HOWTO : Shellter on PE files

Shellter is a dynamic shellcode injection tool, and probably the first dynamic PE infector ever created.

It can be used in order to inject shellcode into native Windows applications (currently 32-bit apps only).

The shellcode can be something yours or something generated through a framework, such as Metasploit.

Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants and/or he chooses Basic Mode), adding an extra section with RWE access,and whatever would look dodgy under an AV scan.

Shellter uses a unique dynamic approach which is based on the execution flow of the target application.



That's all! See you.

HOWTO : The Mole on Kali Linux 1.0.7

The Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the injection and exploit it, either by using the union technique or a boolean query based technique.

Features

- Support for injections using Mysql, SQL Server, Postgres and Oracle databases.
- Command line interface. Different commands trigger different actions.
- Auto-completion for commands, command arguments and database, table and columns names.
- Support for filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
- Exploits SQL Injections through GET/POST/Cookie parameters.
- Developed in python 3.
- Exploits SQL Injections that return binary data.
- Powerful command interpreter to simplify its usage.

Tutorials

Quick start
Command Usage
Exploiting injections through POST/Cookies
Filters - bypassing IDS/IPS
Exploiting injections that return binary data
Writing custom filters

Installation

apt-get update
apt-get install themole

Run it

themole -h
themole -u "http://www.samiux.com/?id=1" -n "admin"




That's all! See you.

HOWTO : Fix the half installed package in Kali Linux/Debian

I forgot to delete the Iceweasel on my Kali Linux before installing Firefox. The firefox installation is failed as expected. I removed the sources.list entry of the firefox and conducted "apt-get update". However, I got a message of "the package firefox-mozilla-build needs to be reinstalled, but I can't find an archive for it". The apt-get command does not work properly anymore.

Later, I fixed the problem by issuing the following commands :

sudo dpkg-reconfigure firefox-mozilla-build --force
sudo dpkg --purge --force-all firefox-mozilla-build

After that, I perform "sudo apt-get update", the error message gone.

That's all! See you.

sysdig and Attackers

When a system is compromised, attackers usually erase the syslog and other related log files in order to hide his/her intrusion activities.

Nowadays, attackers should also erase one more log file, namely sysdig. sysdig will log all the activities in a file, namely *.scap.gz. Sysadmin can backtrack all the activities of all users (including intruders).

For more details of sysdig, you can refer to Draios Blog - Fishing for Hackers: Analysis of a Linux Server Attack.

That's all! See you.

Facebook Vulnerability - Name by Phone Number

ubugnu discovered a vulnerability in Facebook that you can search the users in the Facebook by random generated telephone numbers. He also developed a bash script to proof his concept. The script will find all the matching telephone numbers to the owners (Facebook users who have registered their telephone number in their accounts).

For details, please read the developer's GitHub page.

That's all! See you.

BONUS

Facebook Vulnerability - Hidden Friends Crawler

Croissants - Intrusion Detection and Prevention System

INTRODUCTION

In 2013, I joined the SmoothSec project and modified it to adopt to Intrusion Detection and Prevention System by using Suricata with AF_PACKET. Since SmoothSec 3.4 is developed on Debian 7 (Wheezy), the Linux kernel 3.2.x is too old for Suricata with AF_PACKET. I used the backport kernel to complete the task. However, it makes the system not so easy to maintain.

Meanwhile, the SmoothSec project seems to be dead. The core developer does not active in the project and IRC channel. Therefore, I make up my mind to create a new project namely "Croissants" based on the SmoothSec. Croissants is designed for Ubuntu Server LTS or higher (Long Team Support only) and targeted to work with Suricata on AF_PACKET only. It is an Open Source Project under GPLv3 License by Samiux.

Croissants is a bash script instead of a Linux distribution likes SmoothSec. It downloads and compiles as well as setup the applications almost automatically. It combines with Suricata (IDPS Engine), Snorby (Event Manager & Web Interface), Pigsty (Event Spooler) and Pulledpork (Rules Manager). It will use the latest verion of the software on every installation but the only drawback is requiring internet.

WHY UBUNTU AND AF_PACKET?

I am a long term user of Ubuntu since 2006 (Ubuntu 6.06). I find that Ubuntu uses newer packages and kernel. Ubuntu can be set to update the system automatically, although you can do it with cron job. It makes the system almost up-to-date in order to avoid some known vulnerabilities attack. Therefore, you can focus on your business and network security monitoring (NSM). Furthermore, Ubuntu is free forever according to the founder, Mark Richard Shuttleworth.

AF_PACKET can be running on a very low-end computer, such as Intel ATOM D2550. The performance of the AF_PACKET is very good under this CPU on my home network. I can watch 720p Youtube video without lagging on my network (10Mbit internet and Gigabit internal network with Untangle UTM and Croissants). The amount of RAM is 8GB on this default setup. However, home router will be lagged while watching 720p Youtube video. This poor performance should be caused by the home router.

WHY CROISSANTS?

Croissants (food) is delicious and common as well as cheap in price. I would like Intrusion Detection and Prevention System is common and cheap in price that everyone can affort.

Croissants can run on a low-end computer such as Intel ATOM D2550 with 3 network interface cards and 4GB RAM. This configuration is ideal for home network and home office. For business, I recommended to have a more high-end multi-core computer and more than 32GB RAM for Croissants with some tuning on Suricata engine.

INSTALLATION

Make sure your computer can access to the internet when installing. Meanwhile, the "automatically update" should also be selected when installing Ubuntu Server. Set the Ubuntu Server LTS to UTC time zone at the end of the setup; otherwise, the time stamp of Snorby (event manager web application) will be incorrect. You are required to install OpenSSH only during the installation of Ubuntu Server.

Download the Croissants from here. Extracts it and runs the script namely "nsm_install" with "sudo". After that, re-cabling the computer when necessary and then reboot. That's all! However, the installation may take hours which is depending on the power of your hardware and the internet speed.

You can even reinstall the Snorby database by running "nsm_snorby_db_reinstall" after the trial run.

When you write some local rules, you can update them to the system by running the script "nsm_rules_update". When you want to update the Ubuntu Server, you can run "update_ubuntu". When updating the Croissants, you can run "update_nsm" which will update the system by compiling from source code that download from the internet. Make sure to run those scripts with "sudo".

In addition, Croissants will update the rules file on every 4 hours automatically.

That's all! See you.

HOWTO : Azazel on Debian Wheezy

I know this rootkit - Azazel for some time; however, I am busy to give it a test. Recently, I am bored and take it a look.

Azazel is a linux userland rookit based on original LD_PRELOAD technique from Jynx (rootkit). Azazel has some features that are very useful for attackers, such as file hidden and anti-debugging.

I set up four virutalbox guests in Debian 7 (Wheezy), Ubuntu 12.04.4 LTS, Ubuntu 14.04 LTS and CentOS 6.5.

The Azazel can be compiled without problem if you installed the required libraries. You need root privilege to install this rootkit. Once installed, you are very hard to remove it unless you re-install your system. However, the developer sugguest to remove one of the files by booting from live cd.

After a very quick test on Azazel under the above mentioned Virtualbox (version 4.3.10 r93012) guests, only Debian can run it flawlessly. Ubuntu cannot be reboot. CentOS cannot be login after the reboot. Azazel cannot be ran properly in Ubuntu and CentOS too. I think no attacker will want to destroy the victim box unless s/he really want to.

After a quick look at the developer's products, I think that the developer is running Debian and his products should be tested on Debian only.

Meanwhile, only backdoor, anti-debugging and file hidden of Azazel on Debian are tested. Plaintext backdoor and Crypthook backdoor cannot be tested successful in my lab. Once the file is hidden, you cannot undo it and it can be access by Azazel only.

If you want to port this rootkit to other Linux distributions, you need to modify the source code. One of the reasons that Linux is harder to be attacked due to too many variants.

REFERENCE

To compile Azazel on Debian or Ubuntu, you need to do the following :

apt-get install libpam0g-dev libssl-dev libpcap0.8-dev build-essential git

To compile Azazel on CentOS, you need to do the following :

yum install gcc make pam-devel openssl-devel libpcap-devel

That's all! See you.

Exploit-Dev : Heartbleed (CVE-2014-0160) Final

Updated the source code on April 20, 2014 to version 0.8.




Since the code that wrote at here is not working for getting the RSA Private key from the Heartbleed vulnerable server, I modified another python script at here. This script is developed by mothran. The script use his version tlslite library to write his code.

I modified his code but I have no time to test the most important feature, capture the RSA Private key. If anyone who have time to test the code that I modified for that purpose, please let me know the result. I can be reached at here.

The limitation of the script is not the power of the attacker's machine but the victim's server. If you use threading feature, the limitation for the threading may be up to 40. Meanwhile, the screen output of the script will be in a mess. However, I set a private key found flag detection in the script.

Be keep in mind that this script may have bug as it is a Proof-of-Concept code. You are reminded that this code may vulnerable to Lucky-Thirteen.

Furthermore, this code may not trigger the IDS/IPS or iptables rules that is target for the first released exploit code. Hereby, I attached the version 0.3 0.4 0.5 0.6 0.7 0.8 here.

If the code is quit unexpectedly for the first try, it is either the victim is not enabled SSL or the victim is not vulnerable. Meanwhile, it is very interesting to know that when the victim server is under the attack, the loading of the server is very low and there is no entry in the access log of the server. Wonderful, right?

REMARK :

May be I am not so lucky to capture the private key from my lab (Apache with OpenSSL). I cannot capture the private key even running the script for days against my lab virtual machine. Does the private key remains in the memory only in some situation? Or, I am not so lucky? Please let me know the reason, thanks.

UPDATE :

According to the first winner of Cloudflare Challenge, Fedor Indutny that we need some luck to get the private key even you know how to get it.

To install Node.js, please follow this link.

UPDATE 2 :

I even cannot get the private key from Nginx with OpenSSL by Fedor Indutny's code. I wonder if it is because of the Nginx and OpenSSL setting or not. I following this link to set up the Nginx Server.

Recently find the Cloudflare SSL setting on Nginx server at here. I think it is the matter. Meanwhile, according to this article, Ubuntu 13.10 was used in Cloudflare Challenge.

Found a needle in the haystack!



Version : 0.8



REFERENCE

How I obtained the private key for www.cloudflarechallenge.com - Python
Extracting server private key using Heartbleed OpenSSL vulnerability - Node.js
OpenSSL Heartbleed (CVE-2014-0160) vulnerability scanner, data miner and RSA key-restore tools - Python3

That's all! See you.

Exploit-Dev : Heartbleed (CVE-2014-0160) Reload

Please note that this method may not retrieve the RSA Private key properly but it can retrieve other information from the memory, e.g. session id, cookie, username, password and etc. A working version of the RSA Private key dump will be posted later when it is done.

I modified the Proof-of-Concept by Jared Stafford and Michael Davis at here yesterday. The code is to dump the cookie, session as well as username and password from the memory of the victim server.

If you want to dump the data other than the above mentioned, for example, private key, you need the another method. I modified the source code of Derek Callaway and then monitor the dump by using ngrep.

poc-tls-samiux.py :


exploit-heartbleed.sh :


ngrep-heartbleed.sh :


For the usage, please read the bash script files for details.



See Also :
Exploit-Dev : Heartbleed (CVE-2014-0160) Final
Modified version by Mike Baker for scanning .onion addresses

That's all! See you.

Exploit-Dev : Heartbleed (CVE-2014-0160)

Jared Stafford developed a Proof-of-Concept code at here for the bug in OpenSSL namely Heartbleed, CVE-2014-0160. You can test the site in question at Heartbleed test.

To test for the client, you need this site

Michael Davis modified the code of Jared Stafford at here to dump the cookie from the memory of the victim server.

Since some parameters in the source code of Michael Davis are hard coded, I modified his work and make the parameters more feasible. Hereby, I am going to explain how to use this piece of code.



For the default value of port (443), cookie id (session) and length of the cookie (1024) :

python heartbleed-samiux.py victim_server

For customized value of port, cookie id and length of the cookie :

python heartbleed-samiux.py victim_server -p 8080 -c sessionid -l 4096

The result will be printed out on the screen.

Please note that the format of the victim_server should be "samiux.org".

python heartbleed-samiux.py samiux.org

Update for Version 2 (dated April 11, 2014)

This version is updated for handling different version of SSL/TLS.



Related : Exploit-Dev : Heartbleed (CVE-2014-0160) Reload
See Also : Exploit-Dev : Heartbleed (CVE-2014-0160) Final


That's all! See you.

Ebury SSH Rookit/Backdoor Trojan

About 3 days ago, an Ubuntu user (aka Empire-Phoenix) shouted for help at Ubuntu Forums - Security Discussions that his server has been infected by Ebury SSH Rookit/Backdoor Trojan. In his case, his mail server IP address has been blacklisted due to the infection. His story is here.

CERT Bund has announced the details about this rootkit/backdoor and they also include the Snort rule for the detection. The link is here.

The only solution is to re-install the server(s).

However, the main question is how the intruder(s) compromise our server(s) and install the rootkit? Our server(s) is/are compromised via SSH or other vulnerabilities in the server(s)?

Even if we re-install our server(s) after the infection but leave the unknown factor(s) behind, our server(s) will be infected again. If we installed IDS, we will be notified about the infection but we also need to re-install the server(s) that in question.

I supposed that the server of the captioned Ubuntu user is up-to-date and he had nothing to do with this infection as his server is a production server and he also do not know what is the problem on his server before the infection. The defensive solution is to do penetration test on the server in a regular time and it may prevent this from happening.

Update

More news here.

That's all! See you.

To Be (In)Secure on Kali Linux?

Kali Linux is developed based on Debian 7 (Wheezy). Kali is designed for Penetration Testing and it is running in root privilege. However, almost all the Kali Linux users will also use it as a primary operating system.

When it is using as a Penetration Testing toolkit, the root privilege is in use. When it is using as a primary operating system, the non-root privilege is a good practice. Therefore, a sudoer will be a good choice. However, be keep in mind that sudoer will not guarantee your sudoer account will not be compromised if it equipped with a weak password and easy guess user name.

Penetration Testers or Information Security Researchers will use their browser most of the time as same as other general users. Kali Linux equipped with Iceweasel, which is based on Firefox, and it can use Firefox add-ons. In the BackTrack's old days, we will use "NoScript" Firefox add-on. However, almost all the web sites nowadays are using javascript. It is impossible to disable the javascript or the web broswing experience will be difference. Therefore, "NoScript" is not the solution. However, "NoScript" is blocking XSS attacks by default even the "NoScript" is set to globally allowed.

Kali Linux and tools developers cannot guarantee that their products are free from vulnerabilities. How about if we are being intruded when we are doing pentesting? So embarrassing, right?

If we enable firewall when we are doing pentesting, you will shooting on our toes. If we do not enable the firewall when we are using Kali Linux as primary operating system, we will worrying if anyone can attack our box or not.

Now, we know that what we are facing at the moment. Surfing internet with "NoScript" is not a good solution and we maybe facing vulnerabilites. I think that the best solution for Debian based Linux system is Apparmor.

"AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours." -- Quoted from Apparmor WiKi.

It is very easy to enable Apparmor on Kali Linux. Just passing some kernel parameters when boot and install related packages.

We can enable (or enforce) all the Apparmor profiles (which includes log systems and some services) as well as we can create our own profiles for Iceweasel and any internet connectivity applications, such as HexChat and VirtualBox. If we have Iceweasel Apparmor profile in action, there is no javascript/java malware can successfully attack the browser. For details, We can refer to the documention of Apparmor at here.

Meanwhile, Kali Linux does not equipped with firewall or firewall is not enabled. There is almost no running service by default setting unless you enable it. Therefore, there is no opening port leaving at the Kali Linux box. In general speaking, firewall is not required in this situation.

In conclusion, if we applying Apparmor to Kali Linux, we will not shooting on our toes when doing pentesting. Meanwhile, Apparmor will also give us some protestion on using Kali Linux as Penetration Testing toolkit and as primary operating system. So, we have the balance.

In case you need to disable Javascript, I would recommend to use Firefox Add-ons - QuickJS. One click to disable and enable Javascript on the toolbar.

Reference

HOWTO : Kali Linux 1.0.6 for All Purpose
HOWTO : Perfect Dual Boot Kali Linux 1.0.6 on MacBook Air (Mid 2013) with rEFInd 0.7.7

That's all! See you.

HOWTO : Perfect Dual Boot Kali Linux 1.0.6 on MacBook Air (Mid 2013) with rEFInd 0.7.7

IMPORTANT : DO NOT UPGRADE YOUR MAC OSX TO YOSEMITE (10.10) AS REFIND (Version 0.8.3) WILL NOT WORKING PROPERLY AND IT FAILS TO DUAL BOOT.


rEFInd version 0.8.4 is compatible with Mac OSX 10.10.x Yosemite. Existing users please refer to the official site for installation.


UPDATED FOR REFIND 0.8.3 on July 13, 2014

This tutorial is written for MacBook Air (may be other models of Apple computers) and Kali Linux users who want to dual boot Mac OSX and Kali Linux.

Pros :

(1) Use GRUB2 for EFI
(2) Simple and Easy to Use and Install
(3) Mac OSX can be Encrypted but reqires extra work (not in this HOWTO)
(4) Kali Linux can be Encrypted

Cons :

(1) Conexists with Mac OSX
(2) Kali Linux Bootable Live USB cannot be booted with rEFInd (use Option key to boot instead)

Background

Since Kali Linux 1.0.6 is based on Debian 7.0 (Wheezy) which is not EFI enabled by default, the GRUB2 (EFI) will not be installed when installing Kali Linux 1.0.6.

We need to use rEFInd which installed in Mac OSX and post-install the GRUB2 on Kali Linux. Meanwhile, the old GRUB should be removed before hand; otherwise, you will break the system.

Making of Kali Linux Install USB

Please refer to the Kali Linux Documentation of making the install USB at here.

You can also refer to this article for making a persistence USB for the installation if you do not have "Thunderbolt to Ethernet" or "USB 3.0 Gigabit USB LAN Adapter". These two devices can be recognized by Kali Linux out of the box.

Install rEFInd on MacBook Air

Boot up MacBook Air to Mac OSX. Download the rEFInd binary zip file and extract it. Go to "Downloads/refind-bin-0.7.7" "Downloads/refind-bin-0.8.3" and install the rEFInd.

cd Downloads/refind-bin-0.7.7 cd Downloads/refind-bin-0.8.3
sudo ./install.sh --alldrivers

Installation and Partitioning

At the MacBook Air with Mac OSX, execute the "Disk Utility". Create a new partition and making it as two, one is "Macintosh HD" and the new one is "Macintosh HD 2". Applied the change. Then remove the newest created partition (Macintosh HD 2). Do not format it and leave it as is. After that, shut it down.

Insert Kali Linux Live Install USB to the MacBook Air and then power on the MacBook Air with long pressing "Option" key. When the Kali Linux Boot Menu displayed. Select "Live (amd64)" and press "Tab" to append "persistence" at the end of the line. After that, press "Enter". Make sure you are connected to the internet. If not, your install will be failed.

The Kali Linux Live will be launched. Select "Install Kali Linux" from the Menu (Applications -- System Tools). Follow the instructions for the installation. Make sure you have a very strong root password. When you are prompted to do partitioning, you just select "Guided - use the largest continuous free space" for non-encryption installation. Do not select "entire disk" options as it will delete the Mac OSX partitions.

The partitioning for normal install is : /etc/sda1 is EFI, /etc/sda2 is Macintosh HD, /etc/sda3 is Recovery HD, /etc/sda4 is biosgrub (unformatted), /etc/sda5 is / (Kali Linux) and /etc/sda6 is SWAP.

If you want to install whole disk encryption, you need to select "Manual". Do not select "entire disk" options as it will delete the Mac OSX partitions. First of all, create a 400MB to 1024MB EXT2 partition which is mount to "/boot". Then, select "Configure encrypted volumes" and name it as "encrypt_vol" for the remaining available spaces. Choose "/dev/sda free #3" for the encrypt volume. Enter the strong "Encryption passphrase". After that, select "Configure the Logical Volume Manager". Create volume group and name it as "kali". Select "/dev/mapper/sda5_crypt" for the volume group. Select "Create logical volume" and name it as "root" with desired capacity. Re-select "Create logical volume" and name it as "swap" with the remaining spaces. Set mount point "/" as EXT4 for "LVM VG kali, LV root" and "swap" as SWAP for for "LVM VG kali, LV swap".

The encrypted volume should be "sda5_crypt" and it is /dev/sda5 too. We need to get its UUID for the bug fix later. It is because Kali Linux Manual partitioning has a serious bug that not allowing you to boot the box.

The partitioning for encryption install is : /etc/sda1 is EFI, /etc/sda2 is Macintosh HD, /etc/sda3 is Recovery HD, /etc/sda4 is /boot (Kali Linux, EXT2) and /etc/sda5 is Encrypted LVM volume which includes / and SWAP.

When asking for installing the GRUB to MBR, just skip it. We do not need it. If you do so, you will kill the system and you need to reinstall the Mac OSX. After that, wait for the installation to complete.

Install EFI on Kali Linux

When the installation is completed, it will return to the Live Kali Linux. Do not reboot it.

Open a terminal. And complete the following commands :

(A) Normal install without luks encryption

mkdir /mnt/root
mount /dev/sda5 /mnt/root

cd /mnt/root
mount -t proc proc proc/
mount -t sysfs sys sys/
mount -o bind /dev dev/
mkdir boot/efi
mount /dev/sda1 boot/efi

chroot /mnt/root

apt-get --purge remove grub-pc
apt-get --purge autoremove
apt-get install grub-efi-amd64

nano /etc/default/grub

Change from :

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

Change to :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor pcie_aspm=force radeon.dpm=1 acpi_backlight=vendor libata.force=noncq"

grub-install
update-grub

exit
reboot

(B) LVM with luks encryption

blkid /dev/sda5

Write down the UUID and the others for further use.

cryptsetup luksOpen /dev/sda5 sda5_crypt
vgchange -ay kali

mkdir /mnt/root
mount /dev/mapper/kali-root /mnt/root

cd /mnt/root
mount -t proc proc proc/
mount -t sysfs sys sys/
mount -o bind /dev dev/
mount /dev/sda4 boot/
mkdir boot/efi
mount /dev/sda1 boot/efi

chroot /mnt/root

apt-get --purge remove grub-pc
apt-get --purge autoremove
apt-get install grub-efi-amd64

nano /etc/default/grub

Change from :

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

Change to :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor pcie_aspm=force radeon.dpm=1 acpi_backlight=vendor libata.force=noncq"

grub-install
update-grub
update-initramfs -u

exit
reboot

In case if the Kali Linux cannot be booted and drop you to a initramfs shell. Do not panic. We can fix it.

cryptsetup luksOpen /dev/sda5 sda5_crypt
vgchange -ay
exit

The Kali Linux can be booted up fine. Upon booted up, you need to do the following :

update-initramfs -u

exit
reboot

Configuration of rEFInd

Boot to Mac OSX and configure the refind.conf.

sudo nano /EFI/refind/refind.conf

Change from :

scan_all_linux_kernels #scan_all_linux_kernels false

Change to :

#scan_all_linux_kernels scan_all_linux_kernels false

Then, you can boot to Kali Linux without problem.

Tailor-made Kali Linux

Boot to Kali Linux. Then configure it by refering to this guide and this guide.

That's all! See you.

HOWTO : Dual Boot Kali Linux 1.0.6 on MacBook Air (Mid 2013) with rEFInd 0.7.7

A better method to dual boot Kali Linux on MacBook Air with rEFInd is here.


Pros :

(1) Simple to Use and Install
(2) Straight Forward
(3) Easy to Use and Install

Cons :

(1) No GRUB on Kali Linux
(2) Need to be coexist with Mac OSX
(3) Bootloader is situated in Mac OSX
(4) Need to Edit rEFInd configure file when the Kali Linux Kernel is upgraded
(5) The Mac OSX should not be whole disk encrypted
(6) The Kali Linux cannot be full disk encryption

Step 1 :

First of all, you are required to create a bootable USB pendrive for Kali Linux. Please refer to the Kali Linux Documentation for the procedure at here. I recommend to use 4GB (or larger) USB 2.0 pendrive.

Step 2 :

Boot up Macbook Air and resize the existing partition by adding one more partition with "Disk Utilities". After applied the change, you need to delete the partition that you just created (the partition without Mac OSX). Then leave it unformated.

Step 3 :

Go to rEFInd official site and download the binary zip file. Unzip the downloaded file.

cd Download/refind-bin-0.7.7/
sudo ./install.sh --alldrivers

Step 4 :

Insert the bootable Kali Linux USB pendrive and reboot the Macbook Air with long pressing the "Option" or (alt) key. Upon the boot menu is displayed, select the "Windows" icon to boot the Kali Linux.

Make sure you are connected to the internet by "Thunderbolt to Ethernet" or "PCi USB 3.0 Gagabit LAN Adapter UE-1000T-G3". If you want to connect to internet with wifi, you are required to install the wireless driver by following this guide.

Select "Install" or "Graphical Install". When going to the partition part, select "Install on the available free space". Do not select entire disk; otherwise, you will delete the Mac OSX partitions.

Follow the instruction on screen to install. When you are prompted to select where to install the GRUB, just skip it. GRUB is not required to install.

Then finish the install. Reboot and unplug the USB pendrive.

Step 5 :

Boot to Kali Linux via rEFInd Boot Manager menu. Find out the UUID of EXT4 partition. You can find it at /etc/fstab or "System Monitor". You are also required to write down the file names of /boot. After that, reboot to Mac OSX.

Step 6 :

Boot to Mac OSX via rEFInd Boot Manager menu. Go to the /EFI/refind.

cd /EFI/refind
sudo nano refind.conf

Append the following to the end of the file :



* replace the captioned UUID with your UUID; otherwise, it will not be booted up.

* where 'volume "3:"' is the forth partition that the Kali Linux root is situated.

Step 7 :

Reboot and you will see two Linux icons. The first one is detected automatically which has no optional kernel parameters. Select the second Linux icon which is labelled "Kali Linux". If you can boot to the Kali Linux. The setup is almost completed.

Step 8 :

Reboot to Mac OSX again. Go to the /EFI/refind/refind.conf.

Locate "scan_all_linux_kernels" and comment it out with "#" in the front of the line.

Step 9 :

Reboot to Kali Linux and configure the Kali Linux by following this guide and also this guide. Do not follow the "CUDA" part if you have no nVidia display card.

Step 10 :

After done the Step 9, you can reboot to Kali Linux by selecting the only Linux icon. Now, the setup is completed. Enjoy!

Remarks :

If the Kali Linux kernel is upgraded, you need to change the kernel version at the rEFInd config file.

The full disk encryption for Kali Linux and Mac OSX are not supported.

You may consider to add "noatime, nodiratime, discard" to the /etc/fstab.

That's all! See you.

HOWTO : Kali Linux 1.0.6 for All Purpose

This article is also suit for Kali Linux 1.0.9a

Kali Linux is designed for penetration testing. I am going to make it for daily use operating system as well as for penetration testing.

Installation

Make sure you select full disk encryption when install the Kali Linux on your computer. Your root password should be as strong as possible.

(A) Sudoer

Basic user of Kali Linux is root. For daily usage, a sudoer is much better.

Login as root. Create a new user, e.g. "Samiux" at Applications -- System Tools -- Preferences -- System Settings -- User Accounts. Make sure the new user password is strong enough.

adduser samiux sudo

* where samiux is the new user name.

Then, you need to logout and re-login to make the setting effective. Now, you can use command with "sudo" with your user's password.

(B) Apparmor

It is not effective to use "NoScript" Add-ons on Iceweasel as almost all web pages are using javascript. To protect your browser from being compromised, an alternative way is to implement the Apparmor. Apparmor for Iceweasel can be used in penetration testing and daily use.

sudo apt-get install apparmor apparmor-docs apparmor-notify apparmor-profiles apparmor-utils dh-apparmor python-libapparmor

Edit the /etc/default/grub to make apparmor to active after boot.

sudo nano /etc/default/grub

Locate the following string :

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

To make it looks like :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"

Then run the following command :

sudo update-grub

After that, create a file namely usr.lib.iceweasel.iceweasel at /etc/apparmor.d/ :

sudo nano /etc/apparmor.d/usr.lib.iceweasel.iceweasel

Copy the following content to the file and save it.



Then change the mode of iceweasel apparmor to enforce by using the following command :

sudo aa-enforce /etc/apparmor.d/usr.lib.iceweasel.iceweasel

To update the rule of apparmor, just run the following command and ask some questions. Most likely, you just need to answer "Allow".

sudo aa-logprof

(C) Iceweasel Add-ons

You may need to install "FoxyProxy" Add-ons to Iceweasel.

sudo apt-get install xul-ext-foxyproxy-standard

You can install any available Add-ons by searching the database :

sudo apt-cache search xul-ext

(D) Power Saving for Laptop

Applying the following setting, your battery life of your laptop will be extended a bit, for example 2 hours battery life more. I have tested this setting on Lenovo ThinkPad X201s and Apple MacBook Air (Mid 2013) with Live USB as well as a Zotac small PC with nVidia display.

Although the i915 is for Intel display, but it is no harm to add them to your box.

nano /etc/modprobe.d/i915.conf

Append the following :

options i915 i915_enable_rc6=1
options i915 i915_enable_fbc=1
options i915 lvds_downclock=1

update-initramfs -u

This file "99macbookair6" is for USB 3.0 power saving. Download this file, "99macbookair6", make it executable and place it at /etc/pm/power.d/99macbookair6



nano /etc/rc.local

Insert the following before "exit 0".

/etc/pm/power.d/99macbookair6 true

Then install the tlp.

nano /etc/apt/sources.list

Append the following :

deb http://ppa.launchpad.net/linrunner/tlp/ubuntu lucid main

Save and exit. Then run the following :

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 02D65EFF

apt-get update
apt-get install tlp tlp-rdw

nano /etc/default/tlp

Change the following values.

DISK_IDLE_SECS_ON_AC=0
DISK_IDLE_SECS_ON_BAT=2
MAX_LOST_WORK_SECS_ON_BAT=60
CPU_SCALING_GOVERNOR_ON_BAT=powersave
DISK_APM_LEVEL_ON_BAT="1 1"
RUNTIME_PM_ALL=1
RESTORE_DEVICE_STATE_ON_STARTUP=1

* Or, leave the /etc/default/tlp settings untouch

To examine the power saving condition, you can install and run "powertop" or/and run "tlp-stat".

sudo apt-get install powertop

sudo nano /etc/default/grub

Locate the following string :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"

And make it looks like :

GRUB_CMDLINE_LINUX_DEFAULT="quiet pcie_aspm=force apparmor=1 security=apparmor radeon.dpm=1 acpi_backlight=vendor"

Then run the following command :

sudo update-grub

No matter your display card is Intel, nVidia or AMD Radeon, you can apply the captioned setting. Meanwhile, you can alter the settings at the /etc/default/tlp for your display card (any) even the settings labelled as "radeon".

If your laptop is Lenovo ThinkPad, you need to install the following too. After that, restart the tlp or reboot.

sudo apt-get install tp-smapi-dkms acpi-call-tools

(E) Changing Repositories Mirror

If your Kali Linux update/upgrade is slow due to slow mirror, you can hard code the repositories mirror in order to improve the update/upgrade performance.

There is a mirror list of Kali Linux. You can change the mirror at /etc/apt/sources.list by refering to this link.

(F) nVidia CUDA

If you have an nVidia card and wanted to use CUDA to do password cracking, you can refer to this link for the installation.

(G) Some Useful Applications

There are some useful applications that you may want to install to the Kali Linux. You can refer to this link for the installation.

Apparmor for Hexchat (/etc/apparmor.d/usr.bin.hexchat) :



Apparmor for Radiotray (/etc/apparmor.d/usr.bin.radiotray) :



Apparmor for VirtualBox (/etc/apparmor.d/usr.bin.VBox) :



(H) Lenovo ThinkPad TrackPoint

nano /usr/share/X11/xorg.conf.d/20-thinkpad.conf

Copy the following to the 20-thinkpad.conf :



(I) Kali Linux GRUB Background Reborn

After the installation, the GRUB background of the Kali Linux will be blue on black. However, it should be a Kali Linux background. We are going to get it back.

sudo apt-get update
sudo apt-get remove grub-pc
sudo apt-get install grub-pc

After that, you can reboot your computer.

That's all! See you.

HOWTO : CUDA on Kali Linux 1.0.6

Step 1 :

apt-get install libcudart4 linux-headers-$(uname -r) nvidia-cuda-toolkit

Step 2 :

mkdir /etc/X11/xorg.conf.d

echo -e 'Section "Device"\n\tIdentifier "nVidia GPU"\n\tDriver "nvidia"\n\tOption "NoLogo" "1"\n\tOption "RenderAccel" "1"\n\tOption "TripleBuffr" "true"\n\tOption "MigrationHeuristic" "greedy"\nEndSection' > /etc/X11/xorg.conf.d/20-nvidia.conf

OR

apt-get install nvidia-xconfig
nvidia-xconfig

Step 3 :

Update the boot loader to disable the open source nvidia display driver.

sed 's/quiet/quiet nouveau.modeset=0/g' -i /etc/default/grub
update-grub
reboot

Step 4 (Optional) :

To test the CUDA with multiforcer.

# multiforcer for nvidia (example)
cd /usr/share/multiforcer/
multiforcer -h NTLM -c charsets/charsetall -f test_hashes/Hashes-NTLM-Full.txt --noopencl --nocpu

Step 5 (Optional) :

John the Ripper for CUDA.

# 64-bit
wget http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.gz
tar -xvzf john-1.7.9-jumbo-7.tar.gz
cd john-1.7.9-jumbo-7/src
make
make clean linux-x86-64-gpu

cd ../run
./john --help

That's all! See you.

HOWTO : Kali Linux 1.0.6 on MacBook Air (Mid 2013) 13 inches

I make a persistence USB pendrive for the Kali Linux 1.0.6 (x86_64). I boot it up and find out that almost everything is working out of the box on my MacBook Air (Mid 2013) 13 inches.

The procedure of making a persistence Kali Linux USB pendrive and how to boot to persistence mode, please refer to the official site of Kali Linux.

One of the out-of-order devices is wireless. The wireless device of my MacBook Air is Broadcom 4360. Since Ubuntu is based on Debian and Kali Linux is based on Debian, I steal the Broadcom STA driver from Ubuntu and apply to Kali Linux.

Wireless

The Broadcom driver of Ubuntu is situated at here.

Step 1 :

apt-get install dkms linux-headers-$(uname -r)

Step 2 :

Download the latest version of the source file.

wget http://ftp.wa.co.za/pub/ubuntu/ubuntu/pool/restricted/b/bcmwl/bcmwl-kernel-source_6.30.223.141+bdcom-0ubuntu2_amd64.deb

dpkg -i bcmwl-kernel-source_6.30.223.141+bdcom-0ubuntu2_amd64.deb

After the installation, the wireless APs will be detected and login.

Keyboard

Step 3 :

The keyboard is not mapping correctly and the following will fix it.

nano /etc/modprobe.d/hid_apple.conf

Append the following :

options hid_apple iso_layout=0
options hid_apple fnmode=1


For reference, please refer to this article.

Power Saving

You can have more than 10 hours battery life if you apply the following.

Step 4 :

nano /etc/modprobe.d/i915.conf

Append the following :

options i915 i915_enable_rc6=1
options i915 i915_enable_fbc=1
options i915 lvds_downclock=1

Step 5 :

Download this file, "99macbookair6", make it executable and place it at /etc/pm/power.d/99macbookair6



nano /etc/rc.local

Insert the following before "exit 0".

/etc/pm/power.d/99macbookair6 true

Step 6 :

nano /etc/apt/sources.list

Append the following :

deb http://ppa.launchpad.net/linrunner/tlp/ubuntu lucid main

Save and exit. Then run the following :

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 02D65EFF

apt-get update
apt-get install tlp tlp-rdw

nano /etc/default/tlp

Change the following values.

DISK_IDLE_SECS_ON_AC=0
DISK_IDLE_SECS_ON_BAT=2
MAX_LOST_WORK_SECS_ON_BAT=60
CPU_SCALING_GOVERNOR_ON_BAT=powersave
DISK_APM_LEVEL_ON_BAT="1 1"
RUNTIME_PM_ALL=1
RESTORE_DEVICE_STATE_ON_STARTUP=1

* Or, leave the /etc/default/tlp settings untouch

Step 7 :

Reboot. Upon bootup, press <tab>, and append "persistence" to launch Kali Linux.

Step 8 :

To examine the power saving condition, you can install "powertop" and run "tlp-stat".

Remark

You can apply the power saving part to any Linux laptop.

If you want to install Kali Linux on your MacBook Air (Mid 2013), you have to fight to EFI.

By the way, this Kali Linux USB pendrive can boot from any laptop that support x86_64 CPU.

If you are using USB 3.0 pendrive, after the making the live USB or updated the live USB, you need to boot it up once on USB 2.0 computer. Otherwise, the USB 3.0 pendrive cannot be bootup on MacBook Air. It is very interesting.

If Kali Linux is installed on the MacBook Air, you need to do the following :

update-initramfs -u

Meanwhile, if Kali Linux is installed on the MacBook Air, you need to add "noatime, nodiratime" to ext4 at /etc/fstab.

For dual boot Kali Linux on MacBook Air, you can refer to this guide.

Reference

(1) Ubuntu Documentation - Apple MacBook Air (Mid 2013)
(2) Debian Documentation - Apple Keyboard
(3) TLP - Linux Advanced Power Management

That's all! See you.

Interview with a BlackHat

Robert Hansen, who is a holder of CISSP, is the Director of Product Management at WhiteHat Security. He has an interview with a BlackHat who has decided to go legit.

The following are the Blog of Robert Hansen for the interview. Worth to read if you are a law enforcement, whitehat, admin, programmer, users :

Interview with a blackhat - Part 1
Interview with a blackhat - Part 2
Interview with a blackhat - Part 3

That's all! See you.

HOWTO : Chatting in Freenode Anonymously with NightHawk

NightHawk is running Tor (The Onion Router) transparently as a middle box. You can chatting in Freenode anonymously with Nighthawk with a little bit change in the configuration.

Start up the NightHawk and running it behind a router. Then configure the IRC Client as the following :

(1) The address of the chat.freenode.net is replaced by one of the following urls :

frxleqtzgvwkv7oz.onion
p567hbjdstqvg7xw.onion
2hktdmgt6bg2hjuc.onion
l4wvhvf666nifnpg.onion

The first one is the most used and you may find that you cannot login to the Freenode often especially in the peak hours. You can then select the others.

(2) Disable the Proxy setting.

(3) You can use normal port (e.g. 6667) or SSL port (e.g. 6697).

(4) Make sure you use SASL for the server. Therefore, you need to register your username. For the Freenode configuration, please refer to her official site or user manual.

That's all! See you.

HOWTO : Browsing Anonymously with Google Nexus 5 (Android)

In order to browse internet anonymously with Android, you need to run Tor (The Onion Router) and Firefox with some other related Firefox Add-ons.

Hardware

Google Nexus 5 (or other Android mobile phone)

Software

(1) Firefox Browser for Android
(2) Orbot
(3) Proxy Mobile (Firefox Add-ons)
(4) Phony (Firefox Add-ons)
(5) Clear Quit (Firefox Add-ons)
(6) Self-Destructing Cookies (Firefox Add-ons)
(7) DuckDuckgo (TOR) (Firefox Add-ons)

Orbot

You can get the Orbot from Google Play Store. It can install to any Android mobile phone (with or without rooted). It will run the Tor. Once the Tor is running, your browser will not functioning properly. You need to install Proxy Mobile. When the browser is working, your Google search engine will refuse to work. It is because Google Search Engine banned the Tor network. You are required to install DuckDuckgo Search Engine. Make sure Orbot is set to active when boot if you want to browse the internet forever.

Firefox Browser for Android

You can get the Firefox Browser for Android from Google Play Store.

Proxy Mobile

You can get the Proxy Mobile from Google Play Store. After the installation, you need to configure it to make it function with the Firefox.

Use Proxy - Enable
SOCKS Proxy host - 127.0.0.1
SOCKS Proxy Port - 9050
SOCKS Remote DNS - Enable

Phony

You can get the Phony from Google Play Store. You can change the User Agent of the Firefox when you like or leave it untouched as default.

Clear Quit and Self-Destructing Cookies

You can get them from the following link.

Guardian Project

DuckDuckgo (TOR)

You can get the DuckDuckgo (TOR) from Google Play Store. Make sure you set it as default search engine or enable to list all the available engines. When search, you should select DuckDuckgo to carry out the search.

When all the required softwares and add-ons have been installed, you are required to reboot the Google Nexus 5 if it cannot browse the internet properly.

One of the drawback is the speed. The speed of the browsing will be slightly deducted. If your mobile phone plan is a slow one, you will be suffer and it is not recommended to run Tor.

When you are going to browse the internet, start the Firefox with "New Private Tab" after the Orbot is started.

That's all! See you.