Bits and bytes of a hacker.

Granular Network Security Monitoring With Bro IDS

If you’re a security researcher and haven’t kicked the tires yet on Doug Burks' Security Onion, you’re missing out on an enormous asset to your security arsenal. The Onion provides complete insight into your network, giving you full IDS (Intrusion Detection System) and NSM (Network Security Monitoring) capabilities.

One of the greatest tools Security Onion provides is Bro logging. Security Onion takes less than an hour to set up and configure, but once connected to a network tap and put in “promiscuous” mode, Bro logging kicks in and begins capturing, logging, and compressing every packet flowing into and out of your network.

This visibility sparked me to write a little bash script building off of Sketchymoose’s Python URL checker, which uses VirusTotal’s API to check a large quantity of given URLs for any detections among 51 scanning engines.

The script, coupled with the Onion, is designed to find any and all domains visited by anyone on the network that end in foreign country codes (.hk, .ru, .cc, etc.) over the previous 24 hours, running at 11:55 pm. These domains are then scanned by VirusTotal, and those that come back as malicious are recorded.

An email will then be sent at midnight informing the incident response team which endpoints had visited malicious sites and for how long each connection persisted after the initial connection had been made.

If a connection was made to a known malicious site and the connection lasted dozens of minutes or hours, it can be assumed that the endpoint was more than likely compromised. At this point the endpoint would be further examined and an investigation can be made to determine whether or not any sensitive data was put at risk.
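To make the Bro side of that pipeline concrete, here is an added example (it is not the post's CountryCodeChecker.sh and not one of Sketchymoose's scripts). It parses Bro's tab-separated http.log and conn.log, keeps the HTTP requests whose Host header ends in a watched country-code TLD, and joins them to conn.log by Bro's connection uid to recover the originating endpoint and how long each connection persisted, which is the detail the incident response email needs. The VirusTotal lookup is left out so the script runs offline; the TLD watch-list and the two log excerpts are constructed sample data, and the field names assumed are Bro's default http.log and conn.log columns.

```python
"""Correlate Bro http.log and conn.log: which endpoints talked to hosts under
watched country-code TLDs, and for how long.

Added example, not the blog's CountryCodeChecker.sh. The VirusTotal step the
post describes is omitted so this runs offline. Sample logs below are
constructed, not captured traffic.
"""

# Constructed watch-list of ccTLDs to flag; extend as needed.
WATCHED_TLDS = {"ru", "hk", "cc"}

# Constructed Bro-style http.log excerpt (tab separated, with the #fields
# header Bro writes). Addresses and timestamps are made up.
SAMPLE_HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\thost\turi
1393459200.1\tCabc1\t10.0.0.15\t49213\t203.0.113.9\t80\tupdate.example.ru\t/a
1393459260.4\tCabc2\t10.0.0.22\t49876\t198.51.100.7\t80\twww.example.com\t/
1393459300.0\tCabc3\t10.0.0.15\t49300\t203.0.113.40\t80\tcdn.example.hk\t/x.js
#close\t2014-02-27-00-00-00
"""

# Constructed conn.log excerpt. Bro writes "-" for an unset duration
# (e.g. a connection that was still open when the log rotated).
SAMPLE_CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
1393459200.1\tCabc1\t10.0.0.15\t49213\t203.0.113.9\t80\ttcp\thttp\t5423.7
1393459260.4\tCabc2\t10.0.0.22\t49876\t198.51.100.7\t80\ttcp\thttp\t0.8
1393459300.0\tCabc3\t10.0.0.15\t49300\t203.0.113.40\t80\ttcp\thttp\t-
"""


def parse_bro_log(text):
    """Return one dict per record, using the #fields header for keys.
    Other '#' lines (#separator, #open, #close, ...) are skipped."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("record seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch in line: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def tld(host):
    """Last DNS label, lower-cased, ignoring a trailing dot and any :port."""
    host = host.split(":")[0].rstrip(".").lower()
    return host.rsplit(".", 1)[-1]


def watched_hosts(http_records, tlds=WATCHED_TLDS):
    """Map uid -> Host header for requests to hosts under a watched ccTLD."""
    hits = {}
    for rec in http_records:
        host = rec.get("host", "-")
        if host != "-" and tld(host) in tlds:
            hits[rec["uid"]] = host
    return hits


def unique_domains(http_text, tlds=WATCHED_TLDS):
    """Sorted, de-duplicated flagged hosts: the list you would submit for scanning."""
    return sorted(set(watched_hosts(parse_bro_log(http_text), tlds).values()))


def correlate(http_text, conn_text, tlds=WATCHED_TLDS):
    """Join flagged http.log entries to conn.log by uid.
    Returns [(orig_ip, host, duration_seconds or None)], longest first;
    None means Bro logged the duration as unset ("-")."""
    hits = watched_hosts(parse_bro_log(http_text), tlds)
    rows = []
    for conn in parse_bro_log(conn_text):
        if conn["uid"] in hits:
            raw = conn.get("duration", "-")
            duration = None if raw == "-" else float(raw)
            rows.append((conn["id.orig_h"], hits[conn["uid"]], duration))
    rows.sort(key=lambda r: -1.0 if r[2] is None else r[2], reverse=True)
    return rows


def report(rows):
    """Plain-text table suitable for piping into a mailer such as ssmtp."""
    lines = ["endpoint\thost\tduration"]
    for ip, host, dur in rows:
        shown = "unknown" if dur is None else "%.0f s" % dur
        lines.append("%s\t%s\t%s" % (ip, host, shown))
    return "\n".join(lines)


if __name__ == "__main__":
    print("Domains to submit for scanning:", unique_domains(SAMPLE_HTTP_LOG))
    print(report(correlate(SAMPLE_HTTP_LOG, SAMPLE_CONN_LOG)))
```

Joining on uid rather than on IP and port is deliberate: Bro assigns one uid per connection and reuses it across http.log, conn.log and dns.log, so the duration you report is the duration of the exact connection that carried the flagged request. Connections with an unset duration are kept and labelled unknown rather than dropped, since a session still open at log rotation is exactly the long-lived case the post is interested in.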

Follow these steps to configure the script.

  1. Install Security Onion and configure the tap interface to monitor in promiscuous mode.

  2. Create a directory in the /opt/ folder called URLchecker.

  3. Inside URLchecker, place CountryCodeChecker.sh and both of Sketchymoose’s scripts, urlChecker.py and parseCheckerFile.py.

  4. Edit urlChecker.py and provide your VirusTotal API key (free once you sign up). Also, be sure to uncomment the timeout.sleep functions if you have a free license. Comment out lines 50, 122, 126, and 129 to lessen the verbosity of the script. If you encounter errors regarding invalid JSON variables, I fixed this by changing line 121 to if count1 % 4 == 0: and changing my sleep intervals to 30 seconds instead of 15.

  5. Edit parseCheckerFile.py by changing line 30 to [base:base+4] and line 31 to if "Link: " in l:.

Make CountryCodeChecker.sh executable with:

sudo chmod u+x CountryCodeChecker.sh

Follow this tutorial to set up SSMTP to allow cron to email you the script output. Gmail works fine, but if you have an internal email server, that should work too.

To configure cron, run crontab -e as root, select nano as your editor, then add the following at the bottom of your crontab file (replace the recipient address with your incident response team's mailbox):

MAILTO=""
55 23 * * * /opt/URLchecker/CountryCodeChecker.sh | /usr/sbin/ssmtp [email protected]

Anonymous Content Grabbing With Python

As a malware analyst, sometimes it’s necessary to obtain a sample of a website’s source code to manually evaluate any hidden malicious JavaScript. But why give up your IP address just to snoop around a bit?

Fellow analysts, I present to you, my customized python-based anonymous browser, anonBrowser.py.

It’s nothing special, just a quick and dirty little Python script that grabs a random proxy, emulates a random browser and pulls the target content using its forged identity. It’s written so that it’s easy to understand and easy to customize should you like to make changes to it.

Usage: ./anonBrowser.py -s URL

Encrypted Meterpreter Sessions With Maligno

Attention: This post is now deprecated.

Certain situations require meterpreter sessions to be encrypted to avoid layer 4 detection. This is something I’ve desired in the past but never really pursued, until I came across Maligno. Maligno is a platform from which you can launch Metasploit payloads over HTTPS that are AES encrypted and base64 encoded. The payload pushed to the client can also be encoded numerous times via any Metasploit encoders to avoid layer 7 detection.

This is the process of setting up your server:

  1. Download and extract Maligno here: Maligno

  2. Install the prerequisite binaries:

sudo apt-get update && sudo apt-get install python-ipcalc

  3. Generate the self-signed SSL cert to be used on your server:

./certgen.sh

  4. Configure server.conf to allow the following:

    • Serve 3 different payloads to 3 different targets all over port 443

    • Serve via https

    • Scope to your network

    • Set the server IP to that of the Maligno host

  5. Generate the python scripts for the clients to reach out to Maligno with:

python clientgen.py -i 0 -f server.conf -o client1.py
python clientgen.py -i 1 -f server.conf -o client2.py
python clientgen.py -i 2 -f server.conf -o client3.py

  6. On a Windows machine, install python2.7, pycrypto and py2exe.

  7. Generate executables from the python scripts using py2exe for all 3 target clients:

  8. Start the Maligno server and the meterpreter handler to listen for incoming connections:

  9. Upon execution of your crafted executables, an encrypted meterpreter session will be opened undetected by antivirus or NIDS: