Wednesday, January 22, 2014

HOWTO : Chatting in Freenode Anonymously with NightHawk

NightHawk runs Tor (The Onion Router) transparently as a middle box. With a small change to your IRC client's configuration you can chat on Freenode anonymously through it.

Start NightHawk and run it behind a router, then configure the IRC client as follows:

(1) Replace the server address chat.freenode.net with one of the following onion addresses:

frxleqtzgvwkv7oz.onion
p567hbjdstqvg7xw.onion
2hktdmgt6bg2hjuc.onion
l4wvhvf666nifnpg.onion

The first one is the most used, so you may often find that you cannot log in to Freenode, especially at peak hours. If so, try one of the others.

(2) Disable the client's proxy setting. NightHawk already pushes all traffic, name resolution included, through Tor transparently, so a SOCKS proxy configured in the client is not needed.

(3) Either the plain port (e.g. 6667) or the SSL port (e.g. 6697) works.

(4) Make sure SASL authentication is enabled for this server: Freenode requires SASL for connections arriving over Tor, so you need a registered nickname. For the Freenode side of the configuration, refer to its official site or user manual.
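For reference, this is what the client side of the SASL exchange in step (4) looks like on the wire. It is an added example, not code from the original post: everything is computed locally, no connection is made, and the nickname and password are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the client side of the IRCv3
# SASL PLAIN handshake that Freenode requires from Tor users, built locally.
# "alice" / "correct-horse" below are placeholders, not real credentials.

# RFC 4616 PLAIN payload: authzid NUL authcid NUL password, base64-encoded.
# Freenode expects authzid == authcid == your registered account name.
sasl_plain_payload() {
    printf '%s\0%s\0%s' "$1" "$1" "$2" | base64 | tr -d '\n'
}

# The client lines in the order the server expects them (CRLF-terminated on
# the wire; one per line here). Payloads over 400 bytes must be split into
# 400-byte AUTHENTICATE chunks, which a single account name + password never needs.
sasl_handshake() {
    nick=$1 pass=$2
    printf 'CAP LS 302\n'
    printf 'NICK %s\n' "$nick"
    printf 'USER %s 0 * :%s\n' "$nick" "$nick"
    printf 'CAP REQ :sasl\n'          # only after the server listed "sasl" in CAP LS
    printf 'AUTHENTICATE PLAIN\n'     # server answers "AUTHENTICATE +"
    printf 'AUTHENTICATE %s\n' "$(sasl_plain_payload "$nick" "$pass")"
    printf 'CAP END\n'                # only after 903 (success) arrived
}

# Interpret the numeric the server sends back:
#   903 RPL_SASLSUCCESS, 904 ERR_SASLFAIL, 905 ERR_SASLTOOLONG, 906 ERR_SASLABORTED
sasl_result() {
    case "$(printf '%s' "$1" | cut -d' ' -f2)" in
        903)         echo success; return 0 ;;
        904|905|906) echo failure; return 1 ;;
        *)           echo unknown; return 2 ;;
    esac
}

sasl_handshake alice correct-horse
# constructed server reply, as it would appear after the AUTHENTICATE line
sasl_result ':orwell.freenode.net 903 alice :SASL authentication successful'
```

If the client never sees 903 it must not send CAP END and join channels anyway; that is how a mis-configured client ends up connected unauthenticated.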

That's all! See you.

HOWTO : Browsing Anonymously with Google Nexus 5 (Android)

To browse the internet anonymously on Android, you need to run Tor (The Onion Router) together with Firefox and a few related Firefox add-ons.

Hardware

Google Nexus 5 (or other Android mobile phone)

Software

(1) Firefox Browser for Android
(2) Orbot
(3) Proxy Mobile (Firefox Add-ons)
(4) Phony (Firefox Add-ons)
(5) Clear Quit (Firefox Add-ons)
(6) Self-Destructing Cookies (Firefox Add-ons)
(7) DuckDuckgo (TOR) (Firefox Add-ons)

Orbot

You can get Orbot from the Google Play Store. It installs on any Android phone, rooted or not, and runs Tor. Once Tor is running, your browser will not go through it (and may not work properly) until you point it at Orbot's SOCKS proxy, which is what Proxy Mobile is for. Once the browser is proxied, Google search will often refuse to work, because Google blocks or challenges many Tor exit nodes; install the DuckDuckGo search add-on instead. Set Orbot to start on boot if you want Tor to be available whenever the phone is on.

Firefox Browser for Android

You can get Firefox for Android from the Google Play Store.

Proxy Mobile

You can get Proxy Mobile from the Google Play Store. After installing it, configure it so that Firefox uses Orbot's SOCKS port. "SOCKS Remote DNS" matters: with it disabled, name lookups go to your carrier's resolver in the clear and reveal every host you visit, even though the page data itself goes through Tor.

Use Proxy - Enable
SOCKS Proxy host - 127.0.0.1
SOCKS Proxy Port - 9050
SOCKS Remote DNS - Enable

Phony

You can get Phony from the Google Play Store. It lets you change Firefox's User-Agent string, or you can leave it at the default. Note that an unusual User-Agent makes your browser stand out among other Tor users; if you change it, pick a common one.

Clear Quit and Self-Destructing Cookies

You can get both from the following link.

Guardian Project

DuckDuckgo (TOR)

You can get DuckDuckGo (TOR) from the Google Play Store. Set it as the default search engine, or enable listing of all available engines and pick DuckDuckGo when you search.

When all the required software and add-ons are installed, reboot the Google Nexus 5 if it still cannot browse the internet properly.

One drawback is speed: browsing through Tor is noticeably slower. If your mobile data plan is a slow one you will suffer, and running Tor is not recommended.

When you want to browse, start Orbot first, then open Firefox with "New Private Tab".

That's all! See you.

Sunday, January 19, 2014

Catch Me If You Can 2

Last year I wrote about how to use a 3G/4G pre-paid SIM card for malicious activity; the full article is here. However, many countries now require the buyer's personal particulars to be registered when a 3G/4G pre-paid SIM card is purchased. Today I will introduce another method, over a wired or mobile network, that leaves as little trace as possible.

First, you need a virtual machine (VMware, VirtualBox, Parallels, etc.) or a standalone computer, plus a router if you connect to the internet over a wire. For a mobile connection, a pocket 3G/4G WiFi router is a must.

I prefer a virtual machine if you have suitable hardware (for example, more than 4GB RAM and a large hard drive or SSD).

Second, install Ubuntu Server 12.04 LTS (x86 or x86_64) with OpenSSH on the virtual machine (or on the standalone computer, if you prefer).

Third, after installing Ubuntu Server 12.04 LTS, install NightHawk. Change the MAC address of the network interface (NIC) with macchanger. Do not keep the default MAC address even in a virtual machine: the hypervisor's vendor prefix (OUI) identifies the VM product to anyone who sees the address.

Fourth, connect to the virtual machine (NightHawk) over PPTP VPN; everything you then do goes out through Tor. Make sure the DNS servers in your host computer's PPTP settings are not your real ISP's, or your name lookups bypass Tor and reveal what you connect to. Keep in mind that PPTP's MS-CHAPv2 authentication is cryptographically broken; here the VPN only carries traffic between your host and the VM, so treat it as a routing convenience, not as protection in itself.

Finally, if you are using Kali Linux, install the PPTP client as follows:

apt-get install network-manager-pptp-gnome network-manager-pptp
/etc/init.d/network-manager restart
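The MAC change in the third step is easy to get wrong by hand, so here is a small script that generates an address of the kind macchanger -r produces and checks it before it is applied. This is an added example, not part of the original post; the interface name eth0 and the hypervisor OUIs listed are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a random MAC address
# of the kind "macchanger -r" produces and check it before applying it.
# "eth0" below is an assumed interface name; adjust for your VM.

# A randomly chosen MAC must have, in its first octet:
#   bit 0 (multicast) clear          -> a unicast address
#   bit 1 (locally administered) set -> it claims no real vendor OUI
# Hypervisors use well-known OUIs (VMware 00:0c:29 / 00:50:56,
# VirtualBox 08:00:27, KVM/QEMU 52:54:00), which is why the default MAC
# tells an observer you are running a VM, and which product.
random_mac() {
    raw=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')      # 12 hex digits
    first=$(( 0x$(printf '%s' "$raw" | cut -c1-2) ))
    first=$(( (first | 0x02) & 0xfe ))                       # set LA bit, clear multicast bit
    rest=$(printf '%s' "$raw" | cut -c3-12 | sed 's/../&:/g; s/:$//')
    printf '%02x:%s\n' "$first" "$rest"
}

# Returns 0 if the address is a well-formed unicast, locally administered MAC.
mac_is_local_unicast() {
    case "$1" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    first=$(( 0x$(printf '%s' "$1" | cut -c1-2) ))
    [ $(( first & 0x03 )) -eq 2 ]
}

# Returns 0 if the address starts with one of the common hypervisor OUIs above.
mac_looks_virtual() {
    case "$1" in
        00:0c:29:*|00:50:56:*|08:00:27:*|52:54:00:*) return 0 ;;
        *) return 1 ;;
    esac
}

mac=$(random_mac)
echo "candidate: $mac"
mac_is_local_unicast "$mac" && echo "ok: unicast, locally administered"
# To apply it (needs root; not run here):
#   ip link set dev eth0 down
#   macchanger -m "$mac" eth0      # or simply: macchanger -r eth0
#   ip link set dev eth0 up
```

Run mac_looks_virtual against the address the interface currently has (ip link show eth0) to see what the default gives away before you change it.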


For the setup of NightHawk, please refer to here.

Two things to remember: change the MAC address of the NIC in the virtual machine, and change the DNS entries in the PPTP configuration. Also, do NOT use a reverse connection back to yourself unless it goes through a hidden service (I have not tried this yet). JavaScript and Flash should be disabled in the browser too; otherwise you can be traced.

Final thought: after the attack, securely and completely delete the virtual machine. You should also fully encrypt your Kali Linux box and set up its self-destruction feature, so that you can destroy the Kali box with the "nuke" passphrase in case you are caught. Nice?

That's all! See you.

See Also

Catch Me If You Can
Catch Me If You Can 3
Catch Me If You Can 4

Sunday, January 12, 2014

HOWTO : Update Kali Linux 1.0.5



Copy the code into a file named "update_kali", then make it executable and run it:

chmod +x update_kali

./update_kali
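As an added example (my own script, not the one the post refers to), here is a minimal update script of the same shape that also refuses to run when apt's package signature verification has been switched off, so a poisoned mirror cannot push unsigned packages onto the box. The paths under /etc/apt are the real Debian/Kali ones; DRY_RUN is a made-up knob for this example.

```shell
#!/bin/sh
# Added example, not the script from the original post: update Kali Linux 1.x,
# but refuse to proceed if apt has been told to accept unsigned packages.
# /etc/apt paths are real; DRY_RUN is an assumed knob for this example only.

# Return 0 (true) if the given apt config file disables authentication,
# e.g. a line such as:   APT::Get::AllowUnauthenticated "true";
# Commented-out lines are ignored.
apt_auth_disabled() {
    grep -Eiq '^[^#]*AllowUnauthenticated[[:space:]]*"?(true|yes|1)"?' "$1"
}

# Check every apt config file that exists; return 0 if any of them is unsafe.
any_apt_auth_disabled() {
    for f in /etc/apt/apt.conf /etc/apt/apt.conf.d/*; do
        [ -f "$f" ] && apt_auth_disabled "$f" && return 0
    done
    return 1
}

update_kali() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    if any_apt_auth_disabled; then
        echo "refusing: apt signature verification is disabled in /etc/apt" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: apt-get update && apt-get -y dist-upgrade && apt-get -y autoremove && apt-get clean"
        return 0
    fi
    export DEBIAN_FRONTEND=noninteractive     # never block on a prompt
    apt-get update &&
    apt-get -y dist-upgrade &&                # -y only; never --force-yes
    apt-get -y autoremove &&
    apt-get clean
}

# Run the upgrade only when executed as ./update_kali, not when sourced.
case "${0##*/}" in
    update_kali) update_kali ;;
esac
```

Try DRY_RUN=1 sudo ./update_kali first to see the checks pass without touching the system.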


That's all! See you.

Tuesday, January 07, 2014

HOWTO : Linux Malware Detect on Ubuntu 12.04 LTS 64-bit

What is Linux Malware Detect?

Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license, designed around the threats faced in shared hosting environments. It uses threat data from network-edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Threat data is also derived from user submissions (the LMD checkout feature) and from malware community resources. The signatures LMD uses are MD5 file hashes and hex pattern matches; they are also easily exported to other detection tools such as ClamAV.

The driving force behind LMD is that there are currently few open-source, restriction-free tools for Linux that focus on malware detection and, more importantly, get it right. Many AV products that perform malware detection on Linux have a very poor track record of detecting threats, especially those targeted at shared hosting environments.

The threat landscape in shared hosting environments differs from what standard AV products cover: they primarily detect OS-level trojans, rootkits and traditional file-infecting viruses, but miss the ever-increasing variety of malware living at the user-account level, which serves as an attack platform.

Shared Hosting Environments Only?

Although LMD is designed for Red Hat-based systems in shared hosting environments running Apache, it runs on Debian or Ubuntu server and desktop editions without any problem. Running it alongside the Hiawatha web server is no problem either.

Installation

Step 1 :

sudo apt-get install libc6-i386
* 32-bit C library; needed on a 64-bit system by the inotifywait binary that LMD bundles for monitor mode

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvzf maldetect-current.tar.gz
cd maldetect-*
sudo ./install.sh

* the tarball is fetched over plain HTTP and is not signed, so compare its checksum (e.g. with sha256sum) against one obtained out of band before running install.sh as root


Step 2 :

sudo maldet -d -u
* -d updates LMD itself, -u updates the signatures

Step 3 :

sudo nano /usr/local/maldetect/conf.maldet

change the value of the following variables :

email_alert=1
email_addr="samiux@samiux.com"

* change to your email address

quar_hits=1
maxfilesize="10240k"
string_length_scan="1"

clamav_scan=0

* if ClamAV is not installed.

clamav_scan=1
* if ClamAV is installed.

Step 4 :

sudo nano /etc/rc.local

Append one of the following lines just before "exit 0". The -m switch starts monitor mode: LMD puts inotify watches on the listed paths and scans files as they are created or modified.

/usr/local/maldetect/maldet -m /tmp,/run/shm,/var
* if you are running server edition

/usr/local/maldetect/maldet -m /tmp,/run/shm,/home
* if you are running desktop edition

Step 5 :

sudo maldet -m /tmp,/run/shm,/var
* if you are running server edition

sudo maldet -m /tmp,/run/shm,/home
* if you are running desktop edition

Step 6 :

Make sure LMD is running properly :

sudo ps aux | grep maldet
sudo ps aux | grep inotify


How does it work?

Signatures are updated daily. LMD monitors the directories you listed in Step 4 or 5 via inotify. When malware is detected you are notified by email, if you enabled alerts in Step 3, and with quar_hits=1 the file is quarantined: it is moved to LMD's quarantine directory, not deleted, and can be restored with maldet --restore if it turns out to be a false positive.

If you run Apache, consider installing mod_security and mod_evasive to harden the web server. If you install them, set "public_scan=1" so that LMD can scan uploaded files on behalf of the web server's non-root user.

You may also consider installing ClamAV when necessary.

Remarks

Please note that any signature-based scanner or defense can be bypassed: a sample that differs from the signature by a single byte (repacked, re-encoded or trivially obfuscated) is not detected.
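To make both the "How does it work?" section and the remark above concrete, here is an added example (my own toy scanner, not LMD's code) that matches files the way LMD's two signature types do, an MD5 of the whole file and a hex byte pattern found anywhere in the file, and runs it over constructed sample files. One of the samples is a webshell lookalike with a single extra space, which is enough to slip past the pattern.

```shell
#!/bin/sh
# Added example, not LMD's own code: a toy scanner with the two LMD signature
# types (whole-file MD5, and a hex byte pattern anywhere in the file), run over
# constructed sample files. It also shows why the remark above holds: one
# added byte defeats the pattern, and one changed byte defeats the hash.

# Constructed hex signature: the bytes of   eval(base64_decode(
# a construct common in PHP webshells (just the string, not a real LMD rule).
HEX_SIG='6576616c286261736536345f6465636f646528'

# Dump a file as " xx xx xx ... " (lowercase, one space per byte, POSIX od).
hexdump_file() {
    od -An -v -tx1 "$1" | tr -s ' \n' ' '
}

# Turn "6576..." into " 65 76 ... " so a match is always byte-aligned
# (matching on the bare nibble string could hit at an odd offset).
spaced_sig() {
    printf '%s' "$1" | sed 's/../& /g; s/^/ /'
}

# Print "<file>: md5 hit" or "<file>: hex hit" if the file matches; else nothing.
# $1 = file, $2 = colon-separated list of known-bad MD5s, $3 = hex pattern.
scan_file() {
    sum=$(md5sum "$1" | cut -d' ' -f1)
    case ":$2:" in
        *":$sum:"*) echo "$1: md5 hit"; return 0 ;;
    esac
    if hexdump_file "$1" | grep -q "$(spaced_sig "$3")"; then
        echo "$1: hex hit"; return 0
    fi
    return 1
}

# Scan every regular file directly under a directory; one line per hit.
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] && { scan_file "$f" "$2" "$3" || true; }
    done
    return 0
}

# Constructed samples: two webshell lookalikes, a clean page, and a "dropper"
# known only by its hash. Prints the hit lines, then the hit count.
demo() {
    d=$(mktemp -d)
    printf '<?php eval(base64_decode("aGk="));\n'  > "$d/shell.php"   # hex hit
    printf '<?php eval (base64_decode("aGk="));\n' > "$d/shell2.php"  # one space added: evades
    printf '<?php echo "hello";\n'                  > "$d/index.php"   # clean
    printf 'fake dropper payload\n'                 > "$d/dropper.bin" # md5 hit
    bad=$(md5sum "$d/dropper.bin" | cut -d' ' -f1)
    scan_dir "$d" "$bad" "$HEX_SIG"
    scan_dir "$d" "$bad" "$HEX_SIG" | wc -l | tr -d ' '
    rm -rf "$d"
}

demo
```

The scan reports two hits (shell.php by pattern, dropper.bin by hash) and misses shell2.php entirely; appending a single byte to dropper.bin would make it miss that one too. That is the whole bypass story in miniature, and the reason LMD's hex signatures are worth more than its hash list.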

That's all. See you!

Monday, January 06, 2014

The Truth About Exercise - BBC Horizons

This time I will not discuss IT or InfoSec but health. The following video, produced by the BBC in 2012, is about keeping fit with HIT (High Intensity Training) and LIT (Low Intensity Training) without breaking a sweat. Ideal for busy people like us.

BBC Horizons (January 2012) - The Truth About Exercise from Henry Dimaano on Vimeo.