If you need to get information on a host that has been scanning your perimeter, try SNIPEHUNT!
I made this little tool to automate some administrative tasks such as finding uptime and patch status, but it can be used for much more. Give it a try and feel free to contribute: https://github.com/b3b0/graSSHopper
To automate administrative tasks, operational auditing, and hacking.
sudo bash install.sh
Edit the /usr/share/grasshopper/servers.cfg and commands.cfg files appropriately, for example:

commands.cfg (one command line to run on every host):
df -h && uptime

servers.cfg (host, user, port):
10.0.0.254, john, 22
myawesomeserver, admin, 22

Use grasshopper -a for crontab.
$ grasshopper -h

GRASSHOPPER

NAME
    grasshopper - run commands against multiple servers.

SYNOPSIS
    grasshopper [OPTION]

DESCRIPTION
    Run commands against multiple serves with user input or as a crontab job.

USAGE:
    -h: Display this menu
    -a: automatic, runs commands in commands.cfg against servers in servers.cfg
    -c: Edit commands.cfg
    -s: Edit servers.cfg
---graSSHopper--- (https://github.com/b3b0/graSSHopper)
Copyright (C) 2018 Dustin Davis (b3b0)

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
A light-weight NMAP wrapper based on https://github.com/argp/nmapdb.
$ sudo python2 install.py
Everything else from this point is straight-forward.
You can use list files (-iL) for inventorying multiple hosts.
You can explicitly type specific single hosts for inventory as well.
All working elements of this software are located at
Actual database location:
Feel free to fork it / break it / bop it.
This will be a very brief post, as there is not much to explain.
SCCM 2012 administrators should know how to create configuration items and baselines, so simply plug in the code from my fork of burntmacncheese’s project and make sure you set compliance settings to look for “Success.” as the output of the script, any other result being non-compliant.
This version ONLY checks to see if a workstation or server has applied 2018-01-09 updates to mitigate the vulnerability risk at the OS level. Feel free to fork / bork it to check for full mitigation at the hardware level.
Have fun specter hunting!
Plan on taking a trip to another country? Don’t feel like fighting with international roaming fees while being able to navigate, translate and keep in touch with your loved ones?
Stick around – I have some advice for you.
My girlfriend and I just got home from a trip to Belgium and the Netherlands – beautiful country with no shortage of sights to see, beer to drink and waffles to gorge on. Neither of us wanted to deal with the burden of an outrageous cellular bill at the end of the trip so we had to get creative.
Firstly, you have to enumerate what challenges you may encounter while abroad if you have no cellular data:
I’m going to go through a few of these and offer solutions to each dilemma.
Before ever leaving home, you need to plan which hotel or AirBnB you wish to stay at. If you have some sights or activities in mind that you wish to do, find a spot closest to the middle or very close to all the places that you wish to visit, depending on how urban or rural it is.
If you have a Google account, “Google My Maps” is a handy tool for visualizing this.
You can triangulate your stops and scroll into the middle to find hotels in the desired area within your price range.
Figure out the distance from your hotel to your destinations beforehand to get perspective on how long it would take to walk, Uber, train, or bike to the places you wish to visit.
Make certain that your hotel offers free WiFi! This is very important. Consider this free WiFi your “diving board” for the rest of your trip.
Are you flying in? Driving? Traveling by train? This may be easier for you than what we bumped into.
We flew into Brussels and decided not to rent a car, as we are quite unfamiliar with traffic laws in Belgium (or Europe in general). We decided to take a taxi to our hotel, but there are always cheaper alternatives to get you where you need to be.
When departing from your airport or station, you can use the WiFi offered there to get an Uber (iPhone / Android) or Lyft (iPhone / Android) to get you where you need to be. Taxis can be just as good, but the rates tend to be slightly higher.
And I don’t mean that in the Tinder way. How will you reach the places you wish to visit?
If the places you want to go are close enough to your hotel, as it was for us, consider walking if the area is safe.
Simply install the app (while on WiFi of course), launch the app and it will start prompting you as to whether or not you want to download offline maps for that region. Yes please!
My girlfriend and I are unwashed heathens that only speak English. Luckily for us, the Dutch are taught English in school as a secondary language and they typically speak it very well.
The story could be very different for you if you are going to a place that does not speak your native tongue as a primary or secondary language.
Download languages to be available offline:
Calling overseas is very expensive. If you are an iPhone user and the person you wish to communicate with is as well, you could easily use iMessage features to communicate over WiFi.
Android users don’t have a common internet messaging feature built-in with the OS, but you can arrange for loved ones to install Google Duo (iPhone / Android) or Google Allo (iPhone / Android) before you leave.
Simply purchase credits inside of the app itself and you’re ready to make calls over WiFi to anywhere in the world!
So that concludes this brief guide to survival without cellular. Hope it comes in handy for you on your next holiday. Cheers and good luck!
At the time of this posting, there hasn’t been a statement on the specific nature of the hack – no information on the attack vector or even how many people have truly been affected. I will not concentrate on those juicy details.
Instead, let’s talk about what this hack means for us in the InfoSec field and what it means for those we protect.
I remember the Target hacks of 2013. I was just cutting my teeth as a network engineer studying to get my security certifications. This hack could not have happened at a more coincidental time for me.
Though the hack wasn’t incredibly sophisticated, it was incredibly effective. Credentials were compromised via an insecure third-party HVAC vendor, and malware was installed on a secure payment processing system. The malware likely entered a worm-like phase and spread itself to payment terminals across Target’s 1700+ stores. It was able to pull customer credit card numbers out of RAM before the CPNI was encrypted and sent across the wires. This data was stored on a Target server that had been commandeered by the hackers. It was a considerable amount of time before the security guys within the organization were aware of the attack, and even longer before the details of the hack went public. The hack potentially hit 70 million customers.
Arby’s had been hit by a similar hack in early 2017. Malware had spread to point-of-sale systems across America and 350,000 accounts had potentially been compromised – a mere 0.5% of the number of people affected by the Target hack a few years before. Arby’s had their information together and was ready to inform the public in about three weeks.
Fast-forward to September 2017. The Equifax hack hits the news like a sack of bricks. An estimate of 143 million Americans have the most confidential of their data, protected by one of the three behemoths of credit reporting, compromised by hackers.
This should be absolutely appalling to anyone – inside or outside of the field of Information Security.
It doesn’t end there folks! Not long after, it came to light that the tool was pretty bogus, returning random results on whether or not your confidential information had been compromised.
Let’s outline this madness.
There are too many failures to count here. Negligence, deception, and world-class ass-covering.
I won’t take time to point fingers or accuse anyone on that corporate ladder at ol’ Equifax. But it seems that they did not have the best talent, the best alerting software, or even the best tactics to undo the damage they let happen. The facts stand – this hack has the potential to be the most damaging ever. Your information may already be on the black market and in use if you haven’t frozen your credit through all three credit reporting agencies.
Why haven’t corporations learned from mistakes of the other giants? Why is security still considered a secondary thought in our ever-connected world? Why is more money spent on the graphic design of our application and software infrastructure than securing it? That goes from the developer to the administrators keeping the systems safe.
We live in the age of information. The pirates of our era can reach into your home from across the world (or from inside the same open WiFi SSID at your local coffee shop) and take your data, which represents the real YOU, and steer your ship into the ground.
Corporations cannot think of these hacks as a cost of doing business. We citizens cannot let those whom we trust with our most pertinent and confidential data get off the hook for this as we have in the past. Many companies have done the right thing and tried as best they can to repay the damage they let fall upon their customers.
I could keep ranting, but will not. I have a Blue Apron to make and wine to drink. After dinner, I will do more research to try and understand how I can be better. If I do not, I could one day be a cog in the machine that allows millions of people to be at risk.
This will be VERY similar to my previous post.
So you wanna make sure that your critical HIDS alerts are being monitored? Let’s get crackin’.
To start, make certain that your email settings are valid (on your agent manager/server) in /var/ossec/etc/ossec.conf, including your global settings and alerts settings.
I set my email alert threshold to 7 for this exercise.
Now let’s nano or vi our local rules at /var/ossec/etc/rules/local_rules.xml.
Here’s my sample rule:
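The author's own rule is not reproduced in this copy of the post, so here is a rule of the kind described, added as an example: a level 7 local rule that regex-matches the ALLYOURBASE marker the test script appends to /var/log/auth.log. The rule id 100001 and the group name are assumptions; Wazuh reserves ids from 100000 upward for custom rules.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (example, not the author's original) -->
<group name="local,syslog,">
  <!-- id 100001 is an assumed value inside the 100000+ range reserved for local rules -->
  <rule id="100001" level="7">
    <!-- fire on the exact marker string echoed into the monitored log -->
    <regex>ALLYOURBASE</regex>
    <description>Test marker ALLYOURBASE seen in a monitored log</description>
  </rule>
</group>
```

Because the rule level equals the email alert threshold of 7 set above, a match is written to alerts.log and mailed; lower the level below 7 if you only want the log entry.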
Restart your Wazuh agent manager / server with:
# /var/ossec/bin/ossec-control restart
Time to get scripting!
Make sure you have python 2.7.
$ sudo apt-get install python2.7
$ sudo apt-get install python-pip
Here’s the actual script:
import os

def wazuh():
    # Append the marker string the local rule looks for to the log Wazuh monitors.
    # Writing to /var/log/auth.log needs root, hence running the script with sudo.
    os.system('echo "ALLYOURBASE" >> /var/log/auth.log')
    print("IT HAS BEEN DONE")

wazuh()
Save the script as a .py file and save it on a device that has the Wazuh agent (client) installed.
This exercise is centered around testing a Linux agent manager (server) with an Ubuntu agent client, so make adjustments to your process if you are using Windows or OSX.
Wazuh monitors /var/log/auth.log by default in Ubuntu, so that is why I chose said file for this example.
As you can see from the script, we are simply echoing “ALLYOURBASE” into this file. The rule we created in local_rules.xml has a regex match statement looking for that exact string of text.
Now let’s run the script:
$ sudo python2 /home/bebo/Code/python2/allyourbase.py
If there are no errors, your terminal should return “IT HAS BEEN DONE”.
Check out your alert in real-time in /var/ossec/logs/alerts/alerts.log:
# tail -f /var/ossec/logs/alerts/alerts.log
You should see your alert tick right through!
If your email settings are valid, you should also receive an email alert.
Holy crap! Things are working!
You can view source for this snippet at: