Tuesday, September 12, 2017

Cloudflare-Recon Version 0.2 Demo

Cloudflare-Recon is forked from Cloudflare-enum, which is written in Python. It obtains the DNS zone records of a website that is protected by CloudFlare. This tool is a Swiss Army Knife that can be used defensively and/or offensively.

CloudFlare is a cloud-based service that provides Distributed Denial of Service (DDoS) or DoS protection as well as Web Application Firewall (WAF) protection to websites. The real IP address of a website that is protected by Cloudflare is hidden on purpose. However, Cloudflare is a well-known company that aids and abets criminals who host their websites behind it for malicious activities.

When the DNS zone records are configured incorrectly, the IP address of the server cannot be hidden and Cloudflare cannot protect you from DDoS/DoS attacks.

This tool is useful for law enforcement, hackers and sysadmins for finding out the real IP of a website that is protected by Cloudflare.

Cloudflare-Recon is modified by Samiux.

Changelog :
Version: 0.1 - Sept 10, 2017 GMT+8
[+] Forked from Cloudflare-enum
[+] Enhancement

Version: 0.2 - Sept 12, 2017 GMT+8
[+] Improved readable formatted output
[+] Error handling

That's all! See you.


Sunday, September 10, 2017

Cloudflare-Recon version 0.1 Demo

Cloudflare-Recon is forked from Cloudflare-enum, which is written in Python. It obtains the DNS zone records of a website that is protected by CloudFlare. This tool is a Swiss Army Knife that can be used defensively and/or offensively.

CloudFlare is a cloud-based service that provides Distributed Denial of Service (DDoS) or DoS protection as well as Web Application Firewall (WAF) protection. The real IP address of a website that is protected by Cloudflare is hidden on purpose. However, Cloudflare is a well-known company that aids and abets criminals who host their websites behind it for malicious activities.

When the DNS zone records are configured incorrectly, the IP address of the server cannot be hidden and Cloudflare cannot protect you from DDoS/DoS attacks.

This tool is useful for law enforcement, hackers and sysadmins for finding out the real IP of a website that is protected by Cloudflare.

Cloudflare-Recon is modified by Samiux on Sept 10, 2017.

Version: 0.1 - Sept 10, 2017 GMT+8
[+] Enhancement

That's all! See you.


HatCloud-ng version 0.1 Demo

HatCloud-ng is forked from HatCloud, which is written in Ruby. It obtains the "Real IP Address" of a website that is protected by CloudFlare. This tool is a Swiss Army Knife that can be used defensively and/or offensively.

CloudFlare is a cloud-based service that provides Distributed Denial of Service (DDoS) or DoS protection as well as Web Application Firewall (WAF) protection. The real IP address of a website that is protected by Cloudflare is hidden on purpose. However, Cloudflare is a well-known company that aids and abets criminals who host their websites behind it for malicious activities.

When the DNS zone records are configured incorrectly, the IP address of the server cannot be hidden and Cloudflare cannot protect you from DDoS/DoS attacks.

This tool is useful for law enforcement, hackers and sysadmins for finding out the real IP of a website that is protected by Cloudflare.

HatCloud-ng is modified by Samiux on Sept 10, 2017.

Version: 0.1 - Sept 10, 2017 GMT+8
[+] Bug fixes for original HatCloud dated 2017-09-10
[+] Information and error handling enhancement

That's all! See you.
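The three tool posts above (Cloudflare-Recon 0.2, Cloudflare-Recon 0.1 and HatCloud-ng) all rest on the same misconfiguration: a zone that still carries A/AAAA records pointing straight at the origin server instead of at Cloudflare's proxy. The following is an added example, not code from Cloudflare-Recon, HatCloud-ng or their upstream projects, showing the defensive side of that check: audit your own zone export and list every address record whose target is outside Cloudflare's proxy prefixes. The zone file is constructed, and the prefix list is an abbreviated snapshot assumed for the demo; the authoritative list is published by Cloudflare at https://www.cloudflare.com/ips/ and should be loaded from there in real use.

```python
"""Audit a DNS zone export for records that bypass Cloudflare's proxy.

Added example, not part of Cloudflare-Recon or HatCloud-ng. The zone text and
the prefix list are constructed for the demo; fetch the current prefixes from
https://www.cloudflare.com/ips/ before auditing a real zone.
"""
import ipaddress
import re

# Abbreviated snapshot of Cloudflare proxy prefixes (assumption for the demo).
CLOUDFLARE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "2606:4700::/32",
)]

# Matches "name [ttl] IN A|AAAA address"; other record types carry no address.
ZONE_LINE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+(?P<type>A|AAAA)\s+(?P<addr>\S+)$")


def is_cloudflare(addr, prefixes=CLOUDFLARE_PREFIXES):
    """True when the address lies inside one of the proxy prefixes (IPv4 and IPv6 handled)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def find_exposed_records(zone_text, prefixes=CLOUDFLARE_PREFIXES):
    """Return (name, type, addr) for every A/AAAA record whose address is not proxied.

    These are the records a tool like Cloudflare-Recon would report as the origin IP.
    """
    exposed = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        m = ZONE_LINE.match(line)
        if not m:
            continue  # MX, TXT, CNAME, blank or comment-only lines
        if not is_cloudflare(m["addr"], prefixes):
            exposed.append((m["name"], m["type"], m["addr"]))
    return exposed


# Constructed sample zone: apex and www are proxied, mail/ftp still point at the origin.
SAMPLE_ZONE = """\
; constructed sample zone for example.com
example.com.        300 IN A     104.16.12.34          ; proxied by Cloudflare
www.example.com.    300 IN A     104.16.12.34
mail.example.com.   300 IN A     203.0.113.10          ; MX target, unproxied: origin address visible
ftp.example.com.    300 IN A     203.0.113.10          ; leftover record pointing at the origin
example.com.        300 IN AAAA  2606:4700::6810:c22
example.com.        300 IN MX 10 mail.example.com.
"""

if __name__ == "__main__":
    for name, rtype, addr in find_exposed_records(SAMPLE_ZONE):
        print(f"EXPOSED {rtype:4} {name:22} -> {addr}")
```

Run against a real export (for example the output of a zone transfer you are authorised to perform, or the zone file you manage), the two `mail`/`ftp`-style hits are exactly the entries to either proxy, move to a separate address, or firewall so that only Cloudflare's prefixes can reach the origin.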


Saturday, September 09, 2017

HOWTO : Install Metasploit Framework on Ubuntu 16.04.3 LTS

Metasploit Framework is an exploitation framework.

Step 1 :

sudo apt install curl

cd ~
mkdir infosec
cd ~/infosec
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

msfconsole


Answer "yes" when you see this prompt message :

Would you like to use and setup a new database (recommended)? yes

Update and Upgrade

sudo apt update
sudo apt dist-upgrade


That's all! See you.


HOWTO : Install John on Ubuntu 16.04.3 LTS

John is a password cracker.

Step 1 :

sudo apt install git build-essential libssl-dev

Step 2 :

cd ~
mkdir infosec
cd infosec

git clone https://github.com/magnumripper/JohnTheRipper.git
cd JohnTheRipper/src
./configure
make clean
make

cd ../run
./john --help


Update and Upgrade

sudo apt update
sudo apt dist-upgrade

cd ~/infosec/JohnTheRipper
git pull origin master
cd src
./configure
make clean
make


That's all! See you.


HOWTO : Install THC-Hydra on Ubuntu 16.04.3 LTS

THC-Hydra is a password brute forcer.

Step 1 :

sudo apt install git build-essential libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev libncurses5-dev

Step 2 :

cd ~
mkdir infosec
cd infosec
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
./hydra -h
./xhydra


Update and Upgrade

sudo apt update
sudo apt dist-upgrade

cd ~/infosec/thc-hydra
git pull origin master
make clean
./configure
make

That's all! See you.


HOWTO : Install Recon-ng on Ubuntu 16.04.3 LTS

Recon-ng is a full-featured Web Reconnaissance framework.

Step 1 :

sudo apt install git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml

Step 2 :

pip install dicttoxml --upgrade

Step 3 :

cd ~
mkdir infosec
cd ~/infosec
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
cd recon-ng
./recon-ng


Update and Upgrade

sudo apt update
sudo apt dist-upgrade

pip install dicttoxml --upgrade

cd ~/infosec/recon-ng
git pull origin master


That's all! See you.


Friday, September 08, 2017

HOWTO : Install Weevely3 on Ubuntu 16.04.3 LTS

Weevely3 is a web shell. It is hardly detected by anti-virus software, and its traffic is obfuscated within HTTP requests.

Step 1 :

sudo apt install g++ python-pip libyaml-dev python-dev libncurses5 libncurses5-dev

cd ~
mkdir infosec
cd ~/infosec
git clone https://github.com/epinna/weevely3.git
cd weevely3
pip install -r requirements.txt --upgrade


Step 2 :

cd ~/infosec/weevely3
python weevely3.py -h


Update and Upgrade

sudo apt update
sudo apt dist-upgrade
cd ~/infosec/weevely3
git pull origin master
pip install -r requirements.txt --upgrade


Reference

Documentation

That's all! See you.


HOWTO : Install Vega 1.0 on Ubuntu 16.04.3 LTS

Vega is an open source web application vulnerability scanner.

Step 1 :

sudo apt install libwebkitgtk-1.0 default-jdk unzip

cd ~
mkdir infosec
cd ~/infosec

wget https://dist.subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip
unzip VegaBuild-linux.gtk.x86_64.zip


Step 2 :

cd vega
./Vega


That's all! See you.


Thursday, September 07, 2017

HOWTO : Install SpiderFoot on Ubuntu 16.04.3 LTS

SpiderFoot is an open source intelligence automation tool.

Step 1 :

sudo apt install git python-lxml python-netaddr python-m2crypto python-cherrypy3 python-mako python-requests python-bs4

Step 2 :

cd ~/
mkdir infosec
cd ~/infosec
git clone https://github.com/smicallef/spiderfoot.git


Step 3 : (Optional)

If you want to enable the login feature, you need to :

echo "admin:admin" > ~/infosec/spiderfoot/passwd

Step 4 :

To run it :

cd ~/infosec/spiderfoot
python ./sf.py

Step 5 :

Open your browser and point to http://127.0.0.1:5001

* Make sure to add API Keys to the related items in the settings.

Update and Upgrade

sudo apt update
sudo apt dist-upgrade
cd ~/infosec/spiderfoot
git pull origin master


Reference

Documentation

That's all! See you.


HOWTO : Install OpenVAS 9 on Ubuntu 16.04.3 LTS

OpenVAS is an open source vulnerability scanner.

Step 1 :

sudo add-apt-repository ppa:mrazavi/openvas
sudo apt update

sudo apt install sqlite3
sudo apt install openvas9


* Make sure you install sqlite3 first; otherwise, openvas9 will fail to install.

Step 2 :

To enable pdf reports:

sudo apt install texlive-latex-extra --no-install-recommends
sudo apt install texlive-fonts-recommended


To install openvas-nasl utility:

sudo apt-get install libopenvas9-dev

Step 3 :

sudo greenbone-nvt-sync
sudo greenbone-scapdata-sync
sudo greenbone-certdata-sync


Step 4 :

sudo systemctl restart openvas-scanner
sudo systemctl restart openvas-manager
sudo openvasmd --migrate    # only required when upgrading from an older version
sudo openvasmd --rebuild --progress


Step 5 :

Default URL is https://localhost:4000
Use "admin" as username and password.

Step 6 : (Optional)

If you want to change port number, you need to :

sudo nano /etc/default/openvas-gsa
sudo systemctl restart openvas-gsa


That's all! See you.


Tuesday, September 05, 2017

HOWTO : Install SQLMap on Ubuntu 16.04.3 LTS

Metasploit Framework is required for the SQLMap takeover process. The following is the complete SQLMap installation procedure on Ubuntu 16.04.3 LTS.

Step 1 :

sudo apt update
sudo apt dist-upgrade
sudo apt install git python-pip curl


Step 2 : Install SQLMap

cd ~/
mkdir infosec
cd ~/infosec

git clone https://github.com/sqlmapproject/sqlmap.git


Step 3 : Install Metasploit Framework

cd ~/infosec
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

msfconsole


Answer "yes" when you see this prompt message :

Would you like to use and setup a new database (recommended)? yes

Step 4 : Install SQLMap Dependencies

sudo apt install python-impacket python-ibm-db-sa python-kinterbasdb python-pyodbc python-pymssql python-pymysql python-psycopg2 python-pysqlite2 python-ntlm

pip install cx_Oracle --upgrade


Step 5 : Update/Upgrade

sudo apt update
sudo apt dist-upgrade

msfupdate

pip install cx_Oracle --upgrade

cd ~/infosec/sqlmap
python sqlmap.py --update


That's all! See you.


Wednesday, August 23, 2017

Current Affairs Observation Programme: On the "雙學三犯" (the three convicted student activists) only receiving heavier sentences

Yu Fei (余非): On August 21, 2017, before the Court of Appeal handed down heavier sentences to the three student activists Joshua Wong (黃之鋒), Nathan Law (羅冠聰) and Alex Chow (周永康), Lee Cheuk-yan (李卓人) had already uploaded to Facebook an as-yet unpublished statement by the US Congressional-Executive Commission on China in support of Joshua Wong and the others. The statement said that the US Congress intended to re-examine the special status that US law grants to Hong Kong once Wong and the others were jailed, which is blatant interference in Hong Kong's internal affairs.

Yu Fei also asks: just because their "criminal motives were noble", can these "troublemaking youth leaders" be excused from responsibility? Regarding the imprisonment of Joshua Wong, Nathan Law and Alex Chow, Yu Fei stresses that the court only increased their sentences; it did not re-try them.

Please share this and listen to Yu Fei's incisive analysis!

Original audio (Cantonese): Yu Fei's Current Affairs Observation programme on Sing Tao Radio (《星島電台》), San Francisco

About Yu Fei (余非):

Graduated from the Department of Chinese at The Chinese University of Hong Kong with a minor in Chinese music (guzheng), and obtained a master's degree from the same university, then went to the United Kingdom for a master's degree in publishing. Worked for many years as an editor in Hong Kong, including as chief editor of Charles Kao's only Chinese-language autobiography, 《潮平岸闊──高錕自述》; wrote literary works in her spare time, and became a full-time writer in 2003.

Source:
Yu Fei on Sing Tao Radio, San Francisco: the three student activists only received heavier sentences

Friday, August 18, 2017

HOWTO : Upgrade Ubuntu 16.04.3 to Ubuntu Gnome 16.04.3

Since Ubuntu Unity is no longer supported after Ubuntu 18.04, Ubuntu has released a GNOME 3 version for Ubuntu 16.04.3. We can switch to it without pain.

sudo apt install ubuntu-gnome-desktop^

Select "gdm3" when prompted.

sudo apt remove unity lightdm ubuntu-desktop

sudo apt autoremove
sudo apt autoclean
sudo do-release-upgrade


Now you can force a reboot of the box by long-pressing the power (shutdown) button.

That's all! See you.

Update on August 19,2017 :

After the upgrade to Firefox 55.0.2, Firefox may not handle the decimal separator properly in your language. In my case it shows 100,10 instead of 100.10, even though the locale is English. This link shows how to change it when necessary. In my case I set "general.useragent.locale" to "en-US".


Wednesday, August 09, 2017

HOWTO : Fully Upgraded From Ubuntu 16.04.2 To 16.04.3

For some unknown reason, when Ubuntu 16.04.2 is upgraded to 16.04.3, the kernel is not upgraded from 4.4.x to 4.10.x automatically. The following steps show how to do it manually.

Step 1 :

sudo apt update
sudo apt dist-upgrade


Step 2 :

cat /etc/lsb-release

The output would be :

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"


Step 3 :

uname -r

If the kernel is still 4.4.x, you need to upgrade it manually.

Step 4 :

sudo apt --install-recommends install linux-generic-hwe-16.04 linux-tools-generic-hwe-16.04 xserver-xorg-hwe-16.04

sudo apt remove --purge linux-generic-lts-xenial linux-tools-generic-lts-xenial xserver-xorg-lts-xenial linux-image-generic-lts-xenial linux-generic linux-tools-generic linux-image-generic xserver-xorg linux-headers-generic linux-headers-generic-lts-xenial
sudo rm /boot/*-4.4.0-*
sudo apt autoremove
sudo apt autoclean


After the full upgrade and a reboot, the kernel will be 4.10.x.

That's all! See you.


Monday, July 17, 2017

[Warning] HSBC Phishing Website

This morning, I received an SMS message which stated that my account had been locked and asked me to log in via a given link (http://activation-hsbc.com/cgi) to verify it.

I inspected the "login" page and found that it would redirect you to your real local HSBC Personal eBanking login page. However, your credentials would be logged by JavaScript and you would be redirected to the Deep Web (or Dark Web), where all your real e-banking transaction sessions would be hijacked.

The phishing website's domain was registered yesterday, and the registration data show that it is from Russia (which may be fake). The IP address of the server is 185.151.245.43. The URL http://185.151.245.43/cgi shows the same content.

I think that it may be a global HSBC phishing website. Beware!

That's all! See you.


(Update) Four hours after reporting it, I got the following confirmation email from HSBC :

Dear Customer

Thank you for your e-mail of 17 July regarding an SMS you received claiming to be from HSBC.

We confirm that the SMS in question is NOT a genuine HSBC message. We have reported this matter to our relevant department for their attention and necessary action.

To safeguard your interests, please do not reply or click the link inside the SMS. Please delete the SMS immediately.

Thank you once again for taking the time to bring your concern to our attention. We are pleased to be of service.

Yours faithfully


Cxxxxxxa Wong
Senior Customer Support Officer
Retail Banking and Wealth Management

The Hongkong and Shanghai Banking Corporation Limited
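The two tells in the post above are the ones a first-line triage can check mechanically: the link uses plain HTTP on a domain that merely contains the bank's name, and the same content is served from a bare IP address. The following is an added example, not part of the original post, that encodes those checks as a small URL triage function. The allowlist of legitimate domains is an assumption made for the demo (it is not HSBC's authoritative list); the two URLs from the post are used as the sample input.

```python
"""Triage a link received by SMS against a bank's known domains.

Added example, not part of the original post. LEGIT_DOMAINS is an assumed
allowlist for the demo; in practice take it from the bank's own published domains.
"""
import ipaddress
from urllib.parse import urlsplit

BRAND = "hsbc"
LEGIT_DOMAINS = ("hsbc.com", "hsbc.com.hk")  # assumption for the demo


def _is_ip(host):
    """True when the host part is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _on_allowlist(host, legit):
    """True for an allowlisted domain or a subdomain of one.

    Matching on the suffix with a leading dot means 'hsbc.com.evil.example'
    does not pass just because it starts with a legitimate name.
    """
    return any(host == d or host.endswith("." + d) for d in legit)


def triage_url(url, brand=BRAND, legit=LEGIT_DOMAINS):
    """Return the red flags found for a URL; an empty list means none of these checks fired."""
    reasons = []
    # SMS links often omit the scheme; assume http so urlsplit sees a host.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        reasons.append("no TLS (plain http)")
    if _is_ip(host):
        reasons.append("bare IP address instead of a domain")
    elif not _on_allowlist(host, legit):
        if brand in host:
            reasons.append(f"'{brand}' appears in a domain the bank does not own")
        else:
            reasons.append("domain not on the bank's allowlist")
    return reasons


if __name__ == "__main__":
    # The two URLs from the post, plus a legitimate one for contrast.
    for u in ("http://activation-hsbc.com/cgi",
              "http://185.151.245.43/cgi",
              "https://www.hsbc.com.hk/"):
        print(u, "->", triage_url(u) or ["no red flags"])
```

A mail or SMS gateway can run the same function over every link it extracts; a non-empty result is a reason to quarantine the message and, as the post did, report the link to the bank rather than follow it.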


Friday, July 07, 2017

[Full Disclosure] TopLeader Is Vulnerable To SQL Injection

Recently, a new local TV advertisement caught my eye. It is for a job-hunting website, namely TopLeader.

As an information security guy, I was curious to see how secure the website is. I therefore conducted a very quick and simple test on it. It was just a recon procedure; I did not hack it.

The site stores employer, customer and agency information; however, the site is not on HTTPS by default. Meanwhile, the TLS/SSL encryption has weak cipher suites, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.

Although the site has a Cross Site Scripting (XSS) protection security header, it does not have any other security headers. Therefore, the site may be open to a Man-In-The-Middle (MITM) attack.

In addition, many URLs of the site are vulnerable to blind SQL injection (SQLi), which carries the risk that the data will be leaked to the public by attackers.

The webmaster or official was informed about the captioned findings via the website's "Contact Us" form on June 30, 2017. However, I did not get any reply from the official after 7 days. I decided on public disclosure in order to warn other employers and customers not to trust this site, as it leaks information.

Disclosure Timeline

2017-06-30 - A message was sent to the webmaster or official about the captioned findings via the website.
2017-07-07 - No reply received from the webmaster or official; public disclosure.
2017-07-12 - The SQL injection is fixed but the others are not yet fixed. Information stored before 2017-07-12 may already have been leaked to the public.

That's all! See you.


Wednesday, June 21, 2017

[REVIEW] Cyber Security Campaign 2017 (Hong Kong)

Yesterday (Jun 20, 2017), the Cyber Security and Technology Crime Bureau (CSTCB) of the Hong Kong Police Force announced a year-long Cyber Security Campaign 2017 in order to kill all botnets in Hong Kong. They built a website for Hong Kong citizens to download 3 famous anti-virus scanners (Kaspersky, Symantec and Trend Micro). The campaign commenced today. (SCMP news) However, the site could not be accessed until 1500 hours today, because it was too busy or for some other reason.

I conducted a quick test on the website when the news was announced yesterday. This article is about the result of that non-professional test.

The website is running on Windows Server 2012 and is hosted at Alchemy. It is not clear whether it is a dedicated server or a shared hosting server; it is possibly a dedicated server. The IP address of the server is 205.144.171.79.

Meanwhile, I found out that the server is also hosting another website, Cyber Security Professional Awards, which is also run by CSTCB.

The Server

The website is running on Microsoft IIS 8.5 with ASP.NET (version 4.0.30319; the ASP.NET MVC version is 5.2). Ports 80, 135, 443, 445, 5666 and 49159 are open on the Windows Server 2012. There is no Web Application Firewall (WAF) in front of the Microsoft IIS web server.

SSL Certificate

Since there is no data exchange between users and the web application, an SSL certificate for the website is not required in general. However, it has one. It supports TLS 1.0, 1.1 and 1.2. It uses a weak cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA) for the encryption. Meanwhile, it serves a mismatched SSL certificate for www.fishingmilitia.com. In addition, there are no security headers on the website. The grading of the website is A only.

I later learnt that the mismatched SSL certificate of Fishing Militia belongs to the "Cyber Security Professional Awards" website. The SSL certificate of "Fishing Militia" expired on Jun 16, 2017. However, the "Cyber Security Professional Awards" website is running on port 80. It is very weird.

Web Application

It is a single-page web application, mainly running JavaScript. It stores all the images, including the background image, on https://storage.googleapis.com. The images range from 58kB to 2.7MB in size. That is why the website may not be accessible and displays "Service Unavailable. HTTP Error 503. The service is unavailable." There is no database and no data exchange between users and the web application.

When the "Cyber Security Campaign 2017" website loads slowly or cannot be accessed, the "Cyber Security Professional Awards" website responds the same way.

Conclusion

The Windows Server 2012 is hosting 2 websites, "Cyber Security Professional Awards" and "Cyber Security Campaign 2017", on ports 80 and 443 respectively. If there were a proxy server, both websites could use port 80 instead.

The response time of "Cyber Security Campaign 2017" is slow mainly because the images are large and they are fetched from storage.googleapis.com. The googleapis.com host is serving JavaScript only and its upload speed may not be very high. Therefore the bottleneck is the size of the images and the slow external storage.

It is very weird that the SSL certificate of the "Cyber Security Professional Awards" website points to another domain.

In conclusion, the website is misconfigured and its design is not good.

That's all! See you.
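The TopLeader disclosure and the Cyber Security Campaign review above report the same three configuration findings: 3DES cipher suites still offered, only an X-XSS-Protection header with no other security headers, and (in the review) a certificate issued for a different hostname. The following is an added example, not code from either post, that turns those three findings into offline checks a site owner can run over their own captured configuration. The offered cipher list, the response headers and the certificate dictionary are constructed to mirror what the posts report; the expected-header list is a common baseline chosen for the demo, and the hostname being checked against the certificate is a placeholder.

```python
"""Offline checks for weak cipher suites, missing security headers and a
certificate/hostname mismatch.

Added example, not from the TopLeader or Cyber Security Campaign posts. The
cipher list, headers and certificate dict below are constructed to mirror the
findings those posts describe.
"""

# Substrings that mark a cipher suite as weak: 3DES, single DES, RC4, NULL,
# export-grade, MD5-based MACs and anonymous DH.
WEAK_MARKERS = ("3DES", "DES_CBC", "RC4", "NULL", "EXPORT", "MD5", "anon")

# Baseline response headers a public site is expected to send (demo choice), in report order.
REQUIRED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Referrer-Policy",
)


def weak_cipher_suites(offered):
    """Return the offered suites (input order preserved) that carry any weak marker."""
    return [s for s in offered if any(m in s for m in WEAK_MARKERS)]


def missing_security_headers(headers):
    """Return the baseline headers absent from a response; names compare case-insensitively."""
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


def cert_matches_host(cert, host):
    """Check a certificate dict shaped like ssl.getpeercert() against a hostname.

    Exact dNSName entries match; a wildcard covers exactly one label, so
    '*.example.org' matches 'www.example.org' but not 'a.b.example.org'.
    """
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.endswith(name[1:])
                and host.count(".") == name.count(".")):
            return True
    return False


# Constructed inputs mirroring the posts' findings.
OFFERED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
]
RESPONSE_HEADERS = {
    "Server": "Microsoft-IIS/8.5",
    "X-Powered-By": "ASP.NET",
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1; mode=block",  # the only security header the posts found
}
# Certificate for the other site on the same server (domain taken from the review post).
SERVED_CERT = {"subjectAltName": (("DNS", "www.fishingmilitia.com"),)}
SITE_HOST = "www.example.org"  # placeholder for the audited site's own hostname


def audit(offered=OFFERED_SUITES, headers=RESPONSE_HEADERS, cert=SERVED_CERT, host=SITE_HOST):
    """Collect the three findings into one report dict."""
    return {
        "weak_cipher_suites": weak_cipher_suites(offered),
        "missing_headers": missing_security_headers(headers),
        "certificate_matches_host": cert_matches_host(cert, host),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(f"{finding}: {value}")
```

The cipher list and headers would normally come from a TLS scanner's output or a saved HTTP response, and the certificate dict straight from `ssl.getpeercert()`; the point of keeping the checks pure functions is that they can be re-run from the captured evidence after each fix, which is how the 2017-07-12 "SQLi fixed, others still open" state in the TopLeader timeline would be confirmed.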


Monday, June 19, 2017

HOWTO : Lower CPU Loading With ulimit on Ubuntu 16.04 LTS

ulimit (configured system-wide in /etc/security/limits.conf) can cap the number of processes a user may run on Linux. One use of it is to lower the CPU load when you have a low-end CPU; the lower the CPU load, the lower the CPU temperature.

sudo nano /etc/security/limits.conf

Append the following lines at the end of the file.

* soft nproc 10240
root soft nproc 10240


You can replace "10240" with any value up to "65535".

That's all! See you.


Sunday, June 04, 2017

HOWTO : Update Ubuntu 16.04 LTS

sudo nano ~/update_ubuntu

Put the following lines in the file :

#!/bin/sh
# Never prompt during package configuration.
export DEBIAN_FRONTEND=noninteractive
sudo apt update
# Upgrade non-interactively, keeping the existing config file whenever a package ships a new one.
sudo apt -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o APT::Get::Assume-Yes="true" -y dist-upgrade
# Drop cached .deb files that can no longer be downloaded.
sudo apt -y autoclean
# Remove packages that are no longer needed, together with their config files.
sudo apt -y --purge autoremove


Save it and make it executable.

chmod +x ~/update_ubuntu

To run it :

sudo ~/update_ubuntu

That's all! See you.