Monitoring/System Administrator – Security List Network™ (http://seclist.us), feed generated Wed, 25 Apr 2018 22:10:46 +0000

yamot – yet another monitoring tool.
http://seclist.us/yamot-yet-another-monitoring-tool.html (Mon, 16 Apr 2018 14:42:23 +0000)

yamot is a web-based server-monitoring tool built for small environments with just a handful of servers. It needs very few resources, which allows it to run on almost any machine, including very old ones. It works best with Linux or BSD; Windows is not part of the server scope.

You could use it, for example, to monitor the Raspberry Pi servers running at home. A few configuration steps later it displays the relevant server measurements in your browser:
+ System Load
+ Memory Usage
+ Uptime / Boot Time
+ Costs (calculated)
+ Battery (e.g. for monitoring a mobile device)
+ WiFi Signal Strength
+ Temperatures
+ Processor (Cores, Speed, Usages, …)
+ System (Distro, Version, Architecture, …)
+ Network Services (Open Listening Ports)
+ Network Devices & Addresses
+ Network Interfaces IO (bytes sent/received)
+ Disk Storage Usage (used & total space)
+ Disk Device IO (bytes read/written)
+ Users logged in (name, login date, …)

yamot – yet another monitoring tool.

* Architecture
The architecture is divided into three parts (a classic MVC split):

* Server Component
This component runs on each server you want to monitor. It is basically a small web server. For security reasons it only has read-only access to the system. Authentication is HTTP Basic Auth, which sends the username and password in the clear on every request (base64 is an encoding, not encryption), so do not expose it on untrusted networks!

The server component provides real-time data only: there are no periodic background tasks that would occupy the processor, memory or disk, so it consumes almost no resources while it is not being queried. The server is written in Python 3, which of course must be installed. The default server port is 9393.

* Controller Component
One server takes on the additional role of the controller. The controller is also just a web server; it provides a REST API for managing the application.

Authentication is again HTTP Basic Auth, so the same warning applies: do not expose it on untrusted networks! The controller is built with node.js and express.js; if you do not have those installed you can use the Docker image called prod instead. The default controller port is 8080.

* Client Component
Finally, the client is the web page itself, served by the controller (on port 8080). It is built with Angular, some Bootstrap CSS and a subset of the FontAwesome icons. Each refresh cycle (every 3 seconds by default) polls all of your servers for fresh measurements.
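Why the Basic Auth warning above matters, as an added illustration that is not yamot's own code: the first function parses captured HTTP requests of the kind the client sends every refresh cycle and recovers the credentials from the Authorization header, since Basic Auth is only base64-encoded; the second is a pre-flight check you can put in front of any client that sends Basic credentials. The captured requests, request paths and hostnames are constructed for the example and are not yamot's real API.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample: what a passive observer on the LAN sees when the yamot
# client polls a server over plain HTTP.  Paths and hostnames are made up for
# the example; "eWFtb3Q6dGVzdDEyMw==" is just base64("yamot:test123").
CAPTURED_REQUESTS = [
    b"GET /api/load HTTP/1.1\r\nHost: pi1.lan:9393\r\n"
    b"Authorization: Basic eWFtb3Q6dGVzdDEyMw==\r\n\r\n",
    b"GET /api/memory HTTP/1.1\r\nHost: pi1.lan:9393\r\n"
    b"Authorization: Basic eWFtb3Q6dGVzdDEyMw==\r\n\r\n",
    b"GET /status HTTP/1.1\r\nHost: nas.lan:9393\r\n\r\n",
]


def extract_basic_credentials(raw_request):
    """(host, username, password) if the request carries HTTP Basic auth, else None.
    Basic auth is base64, not encryption: whoever reads the bytes reads the password."""
    head = raw_request.partition(b"\r\n\r\n")[0]
    host, creds = None, None
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        name, value = name.strip().lower(), value.strip()
        if name == b"host":
            host = value.decode("ascii", "replace")
        elif name == b"authorization" and value[:6].lower() == b"basic ":
            try:
                decoded = base64.b64decode(value[6:].strip(), validate=True)
            except binascii.Error:
                continue                          # malformed header, not credentials
            user, _, password = decoded.decode("utf-8", "replace").partition(":")
            creds = (user, password)
    return None if creds is None else (host, creds[0], creds[1])


def harvest_credentials(requests):
    """Distinct (host, user, password) triples recovered from a capture."""
    found = []
    for req in requests:
        hit = extract_basic_credentials(req)
        if hit and hit not in found:
            found.append(hit)
    return found


def basic_auth_is_acceptable(url):
    """Pre-flight check for a client: send Basic credentials only over https,
    or to the local host, where they never touch the wire."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in ("localhost", "127.0.0.1", "::1")
```

Running `harvest_credentials(CAPTURED_REQUESTS)` yields the single triple for pi1.lan; the request to nas.lan carries no credentials and is ignored. The acceptable-URL check is the rule to enforce in the controller's client before it polls a server.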

Installation:

git clone https://github.com/knrdl/yamot && cd yamot

Server
1. Install python3, psutil and ujson on every server: sudo apt-get install python3-psutil python3-ujson. On a system without apt (i.e. not Debian or Ubuntu) use sudo pip3 install psutil instead.
2. Copy yamot_server.py to the server (e.g. into /opt/yamot) and enable autostart by adding the following line to /etc/rc.local in front of the "exit 0" line. It runs the server as an unprivileged user (replace username), which is what the read-only design expects:
   sudo -u username dash -c 'cd /opt/yamot && python3 /opt/yamot/yamot_server.py' &
3. Run the server once interactively with python3 yamot_server.py to generate the config file (this needs one-time write permission in the same folder).
4. If the server runs a firewall (like ufw), open the port: sudo ufw allow 9393 (9393 is the default port). A tighter rule only admits the controller: sudo ufw allow from <controller-ip> to any port 9393 proto tcp.

Client & Controller
1. The controller component must run on a server in the same network as the monitored servers. The machine that runs the controller can run the server component at the same time.
2. It needs a node.js installation with express.js (or Docker, if you use the prod image).
3. Use node controller.js to start the controller and check that it works.
4. The login credentials are printed by the controller on startup in the shell.
5. Now you can add it to the system's autostart as well. Don't forget to open the port if you are using a firewall.
6. When you are done, open a browser and navigate to http://ip-of-the-controller-device:8080 (8080 is the default controller port).

URL: http://localhost:8080/

login credentials:
+ Username: yamot
+ Password: test123

Source: https://github.com/knrdl

Pulse-Monitor : A client + server tool to log and rectify communications problems.
http://seclist.us/pulse-monitor-a-client-server-tool-to-to-log-and-rectify-communications-problems.html (Sat, 10 Mar 2018 04:04:59 +0000)

The Heartbeat computer (server or client, it does not matter) delivers messages to a file on the Monitor computer via SSH. The Monitor checks the file and executes a remedial action if the configured conditions are met. Server and client can fill either role, provided a VPN or reverse SSH tunnel exists between them. Frequency, timeout and remedial actions are all configurable.

Pulse-Monitor

NOTE: Pulse-Monitor is designed to take a specific action when the Monitor system loses touch with the Heartbeat system. An alternative use is to install only the Heartbeat role. This essentially builds a logging system in which the Monitor system (with no Pulse-Monitor components installed) has a log file that is updated regularly by the Heartbeat system, according to the arguments supplied to ./install-heartbeat.sh. In this setup no logic runs on missed heartbeats, so the Monitor system takes no action, but it makes a handy heartbeat/connectivity logging tool nonetheless.
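The Monitor-side logic described above, as an added example that is not Pulse-Monitor's own code: parse the heartbeat log, decide whether the Heartbeat host has been quiet for longer than the timeout, flag gaps in the history, and run the remedial action once on the alive-to-dead transition rather than on every check. The log layout (ISO timestamp, tab, message), the 6-second timeout and the sample timestamps are assumptions for the example; Pulse-Monitor's real file format is not shown on this page.

```python
from datetime import datetime

# Constructed heartbeat log in an assumed "ISO-8601 timestamp<TAB>message" layout
# (the real Pulse-Monitor format is not documented on this page).  Beats every
# 2 s, one torn line, then a 10 s hole between 04:00:06 and 04:00:16.
SAMPLE_LOG = """\
2018-03-10T04:00:00+00:00\tHello there
2018-03-10T04:00:02+00:00\tHello there
2018-03-10T04:00:04+00:00\tHello there
garbage line that a half-written append can leave behind
2018-03-10T04:00:06+00:00\tHello there
2018-03-10T04:00:16+00:00\tHello there
"""


def parse_heartbeats(text):
    """Timestamps of all well-formed beats, in file order; malformed lines are
    skipped so a partial write never crashes the monitor."""
    beats = []
    for line in text.splitlines():
        stamp, _, _msg = line.strip().partition("\t")
        try:
            beats.append(datetime.fromisoformat(stamp))
        except ValueError:
            continue
    return beats


def check_heartbeats(beats, timeout_s, now):
    """Classify the Heartbeat host as alive or dead as of `now`, and list every
    gap between consecutive beats that exceeded the timeout."""
    if not beats:
        return {"state": "dead", "silence_s": None, "gaps": []}
    gaps = []
    for prev, cur in zip(beats, beats[1:]):
        delta = (cur - prev).total_seconds()
        if delta > timeout_s:
            gaps.append((prev.isoformat(), round(delta, 1)))
    silence = (now - beats[-1]).total_seconds()
    state = "dead" if silence > timeout_s else "alive"
    return {"state": state, "silence_s": round(silence, 1), "gaps": gaps}


class Monitor:
    """Edge-triggered monitor: the remedial action runs once when the host goes
    quiet, not again on every poll while it stays quiet."""

    def __init__(self, timeout_s, action):
        self.timeout_s = timeout_s
        self.action = action          # callable receiving the check result
        self.last_state = "alive"
        self.actions_run = 0

    def poll(self, log_text, now):
        result = check_heartbeats(parse_heartbeats(log_text), self.timeout_s, now)
        if result["state"] == "dead" and self.last_state == "alive":
            self.action(result)
            self.actions_run += 1
        self.last_state = result["state"]
        return result


def demo():
    """Three polls against the sample log: alive, dead (action fires), still dead (no repeat)."""
    fired = []
    mon = Monitor(timeout_s=6, action=lambda r: fired.append(r["silence_s"]))
    at = lambda sec: datetime.fromisoformat(f"2018-03-10T04:00:{sec:02d}+00:00")
    first = mon.poll(SAMPLE_LOG, at(17))
    states = [first["state"], mon.poll(SAMPLE_LOG, at(30))["state"],
              mon.poll(SAMPLE_LOG, at(32))["state"]]
    return {"states": states, "actions_run": mon.actions_run,
            "fired": fired, "gaps": first["gaps"]}
```

In a real deployment `poll` runs from cron or a loop at the configured frequency, with `now` taken from the clock; the edge-triggered design keeps a flapping link from re-running a heavy remedial action (restarting a tunnel, rebooting a box) every few seconds.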

Use and Download:

git clone https://github.com/viiateix/Pulse-Monitor && cd Pulse-Monitor
Example:
./install-heartbeat.sh 2 /home/seclist/.ssh/id_rsa remoteuser 12.34.56.78 22 /home/seclist/heartbeat.log "Hello there"

The private key named here lets the Heartbeat host log in to the Monitor host as remoteuser, so on the Monitor side restrict what that key may do (an authorized_keys entry with command= and restrict) to keep a compromised Heartbeat host from getting more than the ability to append to the log.

Source: https://github.com/viiateix

Natlog is a utility logging traffic through a firewall doing source natting.
http://seclist.us/natlog-is-a-utility-logging-traffic-through-a-firewall-doing-source-natting.html (Thu, 08 Feb 2018 03:44:32 +0000)

Natlog is a utility that logs traffic through a firewall performing source NAT (a.k.a. POSTROUTING).
Firewalls like iptables usually offer POSTROUTING source network address translation, which rewrites the source address of a host behind the firewall to the firewall's own external address.

natlog v2.00.00

The standard log facilities provided by iptables do not easily allow you to associate addresses behind the firewall with their source-natted equivalents in front of it. Natlog was designed to fill that particular niche.
When natlog runs, messages showing the essential characteristics of each source-natted connection are sent to the syslog daemon and/or to the standard output stream.

Natlog depends on facilities provided by iptables, but may also generate logs directly using facilities offered by the pcap library.
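What "associating an inside address with its source-natted equivalent" means in practice, as an added example that is not natlog's code: the Linux connection-tracking table holds both the original and the reply tuple of every NATted connection, so parsing `conntrack -L` output (a constructed sample here) gives the inside endpoint for each outside (address, port) pair, which is what you need when an abuse report names only your firewall's public address. natlog itself takes its information from iptables logging or pcap rather than from this table, and the log line format below is my own, not natlog's.

```python
import re
from collections import namedtuple

# Constructed lines in the layout printed by `conntrack -L`: the first
# src/dst/sport/dport group is the original direction, the second the reply
# direction.  For a source-natted flow the reply's dst is the public address
# (and port) the outside world saw.  Third line: inside-only, not NATted.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.1 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.31 dst=198.51.100.53 sport=40001 dport=53 src=198.51.100.53 dst=203.0.113.1 sport=53 dport=1025 mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.20 dst=192.168.1.1 sport=50000 dport=22 src=192.168.1.1 dst=192.168.1.20 sport=22 dport=50000 [ASSURED] mark=0 use=1
"""

Endpoint = namedtuple("Endpoint", "addr port")
Flow = namedtuple("Flow", "proto inside outside remote")

TOKEN = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_conntrack_line(line):
    """Flow for one conntrack entry, or None if the line lacks both tuples."""
    fields = line.split()
    if not fields:
        return None
    orig, reply = {}, {}
    for key, value in TOKEN.findall(line):
        # first occurrence of a key belongs to the original tuple, second to the reply
        (orig if key not in orig else reply)[key] = value
    if not {"src", "dst"} <= orig.keys() or not {"src", "dst"} <= reply.keys():
        return None
    return Flow(
        proto=fields[0],
        inside=Endpoint(orig["src"], orig.get("sport")),
        outside=Endpoint(reply["dst"], reply.get("dport")),
        remote=Endpoint(orig["dst"], orig.get("dport")),
    )


def snat_flows(text):
    """Only the flows whose source was rewritten (inside endpoint != outside endpoint)."""
    flows = []
    for line in text.splitlines():
        flow = parse_conntrack_line(line)
        if flow and flow.inside != flow.outside:
            flows.append(flow)
    return flows


def resolve_inside(flows, public_addr, public_port):
    """Answer 'which inside host was behind <public_addr>:<public_port>?'"""
    for flow in flows:
        if flow.outside == Endpoint(public_addr, str(public_port)):
            return flow.inside
    return None


def format_log_line(flow):
    """Syslog-style summary in our own layout: inside -> natted -> remote."""
    return (f"{flow.proto} {flow.inside.addr}:{flow.inside.port} -> "
            f"{flow.outside.addr}:{flow.outside.port} -> "
            f"{flow.remote.addr}:{flow.remote.port}")
```

Note the UDP entry: the translated source port (1025) differs from the inside port (40001), which happens whenever two inside hosts pick the same source port. Any mapping that only records addresses and not ports will misattribute such connections.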

Dependencies:
+ g++ (>= 4.7.1), icmake (>= 7.19.00),
+ libbobcat-dev (>=3.01.00), libpcap-dev, and yodl (>=3.00.0)

Use and Download:

git clone https://github.com/fbb-git/natlog && cd natlog
cd natlog
./build -q (for how to Build)
./build program

Source: https://github.com/fbb-git

Network Monitoring Tool – a tool that monitors whole subnets (IP address ranges) for hardware changes and vulnerabilities.
http://seclist.us/network-monitoring-tool-a-tool-monitors-whole-subnets-ip-address-ranges-for-hardware-changes-and-vulnerability.html (Mon, 15 Jan 2018 07:14:01 +0000)

Network Monitoring Tool is a simple network monitoring tool designed to notify the network administrator about changes and vulnerabilities.
Requirements
+ nmap version 7.00 or higher
+ cron (optional, needed only for regular checks)

Network Monitoring Tool

Explanation of the configuration keys:
– name: needed to specify this network as an action parameter
– monitoring: either all (scan the complete subnet for unknown devices) or list-only (only scan the specified hosts).
– exclude: an array containing at most vulnerability (skip the vulnerability scan for this host) and mac (do not check whether the MAC address matches).
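The kind of comparison those keys drive, as an added example in Python that is not the project's own code: two nmap host-discovery scans saved with -oX (constructed here; nmap only reports a MAC address for hosts on the same layer-2 segment) are parsed, and an expected host list is checked with the `monitoring` and `exclude` semantics described above for hosts that went down, hosts whose MAC no longer matches, and unknown devices. The in-memory config shape is my assumption; the page does not show the real configuration file.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed `nmap -sn -oX -` output.  Baseline = what the administrator expects.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.1.0/29" version="7.70">
  <host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/>
        <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleCo"/></host>
  <host><status state="up"/><address addr="192.168.1.2" addrtype="ipv4"/>
        <address addr="AA:BB:CC:DD:EE:01" addrtype="mac"/></host>
  <host><status state="up"/><address addr="192.168.1.4" addrtype="ipv4"/>
        <address addr="AA:BB:CC:DD:EE:04" addrtype="mac"/></host>
</nmaprun>
"""

# Constructed later scan: .2 answers from a different MAC, .4 is gone, .3 is new.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.1.0/29" version="7.70">
  <host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/>
        <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleCo"/></host>
  <host><status state="up"/><address addr="192.168.1.2" addrtype="ipv4"/>
        <address addr="AA:BB:CC:DD:EE:99" addrtype="mac"/></host>
  <host><status state="up"/><address addr="192.168.1.3" addrtype="ipv4"/>
        <address addr="AA:BB:CC:DD:EE:03" addrtype="mac"/></host>
</nmaprun>
"""


def hosts_from_nmap_xml(xml_text):
    """{ip: mac-or-None} for every host nmap reports as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").lower()
        if ip:
            hosts[ip] = mac
    return hosts


def diff_scans(expected, current, monitoring="all", exclude=None):
    """expected: {ip: mac} the admin configured; current: the latest scan.
    monitoring: "all" also reports unknown devices, "list-only" checks expected hosts only.
    exclude: {ip: {"mac", ...}} per-host checks to skip, like the page's `exclude` key."""
    exclude = exclude or {}
    findings = []
    for ip in sorted(expected, key=ipaddress.ip_address):
        want = (expected[ip] or "").lower()
        if ip not in current:
            findings.append((ip, "down"))
            continue
        got = current[ip] or ""
        if "mac" not in exclude.get(ip, set()) and want and got and want != got:
            findings.append((ip, f"mac changed {want} -> {got}"))
    if monitoring == "all":
        for ip in sorted(set(current) - set(expected), key=ipaddress.ip_address):
            findings.append((ip, "unknown device"))
    return findings
```

Feed `hosts_from_nmap_xml` the baseline once, store the result, and run the diff after each cron-driven scan; a MAC change on a known IP is the signal for a swapped or spoofing device, while "unknown device" under `monitoring: all` is the new-hardware alert.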

Usage:

git clone https://github.com/temparus/network-monitoring.py && cd network-monitoring.py
python network-monitoring.py -h

Just copy the source files to a directory on your machine.

Source: https://github.com/temparus

flightsim – A utility to generate malicious network traffic and evaluate security controls.
http://seclist.us/flightsim-a-utility-to-generate-malicious-network-traffic-and-evaluate-security-controls.html (Thu, 11 Jan 2018 12:58:44 +0000)

flightsim is a lightweight utility that generates malicious network traffic to help security teams evaluate security controls and network visibility. It performs tests that simulate DNS tunneling, DGA traffic, requests to known active C2 destinations and other suspicious traffic patterns.

flightsim

Dependencies:
+ Golang https://golang.org/doc/install
+ Linux, macOS and Windows are supported.

How to Build and Use:

git clone https://github.com/alphasoc/flightsim && cd flightsim
go build
./flightsim --help
./flightsim run --help
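flightsim only tells you something if the traffic it generates trips a detection, so here is the other half, as an added example that is not part of flightsim: two of the checks a DNS-log detection should contain, run over constructed query records. The first scores the registrable label for DGA-like randomness (length plus Shannon entropy; the thresholds are assumptions to tune against your own resolver data), the second looks for DNS tunneling as many unique, long subdomain labels under one zone. The crude "last two labels" zone split is a stand-in for a Public Suffix List lookup.

```python
import math
from collections import defaultdict

# Constructed (client, query name) records of the kind a resolver log yields.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "a1.cdn.example.org"),            # many subdomains, short labels: benign
    ("10.0.0.5", "b2.cdn.example.org"),
    ("10.0.0.5", "c3.cdn.example.org"),
    ("10.0.0.7", "xk3j9qzp4vlw8t.com"),            # DGA-like
    ("10.0.0.7", "q7m2nv0b1zr5yh.net"),            # DGA-like
    ("10.0.0.9", "mfrggzdfmztwq2lknzsxg2ly.t.tunnel-example.net"),   # tunnel-like
    ("10.0.0.9", "onswy3djojsw45dfnzxtgzlf.t.tunnel-example.net"),
    ("10.0.0.9", "pbywc5djn5zxi4lvmuqhe2lo.t.tunnel-example.net"),
    ("10.0.0.9", "ge3tcmrtgezdqnjxgaydambr.t.tunnel-example.net"),
]


def shannon_entropy(s):
    """Bits per character; 14 distinct characters in 14 positions gives log2(14) = 3.81."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """(zone, subdomain labels); zone is the last two labels, a stand-in for a PSL lookup."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:]), labels[:-2]


def dga_like(qname, min_len=10, min_entropy=3.5):
    """Long, high-entropy registrable label.  Thresholds are assumptions:
    ordinary words of 10+ letters stay around 3.0-3.3 bits, random strings go higher."""
    parts = split_name(qname)
    if parts is None:
        return False
    sld = parts[0].split(".")[0]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy


def dga_suspects(queries, **thresholds):
    return sorted({(client, q) for client, q in queries if dga_like(q, **thresholds)})


def tunneling_suspects(queries, min_unique=3, min_label_len=20):
    """Zones that receive many distinct, long first labels (data encoded into
    query names), mapped to the clients asking for them."""
    per_zone = defaultdict(lambda: {"clients": set(), "subs": set(), "lens": []})
    for client, qname in queries:
        parts = split_name(qname)
        if parts is None or not parts[1]:
            continue
        zone, sub = parts
        rec = per_zone[zone]
        rec["clients"].add(client)
        rec["subs"].add(".".join(sub))
        rec["lens"].append(len(sub[0]))
    result = {}
    for zone, rec in per_zone.items():
        avg_len = sum(rec["lens"]) / len(rec["lens"])
        if len(rec["subs"]) >= min_unique and avg_len >= min_label_len:
            result[zone] = sorted(rec["clients"])
    return result
```

Run `flightsim run dga` and `flightsim run tunnel-dns`, then point these functions at the resolver log for the same window: if neither returns the generating host, the visibility gap is in log collection rather than in the logic.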

Source: https://github.com/alphasoc

WireSpy (wsd) – captures packets and generates firewall rules and netflow logs.
http://seclist.us/wirespy-wsd-captures-packets-and-generates-firewall-rules-and-netflow-logs.html (Thu, 04 Jan 2018 11:31:33 +0000)

What is wsd?
Wirespy is a simple network sniffer for information security that extracts interesting metadata about network traffic and logs it. That sounds like a million other security and network tools, and in many ways it is, though there are some very important differences.

Why use it?
Wirespy is not a replacement for tcpdump, wireshark or any other network sniffer. Its specific purpose is providing long-term metadata about network traffic, including TCP flow logging. It is efficient and can monitor live network traffic or process PCAP files.

wirespy v0.6

I use it on my network recorders to extract metadata from the PCAP files; the metadata takes up far less space, which extends the number of months of network intelligence I can keep before running out of disk space.

The TCP flow capability is tolerant of lost packets, which are common when passively monitoring network traffic.

How to use it?
Wirespy can run as a daemon if you are using it to monitor live network traffic and can also process PCAP files saved using other tools that support libpcap format files.

Usage:

git clone https://github.com/rondilley/wirespy && cd wirespy
autoconf
./bootstrap
./configure
make
make install

sudo ./wsd -i eth0

Source: https://github.com/rondilley

weffles – Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI.
http://seclist.us/weffles-threat-hunting-incident-response-console-with-windows-event-forwarding-and-powerbi.html (Mon, 18 Dec 2017 04:05:51 +0000)

WEFFLES is designed to be small and lightweight, both for speed of deployment during an incident response and for the sake of being sustainable in an environment going forward. It is not necessary to be familiar with the underlying technology of Windows Event Forwarding to set up the solution, as it is scripted out for you.

WEFFLES is a way to build a fast, free, and effective threat hunting console using Windows Event Forwarding and PowerBI.

Requirements for deploying WEFFLES :
– Active Directory – we need to be able to create and link a GPO that applies to all of the machines in scope for monitoring. Ideally that includes desktops, servers and domain controllers for the sake of completeness, but linking the GPO that enables Windows Event Forwarding to a testing Organizational Unit first is also a great way to start.
– A server to act as the Windows Event Collector – I recommend a dedicated server as the collector, for performance and security reasons. The server does not have to be massive in spec, even if you have a lot of endpoints checking in to it. The log data should not exceed 10GB even for large organizations (500k endpoints is my biggest WEFFLES deployment so far), and the solution exports data to CSV files for safekeeping, which are quite small. The main performance need on a collector is memory to hold the log files. We size the event log at 1GB, since in this solution it only acts as a holding place before events are exported to CSV; the general rule of thumb if you want a larger event log is: the memory required to run Windows and do things like backups + the specified event log size.
– PowerBI Desktop – The console/data slicer itself is built using PowerBI Desktop. If you’d rather use another data slicer or the most widely used incident response tool on the planet (Microsoft Excel) the output weffles.csv file can be loaded into many different tools. There is a pre-built weffles.pbix PowerBI Desktop file in the GitHub repo that allows you to use the same data slicer console view I show in this post.

WEFFLES uses the EventLogWatcher script from CodePlex (https://pseventlogwatcher.codeplex.com/) to write the CSV file; it is kicked off via a ScheduledTask at system startup, so reboot the machine now. The next part takes a while to "cook", so be patient and maybe walk away for 10 minutes while the subscriptions start working and the script starts parsing the logs.

Use and Download:

git clone https://github.com/jepayneMSFT/WEFFLES && cd WEFFLES
.\wefsetup.ps1

1. Browse to the c:\weffles directory; you should see a bookmarks.stream file and weffles.csv, which means everything is working.
2. If you create a c:\weffles directory on your workstation and copy weffles.pbix from the GitHub repo and weffles.csv from your environment into it, you should be able to open weffles.pbix (assuming you installed PowerBI Desktop), click "Refresh", and it will pull the data from your environment into my example slicers.

Source: https://github.com/jepayneMSFT | https://aka.ms/weffles

JENNOM – Java Enterprise Network Nodes Monitoring.
http://seclist.us/jennom-java-enterprise-network-nodes-monitoring.html (Sat, 21 Oct 2017 12:09:42 +0000)

JENNOM – Java Enterprise Network Nodes Monitor – is free, portable, cross-platform and 100%-pure Java. Jennom first uses ICMP to check a node; if that is unavailable it tries TCP/echo. In addition, Jennom counts lost packets against all packets sent; see the 'Loss/All' column. It supports filtering by different fields and exporting data to PDF/XLS/XML/CSV files.

It uses the standard OS ICMP packet size: Linux = 64 bytes, Windows = 32 bytes. When any node changes state, Jennom writes a message to the local DB, sends a message to a remote syslog server and can send you an email. Only state changes are recorded! Both IPv4 and IPv6 are supported. Successfully tested on Windows and Linux with Mozilla Firefox and Google Chrome for more than 200 nodes. Developed on the JavaEE stack: JSF + PrimeFaces, CDI, JPA, EJB, Apache Shiro for security, on the JavaEE-certified server Apache TomEE v1.7.4 (jax-rs release).

jennom

Dependencies:
+ Java 1.8

Features
+ Project is free, portable, cross-platform and 100%-pure Java
+ Jennom uses ICMP to check nodes; if that is unavailable it tries TCP/echo.
+ Jennom counts lost packets against all packets sent
+ Supports filtering by different fields and export to PDF/XLS/XML/CSV files
+ Supports logging to a local DB and a remote syslog server, and can send you email
+ Only state changes are recorded.
+ Supports both IPv4 and IPv6.
+ Based on a client-server architecture
+ After starting jennom-server, open "http://<your-server-IP>:8080/jennom/" in a web browser
+ Successfully tested on Windows and Linux with Mozilla Firefox and Google Chrome for more than 200 nodes.

Download: jennom_jee_build_20-10-17_bin.zip (62.1 MB)
Source: https://sourceforge.net/projects/jennom/

dawgmon – attack surface analyzer and change monitoring tool.
http://seclist.us/dawgmon-attack-surface-analyzer-and-change-monitoring-tools.html (Tue, 19 Sep 2017 09:52:43 +0000)

dawgmon ("dawg the hallway monitor") monitors operating system changes and analyzes the attack surface introduced when software is installed.

The tool is not meant for complete accuracy. There are very serious, and normally justified, recommendations not to rely on the output of GNU coreutils such as ls as tool input; in other words, one should rarely build tools that parse and depend on this kind of output, as it can change at any time. Realistically, though, the output of these tools is relatively stable, because a lot of people and automated tools already rely on it for all kinds of purposes.

dawgmon

The tradeoff for dawgmon is the following: without that approach we would need to implement a lot of file system monitoring logic ourselves and build complex binaries that include libraries for parsing and monitoring block devices, network interfaces and more. That would make the tool far more complex and less maintainable. As it is, one can add a new command, including change detection, in very little time, because the main dawgmon tool already takes care of caching, executing the command and then supplying the previous and current output to the command implementation for comparison. On time-constrained projects this means one can very quickly add a new command and run analyses that include it.
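The cache-execute-compare pattern described above, as an added example that is not dawgmon's code: a previous and a current `ls -la` listing of a directory (both constructed) are parsed, and the comparison reports added, removed and changed entries, calling out the modes that matter for attack surface (setuid/setgid, world-writable). The field layout assumed is that of GNU ls -l; dawgmon's own command implementations and output format are not reproduced here.

```python
# Constructed `ls -la /etc`-style listings: BEFORE is the cached snapshot,
# AFTER what the same command printed after a package install.
BEFORE = """\
total 24
drwxr-xr-x  2 root root 4096 Sep 18 09:00 .
drwxr-xr-x 20 root root 4096 Sep 18 09:00 ..
-rw-r--r--  1 root root  581 Sep  1 12:00 hosts
-rw-r--r--  1 root root   26 Sep  1 12:00 issue
-rw-r--r--  1 root root 2100 Sep  1 12:00 passwd
-r--r-----  1 root root  755 Sep  1 12:00 sudoers
"""

AFTER = """\
total 80
drwxr-xr-x  2 root root  4096 Sep 18 10:00 .
drwxr-xr-x 20 root root  4096 Sep 18 09:00 ..
-rwsr-xr-x  1 root root 54256 Sep 18 09:55 helper
-rw-r--r--  1 root root   602 Sep 18 09:55 hosts
-rw-r--r--  1 root root  2100 Sep  1 12:00 passwd
-rw-rw-rw-  1 root root   755 Sep 18 09:55 sudoers
"""


def parse_ls_la(text):
    """{name: {mode, owner, group, size}} from GNU `ls -la` output.
    The date occupies three fields, so splitting into 9 parts leaves the name whole."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("total "):
            continue
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        name = parts[8]
        if name in (".", ".."):
            continue
        entries[name] = {"mode": parts[0], "owner": parts[2],
                         "group": parts[3], "size": int(parts[4])}
    return entries


def risky_mode(mode):
    """Attack-surface flags derived from a symbolic mode string."""
    reasons = []
    if len(mode) >= 10:
        if mode[3] == "s" or mode[6] == "s":
            reasons.append("setuid/setgid")
        if mode[8] == "w":
            reasons.append("world-writable")
    return reasons


def compare_snapshots(old_text, new_text):
    """[(kind, name, details)] with kind in added/removed/changed; details lists the
    changed attributes and any risky mode bits on the new entry."""
    old, new = parse_ls_la(old_text), parse_ls_la(new_text)
    findings = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            findings.append(("added", name, risky_mode(new[name]["mode"])))
        elif name not in new:
            findings.append(("removed", name, []))
        else:
            changed = [k for k in ("mode", "owner", "group", "size")
                       if old[name][k] != new[name][k]]
            if changed:
                findings.append(("changed", name, changed + risky_mode(new[name]["mode"])))
    return findings
```

The two findings worth paging on here are the new setuid binary and sudoers becoming world-writable; a plain size change on hosts is the sort of noise a change monitor reports but does not escalate.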

Usage:

git clone https://github.com/anvilventures/dawgmon && cd dawgmon
./dawgmon -h (must be run as root)

Source: https://github.com/anvilventures

PiSavar – Detects PineAP module and starts deauthentication attack (for fakeAP).
http://seclist.us/pisavar-detects-pineap-module-and-starts-deauthentication-attack-for-fakeap.html (Thu, 17 Aug 2017 10:11:17 +0000)

PiSavar is a tool that finds the fake access points opened by a WiFi Pineapple device's PineAP module and keeps clients from being affected by launching a deauthentication attack against the attacking device.
How PineAP Module Works:
– Collects SSID information
– Creates SSID pool with collected SSID information
– Creates fake access points using information in the SSID pool

PiSavar – FakeAP Detection tools

Features of PiSavar:
+ Detects PineAP activities
+ Detects networks opened by PineAP.
+ Starts deauthentication attack for PineAP.
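What "detecting PineAP activity" can look like in code, as an added example that is not PiSavar's: beacon records (constructed as (BSSID, SSID, channel) tuples, the shape airodump-ng reports from a monitor-mode interface) are grouped by BSSID, and a BSSID that advertises many different SSIDs, or whose SSIDs copy networks seen from other BSSIDs, is reported as a PineAP-style rogue AP. The OUI watch list is an assumption to be verified against the IEEE registry. The response step (PiSavar's deauthentication) is deliberately not included.

```python
from collections import defaultdict

# Constructed beacon records (bssid, ssid, channel): two legitimate APs plus
# one device answering for every SSID in its pool on channel 1.
SAMPLE_BEACONS = [
    ("00:11:22:33:44:55", "HomeNet", 6),
    ("66:77:88:99:AA:BB", "CoffeeShop", 11),
    ("00:11:22:33:44:55", "HomeNet", 6),
    ("00:13:37:AA:BB:01", "HomeNet", 1),
    ("00:13:37:AA:BB:01", "CoffeeShop", 1),
    ("00:13:37:AA:BB:01", "attwifi", 1),
    ("00:13:37:AA:BB:01", "xfinitywifi", 1),
    ("00:13:37:AA:BB:01", "Starbucks WiFi", 1),
]

# ASSUMPTION: OUI prefixes you choose to watch; check them against the IEEE
# OUI registry before treating a match as evidence.
SUSPICIOUS_OUIS = ("00:13:37",)


def ssids_per_bssid(beacons):
    """{bssid: set(ssids)} from the beacon records."""
    table = defaultdict(set)
    for bssid, ssid, _channel in beacons:
        table[bssid.lower()].add(ssid)
    return table


def detect_pineap(beacons, max_ssids=3, suspicious_ouis=SUSPICIOUS_OUIS):
    """{bssid: {"ssids": [...], "reasons": [...]}} for BSSIDs that behave like PineAP:
    many SSIDs from one BSSID, SSIDs copied from other BSSIDs, or a watched OUI."""
    table = ssids_per_bssid(beacons)
    owners = defaultdict(set)                      # ssid -> bssids advertising it
    for bssid, ssids in table.items():
        for ssid in ssids:
            owners[ssid].add(bssid)
    watched = tuple(oui.lower() for oui in suspicious_ouis)
    findings = {}
    for bssid, ssids in table.items():
        reasons = []
        if len(ssids) > max_ssids:
            reasons.append(f"advertises {len(ssids)} SSIDs from one BSSID")
        cloned = sorted(s for s in ssids if len(owners[s]) > 1)
        # A legitimate multi-SSID AP whose names also appear elsewhere (roaming)
        # lands here too, so weigh this reason together with the others.
        if cloned and len(ssids) > 1:
            reasons.append("clones SSIDs seen from other BSSIDs: " + ", ".join(cloned))
        if bssid.startswith(watched):
            reasons.append("OUI on the watch list")
        if reasons:
            findings[bssid] = {"ssids": sorted(ssids), "reasons": reasons}
    return findings
```

Only the first two reasons are behavioural; a Pineapple with a spoofed BSSID never trips the OUI check, which is why the SSID-count and SSID-cloning signals carry the detection.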

Features to add:
+ List of clients connected to fake access points
+ Record activities – Logging

Dependencies:
+ Aircrack-ng
+ iw-wireless-tools
+ python 2.7.x with the termcolor module

Hardware Test:
– TPLink

Usage:

git clone https://github.com/besimaltnok/PiSavar && cd PiSavar
python pisavar.py <interface>   (e.g. wlan0 or wlan1; the interface must be in monitor mode)

Source: https://github.com/besimaltnok

AITF – Active Internet Traffic Filtering.
http://seclist.us/aitf-active-internet-traffic-filtering.html (Fri, 04 Aug 2017 07:23:01 +0000)

Short Abstract:
Active Internet Traffic Filtering (AITF) is a mechanism for blocking highly distributed denial-of-service (DDoS) attacks. These attacks are an acute contemporary problem, with few practical solutions available today; we describe in this paper the reasons why no effective DDoS filtering mechanism has been deployed yet. We show that the current Internet's routers have sufficient filtering resources to thwart such attacks, with the condition that attack traffic be blocked close to its sources; AITF leverages this observation. Our results demonstrate that AITF can block a million-flow attack within seconds, while it requires only tens of thousands of wire-speed filters per participating router, an amount easily accommodated by today's routers. AITF can be deployed incrementally and yields benefits even to the very first adopters.

AITF-Gateway

Dependencies:
+ libboost-all-dev make g++ pkg-config libssl-dev libnetfilter-queue-dev
+ Any Linux platform

For background, read the paper:
https://www.usenix.org/legacy/publications/library/proceedings/usenix05/tech/general/full_papers/argyraki/argyraki.pdf

Usage:

git clone https://github.com/magwitch324/AITF && cd AITF
./Setup.sh (run as root)

Source: https://github.com/magwitch324

prowler – AWS security assessment, auditing and hardening tool.
http://seclist.us/prowler-aws-security-assessment-auditing-and-hardening-tools.html (Wed, 19 Jul 2017 01:10:02 +0000)

prowler is a tool based on AWS-CLI commands for AWS account security assessment and hardening, following the guidelines of the CIS Amazon Web Services Foundations Benchmark 1.1 (https://www.cisecurity.org/cis-benchmarks/).

Features:
It covers hardening and security best practices for all AWS regions related to:
+ Identity and Access Management (24 checks)
+ Logging (8 checks)
+ Monitoring (15 checks)
+ Networking (5 checks)
+ Extra checks (3 checks) *see Extras section

Prowler: AWS CIS Benchmark Tool

For a comprehensive list of checks and their remediation, see the guide at the link above.
With Prowler you can:
– get a coloured or monochrome report
– get a CSV-format report, convenient for diffing between runs
– run specific checks without having to run the entire report
– check multiple AWS accounts in parallel
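What one group of those IAM checks does under the hood, as an added example that is not Prowler's code: Prowler drives the AWS CLI (the ExpiredToken message below comes from its GenerateCredentialReport call), and several of the CIS 1.x checks are evaluated from the resulting credential report. The function below applies the root-MFA, root-access-key, user-MFA, unused-credential and key-rotation checks (CIS 1.13, 1.12, 1.2, 1.3 and 1.4 of benchmark 1.1) to a constructed report; the real report from `aws iam get-credential-report` has more columns than the sample (regions, services, certificates), which DictReader simply ignores.

```python
import csv
import io
from datetime import datetime

# Constructed credential report.  Column names are the real ones; the report
# from `aws iam get-credential-report` has more columns, not used here.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2016-01-01T00:00:00+00:00,not_supported,2018-07-18T08:00:00+00:00,not_supported,not_supported,false,true,2016-01-01T00:00:00+00:00,2018-07-18T08:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-03-01T00:00:00+00:00,true,2018-07-18T09:00:00+00:00,2018-06-01T00:00:00+00:00,N/A,true,true,2018-06-01T00:00:00+00:00,2018-07-18T09:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-03-01T00:00:00+00:00,true,2018-02-01T09:12:00+00:00,2017-11-01T00:00:00+00:00,N/A,false,true,2017-12-01T00:00:00+00:00,2018-01-05T00:00:00+00:00,false,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2018-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2018-07-10T00:00:00+00:00,2018-07-18T12:00:00+00:00,false,N/A,N/A
"""

MISSING = {"N/A", "no_information", "not_supported", ""}


def parse_date(value):
    """The report uses several placeholders for 'no date'; treat them all as None."""
    return None if value in MISSING else datetime.fromisoformat(value)


def is_true(value):
    return value.strip().lower() == "true"


def audit_credential_report(csv_text, now_iso, max_age_days=90):
    """[(cis_id, user, message)] for the checks that can be decided from the report."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":
            if not is_true(row["mfa_active"]):
                findings.append(("1.13", user, "root account has no MFA"))
            for k in ("1", "2"):
                if is_true(row[f"access_key_{k}_active"]):
                    findings.append(("1.12", user, f"root access key {k} exists"))
            continue
        if is_true(row["password_enabled"]):           # console user
            if not is_true(row["mfa_active"]):
                findings.append(("1.2", user, "console password without MFA"))
            last = parse_date(row["password_last_used"]) or parse_date(row["password_last_changed"])
            if last and (now - last).days > max_age_days:
                findings.append(("1.3", user, f"password unused for >{max_age_days} days"))
        for k in ("1", "2"):
            if not is_true(row[f"access_key_{k}_active"]):
                continue
            rotated = parse_date(row[f"access_key_{k}_last_rotated"])
            used = parse_date(row[f"access_key_{k}_last_used_date"]) or rotated
            if rotated and (now - rotated).days > max_age_days:
                findings.append(("1.4", user, f"access key {k} not rotated for >{max_age_days} days"))
            if used and (now - used).days > max_age_days:
                findings.append(("1.3", user, f"access key {k} unused for >{max_age_days} days"))
    return findings
```

Against the sample, evaluated as of 2018-07-19, the root account fails on MFA and on having an access key, bob fails four ways, and alice and the service user pass. A key that has never been used falls back to its rotation date so that a forgotten, never-used key still ages out.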

STS expired token
If you are using an STS token with the AWS CLI and your session has expired, you will probably get this error:
– A client error (ExpiredToken) occurred when calling the GenerateCredentialReport operation: The security token included in the request is expired
Obtain fresh temporary credentials (re-run the STS/assume-role step) and start Prowler again.

Usage:

git clone https://github.com/Alfresco/prowler && cd prowler
pip install awscli

Make sure the AWS CLI is configured with a valid access key and region:
aws configure

The IAM principal Prowler runs as needs read-only audit permissions; an example policy ARN that provides them is
arn:aws:iam::aws:policy/SecurityAudit

./prowler

Source: https://github.com/Alfresco
