Metasploit Hardware Bridge extends Metasploit’s capabilities into the physical world of hardware devices, such as your car:
https://community.rapid7.com/community/transpo-security/blog/2017/02/02/exiting-the-matrix
GRR Rapid Response
Very interesting incident response framework focused on remote live forensics:
https://github.com/google/grr/
Disaster Recovery Planning
A short summary of what to know about Disaster Recovery Planning:
https://www.uscybersecurity.net/disaster-recovery-planning/
Reset iLO Admin Password
I tripped over the following blog post that describes a simple way to reset the iLO Administrator Password without having to reboot the server:
http://blog.netnerds.net/2006/04/ribcl-reset-administrator-password-on-ilo/
To summarize, follow the steps below to reset the password for the iLO-account named Administrator:
- Install “HP Lights-Out Online Configuration Utility” if it is not already installed on the server.
- Create an XML-file with the following contents:
<RIBCL VERSION="2.0"><LOGIN USER_LOGIN="Administrator" PASSWORD="boguspassword"><USER_INFO MODE="write"><MOD_USER USER_LOGIN="Administrator"><PASSWORD value="newpass"/></MOD_USER></USER_INFO></LOGIN></RIBCL>
- Execute the following command in a command prompt on the server:
HPONCFG.exe /f xml-file-above.xml /l log.txt > output.txt
The Hive – Platform for security incident management
The Hive seems to be a promising platform for security incident management:
http://chrissanders.org/2017/03/case-management-the-hive/
https://thehive-project.org/
Block ads, tracking and other garbage with dnsmasq
There is an automatically updated, moderated and optimized list available on GitHub for blocking ads, trackers and other online garbage:
https://github.com/notracking/hosts-blocklists
The list is designed for use with dnsmasq. There is also a validation script available at https://github.com/bahamas10/notracking. You can configure automatic updates of the list by following these steps:
- Install Node.js, which is a requirement for the notracking validate script:
$ curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
$ sudo apt-get install -y nodejs
- Clone the notracking repository:
$ cd /opt/
$ git clone git://github.com/bahamas10/notracking.git
- Configure crontab to download updated lists on a daily basis by creating the file /etc/cron.d/notracking with the following content:
0 6 * * * root cd /opt/notracking;./update;mv /opt/notracking/*.txt /etc/dnsmasq.d/;/usr/sbin/service dnsmasq restart
- Disable the CONFIG_DIR option in /etc/default/dnsmasq by commenting out the following row:
#CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
- Add these two lines to the file /etc/dnsmasq.conf:
conf-file=/etc/dnsmasq.d/domains.txt
addn-hosts=/etc/dnsmasq.d/hostnames.txt
To get the configuration running immediately you can manually execute the commands from the cron job, or you can wait for it to run by itself at 06:00 the morning after you configured dnsmasq.
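The cron entry above moves whatever ./update produced into /etc/dnsmasq.d and restarts dnsmasq unconditionally, so a truncated download or an HTML error page would be loaded as a blocklist. The script below is an added example (not code from notracking or dnsmasq) that validates both files line by line, installs them, and rolls back to the previous copies if dnsmasq's own syntax check rejects the result; the record formats it checks are an assumption about what ./update writes.

```shell
#!/bin/sh
# Added example, not part of notracking or dnsmasq. Assumed line formats:
#   domains.txt   -> address=/ad.example.org/0.0.0.0   (or a "/::" IPv6 twin)
#   hostnames.txt -> 0.0.0.0 ad.example.org            (or a "::" prefix)
# Blank lines and "#" comments are tolerated in both files.

# validate_list FILE KIND   (KIND is "domains" or "hostnames")
# Returns 0 only if FILE exists, is non-empty and every line is well formed.
validate_list() {
    file=$1
    case $2 in
        domains)   rec='address=/[A-Za-z0-9._-]+/(0\.0\.0\.0|::)' ;;
        hostnames) rec='(0\.0\.0\.0|::)[[:space:]]+[A-Za-z0-9._-]+' ;;
        *)         return 2 ;;
    esac
    [ -s "$file" ] || return 1
    pat='^(#.*)?$|^'"$rec"'$'
    # grep -v prints lines that are neither blank, comment nor record;
    # any such line fails the whole file.
    if grep -Ev "$pat" "$file" >/dev/null; then
        return 1
    else
        [ $? -eq 1 ]   # 1 = nothing offending; 2 = grep itself failed
    fi
}

# install_lists SRCDIR DESTDIR: copy validated lists into DESTDIR, keep the
# previous files as .bak, and restart dnsmasq only if "dnsmasq --test"
# accepts the new configuration; otherwise restore the .bak copies.
install_lists() {
    for f in domains.txt hostnames.txt; do
        validate_list "$1/$f" "${f%.txt}" || return 1
    done
    for f in domains.txt hostnames.txt; do
        [ -f "$2/$f" ] && cp "$2/$f" "$2/$f.bak"
        cp "$1/$f" "$2/$f" || return 1
    done
    if command -v dnsmasq >/dev/null 2>&1; then
        if ! dnsmasq --test; then
            for f in domains.txt hostnames.txt; do
                [ -f "$2/$f.bak" ] && mv "$2/$f.bak" "$2/$f"
            done
            return 1
        fi
        service dnsmasq restart
    fi
}
# Cron usage in place of the bare mv/restart:
#   cd /opt/notracking && ./update && install_lists /opt/notracking /etc/dnsmasq.d
```

Source the script from the cron command (or paste the functions into /opt/notracking) and replace the mv/restart part of the entry with the install_lists call shown in the last comment.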
Securing Ubiquiti UniFi Cloud Key with Let’s Encrypt SSL and automatic dns-01 challenge with Cloudflare
I was trying to find out how to use Let’s Encrypt SSL to secure an internal UniFi controller. Google gave me a link to the following excellent blog post, which describes how to use the automatic dns-01 challenge to request and update the certificate from Let’s Encrypt:
https://www.naschenweng.info/2017/01/06/securing-ubiquiti-unifi-cloud-key-encrypt-automatic-dns-01-challenge/
Follow these steps to configure an SSL/TLS certificate for your internal UniFi controller, including automatic update of the certificate using Let’s Encrypt and Cloudflare DNS:
1. Log in as root on your controller.
2. Install acme.sh via the online installer:
curl https://get.acme.sh | sh
3. Exit the terminal and reopen it again.
4. Enable auto-upgrade, just remember to change the email-address before executing the command:
acme.sh --upgrade --auto-upgrade --accountemail "mynotifaction@example.com"
5. Create the file /root/.acme.sh/cloudkey-renew-hook.sh:
#!/bin/bash
# Renew-hook for ACME / Let's encrypt
echo "** Configuring new Let's Encrypt certs"
cd /etc/ssl/private
rm -f /etc/ssl/private/cert.tar /etc/ssl/private/unifi.keystore.jks /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/fullchain.pem
openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt -inkey /etc/ssl/private/cloudkey.key -out /etc/ssl/private/cloudkey.p12 -name unifi -password pass:aircontrolenterprise
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
rm -f /etc/ssl/private/cloudkey.p12
tar -cvf cert.tar *
chown root:root /etc/ssl/private/*
chmod 640 /etc/ssl/private/*
echo "** Testing Nginx and restarting"
/usr/sbin/nginx -t
/etc/init.d/nginx restart ; /etc/init.d/unifi restart
6. Log in to your Cloudflare account and get the Global API Key.
7. Configure exports for your DNS API:
export CF_Key="YOUR-CLOUDFLARE-API-KEY"
export CF_Email="YOUR-CLOUDFLARE-EMAIL"
8. Now it is time to get the new certificate. The following command will back up your existing certificate, contact Let’s Encrypt to issue the new certificate, install it and restart the controller. Remember to change the hostname in the -d parameter before running the command:
acme.sh --force --issue --dns dns_cf -d unifi.example.com --pre-hook "touch /etc/ssl/private/cert.tar; tar -zcvf /root/.acme.sh/CloudKeySSL_`date +%Y-%m-%d_%H.%M.%S`.tgz /etc/ssl/private/*" --fullchainpath /etc/ssl/private/cloudkey.crt --keypath /etc/ssl/private/cloudkey.key --reloadcmd "sh /root/.acme.sh/cloudkey-renew-hook.sh"
9. Log in to the controller and ensure that the hostname is configured.
10. Verify that a cronjob has been configured to enable automatic renewal of the certificate:
crontab -e
The line for acme.sh should look like the one below:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh/" >> /var/log/letsencrypt.log
Malware Analysis
A good introduction to malware analysis:
http://blogs.cisco.com/security/malware-analysis-for-the-incident-responder
CyberChef
CyberChef is an interesting web app designed to let analysts manipulate data in complex ways from a web browser, without having to deal with complex tools or algorithms.
Notepad and Unix LF EOL characters
Notepad will finally support Unix line endings (LF) and Macintosh line endings (CR) in addition to Windows line endings (CRLF):
https://blogs.msdn.microsoft.com/commandline/2018/05/08/extended-eol-in-notepad/