WebSnort Docker Container

One of the first things I like to do when I start looking at a PCAP during an investigation is run it through snort to see if it finds anything suspicious. You can easily do this at the command line with snort -dv -r test.pcap, but the output is not great.
I have been using a tool called websnort for better output recently and decided it was time to put it into a docker container for easy portability.
To run it: 
docker run -d -p 8080:8080 jgamblin/websnort
If you want to build your own, the Dockerfile is:
FROM ubuntu:latest
# Keep apt from prompting for input during the image build
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install -y python-pip snort
# Make snort.conf world-readable so websnort can load it
RUN chmod a+r /etc/snort/snort.conf
RUN pip install websnort
# websnort serves its web UI on port 8080, which the docker run command above publishes
CMD websnort
Protip: malware-traffic-analysis.net has great PCAPs for testing your security tools.

The Security Summer Camp Talks I Want To See…

I took some time tonight and read through the Security Summer Camp (BSidesLV, Blackhat and Defcon) schedules and picked the talks from this year that I think will be the best and that I do not want to miss.
I ended up with these 16 talks I am going to make a special point to see next week:

BSidesLV

Managing Security with the OWASP Assimilation Project.
I want to see how Alan is using this OWASP project and how it compares to commercial CMDBs.
Automation of Penetration Testing and the future.
I am really interested in this subject as security is seriously lagging behind in the automation arms race and I think it will be the hottest trend in security over the next year.
How to Get and Maintain your Compliance without ticking everyone off.
The outline for this talk is a little sparse but I am interested in seeing what these guys come up with since I know them and am interested in this subject.
How to travel to high-risk destinations as safely as possible.
Ryan will do an amazing job on this talk but I am going to go to this talk to see how many of these things I can steal for my own OpSec.
A Peek Behind Vegas Surveillance.
Um… because why not? I love Oceans 11.
Automation Plumbing.
Another automation talk…. I sense a trend.

BlackHat

An insider’s guide to cyber-insurance and security guarantees.
I am interested in this subject in general and how it will shape security in the next few years.
Cyber war in perspective: analysis from the crisis in Ukraine.
I have read a couple of books and watched Winter on Fire about this conflict, so it will be interesting to hear about it from a cyber-war perspective.

Defcon

Universal Serial aBUSe: Remote physical access attacks.
This is going to be the best and most talked about talk at Defcon. If Dominic brings the tool outlined in the talk (and he will) you will be reading about this for the next month.
Realtime bluetooth device detection with Blue Hydra
I love hacking bluetooth devices and Blue Hydra is an amazing new tool.
BSODomizer HD: A mischievous FPGA and HDMI platform for the (m)asses
These guys know so much about hacking hardware and this talk and tool are going to be amazing. I hope Joe has a kit together by Defcon so I can buy it.
101 Ways to Brick your Hardware
Joe FitzPatrick is one of the smartest guys I know and watching this talk on his failures will be entertaining, educational and inspiring. Amazing and truly talented people can always laugh at themselves.
Picking Bluetooth Low Energy Locks from a Quarter Mile Away
Um…. are you telling me you wouldn’t want to see this?
Hacking Hotel Keys and Point of Sale systems
I am glad I will be checked out of my room by the time this talk is given.

Other

Sun, Sin, Security: IOActive
IOActive does an amazing job with their event every year and they will have some amazing talks.
Securing the Internet of Things (SIOT)
I love IOT security and I will be speaking at this event.
I will just leave this here for discussion at another time but I am probably skipping the Blackhat badge next year:

Conference    Badge Cost    Talks    Cost Per Talk
BSidesLV      $0.00         6        $0.00
BlackHat      $2,295.00     2        $1,147.50
Defcon        $240.00       6        $40.00

6 Networking Things To Do Before Security Summer Camp

Security Summer Camp (BSidesLV, Blackhat and Defcon) is the most important week in the security industry and as such you need to be prepared to network like a professional.
Here are 6 things you can do this week to get ready:

Freshen Up Your Social Media Profiles

Is your Twitter profile picture 4 years old? Does your Twitter bio mention a meme from 3 years ago? Do you have a blog that hasn’t had a new post in 18 months?
Spend some time and do some basic upkeep on the social media channels you use, and shut down the ones that you don’t.

Get Some Personal Cards

It is 2016 and we should all be able to NFC our contact info securely to the person next to us in 10 seconds, but we can’t.
You should invest in some personal networking cards that you can hand to someone when you want to take that conversation about the amazing project they are working on from the Rapid7 party offline, so you can really understand the technical details.
These just need your name, email and social media contact information (Moo.com is where I get mine).

Plan Your Week

Seriously.
Sit down this week and decide which talks you want to see, who you want to meet and what parties you want to attend, and be realistic about it. Decide what is important to you and make sure you attend those things.
Defconparties.info keeps the most up-to-date list of parties that are happening during Security Summer Camp.

Dress The Part

Dinner at Carnevino with your favorite vendor and the pool party at BSidesLV require two totally different outfits. You don’t want to be the jerk who shows up at the best steakhouse in Vegas in flip-flops or the jerk who goes to a pool party in a blazer.
You will need everything from workout clothes to your best “meeting with the VC firm” jeans and there is no way you are getting this all in a carry on. So pack like an adult and bring more clothes than you think you need.

Let People Know You Are Going

If you want to meet with anyone at summer camp let them know this week that you are going.  Schedules get crazy and if you want someone to give you an hour of time you probably need to start playing calendar tag with them this week.

Polish Your Resume

You might not be looking for your next job when you head to Vegas but you should always be open to the right job. You don’t want to be scrambling around when someone wants to talk to you about the <insert dream job title> position at <insert dream company>. It is also a good time to make sure your LinkedIn profile is up-to-date.

The VPN You Should Be Using

There has been a lot of talk about why you should use a VPN on public networks and why it shouldn’t be a commercial one.
I am a huge fan of the Streisand privacy stack because it includes an L2TP/IPsec VPN, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge all in one amazing package.
The problem with Streisand is that the install is amazingly complicated: it uses Ansible from your local system to drive a cloud provider through API calls, and if you are not in a shop that already uses this tooling it can be difficult to get working correctly. So I have simplified the install so that it runs directly on a DigitalOcean server (this should work everywhere).
The steps are as follows:
Create a new DigitalOcean Ubuntu 14.04 droplet named streisand with your SSH key.
The $5 droplet “works” but if you are not going to keep it running all the time (I wouldn’t) I would spin this up on a $20 a month droplet when needed (say for a trip out of the country or to Blackhat).
Run the following commands to install the prerequisites:
sudo apt-get update && sudo apt-get install -y git python-paramiko python-pip python-pycurl python-dev build-essential
sudo pip install ansible markupsafe dopy==0.3.5
Download and configure Streisand with the following commands:
git clone https://github.com/jlund/streisand.git && cd streisand/playbooks
sed -i 's/streisand-host/127.0.0.1/g' streisand.yml
sudo ansible-playbook -i "localhost," -c local streisand.yml
sed -i "s/localhost/$(curl -s ipecho.net/plain)/g" ../generated-docs/streisand.html
(This takes between 10 and 15 minutes to complete.)
Use streisand for safer internet: 
Copy generated-docs/streisand.html to your local machine using scp, or just cat and paste it (cat ../generated-docs/streisand.html); it has all the information you need to use your new privacy server on almost every device you own. You can also share this information with your family or team, as one server should support 4 or 5 users.
If you trust me (and you shouldn’t) here is a bash script to automate the install:
https://gist.github.com/jgamblin/3100b682510119722c56f5667fa2e18b

Installing The Lair Framework With 7 Commands

I worked with a consultant using the lair framework two years ago and since then I have been a huge fan of the project to manage pentest information.
Tom Steele has done an amazing job with the project, but it has been a pain to install. Thanks to Ryan Hanson and Docker you can now set up a Lair instance with 7 simple commands on a clean (DigitalOcean) Ubuntu 16.04 install:
curl -sSL https://get.docker.com/ | sh
curl -L https://github.com/docker/compose/releases/download/1.6.2/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
git clone https://github.com/ryhanson/lair-docker.git
cd lair-docker
docker-compose build
docker-compose up
From there you can start importing data with drones or entering it manually, but with the installation bar lowered you do not have a reason not to give this amazing tool a try!

Why to Zuckerberg Your WebCam

A picture started floating around the internet of Mark Zuckerberg holding an Instagram cutout.
People almost instantly started to notice that his webcam and mic were taped over. While Mark Zuckerberg isn’t exactly known for having great security practices (all his social media passwords were Dadada), this started a discussion in the office about whether someone could really spy on you via your webcam. So, being a huge fan of the POC||GTFO model of security, I put together a quick POC using a 10-line bash script and imagesnap and put it on GitHub.
Simply running ./capture.sh & takes a photo every 60 seconds.
While I don’t shower with my Mac (that much), I will be Zuckerberging my webcam from now on so hackers can not see the strange faces I make at my computer when trying to figure out how to get a bash script to work correctly.

Emoji’s in Domain and Hostnames

While rebuilding my iPad this weekend I noticed that I could name it an emoji. So I named my iPad 📱 (U+1F4F1).
While I don’t have any problem using the iPad, it basically makes it unreachable on the network via hostname.
From there I renamed all of my lab machines to emojis, mostly variations of 💩 (U+1F4A9) because I am sophomoric.

In case you were wondering, this is all totally illegal according to RFC 952 (which was written in 1985) and shouldn’t be allowed, but I have not found an OS that enforces it.
While doing some research on hostnames and emojis I read that .ws (Samoa) and .tk (Tokelau) allow emoji domains with the help of punycoder, so I registered http://☠💻💩.ws which is either going to be a waste of $6 or the start of a $10B security startup. I have not decided yet.
If all of this isn’t ridiculous enough for you, you can even name your wireless network with emojis.
…emojis: they just aren’t for 12 year olds anymore.  😎
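As an added example that is not part of the original post, here is a small Python 3 script (standard library only, function names are my own) that checks a name against the RFC 952 rules mentioned above and shows what the registered emoji domain looks like once it is punycode-encoded for DNS:

```python
import re

# RFC 952 (1985): names are letters, digits and hyphens, periods only delimit
# labels, the first character must be a letter, the last character must not be
# a hyphen or period, and the whole name is at most 24 characters.
# (RFC 1123 later allowed a leading digit; this checks the 1985 rules the post cites.)
_RFC952_LABEL = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def rfc952_violations(name):
    """Return the RFC 952 rules `name` breaks (an empty list means it is legal)."""
    problems = []
    if len(name) > 24:
        problems.append("longer than 24 characters")
    if name.endswith("-") or name.endswith("."):
        problems.append("ends with a hyphen or period")
    for label in name.split("."):
        if not _RFC952_LABEL.match(label):
            problems.append("label %r is not a letter-led run of ASCII letters, digits and hyphens" % label)
    return problems


def is_rfc952_hostname(name):
    return not rfc952_violations(name)


def to_dns_form(name):
    """The ASCII form a resolver actually sends: each non-ASCII label becomes xn--<punycode>."""
    return name.encode("idna").decode("ascii")


def from_dns_form(ascii_name):
    """Reverse of to_dns_form."""
    return ascii_name.encode("ascii").decode("idna")


if __name__ == "__main__":
    for host in ("streisand", "📱", "💩.local", "☠💻💩.ws"):
        print(host, "->", rfc952_violations(host) or "RFC 952 legal")
    dns = to_dns_form("☠💻💩.ws")   # the domain registered in the post
    # The punycode form is plain RFC 952-legal ASCII, which is the whole trick.
    print(dns, "->", rfc952_violations(dns) or "RFC 952 legal")
    print(from_dns_form(dns))
```

The emoji names fail every RFC 952 check, while their xn-- form passes, which is why the registry and the resolver are happy even though the OS hostname is not.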
 

Using Shipyard To Manage Docker Containers

While getting ready to teach an “introduction to penetration testing with docker” class I stumbled across the Shipyard-Project which brings an amazing web based interface to docker.
Installing on Debian on DigitalOcean is as simple as starting a droplet and running these two commands:
curl -sSL https://get.docker.com/ | sh
curl -sSL https://shipyard-project.com/deploy | bash -s

Update: Running scripts you have not read through is a really bad idea (almost as bad as suggesting you do so). Make sure you take a look at the docker and shipyard scripts before you run them.

From there you have an amazing docker interface at http://yourip:8080 where you can pull and manage images, configure containers, easily control containers, check stats and logs, and access a container’s console.
While the CLI for docker isn’t hard to learn this does seem like the “Killer App” that could help people adopt containers.  I know I will be using it to manage my containers from here on out and recommending it to as many people as I can.

What To Inspect When You Are Inspecting!

Docker containers have become so ubiquitous that sometimes respected security professionals tweet ridiculous things like:

…but it is 2016 and you should never run code on your machine if you don’t know what it does. These are mini-virtual machines and not magically secure little shipping containers*. At a minimum you should do these basic things to get some idea of what you are putting on your machine before you run it.

Pull the container first:
docker pull jgamblin/tiny-tor 


Use Docker Inspect to look at the container’s metadata:
docker inspect jgamblin/tiny-tor 

You will want to carefully read through that output and take time to look at these fields:

  • Image: the image this container is running.
  • NetworkSettings: the network settings for the container.
  • LogPath: the system path to this container’s log file.
  • Name: the user-defined name for the container.
  • Volumes: the volume mapping between the host system and the container.
  • HostConfig: key configuration for how the container interacts with the host system, such as CPU and memory limits, networking values, or device driver paths.
  • Config: the runtime configuration options set when the docker run command was executed.


Use Docker History to see how the image was built:
docker history jgamblin/tiny-tor

Protip: CenturylinkLabs released a tool to create a Dockerfile from a container.

Run the container without network access and look around a bit:
docker run -t -i --net=none jgamblin/tiny-tor /bin/sh


After you have done these steps and feel comfortable you can then:
docker run -t -i -p 9050:9050 jgamblin/tiny-tor

If you do these basic things you can feel a little better about what you are running on your system.
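As an added example that is not part of the original post or of the tiny-tor image, here is a Python 3 script that reads a docker inspect JSON array and flags the settings worth a second look in the HostConfig, Config and NetworkSettings fields listed above; the sample JSON inside it is constructed in the shape docker inspect prints, not real output for jgamblin/tiny-tor, and the function name is my own.

```python
import json

# Constructed sample in the shape `docker inspect <container>` prints. It is not
# real output for jgamblin/tiny-tor; the risky settings are there on purpose.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/tiny-tor",
    "Image": "sha256:constructed-image-id",
    "LogPath": "/var/lib/docker/containers/constructed-id/constructed-id-json.log",
    "Config": {"Image": "jgamblin/tiny-tor", "Cmd": ["tor"], "User": "",
               "ExposedPorts": {"9050/tcp": {}}},
    "HostConfig": {"Privileged": True, "NetworkMode": "host", "CapAdd": ["SYS_ADMIN"],
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/data:/data:ro"]},
    "NetworkSettings": {"Ports": {"9050/tcp": [{"HostIp": "0.0.0.0", "HostPort": "9050"}]}},
}])

# Bind-mounting any of these hands the container a foothold on the host.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/etc", "/proc", "/sys", "/root")


def review_inspect(inspect_json):
    """Return (container name, finding) pairs for a `docker inspect` JSON array."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?")
        hc = c.get("HostConfig") or {}
        cfg = c.get("Config") or {}
        if hc.get("Privileged"):
            findings.append((name, "HostConfig.Privileged: all capabilities and host devices"))
        if hc.get("NetworkMode") == "host":
            findings.append((name, "HostConfig.NetworkMode=host: shares the host network stack"))
        for cap in hc.get("CapAdd") or []:
            findings.append((name, "HostConfig.CapAdd grants %s" % cap))
        for bind in hc.get("Binds") or []:
            src = bind.split(":")[0]          # Binds entries are "host:container[:options]"
            if src in SENSITIVE_HOST_PATHS:
                findings.append((name, "HostConfig.Binds mounts sensitive host path %s" % src))
        if not cfg.get("User"):
            findings.append((name, "Config.User empty: process runs as root in the container"))
        ports = (c.get("NetworkSettings") or {}).get("Ports") or {}
        for port, bindings in ports.items():
            for b in bindings or []:
                if b.get("HostIp") in ("0.0.0.0", "::", ""):
                    findings.append((name, "NetworkSettings.Ports publishes %s on every host interface" % port))
    return findings


if __name__ == "__main__":
    for name, msg in review_inspect(SAMPLE_INSPECT):
        print("%s: %s" % (name, msg))
```

Run it against real output with docker inspect <container> > out.json and review_inspect(open("out.json").read()); a container started with --net=none as above shows NetworkMode as none and publishes no ports.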
* What a magically secure little shipping container might look like:

Simple TOR Socks Proxy Container

I built a simple TOR socks proxy container today to be able to easily use TOR from the machines I am working on.
Getting it to run is as simple as:
docker run --name tor -ti -p 9050:9050 jgamblin/tor
This will run it as a daemon (detached from your terminal):
docker run --name tor -d -p 9050:9050 jgamblin/tor
From there all you have to do is configure your  browser to use port 9150 and you are using TOR.

The dockerfile for this build is fairly simple and is on Github and Docker Hub:
https://gist.github.com/jgamblin/3e1fd9aad19fcd496ed3d35d2cfe383b
As always if you are *REALLY* worried about security you should be using Tails but this works perfectly to get an “outside-in” real world look of your environment.   If you have any questions please reach out to me on twitter at @jgamblin.
