HackerTarget.com https://hackertarget.com Security Vulnerability Scanners and Assessments Wed, 23 May 2018 04:13:49 +0000

Wireshark Tutorial and Cheat Sheet https://hackertarget.com/wireshark-tutorial-and-cheat-sheet/ Sat, 19 May 2018 23:54:42 +0000


Master network analysis with our Wireshark Tutorial and Cheat Sheet. Find immediate value with this powerful open source tool. Once you have everything up and running, read through the tips and tricks to understand ways to troubleshoot problems, find security issues and impress your colleagues.

Even a basic understanding of Wireshark usage and filters can be a time saver when you are troubleshooting network or application layer issues on the wire (or WiFi).

Examples to Understand the Power of Wireshark

Wireshark can be useful for many different tasks, whether you are a network engineer, security professional or system administrator. Here are a few example use cases:

Troubleshooting Network Connectivity

  • Visually understand packet loss
  • Review TCP retransmission
  • Graph high latency packet responses

Examination of Application Layer Sessions (even when encrypted by SSL/TLS; see below)

  • View full HTTP session, seeing all headers and data for both requests and responses
  • View Telnet sessions, see passwords, commands entered and responses
  • View SMTP or POP3 traffic, reading emails off the wire

Troubleshoot DHCP issues with packet level data

  • Examine DHCP client broadcast
  • DHCP offer with address and options
  • Client requests for offered address
  • Ack of server acknowledging the request

Extract files from HTTP sessions

  • Export objects from HTTP such as JavaScript, images, or even executables.

Extract file from SMB sessions

  • Similar to the HTTP export option but able to extract files transferred over SMB, the ever-present Microsoft File Sharing protocol.

Detection and Examination of Malware

  • Detect anomalous behaviour that could indicate malware
  • Search for unusual domains or IP address endpoints
  • Use IO graphs to discover regular connections (beacons) to command and control servers
  • Filter out the "normal" and find the unusual
  • Extract large DNS responses and other oddness which may indicate malware

Examination of Port Scans and Other Vulnerability Scan types

  • Understand what network traffic the vulnerability scanner is sending
  • Troubleshoot vulnerability checks to understand false positives and false negatives

These examples only scratch the surface of the possibilities. Continue reading through the tutorial and start getting more from this powerful tool.

Installation of Wireshark

Wireshark will run on a variety of operating systems and is not difficult to get up and running. We will touch on Ubuntu Linux, CentOS and Windows.

Install on Ubuntu or Debian

#apt-get update
#apt-get install wireshark tshark

Install on Fedora or CentOS

#yum install wireshark-gnome

Install on Windows

Head over to the Wireshark Download page, grab the installation executable and run it to install. Pretty straightforward; you will also be installing a packet capture driver, which allows the network card to enter promiscuous mode.

Getting Started with Filters

After running an initial capture you will see the standard layout and the packet details that can be viewed through the interface.

Once you have captured a HTTP session, stop the capture and try playing with some basic filters and the Analyze | Follow | HTTP Stream options.

The filters are easy to read and self explanatory. You simply enter these expressions into the filter bar (or on the command line if using tshark). A primary benefit of the filters is to remove the noise (traffic you don't want to see). As can be seen here you can filter on MAC address, IP address, subnet or protocol. The easiest filter is to simply type http into the filter bar; only HTTP (tcp port 80) traffic will now be shown.

IP Address Filter Examples

ip.addr == 192.168.0.5
!(ip.addr == 192.168.0.0/24)

Protocol Filter Examples

tcp
udp
tcp.port == 80 || udp.port == 80
http
not arp and not (udp.port == 53)

Try generating a filter combination that shows all non-HTTP and non-HTTPS traffic leaving your local system that is not destined for the local network. This is a good way to find software (malware even) that is communicating with the Internet using unusual protocols.
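As an added example (not code from the HackerTarget post), the script below applies the filter just described to constructed flow records, then runs the regular-interval check that the malware use cases above describe for IO graphs: a timer-driven beacon produces near-constant gaps between connections. The host address 192.168.0.5 and subnet 192.168.0.0/24 are the ones from the filter examples; the flow records, the 203.0.113.0/24 and 198.51.100.0/24 destinations and the 0.1 coefficient-of-variation threshold are constructed for illustration.

```python
"""Apply the 'leaving my host, not local, not HTTP/HTTPS' filter to flow
records and look for beacon-like (regular) connection intervals.

Added example, not code from the HackerTarget post. The Wireshark display
filter it mirrors is:

    ip.src == 192.168.0.5 && !(ip.dst == 192.168.0.0/24)
        && !(tcp.port == 80 || tcp.port == 443)
"""
import ipaddress
import statistics
from collections import defaultdict

LOCAL_HOST = ipaddress.ip_address("192.168.0.5")    # host from the post's filter examples
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")  # subnet from the post's filter examples
WEB_PORTS = {80, 443}

# Constructed flow records: (seconds since capture start, src, dst, proto, dst port).
SAMPLE_FLOWS = [
    (0,   "192.168.0.5", "203.0.113.10", "tcp", 8443),  # beacon every 60 s
    (2,   "192.168.0.5", "198.51.100.7", "tcp", 80),    # ordinary HTTP, filtered out
    (5,   "192.168.0.5", "203.0.113.20", "tcp", 22),    # irregular SSH, kept but not a beacon
    (9,   "192.168.0.5", "192.168.0.1",  "udp", 53),    # local DNS, filtered out
    (33,  "192.168.0.5", "203.0.113.20", "tcp", 22),
    (60,  "192.168.0.5", "203.0.113.10", "tcp", 8443),
    (61,  "192.168.0.7", "203.0.113.10", "tcp", 8443),  # different source host, filtered out
    (120, "192.168.0.5", "203.0.113.10", "tcp", 8443),
    (140, "192.168.0.5", "203.0.113.20", "tcp", 22),
    (150, "192.168.0.5", "203.0.113.20", "tcp", 22),
    (180, "192.168.0.5", "203.0.113.10", "tcp", 8443),
    (240, "192.168.0.5", "203.0.113.10", "tcp", 8443),
]


def matches_filter(flow):
    """Python equivalent of the display filter quoted above."""
    _, src, dst, proto, dport = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip != LOCAL_HOST or dst_ip in LOCAL_NET:
        return False
    if proto == "tcp" and dport in WEB_PORTS:
        return False
    return True


def apply_filter(flows):
    return [f for f in flows if matches_filter(f)]


def find_beacons(flows, min_connections=4, max_cv=0.1):
    """Return {destination: mean interval} for destinations contacted at
    near-constant intervals among the filtered flows.

    The coefficient of variation (stdev / mean) of the gaps between
    connections is close to zero for a timer-driven beacon, while
    human-driven traffic is irregular. Thresholds are illustrative.
    """
    by_dst = defaultdict(list)
    for ts, _, dst, _, _ in apply_filter(flows):
        by_dst[dst].append(ts)
    beacons = {}
    for dst, times in by_dst.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons[dst] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    print("flows left after filter:", len(apply_filter(SAMPLE_FLOWS)))
    for dst, period in find_beacons(SAMPLE_FLOWS).items():
        print(f"beacon candidate: {dst} contacted every ~{period}s")
```

On the constructed data the HTTP, local DNS and other-host flows drop out, the SSH connections survive the filter but have irregular gaps, and only 203.0.113.10 (contacted every 60 seconds on port 8443) is reported. On a real capture the same idea is what an IO graph shows visually; with tshark the filtered timestamps could be fed in from the command line.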

Follow the White Rabbit Stream

Once you have a number of packets showing HTTP you can select one and then Analyze | Follow | HTTP Stream from the drop down menu. This will show you an assembled HTTP session. In this new window you can see the HTTP request from the browser and HTTP response from the web server. Goal! You are now winning at Wireshark. Continue reading our Wireshark Tutorial for more advanced tips.

Wireshark Follow Stream Example Screenshot

Resolve DNS in Wireshark

By default Wireshark won't resolve the network addresses it displays in the console; it only shows IP addresses. By changing an option in the preferences you can enable the resolution of IP addresses to network names. This will, just as it does when using tcpdump, slow down the display of packets as the resolution has to take place. It is also important to understand that if you are doing a live capture, the DNS requests from your Wireshark host will be additional traffic that you then might be capturing.

Edit | Preferences | Name Resolution | Enable Network Name Resolution

Tshark for the Command Line

If you haven't had a play with tshark, take a look at our tshark tutorial and filter examples. This program is often overlooked but is a great way to capture application layer sessions on a remote system. The advantage over tcpdump is the fact that you can capture and view application layer sessions on the fly, as the protocol decoders included in Wireshark are also available to tshark.

Build Firewall Rules

A quick way to generate command line firewall rules; this can save a few minutes Googling for different firewall syntax. Select a packet, and then head up to Tools | Firewall ACL Rules. Rules can be generated for different firewall products such as Cisco IOS (standard and extended), ipfilter, ipfw, iptables, pf and even Windows Firewall using netsh.

Wireshark Firewall Rules generator screenshot

Wireshark GeoIP Mapping

As long as Wireshark has been compiled with GeoIP support and you have the Free Maxmind databases available you are able to resolve IP addresses to locations. Take a look at About | Wireshark to see what has been compiled with the version you are using. If you see GeoIP listed, make sure you have the GeoLite City, Country and ASNum databases in a directory on your system running Wireshark. Point to the location of the databases in Edit | Preferences | Name Resolution.

Test it by loading a capture and selecting Statistics | Endpoints | IPv4. The columns on the right should show the location and ASN information for the IP address.

Wireshark GeoIP example

Another function of the GeoIP feature is to filter traffic based on location using the ip.geoip display filter.

For example, to exclude traffic from an ASN you could use this filter. ASN 63949 is the Linode block, so the filter now displays only IP traffic not coming from this netblock.

ip and not ip.geoip.asnum == 63949

Of course you can apply the same filter to city and country based queries, removing noise from your capture display and allowing you to focus in on the packets you care about.

Decrypt SSL/TLS sessions

One way of decrypting SSL/TLS sessions is using the Private Key from the server that is being connected to by the client. Using this key, you are able to decrypt the session and view the protocol under the SSL/TLS layer (for example a browser session you could see the plain text HTTP).

Now you are not always going to have access to the server's private key. In this case there is another option for easily viewing the browser SSL/TLS traffic from your local system. If Firefox or Chrome are loaded using a special environment variable, then the individual SSL/TLS session symmetric keys will be logged to a file that Wireshark can read. With the keys Wireshark can show you the session fully decrypted for the win!

1. Configure the Environment Variable

Linux / Mac

export SSLKEYLOGFILE=~/sslkeylogfile.log

Windows

Under advanced system settings, select Environment Variables and add the variable name (SSLKEYLOGFILE) with the variable value as the path to where you want the file saved.

2. Configure Wireshark

From the drop down menu select Edit | Preferences | Protocols | SSL | (Pre)-Master-Secret Log Filename -- Browse to the log file you placed in your environment variable.

Start a capture on your local system.

3. Restart Firefox or Chrome

After browsing to a HTTPS site, the log file should start to increase in size as it logs the symmetric session keys.

Take a look at the Wireshark session that was previously started. You should see something resembling the image below showing the decrypted sessions. You can see the decrypted packets in the tab in the bottom pane.

Wireshark Follow SSL Stream Screenshot

Another way to view the session is to use the analysis drop down and follow the stream. If the session has successfully been decrypted you will see the option for SSL under Stream.

Analysis | Follow | Stream | SSL

It goes without saying, but use caution when logging these keys and pcaps. Someone with access to the key log file and your pcap might very well find your passwords and authentication cookies within the pcap.
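A quick way to see exactly what such a key log exposes is to parse it. The script below is an added example (not code from the post, Wireshark or the browsers): it reads the NSS key log format that Firefox and Chrome write when SSLKEYLOGFILE is set, one record per line as `<label> <client_random hex> <secret hex>` with `#` comment lines, and reports how many sessions are recoverable and whether each is TLS 1.2 (a 48-byte master secret) or TLS 1.3 (per-session traffic secrets). The sample file contents are constructed from repeated hex bytes and are not real keys.

```python
"""Parse an SSLKEYLOGFILE (NSS key log format) and summarise what it exposes.

Added example, not code from the HackerTarget post. Format assumptions:
one record per line, "<label> <client_random hex> <secret hex>", comment
lines start with '#'. The sample below is constructed (repeated bytes),
not real session secrets.
"""
import re

# TLS 1.2 logs one 48-byte master secret per session. TLS 1.3 instead logs
# several per-session traffic secrets, all keyed by the same client random.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# client random is always 32 bytes (64 hex chars); secret length varies by version/suite
LINE_RE = re.compile(r"^(\S+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

CR_TLS12 = "a1" * 32   # constructed client random for a TLS 1.2 session
CR_TLS13 = "c3" * 32   # constructed client random for a TLS 1.3 session
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {CR_TLS12} {'b2' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {'d4' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {'e5' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_TLS13} {'f6' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_TLS13} {'a7' * 32}",
    "CLIENT_RANDOM deadbeef tooshort",   # malformed line: client random too short
])


def parse_keylog(text):
    """Return ({client_random: {label: secret_hex}}, [line numbers that failed to parse])."""
    sessions, bad = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            bad.append(lineno)
            continue
        label, client_random, secret = m.groups()
        if label == TLS12_LABEL and len(secret) != 96:   # 48-byte master secret
            bad.append(lineno)
            continue
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            bad.append(lineno)
            continue
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions, bad


def session_versions(sessions):
    """Classify each logged session as TLS 1.2 (master secret) or TLS 1.3 (traffic secrets)."""
    return {
        cr: "TLS 1.2" if TLS12_LABEL in labels else "TLS 1.3"
        for cr, labels in sessions.items()
    }


if __name__ == "__main__":
    sessions, bad = parse_keylog(SAMPLE_KEYLOG)
    for cr, version in session_versions(sessions).items():
        print(f"session {cr[:8]}... {version}, {len(sessions[cr])} secret(s) logged")
    print("unparseable lines:", bad)
```

Every session listed by the parser is one that anyone holding both the key log and the pcap can decrypt, so the practical check is to confirm the file only covers the browsing session you meant to capture, and to remove it (and unset SSLKEYLOGFILE) once the analysis is done.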

Another option for getting at the underlying HTTP traffic is using Burp Suite with its CA loaded in your browser. In this case the proxy decrypts the connection on the client side and then establishes a new SSL/TLS session to the server. There are many ways to man in the middle (mitm) yourself, these are two of the most straightforward.

Extract files from PCAP using Export (HTTP or SMB)

It is quite easy to extract files from a Wireshark capture using the export option.

File | Export Objects | HTTP

The new Window will show any files that were found. In this new Window you can save the individual files or save them all to a folder. A similar method can be used to extract files from SMB sessions. This is the Microsoft Server Message Block protocol that allows Windows File Sharing.

Screenshot showing the Wireshark export file object Window

Right Hand Status Bar

Quickly jump to packets based on the color of the main display. For example to find Red - Errors you can see the red line noted in the right hand side status bar and jump to that location with a click.

Wireshark Right Status Bar Screen shot

Sample PCAPs are readily available

If you are getting started with Wireshark and you are looking for interesting packet captures to explore, the Wireshark Samples page is a great place to start. There are enough sample protocols to keep you busy for months and a number of worm / exploit samples for those digging into Network Security Monitoring.

Setting up your Environment

A handy tip is to remember that the default console is highly configurable. You can add or remove columns, even adding something as simple as a UTC time column, which might be immediately useful if you are looking at historical pcaps.

The columns can be configured by going to Edit | Preferences | Appearance | Columns. In this area you can also change the layout, font and colors if you desire.

This video has good configuration tips for the environment, including troubleshooting tips and configurations for identifying issues through TCP sequence numbers.

Wrapping Up

This post was originally published in 2011; it has undergone a major and much needed refresh. If you have any comments, improvements or tips to add to the Cheat Sheet, drop me a line on the Contact Page. Wireshark is one of those indispensable tools that many use but few actually master. The rabbit hole goes deep on this one.


The post Wireshark Tutorial and Cheat Sheet appeared first on HackerTarget.com.

Maltego Transforms https://hackertarget.com/maltego-transforms/ Fri, 30 Mar 2018 01:49:32 +0000

Creating Local Maltego Transforms for our DNS reconnaissance tools has been on my to-do list for a while now. I am happy to say they are now available and it is a sweet way to perform infrastructure mapping from a domain.

What is Maltego?

Maltego is a cross platform application for performing link analysis. Discover relationships between entities and build a visual representation of different data with a graph based layout. A transform is a process that pulls new data related to the entity, automatically extending the graph.

Maltego is commonly used for reconnaissance in penetration testing engagements and open source intelligence analysis. It is possible to understand the relationship between infrastructure, services and even users when mapping an organisation's attack surface.

Using a Local Maltego Transform

There are two types of Transforms within Maltego: one runs on servers remotely, the other can run locally on the system running Maltego. In the case of the Hacker Target Transforms, while they run locally the data is pulled remotely from the Hacker Target API.

Installing the Hacker Target Maltego Transforms

To run the transform you will need to have python installed along with the requests module for retrieving the data over a HTTP request. I have not tested on Windows, only on Linux but it should work on all platforms.

The installation is straightforward. Clone (or download) the git repository, place the files in a local directory, and add the Transforms to your Maltego installation, either manually or by using the mtz file (Maltego Configuration File).

Head over to our GitHub page to grab the necessary files and see the detailed installation instructions.

API Quota

With no API key set, you are limited by the number of requests you can perform each day. With a HackerTarget.com Membership this number can be increased. If you have a membership remember to add your API key to the three transform files.

What data is available

Currently there are three transforms available, all based on host name enumeration, for the express purpose of discovering the attack surface of a target organisation.

  • GetHostNames.py - search against a domain and pull known subdomains
  • GetReverseIP.py - search against an IP address and retrieve other host records pointing to that IP
  • GetSharedDNS.py - search against an NS and get host records that are pointing to this NS server

Obviously this can be a circular process: as new hosts are discovered, resolve these to IP addresses and perform the reverse IP search. As new domains are discovered, search against these with the host name search.
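The circular host -> IP -> host search above only terminates if something remembers what has already been looked up. The script below is an added example (not the Hacker Target transforms or Maltego's code): it runs that expansion as a breadth-first walk with a visited set and a lookup budget, and emits the result in the XML shape a local Maltego transform prints (MaltegoMessage / MaltegoTransformResponseMessage / Entities, with the built-in maltego.Domain, maltego.DNSName and maltego.IPv4Address entity types). The three lookup functions stand in for the GetHostNames, GetReverseIP and GetSharedDNS data sources and are backed by constructed tables (example.com / example.net and 203.0.113.0/24 are reserved documentation ranges) so it runs offline; wiring them to the API is an exercise for the reader.

```python
"""Breadth-first expansion of domain -> hostnames -> IPs -> hostnames,
with a visited set so the circular search terminates.

Added example, not code from the HackerTarget transforms or Maltego. The
lookup tables below are constructed stand-ins for API responses.
"""
from collections import deque
import xml.etree.ElementTree as ET

# Constructed data (documentation names and addresses), standing in for API results.
HOSTS_BY_DOMAIN = {
    "example.com": ["www.example.com", "mail.example.com"],
    "example.net": ["www.example.net"],
}
IP_BY_HOST = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
    "www.example.net": "203.0.113.10",   # shares an IP with www.example.com
    "old.example.net": "203.0.113.20",   # only discoverable via reverse IP
}
HOSTS_BY_IP = {}
for _host, _ip in IP_BY_HOST.items():
    HOSTS_BY_IP.setdefault(_ip, []).append(_host)


# Stand-ins for the three transforms' data sources (constructed, offline).
def lookup_hostnames(domain):
    return HOSTS_BY_DOMAIN.get(domain, [])


def lookup_ip(host):
    return [IP_BY_HOST[host]] if host in IP_BY_HOST else []


def lookup_reverse_ip(ip):
    return HOSTS_BY_IP.get(ip, [])


def domain_of(host):
    """Registrable domain, assuming a two-label suffix (enough for the sample data)."""
    return ".".join(host.split(".")[-2:])


def map_infrastructure(seed_domain, max_lookups=50):
    """Expand from a domain until nothing new appears or the lookup budget is spent.

    Returns (hosts, ips, domains, lookups_performed). The 'seen' set is what
    stops host -> IP -> host from looping forever; max_lookups bounds API use.
    """
    hosts, ips, domains = set(), set(), {seed_domain}
    queue = deque([("domain", seed_domain)])
    seen = {("domain", seed_domain)}
    lookups = 0

    def schedule(item):
        if item not in seen:
            seen.add(item)
            queue.append(item)

    while queue and lookups < max_lookups:
        kind, value = queue.popleft()
        lookups += 1
        if kind == "domain":
            found = [("host", h) for h in lookup_hostnames(value)]
        elif kind == "host":
            hosts.add(value)
            found = [("ip", ip) for ip in lookup_ip(value)]
        else:
            ips.add(value)
            found = [("host", h) for h in lookup_reverse_ip(value)]
        for item in found:
            if item[0] == "host":            # a new host may reveal a new domain to search
                d = domain_of(item[1])
                domains.add(d)
                schedule(("domain", d))
            schedule(item)
    return hosts, ips, domains, lookups


def to_maltego_xml(entities):
    """Render (maltego_type, value) pairs as a local transform response message."""
    msg = ET.Element("MaltegoMessage")
    resp = ET.SubElement(msg, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for etype, value in sorted(entities):
        ET.SubElement(ET.SubElement(ents, "Entity", Type=etype), "Value").text = value
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    hosts, ips, domains, n = map_infrastructure("example.com")
    print(f"{n} lookups: {len(hosts)} hosts, {len(ips)} IPs, {len(domains)} domains")
    print(to_maltego_xml([("maltego.DNSName", h) for h in hosts]
                         + [("maltego.IPv4Address", ip) for ip in ips]
                         + [("maltego.Domain", d) for d in domains]))
```

Starting from example.com the walk reaches example.net and old.example.net purely through shared IP addresses, which is the point of the reverse IP step; the lookup budget matters in practice because each step costs an API request against the daily quota.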

Sounds great, but what does it look like?

Click for Demo

Have Fun

Maltego is a fun way to explore targets. Whether you are penetration testing, running down bug bounties, researching an organisation's infrastructure or simply curious, you can get a lot of value from even the community version of Maltego (CE) and our free access to the API.

The post Maltego Transforms appeared first on HackerTarget.com.

Cowrie Honeypot on Ubuntu https://hackertarget.com/cowrie-honeypot-ubuntu/ Tue, 20 Mar 2018 00:28:21 +0000

Cowrie is the new fork of the Kippo Honeypot. It has been updated with new features and provides emulation that records the session of an attacker. With this session recording you are able to get a better understanding of the attacker's tools, tactics and procedures (TTPs), a term that is increasingly used in Cyber Defence and Incident Response.

Our setup will be very close to a default installation of Cowrie. The host's SSH daemon will run on a high port (22222), Cowrie will run on 2222 and port 22 (default SSH) will be redirected to 2222 using iptables. So the SSH bot or attacker will connect to port 22 and be redirected to our honeypot on 2222. Confused? Take a look at the diagram.

A warning before we proceed. Honeypots are designed to allow access to a system by an attacker. This could result in compromise of the host if the honeypot has vulnerabilities or is misconfigured. Understand what you are doing and be very careful if running a honeypot anywhere near production kit.

Change Default SSH Port

Before installing Cowrie and our dependencies, let's move SSH to port 22222.

root@cowrie:~# vi /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22222

root@cowrie1:~# systemctl restart ssh
root@cowrie1:~# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-03-19 23:21:05 UTC; 5s ago
 Main PID: 9242 (sshd)
    Tasks: 1
   Memory: 1.3M
      CPU: 5ms
   CGroup: /system.slice/ssh.service
           └─9242 /usr/sbin/sshd -D

Mar 19 23:21:05 cowrie1 systemd[1]: Stopped OpenBSD Secure Shell server.
Mar 19 23:21:05 cowrie1 systemd[1]: Starting OpenBSD Secure Shell server...
Mar 19 23:21:05 cowrie1 sshd[9242]: Server listening on 0.0.0.0 port 22222.
Mar 19 23:21:05 cowrie1 sshd[9242]: Server listening on :: port 22222.
Mar 19 23:21:05 cowrie1 systemd[1]: Started OpenBSD Secure Shell server.

root@cowrie1:~# netstat -nap | grep 2222
tcp        0      0 0.0.0.0:22222            0.0.0.0:*               LISTEN      9242/sshd
tcp6       0      0 :::22222                 :::*                    LISTEN      9242/sshd

We can see SSH is now listening on port 22222 from both the systemctl status as well as the netstat output.

Installation of Cowrie Honeypot on Ubuntu

Firstly we will run apt update as we are on a brand new Digital Ocean VPS. Then we will install dependencies and create a Cowrie user. Running a honeypot as root would be a bad idea.

root@cowrie:~# apt update
root@cowrie:~# apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind
root@cowrie:~# adduser --disabled-password cowrie
Adding user `cowrie' ...
Adding new group `cowrie' (1000) ...
Adding new user `cowrie' (1000) with group `cowrie' ...
Creating home directory `/home/cowrie' ...
Copying files from `/etc/skel' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
root@cowrie1:~# su - cowrie
cowrie@cowrie1:~$

Ok, now let's grab the code for Cowrie using git.

cowrie@cowrie1:~$ git clone http://github.com/micheloosterhof/cowrie
Cloning into 'cowrie'...
remote: Counting objects: 9340, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 9340 (delta 3), reused 2 (delta 0), pack-reused 9330
Receiving objects: 100% (9340/9340), 7.43 MiB | 2.32 MiB/s, done.
Resolving deltas: 100% (6415/6415), done.
Checking connectivity... done.
cowrie@cowrie1:~$

Now we will create a virtual environment for Python and Cowrie to run from:

cowrie@cowrie1:~$ cd cowrie
cowrie@cowrie:~/cowrie$ virtualenv cowrie-env
Running virtualenv with interpreter /usr/bin/python2
New python executable in /home/cowrie/cowrie/cowrie-env/bin/python2
Also creating executable in /home/cowrie/cowrie/cowrie-env/bin/python
Installing setuptools, pkg_resources, pip, wheel...done.
cowrie@cowrie1:~$

Next step is to activate the Python virtual environment and install the python packages that Cowrie needs to run.

cowrie@cowrie1:~/cowrie$ source cowrie-env/bin/activate                                                                             
(cowrie-env) cowrie@cowrie1:~/cowrie$ pip install --upgrade pip                                                                     
Requirement already up-to-date: pip in ./cowrie-env/lib/python2.7/site-packages                                                     
(cowrie-env) cowrie@cowrie1:~/cowrie$ pip install --upgrade -r requirements.txt                                                     
Collecting twisted>=17.1.0 (from -r requirements.txt (line 1))                                                                      
  Downloading Twisted-17.9.0.tar.bz2 (3.0MB)                                                                                        
    100% |████████████████████████████████| 3.0MB 403kB/s
Collecting cryptography>=0.9.1 (from -r requirements.txt (line 2))                                                                  
  Downloading cryptography-2.2-cp27-cp27mu-manylinux1_x86_64.whl (2.2MB)                                                            
    100% |████████████████████████████████| 2.2MB 544kB/s
Collecting configparser (from -r requirements.txt (line 3))                                                                         
  Downloading configparser-3.5.0.tar.gz                                                                                             
Collecting pyopenssl (from -r requirements.txt (line 4))                                                                            
  Downloading pyOpenSSL-17.5.0-py2.py3-none-any.whl (53kB)                                                                          
    100% |████████████████████████████████| 61kB 9.8MB/s
Collecting pyparsing (from -r requirements.txt (line 5))                                                                            
  Downloading pyparsing-2.2.0-py2.py3-none-any.whl (56kB)                                                                           
    100% |████████████████████████████████| 61kB 9.7MB/s
Collecting packaging (from -r requirements.txt (line 6))                                                                            
  Downloading packaging-17.1-py2.py3-none-any.whl                                                                                   
Collecting appdirs>=1.4.0 (from -r requirements.txt (line 7))                                                                       
  Downloading appdirs-1.4.3-py2.py3-none-any.whl                                                                                    
Collecting pyasn1_modules (from -r requirements.txt (line 8))                                                                       
  Downloading pyasn1_modules-0.2.1-py2.py3-none-any.whl (60kB)                                                                      
    100% |████████████████████████████████| 61kB 9.7MB/s
Collecting attrs (from -r requirements.txt (line 9))
  Downloading attrs-17.4.0-py2.py3-none-any.whl
Collecting service_identity (from -r requirements.txt (line 10))
  Downloading service_identity-17.0.0-py2.py3-none-any.whl
Collecting python-dateutil (from -r requirements.txt (line 11))
  Downloading python_dateutil-2.7.0-py2.py3-none-any.whl (207kB)
    100% |████████████████████████████████| 215kB 5.4MB/s
Collecting tftpy (from -r requirements.txt (line 12))
  Downloading tftpy-0.6.2.tar.gz
Collecting zope.interface>=3.6.0 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading zope.interface-4.4.3-cp27-cp27mu-manylinux1_x86_64.whl (170kB)
    100% |████████████████████████████████| 174kB 4.1MB/s
Collecting constantly>=15.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading constantly-15.1.0-py2.py3-none-any.whl
Collecting incremental>=16.10.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading incremental-17.5.0-py2.py3-none-any.whl
Collecting Automat>=0.3.0 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading Automat-0.6.0-py2.py3-none-any.whl
Collecting hyperlink>=17.1.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading hyperlink-18.0.0-py2.py3-none-any.whl
Collecting cffi>=1.7; platform_python_implementation != "PyPy" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading cffi-1.11.5-cp27-cp27mu-manylinux1_x86_64.whl (407kB)
    100% |████████████████████████████████| 409kB 3.0MB/s
Collecting enum34; python_version < "3" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading enum34-1.1.6-py2-none-any.whl
Collecting asn1crypto>=0.21.0 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading asn1crypto-0.24.0-py2.py3-none-any.whl (101kB)
    100% |████████████████████████████████| 102kB 9.7MB/s
Collecting idna>=2.1 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading idna-2.6-py2.py3-none-any.whl (56kB)
    100% |████████████████████████████████| 61kB 9.5MB/s
Collecting six>=1.4.1 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading six-1.11.0-py2.py3-none-any.whl
Collecting ipaddress; python_version < "3" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading ipaddress-1.0.19.tar.gz
Collecting pyasn1<0.5.0,>=0.4.1 (from pyasn1_modules->-r requirements.txt (line 8))
  Downloading pyasn1-0.4.2-py2.py3-none-any.whl (71kB)
    100% |████████████████████████████████| 71kB 9.4MB/s
Requirement already up-to-date: setuptools in ./cowrie-env/lib/python2.7/site-packages (from zope.interface>=3.6.0->twisted>=17.1.0->-r requirements.txt (line 1))
Collecting pycparser (from cffi>=1.7; platform_python_implementation != "PyPy"->cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading pycparser-2.18.tar.gz (245kB)
    100% |████████████████████████████████| 256kB 4.5MB/s
Building wheels for collected packages: twisted, configparser, tftpy, ipaddress, pycparser
  Running setup.py bdist_wheel for twisted ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/91/c7/95/0bb4d45bc4ed91375013e9b5f211ac3ebf4138d8858f84abbc
  Running setup.py bdist_wheel for configparser ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/1c/bd/b4/277af3f6c40645661b4cd1c21df26aca0f2e1e9714a1d4cda8
  Running setup.py bdist_wheel for tftpy ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/b6/6b/9a/4536837177d943f2aede676c74488f1dd6f2c3c7ef80f8c094
  Running setup.py bdist_wheel for ipaddress ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/d7/6b/69/666188e8101897abb2e115d408d139a372bdf6bfa7abb5aef5
  Running setup.py bdist_wheel for pycparser ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/95/14/9a/5e7b9024459d2a6600aaa64e0ba485325aff7a9ac7489db1b6
Successfully built twisted configparser tftpy ipaddress pycparser
Installing collected packages: zope.interface, constantly, incremental, attrs, six, Automat, idna, hyperlink, twisted, pycparser, cffi, enum34, asn1crypto, ipaddress, cryptography, configparser, pyopenssl, pyparsing, packaging, appdirs, pyasn1, pyasn1-modules, service-identity, python-dateutil, tftpy
Successfully installed Automat-0.6.0 appdirs-1.4.3 asn1crypto-0.24.0 attrs-17.4.0 cffi-1.11.5 configparser-3.5.0 constantly-15.1.0 cryptography-2.2 enum34-1.1.6 hyperlink-18.0.0 idna-2.6 incremental-17.5.0 ipaddress-1.0.19 packaging-17.1 pyasn1-0.4.2 pyasn1-modules-0.2.1 pycparser-2.18 pyopenssl-17.5.0 pyparsing-2.2.0 python-dateutil-2.7.0 service-identity-17.0.0 six-1.11.0 tftpy-0.6.2 twisted-17.9.0 zope.interface-4.4.3

Ok, that's the initial setup out of the way. Now we need to configure the Cowrie daemon and get started.

cp cowrie.cfg.dist cowrie.cfg

This creates a config file that we can edit and it won't be overwritten by updates.

Editing the configuration file, we will make a few changes from the defaults. Firstly I will change the hostname seen after a successful login by an attacker; keep it generic and non-obvious. Use vim or your favorite text editor to make these changes.

# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment
#
# (default: svr04)
hostname = testserver5

The second change I will make is to enable Telnet. SSH is enabled by default. The setting lives in the [telnet] section of the configuration file.

[telnet]
# Enable Telnet support, disabled by default
enabled = true

As you can see in the configuration there are many options and things to play with, from logging and alerting to fake addresses and file downloads.

Finally we are ready to start the daemon.

cowrie@cowrie:~/cowrie$ bin/cowrie start                                             
Using default Python virtual environment "/home/cowrie/cowrie/cowrie-env"             
Starting cowrie: [twistd   --umask 0022 --pidfile var/run/cowrie.pid --logger cowrie.python.logfile.logger cowrie ]...

cowrie@cowrie:~/cowrie$ netstat -an                  
Active Internet connections (servers and established)                                 
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2223            0.0.0.0:*               LISTEN

From the netstat we can see the SSH and Telnet daemons of our honeypot listening on 2222 and 2223 respectively.

The last step is to redirect traffic destined for ports 22 and 23 to the high ports 2222 and 2223 using iptables.

root@cowrie:~# iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222                                          
root@cowrie:~# iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223   

Now it is just a waiting game. However, due to the amount of SSH scanning that takes place on the Internet you will not have to wait long.

cowrie@cowrie:~/cowrie$ tail -f log/cowrie.log

Within 5 minutes I could see SSH connections logging in and running commands within my Honeypot.
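Once sessions are being recorded, the interesting part is turning the log into the TTP view mentioned at the start: which sources connected, which credentials they tried, and what they ran after a successful login. The script below is an added example, not part of the Cowrie project or this post. It assumes Cowrie's JSON event log (the cowrie.json output that can be enabled in cowrie.cfg, alongside the text cowrie.log tailed above) with the eventid values shown in the code; the log lines are constructed with documentation-range source addresses, not a real capture.

```python
"""Summarise attacker sessions from Cowrie's JSON event log.

Added example, not part of the Cowrie project or the HackerTarget post.
Assumes Cowrie's JSON output with these eventid values:
  cowrie.session.connect, cowrie.login.failed, cowrie.login.success,
  cowrie.command.input, cowrie.session.closed
The sample log below is constructed, not a real capture.
"""
import json
from collections import Counter, defaultdict

SAMPLE_EVENTS = [
    {"eventid": "cowrie.session.connect", "session": "s1", "src_ip": "203.0.113.5",
     "timestamp": "2018-03-19T23:45:01Z"},
    {"eventid": "cowrie.login.failed", "session": "s1", "src_ip": "203.0.113.5",
     "username": "root", "password": "123456"},
    {"eventid": "cowrie.login.success", "session": "s1", "src_ip": "203.0.113.5",
     "username": "root", "password": "password"},
    {"eventid": "cowrie.command.input", "session": "s1", "src_ip": "203.0.113.5",
     "input": "uname -a"},
    {"eventid": "cowrie.command.input", "session": "s1", "src_ip": "203.0.113.5",
     "input": "cat /proc/cpuinfo"},
    {"eventid": "cowrie.session.closed", "session": "s1", "src_ip": "203.0.113.5",
     "duration": 12.4},
    {"eventid": "cowrie.session.connect", "session": "s2", "src_ip": "198.51.100.9",
     "timestamp": "2018-03-19T23:47:30Z"},
    {"eventid": "cowrie.login.failed", "session": "s2", "src_ip": "198.51.100.9",
     "username": "admin", "password": "admin"},
    {"eventid": "cowrie.login.failed", "session": "s2", "src_ip": "198.51.100.9",
     "username": "root", "password": "123456"},
    {"eventid": "cowrie.session.closed", "session": "s2", "src_ip": "198.51.100.9",
     "duration": 1.1},
]
# One line per event, plus a deliberately corrupt line to show it is skipped, not fatal.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nthis line is not JSON\n"


def parse_events(text):
    """Return (list of event dicts, count of lines that were not valid JSON)."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            bad += 1
    return events, bad


def summarise(events):
    """Aggregate sources, credential attempts, successful logins and per-session commands."""
    sources = Counter()             # src_ip -> number of connections
    credentials = Counter()         # (username, password) -> attempts, failed or not
    successes = {}                  # session -> (src_ip, username)
    commands = defaultdict(list)    # session -> commands in the order entered
    for ev in events:
        eid = ev.get("eventid", "")
        if eid == "cowrie.session.connect":
            sources[ev["src_ip"]] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            credentials[(ev["username"], ev["password"])] += 1
            if eid == "cowrie.login.success":
                successes[ev["session"]] = (ev["src_ip"], ev["username"])
        elif eid == "cowrie.command.input":
            commands[ev["session"]].append(ev["input"])
    return {"sources": sources, "credentials": credentials,
            "successes": successes, "commands": dict(commands)}


if __name__ == "__main__":
    events, bad = parse_events(SAMPLE_LOG)
    report = summarise(events)
    print(f"{len(events)} events parsed, {bad} bad line(s)")
    print("top credentials:", report["credentials"].most_common(3))
    for session, (src, user) in report["successes"].items():
        print(f"{src} logged in as {user} in {session} and ran: {report['commands'][session]}")
```

The credential counter is the cheapest useful output: the pairs that appear across many sessions are the ones to make sure are not valid anywhere on your real systems. The per-session command list is the raw material for the TTP write-up, and the same structure extends naturally to cowrie.session.file_download events if you also want to track what was fetched.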

The post Cowrie Honeypot on Ubuntu appeared first on HackerTarget.com.

OSSEC Introduction and Installation Guide https://hackertarget.com/ossec-introduction-and-installation-guide/ Sat, 17 Mar 2018 08:20:53 +0000

OSSEC is a host-based intrusion detection and prevention system (HIDS).

Best practice security management calls for a layered approach to security; security vulnerability scanning, a firewall, strong passwords, patch management and intrusion detection capabilities are all important layers. Using a HIDS allows you to have real time visibility into what security events are taking place on a server.

The latest version of OSSEC is easy to use and provides a high level of system surveillance for a small amount of effort.

OSSEC provides a number of functions:

  • Real time log monitoring
  • File integrity checking - detects changes to files and system paths
  • Rootkit detection
  • System change monitoring - listening services (netstat output), disk space and password file changes
  • Real time blocking of detected attacks through firewall rule modification
  • Execute arbitrary commands based on specific events

At the most basic level you can install OSSEC, set an email address and let it do its job alerting you to security related events on your server. Without active response enabled it makes no changes to the system and simply provides security related visibility.

Tuning is easy, and you will likely only need to tune out a few things to reduce the volume of alerts you receive, as the rate of false positives is low.

Full installation instructions are available here https://ossec.github.io/docs/manual/installation/install-source.html

While the following information was written for an older version, the process has not changed for the latest release. Download the tar archive from the OSSEC site and get started.

Updated March 2018 to include the latest version of OSSEC. Our original OSSEC installation guide was released in 2009. It is still a favourite open source security tool, that does what it is supposed do really well.

A quick guide to installing on Ubuntu follows:

wget https://github.com/ossec/ossec-hids/archive/2.9.3.tar.gz

tar zxvf 2.9.3.tar.gz
cd ossec-hids-2.9.3
sudo ./install.sh


1. What kind of installation do you want (server, agent, local or help)?

* If you are doing a basic install to a single server select 'local'.
This creates a single install to monitor only the server you are
installing on. See the documentation on the site for details on
setting up multiple agents on a number of servers that all report back
to a server.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

   - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

 3.1- Do you want e-mail notification? (y/n) [y]:
  - What's your e-mail address?   -- enter your email address here

 - We found your SMTP server as: example.test.com.
  - Do you want to use it? (y/n) [y]: n

  - What's your SMTP server ip/host? enter your preferred SMTP server here

 3.2- Do you want to run the integrity check daemon? (y/n) [y]:
   (this is for file integrity checking, alerts you to changes to
files on your system)

  - Running syscheck (integrity check daemon).

 3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
  (this checks for rootkits on a regular basis)

  - Running rootcheck (rootkit detection).

 3.4- Active response allows you to execute a specific
      command based on the events received. For example,
      you can block an IP address or disable access for
      a specific user.
      More information at:
      http://www.ossec.net/en/manual.html#active-response

  - Do you want to enable active response? (y/n) [y]:
(this can block attacks that meet certain rules)

If you select yes for active response you are adding intrusion prevention capability. This is a good thing, but keep in mind that you should whitelist your own IPs, as you do not want active response to trigger against your own address and block your access. This could happen if you fail multiple SSH logins, or if you run a vulnerability scan against the server from your IP, since OSSEC will detect this as an attack. Your IP would get blocked and you would then be unable to SSH to your server to manage it.

After compiling is complete you will be presented with final instructions:

- System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
               /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
               /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


   Thanks for using the OSSEC HIDS.
   If you have any question, suggestion or if you find any bug,
   contact us at contact@ossec.net or using our public maillist at
   ossec-list@ossec.net
   ( http://www.ossec.net/main/support/ ).

   More information can be found at http://www.ossec.net

   ---  Press ENTER to finish (maybe more information below). ---

That's it, you're done. Just start it up with:

       /var/ossec/bin/ossec-control start

After your initial install you will get a number of alerts (assuming your SMTP is configured correctly): agent starting up, new user logged in and that sort of thing.

So for 15 minutes' work you now have real time security monitoring of your server. If you would like to test active response, try our online vulnerability scans against your host and see how its defences respond.

If you have active response enabled, vulnerability scanners will likely get blocked and the scan will not complete. To run a full scan against your system with active response enabled, add the scanning host to the OSSEC white list (preferred) or disable OSSEC for the duration of the scan (not recommended); either way, make sure you re-enable your protection after the scan completes.
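Before kicking off a scan it is worth checking, rather than assuming, that the scanner's address is actually exempt from active response. The following is an added example, not part of OSSEC or the original post. It parses an ossec.conf, lists the white_list entries under global, and tells you whether a given scanner IP is covered and whether active response is switched on at all (OSSEC disables it with a disabled element set to yes inside active-response). The config fragment is constructed; the accepted entry forms handled here (a single address, a CIDR block, or an address prefix ending in a dot such as 192.168.2.) are an assumption about OSSEC's white list syntax.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment, not a real server's configuration.
# Active-response exemptions live in <global><white_list> entries.
SAMPLE_CONF = """\
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.2.</white_list>
    <white_list>203.0.113.0/24</white_list>
  </global>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""


def white_list_entries(conf_text):
    """All <white_list> values in the config, in file order."""
    root = ET.fromstring(conf_text)
    return [e.text.strip() for e in root.iter("white_list") if e.text]


def entry_covers(entry, ip):
    """True if one white list entry matches the address.  An entry ending in a
    dot is treated as an address prefix (assumed OSSEC shorthand); anything
    else is parsed as a host address or CIDR network."""
    addr = ipaddress.ip_address(ip)
    if entry.endswith("."):
        return str(addr).startswith(entry)
    return addr in ipaddress.ip_network(entry, strict=False)


def is_white_listed(conf_text, ip):
    return any(entry_covers(e, ip) for e in white_list_entries(conf_text))


def active_response_enabled(conf_text):
    """True if at least one <active-response> block is not disabled."""
    root = ET.fromstring(conf_text)
    for ar in root.iter("active-response"):
        disabled = ar.find("disabled")
        if disabled is None or (disabled.text or "").strip().lower() != "yes":
            return True
    return False


if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    scanner = sys.argv[2] if len(sys.argv) > 2 else "203.0.113.200"
    print("white list:", white_list_entries(conf))
    print("active response enabled:", active_response_enabled(conf))
    if active_response_enabled(conf) and not is_white_listed(conf, scanner):
        print(f"WARNING: {scanner} is not white listed; the scan will be blocked")
        sys.exit(1)
    print(f"{scanner} is exempt from active response")
```

Run it as python ossec_whitelist_check.py /var/ossec/etc/ossec.conf 203.0.113.200 before starting the scan. After adding a white_list entry, restart OSSEC with /var/ossec/bin/ossec-control restart so the change takes effect.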

The post OSSEC Introduction and Installation Guide appeared first on HackerTarget.com.

DataSploit Tutorial https://hackertarget.com/datasploit-tutorial/ Sat, 17 Feb 2018 06:01:27 +0000

What is DataSploit?

DataSploit is an open source intelligence collection tool. It is a simple way to dump data for a domain or other piece of metadata.

Running DataSploit from the command line you simply enter an input to search on or you can choose to import search data from a text file.

A tutorial for getting started with DataSploit

DataSploit Installation

Often used with the Kali Linux penetration testing distribution, installing within Kali or Ubuntu Linux is a simple process.

Ensure you have git and pip installed.

test@ubuntu:~/$ git clone https://github.com/datasploit/datasploit
test@ubuntu:~/$ cd datasploit
test@ubuntu:~/datasploit/$ pip install -r REQUIREMENTS
test@ubuntu:~/datasploit/$ mv sample-config.py config.py
test@ubuntu:~/datasploit/$ python datasploit.py -h
True
usage: datasploit.py [-h] [-i SINGLE_TARGET] [-f FILE_TARGET] [-a] [-q]
                     [-o OUTPUT]

  ____/ /____ _ / /_ ____ _ _____ ____   / /____   (_)/ /_
 / __  // __ `// __// __ `// ___// __ \ / // __ \ / // __/
/ /_/ // /_/ // /_ / /_/ /(__  )/ /_/ // // /_/ // // /_
\__,_/ \__,_/ \__/ \__,_//____// .___//_/ \____//_/ \__/
                              /_/

           Open Source Assistant for #OSINT
               www.datasploit.info

optional arguments:
  -h, --help            show this help message and exit
  -i SINGLE_TARGET, --input SINGLE_TARGET
                        Provide Input
  -f FILE_TARGET, --file FILE_TARGET
                        Provide Input
  -a, --active          Run Active Scan attacks
  -q, --quiet           Run scans in automated manner accepting default
                        answers
  -o OUTPUT, --output OUTPUT
                        Provide Destination Directory

              Connect at Social Media: @datasploit
                

Similar to recon-ng, you will need to configure API keys to get the full value from this tool. As different Internet resources are searched, the API key will allow you to get additional and more detailed data.

To add the API keys you need to add them to config.py file.

DataSploit as Python Module

A nice feature of this tool is the ability to load it as a Python module for use in your own Python tools. pip install datasploit will get you started then head over to the Help Pages for more information.

Using DataSploit

From the command line you can simply run the tool with a single target parameter to find information on a single domain.

Rather than selecting which modules to use, this tool simply runs whatever modules are available and configured.

~/datasploit$ python datasploit.py -i microsoft.com
True

  ____/ /____ _ / /_ ____ _ _____ ____   / /____   (_)/ /_
 / __  // __ `// __// __ `// ___// __ \ / // __ \ / // __/
/ /_/ // /_/ // /_ / /_/ /(__  )/ /_/ // // /_/ // // /_
\__,_/ \__,_/ \__/ \__,_//____// .___//_/ \____//_/ \__/
                              /_/

           Open Source Assistant for #OSINT
               www.datasploit.info


Target: microsoft.com
Looks like a DOMAIN, running domainOsint...

[-] Skipping Googlepdf because it is marked as disabled.
[-] Skipping Zoomeye because it is marked as disabled.
---> Finding subdomains, will be back soon with list. 

 [+] Extracting subdomains from DNS Dumpster

 [+] Extracting subdomains Netcraft

 [+] Extracting subdomains from Certificate Transparency Reports

As you can see there is a subdomain search module for our own project DNSDumpster.

With a configured Shodan API key, we can dump subdomains for the target domain and these will then be searched for open ports and other scan data through the Shodan API.

** results snipped **
---> Wapplyzing web page of base domain:

Hitting HTTP and HTTPS:
[+] Third party libraries in Use for HTTP:
  Apache
  Google Analytics
  Google AdSense
  CentOS
[+] Third party libraries in Use for HTTPS:
  Apache
  Google Analytics
  Google AdSense
  CentOS

-----------------------------


---> Searching in Shodan:

IP: 77.xx.44.55
Hosts: [u'test.microsoft.com']
Domain: [u'test.microsoft.com']
Port: 80
Content-Type: text/html; charset=UTF-8
Location: {u'city': u'Fremont', u'region_code': u'CA', u'area_code': 510, u'longitude': -121.9829, u'country_code3': u'USA', u'country_name': u'United States', u'postal_code': u'94536', u'dma_code': 807, u'country_code': u'US', u'latitude': 37.56700000000001}

** results snipped **

While I have snipped most of the results above, there are a couple of interesting things to keep in mind.

In particular, note that the Wappalyzing module has pulled data on the HTML/JavaScript libraries of the main domain. These results were gathered by querying the domain directly from your current Internet connection, so the target's web server logs now hold your IP address.

Active vs Passive vs Semi-Passive

Definitions can vary, but I generally categorize these types of reconnaissance as follows:

Active involves active probes against the target, including such things as Port Scanning. That is sending traffic to the target that is not "normal". Normal being a browser viewing a legitimate web page.

Passive indicates no packets are sent to the target network. All data collection is done through third party sites. These of course may then perform the query on your behalf depending on the service.

Semi-Passive is the category I would place this tool in. That being it does send traffic to the target but it is a standard web browser request as seen in the wappalyzer results.

The key takeaway here is that if you are doing OSINT research for incident response and wish to keep your local IP address from target web server logs you should use a VPS or other layer of anonymity.

Conclusion

DataSploit is a fast and easy tool that can gather a range of data very quickly with minimal configuration.

Go and grab the latest version and start testing. A good place to start testing is various bug bounty programs. By selecting a range of bug bounty programs you will be able to test the tool against a number of varied targets and you may even stumble upon an item of interest.

If you have any suggestions for improvement or have any questions related to this DataSploit Tutorial please get in contact.

The post DataSploit Tutorial appeared first on HackerTarget.com.

Recon-NG Tutorial https://hackertarget.com/recon-ng-tutorial/ Fri, 16 Feb 2018 23:22:28 +0000

In this recon-ng tutorial you will discover open source intelligence and easily pivot to new results. Find targets and move to discovering vulnerabilities.

What is Recon-ng?

Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line you enter a shell like environment where you can configure options, perform recon and output results to different report types.

OSINT with our Recon-NG Tutorial
The interactive console provides a number of helpful features such as command completion and contextual help.

Recon-ng Installation

Often used with the Kali Linux penetration testing distribution, installing within Kali is a simple matter of apt-get install recon-ng.

For those wanting the very latest code on Ubuntu the process is nearly as simple. Make sure you have git and pip installed.

test@ubuntu:~/$ git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
test@ubuntu:~/$ cd recon-ng
test@ubuntu:~/recon-ng/$ pip install -r REQUIREMENTS
test@ubuntu:~/recon-ng/$ ./recon-ng

You should now be up and running, with the Recon-NG console loaded.

    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
   _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
  _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
_/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    
                                                                                        

                                          /\
                                         / \\ /\
        Sponsored by...           /\  /\/  \\V  \/\
                                 / \\/ // \\\\\ \\ \/\
                                // // BLACK HILLS \/ \\
                               www.blackhillsinfosec.com

                      [recon-ng v4.9.3, Tim Tomes (@LaNMaSteR53)]                       

[75] Recon modules
[8]  Reporting modules
[2]  Import modules
[2]  Exploitation modules
[2]  Discovery modules

[recon-ng][default] > 

Above the splash screen you will get a screen of red errors; these are simply warnings that the API keys for those services are not populated. Many of the modules within recon-ng use web services that require an API key for full access to the data. The recon-ng wiki has a quick rundown of the keys and where to get them, which will save you time fussing about on each of the sites looking for the API signup page.

Using recon-ng

From the console it is easy to get help and get started with your recon.

Typing help lists the available commands, and help followed by a command name gives the details for that command.

Firstly lets use the hackertarget module to gather some subdomains. This uses the hackertarget.com API and hostname search.

To use a module the syntax is use recon/$category/$module as seen below.

[recon-ng][default] > use recon/domains-hosts/hackertarget
[recon-ng][default][hackertarget] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][default][hackertarget] > set SOURCE teslamotors.com
SOURCE => teslamotors.com

I am using teslamotors.com as an example domain because they have a published bug bounty program and Teslas are cool. Simply type run to execute the module.

[recon-ng][default][hackertarget] > run

---------------
TESLAMOTORS.COM
---------------
[*] [host] email1.teslamotors.com (192.28.144.15)
[*] [host] originwww45.teslamotors.com (205.234.27.211)
[*] [host] storetest5.teslamotors.com (209.11.133.41)
[*] [host] lync.teslamotors.com (209.11.133.11)
[*] [host] epc.teslamotors.com (209.11.133.110)
[*] [host] upload.teslamotors.com (205.234.27.250)
[*] [host] evprd.teslamotors.com (205.234.27.199)
[*] [host] mta.e.teslamotors.com (68.232.192.245)
[*] [host] service.teslamotors.com (209.11.133.37)
[*] [host] extconfluence.teslamotors.com (209.11.133.50)
[*] [host] leaseappde.teslamotors.com (64.125.183.134)
[*] [host] rav4garage.teslamotors.com (209.11.133.16)
[*] [host] energystorage.teslamotors.com (209.10.208.24)
[*] [host] quickbase.teslamotors.com (205.234.27.246)
[*] [host] seg.teslamotors.com (209.10.208.32)
[*] [host] myteslastg.teslamotors.com (209.11.133.54)
[*] [host] cn.auth.teslamotors.com (211.147.80.202)
[*] [host] us.auth.teslamotors.com (209.10.208.27)
[*] [host] extconfl.teslamotors.com (209.11.133.50)
[*] [host] xmail.teslamotors.com (209.11.133.61)
[*] [host] externalssl.teslamotors.com (209.11.133.19)
[*] [host] storagesim.teslamotors.com (209.10.208.39)
[*] [host] japan.teslamotors.com (204.74.99.100)
[*] [host] xmailcn.teslamotors.com (211.147.80.203)
[*] [host] cnorigin.teslamotors.com (211.147.80.201)
[*] [host] wwworigin.teslamotors.com (209.11.133.106)
[*] [host] vpn.teslamotors.com (205.234.27.218)
[*] [host] sdlcvpn.teslamotors.com (209.10.208.55)
[*] [host] hkvpn.teslamotors.com (14.136.104.118)
[*] [host] cnvpn.teslamotors.com (211.147.88.104)
[*] [host] euvpn.teslamotors.com (149.14.82.93)
[*] [host] shop.teslamotors.com (205.234.27.221)
[*] [host] sftp.teslamotors.com (205.234.27.226)
[*] [host] externalsmtp.teslamotors.com (205.234.27.238)
[*] [host] supercharger.teslamotors.com (209.11.133.36)
[*] [host] ipaddocs.teslamotors.com (205.234.27.252)
[*] [host] extissues.teslamotors.com (209.11.133.35)
[*] [host] adfs.teslamotors.com (205.234.27.243)
[*] [host] mobileapps.teslamotors.com (205.234.27.196)
[*] [host] suppliers.teslamotors.com (209.10.208.37)
[*] [host] wechat.teslamotors.com (211.147.80.205)
[*] [host] myteslawduat.teslamotors.com (209.11.133.43)
[*] [host] wwwuat.teslamotors.com (205.234.27.225)
[*] [host] trt.teslamotors.com (209.10.208.20)
[*] [host] origintest.teslamotors.com (205.234.27.221)
[*] [host] wsext.teslamotors.com (209.11.133.49)
[*] [host] fleetview.teslamotors.com (209.10.208.31)
[*] [host] toolbox.teslamotors.com (209.11.133.107)
[*] [host] mobility.teslamotors.com (209.10.208.14)
[*] [host] eumobility.teslamotors.com (82.199.92.7)
[*] [host] wsproxy.teslamotors.com (205.234.27.212)
[*] [host] smswsproxy.teslamotors.com (205.234.27.197)

-------
SUMMARY
-------
[*] 52 total (52 new) hosts found.

Now we have begun to populate our hosts. Typing show hosts will give you a summary of the resources discovered.
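Fifty-odd hostnames are only the start; the value is in what they share. The following is an added example, not part of recon-ng or the original post. It parses the [*] [host] name (ip) lines recon-ng printed above (a subset of the real output is embedded as the sample), finds IPs that front more than one hostname, rolls the addresses up into /24 netblocks ready for the netblocks-* modules or a Shodan net query, and tags hostnames whose label suggests remote access, identity services, non-production systems or collaboration tools. The keyword categories are my own assumptions, not anything recon-ng defines.

```python
import re
import ipaddress
from collections import defaultdict

# Sample lines taken from the module output above, plus the summary line,
# to show that non-host lines are ignored.
SAMPLE_OUTPUT = """\
[*] [host] extconfluence.teslamotors.com (209.11.133.50)
[*] [host] extconfl.teslamotors.com (209.11.133.50)
[*] [host] vpn.teslamotors.com (205.234.27.218)
[*] [host] sdlcvpn.teslamotors.com (209.10.208.55)
[*] [host] sftp.teslamotors.com (205.234.27.226)
[*] [host] adfs.teslamotors.com (205.234.27.243)
[*] [host] shop.teslamotors.com (205.234.27.221)
[*] [host] origintest.teslamotors.com (205.234.27.221)
[*] [host] storetest5.teslamotors.com (209.11.133.41)
[*] 52 total (52 new) hosts found.
"""

HOST_RE = re.compile(r"^\[\*\] \[host\] (?P<host>\S+) \((?P<ip>[0-9.]+)\)$")

# Assumed keyword categories; adjust to taste for the target.
INTERESTING = {
    "remote access": ("vpn", "sftp", "ssh", "rdp"),
    "identity": ("adfs", "auth", "sso", "login"),
    "non-production": ("test", "uat", "stg", "dev"),
    "collaboration": ("confl", "jira", "issues", "wiki"),
}


def parse_hosts(text):
    """Map hostname -> IP from recon-ng console output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            hosts[m.group("host")] = m.group("ip")
    return hosts


def shared_ips(hosts):
    """IPs serving more than one hostname: same box or same front end, so a
    finding against one name usually applies to the others."""
    by_ip = defaultdict(list)
    for host, ip in hosts.items():
        by_ip[ip].append(host)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def netblocks(hosts, prefix=24):
    """Group discovered IPs into /prefix networks for the next pivot."""
    blocks = defaultdict(set)
    for ip in hosts.values():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)].add(ip)
    return {net: sorted(ips) for net, ips in blocks.items()}


def tag_hosts(hosts):
    """Hostnames whose first label matches an INTERESTING keyword."""
    tagged = {}
    for host in hosts:
        label = host.split(".")[0].lower()
        tags = [cat for cat, words in INTERESTING.items()
                if any(w in label for w in words)]
        if tags:
            tagged[host] = tags
    return tagged


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    hosts = parse_hosts(text)
    print(f"{len(hosts)} hosts")
    for ip, names in shared_ips(hosts).items():
        print(f"{ip} fronts: {', '.join(names)}")
    for net, ips in sorted(netblocks(hosts).items()):
        print(f"{net}: {len(ips)} hosts")
    for host, tags in tag_hosts(hosts).items():
        print(f"{host}: {', '.join(tags)}")
```

Pipe a saved console transcript into it, or run it with no argument to see the sample. The netblock roll-up is the same pivot recon-ng's show hosts and netblocks tables support; doing it here just makes the grouping explicit before you spend API credits on a Shodan net query.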

Add API keys to Recon-ng

It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option, as it allows you to query open ports on your discovered hosts without sending any packets to the target systems.

keys add shodan_api < insert shodan api key here > 

Recon-ng Modules

Typing show modules will display a list of all the modules. From which you can start following the white rabbit exploring and getting deeper into recon and open source intelligence.

[recon-ng][default] > show modules

  Discovery
  ---------
    discovery/info_disclosure/cache_snoop
    discovery/info_disclosure/interesting_files

  Exploitation
  ------------
    exploitation/injection/command_injector
    exploitation/injection/xpath_bruter

  Import
  ------
    import/csv_file
    import/list

  Recon
  -----
    recon/companies-contacts/bing_linkedin_cache
    recon/companies-contacts/jigsaw/point_usage
    recon/companies-contacts/jigsaw/purchase_contact
    recon/companies-contacts/jigsaw/search_contacts
    recon/companies-multi/github_miner
    recon/companies-multi/whois_miner
    recon/contacts-contacts/mailtester
    recon/contacts-contacts/mangle
    recon/contacts-contacts/unmangle
    recon/contacts-credentials/hibp_breach
    recon/contacts-credentials/hibp_paste
    recon/contacts-domains/migrate_contacts
    recon/contacts-profiles/fullcontact
    recon/credentials-credentials/adobe
    recon/credentials-credentials/bozocrack
    recon/credentials-credentials/hashes_org
    recon/domains-contacts/metacrawler
    recon/domains-contacts/pgp_search
    recon/domains-contacts/whois_pocs
    recon/domains-credentials/pwnedlist/account_creds
    recon/domains-credentials/pwnedlist/api_usage
    recon/domains-credentials/pwnedlist/domain_creds
    recon/domains-credentials/pwnedlist/domain_ispwned
    recon/domains-credentials/pwnedlist/leak_lookup
    recon/domains-credentials/pwnedlist/leaks_dump
    recon/domains-domains/brute_suffix
    recon/domains-hosts/bing_domain_api
    recon/domains-hosts/bing_domain_web
    recon/domains-hosts/brute_hosts
    recon/domains-hosts/builtwith
    recon/domains-hosts/certificate_transparency
    recon/domains-hosts/google_site_api
    recon/domains-hosts/google_site_web
    recon/domains-hosts/hackertarget
    recon/domains-hosts/mx_spf_ip
    recon/domains-hosts/netcraft
    recon/domains-hosts/shodan_hostname
    recon/domains-hosts/ssl_san
    recon/domains-hosts/threatcrowd
    recon/domains-vulnerabilities/ghdb
    recon/domains-vulnerabilities/punkspider
    recon/domains-vulnerabilities/xssed
    recon/domains-vulnerabilities/xssposed
    recon/hosts-domains/migrate_hosts
    recon/hosts-hosts/bing_ip
    recon/hosts-hosts/freegeoip
    recon/hosts-hosts/ipinfodb
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/hosts-hosts/ssltools
    recon/hosts-locations/migrate_hosts
    recon/hosts-ports/shodan_ip
    recon/locations-locations/geocode
    recon/locations-locations/reverse_geocode
    recon/locations-pushpins/flickr
    recon/locations-pushpins/picasa
    recon/locations-pushpins/shodan
    recon/locations-pushpins/twitter
    recon/locations-pushpins/youtube
    recon/netblocks-companies/whois_orgs
    recon/netblocks-hosts/reverse_resolve
    recon/netblocks-hosts/shodan_net
    recon/netblocks-ports/census_2012
    recon/netblocks-ports/censysio
    recon/ports-hosts/migrate_ports
    recon/profiles-contacts/dev_diver
    recon/profiles-contacts/github_users
    recon/profiles-profiles/namechk
    recon/profiles-profiles/profiler
    recon/profiles-profiles/twitter_mentioned
    recon/profiles-profiles/twitter_mentions
    recon/profiles-repositories/github_repos
    recon/repositories-profiles/github_commits
    recon/repositories-vulnerabilities/gists_search
    recon/repositories-vulnerabilities/github_dorks

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

Conclusion

Recon-ng is a powerful tool that can be further explored by looking through the list of modules above. The help within the console is very clear and with a bit of playing around it won't take long to become an expert.

Once you start to become more familiar with the layout of the tool you will discover options such as workspaces that allow you to segment based on organization or network.

The rise of bug bounties allows you to play with new tools and simply go and explore an organization's Internet facing footprint. Have fun. Don't break the rules.

The post Recon-NG Tutorial appeared first on HackerTarget.com.

Internet Wide Scanning – Remote access granted https://hackertarget.com/remote-access-granted/ Sun, 26 Nov 2017 12:41:34 +0000

In the beginning there were Google Dorks, by using specific Google search queries it is still possible to find thousands of unsecured remotely accessible security cameras and printers. Now with search engines such as Shodan.io and Censys.io finding open devices on the Internet has gone to the next level.

Google dorks work because Google happened to index the admin login screen of the device. Since the majority of devices still had the default credentials it was then possible to view security cameras in offices around the world, print random junk to unknown printers and much more. While pranks and much laughing may follow, Google dorks highlight the importance of security awareness. That is understanding what services are listening on your perimeter and changing default credentials.

The following techniques for finding insecure devices connected to the Internet are much more accurate, comprehensive and accessible.

Shodan the Google of network services

Things started to heat up when John Matherly released the Shodan Search Tool. In 2009 John started indexing Internet service banners across the net and made the data available at ShodanHQ. It is now commonly known as the Google of network services, and has made numerous appearances in mainstream media such as CNN and Forbes.

Internet Census 2012

2012 saw the release of the Internet Census. An unknown researcher created a botnet that scanned the entire IPv4 address space and then published the results online. Note that this project was audacious and very much illegal, as it used compromised routers to perform the port scanning.

Zmap and Masscan

ZMap was released a few months later by a team of computer scientists at the University of Michigan. The ZMap port scanning tool can scan the entire IPv4 address space in 45 minutes. You will need a big fat uplink and a fast network card, but that is pretty damn quick. Yet another extremely fast port scanner, Masscan, was released soon after.

Project Sonar

Project Sonar was the next big project in the timeline, launched by HD Moore of Metasploit fame. At Scans.io the results of Internet scanning from HD Moore's critical.io scanning project, and datasets from the ZMap project, have been made available online for researchers to explore.

Censys

Censys was created in 2015 at the University of Michigan by the security researchers who developed ZMap, the very fast port scanner capable of Internet-wide scanning mentioned above. The team has been scanning the Internet and making the results available through the portal, and has recently launched commercial access to the API.

VNC pwnage

Most recently a security researcher has scanned a specific TCP port across the IPv4 address space and taken a screenshot of VNC (remote control software) services that have no password. In 16 minutes he found 30000 systems with no password, and some of those systems included 2 hydroelectric plants and surveillance cameras at a casino in the Czech Republic.

Now go Port Scan your Internet facing networks

As seen from the projects, data and articles linked above, all too often networks go untested for services that should not be there or at least not be accessible from anywhere in the world over the Internet.

Here are three steps that will help you stay secure and it might even just make the world a safer place:

Port Scan your Internet facing IP addresses with Nmap

  • Nmap is simply the best tool for performing a port scan. You can download Nmap and install it on your operating system of choice.
  • Keep in mind that you want to perform the testing from an external IP address to the network you are testing.
  • Know your network ranges, keep a list of all IP ranges and systems you manage. Ensure all networks and systems are tested.
Firewall, block or restrict access to services that should not be accessible from the Internet

  • Make the necessary changes and get it fixed.
  • Implement a change control process for firewall changes and systems on the perimeter.
Schedule the port scan to be performed on a regular basis

  • Select a schedule based on your risk model, perhaps weekly, daily or monthly.
  • Changes to the network occur all the time; when new devices are added; changes are made to existing devices; firewall rules are modified; when a change occurs mistakes will happen.
  • Nmap ships with a tool called ndiff that compares two port scans; this is a handy tool for scripting regular port scans from a VPS or other off site location.
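The scheduled scan only pays off if someone notices the difference between this week's result and last week's. The following is an added example, not part of Nmap or the original post, showing the comparison ndiff does, written in Python so it can slot into a cron job that emails or pages on change. It reads two reports in the XML layout nmap -oX writes and returns, per host, the open ports that appeared and the ones that went away. The two XML documents are constructed, standing in for a baseline scan and the current scan of the same small range.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML in the shape `nmap -oX` produces (constructed sample,
# not a real scan).  Baseline: last week's scheduled scan.
BASELINE_XML = """\
<nmaprun scanner="nmap" args="nmap -oX baseline.xml 203.0.113.0/29">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/></port>
    </ports></host>
  <host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
    </ports></host>
</nmaprun>
"""

# Current: this week's scan.  A VNC port has appeared on .10, the mail relay
# on .11 has moved to a web service, and a printer has shown up on .12.
CURRENT_XML = """\
<nmaprun scanner="nmap" args="nmap -oX current.xml 203.0.113.0/29">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
    </ports></host>
  <host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="closed"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
  <host><status state="up"/><address addr="203.0.113.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
    </ports></host>
</nmaprun>
"""


def open_ports(xml_text):
    """Map each IPv4 address to its set of (protocol, port, service) tuples
    whose state is open.  Filtered and closed ports are ignored."""
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "?"
            ports.add((port.get("protocol"), int(port.get("portid")), name))
        result[addr.get("addr")] = ports
    return result


def diff_scans(baseline_xml, current_xml):
    """Return (opened, closed): per host, open ports present only in the
    current scan and open ports present only in the baseline."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    opened, closed = {}, {}
    for ip in set(before) | set(after):
        new = after.get(ip, set()) - before.get(ip, set())
        gone = before.get(ip, set()) - after.get(ip, set())
        if new:
            opened[ip] = sorted(new)
        if gone:
            closed[ip] = sorted(gone)
    return opened, closed


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        base, cur = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        base, cur = BASELINE_XML, CURRENT_XML
    opened, closed = diff_scans(base, cur)
    for ip, ports in sorted(opened.items()):
        print(f"NEW  {ip}: " + ", ".join(f"{p}/{proto} ({svc})" for proto, p, svc in ports))
    for ip, ports in sorted(closed.items()):
        print(f"GONE {ip}: " + ", ".join(f"{p}/{proto} ({svc})" for proto, p, svc in ports))
    sys.exit(1 if opened else 0)   # non-zero exit lets cron mail you on change
```

Run nmap -oX current.xml against your ranges from the off site host, then python scan_diff.py baseline.xml current.xml; a non-zero exit means something opened since the baseline, which is the event you want a ticket for. Once reviewed, rotate current.xml into place as the new baseline.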

Regular port scans are simple to implement and can be incorporated with other regular security tasks. Start now before someone on the other side of the world starts abusing your printer or turns up the heat in your building.

The post Internet Wide Scanning – Remote access granted appeared first on HackerTarget.com.

15 Essential Open Source Security Tools https://hackertarget.com/10-open-source-security-tools/ Wed, 27 Sep 2017 11:30:15 +0000

There are thousands of open source security tools with both defensive and offensive security capabilities.

 Updated in 2017 to include an additional 5 essential security tools.

The following are 15 essential security tools that will help you to secure your systems and networks. These open source security tools have been given the essential rating because they are effective, well supported and easy to start getting value from.

1. Nmap - map your network and ports with the number one port scanning tool. Nmap now features powerful NSE scripts that can detect vulnerabilities, misconfiguration and security related information around network services. After you have Nmap installed be sure to look at the features of the included ncat - it's netcat on steroids.

2. OpenVAS - open source vulnerability scanning suite that grew from a fork of the Nessus engine when it went commercial. Manage all aspects of a security vulnerability management system from web based dashboards. For a fast and easy external scan with OpenVAS try our online OpenVAS scanner.

3. OSSEC - host based intrusion detection system or HIDS, easy to setup and configure. OSSEC has far reaching benefits for both security and operations staff.

4. Security Onion - a network security monitoring distribution that can replace expensive commercial grey boxes with blinking lights. Security Onion is easy to set up and configure. With minimal effort you will start to detect security related events on your network, from brute force scanning kids to those nasty APTs.

5. Metasploit Framework - test all aspects of your security with an offensive focus. Primarily a penetration testing tool, Metasploit has modules that not only include exploits but also scanning and auditing.

6. OpenSSH - secure all your traffic between two points by tunnelling insecure protocols through an SSH tunnel. Includes scp, providing an easy way to copy files securely. Can be used as a poor man's VPN for open wireless access points (airports, coffee shops): tunnel back through your home computer and the traffic is then secured in transit. Access internal network services through SSH tunnels using only one point of access. From Windows you will probably want PuTTY as a client and WinSCP for copying files. Under Linux just use the command line ssh and scp.

7. Wireshark - view traffic in as much detail as you want. Use Wireshark to follow network streams and find problems. Tcpdump and Tshark are command line alternatives. Wireshark runs on Windows, Linux, FreeBSD or OSX based systems.

8. Kali Linux - built from the foundation of BackTrack Linux, Kali is a security testing Linux distribution based on Debian. It comes prepackaged with hundreds of powerful security testing tools. From Airodump-ng with wireless injection drivers to Metasploit, this bundle saves security testers a great deal of time configuring tools.

9. Nikto - a web server testing tool that has been kicking around for over 10 years. Nikto is great for firing at a web server to find known vulnerable scripts, configuration mistakes and related security problems. It won't find your XSS and SQL web application bugs, but it does find many things that other tools miss. To get started try the Nikto Tutorial or the online hosted version.

10. TrueCrypt - as of 2014, the TrueCrypt product is no longer being maintained. Two new security tools, CipherShed and VeraCrypt, were forked from it and have been through extensive security audits.

Updated 2017 to include another 5 high quality open source security tools. These additional projects are all very much focused on the defender's side, with in depth traffic analysis, intrusion detection and incident response all covered. It is interesting to see that sponsors of these projects include Facebook, Cisco and Google.

11. Moloch - packet capture analysis, ninja style. Powered by an Elasticsearch backend, which makes searching through pcaps fast. Has great support for protocol decoding and display of captured data. With a security focus this is an essential tool for anyone interested in traffic analysis.

12. Bro IDS - touts itself as more than an Intrusion Detection System, and it is hard to argue with this statement. The IDS component is powerful, but rather than focusing on signatures as seen in traditional IDS systems, this tool decodes protocols and looks for anomalies within the traffic.

13. Snort - a real time traffic analysis and packet logging tool. It can be thought of as a traditional IDS, with detection performed by matching signatures. The project is now managed by Cisco, which uses the technology in its range of Sourcefire appliances. An alternative project is the Suricata system that is a fork of the original Snort source.

14. osquery - monitors a host for changes and is built to be performant from the ground up. This project is cross platform and was started by the Facebook Security Team. It is a powerful agent that can be run on all your systems (Windows, Linux or OSX), providing detailed visibility into anomalies and security related events.

15. GRR - Google Rapid Response, a tool developed by Google for security incident response. This Python agent / server combination allows incident response to be performed against a target system remotely.

100K WordPress Powered Sites
https://hackertarget.com/100k-top-wordpress-powered-sites/
Sat, 02 Sep 2017 15:03:17 +0000 (http://hackertarget.com/?p=2997)

The post 100K WordPress Powered Sites appeared first on HackerTarget.com.

Analysis of the 100K top WordPress sites provides us with insight into the technology and the security posture of these Internet properties. While WordPress powered sites number in the millions around the world, the focus here is on sites that have significant Internet traffic.

The methodology used to determine whether a site is WordPress powered is to search for specific strings within the HTML or the HTTP headers provided by the web server. It was a matter of downloading the headers and page source from the Alexa top 1 million sites and then searching for /wp-json/, /wp-includes/ or /wp-content/.

The number of WordPress powered sites gets thrown around quite often. It is nice to see that the often quoted 25% figure is close even when counting high traffic sites.

WordPress in the Alexa Top 1 Million

Web Servers of the Top WordPress Powered Sites

These statistics are based on the front end web server that is delivering the WordPress site to the browser. The results are based on the initial HTTP header (Server:). In the following chart the total number for each web server technology is the focus.

Web Servers of WordPress Powered Sites

Nginx has a solid lead with just under 50% (49460) of the websites. Keep in mind that since our methodology only looked at the initial Server: HTTP Header, there are likely nginx sites that are acting as a reverse proxy in front of other web servers.

In addition, sites that are being delivered by CloudFlare or other content delivery networks are included in the server numbers. See the following chart for a breakdown of the CloudFlare numbers.

More than a handful of sites are running on Microsoft IIS servers (1788); included in this number are Microsoft corporate properties such as Visual Studio.

A closer look at the Nginx statistics

In this breakdown of the nginx powered sites, we can see that CloudFlare is a significant part of that number.

With 19826 of the sites, CloudFlare is close to delivering 20% of the Top 100000 WordPress websites.

See the web hosting and IP address block analysis for more detail on other content delivery networks that are serving up the WordPress sites.

Nginx Web Servers

Examination of the WordPress Version

Looking into the WordPress version goes hand in hand with understanding the security posture of a site. Since WordPress 3.7 automatic updates have been available for WordPress installations to ensure that sites are kept up to date. WordPress security recommendations outline the need to always run the latest version of WordPress core to ensure that security fixes are applied.

There are different ways to determine the version of a WordPress installation; for simplicity only sites with the default meta generator banner are included in this breakdown of versions found. The default generator tag was found on 52515 of the WordPress sites.

WordPress Versions and Updates in Top Sites

Quite a spread of versions can be seen; those WordPress 2.x sites really do exist. There are currently 56 sites running 2.x and 821 sites running WordPress 3.x.

Just over half of all the sites are running the latest version, 4.8.1 (the latest version at the time of analysis).

Having only 53.8% of these high traffic sites running the latest version shows an absence of standard maintenance procedures on the remaining sites. Owners still need to make improvements in adopting best practice security maintenance processes.

Latest Version of Core in Top WordPress Sites

WordPress Hosting Providers

Digging into the hosting providers of WordPress sites meant resolving the IP address of each site. From the IP address the network owner was determined by running a simple ASN lookup. The result revealed the owner of the hosting net block, which is often the hosting provider. Please note that some hosting companies may not own the IP block; in these cases large networks such as Amazon may actually include smaller hosting companies.

WordPress Hosting Providers of the Top Web Sites

Hosting Locations

Everyone loves a good map. So, utilizing the MaxMind GeoLite data, the IP address locations were plotted for the list of 100,000 top WordPress powered sites. As you can see there are either a few sites running on submarines or the IP geo data is not 100% accurate. The general distribution of sites around the world is interesting, with expected clusters in the USA and Europe.

WordPress Hosting Providers of the Top Web Sites

WordPress SEO Plugin Showdown

When it comes to improving the SEO of a WordPress site, there are two plugins that come to mind: 1. WordPress SEO by Yoast and 2. All in One SEO. The nice thing about these plugins is that they put a comment in the HTML source allowing them to be identified.

Using the default comment it was possible to quickly determine the number of sites that have the default comment enabled. Of course it is possible that some sites have removed the comment.

And the winner is Yoast!

WordPress SEO Plugins

WordPress Caching Plugin Showdown

Fast sites make users happy, and recently they have made Google happy too, with an update to the search algorithm that provides search weighting based on site speed. Understandably these factors make WordPress caching plugins essential for most serious sites.

The most popular caching plugins include comments in the HTML (by default) identifying the plugin in use. By searching for these comments it was possible to gather numbers for the most popular caching plugins.

Of course it is possible some have been missed, but like all of the data on this page the sample size is pretty good.

And the winner is Autoptimize!

WordPress Caching Plugins

Top 25 WordPress Plugins

The numbers become a bit rougher when determining the plugins in use. Unless the plugin has a default comment in the code, as the SEO and caching plugins do, it gets a bit harder to determine the plugins in use.

Many plugins load resources from the plugin folder (CSS or JS), and this is the best way to identify plugins used passively. A more aggressive way to find plugins in use is to brute force the path; obviously when doing a survey such as this that is not an option.

So to determine the Top 25 plugins listed below, the HTML was searched for /wp-content/plugins/$plugin/ and the plugin names were extracted simply using the path. An additional caveat is that it is now common for JavaScript and CSS to be minified to improve site performance. If minified code is in use this method of identifying plugins no longer works.

WordPress Plugins in the Top 100K Plugins

Top 25 WordPress Themes

Using similar methodology to the plugin identification above, we were able to identify the WordPress theme in use by searching for the path /wp-content/themes/$theme/ in the HTML and counting the most common occurrences. Many sites will use custom themes and have changed the path; however, identification of the most common themes should be fairly accurate using the large sample size.

WordPress Themes in the Top 100K WordPress Sites
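The passive checks described in the methodology, Server: header, Meta Generator, SEO plugin comments and plugin/theme resource paths, put together as one script so you can run them against a saved copy of your own site's response. This is an added example, not HackerTarget's survey code: it assumes the response was saved with `curl -si` (headers, blank line, body), every sample response in it is constructed, and the SEO comment markers it looks for are taken from those samples rather than from the plugins themselves.

```shell
#!/bin/sh
# Added example, not HackerTarget's survey code: passive WordPress
# fingerprinting of one saved HTTP response, using the markers the article
# searched for (/wp-json/, /wp-includes/, /wp-content/, the first Server:
# header, the default meta generator tag and /wp-content/plugins|themes/<slug>/
# resource paths). Input layout assumed: raw response headers, a blank line,
# then the HTML body, which is what `curl -si https://example.com/ > site.txt`
# writes. Every sample below is constructed, not captured from a real site.

# Constructed WordPress-looking response, written to the path given in $1.
write_sample_wordpress() {
    cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Link: <https://example.com/wp-json/>; rel="https://api.w.org/"

<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.8.1" />
<!-- This site is optimized with the Yoast SEO plugin -->
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentyseventeen/style.css" />
<script src="https://example.com/wp-content/plugins/contact-form-7/includes/js/scripts.js"></script>
<script src="https://example.com/wp-includes/js/jquery/jquery.js"></script>
<script src="https://example.com/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js"></script>
<link rel="stylesheet" href="https://example.com/wp-content/plugins/wordpress-seo/css/main.css" />
</head><body></body></html>
EOF
}

# Constructed non-WordPress response, for the negative case.
write_sample_plain() {
    cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Server: Apache

<html><head><title>static</title></head><body>hello</body></html>
EOF
}

# Header block only: everything before the first blank line, CRs stripped.
response_headers() { tr -d '\r' < "$1" | sed '/^$/q'; }

# Value of the first Server: header, which is all the survey counted; a CDN or
# reverse proxy in front of the real server is what gets reported here.
wp_server() { response_headers "$1" | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1; }

# Exit 0 when any of the three WordPress path strings appears in the response.
is_wordpress() { grep -q -e '/wp-json/' -e '/wp-includes/' -e '/wp-content/' "$1"; }

# Core version from the default meta generator tag; empty if it was removed.
wp_version() {
    sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# Slugs found under /wp-content/<kind>/<slug>/ (kind = plugins or themes), one
# per line, deduplicated. Minified or concatenated assets defeat this check,
# as the article notes.
wp_content_slugs() {
    grep -o "/wp-content/$2/[A-Za-z0-9_.-]*/" "$1" \
        | sed 's#/wp-content/'"$2"'/##; s#/$##' | sort -u
}
wp_plugins() { wp_content_slugs "$1" plugins; }
wp_themes()  { wp_content_slugs "$1" themes; }

# SEO plugin from its HTML comment. The marker strings are assumptions taken
# from the constructed sample; confirm them against the comment your plugin
# version actually emits before relying on them.
wp_seo_plugin() {
    if grep -q 'Yoast SEO plugin' "$1"; then echo yoast
    elif grep -q 'All in One SEO Pack' "$1"; then echo all-in-one-seo
    else echo none
    fi
}

# One summary line per response; returns 1 for non-WordPress input.
wp_fingerprint() {
    is_wordpress "$1" || { echo "not-wordpress"; return 1; }
    ver=$(wp_version "$1")
    printf 'server=%s version=%s seo=%s plugins=%s themes=%s\n' \
        "$(wp_server "$1")" "${ver:-unknown}" "$(wp_seo_plugin "$1")" \
        "$(wp_plugins "$1" | tr '\n' ';' | sed 's/;$//')" \
        "$(wp_themes "$1" | tr '\n' ';' | sed 's/;$//')"
}

# Usage: sh wp_fingerprint.sh site.txt [more.txt ...]
for response in "$@"; do
    printf '%s: ' "$response"; wp_fingerprint "$response" || true
done
```

Run it over your own saved responses to see exactly what a passive survey like this one learns about a site; an empty version field means the generator tag is gone, and an empty plugin list usually means assets are minified, the two blind spots the article calls out.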
Where's your site in the list?
Download the full list of 100K WordPress sites in .csv.
The format of the csv file is comma separated with columns $rank,$alexarank,$site.

Article first published in 2012. This is a complete 2017 update of the original 2012 data.

OpenVAS 9 install on Ubuntu 16.04
https://hackertarget.com/openvas-9-install-ubuntu-1604/
Sat, 20 May 2017 10:54:44 +0000 (https://hackertarget.com/?p=8943)

The post OpenVAS 9 install on Ubuntu 16.04 appeared first on HackerTarget.com.

To install OpenVAS 9 on Ubuntu 16.04 we will use the third party binary package method. While we could build from source the packages allow us to get OpenVAS up and running quickly and with minimal fuss.

For ongoing management and troubleshooting tips check out the OpenVAS Tutorial.

OpenVAS installation

If you are installing OpenVAS into an Ubuntu virtual machine I suggest adding as much CPU as you can, as this will speed up your scan times. A suggested minimum is 8GB of RAM and 4 cores. An interesting new feature mentioned in the latest release is the development towards building a distributed system for large scale deployments. Having a central console (and manager) that can delegate scans to multiple scanners is an excellent architecture for those wanting to scan large numbers of targets.

Install OpenVAS

The first step is to add the PPA repository to our Ubuntu build. In this example I am using a clean server build on VMware Workstation. After running the add-apt-repository command you will receive a notice that gives a good summary of the installation process.

root@ubuntu:~# add-apt-repository ppa:mrazavi/openvas

Next, apt update and install the main packages.

root@ubuntu:~# apt update
root@ubuntu:~# apt install sqlite3
root@ubuntu:~# apt install openvas9

There are a ton of packages to be installed; on my clean Ubuntu Server build a total of 175 packages and 581 MB of disk space is to be used. A couple of additional packages are required for the PDF reports to work.

root@ubuntu:~# apt install texlive-latex-extra --no-install-recommends

Now some extra fonts to make those PDFs look pretty.

root@ubuntu:~# apt-get install texlive-fonts-recommended

The libopenvas9-dev package installs the openvas-nasl utility, which allows you to run single OpenVAS NASL scripts, great for quick checks and troubleshooting. In the next step we are also adding the vulnerability data by syncing with the feeds.

root@ubuntu:~# apt install libopenvas9-dev
root@ubuntu:~# greenbone-nvt-sync
root@ubuntu:~# greenbone-scapdata-sync
root@ubuntu:~# greenbone-certdata-sync

Time to start the OpenVAS scanner process.

root@ubuntu:~# service openvas-scanner restart

Now a check of the running processes will show our scanner loading the NVTs.

root@ubuntu:~# ps -ef | grep openvas
root      34149      1  0 00:22 ?        00:00:00 gpg-agent --homedir /var/lib/openvas/openvasmd/gnupg --use-standard-socket --daemon
root      34241      1  0 00:22 ?        00:00:01 openvasmd
root      37861      1 55 02:01 ?        00:00:02 openvassd: Reloaded 8550 of 53269 NVTs (16% / ETA: 00:20)
root      37862  37861  0 02:01 ?        00:00:00 openvassd (Loading Handler)
root      37864  25921  0 02:01 pts/1    00:00:00 grep --color=auto openvas

Using netstat -an we can see that gsad is now running on port 4000. Another thing to notice is that openvasmd and openvassd are using Unix sockets rather than listening on TCP ports.

An extra package is required if we want to be able to test Microsoft SMB services for critical vulnerabilities such as MS17-010. This particular Microsoft patch is of note as it fixes the vulnerability that has been keeping IT staff busy since the WannaCry ransomware attack started spreading around the world. Of course any penetration tester will be familiar with MS08-067, a previous favourite vulnerability for attacking Windows 2003 systems.

root@ubuntu:~# apt install smbclient

Now let's restart the openvas-manager and rebuild the cache. Rebuilding the cache ensures the feed that we synced is all loaded up into the manager and we are ready to start testing.

root@ubuntu:~# service openvas-manager restart
root@ubuntu:~# openvasmd --rebuild --progress
Rebuilding NVT cache... done.

If you have any issues, the log files contain the information for troubleshooting. OpenVAS logs can be found in the following locations.

/var/log/openvas
/var/log/openvas/gsad.log
/var/log/openvas/openvasmd.log
/var/log/openvas/openvassd.dump
/var/log/openvas/openvassd.messages

We should now be all ready to load up the web interface and start testing. Don't forget we are on a new port number. The default user and password is admin / admin.

https://192.168.1.254:4000
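The install steps above collected into one script, with a readiness check that automates the two things the post checks by hand (the openvassd NVT reload progress in ps -ef and gsad listening on port 4000). This is an added example, not part of the post or of the OpenVAS project: it assumes Ubuntu 16.04, a root shell, the ppa:mrazavi/openvas PPA and the package, service and port values exactly as used above; the function names and the <server-ip> placeholder are mine, and the listener check accepts either ss -ltn or the netstat -an output the post uses.

```shell
#!/bin/sh
# Added example, not from HackerTarget or the OpenVAS project: the install
# steps above gathered into one script, plus a readiness check that reads the
# `ps -ef` and `ss -ltn` output the post inspects by hand. Assumptions: Ubuntu
# 16.04, run as root, and the PPA, package and service names exactly as used
# in the post above. The two text helpers do not touch the system and are the
# parts worth unit testing.
set -e

# Step 1: repository and packages, in the order the post installs them.
install_openvas9() {
    add-apt-repository -y ppa:mrazavi/openvas
    apt update
    apt install -y sqlite3 openvas9
    apt install -y texlive-latex-extra --no-install-recommends
    apt install -y texlive-fonts-recommended
    apt install -y libopenvas9-dev smbclient
}

# Step 2: feed sync, then the cache rebuild the manager needs before scanning.
sync_feeds_and_rebuild() {
    greenbone-nvt-sync
    greenbone-scapdata-sync
    greenbone-certdata-sync
    service openvas-scanner restart
    service openvas-manager restart
    openvasmd --rebuild --progress
}

# Reads `ps -ef` output on stdin and prints the percentage from the openvassd
# title shown while NVTs reload, e.g.
#   openvassd: Reloaded 8550 of 53269 NVTs (16% / ETA: 00:20)
# Prints nothing once no reload is in progress.
nvt_reload_percent() {
    sed -n 's/.*openvassd: Reloaded [0-9]* of [0-9]* NVTs (\([0-9]*\)%.*/\1/p' | head -n 1
}

# Exit 0 when a listener on TCP port $1 appears in `ss -ltn` or `netstat -an`
# output read from stdin (the local address column ends in ":PORT").
port_listening() {
    grep -Eq "[:.]$1[[:space:]]"
}

# Readiness check to run after the script finishes: scanner done loading NVTs
# and gsad answering on 4000 (the port this packaging uses, see above).
post_install_check() {
    pct=$(ps -ef | nvt_reload_percent)
    if [ -n "$pct" ]; then
        echo "openvassd still reloading NVTs (${pct}%), try again shortly"
        return 1
    fi
    if ! ss -ltn | port_listening 4000; then
        echo "gsad is not listening on TCP 4000, check /var/log/openvas/gsad.log"
        return 1
    fi
    echo "ok: scanner loaded, gsad on https://<server-ip>:4000"
}

# Usage: sh openvas9-install.sh install | check
case "${1:-}" in
    install) install_openvas9; sync_feeds_and_rebuild; post_install_check ;;
    check)   post_install_check ;;
esac
```

Because the scanner keeps loading NVTs for a while after the rebuild, the check is expected to fail once or twice straight after install; rerun `sh openvas9-install.sh check` until it reports ok before logging in.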

Getting Started with OpenVAS 9

After completing the installation and syncing the vulnerability feed, log in to the web interface using the default credentials (don't forget to change your password!).

1. Add a target

Using the web interface select Configuration | Targets to add a new target to scan. Note the little star icon in the top left corner is the "add" button (this follows through on the other screens as well).

2. Add a task

Select the Scans | Tasks option to add a new task. For your first scan you can stick with the defaults; simply select the scan target that you added in step 1 and hit create.

3. Start Scan

Now it is simply a matter of hitting the play button for the task to kick the scan off. Once the scan has completed you will be able to review results under Scans | Reports. Reports can be downloaded in HTML / XML / PDF and other formats or you can review the results in the web interface.

Sample OpenVAS Reports

Each of the following tests was conducted using a black box approach. In such a test the vulnerability scanner is run against a target with no prior knowledge of, or credentialed access to, the system.


Windows 2003 - end of life and an impressive list of vulnerabilities in a default install. Probably should upgrade.

Windows 7 - in this test the firewall has been disabled. Multiple issues discovered including MS17-010.

Metasploitable - this target is a deliberately insecure system. It is used for testing and has many critical vulnerabilities.

Wrapping Up

The installation of OpenVAS 9 on Ubuntu was found to be a smooth process, with no hiccups or gotchas encountered. The OpenVAS project is heavily supported and developed by Greenbone Networks; if you are after a comprehensive vulnerability scanning solution you should check them out. Complement their appliances for testing your internal corporate networks with our hosted vulnerability scanners to secure the network perimeter.
