Jun 06 2013
 

This is a trick I learned a long time ago.  I used to teach it in the Linux administration, digital forensics, and ethical hacking courses I taught at college, and it has been one of the most useful commands I ever learned.  The scenario goes like this: let's assume you have a user you suspect is doing something nefarious, or maybe a hacker already has a shell on your server.  You would like to see exactly what they are doing.  Wouldn't it be nice to connect to their shell without them knowing, so you can watch what they are doing?

Here is how it is done…..

Continue reading »

May 30 2013
 

There are times when I need to do things and I don't trust using public access, hotspots, etc.  So what I did was set up a VPN on my home network that I can connect to from anywhere.  This has the advantage of encrypting my communications while in a public place.  One of the problems was that my ISP randomly changes my IP address.  Granted, there are numerous dynamic DNS services, but publishing the address that way just has the potential to attract unwanted traffic.  So what I did was write a small one-line script that dumps my IP once a day to my Dropbox account (encrypted).  Either the script can be run via crontab, or you can simply add the entire line to crontab:

Continue reading »

May 18 2013
 

A long time ago, I created a database to hold passwords and their respective hashes for 16 different hash types.  It has approximately 310,261,848 passwords for each type and is growing nearly every day as more password lists become available.  I found a pretty quick way to generate the hashes for these wordlists and wanted to share how it is done.  These hashes only work against unsalted (and unpeppered) passwords: a lookup table like this is defeated by any per-user salt, because the salted hash of the same password differs for every user.

First, let's look at my table schema, which is very simple and very effective.  It uses a unique index across the hash and password columns, so there cannot be two rows with the same hash and password.  The types table is a simple lookup table that maps data.type (e.g. 1) to a name like DES; its primary key is on the name column.  I don't claim to be a DB administrator, so if you spot any errors, let me know.

Continue reading »
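The post's own hash generator is not in this excerpt. The script below is an added example, not the author's code: it produces rows in the shape the schema above implies (a numeric type id, the hex digest, and the plaintext, tab-separated, ready for a bulk load into data(type, hash, password)). It assumes GNU coreutils md5sum/sha1sum/sha256sum/sha512sum are installed; the type ids and the three-word wordlist are made up for the example.

```bash
#!/bin/bash
# Added example, not the author's own generator (the post does not show it). It produces
# "type<TAB>hash<TAB>password" rows for a bulk load (e.g. MySQL's LOAD DATA INFILE) into
# data(type, hash, password). Assumptions: GNU coreutils digest tools are present, and the
# type ids below are invented for the example.
# Only unsalted, single-pass digests are produced, which is all a lookup table can answer.

# Hash one password with one algorithm.
# printf '%s' is deliberate: "echo" would append a newline and silently hash a different string.
hash_one() {
    local algo="$1" pw="$2"
    case "$algo" in
        md5)    printf '%s' "$pw" | md5sum    | cut -d' ' -f1 ;;
        sha1)   printf '%s' "$pw" | sha1sum   | cut -d' ' -f1 ;;
        sha256) printf '%s' "$pw" | sha256sum | cut -d' ' -f1 ;;
        sha512) printf '%s' "$pw" | sha512sum | cut -d' ' -f1 ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 1 ;;
    esac
}

# Ids for the types lookup table (assumed mapping for this example).
type_id() {
    case "$1" in
        md5) echo 1 ;; sha1) echo 2 ;; sha256) echo 3 ;; sha512) echo 4 ;;
        *)   return 1 ;;
    esac
}

# Read a wordlist on stdin and emit one TSV row per (algorithm, password).
# IFS= and read -r keep leading spaces and backslashes in the password intact; an entry
# containing a tab would corrupt the TSV, so it is reported and skipped.
hash_wordlist() {
    local algos="$*" pw algo tab
    tab=$(printf '\t')
    while IFS= read -r pw; do
        [ -z "$pw" ] && continue
        case "$pw" in
            *"$tab"*) echo "skipping entry containing a tab: $pw" >&2; continue ;;
        esac
        for algo in $algos; do
            printf '%s\t%s\t%s\n' "$(type_id "$algo")" "$(hash_one "$algo" "$pw")" "$pw"
        done
    done
}

# Constructed wordlist for the demonstration.
WORDLIST='password
123456
letmein'

# Usage: md5 and sha1 rows for every word; sort -u mirrors the unique index on (hash, password).
printf '%s\n' "$WORDLIST" | hash_wordlist md5 sha1 | sort -u
```

Forking a digest process per word is fine for showing the row format but far too slow for 300 million entries; the same TSV can be produced by any tool that hashes in-process, and the `sort -u` step is what keeps the bulk load from tripping the unique index on duplicate wordlist entries.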

Mar 16 2013
 

One thing you learn pretty quickly once you move into the cloud is that what you would normally do to stop bots, rogue traffic, hackers, etc. doesn't quite work, even at the packet level.  What I mean is this: you have a Linux web server sitting behind an AWS load balancer and it is under attack.  The first thing you do is set up an iptables rule to drop connections from the attacker's IP address.  The problem is, iptables never sees that IP address.  The load balancer terminates the client's TCP connection and opens its own connection to your server, so at the packet level the source address is the load balancer's, and iptables only matches on what is in the packet headers.  The client's real address travels inside the HTTP request, in the X-Forwarded-For header, which only the web server parses.  So the first thing you need to do is enable X-Forwarded-For logging in your web server.  I will use nginx as an example:

Continue reading »
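The nginx configuration from the post is cut off in this excerpt. As an added example (not the author's code), the script below shows what you can do once X-Forwarded-For is in the log: pull the trusted client address out of each line, count per client, and turn the offenders into nginx `deny` rules. It assumes a constructed log format (the standard combined format with `$http_x_forwarded_for` appended as one more quoted field) and uses constructed log lines; the addresses are documentation ranges.

```bash
#!/bin/bash
# Added example, not the nginx configuration from the original post (that part is cut off
# in this excerpt). It shows what to do with X-Forwarded-For once it is being logged.
#
# Assumed log format (constructed for this example): nginx's "combined" format with
# $http_x_forwarded_for appended as one more quoted field, so X-Forwarded-For is always
# the last quoted field on the line:
#   log_format xff '$remote_addr - $remote_user [$time_local] "$request" '
#                  '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
#                  '"$http_x_forwarded_for"';
#
# The load balancer appends the address it saw the client connect from to the END of any
# X-Forwarded-For header the client already sent. Everything left of that was supplied by
# the client and can be forged, so only the rightmost entry is trusted here.

# Print the trusted client address for every request on stdin (one per line).
xff_client_ips() {
    awk -F'"' '{
        xff = $(NF-1)                       # last quoted field (see assumed format above)
        n = split(xff, parts, /, */)        # "1.2.3.4, 5.6.7.8" -> parts[1], parts[2]
        ip = parts[n]                       # rightmost entry = added by the load balancer
        gsub(/^ +| +$/, "", ip)
        if (ip != "" && ip != "-") print ip # "-" means the request did not come via the LB
    }'
}

# Print "ip count" for every client with at least THRESHOLD requests, busiest first.
xff_top_talkers() {
    threshold="${1:-3}"
    xff_client_ips | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# Turn the offenders into nginx "deny" lines ready to drop into a server block.
xff_deny_rules() {
    xff_top_talkers "$1" | awk '{ print "deny " $1 ";" }'
}

# Constructed sample log. 10.0.1.20 is the load balancer as the server sees it; the third
# line is a client that forged a leading X-Forwarded-For entry; the last line is a direct
# hit on the instance that bypassed the load balancer entirely.
SAMPLE_LOG='10.0.1.20 - - [16/Mar/2013:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "203.0.113.9"
10.0.1.20 - - [16/Mar/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "203.0.113.9"
10.0.1.20 - - [16/Mar/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "198.51.100.7, 203.0.113.9"
10.0.1.20 - - [16/Mar/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "203.0.113.9"
10.0.1.20 - - [16/Mar/2013:10:00:05 +0000] "GET / HTTP/1.1" 200 5678 "-" "Mozilla/5.0" "198.51.100.7"
10.0.1.20 - - [16/Mar/2013:10:00:06 +0000] "GET /about HTTP/1.1" 200 5678 "-" "Mozilla/5.0" "198.51.100.7"
192.0.2.44 - - [16/Mar/2013:10:00:07 +0000] "GET / HTTP/1.1" 200 5678 "-" "curl/7.29" "-"'

# Usage: anything that hit the server 3 or more times in this window gets a deny rule.
printf '%s\n' "$SAMPLE_LOG" | xff_deny_rules 3
```

Two caveats when using the output. nginx's `deny` compares against `$remote_addr`, which behind the load balancer is still the load balancer's address, so the rules only bite if the realip module is enabled (`set_real_ip_from` for the load balancer's address range, `real_ip_header X-Forwarded-For`, and `real_ip_recursive on` so the rightmost untrusted entry is used). And a request like the last sample line, which reached the instance directly, is exactly the case where iptables on `$remote_addr` does work.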

Mar 09 2013
 

As I use nginx more and more, one of the things I miss is being able to see who is connecting to the server and the requests they are making.  This is often helpful in determining attacks.  So I basically wrote this script, which does it.

#!/bin/bash

# By Ed Wiget
# This shows active GETs and POSTs to port 80
# One of the things I hate about nginx is the lack of an apache style status page showing requests
# hence I wrote this script....which does it at the network layer, using ngrep
# Note: this only sees plaintext HTTP on port 80; TLS traffic on 443 is opaque to ngrep.

# 20130308 - original script

## grep all HTTP GET or POST requests from network traffic on the eth0 interface ##
# sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80

# ngrep needs raw socket access, so run this as root (or via sudo)
if ! command -v ngrep >/dev/null 2>&1; then
	echo "missing ngrep....please install"
	exit 1
fi

# "$1" is quoted so the test does not fail with "unary operator expected" when no argument is given
if [ -z "$1" ]; then
	echo "You must pass the interface as an option, i.e. eth0 or eth1, etc"
	read -r CIF
else
	CIF="$1"
fi

# ngrep runs until interrupted; the loop just restarts it if it exits (e.g. the interface goes down)
while true; do
	# uncomment the next line if you don't need X-Forwarded-For
	#ngrep -l -q -d "${CIF}" "^GET |^POST " tcp and port 80
	# use the next line if you do need X-Forwarded-For (e.g. behind a load balancer)
	#ngrep -d "${CIF}" -q 'X-Forwarded-For' tcp and port 80
	# -t prefixes each match with a timestamp
	ngrep -d "${CIF}" -t '^(GET|POST) ' tcp and port 80
	echo
	sleep 1
done

CHANGES

20130905 – added option to pass interface

Mar 06 2013
 

This was tested on CentOS 6.3.  It is handling approximately 900 to 3,000+ log events per second from approximately 30 hosts.

Current load is about 900 messages per second:  load average: 1.57, 1.35, 1.29 with 8GB memory.

With the above in mind, there was approximately 165GB of log data after running for 4 days.

graylog.org web site

elasticsearch web site

mongo db

passenger phusion web site

logstash web site

I wrote a script to install a graylog2 central log server.  It's a one-shot, run-it-and-be-done kind of thing.....

CHANGES

20130309 – see notes in script

Continue reading »

Feb 09 2013
 

One thing I can't stand is waiting on software to download.  I mean, I have a blazingly fast internet connection and I expect everything I do to be blazingly fast too.  So one thing I noticed was that my BackBox Linux installation was taking forever to download updates.  Looking into why, I noticed there were static mirror addresses in /etc/apt/sources.list for the Ubuntu software repositories.

So here is how to fix it so that you always get the mirror closest to you:

Continue reading »

Feb 05 2013
 

So I wrote this script because I often need to run tcpdump on a remote host and then view the capture in Wireshark.  The old method was to run tcpdump on the remote host, scp/rsync the file back to my local machine, open it in Wireshark, and view it.  This script saves a lot of time.  It assumes you are logging in as root and will need to be modified if you are running as a normal user (change root to your username and make sure you have sudo privileges for tcpdump).

#!/bin/bash

# By Ed Wiget
# This runs tcpdump on a remote host and pipes it back locally to wireshark to view in realtime

# 20130205 - original script

# "$1" is quoted so the test does not break when no argument is given
if [ -z "$1" ]; then
	echo "What is the remote host by fqdn, i.e. server1.domain.com"
	read -r RHOST
else
	RHOST="$1"
fi

# -U writes each packet out as it arrives instead of buffering, so wireshark sees traffic in real time.
# "not port 22" keeps the ssh session carrying the capture out of the capture itself; without it,
# every captured packet generates more ssh traffic, which is captured in turn, and the stream snowballs.
wireshark -k -i <( ssh -l root "${RHOST}" /usr/sbin/tcpdump -i eth0 -U -w - not port 22 )

# after you close wireshark, the tcpdump still runs on the remote host...we need to kill it
PIDOF=$(ssh root@"${RHOST}" "pgrep tcpdump")

# note: pkill stops every tcpdump on the remote host, not just the one this script started
echo "killing pid ${PIDOF} on ${RHOST}...please wait...."
ssh root@"${RHOST}" "pkill tcpdump"

# now we make sure it is killed
PIDOF2=$(ssh root@"${RHOST}" "pgrep tcpdump")
if [ -z "${PIDOF2}" ]; then
	echo "tcpdump is no longer running on ${RHOST}"
else
	echo "tcpdump is still running on ${RHOST} with pid(s): ${PIDOF2}"
fi

Oct 31 2012
 
#!/bin/bash

# By Ed Wiget
# This script grabs the latest nmap, zenmap, ncat, nping in rpm format and converts them to deb

# 20121031 - original script

# stop at the first failure so a missing or partial download is never converted and installed
set -e

# the version we are grabbing
VER=6.01-1

# the architecture we are using
ARCH=x86_64

# our working dir
TEMP_DIR=~/nmap-files

# check if it exists and if not, create it
if [ ! -d "${TEMP_DIR}" ]; then
	mkdir -p "${TEMP_DIR}"
fi

# check to make sure alien is installed and if not, install it
if ! command -v alien >/dev/null 2>&1; then
	sudo apt-get install -y alien
fi

# cd to the working dir
cd "${TEMP_DIR}"

# i386 files
# http://nmap.org/dist/nmap-6.01-1.i386.rpm
# http://nmap.org/dist/zenmap-6.01-1.noarch.rpm
# http://nmap.org/dist/ncat-6.01-1.i386.rpm
# http://nmap.org/dist/nping-0.6.01-1.i386.rpm

# x86_64 files
# http://nmap.org/dist/nmap-6.01-1.x86_64.rpm
# http://nmap.org/dist/ncat-6.01-1.x86_64.rpm
# http://nmap.org/dist/nping-0.6.01-1.x86_64.rpm

# no arch
# http://nmap.org/dist/zenmap-6.01-1.noarch.rpm

# grab the files
# these are plain http downloads with no integrity check, and the packages end up installed
# as root; verify them against the GPG signatures nmap.org publishes for its release files
# before running the alien/dpkg steps below
wget -O "${TEMP_DIR}/nmap-${VER}.${ARCH}.rpm" "http://nmap.org/dist/nmap-${VER}.${ARCH}.rpm"
wget -O "${TEMP_DIR}/ncat-${VER}.${ARCH}.rpm" "http://nmap.org/dist/ncat-${VER}.${ARCH}.rpm"
wget -O "${TEMP_DIR}/nping-0.${VER}.${ARCH}.rpm" "http://nmap.org/dist/nping-0.${VER}.${ARCH}.rpm"
wget -O "${TEMP_DIR}/zenmap-${VER}.noarch.rpm" "http://nmap.org/dist/zenmap-${VER}.noarch.rpm"

# remove any deb files currently in this dir
rm -f ./*.deb

# convert the downloaded files to deb
sudo alien "nmap-${VER}.${ARCH}.rpm"
sudo alien "ncat-${VER}.${ARCH}.rpm"
sudo alien "nping-0.${VER}.${ARCH}.rpm"
sudo alien "zenmap-${VER}.noarch.rpm"

# install the packages
sudo dpkg --install ./*.deb