Security Videos

Entries in tekdefense (7)


Automater - IP and URL analysis tool

Update: Automater gets its own project page http://www.tekdefense.com/automater/

One challenge I have faced, as well as seen other analyst face as well is the amount of time it takes to investigate an IP Address or URL.  If you are like most analyst you have probably used at least some if not all of the following web tools to investigate IPs or URLs involved in an incident:

As I mentioned previously to lookup an IP against all or even some of these takes more time than it should.  Additionally, as they all are formatted differently and have different options, you can not export them in a format that can be attached to a trouble ticket, evidence file, or even an email.  Noticing this issue, I attempted to fix it by creating a python program that will scrape the previously mentioned resources to pull out the information relevant to what the analyst needs.

Meet Automater:

The tool currently only queries IPVoid, Robtex, and Fortiguard currently, but I am working on adding modules from all the resources I mentioned earlier in the article.  The help option will explain where I am heading with the project, all though I am not quite there yet. 

root@bt:~/workspace/Automater# ./Automater.py -h
    -t: target ip or url.  URL must include http://
    -s: source engine (robtex, ipvoid, fortiguard)
    -a: all engines
    -h: help
    -f: import a file of IPs and/or URLs
    -o: output results to file
    -i: Interactive Mode
    ./Automater.py -t -a -o result.txt
    ./Automater.py -f hosts.txt -s robtex -o results.txt

Automater right now only takes the -t and the -h options and only works for one target at a time.  This again will change as I modify it.  URL support has not been added yet either.

I am posting this now in its pre-release form because I would like to hear from the community what types of features they would like to see added.  I would also like to know of any bugs you can find.  Lastly, I am of course interested in anyone who would like to contribute to the project.  If all goes as planned I would like to have the tool fully functional within a couple of weeks.  Once complete I will attempt to pitch the tool to Doug Burks to add to his Security Onion Distro.  I think this could be a really nice tool for analysts.

Contribute to, or download the tool on Github.

Report any Bugs or feature requests to 1aN0rmus@TekDefense.com



TekTip ep12 - Regex Basics

Description: Regular expressions are a way to match specific patterns in strings.
Demo Setup: For the demo, I am using BT5 with eclipse and pydev.  I am demonstrating with python, but there are many other methods that could be used.
Uses:  Singature creation pcre, scripting, programming
"\w": word character
"\W": Not word character
"\d" : digit
"\D" : Not digit
"\s" : space
"\S" : not space
"\" : escape 
"." : Any character except \n (new line)
"|" : or
"{}" : Range
"+" : One or more
String: Hi, my name is 1aN0rmus.  My phone number is 555-555-5555 my address is 123 Internet Lane. 
Regex: '\d\w\w\d\w\w\w\w'
Result: 1aN0rmus
Regex: '\d\w+\d\w+'
Result: 1aN0rmus
Regex: '\d{3}.\d{3}.\d{4}'
Result: 555.555.5555 
Regex: '\d{1,5}\s\w+\s\w+'
Result: 123 Internet Lane
String: saDaSDASD/forum/Themes/core/images/sdfs.exe SAdasd
Regex: '\/forum\/Themes\/core\/images\/\w+\.exe'
Result: /forum/Themes/core/images/sdfs.exe
Scripts seen on this episode can be downloaded at https://github.com/1aN0rmus/TekDefense.  Feel free to help out with either script.  I'm a beginner when it comes to python.

Thank you,



TekTip ep11 - Kippo SSH Honeypot

Description: Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker
Uses:  Alert to potiential threats, watch how hackers operate, gather exploits and malware
http://bruteforce.gr/honeybox Honeybox is a distro that contains numerous honeypot software, all on a single box.  Additionally, the distro preconfigures the honeypot to utilize some of the many enhancements Brutforce Labs have created for these honeypots.
*If at home, to make this accessible from the internet you will need to enable port forwarding at your modem, and potientially your Virtual Machine software.
kippo/kippo.cfg : Main configuration file
kippo/honeyfs :  This is the fake filesystem that wll be presented to the user.
kippo/data/userdb.txt :  This file allows us to modify the username and password combinations that will work when attackers attempt to log into the honeypot.
kippo/log/tty/ : In this directory you will find the logs for each session established by attackers.
- will start kippo
/kippo/utils/playlog.py : Replay an attacker session from the kippo/log/tty directory.
Usage: playlog.py [-bfhi] [-m secs] [-w file] <tty-log-file>
 -f             keep trying to read the log until it's closed
 -m <seconds>   maximum delay in seconds, to avoid boredom or fast-forward to the end. (default is 3.0)
-i             show the input stream instead of output
 -b             show both input and output streams
 -c             colorify the output stream based on what streams are being received
 -h             display this help
~/kippo/utils/playlog.py 20121012-115031-8544.log



TekTip ep10 - Proxychains!

ProxyChains-3.1 (http://proxychains.sf.net)
Proxychains is a tool to force connections through multiple proxies.  What makes this tool special is putting applications without native proxy capabilities through a proxy.
Config: /etc/proxychains.conf
Three main modes
1. Dynamic - All proxies chained in order listed.  Dead proxies are skipped.
2. Strict - All proxies chained in order listed.  If a proxy is dead, the chain is dropped.
3. Random - Randomly chains proxies within the list.
-If using Random, give a chain length to specify how many proxies are used.
Other Important config options:
proxy_dns: ensure this is uncommented if you want to proxy dns requests.  If you don't DNS requests will be handled in the standard manner, unproxied. 
List the proxies use the format of:
"Type address port"
Socks4 8888
proxychains "application"
proxyxhains curl ifconfig.me
proxychains firefox
proxychains ssh root@'
proxychains xhydra

TekTip ep8 - IPv6 Hacking with socat and ANYTHING

IPv6 Hacking w/ socat and ANYTHING
In this episode of TekTip we use socat to facilitate hacking with tools that don't normally support ipv6. While this demo uses nikto as the attacking tool, this methodology will work with most other tools as well.
fdf8:6fd6:7dc:ae05:f1f1:f1f1:f1f1:f1f1 - BT5 (Pentester)
fdf8:6fd6:7dc:ae05:f0f0:f0f0:f0f0:f0f0 - Web Server (Damn Vulnerable Web App, DVWA)
socat TCP-LISTEN:8080,reuseaddr,fork TCP6: [fdf8:6fd6:7dc:ae05:f0f0:f0f0:f0f0:f0f0]:80
  • TCP-Listen:  Select the port the listener will be stood up on.
  • reuseaddr:  Allows other sockets to bind to an address even if parts  of  it  (e.g. the local port) are already in use by socat.
  • fork:   After  establishing a connection, handles its channel in a child  process and keeps the parent process attempting to produce  more connections,  either  by  listening  or  by connecting in a loop
./nikto.pl -host -port 8080
  • Host:  Target ip.  In our case we will use as socat is lstening and forwarding that traffic to the IPv6 target.
  • Port: Port of the target.  We will use 8080 as this is the port we configured socat to listen on.  This is not the port of the target webserver.  Socat will forward to port 80.