tv crime2ChaosVPN is a system to connect Hackers.

Design principals include that it should be without Single Point of Failure, make usage of full encryption, use RFC1918 ip ranges, scales well on >100 connected networks and is being able to run on an embedded hardware you will find in our today’s router. It should be designed that no one sees other peoples traffic. It should be mainly autoconfig as in that besides the joining node no administrator of the network should be in the need to actually do something when a node joins or leaves. If you want to find a solution for a Network without Single Point of failure, has – due to Voice over IP – low latency and that no one will see other peoples traffic you end up pretty quick with a full mesh based network.

Therefore we came up with the tinc solution. tinc does a fully meshed peer to peer network and it defines endpoints and not tunnels.

ChaosVPN connects hacker wherever they are. We connect road warriors with their notebook. Servers, even virtual ones in Datacenters, Hacker houses, and hackerspaces. To sum it up we connect networks – may be down to a small /32.

So there we are. It is working and it seems the usage increases, more nodes join in and more services pop up.

Installation

  • Installation dependency package

    If you get an “E: The package bison is not available for the candidate” error, please add them to your sources.list file
    deb http://debian.sdinet.de/ stable chaosvpn
    deb-src http://debian.sdinet.de/ stable chaosvpn
    apt-get update

  • Install
    apt-get install chaosvpn
    If the error cannot be installed
    vi /etc/apt/sources.list
    deb http://security.debian.org/debian-security wheezy/updates main
    apt-get update
    apt-get install libssl1.0.0
    apt-get install chaosvpn

Configuration

  • For tinc and chaosvpn docking operation
    mkdir -p /etc/tinc/chaos
    tincd –ne=chaosvpn –generate-keys=2048
    if you get “Error opening file `/etc/tinc/=chaosvpn/rsa_key.priv’: No such file or directory” error, then run a command:
    mkdir /etc/tinc/chaos/ecdsa_key.priv
  •  executed
    tincd –ne=chaosvpn –generate-keys=2048
  • run command
    vi /etc/tinc/chaosvpn.conf
    Change parameters
    $ my_vpn_ip = 172.31。。[1-255]
    Only use a-z, 0-9 and underline
    Ip address to be changed to 172.31.x.x
    Save the exit.
  • you have to join chaosVPN also must write a letter of introduction to indicate your motive, send mail to chaosvpn-join@hamburg.ccc.de
  • If you join, in the terminal input chaosvpn, you can see some information.

    The contents of the letter of introduction are:

  • Start
    /etc/init.d/chaosvpn start
  • View the chaosvpn network port
    route -n

 

Advertisements

Open Elasticsearch nodes on Shodan

Posted: 06/01/2018 in Uncategorized
Tags: , , , ,

Administrators like to use Elasticsearch (What is Elasticsearch?) as a real-time data search and analysis tool. However lots of administrators forget to secure these nodes.

With a simple search on shodan, we can find the Elastic indices :

https://www.shodan.io/search?query=port:”9200″ product:”Elastic”

Confidential information can be accessed through these addresses, below is the syntax to use:

http://IP:9200/_search?pretty

Here are some basic recommendations for securing your nodes :

  • Only allow direct access to known IP addresses (Source to destination)
  • Add Authentication to Elastic Node (2FA all the way)

PoC

  1. Use this filter on shodan to search elastic node : port:”9200″ product:”Elastic”
  2. Check Elastic connection : http://IP:9200
  3. Executing Search : http://IP:9200/_search?pretty

This Node disclose some confidential information, we can use it to access to all accounts

Now we can use this information to access the Elastic backend

After contact the company has now secured their node.

For help security Elasticsearch watch the video on link below:

https://www.elastic.co/elasticon/conf/2016/sf/securing-elasticsearch

Also see Amazon Elasticsearch Service (Amazon ES) Developer Guide

LogViewer is designed to work with any large text files so that even very large files can be opened, viewed and searched.

Its original use case is for DFIR cases that involve log analysis. Whilst I use grep (well actually I use sift to extract data from logs, it is handy to be able to view log files, search for terms, hide lines whilst you get an idea what the log file contains, what actions are being performed.

The use of the custom control would make debugging any future issues a lot harder, so after a bit of thought, I used the ObjectListView library. The ObjectListView library is a custom list view control for use with .Net projects, I have used it extensively as it is easy to use and works with large datasets.

The core operation of LogViewer works in the same way as Highlighter e.g. parse the file, find the line offsets and line lengths, then when a line is needed for display, an existing file stream is used to seek to the offset, and then read X bytes.

I tested the v0.0.1 release of LogViewer against v1.1.3 of Mandiant Highlighter. My test log file was 1.2 GB and had 4.4 million rows. The following shows the operation and duration of the operation to compare:

  • Load (LogViewer): 15s
  • Load (Highlighter): 42s
  • Search (LogViewer): 1m 5s
  • Search (Highlighter): 2m 15s
  • Show Only Highlighted (LogViewer): 2s (+ the search operation above 1m 5s) Total: 1m 7s
  • Show Only Highlighted (Highlighter): Killed after 35m

The main reasons for this being faster is that it has removed some functionality and I have optimised the file load code so that there is less memory allocation and unnecessary checks/logic, plus Highlighter does some Md5 calcs etc.

Features

  • Very fast
  • Supports huge files
  • Cumulative search
  • Can disable/enable search terms that are cumulative and the results are displayed instantly
  • Export current view
  • Show/Hide matched lines
  • Four search modes (SubString Case Insensitive, SubString Case Sensitive, Regex Case Insensitive, Regex Case Sensitive)

General

  • To stop an action such as load, search, export, you double click on the progress bar, located in the status bar
  • The context menu holds the majority of actions
  • Lots of stuff to be fixed/added!

Download

 

HP has an awful history of ‘accidentally’ leaving keyloggers onto its customers’ laptops. At least two times this year, HP laptops were caught with pre-installed keylogger or spyware applications.
tweet made by a security researcher claiming to have found a built-in keylogger in several HP laptops, and now he went public with his findings.

A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details.

The Keylogger was found embedded in the SynTP.sys file, a part of Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP Notebook models vulnerable to hackers.

Although the keylogger component is disabled by default, hackers can make use of available open source tools for bypassing User Account Control (UAC) to enable built-in keylogger “by setting a registry value.”

Here’s the location of the registry key:

  • HKLM\Software\Synaptics\%ProductName%
  • HKLM\Software\Synaptics\%ProductName%\Default

The researcher reported the keylogger component to HP last month, and the company acknowledges the presence of keylogger, saying it was actually “a debug trace” which was left accidentally, but has now been removed.

A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners,” HP says in its advisory, calling the keylogger as a potential, local loss of confidentiality.

A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.

The company has released a Driver update for all the affected HP Notebook Models. If you own an HP laptop, you can look for updates for your model. The list of affected HP notebooks can be found at the HP Support website.

This is not the first time a keylogger has been detected in HP laptops. In May 2017, a built-in keylogger was found in an HP audio driver that was silently recording all of its users’ keystrokes and storing them in a human-readable file.

Caintech.co.ukThe NAS4Free operating system can be installed on virtually any hardware platform to share computer data storage over a computer network. ‘NAS’ as in “Network-Attached Storage” and ‘4Free’ as in ‘Free and open source’, NAS4Free is the simplest and fastest way to create a centralized and easily-accessible server for all kind of data!

NAS4Free supports sharing across Windows, Apple, and UNIX-like systems. It includes ZFS, Software RAID (0,1,5), disk encryption, S.M.A.R.T / email reports etc. with following protocols/services: CIFS/SMB (samba), Samba AD, FTP, NFS v4, TFTP, AFP, RSYNC, Unison, iSCSI, UPnP, Bittorent, Syncthing, VirtualBox and noVNC, Bridge, CARP (Common Address Redundancy Protocol) and HAST (Highly Available Storage).

This all can easy be managed by a configurable web interface.

Features
Backup
NAS
File Server

Websitehttps://www.nas4free.org

 

Caintech.co.uk

vsaudit

This is an opensource tool to perform attacks to general voip services It allows to scans the whole network or single host to do the gathering phase, then it is able to search for most known vulnerabilities on the founds alive hosts and try to exploit them.

Install dependencies

To start using vsaudit you must install the ‘bundler’ package that will be used to install the requireds gem dependencies through the Gemfile.

Download directly from website:

http://bundler.io/

Or install with ‘gem’ (ruby package manager) with:

deftcode ~ $ gem install bundler

After that the installation has been completed, run (in the directory where is located vsaudit):

deftcode vsaudit $ bundle

Now you can start vsaudit with:

deftcode vsaudit $ ruby vsaudit.rb

NOTE: If you get an error with gem, you need to install the libssl-dev package (kali-linux: apt install libssl-dev).

Environment commands

  • Display the available options that can be set
  • List the environment variables
  • Get the value of environment variable
  • Set or change the environment variables

Audit commands

  • Check mistakes in the local configuration files
  • Scan a local o remote network
  • Enumerate the extensions
  • Bruteforce extensions
  • Get the live network traffic
  • Intercept the network traffic by custom bpf

Informations commands

  • Get informations about modules or address
  • Show the report list
  • Show the extensions list

Global commands

  • Display the help message
  • Quit from the framework

Screenshot

Reference

Source: https://github.com/eurialo/vsaudit

So why do we restrict Powershell to users in an organisation, well the answer is Mimikittenz.

Mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes.
mimikittenz can also easily extract other kinds of juicy info from target processes using regex patterns including but not limited to:

  • TRACK2 (CreditCard) data from merchant/POS processes
  • PII data
  • Encryption Keys & All the other goodstuff

NOTE: This tool is targeting running process memory address space, once a process is killed it’s memory ‘should’ be cleaned up and inaccessible however there are some edge cases in which this does not happen.

The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of information gathered per target.
Currently mimikittenz is able to extract the following credentials from memory:

NOTE: This tool is targeting running process memory address space, once a process is killed it’s memory ‘should’ be cleaned up and inaccessible however there are some edge cases in which this does not happen.

The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of information gathered per target.

Currently mimikittenz is able to extract the following credentials from memory:

#####Webmail#####

Gmail
Office365
Outlook Web
#####Accounting#####

Xero
MYOB
#####Remote Access#####

Juniper SSL-VPN
Citrix NetScaler
Remote Desktop Web Access 2012
#####Developement#####

Jira
Github
Bugzilla
Zendesk
Cpanel
#####IHateReverseEngineers#####

Malwr
VirusTotal
AnubisLabs
#####Misc#####

Dropbox
Microsoft Onedrive
AWS Web Services
Slack
Twitter
Facebook

Download
git clone https://github.com/putterpanda/mimikittenz.git
https://github.com/putterpanda/mimikittenz.git

Also read: Unofficial Guide to Mimikatz & Command Reference