Linux

Lynis

Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issues are reported in the form of a suggestion or warning. Besides security-related information it also collects general system information, installed packages and possible configuration errors.

This software aims to assist with automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read-only storage is possible (USB stick, CD/DVD).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits.

Using Lynis: Basics
To run Lynis you should meet a few requirements:
- You have to be root (log in as a normal user, su to root) or have equivalent rights (for example by using sudo).
- Have write access to /var/log (for the log/debug and report files)
- Have write access to /tmp (temporary files)

Depending on the installation or the path you run Lynis from, you can start it with 'lynis' (if installed and the file is available in your binary path), 'sh lynis' or './lynis'.

Without parameters, Lynis lists its valid parameters and returns to the shell prompt. At least the '-c' (--check-all) parameter is needed to start the scan process.

Notes:
- For the update check, outgoing DNS requests should be allowed. Lynis will try to query a TXT record (for example lynis-lv.rootkit.nl).
- Lynis needs write access to /var/log/lynis.log (unless logging is disabled, which disables debugging information as well).

Parameters:
--auditor "Given name Surname"   Assign an auditor name to the audit (report)
--check-all, -c                  Start the check
--check-update                   Check if Lynis is up-to-date
--cronjob                        Run Lynis as a cronjob (includes -c -Q)
--help, -h                       Show valid parameters
--manpage                        View the man page

MorxCrack

MorxCrack is a cracking tool written in Perl that performs a dictionary-based attack on various hashing algorithms and CMS salted passwords.

As of version 1.2 MorxCrack supports the following algorithms:
MD5
MD5 (Twice)
MD5 (PasswordSalt)
MD5 (SaltPassword)
SHA1
SHA1 (Twice)
SHA1 (PasswordSalt)
SHA1 (SaltPassword)
SHA2 (256 Bits)
SHA2 (512 Bits)
MySQL (4.1+)
Crypt UNIX (Shadow)

And the following CMS:
Joomla
Wordpress (PHPass)
vBulletin
InvisionPowerBoard

Author:
Simo Ben youssef

Requirements:
Tested on Perl 5 (Might work on older versions).

Required modules:
Digest::MD5
Digest::SHA

Install if missing:
perl -MCPAN -e 'install Digest::SHA'
perl -MCPAN -e 'install Digest::MD5'

Usage:
Usage for non-salted passwords:
perl morxcrack.pl <algorithm> '<hash>' <wordlist>
perl morxcrack.pl md5 '83583d2b5ea4078b9b83f82254e5d564' wordlist.txt

Usage for salted passwords:
perl morxcrack.pl <algorithm or CMS> '<hash>' <wordlist> <salt>
perl morxcrack.pl joomla 'a87248e5fc69972804f5bb93c873ee9d' wordlist.txt 9W11uZafPxbe9xpL

Example:
Test on a Pentium(R) Dual-Core CPU T4500 @ 2.30GHz (2 processors) using md5 and a 3917096-entry wordlist (43.4 MB):

perl morxcrack.pl md5 '83583d2b5ea4078b9b83f82254e5d564' all.txt
[*] Hashed password set to 83583d2b5ea4078b9b83f82254e5d564
[*] Algorithm/CMS set to md5
[*] Wordlist set to all.txt
[+] Cracking …
############################################################
# [+] Your password is morxploit
# [+] found at line 3917096
# [+] Job took 16 seconds
############################################################

TODO:
Add support for more algorithms and CMS

Beleth

Beleth is a fast multi-threaded SSH password auditing tool. According to some websites, it outperforms Ncrack and THC-Hydra in speed.

Source:
$ git clone https://github.com/chokepoint/Beleth.git
$ cd beleth
$ make

Usage: ./beleth [OPTIONS]
-c [payload] Execute payload on remote server once logged in
-h Display this help
-l [threads] Limit threads to given number. Default: 4
-p [port] Specify remote port
-t [target] Attempt connections to this server
-u [user] Attempt connection using this username
-v -v (Show attempts) -vv (Show debugging)
-w [wordlist] Use this wordlist. Defaults to wordlist.txt

Example:
$ ./beleth -l 15 -t 127.0.0.1 -u stderr -w wordlist.txt
+-----------------------------------------+
| Beleth |
| www.chokepoint.net |
+-----------------------------------------+
[*] Read 25 passwords from file.
[*] Starting task manager
[*] Spawning 15 threads
[*] Starting attack on [email protected]:22
[*] Authentication succeeded (root:[email protected]:22)
[*] Executing: uname -a
[*] Linux eclipse 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1+deb7u1 i686 GNU/Linux
[*] Cleaning up child processes.

Multi-threaded design
There are a couple of options available to developers when designing a multi-threaded program in C on Linux based systems. Two of the most popular are fork() and pthread_create(). fork() differs from pthread_create() in that the address space is not shared between the parent and the child. Instead, a complete copy of the parent's address space, code and stack is created for the child process. In order to keep dependencies to a minimum, I decided to go with a standard fork design.

Inter-process Communication (IPC)
Again, there are many options for developers when it comes to IPC as well. Below is a list of only some of the available options.

AIEngine

AIEngine is a packet inspection engine with the capability to learn without any human intervention. It helps network/security professionals identify traffic and develop signatures for use on NIDS, firewalls, traffic classifiers and so on.

Compile:
$ git clone git://bitbucket.com/camp0/aiengine
$ ./autogen.sh
$ ./configure
$ make

Usage:
username@computer:~/code/c++/aiengine/src$ ./aiengine -h
iaengine 0.1
Mandatory arguments:
-I [ --interface ] arg Sets the network interface.
-P [ --pcapfile ] arg Sets the pcap file.

Link Layer optional arguments:
-q [ --tag ] arg Selects the tag type of the ethernet layer (vlan,mpls).

TCP optional arguments:
-t [ --tcp-flows ] arg (=32768) Sets the number of TCP flows on the pool.

UDP optional arguments:
-u [ --udp-flows ] arg (=16384) Sets the number of UDP flows on the pool.

Signature optional arguments:
-R [ --enable-signatures ] Enables the Signature engine.
-r [ --regex ] arg (=.*) Sets the regex for evaluate agains the flows.
-c [ --flow-class ] arg (=all) Uses tcp, udp or all for matches the signature on the flows.

Frequencies optional arguments:
-F [ --enable-frequencies ] Enables the Frequency engine.
-g [ --group-by ] arg (=dst-port) Groups frequencies by src-ip,dst-ip,src-port and dst-port.
-f [ --flow-type ] arg (=tcp) Uses tcp or udp flows.
-L [ --enable-learner ] Enables the Learner engine.
-k [ --key-learner ] arg (=80) Sets the key for the Learner engine.

Optional arguments:
-k [ --stack ] arg (=lan) Sets the network stack (lan,mobile).
-d [ --dumpflows ] Dump the flows to stdout.
-s [ --statistics ] arg (=0) Show statistics of the network stack.
-p [ --pstatistics ] Show statistics of the process.
-h [ --help ] Show help.
-v [ --version ] Show version string.

SkyJack

SkyJack (available from GitHub) is primarily a Perl application that runs on a Linux machine. It runs aircrack-ng in order to put its wifi card into monitor mode, detects all wireless networks and clients around, deactivates any clients connected to Parrot AR.Drones, connects to the now free Parrot AR.Drone as its owner, then uses node.js with node-ar-drone to control the zombie drones.

I (the author, Samy Kamkar) detect drones by seeking out any wireless connections from MAC addresses owned by the Parrot company, which you can find defined in the Registration Authority OUI.

aircrack-ng
I use aircrack-ng to put our wireless device into monitor mode to find our drones and drone owners. I then use aireplay-ng to deauthenticate the true owner of the drone I'm targeting. Once deauthenticated, I can connect as the drone is waiting for its owner to reconnect.

node-ar-drone
I use node-ar-drone to control the newly enslaved drone via JavaScript and node.js.

Hardware
Parrot AR.Drone 2
The Parrot AR.Drone 2 is the drone that flies around seeking other drones, controlled from an iPhone, iPad or Android, and is also the type of drone SkyJack seeks out in order to control. SkyJack is also capable of seeking out Parrot AR.Drone version 1.

The Parrots actually launch their own wireless network which is how the owner of the drone connects. We take over by deauthenticating the owner, then connecting now that the drone is waiting for its owner to connect back in, exploiting the fact that we destroyed their wireless connection temporarily.

Raspberry Pi
I use a Raspberry Pi to drive the project as it's inexpensive, reasonably light, has USB, and runs Linux.

Alfa AWUS036H wireless adapter
I use the Alfa AWUS036H wireless card which supports raw packet injection and monitor mode which allow me to deauthenticate users who are legitimately connected to their drones.

Edimax EW-7811Un wireless adapter

ExploitPack Security Framework

ExploitPack is an open source, GPLv3-licensed bundle of scripts with an easy-to-use GUI and a SID IDE; it is built on Java and Python.
ExploitPack uses SWT and is integrated as part of the Eclipse plug-in API; for standalone application development it is best to develop against the SWT standalone download.

dnsgoblin

/*******************************************************************************
 *                                                                             *
 *         ~    .__ °.__   0       o                    ^   .__ °__  `´        *
 *  °____) __ __|  | | °|   ______°____ 0 ____  __ _________|__|/  |_ ___.__.  *
 *  /    \|  | °\  |°|  | °/  ___// __ \_/ ___\|  | °\_  __ \ o\   __<   |  |  *
 * | o°|  \  |  /  |_|  |__\___ \\  ___/\ °\___| o|  /|  | \/  ||  |° \___ O|  *
 * |___|  /____/|____/____/____ °>\___  >\___  >____/ |__|° |__||__|  / ____|  *
 * `´´`´\/´`nullsecurity team`´\/`´´`´\/`´``´\/  ``´```´```´´´´`´``0_o\/´´`´´  *
 *                                                                             *
 * dnsgoblin.c - nasty creature constantly searching for DNS servers           *
 *                                                                             *
 * DATE                                                                        *
 * 03/11/2011                                                                  *
 *                                                                             *
 * DESCRIPTION                                                                 *
 * dnsgoblin uses standard dns queries and waits for the replies.              *
 *                                                                             *
 * AUTHOR                                                                      *
 * atzeton - http://www.nullsecurity.net/                                      *
 *                                                                             *
 * COMPILE                                                                     *
 * gcc dnsgoblin.c -O2 -lpthread -Wall -Wextra -pedantic \                     *
 * --std=gnu99 -D_REENTRANT                                                    *
 *                                                                             *

dnsspider

#!/usr/bin/env python
# -*- coding: latin-1 -*- ######################################################
#                ____                     _ __                                 #
#     ___  __ __/ / /__ ___ ______ ______(_) /___ __                           #
#    / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /                           #
#   /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /                            #
#                                            /___/ team                        #
#                                                                              #
# dnsspider-0.4.py - multithreaded subdomain bruteforcer                       #
#                                                                              #
# DATE                                                                         #
# 08/16/2012                                                                   #
#                                                                              #
# DESCRIPTION                                                                  #
# A very fast multithreaded bruteforcer of subdomains that leverages a         #
# wordlist and/or character permutation.                                       #
#                                                                              #
# AUTHOR                                                                       #
# noptrix - http://www.nullsecurity.net/                                       #
#                                                                              #
# NOTES:                                                                       #
# quick'n'dirty code                                                           #
#                                                                              #
# CHANGELOG:                                                                   #

ripdc.sh

#!/bin/sh
################################################################################
#                ____                     _ __                                 #
#     ___  __ __/ / /__ ___ ______ ______(_) /___ __                           #
#    / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /                           #
#   /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /                            #
#                                            /___/ team                        #
#                                                                              #
# ripdc.sh - reverse ip domain checker                                         #
#                                                                              #
# FILE                                                                         #
# ripdc.sh                                                                     #
#                                                                              #
# DATE                                                                         #
# 2013-06-05                                                                   #
#                                                                              #
# DESCRIPTION                                                                  #
# A script which maps domains related to an given ip address or domainname.    #
#                                                                              #
# AUTHOR                                                                       #
# noptrix                                                                      #
#                                                                              #
################################################################################

RopeADope

#!/usr/bin/env python
# -*- coding: latin-1 -*- ######################################################
#                ____                     _ __                                 #
#     ___  __ __/ / /__ ___ ______ ______(_) /___ __                           #
#    / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /                           #
#   /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /                            #
#                                            /___/ team                        #
#                                                                              #
# Ropeadope.py -- RopeADope v1.1                                               #
#                                                                              #
# DATE                                                                         #
# 04/20/2012                                                                   #
#                                                                              #
# DESCRIPTION                                                                  #
# A linux log cleaner                                                          #
#                                                                              #
# AUTHOR                                                                       #
# pr1me [at] highhacksociety [dot] com                                         #
# http://www.nullsecurity.net/ - http://www.highhacksociety                    #
#                                                                              #
################################################################################
