
Tuesday, January 19, 2016

Razorback




The new Razorback platform developed by Sourcefire ties together an organization’s detection layers, including antivirus, IDS/IPS, web and email gateways, and firewalls, so they can work in concert to catch and examine potential threats and create mitigations on the fly.




Its creators say it’s not the same thing as a security information management tool, however, because it does more than capture events: “SIM collects events in a vacuum: It takes an AV event and says this host is infected by a virus … It doesn’t know anything about that piece of malware on the box,” says Matt Watchinski, senior director of Sourcefire’s vulnerability research team.




LAMP/LEMP Secure Deployment - JShielder



JShielder is an open source tool developed to help sysadmins and developers secure the Linux servers on which they will deploy a web application. It automates installing all the packages needed to host a web application and hardening the Linux server with little interaction from the user.

The tool is a Bash script, with a small Python helper, that hardens the Linux server automatically. The steps it follows are:
  • Configures a Hostname
  • Reconfigures the Timezone
  • Updates the entire System
  • Creates a new admin user so you can manage your server safely without connecting remotely as root
  • Generates secure RSA keys so that remote access to your server is done exclusively from your local PC and not with a conventional password
  • Configures, optimizes and secures the SSH server
  • Configures IPTABLES rules to protect the server from common attacks
  • Protects the server against brute-force attacks by installing and configuring fail2ban
  • Stops port scans by blocking intrusive IPs via IPTABLES using portsentry
  • Install, configure, and optimize MySQL
  • Install the Apache Web Server
  • Install, configure and secure PHP
  • Secure Apache via configuration file and with installation of the Modules ModSecurity, ModEvasive, Qos and SpamHaus
  • Installs RootKit Hunter
  • Secures Root Home and Grub Configuration Files
  • Installs Unhide to help Detect Malicious Hidden Processes
  • Installs Tiger, A Security Auditing and Intrusion Prevention system
  • Restrict Access to Apache Config Files
  • Disable Compilers
  • Creates Daily Cron job for System Updates
  • Kernel Hardening via sysctl configuration File
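Several of the steps above (SSH hardening, the sysctl kernel settings and the restrictive UMASK) leave a verifiable state behind. The following is an added example, not JShielder’s own code, that audits that state from the relevant configuration files; the expected values are assumptions about what such a hardening run should produce, and the configuration texts are constructed samples.

```python
"""Audit a Linux host against a subset of the hardening steps JShielder
automates: the SSH daemon configuration, kernel sysctl values and the default
UMASK.  Added example, not JShielder's own code; expected values are
assumptions and the configuration files below are constructed samples."""
import re
from typing import Dict, List

# sshd_config directives a key-only, no-root-login SSH hardening should set.
SSHD_EXPECTED: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}

# Kernel settings typically written by a sysctl hardening file (assumed set).
SYSCTL_EXPECTED: Dict[str, str] = {
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.tcp_syncookies": "1",
    "kernel.randomize_va_space": "2",
}

_KV = re.compile(r"^([\w.\-]+)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_kv(text: str, first_wins: bool) -> Dict[str, str]:
    """Parse 'Key value' / 'key = value' lines, skipping blanks and comments.

    sshd uses the first value it sees for a directive, while sysctl applies
    the last one, so the caller chooses which occurrence wins."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if first_wins and key in out:
            continue
        out[key] = value
    return out


def audit(actual: Dict[str, str], expected: Dict[str, str], label: str) -> List[str]:
    """Compare parsed settings with the expected ones; return findings."""
    findings: List[str] = []
    for key, want in expected.items():
        got = actual.get(key)
        if got is None:
            findings.append(f"{label}: {key} not set (expected {want})")
        elif got.lower() != want:
            findings.append(f"{label}: {key} is {got}, expected {want}")
    return findings


def audit_umask(login_defs_text: str) -> List[str]:
    """A restrictive default UMASK removes all permissions for 'other'."""
    umask = parse_kv(login_defs_text, first_wins=False).get("umask")
    if umask is None:
        return ["login.defs: UMASK not set (expected 027 or stricter)"]
    if int(umask, 8) & 0o007 != 0o007:
        return [f"login.defs: UMASK {umask} leaves new files world-readable; expected 027 or 077"]
    return []


def audit_host(sshd_text: str, sysctl_text: str, login_defs_text: str) -> List[str]:
    """Return all findings; an empty list means every check passed."""
    findings = audit(parse_kv(sshd_text, first_wins=True), SSHD_EXPECTED, "sshd_config")
    findings += audit(parse_kv(sysctl_text, first_wins=False), SYSCTL_EXPECTED, "sysctl")
    findings += audit_umask(login_defs_text)
    return findings


# Constructed samples: the state before and after a hardening run.
WEAK_SSHD = """# constructed sshd_config before hardening
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""
HARD_SSHD = """# constructed sshd_config after hardening
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
# a later duplicate is ignored because sshd keeps the first value
PermitRootLogin yes
"""
SYSCTL_HARD = """# constructed /etc/sysctl.d/99-hardening.conf
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies=1
kernel.randomize_va_space = 2
"""

if __name__ == "__main__":
    for name, sshd, umask in (("before", WEAK_SSHD, "UMASK 022\n"),
                              ("after", HARD_SSHD, "UMASK 027\n")):
        print(f"--- {name} hardening ---")
        for finding in audit_host(sshd, SYSCTL_HARD, umask) or ["all checks passed"]:
            print(finding)
```

On a real host you would read /etc/ssh/sshd_config, the sysctl file the hardening wrote and /etc/login.defs instead of the constructed strings; note that sysctl files only record intent, so pairing this with the live values from sysctl -a is what confirms the kernel settings actually took effect.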

Recently Added Hardening Steps

  • Added PHP Suhosin Installation to protect PHP Code and Core for Known and Unknown flaws
  • Use of Function for code execution customization
  • Distro Selection Menu
  • Function Selection Menu
  • Deployment Selection Menu (LAMP, LEMP, Reverse Proxy)
  • Added LEMP Deployment with ModSecurity
  • Added /tmp folder Hardening
  • Added PSAD IDS installation
  • Added Process Accounting
  • Added Unattended Upgrades
  • Added MOTD and Banners for Unauthorized access
  • Disable USB Support for Improved Security (Optional)
  • Restrictive Default UMASK
  • Added Additional Hardening Steps

To run the tool, as the root user:

./jshielder.sh

ChangeLog

v2.0 - More deployment options, selection menu, PHP Suhosin installation, cleaner code
v1.0 - New code



Wordlist Generator - Crunch

Crunch is a wordlist generator that can use a standard character set or one you specify. It can generate all possible combinations and permutations.


Features

  • crunch generates wordlists in both combination and permutation ways
  • it can break up output by number of lines or file size
  • now has resume support
  • pattern now supports numbers and symbols
  • pattern now supports upper and lower case characters separately
  • adds a status report when generating multiple files
  • new -l option for literal support of @ , % ^
  • new -d option to limit duplicate characters (see the man page for details)
  • now has unicode support
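To show how the pattern features listed above fit together, here is an added example (not crunch’s own code) that expands a crunch-style pattern (@ lower case, , upper case, % digit, ^ symbol), applies a -d style limit on repeated characters and splits the output into fixed-size chunks. The symbol set only approximates crunch’s default, and the literal-mask handling is a simplified reading of the -l option; both are assumptions.

```python
"""Pattern-driven wordlist generation in the style of crunch's -t option,
plus limiting repeated characters (-d) and splitting output by line count.
Added example, not crunch's own code; the symbol set approximates crunch's
default and the literal mask is a simplified reading of -l."""
import itertools
from typing import Dict, Iterable, Iterator, List, Optional

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "   # approximates crunch's default

# Placeholder characters used in crunch patterns.
PLACEHOLDERS: Dict[str, str] = {"@": LOWER, ",": UPPER, "%": DIGITS, "^": SYMBOLS}


def expand_pattern(pattern: str, charsets: Optional[Dict[str, str]] = None,
                   literal: Optional[str] = None) -> Iterator[str]:
    """Yield every word matching `pattern`.

    Each placeholder position takes one character from its set; every other
    character is emitted as-is.  `charsets` overrides the set behind a
    placeholder.  `literal`, when given, is a mask of the same length as the
    pattern: where it repeats the pattern's placeholder character, that
    position is treated literally (simplified -l semantics)."""
    sets = dict(PLACEHOLDERS)
    if charsets:
        sets.update(charsets)
    if literal is not None and len(literal) != len(pattern):
        raise ValueError("literal mask must be the same length as the pattern")
    positions: List[str] = []
    for i, ch in enumerate(pattern):
        if literal is not None and literal[i] == ch:
            positions.append(ch)
        else:
            positions.append(sets.get(ch, ch))
    for combo in itertools.product(*positions):
        yield "".join(combo)


def max_run(word: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 1
    for prev, cur in zip(word, word[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def limit_duplicates(words: Iterable[str], max_repeat: int) -> Iterator[str]:
    """Drop words with more than `max_repeat` identical characters in a row."""
    return (w for w in words if max_run(w) <= max_repeat)


def chunked(words: Iterable[str], lines_per_chunk: int) -> Iterator[List[str]]:
    """Group words into chunks, as crunch does when splitting output files."""
    it = iter(words)
    while True:
        chunk = list(itertools.islice(it, lines_per_chunk))
        if not chunk:
            return
        yield chunk


def count_words(pattern: str, charsets: Optional[Dict[str, str]] = None,
                max_repeat: Optional[int] = None) -> int:
    """Number of words a pattern yields, optionally after the duplicate limit."""
    words: Iterable[str] = expand_pattern(pattern, charsets)
    if max_repeat is not None:
        words = limit_duplicates(words, max_repeat)
    return sum(1 for _ in words)


if __name__ == "__main__":
    # "pass%%" expands to pass00 .. pass99, written here in chunks of 25 lines
    for n, chunk in enumerate(chunked(expand_pattern("pass%%"), 25), start=1):
        print(f"chunk {n}: {chunk[0]} .. {chunk[-1]} ({len(chunk)} words)")
    print("%%% over '012' with at most 1 repeat:", count_words("%%%", {"%": "012"}, 1))
```

Because everything is a generator, the size of a pattern can be estimated (count_words) or streamed to disk without materialising the whole list, which matters when a few more placeholder positions turn a wordlist into gigabytes.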



SIP Witch


GNU SIP Witch is a secure peer-to-peer VoIP server that uses the SIP protocol. Calls can be made peer-to-peer behind NAT firewalls, and without needing a service provider. GNU SIP Witch supports using secure telephone extensions, for placing and receiving calls directly over the Internet, and intercept-free peer-to-peer audio and video extensions. GNU SIP Witch also is being introduced as a desktop VoIP mediation service to enable the construction of participatory bottom-up secure calling networks and to enable replacement of Skype with free software and published protocols. As a desktop mediation service, GNU SIP Witch can solve issues like NAT in one place for all user agents, and offer new ways to route and redirect VoIP much like gstreamer does for desktop media.

GNU Bayonne is the telephony server of GNU Telephony and the GNU Project. The production release of GNU Bayonne 1 is 1.2.15 and has a long history in production telecommunication environments. GNU Bayonne supports IVR scripting using hardware from Voicetronix, Dialogic, Aculab, CAPI drivers, and Quicklink drivers under GNU/Linux. GNU Bayonne 1 can integrate Perl and Python applications, and has been commercially deployed in production use for several years. Future releases of GNU Bayonne will be based on ucommon and will further explore its role as a telephony integration server.

GNU SIP Witch is a call and registration server for the SIP protocol. As a call server it services call registration for SIP devices and destination routing through SIP gateways. GNU SIP Witch does not perform codec operations or media proxying, which lets SIP endpoints negotiate call settings directly with each other and handle peer-to-peer media streaming even when multiple SIP Witch call nodes at multiple locations are involved. This means GNU SIP Witch operates without introducing additional media latency or offering a central point for media capture.

GNU SIP Witch is designed to support network scaling of telephony services, rather than the heavily compute-bound solutions we find in use today. This means a call node has a local authentication/registration database, and this will be mirrored, so that any active call node in a cluster will be able to accept and service a call. This allows for the possibility of live failover support in the future as well.

GNU SIP Witch is not a SIP “router”, and does not try to address the same things as a project like iptel “Ser”. GNU SIP Witch is being designed to create on-premise SIP telephone systems, telecenter servers, and Internet hosted SIP telephone systems. One important feature will include use of URI routing to support direct peer-to-peer calls between service domains over the public Internet without needing mediation by an intermediary “service provider”, so that people can publish and call sip: URIs unconstrained. GNU SIP Witch is about freedom to communicate and the removal of artificial barriers and constraints, whether imposed by monopoly service providers or by governments.




Injecting Fake Updates - Evilgrade



Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and its own WebServer and DNSServer modules. New settings are easy to set up, and it autoconfigures when new binary agents are added.


When should I use evilgrade?

This framework comes into play when the attacker is able to redirect hostnames (manipulate the victim’s DNS traffic), which can happen in two scenarios.

Internal scenario:

  • Internal DNS access
  • ARP spoofing
  • DNS Cache Poisoning
  • DHCP spoofing
  • TCP hijacking
  • Wi-Fi Access Point impersonation

External scenario:

  • Internal DNS access
  • DNS Cache Poisoning

How does it work?

Evilgrade works with modules; each module implements the structure needed to emulate a fake update for a specific application or system.


What OS are supported?

ISR-Evilgrade is cross-platform; it depends only on having an appropriate payload for the target platform.


Implemented modules:

  • Freerip 3.30
  • Jet photo 4.7.2
  • Teamviewer 5.1.9385
  • ISOpen 4.5.0
  • Istat
  • Gom 2.1.25.5015
  • Atube catcher 1.0.300
  • Vidbox 7.5
  • Ccleaner 2.30.1130
  • Fcleaner 1.2.9.409
  • Allmynotes 1.26
  • Notepad++ 5.8.2
  • Java 1.6.0_22 winxp/win7
  • aMSN 0.98.3
  • Appleupdate <= 2.1.1.116 ( Safari 5.0.2 7533.18.5, <= Itunes 10.0.1.22, <= Quicktime 7.6.8 1675)
  • Mirc 7.14
  • Windows update (ie6 lastversion, ie7 7.0.5730.13, ie8 8.0.60001.18702, Microsoft works)
  • Dap 9.5.0.3
  • Winscp 4.2.9
  • AutoIt Script 3.3.6.1
  • Clamwin 0.96.0.1
  • AppTapp Installer 3.11 (Iphone/Itunes)
  • getjar (facebook.com)
  • Google Analytics Javascript injection
  • Speedbit Optimizer 3.0 / Video Acceleration 2.2.1.8
  • Winamp 5.581
  • TechTracker (cnet) 1.3.1 (Build 55)
  • Nokiasoftware firmware update 2.4.8es – (Windows software)
  • Nokia firmware v20.2.011
  • BSplayer 2.53.1034
  • Apt ( < Ubuntu 10.04 LTS)
  • Ubertwitter 4.6 (0.971)
  • Blackberry Facebook 1.7.0.22 | Twitter 1.0.0.45
  • Cpan 1.9402
  • VirtualBox (3.2.8 )
  • Express talk
  • Filezilla
  • Flashget
  • Miranda
  • Orbit
  • Photoscape
  • Panda Antirootkit
  • Skype
  • Sunbelt
  • Superantispyware
  • Trillian <= 5.0.0.26
  • Adium 1.3.10 (Sparkle Framework)
  • VMware
  • …and more; see /docs/CHANGES for the full list


Tiny Core Linux



Tiny Core Linux is a light and modular Linux distribution. Its main purpose is to allow the easy construction of simple but powerful appliance-like desktops.

Contemplating a distribution that can get you to a basic, empty desktop by booting from a 10MB ISO (you read that right), you’d be forgiven for wondering how comprehensive a Tiny Core system could be. On further investigation it turns out that Tiny Core owes its slim stature to a careful choice of lightweight components and the fact that it isn’t derived from one of the mainstream distributions. This decision by the developers brings with it both advantages and disadvantages. Tiny Core offers a very fast experience overall, with a boot time that none of the major distributions can touch. On the other hand, if something goes wrong or you can’t find a runnable application that you need, the remedies that work on other Linux systems may not work with Tiny Core.

Once up and running, you are plonked into a blue desktop courtesy of the FLWM window manager with an icon-based application launcher at the bottom of the screen. By default, there are icons to access settings, add packages to the system, mount disks and to launch the file manager, but there are no substantial applications at this point.


Tiny Core uses its own package format, but rest assured, the package repository is huge, with thousands of applications that are ready to go. Adding a medium-sized application such as Firefox, for example, takes only a couple of minutes. When you install applications using the GUI package manager, they are downloaded and then added on the fly, automatically popping up on the application bar. During the boot process, the user specifies the location of a directory to be used for settings and application packages, and on subsequent boots Tiny Core automatically locates the files that it needs. Here again we glimpse some intriguing technology, as there are options for loading the application files into RAM or fetching them from the disk when needed.

There are a few ways of using Tiny Core, but the approach favoured by the developers is to combine a medium such as a CDROM with writable storage such as a hard disk or USB stick. The developers cite the advantage that this makes system files incorruptible, but the problem is that I don’t think that many people will want to boot from a CDROM every time they switch the computer on. Neither will many people be interested in carrying around a CDROM and a USB stick in order to get the system working. Compounding the awkwardness of this approach, Tiny Core doesn’t support NTFS partitions for the user files folder.

A USB pen drive installation is a good compromise, and an automated script for carrying this out does exist. The script isn’t very flexible, however, and it wipes the entire drive, setting up separate partitions for the system files and user data and applications respectively.


The least well supported approach is to boot from the hard disk, and yet I suspect that this would be the most popular amongst potential users. It can be done, but the installation is far from automated and involves manual partitioning, formatting, file copying and setting up of GRUB. Bafflingly, the developers indicate, on the Tiny Core website, that they don’t see the demand for hard disk installation.




MD5 Online Password Cracking - md5cracker

md5cracker.sh is a shell script that queries various online lookup services for the plaintext corresponding to a supplied MD5 hash.


Installation

$ cd /usr/local/bin/
$ sudo wget http://packetstormsecurity.org/Crackers/md5cracker.sh.txt
$ sudo mv md5cracker.sh.txt md5cracker
$ sudo chmod +x md5cracker


Usage

$ md5cracker 8d3533d75ae2c3966d7e0d4fcc69216b


=> Md5 Online Cracker
=> FuRt3X ~> blkhtc0rp@yahoo.com.br


[*] www.md5crack.com: charley
[*] md5.hashcracking:   charley
[*] md5hood.com: charley
[*] md5.gromweb.com:   charley
[*] md5-db.de:  charley
[*] md5.thekaine.de:  OCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">404 Not FoundNot FoundThe requested URL /decode_multi.php was not found on this server.
[*] passcracking.com:  charley
[*] md5-decrypter.com:   charley
[*] www.bigtrapeze.com:  charley





Writing Your Own Exploits

How to find vulnerabilities, write shellcode, exploit the vulnerability and finally turn it into a Metasploit exploit module! David Hoelzer is a Senior Fellow with the SANS Institute and author of the SANS Secure Coding in C/C++ course. TnX

Video series (embedded players not reproduced here):

Exploits – Part 1 – Exploit Creation in Metasploit (intro)
Exploits – Part 2 – 1 – Finding Flaws (part one and two)
Exploits – Part 2 – 2
Exploits – Part 3 – 1 – Writing Shellcode (part one and two)
Exploits – Part 4 – 1 – Conversion to Metasploit (part one and two)


Encrypt Your Network Traffic - Tcpcrypt



Tcpcrypt is a protocol that attempts to encrypt (almost) all of your network traffic. Unlike other security mechanisms, Tcpcrypt works out of the box: it requires no configuration and no changes to applications, and your network connections will continue to work even if the remote end does not support Tcpcrypt, in which case connections gracefully fall back to standard clear-text TCP. Install Tcpcrypt and you’ll feel no difference in your everyday user experience, yet your traffic will be more secure and you’ll have made life much harder for hackers.

So why is now the right time to turn on encryption? Here are some reasons:

  • Intercepting communications today is simpler than ever because of wireless networks. Ask a hacker how many e-mail passwords can be intercepted at an airport by just using a wifi-enabled laptop. This unsophisticated attack is in reach of many. The times when only a few elite had the necessary skill to eavesdrop are gone.

  • Computers have now become fast enough to encrypt all Internet traffic. New computers come with special hardware crypto instructions that allow encrypted networking speeds of 10Gbit/s. How many of us even achieve those speeds on the Internet or would want to download (and watch) one movie per second? Clearly, we can encrypt fast enough.

  • Research advances and the lessons learnt from over 10 years of experience with the web finally enabled us to design a protocol that can be used in today’s Internet, by today’s users. Our protocol is pragmatic: it requires no changes to applications, it works with NATs (i.e., compatible with your DSL router), and will work even if the other end has not yet upgraded to tcpcrypt—in which case it will gracefully fall back to using the old plain-text TCP. No user configuration is required, making it accessible to lay users—no more obscure requests like “Please generate a 2048-bit RSA-3 key and a certificate request for signing by a CA”. Tcpcrypt can be incrementally deployed today, and with time the whole Internet will become encrypted.


How Tcpcrypt works

Tcpcrypt is opportunistic encryption. If the other end speaks Tcpcrypt, then your traffic will be encrypted; otherwise it will be in clear text. Thus, Tcpcrypt alone provides no guarantees—it is best effort. If, however, a Tcpcrypt connection is successful and any attackers that exist are passive, then Tcpcrypt guarantees privacy.

Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical.

By default Tcpcrypt is vulnerable to active attacks—an attacker can, for example, modify a server’s response to say that Tcpcrypt is not supported (when in fact it is) so that all subsequent traffic will be clear text and can thus be eavesdropped on.

Tcpcrypt, however, is powerful enough to stop active attacks, too, if the application using it performs authentication. For example, if you log in to online banking using a password and the connection is over Tcpcrypt, it is possible to use that shared secret between you and the bank (i.e., the password) to authenticate that you are actually speaking to the bank and not some active (man-in-the-middle) attacker. The attacker cannot spoof authentication as it lacks the password. Thus, by default, Tcpcrypt will try its best to protect your traffic. Applications requiring stricter guarantees can get them by authenticating a Tcpcrypt session.
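The paragraphs above describe the key idea: both ends of a Tcpcrypt connection see the same session ID, and an application that already shares a secret with its peer can bind that secret to the session ID to rule out an active man-in-the-middle. The following is an added illustration, not tcpcrypt’s own authentication code; the session IDs are constructed, and the HMAC construction is only a model of the idea.

```python
"""Binding an application password to a Tcpcrypt session ID.

Tcpcrypt hands both ends of an encrypted connection the same session ID.
An application that already shares a secret with its peer (a login password)
can prove it is talking to that peer, and not to an active man-in-the-middle,
by authenticating the session ID with the secret.  Added example with
constructed session IDs; the HMAC here illustrates the idea and is not
tcpcrypt's own authentication protocol."""
import hashlib
import hmac
from typing import Optional


def session_auth_tag(password: str, session_id: bytes) -> bytes:
    """Keyed MAC over the session ID: producing it requires both the
    password and the session ID of the prover's own connection."""
    return hmac.new(password.encode(), session_id, hashlib.sha256).digest()


def verify_session(password: str, session_id: Optional[bytes], tag: bytes) -> bool:
    """Accept the peer only if its tag matches this connection's session ID.

    A connection that fell back to clear-text TCP has no session ID and is
    refused outright, which closes the downgrade described in the text."""
    if session_id is None:
        return False
    return hmac.compare_digest(session_auth_tag(password, session_id), tag)


# Constructed session IDs; real ones are derived from the key exchange.
SID_DIRECT = bytes.fromhex("1f3a5c7e9b2d4f60718293a4b5c6d7e8")
SID_CLIENT_TO_MITM = bytes.fromhex("0a0b0c0d0e0f10111213141516171819")
SID_MITM_TO_SERVER = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def direct_connection(password: str) -> bool:
    """Client and server share one Tcpcrypt session, so the tag verifies."""
    client_tag = session_auth_tag(password, SID_DIRECT)
    return verify_session(password, SID_DIRECT, client_tag)


def relayed_connection(password: str) -> bool:
    """An active attacker terminates the client's session and opens its own
    to the server.  Lacking the password, the best it can do is forward the
    client's tag, which was computed over a different session ID."""
    client_tag = session_auth_tag(password, SID_CLIENT_TO_MITM)
    return verify_session(password, SID_MITM_TO_SERVER, client_tag)


def downgraded_connection(password: str) -> bool:
    """The attacker made the server appear not to support Tcpcrypt, so the
    application sees no session ID and refuses to authenticate over it."""
    client_tag = session_auth_tag(password, b"")
    return verify_session(password, None, client_tag)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed password
    print("direct    :", direct_connection(pw))      # True
    print("relayed   :", relayed_connection(pw))     # False
    print("downgraded:", downgraded_connection(pw))  # False
```

Two caveats for anyone building on this idea: the server should return its own tag over the same session ID so the client also learns it reached the real server, and a bare HMAC over a low-entropy password lets an attacker who captures a tag attempt offline guesses, so a real deployment would use a password-authenticated key exchange rather than this plain construction.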


Installing tcpcrypt

$ git clone git://github.com/scslab/tcpcrypt.git
$ cd tcpcrypt
$ ./bootstrap.sh
$ ./configure
$ make
$ sudo ./launch_tcpcryptd.sh


The launch script starts tcpcryptd and adds firewall rules to divert all TCP traffic — except that which is already encrypted, like SSH — to tcpcryptd. When the script exits (on Ctrl-C or kill), it restores your firewall config to its former state — no permanent changes are made.

On Linux, you must first install libnfnetlink, libnetfilter_queue, and libcap.

Optional: running make install will install libtcpcrypt and tcpcrypt headers, for building apps that use tcpcrypt’s session ID.


Try it out

Go to http://tcpcrypt.org/test.php with tcpcryptd running. If tcpcrypt is working, you’ll be able to join the tcpcrypt Hall of Fame and your tcpcrypt session ID will be displayed at the bottom of the page.

Now let’s examine the packets going over the wire by starting tcpdump and then reloading the URL above.

sudo tcpdump -X -s0 host tcpcrypt.org

Compare this tcpdump output, which appears encrypted (or at least unreadable), with the cleartext packets you would see without tcpcryptd running.

A final netcat example:

$ sudo ./launch_tcpcryptd.sh & 
$ nc -l 7777 &
$ sudo tcpdump -i lo -n -s0 -vvvv -X tcp port 7777 &
$ echo hello, world! | nc localhost 7777
# clean up
$ sudo killall tcpcryptd tcpdump


Troubleshooting

If it’s not working, the most likely causes are the following.

  • Your browser already had an open, non-tcpcrypted TCP connection to tcpcrypt.org before you ran the launch script. Quit and reopen your browser, wait 30 seconds, or use a different browser to retrieve the tcpcrypt.org URL.

  • There’s a conflict with your existing firewall rules. See the firewall setup section in the install guide for your platform.




Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec