I always do this… I wrote KaliBrowser over the weekend and today at lunch I was thinking this same setup would be really handy to use with Burp so I put together BurpBrowser that lets you run Burp and Firefox in a browser.
It runs the following packages:
Ubuntu 16.04
Burp Proxy
Firefox
OpenBox
NoVNC
Getting started is as easy as:
docker run --name burpbrowser -d -t -i -p 80:6080 jgamblin/burpbrowser
and then point your favorite browser to:
http://ip
If you want to build a local copy (or laugh at how terrible I am at Docker), here is what is in the Dockerfile:
FROM ubuntu:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -y && \
apt-get install -y \
git \
xvfb \
x11vnc \
wget \
python \
python-numpy \
unzip \
menu \
geany \
openbox \
net-tools \
openjdk-8-jre \
firefox
RUN cd /root && git clone https://github.com/kanaka/noVNC.git && \
cd noVNC/utils && git clone https://github.com/kanaka/websockify websockify && \
cd /root
ADD burpsuite_pro_v1.7.03.jar /root
ADD burpsuite_free_v1.7.03.jar /root
ADD startup.sh /startup.sh
RUN chmod 0755 /startup.sh && \
apt-get autoclean && \
apt-get autoremove && \
rm -rf /var/lib/apt/lists/*
CMD /startup.sh
Here is what is in the startup.sh
#!/bin/bash
export DISPLAY=:1
Xvfb :1 -screen 0 1600x900x16 &
sleep 5
openbox-session &
x11vnc -display :1 -nopw -listen localhost -xkb -ncache 10 -ncache_cr -forever &
cd /root/noVNC && ln -s vnc_auto.html index.html && ./utils/launch.sh --vnc localhost:5900
If you have any questions or comments reach out to me on twitter at @jgamblin
Happy Burping! : )
Month: May 2016
I have been spending some time recently getting up to speed on Docker so this weekend I built KaliBrowser:
It runs the following packages:
Kali Docker
OpenBox
NoVNC
Getting started is as easy as:
docker run -d -t -i -p 6080:6080 jgamblin/kalibrowser
and then point your favorite browser to:
http://ip:6080
To keep this image as small as I could (and it is still 841MB) I only included the base. If you want a “ready to go” version, I built jgamblin/kalibrowser-top10 (2GB), which has the Kali Top 10 metapackage pre-installed; to use that run:
docker run -d -t -i -p 6080:6080 jgamblin/kalibrowser-top10
If you want to build a local copy (or laugh at how terrible I am at Docker), here is what is in the Dockerfile:
FROM kalilinux/kali-linux-docker
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -y && \
apt-get install -y \
net-tools \
openbox \
git \
x11vnc \
xvfb \
wget \
python \
python-numpy \
unzip \
geany \
iceweasel \
menu && \
cd /root && git clone https://github.com/kanaka/noVNC.git && \
cd noVNC/utils && git clone https://github.com/kanaka/websockify websockify && \
cd /root
ADD startup.sh /startup.sh
RUN chmod 0755 /startup.sh && \
apt-get autoremove && \
rm -rf /var/lib/apt/lists/*
#The Kali Docker Image Is Out Of Date. : (
RUN apt-get update -y && apt-get dist-upgrade -y
CMD /startup.sh
and the startup.sh
#!/bin/bash
export DISPLAY=:1
Xvfb :1 -screen 0 1600x900x16 &
sleep 5
openbox-session &
x11vnc -display :1 -nopw -listen localhost -xkb -ncache 10 -ncache_cr -forever &
cd /root/noVNC && ln -s vnc_auto.html index.html && ./utils/launch.sh --vnc localhost:5900
If you have any questions or comments reach out to me on twitter at @jgamblin
Yesterday I was in a situation where I was helping someone who needed to monitor and record all the traffic from a couple of servers for a day to investigate a strange issue that was happening.
Normally for this I would just tell them to run this command to record a day’s worth of traffic into 15 minute chunks:
tcpdump -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96
…but this is 2016 and we have containers!
(Not An Actual Docker Container.)
So I did what any self-respecting security professional would do and spent a Friday night writing a tcpdump container and put it on Docker Hub.
So now in the future when anyone wants to record all the traffic from a server all they have to do is run
docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdump
and the pcaps will save in their home directory.
If you want to build your own copy here is everything I have in the dockerfile:
FROM debian
RUN apt-get update && apt-get install -y \
tcpdump
RUN mkdir /pcap
WORKDIR /pcap
CMD tcpdump -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96
From here if you wanted to display the PCAPs in a browser for easy access all you need to do is run
docker run -h tccdumpweb -p 1337:80 -v ~/pcap:/var/www/html/ -d eboraas/apache
and all files captured will be displayed at http://hostip:1337.
Happy tcpdumping!
At work we are moving to slack as a communication method and since I am spending so much time in the tool I decided it was time to start building in some of the tools I use on a regular basis. So far I have put together the following tools:
/NMAP
Nmap-For-Slack runs a basic scan (nmap --top-ports 50 --open) against a host and returns the results. I have to use such a basic scan because Slack’s slash-command timeout is 3000 ms, which limits what I can do.
/DNSRECON
DNSRecon-for-slack allows you to run a basic DNSRecon scan from inside of Slack.
/IPINFO
ipinfo-for-slack looks up and displays information from ipinfo.io.
/HOSTLOOKUP
Hostlookup-for-slack grabs all the A records for a domain and displays them.
Technical Configuration:
This configuration needs the following:
Slack team.
Publicly Accessible Web Server Running:
Apache
PHP
Valid DNS Record and TLS Cert
I really like a $5 DigitalOcean droplet for this.
A list of APIs you want to query or installed local security tools (nmap, dnsrecon) you want to run.
To Do List:
Figure out how to display json blobs as flat text in html.
Figure out how to bypass 3000 ms timeout to run more complex commands.
Build a bunch more of these tools (nessus, shodan, censys.io are on the list).
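Because these commands hand a chat user’s text to a local tool, the back end needs to treat that text as untrusted input. The example below is added here and is not the PHP code behind Nmap-For-Slack; it is a Python sketch of the same slash-command handler. It validates the target as a single hostname or IP address (so it can never be read as an extra nmap option or a shell metacharacter, since the scan is run as an argv list with no shell), checks the command’s verification token, and uses Slack’s ack-now, answer-later pattern: the HTTP reply must arrive within 3000 ms, but Slack includes a response_url that accepts the real result afterwards, which is the usual way around the timeout noted in the to-do list. The token, response_url and form payload values are constructed.

```python
"""Slash-command back end sketch for a tool like Nmap-for-Slack (added example)."""
import hmac
import ipaddress
import json
import re
import subprocess
import urllib.request
from typing import Optional

# Assumption: the slash command's verification token as configured in Slack
# and stored server-side (constructed value).
EXPECTED_TOKEN = "constructed-slack-verification-token"

# One RFC 1123 hostname label; a hostname is dot-separated labels.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def validate_target(text: str) -> Optional[str]:
    """Return the target if it is a single IP address or hostname, else None.
    A leading '-' is rejected so the value can never be parsed as an nmap option."""
    target = text.strip()
    if not target or len(target) > 253 or target.startswith("-"):
        return None
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    return target if HOSTNAME_RE.match(target) else None


def build_nmap_argv(target: str) -> list:
    """The fixed, small scan from the post as an argv list (no shell=True),
    so the target is always exactly one argument."""
    return ["nmap", "--top-ports", "50", "--open", target]


def handle_slash_command(form: dict) -> dict:
    """Process the form fields Slack POSTs for a slash command.
    Returns the immediate HTTP reply plus, on success, a job to run later."""
    supplied = form.get("token", "").encode()
    if not hmac.compare_digest(supplied, EXPECTED_TOKEN.encode()):
        return {"status": 403, "body": {"text": "bad token"}, "job": None}
    target = validate_target(form.get("text", ""))
    if target is None:
        return {"status": 200,
                "body": {"response_type": "ephemeral",
                         "text": "Usage: /nmap <hostname or IP address>"},
                "job": None}
    job = {"argv": build_nmap_argv(target),
           "response_url": form.get("response_url", ""),
           "user": form.get("user_name", "unknown")}
    ack = {"response_type": "ephemeral",
           "text": f"Scanning {target}; results will follow."}
    return {"status": 200, "body": ack, "job": job}


def run_job(job: dict, timeout: int = 120) -> str:
    """Run the scan with a hard timeout and return the text to post back."""
    try:
        proc = subprocess.run(job["argv"], capture_output=True, text=True,
                              timeout=timeout, check=False)
        return proc.stdout or proc.stderr or "(no output)"
    except FileNotFoundError:
        return "nmap is not installed on the bot host"
    except subprocess.TimeoutExpired:
        return f"scan exceeded {timeout}s and was killed"


def post_delayed_response(response_url: str, text: str) -> None:
    """Deliver the result via Slack's response_url after the 3000 ms window."""
    body = json.dumps({"response_type": "in_channel", "text": text}).encode()
    req = urllib.request.Request(response_url, data=body,
                                 headers={"Content-Type": "application/json"})
    urllib.request.urlopen(req, timeout=10).close()


if __name__ == "__main__":
    # Constructed payload, shaped like the form fields Slack sends.
    demo = {"token": EXPECTED_TOKEN, "text": "192.0.2.10",
            "response_url": "https://hooks.slack.invalid/constructed",
            "user_name": "alice"}
    print(handle_slash_command(demo))
    print(handle_slash_command({**demo, "text": "10.0.0.5; rm -rf /"}))
```

In a real server the request handler returns `body` immediately and hands `job` to a background thread or queue, which calls `run_job` and then `post_delayed_response`. Restricting which users or channels may invoke the command, and which address ranges may be targeted, is the natural next check to add in `handle_slash_command`.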
If you want to help me on any of these please reach out to me on twitter at @jgamblin or via email.
The TV in my hotel room this week advertised how easy it is to control it with the stayconnect app. So I downloaded it and was pretty impressed by how well it worked... until I remembered my phone was still on 4G and VPNed through a server in Europe.
So I fired up Burp Suite to see exactly what was going on. To my surprise the app wasn’t POSTing the data like it should; it was passing it as part of the URL query string:
https://rci.lodgenet.com/mobile.php?method=tvOff&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a
Here is a terrible proof of concept video I shot in my room:
Here are some of the commands I found to control the tv:
TV Power Off:
https://rci.lodgenet.com/mobile.php?method=tvOff&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a
TV Power On:
https://rci.lodgenet.com/mobile.php?method=tvOn&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a
Mute Sound:
https://rci.lodgenet.com/mobile.php?method=tvVolume&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&volumeLevel=0
Max Sound:
https://rci.lodgenet.com/mobile.php?method=tvVolume&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&volumeLevel=30
Change Channel:
https://rci.lodgenet.com/mobile.php?method=tuneTV&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&channelID=8
https://rci.lodgenet.com/mobile.php?method=tuneTV&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&channelID=7
While this is not a major vulnerability (to exploit it you would have to capture traffic from your victim’s phone), it does show really poor programming practices.
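The practical cost of carrying authID and pairingKey in a GET query string is that the values get written wherever URLs are recorded: web-server access logs, proxy logs, browser history and Referer headers. The script below is an added example, not part of the original post or the vendor’s software; it scans Apache combined-format access log lines for query parameters that look like credentials (by name, or by an opaque hex value) and can redact them before logs are shared. The log lines, host names and token values are constructed.

```python
"""Find and redact credential-like query parameters in URLs and access logs (added example)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that usually carry a credential or session identifier.
SENSITIVE_NAME_RE = re.compile(
    r"(auth|token|session|sess|pairing|passw|pwd|secret|api[_-]?key|apikey|\bkey$)", re.I)
# Values that look like opaque hex tokens (24+ hex chars), whatever their name.
HEX_TOKEN_RE = re.compile(r"^[0-9a-fA-F]{24,}$")
# Request line inside an Apache combined log entry: "GET /path?query HTTP/1.1".
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/\d\.\d"')


def find_secret_params(url: str) -> List[Tuple[str, str]]:
    """Return (parameter, reason) pairs for query params that look like secrets."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if SENSITIVE_NAME_RE.search(name):
            hits.append((name, "sensitive name"))
        elif HEX_TOKEN_RE.match(value):
            hits.append((name, "token-like value"))
    return hits


def redact_url(url: str, marker: str = "REDACTED") -> str:
    """Rebuild the URL with flagged parameter values replaced by marker."""
    parts = urlsplit(url)
    flagged = {name for name, _ in find_secret_params(url)}
    query = [(n, marker if n in flagged else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def scan_access_log(lines: List[str]) -> List[Dict]:
    """Flag log entries whose request URL carries secret-looking parameters."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = find_secret_params(m.group(1))
        if hits:
            findings.append({"line": lineno,
                             "path": urlsplit(m.group(1)).path,
                             "params": hits})
    return findings


# Constructed Apache combined-format lines; the token values are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/May/2016:21:14:02 +0000] "GET /mobile.php?method=tvOff&api=1.5'
    '&authID=0123456789abcdef0123456789abcdef&requestID=235431'
    '&pairingKey=fedcba9876543210fedcba9876543210 HTTP/1.1" 200 17 "-" "StayConnect/1.0"',
    '198.51.100.8 - - [09/May/2016:21:14:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/May/2016:21:14:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['path']} -> {f['params']}")
```

Run against real logs, the name-based rule is the one to tune: add the parameter names your own applications use for sessions and keys, and keep the hex-value rule as the catch-all for names you did not anticipate.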
Last week I saw this 3.5″ Touchscreen LCD and case on Amazon for $20 so I ordered it thinking it would be fairly easy to install and get to work. I was wrong and spent the better part of a Saturday looking at this:
After spending 5 or 6 hours digging through forums, reddit posts and reinstalling my Raspberry Pi 3 times I finally got it to work:
Hoping that no one else has to go through this I put together instructions and posted them on GitHub.
Now I have a cool desk clock (sudo apt-get install tty-clock) that on the backend can be doing all kinds of amazing stuff (like being a persistent reverse SSH tunnel):