So, admittedly, I did terribly at the Linux Showdown 8 at TrueAbility. It wasn’t an area where my Linux expertise has taken me in the past, so I simply gave up after 10 minutes of staring at my screen, with the challenge looking so lonely up there without me adding any text to it. The next installment of the Linux Showdown begins on Monday, April 27, 2015, so make sure you sign up at TrueAbility and participate so the world can see your Linux skills. TrueAbility Linux Showdown 9 is upon us.
I’m expecting Linux Showdown 9 will be a much-needed return-to-their-roots challenge, as Showdown 8 seemed very specific and very “DevOps-y.” I’m excited for this Showdown, and I expect to do much, much better at this Linux Showdown than I did on the eighth installment.
From the TrueAbility Linux Showdown 9 page:
FragmasterX needs your help.
His competitive quake3arena team, DramaForUrLlama, has just had something of a minor civil war, which has caused the former server admin to rage /quit and shutdown all access to their private quake3 server, voip communications, and the team’s website.
The problem? The Llamas have a playoff match scheduled to start in the next 30 minutes that was supposed to be running on their server. If they don’t have something online by then, they’ll have to forfeit and if they can’t get voice communications setup they’ll get trounced in the match. They need this win to stay alive in the tournament.
FragmasterX’s brother said they could use one of his servers to run everything off of, but his brother doesn’t have the time to get it all set up. He’s ok with giving you the root password, but just wants you to be careful not to interfere with any of the sites already running on the server.
Save the DramaForUrLlamas!
So, several months ago, I wrote about a tool that the FBI was going to make available to members of InfraGard, called Malware Investigator. The tool was meant to give members of law enforcement and InfraGard analysis of submitted malware. I said that I would provide a detailed write-up on how useful the tool is and how it helps me analyze the malware I find. I am happy to do that for you here; here is my review of Malware Investigator.
I submitted 3 malware samples that I found via my SSH honeypot. Granted, these samples were compiled for execution on a MIPS-based system, so all the other malware analysis tools proved relatively worthless, as most of them are only set up to run w32 (Windows) binaries and test the execution of that malware. I submitted these samples on 4/20, one at approx. 7:30 AM MDT and the other two later in the day, at approx. 4:30 PM MDT.
As I am writing this post, on 4/23 at approx. 9:45 AM MDT, the analysis of all three files is still incomplete. Since these are sort of odd-ball files to submit (again, they are MIPS executables), I think a day is a reasonable amount of time to run the malware in a sandbox and provide a report. However, at 3 days and still going, this sort of analysis is taking far too long for the service to be useful to malware hunters out there.
Depending on the output, and if it ever completes, I may or may not provide a follow-up to this article detailing how accurate the malware analysis at Malware Investigator was; it is something to write about.
On the positive side, the analysis of the files (just one is included here) does provide some decent initial details; however, what I’m really curious about is the attribution and correlation that the FBI provides me with (if any).
I downloaded a copy of Cyborg Hawk Linux 1.1 several weeks ago, and unfortunately didn’t get around to actually installing it, and using it until today.
My very first impressions were about how “beautiful” the desktop is; but that is about where the beauty ends.
So, on to my use of it:
There are a bunch of tools on there, many that I’m not familiar with and that aren’t in Kali Linux. I visit Cyborg Hawk Linux’s homepage to read what documentation and tutorials they have on their website, and the pages they link to are down (see here). There are several pages up in their “Documentation” section, so I peruse through there for a bit, not really finding the info I needed. I will come back later to the tools I’m unfamiliar with and put in the manual research time for those.
Launching tools that I’ve either used before or actually have a pressing need to examine (I’ve got some malware samples that I really want to take a look at), I try to launch Cuckoo, and it fails. I’m not extremely familiar with any of the other tools, but again, I will return to those once I can read up on them and learn how to use them.
Now headed off to tools that I’m extremely familiar with, including Metasploit. I launch the Metasploit service, then attempt to update the modules, and it fails. I attempt to register the service, and it fails, so I’m unable to update or use Metasploit.
So far, in a couple of hours of use, all this distro has going for it is a pretty interface and a lot of tools. As I mentioned earlier, I will dig into those tools as soon as I have time to search and look up what each of them does. Overall, I’m not very impressed with Cyborg Hawk Linux 1.1.
Happened across a couple of articles today that I found interesting: is AES-256 vulnerable to attack? After reading the articles (IANAM: I am not a mathematician), it seems the answer is no, for now. Should we be worried? I don’t think so; we are constantly working on new encryption algorithms, and to say that we are going to be on AES-256 for the next 25-50 years is a little absurd.
So, yes, scientists have found a way: whatever difficulty they have and whatever hardware they have, they have found that they can “break” AES-256 3 to 5 times quicker than was previously thought possible. Just to bring you back down to Earth on this idea: the current estimate of the time required to break AES-256 with a 256-bit key (calculated before these scientists published their information) is 3.31 x 10^56. Using purely rough numbers, that means it would take billions of years to crack a single key. Then, with the details the scientists provide, if you divide that time by 5, you come up with 6.6 x 10^55, which is still billions of years.
It is safe to say that, at this stage in the game, we are safe. We must continue to develop new encryption standards and new encryption schemes, but not completely freak out and lose our minds right now over this newly released information about AES-256. The other thing I’m taking into consideration: if scientists found a way to reduce the time to compute a key by a factor of 5, it is likely that sometime in the future other scientists will find a way to reduce it by even more. Regardless, at this time we are safe, and as long as we keep working on new encryption standards, we will still be safe, even when AES-256 is down to hundreds of years to crack.
Don’t freak out now, but keep urging people to continue working on encryption standards to improve on current schemes.
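Added here as a worked equation, not part of the original post: a constant-factor speedup $k$ in an attack removes only $\log_2 k$ bits of effective key strength, which is why dividing an astronomically large time by 5 changes so little.

$$T' = \frac{T}{k} = \frac{3.31 \times 10^{56}}{5} \approx 6.62 \times 10^{55}$$

$$\text{bits lost} = \log_2 k = \log_2 5 \approx 2.32, \qquad 256 - 2.32 \approx 253.7 \text{ bits of effective security}$$

A speedup would have to reach $k = 2^{128}$ before a 256-bit key dropped to the 128-bit level, so a factor of 3 to 5 is a rounding error in security terms.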
I decided I would set up an SSH honeypot, for a bunch of reasons, and not only to poke the bear.
If you’re not familiar with what an SSH honeypot is, it is a “virtual” environment set up to replicate an SSH server, and once in, it replicates the basic look and feel of a server you would SSH into. In my example, it gives the basic outward appearance of a Debian server. Once the “bad guy” logs in, it logs all his activity: everything he tries to put on the server, everything he tries to take off the server, and all the commands that he types (or has scripted out). I’m extremely interested to see what these “bad guys” are doing.
I can’t say for certain why I wanted to set up a honeypot server, beyond wanting to see what an attacker would do once he gets inside the system. In the day that I’ve had the server up, the password has been guessed several times; however, no attacks have been made against the server, and there has been no login besides the initial brute force connection attempting to break into the server. So nothing really to report on as of yet, but I am truly interested in the attacks that occur against my server after someone logs in and starts doing something.
There is also another pretty good-looking utility to go along with the Kippo SSH honeypot, called Kippo-Graph, which presents the data from the honeypot in a nice, easy-to-read web page format. It also has a nice little interface that steps through all the commands the “bad guy” types and displays them in amazing detail. So, I’m also pretty excited about that.
I will report back once I have some solid data collected and something more happens besides the initial brute force attempt. Here’s to running an SSH honeypot...
It should be noted that it makes sense to have a pretty good idea of what you’re getting into when you’re setting up an SSH honeypot. As in the title, I’m not simply doing it to poke the bear; I want to understand what an attacker does once they see an available SSH host (the honeypot).
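To make the logging concrete, here is a small summarizer, added as an example and not part of the post or of Kippo/Kippo-Graph, run over constructed log lines written in the style of Kippo’s text log (the exact field layout is an assumption): it tallies failed and successful login attempts per source address and lists the commands typed after a successful login, which is exactly the “something more than the brute force attempt” the post is waiting for.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a Kippo honeypot log (not a real capture).
SAMPLE_LOG = """\
2015-04-20 07:31:02+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/123456] failed
2015-04-20 07:31:05+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/password] failed
2015-04-20 07:31:09+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/toor] succeeded
2015-04-20 07:31:15+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.7] CMD: uname -a
2015-04-20 07:31:20+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.7] CMD: cat /proc/cpuinfo
2015-04-20 16:02:41+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.23] login attempt [admin/admin] failed
2015-04-20 16:02:44+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.23] login attempt [admin/1234] failed
"""

# Field layout assumed from Kippo-style lines: timestamp, transport id, source IP, then the event.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)
CMD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHChannel session \(\d+\) on SSHService ssh-connection on "
    r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$"
)

def summarize(log_text):
    """Per source IP: counts of failed/succeeded logins, credentials tried, commands typed."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "creds": [], "commands": []})
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            s = stats[m["ip"]]
            s[m["result"]] += 1
            s["creds"].append((m["user"], m["pw"]))
            continue
        m = CMD_RE.match(line)
        if m:
            stats[m["ip"]]["commands"].append(m["cmd"])
        # Other line types (connection open/close, file transfers) are ignored here.
    return dict(stats)

def interactive_sources(stats):
    """Sources that got past the brute force stage: logged in AND typed at least one command."""
    return sorted(ip for ip, s in stats.items() if s["succeeded"] and s["commands"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip}: {s['failed']} failed, {s['succeeded']} succeeded, "
              f"{len(s['commands'])} commands")
    print("interactive:", interactive_sources(stats))
```

Point the script at your real Kippo log file instead of SAMPLE_LOG to get the same per-source breakdown that Kippo-Graph charts, without the web front end.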
I use encryption in nearly every aspect of my life. Some uses are more effective than others, admittedly; however, there is encryption everywhere. For example:
My Android phone is encrypted
My computer’s partitions are LUKS encrypted
The website you’re reading this on, is encrypted
Encryption is an integral part of life, in assuring both security and integrity of my website, my emails, and pretty much everything I do in life. I don’t partake in any criminal acts, but I still don’t want anyone to be able to view my data, if I don’t want them to.
I found this excellent article over at TED, discussing why you should care about encryption too.
So why does encryption matter, anyway?
Well, some would have you believe that encryption is a tool for the “bad guys,” enabling terrorists to have an easy way of plotting their next crimes. In reality, banning encryption won’t stop terror attacks or end religious extremism. But such a ban could stifle democratic movements, scuttle online security, and undermine our open society.
Continuing the policy first adopted (that we know of) for North Korea’s (disputed) attack against Sony Pictures, Pres. Barack Obama has authorized the U.S. to uphold sanctions against countries that initiate cyber attacks against the U.S., and companies within the U.S.
I’m personally against this action, as it authorizes the U.S. to retaliate for something that we have had a terrible time attributing to countries. I foresee that it will lead to increased tensions against the U.S.
From the PCMag.com article:
Several months after the White House imposed sanctions on North Korea for its alleged involvement in the hack of Sony Pictures, the administration is promising to do the same to anyone else that tries to hack American targets.
President Obama signed an executive order that authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on individuals or entities believed to be involved in “malicious cyber-enabled activities” that could pose “a significant threat to the national security, foreign policy, economic health, or financial stability of the United States.”
“Starting today, we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit,” Obama said in a statement.
It was a fun little challenge, and I definitely want to give my thanks to the Infosec Institute for putting out such a fun CTF challenge!
You can also visit the page if you got stumped on a challenge and didn’t like any of my solutions; there you can see everything that other people wrote about the challenge and judge for yourself.
For anyone getting into the security or penetration testing field, I believe it is always recommended that you do as much reading, learning, and testing as possible. I highly recommend this very informative read from Mark Montague, called Attacking WordPress.
He uses tools commonly provided with Kali Linux but available to nearly every Linux user: WPScan, Weevely, and Metasploit. What he shows in his presentation is that he is not using anything he would consider advanced techniques; he is using basic skills and basic tools to find vulnerabilities in WordPress and successfully exploit them.
In his presentation, Mark Montague walks you through running WPScan to determine the versions of WordPress and its installed plugins, using Weevely to generate PHP code that allows the hacker to remotely control the server, and using Metasploit for additional exploitation plugins.