Thursday, July 31, 2014

Extremely secure system in 3 lines with iptables ;)

If you want to secure your system as hard as possible, type this in a terminal:
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP

That's all! You've got a SUPER SECURED SYSTEM! :)

If you don't know what you are doing, learn it! :)

IPSET. Creating a whitelist for apt-get updates.

Today we've learned about IPSET, an extension for the iptables firewall.
The homework was to write a Python script that will:

1. Find all apt-get sources.
2. Resolve the domain names to IP addresses.
3. Create/update an IPSET set.

It is too painful to do in Python. I've done it in bash:
#!/bin/bash
name="apt-white"      # change it for your needs

function makeset(){
 # create the set only if it does not exist yet ('ipset list' fails for a missing set)
 if ! sudo ipset list "$name" >/dev/null 2>&1
 then
  sudo ipset create "$name" hash:ip   # hash:ip is the current name of the old 'iphash' type
 fi
 append_set
}

function append_set(){
 sudo ipset flush "$name"
 # every http(s) host in the apt sources, resolved to unique IPv4 addresses ('has address' skips IPv6)
 hosts=$(grep -Rih 'https\?://' /etc/apt/ | grep -io 'https\?://[^/ ]*' | cut -d/ -f3 | sort -u)
 ip_list=$(for h in $hosts; do host "$h"; done | grep 'has address' | awk '{print $NF}' | sort -u)
 for ip in $ip_list; do
  sudo ipset add "$name" "$ip"
 done
}

makeset

It is only 21 lines. We'll see how much code it takes in Python at the next lesson...

UPDATE:

At today's lesson, everyone wrote a script in Python. Here's mine:

#!/usr/bin/env python

from subprocess import Popen,PIPE
from urlparse import urlparse
import sys,re,os
import socket

# Name your SET & Global variables
name = 'apt-white'
srv_list = []
srv_ip = []

# Search the '/etc/apt/' directory for files that include 'http'
p = Popen('grep -Ril http /etc/apt/'.split(' '),stdout=PIPE)
file_list = p.stdout.read().split()

# Look inside every file in list and extract every domain-name into list(srv_list)
for one_file in file_list:
   with open(one_file,'r') as f:
      for line in f.readlines():
         line = line.lower()
         line = re.findall(r'(https?://\S+)', line)
         if line:
             parsed = urlparse(line[0])
             srv_list.append(parsed.hostname)

# Make DNS lookup for every domain-name in set(srv_list), and return list of IP's in list(srv_ip), IGNORING IPv6 addresses (':' not in string)
for srv in set(srv_list):
   srv_ip += list(set([i[-1][0] for i in socket.getaddrinfo(srv, 80) if not ':' in i[-1][0]]))

# Checking if your SET already exists
command = 'ipset list '+name
p = Popen(command.split(' '),stdout=PIPE)
check = p.stdout.read()

# If not, creating a new one
if name not in check:
   print 'Creating new SET %s' % name
   os.system('ipset create '+name+' hash:ip')   # hash:ip is the current name of the old 'iphash' type

# If yes, flushing all data in your SET
else:
   print 'Flushing all data in %s' % name
   os.system('ipset flush '+name)

# Appending to the SET all IP addresses we found
for i in set(srv_ip):
   os.system('ipset add '+name+' '+i)
print '\ndone.'

# Profit! :)

It's a little longer, but still not too big: only ~35 lines.

Do you know a better way to communicate with the shell CLI from Python?
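As an added example (mine, not the author's homework script and not the course's answer), here is the same job in Python 3 with the shell kept out of the loop: the ipset calls are argument lists handed to subprocess.run, so nothing read from a sources file is ever interpreted by a shell, and the parsing is a pure function that can be tested offline. The sources text below is constructed; 'apt-white' is the set name used in the post.

```python
import re
import socket
import subprocess
from urllib.parse import urlparse

# Constructed sample of the lines found under /etc/apt/ (nothing is read from disk here).
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu trusty main restricted
deb-src http://archive.ubuntu.com/ubuntu trusty main restricted
# deb http://old-mirror.example.invalid/ubuntu trusty main
deb https://download.example.invalid/linux/debian trusty main
"""

URL_RE = re.compile(r'(https?://\S+)', re.IGNORECASE)


def apt_hosts(text):
    """Return the sorted, unique hostnames of every http(s) URL in apt sources text.

    Commented-out lines are skipped, so a disabled mirror is not whitelisted by accident.
    """
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


def resolve_ipv4(host):
    """Resolve a hostname to its unique IPv4 addresses; IPv6 is left out, as in the post."""
    infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def ipset_commands(name, ips):
    """Build the ipset calls as argument lists: no string concatenation, no shell involved.

    -exist makes create/add idempotent, so the script can be re-run from cron.
    """
    cmds = [['ipset', '-exist', 'create', name, 'hash:ip'], ['ipset', 'flush', name]]
    cmds += [['ipset', '-exist', 'add', name, ip] for ip in ips]
    return cmds


def run(cmds):
    """Run each command; check=True raises CalledProcessError instead of ignoring a failed ipset call."""
    for cmd in cmds:
        subprocess.run(cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)


if __name__ == '__main__':
    # Same source discovery as the post, but via an argument list and captured output.
    grep = subprocess.run(['grep', '-Rih', 'http', '/etc/apt/'], stdout=subprocess.PIPE, text=True)
    ips = sorted({ip for host in apt_hosts(grep.stdout) for ip in resolve_ipv4(host)})
    run(ipset_commands('apt-white', ips))
```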

Wednesday, July 30, 2014

Python Multiprocessing global variables

In the beginning, I want to say sorry if this article is "messy"...

One day I noticed that the threading module in Python does not work as it should.
Sometimes it was much slower than the sequential version. Then I learned about the GIL (Global Interpreter Lock).

My teacher advised me to use the multiprocessing module.
Fine. It is very simple, just copy/replace:

threading >> multiprocessing
Thread >> Process

That's all! It will work. But how?

In the threading module, threads share memory: threads can manipulate the global variables of the main thread. The multiprocessing module instead starts another process, which does not share memory the way threads do.

For example:
#Threading Example

from threading import Thread

#defining a global variable
mylist = []

def somefunc(a):
    global mylist
    mylist.append(a)

def main():
    threads = []
    for i in range(100):
       t = Thread(target=somefunc,args=(i,))
       t.start()
       threads.append(t)
    # join every thread, not only the last one started
    for t in threads:
       t.join()

if __name__ == '__main__':
    main()
    print(len(mylist))   # 100: threads share the main thread's memory

#Multiprocessing Example

from multiprocessing import Process

#defining a global variable
mylist = []

def somefunc(a):
    global mylist
    mylist.append(a)   # appends to the child process's own copy of mylist

def main():
    procs = []
    for i in range(100):
       t = Process(target=somefunc,args=(i,))
       t.start()
       procs.append(t)
    for t in procs:
       t.join()

if __name__ == '__main__':
    main()
    print(len(mylist))   # 0 in the parent: every child appended to its own copy

In the threading example, 'somefunc()' appends to the global 'mylist', whereas in the multiprocessing example 'mylist' stays empty, as it was before.

The solution to this issue is the Manager objects of the multiprocessing module:
from multiprocessing import Process, Manager

# Manager() must be instantiated; Manager.list() raises an error.
# A module-level manager like this relies on the 'fork' start method (the Linux default at the time of writing).
mylist = Manager().list()

def somefunc(a):
    mylist.append(a)

def main():
    procs = []
    for i in range(100):
       t = Process(target=somefunc,args=(i,))
       t.start()
       procs.append(t)
    for t in procs:
       t.join()

if __name__ == '__main__':
    main()
    print(len(mylist))   # 100: the list lives in the manager's server process, shared by all children


On the one hand this helps, but on the other you will get a headache: if you add, for example, KeyboardInterrupt (^C) support, you will get nothing; the Manager object will be empty. OK, maybe my knowledge is not so good, but I've found another way to manage variables: a callback function.

But before that, let's add some process control. I want to control how many processes are running simultaneously:
from multiprocessing import Pool, Manager, cpu_count, active_children
from time import sleep

mylist = Manager().list()

def somefunc(a):
    mylist.append(a)

def main():

    #creating a pool of worker processes; for 4 cores there will be 40 processes.
    pool = Pool(processes=cpu_count()*10)
    for i in range(100):

       #start processes asynchronously, without waiting until the process ends.
       pool.apply_async(somefunc, (i,))
    pool.close()

    #waiting for results of ALL processes (the manager's server process is the one child that stays alive)
    while len(active_children()) > 1:
       sleep(0.5)
    pool.join()

if __name__ == '__main__':
    main()
In this example, there will be no more than 40 processes running at the same time.

Now, let's add the callback function:
from multiprocessing import Pool, cpu_count, active_children
from time import sleep

mylist = []

def somefunc(a):
    a += 1
    return a

def main():
    def cb(data):
        # runs in the main process, so it fills the real global list
        global mylist
        if data:
           mylist.append(data)

    pool = Pool(processes=cpu_count()*10)
    for i in range(100):
       pool.apply_async(somefunc, (i,), callback=cb)
    pool.close()
    while len(active_children()) > 1:
       sleep(0.5)
    pool.join()

if __name__ == '__main__':
    main()
    print(len(mylist))   # 100: every result came back through the callback

Every process returns some data to the main process, and then the callback function is called to handle that data.
For me, the callback function is much easier to use and understand...

Next time I'll try to describe a successful implementation of KeyboardInterrupt (^C) in a multiprocessing script. It's another issue.

Monday, July 28, 2014

Wireshark/tshark startup error popup.

Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled

If you get this error when you start wireshark, it means that you are trying to run it with root privileges. That may be dangerous.

If you are using Lua scripting with Tshark/Wireshark, then it is strongly recommended to change your system so that capturing and analysis can be done without root privileges. Tshark just protects you from running a script (with endless possibilities to mess up your system if it is programmed badly) with root privileges.

If not, you can just ignore this error message.

To make this error disappear permanently, patch this file on line 29: change 'disable_lua = false' to 'disable_lua = true'.

nano /usr/share/wireshark/init.lua

-- Set disable_lua to true to disable Lua support.
disable_lua = true

UPD:
Someone asked me how to run wireshark without root; here's the solution (log out and back in afterwards for the new group membership to take effect):
sudo addgroup --system wireshark
sudo chown root:wireshark /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
sudo usermod -a -G wireshark YOUR_USER_NAME

There is nothing new under the sun ...mainly

I just had an idea: write a Python script that will disconnect every client on the WiFi except me :)

Started to code, got some challenges, googled, found solutions.. and BOOM. There is nothing new under the sun.

How to kick everyone around you off wifi with Python

coded by DanMcInerney.
Learned a lot from this. Thank you Dan :)

Dummy way to "hack" your neighbour's WIFI

When I had just started my study at the CSI course, a lot of students were so excited about one program called 'wifite'.
There are too many tools for cracking wifi passwords. It's one of them.
That day, when I came home, I immediately found that wifite.
It is written in Python, and VERY EASY to use. Just start it, choose your target, and press start :)

Interestingly, about 4 years before, I wrote my own bash script that does almost the same things :(
I've tried this, and felt like a script kiddie.

What you will need:

1. A WiFi network card (USB); most internal laptop NICs do not support packet injection.
2. Install the dependencies:
aircrack-ng
python-tk
reaver
macchanger
pyrit
If you want to try it and have trouble with the installation, use google.
In a couple of hours you will get access to your neighbour's WPA encrypted AP.

But there was a good thing too. We learned Python in the lessons, and I looked inside the 'wifite' script; there was a lot of useful stuff!

Let's see:
$wifite

  NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  CoolNet               11  WPA2  66db   wps 
    2  HenP                  11  WPA2  45db   wps 
    3  CIPI                  13  WPA2  43db   wps 
    4  CoolNet2               9  WPA2  40db   wps 
    5  Virus                 11  WPA2  36db   wps 
    6  fani                  11  WPA2  35db   wps 
    7  bbb1950               11  WPA2  33db   wps 
    8  035031801             11  WPA2  30db   wps 
    9  netbox-8845           11  WPA2  29db   wps 
   10  Salon                 11  WPA2  29db    no 
   11  Yeuda                 11  WEP   29db   wps 
   12  niray                 11  WPA2  29db   wps 
   13  Jacob                 11  WEP   29db    no 
   14  Shmueli_Leon          11  WPA2  28db   wps 
   15  gross_zeev 2.4        11  WPA2  27db    no 

 [+] select target numbers (1-15) separated by commas, or 'all': 1

 [+] 1 target selected.

 [0:00:00] initializing WPS PIN attack on CoolNet (F8:1A:67:C8:AB:1E)
 [0:22:47] WPS attack, 357/404 success/ttl, 94.50% complete (3 sec/att)   

 [+] PIN found:     76663919
 [+] WPA key found: testpassword
 [0:08:20] starting wpa handshake capture on "CoolNet"
 [0:00:00] unable to capture handshake in timesent        

 [+] 2 attacks completed:

 [+] 0/2 WPA attacks succeeded
        found CoolNet's WPA key: "testpassword", WPS PIN: 76663919
        

 [+] quitting  

This time, cracking the WPA2 password with the WPS PIN attack took 22 minutes. Another try may take 5 hours. It doesn't really matter, we have the time.

Why people spend money on things they don't need???

Really, I don't understand.
I'm now studying on an awesome Cyber Security Intelligence course; there are so many interesting things..

But there are also some people who will never use these techniques.
This course costs about $6000, and what the hell, these people sitting in the class don't understand anything, slow down the material, and ADMIT that they will NEVER work in this specialization.
Sorry, but it's fu**ing $6000! Think first and then do something...

Sorry about this :)

How to get HTTP HEAD request with Python and Bash.

How to get the HTTP response headers with Python and read the results? Easy.

$ python

>>> import requests
>>> r = requests.get('http://google.com')
>>> r.headers

{'alternate-protocol': '80:quic', 'x-xss-protection': '1; mode=block', 'transfer-encoding': 'chunked', 'set-cookie': 'PREF=ID=1f15ab14c12505e8: FF=0:TM=1406501237:LM=1406501237:S=hHSSoJtgc9dO1MXE; expires=Tue, 26-Jul-2016 22:47:17 GMT; path=/; domain=.google.co.il, NID=67=D8CbgklOsbelB5ei756y3rTdBBrqAxVON2vpQRxDql2tsw3rq0ANQlcndJ8aQ37it9U6ofhaO5xx6wuQOqSX0tHp2QlNREjkwIWtFiXhy_s5L2GLXNKYjE0pkQCs9Fph; expires=Mon, 26-Jan-2015 22:47:17 GMT; path=/; domain=.google.co.il; HttpOnly', 'expires': '-1', 'server': 'gws', 'cache-control': 'private, max-age=0', 'date': 'Sun, 27 Jul 2014 22:47:17 GMT', 'p3p': 'CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."', 'content-type': 'text/html; charset=windows-1255', 'x-frame-options': 'SAMEORIGIN'}

The results depend on the parameters you use (follow redirects etc.).
As you can see, 'r.headers' is a dictionary, so you can get every value you want by key.
>>>r.headers['server']
'gws'
More info: Python Requests: HTTP for Humans

How to get HTTP HEAD with Bash?

$ curl --head google.com

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: http://www.google.co.il/?gfe_rd=cr&ei=2YLVU76XNOTa8gf49YGYCw
Content-Length: 261
Date: Sun, 27 Jul 2014 22:53:13 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic

More info: 'man curl'
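An added example (not part of the post): the same header dictionary is what a defender inspects for missing protective headers, and the stdlib http.client below sends a real HEAD request, whereas requests.get sends a GET and reads the headers from the response (requests.head exists for the real thing). The checklist and the local stand-in server are assumptions made for this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed checklist of protective headers a defender looks for (not from the post).
WANTED = ('strict-transport-security', 'content-security-policy',
          'x-content-type-options', 'x-frame-options')


def audit_headers(headers):
    """Return (present, missing) for WANTED; names are compared case-insensitively."""
    lowered = {k.lower(): v for k, v in dict(headers).items()}
    present = [h for h in WANTED if h in lowered]
    missing = [h for h in WANTED if h not in lowered]
    return present, missing


def head_headers(host, port, path='/'):
    """Send a real HEAD request (headers come back, no body) and return (status, headers)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request('HEAD', path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


class _Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server so the example runs offline."""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header('X-Frame-Options', 'SAMEORIGIN')
        self.send_header('X-Content-Type-Options', 'nosniff')
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


def demo():
    """Serve one HEAD request on a free loopback port and audit what comes back."""
    srv = HTTPServer(('127.0.0.1', 0), _Handler)
    threading.Thread(target=srv.handle_request, daemon=True).start()
    try:
        status, headers = head_headers('127.0.0.1', srv.server_address[1])
    finally:
        srv.server_close()
    return status, audit_headers(headers)


if __name__ == '__main__':
    # Headers as printed by r.headers in the post: two of the four expected headers are missing.
    print(audit_headers({'server': 'gws', 'x-frame-options': 'SAMEORIGIN',
                         'x-xss-protection': '1; mode=block'}))
    print(demo())
```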

Two ways of setting Multiple IP Addresses on one interface.

I want to talk about secondary IP addresses on an interface in Ubuntu.

There are two ways of assigning multiple IP addresses to one interface.
Most people use the first one:

First method of setting multiple IP addresses on an interface:

With root privileges, edit /etc/network/interfaces:
auto eth0
iface eth0 inet static
       address 172.16.100.1
       netmask 255.255.0.0
       gateway 172.16.0.1
       dns-nameservers 8.8.8.8

auto eth0:0
iface eth0:0 inet static
       address 172.16.100.2
       netmask 255.255.0.0

auto eth0:1
iface eth0:1 inet static
       address 172.16.100.3
       netmask 255.255.0.0

 
Save and restart the network service.

You can create up to 254 aliases on one interface (eth0:X).

The second way to set multiple IP addresses is to use the ip command (addresses added this way are not persistent; they are gone after a reboot, unlike the ones in /etc/network/interfaces):


$ ip addr add 172.16.100.1/16 dev eth0
$ ip addr add 172.16.100.2/16 dev eth0
$ ip addr add 172.16.100.3/16 dev eth0
$ ip addr add 172.16.100.4/16 dev eth0 label eth0:0     # you can give the address a label with 'label eth0:0'
$ ip addr show dev eth0

2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 28:d2:44:33:d8:a3 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.204/16 brd 172.16.255.255 scope global eth0   << this is the primary IP Address
       valid_lft forever preferred_lft forever
    inet 172.16.100.1/16 scope global secondary eth0            << this is secondary
       valid_lft forever preferred_lft forever
    inet 172.16.100.2/16 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet 172.16.100.3/16 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet 172.16.100.4/16 scope global secondary eth0:0          << this with label 'eth0:0'
       valid_lft forever preferred_lft forever
    inet6 fe80::2ad2:44ff:fe33:a459/64 scope link 
       valid_lft forever preferred_lft forever



As you can see, in the 'ifconfig' output there are no addresses without a label, only the one labelled 'eth0:0':
$ ifconfig

eth0      Link encap:Ethernet  HWaddr 28:d2:44:33:a4:59  
          inet addr:172.16.1.204  Bcast:172.16.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48726 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30127 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:40392826 (40.3 MB)  TX bytes:4955907 (4.9 MB)

eth0:0    Link encap:Ethernet  HWaddr 28:d2:44:33:a4:59           << only labelled is shown. 
          inet addr:172.16.100.4  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


Want more?
Get it, it's free:
Linux Advanced Routing & Traffic Control HOWTO


Thursday, July 24, 2014

How to generate a phone number list in one line?

Sometimes you need to generate some numbers, like phone numbers.
And it should be done quickly!

One-line phone number generator in bash:
$ echo -e "\n"054{0..9}{0..9}{0..9}{0..9}{0..9}{0..9}{0..9} > phones.txt
$ cat phones.txt |head
0540000000 
0540000001 
0540000002 
0540000003 
0540000004 
0540000005 
0540000006 
0540000007 
0540000008 

$ cat phones.txt |tail
0549999990 
0549999991 
0549999992 
0549999993 
0549999994 
0549999995 
0549999996 
0549999997 
0549999998 
0549999999 

Tinc VPN Setup script (BASH)

In the Cyber Security Intelligence Course, one of the first topics in networking was Tinc VPN.
I coded a little script that will set up your encrypted VPN connection.

Tinc is very useful when you need to set up a VPN quickly.

It is easy to use, and user friendly :)
#!/bin/bash

# Tinc VPN Setup script.
# Be sure that your system is accessible from outside your LAN. Otherwise it's a waste of time :)
# By Alexander Korznikov.

# text coloring variables
bldred='\e[1;31m' # Red
bldgrn='\e[1;32m' # Green
bldylw='\e[1;33m' # Yellow
txtgrn='\e[0;32m' # Green (normal weight)
txtcyn='\e[0;36m' # Cyan
txtwht='\e[0;37m' # White
txtrst='\e[0m'    # Text Reset

function usage()
{
echo ""
echo ""
echo -e "$txtcyn Be sure you've installed tinc previously, by$txtgrn apt-get install tinc$txtrst"
echo ""
echo -e "$bldred Please note, this stupid script will not check your input!! Check it twice!$txtrst"
echo ""
echo -e "$txtwht By the way, you can view the source and get some useful stuff from it :) $txtrst"
echo ""
echo -e "$bldgrn Usage: sudo $0 install$txtrst"
echo ""
echo -e "$txtwht\t by Alexander Korznikov, @CSI-7$txtrst"
}

function install()
{
# everything below writes under /etc/tinc, so it needs root
if [[ $EUID -ne 0 ]]
then
 echo "Run this script with sudo."
 exit 1
fi

echo ""
echo -e "Enter your$bldgrn VPN Name$txtrst (default: myvpn) \c"
read myvpn
# an empty answer means the default (the original test let an empty name through, producing /etc/tinc//hosts)
if [[ -z $myvpn ]]
then
 myvpn="myvpn"
fi
echo ""
echo -e "Your VPN Name: \"$bldgrn$myvpn$txtrst\""

mkdir -p "/etc/tinc/$myvpn/hosts"
tincconf="/etc/tinc/$myvpn/tinc.conf"

echo ""
echo -e "Enter your host name: \c"
read name
echo "Name = $name" > "$tincconf"
echo ""
echo "Setting AddressFamily to ipv4..."
echo "AddressFamily = ipv4" >> "$tincconf"
echo ""
echo "Setting Interface to \"tun0\"..."
echo ""
echo "Interface = tun0" >> "$tincconf"

# this checks whether you are using tinc over the internet or in a local network

echo ""
echo -e "Do you setup your VPN on$bldgrn WAN$txtrst or$bldgrn LAN$txtrst network? [wan/lan] \c"
read answer
if [[ $answer == "wan" ]]
then
 wget getmyipaddress.org -O ./inetip.txt -o /dev/null
 myip=$(grep 'Your IP Address' inetip.txt | cut -d":" -f2 | sed -e 's, ,,g' | cut -d "<" -f1)
 #rm inetip.txt
elif [[ $answer == "lan" ]]
then
 # first non-loopback IPv4 address shown by ifconfig (head -n1 keeps a multi-NIC box from producing several)
 myip=$(ifconfig | grep 'inet addr:' | grep -v '127.0.0.1' | head -n1 | cut -d: -f2 | awk '{ print $1}')
else
 echo "Incorrect answer...exiting!"
 echo ""
 echo "Cleanup..."
 sleep 1
 rm -r "/etc/tinc/$myvpn"
 exit 0
fi

echo -e "For debug.. your IP Address is $bldgrn$myip$txtrst..."
echo ""
echo "Address = $myip" > "/etc/tinc/$myvpn/hosts/$name"

echo -e "Enter your$bldgrn VPN IP address$txtrst [ex. 5.0.0.22]: \c"
read vpnip
echo "Subnet = $vpnip/32" >> "/etc/tinc/$myvpn/hosts/$name"
echo ""

# remove a previously generated private key for $myvpn, if there is one

echo "Removing all previously generated keys for $myvpn..."
sleep 1
echo ""

if [ -e "/etc/tinc/$myvpn/rsa_key.priv" ]
then
 rm "/etc/tinc/$myvpn/rsa_key.priv"
fi
echo ""
echo "Now, we'll generate public/private keys..."
echo ""
echo -e "Press Enter to continue... \c"
read blabla
tincd -n "$myvpn" -K4096

echo "Creating start-up script..."
sleep 1      #it's just for fun ;)
echo ""
# the shebang must be "#!" (the original wrote "!#", which is not a valid interpreter line)
echo "#!/bin/bash" > "/etc/tinc/$myvpn/tinc-up"
echo "ifconfig \$INTERFACE $vpnip netmask 255.255.255.0" >> "/etc/tinc/$myvpn/tinc-up"

chmod +x "/etc/tinc/$myvpn/tinc-up"

echo "Creating shutdown script..."
sleep 1
echo "#!/bin/bash" > "/etc/tinc/$myvpn/tinc-down"
echo "ifconfig \$INTERFACE down" >> "/etc/tinc/$myvpn/tinc-down"

chmod +x "/etc/tinc/$myvpn/tinc-down"

echo ""
echo -e "Enter the name you want to connect to [ex. john]: \c"
read connectto
echo "ConnectTo = $connectto" >> "$tincconf"

echo ""
echo ""
echo -e "Now, exchange public keys, and run $bldgrn\"tincd -n $myvpn\"$txtrst"
echo ""

if [[ $answer == "wan" ]]
then
 echo -e "$bldred   Be sure that your system is accessible from outside.$txtrst"
 echo ""
fi

nautilus "/etc/tinc/$myvpn/hosts"

echo "Good luck."
echo ""
}

if [[ $1 = "install" ]]
then
 install
else
 usage
fi

Creating a dictionary from a Twitter account.

Hi there.
Today I will write a simple Python script that scrapes the unique words from a Twitter account, for creating a targeted dictionary.

First of all, find some Twitter account:

Next, we need to find out which field we need to get (with the inspect tool):

You can see a 'class' named 'ProfileTweet-text js-tweet-text u-dir'. That is what we need.

Let's start coding in Python:
import requests
from bs4 import BeautifulSoup

r = requests.get('https://twitter.com/CelebWorshipLdr')
soup = BeautifulSoup(r.content, 'html.parser')  # raw html data, parsed with the stdlib parser

The URL is loaded and passed to BeautifulSoup.

Creating the dictionary:
a = []
for i in soup.find_all('p', {'class': 'ProfileTweet-text js-tweet-text u-dir'}):
   a += i.text.encode('ascii', 'ignore').split()

a = set(a)
print a
set(['sometimes,', 'saying', 'all', 'ever.', 'background', 'Mumford.'...etc])

That's all. Thank you.

Monday, July 14, 2014

HOTBOX or FiberBOX Wifi Access in Israel

I live in Israel and work at HOT, a CATV company that provides Internet services.

The main modem/router that you get from this company is the "Hotbox DOCSIS 3.0 Cable Modem/Wireless Router", manufactured by SAGEMCOM.

There is also a new one, "FiberBOX", that has the same issue explained below.

By default, the WiFi ESSID is HOTBOX-1234 (1234 are the last four characters of the box's CM-MAC).

And the password is the CM-MAC address.

Let's see all SAGEM MACs:
http://www.adminsubnet.com/mac-address-finder/sagem

As we already know the last four characters of the CM-MAC from the ESSID, and we know the first six characters (the vendor ID), it can be brute-forced pretty fast.

For example:
Your neighbour has a HOTBOX or FiberBOX (the only difference is the ESSID: Fiber-1234), with the default ESSID 'HOTBOX-1DE4', ok?

We know the possible starting vendor IDs (for example, from the page linked above):
The last thing we need to know is the 7th and 8th characters.
So, make a simple bash script that captures the 'handshake', creates a dictionary with all possible MACs, and brute-forces that 'handshake' with pyrit (for example).
I promise it will not take more than 10 seconds to crack the handshake.

Maybe I will post a script in the next posts.

Ok, let's start!

Finally, I've decided to post something.. There are so many thoughts in my mind.

Ok. I'm Alexander Korznikov, studying at the CSI course (Cyber Security Intelligence).
For now, 1/3 of the course has passed.. and I'll try to cover some topics in the next posts.
Hope it will be useful :)