HackerTarget.com (https://hackertarget.com) - Security Vulnerability Scanners and Assessments. Feed dated Mon, 05 Nov 2018 20:11:47 +0000.

Tcpdump Examples
https://hackertarget.com/tcpdump-examples/ (https://hackertarget.com/?p=10933), published Sun, 27 May 2018 23:34:30 +0000

Practical tcpdump examples to lift your network troubleshooting and security testing game. Commands and tips to not only use tcpdump but master ways to know your network.

Knowing tcpdump is an essential skill that will come in handy for any system administrator, network engineer or security professional.

First The Basics

Breaking down the Tcpdump Command Line

The following command uses common parameters often seen when wielding the tcpdump scalpel.

:~$ sudo tcpdump -i eth0 -nn -s0 -v port 80

-i : Select the interface that the capture is to take place on. This will often be an Ethernet card or wireless adapter, but could also be a VLAN interface or something more unusual. Not always required if there is only one network adapter.
-nn : A single (n) will not resolve hostnames. A double (nn) will not resolve hostnames or ports. This is handy not only for viewing the IP / port numbers but also when capturing a large amount of data, as name resolution will slow down the capture.
-s0 : Snap length is the size of the packet to capture. -s0 sets the size to unlimited; use this if you want to capture all the traffic. Needed if you want to pull binaries / files from network traffic.
-v : Verbose, using (-v) or (-vv) increases the amount of detail shown in the output, often showing more protocol specific information.
port 80 : this is a common port filter to capture only traffic on port 80, which is of course usually HTTP.

Display ASCII text

Adding -A to the command line will have the output include the ASCII strings from the capture. This allows easy reading and the ability to parse the output using grep or other commands. Another option that shows both hexadecimal output and ASCII is the -X option.

:~$ sudo tcpdump -A -s0 port 80

Capture on Protocol

Filter on UDP traffic. Another way to specify this is to use the IP protocol number, 17 for UDP, so the two commands below produce the same result. The equivalent for the tcp filter is protocol 6.

:~$ sudo tcpdump -i eth0 udp
:~$ sudo tcpdump -i eth0 proto 17

Capture Hosts based on IP address

Using the host filter will capture traffic going to (destination) and from (source) the IP address.

:~$ sudo tcpdump -i eth0 host 10.10.1.1

Alternatively capture only packets going one way using src or dst.

:~$ sudo tcpdump -i eth0 dst 10.10.1.20

Write a capture file

Writing a standard pcap file is a common command option. Writing a capture file to disk allows the file to be opened in Wireshark or other packet analysis tools.

:~$ sudo tcpdump -i eth0 -s0 -w test.pcap

Line Buffered Mode

Without the option to force line-buffered (-l) mode (or packet-buffered mode, -C), you will not always get the expected response when piping the tcpdump output to another command such as grep. By using this option the output is sent immediately to the piped command, giving an immediate response when troubleshooting.

:~$ sudo tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Combine Filters

Throughout these examples you can use standard logic to combine different filters.

and or &&
or or ||
not or !

Practical Examples

In many of these examples there are a number of ways that the result could be achieved. As seen in some of the examples it is possible to focus the capture right down to individual bits in the packet.

The method you will use will depend on your desired output and how much traffic is on the wire. Capturing on a busy gigabit link may force you to use specific low level packet filters.

When troubleshooting you often simply want to get a result. Filtering on the port and selecting ASCII output in combination with grep, cut or awk will often get that result. You can always go deeper into the packet if required.

For example, when capturing HTTP requests and responses you could filter out all packets except the data by removing SYN / ACK / FIN; however, if you are using grep the noise will be filtered anyway. Keep it simple.

This can be seen in the following examples, where the aim is to get a result in the simplest (and therefore fastest) manner.

1. Extract HTTP User Agents

Extract the HTTP User-Agent from the HTTP request header.

:~$ sudo tcpdump -nn -A -s1500 -l | grep "User-Agent:"

By using egrep with multiple matches we can get the User-Agent and the Host (or any other header) from the request.

:~$ sudo tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

2. Capture only HTTP GET and POST packets

Going deep on the filter we can specify only packets that match GET.

:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

Alternatively we can select only on POST requests. Note that the POST data may not be included in the packet captured with this filter. It is likely that a POST request will be split across multiple TCP data packets.

:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

The hexadecimal values being matched in these expressions are the ASCII encodings of GET (0x47455420, the three letters plus the following space) and POST (0x504f5354).

As an explanation: tcp[12:1] is the byte holding the TCP data offset, the header length in 32-bit words stored in the high nibble, so (tcp[12:1] & 0xf0) >> 2 converts that nibble into the header length in bytes, which is the offset of the first payload byte. The outer tcp[offset:4] then selects the 4 bytes starting at that offset, and these are the bytes compared against the ASCII values above.

3. Extract HTTP Request URL's

Simply parse the Host and HTTP request location from traffic. By not targeting port 80 we may find these requests on any port, such as HTTP services running on high ports.

:~$ sudo tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
	POST /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /favicon.ico HTTP/1.1
	Host: dev.example.com
	GET / HTTP/1.1
	Host: dev.example.com

4. Extract HTTP Passwords in POST Requests

Let's get some passwords from the POST data. This will include Host: and the request location so we know what the password is used for.

:~$ sudo tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:54.799014 IP 10.10.1.30.39224 > 10.10.1.125.80: Flags [P.], seq 1458768667:1458770008, ack 2440130792, win 704, options [nop,nop,TS val 461552632 ecr 208900561], length 1341: HTTP: POST /wp-login.php HTTP/1.1
.....s..POST /wp-login.php HTTP/1.1
Host: dev.example.com
.....s..log=admin&pwd=notmypassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdev.example.com%2Fwp-admin%2F&testcookie=1

5. Capture Cookies from Server and from Client

MMMmmm Cookies! Capture cookies from the server by searching on Set-Cookie: (from Server) and Cookie: (from Client).

:~$ sudo tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
Host: dev.example.com
Cookie: wordpress_86be02xxxxxxxxxxxxxxxxxxxc43=admin%7C152xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfb3e15c744fdd6; _ga=GA1.2.21343434343421934; _gid=GA1.2.927343434349426; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86be654654645645645654645653fc43=admin%7C15275102testtesttesttestab7a61e; wp-settings-time-1=1527337439

6. Capture all ICMP packets

See all ICMP packets on the wire.

:~$ sudo tcpdump -n icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:34:21.590380 IP 10.10.1.217 > 10.10.1.30: ICMP echo request, id 27948, seq 1, length 64
11:34:21.590434 IP 10.10.1.30 > 10.10.1.217: ICMP echo reply, id 27948, seq 1, length 64
11:34:27.680307 IP 10.10.1.159 > 10.10.1.1: ICMP 10.10.1.189 udp port 59619 unreachable, length 115

7. Show ICMP Packets that are not ECHO/REPLY (standard ping)

Filter on the ICMP type to select ICMP packets that are not standard ping packets.

:~$ sudo tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:04.041037 IP 10.10.1.189 > 10.10.1.20: ICMP 10.10.1.189 udp port 36078 unreachable, length 156

8. Capture SMTP / POP3 Email

It is possible to extract the email body and other data; in this example we are only parsing the email recipients.

:~$ sudo tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

9. Troubleshooting NTP Query and Response

In this example we see the NTP query and response.

:~$ sudo tcpdump dst port 123

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:02:19.112502 IP test33.ntp > 199.30.140.74.ntp: NTPv4, Client, length 48
21:02:19.113888 IP 216.239.35.0.ntp > test33.ntp: NTPv4, Server, length 48
21:02:20.150347 IP test33.ntp > 216.239.35.0.ntp: NTPv4, Client, length 48
21:02:20.150991 IP 216.239.35.0.ntp > test33.ntp: NTPv4, Server, length 48

10. Capture SNMP Query and Response

Using onesixtyone, the fast SNMP scanner, we test an SNMP service on our local network and capture the GetRequest and GetResponse. For anyone who has had the (dis)pleasure of troubleshooting SNMP, this is a great way to see exactly what is happening on the wire. You can see the OID clearly in the traffic, very helpful when wrestling with MIBs.

:~$ onesixtyone 10.10.1.10 public

Scanning 1 hosts, 1 communities
10.10.1.10 [public] Linux test33 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
:~$ sudo tcpdump -n -s0  port 161 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:39:13.725522 IP 10.10.1.159.36826 > 10.10.1.20.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
23:39:13.728789 IP 10.10.1.20.161 > 10.10.1.159.36826:  GetResponse(109)  .1.3.6.1.2.1.1.1.0="Linux testmachine 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64"

11. Capture FTP Credentials and Commands

Capturing FTP commands and login details is straightforward. After authentication, an FTP session can be active or passive; this determines whether the data part of the session is conducted over TCP port 20 or another ephemeral port. With the following command you will see USER and PASS in the output (which could be fed to grep) as well as the FTP commands such as LIST, CWD and PASSIVE.

:~$ sudo tcpdump -nn -v port ftp or ftp-data

12. Rotate Capture Files

When capturing large amounts of traffic or over a long period of time it can be helpful to automatically create new files of a fixed size. This is done using the parameters -W, -G and -C.

In this command the file capture-(hour).pcap will be created every (-G) 3600 seconds (1 hour). The files will be overwritten the following day, so you should end up with capture-{1-24}.pcap; if the hour was 15 the new file is /tmp/capture-15.pcap.

:~$ tcpdump  -w /tmp/capture-%H.pcap -G 3600 -C 200

13. Capture IPv6 Traffic

Capture IPv6 traffic using the ip6 filter. In these examples we have specified the TCP and UDP protocols using proto 6 and proto 17.

tcpdump -nn ip6 proto 6

IPv6 with UDP and reading from a previously saved capture file.

tcpdump -nr ipv6-test.pcap ip6 proto 17

14. Detect Port Scan in Network Traffic

In the following example you can see the traffic coming from a single source to a single destination. The Flags [S] and [R] can be seen and matched against a seemingly random series of destination ports. These ports are seen in the RESET that is sent when the SYN reaches a closed port on the destination system. This is standard behaviour for a port scan by a tool such as Nmap.

We have another tutorial on Nmap that details captured port scans (open / closed / filtered) in a number of Wireshark captures.

:~$ tcpdump -nn

21:46:19.693601 IP 10.10.1.10.60460 > 10.10.1.199.5432: Flags [S], seq 116466344, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693626 IP 10.10.1.10.35470 > 10.10.1.199.513: Flags [S], seq 3400074709, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693762 IP 10.10.1.10.44244 > 10.10.1.199.389: Flags [S], seq 2214070267, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693772 IP 10.10.1.199.389 > 10.10.1.10.44244: Flags [R.], seq 0, ack 2214070268, win 0, length 0
21:46:19.693783 IP 10.10.1.10.35172 > 10.10.1.199.1433: Flags [S], seq 2358257571, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693826 IP 10.10.1.10.33022 > 10.10.1.199.49153: Flags [S], seq 2406028551, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.695567 IP 10.10.1.10.55130 > 10.10.1.199.49154: Flags [S], seq 3230403372, win 29200, options [mss 1460,sackOK,TS val 3547090334 ecr 0,nop,wscale 7], length 0
21:46:19.695590 IP 10.10.1.199.49154 > 10.10.1.10.55130: Flags [R.], seq 0, ack 3230403373, win 0, length 0
21:46:19.695608 IP 10.10.1.10.33460 > 10.10.1.199.49152: Flags [S], seq 3289070068, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695622 IP 10.10.1.199.49152 > 10.10.1.10.33460: Flags [R.], seq 0, ack 3289070069, win 0, length 0
21:46:19.695637 IP 10.10.1.10.34940 > 10.10.1.199.1029: Flags [S], seq 140319147, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695650 IP 10.10.1.199.1029 > 10.10.1.10.34940: Flags [R.], seq 0, ack 140319148, win 0, length 0
21:46:19.695664 IP 10.10.1.10.45648 > 10.10.1.199.5060: Flags [S], seq 2203629201, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695775 IP 10.10.1.10.49028 > 10.10.1.199.2000: Flags [S], seq 635990431, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695790 IP 10.10.1.199.2000 > 10.10.1.10.49028: Flags [R.], seq 0, ack 635990432, win 0, length 0

15. Example Filter Showing Nmap NSE Script Testing

In this example the Nmap NSE script http-enum.nse is shown testing for valid URLs against an open HTTP service.

On the Nmap machine:

:~$ nmap -p 80 --script=http-enum.nse targetip

On the target machine:

:~$ tcpdump -nn port 80 | grep "GET /"

GET /w3perl/ HTTP/1.1
GET /w-agora/ HTTP/1.1
GET /way-board/ HTTP/1.1
GET /web800fo/ HTTP/1.1
GET /webaccess/ HTTP/1.1
GET /webadmin/ HTTP/1.1
GET /webAdmin/ HTTP/1.1

16. Capture Start and End Packets of every non-local host

This example is straight out of the tcpdump man page. By selecting on the tcp-syn and tcp-fin packets we can show each established TCP conversation with timestamps but without the data. As with many filters this allows the amount of noise to be reduced in order to focus in on the information that you care about.

:~$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

17. Capture DNS Request and Response

The outbound DNS request to Google public DNS and the A record (IP address) response can be seen in this capture.

:~$ sudo tcpdump -i wlp58s0 -s0 port 53

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:19:06.879799 IP test.53852 > google-public-dns-a.google.com.domain: 26977+ [1au] A? play.google.com. (44)
14:19:07.022618 IP google-public-dns-a.google.com.domain > test.53852: 26977 1/0/1 A 216.58.203.110 (60)

18. Capture HTTP data packets

Only capture HTTP data packets on port 80, avoiding the packets with no TCP payload such as the session setup and teardown (SYN / FIN / ACK).

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
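Both this expression and the GET / POST filters in example 2 are plain byte arithmetic on the packet headers, which is easier to trust once you have computed it yourself. The following Python is an added illustration, not code from the original post or from tcpdump: it builds a minimal IPv4/TCP segment (constructed, with checksums left at zero) and evaluates the same header-length, payload-length and first-four-bytes arithmetic that the BPF expressions perform. The addresses and ports in the builder are assumed values.

```python
"""Added illustration: the byte arithmetic behind tcpdump's
  tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420            (payload starts "GET ")
  (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0  (segment carries payload)
evaluated in Python on a constructed IPv4/TCP segment. Not tcpdump code."""
import struct

# Constructed sample addresses/ports (assumptions, not from a real capture)
SRC_IP, DST_IP = bytes([10, 10, 1, 30]), bytes([10, 10, 1, 125])
SRC_PORT, DST_PORT = 39224, 80


def build_ipv4_tcp(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Build a minimal IPv4 + TCP segment. Checksums are left at zero: the
    packet is only used for offset arithmetic, never put on the wire."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options must pad to a 32-bit boundary")
    tcp_hlen = 20 + len(tcp_options)
    total_len = 20 + tcp_hlen + len(payload)
    # ip[0] = 0x45: version 4, IHL 5 words (20 bytes, no IP options)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         SRC_IP, DST_IP)
    # tcp[12]: data offset in 32-bit words, stored in the high nibble
    data_offset = (tcp_hlen // 4) << 4
    tcp_hdr = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, 1, 1,
                          data_offset, 0x18, 704, 0, 0)   # flags 0x18 = PSH|ACK
    return ip_hdr + tcp_hdr + tcp_options + payload


def ip_header_len(pkt: bytes) -> int:
    """(ip[0] & 0xf) << 2 : IHL nibble (words) converted to bytes."""
    return (pkt[0] & 0x0F) << 2


def tcp_header_len(pkt: bytes) -> int:
    """(tcp[12] & 0xf0) >> 2 : data-offset nibble (words) converted to bytes.
    BPF tcp[...] offsets are relative to the start of the TCP header."""
    tcp = pkt[ip_header_len(pkt):]
    return (tcp[12] & 0xF0) >> 2


def tcp_payload_len(pkt: bytes) -> int:
    """ip[2:2] minus IP header bytes minus TCP header bytes; the example-18
    filter simply tests that this value is not zero."""
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return total_len - ip_header_len(pkt) - tcp_header_len(pkt)


def first_payload_word(pkt: bytes):
    """tcp[<tcp header len>:4] as a big-endian integer, or None when fewer
    than 4 payload bytes exist (BPF rejects such packets as out of range)."""
    tcp = pkt[ip_header_len(pkt):]
    start = tcp_header_len(pkt)
    word = tcp[start:start + 4]
    return int.from_bytes(word, "big") if len(word) == 4 else None


def http_method(pkt: bytes):
    """Classify exactly as the two filters do: 'GET ' or 'POST', else None."""
    word = first_payload_word(pkt)
    if word == 0x47455420:      # b"GET " (note the trailing space)
        return "GET"
    if word == 0x504F5354:      # b"POST"
        return "POST"
    return None


# Constructed segments: a GET, a POST carrying 12 bytes of TCP options
# (nop, nop, timestamp), and a bare ACK with no payload.
GET_PAYLOAD = b"GET /wp-login.php HTTP/1.1\r\nHost: dev.example.com\r\n\r\n"
GET_REQ = build_ipv4_tcp(GET_PAYLOAD)
TS_OPTIONS = b"\x01\x01\x08\x0a" + bytes(8)
POST_REQ = build_ipv4_tcp(b"POST /wp-login.php HTTP/1.1\r\n", TS_OPTIONS)
PURE_ACK = build_ipv4_tcp(b"")

if __name__ == "__main__":
    for name, pkt in (("GET", GET_REQ), ("POST", POST_REQ), ("ACK", PURE_ACK)):
        print(f"{name}: tcp header {tcp_header_len(pkt)} bytes, "
              f"payload {tcp_payload_len(pkt)} bytes, method {http_method(pkt)}")
```

The POST segment is built with TCP options so that its header is 32 bytes rather than 20; that is exactly the case the data-offset arithmetic exists for, since a fixed tcp[20:4] would read the options instead of the request line. The bare ACK gives a payload length of 0 and is rejected by the method check, which is what the example-18 filter relies on.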

19. Capture with tcpdump and view in Wireshark

Parsing and analysis of full application streams such as HTTP is much easier to perform with Wireshark (or tshark) than with tcpdump. It is often more practical to capture traffic on a remote system using tcpdump with the write file option, then copy the pcap to the local workstation for analysis with Wireshark.

Other than manually moving the file from the remote system to the local workstation, it is possible to feed the capture to Wireshark over the SSH connection in real time. This tip is a favourite: pipe the raw tcpdump output right into Wireshark on your local machine. Don't forget the not port 22 so you are not capturing your own SSH traffic.

:~$ ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -

Another tip is to use the count option -c on the remote tcpdump so that the capture finishes on its own; otherwise hitting ctrl-c will not only kill tcpdump but also Wireshark and your capture.

20. Top Hosts by Packets

List the top talkers for a period of time or number of packets. Using simple command line field extraction to get the IP address, sort and count the occurrences. The capture is limited by the count option -c.

sudo tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
200 packets captured
261 packets received by filter
0 packets dropped by kernel
    108 IP 10.10.211.181
     91 IP 10.10.1.30
      1 IP 10.10.1.50

21. Capture all the plaintext passwords

In this command we are focusing on standard plain text protocols and choosing to grep on anything user or password related. By selecting the -B5 option on grep the aim is to get the preceding 5 lines, which may provide context around the captured password (hostname, IP address, system).

:~$ sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

22. DHCP Example

And our final tcpdump example is for monitoring DHCP requests and replies. DHCP requests are seen on port 67 and the reply is on 68. Using the verbose parameter -v we get to see the protocol options and other details.

:~$ sudo tcpdump -v -n port 67 or 68

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:37:50.059662 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Request
	    Requested-IP Option 50, length 4: 10.10.1.163
	    Hostname Option 12, length 14: "test-ubuntu"
	    Parameter-Request Option 55, length 16: 
	      Subnet-Mask, BR, Time-Zone, Default-Gateway
	      Domain-Name, Domain-Name-Server, Option 119, Hostname
	      Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
	      NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.059667 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Request
	    Requested-IP Option 50, length 4: 10.10.1.163
	    Hostname Option 12, length 14: "test-ubuntu"
	    Parameter-Request Option 55, length 16: 
	      Subnet-Mask, BR, Time-Zone, Default-Gateway
	      Domain-Name, Domain-Name-Server, Option 119, Hostname
	      Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
	      NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.060780 IP (tos 0x0, ttl 64, id 53564, offset 0, flags [none], proto UDP (17), length 339)
    10.10.1.1.67 > 10.10.1.163.68: BOOTP/DHCP, Reply, length 311, xid 0xc9779c2a, Flags [none]
	  Your-IP 10.10.1.163
	  Server-IP 10.10.1.1
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: ACK
	    Server-ID Option 54, length 4: 10.10.1.1
	    Lease-Time Option 51, length 4: 86400
	    RN Option 58, length 4: 43200
	    RB Option 59, length 4: 75600
	    Subnet-Mask Option 1, length 4: 255.255.255.0
	    BR Option 28, length 4: 10.10.1.255
	    Domain-Name-Server Option 6, length 4: 10.10.1.1
	    Hostname Option 12, length 14: "test-ubuntu"
	    T252 Option 252, length 1: 10
	    Default-Gateway Option 3, length 4: 10.10.1.1

Wrapping Up

These tcpdump examples, tips and commands are intended to give you a base understanding of the possibilities. Depending on what you are trying to achieve there are many ways that you could go deeper or combine different capture filters to suit your requirements.

Combining tcpdump with Wireshark is a powerful combination, particularly when you wish to dig into full application layer sessions as the decoders can assemble the full stream. We recently did a major update to our Wireshark Tutorial.

Thanks for reading, check out the man page for more detail and if you have any comments or suggestions please drop me a note using the contact form. Happy Packet Analysis!


Using Nmap on Windows
https://hackertarget.com/using-nmap-on-windows/ (http://hackertarget.com/?p=3199), published Thu, 24 May 2018 10:29:37 +0000

Running Nmap on Windows is not as difficult or problematic as it was in the past. Nmap is supported on Windows 7 and higher, with performance close to, if not quite as good as, Linux based operating systems. The majority of users still use *nix based systems; however, a good number of people use it on Windows.

By installing Nmap on your Windows based systems you have access to the world's best port scanner for security testing and troubleshooting of network connectivity. In addition you have ncat available, a full featured version of netcat, a virtual swiss army knife for networks. I am a big fan of ncat and encourage any system administrator or techie to explore the options.

Installing Nmap for Windows

To install the Windows version of Nmap simply download the executable installer and click through the wizard. It is your standard Next | Next | Next | finish... all done. By default the Nmap installation directory will be added to the system path. With Nmap in your system path you are able to run nmap or ncat from any command window.

Screenshot of Nmap installation on Windows

It will run on all the more modern versions of Windows including Windows 7, 2008 and Windows 10. If you are running something older such as 2K or earlier you may run into problems, but if you are still on those platforms you already have problems...

If you would like to install from the zip file, there are a few additional configuration items you will have to be aware of and apply. These are all documented on the nmap installation page for Windows.

Nmap on the Windows Command Line

During a default installation of the Nmap Windows package the installation path will be added to the system path. So you are able to simply fire up a command prompt, and launch nmap. If you installed from the standalone zip file you will need to add the installation folder to the system path manually, through system properties.

As you can see the familiar Nmap command options appear after running the command. Access to the Nmap NSE scripts is available as are all the standard options.

Zenmap on Windows

Zenmap is an excellent GUI front-end to the Nmap core scanning engine. It has some pretty nifty features that are not available with the command line version, in particular the network topology map. This rivals commercial mapping tools that perform a similar function and is a nice feature.

It is also intuitive to browse through results from different hosts using Zenmap; there are options to save the results in standard Nmap format (.nmap) or as XML (.xml) for further processing. There does not appear to be an option to save in the greppable format (-oG).

Zenmap is available on Windows and Linux distributions, it can be a great introduction for those less familiar with the command line.

Testing SMB Security with Nmap NSE Scripts

Bundled with Nmap are add-on scripts that perform all manner of functions. Of note to those in a Windows environment are the 34 smb- scripts that are available. These allow enumeration of entities on Windows systems remotely using the Microsoft SMB protocol (port 445). Examples include smb-os-discovery, smb-enum-users and smb-brute.

There are also vulnerability detection scripts, for testing even the most recent high profile Windows vulnerabilities. Head over to the Nmap NSE scripts page for all the documentation and a list of the scripts.

smb-vuln-ms08-067 Test Microsoft Windows systems for the very popular remote code execution vulnerability known as MS08-067. For years this was the go to exploit when using Metasploit. Note this check is dangerous and it may crash systems.
smb-vuln-ms10-054 Detect whether target machines are vulnerable to ms10-054 the SMB remote memory corruption vulnerability.
smb-vuln-ms10-061 Attempts to discover whether systems are vulnerable to ms10-061 Printer Spooler vulnerability.
smb-vuln-ms17-010 Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability ms17-010. The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.

Wrapping Up

Having access to both Nmap and ncat when on a Windows system is very convenient and lots of fun. There is an amazing number of tricks that can be done with ncat, whether you are troubleshooting, security testing or just need some network-fu during a penetration test.

There are now 588 Nmap NSE scripts; the capabilities these provide are another bonus for having Nmap installed on your Windows workstation. Using the bundled scripts there are a large number of shortcuts and tests that can be conducted that might otherwise be difficult without additional software installed.

Thanks for reading, we also have a tutorial and cheat sheet for those wanting to discover more about this excellent tool.


Wireshark Tutorial and Cheat Sheet
https://hackertarget.com/wireshark-tutorial-and-cheat-sheet/ (http://hackertarget.com/?p=808), published Sat, 19 May 2018 23:54:42 +0000


Master network analysis with our Wireshark Tutorial and Cheat Sheet. Find immediate value with this powerful open source tool. Once you have everything up and running, read through the tips and tricks to understand ways to troubleshoot problems, find security issues and impress your colleagues.

Even a basic understanding of Wireshark usage and filters can be a time saver when you are troubleshooting network or application layer issues on the wire (or WIFI).

Examples to Understand the Power of Wireshark

Wireshark can be useful for many different tasks, whether you are a network engineer, security professional or system administrator. Here are a few example use cases:

Troubleshooting Network Connectivity

  • Visually understand packet loss
  • Review TCP retransmission
  • Graph high latency packet responses

Examination of Application Layer Sessions (even when encrypted by SSL/TLS see below)

  • View full HTTP session, seeing all headers and data for both requests and responses
  • View Telnet sessions, see passwords, commands entered and responses
  • View SMTP or POP3 traffic, reading emails off the wire

Troubleshoot DHCP issues with packet level data

  • Examine DHCP client broadcast
  • DHCP offer with address and options
  • Client requests for offered address
  • Ack of server acknowledging the request

Extract files from HTTP sessions

  • Export objects from HTTP such as javascript, images, or even executables.

Extract file from SMB sessions

  • Similar to the HTTP export option but able to extract files transferred over SMB, the ever present Microsoft File Sharing protocol.

Detection and Examination of Malware

  • Detect anomalous behaviour that could indicate malware
  • Search for unusual domains or IP address endpoints
  • Use IO graphs to discover regular connections (beacons) to command and control servers
  • Filter out the "normal" and find the unusual
  • Extract large DNS responses and other oddness which may indicate malware

Examination of Port Scans and Other Vulnerability Scan types

  • Understand what network traffic the vulnerability scanner is sending
  • Troubleshoot vulnerability checks to understand false positives and false negatives

These examples only scratch the surface of the possibilities. Continue reading through the tutorial and start getting more from this powerful tool.

Installation of Wireshark

Wireshark will run on a variety of operating systems and is not difficult to get up and running. We will touch on Ubuntu Linux, Centos and Windows.

Install on Ubuntu or Debian

#apt-get update
#apt-get install wireshark tshark

Install on Fedora or CentOS

#yum install wireshark-gnome

Install on Windows

Head over to the Wireshark Download page, grab the installation executable and run it to install. Pretty straightforward; you will also be installing a packet capture driver, which allows the network card to enter promiscuous mode.

Getting Started with Filters

After running an initial capture you will see the standard layout and the packet details that can be viewed through the interface.

Once you have captured an HTTP session, stop the capture and try playing with some basic filters and the Analyze | Follow | HTTP Stream options.

The filters are easy to read and self explanatory. You simply enter these expressions into the filter bar (or on the command line if using tshark). A primary benefit of the filters is to remove the noise (traffic you don't want to see). As can be seen here you can filter on MAC address, IP address, Subnet or protocol. The easiest filter is to simply type http into the filter bar, only HTTP (tcp port 80) traffic will now be shown.

IP Address Filter Examples

ip.addr == 192.168.0.5
!(ip.addr == 192.168.0.0/24)

Protocol Filter Examples

tcp
udp
tcp.port == 80 || udp.port == 80
http
not arp and not (udp.port == 53)

Try generating a filter combination that shows all non-HTTP and non-HTTPS traffic leaving your local system that is not destined for the local network. This is a good way to find software (malware even) that is communicating with the Internet using unusual protocols.

Follow the White Rabbit Stream

Once you have a number of packets showing HTTP you can select one and then Analyze | Follow | HTTP Stream from the drop down menu. This will show you an assembled HTTP session. In this new window you can see the HTTP request from the browser and HTTP response from the web server. Goal! You are now winning at Wireshark. Continue reading our Wireshark Tutorial for more advanced tips.

Wireshark Follow Stream Example Screenshot

Resolve DNS in Wireshark

By default Wireshark will not resolve the network addresses it displays; it only shows IP addresses. By changing an option in the preferences you can enable the resolution of IP addresses to network names. Just as with tcpdump, this slows down the display of packets as the resolution has to take place. It is also important to understand that if you are doing a live capture, the DNS requests from your Wireshark host will be additional traffic that you are then capturing.

Edit | Preferences | Name Resolution | Enable Network Name Resolution

Tshark for the Command Line

If you haven't had a play with tshark, take a look at our tshark tutorial and filter examples. This program is often overlooked but is a great way to capture application layer sessions on a remote system. Its advantage over tcpdump is that you can capture and view application layer sessions on the fly, as the protocol decoders included in Wireshark are also available to tshark.

Build Firewall Rules

A quick way to generate command line firewall rules; this can save a few minutes Googling for different firewall syntax. Select a packet, then head up to Tools | Firewall ACL Rules. Rules are generated for different firewall products such as Cisco IOS (standard and extended), ipfilter, ipfw, iptables, pf and even the Windows firewall using netsh.

Wireshark Firewall Rules generator screenshot

Wireshark GeoIP Mapping

As long as Wireshark has been compiled with GeoIP support and you have the free MaxMind databases available, you are able to resolve IP addresses to locations. Take a look at About | Wireshark to see what has been compiled into the version you are using. If you see GeoIP listed, make sure you have the GeoLite City, Country and ASNum databases in a directory on the system running Wireshark. Point to the location of the databases in Edit | Preferences | Name Resolution.

Test it by loading a capture and selecting Statistics | Endpoints | IPv4. The columns on the right should show the location and ASN information for each IP address.

Wireshark GeoIP example

Another function of the GeoIP feature is to filter traffic based on location using the ip.geoip display filter.

For example, to exclude traffic from an ASN you could use the following filter. ASN 63949 is the Linode block, so the filter displays only IP traffic not coming from this netblock.

ip and not ip.geoip.asnum == 63949

Of course you can apply the same filter to city and country based queries, removing noise from your capture display and allowing you to focus on the packets you care about.

Decrypt SSL/TLS sessions

One way of decrypting SSL/TLS sessions is to use the private key from the server the client is connecting to. Using this key, you are able to decrypt the session and view the protocol under the SSL/TLS layer (for a browser session, for example, you could see the plain text HTTP). Note that this only works for cipher suites using RSA key exchange; with (EC)DHE suites, which provide forward secrecy, the server key alone is not enough to recover the session keys.

Now you are not always going to have access to the server's private key. In this case there is another option for easily viewing the browser SSL/TLS traffic from your local system. If Firefox or Chrome is started with a special environment variable set, the individual SSL/TLS session symmetric keys will be logged to a file that Wireshark can read. With the keys, Wireshark can show you the session fully decrypted, for the win!

1. Configure the Environment Variable

Linux / Mac

export SSLKEYLOGFILE=~/sslkeylogfile.log

Windows

Under advanced system settings, select Environment Variables and add the variable name (SSLKEYLOGFILE) with the variable value as the path to where you want the file saved.

2. Configure Wireshark

From the drop down menu select Edit | Preferences | Protocols | SSL | (Pre)-Master-Secret Log Filename, and browse to the log file you set in your environment variable.

Start a capture on your local system.

3. Restart Firefox or Chrome

After browsing to an HTTPS site, the log file should start to increase in size as it logs the symmetric session keys.

Take a look at the Wireshark session that was started earlier. You should see something resembling the image below showing the decrypted sessions. You can see the decrypted packets in the tab in the bottom pane.

Wireshark Follow SSL Stream Screenshot

Another way to view the session is to use the analysis drop down and follow the stream. If the session has been successfully decrypted, you will see the option for SSL under Stream.

Analysis | Follow | Stream | SSL

It goes without saying, but use caution when logging these keys and pcaps. Someone with access to the key log file and your pcap may well find your passwords and authentication cookies within the pcap.

Another option for getting at the underlying HTTP traffic is to use Burp Suite with its CA certificate loaded in your browser. In this case the proxy decrypts the connection on the client side and then establishes a new SSL/TLS session to the server. There are many ways to man-in-the-middle (MITM) yourself; these are two of the most straightforward.
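Before a key log file or a pcap leaves your machine it is worth knowing what is in it and who can read it. The following is an added example (not code from the post or from Wireshark) that parses an NSS-format SSLKEYLOGFILE, the format Firefox and Chrome write as "LABEL client_random secret" lines, counts the sessions it can decrypt and checks that the file is not readable by other users. The sample key log is constructed from repeated bytes and contains no real keys.

```python
"""Sanity-check an NSS-format SSLKEYLOGFILE before sharing it or its pcap.

Added example, not from the post. Assumes the key log format Firefox and
Chrome write: one "<LABEL> <client_random hex> <secret hex>" entry per line,
with '#' comment lines allowed.
"""
import os
import re
import stat
from collections import Counter

# Labels NSS/BoringSSL write: CLIENT_RANDOM for TLS 1.2, the rest for TLS 1.3.
KNOWN_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}

# client_random is always 32 bytes (64 hex chars); the secret length varies.
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+) (?P<rand>[0-9a-fA-F]{64}) (?P<secret>(?:[0-9a-fA-F]{2})+)$"
)

# Constructed sample: one TLS 1.2 session and one TLS 1.3 session, plus junk.
SAMPLE_KEYLOG = (
    "# constructed sample, not real keys\n"
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48 + "\n"
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "dd" * 32 + "\n"
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "ee" * 32 + "\n"
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "ff" * 32 + "\n"
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "11" * 32 + "\n"
    "garbage line here\n"
)


def parse_keylog(text):
    """Return (entries, problems); entries are (label, client_random, secret)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append("line %d: malformed entry" % lineno)
            continue
        if m.group("label") not in KNOWN_LABELS:
            problems.append("line %d: unknown label %s" % (lineno, m.group("label")))
        entries.append((m.group("label"), m.group("rand").lower(), m.group("secret").lower()))
    return entries, problems


def summarize(entries):
    """Sessions are distinct client_random values; also count entries per label."""
    sessions = {client_random for _, client_random, _ in entries}
    return {"sessions": len(sessions), "labels": dict(Counter(label for label, _, _ in entries))}


def mode_is_private(mode):
    """True when group and other have no permission bits at all."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def keylog_is_private(path):
    """Anyone who can read this file and has the pcap can decrypt every session in it."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    entries, problems = parse_keylog(SAMPLE_KEYLOG)
    print(summarize(entries))
    for problem in problems:
        print("warning:", problem)
    path = os.path.expanduser("~/sslkeylogfile.log")
    if os.path.exists(path) and not keylog_is_private(path):
        print("warning: %s is readable by other users" % path)
```

Run it against your own file by swapping SAMPLE_KEYLOG for the contents of the path in SSLKEYLOGFILE; a key log that decrypts dozens of sessions and sits with mode 644 in your home directory is exactly the situation the caution above is about.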

Extract files from PCAP using Export (HTTP or SMB)

It is quite easy to extract files from a Wireshark capture using the export option.

File | Export Objects | HTTP

The new window will list any files that were found. In this window you can save the individual files or save them all to a folder. A similar method can be used to extract files from SMB sessions. SMB is the Microsoft Server Message Block protocol that provides Windows file sharing.

Screenshot showing the Wireshark export file object Window

Right Hand Status Bar

Quickly jump to packets based on the colour of the main display. For example, to find red (errors) you can see the red line noted in the right hand side status bar and jump to that location with a click.

Wireshark Right Status Bar Screen shot

Sample PCAP's are readily available

If you are getting started with Wireshark and are looking for interesting packet captures to explore, the Wireshark Samples page is a great place to start. There are enough sample protocols to keep you busy for months and a number of worm / exploit samples for those digging into Network Security Monitoring.

Setting up your Environment

A handy tip is to remember that the default console is highly configurable. You can add or remove columns, even adding something as simple as a UTC time column, which might be immediately useful if you are looking at historical pcaps.

The columns can be configured by going to Edit | Preferences | Appearance | Columns. In this area you can also change the layout, font and colors if you desire.

This video has good configuration tips for the environment, including troubleshooting tips and configurations for identifying issues through TCP sequence numbers.

Wrapping Up

This post was originally published in 2011; it has undergone a major and much needed refresh. If you have any comments, improvements or tips to add to the cheat sheet, drop me a line on the Contact Page. Wireshark is one of those indispensable tools that many use but few actually master. The rabbit hole goes deep on this one.

Maltego Transforms https://hackertarget.com/maltego-transforms/ Fri, 30 Mar 2018 01:49:32 +0000 https://hackertarget.com/?p=10036
Creating Local Maltego Transforms for our DNS reconnaissance tools has been on my to do list for a while now. I am happy to say they are now available and it is a sweet way to perform infrastructure mapping from a domain.

What is Maltego?

Maltego is a cross platform application for performing link analysis. It discovers relationships between entities and builds a visual representation of different data with a graph based layout. A transform is a process that pulls new data related to an entity, automatically extending the graph.

Maltego is commonly used for reconnaissance in penetration testing engagements and open source intelligence analysis. It is possible to understand the relationship between infrastructure, services and even users when mapping an organisation's attack surface.

Using a Local Maltego Transform

There are two types of transforms within Maltego: one runs on remote servers, the other runs locally on the system running Maltego. In the case of the Hacker Target transforms, while the transform runs locally the data is pulled remotely from the Hacker Target API.

Installing the Hacker Target Maltego Transforms

To run the transforms you will need to have Python installed along with the requests module for retrieving the data over HTTP. I have not tested on Windows, only on Linux, but it should work on all platforms.

The installation is straightforward. Clone (or download) the git repository, place the files in a local directory, and add the transforms to your Maltego installation, either manually or by using the mtz file (Maltego configuration file).

Head over to our GitHub page to grab the necessary files and see the detailed installation instructions.

API Quota

With no API key set, you are limited in the number of requests you can perform each day. With a HackerTarget.com membership this number can be increased. If you have a membership, remember to add your API key to the three transform files.

What data is available

Currently there are three transforms available, all based on hostname enumeration for the express purpose of discovering the attack surface of a target organisation.

  • GetHostNames.py - search against a domain and pull known subdomains
  • GetReverseIP.py - search against an IP address and retrieve other host records pointing to that IP
  • GetSharedDNS.py - search against a name server (NS) and get host records that are pointing to this NS server

Obviously this can be a circular process: as new hosts are discovered, resolve them to IP addresses and perform the reverse IP search; as new domains are discovered, search against these with the hostname search.
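To make the local transform mechanism concrete, here is an added example (not the Hacker Target transform code from the GitHub repository) that turns hostsearch output into the XML a Maltego local transform prints to stdout, emitting a DNSName entity per hostname and an IPv4Address entity per distinct IP so the IPs can be fed straight into the reverse IP pivot described above. It assumes the hostsearch endpoint answers with "hostname,ip" lines and that Maltego reads the MaltegoMessage / MaltegoTransformResponseMessage layout built here; the fetch helper and its apikey parameter are my understanding of the API, and the sample response is constructed with documentation addresses so the example runs offline.

```python
"""Minimal Maltego local transform for hostsearch data (added example).

Assumptions, not taken from the post: the hostsearch API returns one
"hostname,ip" per line, and Maltego accepts the transform response XML
built below. The sample response is constructed (RFC 5737 addresses).
"""
import sys
from xml.etree import ElementTree as ET

# Constructed stand-in for an API response, including one junk line.
SAMPLE_HOSTSEARCH = """\
www.example.com,192.0.2.10
mail.example.com,192.0.2.20
dev.example.com,192.0.2.10
not-a-valid-line
"""


def fetch_hostsearch(domain, apikey=None):
    """Live lookup (my understanding of the API; never called in the offline run)."""
    from urllib.parse import urlencode
    from urllib.request import urlopen
    params = {"q": domain}
    if apikey:
        params["apikey"] = apikey  # membership key raises the daily quota
    url = "https://api.hackertarget.com/hostsearch/?" + urlencode(params)
    with urlopen(url, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_hostsearch(body):
    """Return [(hostname, ip)] from "host,ip" lines and drop everything else.

    Quota and "no records" messages come back as plain text rather than CSV,
    so any line without a comma is skipped instead of being turned into an entity.
    """
    rows = []
    for line in body.splitlines():
        host, sep, ip = line.strip().partition(",")
        if not sep or not host or not ip:
            continue
        rows.append((host.lower(), ip))
    return rows


def transform_response(rows):
    """Build the XML a local transform prints for Maltego to extend the graph.

    Hostnames become maltego.DNSName entities and each distinct IP becomes a
    maltego.IPv4Address entity, the pivot point for a reverse IP search.
    """
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    seen = set()
    for host, ip in rows:
        for etype, value in (("maltego.DNSName", host), ("maltego.IPv4Address", ip)):
            if (etype, value) in seen:
                continue
            seen.add((etype, value))
            ent = ET.SubElement(entities, "Entity", Type=etype)
            ET.SubElement(ent, "Value").text = value
            ET.SubElement(ent, "Weight").text = "100"
    return ET.tostring(root, encoding="unicode")


def entity_values(xml_text, etype):
    """Read back the values of one entity type from a response (for checking)."""
    root = ET.fromstring(xml_text)
    return [e.findtext("Value") for e in root.iter("Entity") if e.get("Type") == etype]


if __name__ == "__main__":
    # Maltego passes the selected entity's value as the first argument.
    body = fetch_hostsearch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HOSTSEARCH
    print(transform_response(parse_hostsearch(body)))
```

Run without arguments it prints the response for the constructed sample; wired into Maltego as a local transform it would be invoked with the domain entity as its argument. Building the XML with ElementTree rather than string formatting matters because hostnames come from DNS data you do not control and must be escaped correctly.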

Sounds great, but what does it look like?

Click for Demo

Have Fun

Maltego is a fun way to explore targets. Whether you are penetration testing, running down bug bounties, researching an organisation's infrastructure or simply curious, you can get a lot of value from even the community version of Maltego (CE) and our free access to the API.

Cowrie Honeypot on Ubuntu https://hackertarget.com/cowrie-honeypot-ubuntu/ Tue, 20 Mar 2018 00:28:21 +0000 https://hackertarget.com/?p=9891
Cowrie is the new fork of the Kippo honeypot. It has been updated with new features and provides emulation that records the session of an attacker. With this session recording you are able to get a better understanding of the attacker's tools, tactics and procedures (TTPs), a term that is increasingly being used in cyber defence and incident response.

Our setup will be very close to a default installation of Cowrie. The host's SSH daemon will run on a high port (22222), Cowrie will run on 2222, and port 22 (default SSH) will be redirected to 2222 using iptables. So the SSH bot or attacker connects to port 22 and is redirected to our honeypot on 2222. Confused? Take a look at the diagram.

A warning before we proceed. Honeypots are designed to allow access to a system by an attacker. This could result in compromise of the host if the honeypot has vulnerabilities or is misconfigured. Understand what you are doing and be very careful if running a honeypot anywhere near production kit.

Change Default SSH Port

Before installing Cowrie and our dependencies, let's move SSH to port 22222.

root@cowrie:~# vi /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22222

root@cowrie1:~# systemctl restart ssh
root@cowrie1:~# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-03-19 23:21:05 UTC; 5s ago
 Main PID: 9242 (sshd)
    Tasks: 1
   Memory: 1.3M
      CPU: 5ms
   CGroup: /system.slice/ssh.service
           └─9242 /usr/sbin/sshd -D

Mar 19 23:21:05 cowrie1 systemd[1]: Stopped OpenBSD Secure Shell server.
Mar 19 23:21:05 cowrie1 systemd[1]: Starting OpenBSD Secure Shell server...
Mar 19 23:21:05 cowrie1 sshd[9242]: Server listening on 0.0.0.0 port 22222.
Mar 19 23:21:05 cowrie1 sshd[9242]: Server listening on :: port 22222.
Mar 19 23:21:05 cowrie1 systemd[1]: Started OpenBSD Secure Shell server.

root@cowrie1:~# netstat -nap | grep 2222
tcp        0      0 0.0.0.0:22222            0.0.0.0:*               LISTEN      9242/sshd
tcp6       0      0 :::22222                 :::*                    LISTEN      9242/sshd

We can see SSH is now listening on port 22222 from both the systemctl status as well as the netstat output.

Installation of Cowrie Honeypot on Ubuntu

Firstly we will run apt update as we are on a brand new Digital Ocean VPS. Then we will install dependencies and create a cowrie user. Running a honeypot as root would be a bad idea.

root@cowrie:~# apt update
root@cowrie:~# apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind
root@cowrie:~# adduser --disabled-password cowrie
Adding user `cowrie' ...
Adding new group `cowrie' (1000) ...
Adding new user `cowrie' (1000) with group `cowrie' ...
Creating home directory `/home/cowrie' ...
Copying files from `/etc/skel' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
root@cowrie1:~# su - cowrie
cowrie@cowrie1:~$

Ok, now let's grab the code for Cowrie using git.

cowrie@cowrie1:~$ git clone http://github.com/micheloosterhof/cowrie
Cloning into 'cowrie'...
remote: Counting objects: 9340, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 9340 (delta 3), reused 2 (delta 0), pack-reused 9330
Receiving objects: 100% (9340/9340), 7.43 MiB | 2.32 MiB/s, done.
Resolving deltas: 100% (6415/6415), done.
Checking connectivity... done.
cowrie@cowrie1:~$

Now we will create a virtual environment for Python and Cowrie to run from:

cowrie@cowrie1:~$ cd cowrie
cowrie@cowrie:~/cowrie$ virtualenv cowrie-env
Running virtualenv with interpreter /usr/bin/python2
New python executable in /home/cowrie/cowrie/cowrie-env/bin/python2
Also creating executable in /home/cowrie/cowrie/cowrie-env/bin/python
Installing setuptools, pkg_resources, pip, wheel...done.
cowrie@cowrie1:~$

Next step is to activate the Python virtual environment and install the python packages that Cowrie needs to run.

cowrie@cowrie1:~/cowrie$ source cowrie-env/bin/activate                                                                             
(cowrie-env) cowrie@cowrie1:~/cowrie$ pip install --upgrade pip                                                                     
Requirement already up-to-date: pip in ./cowrie-env/lib/python2.7/site-packages                                                     
(cowrie-env) cowrie@cowrie1:~/cowrie$ pip install --upgrade -r requirements.txt                                                     
Collecting twisted>=17.1.0 (from -r requirements.txt (line 1))                                                                      
  Downloading Twisted-17.9.0.tar.bz2 (3.0MB)                                                                                        
    100% |████████████████████████████████| 3.0MB 403kB/s
Collecting cryptography>=0.9.1 (from -r requirements.txt (line 2))                                                                  
  Downloading cryptography-2.2-cp27-cp27mu-manylinux1_x86_64.whl (2.2MB)                                                            
    100% |████████████████████████████████| 2.2MB 544kB/s
Collecting configparser (from -r requirements.txt (line 3))                                                                         
  Downloading configparser-3.5.0.tar.gz                                                                                             
Collecting pyopenssl (from -r requirements.txt (line 4))                                                                            
  Downloading pyOpenSSL-17.5.0-py2.py3-none-any.whl (53kB)                                                                          
    100% |████████████████████████████████| 61kB 9.8MB/s
Collecting pyparsing (from -r requirements.txt (line 5))                                                                            
  Downloading pyparsing-2.2.0-py2.py3-none-any.whl (56kB)                                                                           
    100% |████████████████████████████████| 61kB 9.7MB/s
Collecting packaging (from -r requirements.txt (line 6))                                                                            
  Downloading packaging-17.1-py2.py3-none-any.whl                                                                                   
Collecting appdirs>=1.4.0 (from -r requirements.txt (line 7))                                                                       
  Downloading appdirs-1.4.3-py2.py3-none-any.whl                                                                                    
Collecting pyasn1_modules (from -r requirements.txt (line 8))                                                                       
  Downloading pyasn1_modules-0.2.1-py2.py3-none-any.whl (60kB)                                                                      
    100% |████████████████████████████████| 61kB 9.7MB/s
Collecting attrs (from -r requirements.txt (line 9))
  Downloading attrs-17.4.0-py2.py3-none-any.whl
Collecting service_identity (from -r requirements.txt (line 10))
  Downloading service_identity-17.0.0-py2.py3-none-any.whl
Collecting python-dateutil (from -r requirements.txt (line 11))
  Downloading python_dateutil-2.7.0-py2.py3-none-any.whl (207kB)
    100% |████████████████████████████████| 215kB 5.4MB/s
Collecting tftpy (from -r requirements.txt (line 12))
  Downloading tftpy-0.6.2.tar.gz
Collecting zope.interface>=3.6.0 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading zope.interface-4.4.3-cp27-cp27mu-manylinux1_x86_64.whl (170kB)
    100% |████████████████████████████████| 174kB 4.1MB/s
Collecting constantly>=15.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading constantly-15.1.0-py2.py3-none-any.whl
Collecting incremental>=16.10.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading incremental-17.5.0-py2.py3-none-any.whl
Collecting Automat>=0.3.0 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading Automat-0.6.0-py2.py3-none-any.whl
Collecting hyperlink>=17.1.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading hyperlink-18.0.0-py2.py3-none-any.whl
Collecting cffi>=1.7; platform_python_implementation != "PyPy" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading cffi-1.11.5-cp27-cp27mu-manylinux1_x86_64.whl (407kB)
    100% |████████████████████████████████| 409kB 3.0MB/s
Collecting enum34; python_version < "3" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading enum34-1.1.6-py2-none-any.whl
Collecting asn1crypto>=0.21.0 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading asn1crypto-0.24.0-py2.py3-none-any.whl (101kB)
    100% |████████████████████████████████| 102kB 9.7MB/s
Collecting idna>=2.1 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading idna-2.6-py2.py3-none-any.whl (56kB)
    100% |████████████████████████████████| 61kB 9.5MB/s
Collecting six>=1.4.1 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading six-1.11.0-py2.py3-none-any.whl
Collecting ipaddress; python_version < "3" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading ipaddress-1.0.19.tar.gz
Collecting pyasn1<0.5.0,>=0.4.1 (from pyasn1_modules->-r requirements.txt (line 8))
  Downloading pyasn1-0.4.2-py2.py3-none-any.whl (71kB)
    100% |████████████████████████████████| 71kB 9.4MB/s
Requirement already up-to-date: setuptools in ./cowrie-env/lib/python2.7/site-packages (from zope.interface>=3.6.0->twisted>=17.1.0->-r requirements.txt (line 1))
Collecting pycparser (from cffi>=1.7; platform_python_implementation != "PyPy"->cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading pycparser-2.18.tar.gz (245kB)
    100% |████████████████████████████████| 256kB 4.5MB/s
Building wheels for collected packages: twisted, configparser, tftpy, ipaddress, pycparser
  Running setup.py bdist_wheel for twisted ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/91/c7/95/0bb4d45bc4ed91375013e9b5f211ac3ebf4138d8858f84abbc
  Running setup.py bdist_wheel for configparser ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/1c/bd/b4/277af3f6c40645661b4cd1c21df26aca0f2e1e9714a1d4cda8
  Running setup.py bdist_wheel for tftpy ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/b6/6b/9a/4536837177d943f2aede676c74488f1dd6f2c3c7ef80f8c094
  Running setup.py bdist_wheel for ipaddress ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/d7/6b/69/666188e8101897abb2e115d408d139a372bdf6bfa7abb5aef5
  Running setup.py bdist_wheel for pycparser ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/95/14/9a/5e7b9024459d2a6600aaa64e0ba485325aff7a9ac7489db1b6
Successfully built twisted configparser tftpy ipaddress pycparser
Installing collected packages: zope.interface, constantly, incremental, attrs, six, Automat, idna, hyperlink, twisted, pycparser, cffi, enum34, asn1crypto, ipaddress, cryptography, configparser, pyopenssl, pyparsing, packaging, appdirs, pyasn1, pyasn1-modules, service-identity, python-dateutil, tftpy
Successfully installed Automat-0.6.0 appdirs-1.4.3 asn1crypto-0.24.0 attrs-17.4.0 cffi-1.11.5 configparser-3.5.0 constantly-15.1.0 cryptography-2.2 enum34-1.1.6 hyperlink-18.0.0 idna-2.6 incremental-17.5.0 ipaddress-1.0.19 packaging-17.1 pyasn1-0.4.2 pyasn1-modules-0.2.1 pycparser-2.18 pyopenssl-17.5.0 pyparsing-2.2.0 python-dateutil-2.7.0 service-identity-17.0.0 six-1.11.0 tftpy-0.6.2 twisted-17.9.0 zope.interface-4.4.3

Ok, that's the initial setup out of the way. Now we need to configure the Cowrie daemon and get started.

cp cowrie.cfg.dist cowrie.cfg

This creates a config file that we can edit and it won't be overwritten by updates.

Editing the configuration file, we will make a few changes from the defaults. Firstly I will change the hostname seen by an attacker after a successful login; keep it generic and non-obvious. Use vim or your favorite text editor to make these changes.

# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment
#
# (default: svr04)
hostname = testserver5

The second change I will make is to enable telnet (the enabled option in the [telnet] section of the config). SSH is enabled by default.

# Enable Telnet support, disabled by default
enabled = true

As you can see in the configuration there are many options and things to play with, from logging and alerting to fake addresses and file downloads.

Finally we are ready to start the daemon.

cowrie@cowrie:~/cowrie$ bin/cowrie start                                             
Using default Python virtual environment "/home/cowrie/cowrie/cowrie-env"             
Starting cowrie: [twistd   --umask 0022 --pidfile var/run/cowrie.pid --logger cowrie.python.logfile.logger cowrie ]...

cowrie@cowrie:~/cowrie$ netstat -an                  
Active Internet connections (servers and established)                                 
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2223            0.0.0.0:*               LISTEN

From the netstat output we can see the SSH and Telnet daemons of our honeypot listening on 2222 and 2223 respectively.

The last step is to redirect traffic for ports 22 and 23 to the high ports 2222 and 2223 using iptables.

root@cowrie:~# iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222                                          
root@cowrie:~# iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223   

Now it is just a waiting game. However, due to the amount of SSH scanning that takes place on the Internet, you will not have to wait long.

cowrie@cowrie:~/cowrie$ tail -f log/cowrie.log

Within 5 minutes I could see SSH connections logging in and running commands within my Honeypot.
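Tailing the log is fine for the first evening, but once the honeypot has been up for a day you want a per-source summary: which IPs connected, which credentials they tried, and which sessions actually got a shell and ran commands. The following is an added example (not part of Cowrie or of this post) that does that over the text log; the sample log lines are constructed to mirror the format Cowrie writes to log/cowrie.log, using documentation addresses, and the regexes accept both the older [root/123456] credential form and the newer [b'root'/b'123456'] form.

```python
"""Summarise a Cowrie text log (log/cowrie.log) per source IP (added example).

Not part of the Cowrie project or the post. SAMPLE_COWRIE_LOG is constructed
to mirror Cowrie's text log format; run against a real file via read_log().
"""
import re
from collections import Counter, defaultdict

SAMPLE_COWRIE_LOG = """\
2018-03-19T23:45:10+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 203.0.113.7:51234 (10.0.0.5:2222) [session: 6a4c1b2f]
2018-03-19T23:45:12+0000 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,0,203.0.113.7] login attempt [root/123456] failed
2018-03-19T23:45:13+0000 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,0,203.0.113.7] login attempt [root/admin] succeeded
2018-03-19T23:45:15+0000 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,0,203.0.113.7] CMD: uname -a
2018-03-19T23:45:16+0000 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,0,203.0.113.7] CMD: cat /proc/cpuinfo
2018-03-19T23:46:01+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 198.51.100.9:40001 (10.0.0.5:2222) [session: 9f0e1d2c]
2018-03-19T23:46:02+0000 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,1,198.51.100.9] login attempt [admin/admin] failed
2018-03-19T23:46:03+0000 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,1,198.51.100.9] login attempt [root/123456] failed
2018-03-19T23:46:04+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#connectionLost] connection lost
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
NEW_CONN_RE = re.compile(r"New connection: (?P<ip>" + IPV4 + r"):\d+")
# The transport tag carries the attacker's IP on auth and channel lines.
SRC_RE = re.compile(r"HoneyPotSSHTransport,\d+,(?P<ip>" + IPV4 + r")\]")
LOGIN_RE = re.compile(r"login attempt \[(?P<cred>[^\]]+)\] (?P<result>succeeded|failed)")
CMD_RE = re.compile(r"\] CMD: (?P<cmd>.*)$")


def _clean_cred(raw):
    """Strip the b'...' quoting newer Cowrie versions put around credentials."""
    return raw.replace("b'", "").replace("'", "")


def summarize_cowrie_log(text):
    """Return {"per_ip": {ip: counters}, "credentials": Counter((user, password))}."""
    per_ip = defaultdict(lambda: {"connections": 0, "attempts": 0, "successes": 0, "commands": []})
    creds = Counter()
    for line in text.splitlines():
        m = NEW_CONN_RE.search(line)
        if m:
            per_ip[m.group("ip")]["connections"] += 1
            continue
        src = SRC_RE.search(line)
        if not src:
            continue  # transport-level noise such as "connection lost"
        ip = src.group("ip")
        m = LOGIN_RE.search(line)
        if m:
            user, _, password = _clean_cred(m.group("cred")).partition("/")
            creds[(user, password)] += 1
            per_ip[ip]["attempts"] += 1
            if m.group("result") == "succeeded":
                per_ip[ip]["successes"] += 1
            continue
        m = CMD_RE.search(line)
        if m:
            per_ip[ip]["commands"].append(m.group("cmd").strip())
    return {"per_ip": dict(per_ip), "credentials": creds}


def interactive_sessions(summary):
    """IPs that logged in and ran commands: the sessions worth replaying first."""
    return sorted(ip for ip, s in summary["per_ip"].items() if s["successes"] and s["commands"])


def read_log(path):
    """Load a real cowrie.log; errors are replaced since attackers send arbitrary bytes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    summary = summarize_cowrie_log(SAMPLE_COWRIE_LOG)
    for ip, s in summary["per_ip"].items():
        print(ip, s)
    print("top credentials:", summary["credentials"].most_common(3))
    print("interactive:", interactive_sessions(summary))
```

Point read_log() at log/cowrie.log on the honeypot and the credential counter gives you the password list the bots are working from, while interactive_sessions() picks out the handful of sources whose recorded sessions are actually worth replaying.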

OSSEC Introduction and Installation Guide https://hackertarget.com/ossec-introduction-and-installation-guide/ Sat, 17 Mar 2018 08:20:53 +0000 http://hackertarget.com/?p=355
OSSEC is a Host Based Intrusion Detection and Prevention system.

Best practice security management calls for a layered approach to security; security vulnerability scanning, a firewall, strong passwords, patch management and intrusion detection capabilities are all important layers. Using a HIDS allows you to have real time visibility into what security events are taking place on a server.

The latest version of OSSEC is easy to use and provides a high level of system surveillance for a small amount of effort.

OSSEC provides a number of functions:
  • Real time log monitoring
  • File integrity checking - detects changes to files and system paths
  • Rootkit detection
  • Changes to the system / running services (netstat) / disk space / password file changes
  • Real time blocking of detected attacks through firewall rule modification
  • Execute arbitrary commands based on specific events

At the most basic level you can install OSSEC, set an email address and let it do its job alerting you to security related events on your server. It will not impact the system in any way; it simply provides you with security related visibility.

Tuning is easy, and you will likely only need to tune out a few things to reduce the number of alerts you receive, as the rate of false positives is very low.

Full installation instructions are available here http://www.ossec.net/docs/manual/installation/install-source.html

While the following information is for an older version, nothing has changed in the process for the latest version. Download the tar archive from the ossec site and get started.

Updated March 2018 to include the latest version of OSSEC. Our original OSSEC installation guide was released in 2009. It is still a favourite open source security tool that does what it is supposed to do really well.

A quick guide to installing on Ubuntu follows:

wget https://github.com/ossec/ossec-hids/archive/2.9.3.tar.gz

tar zxvf 2.9.3.tar.gz
cd ossec-hids-2.9.3
sudo ./install.sh


1. What kind of installation do you want (server, agent, local or help)?

* If you are doing a basic install to a single server select 'local'.
This creates a single install to monitor only the server you are
installing on. See the documentation on the site for details on
setting up multiple agents on a number of servers that all report back
to a server.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

   - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

 3.1- Do you want e-mail notification? (y/n) [y]:
  - What's your e-mail address?   -- enter your email address here

 - We found your SMTP server as: example.test.com.
  - Do you want to use it? (y/n) [y]: n

  - What's your SMTP server ip/host? enter your preferred smtp server here

 3.2- Do you want to run the integrity check daemon? (y/n) [y]:
   (this is for file integrity checking, alerts you to changes to
files on your system)

  - Running syscheck (integrity check daemon).

 3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
  (this checks for rootkits on a regular basis)

  - Running rootcheck (rootkit detection).

 3.4- Active response allows you to execute a specific
      command based on the events received. For example,
      you can block an IP address or disable access for
      a specific user.
      More information at:
      http://www.ossec.net/en/manual.html#active-response

  - Do you want to enable active response? (y/n) [y]:
(this can block attacks that meet certain rules)

If you select [y] yes for active response you are adding intrusion prevention capability. This is a good thing, but keep in mind it is a good idea to white list your own IPs, as you don't want active response to trigger against your IP and auto-block your access. This could happen if you failed multiple SSH logins, or if you were to run a vulnerability scan against your IP, as OSSEC would detect this as an attack. Your IP would get blocked, and then you would be unable to SSH to your server to manage it!

After compiling is complete you will be presented with final instructions:

- System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
               /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
               /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


   Thanks for using the OSSEC HIDS.
   If you have any question, suggestion or if you find any bug,
   contact us at contact@ossec.net or using our public maillist at
   ossec-list@ossec.net
   ( http://www.ossec.net/main/support/ ).

   More information can be found at http://www.ossec.net

   ---  Press ENTER to finish (maybe more information below). ---

That's it, you're done. Just start it up with:

       /var/ossec/bin/ossec-control start

After your initial install you will get a number of alerts (assuming your smtp is configured correctly). Agent starting up, new user logged in and that sort of thing.

So for 15 minutes' work you now have real-time security monitoring of your server. If you would like to test active response, try our online vulnerability scans and test your host's defence.

If you have active response enabled, vulnerability scanners will likely get blocked and the scan will not be completed. To run a full scan against your system with active response enabled, add the scanning host to the OSSEC white-list (preferred) or disable OSSEC for the duration of the scan (not recommended), and make sure you re-enable your protection after the scan completes.
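
The relevant part of /var/ossec/etc/ossec.conf, as an added example rather than output from the installer: the global block the e-mail answers above produce, with white_list entries so active response never blocks the management host or the scanner. The addresses are constructed placeholders.

```xml
<ossec_config>
  <global>
    <!-- Written from the installer's e-mail answers above;
         the addresses here are constructed placeholders. -->
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossecm@example.com</email_from>

    <!-- Hosts that active response must never block: your own
         management address and the host or range you scan from.
         A single IP or a network in CIDR form is accepted. -->
    <white_list>192.0.2.10</white_list>
    <white_list>198.51.100.0/24</white_list>
  </global>
</ossec_config>
```

Restart with /var/ossec/bin/ossec-control restart after editing so the new white_list entries take effect.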

The post OSSEC Introduction and Installation Guide appeared first on HackerTarget.com.

DataSploit Tutorial https://hackertarget.com/datasploit-tutorial/ Sat, 17 Feb 2018 06:01:27 +0000


What is DataSploit?

DataSploit is an open source intelligence collection tool. It is a simple way to dump data for a domain or other piece of metadata.

Running DataSploit from the command line you simply enter an input to search on or you can choose to import search data from a text file.

A tutorial for getting started with DataSploit

DataSploit Installation

Often used with the Kali Linux penetration testing distribution, installing within Kali or Ubuntu Linux is a simple process.

Ensure you have git and pip installed.

test@ubuntu:~/$ git clone https://github.com/datasploit/datasploit
test@ubuntu:~/$ cd datasploit
test@ubuntu:~/datasploit/$ pip install -r REQUIREMENTS
test@ubuntu:~/datasploit/$ mv sample-config.py config.py
test@ubuntu:~/datasploit/$ python datasploit.py -h
True
usage: datasploit.py [-h] [-i SINGLE_TARGET] [-f FILE_TARGET] [-a] [-q]
                     [-o OUTPUT]

  ____/ /____ _ / /_ ____ _ _____ ____   / /____   (_)/ /_
 / __  // __ `// __// __ `// ___// __ \ / // __ \ / // __/
/ /_/ // /_/ // /_ / /_/ /(__  )/ /_/ // // /_/ // // /_
\__,_/ \__,_/ \__/ \__,_//____// .___//_/ \____//_/ \__/
                              /_/

           Open Source Assistant for #OSINT
               www.datasploit.info

optional arguments:
  -h, --help            show this help message and exit
  -i SINGLE_TARGET, --input SINGLE_TARGET
                        Provide Input
  -f FILE_TARGET, --file FILE_TARGET
                        Provide Input
  -a, --active          Run Active Scan attacks
  -q, --quiet           Run scans in automated manner accepting default
                        answers
  -o OUTPUT, --output OUTPUT
                        Provide Destination Directory

              Connect at Social Media: @datasploit
                

Similar to recon-ng, you will need to configure API keys to get the full value from this tool. As different Internet resources are searched, the API keys allow you to get additional and more detailed data.

To add the API keys, put them in the config.py file.

DataSploit as Python Module

A nice feature of this tool is the ability to load it as a Python module for use in your own Python tools. pip install datasploit will get you started; then head over to the Help Pages for more information.

Using DataSploit

From the command line you can simply run the tool with a single target parameter to find information on a single domain.

Rather than selecting which modules to use, this tool simply has a go at whatever modules are available and configured.

~/datasploit$ python datasploit.py -i microsoft.com
True

  ____/ /____ _ / /_ ____ _ _____ ____   / /____   (_)/ /_
 / __  // __ `// __// __ `// ___// __ \ / // __ \ / // __/
/ /_/ // /_/ // /_ / /_/ /(__  )/ /_/ // // /_/ // // /_
\__,_/ \__,_/ \__/ \__,_//____// .___//_/ \____//_/ \__/
                              /_/

           Open Source Assistant for #OSINT
               www.datasploit.info


Target: microsoft.com
Looks like a DOMAIN, running domainOsint...

[-] Skipping Googlepdf because it is marked as disabled.
[-] Skipping Zoomeye because it is marked as disabled.
---> Finding subdomains, will be back soon with list. 

 [+] Extracting subdomains from DNS Dumpster

 [+] Extracting subdomains Netcraft

 [+] Extracting subdomains from Certificate Transparency Reports

As you can see there is a sub domain search module for our own project DNSDumpster.

With a configured Shodan API key, we can dump subdomains for the target domain and these will then be searched for open ports and other scan data through the Shodan API.

** results snipped **
---> Wapplyzing web page of base domain:

Hitting HTTP and HTTPS:
[+] Third party libraries in Use for HTTP:
  Apache
  Google Analytics
  Google AdSense
  CentOS
[+] Third party libraries in Use for HTTPS:
  Apache
  Google Analytics
  Google AdSense
  CentOS

-----------------------------


---> Searching in Shodan:

IP: 77.xx.44.55
Hosts: [u'test.microsoft.com']
Domain: [u'test.microsoft.com']
Port: 80
Content-Type: text/html; charset=UTF-8
Location: {u'city': u'Fremont', u'region_code': u'CA', u'area_code': 510, u'longitude': -121.9829, u'country_code3': u'USA', u'country_name': u'United States', u'postal_code': u'94536', u'dma_code': 807, u'country_code': u'US', u'latitude': 37.56700000000001}

** results snipped **

While I have snipped most of the results above, there are a couple of interesting things to keep in mind.

In particular, the Wapplyzing module has pulled some data on the HTML/JavaScript libraries of the main domain. These results have been gathered by querying the domain from your current Internet connection.
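
As an added example (not DataSploit's own code), the kind of fingerprinting the Wapplyzing step performs, run offline against a constructed HTTP response modelled on the results above, plus the access-log line that one "standard browser" request leaves on the target's web server. The signature table and the sample response are assumptions, not captured data.

```python
"""Added example (not DataSploit's code): header/body fingerprinting of the
kind the Wapplyzing step does, and the trace it leaves in the target's logs."""
import re
from datetime import datetime, timezone

# Constructed response modelled on the output above (Apache on CentOS, Google
# Analytics and AdSense on the page); not captured from microsoft.com.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.6 (CentOS)",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-000000-1"></script>
<script src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
</head><body>hello</body></html>"""

# Small signature table in the spirit of Wappalyzer (constructed, not the real
# Wappalyzer rules): name -> ((header name, regex) or None, body regex or None).
SIGNATURES = {
    "Apache":           (("Server", r"\bApache\b"), None),
    "CentOS":           (("Server", r"\(CentOS\)"), None),
    "Google Analytics": (None, r"googletagmanager\.com/gtag/js|google-analytics\.com/(ga|analytics)\.js"),
    "Google AdSense":   (None, r"pagead2\.googlesyndication\.com"),
}


def fingerprint(headers, html):
    """Return the sorted list of technologies matched in headers or body."""
    found = set()
    for name, (hdr_sig, html_sig) in SIGNATURES.items():
        if hdr_sig is not None:
            hname, pattern = hdr_sig
            # header names are case-insensitive on the wire
            value = next((v for k, v in headers.items() if k.lower() == hname.lower()), "")
            if re.search(pattern, value):
                found.add(name)
        if html_sig is not None and re.search(html_sig, html, re.IGNORECASE):
            found.add(name)
    return sorted(found)


def access_log_line(client_ip, user_agent, path="/", status=200, size=1234, when=None):
    """Apache combined-log line the target records for the fingerprint request.

    This is what 'semi-passive' means in practice: a single ordinary GET, but
    it still carries the requester's source IP and User-Agent to the target.
    """
    when = when or datetime(2018, 2, 17, 6, 1, 27, tzinfo=timezone.utc)
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{client_ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} {size} '
            f'"-" "{user_agent}"')


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS, SAMPLE_HTML))
    # constructed source address and client string
    print(access_log_line("203.0.113.7", "python-requests/2.18.4"))
```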

Active vs Passive vs Semi-Passive

Definitions can vary but I generally categorize these types of reconnaissance as follows:

Active involves active probes against the target, including such things as port scanning. That is, sending traffic to the target that is not "normal", normal being a browser viewing a legitimate web page.

Passive indicates no packets are sent to the target network. All data collection is done through third party sites. These of course may then perform the query on your behalf depending on the service.

Semi-Passive is the category I would place this tool in. That is, it does send traffic to the target, but it is a standard web browser request, as seen in the wappalyzer results.

The key takeaway here is that if you are doing OSINT research for incident response and wish to keep your local IP address out of the target web server logs, you should use a VPS or other layer of anonymity.

Conclusion

DataSploit is a fast and easy tool that can gather a range of data very quickly with minimal configuration.

Go and grab the latest version and start testing. A good place to start is the various bug bounty programs. By selecting a range of bug bounty programs you will be able to test the tool against a number of varied targets, and you may even stumble upon an item of interest.

If you have any suggestions for improvement or have any questions related to this DataSploit Tutorial please get in contact.

Recon-NG Tutorial https://hackertarget.com/recon-ng-tutorial/ Fri, 16 Feb 2018 23:22:28 +0000

In this recon-ng tutorial you will discover open source intelligence and easily pivot to new results. Find targets and move to discovering vulnerabilities.

What is Recon-ng?

Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line you enter a shell-like environment where you can configure options, perform recon and output results to different report types.

OSINT with our Recon-NG Tutorial
The interactive console provides a number of helpful features such as command completion and contextual help.

Recon-ng Installation

Often used with the Kali Linux penetration testing distribution, installing within Kali is a simple matter of apt-get install recon-ng.

For those wanting the very latest code on Ubuntu, the process is nearly as simple. Make sure you have git and pip installed.

test@ubuntu:~/$ git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
test@ubuntu:~/$ cd recon-ng
test@ubuntu:~/recon-ng/$ pip install -r REQUIREMENTS
test@ubuntu:~/recon-ng/$ ./recon-ng

You should now be up and running, with the Recon-NG console loaded.

    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
   _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
  _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
_/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    
                                                                                        

                                          /\
                                         / \\ /\
        Sponsored by...           /\  /\/  \\V  \/\
                                 / \\/ // \\\\\ \\ \/\
                                // // BLACK HILLS \/ \\
                               www.blackhillsinfosec.com

                      [recon-ng v4.9.3, Tim Tomes (@LaNMaSteR53)]                       

[75] Recon modules
[8]  Reporting modules
[2]  Import modules
[2]  Exploitation modules
[2]  Discovery modules

[recon-ng][default] > 

Above the splash screen you will get a screen of red errors; these are simply warnings that the API keys for those services are not populated. Many of the modules within recon-ng use web services that require an API key for full access to the data. On the recon-ng wiki there is a quick rundown of the keys and where to get them, which will save you time fussing about on each of the sites looking for the API signup page.

Using recon-ng

From the console it is easy to get help and get started with your recon.

Typing help is the obvious start; help on a specific command is available by typing help -option-.

Firstly, let's use the hackertarget module to gather some subdomains. This uses the hackertarget.com API and hostname search.

To use a module the syntax is use recon/$category/$module as seen below.

[recon-ng][default] > use recon/domains-hosts/hackertarget
[recon-ng][default][hackertarget] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][default][hackertarget] > set SOURCE teslamotors.com
SOURCE => teslamotors.com

I am using teslamotors.com as an example domain because they have a published bug bounty program and Teslas are cool. Simply type run to execute the module.

[recon-ng][default][hackertarget] > run

---------------
TESLAMOTORS.COM
---------------
[*] [host] email1.teslamotors.com (192.28.144.15)
[*] [host] originwww45.teslamotors.com (205.234.27.211)
[*] [host] storetest5.teslamotors.com (209.11.133.41)
[*] [host] lync.teslamotors.com (209.11.133.11)
[*] [host] epc.teslamotors.com (209.11.133.110)
[*] [host] upload.teslamotors.com (205.234.27.250)
[*] [host] evprd.teslamotors.com (205.234.27.199)
[*] [host] mta.e.teslamotors.com (68.232.192.245)
[*] [host] service.teslamotors.com (209.11.133.37)
[*] [host] extconfluence.teslamotors.com (209.11.133.50)
[*] [host] leaseappde.teslamotors.com (64.125.183.134)
[*] [host] rav4garage.teslamotors.com (209.11.133.16)
[*] [host] energystorage.teslamotors.com (209.10.208.24)
[*] [host] quickbase.teslamotors.com (205.234.27.246)
[*] [host] seg.teslamotors.com (209.10.208.32)
[*] [host] myteslastg.teslamotors.com (209.11.133.54)
[*] [host] cn.auth.teslamotors.com (211.147.80.202)
[*] [host] us.auth.teslamotors.com (209.10.208.27)
[*] [host] extconfl.teslamotors.com (209.11.133.50)
[*] [host] xmail.teslamotors.com (209.11.133.61)
[*] [host] externalssl.teslamotors.com (209.11.133.19)
[*] [host] storagesim.teslamotors.com (209.10.208.39)
[*] [host] japan.teslamotors.com (204.74.99.100)
[*] [host] xmailcn.teslamotors.com (211.147.80.203)
[*] [host] cnorigin.teslamotors.com (211.147.80.201)
[*] [host] wwworigin.teslamotors.com (209.11.133.106)
[*] [host] vpn.teslamotors.com (205.234.27.218)
[*] [host] sdlcvpn.teslamotors.com (209.10.208.55)
[*] [host] hkvpn.teslamotors.com (14.136.104.118)
[*] [host] cnvpn.teslamotors.com (211.147.88.104)
[*] [host] euvpn.teslamotors.com (149.14.82.93)
[*] [host] shop.teslamotors.com (205.234.27.221)
[*] [host] sftp.teslamotors.com (205.234.27.226)
[*] [host] externalsmtp.teslamotors.com (205.234.27.238)
[*] [host] supercharger.teslamotors.com (209.11.133.36)
[*] [host] ipaddocs.teslamotors.com (205.234.27.252)
[*] [host] extissues.teslamotors.com (209.11.133.35)
[*] [host] adfs.teslamotors.com (205.234.27.243)
[*] [host] mobileapps.teslamotors.com (205.234.27.196)
[*] [host] suppliers.teslamotors.com (209.10.208.37)
[*] [host] wechat.teslamotors.com (211.147.80.205)
[*] [host] myteslawduat.teslamotors.com (209.11.133.43)
[*] [host] wwwuat.teslamotors.com (205.234.27.225)
[*] [host] trt.teslamotors.com (209.10.208.20)
[*] [host] origintest.teslamotors.com (205.234.27.221)
[*] [host] wsext.teslamotors.com (209.11.133.49)
[*] [host] fleetview.teslamotors.com (209.10.208.31)
[*] [host] toolbox.teslamotors.com (209.11.133.107)
[*] [host] mobility.teslamotors.com (209.10.208.14)
[*] [host] eumobility.teslamotors.com (82.199.92.7)
[*] [host] wsproxy.teslamotors.com (205.234.27.212)
[*] [host] smswsproxy.teslamotors.com (205.234.27.197)

-------
SUMMARY
-------
[*] 52 total (52 new) hosts found.

Now we have begun to populate our hosts. Typing show hosts will give you a summary of the resources discovered.

Add API keys to Recon-ng

It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option, allowing you to query open ports on your discovered hosts without sending any packets to the target systems.

keys add shodan_api < insert shodan api key here > 

Recon-ng Modules

Typing show modules will display a list of all the modules, from which you can start following the white rabbit, exploring and getting deeper into recon and open source intelligence.

[recon-ng][default] > show modules

  Discovery
  ---------
    discovery/info_disclosure/cache_snoop
    discovery/info_disclosure/interesting_files

  Exploitation
  ------------
    exploitation/injection/command_injector
    exploitation/injection/xpath_bruter

  Import
  ------
    import/csv_file
    import/list

  Recon
  -----
    recon/companies-contacts/bing_linkedin_cache
    recon/companies-contacts/jigsaw/point_usage
    recon/companies-contacts/jigsaw/purchase_contact
    recon/companies-contacts/jigsaw/search_contacts
    recon/companies-multi/github_miner
    recon/companies-multi/whois_miner
    recon/contacts-contacts/mailtester
    recon/contacts-contacts/mangle
    recon/contacts-contacts/unmangle
    recon/contacts-credentials/hibp_breach
    recon/contacts-credentials/hibp_paste
    recon/contacts-domains/migrate_contacts
    recon/contacts-profiles/fullcontact
    recon/credentials-credentials/adobe
    recon/credentials-credentials/bozocrack
    recon/credentials-credentials/hashes_org
    recon/domains-contacts/metacrawler
    recon/domains-contacts/pgp_search
    recon/domains-contacts/whois_pocs
    recon/domains-credentials/pwnedlist/account_creds
    recon/domains-credentials/pwnedlist/api_usage
    recon/domains-credentials/pwnedlist/domain_creds
    recon/domains-credentials/pwnedlist/domain_ispwned
    recon/domains-credentials/pwnedlist/leak_lookup
    recon/domains-credentials/pwnedlist/leaks_dump
    recon/domains-domains/brute_suffix
    recon/domains-hosts/bing_domain_api
    recon/domains-hosts/bing_domain_web
    recon/domains-hosts/brute_hosts
    recon/domains-hosts/builtwith
    recon/domains-hosts/certificate_transparency
    recon/domains-hosts/google_site_api
    recon/domains-hosts/google_site_web
    recon/domains-hosts/hackertarget
    recon/domains-hosts/mx_spf_ip
    recon/domains-hosts/netcraft
    recon/domains-hosts/shodan_hostname
    recon/domains-hosts/ssl_san
    recon/domains-hosts/threatcrowd
    recon/domains-vulnerabilities/ghdb
    recon/domains-vulnerabilities/punkspider
    recon/domains-vulnerabilities/xssed
    recon/domains-vulnerabilities/xssposed
    recon/hosts-domains/migrate_hosts
    recon/hosts-hosts/bing_ip
    recon/hosts-hosts/freegeoip
    recon/hosts-hosts/ipinfodb
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/hosts-hosts/ssltools
    recon/hosts-locations/migrate_hosts
    recon/hosts-ports/shodan_ip
    recon/locations-locations/geocode
    recon/locations-locations/reverse_geocode
    recon/locations-pushpins/flickr
    recon/locations-pushpins/picasa
    recon/locations-pushpins/shodan
    recon/locations-pushpins/twitter
    recon/locations-pushpins/youtube
    recon/netblocks-companies/whois_orgs
    recon/netblocks-hosts/reverse_resolve
    recon/netblocks-hosts/shodan_net
    recon/netblocks-ports/census_2012
    recon/netblocks-ports/censysio
    recon/ports-hosts/migrate_ports
    recon/profiles-contacts/dev_diver
    recon/profiles-contacts/github_users
    recon/profiles-profiles/namechk
    recon/profiles-profiles/profiler
    recon/profiles-profiles/twitter_mentioned
    recon/profiles-profiles/twitter_mentions
    recon/profiles-repositories/github_repos
    recon/repositories-profiles/github_commits
    recon/repositories-vulnerabilities/gists_search
    recon/repositories-vulnerabilities/github_dorks

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

Conclusion

Recon-ng is a powerful tool that can be further explored by looking through the list of modules above. The help within the console is very clear, and with a bit of playing around it won't take long to become an expert.

Once you start to become more familiar with the layout of the tool you will discover options such as workspaces that allow you to segment based on organization or network.

The rise of bug bounties allows you to play with new tools and simply go and explore organizations' Internet-facing footprints. Have fun. Don't break the rules.

Internet Wide Scanning – Remote access granted https://hackertarget.com/remote-access-granted/ Sun, 26 Nov 2017 12:41:34 +0000

In the beginning there were Google Dorks, by using specific Google search queries it is still possible to find thousands of unsecured remotely accessible security cameras and printers. Now with search engines such as Shodan.io and Censys.io finding open devices on the Internet has gone to the next level.

Google dorks work because Google happened to index the admin login screen of the device. Since the majority of devices still had the default credentials it was then possible to view security cameras in offices around the world, print random junk to unknown printers and much more. While pranks and much laughing may follow, Google dorks highlight the importance of security awareness. That is understanding what services are listening on your perimeter and changing default credentials.

The following techniques for finding insecure devices connected to the Internet are much more accurate, comprehensive and accessible.

Shodan the Google of network services

Things started to heat up when John Matherly released the Shodan Search Tool. In 2009 John started indexing Internet service banners across the net and made the data available at ShodanHQ. It is now commonly known as the Google of network services, and has made numerous appearances in mainstream media such as CNN and Forbes.

Internet Census 2012

2012 saw the release of the Internet Census: an unknown researcher created a botnet that scanned the entire IPv4 address space and then published the results online. Note that this project was audacious and very much illegal, as it utilized exploited routers to perform the port scanning.

Zmap and Masscan

Zmap was released a few months later by a team of computer scientists at the University of Michigan. The Zmap port scanning tool can scan the entire IPv4 address space in 45 minutes. You will need a big fat uplink and a fast network card, but that is pretty damn quick. Yet another extremely fast port scanner, known as Masscan, was released soon after.

Project Sonar

Project Sonar was the next big project in the timeline, launched by HD Moore of Metasploit fame. At Scans.io the results of Internet scanning from HD Moore's critical.io scanning project, and datasets from the Zmap project, have been made available online for researchers to explore.

Censys

Censys was created in 2015 at the University of Michigan by the security researchers who developed ZMap, the very fast port scanner capable of Internet-wide scanning. The team has been scanning the Internet and making the results available through the portal. They have recently launched commercial access to the API.

VNC pwnage

Most recently, a security researcher scanned a specific TCP port across the IPv4 address space and took a screenshot of VNC (remote control software) services that have no password. In 16 minutes he found 30000 systems with no password; some of those systems included 2 hydroelectric plants and surveillance cameras at a casino in the Czech Republic.

Now go Port Scan your Internet facing networks

As seen from the projects, data and articles linked above, all too often networks go untested for services that should not be there or at least not be accessible from anywhere in the world over the Internet.

Here are three steps that will help you stay secure and it might even just make the world a safer place:

Port Scan your Internet facing IP addresses with Nmap

  • Nmap is simply the best tool for performing a port scan. You can download Nmap and install it on your operating system of choice.
  • Keep in mind that you want to perform the testing from an external IP address to the network you are testing.
  • Know your network ranges, keep a list of all IP ranges and systems you manage. Ensure all networks and systems are tested.
Firewall, block or restrict access to services that should not be accessible from the Internet

  • Make the necessary changes and get it fixed.
  • Implement a change control process for firewall changes and systems on the perimeter.
Schedule the port scan to be performed on a regular basis

  • Select a schedule based on your risk model, perhaps weekly, daily or monthly.
  • Changes to the network occur all the time: new devices are added, changes are made to existing devices, firewall rules are modified, and when a change occurs mistakes will happen.
  • Nmap has a tool called ndiff that allows you to compare two port scans; this is a handy tool for scripting regular port scans from a VPS or off-site location.
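
A minimal version of the ndiff step in the three steps above, as an added example that is neither the post's nor Nmap's code: it compares two nmap -oX results, constructed inline here with addresses from the 192.0.2.0/24 documentation range, and reports ports that newly opened or closed, which is the change a scheduled perimeter scan should alert on.

```python
"""Added example (not the post's or Nmap's code): an ndiff-style comparison of
two `nmap -oX` results that reports newly opened and closed ports per host."""
import xml.etree.ElementTree as ET


def open_ports(nmap_xml):
    """Map each scanned address to the set of (protocol, port) reported open."""
    result = {}
    root = ET.fromstring(nmap_xml)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        ports = set()
        for p in host.iter("port"):
            state = p.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((p.get("protocol"), int(p.get("portid"))))
        result[addr] = ports
    return result


def diff_scans(previous_xml, current_xml):
    """Return {addr: {"opened": [...], "closed": [...]}} for hosts whose set of
    open ports changed. A host present in only one scan is reported too: a new
    address answering on the perimeter is itself a change worth reviewing."""
    before, after = open_ports(previous_xml), open_ports(current_xml)
    changes = {}
    for addr in sorted(set(before) | set(after)):
        opened = sorted(after.get(addr, set()) - before.get(addr, set()))
        closed = sorted(before.get(addr, set()) - after.get(addr, set()))
        if opened or closed:
            changes[addr] = {"opened": opened, "closed": closed}
    return changes


# Constructed scan outputs (trimmed nmap XML): last week's baseline scan and
# this week's scan of the same Internet-facing range.
LAST_WEEK = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port>
</ports></host>
</nmaprun>"""

THIS_WEEK = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="filtered"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port>
<port protocol="tcp" portid="9100"><state state="open"/></port>
</ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="5900"><state state="open"/></port>
</ports></host>
</nmaprun>"""


if __name__ == "__main__":
    # A printer port (9100) opened on the web host and a VNC port (5900)
    # appeared on a new address: the kind of exposure the post warns about.
    for addr, change in diff_scans(LAST_WEEK, THIS_WEEK).items():
        print(addr, change)
```

For a real run, feed it the files written by nmap -oX from a scheduled scan and route a non-empty result into your alerting.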

Regular port scans are simple to implement and can be incorporated with other regular security tasks. Start now before someone on the other side of the world starts abusing your printer or turns up the heat in your building.


15 Essential Open Source Security Tools https://hackertarget.com/10-open-source-security-tools/ Wed, 27 Sep 2017 11:30:15 +0000

There are thousands of open source security tools with both defensive and offensive security capabilities.

Updated in 2017 to include an additional 5 essential security tools.

The following are 15 (up from the original 10) essential security tools that will help you to secure your systems and networks. These open source security tools have been given the essential rating because they are effective, well supported and easy to start getting value from.

1. Nmap - map your network and ports with the number one port scanning tool. Nmap now features powerful NSE scripts that can detect vulnerabilities, misconfiguration and security-related information around network services. After you have Nmap installed, be sure to look at the features of the included ncat; it's netcat on steroids.

2. OpenVAS - open source vulnerability scanning suite that grew from a fork of the Nessus engine when it went commercial. Manage all aspects of a security vulnerability management system from web based dashboards. For a fast and easy external scan with OpenVAS try our online OpenVAS scanner.

3. OSSEC - host based intrusion detection system or HIDS, easy to setup and configure. OSSEC has far reaching benefits for both security and operations staff.

4. Security Onion - a network security monitoring distribution that can replace expensive commercial grey boxes with blinking lights. Security Onion is easy to set up and configure. With minimal effort you will start to detect security-related events on your network. Detect everything from brute force scanning kids to those nasty APTs.

5. Metasploit Framework - test all aspects of your security with an offensive focus. Primarily a penetration testing tool, Metasploit has modules that not only include exploits but also scanning and auditing.

6. OpenSSH - secure all your traffic between two points by tunnelling insecure protocols through an SSH tunnel. Includes scp, providing easy access to copy files securely. Can be used as a poor man's VPN for open wireless access points (airports, coffee shops): tunnel back through your home computer and the traffic is then secured in transit. Access internal network services through SSH tunnels using only one point of access. From Windows you will probably want to have PuTTY as a client and WinSCP for copying files. Under Linux just use the command line ssh and scp.

7. Wireshark - view traffic in as much detail as you want. Use Wireshark to follow network streams and find problems. Tcpdump and Tshark are command line alternatives. Wireshark runs on Windows, Linux, FreeBSD or OSX based systems.

8. Kali Linux was built from the foundation of BackTrack Linux. Kali is a security testing Linux distribution based on Debian. It comes prepackaged with hundreds of powerful security testing tools. From Airodump-ng with wireless injection drivers to Metasploit this bundle saves security testers a great deal of time configuring tools.

9. Nikto - a web server testing tool that has been kicking around for over 10 years. Nikto is great for firing at a web server to find known vulnerable scripts, configuration mistakes and related security problems. It won't find your XSS and SQL web application bugs, but it does find many things that other tools miss. To get started try the Nikto Tutorial or the online hosted version.

10. TrueCrypt - as of 2014, the TrueCrypt product is no longer being maintained. Two new security tools, CipherShed and VeraCrypt, were forked from it and have been through extensive security audits.

Updated 2017 to include another 5 high quality open source security tools. These additional projects are all very much focused on the defender's side, with in-depth traffic analysis, intrusion detection and incident response all covered. It is interesting to see that sponsors of these projects include Facebook, Cisco and Google.

11. Moloch is packet capture analysis, ninja style. Powered by an Elasticsearch backend, it makes searching through pcaps fast. It has great support for protocol decoding and display of captured data. With a security focus, this is an essential tool for anyone interested in traffic analysis.

12. Bro IDS touts itself as more than an Intrusion Detection System, and it is hard to argue with this statement. The IDS component is powerful, but rather than focusing on signatures as seen in traditional IDS systems, this tool decodes protocols and looks for anomalies within the traffic.

13. Snort is a real-time traffic analysis and packet logging tool. It can be thought of as a traditional IDS, with detection performed by matching signatures. The project is now managed by Cisco, which uses the technology in its range of Sourcefire appliances. An alternative project is the Suricata system, which is a fork of the original Snort source.

14. OSQuery monitors a host for changes and is built to be performant from the ground up. This project is cross platform and was started by the Facebook Security Team. It is a powerful agent that can be run on all your systems (Windows, Linux or OSX) providing detailed visibility into anomalies and security related events.

15. GRR - Google Rapid Response, a tool developed by Google for security incident response. This Python agent / server combination allows incident response to be performed against a target system remotely.
