Thu, 13 Jul 2017
I’m not entirely certain when BackTrack/Kali began behaving more like a regular desktop distro, but I seem to recall that originally, networking subsystems were down when you booted up into Run Level 3. It was up to you to turn on the interfaces and fire up a GUI if such was desired. IMO, that’s precisely how it should be. I get it. Most of us won’t ever find ourselves in a clandestine lot, inside of a snack- and caffeine-filled, non-descript conversion van with a Yagi pointed at the bubble window, ready to pilfer innocent datums just trying to get by in this lossy-protocoled, collision-rife world.
Rather, very many of us just want the stinking box online so we can run through our tutorials and hack our own intentionally vulnerable VMs. A thorough taste of hacking’s un-glamorous underbelly is quite enough for many.
I’m confident that the BT fora were inundated with fledgling hackers complaining that their fresh install couldn’t find WiFi or didn’t load the desktop. However, I feel that distros dedicated to the Red Team should try to instill good habits. Having your machine boot and activate an interface announcing your presence and spewing out MAC and hostname is bad for business. Booting into a (comparatively) heavy GUI is also not where I want to begin.
Let’s imagine that we’re trying to crack into a thing. Don’t we want to apply maximal CPU resources, rather than having GUI elements bringing little beyond cost? If you notice, very many of the related tools still live on the CLI. The typical course of development (e.g.: Nmap, Metasploit) is that the CLI version is thoroughly developed before someone drops a GUI atop (respectively: Zenmap, Armitage).
So let’s take our Kali and make a few quick changes. We want to boot up in text/CLI mode and we want networking left off until we choose to make noise. Further, we want to randomize our MAC address and hostname at every boot.
We’ll use iwconfig to enumerate our wireless interfaces.
lo no wireless extensions.
wlan1 IEEE 802.11 ESSID:"ESSID"
Mode:Managed Frequency:2.412 GHz Access Point: 17:23:53:96:BE:67
Bit Rate=72.2 Mb/s Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=70/70 Signal level=-21 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:253 Invalid misc:400 Missed beacon:0
eth0 no wireless extensions.
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=0 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
We have two wireless interfaces: wlan0 and wlan1.
Okay, first let’s configure to start up in text mode:
> systemctl set-default multi-user.target
Created symlink /etc/systemd/system/default.target → /lib/systemd/system/multi-user.target.
Traditionally from text mode, we bring up the GUI desktop with the command startx. Since we don’t yet have that command, let’s create it:
> printf '#!/bin/sh\nsystemctl start gdm3.service\n' > /usr/sbin/startx && chmod +x /usr/sbin/startx
Disable network-manager autostart:
> systemctl disable network-manager.service
> sed -i 's/5min/30sec/' /etc/systemd/system/network-online.target.wants/networking.service
Now, let’s randomize our hostname and MAC addresses at every boot by adding some cronjobs:
> crontab -e
We’ll add two jobs to randomize the MAC addresses and one for our hostname:
@reboot macchanger -r wlan0
@reboot macchanger -r wlan1
@reboot hostname `strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 30 | tr -d '\n'`
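The crontab entries above hand the randomization to macchanger and to a one-liner, and neither checks what it produced. As an added example (not code from the original post), here is a small POSIX shell script that generates the per-boot values itself and validates them: a MAC we invent must be unicast (lowest bit of the first octet clear) and locally administered (second-lowest bit set), and a hostname label should stay within RFC 1123 limits. The apply_random_identity wrapper is hypothetical and uses iproute2’s ip link in place of macchanger -r; it needs root, and it leaves the interfaces down, in keeping with the goal of staying quiet until we choose to make noise.

```shell
#!/bin/sh
# Added example: generate and check per-boot identity values (hostname, MAC).

# random_hostname [LEN] -> LEN lowercase alphanumerics from /dev/urandom (default 30).
# A single hostname label may be at most 63 characters (RFC 1123).
random_hostname() {
    len="${1:-30}"
    [ "$len" -le 63 ] || len=63
    LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c "$len"
}

# random_mac -> six random octets; clear the I/G bit (unicast) and set the U/L bit
# (locally administered) in the first octet so the address is valid for an interface.
random_mac() {
    set -- $(od -An -N6 -tx1 /dev/urandom)
    first=$(( (0x$1 & 0xfc) | 0x02 ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# mac_is_local_unicast MAC -> succeeds only for a well-formed lowercase hex MAC
# whose first octet is unicast and locally administered (low two bits == 10b).
mac_is_local_unicast() {
    case "$1" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    b=$(( 0x$(printf '%s' "$1" | cut -c1-2) ))
    [ $(( b & 0x03 )) -eq 2 ]
}

# apply_random_identity IFACE... -> assign a fresh MAC to each interface and pick a
# fresh hostname. Hypothetical wrapper (not from the post): needs root, uses
# iproute2 instead of macchanger, and deliberately leaves every interface DOWN.
apply_random_identity() {
    for ifc in "$@"; do
        mac=$(random_mac)
        mac_is_local_unicast "$mac" || return 1
        ip link set dev "$ifc" down
        ip link set dev "$ifc" address "$mac"
    done
    hostname "$(random_hostname 30)"
}
```

For the crontab, `@reboot /usr/local/sbin/random-identity.sh wlan0 wlan1` (with the script calling apply_random_identity "$@") replaces the three separate entries; the hostname change is runtime-only, which is exactly what a per-boot randomization wants.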
We’re good! We’ve improved efficiency by staving off the GUI for when we genuinely want it and improved anonymity by randomizing some common ways of identifying the rig.
Tags: BackTrack, hostname , ifconfig, Kali, MAC, macchanger, Privacy, systemctl, systemd
Permalink: 2017-07-10.improved.anonymity.on.kali.linux
Mon, 02 Jan 2017
Happy new year! New year means new servers, right?
That provides its own set of interesting circumstances!
The server we’re investigating in this scenario was chosen for being a dedicated box in a country that has quite tight privacy laws. And it was a great deal offered on LEB.
So herein is the fascinating bit. The rig took a few days for the provider to set up and, upon completion, the password for SSHing into the root account was emailed out. (o_0)
From a security standpoint, that means there was a window of opportunity for bad guys to work on guessing the password before its owner even tuned in. That window remains open until the server is better secured. Luckily, there was a nice interface for reinstalling the OS that let its purchaser select a password.
My preferred approach was to script the basic lock-down so that we can reinstall the base OS and immediately start closing gaps.
In order:
Set up SSH keys (scripted)
Disable password usage for root (scripted)
Install and configure IPset (scripted; details in the next post)
Install and configure fail2ban
Install and configure PortSentry
In this post, we’re focused on the first two steps.
The tasks to be handled are:
Generate keys
Configure local SSH to use key
Transmit key to target server
Disable usage of password for ‘root’ account
We’ll use ssh-keygen to generate a key — and stick with RSA for ease. If you’d prefer ECC then you’re probably reading the wrong blog but feel encouraged to contact me privately.
The code:
#!/bin/bash
set -euo pipefail
#configure variables
remote_host="myserver.com"
remote_user="j0rg3"
remote_pass="thisisaratheraquitecomplicatedpasswordbatterystaple" # https://xkcd.com/936/
local_user=$(whoami)
local_host=$(hostname)
local_date=$(date -I)
local_filename=~/.ssh/id_rsa@$remote_host
#generate key without passphrase (comment is user@host-date; the original was missing the $ on local_host)
ssh-keygen -b 4096 -P "" -C "$local_user@$local_host-$local_date" -f "$local_filename"
#add reference to generated key to local configuration
printf '%s\n' "Host $remote_host" "  IdentityFile $local_filename" >> ~/.ssh/config
#copy key to remote host: name the new key explicitly rather than relying on ssh-copy-id's
#default, and pass the password via the environment (-e) so it does not appear in the process list
SSHPASS="$remote_pass" sshpass -e ssh-copy-id -i "$local_filename.pub" "$remote_user@$remote_host"
#disable password for root on remote: back up sshd_config, change the first active
#"PermitRootLogin yes" line (the original used the literal placeholder range 0,/RE/),
#then reload sshd so the change takes effect. Assumes $remote_user may edit /etc/ssh.
ssh "$remote_user@$remote_host" "cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak && sed -i '0,/^PermitRootLogin yes/s/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl reload ssh"
We just run this script as soon as the OS is reinstalled and we’re substantially safer. As a Deb8 install, quickly pulling down fail2ban and PortSentry makes things quite a lot tighter.
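One caveat worth checking before trusting the sed substitution: it only fires on an active line reading exactly `PermitRootLogin yes`. Recent Debian releases ship the directive commented out (`#PermitRootLogin prohibit-password`), in which case the substitution matches nothing and the compiled-in default remains in force, and sshd honours only the first active occurrence of any keyword, so a later duplicate is silently ignored. The following added example (not from the original post; the two function names are mine) reads a value the way sshd does and sets it correctly in either case, exercised here against a constructed config file.

```shell
#!/bin/sh
# Added example: read and set sshd_config options the way sshd interprets them.

# effective_sshd_option FILE KEYWORD -> the value sshd would use: the FIRST active
# (uncommented) occurrence wins; prints "(default)" when the keyword is not set.
effective_sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # comments never count
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# set_sshd_option FILE KEYWORD VALUE -> replace the first active occurrence, or
# append a new line when the keyword only exists in commented form. Writes back
# with cat so the file's permissions are preserved.
set_sshd_option() {
    file="$1" key="$2" value="$3"
    if grep -qiE "^[[:space:]]*${key}[[:space:]]" "$file"; then
        awk -v key="$key" -v value="$value" '
            !done && $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) {
                print key " " value; done = 1; next
            }
            { print }
        ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE -> the two settings this post is after, applied idempotently.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
}
```

On the live server the same check is available as `sshd -T | grep -i permitrootlogin`, which prints the effective value after sshd has parsed the file; run it after the reload to confirm the script did what you expect.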
In another post, we’ll visit the 2017 version of making a DIY script to batten the hatches using a variety of publicly provided blocklists.
Download here:
ssh_quick_fix.sh
Tags: CLI, Fail2ban, IPset, security, SSH
Permalink: 20170102.securing.a.new.server
Sun, 09 Jun 2013
In an effort to promote practical privacy measures, when I send people links to search engines, I choose ixquick. However, my personal settings submit my search terms via POST data rather than GET, meaning that the search terms aren’t in the URL.
Recently, I’ve found myself hand-crafting links for people and then I paste the link into a new tab, to make sure I didn’t fat-finger anything. Not a problem per se, but the technique leaves room for a bit more efficiency. So I’ve taken the ‘A Search Box on Your Website’ tool offered by ixquick and slightly modified the code it offers, to use GET variables, in a new tab where I can then copy the URL and provide the link to others.
You can test, or use, it here — I may add it (or a variant that just provides you the link) to the navigation bar above. First, though, I’m going to mention the need to the outstanding minds at ixquick because it would make a LOT more sense on their page than on mine.
Tags: ixquick, search
Permalink: 20130609.ixquick.search
Thu, 30 May 2013
In this writer’s opinion, it is vitally important that we take reasonable measures now to help ensure anonymity, lest we create a situation where privacy no longer exists and the simple want of it becomes suspicious.
Here’s how to configure your browser to automatically use a search engine that respects your privacy.
Chrome:
- Click Settings.
- Click “Set pages” in the “On startup” section.
- Enter https://ixquick.com/eng/ in the “Add a new page” text field.
- Click OK.
- Click “Manage search engines…”
- At the bottom of the “Search Engines” dialog, click in the “Add a new search engine” field.
- Enter
ixquick
ixquick.com
https://ixquick.com/do/search?lui=english&language=english&cat=web&query=%s
- Click “Make Default”.
- Click “Done”.
Firefox:
- Click the Tools Menu.
- Click Options.
- Click the General tab.
- In “When Firefox Starts” dropdown, select “Show my home page”.
- Enter https://ixquick.com/eng/ in the “Home Page” text field.
- Click one of the English options here.
- Check box for “Start using it right away.”
- Click “Add”.
Opera:
- Click “Manage Search Engines”
- Click “Add”
- Enter
Name: ixquick
Keyword: x
Address: https://ixquick.com/do/search?lui=english&language=english&cat=web&query=%s
- Check “Use as default search engine”
- Click “OK”
Internet Explorer:
_ ___ _ __ ___ _ _____ ___
| | / _ \| |\ \ / / | | |_ _|__ \
| | | | | | | \ \ /\ / /| | | | | | / /
| |__| |_| | |__\ V V / | |_| | | | |_|
|_____\___/|_____\_/\_/ \___/ |_| (_)
(This is not a good strategy for privacy.)
Congratulations!
\o/
You are now one step closer to not having every motion on the Internet recorded.
This is a relatively small measure, though. You can improve your resistance to prying eyes (e.g., browser fingerprinting) by using the Torbrowser Bundle, or even better, Tails, and routing your web usage through Tor, i2p, or FreeNet.
If you would like more on subjects like anonymizing, privacy and security then drop me a line via email or Bitmessage me: BM-2D9tDkYEJSTnEkGDKf7xYA5rUj2ihETxVR
Tags: \o/, anonymous, Chrome, Firefox, FreeNet, i2p, ixquick, LOLWUT, Opera, privacy, security, Tails, Tor, TorBrowser, TorBrowser-Bundle
Permalink: 20130530.hey.you.get.offa.my.data