Security summer camp is about a week away so I spent some time this afternoon trying to figure out what talks and events I want to make sure I attend.
BSides Las Vegas:
A Day in the Life of a Product Security Incident Response Manager
From SOC to CSIRT
Hadoop Safari: Hunting For Vulnerabilities
Introduction to Reversing and Pwning
YARA-as-a-Service (YaaS): Real-Time Serverless Malware Detection
Abusing Webhooks for Command and Control
BSides Las Vegas Full Schedule
I recently saw this SSH/HTTP(S) multiplexer on Github and tweeted that it looked amazing: https://twitter.com/JGamblin/status/881465336196988928 A couple of people responded that you should be able to do the same thing with HAProxy or something similar, but my experience with HAProxy has been that it is temperamental so I didn't want to mess with it. After some more research I found a tool called SSLH that did what I wanted, so I built a demo site at sshttps.jgamblin.com that is running SSH and HTTPS on port 443.
How To Build It Yourself:
To demo this I used a $5 Ubuntu AWS Lightsail instance with a valid DNS record (sshttps.jgamblin.com).
Base Out The System:
These commands will update the system, install SSLH and Apache, and install a valid TLS certificate from LetsEncrypt:
sudo apt update && sudo apt upgrade
sudo apt install sslh build-essential apache2
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto
Configure SSLH:
You need to edit the config so that <ETH0 IP> is the local (not public) IP:
sudo nano /etc/default/sslh
DAEMON_OPTS="--user sslh --listen <ETH0 IP>:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
Configure Apache:
You just need to change the Listen directives in ports.conf so Apache binds its TLS listener to 127.0.0.1:443 only, leaving the public IP's port 443 to SSLH:
sudo nano /etc/apache2/ports.conf
<IfModule ssl_module>
    Listen 127.0.0.1:443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 127.0.0.1:443
</IfModule>
Reboot and Enjoy:
You can probably restart services but a sudo reboot works here and you are good to go. If you visit with a web browser you get the page: ...*but* you can now ssh into the box on port 443 using
ssh firstname.lastname@example.org -p 443
Closing Thoughts:
Nmap only knows it is SSH if you use -sV:
I am looking forward to using this method in the future to stack services. Let me know on twitter @jgamblin if you have any thoughts.
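An added illustration, not code from the post or from the sslh project, of what SSLH is doing on port 443 with the DAEMON_OPTS above: it peeks at the first bytes of each connection, an SSH client announces itself with an "SSH-" banner while a TLS client opens with a handshake record, and a client that stays silent is assumed to be SSH after a timeout (sslh's default, because older SSH clients wait for the server banner). The sample first bytes are constructed; the backend addresses are the ones from the config.

```python
import socket

# Constructed sample "first bytes" as a multiplexer on port 443 would see them.
SSH_FIRST_BYTES = b"SSH-2.0-OpenSSH_7.4\r\n"              # SSH client identification string
TLS_FIRST_BYTES = bytes.fromhex("160301006f0100006b0303")  # TLS record: handshake, ClientHello
HTTP_FIRST_BYTES = b"GET / HTTP/1.1\r\n"                   # plain HTTP, matches neither probe

# Where sslh forwards each protocol, per the DAEMON_OPTS in the post.
BACKENDS = {"ssh": ("127.0.0.1", 22), "ssl": ("127.0.0.1", 443)}


def classify(first_bytes: bytes) -> str:
    """Apply the two probes the post's config enables (--ssh, --ssl), in order."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS: content type 0x16 (handshake), major version 3, handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "ssl"
    return "unknown"   # sslh applies its own fallback for unmatched traffic


def choose_backend(conn: socket.socket, timeout: float = 2.0, on_timeout: str = "ssh") -> str:
    """Peek at the client's opening bytes without consuming them, so the chosen backend
    still receives the full stream. A client that sends nothing before the timeout is
    treated as SSH (sslh's default --on-timeout), since some SSH clients wait for the
    server banner before speaking; this is why a silent probe cannot identify SSH here."""
    conn.settimeout(timeout)
    try:
        first = conn.recv(64, socket.MSG_PEEK)
    except socket.timeout:
        return on_timeout
    return classify(first)


def simulate(first_bytes: bytes, timeout: float = 0.2) -> str:
    """Drive choose_backend with an in-process socket pair standing in for a real client."""
    client, server_side = socket.socketpair()
    try:
        if first_bytes:
            client.sendall(first_bytes)
        return choose_backend(server_side, timeout=timeout)
    finally:
        client.close()
        server_side.close()


if __name__ == "__main__":
    for label, sample in (("ssh", SSH_FIRST_BYTES), ("tls", TLS_FIRST_BYTES),
                          ("http", HTTP_FIRST_BYTES), ("silent", b"")):
        proto = simulate(sample)
        print(f"{label:7} -> {proto:8} {BACKENDS.get(proto, 'no backend')}")
```

This is also why a plain port scan sees only "open 443": a scanner has to read the banner (what Nmap's -sV does) before it can tell that SSH is multiplexed behind the TLS port.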
Often while doing research I need temporary access to a bunch of different virtual machines. While it is possible to do this on my MacBook using VMware Fusion or VirtualBox, the overhead seems unnecessary for something I will delete in under a week. My go-to solution is a virtualization stack of: 16GB DigitalOcean Droplet + Wok + Kimchi. Here is the shell script I use to build it:
#!/bin/bash
apt-get update && apt-get upgrade -y
apt-get -y install qemu qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils nginx python-cherrypy3 \
    python-jsonschema python-m2crypto nginx python-ldap python-psutil fonts-font-awesome \
    texlive-fonts-extra python-configobj python-parted sosreport python-imaging websockify novnc \
    nfs-common python-ethtool open-iscsi python-guestfs libguestfs-tools spice-html5 python-paramiko
wget http://kimchi-project.github.io/kimchi/downloads/latest/kimchi.noarch.deb
wget http://kimchi-project.github.io/wok/downloads/latest/wok.noarch.deb
wget http://kimchi-project.github.io/gingerbase/downloads/latest/ginger-base.noarch.deb
dpkg -i wok.noarch.deb
apt-get install -f -y
dpkg -i ginger-base.noarch.deb
apt-get install -f -y
dpkg -i kimchi.noarch.deb
apt-get install -f -y
reboot
#You will need to know the root password for the web interface (passwd lets you reset it).
After the server is rebooted you can access the web interface at https://ip:8001:
The next step is to add the templates you want to build VMs for:
You can use these commands to grab newer isos (there is a feature request to automate this):
cd /var/lib/kimchi/isos
wget -c http://cdimage.kali.org/kali-2017.1/kali-linux-2017.1-amd64.iso
wget -c http://releases.ubuntu.com/17.04/ubuntu-17.04-desktop-amd64.iso
wget -c http://releases.ubuntu.com/17.04/ubuntu-17.04-server-amd64.iso
wget -c http://releases.ubuntu.com/16.04/ubuntu-16.04.2-desktop-amd64.iso
wget -c http://releases.ubuntu.com/16.04/ubuntu-16.04.2-server-amd64.iso
wget -c ftp://opensuse.mirrors.ovh.net/opensuse/distribution/13.2/iso/openSUSE-13.2-DVD-x86_64.iso
wget -c http://slackware.mirrors.ovh.net/ftp.slackware.com/slackware64-14.2-iso/slackware64-14.2-install-dvd.iso
wget -c http://archlinux.mirrors.ovh.net/archlinux/iso/2016.09.03/archlinux-2016.09.03-dual.iso
wget -c https://download.fedoraproject.org/pub/fedora/linux/releases/25/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-25-1.3.iso
wget -c https://az792536.vo.msecnd.net/vms/VMBuild_20150801/VirtualBox/MSEdge/Windows/Microsoft%20Edge.Win10.For.Windows.VirtualBox.zip
Once you are done with that it is amazingly easy to spin up VMs and manage them in the browser: I use this virtualization stack a lot in my research and it is amazing. If you have any questions feel free to reach out to me on twitter.
I love OWASP (I wanted to get that out of the way) but they let their TLS certificate expire yesterday:
Should it have happened to an organization whose whole goal is to secure web applications? No. There are a million reasons why their TLS certificate could have expired and plenty of reasons it shouldn't have (OWASP uses letsencrypt for their TLS certificate, which can automatically renew certificates and sends you email when they are close to expiring).
Is it forgivable? Yes. Expired certificates, missing patches and unknown cloud services haunt every security organization. Some people look at these things as *easy* to fix and if you miss them you don't care about security... most of those people have usually never worked in operational security.
Why did it happen? Operational Security Is Hard. Being perfect is impossible. Stephen Curry (arguably the best shooter in the NBA) only makes 90% of his free throws. So everyone is going to miss a patch, let a certificate expire and have unknown cloud services. It.Is.Going.To.Happen.
What can we learn from this? A lot. How would your organization have handled this on Saturday morning? Would you have been able to update your certificate in an hour on a Saturday morning? If you know the answer to those questions you can pick a tweet from @badthingsdaily and work through it with your team. Let me know your thoughts on twitter.
Have you ever wanted to control a ~~vast~~ ~~medium~~ small network of Honeypots but only had an hour and about $40 a month to spend on your project? So did I! So with the help of Digital Ocean and Anomali's Modern Honey Network we can now do it!
For a basic distributed Cowrie network you will need:
1 - $20 a month Digital Ocean Droplet for the MHN Server.
4 - $5 a month Digital Ocean Droplets for the Cowrie honeypots.
Configuring The MHN Server:
Setting up the server is as easy as running these commands on your controller droplet and waiting 10 minutes:
sudo apt update
sudo apt upgrade -y
cd /opt/
sudo git clone https://github.com/threatstream/mhn.git
cd mhn/
sudo ./install.sh
After it installs everything it needs it will ask you the following questions:
Do you wish to run in Debug mode?: y/n n
Superuser email: email@example.com
Superuser password:
Superuser password: (again):
Server base url ["http://honeypot.jgamblin.com"]:
Honeymap url [":3000"]: http://honeypot.jgamblin.com:3000
Mail server address ["localhost"]:
Mail server port :
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["/var/log/mhn/mhn.log"]:
Would you like to integrate with Splunk? (y/n)n
Would you like to install ELK? (y/n)n
Once that is done you now have a working MHN server:
Configuring The HoneyPots:
At this time MHN supports 17 honeypots for easy deployment: I have used cowrie in the past and like it a lot, so I decided to use it for this blog post. You can deploy cowrie honeypots to your MHN server with the following commands:
sudo apt update
sudo apt upgrade -y
sudo apt install python -y
wget "https://gist.githubusercontent.com/jgamblin/e2c5432fa4518876c0536b625f90f8da/raw/67f792b549198a9bff15fd863e4e0cca6ae50b37/cowrie.sh" -O deploy.sh && sudo bash deploy.sh http://yourmhnserver yourcode
#An update broke the deployment script and there is a proposed fix.
#I copied the proposed fix to the gist used here.
#wget "http://yourmhnserver/api/script/?text=true&script_id=14" -O deploy.sh && sudo bash deploy.sh http://honeypot.jgamblin.com yourcode
This script moves your *real* ssh port to 2222 and starts the honeypot on port 22 (SSH) and 23 (Telnet). Once the script is complete they show up in your MHN server: