ENKI - Information Systems Security

ANONYMIZE YOUR ATTACKS - PART 2

20/2/2015

 
In our previous post we saw how to set up Tor and Polipo for anonymity during a pentest.

Configure your browser to use Tor through Polipo: the easy one. Set the browser's HTTP and HTTPS proxy to Polipo (127.0.0.1, port 8123 by default) with no exception for the target, then visit any what-is-my-IP service (or check.torproject.org) and check that the address shown is a Tor exit and not yours.
Now, if you use Burp Suite Pro as your web pentest tool, configure it this way:

1- Go to the Options tab
2- In the Connections section, enable the SOCKS proxy and point it at Tor (127.0.0.1, port 9050). Also tick "Do DNS lookups over SOCKS proxy": otherwise Burp resolves hostnames itself and, as explained in part 1, that DNS query is a leak. With SafeSocks enabled on the Tor side, such requests are refused anyway, so without this setting Burp would simply fail to connect.

Then point your browser at Burp's own listener (127.0.0.1:8080 by default) instead of Polipo, so the chain becomes browser -> Burp -> Tor.
Now you are ready to run your website attacks anonymously.

Let's see how it works with sqlmap. Give it Polipo as its HTTP proxy (sqlmap's --proxy option, e.g. --proxy=http://127.0.0.1:8123); sqlmap also has a --tor option that talks to the SOCKS port directly, and --check-tor verifies that the exit is a Tor one before the scan starts.
Done this way, every request goes to Polipo, which sends it through Tor (just remember our configuration).

So that is how these tools get source-IP anonymity. Be clear about what it covers, though. Only traffic a tool explicitly sends to Polipo or to Tor's SOCKS port goes through Tor, and Tor only carries TCP: raw-packet port scans, UDP, ICMP and anything that opens its own socket bypass it entirely. Metasploit modules that honour the Proxies option (e.g. socks5:127.0.0.1:9050) can be chained the same way, but a payload that connects back to your real IP undoes all of it, and application-level details (your User-Agent, your usual tool signatures, a consistent scan timing) still identify you to a careful defender. Tor hides where you come from, not what you do.

That's it. I hope you enjoyed this little tutorial.


Y. from ENKI

ANONYMIZE YOUR ATTACKS - PART 1

20/2/2015

 
OK, the subject of this post should be clear.
And if you still haven't got it: we are going to show you how to anonymize your attacks while running a pentest.

And as you may know, we are not responsible for what you do with this material!

So let's begin!

What do we need?

- A computer: it could help...
- Linux as our host OS.
- Tor.
- Polipo (some people use Privoxy; they have their reasons and I have mine).
- Any hacking tool you would use (in my example, sqlmap and Burp Suite Pro).

1- Install and configure the core tools

The only part I will show you is the Tor and Polipo configuration (for an explanation of what Tor and Polipo are for, search the internet). You can find great tutorials on the net about Linux and how to turn it into a pentester box.

So first of all, install Tor. You have two options:

- Install it from packages
- Install it from source code

Let's install from packages (I use Linux Mint; use whatever package manager your distro has):

# apt-get install tor polipo

Next, add these lines to your /etc/polipo/config file (Polipo keeps listening on its default 127.0.0.1:8123, which is the HTTP proxy address your tools will use):

socksParentProxy = localhost:9050
diskCacheRoot = ""
disableLocalInterface = true

censoredHeaders = from, accept-language, x-pad
censorReferer = maybe

Then add the following lines to your /etc/tor/torrc file (SocksListenAddress is deprecated; on recent Tor versions, write SocksPort 127.0.0.1:9050 and drop it):

AvoidDiskWrites 1
ControlPort 9051
Log notice stdout
TestSocks 1
SafeSocks 1
WarnUnsafeSocks 1
SocksListenAddress 127.0.0.1
SocksPort 9050

DNSPort 53
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion


Move your /etc/resolv.conf to resolv.conf.orig and create a new one containing only the following line:

nameserver 127.0.0.1

Two caveats: port 53 is privileged, so DNSPort 53 only works if Tor is started as root and drops privileges afterwards (the Debian/Mint service does); and NetworkManager or resolvconf may rewrite resolv.conf on the next network change, so check it again after reconnecting.


You can find an explanation of each option in the two manuals (Tor, Polipo), but here is a short note on each:

A- TOR

AvoidDiskWrites: If non-zero, try to write to disk less frequently than we would otherwise.

ControlPort: If set, Tor will accept connections on this port and allow those connections to control the Tor process using the Tor Control Protocol (described in control-spec.txt)... This option is required for many Tor controllers; most use the value of 9051. Set it to "auto" to have Tor pick a port for you. (Default: 0). Note that an open ControlPort without authentication lets any local process reconfigure Tor (Tor logs a warning about it); if you keep it, add CookieAuthentication 1 or a HashedControlPassword.

Log: Send all messages between minSeverity and maxSeverity to the standard output stream, the standard error stream, or to the system log. (The "syslog" value is only supported on Unix.) Recognized severity levels are debug, info, notice, warn, and err. We advise using "notice" in most cases, since anything more verbose may provide sensitive information to an attacker who obtains the logs.

Now an important part of your anonymity when you run a pentest. A clever IT security person can catch you through your DNS requests: when a tool resolves the target's name itself, the query goes to your usual DNS servers, normally your ISP's, which log it. The connection may then travel through Tor, but a lookup of the target's hostname from your real IP is already sitting in someone's logs. I'm sure you understand what I mean.

So what does the manual say?

TestSocks: When this option is enabled, Tor will make a notice-level log entry for each connection to the Socks port indicating whether the request used a safe socks protocol or an unsafe one (see above entry on SafeSocks). This helps to determine whether an application using Tor is possibly leaking DNS requests.

SafeSocks: When this option is enabled, Tor will reject application connections that use unsafe variants of the socks protocol — ones that only provide an IP address, meaning the application is doing a DNS resolve first. Specifically, these are socks4 and socks5 when not doing remote DNS.

WarnUnsafeSocks: When this option is enabled, Tor will warn whenever a request is received that only contains an IP address instead of a hostname. Allowing applications to do DNS resolves themselves is usually a bad idea and can leak your location to attackers.
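To make the safe/unsafe distinction concrete, here is an added example (my own Python, not Tor's code and not part of the original post). It builds the SOCKS4, SOCKS4a and SOCKS5 CONNECT requests an application sends to port 9050 and classifies each one the way SafeSocks and WarnUnsafeSocks do: a request that carries only an IP literal means the application resolved the name itself, over the normal DNS path, before talking to Tor. The `client_request` model and the recording resolver are constructed to show that leak; the hostnames and addresses are made up (documentation ranges).

```python
"""Added example (not from the original post, not Tor's code): build the SOCKS
requests a client sends to Tor's port 9050 and classify each one the way Tor's
SafeSocks / WarnUnsafeSocks options do. A request carrying only an IP literal
means the application already resolved the hostname itself, so the DNS query
went out over the normal (ISP-logged) path: that is the leak. A request
carrying the hostname lets Tor resolve it inside the circuit."""
import ipaddress
import struct


def build_socks4(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT. An IPv4 literal gives plain SOCKS4 (unsafe); a hostname
    gives SOCKS4a, which signals "name follows the userid" with the fake IP 0.0.0.1."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None:
        return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
                + userid + b"\x00" + host.encode("idna") + b"\x00")
    if ip.version != 4:
        raise ValueError("SOCKS4 cannot carry an IPv6 address")
    return struct.pack("!BBH4s", 4, 1, port, ip.packed) + userid + b"\x00"


def build_socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT request (sent after method negotiation).
    ATYP 1 = IPv4, 3 = domain name, 4 = IPv6."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        return (struct.pack("!BBBB", 5, 1, 0, 3) + bytes([len(name)]) + name
                + struct.pack("!H", port))
    atyp = 1 if ip.version == 4 else 4
    return struct.pack("!BBBB", 5, 1, 0, atyp) + ip.packed + struct.pack("!H", port)


def classify(request: bytes) -> dict:
    """Parse a SOCKS4/4a/5 CONNECT and say whether SafeSocks would accept it:
    safe only when the destination arrives as a hostname."""
    ver = request[0]
    if ver == 4:
        (port,) = struct.unpack("!H", request[2:4])
        raw_ip = request[4:8]
        tail = request[8:]                      # USERID NUL [HOSTNAME NUL]
        userid_end = tail.index(b"\x00")
        if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:   # SOCKS4a marker
            name = tail[userid_end + 1:].split(b"\x00", 1)[0]
            return {"variant": "socks4a", "dest": name.decode("idna"), "port": port, "safe": True}
        return {"variant": "socks4", "dest": str(ipaddress.IPv4Address(raw_ip)), "port": port, "safe": False}
    if ver == 5:
        atyp = request[3]
        if atyp == 1:
            dest, off = str(ipaddress.IPv4Address(request[4:8])), 8
        elif atyp == 4:
            dest, off = str(ipaddress.IPv6Address(request[4:20])), 20
        elif atyp == 3:
            n = request[4]
            dest, off = request[5:5 + n].decode("idna"), 5 + n
        else:
            raise ValueError("unknown SOCKS5 address type %d" % atyp)
        (port,) = struct.unpack("!H", request[off:off + 2])
        return {"variant": "socks5", "dest": dest, "port": port, "safe": atyp == 3}
    raise ValueError("unknown SOCKS version %d" % ver)


def client_request(host: str, port: int, resolve_first: bool, resolver) -> bytes:
    """Model of an application in front of the proxy. A leaky client calls the
    system resolver itself (that query leaves over the normal DNS path) and
    hands Tor the resulting IP; a well-behaved client hands Tor the hostname."""
    if resolve_first:
        return build_socks5_connect(resolver(host), port)
    return build_socks5_connect(host, port)


if __name__ == "__main__":
    # Constructed resolver standing in for the OS/ISP DNS path; it records
    # every name it is asked for, i.e. every leak.
    leaked = []

    def fake_resolver(name):
        leaked.append(name)
        return "192.0.2.10"                     # documentation range, constructed

    for resolve_first in (True, False):
        req = client_request("target.example", 443, resolve_first, fake_resolver)
        print("resolve_first=%s -> %s" % (resolve_first, classify(req)))
    print("names that left over plain DNS:", leaked)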

Using the local Tor DNS server is the trick, and that is what the next options do:

DNSPort:
If non-zero, open this port to listen for UDP DNS requests, and resolve them anonymously.

AutomapHostsOnResolve:
When this option is enabled, and we get a request to resolve an address that ends with one of the suffixes in AutomapHostsSuffixes, we map an unused virtual address to that address, and return the new virtual address. This is handy for making ".onion" addresses work with applications that resolve an address and then connect to it.

AutomapHostsSuffixes: A comma-separated list of suffixes to use with AutomapHostsOnResolve. The "." suffix is equivalent to "all addresses."

B- POLIPO

Polipo is easy to configure, and we only need a handful of parameters to use it with Tor.

socksParentProxy and diskCacheRoot: the first tells Polipo to send everything to Tor's SOCKS port (Polipo passes the hostname to Tor, so the resolution happens inside Tor: the "safe" SOCKS variant described in the Tor section above); the second, set to an empty string, disables the on-disk page cache so that no trace of the visited pages is left on disk.

disableLocalInterface: disables Polipo's built-in web interface (served on its own port under /polipo/), which protects you from browser-based attacks on it. For details, see chapter 2.4.1 of
http://www.pps.univ-paris-diderot.fr/~jch/software/polipo/polipo.html

censoredHeaders and censorReferer: these two options sanitize outgoing HTTP headers. The listed headers (From, Accept-Language, X-Pad) are dropped, and the Referer is dropped when it points to another host (maybe) or always (true). These are exactly the headers that tie a request back to you: an e-mail address, your locale, the site you came from. Again, RTFM!
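As an added illustration of what those two Polipo settings do (my own Python, not Polipo's code and not part of the original post), here is a small request-header filter. Header names listed in censoredHeaders are dropped outright. For censorReferer the rule implemented is my reading of the Polipo manual, stated here as an assumption: "true" always drops Referer, "false" never does, and "maybe" drops it only when it points to a different host than the one being requested. The sample request is constructed.

```python
"""Added example, not Polipo's own code: an HTTP request-header filter doing
what censoredHeaders / censorReferer ask for. The censorReferer = maybe
semantics ("drop Referer unless it points at the host being requested") is
an assumption based on the Polipo manual."""
from urllib.parse import urlsplit

CENSORED_HEADERS = {"from", "accept-language", "x-pad"}   # from the config above


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def request_host(target: str, host_header: str) -> str:
    """Host the request is going to: the absolute-form target (what a browser
    sends to a proxy) wins, otherwise the Host header; any port is ignored."""
    if target.startswith(("http://", "https://")):
        return (urlsplit(target).hostname or "").lower()
    return (urlsplit("//" + host_header).hostname or "").lower()


def censor(raw: bytes, censor_referer: str = "maybe",
           censored=CENSORED_HEADERS) -> bytes:
    """Return the request with the censored headers removed."""
    method, target, version, headers = parse_request(raw)
    host_header = next((v for k, v in headers if k.lower() == "host"), "")
    dest = request_host(target, host_header)
    kept = ["%s %s %s" % (method, target, version)]
    for name, value in headers:
        lname = name.lower()
        if lname in censored:
            continue                                  # e.g. From, Accept-Language
        if lname == "referer":
            referer_host = (urlsplit(value).hostname or "").lower()
            if censor_referer == "true":
                continue
            if censor_referer == "maybe" and referer_host != dest:
                continue                              # cross-site Referer: drop it
        kept.append("%s: %s" % (name, value))
    return ("\r\n".join(kept) + "\r\n\r\n").encode("latin-1")


def header_names(raw: bytes):
    """Header names of a request, in order (handy for checking the result)."""
    return [name for name, _ in parse_request(raw)[3]]


# Constructed sample: what a browser might hand the proxy during a test.
SAMPLE_REQUEST = (
    b"GET http://target.example/login HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Referer: https://intranet.corp.example/pentest-notes\r\n"
    b"Accept-Language: fr-FR,fr;q=0.9\r\n"
    b"From: tester@corp.example\r\n"
    b"X-Pad: avoid browser bug\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(censor(SAMPLE_REQUEST).decode("latin-1"))
```

On the sample request only Host and User-Agent survive: the cross-site Referer (which would tell the target where your notes live), the French Accept-Language and the From e-mail address are all removed. A Referer pointing back at target.example itself is kept under "maybe".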

2- Run some tests

Launch Tor and Polipo:

# /etc/init.d/tor start
# /etc/init.d/polipo start

Make sure they are listening on the ports we configured (netstat or ss should show Tor on 9050 and 9051, Polipo on 8123, and Tor's DNSPort on UDP 53).

Now check that our DNS resolver is OK by querying 127.0.0.1 with dig. If dig gets its answer from 127.0.0.1, resolution is going through Tor's DNSPort and the DNS part of our anonymity works. Keep in mind that Tor's DNSPort only answers A, AAAA and PTR queries, so MX, TXT or other record types will fail through this resolver.

Now let's move on to the second part of this tutorial, where we will learn how to configure our tools to use the Tor and Polipo "anonymizers".

Y. from ENKI

Why I chose ENKI as my company name?

10/2/2015

 
Every era has had its share of sciences and technologies, always brought by uncommon beings: ingenious men, mystics, Great Men.
And because I'm a fan of the history of Man, my attention settled on Sumer,
the cradle of civilization.

So I tried to find the deity/person/entity that best represents my business. After much reading, I found that the characteristics of ENKI were closest to the missions we offer our customers.



So who is ENKI?


EA / ENKI is considered the master of the underground fresh water (Abzu), of wisdom, arts and techniques, magic and exorcism. In mythology he is a very important deity, who intervenes several times as a demiurge or adviser and assists the other major deities in the crises they face.

The name of the Sumerian god ENKI can be broken down into EN, "Lord", and KI, often translated as "Earth" but actually referring to the "World Below", the underground world beneath the surface of the earth.

Underground

Yes! You've noticed it. The underworld.
This is the link between the role of ENKI and ours. Act in the underworld to ensure the security and safety of the world of the Earth. Work in the background to provide support and technologies to those in need and those who deserve it.

Do not hesitate to learn more about ENKI. This will guide you to us and you will know who we are.


YB - ENKI CEO

What must we do against new threats?

20/1/2015

 
In this new era of information technology, we have to deal with more and more advanced IT security threats and vulnerabilities.

Pirates have no rules, and neither should security managers.
Old, philosophical responses to these threats are no longer acceptable.

IT security managers are imprisoned by corporate life and rules. That is why they should trust companies that know no limits in security matters: companies whose members act as "hackers" (although this is not the right word to use here).

This is what White Hats stand for.

Russian Spear-Fishing Website Hosts Outlook Web App Phishing Page

19/1/2015

 
In Russia, the Phish Spear You

Spearfishing and spear-phishing may be homonyms, but they have vastly different meanings and apply in very different contexts. Spearfishing is a form of fishing in which the fisherman attempts to impale a fish upon a spear, which can be thrust or thrown by hand, or fired from a spear gun. "Spear phishing" on the other hand is, of course, the by now well-documented technique of sending targeted phishing emails to a user or organization for the purpose of infecting the client and/or stealing logins and other credentials in order to gain a foothold inside the targeted organization – the targeted nature of the threat distinguishes it from longline and other broad-based phishing campaigns.

Read more...


Fake BBC Website lures victims with Charlie Hebdo misinformation

16/1/2015

 
A website mimicking the official BBC News site has garnered immense traffic earlier this week through false information about the Charlie Hebdo massacre, and it is likely that the fake website may be a facade for cyber criminal activities, according to a report from a cyber security firm. The identical website (bbc-news[.]co[.]uk) carried a fake story claiming […]

More on HackRead

Why I chose Nexpose from Rapid7 against Qualys?

16/1/2015

 
There is nothing more boring than searching for simplicity when it could be provided the simple way...

1 - Rapid7 is a well-established company with more than 12 years on the market.

2 - It is the leader of the industry from the point of view of any true hacker (by hacker I mean genius, not script kiddie).

3 - It was born from the Open Source community, and not from the least-known person: just take a look at who HD MOORE is.

4 - It offers free versions of its products (with limited features, but enough to form an opinion) while Qualys asks you to pay first.

5 - The simplicity of Nexpose comes with very concise, easy-to-follow instructions: I have not found any simplicity in using Qualys (just go and create groups/assets...).

6 - Full Metasploit integration (if you want to check the relevance of a vulnerability) while no such tool exists for Qualys.

7 - An Open Source community behind the development of some features (particularly for Metasploit) while Qualys is a black box.

8 - Real-time on-demand scans, while your scans are queued (no comment) in Qualys.

9 - Impressive reports against poor reports in Qualys.

10 - Very good Rapid7 customer support against, hum... how can I describe the Qualys customer support? OK, forget it.

11 - Responsiveness to the latest vulnerabilities and ease of setting up scans (e.g. the Shellshock vuln: why the hell did I try to scan for it with Qualys?)

12 - Network information/details are stored locally with Nexpose, while they are in the CLOUD with Qualys (with no access to the database)!!!

OK, I'll stop here.
In fact, I do not like shadowed security, which is why I will never use or trust a product such as Qualys.


How NSA and other agencies are watching you through linkedin?

16/1/2015

 
Let me show you.

Spy scripts embedded in the source code of LinkedIn pages:

1 - https://lnkd.in/dhK_BW8
Data collected:
Ad Views, Browser Information, Date/Time, Demographic Data, Hardware/Software Type, Page Views, Serving Domains, IP Address, Clickstream Data.
Data Sharing:
Data is shared with 3rd parties.
Data Retention:
Undisclosed.

2 - https://lnkd.in/djyvRFH
Data collected:
Ad Views, Browser Information, Hardware/Software Type, Internet Service Provider, Interaction Data, Page Views, Serving Domains, IP Address, Location Based Data, Device ID
Data Sharing:
Aggregate data is shared with 3rd parties.
Data Retention:
As long as necessary to fulfill a business need or as required by law.

3 - https://lnkd.in/dnjwtnw
Data collected:
Ad Views, Analytics, Browser Information, Date/Time, Demographic Data, Hardware/Software Type, Page Views, IP Address
Data Sharing:
Aggregate data is shared with 3rd parties.
Data Retention:
As long as needed (business need or as required by law).

4 - https://lnkd.in/dEEfZCR
Data collected:
Browser Information, Date/Time, Demographic Data, Hardware/Software Type, Page Views, Search History
Data Sharing:
Data is shared with 3rd parties.
Data Retention:
12-18 Months.

Now look at this one. Very strange.

5 - https://lnkd.in/dtaaKuZ
Data collected:
Details Undisclosed
Data Sharing:
Undisclosed
Data Retention:
3-6 Months.


    Authors

    Here ENKI offers articles and news written by our teams or by other references in Security.

