Uncategorized

I use nmap all the time at work and recently came across rainmap-lite, which is an amazing web interface for nmap that allows you to easily schedule scans and email the results. I wanted to be able to share it with a class I am teaching, so I did what I have been doing lately and put it into a Docker container:


Running it is as simple as:
docker run -ti -p 8080:8080 --name rainmap jgamblin/rainmap
Then access:
http://yourip:8080/console

You can now run a ton of nmap scans and get the results emailed to you and your team.

Here is the Dockerfile:
FROM ubuntu:latest
# nmap does the scanning, sqlite backs the Django database, git fetches the source
RUN apt-get update && apt-get install sqlite3 git nmap python-pip -y
RUN pip install --upgrade pip
RUN pip install lxml
RUN pip install Django
RUN git clone https://github.com/cldrn/rainmap-lite
WORKDIR /rainmap-lite/rainmap-lite/
# run.sh (below) configures and starts the app; it only needs the execute bit
ADD run.sh /rainmap-lite/rainmap-lite/run.sh
RUN chmod +x /rainmap-lite/rainmap-lite/run.sh
CMD ./run.sh

Here is the run.sh:
#!/bin/bash
# Move the scan runner from the Django default port 8000 to 8080
sed -i "s/8000/8080/g" "nmaper-cronjob.py"
# Splice the user's settings into nmaper-cronjob.py in place of the sample values
# (values containing / or & would break these sed expressions)
echo "What is your public IP address?"
read -r ip
sed -i "s/127.0.0.1/$ip/g" "nmaper-cronjob.py"
echo "What is your SMTP user name?"
read -r user
sed -i "s/youremail@gmail.com/$user/g" "nmaper-cronjob.py"
echo "What is your SMTP password?"
read -rs pass   # -s keeps the password from being echoed to the terminal
echo
sed -i "s/yourpassword/$pass/g" "nmaper-cronjob.py"
echo "What is your SMTP address?"
read -r smtp
sed -i "s/smtp.gmail.com/$smtp/g" "nmaper-cronjob.py"
# Create the database, load the bundled nmap scan profiles and the console login
python manage.py migrate
python manage.py loaddata nmapprofiles
python manage.py createsuperuser
# Start the web console in the background and keep polling for scheduled scans
python manage.py runserver 0.0.0.0:8080 &
while true
do
    python nmaper-cronjob.py
    sleep 15
done
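Because run.sh prompts for its settings, the container has to run with -ti, and because it splices them into nmaper-cronjob.py with sed, a password containing /, & or \ breaks the substitution or changes the expression. As an added example that is not part of the original post, here is a non-interactive variant: the settings come from environment variables so the container can run detached, and every value is escaped before sed sees it. The PUBLIC_IP, SMTP_USER, SMTP_PASS and SMTP_HOST names are my own, and the configured file is written as a copy rather than edited in place.

```bash
#!/bin/bash
# Added example, not the original run.sh: render nmaper-cronjob.py from
# environment variables (names below are my own) instead of interactive
# prompts, so the container can start with `docker run -d -e ...`.
set -e

# Escape a string for the replacement side of a sed s/// expression:
# '/', '&' and '\' each get a leading backslash, so a password such as
# 'p/a&ss\w' is inserted literally instead of altering the expression.
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

# Write a configured copy of the cron job script.
#   $1 = template (the stock nmaper-cronjob.py), $2 = output path
# Required variables: PUBLIC_IP, SMTP_USER, SMTP_PASS, SMTP_HOST.
render_config() {
  local src="$1" dst="$2"
  : "${PUBLIC_IP:?set PUBLIC_IP}" "${SMTP_USER:?set SMTP_USER}"
  : "${SMTP_PASS:?set SMTP_PASS}" "${SMTP_HOST:?set SMTP_HOST}"
  # Dots are escaped on the match side so 127.0.0.1 only matches itself.
  sed -e 's/8000/8080/g' \
      -e "s/127\.0\.0\.1/$(sed_escape "$PUBLIC_IP")/g" \
      -e "s/youremail@gmail\.com/$(sed_escape "$SMTP_USER")/g" \
      -e "s/yourpassword/$(sed_escape "$SMTP_PASS")/g" \
      -e "s/smtp\.gmail\.com/$(sed_escape "$SMTP_HOST")/g" \
      "$src" > "$dst"
}

# Usage inside the container:
#   render_config nmaper-cronjob.py.orig nmaper-cronjob.py
```

Anything passed with -e is visible to whoever can run docker inspect on the host, so a mounted secrets file or Docker secret is the next step up.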

Protip:  SendGrid offers a free SMTP server. 

Career, Hacking, Security

One of the first things I like to do when I start looking at a PCAP during an investigation is run it through Snort to see if it finds anything suspicious. You can easily do this at the command line with snort -dv -r test.pcap, but the output is not great.

I have been using a tool called websnort for better output recently and decided it was time to put it into a docker container for easy portability.


To run it: 
docker run -d -p 8080:8080 jgamblin/websnort

If you want to build your own, the Dockerfile is:
FROM ubuntu:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install python-pip snort -y
# The snort package installs snort.conf with restricted permissions; websnort has to be able to read it
RUN chmod a+r /etc/snort/snort.conf
RUN pip install websnort
CMD websnort

Protip: malware-traffic-analysis.net has great PCAPs for testing your security tools.

Hacking, Security

My friends at DigitalOcean were nice enough to give me a generous amount of credit on their cloud platform to do some security research with so I decided to do the most reckless thing I could think of and run a full ssh honeypot on the internet.

The build-out is pretty simple: it is the SSHoneypot Docker container I wrote, running on a Debian droplet with all outbound traffic blocked so that, in theory, not much damage can be done.

Surprisingly, it has taken a few days for people to start exploiting the boxes, but when I got up this morning 2 of the boxes had been “hacked”.

In order to share these findings with the community I will copy all files written to these honeypots to honeyfiles.jgamblin.com.


I have a long way to go with this project as way too much of it is manual now.  I need to invest the time to automate notification, moving the files to the web server and starting a new container.

If you are interested in full pcaps or any of the actual exploited SSHoneypot containers, reach out to me on Twitter at @jgamblin and I will be glad to share.

Uncategorized

I am at Security Summer Camp this week, and you always hear about how dangerous these networks are with no real proof, so I decided to see how dangerous they are*. I built the most insecure Docker container I can think of: it runs SSHD with the root password set to root* to see what happens when I expose it to the Blackhat and Defcon networks.

I put the container here: jgamblin/sshoneypot

If you want to build and modify your own, here is my base Dockerfile:

FROM bashell/alpine-bash:latest

RUN apk update && apk upgrade

# Deliberately weak by design: root may log in over SSH and its password is "root"
RUN apk add openssh openssh-sftp-server byobu tmux && \
    /bin/sed -i -e 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && \
    /usr/bin/ssh-keygen -A && \
    echo "source /etc/profile.d/color_prompt" > /etc/skel/.bashrc && \
    cp /etc/skel/.bashrc /root/.bashrc && \
    echo "root:root" | chpasswd && \
    su - root -c "byobu-launcher-install"

EXPOSE 22
# -D keeps sshd in the foreground; -e sends its log lines to stderr, where docker logs can read them
CMD ["/usr/sbin/sshd", "-D", "-e"]
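Since the CMD runs sshd with -e, every authentication message ends up in docker logs, which is the raw material for the notification and "spin up a fresh container" automation mentioned above. The following is an added example, not part of the original post: it summarises those lines per source IP and pulls out the successful logins as the trigger event. The container name sshoneypot and the sample log lines are constructed for the example.

```bash
#!/bin/bash
# Added example, not from the original post: triage the honeypot's sshd
# output. The Dockerfile's CMD runs `sshd -D -e`, so the auth messages go
# to stderr and can be read with `docker logs sshoneypot 2>&1`.
set -e

# Per source IP: failed attempts, accepted logins and the usernames tried.
# Handles both "Failed password for root from IP ..." and the
# "... for invalid user admin from IP ..." form by locating "from".
summarize_sshd() {
  awk '
    /^(Accepted|Failed) [^ ]+ for / {
      for (i = 2; i < NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
      if ($1 == "Accepted") accepted[ip]++; else failed[ip]++
      if (index("," users[ip] ",", "," user ",") == 0)
        users[ip] = (users[ip] == "") ? user : users[ip] "," user
    }
    END {
      for (ip in users)
        printf "%s failed=%d accepted=%d users=%s\n", ip, failed[ip], accepted[ip], users[ip]
    }' | sort
}

# Just the successful logins, as "user ip" pairs: the event to alert on,
# archive the container for, and replace it with a clean one.
accepted_logins() {
  awk '/^Accepted [^ ]+ for / {
    for (i = 2; i < NF; i++) if ($i == "from") print $(i - 1), $(i + 1)
  }'
}

# Constructed sample of what docker logs returns for a probed container.
SAMPLE_LOG='Failed password for root from 198.51.100.7 port 51234 ssh2
Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Accepted password for root from 203.0.113.5 port 40001 ssh2
Failed password for root from 203.0.113.5 port 40000 ssh2'

# Live use: docker logs -f sshoneypot 2>&1 | accepted_logins | while read -r user ip; do ...; done
printf '%s\n' "$SAMPLE_LOG" | summarize_sshd
```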

I have been running it on a DigitalOcean droplet for a few hours and, surprisingly, none of the bots have been successful yet.

I will have a blog post next week with full pcaps and copies of the containers for any that have successful logins.

*This is like a really bad idea.  

Career, Hacking, Security

I took some time tonight and read through the Security Summer Camp  (BSidesLV, Blackhat and Defcon) schedules and picked the talks from this year that I think will be the best and that I do not want to miss.

I ended up with these 16 talks I am going to make a special point to see next week:

BSidesLV

Managing Security with the OWASP Assimilation Project.
I want to see how Alan is using this OWASP project and how it compares to commercial CMDBs.

Automation of Penetration Testing and the future.
I am really interested in this subject as security is seriously lagging behind in the automation arms race and I think it will be the hottest trend in security over the next year.

How to Get and Maintain your Compliance without ticking everyone off.
The outline for this talk is a little sparse but I am interested in seeing what these guys come up with since I know them and am interested in this subject.

How to travel to high-risk destinations as safely as possible.
Ryan will do an amazing job on this talk but I am going to go to this talk to see how many of these things I can steal for my own OpSec.

A Peek Behind Vegas Surveillance.
Um… because why not? I love Oceans 11.

Automation Plumbing.
Another automation talk…. I sense a trend.

BlackHat

An insider’s guide to cyber-insurance and security guarantees.
I am  interested in this subject in general and how it will shape security in the next few years.

Cyber war in perspective: analysis from the crisis in Ukraine
I have read a couple of books and watched Winter on Fire about this conflict, so it will be interesting to hear about it from a cyber-war perspective.

Defcon

Universal Serial aBUSe: Remote physical access attacks.
This is going to be the best and most talked about talk at Defcon.  If Dominic brings the tool outlined in the talk (and he will) you will be reading about this for the next month.

Realtime bluetooth device detection with Blue Hydra
I love hacking bluetooth devices and Blue Hydra is an amazing new tool.

BSODomizer HD: A mischievous FPGA and HDMI platform for the (m)asses
These guys know so much about hacking hardware, and this talk and tool are going to be amazing. I hope Joe has a kit together by Defcon so I can buy it.

101 Ways to Brick your Hardware
Joe FitzPatrick is one of the smartest guys I know, and watching this talk on his failures will be entertaining, educational and inspiring. Amazing and truly talented people can always laugh at themselves.

Picking Bluetooth Low Energy Locks from a Quarter Mile Away
Um… are you telling me you wouldn’t want to see this?

Hacking Hotel Keys and Point of Sale systems
I am glad I will be checked out of my room by the time this talk is given.

Other

Sun, Sin, Security: IOActive
IOActive does an amazing job with their event every year and they will have some amazing talks.

Securing the Internet of Things (SIOT)
I love IOT security and I will be speaking at this event.

I will just leave this here for discussion at another time but I am probably skipping the Blackhat badge next year:

Conference   Badge Cost   Talks   Cost Per Talk
BSidesLV     $0.00        6       $0.00
BlackHat     $2,295.00    2       $1,147.50
Defcon       $240.00      6       $40.00
Career

Security Summer Camp  (BSidesLV, Blackhat and Defcon)  is the most important week in the security industry and as such you need to be prepared to network like a professional.

Here are 6 things you can do this week to get ready:

Freshen Up Your Social Media Profiles

Is your Twitter profile picture 4 years old? Does your Twitter bio mention a meme from 3 years ago? Do you have a blog that hasn’t had a new post in 18 months?

Spend some time doing basic upkeep on the social media channels you use, and shut down the ones that you don’t.

Get Some Personal Cards

It is 2016 and we should all be able to NFC our contact info securely to the person next to us in 10 seconds, but we can’t.

You should invest in some  personal networking cards that you can hand to someone when you want to take that conversation about that amazing project they are working on from the Rapid7 party offline so you can really understand the technical details.

These just need your name, email and social media contact information (Moo.com is where I get mine). 

Plan Your Week

Seriously.

Sit down this week and decide which talks you want to see, who you want to meet and what parties you want to attend and be realistic about it.   Decide what is important to you and make sure you attend those things.

Defconparties.info  keeps the most up-to-date list of parties that are happening during security summer camp.

Dress The Part

Dinner at Carnevino with your favorite vendor and the pool party at BSidesLV require two totally different outfits. You don’t want to be the jerk who shows up at the best steakhouse in Vegas in flip-flops or the jerk who goes to a pool party in a blazer.

You will need everything from workout clothes to your best “meeting with the VC firm” jeans and there is no way you are getting this all in a carry on. So pack like an adult and bring more clothes than you think you need.

Let People Know You Are Going

If you want to meet with anyone at summer camp let them know this week that you are going.  Schedules get crazy and if you want someone to give you an hour of time you probably need to start playing calendar tag with them this week.

Polish Your Resume

You might not be looking for your next job when you head to Vegas, but you should always be open to the right job. You don’t want to be scrambling around when someone wants to talk to you about the <insert dream job title> position at <insert dream company>. It is also a good time to make sure your LinkedIn profile is up-to-date.

Hacking, Security

We are two weeks away from Security Summer Camp (which is BSidesLV, Blackhat and Defcon)!

 

So it is time for everyone to write their annual blog posts about what you must do before you head out.  I want to be one of the cool kids so here is my list of 6 things to do before you pack:

Delete All The Saved SSIDs On Your Devices

A common attack that hackers like to do is spoof common SSIDs so that your device connects automatically and starts using their AP, letting them capture all your information. I actually wrote a script called mana-common that spoofs the most common ones to demo this problem.

You should delete all the saved SSIDs on your devices to avoid falling victim to this attack.

Get A Hot Spot

Connecting to a hotel network at a Hilton in Little Rock is dangerous. Connecting to a hotel network in Las Vegas is reckless. Connecting to a hotel network in Las Vegas during Security Summer Camp is stupid.   You can pick up a mobile hotspot for about $25 a month.

Get A VPN

You could easily get a commercial VPN, but if you want to go to the next step, build your own Streisand server or an OpenVPN server and delete it when you are done with it. It will help protect your data from anyone who may be snooping on you.

Change All Your Passwords (Before and After)

You should run your password manager’s auto-change feature before you leave for Vegas and again when you get back, just in case someone gets hold of your account. You do use a password manager, right?

Turn on 2FA On All Your Accounts.

You should at a minimum enable 2FA on all your social media and  financial accounts before you head out. Twofactorauth.org has great information on how to configure your accounts to use 2FA.

PCAP All Your Traffic

This is the most paranoid of my tips, but when I am at a conference I always PCAP all my data so that if I do get breached I can hopefully figure out how, or at least write a good blog post about it.

I wrote a blog post on doing this with docker earlier this summer so I now can run this to save the pcaps to my dropbox:
docker run -v ~/Dropbox/pcap:/pcap --net=host -d jgamblin/tcpdump

The truth is these 6 rules should be followed all the time if you want to have a decent operational security posture. OK, you might not need to PCAP everything, I am just paranoid… follow the first and you will be OK.

Also, while at Security Summer Camp drink plenty of water, don’t sleep much and have fun!