Tuesday, March 11, 2014

Ebury SSH Rookit/Backdoor Trojan

About 3 days ago, an Ubuntu user (aka Empire-Phoenix) shouted for help at Ubuntu Forums - Security Discussions that his server has been infected by Ebury SSH Rookit/Backdoor Trojan. In his case, his mail server IP address has been blacklisted due to the infection. His story is here.

CERT Bund has announced the details about this rootkit/backdoor and they also include the Snort rule for the detection. The link is here.

The only solution is to re-install the server(s).

However, the main question is how the intruder(s) compromise our server(s) and install the rootkit? Our server(s) is/are compromised via SSH or other vulnerabilities in the server(s)?

Even if we re-install our server(s) after the infection but leave the unknown factor(s) behind, our server(s) will be infected again. If we installed IDS, we will be notified about the infection but we also need to re-install the server(s) that in question.

I supposed that the server of the captioned Ubuntu user is up-to-date and he had nothing to do with this infection as his server is a production server and he also do not know what is the problem on his server before the infection. The defensive solution is to do penetration test on the server in a regular time and it may prevent this from happening.

Update

More news here.

That's all! See you.

To Be (In)Secure on Kali Linux?

Kali Linux is developed based on Debian 7 (Wheezy). Kali is designed for Penetration Testing and it is running in root privilege. However, almost all the Kali Linux users will also use it as a primary operating system.

When it is using as a Penetration Testing toolkit, the root privilege is in use. When it is using as a primary operating system, the non-root privilege is a good practice. Therefore, a sudoer will be a good choice. However, be keep in mind that sudoer will not guarantee your sudoer account will not be compromised if it equipped with a weak password and easy guess user name.

Penetration Testers or Information Security Researchers will use their browser most of the time as same as other general users. Kali Linux equipped with Iceweasel, which is based on Firefox, and it can use Firefox add-ons. In the BackTrack's old days, we will use "NoScript" Firefox add-on. However, almost all the web sites nowadays are using javascript. It is impossible to disable the javascript or the web broswing experience will be difference. Therefore, "NoScript" is not the solution. However, "NoScript" is blocking XSS attacks by default even the "NoScript" is set to globally allowed.

Kali Linux and tools developers cannot guarantee that their products are free from vulnerabilities. How about if we are being intruded when we are doing pentesting? So embarrassing, right?

If we enable firewall when we are doing pentesting, you will shooting on our toes. If we do not enable the firewall when we are using Kali Linux as primary operating system, we will worrying if anyone can attack our box or not.

Now, we know that what we are facing at the moment. Surfing internet with "NoScript" is not a good solution and we maybe facing vulnerabilites. I think that the best solution for Debian based Linux system is Apparmor.

"AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours." -- Quoted from Apparmor WiKi.

It is very easy to enable Apparmor on Kali Linux. Just passing some kernel parameters when boot and install related packages.

We can enable (or enforce) all the Apparmor profiles (which includes log systems and some services) as well as we can create our own profiles for Iceweasel and any internet connectivity applications, such as HexChat and VirtualBox. If we have Iceweasel Apparmor profile in action, there is no javascript/java malware can successfully attack the browser. For details, We can refer to the documention of Apparmor at here.

Meanwhile, Kali Linux does not equipped with firewall or firewall is not enabled. There is almost no running service by default setting unless you enable it. Therefore, there is no opening port leaving at the Kali Linux box. In general speaking, firewall is not required in this situation.

In conclusion, if we applying Apparmor to Kali Linux, we will not shooting on our toes when doing pentesting. Meanwhile, Apparmor will also give us some protestion on using Kali Linux as Penetration Testing toolkit and as primary operating system. So, we have the balance.

In case you need to disable Javascript, I would recommend to use Firefox Add-ons - QuickJS. One click to disable and enable Javascript on the toolbar.

Reference

HOWTO : Kali Linux 1.0.6 for All Purpose
HOWTO : Perfect Dual Boot Kali Linux 1.0.6 on MacBook Air (Mid 2013) with rEFInd 0.7.7

That's all! See you.

Saturday, March 08, 2014

HOWTO : Perfect Dual Boot Kali Linux 1.0.6 on MacBook Air (Mid 2013) with rEFInd 0.7.7



IMPORTANT : DO NOT UPGRADE YOUR MAC OSX TO YOSEMITE (10.10) AS REFIND (Version 0.8.3) WILL NOT WORKING PROPERLY AND IT FAILS TO DUAL BOOT.


rEFInd version 0.8.4 is compatible with Mac OSX 10.10.x Yosemite. Existing users please refer to the official site for installation.


UPDATED FOR REFIND 0.8.3 on July 13, 2014

This tutorial is written for MacBook Air (may be other models of Apple computers) and Kali Linux users who want to dual boot Mac OSX and Kali Linux.

Pros :

(1) Use GRUB2 for EFI
(2) Simple and Easy to Use and Install
(3) Mac OSX can be Encrypted but reqires extra work (not in this HOWTO)
(4) Kali Linux can be Encrypted

Cons :

(1) Conexists with Mac OSX
(2) Kali Linux Bootable Live USB cannot be booted with rEFInd (use Option key to boot instead)

Background

Since Kali Linux 1.0.6 is based on Debian 7.0 (Wheezy) which is not EFI enabled by default, the GRUB2 (EFI) will not be installed when installing Kali Linux 1.0.6.

We need to use rEFInd which installed in Mac OSX and post-install the GRUB2 on Kali Linux. Meanwhile, the old GRUB should be removed before hand; otherwise, you will break the system.

Making of Kali Linux Install USB

Please refer to the Kali Linux Documentation of making the install USB at here.

You can also refer to this article for making a persistence USB for the installation if you do not have "Thunderbolt to Ethernet" or "USB 3.0 Gigabit USB LAN Adapter". These two devices can be recognized by Kali Linux out of the box.

Install rEFInd on MacBook Air

Boot up MacBook Air to Mac OSX. Download the rEFInd binary zip file and extract it. Go to "Downloads/refind-bin-0.7.7" "Downloads/refind-bin-0.8.3" and install the rEFInd.

cd Downloads/refind-bin-0.7.7 cd Downloads/refind-bin-0.8.3
sudo ./install.sh --alldrivers


Installation and Partitioning

At the MacBook Air with Mac OSX, execute the "Disk Utility". Create a new partition and making it as two, one is "Macintosh HD" and the new one is "Macintosh HD 2". Applied the change. Then remove the newest created partition (Macintosh HD 2). Do not format it and leave it as is. After that, shut it down.

Insert Kali Linux Live Install USB to the MacBook Air and then power on the MacBook Air with long pressing "Option" key. When the Kali Linux Boot Menu displayed. Select "Live (amd64)" and press "Tab" to append "persistence" at the end of the line. After that, press "Enter". Make sure you are connected to the internet. If not, your install will be failed.

The Kali Linux Live will be launched. Select "Install Kali Linux" from the Menu (Applications -- System Tools). Follow the instructions for the installation. Make sure you have a very strong root password. When you are prompted to do partitioning, you just select "Guided - use the largest continuous free space" for non-encryption installation. Do not select "entire disk" options as it will delete the Mac OSX partitions.

The partitioning for normal install is : /etc/sda1 is EFI, /etc/sda2 is Macintosh HD, /etc/sda3 is Recovery HD, /etc/sda4 is biosgrub (unformatted), /etc/sda5 is / (Kali Linux) and /etc/sda6 is SWAP.

If you want to install whole disk encryption, you need to select "Manual". Do not select "entire disk" options as it will delete the Mac OSX partitions. First of all, create a 400MB to 1024MB EXT2 partition which is mount to "/boot". Then, select "Configure encrypted volumes" and name it as "encrypt_vol" for the remaining available spaces. Choose "/dev/sda free #3" for the encrypt volume. Enter the strong "Encryption passphrase". After that, select "Configure the Logical Volume Manager". Create volume group and name it as "kali". Select "/dev/mapper/sda5_crypt" for the volume group. Select "Create logical volume" and name it as "root" with desired capacity. Re-select "Create logical volume" and name it as "swap" with the remaining spaces. Set mount point "/" as EXT4 for "LVM VG kali, LV root" and "swap" as SWAP for for "LVM VG kali, LV swap".

The encrypted volume should be "sda5_crypt" and it is /dev/sda5 too. We need to get its UUID for the bug fix later. It is because Kali Linux Manual partitioning has a serious bug that not allowing you to boot the box.

The partitioning for encryption install is : /etc/sda1 is EFI, /etc/sda2 is Macintosh HD, /etc/sda3 is Recovery HD, /etc/sda4 is /boot (Kali Linux, EXT2) and /etc/sda5 is Encrypted LVM volume which includes / and SWAP.

When asking for installing the GRUB to MBR, just skip it. We do not need it. If you do so, you will kill the system and you need to reinstall the Mac OSX. After that, wait for the installation to complete.

Install EFI on Kali Linux

When the installation is completed, it will return to the Live Kali Linux. Do not reboot it.

Open a terminal. And complete the following commands :

(A) Normal install without luks encryption

mkdir /mnt/root
mount /dev/sda5 /mnt/root

cd /mnt/root
mount -t proc proc proc/
mount -t sysfs sys sys/
mount -o bind /dev dev/
mkdir boot/efi
mount /dev/sda1 boot/efi

chroot /mnt/root

apt-get --purge remove grub-pc
apt-get --purge autoremove
apt-get install grub-efi-amd64

nano /etc/default/grub


Change from :

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

Change to :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor pcie_aspm=force radeon.dpm=1 acpi_backlight=vendor libata.force=noncq"

grub-install
update-grub

exit
reboot


(B) LVM with luks encryption

blkid /dev/sda5

Write down the UUID and the others for further use.

cryptsetup luksOpen /dev/sda5 sda5_crypt
vgchange -ay kali

mkdir /mnt/root
mount /dev/mapper/kali-root /mnt/root

cd /mnt/root
mount -t proc proc proc/
mount -t sysfs sys sys/
mount -o bind /dev dev/
mount /dev/sda4 boot/
mkdir boot/efi
mount /dev/sda1 boot/efi

chroot /mnt/root

apt-get --purge remove grub-pc
apt-get --purge autoremove
apt-get install grub-efi-amd64

nano /etc/default/grub


Change from :

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

Change to :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor pcie_aspm=force radeon.dpm=1 acpi_backlight=vendor libata.force=noncq"

grub-install
update-grub
update-initramfs -u

exit
reboot


In case if the Kali Linux cannot be booted and drop you to a initramfs shell. Do not panic. We can fix it.

cryptsetup luksOpen /dev/sda5 sda5_crypt
vgchange -ay
exit


The Kali Linux can be booted up fine. Upon booted up, you need to do the following :

update-initramfs -u

exit
reboot

Configuration of rEFInd

Boot to Mac OSX and configure the refind.conf.

sudo nano /EFI/refind/refind.conf

Change from :

scan_all_linux_kernels #scan_all_linux_kernels false

Change to :

#scan_all_linux_kernels scan_all_linux_kernels false

Then, you can boot to Kali Linux without problem.

Tailor-made Kali Linux

Boot to Kali Linux. Then configure it by refering to this guide and this guide.

That's all! See you.

Thursday, March 06, 2014

HOWTO : Dual Boot Kali Linux 1.0.6 on MacBook Air (Mid 2013) with rEFInd 0.7.7

A better method to dual boot Kali Linux on MacBook Air with rEFInd is here.


Pros :

(1) Simple to Use and Install
(2) Straight Forward
(3) Easy to Use and Install

Cons :

(1) No GRUB on Kali Linux
(2) Need to be coexist with Mac OSX
(3) Bootloader is situated in Mac OSX
(4) Need to Edit rEFInd configure file when the Kali Linux Kernel is upgraded
(5) The Mac OSX should not be whole disk encrypted
(6) The Kali Linux cannot be full disk encryption

Step 1 :

First of all, you are required to create a bootable USB pendrive for Kali Linux. Please refer to the Kali Linux Documentation for the procedure at here. I recommend to use 4GB (or larger) USB 2.0 pendrive.

Step 2 :

Boot up Macbook Air and resize the existing partition by adding one more partition with "Disk Utilities". After applied the change, you need to delete the partition that you just created (the partition without Mac OSX). Then leave it unformated.

Step 3 :

Go to rEFInd official site and download the binary zip file. Unzip the downloaded file.

cd Download/refind-bin-0.7.7/
sudo ./install.sh --alldrivers


Step 4 :

Insert the bootable Kali Linux USB pendrive and reboot the Macbook Air with long pressing the "Option" or (alt) key. Upon the boot menu is displayed, select the "Windows" icon to boot the Kali Linux.

Make sure you are connected to the internet by "Thunderbolt to Ethernet" or "PCi USB 3.0 Gagabit LAN Adapter UE-1000T-G3". If you want to connect to internet with wifi, you are required to install the wireless driver by following this guide.

Select "Install" or "Graphical Install". When going to the partition part, select "Install on the available free space". Do not select entire disk; otherwise, you will delete the Mac OSX partitions.

Follow the instruction on screen to install. When you are prompted to select where to install the GRUB, just skip it. GRUB is not required to install.

Then finish the install. Reboot and unplug the USB pendrive.

Step 5 :

Boot to Kali Linux via rEFInd Boot Manager menu. Find out the UUID of EXT4 partition. You can find it at /etc/fstab or "System Monitor". You are also required to write down the file names of /boot. After that, reboot to Mac OSX.

Step 6 :

Boot to Mac OSX via rEFInd Boot Manager menu. Go to the /EFI/refind.

cd /EFI/refind
sudo nano refind.conf


Append the following to the end of the file :



* replace the captioned UUID with your UUID; otherwise, it will not be booted up.

* where 'volume "3:"' is the forth partition that the Kali Linux root is situated.

Step 7 :

Reboot and you will see two Linux icons. The first one is detected automatically which has no optional kernel parameters. Select the second Linux icon which is labelled "Kali Linux". If you can boot to the Kali Linux. The setup is almost completed.

Step 8 :

Reboot to Mac OSX again. Go to the /EFI/refind/refind.conf.

Locate "scan_all_linux_kernels" and comment it out with "#" in the front of the line.

Step 9 :

Reboot to Kali Linux and configure the Kali Linux by following this guide and also this guide. Do not follow the "CUDA" part if you have no nVidia display card.

Step 10 :

After done the Step 9, you can reboot to Kali Linux by selecting the only Linux icon. Now, the setup is completed. Enjoy!

Remarks :

If the Kali Linux kernel is upgraded, you need to change the kernel version at the rEFInd config file.

The full disk encryption for Kali Linux and Mac OSX are not supported.

You may consider to add "noatime, nodiratime, discard" to the /etc/fstab.

That's all! See you.

Saturday, March 01, 2014

HOWTO : Kali Linux 1.0.6 for All Purpose

This article is also suit for Kali Linux 1.0.9a

Kali Linux is designed for penetration testing. I am going to make it for daily use operating system as well as for penetration testing.

Installation

Make sure you select full disk encryption when install the Kali Linux on your computer. Your root password should be as strong as possible.

(A) Sudoer

Basic user of Kali Linux is root. For daily usage, a sudoer is much better.

Login as root. Create a new user, e.g. "Samiux" at Applications -- System Tools -- Preferences -- System Settings -- User Accounts. Make sure the new user password is strong enough.

adduser samiux sudo

* where samiux is the new user name.

Then, you need to logout and re-login to make the setting effective. Now, you can use command with "sudo" with your user's password.

(B) Apparmor

It is not effective to use "NoScript" Add-ons on Iceweasel as almost all web pages are using javascript. To protect your browser from being compromised, an alternative way is to implement the Apparmor. Apparmor for Iceweasel can be used in penetration testing and daily use.

sudo apt-get install apparmor apparmor-docs apparmor-notify apparmor-profiles apparmor-utils dh-apparmor python-libapparmor

Edit the /etc/default/grub to make apparmor to active after boot.

sudo nano /etc/default/grub

Locate the following string :

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

To make it looks like :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"

Then run the following command :

sudo update-grub

After that, create a file namely usr.lib.iceweasel.iceweasel at /etc/apparmor.d/ :

sudo nano /etc/apparmor.d/usr.lib.iceweasel.iceweasel

Copy the following content to the file and save it.



Then change the mode of iceweasel apparmor to enforce by using the following command :

sudo aa-enforce /etc/apparmor.d/usr.lib.iceweasel.iceweasel

To update the rule of apparmor, just run the following command and ask some questions. Most likely, you just need to answer "Allow".

sudo aa-logprof

(C) Iceweasel Add-ons

You may need to install "FoxyProxy" Add-ons to Iceweasel.

sudo apt-get install xul-ext-foxyproxy-standard

You can install any available Add-ons by searching the database :

sudo apt-cache search xul-ext

(D) Power Saving for Laptop

Applying the following setting, your battery life of your laptop will be extended a bit, for example 2 hours battery life more. I have tested this setting on Lenovo ThinkPad X201s and Apple MacBook Air (Mid 2013) with Live USB as well as a Zotac small PC with nVidia display.

Although the i915 is for Intel display, but it is no harm to add them to your box.

nano /etc/modprobe.d/i915.conf

Append the following :

options i915 i915_enable_rc6=1
options i915 i915_enable_fbc=1
options i915 lvds_downclock=1


update-initramfs -u

This file "99macbookair6" is for USB 3.0 power saving. Download this file, "99macbookair6", make it executable and place it at /etc/pm/power.d/99macbookair6



nano /etc/rc.local

Insert the following before "exit 0".

/etc/pm/power.d/99macbookair6 true

Then install the tlp.

nano /etc/apt/sources.list

Append the following :

deb http://ppa.launchpad.net/linrunner/tlp/ubuntu lucid main

Save and exit. Then run the following :

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 02D65EFF

apt-get update
apt-get install tlp tlp-rdw


nano /etc/default/tlp

Change the following values.

DISK_IDLE_SECS_ON_AC=0
DISK_IDLE_SECS_ON_BAT=2
MAX_LOST_WORK_SECS_ON_BAT=60
CPU_SCALING_GOVERNOR_ON_BAT=powersave
DISK_APM_LEVEL_ON_BAT="1 1"
RUNTIME_PM_ALL=1
RESTORE_DEVICE_STATE_ON_STARTUP=1


* Or, leave the /etc/default/tlp settings untouch

To examine the power saving condition, you can install and run "powertop" or/and run "tlp-stat".

sudo apt-get install powertop

sudo nano /etc/default/grub

Locate the following string :

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"

And make it looks like :

GRUB_CMDLINE_LINUX_DEFAULT="quiet pcie_aspm=force apparmor=1 security=apparmor radeon.dpm=1 acpi_backlight=vendor"

Then run the following command :

sudo update-grub

No matter your display card is Intel, nVidia or AMD Radeon, you can apply the captioned setting. Meanwhile, you can alter the settings at the /etc/default/tlp for your display card (any) even the settings labelled as "radeon".

If your laptop is Lenovo ThinkPad, you need to install the following too. After that, restart the tlp or reboot.

sudo apt-get install tp-smapi-dkms acpi-call-tools

(E) Changing Repositories Mirror

If your Kali Linux update/upgrade is slow due to slow mirror, you can hard code the repositories mirror in order to improve the update/upgrade performance.

There is a mirror list of Kali Linux. You can change the mirror at /etc/apt/sources.list by refering to this link.

(F) nVidia CUDA

If you have an nVidia card and wanted to use CUDA to do password cracking, you can refer to this link for the installation.

(G) Some Useful Applications

There are some useful applications that you may want to install to the Kali Linux. You can refer to this link for the installation.

Apparmor for Hexchat (/etc/apparmor.d/usr.bin.hexchat) :



Apparmor for Radiotray (/etc/apparmor.d/usr.bin.radiotray) :



Apparmor for VirtualBox (/etc/apparmor.d/usr.bin.VBox) :



(H) Lenovo ThinkPad TrackPoint

nano /usr/share/X11/xorg.conf.d/20-thinkpad.conf

Copy the following to the 20-thinkpad.conf :



(I) Kali Linux GRUB Background Reborn

After the installation, the GRUB background of the Kali Linux will be blue on black. However, it should be a Kali Linux background. We are going to get it back.

sudo apt-get update
sudo apt-get remove grub-pc
sudo apt-get install grub-pc


After that, you can reboot your computer.

That's all! See you.