Tiny Core Linux

Tiny Core Linux is a light and modular Linux distribution. Its main purpose is to allow the easy construction of simple but powerful appliance-like desktops.

Contemplating a distribution that can get you to a basic, empty desktop by booting from a 10MB ISO (you read that right), you’d be forgiven for wondering how comprehensive a Tiny Core system could be. On further investigation it turns out that Tiny Core owes its slim stature to a careful choice of lightweight components and the fact that it isn’t derived from one of the mainstream distributions. This decision by the developers brings with it both advantages and disadvantages. Tiny Core offers a very fast experience overall, with a boot time that none of the major distributions can touch. On the other hand, if something goes wrong or you couldn’t find a runnable application that you needed, the remedies that work on other Linux systems may not work with Tiny Core.

Once up and running, you are plonked into a blue desktop courtesy of the FLWM window manager with an icon-based application launcher at the bottom of the screen. By default, there are icons to access settings, add packages to the system, mount disks and to launch the file manager, but there are no substantial applications at this point.

Tiny Core uses its own package format, but rest assured, the package repository is huge with thousands of applications that are ready to go. Adding a medium-sized application such as Firefox, for example, takes only a couple of minutes. When you install applications, using the GUI package manager, they are downloaded and then added on the fly, automatically popping up on the application bar.  During the boot process, the user specifies the location of a directory to be used for settings and application packages, and on subsequent boots, Tiny Core automatically locates the files that it needs. Here again, we glimpse some intriguing technology as there are options for loading the application files into RAM or fetching them from the disk when needed



Tiny Core Linux

There are a few ways of using Tiny Core, but the approach favoured by the developers is to combine a medium such as a CDROM with writable storage such as a hard disk or USB stick. The developers cite the advantage that this makes system files incorruptible, but the problem is that I don’t think that many people will want to boot from a CDROM every time they switch the computer on. Neither will many people be interested in carrying around a CDROM and a USB stick in order to get the system working. Compounding the awkwardness of this approach, Tiny Core doesn’t support NTFS partitions for the user files folder.

A USB pen drive installation is a good compromise, and an automated script for carrying this out does exist. The script isn’t very flexible, however, and it wipes the entire drive, setting up separate partitions for the system files and user data and applications respectively.


The least well supported approach is to boot from the hard disk, and yet I suspect that this would be the most popular amongst potential users. It can be done, but the installation is far from automated and involves manual partitioning, formatting, file copying and setting up of GRUB. Bafflingly, the developers indicate, on the Tiny Core website, that they don’t see the demand for hard disk installation.

Download Tiny Core Linux

Read More

MD5 Online Password Cracking - md5cracker

MD5 Online Password Cracking: md5cracker

md5cracker.sh is a shell script that connects to various online resources to gather hash corresponding to a provided MD5 string


Installation

$ cd /usr/local/bin/
$ sudo wget http://packetstormsecurity.org/Crackers/md5cracker.sh.txt
$ sudo mv md5cracker.sh.txt md5cracker
$ sudo chmod +x md5cracker


Usage

$ md5cracker 8d3533d75ae2c3966d7e0d4fcc69216b


=> Md5 Online Cracker
=> FuRt3X ~> blkhtc0rp@yahoo.com.br


[*] www.md5crack.com: charley
[*] md5.hashcracking:   charley
[*] md5hood.com: charley
[*] md5.gromweb.com:   charley
[*] md5-db.de:  charley
[*] md5.thekaine.de:  OCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">404 Not FoundNot FoundThe requested URL /decode_multi.php was not found on this server.
[*] passcracking.com:  charley
[*] md5-decrypter.com:   charley
[*] www.bigtrapeze.com:  charley

Download md5cracker

Read More

Writing Your Own Exploits

Writing Your Own Exploits

How to find vulnerabilities, write shellcode, exploit the vulnerability and finally turn it into a Metasploit exploit module! David Hoelzer is a Senior Fellow with the SANS Institute and author of the SANS Secure Coding in C/C++ course. TnX



Exploits – Part 1 – Exploit Creation in metasploit (intro)

Exploits – Part 2 – 1 – Finding Flaws (part one and two)

Exploits – Part 2 – 2 

Exploits – Part 3 – 1 – Writing Shellcode (part one and two)

Exploits – Part 4 – 1 – Conversion to metasploit (part one and two)

Read More

Encrypt Your Network Traffic - Tcpcrypt

Tcpcrypt is a protocol that attempts to encrypt (almost) all of your network traffic. Unlike other security mechanisms, Tcpcrypt works out of the box: it requires no configuration, no changes to applications, and your network connections will continue to work even if the remote end does not support Tcpcrypt, in which case connections will gracefully fall back to standard clear-text TCP. Install Tcpcrypt and you’ll feel no difference in your every day user experience, but yet your traffic will be more secure and you’ll have made life much harder for hackers.

So why is now the right time to turn on encryption? Here are some reasons: 

ºIntercepting communications today is simpler than ever because of wireless networks. Ask a hacker how many e-mail passwords can be intercepted at an airport by just using a wifi-enabled laptop. This unsophisticated attack is in reach of many. The times when only a few elite had the necessary skill to eavesdrop are gone.

ºComputers have now become fast enough to encrypt all Internet traffic. New computers come with special hardware crypto instructions that allow encrypted networking speeds of 10Gbit/s. How many of us even achieve those speeds on the Internet or would want to download (and watch) one movie per second? Clearly, we can encrypt fast enough.

ºResearch advances and the lessons learnt from over 10 years of experience with the web finally enabled us to design a protocol that can be used in today’s Internet, by today’s users. Our protocol is pragmatic: it requires no changes to applications, it works with NATs (i.e., compatible with your DSL router), and will work even if the other end has not yet upgraded to tcpcrypt—in which case it will gracefully fall back to using the old plain-text TCP. No user configuration is required, making it accessible to lay users—no more obscure requests like “Please generate a 2048-bit RSA-3 key and a certificate request for signing by a CA”. Tcpcrypt can be incrementally deployed today, and with time the whole Internet will become encrypted.


How Tcpcrypt works

Tcpcrypt is opportunistic encryption. If the other end speaks Tcpcrypt, then your traffic will be encrypted; otherwise it will be in clear text. Thus, Tcpcrypt alone provides no guarantees—it is best effort. If, however, a Tcpcrypt connection is successful and any attackers that exist are passive, then Tcpcrypt guarantees privacy.

Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical.

By default Tcpcrypt is vulnerable to active attacks—an attacker can, for example, modify a server’s response to say that Tcpcrypt is not supported (when in fact it is) so that all subsequent traffic will be clear text and can thus be eavesdropped on.

Tcpcrypt, however, is powerful enough to stop active attacks, too, if the application using it performs authentication. For example, if you log in to online banking using a password and the connection is over Tcpcrypt, it is possible to use that shared secret between you and the bank (i.e., the password) to authenticate that you are actually speaking to the bank and not some active (man-in-the-middle) attacker. The attacker cannot spoof authentication as it lacks the password. Thus, by default, Tcpcrypt will try its best to protect your traffic. Applications requiring stricter guarantees can get them by authenticating a Tcpcrypt session.


Installing tcpcrypt

$ git clone git://github.com/scslab/tcpcrypt.git
$ cd tcpcrypt
$ ./bootstrap.sh
$ ./configure
$ make
$ sudo ./launch_tcpcryptd.sh


The launch script starts tcpcryptd and adds firewall rules to divert all TCP traffic — except that which is already encrypted, like SSH — to tcpcryptd. When the script exits (on Ctrl-C or kill), it restores your firewall config to its former state — no permanent changes are made.

On Linux, you must first install libnfnetlink, libnetfilter_queue, and libcap.

Optional: running make install will install libtcpcrypt and tcpcrypt headers, for building apps that use tcpcrypt’s session ID.


Try it out

Go to http://tcpcrypt.org/test.php with tcpcryptd running. If tcpcrypt is working, you’ll be able to join the tcpcrypt Hall of Fame and your tcpcrypt session ID will be displayed at the bottom of the page.

Now let’s examine the packets going over the wire by starting tcpdump and then reloading the URL above.

sudo tcpdump -X -s0 host tcpcrypt.org

Compare this tcpdump output, which appears encrypted (or at least unreadable), with the cleartext packets you would see without tcpcryptd running.

A final netcat example:

$ sudo ./launch_tcpcryptd.sh & 
$ nc -l 7777 &
$ sudo tcpdump -i lo -n -s0 -vvvv -X tcp port 7777 &
$ echo hello, world! | nc localhost 7777
# clean up
$ sudo killall tcpcryptd tcpdump


Troubleshooting

If it’s not working, the most likely causes are the following.

ºYour browser already had an open, non-tcpcrypted TCP connection to tcpcrypt.org before you ran the launch script. Quit and reopen your browser, wait 30 seconds, or use a different browser to retrieve the tcpcrypt.org URL.

ºThere’s a conflict with your existing firewall rules. See the firewall setup section in the install guide for your platform.

Download  Tcpcrypt

Read More

Passive Network Monitoring - lanmap2

lanmap2 is a passive network monitoring/analysis framework; no SNMP required.

It promiscuously listens to all passing data and sifts out potentially interesting factoids (addresses, names, fingerprints, unusual situations, etc.) into an sqlite database. scripts are provided to query the database and generate image graphs of network entities, overall connectivity, traffic and notable applications, operating systems and roles that systems play.

It is meant to be an extensible framework; anyone who spends time looking at network traffic and knows a little SQL should be able to contribute analysis-type ‘mappings’ (see data/*.sql) lanmap2’s components are decoupled from each other and are fairly straight-forward and flexible; you can report things to the database without having to use them and you can work on analysis-type tasks or scripts while network capture is running.

The current graphing scripts use php to query the database and generate input to graphviz; these can be modified fairly easily.


lanmap Installation

Everything is pretty much manual at this point


Passive Network Monitoring Dependencies:

ºsqlite3 and libsqlite3 (sqlite2 not acceptable!)
ºlibpcap
ºgcc
ºphp (to interface with db and generate graphviz input; plan on replacing with lua)
ºgraphviz (for graph generating)

sudo apt-get install libpcap-dev libsqlite3-dev gcc graphviz php5-cli php5-sqlite sqlite3

Run make

make

This will build and populate the database file ‘db/db’

And the parse/capture program ‘src/cap’

lanmap2 Use

1. Start capturing

cd db && sudo ../src/cap && cd -

The application has to run as root, which is a potential security hazard.

This currently produces prodigious amounts of output; sue me.

2. Generate a graph after letting the capture run for a while.

cd graph && ./graph.sh && cd -

This will generate a graph at graph/net.png

This runs a bunch of php scripts.

3. View the graph via the web/ crap


I suggest you map/symlink apache to the web/ directory if you are capable

Download lanmap2

Read More

Wireless and Wired Network Interceptor - the Interceptor

The Interceptor is a wireless wired network tap. Basically, a network tap is a way to listen in to network traffic as it flows past. I haven’t done extensive research but all the ones I found when looking passed the copy of the traffic onto a specified wired interface which was then plugged into a machine to allow a user to monitor the traffic. The problem with this is that you have to be able to route the data from that wired port to your monitoring machine either through a direct cable or through an existing network. The direct cable method means your monitor has to be near by the location you want to tap, the network routing means you have to somehow encapsulate the data to get it across the network without it being affected on route.

The Interceptor does away with the wired monitor port and instead spits out the traffic over wireless meaning the listener can be anywhere they can make a wireless connection to the device. As the data is encrypted (actually, double encrypted, see how it works) the person placing the tap doesn’t have to worry about unauthorized users seeing the traffic.


What Hardware Is Required


This project has been built and tested on a Fon+ but should in theory work on any device which will run OpenWrt and has at least a pair of wired interfaces and a wireless one.


Wireless and Wired Network Interceptor: the Interceptor


This isn’t intended to be a permanent, in-situ device. It is designed for short term trouble shooting or information gathering on low usage networks, as such, it will work well between a printer and a switch but not between a switch and a router. Here are some possible situations for use:

ºPenetration testing – If you can gain physical access to a targets office drop the device between the office printer and switch then sit in the carpark and collect a copy of all documents printed. Or, get an appointment to see a boss and when he leaves the room to get you a drink, drop it on his computer. The relative low cost of the Fon+ means the device can almost be considered disposable and if branded with the right stickers most users wouldn’t think about an extra small box on the network.

ºTroubleshooting – For sys-admins who want to monitor an area of network from the comfort of their desks, just put it in place and fire up your wireless.


ºIDS – If you want to see what traffic is being generated from a PC without interfering with the PC simply add the Interceptor and sit back and watch. As the traffic is cloned to a virtual interface on your monitoring machine you can use any existing tools to scan the data.

Install Notes

There are two sets of install notes, a basic set and a detailed walk-through set. The basic set is the standard set of notes that comes with most packages, the detailed set is a full walk through from flashing the Fon+, installing dependencies, installing Interceptor, starting up and monitoring traffic and finally shutting it down. Most people should find the basic set sufficient but the detailed set are useful if you have any problems.


Limitations

Wireless and Wired Network InterceptorThe main limitation is bandwidth, the wired network can get up to 100Mb/s but the top speed of the wireless is 54Mb/s, add on to that the overhead of encryption and that rate drops down further. This is why the Interceptor won’t work well on high traffic parts of the network.

From tests I’ve done, under high load the network seems to stay up and stable but not all traffic ends up on the monitor interface. I haven’t done any research to find out where the traffic is being dropped, it could be DaemonLogger, the AP or at the VPN. This is good as it means the device doesn’t affect the smooth running of the network but obviously means you may miss some important data. Be aware of this when working with the device.

The software has no fail safe in case of problems. If the hardware or software fails the network connection being tapped will probably be lost. Don’t use the Interceptor in situations where uptime is critical without knowing what you are doing.

Download the Interceptor

Read More

Encrypted UDP based FTP - UFTP

Encrypted UDP based FTP with multicast

UPDATE: Version 4 of UFTP is now available! The protocol has been heavily altered to support a number of new features:

ºThe ability to send multiple files in a single session
ºAn SSL/TLS derived encryption layer to protect your data
ºMulticast tunneling
ºNAT traversal
ºAggregation of client responses, providing scalability
ºSupport for variable packet sizes, including jumbo frames
ºMore fine grained control of network timing/retransmission parameters

The code has also been completely restructured to be more readable and easier to update/support.

UFTP is an encrypted multicast file transfer program, designed to securely, reliably, and efficiently transfer files to multiple receivers simultaneously. This is useful for distributing large files to a large number of receivers, and is especially useful for data distribution over a satellite link (with two way communication), where the inherent delay makes any TCP based communication highly inefficient. The multicast encryption scheme is based on TLS with extensions to allow multiple receivers to share a common key. UFTP also has the capability to communicate over disjoint networks separated by one or more firewalls (NAT traversal) and without full end-to-end multicast capability (multicast tunneling) through the use of a UFTP proxy server. These proxies also provide scalability by aggregating responses from a group of receivers. UFTP has been used in the production process of The Wall Street Journal to send WSJ pages over satellite to their remote printing plants, and other users have used it to send to over 1000 receivers.


Encrypted UDP based FTP: UFTP Protocol Summary

A UFTP session consists of 3 main phases: The Announce/Register phase, the File Transfer phase, and the Completion/Confirmation phase. The File Transfer phase additionally consists of the File Info phase and the Data Transfer phase for each file sent.

The Announce/Register phase sets up the multicast file transfer session and negotiates all encryption parameters. The server sends out an announcement over a public multicast address which the clients are expected to be listening on. All subsequent messages from the server go over a private multicast address specified in the announcement. Allowed clients send a registration to respond to the announcement. The server will then send either a confirmation message if encryption is disabled, or the encryption keys for the session if encryption is enabled. If the client receives the encryption keys, it sends an acknowledgment back to the server.

Encrypted UDP based FTP UFTP DocumentationThe File Transfer phase starts with the File Info phase for the first file to send. The server sends a message describing the file in question. Besides the name and size of the file, this message describes how the file will be broken down. A file is divided into a number of blocks, and these blocks are grouped into sections. A block is a piece of the file that is sent in a single packet, and a section is a grouping of blocks. The total number of blocks and sections is included in this message.

Continuing the File Transfer phase is the Data Transfer phase for the first file. Data packets, each of which is a block, are sent by the server at a rate specified by the user. Because UDP does not guarantee that packets will arrive in order, each block is numbered so the client can properly reassemble the file. When the server has finished sending all data packets, it sends a message to the clients indicating this.

When a client detects the end of a section or receives an end of file message from the server, and the client has detected one or more missing blocks, the client will send back a message containing a list of NAKs (negative acknowledgments). When the server receives NAKs from one or more clients, it goes back and retransmits any blocks that were NAKed, then continues on sending any untransmitted blocks. When a client has received the entire file, it sends a completion message in response to the server’s end of file message. This continues until all clients have either send a completion message or have timed out after the server sent its end of file message.

The File Info phase and the Data Transfer phase are then repeated for each file to be sent during the session.


The Completion/Confirmation phase shuts down the session between the server and clients. It starts with a message from the server indication the end of the session. The clients then respond with a completion message, and the server responds to each completion with a confirmation message.

Download UFTP

Read More

IDS evasion - Inundator

IDS/IPS/WAF Evasion & Flooding Tool

inundator is a multi-threaded, queue-driven, IDS evasion tool. Its purpose is to anonymously flood intrusion detection systems (specifically Snort) with traffic designed to trigger false positives via a SOCKS proxy in order to obfuscate a real attack.

inundator would be used whenever you feel there is a significant chance the attack you’re about to perform may be detected by the target’s intrusion detection system. You would launch inundator prior to starting the attack, and continue running it well after you have finished the attack. The hope is that if your attack is detected by the IDS, the alert will be buried among several thousand false positives, thus minimizing the chance of an IDS analyst detecting the real attack.

inundator is full featured, multi-threaded, queue-based, supports multiple targets, and requires the use of a SOCKS proxy for anonymization. Via Tor, inundator is capable of generating around 1000 false positives per minute. Via a high-bandwidth SOCKS proxy, you might be able to generate ten times that amount.

IDS evasion: Inundator Features

ºParses Snort rules files to generate false positive attacks
ºSupport for multiple targets (FQDN, ip addr range, subnet in CIDR format)
ºMulti-threaded
ºQueue-based
ºSOCKS support

Dependencies:

ºNmap
ºPerl (>= 5.10)
ºNet::SOCKS (>=0.03)
ºNet::CIDR (>= 0.11)
ºSnort’s rules files
ºOinkmaster (for keeping Snort rules up to date)
ºTor (If you don’t have a remote SOCKS proxy to exploit.)


When would I use Inundator?

Whenever you feel like it. Seriously. It’s anonymous, so why not watch the world burn?

Example Scenarios:

ºBefore, during, and after a real attack to bury any potential alerts among a flood of false positives.

ºSeriously mess with an IDS analyst and keep an InfoSec department busy for days investigating false positives.

ºTest the effectiveness of an intrusion detection or prevention system. Less alerts means a better product; more alerts means a horrible product.


How does Inundator work?

At a high level, Inundator builds an attack queue, organized by destination port, by parsing the content: and uricontent: fields from Snort’s poorly written pattern-matching rules. Inundator then builds a target queue by peforming a port scan to identify open TCP ports on each target provided by the user. Once the queues have been built, Inundator will launch the requested number of worker threads. Each worker thread will select a random target from the target queue, as well as a random open port on the selected target. A random attack for the selected port will then be selected from the attack queue, and this information is used to build a completely innocent packet or request that contains patterns matching typical intrusion detection rules. The crafted attack will then be sent to the target via a SOCKS proxy (we default to Tor’s local proxy.) This procedure is repeated in an infinite loop by each worker thread until the user aborts.

Quite obviously, the actual ruleset used by the target intrusion detection system will play a very large part in whether our crafted attacks trigger a false positive. Inundator will generate an overwhelming number of false positives on systems which use extremely poor pattern matching rules, and little to no false positives on systems which use well written rules, heuristic-based detection, or anomaly-based detection mechanisms.


Downloading and Installing Inundator.

The preferred method of installation for all other .deb-based distributions is via our software repository. This is by far the best and simplest way of installing Inundator and its dependencies.

Add our repository to /etc/apt/sources.list:

deb http://inundator.sourceforge.net/repo/ all/

Next, download and install our GPG key:

wget http://inundator.sourceforge.net/inundator.asc
apt-key add inundator.asc

Then you can automatically pull in Inundator and all its dependencies:

aptitude update
aptitude install inundator

Download Inundator

Read More

Standardized Security - OpenSCAP

The OpenSCAP Project was created to provide an open-source framework to the community which enables integration with the Security Content Automation Protocol (SCAP) suite of standards and capabilities. It is the goal of OpenSCAP to provide a simple, easy to use set of interfaces to serve as the framework for community use of SCAP.

SCAP is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.


The SCAP suite contains multiple complex data exchange formats that are to be used to transmit important vulnerability, configuration, and other security data. Historically, there have been few tools that provide a way to query this data in the needed format. This lack of tools makes the barrier to entry very high and discourages adoption of these protocols by the community. It’s our goal to create a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents. Tools for parsing SCAP documents and querying content must be created to achieve this. This requires common set of interfaces to be defined and implemented to meet this need. It is the intent of this project to provide these interfaces and functional examples that would allow others in the open-source and vendor communities to make use of SCAP while minimizing the effort needed to gain value from it.

Standardized Security: OpenSCAP:

ºLibrary – OpenSCAP library provides API to SCAP document processing.
ºToolkit – oscap is a command line tool that provides various SCAP capabilities; for instance: configuration scanner, vulnerability scanner, SCAP content validation and transformation etc.
ºData – We also produce SCAP content samples that can be used mainly for experimental testing purposes.


Specifications supported by OpenSCAP:

ºXCCDF: The Extensible Configuration Checklist Description Format (ver. 1.2)
ºOVAL®: Open Vulnerability and Assessment Language (ver. 5.10.1)
ºAsset Identification (ver. 1.1)
ºARF: Asset Reporting Format (ver. 1.1)
ºCCE™: Common Configuration Enumeration (ver. 5.0)
ºCPE™: Common Platform Enumeration (ver. 2.3)
ºCVE®: Common Vulnerabilities and Exposures
ºCVSS: Common Vulnerability Scoring System (ver. 2.0)
ºStandardized Security: OpenSCAP Standardized Security

Furthermore, OpenSCAP also implements technology that is not included in SCAP standards:


ºSCE – the alternative check engine. Allows you to use familiar scripting language of your choice instead of OVAL for checks.


Related Projects

ºscap-workbench – a tool with nice graphical user interface that provides scanning(both local and remote machine), content customization and machine remediation functionality.

ºSCAP addon for Anaconda installer, which is used in Fedora and Red Hat Enterprise Linux, for applying SCAP content in the installation process.

ºSCE Community Content – set of various security configuration settings (security controls) expressed in standardized format. Each security control can be evaluated by a small shell script which is executed via SCE.

ºSCC – a compiler used for SC. SC is a small language intended to make the creation of OVAL content easier. The SC language is more “human readable” than the XML of OVAL.

ºsecstate – a tool that attempts to streamline the Certification and Accreditation (C&A) process of Linux systems by providing a mechanism to verify, validate, and provideremediation to security relevant configuration items.


Security Compliance Communities

ºSCAP Security Guide
ºAqueduct

Download OpenSCAP

Read More