Feb 14 2014

Kippo-Malware update

Kippo-Malware has been updated!

It now includes optional arguments to select an HTTP proxy through which to download the files (so as not to send your IP to attacker-owned servers) and also supports custom User-Agent values. A list of HTTP proxies can be found online, e.g.: https://hidemyass.com/proxy-list/search-225414

You can download it from: https://github.com/ikoniaris/kippo-malware (git clone or pull).

For comments, suggestions, fixes, please use the Kippo-Malware page: http://bruteforce.gr/kippo-malware
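
The proxy and User-Agent options described above, sketched as an added example (not code from the Kippo-Malware project, which uses requests; this version uses only the standard library). The scheme allow-list, the size cap, the SHA-256 file naming, the sample URLs and the proxy address are assumptions made for illustration.

```python
import hashlib
import http.client
import os
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: refuse file://, ftp://, etc.
MAX_BYTES = 10 * 1024 * 1024          # assumed size cap per sample

# Constructed sample input standing in for URLs read from the honeypot database.
SAMPLE_URLS = ["http://malware.invalid/bot.sh",
               "http://malware.invalid/bot.sh",   # duplicate entry
               "file:///etc/passwd"]              # non-HTTP scheme, must be skipped


def make_opener(proxy=None, user_agent="Mozilla/5.0"):
    """Opener that routes traffic via `proxy` (or directly if None) with a custom UA."""
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    # An explicit ProxyHandler also stops urllib from picking up *_proxy env vars.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    opener.addheaders = [("User-Agent", user_agent)]
    return opener


def fetch(opener, url, directory, max_bytes=MAX_BYTES):
    """Download one URL and store it under its SHA-256; return the path or None."""
    try:
        if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
            return None
        with opener.open(url, timeout=15) as resp:
            data = resp.read(max_bytes + 1)
    except (OSError, ValueError, http.client.HTTPException):
        return None                      # dead host, bad URL, broken response
    if len(data) > max_bytes:
        return None                      # oversized body, do not keep it
    path = os.path.join(directory, hashlib.sha256(data).hexdigest())
    os.makedirs(directory, exist_ok=True)
    if not os.path.exists(path):
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o400)            # read-only, never executable
    return path


def fetch_all(urls, directory, opener):
    """Fetch each distinct URL once, mapping URL -> saved path (or None)."""
    return {u: fetch(opener, u, directory) for u in dict.fromkeys(urls)}


if __name__ == "__main__":
    # Proxy address is a placeholder; point it at a proxy you control.
    print(fetch_all(SAMPLE_URLS, "downloads", make_opener("http://127.0.0.1:8118")))
```

Naming files by digest keeps attacker-chosen file names off the disk and collapses identical samples served from different URLs into one file.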

Feb 13 2014

Announcing Kippo-Malware

This is another side project, with the goal of creating a script that will download all malicious files stored as URLs in a Kippo SSH honeypot database (and help me learn some Python during the process). This is useful in situations where you have lost your files or something happened to your VPS/server but you still have your DB intact.

You can download it from: https://github.com/ikoniaris/kippo-malware

The script uses the following packages: MySQL-python, pony, requests, and clint. Installing those is trivial via pip. Your only problem might be with MySQL-python under Windows but you can use this precompiled binary.

# python kippo-malware.py -h
usage: kippo-malware.py [-h] [--directory DIRECTORY] [--hostname HOSTNAME]
[--port PORT] [--username USERNAME] [--password PASSWORD] [--database DATABASE] [--debug]
optional arguments:
-h, --help            show this help message and exit
--directory DIRECTORY Dir to save the files -- DEFAULT: <current>/downloads
--hostname HOSTNAME   MySQL server hostname -- DEFAULT:
--port PORT           MySQL server port -- DEFAULT: 3306
--username USERNAME   MySQL server username -- DEFAULT: kippo
--password PASSWORD   MySQL server password -- DEFAULT: kippo
--database DATABASE   MySQL server database -- DEFAULT: kippo
--debug               Enable debugging

For comments, suggestions, fixes, please use the Kippo-Malware page: http://bruteforce.gr/kippo-malware


HoneyKippo en HoneyDrive [ES, no sound]

Feb 11 2014

HonSSH - A high interaction honeypot solution for Linux based systems

This is a guest post by BruteForce Lab’s long time supporter and honeypot enthusiast “Black September”. It is also posted on his site here.

Honeypots are nothing new; their use pre-dates computers and malware. Their main goal is to passively sit and wait for someone to engage them. The handler (administrator) of the honeypot will monitor and record everything that happens on the honeypot.

Law enforcement have used honeypots (in human terms) in sting operations, and intelligence agencies have used them for catching double agents and “recruiting” new assets. In the realm of IT security, honeypots (the ones we are talking about here) have traditionally been used for research and education.

Honeypots will yield a lot of data that can be used for research, such as the frequency and type of attacks, what type of malware and exploits the attackers use, how they utilize the honeypot once it's compromised and the level of knowledge the attackers possess. The malware can be analysed and the AV industry can add another signature to their databases.

Another use of honeypots is for testing. I guess we all have read a “best practices” manual at some point, but very few of us have been able to test these best practices. Building a virtual replica of your production network as a honeynet is one way to get it tested. This will put it to the ultimate test and show you where the weak points are, what type of attacks you can expect and it can even be used in incident response training.

There are three categories of honeypots: High, Medium and Low interaction. Low interaction honeypots are nothing more than an emulated service and give the attacker a very limited level of interaction. High interaction honeypots are fully fledged operating systems and yield a lot more data.

Honeypots have been hard to deploy. Many techniques required you to install software on the honeypots themselves that sends information about what is happening on the system back to a collector/sensor. This strategy has worked most of the time, but the reporting software has in some cases rendered the honeypots unusable and the attackers have sometimes been able to detect it.

Late summer of 2013, I came across a Python project that - while far from being a “silver bullet” - had great potential and worked amazingly well. It was easy to deploy and configure and solved a lot of issues with the de facto way we deploy honeypots. The project is called HonSSH.

As described on its project page (https://code.google.com/p/honssh/):

HonSSH will sit between an attacker and a honeypot, creating two separate SSH connections between them, capturing all connection attempts to a text file. When an attacker sends a password guess, HonSSH can either automatically replace their attempt with the correct password and allowing them to login, but confuses them when trying to use sudo with the same [wrong password]. Or with password spoofing disabled, handle the connections as any other NAT device and, once the correct password is detected, capture all the interaction in a TTY log. Sessions can be viewed or hijacked in real time, using the management telnet interface, or be played back later from the saved TTY logs.

In theory, this allows us to deploy HonSSH on a NAT device that sits between the Internet and an internal network. Once HonSSH is installed we can deploy any operating system with an SSH server on it to be used as a high interaction honeypot, without having to install reporting software.

Until now I have not seen any easy way to deploy Linux based high interaction honeypots, but this project sounded extremely promising. During the last couple of weeks I have been playing around with it. It has worked well above my expectations and has shown the potential for becoming a real contender to some of the old ways we have been doing it.


Feb 06 2014

Kippo-Graph 0.9.1 - Google Map fix

Kippo-Graph has been updated to version 0.9.1, fixing the Google Map rendering issue in the Kippo-Geo component.

You can download the new version from here: kippo-graph-0.9.1, or clone/pull from Kippo-Graph’s git repository hosted on GitHub: https://github.com/ikoniaris/kippo-graph.

As always, here are the checksums for the tar file:

MD5 Checksum: 5F496A1C3AF911B644E0A2E54D60980C
SHA-1 Checksum: CDA97448823C202B181B4453153812B019F19CE2


Version 0.9.1:
+ Fixed Google Map rendering issue.

For comments, suggestions, fixes, please use the Kippo-Graph page: http://bruteforce.gr/kippo-graph

Jan 21 2014

Make apt-get use IPv4 instead of IPv6

It seems that Ubuntu/Debian (or perhaps other distros as well) prefer IPv6 DNS records over IPv4 when applicable, and sometimes this results in loss of connectivity or similar problems.

I ran into this issue today while trying to update an old VPS with apt-get/aptitude. Specifically, security.ubuntu.com was being resolved to an unreachable IPv6 address and I had to wait some minutes for a timeout every time.

Fortunately, there is an easy fix for this; you just have to edit the file located at: /etc/gai.conf which is the configuration for getaddrinfo(). There you have to uncomment line ~54 which reads: “precedence ::ffff:0:0/96  100”, and you are all set! (assuming that every other option is commented out by default as in my case).

Jan 01 2014

Forged web requests

Cross-Site Request Forgery is not a particularly well-known attack method, but rest assured that it is quite dangerous. In this article we will learn what it is and how it is carried out, by setting up a suitable network environment and performing some interesting experiments. In addition, we will also examine a simple defense mechanism.

deltaHacker 027 (December 2013 issue) | Forged web requests

Cross-Site Request Forgery (or simply CSRF) is an attack carried out against some vulnerable website. However, the victim of this attack is not the website itself, nor the server that hosts it, nor its administrator. The victim of this attack is one of the website's users! A CSRF attack involves stealthily sending web requests to some website without the consent of the user (visitor). That is where the “request forgery” part comes in, since the requests appear to come from the user while in reality they are crafted by the attacker. These requests are hidden in web pages that the attacker has also built, and they point to unrelated websites. This also explains the term “Cross-site”, since the attack takes place from one site against another. All of this is very theoretical, though. Let us first see what these web requests are and what they are used for, and then examine how the attacker can take advantage of them.

Read the full article in deltaHacker 027 (December 2013 issue).

The monthly deltaHacker magazine is now electronic! Find out about the new, incredible prices and place your order now by filling in the relevant form.

Note for new friends: Haven't subscribed to the magazine yet? Take a look at these offers, they will probably interest you :)
