Warning: fopen(/home/seclistu/public_html/wp-content/iosec_admin/banlisttemp): failed to open stream: Permission denied in /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php on line 273

Warning: fopen(/home/seclistu/public_html/wp-content/iosec_admin/banlist): failed to open stream: Permission denied in /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php on line 277

Warning: fopen(/home/seclistu/public_html/wp-content/iosec_admin/ips): failed to open stream: Permission denied in /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php on line 281

Warning: Cannot modify header information - headers already sent by (output started at /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php:273) in /home/seclistu/public_html/wp-includes/feed-rss2.php on line 8
TCP/IP – Security List Network™ http://seclist.us Wed, 25 Apr 2018 22:10:46 +0000 en-US hourly 1 Nemesis – TCP/IP Packet Injector. http://seclist.us/nemesis-tcp-ip-packet-injector.html Thu, 12 Apr 2018 19:20:05 +0000 http://seclist.us/?p=17096 Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.

Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

nemesis v1.4

Key Features:
+ ARP/RARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF*, RIP, TCP and UDP protocols support
+ Layer 2 or Layer 3 injection on UNIX-like systems
+ Layer 2 injection (only) on Windows systems
+ Packet payload from file
+ IP and TCP options from file
+ Tested on OpenBSD, Linux, Sun Solaris, Mac OS X and Windows 2000

Dependencies:
+ Libnet and GCC

Use and Download:

git clone https://github.com/troglobit/nemesis && cd nemesis
sudo apt-get install libnet1-dev
./autogen.sh
./configure
make
make install

Examples
* Inject malformed ICMP redirect
sudo nemesis icmp -S 10.10.10.3 -D 10.10.10.1 -G 10.10.10.3 -i 5

* IGMP v2 join for group 239.186.39.5
sudo nemesis igmp -v -p 22 -S 192.168.1.20 -i 239.186.39.5 -D 239.186.39.5

Source: https://github.com/troglobit

]]>
MalPipe – Malware/IOC ingestion and processing engine. http://seclist.us/malpipe-malware-ioc-ingestion-and-processing-engine.html Tue, 10 Apr 2018 23:13:51 +0000 http://seclist.us/?p=17088 MalPipe is a modular malware (and indicator) collection and processing framework. It is designed to pull malware, domains, URLs and IP addresses from multiple feeds, enrich the collected data and export the results.

MalPipe v1.0

At this time, the following feeds are supported:
+ VirusTotal (https://www.virustotal.com)
+ MalShare (https://malshare.com/)
+ BambenekFeeds (osint.bambenekconsulting.com/feeds/)
+ FeodoBlockList (https://feodotracker.abuse.ch)
+ Malc0deIPList (http://malc0de.com/)
+ NoThinkIPFeeds (www.nothink.org/)
+ OpenPhishURLs (https://openphish.com)
+ TorNodes (https://torstatus.blutmagie.de)

Dependencies:
+ Python 2.7.x

Modules for MalPipe located under malpipe/ by type:
– Feeds
An example configuration is provided in config_example.json with settings to get started. This file contains a JSON object containing the required settings for each feed / processor / exporter.

– Processors
Processors are used to enrich/standardize the collected. For example, data from VirusTotal contains yara results for each file collected, whereas MalShare does not. By adding, YaraScan to the PROCESSORS key, you can scan the files to also include this data.

– Exporters
The final components is exporters, these control where the data goes. These can be used to export collected data to a malware repository, a SIEM, JSON Log files or printed for the user.

Use and Download:

git clone https://github.com/silascutler/MalPipe && cd MalPipe
pip install -r requirements.txt
Copy, Edit and rename config_example.json with config.json then insert your API key.
python malpipe.py

Source: https://github.com/silascutler

]]>
fi6s – fast IPv6 network scanner. http://seclist.us/fi6s-fast-ipv6-network-scanner.html Sat, 07 Apr 2018 16:15:08 +0000 http://seclist.us/?p=17062 fi6s is a IPv6 port scanner designed to be fast. This is achieved by sending and processing raw packets asynchronously. The design and goal is pretty similar to Masscan, though it has not reached a similar feature set yet.

fi6s – ipv6 scanner

Grabbing banners:
Since fi6s has its own TCP stack, the OS stack needs to disabled to avoid interference with banner grabbing (RST packets). This is most easily done using ip6tables and a constant –source-port. Banner grabbing is then enabled by passing –banners:

# ip6tables -A INPUT -p tcp -m tcp --dport 12345 -j DROP
# ./fi6s -p 22 --banners --source-port 12345 2001:db8::/120

Use and Download:

sudo apt install gcc make git libpcap-dev
git clone https://github.com/sfan5/fi6s.git && cd fi6s
make
./fi6s --help

Source: https://github.com/sfan5

]]>
wofgen – Universal firewall configuration generator. http://seclist.us/wofgen-universal-firewall-configuration-generator.html Tue, 03 Apr 2018 20:14:36 +0000 http://seclist.us/?p=17041 Walls of Fire(wofgen) is an Universal firewall configuration generator.

Ever get tired of trying to remember how to use ipfw, iptables, netsh, ipf/pf, ufw, wipfw, etc…?Instead of trying to remember, learn the wof “simple syntax” and generate all of them:
Syntax:

tcp/udp local_address/mask:local_port direction remote_address/mask:remote_port pass/deny

wall of fire (wofgen)

Enables established related on incoming ports (allow out what you allowed in). Zero dependencies (other than a C++ compiler and the C++ STL). Eveything but ipf/pf and wipfw cranks out commands that can be run in a terminal.

Use and Download:

git clone https://github.com/mrmoss/wofgen && cd wofgen
cd bin
make

Example Usage:
#Universal
bin/wofgen_iptables rules.wof

#Unix/Cygwin
cat rules.wof|bin/wofgen_ipfw

#Windows
type rules.wof|bin\wofgen_netsh

Source: https://github.com/mrmoss

]]>
ioc_report – ioc report generator. http://seclist.us/ioc_report-ioc-report-generator.html Mon, 02 Apr 2018 06:23:23 +0000 http://seclist.us/?p=17021 ioc_report is used as a tool to automate the process of using OSINT to find indicators of compromise (IOC) to sweep you environment for. Since this project was built around the public APIs, there is a rate limit. I used the VirusTotal rate limit (4 requests per minute at the time of writing this) as the baseline. Since the Hybrid-Analysis function of this script checks two environments (Win 7 32-bit and Win 7 64-bit), it takes approximately 45 seconds to pull the information for each URL provided when generating the full report. The basic report just provides the filetypes and hashes of the initial downloads so this should be 10x faster (FILE DOWNLOAD TIME x NUMBER OF URLS PROVIDED). If you have access to the private API, just remove the 15 second waits and everything “should” be fine. Is 45 seconds a long time? Sure it is but this gives you more time to go do something else like flirt with your crush at work or twidle your thumbs.

ioc_reportgen

The OUTPUTFILE was meant to be used as a lookup in Splunk in order to do more correlation with other log sources but as with any other open-source project, use it as you best see fit. If you are a Splunk master, manipulating the lookup table should be a piece of cake.

Prerequisites
+ Python 2.7.14
+ Python Requests module
+ VirusTotal API key
+ Hybrid-Analysis API key and secret

Script:
+ Basic Report
The basic report, basic_report.sh, is used to pull down files and get the MIME-type, MD5, SHA256 hashes, and write the comma-separated data to a file.

+ Full Report
The full report, full_report.sh, is used to pull down files and get the MIME-type, MD5, SHA256 hashes, requests the hashes from VirusTotal for the ones that were no longer available on the site but previously submitted by another user, request more information (extracted files, hashes, filetypes, hosts, and IP addresses) from Hybrid-Analysis, and write the comma-separated data to a file.

Use and Download:

git clone https://github.com/leunammejii/ioc_report && cd ioc_report
chmod +x basic_report.sh
./basic_report.sh
python full_report.py

Source: https://github.com/leunammejii

]]>
snowdrift is a unit testing for firewall rules. http://seclist.us/snowdrift-is-a-unit-testing-for-firewall-rules.html Sun, 01 Apr 2018 08:09:52 +0000 http://seclist.us/?p=17011 snowdrift is a unit testing for firewall rules. It will change your workflow for the better.

This utility aims to automate that by having “rules files” which this script then procesess and will SSH into each machine and try connecting to the target host on the specified port.

By writing and saving rules file, you now have unit test-like ability for testing firewall changes. After changes are made, you can use this script to verify correctness of firewall operation, as opposed to having to SSH to different machines by hand, run netcat manually, and then run Traceroute manually to send back to the firewall team.
Features
+ Test TCP connectivity from any host you can SSH to to any other target host
+ Test UDP connectivty for DNS by making DNS queries from any host you can SSH to to any other target host
+ Support for a range of hosts using the “[01-nn]” notation found in Ansible inventories.
+ Support for running traceroute and tcptraceroute when a connection fails.
+ Custom DNS queries can be made, with NXDOMAIN results being handled properly
+ Statistics for each Rule File tested against as well as the total run
+ Basic SSH connectivity to each host is checked and its state remembered, so that if there are many rules for a host you cannot SSH into, you will only see one error from the first instead of potentially dozens of errors.

How It Works?
The underlying mechanism is pretty starightforward: for each source host, this script will SSH into that host and run netcat (if testing TCP) or dig (if testing DNS) against the target host. It will then report the results back to you.

snowdrift

Requirements
+ ssh-agent running, with keys to all machines you want to SSH to.
+ Bash
+ netcat (nc) installed on all machines you are testing from
+ dig installed on all machines your are testing DNS from
+ SSH Agent is set up so that you can SSH into machines you are testing from without a password
+ tcptraceroute installed on machines you want to run a TCP traceroute from

Debugging
The following environment variables can be set to output debugging info:
+ DEBUG_CMD – Print out the command sent to SSH
+ DEBUG_SSH_CHECK – Print out the logic used to check whether we can SSH into a host or not
+ DEBUG_CMD_OUTPUT – Print the raw output from the SSH command

Testing
Testing can be done via docker, simply cd into the testing/ directory and run the script go.sh. This will spin up some docker containers, and test the app from inside them.

Use and Download:

git clone https://github.com/Comcast/snowdrift && cd snowdrift
./snowdrift
./snowdrift ./rules/demo.txt

Source: https://github.com/Comcast

]]>
XFLTReaT tunnelling framework. http://seclist.us/xfltreat-tunnelling-framework.html Sun, 25 Mar 2018 22:37:29 +0000 http://seclist.us/?p=16967 XFLTReaT is an open-source Python based tunnelling framework that helps you to create a tunnel between two (or more) computers on different channels/protocols. Although the name of the project correlates with the word “exfiltrate”, the framework is more about tunnelling than exfiltration. The main use-case for it is to create a full Internet Protocols v4 (IPv4) based tunnel between the end points, that can be used as a communications channel to send IP packets back and forth.

The tool is built on the client-server architecture, so at least two computers are needed to set up the environment. The server side can offer different protocols that can be used for tunnelling. The client chooses a protocol that is offered by the server and available on the client network (for example: allowed on the firewall or not restricted by an active network device), and attempts to create a communications channel or tunnel with the server. If the process succeeds, the specified protocols will be used to tunnel data over the network.

XFLTReaTnet

Available modules
+ TCP
+ UDP
+ ICMP
+ SOCKS v4, 4a, 5
+ HTTP CONNECT
+ SCTP (by Darren Martyn @info_dox)
+ WebSocket
+ DNS (A/CNAME, PRIVATE, NULL) – Proof of Concept
+ RDP (Windows only)

If you want to:
– get unrestricted Internet access from restricted networks
– exfiltrate data over a noisy side channel
– use a custom protocol to tunnel data
– etc.
Then this could be your ultimate tool.

Dependencies and OS Support Platform:
+ Python 2.7.x
+ All Operating System Support

Use and Download:

git clone https://github.com/earthquake/XFLTReaT && cd XFLTReaT
git checkout next-version

pip install -r requirements_linux.txt (linux)
pip install -r requirements_mac.txt (MacOS)
pip install -r requirements_win.txt (windows)
python xfltreat.py --server

Source: https://github.com/earthquake

DISCLAMER
The tool is not yet production grade, edge cases (and not that edge cases) are might not handled very well. There can be security issues in the code that has not been fixed. In case you manage to identify any, please contact me in private or create an issue on the Github page. Mail: xfltreat at rycon.hu

]]>
IDS-C : A simple intrusion detection system that detects anomalous IP payload. http://seclist.us/ids-c-a-simple-intrusion-detection-system-that-detects-anomalous-ip-payload.html Thu, 22 Mar 2018 19:33:36 +0000 http://seclist.us/?p=16939 IDS-C is A simple intrusion detection system that detects anomalous IP payloads, vertical and horizontal port scanning attacks in the selected network interface.

IDS-C

System and Requirements:
+ All Linux Support; Tested Ubuntu 16.04, Debian 9
+ Cmake and pcap-dev

Use and Download:

git clone https://github.com/ghousali17/IDS-C && cd IDS-C
make
./myids eth0 {your option}

Source: https://github.com/ghousali17

]]>
Sippts – Set of tools to security audit SIP based VoIP Systems. http://seclist.us/sippts-set-of-tools-to-security-audit-sip-based-voip-systems.html Tue, 13 Mar 2018 15:21:00 +0000 http://seclist.us/?p=16876 Sippts is a suite of tools to audit VoIP servers and devices using SIP protocols. Sippts is programmed in Perl script and it consists of:
+ Sipscan : Fast scanner for SIP services that uses multithread. Sipscan can check IP and port ranges and works over UDP or TCP.
+ Sipexten : Identifies extensions on a SIP server. Sipexten uses multithread and can check IP and port ranges.
+ Sipcrack : Remote password cracker. Sipcrack uses multithread and can test passwords for several users in IP and port ranges.
+ Sipinvite : Check if a server allow us to make calls without authentication. If the SIP server has a bad configuration, it will allows us to make calls to external numbers. Also it can allow us to transfer the call to a second external number.
+ Sipsniff : Simple sniffer for SIP protocols that allows us to filter by SIP method type.

sippts

==Operating System==
Sippts was tested on:
* Linux
* Mac OS X
* Windows

==Requirements==
* Perl

Use and Download:

git clone https://github.com/Pepelux/sippts && cd sippts
sudo apt-get install libnet-pcap-perl libio-socket-ip-perl libsocket-perl libnetaddr-ip-perl libdbd-sqlite3-perl
sudo cpan -i IO:Socket:Timeout
sudo cpan -i String:HexConvert

Example:
perl sipscan.pl -h 192.168.0.1
perl sipexten.pl -h 192.168.0.1 -e 100-200 -v
perl sipcrack.pl -h 192.168.0.1 -w wordlist
sudo perl sipsniff.pl -i eth0

Source: https://github.com/Pepelux

]]>
remediation – Tools and utilities for remediation and incident-response handling. http://seclist.us/remediation-tools-and-utilities-for-remediation-and-incident-response-handling.html Fri, 09 Mar 2018 10:58:41 +0000 http://seclist.us/?p=16793 remediation is a Tools and utilities for remediation and incident-response handling.
JewelRunner is intended to quickly analyze tcp/ip traffic for a target host and create host-based firewall rules in support of micro segmentation activities. In its current form it will:
+ Parse pcap files and summarize tcp/ip traffic to and from a target IP;
+ Parse ipFilter (Solaris) log files and generate firewall rules; and
+ Parse ipSec (AIX) logs and generate firewall rules.

JewelRunner was built and tested with Python 2.7.x

jewelrunner

Assumptions and Caveats
+ I have tried to include references wherever I borrowed from others. If I have missed someone, it was unintentional, lest I incur the wrath of the squirrel man.
+ In retrospect I should have done this in Bro-Script. This is on my list. I’d also like to try using scapy to create and deploy the rules in real time as packets are read.
+ This code is in-efficient. Several functions are repeated in each module. Future work includes plans for the creation of a utility module to consolidate these functions.
+ The higher port is always assumed to be the initiator of the connection. This may not always be the case.
+ JewelRunner will not create rules for high-port (>50000) to high-port traffic. However, it will report these flows in the output.
+ JewelRunner will not create rules for low-port (< 1023) to low-port traffic. However, it will report these flows in the output.
+ When an filter IP is specified, jewelRunner makes no assumptions about the source port (ie. > 1023) when creating the host-based firewall rules. Rules will be created using the source port specified in the log file. It is up to the user to generalize these rules later on.
+ JewelRunner assumes that any traffic it sees is allowed. Any rules should be ultimately adjudicated by the application and product teams.
+ JewelRunner is intended to support “proof-of-concept” activities for micro-segmentation. There are several Enterprise tools that will do this far more effectively at the enterprise level (12 ,13)

Use and Download:

git clone https://github.com/pjhartlieb/remediation && cd remediation
cd jewelrunner
pip install -r requirements.txt
pip install dpkt

Parse pcap file and analyze traffic for target IP 10.10.10.1
./jewelRunner.py -f /path/to/file.pcap -io pcap -target 10.10.10.1

Parse pcap file and analyze traffic between target IP 10.10.10.1 and 10.10.10.2
./jewelRunner.py -f /path/to/file.pcap -io pcap -target 10.10.10.1 -filter 10.10.10.2

Parse ipFilter log for target IP 10.10.10.1 and create host-based firewall rule set
./jewelRunner.py -f /path/to/ipfilter.log -io ipfilter -target 10.10.10.1

Source: https://github.com/pjhartlieb

]]>
idsEventGenerator – Intrusion Detection Systems Event Generator. http://seclist.us/idseventgenerator-intrusion-detection-systems-event-generator.html Thu, 08 Mar 2018 21:47:55 +0000 http://seclist.us/?p=16780 idsEventGenerator tools for Reads rules written in a Snort like syntax (as of Snort 2.9.11) from a rule file, puts parsed rule content in a struct and (optionally) prints the rule. It than (optionally) constructs HTTP requests that are sent to the configured host (possibly a webserver) that trigger events on a listening IDS related to the parsed rules. “Snort like” means it accepts Snort rules, but does not require all fields of a Snort rule.

For the moment it only converts hex characters in content patterns that are part of the first 128 readable ASCII characters. It only parses rules that use one of the following content modifiers: http_[method,uri,raw_uri,stat_msg,stat_code,header,raw\header,client_body,cookie,raw_cookie] or the equivalent modifiers for PCRE content and rules with the uricontent keyword. It ignores rules that are not triggering an alert or do not contain the ‘content’ or the ‘pcre’ or the ‘uricontent’ keyword or contain any other unsupported content related keyword.

idsEventGenerator

Dependencies:
+ Snort IDS/IPS
+ Python-pip

ISSUES:
– libcurl reports a timeout error if an HTTP HEAD request is sent although the request is sent and a response is received. BEWARE: The more likely cause for this error is that the Webserver at the given IP-address is not responding or down or IP is wrong. -If you see a python “Traceback” error in your stderr than it means that the exrex command hat problems parsing/generating/… the regex from the given rule.

Download:

git clone https://github.com/felixe/idsEventGenerator && cd idsEventGenerator
g++ -std=c++11 -lcurl idsEventGenerator.cpp
./a.out -h

Source: https://github.com/felixe

]]>
DCSYNCMonitor – Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events. http://seclist.us/dcsyncmonitor-monitors-for-dcsync-and-dcshadow-attacks-and-create-custom-windows-events-for-these-events.html Wed, 07 Mar 2018 02:04:20 +0000 http://seclist.us/?p=16759 DCSYNCMonitor tool is an application/service that can be deployed on Domain controllers to alert on Domain Controller Syncronization attempts. When an attempt is detected, the tool will write an event to the Windows Event Log. These events can be correlated in a SIEM. In addition, this tool can take a list of valid DC IP’s and, in this configuration, only alert when a DC SYNC attempt comes from a non-DC ip. This tool is meant to provide Blue Teams with a way to combat DC SYNC and DC SHADOW attacks without commercial tools like Microsoft ATA or fancy IDS/IPS.

DCSYNCMonitor

DCSYNCMonitor tool has the following known limitations:
+ The tool does a byte comparision for the DSNcChange Packet. This pattern should be fairly robust, but can likely be defeatable by an advanced attacker.
+ The tool does not handle IPv4 fragmentation. An attacker could concievably specially craft a DC SYNC request with IPv4 fragmentation to bypass the packet sniffing.
+ The tool does not handle IPv6 packet extensions. An attacker, on an IPv6 network could conceivably craft a DC SYNC request that contains extra header extensions or use a Jumbogram to bypass the signatures.
+ The tool does not handle malformed packets which may or may not be correctly dropped by the kernel.
+ It is highly unlikely, but a false postive could occur if a random tcp packet manages to match the 11 byte signature this tool checks for.
+ This tool will only work on Server 2008 or later.

Use and Download:

Link for prebuilt binaries is here:
32bit Service: https://github.com/shellster/DCSYNCMonitor/raw/master/Release/DCSYNCMONITORSERVICE.exe

64bit Service: https://github.com/shellster/DCSYNCMonitor/raw/master/x64/Release/DCSYNCMONITORSERVICE.exe

Or using git:
git clone https://github.com/shellster/DCSYNCMonitor && cd DCSYNCMonitor
cd Release
DCSYNCMONITORSERVICE.exe -install | -remove | -standalone

Source: https://github.com/shellster

]]>