Thursday, March 20, 2014
io Solutions
Back in December I received an out of the blue, hostile email from the admins of io saying that I was ruining the Internets by posting my solutions and that my lame attempts were nothing more than weak twitter fame-whoring. It should be noted that their page doesn't mention anything about solution sharing being frowned upon.
My response of "Woah! It's a little early in the morning to be so hostile. Chill" when translated into German must have insulted their mother or something because their mature course of action was to ban my IPs, change the level passwords, call out random commenters on this blog, call out the company I work for, send angry complaining emails to my boss, send angry complaining emails to my former boss, and call me lame for not being able to solve all their games in a day. It should be noted that my io solutions and other posts on this blog are unrelated to my 9-5 and done completely in my spare time.
While one of them calmed down a bit after he couldn't hide behind his hacker handle anymore--even congratulating me on how far I'd gotten--I still kind of feel like they came out guns blazing when a simple, polite "hey man, nice work on our game and all, but think we could talk about taking down your solutions for the good of the community?" email would have been far more productive.
Anyway, I would have loved to finish the game and post the rest of my solutions out of spite, but I've decided to take their advice and not waste my time. They've made it abundantly clear that if I want to work my way up to the fame and fortune of an et al. on an infosec celebrity's next book, playing io is not the way.
I've reposted my solutions for posterity and because fuck being Internet bullied!
Tuesday, December 17, 2013
Some Scribblings on Ferrets
https://www.arbornetworks.com/blog/asert/a-business-of-ferrets/
A little bit of press:
- http://threatpost.com/new-ddos-bot-has-a-fancy-for-ferrets/103226 (Threatpost)
- http://www.scmagazineuk.com/concerns-rise-on-new-ddos-bot-trojan-ferret/article/326337/ (SC Magazine UK)
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3092 (KernelMode.info thread)
- http://www.exposedbotnets.com/2014/01/googleisearchcom-ferret-ddos-botnet.html (Inside Your Botnet)
- http://doc.emergingthreats.net/bin/view/Main/2017917
- http://doc.emergingthreats.net/bin/view/Main/2017883
Friday, October 18, 2013
Citadel’s Man-in-the-Firefox: An Implementation Walk-Through
I did some Citadel work over at https://www.arbornetworks.com/threats/citadel.pdf.
It got a lil' bit of shine:
Squert 1.1.5 on OpenBSD 5.3 with Nginx
A quick and dirty update to http://tildedennis.blogspot.com/2012/09/squert-on-openbsd.html.
Nginx with SSL and PHP
Add PHP package:
$ sudo pkg_add php-fpm
Create a self signed SSL certificate:
$ openssl genrsa -aes256 4096 > server.key
$ openssl req -sha256 -new -key server.key -out server.csr
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
$ mv server.key /etc/ssl/private/
$ mv server.crt /etc/ssl/
Create a basic nginx configuration that redirects http to https and has PHP support:
$ cat /etc/nginx/nginx.conf
events { }
http {
    error_log logs/nginx_error.log;
    include mime.types;
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443 ssl;
        server_name house.lifethreats.org;
        root /var/www/htdocs;
        ssl_certificate /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/private/server.key;
        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param QUERY_STRING $query_string;
            include fastcgi_params;
        }
    }
}
Finishing touches (keep nginx turned off at boot due to SSL private key password prompt):
$ egrep 'nginx|php' /etc/rc.conf.local
#nginx_flags="" # for normal use: ""
pkg_scripts="php_fpm"
Snort
Snort setup is similar to before:
$ sudo pkg_add snort
$ ftp http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
$ tar -zxvf emerging.rules.tar.gz
$ cd rules/
$ ls emerging*.rules | awk -v h="$(hostname -s)" '{print "include $RULE_PATH/" h "/" $1}' > emerging.conf
$ sudo mkdir /etc/snort/rules/`hostname -s`
$ sudo cp emerging-*.rules /etc/snort/rules/`hostname -s`/
$ sudo cp emerging.conf /etc/snort/
$ sudo cp sid-msg.map /etc/snort/
$ sudo cp classification.config /etc/snort/
$ sudo cp reference.config /etc/snort/
$ cd /var/snort/
$ sudo rmdir log
$ sudo mkdir `hostname -s`
$ sudo chown _snort:_snort `hostname -s`/
The following edits should be made to /etc/snort/snort.conf:
var HOME_NET external_ip/32
var EXTERNAL_NET !$HOME_NET
include emerging.conf
Comment out the VRT includes
Everything can be tested with:
$ sudo /usr/local/bin/snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/`hostname -s`/
Configure Snort on boot:
$ grep snort /etc/rc.conf.local
pkg_scripts="php_fpm snort"
Update /etc/rc.d/snort's daemon_flags to:
daemon_flags="-c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/`hostname -s`"
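Snort reads emerging.conf literally, so the sensor hostname has to be baked in when the file is written, and a typo there only surfaces as a failed include at startup. The following is an added example (not from the original post) that generates the per-sensor emerging.conf the way the steps above do and then checks that every include resolves to a real file under RULE_PATH; the directory arguments and the sensor name are assumed inputs.

```shell
#!/bin/sh
# Added example, not part of the original walk-through.
# build_emerging_conf DIR SENSOR : write DIR/emerging.conf with one
#   "include $RULE_PATH/SENSOR/<file>" line per emerging-*.rules file in DIR.
#   The hostname is expanded here, by awk -v, because snort cannot run backticks.
#   Prints the number of include lines written.
build_emerging_conf() {
    dir=$1; sensor=$2
    ls "$dir"/emerging-*.rules | sed 's|.*/||' \
      | awk -v h="$sensor" '{print "include $RULE_PATH/" h "/" $1}' > "$dir/emerging.conf"
    wc -l < "$dir/emerging.conf" | tr -d ' '
}

# check_includes CONF RULE_PATH : resolve every include line against the
#   RULE_PATH snort will use and report files that do not exist.
#   Returns 0 when all includes resolve, 1 otherwise.
check_includes() {
    conf=$1; rulepath=$2; missing=0
    while read -r kw path; do
        [ "$kw" = "include" ] || continue
        # strip the literal "$RULE_PATH" prefix and prepend the real directory
        real="$rulepath${path#\$RULE_PATH}"
        if [ ! -f "$real" ]; then
            echo "missing: $real"
            missing=$((missing + 1))
        fi
    done < "$conf"
    [ "$missing" -eq 0 ]
}
```

Run `check_includes /etc/snort/emerging.conf /etc/snort/rules` after copying the rules into place; anything it reports as missing is what `snort -c` would fail on.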
Mysql
Mysql is the same.
Sguil Server
Tcl
Tcl is the same.
TclX
TclX is the same.
Mysqltcl
Mysqltcl is the same.
Tcltls
Slightly different:
$ sudo pkg_add tcltls
$ openssl req -out CA.pem -new -x509
$ openssl genrsa -out sguild.key 1024
$ openssl req -key sguild.key -new -out sguild.req
$ echo 01 > file.sr1
$ openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -out sguild.pem
$ sudo mkdir -p /etc/sguild/certs
$ sudo mv sguild.key sguild.pem /etc/sguild/certs/
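Both certificate steps on this page (the self-signed nginx cert above and the sguild CA-signed cert here) are worth verifying before the files are moved into place, since a key/cert mismatch or a leaf that does not chain to CA.pem only shows up when nginx or a sguil client fails to connect. The following is an added example, not code from the original post: it runs the same openssl steps non-interactively (assumed: openssl in PATH, `-subj` instead of prompts, 2048-bit keys, an unencrypted server key protected by mode 0600 instead of a passphrase, and the hostname house.lifethreats.org as CN) and then checks each pair.

```shell
#!/bin/sh
# Added example, not part of the original walk-through.
# make_nginx_cert OUTDIR HOSTNAME : self-signed server cert, as in the nginx section.
make_nginx_cert() {
    # Unencrypted key (no -aes256), so there is no passphrase prompt at boot and
    # nginx can stay enabled in rc.conf.local; file mode 0600 protects it instead.
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    chmod 600 "$1/server.key"
    openssl req -sha256 -new -key "$1/server.key" -subj "/CN=$2" \
        -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.key" \
        -out "$1/server.crt" 2>/dev/null
}

# make_sguild_cert OUTDIR : private CA plus CA-signed sguild cert, as in the tcltls section.
make_sguild_cert() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$1/privkey.pem" \
        -subj "/CN=sguild CA" -days 365 -out "$1/CA.pem" 2>/dev/null
    openssl genrsa -out "$1/sguild.key" 2048 2>/dev/null
    chmod 600 "$1/sguild.key" "$1/privkey.pem"
    openssl req -new -key "$1/sguild.key" -subj "/CN=sguild" \
        -out "$1/sguild.req" 2>/dev/null
    echo 01 > "$1/file.sr1"
    openssl x509 -req -in "$1/sguild.req" -CA "$1/CA.pem" -CAkey "$1/privkey.pem" \
        -CAserial "$1/file.sr1" -days 365 -out "$1/sguild.pem" 2>/dev/null
}

# key_matches_cert KEY CERT : does the private key belong to the certificate?
# Compares SHA-256 digests of the public key derived from each side.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then return 0; else return 1; fi
}

# chain_verifies CA LEAF : does the leaf verify against the CA clients will trust?
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Typical use is `make_sguild_cert /tmp/certs && key_matches_cert /tmp/certs/sguild.key /tmp/certs/sguild.pem && chain_verifies /tmp/certs/CA.pem /tmp/certs/sguild.pem` before the `mv` into /etc/sguild/certs.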
Sguild
Sguild is the same except that I forgot about adding a sguil user:
$ sudo sguild -adduser sguil
Sguil Sensor
snort_agent.tcl
Snort_agent.tcl is the same.
Barnyard2
In /etc/snort/snort.conf, add a unified2 output module:
output unified2: filename snort_log, limit 128
Get barnyard2 from https://github.com/firnsy/barnyard2:
$ sudo pkg_add libtool
$ sudo pkg_add autoconf-2.69p0
$ export AUTOCONF_VERSION=2.69
$ export AUTOMAKE_VERSION=1.9
$ unzip barnyard2-master.zip
$ ./autogen.sh
$ ./configure --with-tcl=/usr/local/lib/tcl/tcl8.5
$ make
$ sudo make install
$ sudo mkdir /var/log/barnyard2
$ sudo mkdir /etc/barnyard2
$ sudo cp /usr/local/etc/barnyard2.conf /etc/barnyard2/
Edit /etc/barnyard2/barnyard2.conf (barnyard2 reads these values literally, so substitute the real sensor name, house here, and the sniffing interface rather than a shell expression):
config daemon
config hostname: house
config interface: <interface_name>
output sguil: agent_port=7735, sensor_name=house
Comment out non-sguil outputs
Test like this:
$ sudo /usr/local/bin/barnyard2 -c /etc/barnyard2/barnyard2.conf -d /var/snort/house/ -f snort_log
Create /etc/rc.d/barnyard2:
#!/bin/sh
daemon="/usr/local/bin/barnyard2"
. /etc/rc.d/rc.subr
rc_cmd $1
Edit /etc/rc.conf.local
barnyard2_flags="-c /etc/barnyard2/barnyard2.conf -d /var/snort/house/ -f snort_log"
pkg_scripts="php_fpm snort mysqld sguild snort_agent barnyard2"
Squert
$ sudo pkg_add php-mysql-5.3.21
$ sudo ln -sf /etc/php-5.3.sample/mysql.ini /etc/php-5.3/mysql.ini
$ unzip squert-master.zip
$ sudo mv squert-master /var/www/htdocs/squert/
$ cd /var/www/htdocs/
$ sudo cp squert/.inc/config.php.sample squert/.inc/config.php
In /var/www/htdocs/squert/.inc/config.php, update:
// DB Info
// Sguild Info
// Where are the rules? If you have multiple dirs, separate each with: ||
$rulePath = "/etc/snort/rules";
// DNS server to query
$dns = "192.168.0.1";
Update /etc/my.cnf:
$ egrep 'group_concat|local-in' /etc/my.cnf
local-infile=1
group_concat_max_len = 100000
Add some indexes to the sguildb:
$ mysql -N -B --user=root -p sguildb -e "CREATE INDEX sid ON history (sid);"
$ mysql -N -B --user=root -p sguildb -e "CREATE INDEX cid ON history (cid);"
Add new tables:
$ cat squert/.scripts/squert.sql | mysql -uroot -p -U sguildb
Give sguil user privileges to ip2c table:
$ mysql -N -B --user=root -p -e "GRANT ALL PRIVILEGES ON sguildb.ip2c TO 'sguil'@'localhost';"
To mapping table:
$ mysql -N -B --user=root -p -e "GRANT ALL PRIVILEGES ON sguildb.mappings TO 'sguil'@'localhost';"
To filters table:
$ mysql -N -B --user=root -p -e "GRANT INSERT,UPDATE,DELETE ON sguildb.filters TO 'sguil'@'localhost';"
Populate ip2c table:
$ cd squert/.scripts/
$ ./ip2c.tcl
Add an index to comment table:
$ mysql -N -B --user=root -p -e "CREATE INDEX comment ON sguildb.history (comment(50));"
Give delete permissions to sguil to comment table:
$ mysql -N -B --user=root -p -e "GRANT DELETE on sguildb.history to 'sguil'@'localhost';"
Add cronjobs to keep things updated:
*/5 * * * * /usr/local/bin/php-5.3 -e /var/www/htdocs/squert/.inc/ip2c.php 1 > /dev/null 2>&1
0 0 1 * * /var/www/htdocs/squert/.scripts/ip2c.tcl > /dev/null 2>&1