Wifi everywhere! Whenever you use wifi, no matter whether it is a public or private hotspot, you are at risk of being attacked.
When an access point and a client communicate, they carry out a four-way handshake in which the encrypted passphrase is also transmitted between them. When an attacker captures the four-way handshake, the encrypted passphrase is captured with it, and the attacker can then recover the passphrase by brute forcing it with wordlists.
However, we cannot tell whether the person in the building or parking lot opposite your home or office is a hacker. Fortunately, we can inspect the suspicious or malicious packets in the air with a tool named WAIDPS, which stands for Wireless Auditing, Intrusion Detection and Prevention System.
You can leave this tool running and it will report back if there is any suspicious activity in the air near you. You can even fight back against the attacker. However, in my opinion, it is too late for that, as the attacker may already have your encrypted passphrase from the four-way handshake.
If you observe any attack, such as deauthentication, reset your passphrase to a stronger one in order to stop the attack on your wifi router.
By the way, MAC address filtering and a hidden SSID mean nothing to an attacker. The best defense is a very strong passphrase.
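As an added illustration, not part of the original post or of WAIDPS, the following Python sketch shows the kind of check a wireless monitor makes to notice the deauthentication attack mentioned above: it slides a time window over management-frame records and raises an alert when one transmitter sends an implausible number of deauth/disassoc frames. The frame records, field layout, MAC addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed management-frame records in the shape a wireless monitor might
# log them: (seconds since capture start, frame subtype, transmitter MAC,
# receiver MAC, reason code or None). The MAC addresses are made up.
SAMPLE_FRAMES = (
    [(0.00, "beacon", "aa:bb:cc:dd:ee:01", BROADCAST, None),
     (0.10, "deauth", "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66", 3),  # one ordinary disconnect
     (0.20, "beacon", "aa:bb:cc:dd:ee:01", BROADCAST, None)]
    # a burst of 40 broadcast deauthentications in under a second, all claiming
    # to come from the access point: the signature of a deauthentication attack
    + [(1.0 + i * 0.025, "deauth", "aa:bb:cc:dd:ee:01", BROADCAST, 7) for i in range(40)]
    + [(2.50, "beacon", "aa:bb:cc:dd:ee:02", BROADCAST, None)]
)


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Sliding-window rate check. Emits one alert per transmitter whose count of
    deauth/disassoc frames inside any `window_s`-second window exceeds
    `threshold`. Frames must be ordered by timestamp. Returns a list of dicts."""
    recent = defaultdict(deque)   # transmitter -> timestamps of its recent frames
    alerts = {}
    for ts, subtype, src, dst, reason in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        window = recent[src]
        window.append(ts)
        # drop everything older than the window so the count is a true rate
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) <= threshold:
            continue
        alert = alerts.setdefault(src, {
            "transmitter": src,
            "first_seen": window[0],
            "peak_rate": 0,          # highest count seen in one window
            "broadcast": False,      # broadcast deauths kick every client at once
            "reason_codes": set(),
        })
        alert["peak_rate"] = max(alert["peak_rate"], len(window))
        alert["broadcast"] |= dst == BROADCAST
        alert["reason_codes"].add(reason)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(alert)
```

The threshold is deliberately low for the demo; a real monitor would tune it per BSSID and weigh the reason code and whether the receiver is the broadcast address. As the post says, by the time such an alert fires the handshake may already have been captured, so the useful response is to rotate the passphrase to a stronger one rather than to count on blocking the attacker.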
Reference
[1] WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
[2] Kali Linux
That's all! See you.
Monday, December 18, 2017
Tuesday, December 05, 2017
HOWTO : Wifi Penetration Testing Without Tears
Wifi everywhere! There are a lot of private and public wifi access points around you, and almost everyone uses wifi at any time. The security of wifi should be taken into account.
The most common wifi frequencies are 2.4GHz and 5GHz at the time of this writing. The 2.4GHz channel range is 1 to 14, while the 5GHz channel range is 34 to 165. This covers the a/b/g/n/ac modes.
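As an added example that is not from the original post, the following Python snippet encodes the channel ranges given above and adds the IEEE 802.11 rule for turning a channel number into its centre frequency, so that a scan listing can be split by band before deciding whether a 2.4GHz-only adapter is hiding the 5GHz networks from you. The scan rows and BSSIDs are constructed.

```python
# Constructed scan result: (BSSID, channel) pairs as a scanner such as
# airodump-ng would list them. The BSSIDs are made up.
SAMPLE_SCAN = [
    ("00:11:22:33:44:01", 1),
    ("00:11:22:33:44:02", 6),
    ("00:11:22:33:44:03", 11),
    ("00:11:22:33:44:04", 36),
    ("00:11:22:33:44:05", 44),
    ("00:11:22:33:44:06", 149),
    ("00:11:22:33:44:07", 165),
]


def band_of(channel):
    """Classify a channel number into its band using the ranges the post gives:
    1-14 for 2.4GHz and 34-165 for 5GHz. Anything else is rejected."""
    if 1 <= channel <= 14:
        return "2.4GHz"
    if 34 <= channel <= 165:
        return "5GHz"
    raise ValueError(f"channel {channel} is outside both bands")


def center_frequency_mhz(channel):
    """Centre frequency from the channel number (IEEE 802.11 numbering):
    2.4GHz channels 1-13 are 5 MHz apart starting at 2412 MHz, channel 14 is
    the odd one out at 2484 MHz, and 5GHz channels are 5000 + 5 * channel."""
    if band_of(channel) == "2.4GHz":
        return 2484 if channel == 14 else 2407 + 5 * channel
    return 5000 + 5 * channel


def group_by_band(scan):
    """Split (bssid, channel) rows into the two bands, attaching the frequency.
    Not every integer in 34-165 is an allocated channel; which ones your
    regulatory domain allows is what `iw list` reports."""
    groups = {"2.4GHz": [], "5GHz": []}
    for bssid, channel in scan:
        groups[band_of(channel)].append((bssid, channel, center_frequency_mhz(channel)))
    return groups


if __name__ == "__main__":
    for band, rows in group_by_band(SAMPLE_SCAN).items():
        print(band, rows)
```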
You can still find some access points using WEP, but it is not common. Almost all access points use WPA/WPA2. Getting the passphrase of a WEP access point is very easy. However, WPA/WPA2 is not very hard either.
When an access point and a client communicate, they carry out a four-way handshake in which the encrypted passphrase is also transmitted between them. When an attacker captures the four-way handshake, the encrypted passphrase is captured with it, and the attacker can then recover the passphrase by brute forcing it with wordlists.
To complete the capture steps, you need a tool named Aircrack-ng, a very powerful wifi auditing tool. Furthermore, there is a good tool for brute forcing WPA/WPA2 keys: Hashcat, a very powerful password recovery tool. Hashcat requires a GPU for the brute forcing job; the more powerful the GPU, the faster the brute forcing.
However, carrying out wifi penetration testing is somehow very hard for some people, because it involves a lot of steps and procedures. In addition, you also need a working wifi USB dongle or card to get the job done.
The current version of Aircrack-ng, 1.2 RC4, is not fully compatible with the 5GHz band. You need to patch it and compile it yourself on Kali Linux.
A Realtek 8812au chipset wifi USB dongle is ready for the 5GHz band and for penetration testing. Its driver also needs to be compiled and installed on Kali Linux yourself.
One of the automated wifi penetration testing tools is WAIDPS. It can also act as an intrusion detection and prevention system for wifi. It takes just a few keystrokes to complete a wifi penetration test.
Reference
[1] List of WLAN channels
[2] Kali Linux
[3] Aircrack-ng Official Site
[4] WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
[5] Install Realtek 8812au Linux Driver
[6] Patch Aircrack-ng For 5GHz Band On Kali Linux 2017.3
[7] Hashcat Official Site
[8] Install Hashcat on Ubuntu 16.04.3
[9] TP-Link Archer T4UHP (Realtek 8812au chipset)
[10] ALFA AWUS036NH (Realtek 8812au chipset)
[11] D-Link DWA-171 Nano USB Adapter (Realtek 8812au chipset)
That's all! See you.
Labels:
Aircrack-ng,
hashcat,
Kali Linux,
Realtek,
WAIDPS
HOWTO : Patch AirCrack-NG For 5GHz Band On Kali Linux 2017.3
Since AirCrack-NG release 1.2rc4 and GitHub repository commit 7552fdc do not detect 5GHz channel numbers properly, you need to use jpmv27's repository as a workaround until the official version is patched in the next release.
The following is a better way than the forked-repository method, as it uses the latest AirCrack-NG source from GitHub.
Step 1 :
apt install pkg-config libssl-dev libsqlite3-dev libnl-3-dev libnl-genl-3-dev libpcre3-dev
Step 2 :
To patch for 5GHz band :
git clone https://github.com/aircrack-ng/aircrack-ng
cd aircrack-ng/src
wget https://github.com/jpmv27/aircrack-ng/commit/8199c04357ea05daaf2de2ae7eebb28d30baef87.patch
patch < 8199c04357ea05daaf2de2ae7eebb28d30baef87.patch
Step 3 :
To fix a typo :
nano besside-ng.c
Replace line 709, which reads
err(1, "wi_wirte()");
with
err(1, "wi_write()");
Step 4 :
make
make install
Important
Make sure not to uninstall aircrack-ng with the "apt" command, as it will also uninstall some useful packages at the same time.
Kali Linux's Aircrack-ng is installed in /usr/bin and /usr/sbin, while the GitHub build is installed in /usr/local/bin and /usr/local/sbin. $PATH searches /usr/local first, so you will run the GitHub version instead of the original one.
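The $PATH point is easy to verify. The following Python script, an added example rather than anything from the post or from Aircrack-ng, builds a throwaway directory tree with an aircrack-ng stand-in in both install locations and resolves the name the way the shell does, using the default search order /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin. The binaries are fake shell stubs and the labels are constructed.

```python
import os
import shutil
import stat
import tempfile

# default search order on Kali, relative to a throwaway root in the demo
PATH_ORDER = ("usr/local/sbin", "usr/local/bin", "usr/sbin", "usr/bin")


def first_on_path(command, path_dirs):
    """The executable a shell would run for `command`, searching `path_dirs`
    left to right (the same lookup `command -v` performs), or None."""
    return shutil.which(command, path=os.pathsep.join(path_dirs))


def all_on_path(command, path_dirs):
    """Every executable named `command` on the search path, in search order,
    which is what `type -a` prints. Entries after the first are shadowed."""
    found = []
    for directory in path_dirs:
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            found.append(candidate)
    return found


def _fake_binary(path, label):
    """Write an executable stub that just announces which copy it is."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as handle:
        handle.write(f"#!/bin/sh\necho {label}\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)


def demo():
    """Place a stub in both install locations the post names and report which
    one wins plus which ones are shadowed. Returns (winner, shadowed_list)."""
    root = tempfile.mkdtemp(prefix="pathdemo-")
    _fake_binary(os.path.join(root, "usr/local/bin/aircrack-ng"), "github-build")
    _fake_binary(os.path.join(root, "usr/bin/aircrack-ng"), "kali-package")
    path_dirs = [os.path.join(root, d) for d in PATH_ORDER]
    copies = all_on_path("aircrack-ng", path_dirs)
    return first_on_path("aircrack-ng", path_dirs), copies[1:]


if __name__ == "__main__":
    winner, shadowed = demo()
    print("runs:", winner)
    print("shadowed:", shadowed)
```

On a real system `type -a aircrack-ng` prints the same ordered list; run it again after `make uninstall` so you know the distro copy is back in front.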
When Kali Linux updates Aircrack-ng, you can uninstall the GitHub version with the following commands, provided the source tree is still there :
cd aircrack-ng
make clean
make uninstall
Remarks :
If using WAIDPS, make sure to use v1.0 R.6d (or newer), as it is fixed for the newer aireplay-ng display.
Reference
5GHz Patch
Typo Patch
That's all! See you.
Labels:
Aircrack-ng,
Kali Linux
Monday, December 04, 2017
HOWTO : Install HashCat on Ubuntu 16.04.3
hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.
Step 1 :
sudo apt install ocl-icd-libopencl1 git build-essential
mkdir ~/infosec
cd ~/infosec
git clone https://github.com/hashcat/hashcat
cd hashcat
git submodule update --init
make
cd ~/infosec
git clone https://github.com/hashcat/hashcat-utils
cd hashcat-utils/src
make
cp *.bin ../bin
Step 2 :
To crack a WPA/WPA2 passphrase, first convert the cap file to hccapx :
If using WAIDPS, copy the "cap" file to "~/infosec" :
cp /.SYWorks/Saved/Handshake_F92A673ED5C2_hihi_StrictFull.cap ~/infosec
cd ~/infosec
hashcat-utils/bin/cap2hccapx.bin Handshake_F92A673ED5C2_hihi_StrictFull.cap hihi.hccapx
If you are using Kali Linux 2017.3, "cap2hccapx.bin" is located at the following :
/usr/lib/hashcat-utils/cap2hccapx.bin
Step 3 :
The following are example usages of hashcat for cracking a WPA/WPA2 passphrase :
To crack with rockyou dictionary :
cd ~/infosec/hashcat
./hashcat -m 2500 ~/infosec/hihi.hccapx ~/rockyou.txt
To crack up to 8 digits :
./hashcat -m 2500 ~/infosec/hihi.hccapx -a 3 ?d,?d?d?d?d?d?d?d?d --increment-min 1 --increment-max 8 --increment
To crack up to 8 characters for all available characters including space :
./hashcat -m 2500 ~/infosec/hihi.hccapx -a 3 ?a,?a?a?a?a?a?a?a?a --increment-min 1 --increment-max 8 --increment
To crack with rules and rockyou dictionary :
./hashcat -m 2500 -r rules/best64.rule ~/infosec/hihi.hccapx ~/rockyou.txt
The WPA/WPA2 crack on a MacBook Pro (Retina Mid 2012 - NVIDIA GeForce GT 650M and Intel HD Graphics 4000) with hashcat required about half an hour for the first two examples above. The third example requires over 305 years to complete on my MacBook Pro. The fourth example requires 1 day and 13 hours to complete on my MacBook Pro.
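To see where timings like these come from, here is an added Python helper, not part of hashcat or of the original post, that computes the keyspace of a hashcat mask under --increment and turns it into a worst-case time at a given hash rate. It handles hashcat's built-in ?l ?u ?d ?s ?a ?b ?h ?H charsets plus custom charsets given hcmask-style as comma-separated leading fields, which is the form the two mask examples above use. The 1,000,000 H/s rate in the demo is a constructed figure, not a measurement of any hardware.

```python
import string

# hashcat's built-in charsets. ?b is every byte value; it is represented as the
# 256 latin-1 code points so that every charset is a set of characters.
BUILTIN_CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation + " ",       # 33 symbols, space included
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "b": "".join(chr(i) for i in range(256)),
}
BUILTIN_CHARSETS["a"] = (BUILTIN_CHARSETS["l"] + BUILTIN_CHARSETS["u"]
                         + BUILTIN_CHARSETS["d"] + BUILTIN_CHARSETS["s"])   # 95 printable

SECONDS_PER_YEAR = 365.25 * 86400


def _expand(field, custom):
    """One set of characters per position of a mask fragment. ?? is a literal
    question mark; any other character not preceded by ? is a fixed literal."""
    positions = []
    i = 0
    while i < len(field):
        if field[i] == "?" and i + 1 < len(field):
            key = field[i + 1]
            if key == "?":
                positions.append({"?"})
            elif key in BUILTIN_CHARSETS:
                positions.append(set(BUILTIN_CHARSETS[key]))
            elif key in custom:
                positions.append(set(custom[key]))
            else:
                raise ValueError(f"unknown charset ?{key} in {field!r}")
            i += 2
        else:
            positions.append({field[i]})
            i += 1
    return positions


def parse_mask(mask_line):
    """Per-position character sets for a mask line. Leading comma-separated
    fields define custom charsets ?1..?4 (hcmask syntax); the last field is
    the mask itself. Overlapping members of a custom charset count once."""
    *custom_fields, mask = mask_line.split(",")
    custom = {}
    for n, field in enumerate(custom_fields, start=1):
        custom[str(n)] = set().union(*_expand(field, custom))
    return _expand(mask, custom)


def keyspace(mask_line, increment_min=None, increment_max=None):
    """Candidates hashcat will try: the product of the per-position set sizes,
    or with --increment the sum of that product over every prefix length from
    increment_min to increment_max."""
    sizes = [len(s) for s in parse_mask(mask_line)]
    if increment_min is None:
        increment_min = increment_max = len(sizes)
    if not 1 <= increment_min <= increment_max <= len(sizes):
        raise ValueError("increment range must fit inside the mask length")
    total = 0
    for length in range(increment_min, increment_max + 1):
        count = 1
        for size in sizes[:length]:
            count *= size
        total += count
    return total


def worst_case_years(mask_line, hashes_per_second, increment_min=None, increment_max=None):
    """Years to exhaust the keyspace at a sustained rate. On average the right
    candidate turns up about half way through; this is the upper bound."""
    return keyspace(mask_line, increment_min, increment_max) / hashes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for mask in ("?d,?d?d?d?d?d?d?d?d", "?a,?a?a?a?a?a?a?a?a"):
        print(mask, keyspace(mask, 1, 8), f"{worst_case_years(mask, 1_000_000, 1, 8):.1f} years")
```

Run against the post's two masks, the digits-only mask has 111,111,110 candidates while the all-printable mask has about 6.7 × 10^15, which is why the third example above is measured in centuries. The same arithmetic sizes a passphrase policy from the defender's side: choose a length and character mix whose keyspace, divided by a realistic rate for the hardware you expect an attacker to own, is comfortably beyond any attacker's patience.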
Reference
How to Perform a Mask Attack Using hashcat
That's all! See you.
Sunday, December 03, 2017
HOWTO : Install Forked AirCrack-NG on Kali Linux 2017.3
Since AirCrack-NG release 1.2rc4 and GitHub repository commit 7552fdc do not detect 5GHz channel numbers properly, you need to use jpmv27's repository as a workaround until the official version is patched in the next release.
Step 1 :
apt install pkg-config libssl-dev libsqlite3-dev libnl-3-dev libnl-genl-3-dev libpcre3-dev
Step 2 :
git clone https://github.com/jpmv27/aircrack-ng
cd aircrack-ng
Step 3 :
make
make install
Make sure not to uninstall aircrack-ng with the "apt" command, as it will also uninstall some useful packages at the same time.
That's all! See you.
Labels:
Aircrack-ng
Monday, November 27, 2017
Zotac ZBox CI549/MI549 nano for Croissants
Croissants is an Intrusion Detection and Prevention System (IDPS) which requires 3 network interfaces and a CPU with AVX2. The Zotac ZBox CI549 or MI549 is another good choice for home and/or SOHO users. Its small footprint and Intel Core i5-7300U (dual core / 4 hyperthreads) make it suitable for home and/or SOHO IDPS use, such as Croissants.
It comes with 2 network interfaces and one Thunderbolt 3 Type-C port, which can connect to an adaptor to become another network interface. It can also take up to 32GB of DDR4 memory. In my opinion, it can handle up to 1000Mbps bandwidth with low to medium traffic flow, even though I have not tested it at my side at the moment. However, I will purchase one for the test when it is available.
On the other hand, you can install pfsense with the suricata plugin on it once Hyperscan is available for FreeBSD or pfsense. pfsense requires only 2 network interfaces.
Finally, the difference between the CI549 and MI549 is that the CI549 is passively cooled while the MI549 is actively cooled.
That's all! See you.
Reference
Zotac ZBox Comparison 2017
Labels:
CI549,
Croissants,
MI549,
ZOTAC
Saturday, November 18, 2017
One More Secure Layer For Your Security Stack
Quad9 is founded by IBM, PCH and the Global Cyber Alliance to provide a free DNS service that blocks malicious websites while you are surfing the internet.
You can set it up on your router or personal computer in a few steps. It is painless, as the official site provides videos and text documentation to help you set it up.
Make sure you put "9.9.9.9" at the top of the DNS list in your router or personal computer.
I have tested it and found that the surfing speed is very fast without lagging. Finally, keep in mind that Quad9 cannot protect you 100% from reaching all malicious websites. However, it adds one more secure layer to your existing security stack.
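As an added check that is not from the post, the following Python snippet parses a resolv.conf-style resolver list and reports whether 9.9.9.9 is actually first. The order matters because the stub resolver queries servers in the listed order and only falls through to the next one on timeout, so a non-filtering resolver listed above Quad9 answers almost every query and the filter never sees it. The sample file content is constructed; 149.112.112.112 is Quad9's published secondary address, which the post does not mention.

```python
import ipaddress

# 9.9.9.9 is the address the post names; 149.112.112.112 is Quad9's
# published secondary resolver (an addition here, not from the post).
QUAD9 = {"9.9.9.9", "149.112.112.112"}
MAXNS = 3   # glibc only ever uses the first three nameserver entries

# Constructed /etc/resolv.conf content: the router is listed first and Quad9
# second, which is exactly the misordering the post warns about.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 9.9.9.9   # Quad9
options timeout:2 attempts:2
"""


def parse_nameservers(text):
    """Nameserver addresses in the order the resolver will try them, ignoring
    comments, blank lines, other directives and unparsable addresses."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue   # not an IP address; the resolver ignores it as well
    return servers[:MAXNS]


def check_quad9_first(text):
    """Classify a resolver list. Only the first server matters for filtering;
    later entries are fallbacks used when the earlier ones do not answer."""
    servers = parse_nameservers(text)
    if not servers:
        return {"ok": False, "servers": servers, "reason": "no nameserver lines found"}
    first = servers[0]
    if first in QUAD9:
        return {"ok": True, "servers": servers, "reason": f"{first} is queried first"}
    if any(s in QUAD9 for s in servers):
        return {"ok": False, "servers": servers,
                "reason": f"{first} is queried before Quad9, so most lookups bypass the filter"}
    return {"ok": False, "servers": servers, "reason": "Quad9 is not configured at all"}


if __name__ == "__main__":
    print(check_quad9_first(SAMPLE_RESOLV_CONF))
```

On hosts where resolv.conf only lists a local stub such as systemd-resolved's 127.0.0.53, the real upstreams live in that service's configuration, so check there, and check the router as well, since it answers for every device behind it.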
That's all! See you.
Labels:
Quad9
Tuesday, November 14, 2017
VPN and IPS For Public Wifi
Many friends of mine keep asking me how to protect themselves from being hacked. The most asked question is how to protect themselves from being hacked when using public wifi. They ask whether a VPN can do it, as they have seen a lot of advertisements about it.
I recommend that they use their own VPN server with additional protection, such as an Intrusion Detection and Prevention System (IDPS), Next-Generation Firewall or Unified Threat Management system (UTM), because most of those products are equipped with anti-virus/malware, exploit prevention and so on. It would be better and more secure than using a commercial VPN alone.
Open source solutions are great for home users and small businesses. I recommend pfsense with suricata, and Croissants. pfsense is basically a router, and it can install the suricata plugin, which makes it an inline IPS. pfsense also has a built-in VPN. On the other hand, Croissants is designed as an inline IPS and does not come with a VPN; you need to set up your own.
Once the VPN and IPS are set up, when you are going to use public wifi, you connect to the public wifi hotspot and then connect to your VPN, which is set up at your home or office. The traffic goes through the inline IPS via the VPN, so you will be under the protection of the IPS. However, the downside is that the battery of your mobile device (such as a smartphone) will drain more quickly. Therefore, connect to your VPN when necessary.
Finally, when using pfsense with suricata, you need to fine-tune the rule set in order to prevent false positive alerts. Croissants, however, is already tuned for daily usage.
Reference
pfsense Official site
Youtube - Build a Router 2016 Q4 -- pfSense Build
pfsense Forum - Suricata true inline IPS mode coming with pfSense 2.3 -- here is a preview
Youtube - pfSense: Network Intrusion Detection w/Suricata (pt4)
Youtube - Suricata Network IDS/IPS System Installation, Setup and How To Tune The Rules & Alerts on pfSense
Croissants - Intrusion Detection and Prevention System
That's all! See you.
Labels:
Croissants,
pfsense
Saturday, October 21, 2017
WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System is an open source project designed with both offensive and defensive purposes in mind.
This project was originally created by SY Chua of SYWorks Programming. However, it has no longer been maintained by him since 2014. The GitHub version is v1.0 R.6, dated Oct 10, 2014. However, the demos in his tutorials and Youtube videos display v1.0 R.7, dated Oct 11, 2014.
This software has a very good screen layout design and a good operating experience. Since v1.0 R.6 crashes when a handshake is captured and does not work properly on Kali Linux 2017.2, I modified the Python script over two days to make it work again. Meanwhile, IEEE 802.11ac is also supported in my modification.
It is well tested on Kali Linux 2017.2. Other penetration testing Linux distributions may work too.
My modification is also an open source project and it is released under GPLv3.
Reference
[1] This project is forked from https://github.com/SYWorks/waidps
[2] Official tutorial - Part 1
[3] Official tutorial - Part 2
[4] Official tutorial - Part 3
[5] Official Youtube Playlist
[6] RealTek 8812AU Driver Installation
[7] TP-Link Archer T4UHP (Realtek 8812AU chipset)
That's all! See you.
Friday, October 20, 2017
HOWTO : Install RealTek 8812AU Driver with Packet Injection And Monitor Mode Support
The TP-Link Archer T4UHP v1 is also supported by this driver, with monitor mode and packet injection. It is an IEEE 802.11ac USB dongle.
Although Kali Linux has its own 8812au driver, I find AirCrack-ng's driver is the best.
Step 1 :
On Ubuntu Desktop 16.04.3 :
sudo apt update
sudo apt install build-essential dkms git
On Kali Linux 2017.2 :
apt update
apt install dkms
Step 2 :
git clone https://github.com/aircrack-ng/rtl8812au
cd rtl8812au
Step 3 :
On Ubuntu Desktop 16.04.3 :
nano dkms.conf
Change all "/updates" to "/kernel/drivers/net/wireless" when using Ubuntu.
sudo bash ./dkms-install.sh
On Kali Linux 2017.2 :
bash ./dkms-install.sh
Step 4 :
To remove the dkms driver :
cd rtl8812au
Ubuntu Desktop 16.04.3 :
sudo bash ./dkms-remove.sh
Kali Linux 2017.2 :
bash ./dkms-remove.sh
Step 5 :
To control it, I suggest using the iw wireless tool.
Beware that the driver does not work properly with the following commands :
(1) airmon-ng start wlan0
(2) iw dev wlan0 interface add wlmon0 type monitor
Make sure to run "airmon-ng check kill" beforehand.
Reference
AirCrack-ng RTL8812AU driver
HOWTO : Install Forked AirCrack-NG on Kali Linux 2017.3
That's all! See you.
Labels:
8812au,
Archer T4UHP,
Realtek
Wednesday, October 11, 2017
HOWTO : Install GCC 7.x on Ubuntu 16.04.3 LTS
Some features, such as AVX-512, require GCC 7.x to compile.
sudo add-apt-repository ppa:ubuntu-toolchain-r/test
sudo apt update
sudo apt install gcc-7
Set gcc-7 as the default compiler for the compilation.
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 60 --slave /usr/bin/gcc-ar gcc-ar /usr/bin/gcc-ar-7 --slave /usr/bin/gcc-nm gcc-nm /usr/bin/gcc-nm-7 --slave /usr/bin/gcc-ranlib gcc-ranlib /usr/bin/gcc-ranlib-7
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 60 --slave /usr/bin/gcc-ar gcc-ar /usr/bin/gcc-ar-5 --slave /usr/bin/gcc-nm gcc-nm /usr/bin/gcc-nm-5 --slave /usr/bin/gcc-ranlib gcc-ranlib /usr/bin/gcc-ranlib-5
Now, gcc-7 is the default compiler. To change back to gcc-5, you need to run :
sudo update-alternatives --config gcc
Then select gcc-5.
That's all! See you.
Thursday, October 05, 2017
Vulnerability scanner can be trusted?
Many companies use vulnerability scanners to scan their systems, websites and products regularly to make sure they are secure. However, the former CEO of Equifax, which was hacked, stated that the system had been scanned a week after the Apache Struts vulnerability had been announced, and the scanner could not detect the presence of unpatched Apache Struts implementations.
Please see the 8th paragraph of this article for the statement mentioned above.
Maybe the vulnerability scanner's signatures were not up to date, which caused this failure. So your vulnerability scanner should be kept up to date too!
That's all! See you.
Labels:
scanner,
vulnerability
Tuesday, September 12, 2017
Cloudflare-Recon Version 0.2 Demo
Cloudflare-Recon is forked from Cloudflare-enum, which is written in Python. It obtains the DNS zone records of a website protected by CloudFlare. This tool is a Swiss Army Knife that can be defensive and/or offensive.
CloudFlare is a cloud-based service that provides Distributed Denial of Service (DDoS) or DoS as well as Web Application Firewall (WAF) protection to websites. The real IP address of a website protected by Cloudflare is hidden on purpose. However, Cloudflare is a well known company that aids and abets criminals who host their websites behind it for malicious activities.
When the DNS zone records are configured incorrectly, the IP address of the server cannot be hidden, and Cloudflare cannot protect you from DDoS/DoS.
This tool is useful for law enforcement, hackers and sysadmins for finding out the real IP of a website protected by Cloudflare.
Cloudflare-Recon is modified by Samiux.
Changelog :
Version: 0.1 - Sept 10, 2017 GMT+8
[+] Forked from Cloudflare-enum
[+] Enhancement
Version: 0.2 - Sept 12, 2017 GMT+8
[+] Improved, readable formatted output
[+] Error handling
That's all! See you.
Labels:
Cloudflare-Recon,
Ubuntu
Sunday, September 10, 2017
Cloudflare-Recon version 0.1 Demo
Cloudflare-Recon is forked from Cloudflare-enum, which is written in Python. It obtains the DNS zone records of a website protected by CloudFlare. This tool is a Swiss Army Knife that can be defensive and/or offensive.
CloudFlare is a cloud-based service that provides Distributed Denial of Service (DDoS) or DoS as well as Web Application Firewall (WAF) protection. The real IP address of a website protected by Cloudflare is hidden on purpose. However, Cloudflare is a well known company that aids and abets criminals who host their websites behind it for malicious activities.
When the DNS zone records are configured incorrectly, the IP address of the server cannot be hidden, and Cloudflare cannot protect you from DDoS/DoS.
This tool is useful for law enforcement, hackers and sysadmins for finding out the real IP of a website protected by Cloudflare.
Cloudflare-Recon is modified by Samiux on Sept 10, 2017.
Version: 0.1 - Sept 10, 2017 GMT+8
[+] Enhancement
That's all! See you.
Labels:
Cloudflare-Recon,
Ubuntu
HatCloud-ng version 0.1 Demo
HatCloud-ng is forked from HatCloud, which is written in Ruby. It obtains the "real IP address" of a website protected by CloudFlare. This tool is a Swiss Army knife that can be used defensively and/or offensively.
CloudFlare is a cloud-based service that provides Distributed Denial of Service (DDoS)/DoS protection as well as Web Application Firewall (WAF) protection. The real IP address of a website protected by Cloudflare is hidden on purpose. However, Cloudflare is a well known company that aids and abets criminals who host their websites behind it for malicious activities.
When the DNS zone records are configured incorrectly, the server's IP address cannot be hidden and Cloudflare cannot protect you from DDoS/DoS attacks.
This tool is useful for law enforcement, hackers and sysadmins to find out the real IP address of a website protected by Cloudflare.
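As an added example (not code from Cloudflare-Recon or HatCloud-ng), the script below audits a zone from the defender's side: it flags A records and SPF tokens that publish the origin address instead of a Cloudflare proxy address, which is exactly the misconfiguration these tools look for. The zone is constructed, and the Cloudflare ranges are an assumed partial snapshot of https://www.cloudflare.com/ips-v4 that must be refreshed before a real audit.

```python
"""Audit a DNS zone for records that expose the origin server behind Cloudflare.

Added example, not code from Cloudflare-Recon or HatCloud-ng. The zone below is
constructed (203.0.113.0/24 is documentation address space); the Cloudflare ranges
are an assumed partial snapshot of https://www.cloudflare.com/ips-v4.
"""
import ipaddress

# Assumed partial list of Cloudflare IPv4 ranges (refresh from cloudflare.com/ips-v4).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Constructed zone: the apex and www are proxied, but leftover records still
# point straight at the origin, and the SPF record repeats its address.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@       300 IN A   104.16.1.1      ; proxied through Cloudflare
www     300 IN A   104.16.1.1
direct  300 IN A   203.0.113.10    ; old "bypass" record still pointing at the origin
mail    300 IN A   203.0.113.10    ; mail runs on the same box as the web origin
ftp     300 IN A   203.0.113.20
@       300 IN MX  10 mail.example.com.
@       300 IN TXT "v=spf1 ip4:203.0.113.10 -all"
"""


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def parse_zone(text: str):
    """Parse simple BIND-style records: NAME [TTL] [IN] TYPE DATA (one record per line).
    Comments start at ';'; TXT data containing ';' is not handled by this parser."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):  # skip blanks and $ORIGIN/$TTL directives
            continue
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():  # optional TTL
            del fields[1]
        if len(fields) > 1 and fields[1].upper() == "IN":  # optional class
            del fields[1]
        name, rtype = fields[0], fields[1].upper()
        data = " ".join(fields[2:]).strip('"')
        records.append((name, rtype, data))
    return records


def audit_zone(text: str, origin_ips):
    """Return findings for records that publish an origin IP or bypass the proxy."""
    origin_ips = set(origin_ips)
    findings = []
    for name, rtype, data in parse_zone(text):
        if rtype == "A":
            if data in origin_ips:
                findings.append({"severity": "HIGH", "name": name, "type": rtype,
                                 "detail": f"A record publishes origin IP {data}"})
            elif not is_cloudflare(data):
                findings.append({"severity": "INFO", "name": name, "type": rtype,
                                 "detail": f"{data} is not proxied by Cloudflare"})
        elif rtype == "TXT" and data.startswith("v=spf1"):
            # SPF "ip4:" tokens leak the mail server address, which is often the web origin.
            for token in data.split():
                if token.startswith("ip4:") and token[4:].split("/")[0] in origin_ips:
                    findings.append({"severity": "HIGH", "name": name, "type": rtype,
                                     "detail": f"SPF record publishes origin IP via {token}"})
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, {"203.0.113.10"}):
        print(f"{f['severity']:5} {f['name']:8} {f['type']:4} {f['detail']}")
```

Every HIGH finding is a record to delete or move behind the proxy; an INFO finding is a host that is reachable directly and needs its own DDoS and firewall story.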
HatCloud-ng is modified by Samiux on Sept 10, 2017.
Version: 0.1 - Sept 10, 2017 GMT+8
[+] Bug fixes for original HatCloud dated 2017-09-10
[+] Information and error handling enhancement
That's all! See you.
Labels:
HatCloud-ng,
Ubuntu
Saturday, September 09, 2017
HOWTO : Install Metasploit Framework on Ubuntu 16.04.3 LTS
Metasploit Framework is an exploitation framework.
Step 1 :
sudo apt install curl
cd ~
mkdir infosec
cd ~/infosec
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
msfconsole
Answer "yes" when you see this prompt message :
Would you like to use and setup a new database (recommended)? yes
Update and Upgrade
sudo apt update
sudo apt dist-upgrade
That's all! See you.
Labels:
Metasploit,
Ubuntu
HOWTO : Install John on Ubuntu 16.04.3 LTS
John (John the Ripper) is a password cracker.
Step 1 :
sudo apt install git build-essential libssl-dev
Step 2 :
cd ~
mkdir infosec
cd infosec
git clone https://github.com/magnumripper/JohnTheRipper.git
cd JohnTheRipper/src
./configure
make clean
make
cd ../run
./john --help
Update and Upgrade
sudo apt update
sudo apt dist-upgrade
cd ~/infosec/JohnTheRipper
git pull origin master
cd src
./configure
make clean
make
That's all! See you.
HOWTO : Install THC-Hydra on Ubuntu 16.04.3 LTS
THC-Hydra is a password brute-forcer for network logins.
Step 1 :
sudo apt install git build-essential libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev libncurses5-dev
Step 2 :
cd ~
mkdir infosec
cd infosec
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
./hydra -h
./xhydra
Update and Upgrade
sudo apt update
sudo apt dist-upgrade
cd ~/infosec/thc-hydra
git pull origin master
make clean
./configure
make
That's all! See you.
HOWTO : Install Recon-ng on Ubuntu 16.04.3 LTS
Recon-ng is a full-featured Web Reconnaissance framework.
Step 1 :
sudo apt install git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml
Step 2 :
pip install dicttoxml --upgrade
Step 3 :
cd ~
mkdir infosec
cd ~/infosec
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
cd recon-ng
./recon-ng
Update and Upgrade
sudo apt update
sudo apt dist-upgrade
pip install dicttoxml --upgrade
cd ~/infosec/recon-ng
git pull origin master
That's all! See you.
Friday, September 08, 2017
HOWTO : Install Weevely3 on Ubuntu 16.04.3 LTS
Weevely3 is a web shell that is rarely detected by anti-virus software, and its traffic is obfuscated within ordinary HTTP requests.
Step 1 :
sudo apt install g++ python-pip libyaml-dev python-dev libncurses5 libncurses5-dev
cd ~
mkdir infosec
cd ~/infosec
git clone https://github.com/epinna/weevely3.git
cd weevely3
pip install -r requirements.txt --upgrade
Step 2 :
cd ~/infosec/weevely3
python weevely3.py -h
Update and Upgrade
sudo apt update
sudo apt dist-upgrade
cd ~/infosec/weevely3
git pull origin master
pip install -r requirements.txt --upgrade
Reference
Documentation
That's all! See you.
HOWTO : Install Vega 1.0 on Ubuntu 16.04.3 LTS
Vega is an open source web application vulnerability scanner.
Step 1 :
sudo apt install libwebkitgtk-1.0 default-jdk unzip
cd ~
mkdir infosec
cd ~/infosec
wget https://dist.subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip
unzip VegaBuild-linux.gtk.x86_64.zip
Step 2 :
cd vega
./Vega
That's all! See you.
Thursday, September 07, 2017
HOWTO : Install SpiderFoot on Ubuntu 16.04.3 LTS
SpiderFoot is an open source intelligence automation tool.
Step 1 :
sudo apt install git python-lxml python-netaddr python-m2crypto python-cherrypy3 python-mako python-requests python-bs4
Step 2 :
cd ~/
mkdir infosec
cd ~/infosec
git clone https://github.com/smicallef/spiderfoot.git
Step 3 : (Optional)
If you want to implement login feature, you need to :
echo "admin:admin" > ~/infosec/spiderfoot/passwd
Step 4 :
To run it :
cd ~/infosec/spiderfoot
python ./sf.py
Step 5 :
Open your browser and point to http://127.0.0.1:5001
* Make sure to add API keys for the related modules in the settings.
Update and Upgrade
sudo apt update
sudo apt dist-upgrade
cd ~/infosec/spiderfoot
git pull origin master
Reference
Documentation
That's all! See you.
Labels:
Spiderfoot,
Ubuntu
HOWTO : Install OpenVAS 9 on Ubuntu 16.04.3 LTS
OpenVAS is an open source vulnerability scanner.
Step 1 :
sudo add-apt-repository ppa:mrazavi/openvas
sudo apt update
sudo apt install sqlite3
sudo apt install openvas9
* Make sure you install sqlite3 first; otherwise, openvas9 will fail to install.
Step 2 :
To enable pdf reports:
sudo apt install texlive-latex-extra --no-install-recommends
sudo apt install texlive-fonts-recommended
To install openvas-nasl utility:
sudo apt-get install libopenvas9-dev
Step 3 :
sudo greenbone-nvt-sync
sudo greenbone-scapdata-sync
sudo greenbone-certdata-sync
Step 4 :
sudo systemctl restart openvas-scanner
sudo systemctl restart openvas-manager
sudo openvasmd --migrate    # only required when upgrading from an older version
sudo openvasmd --rebuild --progress
Step 5 :
Default URL is https://localhost:4000
Use "admin" as username and password.
Step 6 : (Optional)
If you want to change port number, you need to :
sudo nano /etc/default/openvas-gsa
sudo systemctl restart openvas-gsa
That's all! See you.
Tuesday, September 05, 2017
HOWTO : Install SQLMap on Ubuntu 16.04.3 LTS
Metasploit Framework is required for SQLMap's takeover features. The following is the complete SQLMap installation procedure on Ubuntu 16.04.3 LTS.
Step 1 :
sudo apt update
sudo apt dist-upgrade
sudo apt install git python-pip curl
Step 2 : Install SQLMap
cd ~/
mkdir infosec
cd ~/infosec
git clone https://github.com/sqlmapproject/sqlmap.git
Step 3 : Install Metasploit Framework
cd ~/infosec
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
msfconsole
Answer "yes" when you see this prompt message :
Would you like to use and setup a new database (recommended)? yes
Step 4 : Install SQLMap Dependencies
sudo apt install python-impacket python-ibm-db-sa python-kinterbasdb python-pyodbc python-pymssql python-pymysql python-psycopg2 python-pysqlite2 python-ntlm
pip install cx_Oracle --upgrade
Step 5 : Update/Upgrade
sudo apt update
sudo apt dist-upgrade
msfupdate
pip install cx_Oracle --upgrade
cd ~/infosec/sqlmap
python sqlmap.py --update
That's all! See you.
Labels:
Metasploit,
SQLmap,
Ubuntu
Wednesday, August 23, 2017
Current Affairs Commentary: the "Scholarism and HKFS three" only had their sentences increased
Yu Fei: On 21 August 2017, before the Court of Appeal handed down increased sentences to the "Scholarism and HKFS three", Joshua Wong, Nathan Law and Alex Chow, Lee Cheuk-yan went so far as to upload to Facebook, ahead of its release, an unpublished statement from the US Congressional-Executive Commission on China supporting Joshua Wong and the others. The statement said that the US Congress intends to re-examine the special relationship granted to Hong Kong under US law once Joshua Wong and the others are jailed, which is clearly blatant interference in Hong Kong's internal affairs.
Yu Fei also asked: does a "noble criminal motive" exempt these "core troublemaking youths" from responsibility? On the imprisonment of the "Scholarism and HKFS three", Joshua Wong, Nathan Law and Alex Chow, Yu Fei stressed that the court only increased their sentences; it did not re-sentence them.
Please share this so that more people can hear Yu Fei's incisive analysis!
Original Cantonese audio: Yu Fei's current affairs commentary programme on Sing Tao Radio, San Francisco
About Yu Fei:
Graduated from the Department of Chinese at The Chinese University of Hong Kong with a minor in Chinese music (guzheng), and obtained a master's degree at the same university. Later went to the United Kingdom for a master's degree in publishing. Worked for many years as an editor in Hong Kong, and was chief editor of Charles Kao's only Chinese-language autobiography, 《潮平岸闊──高錕自述》; wrote literary works in spare time. Became a full-time writer in 2003.
Quoted from:
Yu Fei on Sing Tao Radio, San Francisco: the "Scholarism and HKFS three" only had their sentences increased
Labels:
Yu Fei
Friday, August 18, 2017
HOWTO : Upgrade Ubuntu 16.04.3 to Ubuntu Gnome 16.04.3
Since Ubuntu Unity is no longer supported after Ubuntu 18.04, Ubuntu released a GNOME 3 version for Ubuntu 16.04.3. We can upgrade to it without pain.
sudo apt install ubuntu-gnome-desktop^
Select "gdm3" when prompted.
sudo apt remove unity lightdm ubuntu-desktop
sudo apt autoremove
sudo apt autoclean
sudo do-release-upgrade
Now you can force a reboot of the box by long-pressing the shutdown button.
That's all! See you.
Update on August 19, 2017 :
After the upgrade to Firefox 55.0.2, Firefox may not handle the decimal separator correctly in your language. It shows 100,10 instead of 100.10 in my case, even though it is in English. This link shows how to change it when necessary. I selected "en-US" for "general.useragent.locale" in my case.
Wednesday, August 09, 2017
HOWTO : Fully Upgraded From Ubuntu 16.04.2 To 16.04.3
For some unknown reason, when Ubuntu 16.04.2 is upgraded to 16.04.3, the kernel is not upgraded from 4.4.x to 4.10.x automatically. The following steps show how to do it manually.
Step 1 :
sudo apt update
sudo apt dist-upgrade
Step 2 :
cat /etc/lsb-release
The output would be :
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
Step 3 :
uname -r
If the kernel is still 4.4.x, you need to upgrade it manually.
Step 4 :
sudo apt --install-recommends install linux-generic-hwe-16.04 linux-tools-generic-hwe-16.04 xserver-xorg-hwe-16.04
sudo apt remove --purge linux-generic-lts-xenial linux-tools-generic-lts-xenial xserver-xorg-lts-xenial linux-image-generic-lts-xenial linux-generic linux-tools-generic linux-image-generic xserver-xorg linux-headers-generic linux-headers-generic-lts-xenial
sudo rm /boot/*-4.4.0-*
sudo apt autoremove
sudo apt autoclean
After the full upgrade, the kernel will be 4.10.x after a reboot.
That's all! See you.
Labels:
Ubuntu
Monday, July 17, 2017
[Warning] HSBC Phishing Website
This morning, I received an SMS message stating that my account had been locked and asking me to log in to verify via a given link (http://activation-hsbc.com/cgi).
I inspected the "login" page and found that it would redirect you to your real local HSBC Personal eBanking login page. However, your credentials would be logged by JavaScript and you would be redirected to the Deep Web (or Dark Web), where all your real e-banking transaction sessions would be hijacked.
The phishing website's domain was registered yesterday and the data show that it is from Russia (which may be fake). The IP address of the server is 185.151.245.43. The URL http://185.151.245.43/cgi shows the same content.
I think that it may be a global HSBC phishing website. Beware!
That's all! See you.
(Update) 4 hours after reporting it, I got the following confirmation email from HSBC :
Dear Customer
Thank you for your e-mail of 17 July regarding an SMS you received claiming to be from HSBC.
We confirm that the SMS in question is NOT a genuine HSBC message. We have reported this matter to our relevant department for their attention and necessary action.
To safeguard your interests, please do not reply or click the link inside the SMS. Please delete the SMS immediately.
Thank you once again for taking the time to bring your concern to our attention. We are pleased to be of service.
Yours faithfully
Cxxxxxxa Wong
Senior Customer Support Officer
Retail Banking and Wealth Management
The Hongkong and Shanghai Banking Corporation Limited
Friday, July 07, 2017
[Full Disclosure] TopLeader Is Vulnerable To SQL Injection
Recently, a new local TV advertisement caught my eye. It is for a job hunting website, namely TopLeader.
As an information security guy, I was curious to see how secure the website is. I therefore conducted a very quick and simple test on it. It was just a recon procedure. I did not hack it.
The site stores employer, customer and agency information; however, the site is not in HTTPS by default. Meanwhile, the TLS/SSL encryption has weak cipher suites, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.
Although the site has Cross Site Scripting (XSS) security header protection, it does not have any other security headers. Therefore, the site may be attacked by a Man-In-The-Middle (MITM) attack.
In addition, many URLs of the site are vulnerable to blind SQL injection (SQLi), which carries the risk that the data will be leaked to the public by attackers.
The webmaster or official was informed about the captioned findings via the website's "Contact Us" form on June 30, 2017. However, I did not get any reply from the official after 7 days. I decided on public disclosure in order to warn other employers and customers not to trust this site, as it has information leakage.
Disclosure Timeline
2017-06-30 - A message is sent to the webmaster or official for the captioned findings via the website.
2017-07-07 - Not receiving any reply from the webmaster or official, then public disclosure.
2017-07-12 - SQL injection is fixed but the other findings are not yet fixed. Information kept before 2017-07-12 may already have been leaked to the public.
That's all! See you.
Wednesday, June 21, 2017
[REVIEW] Cyber Security Campaign 2017 (Hong Kong)
Yesterday (Jun 20, 2017), the Cyber Security and Technology Crime Bureau (CSTCB) of the Hong Kong Police Force announced a year-long Cyber Security Campaign 2017 in order to kill all botnets in Hong Kong. They built a website for Hong Kong citizens to download 3 famous anti-virus scanners (Kaspersky, Symantec and Trend Micro). The campaign commenced today. (SCMP news) However, the site could not be accessed until 1500 hours today because it was too busy or for some other reason.
I conducted a quick test on the website when the news was announced yesterday. This article is about the non-professional test result.
The website is running on Windows Server 2012 and is hosted at Alchemy. It is not certain whether it is a dedicated server or a shared hosting server. It is possibly a dedicated server. The IP address of the server is 205.144.171.79.
Meanwhile, I found out that the server is also hosting another website, Cyber Security Professional Awards, which is also hosted by CSTCB.
The Server
The website is running on Microsoft IIS 8.5 with ASP.NET (version 4.0.30319; the ASP.NET MVC version is 5.2). Ports 80, 135, 443, 445, 5666 and 49159 are open on the Windows Server 2012. There is no Web Application Firewall (WAF) in front of the Microsoft IIS web server.
SSL Certificate
Since there is no data exchange between users and the web application, an SSL certificate for the website is not required in general. However, it has one. It supports TLS 1.0, 1.1 and 1.2. It uses a weak cipher suite for encryption (TLS_RSA_WITH_3DES_EDE_CBC_SHA). Meanwhile, it has a mismatched SSL certificate for www.fishingmilitia.com. In addition, there are no security headers for the website. The grade of the website is A only.
I later learnt that the mismatched SSL certificate of Fishing Militia points to the "Cyber Security Professional Awards" website. The SSL certificate of "Fishing Militia" expired on Jun 16, 2017. However, the "Cyber Security Professional Awards" website is running on port 80. It is very weird.
Web Application
It is a single-page web application, mainly running JavaScript. It stores all the images, including the background image, on https://storage.googleapis.com. The images range from 58 kB to 2.7 MB in size. That is why the website may not be accessible and displays "Service Unavailable. HTTP Error 503. The service is unavailable." There is no database and no data exchange between users and the web application.
When the "Cyber Security Campaign 2017" website is loading slowly or cannot be accessed, the "Cyber Security Professional Awards" website has the same response.
Conclusion
The Windows Server 2012 is hosting 2 websites, "Cyber Security Professional Awards" and "Cyber Security Campaign 2017", on ports 80 and 443 respectively. If there were a proxy server, both websites could use port 80 instead.
The response time of "Cyber Security Campaign 2017" is slow mainly because the images are large and they are fetched from storage.googleapis.com. The googleapis.com is hosting JavaScript only and the upload speed may not be very high. Therefore the bottleneck is the size of the images and the slow external storage.
It is very weird that the SSL certificate of the "Cyber Security Professional Awards" website points to another domain.
In conclusion, the website is misconfigured and not well designed.
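The findings in this review and in the TopLeader post above (3DES cipher suites, legacy TLS versions, missing security headers, and a served certificate that belongs to another domain and has expired) can be checked mechanically from a scan's raw observations. The script below is an added example, not output from any scanner used in these posts; it runs on a constructed observation record whose host and certificate names are placeholders, with no network access.

```python
"""Turn raw TLS/HTTP observations into findings of the kind the TopLeader and
Cyber Security Campaign posts report: 3DES suites, legacy TLS versions, missing
security headers, and a certificate that does not match (or has expired for) the host.

Added example, not code from any scanner used in the posts. SAMPLE_SCAN is a
constructed record mirroring the campaign-site findings; its hostname and
certificate name are placeholders.
"""
import re
from datetime import date

# Headers whose absence the posts call out ("no other security headers").
EXPECTED_HEADERS = {
    "strict-transport-security": "no HSTS: a plain-HTTP first visit can be intercepted (MITM)",
    "content-security-policy": "no CSP: injected scripts run without restriction",
    "x-frame-options": "no X-Frame-Options: page can be framed (clickjacking)",
    "x-content-type-options": "no X-Content-Type-Options: MIME sniffing allowed",
}

# Cipher-suite name fragments that mark a suite as weak.
WEAK_SUITE_PATTERNS = {
    r"3DES|DES_CBC3": "64-bit block cipher (3DES): SWEET32 birthday attack",
    r"_RC4_": "RC4 keystream biases",
    r"_NULL_|_EXPORT": "null or export-grade encryption",
}

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

SAMPLE_SCAN = {  # constructed observation record (placeholder names)
    "hostname": "campaign.example",
    "scan_date": date(2017, 6, 20),
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                      "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "cert_names": ["www.other-site.example"],  # certificate issued for a different site
    "cert_not_after": date(2017, 6, 16),       # already expired on the scan date
    "headers": {"X-XSS-Protection": "1; mode=block", "Content-Type": "text/html"},
}


def name_matches(hostname: str, cert_name: str) -> bool:
    """Match a SAN/CN against a host; a leading '*' covers exactly one label (RFC 6125)."""
    host = hostname.lower().rstrip(".").split(".")
    name = cert_name.lower().rstrip(".").split(".")
    if name[0] == "*":
        return len(host) == len(name) and host[1:] == name[1:]
    return host == name


def audit(scan: dict) -> list:
    """Return (severity, item, explanation) tuples for everything that is off."""
    findings = []
    if not any(name_matches(scan["hostname"], n) for n in scan["cert_names"]):
        findings.append(("HIGH", "certificate",
                         f"issued for {', '.join(scan['cert_names'])}, not {scan['hostname']}"))
    if scan["cert_not_after"] < scan["scan_date"]:
        findings.append(("HIGH", "certificate", f"expired on {scan['cert_not_after']}"))
    for proto in scan["protocols"]:
        if proto in LEGACY_PROTOCOLS:
            findings.append(("MEDIUM", proto, "legacy protocol version still negotiable"))
    for suite in scan["cipher_suites"]:
        for pattern, why in WEAK_SUITE_PATTERNS.items():
            if re.search(pattern, suite):
                findings.append(("MEDIUM", suite, why))
    present = {h.lower() for h in scan["headers"]}
    for header, why in EXPECTED_HEADERS.items():
        if header not in present:
            findings.append(("LOW", header, why))
    return findings


def hardened_scan() -> dict:
    """The same host after the fixes the findings call for (constructed)."""
    fixed = dict(SAMPLE_SCAN)
    fixed.update(
        protocols=["TLSv1.2"],
        cipher_suites=["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
        cert_names=["campaign.example"],
        cert_not_after=date(2018, 6, 20),
        headers={**SAMPLE_SCAN["headers"],
                 "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                 "Content-Security-Policy": "default-src 'self'",
                 "X-Frame-Options": "DENY",
                 "X-Content-Type-Options": "nosniff"},
    )
    return fixed


if __name__ == "__main__":
    for severity, item, why in audit(SAMPLE_SCAN):
        print(f"{severity:6} {item:40} {why}")
```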
That's all! See you.
Labels:
CSTCB
Monday, June 19, 2017
HOWTO : Lower CPU Loading With ulimit on Ubuntu 16.04 LTS
ulimit can change the number of processes a user may run on Linux. One use is to lower the CPU load with it when you have a low-end CPU. The lower the CPU load, the lower the CPU temperature.
sudo nano /etc/security/limits.conf
Append the following lines at the end of the file.
* soft nproc 10240
root soft nproc 10240
You can replace "10240" with any value up to "65535".
That's all! See you.
Sunday, June 04, 2017
HOWTO : Update Ubuntu 16.04 LTS
sudo nano ~/update_ubuntu
Append the following lines to the file :
export DEBIAN_FRONTEND=noninteractive
sudo apt update
sudo apt -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o APT::Get::Assume-Yes="true" -y dist-upgrade
sudo apt -y autoclean
sudo apt -y --purge autoremove
Save it and make it executable.
chmod +x ~/update_ubuntu
To run it :
sudo ~/update_ubuntu
That's all! See you.
Labels:
Ubuntu
Saturday, June 03, 2017
HOWTO : Apache Guacamole Remote Desktop Gateway On Ubuntu 16.04 LTS
Apache Guacamole is an HTML5 remote desktop gateway. It supports the VNC, RDP and SSH protocols. You can access your remote desktop or server using a standard browser. You need a dedicated computer or virtual machine to set up the Guacamole server. This guide uses database authentication.
Step 1 :
Install Ubuntu Server 16.04.2 LTS as usual. It is recommended to install OpenSSH also.
sudo apt-get -y install libcairo2-dev libjpeg-turbo8-dev libpng12-dev libossp-uuid-dev libavcodec-dev libavutil-dev libswscale-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libssh2-1-dev libvorbis-dev libwebp-dev autoconf autotools-dev libtool build-essential maven default-jdk mysql-common mysql-server mysql-client mysql-utilities tomcat8 tomcat8-admin tomcat8-common tomcat8-docs tomcat8-user ghostscript gsfonts gsfonts-other
Step 2 :
sudo mkdir -p /etc/guacamole
sudo mkdir -p /etc/guacamole/lib
sudo mkdir -p /etc/guacamole/extensions
Step 3 :
sudo nano /etc/default/tomcat8
Append the following lines at the end of the file :
# GUACAMOLE ENV VARIABLE
GUACAMOLE_HOME=/etc/guacamole
Step 4 :
cd ~
git clone git://github.com/apache/incubator-guacamole-server.git
cd incubator-guacamole-server
autoreconf -fi
./configure --with-init-dir=/etc/init.d
make
sudo make install
sudo ldconfig
sudo systemctl enable guacd
Step 5 :
cd ~
git clone git://github.com/apache/incubator-guacamole-client.git
cd incubator-guacamole-client
mvn package
sudo cp ~/incubator-guacamole-client/guacamole/target/guacamole-0.9.12-incubating.war /etc/guacamole/
sudo ln -s /etc/guacamole/guacamole-0.9.12-incubating.war /var/lib/tomcat8/webapps/
sudo cp ~/incubator-guacamole-client/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/target/guacamole-auth-jdbc-mysql-0.9.12-incubating.jar /etc/guacamole/extensions/
Step 6 :
wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.42.tar.gz
tar -xvzf mysql-connector-java-5.1.42.tar.gz
sudo cp mysql-connector-java-5.1.42/mysql-connector-java-5.1.42-bin.jar /etc/guacamole/lib/
sudo mkdir -p /usr/lib/x86_64-linux-gnu/freerdp
sudo ln -s /usr/local/lib/freerdp/* /usr/lib/x86_64-linux-gnu/freerdp/
Step 7 :
sudo mysql -u root -p
CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'localhost' identified by '[GUACAMOLE_USER_PASSWORD]';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
flush privileges;
quit
cd ~
cat ~/incubator-guacamole-client/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/*.sql | mysql -u root -p[MYSQL_ROOT_PASSWORD] guacamole_db
Step 8 :
sudo nano /etc/guacamole/guacamole.properties
The content of the file is :
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822
# MySQL Authentication
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: [GUACAMOLE_USER_PASSWORD]
Step 9 :
sudo ln -s /var/lib/tomcat8/webapps/guacamole-0.9.12-incubating.war /var/lib/tomcat8/webapps/ROOT.war
Step 10 :
sudo systemctl restart guacd
sudo systemctl restart tomcat8
Step 11 : (The following Step 11 to 14 are for setting up VNC server on Ubuntu Desktop)
The Ubuntu Desktop will be accessed via VNC. Therefore, we need to install related packages on Ubuntu Desktop.
sudo apt-get install ubuntu-desktop gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal tightvncserver
nano ~/.vnc/xstartup
The file content will look like :
#!/bin/sh
xrdb $HOME/.Xresources
xsetroot -solid grey
#x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
#x-window-manager &
# Fix to make GNOME work
export XKL_XMODMAP_DISABLE=1
/etc/X11/Xsession
unset SESSION_MANAGER
vncconfig -iconic &
x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
x-window-manager &
gnome-panel &
gnome-settings-daemon &
nautilus &
metacity &
gnome-session-flashback &
Reconfigure the session manager :
sudo update-alternatives --config x-session-manager
Select :
/usr/lib/gnome-flashback/gnome-flashback-metacity
Step 12 :
sudo nano /lib/systemd/system/vncserver@.service
The file content will look like below. Make sure to replace "samiux" with your username :
[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target
[Service]
Type=forking
User=samiux
PAMName=login
PIDFile=/home/samiux/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i
[Install]
WantedBy=multi-user.target
Step 13 :
vncserver
Enter the password of the VNC server when prompted and then answer "n" to the last question.
vncserver -kill :1
sudo systemctl daemon-reload
sudo systemctl enable vncserver@1.service
To start the VNC server on port 5901 :
sudo systemctl start vncserver@1
Step 14 :
For streaming audio from Ubuntu Desktop :
sudo nano /etc/pulse/default.pa
Append the following line at the end of the file (auth-anonymous=1 lets any host that can reach port 4713 connect without authentication, so only do this on a trusted network or restrict the source addresses with the module's auth-ip-acl option) :
load-module module-native-protocol-tcp auth-anonymous=1
To restart PulseAudio :
pulseaudio -k
Port 4713 should be listening for connections. However, it is not very stable on my side.
Step 15 : (The following Step 15 is for setting up RDP on Kali Linux Xfce)
Install the Xfce version of Kali Linux; Gnome does not work. Lxde may work.
apt-get install xrdp
systemctl enable xrdp
systemctl enable xrdp-sesman
systemctl start xrdp
systemctl start xrdp-sesman
update-alternatives --config x-session-manager
Make sure it is selected :
/usr/bin/startxfce4
Step 16 :
To access Guacamole, point your browser at the Guacamole box, e.g. http://192.168.20.99:8080. The default username and password are both "guacadmin"; change this password after the first login.
When accessing the remote desktop or server, you can launch the submenu by pressing :
ctrl+alt+shift
Reference
Apache Guacamole Manual
How to install SSH ( secure shell ) service on Kali Linux
That's all! See you.
Labels:
Apache Guacamole,
remote desktop,
Ubuntu,
VNC
Thursday, May 04, 2017
HOWTO : OwnCloud 10.0.0 and Hiawatha 10.6 on Ubuntu 16.04 LTS
Step 1 - Update Ubuntu :
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get autoclean
sudo apt-get --purge autoremove
Step 2 - Hiawatha Installation :
sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev
wget https://cmake.org/files/v3.8/cmake-3.8.1.tar.gz
tar -xvzf cmake-3.8.1.tar.gz
cd cmake-3.8.1
./configure
make
sudo make install
wget https://github.com/hsleisink/hiawatha/archive/v10.6.tar.gz
tar -xzvf v10.6.tar.gz
cd hiawatha-10.6/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_10.6_amd64.deb
sudo mkdir /etc/hiawatha/enable-sites
sudo nano /etc/hiawatha/hiawatha.conf
Add "SocketSendTimeout" just before "Binding Setting" :
SocketSendTimeout = 240
Add "MaxRequestSize" to "Binding Settings" :
# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
Port = 80
# MaxRequestSize is 100GB
MaxRequestSize = 104857600
MaxUploadSize = 2047
TimeForRequest = 24,100
MaxKeepAlive = 72000000
}
Append the following line at the end of the file :
Include /etc/hiawatha/enable-sites/
Create "owncloud" file at /etc/hiawatha/enable-sites :
sudo nano /etc/hiawatha/enable-sites/owncloud
VirtualHost {
Hostname = [your domain or IP address here]
WebsiteRoot = /var/www/owncloud
StartFile = index.php
AccessLogfile = /var/log/hiawatha/owncloud-access.log
ErrorLogfile = /var/log/hiawatha/owncloud-error.log
TimeForCGI = 72000000
WebDAVapp = yes
UseFastCGI = PHP70
UseToolkit = denyData
EnablePathInfo = yes
AllowDotFiles = yes
HTTPAuthToCGI = yes
}
UrlToolkit {
ToolkitID = denyData
Match ^/data DenyAccess
}
FastCGIserver {
FastCGIid = PHP70
ConnectTo = /var/run/php/php7.0-fpm.sock
Extension = php
SessionTimeout = 72000000
}
sudo nano /etc/php/7.0/fpm/php-fpm.conf
Append the following lines at the end of the file :
; for OwnCloud
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
[www]
pm=dynamic
pm.max_children=1000
pm.start_servers=50
pm.min_spare_servers=25
pm.max_spare_servers=75
Step 3 - MySQL Setting :
sudo mysql -u root -p
create database owncloud;
GRANT ALL ON owncloud.* TO owncloud@'127.0.0.1' IDENTIFIED BY '[your password here]';
flush privileges;
quit
Step 4 - OwnCloud Installation :
wget -nv https://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.key -O Release.key
sudo apt-key add - < Release.key
rm Release.key
sudo sh -c "echo 'deb http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/ /' >> /etc/apt/sources.list.d/owncloud.list"
sudo apt-get update
sudo apt-get install owncloud-files
sudo apt-get install exim4 exim4-base exim4-config exim4-daemon-light libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.1-0 s-nail php-common php7.0-cli php7.0-common php7.0-curl php7.0-gd php7.0-imap php7.0-intl php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-mysql php7.0-readline php7.0-xml php7.0-zip php7.0-pgsql php7.0-sqlite3 php7.0-fpm php-apcu mysql-server mysql-client php7.0-cgi php7.0-mbstring
sudo nano /var/www/owncloud/.user.ini
The content of the file may look like this :
upload_max_filesize=100G
post_max_size=100G
memory_limit=12G
mbstring.func_overload=0
always_populate_raw_post_data=-1
default_charset='UTF-8'
output_buffering=0
max_input_time=3600
max_execution_time=3600
upload_tmp_dir='/tmp/'
max_file_uploads=5000
Open a browser, point it to http://[your owncloud server IP], and create your admin user and password. Select MySQL as the database on the same page; otherwise, SQLite will be used by default.
After that, do the following :
sudo nano /var/www/owncloud/config/config.php
Insert the following line at the end of the configuration array :
'memcache.local' => '\OC\Memcache\APCu',
To restart OwnCloud and Hiawatha services :
sudo systemctl restart php7.0-fpm
sudo systemctl restart hiawatha
sudo systemctl enable php7.0-fpm
sudo systemctl enable hiawatha
Then, you can install the desktop sync client to sync your desktop to ownCloud.
Remarks :
If you want an HTTPS connection, you need to generate your own SSL certificate or purchase one. You can also use Let's Encrypt when necessary. If so, the "Binding" settings in Hiawatha should use "Port = 443".
That's all! See you.
Wednesday, May 03, 2017
[RESEARCH] How Secure of HSBC and DBS Web Sites Are?
Last year, I wrote an article about the SSL certificate grading of banks in Hong Kong. This time, I would like to choose DBS and HSBC for the research, because DBS had the highest SSL certificate grade at that time (Grade A), while HSBC is the largest bank in Hong Kong even though it was Grade C.
The Research
Since pentesting a target without written authorization is illegal, this research was done in the recon phase only. Therefore, it is incomplete research. Keep in mind that it is for reference only.
I have written an article about the security headers of a web site, such as HSTS, HPKP and XSS Protection. You can refer to it if you do not know what security headers are. The control web site for this research is my personal site, which is considered to be secure.
DBS Bank (Hong Kong) 星展銀行(香港)
The ebanking login page (https://internet-banking.hk.dbs.com/IB/Welcome) was tested, and it has been upgraded from A to A+ as the HSTS security header is set properly this time. The cookie is also set to secure. Meanwhile, it is still protected by Akamai (WAF/DDoS).
However, the HPKP security header is missing and the XSS protection header is not set properly. The site may be vulnerable to XSS and Man-In-The-Middle (MiTM) attacks even though HSTS is enforced.
Hongkong and Shanghai Banking Corporation (HSBC) 滙豐銀行
The ebanking login page (https://www.ebanking.hsbc.com.hk/1/2/logon?LANGTAG=en&COUNTRYTAG=US) was tested, and its grade remains unchanged at Grade C, as TLS 1.2 is not enabled, the RC4 cipher is used for older protocols, and the VeriSign, Inc / Class 3 Public Primary Certification Authority is not set properly.
Meanwhile, the HSTS, HPKP and XSS protection security headers are missing, and the cookie secure flag is not set properly. Therefore, it may be vulnerable to MiTM and XSS attacks.
Conclusion
If not set properly, HPKP will cause errors when browsing. Therefore, most webmasters will not touch it, in order to prevent downtime. The HSTS and XSS protection security headers, as well as the cookie secure flag, are not difficult to set and have no side effects. However, most webmasters ignore those settings due to misconceptions.
In my opinion, ebanking sites should be very secure in order to prevent attacks.
Reference
Qualys SSL Labs
Security Headers
[RESEARCH] SSL Certificate Grading of Banks in Hong Kong
HOWTO : Secure Surfing
Green PadLock is Safe?
That's all! See you.
HOWTO : Highest Secured Hiawatha Web Server 10.6 on Ubuntu Server 16.04 LTS
(A) Introduction
Hiawatha Web Server is designed with security in mind. It has built-in security features to protect against common attacks, such as SQLi, XSS and CSRF. Meanwhile, it can be configured to block scans from vulnerability scanners too.
Hiawatha is a lightweight, fast and secure web server. Hiawatha works well with PHP and MySQL. The following guide shows how to configure Hiawatha in a very secure way on Ubuntu Server LTS.
(B) Software Prerequisite
The current versions at the time of this writing :
(1) Ubuntu Server 16.04.2 LTS
(2) CMake 3.8.1
(3) Hiawatha 10.6
(C) Installation of PHP7.0 and MySQL
sudo apt-get install php7.0-cgi php7.0 php7.0-cli php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php7.0-imap php7.0-mcrypt php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl apache2-utils php7.0-fpm php-memcache php-imagick php-cache mysql-server mysql-client php7.0-mbstring
(D) Installation of Hiawatha
sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev
(a) Install CMake
wget https://cmake.org/files/v3.8/cmake-3.8.1.tar.gz
tar -xvzf cmake-3.8.1.tar.gz
cd cmake-3.8.1
./configure
make
sudo make install
(b) Install Hiawatha
wget https://github.com/hsleisink/hiawatha/archive/v10.6.tar.gz
tar -xzvf v10.6.tar.gz
cd hiawatha-10.6/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_10.6_amd64.deb
(E) Configuration of PHP7.0
sudo nano /etc/php/7.0/fpm/php.ini
Make the following changes :
allow_url_fopen = Off
session.cookie_httponly = 1
disable_functions = [EXIST_FUNCTION],system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
* [EXIST_FUNCTION] stands for the functions that are already listed in "disable_functions" in php.ini
(F) Let's Encrypt on Hiawatha
(a) Configuration of Hiawatha
sudo mkdir -p /etc/hiawatha/enable-sites
sudo mkdir -p /etc/hiawatha/disable-sites
Edit "cgi-wrapper.conf".
sudo nano /etc/hiawatha/cgi-wrapper.conf
Change the following settings :
CGIhandler = /usr/bin/perl
CGIhandler = /usr/sbin/php7.0-fpm
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi
Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data
Change the ownership of the log files.
cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log
sudo chown www-data:www-data garbage.log
sudo chown root:root system.log
Change the ownership of the web application files.
cd /var/www/mysite
sudo chown -R root:root *
The following are examples of "hiawatha.conf" and "mysite.com".
/etc/hiawatha/hiawatha.conf example :
/etc/hiawatha/enable-sites/mysite.com example :
sudo systemctl restart php7.0-fpm
sudo systemctl restart hiawatha
sudo systemctl enable php7.0-fpm
sudo systemctl enable hiawatha
(b) Self Signed SSL Certificate Generation
To generate SSL certificate for the web root.
openssl genrsa -out default.pem 4096
openssl req -new -x509 -days 3650 -key default.pem -out server.crt
echo "" >> default.pem
cat server.crt >> default.pem
echo "" >> default.pem
rm -f server.crt
sudo mkdir -p /etc/hiawatha/tls
sudo cp default.pem /etc/hiawatha/tls
sudo chown root:root /etc/hiawatha/tls/default.pem
sudo chmod 600 /etc/hiawatha/tls/default.pem
sudo chmod 700 /etc/hiawatha/tls
(c) Let's Encrypt Generation and Configuration
(1) First time install Let's Encrypt :
Make sure port 80 is reachable, as the Let's Encrypt script will use it to generate the SSL/TLS certificates.
Change ~/hiawatha-10.6/extra/letsencrypt/letsencrypt.conf :
nano ~/hiawatha-10.6/extra/letsencrypt/letsencrypt.conf
Change "ACCOUNT_EMAIL_ADDRESS" to your email address. Let's Encrypt will alert you when the SSL/TLS certificate is going to expire via this email address.
ACCOUNT_EMAIL_ADDRESS = samiux@gmail.com
Change "CERTIFICATE_RSA_KEY_SIZE" to 4096.
CERTIFICATE_RSA_KEY_SIZE = 4096
Change "RENEWAL_REUSE_KEY" to true. The server private key/public key will be used for the SSL/TLS certificate renewal.
RENEWAL_REUSE_KEY = true
Comment out the "Testing" LE_CA_HOSTNAME and uncomment "Production" LE_CA_HOSTNAME.
LE_CA_HOSTNAME = acme-v01.api.letsencrypt.org # Production
#LE_CA_HOSTNAME = acme-staging.api.letsencrypt.org # Testing
Run the Hiawatha 10.6 letsencrypt script to generate the server private key and server certificate as well as the Let's Encrypt X3 certificate :
cd ~/hiawatha-10.6/extra/letsencrypt
sudo ./letsencrypt register
An "account.key" file will be generated in ~/hiawatha-10.6/extra/letsencrypt. Make sure to keep this "account.key" in a safe place.
Then generate the SSL/TLS certificate of your server :
sudo ./letsencrypt www.mysite.com
A "www.mysite.com.pem" will be generated at /etc/hiawatha/tls/.
Rename the generated file :
sudo -sH
cd /etc/hiawatha/tls
mv www.mysite.com.pem www.mysite.com-privkey.pem
cp www.mysite.com-privkey.pem www.mysite.com.pem
Keep the private key file in a safe place, then generate the server public key :
openssl rsa -in www.mysite.com-privkey.pem -pubout -out pubkey.pem
Replace the first block ("PRIVATE KEY") in www.mysite.com.pem with the content of pubkey.pem.
Insert Let's Encrypt X4 certificate :
wget https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem.txt
echo "" >> www.mysite.com.pem
cat lets-encrypt-x4-cross-signed.pem.txt >> www.mysite.com.pem
chmod 600 www.mysite.com.pem
chmod 600 www.mysite.com-privkey.pem
Then configure VirtualHost at /etc/hiawatha/enable-sites/mysite.com.
Add the following to the VirtualHost at /etc/hiawatha/enable-sites/mysite.com :
RequireTLS = yes, 180d; includeSubDomains; preload
TLScertFile = /etc/hiawatha/tls/www.mysite.com-privkey.pem
PublicKeyPins = /etc/hiawatha/tls/www.mysite.com.pem,60d
Make sure to delete the private key from the www.mysite.com.pem file (sed needs -i to edit the file in place; without it the key stays in the file) :
sudo cp /etc/hiawatha/tls/www.mysite.com.pem /etc/hiawatha/tls/www.mysite.com.pem-BACKUP
sudo sed -i '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/d' /etc/hiawatha/tls/www.mysite.com.pem
sudo systemctl restart hiawatha
(2) Renew SSL/TLS certificate :
Make sure no proxy is set and port 80 can be accessed. Meanwhile, disable the TLS related settings before renewing. You need to restore the TLS settings after the renewal.
cd ~/hiawatha-10.6/extra/letsencrypt
sudo ./letsencrypt renew
Make sure to delete the private key from the www.mysite.com.pem file (sed needs -i to edit the file in place; without it the key stays in the file) :
sudo cp /etc/hiawatha/tls/www.mysite.com.pem /etc/hiawatha/tls/www.mysite.com.pem-BACKUP
sudo sed -i '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/d' /etc/hiawatha/tls/www.mysite.com.pem
sudo systemctl restart hiawatha
* You may consider writing an auto-renew script and running it from a cron job.
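The "delete the private key" step, in both the first-time install and the renewal above, is where a slip publishes the key: PublicKeyPins points at www.mysite.com.pem, so that file must hold only public material. The following Python script is an added example, not part of the post and not part of Hiawatha's letsencrypt script: it splits a combined PEM file into its blocks, drops every private-key block, and refuses a pin file that still carries one. The file names and the sample PEM bodies are constructed placeholders, not real key material.

```python
#!/usr/bin/env python3
"""Strip private-key blocks from a PEM bundle and verify the result.

Added example: not the post's commands and not part of Hiawatha's
letsencrypt script. The PEM bodies below are constructed placeholders.
"""
import re
import sys

# One PEM block: -----BEGIN <label>-----, base64 body, -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

# Labels that must never appear in a file handed to PublicKeyPins
PRIVATE_LABELS = {
    "PRIVATE KEY",
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
}


def split_pem(text):
    """Return (label, block) pairs in file order; text outside blocks is ignored."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def private_labels(text):
    """Labels of all private-key blocks found in text (empty list if clean)."""
    return [label for label, _ in split_pem(text) if label in PRIVATE_LABELS]


def strip_private_keys(text):
    """Return the bundle with every private-key block removed.

    Same effect as the post's sed range delete, but it also covers the
    'RSA PRIVATE KEY' and 'EC PRIVATE KEY' labels that the sed pattern misses.
    """
    public = [block for label, block in split_pem(text) if label not in PRIVATE_LABELS]
    return "\n".join(public) + "\n"


def check_pin_text(text):
    """Raise ValueError if text still holds a private key; else return its labels."""
    leaked = private_labels(text)
    if leaked:
        raise ValueError(f"private key block(s) present: {leaked}; not safe to publish")
    return [label for label, _ in split_pem(text)]


def rewrite_pin_file(src, dst):
    """Write a key-free copy of src to dst and return the labels kept."""
    with open(src) as f:
        cleaned = strip_private_keys(f.read())
    with open(dst, "w") as f:
        f.write(cleaned)
    return check_pin_text(cleaned)


# Constructed sample: what the letsencrypt script leaves in www.mysite.com.pem
# (key first, then certificate). Bodies are placeholders, not real key material.
SAMPLE_BUNDLE = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC_PLACEHOLDER\n"
    "-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIFazCCBFOgAwIBAgISA_PLACEHOLDER\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Usage: strip_pem.py <bundle.pem> <pins.pem>  (defaults to the sample)
    if len(sys.argv) == 3:
        print("kept:", rewrite_pin_file(sys.argv[1], sys.argv[2]))
    else:
        print("sample bundle leaks:", private_labels(SAMPLE_BUNDLE))
        print("after stripping:", check_pin_text(strip_private_keys(SAMPLE_BUNDLE)))
```

Run it against the real bundle as `strip_pem.py www.mysite.com-privkey.pem www.mysite.com.pem` before restarting Hiawatha; a ValueError here means the public file would have shipped the key.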
(3) Revoke SSL/TLS certificate : (Optional)
cd ~/hiawatha-10.6/extra/letsencrypt
sudo ./letsencrypt revoke /etc/hiawatha/tls/www.mysite.com.pem
sudo systemctl restart php7.0-fpm
sudo systemctl restart hiawatha
(G) Hardening of Ubuntu Server
(a) sysctl
sudo nano /etc/sysctl.d/60-hiawatha.conf
sudo sysctl -p /etc/sysctl.d/60-hiawatha.conf
(b) Apparmor
sudo apt-get install apparmor-profiles apparmor-utils
sudo nano /etc/apparmor.d/usr.sbin.hiawatha
sudo aa-enforce hiawatha
If you have changed some settings, reload the profile :
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
To disable this profile :
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha
To re-enable this profile after it has been disabled :
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
Remarks :
If you encounter "500 Internal Server Error", you may consider switching the AppArmor profile to "complain mode" :
sudo aa-complain hiawatha
After several days of browsing the website, you may consider switching AppArmor back to "enforce mode" :
sudo aa-logprof
sudo aa-enforce hiawatha
This is because the usr.sbin.hiawatha profile above may not work 100% for you.
(c) Linux Malware Detect (Optional)
Linux Malware Detect Installation
* the link above may be outdated and is for your reference only
(d) MySQL
Create Normal User on MySQL
(e) fail2ban
sudo apt-get install fail2ban
Change the setting at /etc/fail2ban/jail.conf when necessary.
(H) Storage Performance Tuning
It is recommended to use an SSD instead of a hard drive for the best performance.
(a) SSD
Verify TRIM is supported :
sudo hdparm -I /dev/sda | grep TRIM
If the output is similar to the following, TRIM is supported :
* Data Set Management TRIM supported (limit 1 block)
If you install your Ubuntu in LVM, the TRIM is usually enabled by default. You can confirm it :
cat /etc/lvm/lvm.conf | grep issue_discards
If the output is similar to the following, it is enabled :
issue_discards = 1
Then check that the I/O scheduler is set to "deadline" :
cat /sys/block/sda/queue/scheduler
noop [deadline] cfq
If not, set it :
sudo nano /etc/rc.local
Insert the following before "exit 0" :
echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler
* make sure your device is sda (or sdb ...)
To reload it or reboot your system :
sudo bash /etc/rc.local
After that, you need to edit the partition table (/etc/fstab) :
To make it looks like the following :
/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1
sudo mount -a
sudo mount -o remount /
If you get an error after running the commands above, DO NOT reboot your system. Correct the typo before doing so; otherwise, you will not be able to boot your system again.
(b) Hard Drive
sudo nano /etc/rc.local
Insert the following before "exit 0" :
echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests
* make sure your device is sda (or sdb ...)
To reload it or reboot your system :
sudo bash /etc/rc.local
After that, you need to edit the partition table (/etc/fstab) :
To make it looks like the following :
ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1
sudo mount -a
sudo mount -o remount /
If you get an error after running the commands above, DO NOT reboot your system. Correct the typo before doing so; otherwise, you will not be able to boot your system again.
(I) Redis for PHP Session
Storing the PHP sessions in memory will increase the speed of a web site.
sudo apt-get install php-redis redis-server
sudo nano /etc/php/7.0/fpm/php.ini
Change the following settings to :
session.save_handler = redis
session.save_path = "tcp://127.0.0.1:6379"
To restart Hiawatha and PHP :
sudo systemctl restart hiawatha
sudo systemctl restart php7.0-fpm
To confirm that it is working :
redis-cli
127.0.0.1:6379> keys *
The result will be similar to :
1) "PHPREDIS_SESSION:038gl83953j9bfnf02ksts52q5"
2) "PHPREDIS_SESSION:p53j1t43mbdp49cvaq1nv37o97"
3) "PHPREDIS_SESSION:kuop27qq6g6q265gu29000ee21"
4) "PHPREDIS_SESSION:84n96cba8colp73td8mslnjgq2"
Type "quit" to exit.
(J) Optional
To further harden Ubuntu Server, you may consider setting up a firewall (UFW/iptables) and placing the Ubuntu Server behind a Unified Threat Management (UTM) system or an Intrusion Prevention System (IPS).
Reference
Qualys SSL Labs
High-Tech Bridge
securityheaders.io
URL Rewrite for Hiawatha
That's all! See you.
Labels:
Hiawatha,
HPKP,
Let's Encrypt,
Ubuntu
Monday, April 17, 2017
HOWTO : Secure Surfing
According to OWASP Secure Headers Project, Secure Headers are setting response headers from the web server that can restrict modern browsers from running into easily preventable vulnerabilities.
The following are some of the secure header descriptions from the OWASP Secure Headers Project :
HTTP Strict Transport Security (HSTS)
"HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol."
Public Key Pinning Extension for HTTP (HPKP)
"HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates."
X-XSS-Protection
"This header enables the Cross-site scripting (XSS) filter in your browser."
Content-Security-Policy
"Content Security Policy (CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections."
When secure headers are set on web servers, it shows that the sysadmins/developers care about the security of their clients/users. Most attacks today, such as XSS and MITM attacks, go through browsers and target users.
We can learn more about a web server's response header settings by using an online tool - Analyse your HTTP response headers. It is recommended to have Grade A or A+ in the test. However, Grade B may be acceptable.
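The online checker gives a grade but hides the individual decisions. The following Python script is an added example, not from this post, from the DBS/HSBC research post above, or from the securityheaders.io tool: it parses a raw HTTP response and reports exactly the items both posts look at (HSTS, HPKP, X-XSS-Protection, Content-Security-Policy, and the Secure/HttpOnly flags on every Set-Cookie). The two responses it checks are constructed samples, not captures from any real site, and the 180-day HSTS threshold is an assumption.

```python
#!/usr/bin/env python3
"""Audit the security headers of a raw HTTP response.

Added example: not from the post and not the online tool it links to.
The responses below are constructed samples, not captures from any real site.
"""
import re

# HSTS max-age threshold used here: 180 days (assumption; the long max-age
# that the A+ grade discussed in the research post expects)
MIN_HSTS_AGE = 180 * 24 * 3600


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name_lower, value), ...]).

    Header order and duplicates (several Set-Cookie lines) are preserved.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def _has_flag(cookie, flag):
    # Cookie attributes are ';'-separated and case-insensitive
    return re.search(r";\s*" + flag + r"\s*(;|$)", cookie, re.IGNORECASE) is not None


def audit(raw, min_hsts_age=MIN_HSTS_AGE):
    """Return {check: True/False} for the headers discussed in the post."""
    _status, headers = parse_response(raw)
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)

    def first(name):
        return by_name.get(name, [""])[0]

    hsts_age = re.search(r"max-age=(\d+)", first("strict-transport-security"), re.I)
    hpkp = first("public-key-pins")
    xss = first("x-xss-protection").replace(" ", "").lower()
    cookies = by_name.get("set-cookie", [])

    return {
        # HSTS: present with a long enough max-age
        "hsts": bool(hsts_age) and int(hsts_age.group(1)) >= min_hsts_age,
        # HPKP: at least two pins (one backup) plus max-age, as RFC 7469 requires
        "hpkp": len(re.findall(r'pin-sha256="[^"]+"', hpkp)) >= 2 and "max-age=" in hpkp,
        # "Set properly" for the XSS filter: enabled and blocking
        "x-xss-protection": xss.startswith("1") and "mode=block" in xss,
        "content-security-policy": bool(first("content-security-policy")),
        # Every cookie must carry Secure and HttpOnly (vacuously true with no cookies)
        "cookie-secure": all(_has_flag(c, "secure") for c in cookies),
        "cookie-httponly": all(_has_flag(c, "httponly") for c in cookies),
    }


def missing(findings):
    """Names of the checks that failed, in report order."""
    return [name for name, ok in findings.items() if not ok]


# Constructed sample responses (not captured from any real site; pins are placeholders)
HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=15552000; includeSubDomains; preload\r\n"
    b'Public-Key-Pins: pin-sha256="PIN1PLACEHOLDER="; '
    b'pin-sha256="PIN2PLACEHOLDER="; max-age=5184000\r\n'
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"Set-Cookie: SESSION=abc123; Path=/; Secure; HttpOnly\r\n"
    b"\r\n<html></html>"
)
WEAK = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-XSS-Protection: 0\r\n"
    b"Set-Cookie: SESSION=abc123; Path=/\r\n"
    b"\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, "missing:", missing(audit(raw)) or "nothing")
```

To audit a live server, feed `audit()` the bytes of a response you captured yourself (for example with `curl -i` on a site you operate); the checks are the same ones the posts apply by hand.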
For the client side, it is recommended to install some add-ons or plugins for browser security. Firefox is recommended as there are a lot of such add-ons for this purpose. The following add-ons are recommended.
NoScript
Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
* You do not have to enable script blocking, as it will block the JavaScript that most modern websites use. You can allow scripts globally and still keep its XSS attack protection, which is on by default.
uBlock Origin
Finally, an efficient blocker. Easy on CPU and memory. (Please refer to the official site for details)
WebRTC Control
Have control over WebRTC (disable or enable) and protect your IP address.
Self-Destructing Cookies
Self-Destructing Cookies automatically removes cookies when they are no longer used by open browser tabs. With the cookies, lingering sessions, as well as information used to spy on you, will be expunged. Websites will only be permitted to identify you while you actually use them and can not stalk you across the entire web. This is the closest you will get to cookieless browsing without breaking every second site or tedious micromanaging.
HTTPS Everywhere
Encrypt the web! HTTPS Everywhere is a Firefox extension to protect your communications by enabling HTTPS encryption automatically on sites that are known to support it, even when you type URLs or follow links that omit the https: prefix.
If you are an Ubuntu user, you can enable the AppArmor profile for Firefox for further hardening.
When both the server side and the client side are secured, it is very hard to be attacked by XSS, MITM or some other attacks.
Happy surfing!
That's all! See you.
Labels:
Secure Headers
Saturday, April 15, 2017
Green PadLock is Safe?
According to Wikipedia, HTTPS only encrypts the traffic between browsers and web servers in order to prevent Man-In-The-Middle (MITM) attacks. HTTPS does not indicate that a website bearing a green padlock is "safe".
Many people misinterpret a website bearing a green padlock with an HTTPS URL as a "safe" website. "Safe" here means a website that does not carry out any malicious activity against its users.
Recently, I read an article, "When the 'S' in HTTPS also stands for shady". It shows that even information security guys and gals may misinterpret the purpose of HTTPS.
Since users can revoke and regenerate Let's Encrypt SSL certificates themselves, revoking the SSL certificates of malicious websites by Let's Encrypt is meaningless. Without Let's Encrypt, malicious hackers can purchase SSL certificates from other sources without any problem.
Ten-odd years ago, many experts stated that if the browser shows a locked padlock, you are "safe" and the website is "safe". That is misleading for sure.
We should educate users that even when a website looks legitimate and bears a valid SSL certificate, they should think before clicking any link on it, because most phishing sites look legitimate and have valid SSL certificates. They should check the URL of the website before going further, especially for banking and payment sites, and beware of the website being redirected to another URL.
By the way, malicious hackers can impersonate HTTPS traffic and carry out MITM attacks with ease today! No system is safe!
That's all! See you.
Labels:
HTTPS,
Let's Encrypt,
MITM
Wednesday, April 12, 2017
[RESEARCH] Information Security Scammers?
What Attracted Me
Recently, Nexus Guard and Zenedge caught my eye. They provide similar products/services, such as DDoS protection by Content Delivery Network (CDN) and Web Application Firewall (WAF).
The Nexus Guard website says that they are the leader in the market :
"As a longtime leader in DDoS defense, Nexusguard is at the forefront of the fight against malicious Internet attacks, protecting organizations worldwide from threats to their websites, services, and reputations."
The Zenedge website offers a free vulnerability and threat assessment to potential clients :
"The report is produced by our team of cybersecurity experts bring a collective 200 years of cybersecurity experience and have been responsible for mitigating some of the largest attacks. Ever."
Basic and Fast Research
I wondered why there are so many CDN providers recently. A CDN requires a lot of proxies around the world in order to absorb very large amounts of DDoS traffic, so they need to invest a lot in infrastructure. Therefore, I did some basic and fast research on them.
I found out that they both use Let's Encrypt free SSL/TLS certificates on their official websites. Meanwhile, their official websites are hosted (or the domains are hosted on a proxy) on akamaitechnologies.com.
I further found out that akamaitechnologies.com is registered by akamai.com - Akamai. Akamai provides CDN and cloud computing services, including WAF, and has been one of the well-known CDN and WAF providers in the market since 1998. I confirmed that akamai.com is also hosted (or the domain is hosted on a proxy) on akamaitechnologies.com, on a different IP address/subnet from Nexus Guard and Zenedge. Meanwhile, Nexus Guard and Zenedge are in the same subnet.
Nexus Guard
Nexus Guard conducted unprofessional research on Android TV boxes with 3 popular anti-virus programs, such as Dr. Web and ESET, in July 2014 and published it in a Hong Kong local magazine - East Week Vol. 568. They just posted the scan results and misled readers into believing that some Android TV boxes are vulnerable to so-called backdoors. However, they did not confirm whether the so-called backdoors are exploitable.
Nexus Guard also released an article about DDoS in May 2016 in which they mentioned that DDoS by NTP was at the top of the list of attacks. However, it seems that they do not know that the NTP attacks at that time were due to a zero-day vulnerability in the NTP protocol.
Most of their reports, threat advisories and whitepapers restate information security news that is already publicly available. Do they think that writing so many reports, threat advisories and whitepapers will make them look more like a professional information security firm?
Zenedge
Since Zenedge offers a free vulnerability and threat assessment on their website, I tried to contact the sales agent on the Zenedge site and he redirected me to Nelson Chen, who is CISSP, CISA, CISM and Director of Security Solutions at Zenedge. I requested a free vulnerability and threat assessment of my personal site on April 10, 2017 via direct email with Nelson. However, I have not had any reply from him since then (3 days at the time of this writing).
That makes me wonder whether they are pretending to provide a free service in order to obtain information about potential clients for promotional purposes. Or is Nelson thinking too much when an infosec (information security) guy approaches them, since they expect their customers to be noobs? Or do they not have any professional infosec guy to assess my personal site? Or is my personal site too lame for them to bother with?
Questions in Mind
If Nexus Guard and Zenedge have their own CDN and products/services, why are their official websites hosted (or their domains hosted on a proxy) on Akamai? Do they not believe that their products/services are better than Akamai's? Are Nexus Guard and Zenedge resellers/Value Added Resellers of Akamai? Are they all information security scammers?
Conclusion
Think carefully before you purchase information security services or products. Do more research on infosec providers/vendors before making any decision. Finally, it is difficult in general to tell the professional from the unprofessional.
Reference
Distributed Denial-of-Service Attack
Content Delivery Network
Web Application Firewall
(a) Nexus Guard - https://www.nexusguard.com/
Domain is registered on Sept 9, 2008
Server common name : secure0009.hubspot.com
Server domain #1 : a184-50-88-78.deploy.static.akamaitechnologies.com (184.50.88.78)
Server domain #2 : a184-50-88-3.deploy.static.akamaitechnologies.com (184.50.88.3)
Server IP : 128.177.173.177:443
(b) Zenedge - https://www.zenedge.com/
Domain is registered on Jan 7, 2013
Server common name : secure0004.hubspot.com
Server domain #1 : a184-50-88-76.deploy.static.akamaitechnologies.com (184.50.88.76)
Server domain #2 : a184-50-88-3.deploy.static.akamaitechnologies.com (184.50.88.3)
Server IP : 69.31.76.226:443
(c) Akamai - https://www.akamai.com/
(Akamai Technologies - akamaitechnologies.com)
Domain is registered on Aug 17, 1998
Server domain : a23-75-36-144.deploy.static.akamaitechnologies.com (23.75.36.144)
That's all! See you.
Labels:
Akamai,
CDN,
Nexus Guard,
WAF,
Zenedge
Sunday, April 09, 2017
Catch Me If You Can 4
This is the fourth article in the "Catch Me If You Can" series. The previous three articles talked about how to avoid being caught. This article, however, talks about what you can do, once you have been arrested, to avoid being charged for hacking.
Once you have been arrested, your digital devices (such as personal computers, laptops, smartphones and other devices) will be seized. The "device" below applies to personal computers and laptops only. Law enforcement will conduct digital forensics on all your devices in order to seek any evidence of cyber crime you have committed. However, if your devices are still switched on when you are arrested, law enforcement will not turn them off and will conduct the digital forensics right away.
You can use BleachBit to wipe deleted files, logs and backups. However, some valuable files may not be deleted. Therefore, BleachBit may not be a very good solution, even though it is good practice to use it for the purpose.
Offensive Security's Kali Linux development team ported a self-destructing LUKS encryption to Kali Linux from version 1.0.6 that allows the hard drive (or SSD) to be fully encrypted with a normal passphrase and a nuke passphrase. Once the nuke passphrase is entered, all the passphrases for decryption are deleted and the hard drive (or SSD) cannot be recovered. Therefore, the hard drive (or SSD) is safe from digital forensics. If you are not using Kali Linux for hacking, you can apply self-destructing LUKS encryption to some other Linux distributions.
It is recommended that the self-destruction nuke passphrase be much shorter than the normal passphrase in order to protect your device from brute forcing. Meanwhile, it is not recommended to back up your normal passphrases anywhere.
What if the device is still switched on? It is recommended to force the device off by long-pressing the power button or unplugging the power supply if you can while you are being arrested. Make sure you set up your device to power off when the power button is long-pressed instead of suspending.
Different countries have different cyber crime laws. Even if law enforcement cannot get any evidence from your devices, you may be charged with other offences under the laws of your country.
That's all! See you.
Reference
Emergency Self-destruction LUKS in Kali
LUKS and Nuke Key Installation on Ubuntu
Bleachbit
See Also
Catch Me If You Can
Catch Me If You Can 2
Catch Me If You Can 3
Labels:
Bleachbit,
Kali Linux,
Nuke,
Ubuntu
Wednesday, March 29, 2017
HOWTO : Highest secured Hiawatha Web Server 10.5 on Ubuntu Server 16.04 LTS
(A) Introduction
Hiawatha Web Server is designed with security in mind. It has some built-in security features that protect against common attacks, such as SQLi, XSS and CSRF. It can also be configured to block scanning by vulnerability scanners.
Hiawatha is a lightweight, fast and secure web server. It works well with PHP and MySQL. The following guide shows how to configure Hiawatha in a very secure way on Ubuntu Server LTS.
(B) Software Prerequisite
The current versions at the time of this writing :
(1) Ubuntu Server 16.04.2 LTS
(2) CMake 3.7.2
(3) Hiawatha 10.5
(C) Installation of PHP7.0 and MySQL
sudo apt-get install php7.0-cgi php7.0 php7.0-cli php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php7.0-imap php7.0-mcrypt php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl apache2-utils php7.0-fpm php-memcache php-imagick php-cache mysql-server mysql-client
(D) Installation of Hiawatha
sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev
(a) Install CMake
wget https://cmake.org/files/v3.7/cmake-3.7.2.tar.gz
tar -xvzf cmake-3.7.2.tar.gz
cd cmake-3.7.2
./configure
make
sudo make install
(b) Install Hiawatha
wget http://www.hiawatha-webserver.org/files/hiawatha-10.5.tar.gz
tar -xzvf hiawatha-10.5.tar.gz
cd hiawatha-10.5/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_10.5_amd64.deb
(E) Configuration of PHP7.0
sudo nano /etc/php/7.0/fpm/php.ini
Make the following changes.
allow_url_fopen = Off
session.cookie_httponly = 1
disable_functions = [EXIST_FUNCTION],system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
* [EXIST_FUNCTION] stands for the functions already listed under "disable_functions" in php.ini
(F) Let's Encrypt on Hiawatha
(a) Configuration of Hiawatha
sudo mkdir -p /etc/hiawatha/enable-sites
sudo mkdir -p /etc/hiawatha/disable-sites
Edit "cgi-wrapper.conf".
sudo nano /etc/hiawatha/cgi-wrapper.conf
Set the following.
CGIhandler = /usr/bin/perl
CGIhandler = /usr/sbin/php7.0-fpm
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi
Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data
Change the ownership of the log files.
cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log
sudo chown www-data:www-data garbage.log
sudo chown root:root system.log
Change the ownership of the web application files.
cd /var/www/mysite
sudo chown -R root:root *
The following are examples of "hiawatha.conf" and "mysite.com".
/etc/hiawatha/hiawatha.conf example :
/etc/hiawatha/enable-sites/mysite.com example :
(b) Self Signed SSL Certificate Generation
To generate a self-signed SSL certificate for the web root (the default virtual host).
openssl genrsa -out default.pem 4096
openssl req -new -x509 -days 3650 -key default.pem -out server.crt
echo "" >> default.pem
cat server.crt >> default.pem
echo "" >> default.pem
rm -f server.crt
sudo mkdir -p /etc/hiawatha/tls
sudo cp default.pem /etc/hiawatha/tls
sudo chown www-data:www-data /etc/hiawatha/tls/default.pem
sudo chmod 400 /etc/hiawatha/tls/default.pem
sudo chmod 400 -R /etc/hiawatha/tls
(c) Let's Encrypt Generation and Configuration
To generate the SSL certificate for www.mysite.com.
wget https://www.hiawatha-webserver.org/files/letsencrypt.tar.gz
tar -xvzf letsencrypt.tar.gz
cd letsencrypt
nano letsencrypt.conf
Change the email "info@example.org" to your own, as the Let's Encrypt bot will notify you of the certificate's expiry date :
ACCOUNT_EMAIL_ADDRESS = samiux@gmail.com
Change the RSA Key size from "2048" to "4096" :
CERTIFICATE_RSA_KEY_SIZE = 4096
Uncomment "Production" and comment out "Testing" :
LE_CA_HOSTNAME = acme-v01.api.letsencrypt.org # Production
#LE_CA_HOSTNAME = acme-staging.api.letsencrypt.org # Testing
Make sure port 80 is reachable and run the following commands.
For the first time, you need to register with Let's Encrypt. Make sure you keep the generated "account.key" in a safe place. "account.key" must be back in its original place when renewing the SSL certificate.
./letsencrypt register
To generate the SSL certificate.
sudo ./letsencrypt request www.mysite.com
To revoke the SSL certificate (Optional).
sudo ./letsencrypt revoke /etc/hiawatha/tls/www.mysite.com.pem
To renew SSL certificate (Optional).
sudo ./letsencrypt renew
Get the Let's Encrypt X3 intermediate certificate from https://letsencrypt.org/certificates/ and select :
Let’s Encrypt Authority X3 (IdenTrust cross-signed)
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
sudo sh -c 'echo "" >> /etc/hiawatha/tls/www.mysite.com.pem'
sudo sh -c 'cat lets-encrypt-x3-cross-signed.pem.txt >> /etc/hiawatha/tls/www.mysite.com.pem'
sudo sh -c 'echo "" >> /etc/hiawatha/tls/default.pem'
sudo sh -c 'cat lets-encrypt-x3-cross-signed.pem.txt >> /etc/hiawatha/tls/default.pem'
To generate the base64-encoded SHA-256 hashes of the certificates' public keys (the HPKP pins). The first one is for the "mysite.com" SSL certificate and the second one is for the SSL certificate of the web root directory.
openssl x509 -in /etc/hiawatha/tls/www.mysite.com.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
openssl x509 -in /etc/hiawatha/tls/default.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
Then change the "CustomHeaderClient = Public-Key-Pins:" values in "/etc/hiawatha/enable-sites/mysite.com". The first "pin-sha256" is for "mysite.com" and the second "pin-sha256" is for the web root. The other "pin-sha256" values are taken from the Qualys SSL Labs test site (see below).
With the help of Qualys SSL Labs, you can further tune the HPKP configuration and test the grading of your site. The highest grade is A+.
The grade of the site is A+ on both the Qualys SSL Labs and High-Tech Bridge SSL certificate tests. It is also compliant with the PCI DSS 3.1 requirements, as reported by High-Tech Bridge.
The Let's Encrypt SSL certificate will expire in about 28 days and must be renewed. Make sure you update "CustomHeaderClient = Public-Key-Pins:" in /etc/hiawatha/enable-sites/mysite.com (in this example): the first "pin-sha256" has to be updated. After that, restart Hiawatha.
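As an added example, not part of the original post, the following Python check guards against the renewal mistake just described: it recomputes the pin-sha256 of the key actually served and confirms that the Public-Key-Pins value lists it together with a distinct backup pin (the default.pem key in the post). The SPKI byte strings are constructed stand-ins; in practice the pins come from the openssl commands above.

```python
"""Check a Public-Key-Pins header against the key actually served.

Added example, not part of the original post. RFC 7469 defines the pin as
base64(SHA-256(DER-encoded SubjectPublicKeyInfo)), which is what the
openssl pipeline above prints. The SPKI byte strings below are constructed
stand-ins so the check runs offline; real ones come from the certificates.
"""
import base64
import hashlib
import re


def spki_pin(spki_der):
    """Return the pin-sha256 value for DER-encoded SubjectPublicKeyInfo bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pkp_header(spki_ders, max_age=5184000):
    """Build a Public-Key-Pins value (60-day max-age by default) from SPKI blobs."""
    parts = ['pin-sha256="%s"' % spki_pin(der) for der in spki_ders]
    parts.append("max-age=%d" % max_age)
    return "; ".join(parts)


def parse_hpkp(header_value):
    """Return (pins, max_age_or_None, include_subdomains) from a header value."""
    pins = re.findall(r'pin-sha256="([^"]+)"', header_value)
    match = re.search(r"max-age\s*=\s*(\d+)", header_value, re.IGNORECASE)
    max_age = int(match.group(1)) if match else None
    return pins, max_age, "includesubdomains" in header_value.lower()


def check_hpkp(header_value, live_spki_der, backup_spki_der):
    """Return a list of problems; an empty list means the header is safe to serve.

    live_spki_der is the SPKI of the certificate currently served
    (www.mysite.com.pem in the post) and backup_spki_der is the key of the
    self-signed default certificate kept as the backup pin.
    """
    pins, max_age, _ = parse_hpkp(header_value)
    live, backup = spki_pin(live_spki_der), spki_pin(backup_spki_der)
    problems = []
    if max_age is None:
        problems.append("max-age directive missing")
    if len(pins) < 2:
        problems.append("at least two pins (one backup) are required")
    if live not in pins:
        # The failure mode the post warns about: after a certificate renewal
        # the first pin must be regenerated, otherwise returning browsers
        # reject the site until their cached max-age expires.
        problems.append("pin for the served certificate key is not listed")
    if backup not in pins:
        problems.append("backup key is not pinned")
    if backup == live:
        problems.append("backup key must differ from the served key")
    return problems


# Constructed stand-ins for DER SPKI blobs (not real keys).
LIVE_SPKI = b"constructed-spki-www.mysite.com-before-renewal"
RENEWED_SPKI = b"constructed-spki-www.mysite.com-after-renewal"
BACKUP_SPKI = b"constructed-spki-default.pem"

if __name__ == "__main__":
    header = pkp_header([LIVE_SPKI, BACKUP_SPKI])
    print("CustomHeaderClient = Public-Key-Pins: " + header)
    print("before renewal:", check_hpkp(header, LIVE_SPKI, BACKUP_SPKI))
    print("after renewal, pin not updated:",
          check_hpkp(header, RENEWED_SPKI, BACKUP_SPKI))
```

Run it after every renewal and before restarting Hiawatha; a non-empty result means the header would lock returning visitors out. Note that browsers have since dropped HPKP support (Chrome removed it in 2018), so the pinning header itself is of historical interest.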
(G) Hardening of Ubuntu Server
(a) sysctl
sudo nano /etc/sysctl.d/60-hiawatha.conf
sudo sysctl -p /etc/sysctl.d/60-hiawatha.conf
(b) Apparmor
sudo apt-get install apparmor-profiles apparmor-utils
sudo nano /etc/apparmor.d/usr.sbin.hiawatha
sudo aa-enforce hiawatha
If you have changed some settings, reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
To disable this profile.
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha
To re-enable this profile after it has been disabled.
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
Remarks :
If you encounter a "500 Internal Server Error", consider switching AppArmor to "Complain mode".
sudo aa-complain hiawatha
After several days of browsing the website, consider switching AppArmor back to "Enforce mode".
sudo aa-logprof
sudo aa-enforce hiawatha
This is because the usr.sbin.hiawatha profile above may not work 100% for your setup.
(c) Linux Malware Detect (Optional)
Linux Malware Detect Installation
* the link above may be outdated; it is for your reference only
(d) MySQL
Create Normal User on MySQL
(e) fail2ban
sudo apt-get install fail2ban
Change the settings in /etc/fail2ban/jail.conf as necessary.
(H) Storage Performance Tuning
An SSD is recommended over a hard drive for the storage, for much better performance.
(a) SSD
Verify TRIM is supported :
sudo hdparm -I /dev/sda | grep TRIM
If the output is similar to the following, TRIM is supported :
* Data Set Management TRIM supported (limit 1 block)
If you installed Ubuntu on LVM, TRIM is usually enabled by default. You can confirm it :
cat /etc/lvm/lvm.conf | grep issue_discards
If the output is similar to the following, it is enabled :
issue_discards = 1
Then check that the I/O scheduler is set to "deadline" (the active scheduler is shown in brackets) :
cat /sys/block/sda/queue/scheduler
noop [deadline] cfq
If it is not, set it :
sudo nano /etc/rc.local
Insert the following before "exit 0" :
echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler
* make sure your device is sda (or sdb ...)
To reload it or reboot your system :
sudo bash /etc/rc.local
After that, you need to edit the mount options in /etc/fstab so that the root entry looks like the following :
/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1
sudo mount -a
sudo mount -o remount /
If you have an error after running the captioned commands, DO NOT reboot your system. You should correct the typo before doing so; otherwise, you cannot boot to your system again.
(b) Hard Drive
sudo nano /etc/rc.local
Insert the following before "exit 0" :
echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests
* make sure your device is sda (or sdb ...)
To reload it or reboot your system :
sudo bash /etc/rc.local
After that, you need to edit the mount options in /etc/fstab so that the root entry looks like the following :
ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1
sudo mount -a
sudo mount -o remount /
If you have an error after running the captioned commands, DO NOT reboot your system. You should correct the typo before doing so; otherwise, you cannot boot to your system again.
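Because a typo in /etc/fstab can leave the system unbootable, it is worth checking the file before the mount -a step in either the SSD or the hard drive procedure above. The following added example (not part of the original post) does two checks: it reads the active I/O scheduler out of the bracketed /sys format shown above, and it validates an fstab-style file (six fields per entry, a root entry with noatime and pass field 1). The embedded fstab samples are constructed; in real use point the functions at /sys/block/sda/queue/scheduler and /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the storage
# tuning steps. scheduler_active() parses the /sys scheduler format and
# fstab_check() catches the field/option typos the post warns about before
# you reboot. The two fstab samples below are constructed.

# A correct root entry as in the post, plus a swap entry.
GOOD_FSTAB='/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1
/dev/mapper/ubuntu--vg-swap_1 none swap sw 0 0'

# The same root entry with a stray space after a comma: the options field
# splits in two, giving seven fields, and mount will not understand it.
BAD_FSTAB='/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime, norelatime,errors=remount-ro 0 1'

# Print the active I/O scheduler, i.e. the bracketed word in "noop [deadline] cfq".
# Usage: scheduler_active /sys/block/sda/queue/scheduler
scheduler_active() {
    sed -n 's/.*\[\([^]]*\)\].*/\1/p' "$1"
}

# Validate an fstab file: every non-comment line must have exactly 6 fields,
# and the root entry must carry noatime and pass field 1. Prints each
# problem and returns 1 if any was found, 0 otherwise.
# Usage: fstab_check /etc/fstab && sudo mount -a
fstab_check() {
    awk '
        BEGIN { bad = 0; root = 0 }
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ { next }
        NF != 6 { printf "line %d: expected 6 fields, got %d\n", NR, NF; bad = 1; next }
        $2 == "/" {
            root = 1
            if ("," $4 "," !~ /,noatime,/) { printf "line %d: root entry lacks noatime\n", NR; bad = 1 }
            if ($6 != "1") { printf "line %d: root pass field should be 1\n", NR; bad = 1 }
        }
        END { if (!root) { print "no root (/) entry"; bad = 1 } exit bad }' "$1"
}
```

Run fstab_check against a copy of the edited file first; only when it reports nothing, run mount -a and the remount, and still do not reboot if either of those prints an error.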
(I) Optional
To further harden the Ubuntu Server, you may consider setting up a firewall (UFW/iptables) and placing the Ubuntu Server behind a Unified Threat Management (UTM) system or an Intrusion Prevention System (IPS).
Reference
Qualys SSL Labs
High-Tech Bridge
securityheaders.io
URL Rewrite for Hiawatha
That's all! See you.
Labels:
Hiawatha,
Let's Encrypt,
Ubuntu