Wednesday, June 21, 2017

Firefox Focus

I like my privacy, it is something I value, and when I saw that Mozilla produced Firefox Focus, a browser for Android that does a better job for your privacy, I wanted to test it out.

I installed it and went, as usual, straight for the settings, where I had a little disappointment. The default search engine is Yahoo and not DuckDuckGo, and instead of an opt-in you have an opt-out for sending anonymous data. For the rest I turned all options on to block as much as possible.

I visited a couple of websites and must say that it ran smoothly, and if you think about it, you are pulling down less from the Internet, so you will consume less of your data plan.

If I run into any trouble I will write a follow-up, but up till now there were no issues.

Thursday, April 20, 2017

Docker behind a proxy

Docker is a useful tool in my toolbox. I especially recommend the REMnux contributions by Lenny Zeltser. Recently I needed a VM with an Ubuntu guest OS to run Docker containers, but the issue was that the pull had to go through an authenticated proxy.

Docker has given this scenario thought: the daemon takes its proxy settings from the environment of its systemd service, so you add a drop-in file for docker.service. This is what I did:

sudo mkdir /etc/systemd/system/docker.service.d
sudo touch /etc/systemd/system/docker.service.d/http-proxy.conf
sudo vi /etc/systemd/system/docker.service.d/http-proxy.conf

In this file you put:
[Service]
Environment="HTTP_PROXY=http://user:password@proxyserver:port/"

Keep in mind that the proxy password now sits in clear text in that file, and a file created with touch under /etc/systemd/system is world-readable by default, so tighten its permissions to root only before you move on; otherwise every local user on the VM can read the credential.

Flush the changes so systemd picks up the drop-in:
sudo systemctl daemon-reload

Test if it worked:
sudo systemctl show --property=Environment docker

This should print the Environment line with the proxy you entered, password included, so do not paste that output into a ticket or a chat.

Restart docker so the daemon starts with the new environment:
sudo systemctl restart docker
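The same procedure as one script, as an added example that is not part of the original post. It writes the drop-in with the file mode restricted to root (the password sits in it in clear text), adds HTTPS_PROXY and NO_PROXY, which Docker reads from the same drop-in, and strips the credential from the systemctl show output before printing it. The ROOT, PROXY_URL and NO_PROXY_LIST variables are assumptions of this example, not something Docker or systemd defines: with ROOT pointing at a scratch directory the script only writes the file, with ROOT unset it reloads and restarts the daemon, so run it with sudo in that case.

```shell
#!/bin/sh
# Added example, not from the original post: write the systemd drop-in that
# hands Docker its proxy, check it, and reload. It also sets HTTPS_PROXY and
# NO_PROXY, which Docker reads from the same drop-in. ROOT (assumed, not in the
# post) lets you write to a scratch tree instead of / for a dry run.
set -eu

dropin_path() {
    printf '%s/etc/systemd/system/docker.service.d/http-proxy.conf\n' "${ROOT:-}"
}

# write_proxy_dropin PROXY_URL [NO_PROXY]
# The URL carries a password, so the file is created 0600 (umask 077) instead of
# the world-readable 0644 that a plain 'sudo touch' would give it.
write_proxy_dropin() {
    proxy="$1"
    no_proxy="${2:-localhost,127.0.0.1}"
    case "$proxy" in
        http://*|https://*) ;;
        *) echo "proxy URL must start with http:// or https://" >&2; return 1 ;;
    esac
    f="$(dropin_path)"
    mkdir -p "$(dirname "$f")"
    (
        umask 077
        cat > "$f" <<EOF
[Service]
Environment="HTTP_PROXY=$proxy"
Environment="HTTPS_PROXY=$proxy"
Environment="NO_PROXY=$no_proxy"
EOF
    )
}

# redacted_proxy: the HTTP_PROXY value from the drop-in with user:password
# stripped, safe to put in a log line or a ticket.
# "http://user:secret@proxy:3128/" -> "http://proxy:3128/"
redacted_proxy() {
    sed -n 's/^Environment="HTTP_PROXY=\(.*\)"$/\1/p' "$(dropin_path)" \
        | sed 's#://[^@/]*@#://#'
}

# Only touch systemd when writing the real tree (ROOT empty); the check output
# is redacted the same way so the password does not end up on a terminal log.
apply_live() {
    if [ -z "${ROOT:-}" ]; then
        systemctl daemon-reload
        systemctl show --property=Environment docker | sed 's#://[^@/]*@#://#'
        systemctl restart docker
    fi
}

# Usage: PROXY_URL=http://user:password@proxyserver:port/ sh docker-proxy.sh
if [ -n "${PROXY_URL:-}" ]; then
    write_proxy_dropin "$PROXY_URL" "${NO_PROXY_LIST:-}"
    echo "wrote $(dropin_path) for proxy $(redacted_proxy)"
    apply_live
fi
```

Run it once with ROOT set to an empty scratch directory and inspect the generated file before running it against the real system.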

Thursday, April 6, 2017

Dockerized recon-ng

OSINT is very important in what I do, and thus I've spent some time getting familiar with recon-ng in the past. Since I like my toys as much as the next IT guy, I decided to run it in a container so that I can spin it up exactly how I like it in every environment.

The dockerfile

# Based on ubuntu
FROM ubuntu:16.04
MAINTAINER Erik Vanderhasselt

# Set environment variables
ENV DEBIAN_FRONTEND noninteractive

# Set the mirror to the country mirror
RUN sed -i 's/archive/be.archive/g' /etc/apt/sources.list

# Upgrade Ubuntu (update and upgrade in one layer, so the package list
# is never older than the packages installed from it)
RUN apt-get update && \
    apt-get install -f && \
    apt-get dist-upgrade -y

# Set the timezone
# bug in ubuntu 16.04:
# https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/1554806
RUN ln -fs /usr/share/zoneinfo/Europe/Brussels /etc/localtime
RUN dpkg-reconfigure -f noninteractive tzdata

# installation of git, only needed for the clone below
RUN apt-get install -y git

# Clone recon-ng from bitbucket
# (not pinned to a tag or commit: every build takes whatever the head of
# the repository is at that moment, so note the commit if you need to
# reproduce an image later)
RUN git clone https://bitbucket.org/LaNMaSteR53/recon-ng.git

# Remove git
RUN apt-get remove -y git

# installation of python and pip
RUN apt-get install -y python python-pip

# install the python requirements of recon-ng
WORKDIR /recon-ng
RUN pip install -r REQUIREMENTS

# Cleaning up
RUN apt-get autoremove -y && \
    apt-get clean -y

# Execute recon-ng framework
ENTRYPOINT ["./recon-ng"]


I am spinning this container up in Belgium, which is why the mirror is the be mirror. If you work in another country it is a good idea to change the value to your own country mirror; this makes the downloads a bit faster.

To make the build a bit easier I wrote a small build script
#! /bin/bash

# creation of the output directory and subdirectories
mkdir -p output

# build of the docker image, tagged with a timestamp and as latest
DATE=$(date +%y%m%d%H%M%S)
sudo docker build -t "recon-ng:$DATE" -t recon-ng:latest .



Spinning it up needs a -v mount, so that the /root/.recon-ng directory (where recon-ng keeps its workspaces and database) lands in ./output on the host instead of disappearing with the container, and I wrote a little script for that as well:

#! /bin/bash

# create the variables
IMAGE='recon-ng'
PATH_RECON=$(pwd)

# creation of the output directory
mkdir -p output

# run the container; /root/.recon-ng is mounted from ./output so the
# results survive the --rm
sudo docker run --rm -it -v "$PATH_RECON/output/:/root/.recon-ng/" "$IMAGE"


Finally, while I was at it, I wrote a little script to archive the result so that I am sure I don't mix databases while working on different projects in parallel.

#! /bin/bash

# archive the output directory; the archive name carries a timestamp so
# that archiving the next project does not overwrite the previous one
sudo tar cvf "recon-ng-$(date +%y%m%d%H%M%S).tar" output/

# delete the output directory (sudo because docker wrote it as root)
sudo rm -Rf output/
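A per-project variant of the run and archive scripts above, as an added example that is not part of the original post. Instead of one shared output/ directory it gives each project its own output/<project> mount, validates the project name before it is used as a path, and writes a SHA-256 manifest into the archive so that you can later check that nothing in an archived database was changed. The PROJECT and WORK variables, the output/<project> layout and the timestamped archive name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: one recon-ng workspace per project
# so the databases of parallel engagements never mix, plus an archive with a
# SHA-256 manifest that can be re-checked later. The project-name argument, the
# output/<project> layout and the WORK variable are assumptions of this example.
set -eu

IMAGE="${IMAGE:-recon-ng}"
WORK="${WORK:-$(pwd)}"

# A project name becomes a directory and a mount path, so refuse anything that
# could escape output/ (slashes, ".", "..") or look like an option (leading -).
valid_project() {
    case "$1" in
        ''|*/*|.|..|-*) return 1 ;;
        *) return 0 ;;
    esac
}

project_dir() { printf '%s/output/%s\n' "$WORK" "$1"; }

# run_project NAME: start the container with the project's own ~/.recon-ng.
run_project() {
    valid_project "$1" || { echo "bad project name: $1" >&2; return 1; }
    mkdir -p "$(project_dir "$1")"
    sudo docker run --rm -it -v "$(project_dir "$1"):/root/.recon-ng/" "$IMAGE"
}

# archive_project NAME: write MANIFEST.sha256 (one line per file) into the
# project directory, tar the directory with a timestamp and print the tar path.
archive_project() {
    valid_project "$1" || { echo "bad project name: $1" >&2; return 1; }
    dir="$(project_dir "$1")"
    [ -d "$dir" ] || { echo "no such project: $1" >&2; return 1; }
    (
        cd "$dir"
        find . -type f ! -name MANIFEST.sha256 | sort | while read -r f; do
            sha256sum "$f"
        done
    ) > "$dir/MANIFEST.sha256"
    archive="$WORK/recon-ng-$1-$(date +%y%m%d%H%M%S).tar"
    tar cf "$archive" -C "$WORK/output" "$1"
    printf '%s\n' "$archive"
}

# verify_archive TAR: unpack into a scratch directory and re-check every hash.
# Returns 0 only when every file still matches the manifest.
verify_archive() {
    tmp="$(mktemp -d)"
    tar xf "$1" -C "$tmp"
    name="$(ls "$tmp")"
    if ( cd "$tmp/$name" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 ); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: PROJECT=client-a sh recon-project.sh run|archive|verify <tar>
if [ -n "${PROJECT:-}" ]; then
    case "${1:-run}" in
        run) run_project "$PROJECT" ;;
        archive) archive_project "$PROJECT" ;;
        verify) verify_archive "$2" && echo "archive verified" ;;
    esac
fi
```

The manifest only tells you that the archive is unchanged since it was written; if you need proof against someone who can rewrite the archive and the manifest together, sign the manifest or store its hash elsewhere.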



Monday, March 20, 2017

Github

Hello,

I stumbled on github tagging recently. It is a feature I was not aware of.

For example if I am very interested in RAT (remote access trojans) I can find these projects with https://github.com/search?q=topic%3Atrojan&type=Repositories and https://github.com/search?q=topic%3Arat&type=Repositories.

The syntax of the repo list is thus (topic%3A is the URL-encoded "topic:", followed by the keyword):
https://github.com/search?q=topic%3A<keyword>&type=Repositories

This is a list of interesting keywords I've been looking at:
  • trojan
  • rat
  • keylogger
  • spyware
  • malware-research
  • malware-development
  • steganography
  • pentesting
  • blacklist
  • code-injection
  • virus
  • persistence
  • meterpreter
  • reverse-shell
  • malware
  • threat
  • bypass-av
  • powershell
  • sniffer
  • scanner
  • xss
  • sql-injection
  • sqli
  • denial-of-service
  • phishing
  • man-in-the-middle
  • exploit
  • fuzzer
  • poc
  • attacker

One should of course not jump to conclusions and understand that a knife can be used for killing but I used one this morning to cut my bread.

Powershell try catch, quick demo

This post is for the person to whom I explained try catch today ;)

When you do things in powershell you will need try-catch blocks to handle your errors.

Try, catch and finally
The try block contains the statements you want to run. A catch block handles one or more error types; a catch without a type is a catch-all (usually not the right solution). The finally block runs after the try block and any catch block, whether or not an error occurred, so it is the place for clean-up.

$error
The automatic variable $error will be your friend. It holds the errors of the current session as an array, newest first, so $error[0] is the last error. When you run a script, $error.Count should be 0 (Count is a property, not a method, so no parentheses). When you are running in an IDE this can be different, so as a matter of safety, to avoid headaches, you might want to put as the first lines of your script:

# clearing output and $error
clear-host
$error.clear()
 
Making errors
To demo try-catch I did a division by zero; as we all know this gives an error and it is thus an excellent candidate to learn try-catch.

$a = 1
$b = 0
$a / $b

Getting the errors from $error
Now that we have an error we can ask $error what type of error we created.

$error[0].Exception.GetType().FullName

This returned System.Management.Automation.RuntimeException

Be aware that RuntimeException is the wrapper PowerShell puts around a lot of run-time errors, so a catch on this type is not much narrower than the catch-all; when you want to be specific, look at $error[0].Exception.InnerException for the underlying .NET exception and catch that type instead.

When you are developing, check $error.Count to see if you handled all errors and did not forget one. During development you can put as the last line

write-host $error

to check if you handled everything.

Handling the error
Now that we know the error type we can handle it:

try {
    $a = 1
    $b = 0
    $a / $b
}
catch [System.Management.Automation.RuntimeException] {
    write-host "You caught an error"
}
finally {
    write-host "This is the finally block"
    $error.clear()
}

The finally block runs on its own as soon as the catch block is done (or the try block, when nothing went wrong), so no statement is needed to reach it. In particular do not put a break in the catch block for that purpose: a break that is not inside a loop does not jump to finally, it terminates the whole script (finally still runs on the way out). The $error.clear() in the finally block is cleaning up after yourself.

Monday, November 28, 2016

makepasswd generating passwords on linux

I was writing a script the other day and had to generate a password, and found the nifty tool called makepasswd.

makepasswd is a command that generates true random passwords using /dev/random.

To install you do
sudo apt-get install makepasswd

To generate a password you do

makepasswd

and if you want a 16 character password you do

makepasswd --chars 16
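An added example, not part of the original post, for the case where makepasswd is not available on the box: a shell function that draws a password of the requested length straight from /dev/urandom, and a helper that computes how many bits of entropy a given length and alphabet give, so a script can refuse a password that is too short. The 80-bit floor and the GENPASS_LENGTH variable are assumptions of this example, not anything makepasswd defines.

```shell
#!/bin/sh
# Added example, not from the original post: generate a password straight from
# /dev/urandom when makepasswd is not installed. tr -dc throws away every byte
# outside the alphabet, so the bytes that survive are uniform over it (no modulo
# bias). The 80-bit policy floor is an assumption of this example.
set -eu

ALPHABET='A-Za-z0-9'    # 62 symbols, about 5.95 bits each

# gen_password LENGTH [ALPHABET]: print one password of exactly LENGTH characters.
gen_password() {
    len="$1"
    set_="${2:-$ALPHABET}"
    [ "$len" -gt 0 ] 2>/dev/null || { echo "length must be a positive integer" >&2; return 1; }
    LC_ALL=C tr -dc "$set_" </dev/urandom | head -c "$len"
    echo
}

# entropy_bits LENGTH SIZE: floor(LENGTH * log2(SIZE)); 16 characters from 62
# symbols give 95 bits, 8 characters only 47.
entropy_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%d\n", n * log(s) / log(2) }'
}

# strong_enough LENGTH SIZE: succeed when the password meets the policy floor.
strong_enough() {
    [ "$(entropy_bits "$1" "$2")" -ge 80 ]
}

# Usage: GENPASS_LENGTH=16 sh genpass.sh   (the makepasswd --chars 16 equivalent)
if [ -n "${GENPASS_LENGTH:-}" ]; then
    strong_enough "$GENPASS_LENGTH" 62 || echo "warning: under 80 bits of entropy" >&2
    gen_password "$GENPASS_LENGTH"
fi
```

Pass a second argument such as '0-9a-f' to get a hex string of the same quality, for instance for a temporary API token.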

Monday, November 14, 2016

FIR (fast incident response) in docker

FIR (Fast Incident Response) is a project by CERT Société Générale. It is a nice system to do incident tracking and I have been using it on a regular basis for over a year now. After a year of daily use, I gathered the users and a series of issues and wanted features were expressed.

To make things go forward in an easy way I decided it was time to dockerize the installation so the end users can give quick feedback on features under development.

Although there is a Dockerfile in the repo, I decided to make my own based on the existing one:

# Dockerfile to build FIR container
# Original Dockerfile by Kyle Maxwell https://github.com/certsocietegenerale/FIR/blob/master/docker/Dockerfile
#
# to build: docker build -t fir .
# to run: docker run -d -p 8000:8000 fir
# webinterface: http://x.x.x.x:8000
#
# default administrator: admin
# default password:  admin (comes from the dev_users.json fixture loaded
# below; change it before anyone else can reach port 8000)

# Based on ubuntu 16.04
FROM ubuntu:16.04
MAINTAINER Erik Vanderhasselt

# Set environment variables
ENV DEBIAN_FRONTEND noninteractive

# Upgrade Ubuntu
RUN \
  apt-get update && \
  apt-get dist-upgrade -y && \
  apt-get autoremove -y && \
  apt-get clean

# Set the timezone
# https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/1554806
RUN ln -fs /usr/share/zoneinfo/Europe/Brussels /etc/localtime
RUN dpkg-reconfigure -f noninteractive tzdata

# Install dependencies (one layer, reusing the package list from the update above)
RUN apt-get install -y \
      python-dev \
      python-pip \
      python-lxml \
      git \
      libxml2-dev \
      libxslt1-dev \
      libz-dev

# Install the latest version of pip
RUN pip install --upgrade pip

# create the user and group
RUN groupadd -r fir
RUN useradd -r -g fir -d /home/fir -s /usr/sbin/nologin -c "FIR user" fir

# Download FIR from Github into /home/fir/FIR
# (the clone is not pinned to a tag or commit, so every build takes whatever
# master is at that moment)
WORKDIR /home/fir
RUN git clone https://github.com/certsocietegenerale/FIR.git FIR
RUN chown -R fir:fir /home/fir

# install the requirements
WORKDIR /home/fir/FIR
# remove psycopg2==2.6.2 from requirements.txt since we are not using PostgreSQL
RUN sed '/^psycopg2/d' /home/fir/FIR/requirements.txt > /home/fir/FIR/req1.txt
# run pip
RUN pip install -r /home/fir/FIR/req1.txt

# prepare to run: the migrations and fixtures are applied at build time, so
# the database (admin/admin user included) is baked into the image
USER fir
ENV HOME /home/fir
ENV USER fir
WORKDIR /home/fir/FIR
RUN ./manage.py migrate
RUN ./manage.py loaddata incidents/fixtures/seed_data.json
RUN ./manage.py loaddata incidents/fixtures/dev_users.json

###############################################################################

# make it run (Django's development server: fine for collecting feedback,
# not meant to face an untrusted network)
EXPOSE 8000
ENTRYPOINT ["/home/fir/FIR/manage.py"]
CMD ["runserver", "0.0.0.0:8000"]




To build the container you do sudo docker build -t fir .
To run the container you do sudo docker run -d -p 8000:8000 fir
To access FIR you point your browser to http://localhost:8000; the default login is admin and the default password is admin too, because the dev_users.json fixture is loaded at build time. Change that password right away (Django's manage.py changepassword admin, run inside the container with docker exec, does it), otherwise anyone who can reach port 8000 logs in as administrator.

Now you have a nice system to record your incidents, which is a good start, but you also need incident response procedures. If you have no idea what I am talking about, I recommend you read up on the documents written by ENISA, NIST, CERT.org, etc.