CapAnalysis Container

My favorite open source tool for analyzing PCAP files is CapAnalysis. I have always kept a virtual machine around to run it, but I have been on a kick of containerizing all my favorite tools recently, so I decided to put CapAnalysis into a container.
It lets you easily visualize traffic flows, statistics, geolocation and a ton of other useful information:

To get started you just need to run:
docker run -t -i -d -p 9877:9877 jgamblin/capanalysis
From there all you have to do is create a dataset and upload the pcaps you want to analyze. Note that -p 9877:9877 publishes the web UI on every interface of the Docker host; use -p 127.0.0.1:9877:9877 if only you need to reach it.
Inside the container is:
Ubuntu 15.04
Apache2
PHP5
PostgreSQL
The Dockerfile for this container is below. Keep in mind that Ubuntu 15.04 is end of life, so its package mirrors no longer receive security updates; pick a supported base when you rebuild it:

FROM ubuntu:15.04

# Install packages
ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update && apt-get -y install \
wget \
curl \
gdebi \
php5 \
sudo \
apache2 \
apt-utils

# Keep package postinst scripts from starting services during the build
RUN echo '#!/bin/sh' > /usr/sbin/policy-rc.d \
    && echo 'exit 101' >> /usr/sbin/policy-rc.d \
    && chmod +x /usr/sbin/policy-rc.d

# The .deb is not signed; record its checksum and compare on later builds
RUN wget https://downloads.sourceforge.net/project/capanalysis/version%201.2.0/capanalysis_1.2.0_amd64.deb

RUN apt-get update && gdebi -n capanalysis_1.2.0_amd64.deb

# Change the PRIORITY setting in the CapAnalysis init script
RUN sed -i -e 's/PRIORITY=1 #(0..20)/PRIORITY=0 #(0..20)/g' /etc/init.d/capanalysis

# tail keeps the container in the foreground once the services are up
CMD sudo service postgresql restart && \
sudo service apache2 restart && \
sudo service capanalysis restart && \
tail -f /var/log/apache2/access.log

If you have any questions or comments reach out to me on twitter at @jgamblin

BurpBrowser

I always do this… I wrote KaliBrowser over the weekend, and today at lunch I was thinking the same setup would be really handy to use with Burp, so I put together BurpBrowser, which lets you run Burp and Firefox in a browser.
Screen Shot 2016-05-31 at 3.18.23 PM
It runs the following packages:
Ubuntu 16.04
Burp Proxy
Firefox
OpenBox
noVNC
Getting started is as easy as:
docker run --name burpbrowser -d -t -i -p 80:6080 jgamblin/burpbrowser
and then point your favorite browser to:
http://ip
One thing to keep in mind: -p 80:6080 publishes noVNC on every interface of the Docker host, and nothing in this image asks for a password (x11vnc runs with -nopw and the noVNC page auto-connects), so anyone who can reach port 80 gets the desktop, your Burp session and everything in its history. Use -p 127.0.0.1:80:6080 to keep it on the local machine.
If you want to build a local copy or laugh at how terrible I am at docker here is what is in the Dockerfile:
# Pinned to 16.04 (the release listed above) instead of ubuntu:latest so the build is reproducible
FROM ubuntu:16.04
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -y && \
apt-get install -y \
git \
xvfb \
x11vnc \
wget \
python \
python-numpy \
unzip \
menu \
geany \
openbox \
net-tools \
openjdk-8-jre \
firefox

# noVNC and websockify are cloned from master; pin a tag or commit if you want repeatable builds
RUN cd /root && git clone https://github.com/kanaka/noVNC.git && \
cd noVNC/utils && git clone https://github.com/kanaka/websockify websockify && \
cd /root
# The Burp jars must sit in the build context next to the Dockerfile
ADD burpsuite_pro_v1.7.03.jar /root
ADD burpsuite_free_v1.7.03.jar /root
ADD startup.sh /startup.sh
RUN chmod 0755 /startup.sh && \
apt-get autoclean && \
apt-get autoremove && \
rm -rf /var/lib/apt/lists/*
CMD /startup.sh
Here is what is in the startup.sh
#!/bin/bash
export DISPLAY=:1
Xvfb :1 -screen 0 1600x900x16 &
sleep 5
openbox-session &
# VNC itself only listens on localhost and has no password; noVNC on port 6080 is the
# only way in, and it adds no authentication of its own
x11vnc -display :1 -nopw -listen localhost -xkb -ncache 10 -ncache_cr -forever &
# -sf so a restarted container does not fail on the symlink that already exists
cd /root/noVNC && ln -sf vnc_auto.html index.html && ./utils/launch.sh --vnc localhost:5900

If you have any questions or comments reach out to me on twitter at @jgamblin
Happy Burping!  : )

KaliBrowser

I have been spending some time recently getting up to speed on Docker so this weekend I built KaliBrowser:
Screen Shot 2016-05-31 at 6.46.36 AM
It runs the following packages:
Kali Linux (the kalilinux/kali-linux-docker image)
OpenBox
noVNC
Getting started is as easy as:
docker run -d -t -i -p 6080:6080 jgamblin/kalibrowser
and then point your favorite browser to:
http://ip:6080
Keep in mind that -p 6080:6080 publishes noVNC on every interface of the Docker host and nothing in the image asks for a password (x11vnc runs with -nopw and the noVNC page auto-connects), so anyone who can reach port 6080 gets a root desktop on the Kali container. Use -p 127.0.0.1:6080:6080 if only you need it.
To keep this image as small as I could (and it is still 841MB) I only included the base. If you want a “ready to go” version, I built jgamblin/kalibrowser-top10 (2GB), which has the Kali Top 10 metapackage preinstalled; to use it, run:
docker run -d -t -i -p 6080:6080 jgamblin/kalibrowser-top10
If you want to build a local copy or laugh at how terrible I am at docker here is what is in the Dockerfile:
FROM kalilinux/kali-linux-docker
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -y && \
apt-get install -y \
net-tools \
openbox \
git \
x11vnc \
xvfb \
wget \
python \
python-numpy \
unzip \
geany \
iceweasel \
menu && \
cd /root && git clone https://github.com/kanaka/noVNC.git && \
cd noVNC/utils && git clone https://github.com/kanaka/websockify websockify && \
cd /root
ADD startup.sh /startup.sh
RUN chmod 0755 /startup.sh && \
apt-get autoremove && \
rm -rf /var/lib/apt/lists/*

#The Kali Docker Image Is Out Of Date. : (
RUN apt-get update -y && apt-get dist-upgrade -y && rm -rf /var/lib/apt/lists/*

CMD /startup.sh
and the startup.sh
#!/bin/bash
export DISPLAY=:1
Xvfb :1 -screen 0 1600x900x16 &
sleep 5
openbox-session &
# VNC itself only listens on localhost and has no password; noVNC on port 6080 is the
# only way in, and it adds no authentication of its own
x11vnc -display :1 -nopw -listen localhost -xkb -ncache 10 -ncache_cr -forever &
# -sf so a restarted container does not fail on the symlink that already exists
cd /root/noVNC && ln -sf vnc_auto.html index.html && ./utils/launch.sh --vnc localhost:5900

If you have any questions or comments reach out to me on twitter at @jgamblin

A Docker Container To Capture All Traffic From Host.

Yesterday I was helping someone who needed to monitor and record all the traffic from a couple of servers for a day to investigate a strange issue that was happening.

Normally for this I would just tell them to run this command, which records a day’s worth of traffic in 15 minute chunks (-G 900 rotates the output file every 900 seconds, -W 96 makes tcpdump exit after 96 files, and the strftime pattern in -w names each chunk by its start time):
tcpdump -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96


…but this is 2016 and we have containers!
(Not an actual Docker container.)


So I did what any self-respecting security professional would do and spent a Friday night writing a tcpdump container and putting it on Docker Hub.

So now, in the future, when anyone wants to record all the traffic from a server, all they have to do is run
docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdump
and the pcaps will be saved in ~/pcap in their home directory. A few things worth knowing before you rely on it: --net=host is what lets the container see the host’s interfaces (without it you would only capture the container’s own virtual interface); tcpdump without -i captures on the first configured non-loopback interface it finds, so on a server with several interfaces override the command and pick one explicitly (for example docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdump tcpdump -i any -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96); and the files are written by the container, not by your host user, and contain everything the host sent and received, cleartext credentials included, so treat that directory accordingly.
Screen Shot 2016-05-28 at 11.23.15 AM
If you want to build your own copy, here is everything I have in the Dockerfile:
FROM debian
RUN apt-get update && apt-get install -y --no-install-recommends \
tcpdump && rm -rf /var/lib/apt/lists/*
RUN mkdir /pcap
WORKDIR /pcap
# Exec form so `docker stop` delivers SIGTERM to tcpdump itself rather than to a
# wrapping shell, letting it close the pcap it is writing cleanly
CMD ["tcpdump", "-G", "900", "-w", "%Y-%m-%d_%H:%M:%S.pcap", "-W", "96"]
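Both CapAnalysis (above) and this tcpdump container deal in classic pcap files, and a chunk that was cut off mid-write (tcpdump killed, disk full) or that is really pcapng will fail or mislead at upload time. The checker below is an added example written for this page, not code from CapAnalysis, tcpdump or the author. It assumes the upload target wants classic libpcap files (the magic numbers and record layout are libpcap's), builds its own sample data instead of reading a real capture, and the script name pcapcheck.py is made up.

```python
"""Sanity-check pcap files before uploading them (e.g. to CapAnalysis).

Classic libpcap layout, all multi-byte fields in the file's own byte order:
  global header (24 bytes): magic, major, minor, tz offset, sigfigs, snaplen, link type
  per record (16 bytes):    ts seconds, ts fraction, captured length, original length,
                            followed by the captured bytes
"""
import struct
import sys
from pathlib import Path

# First four bytes read little-endian -> (struct byte-order prefix, ticks per second)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microsecond stamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microsecond stamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanosecond stamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanosecond stamps
}
PCAPNG_SHB = 0x0A0D0D0A  # pcapng Section Header Block type, same in both byte orders
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113  # "cooked" frames, what `tcpdump -i any` writes


def looks_like_pcap(data):
    """True only for the classic libpcap format (pcapng is a different format)."""
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] in PCAP_MAGICS


def inspect_pcap(data):
    """Walk every record and report counts, time span, snapping and truncation."""
    if len(data) < 4:
        raise ValueError("too short to carry a magic number")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAPNG_SHB:
        return {"format": "pcapng"}  # let the caller decide if the target takes it
    if magic not in PCAP_MAGICS:
        raise ValueError("unknown magic 0x%08x, not a pcap file" % magic)
    endian, ticks = PCAP_MAGICS[magic]
    if len(data) < 24:
        raise ValueError("truncated global header")
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    rep = {"format": "pcap", "version": "%d.%d" % (major, minor),
           "byte_order": "little" if endian == "<" else "big",
           "snaplen": snaplen, "linktype": linktype,
           "packets": 0, "bytes_captured": 0, "snapped": 0,
           "first_ts": None, "last_ts": None, "truncated": False, "error": ""}
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            rep["truncated"] = True  # writer died inside a record header
            break
        sec, frac, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or incl > orig:
            # impossible lengths: corrupt data or not really a pcap; nothing after here is trustworthy
            rep["error"] = "record %d has impossible lengths" % rep["packets"]
            break
        if len(data) - off < incl:
            rep["truncated"] = True  # writer died inside packet data
            break
        ts = sec + frac / ticks
        if rep["first_ts"] is None:
            rep["first_ts"] = ts
        rep["last_ts"] = ts
        rep["packets"] += 1
        rep["bytes_captured"] += incl
        if incl < orig:
            rep["snapped"] += 1  # payload cut short by the capture snaplen
        off += incl
    return rep


def build_sample_pcap(packets, endian="<", linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Constructed test data, not a real capture: (ts_seconds, payload[, original_length])."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for sec, payload, *rest in packets:
        orig = rest[0] if rest else len(payload)
        out += struct.pack(endian + "IIII", sec, 0, len(payload), orig) + payload
    return out


SAMPLE_PCAPNG = struct.pack("<I", PCAPNG_SHB) + b"\x00" * 24  # constructed, block type only


def inspect_file(path):
    return inspect_pcap(Path(path).read_bytes())


if __name__ == "__main__":
    # Usage: python3 pcapcheck.py ~/pcap   (the directory tcpdump rotates into)
    for f in sorted(Path(sys.argv[1]).glob("*.pcap")):
        try:
            r = inspect_file(f)
        except ValueError as exc:
            print("%s: skipped (%s)" % (f.name, exc))
            continue
        if r["format"] != "pcap":
            print("%s: pcapng, not classic pcap" % f.name)
            continue
        print("%s: %d packets, %d snapped, truncated=%s %s" % (
            f.name, r["packets"], r["snapped"], r["truncated"], r["error"]))
```

Run it against the rotation directory before uploading anything: a truncated last file is expected if tcpdump was killed (the earlier chunks are still good), a "snapped" count tells you the snaplen was too small for the traffic, and an impossible-length error means the file should not be trusted at all.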
From here, if you want to display the PCAPs in a browser for easy access, all you need to do is run
docker run -h tcpdumpweb -p 1337:80 -v ~/pcap:/var/www/html/ -d eboraas/apache
and all the files captured will be served at http://hostip:1337. That Apache instance has no authentication in front of it and the captures hold everything the server saw, so publish it on localhost only (-p 127.0.0.1:1337:80) or put a login in front of it.
Screen Shot 2016-05-28 at 11.50.16 AM
Happy tcpdumping!

OSX System Information Script

This morning I needed someone I was helping to send me some basic information about their MacBook, and while I knew how to get that information it wasn’t all in one easy-to-digest place, so I wrote sysinfo.sh to gather it quickly:
Screen Shot 2016-04-29 at 9.29.52 AM
Here is the code:
https://gist.github.com/jgamblin/aa9a6eda5bce6797ab8394e0c47d3676
You will need to install iStats (gem install iStats) or comment out lines 9, 10, 12 and 13 for the script to run properly.

Explaining the difference between a threat, a vulnerability and a risk.

During a recent round of phone interviews while expanding my team at work, I was amazed at how many security professionals have a hard time clearly answering the following question:
“What’s the difference between a threat, a vulnerability and a risk?”
I think being able to do so is key to being a good security professional. I really like to use this analogy to explain the three concepts clearly:

“Close the open door (vulnerability) to stop the bear (threat). If it got in we could get mauled (risk).”

Understanding and applying these three terms is the first step to being able to do great risk analysis and is the only way to effect change in most organizations.  The next step is writing risk statements.

But remember that this exercise is as much for you as it is for whoever you are trying to secure. It wouldn’t make much sense to spend your limited cycles protecting yourself against bears in Dallas, Texas, would it?

bear-areas-map


A Reverse DNS Function for Google Sheets.

Often in my job I am given spreadsheets of IP addresses that look like this:
Screen Shot 2016-04-03 at 4.16.11 PM
One of the first things I always want to do is find out whether they have an FQDN. Sadly Google keeps forgetting to build a reverse DNS function into Sheets, so with the help of the HackerTarget API I hacked this together today:
Screen Shot 2016-04-04 at 6.45.21 AM
The configuration is pretty easy (although this took me way longer than I want to admit).
The cells are set up like this:
A2: IP address
B2: ="http://api.hackertarget.com/reversedns/?q="&A2
C2: =IMPORTDATA(B2)
D2: =SPLIT(C2," ")
E2: FQDN (finally)
The API answers with the IP and the hostname separated by a space, so the SPLIT in D2 spills the IP into D2 and the FQDN into E2. Keep in mind that every address in the sheet is sent to HackerTarget, a third party, over plain HTTP, so do not do this with address lists you consider sensitive, and internal addresses that only your own DNS knows about will never resolve this way.

Here is a link to the sheet so you can copy it and play with it. Hopefully this can help someone else out in the future as I know I have spent way too much time manually looking this information up.
Here is a gif of it in action:
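As an added example (not the author's sheet and not HackerTarget's code), here is the same job done locally in Python: the address list stays on your machine and resolves against your own DNS, which also covers internal ranges the public API cannot see. It generalizes the single-cell formula to a whole CSV column; the script name reversedns.py and the CSV layout (IPs in the first column, a header row allowed) are assumptions.

```python
"""Bulk reverse DNS for a column of IP addresses, done locally."""
import csv
import ipaddress
import socket
import sys


def ptr_name(ip):
    """The name a PTR query for ip is sent to; ValueError for anything that is not an address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_lookup(ip):
    """Hostname from the PTR record, or '' when there is none.

    gethostbyaddr() asks the resolver this machine is configured with, so
    internal ranges that only your own DNS knows about work too.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ""


def annotate(ips, resolver=reverse_lookup):
    """[(ip, ptr_name, hostname)] for every entry; junk (a header row, a typo) gets 'invalid'.

    Lookups are cached so a list with repeats hits the resolver once per IP.
    resolver is any callable ip -> hostname (a dict's .get works for offline tests).
    """
    cache = {}
    rows = []
    for raw in ips:
        ip = raw.strip()
        try:
            name = ptr_name(ip)
        except ValueError:
            rows.append((ip, "invalid", ""))
            continue
        if ip not in cache:
            cache[ip] = resolver(ip) or ""
        rows.append((ip, name, cache[ip]))
    return rows


def main(argv):
    """Usage: reversedns.py ips.csv > annotated.csv   (IPs in the first column)."""
    with open(argv[1], newline="") as fh:
        ips = [row[0] for row in csv.reader(fh) if row]
    out = csv.writer(sys.stdout)
    out.writerow(["ip", "ptr_name", "hostname"])
    out.writerows(annotate(ips))


if __name__ == "__main__":
    main(sys.argv)
```

The resolver is passed in as a callable so the CSV handling, validation and caching can be exercised without touching the network; in real use the default reverse_lookup does the PTR query through the system resolver.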

My Guiding Quotes of 2015

At the start of every month I pick a quote I like and hang it at my desk and try to use it to guide my thought process for the month and I thought I would share them here as I was cleaning off my desk for the year.
Here are the quotes I used in 2015:
January:
There is nothing more deceptive than an obvious fact.
– Doyle

February:
Never confuse movement with action.
– Hemingway

March:
You must either modify your dreams or magnify your skills.
– Jim Rohn

April:
Courage is grace under pressure.
– Hemingway

May:
The most formidable weapon against errors of every kind is reason.
– Thomas Paine

June:
If I panic, everyone else panics.
– Kobe Bryant

July:
Take time to deliberate, but when the time for action has arrived, stop thinking and go in.
– Napoleon

August:
I shouldn’t be near Vegas and have money in my pocket.
– Adam Sandler

(Let’s just say I had a lot of fun at BSides, Blackhat and Defcon this year.)
September:
If you ask me anything I don’t know, I’m not going to answer.
– Yogi Berra

October:
Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth.
– Marcus Aurelius

November:
In any moment of decision, the best thing you can do is the right thing. The next best thing is the wrong thing. The worst thing you can do is nothing.
– Theodore Roosevelt

December:
Have a strategic plan. It’s called doing things.
– Herb Kelleher

…and yes I know doing this now apparently makes me dumb.

Thoughts on TrueCrypt

On Wednesday night I tweeted this:


I started getting retweets and replies like this on Friday from people I respect (and a bunch from people I don’t know):


https://twitter.com/averagesecguy/status/674768017864134657
So people REALLY like TrueCrypt, or I didn’t make my point articulately enough. In case I didn’t make my point well enough, I will try to lay it out here.
3 Reasons Why I Think You Should Stop Using TrueCrypt:
1. The developer stopped maintaining it, took down the webpage and replaced it with this:
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”.
Screen Shot 2015-12-12 at 2.51.13 PM
I think that this reason alone should be more than enough to get 99% of people to stop using it.
2. The latest version of Hashcat includes support for TrueCrypt volumes.
If you are using a good passphrase (most people don’t) this really isn’t a big deal, but it lowers the skill needed to attack a TrueCrypt volume with a weak password from medium-high (think security professional) to downloading Kali and following instructions (think help desk analyst).
3. There are many other open source and paid alternatives that you can evaluate and pick the best one for you. So unless you have an amazingly valid reason not to move off of TrueCrypt, you should move off it as soon as possible.
