Tuesday, August 19, 2014

HOWTO : SQLMap for Cloudflare protected sites

When you suspect your target site is vulnerable to SQLi and find out that it is protected by Cloudflare, you can still launch SQLMap against the target.

First of all, you need to make sure the target site is protected by Cloudflare; you can add "--identify-waf" or "--check-waf" to confirm. However, do not set "--threads=" larger than 1, as the target will give you a "403 Forbidden" error. Once you get the 403 error, your IP address is banned. Therefore, you need to consider using proxy servers or Tor to access the target.

Secondly, if the target is confirmed to be protected by Cloudflare, you need to add "--tamper='between,randomcase,space2comment'" and "-v 3". You may also consider adding "--random-agent" and "--tor" when necessary.

Finally, do not use the SQLMap scripts provided by Kali Linux, as that package has no "WAF" scripts pre-installed. You are better off downloading the latest version of SQLMap from the official site.

git clone https://github.com/sqlmapproject/sqlmap.git

This hint can also be applied to other WAFs, IDSs and IPSs, such as mod_security or other Cloudflare-like service providers.

For example :

python sqlmap.py -u "https://www.cloudflare.com/" --identify-waf --tamper="between,randomcase,space2comment" -v 3 --random-agent --tor
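From the defender's side, the three tampers named above only defeat signatures that match the raw parameter literally; a check that normalises the value first still sees the probe. The following is an added example, not code from the original post; the sample parameter values are constructed and the pattern list is illustrative.

```python
import re

# Constructed sample parameter values: the first three are what the between,
# randomcase and space2comment tampers do to one probe; the last one is benign.
SAMPLES = {
    "plain": "1 AND 1=1",
    "randomcase": "1 aNd 1=1",
    "space2comment": "1/**/AND/**/1=1",
    "between": "1 AND 1 BETWEEN 1 AND 1",
    "benign": "42",
}

# Patterns applied to the normalised (lower-case, comment-free) value.
SQLI_PATTERNS = [re.compile(p) for p in (
    r"\b(and|or)\b\s+\S+\s*(=|\bbetween\b)",
    r"\bunion\b\s+(all\s+)?select\b",
    r"\b(sleep|benchmark)\s*\(",
)]

def normalize(value):
    """Undo the tampers before matching: fold case, strip /* */ comments, squash whitespace."""
    v = value.lower()
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)   # space2comment hides spaces in comments
    return re.sub(r"\s+", " ", v).strip()           # collapse what is left

def naive_match(value):
    """A literal, case-sensitive signature: exactly what these tampers are built to dodge."""
    return " AND " in value and "=" in value

def normalized_match(value):
    """Same intent, but matched after normalisation, so the tampers no longer help."""
    v = normalize(value)
    return any(p.search(v) for p in SQLI_PATTERNS)

def compare(samples):
    """{name: (naive_hit, normalized_hit)} for each sample, to show the gap."""
    return {k: (naive_match(v), normalized_match(v)) for k, v in samples.items()}
```

Running compare(SAMPLES) shows the naive signature catching only the plain probe while the normalised check catches all four tampered forms and leaves the benign value alone.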

That's all! See you.

Friday, July 18, 2014

Defend your Network and Servers

Intruders conduct reconnaissance on your network and servers before performing an attack. After that, they perform the attack based on the information in hand.

In my opinion, the best way to defend your network and servers from being attacked is to interfere with the intruders' reconnaissance. When intruders cannot get any valuable information, they cannot perform the attack properly.

Most intruders use automated tools, such as vulnerability scanners, to perform reconnaissance and seldom do it manually, as that is harder for them, especially for web applications. However, a small portion of advanced intruders may do it manually.

Hiawatha, a secure and advanced web server, can be configured to block vulnerability scanners from scanning the web server. Since the vulnerability scanners then do not work properly, intruders cannot get any valuable information on the web server with which to launch an attack.

Suricata, a high-performance network IDS, IPS and network security monitoring engine, used with Emerging Threats rules, can be configured to drop the packets of vulnerability scanners.

Web Application Firewalls (WAF) and Intrusion Detection/Prevention Systems (IDS/IPS), as well as firewalls, can be bypassed by some advanced intruders. Therefore, blocking vulnerability scanners is one good way to defend your network and servers from being attacked.

That's all! See you.

Thursday, July 03, 2014

HOWTO : ECS LIVA Mini PC Kit on Ubuntu 14.04 LTS

The ECS LIVA Mini PC Kit is the smallest x86 PC in the world so far. The BIOS is UEFI, so besides Windows 8.1 only Ubuntu can be installed on it. I chose to install with LVM.

You may need a powered USB hub to connect the keyboard and mouse as well as the installation device (such as a USB DVD-ROM or USB pendrive). Since it comes with a 32GB/64GB eMMC (SSD drive), you may need to connect an external hard drive for more storage.

The maximum power consumption is about 12W under Ubuntu 14.04 LTS.

The sound and network devices work out of the box. However, the wireless and Bluetooth devices do not work properly even if you download the wireless driver from the official site (it is still beta at the moment).

After some trial and error, I finally got the wireless device working. However, the Bluetooth device does not work at the moment.

How did I get the wireless device working? Here you are :

Step 1 :

Write down the MAC address of the wireless card.

Step 2 :

Download the beta driver from the official site. Extract it and go to ~/Downloads/Ubuntu/WLAN.

Rename "brcmfmac-sdio.txt" to "brcmfmac43241b4-sdio.txt".

mv brcmfmac-sdio.txt brcmfmac43241b4-sdio.txt

Change the "macaddr" in brcmfmac43241b4-sdio.txt to the MAC address you wrote down.

e.g. macaddr=24:0a:64:4c:43:34

Step 3 :

Move the /lib/firmware/brcm directory to another place.

sudo mv /lib/firmware/brcm ~/Downloads/

Step 4 :

Install git package.

sudo apt-get install git

Download the wireless firmware.

cd ~/Downloads
git clone git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git


After that, copy ~/Downloads/linux-firmware/brcm to /lib/firmware/.

sudo cp -R ~/Downloads/linux-firmware/brcm /lib/firmware/

Copy the brcmfmac43241b4-sdio.txt to /lib/firmware/brcm/.

sudo cp ~/Downloads/Ubuntu/WLAN/brcmfmac43241b4-sdio.txt /lib/firmware/brcm/

Step 5 :

Comment out the blacklist entry.

sudo nano /etc/modprobe.d/blacklist.conf

Locate "blacklist bcm43xx" and change it to "#blacklist bcm43xx".

Step 6 :

Reboot the box.

However, the wifi signal is not very strong.

Remarks

You may want to make some changes on the box with the following packages :

sudo apt-get install libavcodec-extra
sudo apt-get install indicator-cpufreq


To increase performance, avoid using swap.

sudo nano /etc/rc.local

Insert the following before "exit 0" :

sysctl -w vm.swappiness=0

Then, reboot your box.

For video playback, you need to install the following packages.

sudo add-apt-repository ppa:sander-vangrieken/vaapi
sudo apt-get update
sudo apt-get install mplayer-vaapi gstreamer1.0-vaapi gstreamer1.0-libav libva-intel-vaapi-driver vainfo mencoder-vaapi


That's all! See you.

Link : 10 things to do after installing Ubuntu


Wednesday, July 02, 2014

Tsunami - DNS Amplification Attack Tool

Tsunami is a DNS Amplification Attack Tool which was collected from the internet and modified by Samiux. It is designed for testing your server and/or network under a DNS Amplification Attack. Performing this test on any server and/or network without authorization is a crime and you will be put in jail.

The number of open recursive DNS servers, the bandwidth of the attacker and the duration may affect the traffic volume of the attack.

Tsunami works perfectly on Kali Linux 1.0.7 or above. The official site is here.

Usage



To perform DNS Amplification attack :

python amplfiy.py -t 1.2.3.4 -s open_dns.txt -a domain_name.txt -c -1 --verify -v --threads=1000

*where 1.2.3.4 is the victim's IP address

To scan for the open recursive DNS server :

perl find_open_resolvers.pl '1.0.0.0 - 1.84.255.255' -q 1000

Remarks : this script can only check whether the DNS server sets the RA flag. You need to double-check with the following command to confirm that the scanned DNS server is a true open recursive DNS server.

dig ANY isc.org @samsung.idv.tw

*where samsung.idv.tw is the open recursive DNS server
 and isc.org is the domain to look up

Tsunami comes with the following files :

amplfiy.py - the attack script
find_open_resolvers.pl - the scanner script
gov-uk_domain.txt - domain names of UK Government
open_dns_1.0.0.0-1.84.255.255.txt - open recursive DNS list within 1.0.0.0 and 1.84.255.255 IP range

That's all! See you.

Sunday, June 29, 2014

HOWTO : Shellter on PE files

Shellter is a dynamic shellcode injection tool, and probably the first dynamic PE infector ever created.

It can be used in order to inject shellcode into native Windows applications (currently 32-bit apps only).

The shellcode can be something yours or something generated through a framework, such as Metasploit.

Shellter takes advantage of the original structure of the PE file and doesn't apply any modification such as changing memory access permissions in sections (unless the user wants to and/or chooses Basic Mode), adding an extra section with RWE access, or anything else that would look dodgy under an AV scan.

Shellter uses a unique dynamic approach which is based on the execution flow of the target application.



That's all! See you.

Saturday, June 28, 2014

HOWTO : The Mole on Kali Linux 1.0.7

The Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site, it can detect the injection and exploit it, either by using the union technique or a boolean-query-based technique.

Features

- Support for injections using MySQL, SQL Server, Postgres and Oracle databases.
- Command line interface. Different commands trigger different actions.
- Auto-completion for commands, command arguments and database, table and columns names.
- Support for filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
- Exploits SQL Injections through GET/POST/Cookie parameters.
- Developed in Python 3.
- Exploits SQL Injections that return binary data.
- Powerful command interpreter to simplify its usage.

Tutorials

Quick start
Command Usage
Exploiting injections through POST/Cookies
Filters - bypassing IDS/IPS
Exploiting injections that return binary data
Writing custom filters

Installation

apt-get update
apt-get install themole


Run it

themole -h
themole -u "http://www.samiux.com/?id=1" -n "admin"





That's all! See you.

Saturday, June 14, 2014

HOWTO : Fix the half installed package in Kali Linux/Debian

I forgot to remove Iceweasel from my Kali Linux before installing Firefox. The Firefox installation failed as expected. I removed the sources.list entry for Firefox and ran "apt-get update". However, I got the message "the package firefox-mozilla-build needs to be reinstalled, but I can't find an archive for it". The apt-get command no longer worked properly.

Later, I fixed the problem by issuing the following commands :

sudo dpkg-reconfigure firefox-mozilla-build --force
sudo dpkg --purge --force-all firefox-mozilla-build


After that, I ran "sudo apt-get update" and the error message was gone.

That's all! See you.

Wednesday, June 11, 2014

sysdig and Attackers

When a system is compromised, attackers usually erase syslog and other related log files in order to hide their intrusion activities.

Nowadays, attackers should also erase one more log file, namely sysdig's. sysdig logs all activities to a file named *.scap.gz. Sysadmins can backtrack all the activities of all users (including intruders).

For more details of sysdig, you can refer to Draios Blog - Fishing for Hackers: Analysis of a Linux Server Attack.

That's all! See you.

Sunday, June 01, 2014

Facebook Vulnerability - Name by Phone Number

ubugnu discovered a vulnerability in Facebook: you can search for Facebook users by randomly generated telephone numbers. He also developed a bash script to prove his concept. The script finds all the matching telephone numbers and their owners (Facebook users who have registered their telephone number in their accounts).

For details, please read the developer's GitHub page.

That's all! See you.

BONUS

Facebook Vulnerability - Hidden Friends Crawler

Monday, May 19, 2014

Croissants - Intrusion Detection and Prevention System


INTRODUCTION

In 2013, I joined the SmoothSec project and modified it into an Intrusion Detection and Prevention System using Suricata with AF_PACKET. Since SmoothSec 3.4 is developed on Debian 7 (Wheezy), the Linux kernel 3.2.x is too old for Suricata with AF_PACKET. I used the backport kernel to complete the task. However, it makes the system not so easy to maintain.

Meanwhile, the SmoothSec project seems to be dead. The core developer is not active in the project or the IRC channel. Therefore, I made up my mind to create a new project, namely "Croissants", based on SmoothSec. Croissants is designed for Ubuntu Server LTS or higher (Long Term Support only) and targeted to work with Suricata on AF_PACKET only. It is an Open Source Project under the GPLv3 License by Samiux.

Croissants is a bash script instead of a Linux distribution like SmoothSec. It downloads, compiles and sets up the applications almost automatically. It combines Suricata (IDPS Engine), Snorby (Event Manager & Web Interface), Pigsty (Event Spooler) and Pulledpork (Rules Manager). It will use the latest version of the software on every installation; the only drawback is that it requires internet access.


WHY UBUNTU AND AF_PACKET?

I have been a long-term user of Ubuntu since 2006 (Ubuntu 6.06). I find that Ubuntu uses newer packages and kernels. Ubuntu can be set to update the system automatically, although you can also do it with a cron job. This keeps the system almost up to date in order to avoid attacks on some known vulnerabilities. Therefore, you can focus on your business and network security monitoring (NSM). Furthermore, Ubuntu is free forever according to the founder, Mark Richard Shuttleworth.

AF_PACKET can run on a very low-end computer, such as an Intel ATOM D2550. The performance of AF_PACKET is very good with this CPU on my home network. I can watch 720p YouTube video without lagging on my network (10Mbit internet and Gigabit internal network with Untangle UTM and Croissants). The amount of RAM is 8GB in this default setup. However, the home router will lag while watching 720p YouTube video. This poor performance should be caused by the home router.


WHY CROISSANTS?

Croissants (the food) are delicious, common and cheap. I would like Intrusion Detection and Prevention Systems to be common and cheap enough that everyone can afford one.

Croissants can run on a low-end computer such as an Intel ATOM D2550 with 3 network interface cards and 4GB RAM. This configuration is ideal for a home network and home office. For business, I recommend a more high-end multi-core computer with more than 32GB RAM for Croissants, with some tuning of the Suricata engine.


INSTALLATION

Make sure your computer can access the internet when installing. Meanwhile, "automatically update" should also be selected when installing Ubuntu Server. Set the Ubuntu Server LTS to the UTC time zone at the end of setup; otherwise, the time stamps of Snorby (event manager web application) will be incorrect. You are required to install OpenSSH only during the installation of Ubuntu Server.

Download Croissants from here. Extract it and run the script named "nsm_install" with "sudo". After that, re-cable the computer when necessary and then reboot. That's all! However, the installation may take hours, depending on the power of your hardware and your internet speed.

You can even reinstall the Snorby database by running "nsm_snorby_db_reinstall" after the trial run.

When you write some local rules, you can update them into the system by running the script "nsm_rules_update". When you want to update the Ubuntu Server, you can run "update_ubuntu". When updating Croissants, you can run "update_nsm", which updates the system by compiling from source code downloaded from the internet. Make sure to run those scripts with "sudo".

In addition, Croissants updates the rules file every 4 hours automatically.


That's all! See you.

Sunday, May 04, 2014

HOWTO : Azazel on Debian Wheezy

I have known about this rootkit, Azazel, for some time; however, I was too busy to give it a test. Recently, I got bored and took a look at it.

Azazel is a Linux userland rootkit based on the original LD_PRELOAD technique from Jynx (rootkit). Azazel has some features that are very useful for attackers, such as file hiding and anti-debugging.
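Because an LD_PRELOAD rootkit has to be named in /etc/ld.so.preload and ends up mapped into every dynamically linked process, those two places are where a defender looks for it. The following check is an added example, not code from the original post or from the Azazel project; the preload file and /proc/<pid>/maps contents are constructed, and the library path /lib/libselinux.so is a placeholder chosen for the example.

```python
import re

# Constructed sample input, standing in for /etc/ld.so.preload and /proc/<pid>/maps
# on a host where a preload rootkit has been installed (paths and inodes made up).
SAMPLE_PRELOAD = "/lib/libselinux.so\n"
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 131 /bin/cat
7f1a00000000-7f1a00021000 r-xp 00000000 08:01 262 /lib/x86_64-linux-gnu/libc-2.13.so
7f1a00200000-7f1a00210000 r-xp 00000000 08:01 999 /lib/libselinux.so
7f1a00400000-7f1a00420000 r-xp 00000000 08:01 263 /lib/x86_64-linux-gnu/ld-2.13.so
7ffd12340000-7ffd12361000 rw-p 00000000 00:00 0 [stack]
"""

# Directories the dynamic loader is expected to load libraries from;
# a preload rootkit usually sits in its own, oddly placed .so instead.
SYSTEM_LIB_DIRS = ("/lib/x86_64-linux-gnu/", "/usr/lib/x86_64-linux-gnu/",
                   "/lib64/", "/usr/lib64/")
SO_RE = re.compile(r"\.so(\.\d+)*$")

def preloaded_libs(preload_text):
    """Entries of /etc/ld.so.preload; on a clean host this file is empty or absent."""
    return [ln.strip() for ln in preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def mapped_libs(maps_text):
    """Distinct shared objects mapped into a process, in /proc/<pid>/maps order."""
    seen = []
    for ln in maps_text.splitlines():
        fields = ln.split(None, 5)
        if len(fields) == 6 and SO_RE.search(fields[5]) and fields[5] not in seen:
            seen.append(fields[5])
    return seen

def suspicious_libs(preload_text, maps_text):
    """Libraries forced in via ld.so.preload or living outside the loader dirs."""
    forced = set(preloaded_libs(preload_text))
    return sorted(lib for lib in mapped_libs(maps_text)
                  if lib in forced or not lib.startswith(SYSTEM_LIB_DIRS))

def check_live(pid="self"):
    """Run the same check on the current host (Linux only; returns [] elsewhere)."""
    try:
        preload = open("/etc/ld.so.preload").read()
    except OSError:
        preload = ""          # absent on a clean host
    try:
        return suspicious_libs(preload, open(f"/proc/{pid}/maps").read())
    except OSError:
        return []
```

A preload rootkit hooks the same libc calls this script uses to read those files, so on a suspect host run it from a statically linked interpreter or a live CD, or against copies of the files taken off-host.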

I set up four VirtualBox guests: Debian 7 (Wheezy), Ubuntu 12.04.4 LTS, Ubuntu 14.04 LTS and CentOS 6.5.

Azazel can be compiled without problems if you have installed the required libraries. You need root privilege to install this rootkit. Once installed, it is very hard to remove unless you reinstall your system. However, the developer suggests removing one of the files by booting from a live CD.

After a very quick test of Azazel in the above-mentioned VirtualBox (version 4.3.10 r93012) guests, only Debian can run it flawlessly. Ubuntu cannot be rebooted. CentOS cannot be logged into after the reboot. Azazel cannot run properly in Ubuntu and CentOS either. I think no attacker will want to destroy the victim box unless s/he really wants to.

After a quick look at the developer's products, I think the developer is running Debian and his products have been tested on Debian only.

Meanwhile, only the backdoor, anti-debugging and file hiding of Azazel on Debian were tested. The plaintext backdoor and Crypthook backdoor could not be tested successfully in my lab. Once a file is hidden, you cannot undo it and it can be accessed by Azazel only.

If you want to port this rootkit to other Linux distributions, you need to modify the source code. One of the reasons that Linux is harder to attack is that there are too many variants.

REFERENCE

To compile Azazel on Debian or Ubuntu, you need to do the following :

apt-get install libpam0g-dev libssl-dev libpcap0.8-dev build-essential git

To compile Azazel on CentOS, you need to do the following :

yum install gcc make pam-devel openssl-devel libpcap-devel

That's all! See you.