously assumed data leak and data loss may not have occurred. The current version of WooCommerce is 2.3.8 at the time of writing. Meanwhile, the web application has not been updated since April 27 even though they claimed they had been hacked. Weird enough.

After reviewing other manual and automatic coffee makers, I suspect that Arist cannot fulfil all the features in such a small footprint machine. The size should be much larger than these designs (version 1 and 2).


Update April 29 (Part 6)

It is very interesting that Benson started to communicate with the backers on KickStarter 4 hours ago (about 1700 hours HKT). He had failed to do so since the end of the campaign. He said he needed to "step in" for the matter. Why? Scared?


Update April 30 (Part 7)

Did Benson steal someone else's concept and idea? If yes, how can he get the patent? It should already be patented. The following video was posted on Jan 16, 2012, when nBition Development may not yet have been formed :




The protocol of the captioned video is here.


Update April 30 (Part 8)

I doubt that the Jura (the so-called Arist Version 1) was shown by Benson to the judges of the ICT Awards 2015 and in the video shown to the reporter of unwire.hk.

The protocol of the Jura is available. It is the reason why Benson and Nelson told the reporter of unwire.hk that the cost of development and manufacturing is not as high as the public expected. It is because they stole others' idea, concept and work. They even wanted to apply for a patent on it as their own work too. It is also the reason why they are unwilling to show the working Arist (Version 1) to the backers or the public.

Meanwhile, they stole others' idea, concept and work to obtain Hong Kong Government funding.

In addition, Arist (Version 2) is an impossible project. The awesome features in such a small footprint device are physically impossible, I think. Where is the water tank? Where are the two bean containers? Where is the milk container? Where is the syrup capsule container? Where is the cocoa powder container? These are the features stated in the Arist project.


Update April 30 (Part 9)

Benson and Nelson also run a cafe at Causeway Bay, Hong Kong, namely Tosavour Cafe (Facebook). I wonder whether they use their Arist (Version 1) in their shop or not.

I also wonder why they need to employ a barista, as Arist can make a wonderful and professional coffee.

Why do I say that? It is because over 1,000 units of the Arist (Version 1) had been sold 3 months prior to the ICT Awards 2015 Competition (Source).

Please note that by Arist (Version 1) I mean the Arist on KickStarter, while Version 2 is the one at the ICT Awards 2015 Competition.


Update May 1 (Part 10)

All of a sudden, Benson "stepped in" to the backers' comments (on April 29, 2015, HKT) and Matthew Lam (later known as Matt Lam, who stated he is a buddy of Benson in the early stage of the KickStarter comments) started to fire at some backers in order to keep them silent on April 30, 2015 (HKT). Interesting .... Interesting .... Very interesting ....


Update May 1 (Part 11)

It really surprises me that the web site of Arist is still not yet updated/upgraded even though they claimed to have been hacked.

The initial quick test on April 27, 2015 may have had some errors. Hereby, I attach the version findings which were conducted today :




Update May 5 (Part 12)

According to PC Market (PCM, Issue 1136 dated May 5, 2015), pages 26 and 27, Nelson told the reporter of PCM that they had sold 1,000 units of Arist Version 1 to baristas all over the world in July 2014. Those units were assembled by hand. Those buyers were required to sign a Non-Disclosure Agreement (NDA). (Please also read Update April 29 (Part 4) and April 30 (Part 9) as well as Arist Scam in conjunction.)

I wonder how many buyers will sign an NDA when they have paid for the product. Meanwhile, Benson and Nelson should have had UL and CE certifications before selling the units, as mentioned by one of the backers, Dan_R, in the KickStarter comments.

In addition, why do Benson and Nelson not deliver the Arist Version 1 to backers when there are only about 2,000 backers on KickStarter? Does the Arist Version 1 not exist?


Update May 8 (Part 13)

According to an anonymous source (I have seen the evidence but I will not post it here in order to protect the contributor), Benson was doing Netduino/Arduino things around July 2014, the time at which he claimed that 1,000 units of Arist Version 1 had been sold to baristas all over the world.

Is he still inventing the machine? If yes, why did he say over 1,000 units of Version 1 had been sold? If no, why can he not show the demo video to backers? Or is he telling a lie? Or did he think too big in the beginning and realize only today that it is a project impossible?


Update May 17 (Part 14)

The owner of Arist Scam, Jake, states that he has been refunded this morning and he can no longer post to KickStarter due to the refund. Meanwhile, another backer, Dax, states that he also got his refund this morning. It is confirmed that Benson dislikes Jake and Dax very much and made them shut up.

It is interesting that Benson has started to post to KickStarter since then. He states that he could not reply to backers these days because he was busy responding to the media about the false reports. For real?

Benson just posted to KickStarter a few minutes ago that he refuses to refund anyone, after someone else asked for a refund after reading Jake's site (link). Benson says that they (Jake and Dax) may be kicked off by KickStarter. Really? Did Jake and Dax do any harm to KickStarter? No! But to you, Benson!!!

Benson fears opening the refund flood gate!


Update May 18 (Part 15)

Benson is arguing with and insulting the backers who have lost their faith in the project.

Benson and Nelson CHIU are starting to issue refunds to everyone who complains about their scam!

After you, backer, receive your refund, please contact info@aristscam.com, so that they can build a community and bring Benson and Nelson to justice.

Meanwhile, the web site of AristCafe has been updated to Wordpress 4.2.1 but it still has a private SSL certificate. In addition, the web site is vulnerable to DoS.

Benson sent 2 emails to Jake (the owner of the Arist Scam web site) threatening Jake to shut down the web site (link). Meanwhile, the proof of refund from Benson is here.

From anonymous source that Hong Kong Identity card numbers and addresses of Benson and Nelson have been obtained. I think they will be published to public very soon.

Benson, Benson, you have a very wrong and dead move!

Facebook Group is online


Update May 19 (Part 16)

Nice article from SCMP on Arist today. The following sentence makes me laugh :

"Chiu demonstrated Arist for the Post using the accompanying iPhone app to produce two espressos after engineers had made a few tweaks to the prototype using screwdrivers and a black and yellow pencil."

Did Benson say that they had already sold over 1,000 units of Arist all over the world to baristas in July 2014? Does every barista who purchased the said Arist need to use screwdrivers and a pencil to tweak the Arist before producing coffee?

Benson and Nelson are scammers for sure in my opinion!

Meanwhile, I have Benson and Nelson's HKID card numbers.

Ah, I forgot to mention that Benson posted the link to the SCMP article on KickStarter to prove something. However, it is suicide, as he overlooked the last sentence of the article.


Update May 21 (Part 17)

More evidence that Benson cheated at the Kickstarter launch is here (read with "Update April 29 (Part 4)"). It is not ethical.


Update May 24 (Part 18)

aristcafe.com is now well protected by Cloudflare and it has a valid SSL certificate now. However, it used a private SSL certificate between August 6, 2014 (domain creation date) and May 21, 2015 (GoDaddy SSL certificate). Benson also claims that the site has taken 25,000 pre-orders. Read with "Update May 1 (Part 11)" and "Update May 18 (Part 15)".

Although aristcafe.com is well protected by Cloudflare, I am sure that it is still vulnerable to DoS attack. It can be taken down within minutes.

AristScam.com new feature - TimeLine.


Update May 27 (Part 19)

Benson released update #17 to his backers in the early morning (May 27, 2015 HKT) and asked them not to release it to the public.

In update #17, Benson stated that his team is still developing the prototype (currently at Phase 4A). He is using all the backers' money to develop a prototype instead of having a working prototype before the KickStarter campaign.

His website (aristcafe.com) has recently been protected by Cloudflare and he has a valid SSL certificate (beginning on May 21, 2015). He showed a graph of his website in update #17 to prove that his website has a lot of visitors. I doubt that that traffic is from the bots of Cloudflare or Google (I am also running a website behind Cloudflare). It only shows the traffic between 0555 and 0655 hours on one day (which day?). Why not between August 6, 2014 and today? Maybe the traffic is from those who want to see what is going on because they have read the media recently?

He also said that the engineers used a "screwdriver" and pencil to turn off the sensor in order to brew the coffee when the cover is removed. I wonder why he needs to take off the cover to brew the coffee. To show the SCMP reporter that the machine is so complicated? Or does it need the cover removed to brew the coffee?

In conclusion, Benson is lying that he shipped 1,000 units of Arist to baristas all over the world. He uses the backers' money to develop the prototype. He has also spent all the backers' money. He cannot prove that he has 25,000 pre-orders. He is still lying in update #17.


Thursday, April 16, 2015

How Secure Are Your Networks And Systems?

Almost all Intrusion Detection and Prevention Systems (IDS/IPS) can be bypassed. No matter whether they are commercial or open source, they can be bypassed by any skilled attacker. I have been running my home-brewed Intrusion Prevention System for over 2 years. It has become mature and I decided to carry out a bypass test against it.

My plan is to conduct Application Layer (Layer 7) exploitation from behind my IPS. Normally, almost all attacks come from outside. However, I am trying to do it from internal to external.

I picked one live web site which is vulnerable to a Wordpress vulnerability. I carried out the exploitation from the internal network and it is not surprising that I could dump the database from the said site. I successfully bypassed the IPS from my internal network. I know that there are different rules for external and internal traffic. At least I know that I can do it from internal, and I think it is not very hard from external.

The following is the database that was dumped from the said site (some characters are masked in order to protect the victim) :



Several years ago, I conducted an exploitation test to see whether the system could log the attack or not. The final result is that it could not. You can watch the video here. Similarly, I also conducted a test to bypass some famous anti-virus programs. The final result is that they can be bypassed very easily. You can watch the video here.

In conclusion, those security measures are just like the lock on the door and the metal gate in front of our houses. They should be there, but they cannot fully protect you from being burgled if an intruder finds a way in. Therefore, we should not fully rely on those security devices and/or programs, nor on log checking. Make sure your networks and systems are in excellent security condition. Remember that your security is only as strong as its weakest point. 99 percent secure is 100 percent insecure. The most dangerous thing is to believe that you are secure.

That's all! See you.

Monday, March 30, 2015

HOWTO : Trouble Shooting for Croissants

There may be a chance that your Croissants is not working. Here is how to troubleshoot it.

Step 1 :

Check whether "suricata", "pigsty" and "snorby" are running (their processes exist) or not. Snorby's background worker runs as a "delayed_job" process, which is why the third command greps for "delayed".

sudo ps aux | grep suricata
sudo ps aux | grep pigsty
sudo ps aux | grep delayed


Step 2 :

If you see no alert in Snorby, check whether the "unified2.alert.*" file is there. Please also note that there should be only one "unified2.alert.*" file.

ls /var/log/suricata

If you find more than one unified2.alert.* file, delete the oldest and keep the current one. Or simply delete them all and then reboot.

Step 2a :

One more place to check when there is no alert is Snorby itself.

Open the browser and point it to Snorby. Under "Administration" -- "Worker & Job Queue", the "Status" should show "OK".





Step 3 :

If you encounter any error, you can try to reboot the sensor (Croissants) to see whether the problem goes away.

Step 4 :

Check suricata.log to see whether there is any error.

nano /var/log/suricata.log
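Steps 1, 2 and 4 above as shell functions, added here as an example that is not part of Croissants: it checks the component processes, counts and prunes the unified2.alert.* files, and counts the <Error> lines in suricata.log. The /var/log/suricata paths are the ones this post names; the demo at the bottom runs on a constructed temporary directory, never on the real sensor.

```shell
#!/bin/sh
# Added example (not part of Croissants): the troubleshooting steps above as
# functions. /var/log/suricata is the directory the post names.

# Step 1: are the component processes there? Snorby's worker is delayed_job.
# Returns 1 if any of them is missing.
check_procs() {
    missing=0
    for name in suricata pigsty delayed_job; do
        if pgrep -f "$name" >/dev/null 2>&1; then
            echo "running  $name"
        else
            echo "MISSING  $name"
            missing=1
        fi
    done
    return $missing
}

# Step 2: number of unified2.alert.* files in a log directory (should be 1).
count_unified2() {
    n=0
    for f in "$1"/unified2.alert.*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Newest unified2.alert.* file name, judged by its numeric (epoch) suffix.
newest_unified2() {
    for f in "$1"/unified2.alert.*; do
        [ -e "$f" ] && basename "$f"
    done | sort -t. -k3,3n | tail -n 1
}

# Delete every unified2.alert.* file except the newest one (the post's advice).
prune_unified2() {
    keep=$(newest_unified2 "$1")
    for f in "$1"/unified2.alert.*; do
        [ -e "$f" ] || continue
        [ "$(basename "$f")" = "$keep" ] || rm -f "$f"
    done
}

# Step 4: count of <Error> lines in suricata.log (0 if the file is absent).
suricata_log_errors() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '<Error>' "$1" || true
}

# Demo on a constructed log directory, not the real /var/log/suricata.
demo=$(mktemp -d)
touch "$demo/unified2.alert.1430000000" "$demo/unified2.alert.1435800000"
printf '%s\n' \
  '2/7/2015 -- 10:00:01 - <Info> - engine started (constructed sample line)' \
  '2/7/2015 -- 10:00:02 - <Error> - [ERRCODE: SC_ERR_EXAMPLE(0)] - constructed sample error' \
  > "$demo/suricata.log"
check_procs || echo "some Croissants components are not running"
echo "unified2 files: $(count_unified2 "$demo") (newest: $(newest_unified2 "$demo"))"
prune_unified2 "$demo"
echo "after pruning: $(count_unified2 "$demo") file(s) left"
echo "errors in suricata.log: $(suricata_log_errors "$demo/suricata.log")"
rm -rf "$demo"
```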

That's all! See you.

Thursday, March 26, 2015

HOWTO : Protect My Home Network With Croissants

*** THE CURRENT VERSION OF CROISSANTS IS 0.1.2 (CROISSANTS-20150701.TAR.GZ) which is released on July 01, 2015 ***


What is Croissants?

Croissants is an Intrusion Detection and Prevention System running on Suricata. The components also include Snorby (Event Manager & Web Interface), Pigsty (Event Spooler) and Pulledpork (Rules Manager).

Suricata is a high performance Network IDS, IPS and Network Security Monitoring Engine. Croissants runs Suricata on AF_PACKET and its throughput is up to 10GB of traffic. AF_PACKET is one of the Linux kernel modules since version 3.6 and it is designed for packet capturing. It is almost plug and play.

AF_PACKET can run on a very low-end x86 computer, such as an Intel ATOM D2550 CPU with 4GB or 8GB RAM. I recommend using at least 8GB RAM for home security purposes. More memory, and a faster Intel CPU with more cores, is suggested for Home Office or larger business use.

What Does My Home Network Look Like?

I have a 10Mbps internet connection. I do not run any modem. I have a home router (TP-LINK TL-WR1043 v1.x with stock firmware). I have two home switches (TP-LINK TL-SG1008D, which behaves more like a hub than a switch in general).

I have a Linux web server, a Windows 7 desktop, several Linux boxes and some Mac machines as well as a Time Capsule. I connect these boxes to the home switches. I disabled the wireless function on my home router and use the Time Capsule as the wireless router and as Time Machine for the Mac machines.

I run two IPS boxes on my home network. One IPS is connected between the ISP and the home router. The other IPS is connected between the home router and the home switches. Therefore, I can monitor the traffic outside and inside my home network. I do not trust the internet or the intranet at all.








What Is The Hardware?

I use the MINIX Mini HD PC as my IPS. You can watch its unboxing on YouTube.

Since the MINIX Mini HD PC comes with 2 network interfaces, I need one more USB Gigabit network interface on each box for monitoring purposes. You can choose either the Level One USB-0401 USB Gigabit Ethernet Adapter or the PCi USB 3.0 Gigabit LAN Adapter UE-1000T-G3, as they are fully compatible with Linux.

I installed 8GB RAM and 4GB RAM on the IPS boxes for experimental purposes. I suggest you install 8GB RAM, as the MINIX Mini HD PC supports up to 8GB RAM even though the official specification does not claim that.

Internet -- IPS -- router -- IPS -- switch -- PCs and Time Capsule (including web server)

For better performance, I suggest you use this motherboard with one more Intel LAN card and at least 8 GB RAM.

How About The Installation?

I selected Ubuntu 14.04.2 LTS Server as the OS of the IDS/IPS. Since the network interfaces of the MINIX Mini HD PC are Broadcom, the names of the interfaces on Ubuntu 14.04 are p2p1 and p4p1, while the USB Gigabit network interface is eth0.

Install Ubuntu Server on the MINIX Mini HD PC as usual. Make sure you only connect the network cable to one of the network interfaces. I recommend you install OpenSSH when asked. Update and/or upgrade the Ubuntu Server when necessary.

Download Croissants from here. The current version at the time of writing is version 0.1.2 dated July 01, 2015.

Please follow the instructions on the official site to install. Configure nsm.conf. Make sure to remember the MySQL password, as it will be asked for during installation. The username and password of the control panel (Snorby) will also be configured. At the end of the installation, you will be asked for the time zone. Please select UTC. By the way, you may notice some error warnings on the screen during installation. Just ignore them.

After the installation is completed, you can plug in the other network cables and the USB network interface. Then reboot the MINIX Mini HD PC(s). One more important thing is that you should configure your router for either DHCP or static IP addresses. If you selected DHCP, make sure the addresses are reserved for the monitor interfaces (that is, the USB Gigabit network interfaces). The p2p1 and p4p1 interfaces do not have any IP address.

If everything is correct, you can access the monitor interfaces with your browser, such as http://192.168.20.180. Enter your pre-set username and password when logging in. At the top right corner, select "Settings" to configure your time zone. Make sure you enter your password at "Current password (we need your current password to confirm your changes)" and then update the settings.

At this moment, your two MINIX Mini HD PCs are in IDS mode. How do you switch them to IPS mode?

How To Configure To IPS?

Log in to the MINIX Mini HD PC via ssh or a terminal. Then run the following command to configure the DROP rules.

sudo nano /etc/pulledpork/dropsid.conf

I suggest appending the following lines at the end of the file. They will block most unwanted traffic.

# HTTP request header invalid
1:2221013
# HTTP missing host header
1:2221014
# masscan port scanner
1:2017615,1:2017616
# DOS possible ssdp amplification scan
1:2019102
# DoS attacks -- UDP & ICMP Invalid checksum & packet too small
1:2200075,1:2200038,1:2200076,1:2200024
# IP & TCP Invalid checksum
1:2200073,1:2200074
# TCP packet too small
1:2200033
# stream established retransmission packet before last ack
#1:2210021
# stream established packet out of window
#1:2210020
# GPL attack response id check returned root
1:2100498
# COMPROMISED & DROP & CINS Active Threats
pcre:ET\sCOMPROMISED
pcre:ET\sDROP
pcre:ET\sCINS
# MALWARE, TROJAN, WORM, MOBILE_MALWARE, Amplification DoS, DDoS
pcre:ET\sMALWARE
pcre:ET\sTROJAN
pcre:WORM
pcre:ET\sMOBILE_MALWARE
pcre:ET\sSCAN
#pcre:ET\sSHELLCODE
pcre:Amplification
pcre:ET\sDOS
pcre:ET\sEXPLOIT
pcre:ET\sUSER_AGENTS
pcre:ET\sWEB_SERVER
pcre:GPL\sSNMP
#pcre:SURICATA\sSTREAM
pcre:ET\sCURRENT_EVENTS
pcre:ET\sWEB_SPECIFIC_APPS
# Outgoing basic auth base64 http password
1:2006380
# Quantum Insert Attack (by NSA)
# (SURICATA STREAM reassembly overlap with different data - 2210050)
# (LOCAL QI 302 and possible inject - 12345)
# https://github.com/fox-it/quantuminsert/tree/master/detection/suricata
1:2210050,1:12345
# GPL WEB_SERVER 403 Forbidden
1:2101201
# ET POLICY Suspicious inbound to MSSQL port 1433
1:2010935
# ET POLICY Suspicious inbound to mySQL port 3306
1:2010937


*** Please remember that the captioned setting may enable some rules that were already disabled. If you encounter any false positive alert, you can disable such rule(s) as follows.

sudo nano /etc/pulledpork/disablesid.conf

Append the following at the end of the file, for example :

# TROJAN 1.1.1.1
1:2017000
# DELETED
pcre:ET\sDELETED
# MOBILE_MALWARE Google Android Device HTTP Request
1:2012251
# MALWARE WhenUClick.com Weather App Checkin (2)
1:2000915
# SURICATA STREAM alerts
#pcre:SURICATA\sSTREAM
# SURICATA STREAM
#1:2210000-1:2210049
#1:2210051-1:2210057
# SURICATA STREAM alert when downloading
1:2210021
1:2210020
1:2210029
1:2210045
1:2200074
1:2210038
1:2210044
# ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack
1:2014445
# ET WEB_SERVER WebShell
1:2016683
1:2016992
# ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
1:2009207
1:2009205
1:2009208
# ET TROJAN UPX compressed file download possible malware
1:2001046
# ET TROJAN VMProtect Packed Binary Inbound via HTTP
1:2009080
# ET WEB_SERVER Fake Googlebot UA 1 Inbound
#1:2015526



After that, you can reload the rules by the following command.

sudo nsm_cronjob_rules_update

or

sudo nsm_rules_update
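Because entries in dropsid.conf can re-enable rules you meant to keep disabled (the warning above), it helps to list the gid:sid values that appear in both files before reloading; on the two lists in this post, 1:2200074 is in both. The following is an added example, not part of Croissants or PulledPork, and the sample files in its demo are constructed excerpts of the two lists above.

```shell
#!/bin/sh
# Added example (not part of Croissants or PulledPork): report gid:sid values
# that are listed in both the drop list and the disable list.
export LC_ALL=C   # stable sort order so that comm sees identically sorted input

# Print every active gid:sid in a PulledPork sid list, one per line, sorted.
# Handles comma-separated entries and gid:sid-gid:sid ranges; comments and
# pcre: lines are skipped.
sid_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
    grep -v '^pcre:' |
    tr ',' '\n' |
    awk -F'[-:]' '
        NF == 2 { printf "%s:%s\n", $1, $2 }
        NF == 4 { for (s = $2; s <= $4; s++) printf "%s:%s\n", $1, s }
    ' | sort -u
}

# Print the active pcre: patterns of a sid list. PulledPork matches these
# against the rule text, so overlaps involving them must be checked by hand.
pcre_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep '^pcre:' | sort -u
}

# gid:sid values present in both files (arguments: dropsid.conf disablesid.conf).
sid_overlap() {
    drop=$(mktemp) && dis=$(mktemp)
    sid_entries "$1" > "$drop"
    sid_entries "$2" > "$dis"
    comm -12 "$drop" "$dis"
    rm -f "$drop" "$dis"
}

# Demo on constructed excerpts of the two lists in this post (temporary files).
demo=$(mktemp -d)
cat > "$demo/dropsid.conf" <<'EOF'
# IP & TCP Invalid checksum
1:2200073,1:2200074
# stream established retransmission packet before last ack
#1:2210021
pcre:ET\sDROP
EOF
cat > "$demo/disablesid.conf" <<'EOF'
# SURICATA STREAM alert when downloading
1:2210021
1:2200074
#1:2210000-1:2210049
EOF
echo "gid:sid listed in both dropsid.conf and disablesid.conf:"
sid_overlap "$demo/dropsid.conf" "$demo/disablesid.conf"    # prints 1:2200074
echo "pcre patterns in dropsid.conf to check against the rule msgs by hand:"
pcre_entries "$demo/dropsid.conf"
rm -rf "$demo"
```

Run it on the real files with `sid_overlap /etc/pulledpork/dropsid.conf /etc/pulledpork/disablesid.conf` and decide, for each SID reported, which of the two files should keep it.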

How To Delete All Testing Traffic?

It is very easy to delete all testing traffic if you want to. However, it only deletes the events in Snorby and leaves all other settings untouched.

sudo nsm_snorby_db_reinstall

In addition, I also suggest you install an anti-virus program on your Windows boxes to play safe. Meanwhile, you can classify the traffic in Snorby too.

The last thing I should tell you is that you are recommended to set up QoS on your router. Otherwise, the bandwidth will be consumed by one of the connections.

How About Performance Tuning?

You can follow this guide to tune the IDS/IPS to make it running more smoothly.

To have a more secure IDS/IPS, you can append the following line to "/etc/fstab".

tmpfs /tmp tmpfs mode=1777,nosuid,nodev,noexec 0 0

Then run the following commands before rebooting. If you encounter any error, please do not reboot your boxes or you may not be able to boot them up.

sudo mount -a
sudo mount -o remount /


Hope you enjoy your secure home network.

That's all! See you.

HOWTO : ArpON on Kali Linux 1.1.0

ArpON (ARP handler inspection) is a portable handler daemon that makes the ARP protocol secure in order to avoid Man In The Middle (MITM) attacks through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing (APR). It also blocks the attacks derived from them, such as Sniffing, Hijacking, Injection and Filtering, and the more complex attacks built on those, such as DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking.

Step 1 :

apt-get update
apt-get install arpon


Step 2 :

nano /etc/default/arpon

Uncomment the DARPI (DAEMON_OPTS) and RUN lines so that they look like :

DAEMON_OPTS="-q -f /var/log/arpon/arpon.log -g -d"
RUN="yes"


Step 3 :

Add the following line before the "exit 0" at /etc/rc.local :

/etc/init.d/arpon start

Reboot your Kali Linux.

REFERENCE

ArpON - ARP Handler Inspection
Protect yourself from ARP spoofing

That's all! See you.

Wednesday, March 11, 2015

HOWTO : Clean Memory on Kali Linux 1.1.0

You may have tuned the performance of your Kali Linux by this method. That method uses as little SWAP as possible, so all the caches stay in memory.
Those caches can be dropped when they are no longer in use by the following method. It drops the unused caches every 15 minutes :


echo '#!/bin/sh' > /usr/bin/kali_drop_caches
echo "sync && echo 3 | tee /proc/sys/vm/drop_caches" >> /usr/bin/kali_drop_caches
chmod +x /usr/bin/kali_drop_caches


(crontab -l ; echo "*/15 * * * * /usr/bin/kali_drop_caches") | crontab -

That's all! See you.

Tuesday, March 10, 2015

HOWTO : Apparmor with Iceweasel on Kali Linux 1.1.0

It is not effective to use the "NoScript" add-on on Iceweasel, as almost all web pages use JavaScript. However, you still need "NoScript" for XSS protection on Iceweasel. You just need to allow scripts globally and the XSS protection will still be in force. To protect your browser from being compromised, an alternative is to implement AppArmor. AppArmor for Iceweasel can be used in penetration testing and daily use.

apt-get install apparmor apparmor-docs apparmor-notify apparmor-profiles apparmor-utils dh-apparmor python-libapparmor

Edit /etc/default/grub to make AppArmor active after boot.

nano /etc/default/grub

Locate the following string :

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

and make it look like :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"

Then run the following command :

update-grub

After that, create a file named usr.lib.iceweasel.iceweasel in /etc/apparmor.d/ :

nano /etc/apparmor.d/usr.lib.iceweasel.iceweasel

Copy the following content to the file and save it.



Then change the mode of the Iceweasel AppArmor profile to enforce with the following command :

aa-enforce /etc/apparmor.d/usr.lib.iceweasel.iceweasel

To update the AppArmor rules, just run the following command; it will ask some questions. Most likely, you just need to answer "Allow".

aa-logprof

Iceweasel Add-ons

You may need to install the "FoxyProxy" add-on for Iceweasel.

apt-get install xul-ext-foxyproxy-standard

You can install any available add-on by searching the package database :

apt-cache search xul-ext

That's all! See you.

Thursday, February 26, 2015

Chameleon - Website IP Address Seeker (CDN Unhidden)


What is CDN?

A content delivery network or content distribution network (CDN) is a large distributed system of servers deployed in multiple data centers across the Internet. The goal of a CDN is to serve content to end-users with high availability and high performance. CDNs serve a large fraction of the Internet content today, including web objects (text, graphics and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social networks.

Content providers such as media companies and e-commerce vendors pay CDN operators to deliver their content to their audience of end-users. In turn, a CDN pays ISPs, carriers, and network operators for hosting its servers in their data centers. Besides better performance and availability, CDNs also offload the traffic served directly from the content provider's origin infrastructure, resulting in possible cost savings for the content provider. In addition, CDNs provide the content provider a degree of protection from DoS attacks by using their large distributed server infrastructure to absorb the attack traffic. While most early CDNs served content using dedicated servers owned and operated by the CDN, there is a recent trend to use a hybrid model that uses P2P technology. In the hybrid model, content is served using both dedicated servers and other peer-user-owned computers as applicable.

*** Quote from Wikipedia

When the websites are using CDN, such as Cloudflare, their IP addresses may be hidden. However, those IP addresses can be retrieved by the following methods :

(We take Cloudflare as an example)
(1) CloudFlare-Watch
(2) Netcraft.net
(3) Fierce Domain Scan
(4) NoCloudAllowed by Allison Nixon
(5) Chameleon (this article)

Introduction

Chameleon is an Open Source project by Samiux under GPLv3. Chameleon is developed based on NoCloudAllowed.

Like NoCloudAllowed (a Perl script), Chameleon (a Python script) assumes that the target website is within a given IP address range or ranges. The IP address ranges of a certain country can be obtained via IP2Location. Once you get the CIDR list of the country, you need to expand it into a list of IP addresses.

For the comparison, you need a *unique* string from the target site. Once the string is found, the finding will be recorded in a file for further processing.

For extracting the IP addresses from the CIDR list obtained from IP2Location, I use prips. prips is not installed on Kali Linux by default.

Chameleon is well tested on Kali Linux 1.1.0 and Ubuntu 14.04 LTS.

Limitation

If the IP address and/or the domain does not point to the web root directory, Chameleon cannot find the site as expected. Do NOT set "--thread" too large, as it will consume all your RAM.






Download

wget http://www.infosec-ninjas.com/files/chameleon-0.0.3.tar.gz

tar -xvzf chameleon-0.0.3.tar.gz

sha1sum : dab2486c72d2745075d06698be0f693254dae0da    chameleon-0.0.3.tar.gz

Please note that version 0.0.4 is released!

Changelog

FEB 22, 2015 - Version 0.0.1 (sha1sum : c2a7af574e0132ab19a8597ded97c13b5f94dece    chameleon-0.0.1.tar.gz)
[+] First release

FEB 25, 2015 - Version 0.0.2 (sha1sum : 8714d5a8ef8566ff6d36adbbbbfaee65bff8a728    chameleon-0.0.2.tar.gz)
[+] Add input file for the ip address comparison
[+] Add timeout option
[-] Drop the single ip address for comparison

FEB 26, 2015 - Version 0.0.3 (sha1sum : dab2486c72d2745075d06698be0f693254dae0da    chameleon-0.0.3.tar.gz)
[+] Add exceptional error handling
[+] Add threading option
[+] Add output file option
[+] Add batch of IP address per thread option
 

Usage

Usage: chameleon.py [options]

Options:
  -h, --help            show this help message and exit
  -s SEARCHSTRING, --string=SEARCHSTRING
                        specify the unique string to search
  -f INFILE, --file=INFILE
                        input file contains ip addresses for comparison
  -p PROTO, --proto=PROTO
                        protocol to use, http or https
  -o TIMEOUT, --timeout=TIMEOUT
                        timeout, default 2 seconds
  -t NUMTHREAD, --thread=NUMTHREAD
                        number of threading, default is 1
  -w OUTFILE, --write=OUTFILE
                        output file for findings, default is find.txt
  -b BATCH, --batch=BATCH
                        batch of IP address per thread, default is 1

Example : python chameleon.py -s github -f ip-addresses.txt -p https -b 10 -t 1000 -w github.txt -o 3


Original link

That's all! See you.

Thursday, February 12, 2015

HOWTO : OTR with Pidgin on Kali Linux 1.1.0

Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations. OTR uses a combination of AES symmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bits group size, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides forward secrecy and malleable encryption.

The primary motivation behind the protocol was providing deniable authentication for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing.


apt-get install pidgin pidgin-otr pidgin-plugin-pack

That's all! See you.

HOWTO : nVidia CUDA with Kali Linux 1.1.0

Hardware

CPU : Intel i7-3930K
RAM : 32GB DDR3
Hard Drive : 3TB
Display Card : Two nVidia GeForce GTX 590

Install Kali

Install Kali Linux 1.1.0 on the box as usual. Make sure "secure boot" is disabled in your BIOS before installing. After that, update Kali accordingly.

apt-get update
apt-get dist-upgrade


Install nVidia Driver

apt-get install -y linux-headers-$(uname -r)
apt-get install nvidia-kernel-dkms nvidia-driver nvidia-cuda-toolkit nvidia-xconfig

nvidia-xconfig

sed 's/quiet/quiet nouveau.modeset=0/g' -i /etc/default/grub
update-grub
reboot


Please note that Kali officially does not recommend compiling applications yourself, as they think it may damage Kali.

Install cudaHashcat

mkdir hacking
cd hacking

wget http://hashcat.net/files-legacy/cudaHashcat-1.31.7z

7za x cudaHashcat-1.31.7z


(Please note that the current version 1.32 is not compatible with Kali 1.1.0's nVidia driver 340.x.)

Test the cudaHashcat

cd /root/hacking/cudaHashcat-1.31/
./cudaExample0.sh

cd /root/hacking/cudaHashcat-1.31/
./cudaExample400.sh

cd /root/hacking/cudaHashcat-1.31/
./cudaExample500.sh


Install John the Ripper

apt-get install libssl-dev

cd hacking

wget http://www.openwall.com/john/g/john-1.8.0-jumbo-1.tar.gz
tar -xvzf john-1.8.0-jumbo-1.tar.gz
cd john-1.8.0-jumbo-1/src

./configure
make
make


** If your hashes or passwords are longer than 8 characters, you need to change the following before compiling John.

cd john-1.8.0-jumbo-1/src
nano params.h


Then change the "8" in the following line to "18" or "20", etc.

#define CHARSET_LENGTH 8

Test the John the Ripper

cd /root/hacking/john-1.8.0-jumbo-1/run

./john --device=0,1,2,3 --format=sha512crypt-cuda /etc/shadow


* Since I have 4 GPUs, --device lists 4 devices.

*** When you have changed CHARSET_LENGTH, you need to generate a new charset. Do it only once.

wget http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
bunzip2 -d rockyou.txt.bz2
cp rockyou.txt /root/hacking/john-1.8.0-jumbo-1/run

cd /root/hacking/john-1.8.0-jumbo-1/run

sed 's/^/:/' rockyou.txt > rockyou.pot

mv all.chr all.chr-original
mv alnum.chr alnum.chr-original
mv alpha.chr alpha.chr-original
mv digits.chr digits.chr-original
mv lanman.chr lanman.chr-original

./john --pot=rockyou.pot --make-charset=all.chr
./john --pot=rockyou.pot --make-charset=alnum.chr --external=filter_alnum
./john --pot=rockyou.pot --make-charset=alpha.chr --external=filter_alpha
./john --pot=rockyou.pot --make-charset=digits.chr --external=filter_digits
./john --pot=rockyou.pot --make-charset=lanman.chr --external=filter_lanman


Then your cracking command will be :

./john --pot=rockyou.pot --device=0,1,2,3 --format=sha512crypt-cuda /etc/shadow

Install and Test Cryptohaze

cd hacking
wget http://sourceforge.net/projects/cryptohaze/files/Cryptohaze-Linux_x64_1_31a.tar.bz2/download -O Cryptohaze-Linux_x64_1_31a.tar.bz2

tar xjvf Cryptohaze-Linux_x64_1_31a.tar.bz2

cd /root/hacking/Cryptohaze-Linux
./Cryptohaze-Multiforcer -h NTLM -c charsets/charsetall -f test_hashes/Hashes-NTLM-Full.txt


That's all! See you.

HOWTO : Kali Linux 1.1.0 on Optimus Laptop

Step 1 :

apt-get install linux-headers-$(uname -r)
apt-get install nvidia-kernel-dkms nvidia-cuda-toolkit nvidia-driver


After that, reboot your Kali. Then, we need to install bumblebee.

Step 2 :

apt-get install bumblebee-nvidia primus

If you need to support i386 architecture 3D software in 64-bit Kali, you may need to install the following :

dpkg --add-architecture i386
apt-get update
apt-get install bumblebee-nvidia primus primus-libs:i386


Step 3 :

Now add your user (e.g. root) to the bumblebee group.

adduser $USER bumblebee

Step 4 :

To run your application with the discrete nVidia card :

optirun iceweasel

If optirun displays the following error :

[ERROR]Cannot access secondary GPU - error: Could not load GPU driver

you need to fix the driver name in the bumblebee configuration with the following command:

sed 's/KernelDriver=nvidia/KernelDriver=nvidia-current/g' -i /etc/bumblebee/bumblebee.conf

The following are optional :

If you want to run glxgears with the discrete nVidia card, you need to install VirtualGL:

32-bit Kali Linux -
wget http://sourceforge.net/projects/virtualgl/files/2.3.90%20%282.4beta1%29/virtualgl_2.3.90_i386.deb/download -O virtualgl_2.3.90_i386.deb

64-bit Kali Linux -
wget http://sourceforge.net/projects/virtualgl/files/2.3.90%20%282.4beta1%29/virtualgl_2.3.90_amd64.deb/download -O virtualgl_2.3.90_amd64.deb

dpkg -i virtualgl_2.3.90_i386.deb

or

dpkg -i virtualgl_2.3.90_amd64.deb

Then run :

optirun glxgears -info

or

optirun glxgears

The following are CUDA applications :

Please note that the Kali team does not recommend compiling applications yourself on Kali, as they consider that it may break the system.

The next steps are to install cudaHashcat, john, Cryptohaze and pyrit.

(1) cudaHashcat installation

Grab the source code and extract it. The current version is 1.31 at this writing.

wget http://hashcat.net/files-legacy/cudaHashcat-1.31.7z
7za x cudaHashcat-1.31.7z


(Please note that the current version of cudaHashcat, 1.32, is not compatible with Kali 1.1.0's nVidia 340.x driver.)

Then run the sample scripts to test cudaHashcat with the following commands.

cd cudaHashcat-1.31
optirun ./cudaExample0.sh
optirun ./cudaExample400.sh
optirun ./cudaExample500.sh


The first time you run cudaHashcat, you will be prompted to accept the license; answer "YES" to continue.

(2) John the Ripper Installation

Install the required package before going further.

apt-get install libssl-dev

Grab the current version of john (the current version at this writing is 1.8.0-jumbo-1) and compile it.

wget http://www.openwall.com/john/j/john-1.8.0-jumbo-1.tar.gz
tar -xvzf john-1.8.0-jumbo-1.tar.gz
cd john-1.8.0-jumbo-1/src
./configure
make clean
make


To run john, you can execute the following command.

cd ../run
optirun ./john --format=sha512crypt-cuda /etc/shadow


Please note that the above command will produce no result when the password is longer than 8 characters, which is John's default maximum. If required, you can change this in "params.h"; however, that is out of the scope of this guide.

(3) Cryptohaze Installation

Grab the current version of Cryptohaze (the current version is 1.31a at this writing).

wget http://sourceforge.net/projects/cryptohaze/files/Cryptohaze-Linux_x64_1_31a.tar.bz2/download -O Cryptohaze-Linux_x64_1_31a.tar.bz2
tar xjvf Cryptohaze-Linux_x64_1_31a.tar.bz2
cd Cryptohaze-Linux


To perform the sample run, you can execute the following command.

optirun ./Cryptohaze-Multiforcer -h NTLM -c charsets/charsetall -f test_hashes/Hashes-NTLM-Full.txt

(4) pyrit Installation

The first step is to install the required packages.

apt-get install libssl-dev libpcap0.8-dev python-dev

Grab the current version of pyrit. Note, however, that pyrit has not been updated for a long time.

svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit

Compile it with the following commands.

cd pyrit/pyrit
python setup.py build
python setup.py install

cd ../cpyrit_cuda
python setup.py build
python setup.py install


To test it, you can execute the following commands.

optirun pyrit list_cores
optirun pyrit benchmark


That's all! See you.

HOWTO : Performance Tuning on Kali Linux 1.1.0

Kali Linux 1.1.0 was released recently. It is much faster than before, but we can tune it for better performance too. Here we go!

Step 1 :

nano /etc/sysctl.conf

Append the following to the sysctl.conf :



sysctl -p

Step 2 :

nano /etc/rc.local

Insert the following before "exit 0" :

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 256 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler


If your device is not sda, please change it accordingly.

Step 3 :

This step is dangerous. Make sure you do NOT make any typing error; otherwise, your Kali will not boot.

nano /etc/fstab

Locate "ext4" and add the following before "errors=remount-ro" :

noatime,nodiratime,norelatime

If you are using LVM, it will look like :

/dev/mapper/kali-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

After that, run :

mount -a
mount -o remount /


If there is no error message, reboot. If there is an error message, double-check for typing errors.
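
A safer way to make this change is to produce the edited fstab as a copy, check its syntax, and diff it against the original before installing it. The script below is an added example, not part of the original post: the function names (add_ext4_opts, fstab_check, sample_fstab) are my own, and the fstab content it runs on is constructed rather than taken from any real machine. It prepends the three options to every ext4 entry that does not already have them (so running it twice is harmless), refuses entries that do not have the six fstab fields, and needs only awk.

```shell
#!/bin/sh
# Added example (not from the original post): edit fstab as a copy and check it.
# Function names are the example's own; the sample fstab below is constructed.

# add_ext4_opts [file]: print the fstab with noatime,nodiratime,norelatime
# inserted at the front of the options field of every ext4 entry. Options
# already present are not duplicated, so the transform is idempotent.
# Reads stdin when no file is given.
add_ext4_opts() {
    awk '
    # Comments and blank lines pass through untouched.
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }
    # Fields: device  mountpoint  fstype  options  dump  pass
    $3 == "ext4" {
        opts = $4
        prefix = ""
        n = split("noatime,nodiratime,norelatime", want, ",")
        for (i = 1; i <= n; i++)
            if (index("," opts ",", "," want[i] ",") == 0)
                prefix = prefix want[i] ","
        $4 = prefix opts        # reassigning a field rebuilds the line
        print
        next
    }
    { print }
    ' "$@"
}

# fstab_check [file]: exit non-zero (and name the line) if any non-comment
# entry lacks the six fields or has non-numeric dump/pass columns. These are
# exactly the typos that leave the system unable to boot.
fstab_check() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    NF != 6 || $5 !~ /^[0-9]+$/ || $6 !~ /^[0-9]+$/ {
        printf "fstab_check: bad entry on line %d: %s\n", NR, $0 > "/dev/stderr"
        bad = 1
    }
    END { exit bad }
    ' "$@"
}

# Constructed sample fstab for demonstration (not from a real machine).
sample_fstab() {
    cat <<'EOF'
# /etc/fstab: static file system information.
/dev/mapper/kali-root /               ext4    errors=remount-ro 0       1
/dev/sda1             /boot           ext2    defaults          0       2
/dev/mapper/kali-swap none            swap    sw                0       0
EOF
}

# Demonstration run on the constructed sample.
sample_fstab | add_ext4_opts | fstab_check && echo "sample fstab passes the check"
sample_fstab | add_ext4_opts

# On a real system, work on a copy and inspect the diff first:
#   add_ext4_opts /etc/fstab > /tmp/fstab.new
#   fstab_check /tmp/fstab.new && diff /etc/fstab /tmp/fstab.new
# and only then copy /tmp/fstab.new over /etc/fstab and run mount -a.
```

The ext4 line of the sample comes out as exactly the LVM example shown above, while the ext2 and swap entries are left alone.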

That's all! See you.

Wednesday, February 11, 2015

HOWTO : Minor fix on Kali Linux 1.1.0

Kali Linux 1.1.0 was released recently. Some bugs have been fixed and performance is much improved.

However, you may find that you need to set the volume of the sound device every time you boot up. You can solve this as follows:

apt-get install alsa-base alsa-utils

amixer sset Master unmute

Then adjust the volume when necessary.

Secondly, when your hard drive or SSD is fully encrypted, your GRUB screen is plain blue. You can get the Kali GRUB splash screen back as follows:

If you are using BIOS -

apt-get --purge remove grub-pc
apt-get install grub-pc


* Select /dev/sda as the GRUB install device if you have only one hard drive or SSD.

If you are using UEFI -

apt-get --purge remove grub-efi
apt-get install grub-efi


The GRUB screen now shows the Kali splash screen again.

Thirdly, OpenJDK 6 and 7 are both installed in Kali Linux 1.1.0, but only OpenJDK 6 (1.6.x) is enabled. If your application requires OpenJDK 7 (1.7.x), you need to enable it. To do so, run:

update-alternatives --config java

Then select OpenJDK 7 (option 2 in my case).

Fourthly, Transmission has been dropped in this version; you need to install it yourself.

apt-get install transmission-gtk

Known Issue

If you are running Kali in a virtual machine, such as VirtualBox or VMware, with the guest network interface in NAT and/or bridged mode, you may have no internet access on every boot-up. Issue the following command to obtain an address and regain internet access:

dhclient

That's all! See you.