Friday, December 27, 2019
Check if HTTPS service got any vulnerability with its Cipher Suite
#nmap -Pn --script ssl-enum-ciphers -p 443 IP_ADDRESS/HOSTNAME
Thursday, December 26, 2019
Online Malware Analysis Resource updated on 20191226
Sandbox:
https://malwareanalyser.io/
https://www.hybrid-analysis.com/
https://malware.sekoia.fr/new
https://s.threatbook.cn/
Multi-Scan:
https://www.virustotal.com/
https://metadefender.opswat.com/
Office Files Scan:
https://labs.inquest.net/dfi
PCAP Scan:
https://www.networktotal.com/index.html
Web Service Preview:
https://urlscan.io/
Web Service Risk Assessment:
https://zulu.zscaler.com/
https://www.ssllabs.com/
Black List Lookup:
https://talosintelligence.com/
SPAM Lookup:
https://www.spamhaus.org/lookup/
https://malwareanalyser.io/
https://www.hybrid-analysis.com/
https://malware.sekoia.fr/new
https://s.threatbook.cn/
Multi-Scan:
https://www.virustotal.com/
https://metadefender.opswat.com/
Office Files Scan:
https://labs.inquest.net/dfi
PCAP Scan:
https://www.networktotal.com/index.html
Web Service Preview:
https://urlscan.io/
Web Service Risk Assessment:
https://zulu.zscaler.com/
https://www.ssllabs.com/
Black List Lookup:
https://talosintelligence.com/
SPAM Lookup:
https://www.spamhaus.org/lookup/
Monday, December 23, 2019
The ngrep command makes NIDS become NIPS
1) Suppose the source sending out malicious packets has been confirmed, use the ngrep command:
#ngrep -d any -q -K 10 host 192.168.1.10
#ngrep -d any -q -K 10 port 8080
#ngrep -d any -q -K 10 host 192.168.1.10 and port 22
2) If a malicious snippet of those malicious packets has been identified, leverage the ngrep command:
#ngrep -d wlan0 -q -K 10 "^GET .* HTTP/1.[01]" "host www.google.es"
#ngrep -d any -q -K 10 “abcd” icmp
Bear in mind that the parameter, -d, is followed by the network interface, and -K is followed by a value representing how many RST packets would be sent to terminate the corresponding connections. The parameter, -q, shows that the application is running on the quiet mode.
#ngrep -d any -q -K 10 host 192.168.1.10
#ngrep -d any -q -K 10 port 8080
#ngrep -d any -q -K 10 host 192.168.1.10 and port 22
2) If a malicious snippet of those malicious packets has been identified, leverage the ngrep command:
#ngrep -d wlan0 -q -K 10 "^GET .* HTTP/1.[01]" "host www.google.es"
#ngrep -d any -q -K 10 “abcd” icmp
Bear in mind that the parameter, -d, is followed by the network interface, and -K is followed by a value representing how many RST packets would be sent to terminate the corresponding connections. The parameter, -q, shows that the application is running on the quiet mode.
Utilize several commands to pinpoint DDoS in Linux environments
1) First leverage the ifstat command to confirm the presence of DDoS:
#ifstat
OR
#ifstat -i INTERFACE
2) Then utilize either the iftop or iptraf to uncover the service under the attack:
#iftop -i INTERFACE
OR
#iptraf -i INTERFACE
3) If this is a client PC, leverage the nethogs command to determine which process is ocuppying the bandwidth.
#nethogs INTERFACE
#ifstat
OR
#ifstat -i INTERFACE
2) Then utilize either the iftop or iptraf to uncover the service under the attack:
#iftop -i INTERFACE
OR
#iptraf -i INTERFACE
3) If this is a client PC, leverage the nethogs command to determine which process is ocuppying the bandwidth.
#nethogs INTERFACE
Friday, December 20, 2019
Install Open Source Intelligence (OSINT) Framework through Docker
1) Install and run OSINT-Framework:
#/etc/init.d/docker start
#docker pull pierlo1/osint-framework:latest
#docker run --rm -i -t -p 8080:8080 pierlo1/osint-framework
2) Use a browser to open http://127.0.0.1:8080/
#/etc/init.d/docker start
#docker pull pierlo1/osint-framework:latest
#docker run --rm -i -t -p 8080:8080 pierlo1/osint-framework
2) Use a browser to open http://127.0.0.1:8080/
Web-to-Onion Proxies
There is a means allowing you to explore those hidden service residing in Tor network / Dark Web / Deep Web, and it is:
tor2web (https://www.tor2web.org/) :
Add the top level domain, ".to", at the end of the onion pseudo URL.
tor2web (https://www.tor2web.org/) :
Add the top level domain, ".to", at the end of the onion pseudo URL.
Tuesday, December 10, 2019
Requirement Specification of Endpoint Response Tool
1) Information Gathering
- Read Process List
- Read Details of each process
- Read "netstat -anb" information
2) Infected Endpoint Control
- Execute commands on endpoints
- Upload/Download files between endpoints and controllers
- Capture packets on endpoints
3) Security Detection Enhancement
- Built-in Malicious Code feeds that can be updated automatically
- Upload suspicious files to an on premise sandbox to analyze
- Import YARA rules
- Import Snort rules
4) Incident Response
- Block processes from sending packets
- Stop processes
- Clean / Delete infected files
- Isolate machines
5) Threat Intelligence Integration
- Asset Information Management
- Built-in Threat Intelligece feeds that can be updated automatically
- Sending alerts to SIEM through Syslog
6) Constraint
- Being able to coexist with such Antivirus as Symantec SEP
- Read Process List
- Read Details of each process
- Read "netstat -anb" information
2) Infected Endpoint Control
- Execute commands on endpoints
- Upload/Download files between endpoints and controllers
- Capture packets on endpoints
3) Security Detection Enhancement
- Built-in Malicious Code feeds that can be updated automatically
- Upload suspicious files to an on premise sandbox to analyze
- Import YARA rules
- Import Snort rules
4) Incident Response
- Block processes from sending packets
- Stop processes
- Clean / Delete infected files
- Isolate machines
5) Threat Intelligence Integration
- Asset Information Management
- Built-in Threat Intelligece feeds that can be updated automatically
- Sending alerts to SIEM through Syslog
6) Constraint
- Being able to coexist with such Antivirus as Symantec SEP
Decision Tree by Scikit-learn
#!/usr/bin/python
#Reference #1: http://benalexkeen.com/decision-tree-classifier-in-python-using-scikit-learn/
#Reference #2: https://www.datacamp.com/community/tutorials/decision-tree-classification-python
import pandas as pd
df = pd.read_csv('./alert_fast2.csv', index_col='No.')
print "Dataset Size : ", df.shape
print(df.head(10))
#We will be using Threat, Category, Proto, Src_ip, Src_port, Dst_ip, and Dst_port to predict the Result.
#Failed: Category, Src_ip, and Dst_ip are not integer values.
#df = df[['Threat', 'Category', 'Proto', 'Src_ip', 'Src_port', 'Dst_ip', 'Dst_port', 'Result']]
df = df[['Proto', 'Src_port', 'Dst_port', 'Result']]
#We need to convert those strings into integer values.
df['Result'] = df['Result'].map({'yes': 1, 'no': 0})
df['Proto'] = df['Proto'].map({'TCP': 1, 'UDP': 2, 'ICMP': 3, 'IP': 4})
#Drop any rows with missing values.
df = df.dropna()
X = df.drop('Result', axis=1)
y = df['Result']
from sklearn.model_selection import train_test_split
X_train, X_test, y_train, y_test = train_test_split(X, y, random_state=1)
from sklearn import tree
model = tree.DecisionTreeClassifier()
model.fit(X_train, y_train)
y_predict = model.predict(X_test)
from sklearn.metrics import accuracy_score
print "Accuracy : ", accuracy_score(y_test, y_predict)
# Making a Prediction On a New Sample
sample_one_pred = int(model.predict([[1, 1043, 80]]))
sample_two_pred = int(model.predict([[1, 1041, 80]]))
print "Sample_one_pred : ", sample_one_pred
print "Sample_two_pred : ", sample_two_pred
#Print out the tree
#from sklearn.tree.export import export_text
#from scikit.tree import export_text
#print(export_text(model))
#Reference #1: http://benalexkeen.com/decision-tree-classifier-in-python-using-scikit-learn/
#Reference #2: https://www.datacamp.com/community/tutorials/decision-tree-classification-python
import pandas as pd
df = pd.read_csv('./alert_fast2.csv', index_col='No.')
print "Dataset Size : ", df.shape
print(df.head(10))
#We will be using Threat, Category, Proto, Src_ip, Src_port, Dst_ip, and Dst_port to predict the Result.
#Failed: Category, Src_ip, and Dst_ip are not integer values.
#df = df[['Threat', 'Category', 'Proto', 'Src_ip', 'Src_port', 'Dst_ip', 'Dst_port', 'Result']]
df = df[['Proto', 'Src_port', 'Dst_port', 'Result']]
#We need to convert those strings into integer values.
df['Result'] = df['Result'].map({'yes': 1, 'no': 0})
df['Proto'] = df['Proto'].map({'TCP': 1, 'UDP': 2, 'ICMP': 3, 'IP': 4})
#Drop any rows with missing values.
df = df.dropna()
X = df.drop('Result', axis=1)
y = df['Result']
from sklearn.model_selection import train_test_split
X_train, X_test, y_train, y_test = train_test_split(X, y, random_state=1)
from sklearn import tree
model = tree.DecisionTreeClassifier()
model.fit(X_train, y_train)
y_predict = model.predict(X_test)
from sklearn.metrics import accuracy_score
print "Accuracy : ", accuracy_score(y_test, y_predict)
# Making a Prediction On a New Sample
sample_one_pred = int(model.predict([[1, 1043, 80]]))
sample_two_pred = int(model.predict([[1, 1041, 80]]))
print "Sample_one_pred : ", sample_one_pred
print "Sample_two_pred : ", sample_two_pred
#Print out the tree
#from sklearn.tree.export import export_text
#from scikit.tree import export_text
#print(export_text(model))
Tuesday, December 3, 2019
Deploy SSL Offloading Reverse Proxy through Docker and NGINX
References:
1)https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
2)https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/?_ga=2.180791975.1262112524.1575417960-988469526.1575417960
Test NGNIX docker:
#/etc/init.d/docker start
#docker pull nginx
#docker run -it nginx /bin/bash
Install essential software:
docker#apt-get update ; apt-get install net-tools vim openssl file
Generate SSL certificate and the key:
docker#openssl req -newkey rsa:2048 -nodes -keyout /etc/ssl/certs/key.pem -x509 -days 365 -out /etc/ssl/certs/certificate.pem
Modify the nginx.conf file:
docker#cd /etc/nginx
docker#cp ./nginx.conf ./nginx.conf.bak
docker#vi ./nginx.conf
Change the content of the nginx.conf to the content as follows:
---------------------------
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
stream {
upstream stream_backend {
server 8.8.8.8:81;
}
server {
listen 443 ssl;
proxy_pass stream_backend;
ssl_certificate /etc/ssl/certs/certificate.pem;
ssl_certificate_key /etc/ssl/certs/key.pem;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
ssl_handshake_timeout 30s;
}
}
---------------------------
:wq!
docker#/etc/init.d/nginx start
Create a new docker image:
#docker commit [CONTAINER ID] demonalex/nginx
1)https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
2)https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/?_ga=2.180791975.1262112524.1575417960-988469526.1575417960
Test NGNIX docker:
#/etc/init.d/docker start
#docker pull nginx
#docker run -it nginx /bin/bash
Install essential software:
docker#apt-get update ; apt-get install net-tools vim openssl file
Generate SSL certificate and the key:
docker#openssl req -newkey rsa:2048 -nodes -keyout /etc/ssl/certs/key.pem -x509 -days 365 -out /etc/ssl/certs/certificate.pem
Modify the nginx.conf file:
docker#cd /etc/nginx
docker#cp ./nginx.conf ./nginx.conf.bak
docker#vi ./nginx.conf
Change the content of the nginx.conf to the content as follows:
---------------------------
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
stream {
upstream stream_backend {
server 8.8.8.8:81;
}
server {
listen 443 ssl;
proxy_pass stream_backend;
ssl_certificate /etc/ssl/certs/certificate.pem;
ssl_certificate_key /etc/ssl/certs/key.pem;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
ssl_handshake_timeout 30s;
}
}
---------------------------
:wq!
docker#/etc/init.d/nginx start
Create a new docker image:
#docker commit [CONTAINER ID] demonalex/nginx
Sunday, December 1, 2019
Quick Set up NGINX with Modsecurity through Docker
Reference: https://hub.docker.com/r/owasp/modsecurity-crs
1) Pull the docker image first:
#/etc/init.d/docker start
#docker pull owasp/modsecurity-crs
2) Suppose Apache2 is running on the TCP81 of the server, and execute the following commands:
#/etc/init.d/apache2 start
3) Run the image:
#docker run -d -p 80:80 -e PARANOIA=5 -e PROXY=1 -e PROXYLOCATION=[URL] owasp/modsecurity-crs
Example:
#docker run -d -p 80:80 -e PARANOIA=5 -e PROXY=1 -e PROXYLOCATION=http://8.8.8.8:81/ owasp/modsecurity-crs
4) Check Modsecurity's log:
#docker exec -it [CONTAINER NAME] tail -n 30 -f /var/log/modsec_audit.log
Example:
#docker exec -it sweet_swartz tail -n 30 -f /var/log/modsec_audit.log
1) Pull the docker image first:
#/etc/init.d/docker start
#docker pull owasp/modsecurity-crs
2) Suppose Apache2 is running on the TCP81 of the server, and execute the following commands:
#/etc/init.d/apache2 start
3) Run the image:
#docker run -d -p 80:80 -e PARANOIA=5 -e PROXY=1 -e PROXYLOCATION=[URL] owasp/modsecurity-crs
Example:
#docker run -d -p 80:80 -e PARANOIA=5 -e PROXY=1 -e PROXYLOCATION=http://8.8.8.8:81/ owasp/modsecurity-crs
4) Check Modsecurity's log:
#docker exec -it [CONTAINER NAME] tail -n 30 -f /var/log/modsec_audit.log
Example:
#docker exec -it sweet_swartz tail -n 30 -f /var/log/modsec_audit.log
Subscribe to:
Posts (Atom)