Hacking, Security

While doing security research it is not uncommon for me to build and destroy between 20 and 25 cloud servers a week on Digital Ocean.

While there are great guides like:
My First 10 Minutes On a Server – Primer for Securing Ubuntu
My First 5 Minutes On A Server; Or, Essential Security for Linux Servers

I do not have the time to manually follow these guides on a server I may shut down in an hour so I have slowly been building a shell script to do a lot of this for me.

Now the first thing I do when I log into a box is:
curl -sSL https://raw.githubusercontent.com/jgamblin/quickinstall/master/quickinstall.sh | sh

The script does the following:
Enables UFW and denies all inbound traffic except for SSH.
Sets the timezone to Universal Coordinated Time.
Installs Python, Ruby, nodejs, Docker.io, Fail2Ban and unattended-upgrades.
Launches a PCAP docker container to capture all server traffic in PCAPs.

While it is not pretty it does what I need:

#Install and configure firewall
echo -e "\nInstalling and configuring firewall\n"
apt-get install ufw -y
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh

cat /etc/ufw/ufw.conf | sed 's/ENABLED=no/ENABLED=yes/g' > ~/ufw.conf
chmod 0644 ~/ufw.conf
mv -f ~/ufw.conf /etc/ufw/ufw.conf

# set timezone to Universal Coordinated Time
sudo timedatectl set-timezone UTC

# Upgrade installed packages to latest
apt-get update && apt-get dist-upgrade -y

#Install stuff I use all the time
apt-get install -y build-essential checkinstall docker.io fail2ban git git-core libbz2-dev libc6-dev libgdbm-dev libncursesw5-dev libreadline-gplv2-dev libsqlite3-dev libssl-dev nikto nmap nodejs python-dev python-numpy python-scipy python-setuptools tk-dev unattended-upgrades 

#Install Ruby
curl -L https://get.rvm.io | bash -s stable --ruby

#PCAP Everything
docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdump

I will continue to build this out in this GitHub repo.

Career, Hacking, Security

There has been a lot of talk about why you should use a VPN on public networks and why it shouldn’t be a commercial one.

I am a huge fan of the Streisand privacy stack because it includes an L2TP/IPsec VPN, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge all in one amazing package.

The problem with Streisand, though, is that the install is amazingly complicated: it uses ansible from your local system to set up a cloud provider through API calls, and if you are not in a shop that uses this technology it can be difficult to get working correctly. So I have simplified the install to run directly on a digitalocean server (but this should work everywhere).

The steps are as follows:

Create a new  digitalocean Ubuntu 14.04 droplet named streisand with your SSH key.
The $5 droplet “works” but if you are not going to keep it running all the time (I wouldn't) I would spin this up on a $20 a month droplet when needed (say for a trip out of the country or to blackhat).

Run the following commands to install the prerequisites:
sudo apt-get update && sudo apt-get install -y git python-paramiko python-pip python-pycurl python-dev build-essential
sudo pip install ansible markupsafe dopy==0.3.5

Download and configure streisand with the following commands:
git clone https://github.com/jlund/streisand.git && cd streisand/playbooks
sed -i 's/streisand-host/localhost/' streisand.yml
sudo ansible-playbook -i "localhost," -c local streisand.yml
sed -i "s/localhost/$(curl -s ipecho.net/plain)/g" ../generated-docs/streisand.html
(This takes between 10 and 15 minutes to complete.)

Use streisand for safer internet: 
Copy generated-docs/streisand.html to your local machine using scp or just cat and paste (cat ../generated-docs/streisand.html) and it will have all the information you need to use your new privacy server on almost every device you own.  You can also share this information with your family or team as one server should support 4 or 5 users.

If you trust me (and you shouldn't) here is a bash script to automate the install:

Career, Security

I worked with a consultant using the lair framework two years ago and since then I have been a huge fan of the project to manage pentest information.

Tom Steele has done an amazing job with the project, but it has been a pain to install. Thanks to Ryan Hanson and Docker you can now set up a lair instance with 7 simple commands on a clean (digitalocean) Ubuntu 16.04 install:

curl -sSL https://get.docker.com/ | sh
curl -L https://github.com/docker/compose/releases/download/1.6.2/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
git clone https://github.com/ryhanson/lair-docker.git
cd lair-docker
docker-compose build
docker-compose up

From there you can start importing data with drones or entering it manually, but with the installation bar lowered you do not have a reason not to give this amazing tool a try!
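
Both this install and the quickinstall one-liner earlier on the page pipe a download straight into a shell, so whatever the server returns at that moment is what runs as root. The following is an added example (not from any of the projects mentioned) of downloading to disk, checking a pinned SHA-256 and only then executing; the function names are hypothetical and the hash you pin is one you record yourself after reading the script.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a pinned SHA-256
# before any interpreter sees it.

# sha256_of FILE: print the hex digest (GNU coreutils or the BSD/macOS tool).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_if_pinned FILE EXPECTED_SHA256 [INTERPRETER]
# Returns 2 without executing anything when the digest does not match.
run_if_pinned() {
    file=$1; want=$2; interp=${3:-sh}
    got=$(sha256_of "$file") || return 1
    if [ "$got" != "$want" ]; then
        echo "refusing to run $file: sha256 $got, pinned $want" >&2
        return 2
    fi
    "$interp" "$file"
}

# fetch_and_run URL EXPECTED_SHA256 [INTERPRETER]
# -f makes curl fail on an HTTP error instead of saving the error page.
fetch_and_run() {
    tmp=$(mktemp) || return 1
    curl -fsSL "$1" -o "$tmp" && run_if_pinned "$tmp" "$2" "${3:-sh}"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed offline demo: a local stand-in installer, pinned and then run.
demo=$(mktemp)
echo 'echo "installer ran"' > "$demo"
run_if_pinned "$demo" "$(sha256_of "$demo")" sh
rm -f "$demo"
```

In place of the first of the 7 commands this would be: fetch_and_run https://get.docker.com/ YOUR_RECORDED_SHA256 sh (the hash is a placeholder). A URL that tracks a moving branch will fail the check whenever upstream changes, which is the point: you re-read the script before updating the pin.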


One of the tips that security professionals love to give is to use a VPN on public wifi networks. This is great advice (I personally like PrivateInternetAccess and NordVPN). Recently I noticed nike.com blocks traffic from TOR and VPN providers:


That got me wondering what other websites were blocking traffic from these sources so I decided to test the Alexa Top 1000 websites.

First I needed to get a list of the Top 1000 websites.   To do this I used this line of command line kung fu that grabs a CSV of the top 1 million websites and puts the top 1000 in a urls.txt file:

curl -s -O s3.amazonaws.com/alexa-static/top-1m.csv.zip ; unzip -q -o top-1m.csv.zip top-1m.csv ; head -1000 top-1m.csv | cut -d, -f2 | cut -d/ -f1 > urls.txt

Here is the output from this command.

I now needed to automatically take a screenshot of 1000 websites.   I had started to write my own terrible python script using selenium until Chris Truncer pointed me to his amazing project called EyeWitness.

The command I used was:
./Eyewitness.py --web -f urls.txt


During my first test using PrivateInternetAccess I found 11 of 1000* blocked access with a 401/404:


With craigslist.org, nike.com, ticketmaster.com and hilton.com being the most impactful websites on that list:


I then ran the test again through tor (using the tor container I built) and found 40 of 1000* blocked access with a 401/404:


With many more asking for a captcha before gaining access:


Epilogue: I play defense in my day job. I understand the need to stop malicious traffic from reaching your website. This isn’t an indictment, just an academic exercise, although if more and more websites take this approach tools like TOR and commercial VPNs will become less useful.

Final Notes: 
I was surprised at how many porn websites are in the top 1000 overall websites.
It takes 1.8 gigs of storage to screenshot the top 1000 websites.
*Your results will vary on what is blocked based on exit node, VPN, time you test and what color shirt you have on.
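
Screenshots need a human to review them, and a site that returns 404 to everyone looks the same as one that only blocks the VPN. The following added example (not the method used in the post) records status codes once over a direct connection and once through the VPN or Tor, then lists only the hosts whose answer changed to a block code. The function names are hypothetical and the results files are constructed sample data.

```shell
#!/bin/sh
# Added example: record HTTP status codes twice (direct, then through the VPN
# or Tor) and report only the hosts whose answer changed to a block code.

# probe FILE: print "host status" per line; 000 means no HTTP response at all.
probe() {
    while read -r host; do
        code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "http://$host/")
        echo "$host $code"
    done < "$1"
}

# compare_runs BASELINE VPN: hosts that answered 2xx/3xx directly but returned
# one of $BLOCK_CODES on the second run. 401 and 404 are the codes seen in the
# post; add others (403, 429) if the sites you test use them.
BLOCK_CODES=${BLOCK_CODES:-"401 404"}
compare_runs() {
    awk -v codes="$BLOCK_CODES" '
        BEGIN { n = split(codes, c, " "); for (i = 1; i <= n; i++) blk[c[i]] = 1 }
        NR == FNR { base[$1] = $2; next }
        ($1 in base) && base[$1] ~ /^[23]/ && ($2 in blk) {
            print $1, base[$1] "->" $2
        }' "$1" "$2"
}

# Constructed results standing in for `probe urls.txt` run off and on the VPN.
demo_dir=$(mktemp -d)
cat > "$demo_dir/direct.txt" <<'EOF'
shop.example 200
news.example 301
gone.example 404
down.example 000
EOF
cat > "$demo_dir/vpn.txt" <<'EOF'
shop.example 401
news.example 301
gone.example 404
down.example 000
EOF
compare_runs "$demo_dir/direct.txt" "$demo_dir/vpn.txt"
rm -rf "$demo_dir"
```

Against the real list: probe urls.txt > direct.txt, connect the VPN, probe urls.txt > vpn.txt, then compare_runs direct.txt vpn.txt. Captcha pages usually come back with a normal status code, so those still need the screenshots.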


I had a 2014 Dell Chromebook 11 I was not doing anything with, so I decided to turn it into a standalone Kali box using the Chromium OS Universal Chroot Environment.

The installation steps are pretty simple:

Add a l33t hacker sticker:


 Enable Developer Mode (this will wipe the device).

 Login and download the latest crouton

Access the terminal by pressing:

Run the following commands:
sudo sh -e ~/Downloads/crouton -r sana -t xfce

Go eat lunch (it takes about 30 minutes to pull down the image).

Hack (legally) all the things:
You have a couple of options on how to use Kali on  the ChromeBook.  The option I will use the most is just  the terminal option.  You can access it by typing: sudo enter-chroot -n sana


You can also access a full gui by typing:  sudo startxfce4 -n sana

Couple of notes:
Kali-Rolling is working on crouton right now due to an abandoned package issue.  They are working on it.
The install of Kali is super light weight.  The meta-packages will be your friend when building your image.

Career, Hacking

A picture started floating around the internet of  Mark Zuckerberg holding an Instagram cutout:


People almost instantly started to notice that his webcam and mic were taped over. Mark Zuckerberg isn't exactly known for having great security practices (all his social media passwords were Dadada), but this started a discussion in the office about whether someone could really spy on you via your webcam. So, being a huge fan of the POC||GTFO model of security, I put together a quick POC using a 10 line bash script and imagesnap and put it on github.

Simply running ./capture.sh & takes a photo every 60 seconds.


While I don't shower with my mac (that much) I will be Zuckerberging my webcam from now on so hackers can not see the strange faces I make at my computer when trying to figure out how to get a bash script to work correctly.

Career, Hacking

While rebuilding my iPad this weekend I noticed that I could name it an emoji.  So I named my iPad 📱(U+1F4F1):



While  I don’t have any problem using the iPad it basically makes it unreachable on the network via hostname.


From there I renamed all of my lab machines emojis.  Mostly  variations of 💩 (U+1F4A9) because I am sophomoric:

In case you were wondering, this is all totally illegal according to RFC 952 (that was written in 1985) and shouldn’t be allowed, but I have not found an OS that enforces it.

While doing some research on hostnames and emojis I read that .ws (Samoa) and .tk (Tokelau) allow emoji domains with the help of punycoder, so I registered http://☠💻💩.ws, which is either going to be a waste of $6 or the start of a $10B security startup. I have not decided yet.


If all of this isn’t ridiculous enough for you, you can even name your wireless network with emojis:


…emojis: they just aren’t for 12 year olds anymore.  😎
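
Since no OS enforces the hostname rules, the check has to live in whatever provisions or inventories machines. The following added example (not from the original post) rejects names that break the RFC 952 character set, using the RFC 1123 relaxations (a leading digit is allowed, labels up to 63 characters); the function name and the sample names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag hostnames that break the RFC 952 character rules
# (as relaxed by RFC 1123) before they reach DNS, DHCP or an asset inventory.
valid_hostname() (
    LC_ALL=C; export LC_ALL          # compare bytes, so emoji never count as letters
    name=${1%.}                      # tolerate one trailing root dot
    [ -n "$name" ] && [ "${#name}" -le 253 ] || exit 1
    case $name in .*|*.|*..*) exit 1 ;; esac
    IFS=.; set -f; set -- $name      # split into labels; the subshell keeps this local
    for label; do
        [ "${#label}" -le 63 ] || exit 1
        case $label in
            -*|*-|*[!A-Za-z0-9-]*) exit 1 ;;
        esac
    done
)

# Constructed sample names. xn--ls8h is the punycode (A-label) form of the
# pile-of-poo emoji, which is why an emoji domain can exist in DNS at all.
for h in kali-box xn--ls8h.ws '💩' 'lab_01' '-edge'; do
    if valid_hostname "$h"; then echo "ok      $h"; else echo "invalid $h"; fi
done
```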