Thursday, December 29, 2016

HOWTO : Configure OpenVPN on Ubuntu 16.04

There is a very good article by Digital Ocean on setting up OpenVPN on Ubuntu 16.04. After that setup, you still need to configure it further to make it work properly.

The following additional settings allow all VPN clients to use the same certificate to log in to the VPN server, and raise the maximum number of concurrent users to 100. Note that with one shared certificate you cannot revoke a single client without revoking all of them.

sudo nano /etc/openvpn/server.conf

Uncomment (remove ";") the following :

duplicate-cn

max-clients 100


That's all! See you.


Wednesday, December 28, 2016

HOWTO : Build An Affordable Intrusion Detection And Prevention System For Home Users

What is Intrusion Detection And Prevention System?

An intrusion detection and prevention system (IDPS) monitors incoming and outgoing traffic on your network and blocks malicious traffic (packets) based on rules (blacklists).

Why do home users need an IDPS?

Not only big companies need an IDPS but also home users, as long as they are connected to the internet. Almost all home users have installed anti-virus software, but it is not enough. They need more protection against cyber criminals.

However, most IDPS appliances are very expensive for home users. Most open source solutions are also demanding for them, as they are not familiar with networking and technology.

What is Almond Croissants and why?

Almond Croissants is an open source intrusion detection and prevention system based on the Suricata engine. Suricata is a next-generation IDPS engine with a lot of outstanding features.

Users of Almond Croissants are not required to be familiar with networking and technology; it is designed with them in mind. Not only that, it is designed for low-end hardware too. It is really "Plug, Play and Forget!".

What are the key features of Almond Croissants?

- Block port and vulnerability scanning
- Block known exploits against vulnerable systems
- Block known malicious IP addresses from accessing your systems
- Block known sources of Secure Shell (SSH) brute forcing
- Block The Onion Router (TOR) from accessing your systems
- Prevent access to known malicious sites identified by their Secure Sockets Layer (SSL) certificates
- Prevent infection by known viruses and malware
- Block known annoying advertising servers
- Easy and straightforward analysis with charts on the web interface
- Compatible with BitTorrent and 4K video streaming
- Ultra-low latency for online gaming
- Compatible with Windows, Linux, macOS, Apple iOS and Android
- Ultra-low latency throughput that drives your network to its limit
- No subscription fee
- More protection for web servers
- More protection from known malware
- Block known phishing sites
- Automatic updates and upgrades
- Plug, Play and Forget!

What hardware is required?

If you have a small family of 4 members and about 200-250Mbps of bandwidth, the Zotac Mini PC CI323 (Intel Celeron N3150 with 16GB RAM) is recommended. You may also need a USB 3.0 Gigabit Ethernet dongle. Yes, 16GB RAM: the vendor states that it supports up to 8GB RAM, but you can install a total of 16GB RAM in it. A 320GB hard drive is also required. It needs a total of 3 network interface cards. The price of the system is below USD 400. Its power consumption is low, which suits running it for the long term.

A more powerful CPU and more memory are recommended for demanding situations. Almond Croissants runs on dedicated hardware. The minimum requirements for Almond Croissants are 2-4 CPU threads and 16GB RAM.

How to install?

Because of its ultra-low latency, it is recommended to put Almond Croissants between the modem and the router. You can also install it between the router and the switch. However, if you have a wireless router, it is recommended to put Almond Croissants in front of the wireless router.

First of all, you need to install Ubuntu Server (LTS edition) on the box. Installing the SSH server is recommended for remote management inside your network. Installing Almond Croissants on the Zotac Mini PC CI323 may take 8 or more hours. Make sure the box is connected to the internet, as it fetches packages and data from various servers on the internet.

The installation procedure is well documented on the Almond Croissants official site. It is easy, but it takes time.

After the installation, plug the Zotac Mini PC CI323 in between the modem and the router. The USB Ethernet card connects to the switch. A reboot is required. It takes about 10 minutes after boot for all the rules and data to load into memory.

What's next?

Make sure the firewall on your router is enabled and do not allow the SSH port to be accessed from outside your network unless it is well protected. Installing an anti-virus program on every computer is optional but recommended.

For further protection of your laptop and smartphone outside your home, you need to set up a VPN inside your network. When you use your laptop at a coffee shop or your smartphone on the road, you can connect to your VPN and your connection will be protected by Almond Croissants.

All rule updates and upgrades are conducted overnight between 0100 and 0800 hours. Therefore, the box must run 24/7/365, and server-grade hardware is recommended.

See also

Almond Croissants - Intrusion Detection And Prevention System
Zotac Mini PC C Series
Suricata IDPS Engine
Hardening Mobile Devices with Intrusion Prevention System
Know Your Enemies and Know Yourself
OpenVPN official site
How To Set Up an OpenVPN Server on Ubuntu 16.04
Configure OpenVPN on Ubuntu 16.04
Intel Celeron N3150 Specifications

That's all! See you.


Tuesday, December 13, 2016

Know Your Enemies and Know Yourself

Quotations

Sun Tzu's The Art of War (孙子兵法) says "If you know your enemies and know yourself, you will not be put at risk even in a hundred battles. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself." (知彼知己,百战不殆;不知彼而知己,一胜一负;不知彼,不知己,每战必殆。) [source : Wikipedia]

Sun Tzu's The Art of War also says "All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near." (兵者,诡道也。故能而示之不能,用而示之不用,近而示之远,远而示之近。) [source : Wikipedia]

Reconnaissance

Most internet attack activity is based on reconnaissance (recon) of the target. Recon can be conducted by active or passive methods. Active recon generates a lot of noise at the target, as it collects information from the target directly, while passive recon does not.

Once attackers have gathered valuable information about the target, such as the services and versions running on it, they will launch exploits when vulnerable services are running on the target. If successful, the target is compromised and under the control of the attackers.

On the other hand, if no vulnerable services are running on the target, attackers may launch social engineering attacks against it, such as phishing mails, phishing sites, phishing phone calls, phishing downloads, etc. Social engineering may lead to compromise of the target as a result.

The attacks mentioned above can be aimed at randomly selected targets or at a chosen victim. Furthermore, some attacks are carried out directly by botnets, which select targets randomly and aim at vulnerable running services. Botnet attacks also have an active recon stage, as mentioned before.

Possible Defense

Apart from some social engineering attacks, we all know that almost all attacks follow recon. If attackers cannot get any valuable information from us, we can delay or even prevent the attack.

We all know that nmap can obtain information about the services running on open ports. If we can block nmap scanning from the beginning, attackers have to guess which ports are open and which services and versions are running on those ports. They cannot go further when they have no valuable information about us. If so, we can delay or even prevent the attacks. However, the attackers may then soon launch social engineering attacks instead.

Commercial Solution

Some anti-virus products for Windows, some Unified Threat Management (UTM) systems and some Intrusion Prevention Systems (IPS) can block port scanning. However, some of them fail to detect and block an nmap scan when it is run with special command flags. Meanwhile, anti-virus software, UTMs and IPSs may require an annual signature subscription. In addition, commercial UTMs and IPSs are very expensive. They can cost a lot in the long run.

Open Source Solution

Suricata and Snort are very well-known Intrusion Detection and Prevention (IDPS) engines. They work on the basis of blacklisting. Those blacklists are rules that alert on or block traffic when it meets their criteria. There are open rules and paid rules available in the market. Some IDPS users can write their own rules to meet their requirements. However, some rules are written wrongly, causing false positive alerts or even failing to detect the activity at all.

Not everyone is an IDPS expert. Setting up a working Suricata or Snort appliance is painful. Users have to troubleshoot every problem they encounter. Sometimes it is a hardware limitation, sometimes false positive alerts/drops, sometimes a limitation of the IDPS engine itself.

Plug, Play and Forget!

Almond Croissants is an open source IDPS based on the Suricata engine. It has been released under GPLv3 by Samiux since 2012. It is well tested with Windows, macOS, Linux, Apple iOS and Android clients. Engine and rules are updated automatically when they become available. Users are not required to be very familiar with IDPS. Not only can it detect and block nmap scanning without pain, it also has many outstanding features that most IDPS omit. It is tasty and really "Plug, Play and Forget!"

That's all! See you.


Monday, December 12, 2016

HOWTO : Traffic and Attack Map for Suricata

"Traffic & Attack Map for Suricata" is forked from Matthew May's Attack Map on GitHub.

"Traffic & Attack Map for Suricata" is modified to work with Suricata's eve.json file. It shows inbound traffic only, which includes both normal and attack traffic. It is designed for Python 3 and Ubuntu Server 16.04 LTS, and it is meant to be installed on the Suricata box itself.

The map shows "DROP" or "ALERT" when traffic is dropped or alerted on by Suricata. Other traffic is shown by its nature (event type), such as DNS, TLS, FILEINFO, etc.
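As an added example (not code from the Traffic & Attack Map project), the following Node.js snippet derives the label described above from Suricata eve.json lines and keeps inbound events only; `HQ_IP` stands in for the `hq_ip` setting, and the eve.json records are constructed.

```javascript
// Added example, not code from the Traffic & Attack Map project: derive the
// label the post describes (DROP, ALERT, or the upper-cased event type) from
// Suricata eve.json lines, keeping inbound events only. HQ_IP stands in for the
// hq_ip setting; the eve.json records below are constructed, not real traffic.

const HQ_IP = '203.0.113.10'; // assumption: the box's external address (hq_ip)

// Label one parsed eve.json record the way the map displays it.
function labelEvent(ev) {
  if (ev.event_type === 'alert') {
    // Suricata reports alert.action "blocked" when IPS mode dropped the packet.
    return ev.alert && ev.alert.action === 'blocked' ? 'DROP' : 'ALERT';
  }
  if (ev.event_type === 'drop') return 'DROP'; // dedicated drop event type
  return String(ev.event_type || 'unknown').toUpperCase(); // DNS, TLS, FILEINFO, ...
}

// Walk newline-delimited eve.json, skip malformed lines (e.g. a record Suricata
// is still writing), keep events whose destination is the HQ address and
// return [{ src, label, signature }] in file order.
function inboundEvents(eveText, hqIp = HQ_IP) {
  const out = [];
  for (const line of eveText.split('\n')) {
    if (!line.trim()) continue;
    let ev;
    try {
      ev = JSON.parse(line);
    } catch (e) {
      continue; // truncated or corrupt line, ignore it
    }
    if (ev.dest_ip !== hqIp) continue; // outbound traffic is not shown on the map
    out.push({
      src: ev.src_ip,
      label: labelEvent(ev),
      signature: ev.alert ? ev.alert.signature : null,
    });
  }
  return out;
}

// Totals per label, the kind of figure a chart on the web interface would plot.
function countByLabel(events) {
  const counts = {};
  for (const e of events) counts[e.label] = (counts[e.label] || 0) + 1;
  return counts;
}

// Constructed sample eve.json: a dropped alert, an alert that was only logged,
// an inbound DNS query, an outbound TLS session, an inbound file transfer and
// a truncated last line.
const SAMPLE_EVE = [
  { timestamp: '2016-12-12T10:00:01.000000+0800', event_type: 'alert', src_ip: '198.51.100.7', dest_ip: HQ_IP, proto: 'TCP', dest_port: 22,
    alert: { action: 'blocked', signature: 'CONSTRUCTED SSH brute force source', severity: 2 } },
  { timestamp: '2016-12-12T10:00:02.000000+0800', event_type: 'alert', src_ip: '198.51.100.8', dest_ip: HQ_IP, proto: 'TCP', dest_port: 80,
    alert: { action: 'allowed', signature: 'CONSTRUCTED web scanner user-agent', severity: 3 } },
  { timestamp: '2016-12-12T10:00:03.000000+0800', event_type: 'dns', src_ip: '198.51.100.9', dest_ip: HQ_IP, proto: 'UDP', dest_port: 53,
    dns: { type: 'query', rrname: 'example.test' } },
  { timestamp: '2016-12-12T10:00:04.000000+0800', event_type: 'tls', src_ip: HQ_IP, dest_ip: '192.0.2.44', proto: 'TCP', dest_port: 443 },
  { timestamp: '2016-12-12T10:00:05.000000+0800', event_type: 'fileinfo', src_ip: '198.51.100.10', dest_ip: HQ_IP, proto: 'TCP', dest_port: 80,
    fileinfo: { filename: '/upload.php', size: 1024 } },
].map((ev) => JSON.stringify(ev)).join('\n') + '\n{"event_type": "alert", "src_ip": "198.51.100.11", "dest_ip"';

if (typeof require !== 'undefined' && require.main === module) {
  const events = inboundEvents(SAMPLE_EVE);
  console.log(events);
  console.log(countByLabel(events));
}
```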

License

"Traffic & Attack Map for Suricata" is released under GPLv3 by Samiux.

Requirements

(1) A working dedicated Suricata server acting as IDPS on Ubuntu Server
(2) Python 3.x
(3) Web server with websocket support
(4) Redis server

Package

sha256sum fda369bd246048ce883fabb16e085caa022a492a7e188b4f0c99f37ea4bc8bdb attack-map-0.0.1.tar.gz

Installation

Step 1 :

sudo apt-get install python3-pip redis-server
sudo pip3 install tornado tornado-redis redis maxminddb


sudo nano /etc/redis/redis.conf

Change from :
bind 127.0.0.1

To :
bind 0.0.0.0

Note that with this setting Redis listens on every interface and, unless a password is configured, accepts connections without authentication. Restrict TCP port 6379 with the host firewall to the addresses that really need it.

Step 2 :

wget https://www.infosec-ninjas.com/files/attack-map-0.0.1.tar.gz
tar -xvzf attack-map-0.0.1.tar.gz
cd attack-map/geoip-attack-map
./db-dl.sh

cd ..
sudo cp -R geoip-attack-map /var/www


Step 3 :

cd ..
sudo cp attackmap.service /lib/systemd/system/
sudo cp dataserver.service /lib/systemd/system/

sudo systemctl enable attackmap.service
sudo systemctl enable dataserver.service


Step 4 :

cd /var/www/geoip-attack-map/DataServer
sudo nano DataServer.py


Go to :
hq_ip = '8.8.8.8' and replace the value ('8.8.8.8') with your external IP address.

cd /var/www/geoip-attack-map/AttackMap
sudo nano trafficline.js


Go to :
var webSock = new WebSocket("ws://192.168.20.180:8888/websocket");

and replace "192.168.20.180" with the IP address of your Suricata box.

Go to :
var hqLatLng = new L.LatLng(33.936051, -81.048565);

and replace the values of L.LatLng with your location. You can go to http://latitudelongitude.org to find your latitude and longitude.

Then configure your web server to point its document root to "/var/www/geoip-attack-map/AttackMap". Make sure the "websocket" module or function is enabled on your web server. The port for the websocket is 8888 by default.

*** Setting up the web server to work with this project is out of the scope of this guide.

Step 5 :

Since the Redis server requires this setting to avoid performance issues, you need to edit the boot parameters in GRUB.

sudo nano /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="transparent_hugepage=never"

sudo update-grub

sudo reboot


Step 6 :

Once it has booted, point your browser to the IP address you entered in the steps above.

Troubleshooting

If there is no traffic on the map, it is probably because DataServer.py is not working. A restart is required.

sudo systemctl restart dataserver

*** Please note that it takes time to read the eve.json file from the beginning on every restart.

Please also note that you should not refresh or reload the page, as it will corrupt the map. You need to restart the browser instead.

REFERENCE

Traffic and Attack Map for Suricata

That's all! See you!


Wednesday, November 23, 2016

HOWTO : EveBox on Almond Croissants and Danish

EveBox is a web based Suricata "eve" event viewer for Elasticsearch. Elasticsearch is installed on Almond Croissants and Danish by default. However, EveBox is not installed by default; you need to install it yourself.

Almond Croissants is an Intrusion Detection and Prevention System, while Danish is an Intrusion Detection System. Almond Croissants and Danish are created by Samiux based on Suricata and released under GPL version 3.

Generally speaking, EveBox is for advanced Almond Croissants or Danish users.

Step 1a :

wget https://github.com/jasonish/evebox/releases/download/0.5.0/evebox-0.5.0-linux-amd64.zip
unzip evebox-0.5.0-linux-amd64.zip
sudo cp evebox-0.5.0-linux-amd64/evebox /usr/bin/


OR

Step 1b :

wget "https://bintray.com/jasonish/evebox-development/download_file?file_path=evebox-latest-linux-amd64.zip" -O evebox-latest-linux-amd64.zip
unzip evebox-latest-linux-amd64.zip
sudo cp evebox-0.6.0dev-linux-amd64/evebox /usr/bin/


Step 2 :

sudo nano /lib/systemd/system/evebox.service

[Unit]
Description=EveBox Web Interface
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/evebox -e http://localhost:9200
Restart=always

[Install]
WantedBy=multi-user.target


Step 3 :

sudo systemctl enable evebox.service
sudo systemctl start evebox.service


To access it, point your browser to :

http://[Almond Croissants IP address]:5636

Update or Upgrade

sudo systemctl stop evebox.service

Repeat Step 1a or 1b.

sudo systemctl start evebox.service

That's all! See you.


Sunday, November 13, 2016

[Review] MIUI 8



To better understand the features of MIUI 8, you need to watch this video.

That's all! See you.


Wednesday, November 09, 2016

[Review] Xiaomi Redmi Note 4



Brief Specifications

CPU : MTK Helio X20 2.1GHz (10-core)
RAM : 3GB
Storage : 64GB
GPU : Mali T880 MP4 700MHz
Display : 5.5 inches
Resolution : 1080x1920 pixels
Case : Metal
Battery : 4100mAh
Mobile : 4G/LTE (dual SIM or SIM with microSD)
OS : Android 6.0
NFC : Nil

Xiaomi Redmi Note 4 is a Chinese-brand Android smartphone released in October 2016. Its user interface is MIUI 8. Redmi Note 4 has the following outstanding features :

(A) Anti-Virus

It comes pre-installed with anti-virus apps, and you can choose either the "AVL" or the "Tencent" definitions, or both. If you enable "Scan before installing", all apps will be scanned before installation. The virus definitions are updated automatically.

(B) Backup and Restore

By default, "Mi Account" is not enabled. You need to register an account. Once you have registered, your phone will be fully backed up to "Mi Cloud" automatically, and you can restore from "Mi Cloud" when necessary.

(C) Featured tools

Some tools are pre-installed, such as a real "FM Radio", a barcode "Scanner", an audio "Recorder" and a "Compass", which are grouped under the "Tools" icon. Furthermore, "Mi Remote" is an IR remote controller for TVs and similar devices; it is grouped under the "More Apps" icon. In addition, "Mi Mover", located at "Settings" >> "Additional settings", can move apps and data from an old phone (a Xiaomi, for sure) to a new Xiaomi phone.

(D) Blacklist

You do not need a 3rd party blocker for calls and SMS, as one is pre-installed under the "Security" icon. It can block by telephone number, telephone number prefix or contact.

(E) Quick ball

A quick-access, customizable button on the screen (you can move it anywhere on the screen). It is disabled by default. You can enable it at "Settings" >> "Additional settings" >> "Quick ball". Once it is enabled, the default "Quick ball" has "Home", "Menu", "Lock", "Screenshot" and "Back". You can customize it as you wish.

(F) Other features

It has some other features, such as "Lite mode" for the elderly and "Second Space" for one phone with two different sets of settings; it is like having two devices on one phone. "Second Space" is located at "Settings". You can unlock the phone with your fingerprint. In addition, it can clear the cache when the phone has been locked for a certain time, 30 minutes by default, to save battery.

(G) Special features

You need to use the default "Clock" app instead of installing Google's. Otherwise, the alarm will not go off automatically.

Since it kills apps after a certain time (3 days by default) in order to free up memory, some apps that send notifications to another device (such as a sports watch) via Bluetooth will be dropped after the auto-clean. Meanwhile, when your phone has been locked for 30 minutes (the default), the battery saving function will clear the cache. However, it will also kill the running apps that send notifications. Therefore, you need to configure it manually as described here. By the way, it does not come with NFC.

(H) MIUI 8 Review In-Depth

The review of MIUI 8 is here.

That's all! See you.


Monday, November 07, 2016

HOWTO : Redmi Note 4 with Garmin fenix 3 HR Notification



Redmi Note 4 is a newly released Chinese-brand Android smartphone. Since the MIUI 8 user interface kills apps in memory after a certain time (3 days by default), your Garmin fenix 3 HR will not receive any notifications (such as Telegram or WhatsApp) via Redmi Note 4 after the auto clean-up.

However, these default settings can be changed so that the notifications keep working.

Option 1 (Stupid way) :

(1) Security icon >> Settings >> Cleaner >> Clean automatically >> Items to clean

Disable "Cache", "Packages" and "Residuals".

(2) Security icon >> Settings >> Scan app memory

Disable.

(3) Security icon >> Settings >> Battery usage >> Clear cache when device is locked

Set to "Never".

(4) Security icon >> Permissions >> Autostart

Enable "Connect", "Telegram" or "Whatsapp", "Voice Caller ID".

(5) Connect icon >> Settings >> Smart Notifications

Add and enable "Telegram" and/or "Whatsapp".

(6) Settings icon >> Bluetooth

Make sure fenix 3 HR is paired with the phone and bluetooth is enabled.


Option 2 (Smart Way) :

(A) Tap the "Menu" key at the bottom left corner of the phone. The screens of some running apps will be displayed. Swipe down on the app screens (such as "Connect", "Telegram", "Whatsapp", "Voice Caller ID") and select "Lock" to prevent the apps from being killed by the "Cleaning" feature. The "locked" apps keep running in the background until you unlock them.

(B) Connect icon >> Settings >> Smart Notifications

Add and enable "Telegram" and/or "Whatsapp".

(C) Settings icon >> Bluetooth

Make sure fenix 3 HR is paired with the phone and Bluetooth is enabled.

You may also need to do the following for some apps :

(D) Security icon >> Permissions >> Autostart

Enable "Connect", "Telegram" or "Whatsapp", "Voice Caller ID".


That's all! See you.


Monday, October 10, 2016

[RESEARCH] Cloudflare Can Be Bypassed

About two years ago, the CEO of Cloudflare (a cloud based Content Delivery Network, CDN) visited Hong Kong to promote their services after an unofficial referendum site (hosted by an anti-government party), which was protected by Cloudflare, came under a DDoS attack with about 400GB of traffic. From that day, Cloudflare became well known to all anti-government parties in Hong Kong. Most of their websites are now protected by it.

This cloud based CDN service provides DDoS protection, and the real IP addresses of the websites are hidden on purpose. Cloudflare has free and paid plans. The paid plan is equipped with a Web Application Firewall (WAF). However, this plan is not cheap, so some of the anti-government websites are not on it.

When you google the keyword "cloudflare bypass", it returns a lot of pages describing how to find out the real IP address of websites protected by Cloudflare. However, most websites are configured not to present their content properly when browsed by IP address. Therefore, finding out the real IP address of the website is not the way to bypass Cloudflare unless you want to attack the web server instead of the web application. Meanwhile, finding out the real IP address of the web servers is not easy, as it has been hidden properly recently.

To pentest those sites, you cannot use web vulnerability scanners without a WAF evasion feature, as they will be blocked. WAF evasion features for scanners are not common in the market. You need to pentest those sites manually. Once you find something interesting and suspect it is vulnerable to SQL injection, you need to confirm it with other SQLi takeover tools, such as SQLMap. Whether pentesting manually or with SQLMap, you need WAF evasion skills to complete the job.

Meanwhile, WordPress is very popular in Hong Kong too. If the target is a WordPress site, make sure you do not use WPScan to scan it, as your IP address will be banned for sure. Once your IP address is banned, there is no way to continue the pentesting.

I conducted research on bypassing Cloudflare with SQLMap, and it was successful with a WAF evasion technique. No matter whether it is the free or the paid plan, Cloudflare can be bypassed for sure. I am not working for Cloudflare and I do not want any bounty. Therefore, I am not going to share my detailed research here, as disclosing it would alert Cloudflare to improve their WAF. I am sure that some other researchers out there have already bypassed Cloudflare too. Meanwhile, the other OWASP Top 10 issues and other cloud based WAFs were not tested in this research.

REFERENCE

(1) Cloudflare
(2) OWASP Top Ten Project


That's all! See you.


Thursday, September 22, 2016

HOWTO : Hardening Mobile Devices with Intrusion Prevention System

The internet security of mobile devices (such as smartphones, tablets and laptops) has become very important today. How to secure them is a big problem. Since the monthly cost of anti-virus per device is not cheap, most users install the free version of such apps (or programs). However, the free version protects the device on demand only. When you have many mobile devices, you will pull your hair out securing them. Meanwhile, anti-virus apps (or programs) are designed only to prevent your devices from being infected by malware. They cannot protect you from web based attacks, such as Cross-Site Scripting (XSS) and phishing.

Not all browsers can protect you from XSS and phishing by default or via plugins. Most Unified Threat Management (UTM) systems (also known as Next Generation Firewalls) are equipped with anti-virus, spam blocker, web filter, advertising blocker, firewall, intrusion prevention and phish blocker. However, not all UTMs have a good intrusion prevention system.

Not all Intrusion Prevention Systems (IPS) can detect XSS, phishing, spam, viruses and advertising or do web filtering. If you have a UTM or IPS that provides all the protection mentioned, you can secure your mobile devices by installing a VPN server, such as OpenVPN. Some UTMs have a VPN, but it does not allow users to reach the internet through it.

Mobile devices connect to your network, which is hardened by the UTM or IPS, via the VPN. The mobile devices can then surf the internet just as if they were inside your network. As a result, the mobile devices are protected by the UTM or IPS as well.

The open source project Almond Croissants is an Intrusion Prevention System that provides all the protection mentioned above. However, it is not a silver bullet. As I always say, "The risk is not that your system is vulnerable; the risk is that you think your system is secure".

By the way, make sure you disable any sharing function on your mobile device.

REFERENCE

(1) Almond Croissants - Intrusion Detection and Prevention System
(2) How To Set Up an OpenVPN Server on Ubuntu 16.04

That's all! See you.


Saturday, September 10, 2016

Firefox 48.0 Is Not Vulnerable To Reverse Tabnabbing

What is Tabnabbing?

According to Wikipedia, Tabnabbing is a computer exploit and phishing attack, which persuades users to submit their login details and passwords to popular websites by impersonating those sites and convincing the user that the site is genuine.

The attack's name was coined in early 2010 by Aza Raskin, a security researcher and design expert. The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of modern web pages to rewrite tabs and their contents a long time after the page is loaded.

Tabnabbing operates in reverse of most phishing attacks in that it doesn’t ask users to click on an obfuscated link but instead loads a fake page in one of the open tabs in your browser.

What's New?

Recently, security researchers found a new attack vector. A lot of websites code their links with target="_blank", and attackers can use this vulnerability to attack the client's browser.

How to avoid it?

If you are a website administrator or developer, please change all such links from :

target="_blank"

to :

target="_blank" rel="noopener noreferrer"

If you are a user/client, you need to use a browser that is not vulnerable, such as Firefox 34.0 or higher.
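As an added example (not code from the original post or from the blankshield project), the following Node.js snippet audits an HTML document for target="_blank" links that lack the rel tokens recommended above and rewrites them; the sample markup is constructed.

```javascript
// Added example, not code from the original post or from blankshield: audit an
// HTML document for <a target="_blank"> links that lack the rel tokens the post
// recommends, and rewrite them. Runs under Node.js on plain strings (no DOM).
// The sample markup below is constructed for the demonstration.

const REQUIRED_REL = ['noopener', 'noreferrer'];
const ANCHOR_RE = /<a\b[^>]*>/gi;
const ATTR_RE = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attributes of one opening tag into an object keyed by lowercase name.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = [m[2], m[3], m[4]].find((v) => v !== undefined) || '';
  }
  return attrs;
}

// Return the rel tokens a given <a> tag still needs. Only anchors that open a
// new browsing context (target="_blank") give the opened page a window.opener,
// so other anchors need nothing. Spec-wise noreferrer implies noopener, but
// the post's fix sets both, so both are required here.
function missingRelTokens(tag) {
  const attrs = parseAttrs(tag);
  if ((attrs.target || '').toLowerCase() !== '_blank') return [];
  const present = new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  return REQUIRED_REL.filter((token) => !present.has(token));
}

// List every offending anchor in an HTML string with the tokens it is missing.
function findUnsafeBlankLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const missing = missingRelTokens(m[0]);
    if (missing.length) findings.push({ tag: m[0], missing });
  }
  return findings;
}

// Rewrite the HTML so every target="_blank" anchor carries both tokens,
// keeping any rel values (e.g. nofollow) the author already set.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    const missing = missingRelTokens(tag);
    if (!missing.length) return tag;
    const attrs = parseAttrs(tag);
    if (attrs.rel !== undefined) {
      const merged = attrs.rel.split(/\s+/).filter(Boolean).concat(missing).join(' ');
      return tag.replace(/(\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, `$1rel="${merged}"`);
    }
    return tag.replace(/\s*(\/?)>$/, (_, slash) => ` rel="${missing.join(' ')}"${slash}>`);
  });
}

// Constructed sample page: two unsafe links, one already hardened, one same-tab link.
const SAMPLE_HTML = [
  '<p><a href="https://example.test/a" target="_blank">one</a>',
  '<a href="https://example.test/b" target="_blank" rel="nofollow">two</a>',
  "<a href='https://example.test/c' target='_BLANK' rel='noopener noreferrer'>three</a>",
  '<a href="https://example.test/d">same tab</a></p>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findUnsafeBlankLinks(SAMPLE_HTML));
  console.log(hardenBlankLinks(SAMPLE_HTML));
}
```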

I tested Edge, Chrome, Safari and Firefox on Android, Linux, iOS, Windows and Mac OSX, with the following results.

Vulnerable -
Safari for Mac OSX 9.1.3 (11601.7.8)
Safari for iOS (iPad) 9.3.5
Safari for iOS (iPhone) 9.3.5
Android Browser 42.0.2311.1179 (Default browser for OnePlus One 6.0.1)
Chrome for Mac OSX 53.0.2785.101
Chrome for Android 52.0.2743.98 (Default browser of Nexus 5 6.0.1)
Chrome for Android 53.0.2785.97
Chrome for iOS (iPad) 53.0.2785.86
Firefox for iOS (iPad) 5.2 (1)*

Not Vulnerable -
Firefox for Android 48.0
Firefox for Linux 48.0
Firefox ESR for Linux 45.3.0
Firefox for Mac OSX 48.0
Edge for Windows 25.10586.0.0

Please note that Google will not fix this "vulnerability" in Chrome; please see their explanation here.

*Another thing to note is that Firefox for iOS is also vulnerable. Meanwhile, Chrome for Linux was not tested.

How do I test my browsers?

Please go to the Blankshield & Reverse Tabnabbing Attacks Demo Page. If you see the following message on the first line, your browser is not vulnerable. Otherwise, your browser is vulnerable to this attack.

"You are not using a vulnerable browser."

If your browser is vulnerable to this attack, the page should look like this.

Demo Video

Reference

(1) https://github.com/danielstjules/blankshield
(2) https://danielstjules.github.io/blankshield/
(3) http://news.softpedia.com/news/adding-target-blank-to-your-links-opens-the-door-for-phishing-attacks-507851.shtml
(4) https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener
(5) http://davidebove.com/blog/2016/05/05/target_blank-the-vulnerability-in-your-browser/
(6) https://en.wikipedia.org/wiki/Tabnabbing

That's why I love Firefox so much!

That's all! See you.

Friday, August 19, 2016

HOWTO : Oracle Ksplice on Ubuntu 16.04 LTS

Oracle Ksplice provides kernel updates for Ubuntu and Fedora Linux without reboots, free of charge. Ksplice works properly on both Desktop and Server versions, as it has graphical and command line interfaces.

This guide shows you how to install Ksplice on Ubuntu 16.04 LTS (Desktop or Server version).

Step 1 :

sudo apt-get install libgtk2-perl consolekit iproute libck-connector0 libcroco3 libglade2-0 libpam-ck-connector librsvg2-2 librsvg2-common python-cairo python-dbus python-gi python-glade2 python-gobject-2 python-gtk2 python-pycurl python-yaml dbus-x11

Step 2 :

wget https://ksplice.oracle.com/uptrack/dist/xenial/ksplice-uptrack.deb

sudo dpkg -i ksplice-uptrack.deb

Step 3 :

sudo nano /etc/uptrack/uptrack.conf

Change the following setting as shown :

autoinstall = yes

Step 4 :

Usage on the CLI :

sudo uptrack-upgrade -y

Reference

User Guide

That's all! See you.


Thursday, August 18, 2016

HOWTO : Hardening and Tuning Ubuntu 16.04 LTS

This guide will lead you through hardening and tuning your Ubuntu 16.04 in a few steps without any expense. As an information security enthusiast, my Ubuntu box is set up as follows, and I use the box every day.

Kernel Hardening and Tuning

Make sure you have enabled "No Execute (NX)" or "Execute Disable (XD)" in the BIOS/UEFI.

sudo nano /etc/sysctl.conf

To make it look like the following :



To reload it :

sudo sysctl -p

ARP Spoofing

One of the most common attacks is the Man In The Middle attack, which can be combined with browser attacks too. This guide will help protect your Ubuntu from ARP spoofing. Meanwhile, make sure to set the ARP related settings on your router if the feature is available. Most home routers have no such feature.

HOWTO : ArpON on Ubuntu 16.04 LTS

Anti-Malware

Most Linux users (including advanced users) wrongly believe that Linux can never be infected with malware. However, that is not true. Almost all operating systems face such threats.

HOWTO : ClamAV 0.99 on Ubuntu 16.04 LTS

This guide will lead you to set up ClamAV for "Scan On Access" instead of "Scan On Demand".

Storage Performance Tuning

(A) SSD

Verify TRIM is supported :

sudo hdparm -I /dev/sda | grep TRIM

If the output is similar to the line below, TRIM is supported :

* Data Set Management TRIM supported (limit 1 block)

If you installed Ubuntu on LVM, TRIM is usually enabled by default. You can confirm it :

grep issue_discards /etc/lvm/lvm.conf

If the output is similar to the line below, it is enabled :

issue_discards = 1

Then set the I/O scheduler to "deadline" if it is not already. Check the current one (the active scheduler is shown in brackets) :

cat /sys/block/sda/queue/scheduler

noop [deadline] cfq

If not, set it :

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler


* Make sure your device is sda (or sdb ...)

To apply it without rebooting, run the following (or reboot your system) :

sudo /etc/rc.local

After that, you need to edit the partition table (/etc/fstab) so that the root entry looks like the following :

/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you get an error after running the above commands, DO NOT reboot your system. Correct the typo first; otherwise, you will not be able to boot your system again.

You can also add "scsi_mod.use_blk_mq=1" to the kernel parameters, for example in "/etc/default/grub".

(B) Hard Drive

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests


* Make sure your device is sda (or sdb ...)

To apply it without rebooting, run the following (or reboot your system) :

sudo /etc/rc.local

After that, you need to edit the partition table (/etc/fstab) so that the root entry looks like the following :

ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you get an error after running the above commands, DO NOT reboot your system. Correct the typo in /etc/fstab first; otherwise, your system will not boot again.
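As an added example (not part of the original post), the following script checks the settings changed in the SSD and hard drive sections above before you reboot. It parses the hdparm, scheduler and fstab text the post asks you to inspect, and it warns when the root entry in /etc/fstab does not have the six fields mount expects, which is exactly the typo that leaves a box unbootable. The device name argument and the helper functions are this example's own; it assumes sudo and hdparm are available for the TRIM check.

```bash
#!/bin/sh
# Added example, not from the original post: pre-reboot sanity checks for the
# storage tuning steps. The parsers take text arguments so they can be tested
# without touching the live system.

# trim_supported HDPARM_OUTPUT -> 0 if "hdparm -I" output advertises TRIM
trim_supported() {
    printf '%s\n' "$1" | grep -q 'Data Set Management TRIM supported'
}

# active_scheduler SCHEDULER_LINE -> prints the bracketed scheduler,
# e.g. "noop [deadline] cfq" -> "deadline"
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# fstab_root_options FSTAB_CONTENT -> prints the mount options of the "/" entry
fstab_root_options() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/" { print $4; exit }'
}

# has_option OPTIONS NAME -> 0 if NAME is one of the comma separated OPTIONS
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# fstab_root_fields_ok FSTAB_CONTENT -> 0 if the "/" entry has exactly the six
# fields mount expects; a missing or extra field here is what breaks booting
fstab_root_fields_ok() {
    n=$(printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/" { print NF; exit }')
    [ "${n:-0}" -eq 6 ]
}

# check_device DEV (e.g. sda): report the live values the post's steps change
check_device() {
    dev=$1
    sched=$(cat "/sys/block/$dev/queue/scheduler" 2>/dev/null) || {
        echo "no such block device: $dev" >&2
        return 1
    }
    echo "scheduler:     $(active_scheduler "$sched")"
    echo "read_ahead_kb: $(cat "/sys/block/$dev/queue/read_ahead_kb")"
    echo "nr_requests:   $(cat "/sys/block/$dev/queue/nr_requests")"
    if command -v hdparm >/dev/null 2>&1; then
        if trim_supported "$(sudo hdparm -I "/dev/$dev" 2>/dev/null)"; then
            echo "TRIM:          supported"
        else
            echo "TRIM:          not advertised"
        fi
    fi
    fstab=$(cat /etc/fstab)
    opts=$(fstab_root_options "$fstab")
    echo "root options:  $opts"
    fstab_root_fields_ok "$fstab" ||
        echo "WARNING: the / entry in /etc/fstab does not have 6 fields; fix it before rebooting"
    has_option "$opts" noatime || echo "note: noatime is not set on /"
}

# Usage: sh storage-check.sh sda
if [ "$#" -gt 0 ]; then
    check_device "$1"
fi
```

Run it with the device name you used in /etc/rc.local; it only reads, so it is safe to run repeatedly, and the fstab warning is the one to take seriously before "sudo mount -o remount /" or a reboot.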

Firefox Hardening and Tuning

Most attacks nowadays arrive via the browser. Therefore, we need to protect ourselves even when we are using Linux.

(A) Apparmor For Firefox

AppArmor is a Linux Security Module implementation of name-based access controls.

sudo apt-get update
sudo apt-get install apparmor-utils apparmor-profiles


sudo nano /etc/apparmor.d/usr.bin.firefox

Edit it to look like the following (this profile is compatible with Firefox 51.0.1 or later) :



Enable the profile by removing the symlink that disables it :

sudo rm /etc/apparmor.d/disable/usr.bin.firefox

Reload the rules :

sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

(B) Firefox Add-ons

NoScript

Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.

* You are not required to keep script blocking enabled, as it blocks the JavaScript that most modern websites rely on. You can allow scripts globally and still keep NoScript's XSS protection enabled by default.

uBlock Origin (Optional)

Finally, an efficient blocker. Easy on CPU and memory. (Please refer to the official site for details)

WebRTC Control

Have control over WebRTC (disable or enable) and protect your IP address.

BetterPrivacy

Remove or manage a new and uncommon kind of cookie, better known as LSOs. The BetterPrivacy safeguard offers various ways to handle Flash cookies set by Google, YouTube, eBay and others...

HTTPS Everywhere

Encrypt the web! HTTPS Everywhere is a Firefox extension to protect your communications by enabling HTTPS encryption automatically on sites that are known to support it, even when you type URLs or follow links that omit the https: prefix.

Speed Tweaks (SpeedyFox)

This extension provides a list of almost all the settings that you may need to alter in order to enhance Firefox's speed.

(C) Optional

(1) Firefox Add-ons :

User-Agent Switcher

The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of a browser.

Youtube High Definition

YouTube High Definition is a powerful tool that will let you automatically play all YouTube videos in HD (High Definition), turn off annotations, change video player size, auto stop videos, auto mute videos, control embedded videos and much more.

Youtube Flash-Html5

Play YouTube Videos in Flash or HTML5 Player.

(2) Browse with "New Private Window" feature

Finally, you may consider using an Intrusion Detection and Prevention System (IDPS) to protect your network. My project "Almond Croissants" is an IDPS that can be deployed on your network (in front of and/or behind the router). You may also consider using TOR to protect your privacy with my project "NightHawk".

Reference

WebRTC IPS

IP Leak

That's all! See you.


HOWTO : ClamAV 0.99 on Ubuntu 16.04 LTS

Clam AntiVirus (ClamAV) is a free and open-source, cross-platform antivirus software tool-kit able to detect many types of malicious software, including viruses.

This guide shows you how to set up ClamAV for "Scan On Access" instead of "Scan On Demand". It targets desktop usage only.

The current version at this writing is ClamAV 0.99.

Step 1 :

sudo apt-get install clamav clamav-freshclam clamav-daemon libclamunrar7

Step 2 :

sudo nano /etc/clamav/clamd.conf

Edit the entries to look like the following. Make sure to replace "samiux" with your username.


cd ~
mkdir quarantine


Step 3 :

sudo nano /etc/clamav/freshclam.conf

Edit the entries to look like the following.



sudo systemctl enable clamav-daemon
sudo systemctl restart clamav-daemon
sudo freshclam


Remark :

Downloading or copying a file will not trigger the ClamAV scan, but browsing or executing it (etc.) will. If any malware or virus (whether it targets Windows, Linux or Mac OS X) is detected, the file is moved to the "quarantine" directory. You can also check the log at "/var/log/clamav/clamav.log". Be aware that ClamAV may produce a lot of false positive warnings on Linux.

Testing :

You can install harmless virus test files for testing.

sudo apt-get install clamav-testfiles

The harmless virus test files are located at "/usr/share/clamav-testfiles".
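The post's clamd.conf content is not reproduced here, so as an added example (not the author's configuration) here is one way to implement the "moved to quarantine" behaviour described in the remark above: a small handler that clamd runs for every detection. It assumes clamd.conf carries a VirusEvent line pointing at this script (ClamAV exports the detected path and signature name to that command as CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME), and it assumes the quarantine directory created in Step 2 and a log file path of my own choosing.

```bash
#!/bin/sh
# Added example, not from the original post: VirusEvent handler for clamd.
# Assumed clamd.conf line:  VirusEvent /usr/local/bin/clam-quarantine.sh
# clamd runs this as its own user (clamav), so that user must be allowed to
# write into the quarantine directory and the log file.

# quarantine_file FILE VIRUSNAME QUARANTINE_DIR LOGFILE
# Moves FILE to QUARANTINE_DIR/<timestamp>_<sanitized name>.quarantined
# without overwriting an earlier sample, drops all permissions except owner
# read/write, and appends one tab separated line to LOGFILE.
# Returns 0 on success, 1 if FILE is not a regular file or the move failed.
quarantine_file() {
    file=$1; virus=$2; qdir=$3; log=$4
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    mkdir -p "$qdir" && chmod 700 "$qdir"
    # keep only safe characters in the stored name; the original path is logged
    base=$(printf '%s' "$(basename "$file")" | tr -c 'A-Za-z0-9._-' '_')
    stamp=$(date +%Y%m%d%H%M%S)
    dest="$qdir/${stamp}_${base}.quarantined"
    n=0
    while [ -e "$dest" ]; do
        n=$((n + 1))
        dest="$qdir/${stamp}_${base}.${n}.quarantined"
    done
    mv -f "$file" "$dest" || return 1
    chmod 600 "$dest"
    printf '%s\t%s\t%s\t%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$virus" "$file" "$dest" >> "$log"
}

# Entry point used by clamd: the detection arrives in the environment.
if [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then
    quarantine_file "$CLAM_VIRUSEVENT_FILENAME" "${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}" \
        "${QUARANTINE_DIR:-/home/samiux/quarantine}" \
        "${QUARANTINE_LOG:-/var/log/clamav/quarantine.log}"
fi
```

The ".quarantined" suffix and the 0600 mode stop a quarantined sample from being opened by a double click or executed by accident; the log keeps the original path so the owner can decide whether it was a false positive. You can exercise it with the clamav-testfiles package mentioned above.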

Reference

AppArmor Wiki

That's all! See you.


HOWTO : ArpON on Ubuntu 16.04 LTS

ArpON (ARP handler inspection) is a portable handler daemon that makes the ARP protocol secure in order to avoid Man In The Middle (MITM) attacks through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing (APR). It also blocks the attacks derived from them, such as Sniffing, Hijacking, Injection and Filtering, and the more complex attacks built on those, such as DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking.

Step 1 :

sudo apt-get update
sudo apt-get install arpon


Step 2 :

sudo nano /etc/default/arpon

Uncomment the DARPI and RUN lines and make sure they look like the following :

DAEMON_OPTS="-q -f /var/log/arpon/arpon.log -g -D"
RUN="yes"

Step 3 :

sudo systemctl enable arpon
sudo systemctl restart arpon


That's all! See you.


VirtualBox 5.0.x Headless with PHPVirtualBox 5.0.x

VirtualBox is a virtual machine monitor that can run on desktops and servers. We can run VirtualBox as a server (headless mode) with PHPVirtualBox as the front end. PHPVirtualBox runs flawlessly with Apache; however, I would like it to run on Hiawatha. No database is required for headless mode.

Part A - Hardware

Motherboard : ASRock Rack C2750D4I server board
CPU : Intel Atom C2750
RAM : 4 x 8GB (32GB) DDR3-1600
Hard Drive : 2 x Western Digital 4TB WD4000F9YZ

The Western Digital 4TB WD4000F9YZ is not certified by ASRock, so it cannot boot from the SATA3 ports. The SATA2 ports are used in this case.

The performance of the C2750 is similar to the Xeon E3-1220L. Please see the comparison page here.

The power consumption of this setup is between 30W to 80W.

Make sure you have enabled "Virtualization" (VT-x) in the BIOS.

Part B - Software

Operating System : Ubuntu Server 16.04.1 LTS
Virtual Machine : VirtualBox 5.0.30
Front End : PHPVirtualBox 5.0.5
Web Server : Hiawatha
RAID : Software RAID 1

Part C - Installation

Part C.1 - Operating System and Software RAID 1 Installation

RAID 1 requires two hard drives for the installation. When you are installing Ubuntu Server 14.04.2 LTS, you are required to do the partitioning. Select "Automatically partitioning" for each drive. The partitions will be (1) 1MB for "biosgrub"; (2) free space for the root directory; and (3) free space for SWAP.

Then select "Configure Software RAID" to configure Software RAID 1 on the free space for the root directory and the free space for SWAP partitions. Do not RAID the "biosgrub" partitions. Set the "Free Space for root directory" to be mounted at "/" and used as "Ext4 journaling file system". Set the "Free Space for SWAP" to be used as "SWAP".

Finally, you should select to install "OpenSSH" when asked.

After the installation, your box can be booted up as expected. You can check the status of Software RAID 1 by the following commands :

cat /proc/mdstat

mdadm --detail /dev/md0
mdadm --detail /dev/md1


Part C.2 - VirtualBox Installation

After the Ubuntu Server 16.04.1 LTS is installed, you can install VirtualBox on it.

sudo nano /etc/apt/sources.list.d/vbox.list

Append the following line to it :

deb http://download.virtualbox.org/virtualbox/debian xenial contrib

Save it.

wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -

sudo apt-get update
sudo apt-get install dkms unzip
sudo apt-get install virtualbox-5.0


wget http://download.virtualbox.org/virtualbox/5.0.30/Oracle_VM_VirtualBox_Extension_Pack-5.0.30-112061.vbox-extpack

sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-5.0.30-112061.vbox-extpack

To uninstall Extension Pack :

sudo VBoxManage extpack uninstall "Oracle VM VirtualBox Extension Pack"

Part C.3 - Hiawatha Web Server Installation

sudo apt-get install php-common php7.0-cli php7.0-common php7.0-curl php7.0-gd php7.0-imap php7.0-intl php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-mysql php7.0-readline php7.0-xml php7.0-zip php7.0-pgsql php7.0-sqlite3 php7.0-fpm php-apcu mysql-server mysql-client php7.0-cgi apache2-utils php7.0-soap

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

wget http://www.cmake.org/files/v3.6/cmake-3.6.2.tar.gz
tar -xvzf cmake-3.6.2.tar.gz
cd cmake-3.6.2
./configure
make
sudo make install


wget http://www.hiawatha-webserver.org/files/hiawatha-10.4.tar.gz
tar -xzvf hiawatha-10.4.tar.gz
cd hiawatha-10.4/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_10.4_amd64.deb


sudo systemctl enable hiawatha

sudo nano /etc/php/7.0/fpm/php.ini

Make the following changes :

zlib.output_compression = On
zlib.output_compression_level = 6
cgi.rfc2616_headers = 1


Append the following to the php-fpm.conf.

sudo nano /etc/php/7.0/fpm/php-fpm.conf

[www]
user = www-data
group = www-data
listen.mode = 0666
listen = /var/run/php/php7.0-fpm.sock
pm = static
pm.max_children = 100
chdir = /


sudo nano /etc/hiawatha/hiawatha.conf



sudo mkdir /etc/hiawatha/enable-sites
sudo mkdir /etc/hiawatha/disable-sites


sudo nano /etc/hiawatha/enable-sites/vbox.local



Make sure to change the "Hostname" to your IP address.

Part C.4 - PHPVirtualBox Installation

sudo adduser --ingroup vboxusers vbox

Enter a password when prompted. Make sure you use a simple password, as symbols are not accepted by VirtualBox.

wget "http://downloads.sourceforge.net/project/phpvirtualbox/phpvirtualbox-5.0-5.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fphpvirtualbox%2F&ts=1476606079&use_mirror=ncu" -O phpvirtualbox-5.0.5.zip
sudo unzip phpvirtualbox-5.0.5.zip -d /var/www/
sudo mv /var/www/phpvirtualbox-5.0.5/ /var/www/vbox
cd /var/www/vbox
sudo cp config.php-example config.php
sudo nano config.php


Change "$username" to "vbox" and "$password" to the password you just entered.

Change "$consoleHost" to your IP address, such as "192.168.1.120"

Uncomment (remove the "#" in front of) "$enableAdvancedConfig = true;" and "$startStopConfig = true;"

sudo nano /etc/default/virtualbox

Append the following line to the empty file :

VBOXWEB_USER=vbox
VBOXWEB_HOST=127.0.0.1


sudo cp /var/www/vbox/vboxinit /etc/init.d/vboxinit
sudo update-rc.d vboxinit defaults


sudo systemctl enable vboxweb-service
sudo systemctl start vboxweb-service


Now, you can browse to http://[your-server-ip]/index.html, e.g. http://192.168.1.120/index.html.

Log in with "admin" as the username and "admin" as the password. Change this default password right after the first login.

You can copy the iso files to /home/samiux/iso for example by scp command.

Make sure you have installed "Guest Additions" on all virtual desktop guests. Meanwhile, you need Flash to run the guest VNC console.



If you want to browse with http://[your-server-ip]/ only, you need to do the following :

sudo cp /var/www/vbox/index.html /var/www/vbox/index.php

Troubleshooting

For phpvirtualbox login error when php7.0 is updated :

sudo /etc/init.d/php7.0-fpm restart

For phpvirtualbox guest vm showing "saved" or "poweroff" :

sudo systemctl restart vboxweb-service

Before upgrading VirtualBox, make sure all your virtual machines (guests) have been shut down. Then, stop the VirtualBox :

sudo systemctl stop vboxdrv
sudo systemctl stop vboxweb-service


If the Linux kernel is updated but the VirtualBox kernel module was not rebuilt by DKMS properly, you need to run :

sudo /sbin/rcvboxdrv setup

If you encounter "Uninstalling old VirtualBox DKMS kernel modulesError! Could not locate dkms.conf file." when upgrading, you need to delete the source directory of the previous version :

sudo rm -rf /var/lib/dkms/vboxhost/[previous version]

e.g. /var/lib/dkms/vboxhost/5.0.28

dkms status

After that, run the following commands or reboot the box.

sudo systemctl start vboxdrv
sudo systemctl start vboxweb-service


Then, start all virtual machines in web interface.
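As an added example (not from the original post), the following script covers the two checks the troubleshooting section relies on before an upgrade: that no guest is still running before vboxdrv and vboxweb-service are stopped, and which directories under /var/lib/dkms/vboxhost belong to an older version than the one installed. The /var/lib/dkms/vboxhost path and the vbox user come from the post; the helper names, and the assumption that VBoxManage is run as the vbox user that owns the guests, are this example's own.

```bash
#!/bin/sh
# Added example, not from the original post: pre-upgrade checks for a headless
# VirtualBox host. The parsers take text so they can be tested without VirtualBox.

# running_vm_names LIST_OUTPUT: "VBoxManage list runningvms" prints one
# "name" {uuid} line per running guest; print just the names.
running_vm_names() {
    printf '%s\n' "$1" | sed -n 's/^"\(.*\)" {[0-9a-fA-F-]*}$/\1/p'
}

# installed_version VERSION_OUTPUT: "VBoxManage --version" prints e.g.
# 5.0.30r112061; keep the part before the build number so it matches the
# DKMS source directory name.
installed_version() {
    printf '%s\n' "$1" | sed 's/r[0-9]*$//'
}

# stale_dkms_versions DKMS_DIR CURRENT: print every version directory under
# DKMS_DIR that is not CURRENT; those are the candidates for "rm -rf".
stale_dkms_versions() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        v=$(basename "$d")
        [ "$v" = "$2" ] || printf '%s\n' "$v"
    done
}

# pre_upgrade_check: refuse to continue while guests are running, then list
# stale DKMS sources. Returns 1 if guests are running, 2 if VBoxManage is missing.
pre_upgrade_check() {
    command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not found" >&2; return 2; }
    running=$(running_vm_names "$(sudo -u vbox VBoxManage list runningvms)")
    if [ -n "$running" ]; then
        echo "guests still running, shut these down in the web interface first:"
        printf '%s\n' "$running" | sed 's/^/  /'
        return 1
    fi
    cur=$(installed_version "$(VBoxManage --version)")
    stale=$(stale_dkms_versions /var/lib/dkms/vboxhost "$cur")
    if [ -n "$stale" ]; then
        echo "DKMS sources older than $cur (remove after the upgrade if dkms complains):"
        printf '%s\n' "$stale" | sed 's|^|  /var/lib/dkms/vboxhost/|'
    fi
    echo "no guests running; you can stop vboxdrv and vboxweb-service now"
}

# Usage: sh vbox-pre-upgrade.sh
if [ "$#" -gt 0 ] && [ "$1" = "--check" ]; then
    pre_upgrade_check
fi
```

Run it with "--check" before the "systemctl stop" commands above; a saved-state or running guest that is still open when the kernel module is unloaded is what produces the "saved" and "poweroff" confusion in the web interface.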


That's all! See you.

Friday, August 05, 2016

HOWTO : Cooler CPU on Kali Linux 2016.1

Generally speaking, a more powerful CPU generates more heat. However, a cooler CPU may provide better performance in some situations. The following guide is for Kali Linux 2016.1 or Debian Linux.

Step 1 :

apt-get install linux-cpupower cpufrequtils thermald

Step 2 :

cpupower frequency-set -g powersave

Step 3 :

nano /etc/rc.local

Place the following line right before "exit 0".

cpupower frequency-set -g powersave

Remarks :

(1) To check the result :

watch -n 1 -d sensors

(2) To reset to "performance" or "ondemand", just replace "powersave" with "performance" or "ondemand".

That's all! See you.


Wednesday, July 20, 2016

HOWTO : Cooler CPU under Ubuntu 16.04 LTS

The faster the CPU, the more heat it generates. If your computer (desktop, laptop or server) suffers from CPU overheating, you need to slow the CPU down in order to keep it cooler. A cooler CPU gives better performance in some situations.

Step 1 :

sudo apt-get install linux-tools-common linux-tools-generic cpufrequtils thermald

Step 2 :

Insert the following line to "/etc/rc.local" and before "exit 0" :

sudo cpupower frequency-set -g powersave

Step 3 :

sudo sed -i 's/^GOVERNOR=.*/GOVERNOR="powersave"/' /etc/init.d/cpufrequtils

Step 4 :

Reboot your box

Remark :

To roll back, just replace "powersave" with "ondemand" or "performance".

That's all! See you.


Monday, June 06, 2016

HOWTO : Downgrade from PHP7.0 to PHP5.6 on Ubuntu 16.04 LTS

When you upgrade to Ubuntu 16.04 LTS from Ubuntu 14.05 LTS, PHP5.6 will not be uninstalled or deleted. However, if you deleted it yourself and your web application is not compatible with PHP7.0, you need a way to downgrade back to PHP5.6. Here is the way, although some settings of the newly installed PHP5.6 will be similar to PHP7.0. Here you are :

sudo add-apt-repository ppa:ondrej/php
sudo apt-get update

sudo apt-get install php5.6-cgi php5.6 php5.6-cli php5.6-mysql php5.6-curl php5.6-gd php5.6-intl php-imagick php5.6-imap php5.6-mcrypt php-memcache php5.6-pspell php5.6-recode php5.6-sqlite3 php5.6-tidy php5.6-xmlrpc php5.6-xsl php-xcache php5.6-fpm

That's all! See you.


Thursday, June 02, 2016

HOWTO : OwnCloud 9.0.2 and Hiawatha 10.2 on Ubuntu 16.04 LTS

Step 1 - Update Ubuntu :

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get autoclean
sudo apt-get --purge autoremove


Step 2 - Hiawatha Installation :

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

wget https://cmake.org/files/v3.5/cmake-3.5.2.tar.gz
tar -xvzf cmake-3.5.2.tar.gz
cd cmake-3.5.2
./configure
make
sudo make install


wget http://www.hiawatha-webserver.org/files/hiawatha-10.2.tar.gz
tar -xzvf hiawatha-10.2.tar.gz
cd hiawatha-10.2/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_10.2_amd64.deb


sudo mkdir /etc/hiawatha/enable-sites

sudo nano /etc/hiawatha/hiawatha.conf

Add "SocketSendTimeout" just before "Binding Setting" :

SocketSendTimeout = 30

Add "MaxRequestSize" to "Binding Settings" :

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
    Port = 80
    # MaxRequestSize is 100GB
    MaxRequestSize = 104857600
    MaxUploadSize = 2047
    TimeForRequest = 5,50
    MaxKeepAlive = 14400
}


Append the following line at the end of the file :

Include /etc/hiawatha/enable-sites/

Create "owncloud" file at /etc/hiawatha/enable-sites :

sudo nano /etc/hiawatha/enable-sites/owncloud

VirtualHost {
    Hostname = [your domain or IP address here]
    WebsiteRoot = /var/www/owncloud
    StartFile = index.php
    AccessLogfile = /var/log/hiawatha/owncloud-access.log
    ErrorLogfile = /var/log/hiawatha/owncloud-error.log
    TimeForCGI = 14400
    WebDAVapp = yes
    UseFastCGI = PHP70
    UseToolkit = denyData
    EnablePathInfo = yes
}

UrlToolkit {
    ToolkitID = denyData
    Match ^/data DenyAccess
}

FastCGIserver {
    FastCGIid = PHP70
    ConnectTo = /var/run/php/php7.0-fpm.sock
    Extension = php
    SessionTimeout = 14400
}


sudo nano /etc/php/7.0/fpm/php-fpm.conf

Append the following lines at the end of the file :

; for OwnCloud
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

[www]
pm.max_children=1000
pm.start_servers=50
pm.min_spare_servers=25
pm.max_spare_servers=75


Step 3 - MySQL Setting :

sudo mysql -u root -p

create database owncloud;
GRANT ALL ON owncloud.* TO owncloud@'127.0.0.1' IDENTIFIED BY '[your password here]';
flush privileges;
quit


Step 4 - OwnCloud Installation :

wget -nv https://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.key -O Release.key
sudo apt-key add - < Release.key

rm Release.key

sudo sh -c "echo 'deb http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/ /' >> /etc/apt/sources.list.d/owncloud.list"
sudo apt-get update
sudo apt-get install owncloud-files


sudo apt-get install exim4 exim4-base exim4-config exim4-daemon-light libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.1-0 s-nail php-common php7.0-cli php7.0-common php7.0-curl php7.0-gd php7.0-imap php7.0-intl php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-mysql php7.0-readline php7.0-xml php7.0-zip php7.0-pgsql php7.0-sqlite3 php7.0-fpm php-apcu mysql-server mysql-client php7.0-cgi

sudo nano /var/www/owncloud/.user.ini

The content of the file may look like this :

upload_max_filesize=100G
post_max_size=100G
memory_limit=12G
mbstring.func_overload=0
always_populate_raw_post_data=-1
default_charset='UTF-8'
output_buffering=0
max_input_time=3600
max_execution_time=3600
upload_tmp_dir='/tmp/'
max_file_uploads=5000


sudo nano /var/www/owncloud/config/config.php

Insert the following line at the end of the configuration block :

'memcache.local' => '\OC\Memcache\APCu',

You may need to edit the following file of the client sync program when necessary :

sudo nano /etc/ownCloud/sync-exclude.lst

To restart OwnCloud and Hiawatha services :

sudo /etc/init.d/php7.0-fpm restart
sudo /etc/init.d/hiawatha restart


Remarks :

If you want HTTPS connections, you need to generate your own SSL certificate or purchase one. You can also use Let's Encrypt when necessary. If so, the "Binding settings" in Hiawatha should use "Port = 443".

That's all! See you.

Tuesday, May 17, 2016

HOWTO : edb-debugger on Ubuntu 16.04

edb is a cross platform x86/x86-64 debugger. It was inspired by Ollydbg, but aims to function on x86 and x86-64 as well as multiple OS's. Linux is the only officially supported platform at the moment, but FreeBSD, OpenBSD, OSX and Windows ports are underway with varying degrees of functionality.


Install

sudo apt-get install git build-essential libboost1.58-all-dev qt5-default libqt5xmlpatterns5-dev

cd ~
mkdir arsenal
cd arsenal
git clone --recursive https://github.com/eteran/edb-debugger.git
cd edb-debugger
./travis_install_capstone.sh
qmake
make
sudo make install
cd ~
sudo edb



Update/Upgrade

cd ~/arsenal
rm -R edb-debugger


Repeat the Install procedure as previous mentioned.


Reference

Wiki


That's all! See you.


Wednesday, April 20, 2016

[RESEARCH] Banks In Hong Kong Running With What Services

After the research on SSL certificate grading of banks in Hong Kong, I am going to do another piece of research on banks in Hong Kong to see what services they are running, such as web server or protection. I base it on the List of banks in Hong Kong. The standard site URL and the personal online banking URL have been tested for this purpose. Web application vulnerability testing is not in scope. The test was carried out on April 20, 2016.

DBS Bank (Hong Kong) 星展銀行(香港) and Standard Chartered Bank (Hong Kong) 渣打銀行 are running with Akamai, which provides DDoS/DoS protection to its clients. Meanwhile, Akamai also provides a Web Application Firewall (WAF) to its clients. A WAF can protect web applications from being attacked by SQLi, XSS, CSRF etc., even when the web applications have these kinds of vulnerabilities. I will not discuss WAF bypass here. Anyway, a WAF generally does the job well.

Public Bank (Hong Kong) 大眾銀行(香港) and Chong Hing Bank 創興銀行 are running with G2 Web Services, which is also considered to provide secure services.

It seems that almost all bank websites in Hong Kong are protected by a firewall and/or WAF, as I could not fetch any information from some of the sites during the test. It does not mean that the sites I could fetch information from are not protected by a firewall and/or WAF.

In conclusion, I am sure that DBS Bank (Hong Kong) 星展銀行(香港) and Standard Chartered Bank (Hong Kong) 渣打銀行 cannot be DDoS/DoS.

With reference to my previous research on SSL certificate, DBS Bank (Hong Kong) 星展銀行(香港) is the most secure bank in Hong Kong at the time of this writing. Their IT department is doing a great job on security. If their IT department can implement HPKP on the SSL certificate, it will be very great. Anyway, congratulations!

REFERENCE

The Personal Online Banking URL :

Bank of China (Hong Kong) 中國銀行(香港)
- Personal Customers - https://its.bochk.com/login/ibs_lgn_index_e.jsp
- System Details - Powered by: Servlet/3.0

Dah Sing Bank 大新銀行
- ebanking Personal - https://www.dahsing.com/eBank/jsp/login/ebank_id_login_frm.jsp
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

DBS Bank (Hong Kong) 星展銀行(香港)
- iBanking - https://internet-banking.hk.dbs.com/IB/Welcome
- System Details - Running on: AkamaiGHost

Public Bank (Hong Kong) 大眾銀行(香港)
- Net Banking - https://ebank.publicbank.com.hk/index0028.html
- System Details - Running on: G2

Shanghai Commercial Bank 上海商業銀行
- Personal Internet Banking - https://www.shacombank.com.hk/ibanking/servlet/com.ibm.dse.cs.servlet.CSEstablishSessionServlet/customer/en_US
- System Details - Running on: IBM_HTTP_Server

Standard Chartered Bank (Hong Kong) 渣打銀行
- Online Banking - https://ibank.standardchartered.com.hk/nfs/login.htm?lang=en_US
- System Details - Running on: AkamaiGHost

Wing Lung Bank 永隆銀行
- Personal Net Banking - https://www.winglungbank.com/EnNbMainR.html
- System Details - Running on: IBM_HTTP_Server

* No information could be obtained from the banks not in the list during the test.


The standard site URL :

China CITIC Bank International 中信銀行國際
- http://www.cncbinternational.com/home/en/index.jsp
- System Details - Powered by: Servlet/2.5

Chong Hing Bank 創興銀行
- http://www.chbank.com/en/index.shtml
- System Details - Running on: G2

Dah Sing Bank 大新銀行
- http://www.dahsing.com/en/html/index.html
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

DBS Bank (Hong Kong) 星展銀行(香港)
- https://www.dbs.com.hk/index/default.page
- System Details - Running on: AkamaiGHost

Fubon Bank (Hong Kong) 富邦銀行(香港)
- http://www.fubonbank.com.hk/web/html/index_e.html
- System Details - Powered by: Servlet/3.0

Industrial and Commercial Bank of China (Asia) 工銀亞洲
- http://www.icbcasia.com/ICBC/%E6%B5%B7%E5%A4%96%E5%88%86%E8%A1%8C/%E5%B7%A5%E9%93%B6%E4%BA%9A%E6%B4%B2/EN/
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

Public Bank (Hong Kong) 大眾銀行(香港)
- http://www.publicbank.com.hk/en/home
- System Details - Running on: G2

Shanghai Commercial Bank 上海商業銀行
- http://www.shacombank.com.hk/eng/personal/index.jsp
- System Details - Running on: IBM_HTTP_Server

Standard Chartered Bank (Hong Kong) 渣打銀行
- https://www.sc.com/hk/
- System Details - Running on: AkamaiGHost

Wing Lung Bank 永隆銀行
- http://www.winglungbank.com/wlb_corporate/en/index.html
- System Details - Running on: IBM_HTTP_Server

* No information could be obtained from the banks not in the list during the test.

That's all! See you.


Tuesday, April 19, 2016

[RESEARCH] SSL Certificate Grading of Banks in Hong Kong

In order to understand the information security situation in Hong Kong, I selected the websites of banks in Hong Kong for SSL certificate checking. The check is aimed at testing the strength of the SSL certificate, Man-In-The-Middle attack prevention and vulnerabilities. Web application vulnerabilities and corporate online banking are not in the testing scope. However, most SSL certificates may be shared with sub-domains.

The check is based on the "List of Banks In Hong Kong". I use the Qualys SSL Labs online testing tool for the check.

The result of the check (carried out on April 19, 2016) is ranked by SSL grade :

Grade A
DBS Bank (Hong Kong) 星展銀行(香港)

Grade A-
(1) Bank of China (Hong Kong) 中國銀行(香港)
(2) Bank of East Asia 東亞銀行
(3) China Construction Bank (Asia) 中國建設銀行(亞洲)
(4) Chong Hing Bank 創興銀行
(5) Citibank (Hong Kong) 花旗銀行
(6) Dah Sing Bank 大新銀行
(7) Fubon Bank (Hong Kong) 富邦銀行(香港)
(8) OCBC Wing Hang Bank 華僑永亨銀行
(9) Public Bank (Hong Kong) 大眾銀行(香港)
(10) Standard Chartered Bank (Hong Kong) 渣打銀行

Grade C
(1) Hang Seng Bank 恒生銀行
(2) Hongkong and Shanghai Banking Corporation 滙豐銀行
(3) Industrial and Commercial Bank of China (Asia) 工銀亞洲
(4) Shanghai Commercial Bank 上海商業銀行
(5) Wing Lung Bank 永隆銀行

Grade F
China CITIC Bank International 中信銀行國際

The following three banks have implemented HSTS (HTTP Strict Transport Security) to force the users' browsers to use an HTTPS connection. This gives some degree of Man-In-The-Middle (MITM) attack protection. However, HPKP (HTTP Public Key Pinning) is not implemented. Therefore, there is still a risk of MITM attack. Meanwhile, the China CITIC Bank International 中信銀行國際 website has the POODLE vulnerability in its SSL protocol, which brings its grade down to F.

(1) China CITIC Bank International 中信銀行國際
(2) Chong Hing Bank 創興銀行
(3) Fubon Bank (Hong Kong) 富邦銀行(香港)

Even the highest ranking bank, DBS Bank (Hong Kong) 星展銀行(香港), does not implement HPKP (HTTP Public Key Pinning), so it is at risk of Man-In-The-Middle attack even though it uses HSTS. Attackers can use a fake SSL certificate to bypass the HSTS protection when HPKP is not in force.

It is very interesting that the largest bank in Hong Kong (Hongkong and Shanghai Banking Corporation 滙豐銀行) only bears a Grade C. I wonder why no bank website in Hong Kong bears a Grade A+ SSL rating even though my personal site is graded A+.

[Edit several hours after the post :
I think the IT departments of the banks may misunderstand, or may not fully understand, the purpose of an SSL certificate for a website. In addition, they may not even know the limitation of HSTS, which can be bypassed by attackers. In my opinion, the best practice for SSL certificate implementation at the moment is to adopt HPKP to reduce the risk of MITM attacks.

A low grade is no excuse for backward compatibility with old browsers. Being compatible with old or vulnerable browsers will void the security of the website for sure. Some low-graded bank websites are even compatible with an insecure protocol (RC4 {please refer to the bottom of this article for details}), which sets a trap for their clients.]

In conclusion, all bank websites in Hong Kong face the risk of being attacked by Man-In-The-Middle attack. Based on this result, it is predicted that most websites in Hong Kong are not good at SSL grading.
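Both research posts above read facts out of HTTP response headers: the "Running on" and "Powered by" lines of the services post come from the Server and X-Powered-By headers, and the HSTS and HPKP findings of this post come from Strict-Transport-Security and Public-Key-Pins. As an added example (not part of either post, and not the SSL Labs tool the author used), the following script parses a header block and reports the same three things, so that an operator can check their own site before submitting it to SSL Labs. The function names, the constructed sample headers in the test and the 180-day threshold (the HSTS max-age SSL Labs expects for its bonus) are this example's own.

```bash
#!/bin/sh
# Added example, not from the original posts: report HSTS, HPKP and server
# disclosure from an HTTP response header block. Parsing takes the header text
# as an argument so it can be tested offline; check_url fetches it with curl.

# header_value HEADERS NAME: print the value of the first header named NAME
# (case-insensitive), or nothing if absent.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -v n="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -F': *' '
            tolower($1) == n { sub(/^[^:]*: */, ""); print; exit }'
}

# hsts_max_age HEADERS: print the max-age of Strict-Transport-Security, or 0
# when the header is absent or carries no usable max-age.
hsts_max_age() {
    v=$(header_value "$1" Strict-Transport-Security)
    printf '%s\n' "$v" | tr 'A-Z' 'a-z' |
        sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | grep . || echo 0
}

# header_report HEADERS: one finding per line.
header_report() {
    h=$1
    age=$(hsts_max_age "$h")
    if [ "$age" -ge 15552000 ]; then
        echo "HSTS: max-age=$age (ok)"
    elif [ "$age" -gt 0 ]; then
        echo "HSTS: max-age=$age (shorter than the 180 days SSL Labs expects)"
    else
        echo "HSTS: missing (browsers will still accept plain http:// for this host)"
    fi
    if [ -n "$(header_value "$h" Public-Key-Pins)" ]; then
        echo "HPKP: present"
    else
        echo "HPKP: missing (a mis-issued certificate would be accepted)"
    fi
    # Server / X-Powered-By are what the services post collected as
    # "Running on" and "Powered by"; a hardened site sends neither.
    for n in Server X-Powered-By; do
        v=$(header_value "$h" "$n")
        [ -n "$v" ] && echo "disclosure: $n: $v"
    done
    return 0
}

# check_url URL: fetch only the headers and report on them.
check_url() {
    command -v curl >/dev/null 2>&1 || { echo "curl not found" >&2; return 2; }
    header_report "$(curl -sI --max-time 10 "$1")"
}

# Usage: sh header-report.sh https://www.example.com/
if [ "$#" -gt 0 ]; then
    check_url "$1"
fi
```

The script only reads one response, so it cannot grade cipher suites or protocol versions the way SSL Labs does; it is the quick local check for the header-level findings the two posts discuss.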

REFERENCE

I only check the licensed banks incorporated in Hong Kong. The following is the summary of the checking :

Bank of China (Hong Kong) 中國銀行(香港)
- Personal Customers - https://its.bochk.com/login/ibs_lgn_index_e.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=its.bochk.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Bank of East Asia 東亞銀行
- Cyberbanking - https://mobile.hkbea-cyberbanking.com/servlet/FRLogon?Lang=Eng
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=mobile.hkbea-cyberbanking.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

China CITIC Bank International 中信銀行國際
- Personal - https://ibanking.cncbinternational.com/CKWPortal/appmanager/Portal/CKWPerson?isPPB=0&displayLang=en_US
- Overall Rating - F (https://www.ssllabs.com/ssltest/analyze.html?d=ibanking.cncbinternational.com)
- Vulnerable to POODLE (TLS) and HPKP is not in force. But HSTS is in force.

China Construction Bank (Asia) 中國建設銀行(亞洲)
- Personal Banking - https://online.asia.ccb.com/PersonalHKWeb/signin/SigninController.jpf
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=online.asia.ccb.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Chong Hing Bank 創興銀行
- i-Banking - https://www.ibanking.chbank.com/index0041.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.ibanking.chbank.com)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Citibank (Hong Kong) 花旗銀行
- Online - https://www.citibank.com.hk/HKGCB/JSO/signon/DisplayUsernameSignon.do?locale=en_HK
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.citibank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Dah Sing Bank 大新銀行
- ebanking Personal - https://www.dahsing.com/eBank/jsp/login/ebank_id_login_frm.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.dahsing.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

DBS Bank (Hong Kong) 星展銀行(香港)
- iBanking - https://internet-banking.hk.dbs.com/IB/Welcome
- Overall Rating - A (https://www.ssllabs.com/ssltest/analyze.html?d=internet-banking.hk.dbs.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Fubon Bank (Hong Kong) 富邦銀行(香港)
- e-banking - https://www.ebank.fubonbank.com.hk/index0128J.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.ebank.fubonbank.com.hk)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Hang Seng Bank 恒生銀行
- Personal e-Banking - https://e-banking1.hangseng.com/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDd-NQv1BDg2AXA1-PEE9zH2cTAwgAykcC5Q3CfCydDEy9LAzMDL39vNzMDGDyROh2dnf0MDH3AfLDPF0NPE2cTAxMfd0MDTyNCej288jPTdUvyA2NKHdUVAQA-SNG7A!!/dl3/d3/L2dJQSEvUUt3QS9ZQnZ3LzZfMEczVU5VMTBTRDBNSFRJN01DNDAwMDAwMDA!/
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=e-banking1.hangseng.com)
- No protocol vulnerability found but insecure RC4 protocol is in force. HSTS and HPKP are not in force.

Hongkong and Shanghai Banking Corporation 滙豐銀行
- Personal Internet Banking - https://www.ebanking.hsbc.com.hk/1/2/logon?LANGTAG=en&COUNTRYTAG=US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.ebanking.hsbc.com.hk)
- No protocol vulnerability found but insecure RC4 protocol is in force. HSTS and HPKP are not in force.

Industrial and Commercial Bank of China (Asia) 工銀亞洲
- Personal/Private Banking - https://myebankasia.icbc.com.cn/icbc/perbank/index.jsp?areaCode=0110&dse_locale=en-US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=myebankasia.icbc.com.cn)
- No protocol vulnerability found but insecure RC4 protocol is in force. HSTS and HPKP are not in force.

OCBC Wing Hang Bank 華僑永亨銀行
- Personal Customer - https://ebanking.ocbcwhhk.com/jsp/chs/personal/0830/errorInvalidDevice.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ebanking.ocbcwhhk.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Public Bank (Hong Kong) 大眾銀行(香港)
- Net Banking - https://ebank.publicbank.com.hk/index0028.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ebank.publicbank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Shanghai Commercial Bank 上海商業銀行
- Personal Internet Banking - https://www.shacombank.com.hk/ibanking/servlet/com.ibm.dse.cs.servlet.CSEstablishSessionServlet/customer/en_US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.shacombank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Standard Chartered Bank (Hong Kong) 渣打銀行
- Online Banking - https://ibank.standardchartered.com.hk/nfs/login.htm?lang=en_US
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ibank.standardchartered.com.hk)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Wing Lung Bank 永隆銀行
- Personal Net Banking - https://www.winglungbank.com/EnNbMainR.html
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.winglungbank.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.
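The list above was produced with the SSL Labs web form. The following script is an added example (not part of the original research post) that reproduces the two checks behind those findings from the command line: whether a server still negotiates RC4, and whether it sends HSTS and HPKP headers. It assumes openssl and curl are installed and takes host names as arguments; the sample handshake summary and headers used to exercise the parsers are constructed, not captured from any bank.

```shell
#!/bin/bash
# Added example (not from the original post): check a host for RC4 support
# and for HSTS / HPKP headers. Assumes openssl and curl are installed.
set -eu

# rc4_in_handshake OUTPUT -> 0 if an openssl s_client session summary shows an RC4 cipher
rc4_in_handshake() {
    printf '%s\n' "$1" | grep -qiE '^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*[A-Z0-9-]*RC4'
}

# hsts_max_age HEADERS -> prints the max-age from Strict-Transport-Security, or 0 if absent
hsts_max_age() {
    local v
    v=$(printf '%s\n' "$1" | tr -d '\r' | grep -iE '^strict-transport-security:' \
        | grep -oiE 'max-age=[0-9]+' | head -n 1 | cut -d= -f2 || true)
    echo "${v:-0}"
}

# hpkp_present HEADERS -> 0 if a Public-Key-Pins header is sent
hpkp_present() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qiE '^public-key-pins:'
}

# summarize HOST RC4(yes|no) HSTS_MAX_AGE HPKP(yes|no) -> one line in the style of the list above
summarize() {
    local hsts=no
    [ "$3" -gt 0 ] && hsts="yes (max-age=$3)"
    printf '%s - RC4 negotiable: %s; HSTS: %s; HPKP: %s\n' "$1" "$2" "$hsts" "$4"
}

# probe_host HOST -> runs the live checks. The RC4 probe offers only RC4 suites, so a
# successful handshake means the server still accepts RC4. Caveat: an OpenSSL built
# without RC4 cannot run this probe and will always report "no".
probe_host() {
    local host=$1 session headers rc4=no hpkp=no
    session=$(echo | openssl s_client -connect "$host:443" -servername "$host" -cipher 'RC4' 2>/dev/null || true)
    rc4_in_handshake "$session" && rc4=yes
    headers=$(curl -sI --max-time 15 "https://$host/" || true)
    hpkp_present "$headers" && hpkp=yes
    summarize "$host" "$rc4" "$(hsts_max_age "$headers")" "$hpkp"
}

# usage: ./tlscheck.sh host1 host2 ...
for host in "$@"; do
    probe_host "$host"
done
```

Run it with the bank host names from the list as arguments. It only reports what the server negotiates and sends; it does not grade the certificate chain or protocol versions the way SSL Labs does.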


About Insecure RC4
Imperva Security Response to OpenSSL and TLS/RC4 Vulnerabilities
Killing RC4 (softly)

See Also : [RESEARCH] Banks In Hong Kong Running With What Services

That's all! See you.


Friday, April 01, 2016

HOWTO : Netdata on Ubuntu 14.04.4 LTS

netdata is a highly optimized Linux daemon providing real-time performance monitoring for Linux systems, Applications, SNMP devices, over the web!

It tries to visualize the truth of now, in its greatest detail, so that you can get insights of what is happening now and what just happened, on your systems and applications.

This is what you get:

- Beautiful out of the box bootstrap dashboards
- Custom dashboards that can be built using simple HTML (no javascript necessary)
- Blazingly fast and super efficient, written in C (for default installations, expect just 2% of a single core CPU usage and a few MB of RAM)
- Zero configuration - you just install it and it autodetects everything
- Zero dependencies, it is its own web server for its static web files and its web API
- Extensible, you can monitor anything you can get a metric for, using its Plugin API (anything can be a netdata plugin - from BASH to node.js)
- Embeddable, it can run anywhere a Linux kernel runs

Okay, what does it look like? Here you are.

Step 1 :

sudo apt-get update
sudo apt-get install build-essential zlib1g-dev gcc make git autoconf autogen automake pkg-config


Step 2 :

git clone https://github.com/firehol/netdata.git
cd netdata
sudo ./netdata-installer.sh


Press "Enter" to install.

Step 3 :

sudo nano /etc/init/netdata.conf

Make the file look like the following :



Step 4 :

To start it :

sudo start netdata

To stop it :

sudo stop netdata

To restart it :

sudo restart netdata

Remark : it will start automatically on every reboot.

Step 5 :

Start a browser and point it to :

http://192.168.0.100:19999

* where 192.168.0.100 is the IP address of the server. The netdata dashboard has no authentication of its own, so keep port 19999 reachable from your LAN only (firewall it) and never expose it to the internet.

Upgrade/Update

cd netdata
git pull
sudo ./netdata-installer.sh


That's all! See you.

Friday, March 18, 2016

HOWTO : Ubuntu Linux Kernel 4.4.0 (Xenial) on Ubuntu 14.04.4

We can use Linux Kernel 4.4.x on Ubuntu 14.04.4 LTS. Kernel 4.x can live patch the running kernel without rebooting your box; however, it seems that Ubuntu 14.04.x users need to build the kpatch module themselves. Anyway, it is good news for all Ubuntu 14.04 LTS users.

Meanwhile, you may also notice better performance of the box after the upgrade.

Step 1 :

sudo apt-get update

Step 2 :

sudo apt-get install linux-generic-lts-xenial linux-headers-generic-lts-xenial linux-image-generic-lts-xenial linux-tools-generic-lts-xenial

Step 3 (remove the old kernel packages; if you want a fallback kernel, do this only after the new kernel has booted successfully) :

sudo apt-get remove linux-image-generic-lts-utopic linux-headers-generic-lts-utopic linux-image-generic-lts-vivid linux-headers-generic-lts-vivid

Step 4 :

sudo apt-get autoremove
sudo apt-get autoclean


Step 5 :

sudo update-grub

Step 6 :

Reboot your box.

REMARK

If you are running Croissants (IPS) on Ubuntu 14.04 LTS, you can upgrade the Kernel to 4.4.0 as well by following the steps above.

That's all! See you.


Saturday, February 27, 2016

REVIEW : TorGuard Anonymous VPN on Ubuntu 14.04 LTS

TorGuard provides anonymous VPN and anonymous proxy as well as anonymous mail services. You can also purchase a dedicated IP address for your anonymous VPN service. The anonymous VPN can be combined with Stealth Proxy to strengthen the anonymity. Keep in mind that it is not related to TOR (The Onion Router). Every default purchase allows up to 5 simultaneous connections, and you can add more connections at a reasonable price.

There are 4 encryption strengths for the anonymous VPN: none, BF-CBC (BlowFish), AES-128-CBC and AES-256-CBC. With "none", traffic between you and the VPN server is not encrypted at all, so avoid it. For better performance, you can select UDP instead of TCP. When Stealth Proxy is applied, the protocol is limited to TCP only. The stronger the encryption, the slower the connection.

The CPU power, the speed of the internet connection, the VPN protocol and the encryption strength all affect the performance of the anonymous VPN.

Once purchased, you can find HTTP and SOCKS proxy server lists in your account and use those proxy servers without further charge. Most importantly, TorGuard identifies you by your email address only; no personal details are recorded or asked for. There is no DNS leakage when using the TorGuard VPN client. You can install "Disable WebRTC" or a similar Firefox add-on when necessary to prevent IP address leakage through WebRTC.

TorGuard provides VPN clients for Windows, Linux, Mac OSX, Android and iOS. Although the interface is the same, the VPN server list differs: Android and iOS offer fewer VPN servers and encryption strengths, and no Stealth Proxy. On the other hand, you can use the VPN server list in your account, but you need to set it up yourself.

The current version of the VPN client at the time of this writing is v0.3.42. On Linux, such as Ubuntu, Debian, Kali and Arch, you can further tune the VPN performance when it is using the TCP protocol. Make sure to enable "Prevent IPv6 Leak" on the client when necessary.

For example, if you want to connect to USA Dallas VPN server, you can tune the TCP connection as the following :

cd ~/.local/share/VPNetworkLLC/TorGuard/configs
nano TorGuard.USA-Dallas-NO-TORRENTS-TCP.ovpn


Change from :
sndbuf 393216
rcvbuf 393216


To (0 lets the operating system choose the socket buffer size) :
sndbuf 0
rcvbuf 0


Then connect to TorGuard Anonymous VPN; YouTube should play more smoothly.
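The edit above is done by hand in one profile. The script below is an added example (not code from the original post or from TorGuard) that applies the same sndbuf/rcvbuf change to every TorGuard TCP profile at once, keeps a backup of each file and reports what changed. It assumes the Linux client's config directory from the post and GNU sed (Ubuntu, Debian, Kali, Arch); the profile used in the test is a constructed sample, not a real TorGuard profile.

```shell
#!/bin/bash
# Added example, not from the original post or TorGuard: tune sndbuf/rcvbuf
# in every TorGuard TCP profile. Assumes the config directory from the post.
set -eu

CONFIG_DIR="${TORGUARD_CONFIG_DIR:-$HOME/.local/share/VPNetworkLLC/TorGuard/configs}"

# tune_ovpn_buffers FILE -> sets every non-zero "sndbuf N" / "rcvbuf N" line to 0
# (0 tells OpenVPN to leave the socket buffer sizes to the operating system),
# writes FILE.bak first, and prints the number of lines changed (0 = already tuned)
tune_ovpn_buffers() {
    local f=$1 changed
    changed=$(grep -cE '^(sndbuf|rcvbuf)[[:space:]]+0*[1-9][0-9]*[[:space:]]*$' "$f" || true)
    if [ "$changed" -gt 0 ]; then
        cp -p "$f" "$f.bak"
        sed -i -E 's/^(sndbuf|rcvbuf)[[:space:]]+[0-9]+[[:space:]]*$/\1 0/' "$f"
    fi
    echo "$changed"
}

# buffers_tuned FILE -> 0 if no non-zero sndbuf/rcvbuf line is left in FILE
buffers_tuned() {
    ! grep -qE '^(sndbuf|rcvbuf)[[:space:]]+0*[1-9]' "$1"
}

# tune_all_tcp_profiles -> only the *TCP*.ovpn profiles; UDP profiles are left alone
tune_all_tcp_profiles() {
    local f n
    for f in "$CONFIG_DIR"/*TCP*.ovpn; do
        [ -e "$f" ] || continue
        n=$(tune_ovpn_buffers "$f")
        printf '%s: %s line(s) changed\n' "$f" "$n"
    done
}

# Nothing is modified unless explicitly requested: TORGUARD_TUNE=1 ./tune_torguard.sh
if [ "${TORGUARD_TUNE:-0}" = "1" ]; then
    tune_all_tcp_profiles
fi
```

Running it a second time changes nothing, so it is safe to re-run after the client replaces its profiles. Keep the .bak files until you have confirmed the tuned profiles connect.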


That's all! See you.


Monday, February 15, 2016

HOWTO : Kali Linux 2016.1 Live USB Persistence Encryption on M.2 SSD

I (Samiux) recommend installing Kali Linux 2016.1 Live USB Persistence on an M.2 SSD of 128GB or larger. The M.2 SSD is installed in an enclosure with a USB 3.0 interface. I will set up Kali Linux 2016.1 Live USB Persistence with encryption only.

I (Samiux) have tried to install Kali Linux 2016.1 Live USB Persistence Encryption on a 32GB USB 3.0 pendrive. It is very, very slow and there is insufficient space for the first update. It took over 12 hours to update Kali Linux 2016.1 and the reboot failed. Maybe you can use a larger and faster USB pendrive or an external portable SSD drive for the purpose. I find Live USB Persistence on a fast device better than dual boot on Windows, Mac or Linux computers.

This guide covers how to install Kali Linux 2016.1 Live USB Persistence Encryption for Apple Macbook (Air/Pro/Pro Retina) and Lenovo ThinkPad (X201s or newer). However, this guide is not suitable for The New Macbook, as it does not display "Windows" when pressing "Option" during boot up. Therefore, this guide may not work for all models of Mac machine.

Step 1 :

You need a Linux computer (such as Ubuntu) to do the following steps. If you do not have gparted installed, install it.

If you are using Ubuntu, you can :

sudo apt-get update
sudo apt-get -y install gparted


Step 2 :

Download Kali Linux 2016.1 from the official site and verify its SHA256 checksum against the value on the download page before using it. I download the amd64 version. Write it to the M.2 SSD 128GB.

Usually, the M.2 SSD appears as "/dev/sdb". Confirm this with "sudo fdisk -l" before running dd, because dd overwrites whatever device you name without asking.

If you are using Ubuntu, you can :

sudo dd if=kali-linux-2016.1-amd64.iso of=/dev/sdb bs=1024k

Step 3 :

Do not unplug the M.2 SSD. Run gparted and format the remaining space as ext3 (ext4 should work but is not yet tested). It becomes the third partition, /dev/sdb3.

Step 4 :

The M.2 SSD is still inserted to USB port. Run the following commands :

If you are using Ubuntu, you can :

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb3
sudo cryptsetup luksOpen /dev/sdb3 my_usb

sudo mkfs.ext3 -L persistence /dev/mapper/my_usb
sudo e2label /dev/mapper/my_usb persistence

sudo mkdir -p /mnt/my_usb
sudo mount /dev/mapper/my_usb /mnt/my_usb
echo "/ union" | sudo tee /mnt/my_usb/persistence.conf
sudo umount /dev/mapper/my_usb

sudo cryptsetup luksClose /dev/mapper/my_usb


* Make sure you enter a very strong passphrase for the encryption; it is the only thing protecting the data on the SSD if it is lost or stolen
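Steps 2 to 4 above, as one script. This is an added example, not code from the original post or from the Kali project: it runs the same dd / partition / LUKS / persistence.conf sequence, but refuses to touch a device that has anything mounted and asks you to type the device name before writing. Assumptions (all overridable through environment variables): the ISO file name and the target device /dev/sdb from the post, that the ISO occupies less than 3 GiB so the persistence partition can start at 3GiB (check with "sudo parted /dev/sdb print"), and that parted replaces the manual gparted step. It also handles NVMe/mmcblk device naming (nvme0n1p3 instead of sdb3), which goes beyond the sdb case in the post. Run it as root on the Ubuntu host.

```shell
#!/bin/bash
# Added example for Steps 2 to 4; not from the original post or from Kali.
# Assumptions: ISO name and target device from the post, persistence
# partition starts at 3GiB, parted is installed. Run as root.
set -eu

ISO="${KALI_ISO:-kali-linux-2016.1-amd64.iso}"
DEV="${KALI_DEV:-/dev/sdb}"
PART_NUM="${KALI_PART:-3}"
MAPPER=my_usb
MNT=/mnt/my_usb

# partition_path DEV N -> partition node; sdb -> sdb3, nvme0n1 / mmcblk0 -> nvme0n1p3 / mmcblk0p3
partition_path() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n' "$1" "$2" ;;
    esac
}

# device_in_use DEV -> 0 if DEV or any partition on it is mounted (catches the host's own disk)
device_in_use() {
    grep -qE "^$1(p?[0-9]+)?[[:space:]]" /proc/mounts
}

# write_persistence_conf DIR -> the persistence.conf that live-boot looks for ("/ union")
write_persistence_conf() {
    printf '/ union\n' > "$1/persistence.conf"
}

# verify_iso -> checks the ISO against the digest from the Kali download page, if given
verify_iso() {
    if [ -n "${KALI_ISO_SHA256:-}" ]; then
        echo "${KALI_ISO_SHA256}  ${ISO}" | sha256sum -c -
    else
        echo "KALI_ISO_SHA256 not set; skipping ISO checksum verification" >&2
    fi
}

# confirm_target -> refuse a mounted device, show it, and require the name to be typed back
confirm_target() {
    if device_in_use "$DEV"; then
        echo "refusing: $DEV (or a partition on it) is mounted; is it really the M.2 SSD?" >&2
        return 1
    fi
    lsblk "$DEV"
    printf 'Type the device name (%s) to overwrite it: ' "$DEV"
    read -r answer
    [ "$answer" = "$DEV" ] || { echo "aborted" >&2; return 1; }
}

build() {
    local part
    part=$(partition_path "$DEV" "$PART_NUM")
    verify_iso
    confirm_target

    # Step 2: write the (isohybrid) ISO to the whole device
    dd if="$ISO" of="$DEV" bs=1M conv=fsync
    sync

    # Step 3: remaining space becomes the persistence partition (gparted in the post)
    parted -s "$DEV" mkpart primary 3GiB 100%
    partprobe "$DEV"

    # Step 4: LUKS container, ext3 labelled "persistence", persistence.conf inside
    cryptsetup --verbose --verify-passphrase luksFormat "$part"
    cryptsetup luksOpen "$part" "$MAPPER"
    mkfs.ext3 -L persistence "/dev/mapper/$MAPPER"
    mkdir -p "$MNT"
    mount "/dev/mapper/$MAPPER" "$MNT"
    write_persistence_conf "$MNT"
    umount "$MNT"
    cryptsetup luksClose "$MAPPER"
    echo "done: boot from $DEV and choose Live USB Encrypted Persistence"
}

# Nothing destructive runs unless explicitly requested: KALI_USB_BUILD=1 ./build_kali_usb.sh
if [ "${KALI_USB_BUILD:-0}" = "1" ]; then
    build
fi
```

The mounted-device check is what keeps a mistyped device name from wiping the host's own disk; the typed confirmation covers the case where the wrong external disk is plugged in.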

Step 5 :

Then boot the target machine from the M.2 SSD.

If you are using a Macbook, hold the "Option" key while booting. Once the boot menu is displayed, select the "Windows" icon to boot.

If you are using a ThinkPad, press "F12" while booting to launch the boot menu. Once the boot menu is displayed, select the M.2 SSD to boot.

Once Kali Linux boot menu is displayed, select "Live USB Encrypted Persistence". You will be asked for Passphrase when boot to unlock /dev/sdb3.

Step 6 :

On Kali Linux 2016.1 Live USB Persistence, run the following commands. The bcmwl package is the Broadcom wireless driver, which the Macbook's Wi-Fi needs; skip those two lines if your machine has no Broadcom adapter :

apt-get update
apt-get -y install dkms linux-headers-amd64 tlp tlp-rdw

wget http://ftp.wa.co.za/pub/ubuntu/ubuntu/pool/restricted/b/bcmwl/bcmwl-kernel-source_6.30.223.248+bdcom-0ubuntu2.1_amd64.deb
dpkg -i bcmwl-kernel-source_6.30.223.248+bdcom-0ubuntu2.1_amd64.deb


If you are using ThinkPad, you need this command. However, it is no harm to install it when you are using Macbook :

apt-get -y install tp-smapi-dkms acpi-call-dkms

Step 7 :

If you are using Macbook, you need this step. However, it is no harm to set it up when you are using ThinkPad.

nano /usr/local/bin/mac_keyboard

Enter the following :

#!/bin/bash

# Author : Samiux (http://samiux.blogspot.com)
# Date : Feb 15, 2016
#
# Apple keyboard fix for the hid_apple driver (runs only when the module is loaded):
#   iso_layout=0 turns off the hardcoded ISO layout quirk that swaps the "<>" and "`~" keys
#   fnmode=1     makes the F-keys act as media keys unless Fn is held

if [ -f /sys/module/hid_apple/parameters/iso_layout ]
then
    echo 0 > /sys/module/hid_apple/parameters/iso_layout
    echo 1 > /sys/module/hid_apple/parameters/fnmode
fi


Save it with "Ctrl o" and "Ctrl x".

chmod +x /usr/local/bin/mac_keyboard

Step 8 :

If you are using Macbook, you need this step. However, it is no harm to set it up when you are using ThinkPad.

nano ~/.config/autostart/mac_keyboard.desktop

Enter the following :

[Desktop Entry]
Type=Application
Exec=/usr/local/bin/mac_keyboard
Hidden=false
X-GNOME-Autostart-enabled=true
Name[en_US]=Mac Keyboard Layout
Name=Mac Keyboard Layout
Comment[en_US]=Start Mac Keyboard Layout when GNOME starts
Comment=Start Mac Keyboard Layout when GNOME starts


Step 9 :

nano ~/update_kali

Enter the following :

#!/bin/bash
# Stop at the first failing step instead of continuing with a half-updated system
set -e

apt-get update
apt-get -y dist-upgrade
apt-get autoclean
apt-get -y --purge autoremove


Save it with "Ctrl o" and "Ctrl x".

chmod +x ~/update_kali

Step 10

Then update Kali to the latest status. It takes time. However, when a new kernel is published, the update will fail at that point, because the live system cannot replace its own kernel and the related packages.

cd ~
./update_kali


Step 11

Change your time zone when necessary.

dpkg-reconfigure tzdata

Step 12

Make sure you change the root password on every boot up.

passwd

* Make sure you enter a strong password, and it should be different from the encryption passphrase

Known Issues

The New Macbook is not supported. It may not work on all models of Mac.

"maltego" on Kali Linux 2016.1 refuses to launch on my Macbook Air (Mid 2013), Macbook Pro Retina (Mid 2012) and ThinkPad X201s, even when it is not in Live USB Persistence mode; maybe it is a bug for older CPUs.

REFERENCE

TLP Setting
Broadcom Wireless Driver
Kali Linux Live USB Persistence


That's all! See you.

Source : Samiux's Blog


Saturday, February 13, 2016

HOWTO : Install HexChat on Kali Linux 2016.1

This guide shows how to install HexChat on Kali Linux 2016.1.

apt-get update
apt-get -y install hexchat hexchat-common hexchat-plugins libsexy2


That's all! See you.


HOWTO : Install VirtualBox 5.0.14 on Kali Linux 2016.1

This guide shows how to install the latest VirtualBox 5.0.14 on Kali Linux 2016.1 (amd64).

Step 1 - Download dependencies :
wget http://http.us.debian.org/debian/pool/main/libv/libvpx/libvpx1_1.3.0-3_amd64.deb
wget http://http.us.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1k-3+deb8u2_amd64.deb


Step 2 - Create Virtualbox repos :
echo "deb http://download.virtualbox.org/virtualbox/debian jessie contrib" > /etc/apt/sources.list.d/vbox.list

Step 3 - Install Virtualbox public key :
wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -

Step 4 - Install it now :
dpkg -i libvpx1_1.3.0-3_amd64.deb
dpkg -i libssl1.0.0_1.0.1k-3+deb8u2_amd64.deb
apt-get update
apt-get -y install linux-headers-amd64 dkms libsdl-ttf2.0-0 virtualbox-5.0


Step 5 - Install Virtualbox Extension Pack :
wget http://download.virtualbox.org/virtualbox/5.0.14/Oracle_VM_VirtualBox_Extension_Pack-5.0.14-105127.vbox-extpack
VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-5.0.14-105127.vbox-extpack


Step 6 - Clean up :
rm *.deb
rm *.vbox-extpack


Step 7 - Reboot :
reboot

Bonus

When installing Kali Linux as a guest on VirtualBox, you may need to install the "Guest Additions CD Image".

apt-get update
apt-get -y install dkms


Then mount the "Guest Additions CD Image" from the VirtualBox menu.

cd /media/cdrom0
cp VBoxLinuxAdditions.run /tmp/
cd /tmp
./VBoxLinuxAdditions.run



That's all! See you.


Thursday, January 14, 2016

HOWTO : Network Security for Home and SOHO Users

Think an Intrusion Prevention System (IPS) cannot be deployed at home or in a SOHO environment because of the cost? I have good news for you: you can deploy an IPS at home or in a SOHO at a very low price.

Croissants is an Intrusion Detection and Prevention System (IDPS) developed by me (Samiux). Its engine is the next generation IDPS, Suricata, which is a very high performance engine.

Features of Croissants :

- Plug, Play and Forget!
- Suricata as IDPS Engine which is the Next Generation IDPS
- Based on ET Open rules (can use ET Pro rules with minimal settings)
- Work with ClamAV (Open Source Anti-Virus) MD5 signatures
- Work with LMD (Linux Malware Detect) MD5 signatures
- Work with IP Reputation blacklists
- Work with SSL Certificate blacklist
- Work with Denyhost SSH blacklist
- Work with Advertising Domains blacklist
- Drop certain traffic with minimal settings
- Disable and Enable rules with minimal settings
- Auto update ET Open rules, MD5 signatures and Blacklists
- Data analysis with charts on web interface
- 4K video streaming playback capable
- Can play common online games (but not ideal for demanding First Person Shooter games, as it may have latency spikes) Demo videos

The Zotac CI323 Nano Plus (sold with Windows 10) comes with 2 wired network interfaces, 1 wireless interface, 4GB RAM and an onboard 32GB M.2 SSD.

The Zotac CI323 Nano Plus is ideal for Croissants once you add another 4GB RAM or replace the memory with two 8GB modules (16GB in total); I recommend 16GB for better performance. You also need a wireless router. Croissants (special version for the CI323) can be installed on the 32GB M.2 SSD with Ubuntu 14.04 LTS Server installed first. However, it is better to install it on a hard drive or SSD drive.

You can get the special version at the following links (the current version is 1.0-RELEASE). Note that the 16GB version performs better than the 8GB version :

8GB RAM Zotac CI323 - https://www.infosec-ninjas.com/files/croissants-1.0/croissants-home-ci323-1.0.1-RELEASE.tar.gz
sha256sum - a12f78ae571fa93dce0ee68f383c8b5af39a903ccaac09336dcaf0b9c5fd6278 croissants-home-ci323-1.0.1-RELEASE.tar.gz

16GB RAM Zotac CI323 - https://www.infosec-ninjas.com/files/croissants-1.0/croissants-smb-ci323-1.0.1-RELEASE.tar.gz
sha256sum - 759616b21235353953ab363f6ca8f6ecbe05e48a7988b0c771675596045959ba croissants-smb-ci323-1.0.1-RELEASE.tar.gz

Please refer to the Croissants website for the installation procedure; it is similar to the standard version of Croissants. This special version keeps only 60 days of data.

Make sure you connect the Zotac CI323 between the ISP and the wireless router, and the monitoring cable should be connected to the router or switch (if any).
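The sha256sum values above are only useful if you check them before unpacking. The script below is an added example (not code from the original post or from the Croissants project) that downloads a release tarball, compares its SHA-256 with the published digest, and unpacks it only on a match; on a mismatch it deletes the file and fails. The URLs and digests are the ones published above; the file used in the test is a constructed empty file, not a Croissants release.

```shell
#!/bin/bash
# Added example, not from the original post or the Croissants project:
# download-and-verify wrapper for the release tarballs listed above.
set -eu

# Published values from the post
CROISSANTS_HOME_URL=https://www.infosec-ninjas.com/files/croissants-1.0/croissants-home-ci323-1.0.1-RELEASE.tar.gz
CROISSANTS_HOME_SHA256=a12f78ae571fa93dce0ee68f383c8b5af39a903ccaac09336dcaf0b9c5fd6278
CROISSANTS_SMB_URL=https://www.infosec-ninjas.com/files/croissants-1.0/croissants-smb-ci323-1.0.1-RELEASE.tar.gz
CROISSANTS_SMB_SHA256=759616b21235353953ab363f6ca8f6ecbe05e48a7988b0c771675596045959ba

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> 0 if the digests match (case-insensitive), 1 otherwise
verify_sha256() {
    local actual expected
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_and_verify URL EXPECTED_SHA256 [DEST_DIR] -> downloads, verifies, unpacks on match;
# on mismatch removes the download and returns 1 so nothing unverified is left behind
fetch_and_verify() {
    local url=$1 expected=$2 dest=${3:-.} file
    file="$dest/$(basename "$url")"
    wget -q -O "$file" "$url"
    if verify_sha256 "$file" "$expected"; then
        echo "OK: $file matches the published sha256sum; unpacking"
        tar -xzf "$file" -C "$dest"
    else
        echo "MISMATCH: $file does not match the published sha256sum; deleting it" >&2
        rm -f "$file"
        return 1
    fi
}

# Network access only when explicitly requested: CROISSANTS_FETCH=home|smb ./get_croissants.sh
case "${CROISSANTS_FETCH:-}" in
    home) fetch_and_verify "$CROISSANTS_HOME_URL" "$CROISSANTS_HOME_SHA256" /tmp ;;
    smb)  fetch_and_verify "$CROISSANTS_SMB_URL" "$CROISSANTS_SMB_SHA256" /tmp ;;
    *)    ;;
esac
```

The same pattern applies to any tarball you install on the box that sits between your ISP and your router: compare against a digest you obtained separately, and never unpack first and check later.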

Before installing Croissants, you need to edit nsm.conf :

WIFI_SSID - The SSID of your wireless router
WIFI_PASSWORD - The password of your wireless router

The default monitoring IP will be x.x.x.180, such as 192.168.1.180.





To extend the security of your network, you may consider adding the following OpenDNS servers to your router.

OpenDNS FamilyShield DNS servers have built-in fraud and phishing protection and are pre-configured to block adult content :
208.67.222.123
208.67.220.123

OpenDNS Home DNS servers provide the same fraud and phishing protection, but the content filtering is customizable: register with OpenDNS Home to choose which categories are filtered, or just use the following servers without customization (without an account, only the fraud and phishing protection applies). They all use the following addresses :
208.67.222.222
208.67.220.220

OpenDNS DNS servers are compatible with Croissants.


REFERENCE

5 DNS Services to Block Porn Sites without Installing Software
HOWTO : Hardening and Tuning Ubuntu 14.04 LTS

That's all! See you.