Sunday, December 1, 2019

FilterLists

FilterLists is a web site that catalogs filter lists for services and applications such as Pi-hole and uBlock Origin.

https://filterlists.com

bmon

The bmon utility displays network bandwidth usage on a Linux system.  On a Debian-based system, the following command installs it.

sudo apt-get install bmon

To launch the utility, simply run bmon.  By default it displays bytes per second; to display bits per second instead, launch it with the -b switch.

https://www.networkworld.com/article/3447936/viewing-network-bandwidth-usage-with-bmon.html

Flan Scan

Flan Scan is a lightweight network vulnerability scanner.  Flan Scan is a wrapper over Nmap and the vulners script which turns Nmap into a full-fledged network vulnerability scanner.

https://www.kitploit.com/2019/11/flan-pretty-sweet-vulnerability-scanner.html

https://github.com/cloudflare/flan

Sparrow-WiFi

Sparrow-wifi has been built from the ground up to be the next generation 2.4 GHz and 5 GHz Wi-Fi spectral awareness tool.  At its most basic it provides a more comprehensive GUI-based replacement for tools like inSSIDer and linssid that runs specifically on Linux.

https://www.kitploit.com/2019/11/sparrow-wifi-next-gen-gui-based-wifi.html

https://github.com/ghostop14/sparrow-wifi

Rebel Framework

Rebel Framework is a penetration testing framework.

https://www.kitploit.com/2019/09/rebel-framework-advanced-and-easy-to.html

https://github.com/reb311ion/rebel-framework

Projector Central

Projector Central is a resource for projectors for different purposes such as home theater and portable.

https://www.projectorcentral.com/

Friday, November 1, 2019

How to enable dark mode for all sites with Chrome

Starting with Chrome version 78, a flag is available to force dark mode on all web sites.  Enter chrome://flags in the address bar, search for "dark mode", and set "Force Dark Mode for Web Contents" to Enabled.


https://www.howtogeek.com/446198/how-to-force-dark-mode-on-every-website-in-google-chrome/

Neverware CloudReady

The Home edition is the free version of CloudReady, an operating system based on Google's Chromium OS.  A USB utility is available for Windows to create the installation drive.

After the installation has completed, one component to update is the optional media codecs under Settings.

https://www.neverware.com/freedownload

Bitwarden

Bitwarden is a free and open-source password management service that stores information such as website credentials in an encrypted vault. The Bitwarden platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a CLI.

https://bitwarden.com/

Potentially Unwanted Application (PUA) test file

The web site below has an .EXE file that should be identified as a PUA threat by local security clients.

https://www.amtso.org/feature-settings-check-potentially-unwanted-applications/

Other test files are available on the same site at:

https://www.amtso.org/security-features-check/


Disable interactive ads with a Roku

To disable interactive ads with a Roku-based TV device, access Settings > Privacy > Smart TV Experience and disable the “Use info from TV inputs” feature.  This parameter is only present with Roku-based TV units and not standalone devices (at this time.)

Tuesday, October 1, 2019

Configuring auto-login with Windows 10

To configure an account to log in automatically with Windows 10, press Windows Key+R to open the Run dialog and enter netplwiz.  Under the Users tab, clear the checkbox "Users must enter a user name and password to use this computer."  A dialog box then asks for the credentials to use.  Two caveats: anyone with physical access boots straight into that account, and the stored password sits in the LSA secrets store where a local administrator can read it.  On newer Windows 10 builds the checkbox is hidden while "Require Windows Hello sign-in for Microsoft accounts" is enabled under Settings > Accounts > Sign-in options.


Examples of finding files within Linux

Below are some examples of how to find files within Linux.  The which command returns the path of a command as found via $PATH.

which ping
/bin/ping

The locate command returns every path in its prebuilt database that contains the text, so results can be stale until updatedb runs again.  To focus on a particular path, pipe the output through grep.  The -i switch makes locate ignore case.

locate chrome | grep /home/sam

The find command walks the file system at the time it runs and accepts tests such as:

-iname - file name, case-insensitive
-mtime - modification time, in days
-perm - permission bits

The example below lists everything under the home directory whose contents were modified in the past seven days (-mtime checks the modification timestamp; Linux does not expose a creation time here):

find ~/ -mtime -7

https://distrowatch.com/weekly.php?issue=20190812

Quick method to copy system information from a Windows client to a text file

One quick method to obtain system information from a Windows client and save the results to a text file is to launch a command prompt and enter the following command:

systeminfo | clip

Use a text editor such as Notepad and paste the data in from the clipboard.

AntennaPod

AntennaPod is an open-source podcast client for the Android platform.

https://antennapod.org


chrx

The chrx project is designed to install Linux on Chromebook hardware.

https://chrx.org/

Ehtools Framework

Ehtools Framework is a Wi-Fi utility for Linux.

https://www.kitploit.com/2019/09/ehtools-framework-of-serious-wi-fi.html

https://github.com/entynetproject/ehtools

https://ehtools.pro

Sunday, September 1, 2019

How to disable web site notifications within Google Chrome

To disable the dialog box that appears when a web site asks for permission for notifications, enter the following URL:

chrome://settings/content/notifications

Toggle the parameter so the text displayed is "Block".



Boot time with Linux

If the Linux distribution uses systemd, some utilities are available to troubleshoot boot time.  To determine whether systemd is in use, check the name of PID 1:

grep -q systemd /proc/1/comm && echo I am using systemd || echo I am not using systemd


Running systemd-analyze with no arguments prints the total time spent in firmware, boot loader, kernel and user space.  Use the following command to list start-up units in descending order of the time each one took to initialise.

systemd-analyze blame


https://distrowatch.com/weekly.php?issue=20190610

Syncthing

Syncthing is a continuous file synchronization program.  Clients are available for Windows, macOS, Linux, and Android.

https://syncthing.net/


Remote Desktop Access via Chrome

Google has moved Chrome Remote Desktop to a web-based client at remotedesktop.google.com, replacing the earlier Chrome app.

https://9to5google.com/2019/06/05/chrome-remote-desktop-web/

https://remotedesktop.google.com/support




VMware Ports and Protocols web site

The web site below offers details on various products from VMware concerning the ports and protocols used.

https://ports.vmware.com/

Airgeddon

Airgeddon is a multi-use Bash script for Linux to audit wireless networks.

https://github.com/v1s1t0r1sh3r3/airgeddon

https://www.kitploit.com/2019/08/airgeddon-v921-multi-use-bash-script.html


Thursday, August 1, 2019

Pi-hole Notes

Below are some notes concerning the installation and configuration of the Pi-hole application on a Raspberry PI.

Etcher can be used to write a bootable image to a micro SD card.  The commands to install Etcher on Linux can be found at https://www.fossmint.com/etcher-usb-sd-card-bootable-image-creator-for-linux/.

Raspbian can be downloaded from https://www.raspberrypi.org/downloads/raspbian/.  The minimal (Lite) image is sufficient.

The default credentials for Raspbian are the user name pi and the password raspberry.  Once logged in, run sudo raspi-config to load the configuration utility.  Use option 1 to set a new password, and option 5 (Interfacing Options) then 2 (SSH) to enable the SSH daemon.

Run sudo nano /etc/dhcpcd.conf and uncomment the static IP section, then adjust the addresses to the local network.  The routers and domain_name_servers values must be reachable from the static address: with ip_address=192.168.1.200/24 as below, the file's example routers=192.168.0.1 is on a different subnet and has to be replaced by the gateway of the 192.168.1.0/24 network.

# Example static IP configuration:
interface eth0
static ip_address=192.168.1.200/24
#static ip6_address=fd51:42f8:caae:d92e::ff/64
static routers=192.168.0.1
static domain_name_servers=8.8.8.8 fd51:42f8:caae:d92e::1

Run sudo apt-get update and sudo apt-get upgrade so the system is fully patched.  The Pi-hole site (https://pi-hole.net/) gives the following one-line installer:

sudo curl -sSL https://install.pi-hole.net | bash

Note that sudo here applies only to curl; the installer re-runs itself with sudo when it needs root.  Piping a remote script straight into a shell means running code nobody has read, so a more cautious approach is to save the script to a file, review it, and then run that file with bash.

During the setup wizard a password for the web interface is displayed.  The web interface is reached at http://IP Address/admin.  To log in to the device remotely, use the command ssh IP Address -l pi.  To set a new password for the web interface, run sudo pihole -a -p.

Within the web interface, blocked queries can be seen in the log via Tools -> Tail pihole.log:

Jun 22 21:44:36 dnsmasq[651]: query[A] aol.com from 192.168.1.10
Jun 22 21:44:36 dnsmasq[651]: /etc/pihole/black.list aol.com is 0.0.0.0

The same log can be followed in an SSH session with sudo tail -F /var/log/pihole.log or pihole -t.  Search for a particular domain with a command such as grep aol.com /var/log/pihole.log.

The command pihole -up can be used to update the Pi-hole application itself.

pi@raspberrypi:/ $ pihole -up
  [i] Checking for updates...
  [i] Pi-hole Core:     up to date
  [i] Web Interface:    up to date
  [i] FTL:              up to date

  [✓] Everything is up to date!

Regex examples can be found at https://github.com/mmotti/pihole-regex/blob/master/regex.list and https://www.reddit.com/r/pihole/comments/b3fj60/regex_megathread/.

The domain lists can be updated using the pihole -g command.

pi@raspberrypi:~ $ pihole -g
  [i] Pi-hole blocking is enabled
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [i] Target: raw.githubusercontent.com (hosts)
  [✓] Status: Retrieval successful

  [i] Target: mirror1.malwaredomains.com (justdomains)
  [✓] Status: Retrieval successful

  [i] Target: sysctl.org (hosts)
  [✓] Status: No changes detected

  [i] Target: zeustracker.abuse.ch (blocklist.php?download=domainblocklist)
  [✓] Status: No changes detected

  [i] Target: s3.amazonaws.com (simple_tracking.txt)
  [✓] Status: No changes detected

  [i] Target: s3.amazonaws.com (simple_ad.txt)
  [✓] Status: No changes detected

  [i] Target: hosts-file.net (ad_servers.txt)
  [✓] Status: No changes detected

  [✓] Consolidating blocklists
  [✓] Extracting domains from blocklists
  [i] Number of domains being pulled in by gravity: 137133
  [✓] Removing duplicate domains
  [i] Number of unique domains trapped in the Event Horizon: 114873
  [i] Number of whitelisted domains: 0
  [i] Number of blacklisted domains: 0
  [i] Number of regex filters: 17
  [✓] Parsing domains into hosts format
  [✓] Cleaning up stray matter

  [✓] Force-reloading DNS service
  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled

The command pihole -t tails the real-time log:

pi@raspberrypi:~ $ pihole -t
  [i] Press Ctrl-C to exit
23:49:59 dnsmasq[651]: forwarded spectrum.s3.amazonaws.com to 8.8.8.8
23:49:59 dnsmasq[651]: reply spectrum.s3.amazonaws.com is
23:49:59 dnsmasq[651]: reply s3-directional-w.amazonaws.com is
23:49:59 dnsmasq[651]: reply s3-1-w.amazonaws.com is 52.216.9.139
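
The two log formats above (the dated lines in pihole.log and the undated lines from pihole -t) reduce easily to per-client numbers.  The script below is an added example, not code from the original post or from the Pi-hole project: it parses the query, block and forwarded lines, attributes each block to the client that last asked for that domain (dnsmasq does not log the client on the block line), and flags upstream resolvers that are not in the expected set.  The log lines inside it are constructed to match the formats shown here.

```python
"""Summarise a Pi-hole (dnsmasq) query log: added example, not from the post or Pi-hole."""
import re
from collections import Counter

# dnsmasq lines start with an optional "Mon DD " date, a time, then "dnsmasq[pid]: ".
LINE_RE = re.compile(r"^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+)?\d\d:\d\d:\d\d dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<domain>\S+) from (?P<client>\S+)$")
# Blocked answers name the list file: /etc/pihole/black.list, gravity.list, regex.list ...
BLOCK_RE = re.compile(r"^/etc/pihole/\S+ (?P<domain>\S+) is (?:0\.0\.0\.0|::)$")
FORWARD_RE = re.compile(r"^forwarded (?P<domain>\S+) to (?P<upstream>\S+)$")

# Constructed sample in both formats shown above (dated and undated lines).
SAMPLE_LOG = """\
Jun 22 21:44:36 dnsmasq[651]: query[A] aol.com from 192.168.1.10
Jun 22 21:44:36 dnsmasq[651]: /etc/pihole/black.list aol.com is 0.0.0.0
Jun 22 21:44:40 dnsmasq[651]: query[A] spectrum.s3.amazonaws.com from 192.168.1.10
Jun 22 21:44:40 dnsmasq[651]: forwarded spectrum.s3.amazonaws.com to 8.8.8.8
Jun 22 21:44:40 dnsmasq[651]: reply s3-1-w.amazonaws.com is 52.216.9.139
21:45:02 dnsmasq[651]: query[AAAA] ads.example.net from 192.168.1.22
21:45:02 dnsmasq[651]: /etc/pihole/gravity.list ads.example.net is ::
21:45:05 dnsmasq[651]: query[A] tracker.example.org from 192.168.1.22
21:45:05 dnsmasq[651]: /etc/pihole/regex.list tracker.example.org is 0.0.0.0
21:45:09 dnsmasq[651]: query[A] example.com from 192.168.1.22
21:45:09 dnsmasq[651]: forwarded example.com to 1.1.1.1
not a dnsmasq line, ignored by the parser
"""


def parse_pihole_log(lines):
    """Return counters: queries and blocks per client, blocked domains, upstreams used."""
    queries = Counter()
    blocked_by_client = Counter()
    blocked_domains = Counter()
    upstreams = Counter()
    last_client = {}  # domain -> client that most recently queried it
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            queries[q.group("client")] += 1
            last_client[q.group("domain")] = q.group("client")
            continue
        b = BLOCK_RE.match(msg)
        if b:
            domain = b.group("domain")
            blocked_domains[domain] += 1
            # The block line carries no client; use the most recent query for that domain.
            blocked_by_client[last_client.get(domain, "unknown")] += 1
            continue
        f = FORWARD_RE.match(msg)
        if f:
            upstreams[f.group("upstream")] += 1
    return {"queries": queries, "blocked_by_client": blocked_by_client,
            "blocked_domains": blocked_domains, "upstreams": upstreams}


def unexpected_upstreams(summary, expected):
    """Resolvers seen in 'forwarded' lines that are not in the configured set.
    Anything listed here means queries left via a resolver nobody configured."""
    return sorted(set(summary["upstreams"]) - set(expected))


def block_rate(summary, client):
    """Fraction of a client's queries that were answered from a block list."""
    total = summary["queries"][client]
    return summary["blocked_by_client"][client] / total if total else 0.0


if __name__ == "__main__":
    s = parse_pihole_log(SAMPLE_LOG.splitlines())
    for client, n in s["queries"].most_common():
        print(f"{client:16} queries={n} blocked={s['blocked_by_client'][client]} "
              f"rate={block_rate(s, client):.0%}")
    print("top blocked:", s["blocked_domains"].most_common(3))
    print("unexpected upstreams:", unexpected_upstreams(s, {"8.8.8.8"}))
```

Feed it the real file with parse_pihole_log(open("/var/log/pihole.log")); the expected set passed to unexpected_upstreams should be the upstream servers chosen in the Pi-hole setup wizard.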

Additional lists such as https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list can be added via the web interface under Settings -> Blocklists tab.  A web site with details on additional lists can be found at https://firebog.net.

Parameters can be backed up to a single file under Settings -> Teleporter.  A restore option is available if migrating the service to new hardware.

Kali NetHunter App Store for Android

Kali NetHunter App Store hosts security-relevant Android applications.  It is an F-Droid-based alternative to the Google Play store and works on any Android device, not only NetHunter installations.

https://store.nethunter.com/


Commando VM

Commando VM is a Windows-based security distribution for penetration testing and red teaming.

https://www.fireeye.com/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html

https://isc.sans.edu/forums/diary/Commando+VM+The+Complete+Mandiant+Offensive+VM/25136/

Rifiuti2

Rifiuti2 analyses Windows Recycle Bin files, a routine step in Windows forensics.  It can extract the deletion time, original path and size of deleted files.

https://abelcheung.github.io/rifiuti2/

https://www.kitploit.com/2019/07/rifiuti2-windows-recycle-bin-analyser.html


Whonix

Whonix is an operating system focused on anonymity, privacy and security.  It is based on the Tor anonymity network, Debian GNU/Linux and security by isolation.  According to the project, DNS leaks are impossible and not even malware with root privileges can discover the user's real IP address.

Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.



Sysinternals Sysmon

Sysmon is a Windows system service and device driver that remains resident across system reboots to monitor and log system activity to the Windows event log. It can log detailed information about process creations, network connections, and changes to file creation time. 


https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

A pre-built configuration file can be found at:

https://github.com/SwiftOnSecurity/sysmon-config

To install Sysmon with the configuration file, download the Sysmon utility and extract the .ZIP file, then from an elevated prompt run the Sysmon executable with the -accepteula and -i switches followed by the path to the XML file.  If the XML file was saved through a browser and Sysmon rejects it with the error "DTD is prohibited", the saved file is usually the GitHub HTML page rather than the raw XML (HTML begins with a DOCTYPE declaration, which Sysmon's XML parser refuses).

To avoid this error, open the Raw view of the .XML file on GitHub and save that, or copy and paste the contents into a text editor such as Notepad++ and save the file using the original file name.

To verify the service was installed and logging is occurring, launch an elevated PowerShell session and enter the following commands.

Get-Service sysmon

Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 10

The logs can be manually viewed via the Computer Management MMC (compmgmt.msc) using the path Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational.



The .XML file includes comments concerning some of the parameters included.


Below is an example of a Sysmon event (Event ID 3, Network connection detected) generated by running the nslookup command.

Network connection detected:
RuleName:
UtcTime: 2019-02-23 23:41:00.742
ProcessGuid: {8fcfd9c4-da0c-5c71-0000-0010dc068801}
ProcessId: 1636
Image: C:\Windows\System32\nslookup.exe
User: sam
Protocol: udp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.254.27
SourceHostname: computer
SourcePort: 60836
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 192.168.254.254
DestinationHostname:
DestinationPort: 53
DestinationPortName: domain


Monday, July 1, 2019

Installing Firefox on an Amazon tablet

The default web browser on an Amazon tablet is the Silk Browser.  Other popular browsers such as Chrome or Firefox are not present in the Amazon Appstore, but Firefox can be sideloaded manually.

The first step is to allow installation of applications from unknown sources.  The current path is Settings -> Security and Privacy -> Apps from Unknown Sources.

Open the Silk Browser and access the web page https://wiki.mozilla.org/Mobile/Platforms/Android.  A direct link to the .APK download should be present.  To download the file, press and hold on the download link.  A dialog box appears with several options such as opening in a new tab; select the Download link option.

A dialog box then warns that this type of file can harm the device.  Tap OK and the file is downloaded to the tablet.

Once the download has completed, tap Open.  A list of privacy and device access permissions is displayed.  Tap Next, and then Install.

One negative aspect of this method is future updates.  Since the application was not installed via an app store, it will not be patched automatically, so the APK has to be downloaded and installed by hand for each new release.  Consider turning "Apps from Unknown Sources" back off once the install is done.

Free Mac security utilities

The site below has several free security utilities for the macOS platform.

https://objective-see.com/products.html


Dnstap

Dnstap is a structured binary log format for DNS software. It uses Protocol Buffers to encode events that occur inside DNS software in an implementation-neutral format.

http://dnstap.info/

https://www.blackhillsinfosec.com/tap-into-your-valuable-dns-data/


PcapXray

PcapXray is a Network Forensics Tool to visualize a packet capture offline as a network diagram including device identification, highlight communication, and file extraction.

https://www.kitploit.com/2019/06/pcapxray-v25-network-forensics-tool-to.html

https://github.com/Srinivas11789/PcapXray

KeePassXC

KeePassXC is a community fork of KeePassX, which itself was a cross-platform port of the Windows password manager KeePass.



https://keepassxc.org/



Attack Surface Analyzer

Attack Surface Analyzer is a utility that snapshots an operating system's security configuration before and after a software installation and reports the changes.

https://github.com/Microsoft/AttackSurfaceAnalyzer

https://www.microsoft.com/security/blog/2019/05/15/announcing-new-attack-surface-analyzer-2-0/


SyncBack

SyncBack is a utility for Windows to sync data.  A free version is available.

https://www.2brightsparks.com/

Saturday, June 1, 2019

How to Restart Video Driver in Windows 10

To restart the video driver within Windows 10, use the following keyboard combination.

Windows Key + Control Key + Shift Key + B Key

https://winaero.com/blog/restart-video-driver-windows-10/

DeepBlueCLI

DeepBlueCLI is a PowerShell module for hunting through Windows Security and System event logs.

https://github.com/sans-blue-team/DeepBlueCLI

https://www.activecountermeasures.com/log-analysis-part-2-detecting-host-attacks-or-how-i-found-and-fell-in-love-with-deepbluecli/

EvtxECmd

EvtxECmd is a Windows Event Log (evtx) parser.

https://binaryforay.blogspot.com/2019/04/introducing-evtxecmd.html

http://windowsir.blogspot.com/2019/05/evtxecmd.html


LogonTracer

LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph.

https://github.com/JPCERTCC/LogonTracer

https://www.activecountermeasures.com/log-analysis-part-3-lateral-movement/


DF and DU commands within Linux

Below are some examples of the df and du commands within Linux.  To view disk usage in megabytes, use the command

df -BM


The -h switch selects human-readable sizes (K, M, G).


The following command displays a summary (-s) of the disk usage of each item in the current directory.

du -h -s *


https://www.howtogeek.com/409611/how-to-view-free-disk-space-and-disk-usage-from-the-linux-terminal/

Wednesday, May 1, 2019

Linux clean up commands

The following commands can be used within Linux to clean up a few components.

Remove cached package files that can no longer be downloaded -> sudo apt autoclean

Remove the whole apt package cache -> sudo apt-get clean

Remove dependencies that are no longer needed -> sudo apt autoremove



Windows Event Forwarding Guidance

The site below has information on the topic of Windows Event Forwarding.

https://github.com/palantir/windows-event-forwarding

Swappa

Swappa is a web site to buy or sell tech products such as laptops or smartphones.

https://swappa.com/

Osmedeus

Osmedeus automates running a collection of tools for reconnaissance and vulnerability scanning against a target.

https://github.com/j3ssie/Osmedeus

https://www.kitploit.com/2019/04/osmedeus-fully-automated-offensive_27.html


EasySploit

EasySploit is a Metasploit automation project.  Payloads are available for different operating systems.

https://github.com/KALILINUXTRICKSYT/easysploit

https://www.kitploit.com/2019/04/easysploit-metasploit-automation-easier.html

Suricata

Suricata is a free and open source network threat detection engine.
The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.

Monday, April 1, 2019

Manage start-up with Linux that uses systemd

To list the unit files systemd knows about, with their enabled/disabled state:

systemctl list-unit-files



To view only the loaded, active service units:

systemctl list-units --type=service

To view the status of a specific service such as bluetooth:

systemctl status bluetooth

To stop an entry such as bluetooth from starting at boot (this does not stop an instance that is already running):

sudo systemctl disable bluetooth



https://www.commandlinux.com/man-page/man1/systemctl.1.html


One method to install Google Chrome with Linux Mint

One method to install Google Chrome within Linux Mint is to use the following commands.  sudo is only needed for the steps that write to system locations (apt-key, tee and apt); the wget and echo run as the normal user.

wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" | sudo tee /etc/apt/sources.list.d/google-chrome.list

sudo apt update

sudo apt install -y google-chrome-stable

https://www.itzgeek.com/how-tos/linux/linux-mint-how-tos/how-to-install-google-chrome-on-linux-mint-19-tara.html


Etcher

Etcher is a utility to create bootable SD and USB media.  A portable version is available for Windows.

https://www.balena.io/etcher/

https://portableapps.com/apps/utilities/balenaetcher-portable


VDI script for Windows 10

The links below are concerning a VDI configuration script for Windows 10.

https://blogs.technet.microsoft.com/askpfeplat/2019/03/20/windows-10-build-1803-vdi-optimization-script-primer/

https://github.com/TheVDIGuys/W10_1803_VDI_Optimize


Bitdefender Traffic Light

Bitdefender Traffic Light is a free cross-browser add-on that intercepts, processes, and filters all web traffic and blocks malicious content.

https://www.bitdefender.com/solutions/trafficlight.html


Otter Browser

Otter Browser aims to recreate the best aspects of the classic Opera (12.x) UI using Qt5.

https://otter-browser.org


Friday, March 1, 2019

Google “Private DNS” with Android 9

Android 9 supports "Private DNS", which uses DNS-over-TLS to provide confidentiality and integrity for DNS queries.  Configure it with the following steps.
  1. Go to "Settings" → "Network & Internet" → "Advanced" → "Private DNS".
  2. Select "Private DNS provider hostname".
  3. Enter dns.google as the hostname of the DNS provider.
  4. Tap Save.

https://developers.google.com/speed/public-dns/docs/using

https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html


Emsisoft Browser Security Extension

Emsisoft offers a browser security extension for Chrome, Firefox, and Edge that will attempt to block access to known phishing, malware, or scam sites.

https://www.bleepingcomputer.com/news/security/emsisoft-browser-security-protects-you-from-malicious-sites/

https://chrome.google.com/webstore/detail/emsisoft-browser-security/jfofijpkapingknllefalncmbiienkab?hl=en



Extend Windows Server Evaluation

Windows Server evaluation versions will by default "deactivate" after 180 days.  The evaluation period can be extended up to 6 times.  To see the current licensing status, including the remaining rearm count, launch an elevated command prompt and enter the following command.

slmgr /dlv

After a few seconds, a pop-up window appears displaying information about the licensing status of the server.  The extension itself is performed with the /rearm switch of slmgr, followed by a reboot.

https://www.petri.com/how-to-extend-windows-server-evaluation

Install software on multiple computers remotely with PowerShell

A PowerShell script is available that allows software installation on multiple computers.

https://gallery.technet.microsoft.com/scriptcenter/Install-software-on-9278d883

http://terenceluk.blogspot.com/2019/02/using-installsoftwareremotelyps1-to.html

Logging Cheat Sheets for Windows

The following web site offers cheat sheets concerning the configuration of logging for Windows.

https://www.malwarearchaeology.com/cheat-sheets

Web site of honeypot resources

The web site below contains a list of resources concerning honeypots.

https://github.com/paralax/awesome-honeypots

Web site to determine when a Chromebook will lose support

Google has a web site that lists when a particular Chromebook model will lose update support.

https://support.google.com/chrome/a/answer/6220366?hl=en

Friday, February 1, 2019

Ubiquiti WiFiman

Ubiquiti offers a WiFiman mobile app that provides a suite of tools to monitor, analyze, and improve Wi-Fi performance.

https://blog.ubnt.com/2018/12/11/introducing-wifiman/

https://itunes.apple.com/us/app/ubiquiti-wifiman/id1385561119?mt=8

https://play.google.com/store/apps/details?id=com.ubnt.usurvey

OpenPhish

OpenPhish is a web site with a list of phishing URL’s.

https://openphish.com/

How to configure Squid on a Linux server

Below are some details of the configuration for a Squid service running on an Ubuntu server.  The server in question was using Ubuntu Server 18.04 as the operating system.
#
#  Determine the network interface name (ifconfig is not installed by default on 18.04; ip addr shows the same information)
#
ifconfig
#
#  Set static IP address
#
sudo nano /etc/netplan/50-cloud-init.yaml
#
#  The default should be similar to the text below (ens32 is the interface name found above)
#
network:
    ethernets:
        ens32:
            addresses: []
            dhcp4: true
    version: 2
#
#  Modify the file to resemble the following.  Keep the interface name that was reported
#  and keep the indentation consistent; netplan apply rejects badly indented YAML
#
network:
    ethernets:
        ens32:
            dhcp4: no
            dhcp6: no
            addresses: [192.168.99.99/24]
            gateway4: 192.168.99.1
            nameservers:
                addresses: [8.8.8.8]
    version: 2
#
#  Execute the following command to update and save the configuration
#
sudo netplan apply
#
#  If you are logged in remotely via SSH, the connection will drop when the address changes
#
#  Once logged back in using the new static IP address, update the OS itself
#
sudo apt-get update
sudo apt-get upgrade
#
#  Disable IPv6
#
sudo nano /etc/sysctl.conf
#
#  Add the following lines
#
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#
#  Apply the new settings without a reboot (re-reads /etc/sysctl.conf)
#
sudo sysctl -p
#
#  Verify IPv6 is disabled; a "1" should be returned
#
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
#
#  Install Squid (on 18.04 "squid3" is a transitional package that pulls in the "squid" package)
#
sudo apt-get install squid3 -y
#
#  Allow traffic to the listening port on the local firewall
#
sudo ufw allow 3128/tcp
#
#  Make a copy of the original default configuration file
#
sudo cp /etc/squid/squid.conf /etc/squid/squid.original
#
#  Create a text file with a list of domains to block
#
sudo nano /etc/squid/blacklist.txt

.google.com
.bing.com
.yahoo.com

#
#  Edit the configuration file for Squid
#
sudo nano /etc/squid/squid.conf
#
#  At the top of the file, add the line below to include more details within the logs
#
debug_options ALL,2
#
#  Use Control-W to find the text "http_access allow localhost"
#
#  Add a rule to block the domains from the text file created above
#
acl blocksitelist dstdomain "/etc/squid/blacklist.txt"
#
#  Add rules to deny URLs that contain the text specified.  url_regex -i is matched against the
#  whole URL (host, path and query), so these also deny google.co.uk, but equally a search for
#  "google" on any other site or an unrelated host such as bingo.example.  Prefer dstdomain
#  where the intent is to block a domain
#
acl Yahoo url_regex -i yahoo
acl Google url_regex -i google
acl Bing url_regex -i bing
#
#  Specify the local subnet
#
acl localnet src 192.168.0.0/16
#
#  Add the deny rules.  http_access lines are evaluated in order and the first match wins,
#  so the deny lines must come before the allow line, and the "http_access deny all" at the
#  end of the default file must stay last
#
http_access deny blocksitelist
http_access deny Yahoo
http_access deny Google
http_access deny Bing
#
#  Allow the other traffic from the local subnet to pass
#
#  Change the default "http_access allow localhost" to the value below
#
http_access allow localnet
#
#  Use Control-W to find the text "dns_nameservers"
#
#  Configure the upstream DNS servers Squid uses by adding the following line (Google public DNS here;
#  use the internal resolvers instead if internal host names must resolve through the proxy)
#
dns_nameservers 8.8.8.8 8.8.4.4
#
#  Use Control-W to find the text "cache_mgr"
#
#  Set email address that is returned on an error page by adding the following line
#
cache_mgr address@domain.com
#
#  Use Control-W to search for text "Safe_ports"
#
#  This would be used if an internal service used a custom port such as 8383
#
#  Add port 8383 to the SSL_ports list and add a Safe_ports line below the http entry
#
acl SSL_ports port 443 8383
acl Safe_ports port 80          # http
acl Safe_ports port 8383        # internal service
#
#  Use Control-W to search for the text "logfile_rotate"
#
#  Uncomment the line and change the default 0 to 5 (the cron job that triggers the rotation is further below)
#
logfile_rotate 5
#
#  Save the configuration file.  "squid -k parse" checks the syntax without applying it;
#  the command below then loads the new parameters and reports any errors found
#
sudo squid -k reconfigure
#
#  Another option is to restart the service
#
sudo service squid restart

#  Logs are stored at /var/log/squid

#
#  To transfer log files to a Windows SMB share, install the smbclient application
#
sudo apt-get install smbclient
#
#  Make a copy of the log file in the user's home directory and hand ownership to that user
#  (chown is enough; a world-writable 777 copy would let any local user alter the evidence)
#
sudo cp /var/log/squid/access.log /home/sam
sudo chown sam:sam /home/sam/access.log
#
#  Use the smbclient to access the SMB share and transfer the file over
#
cd /home/sam
smbclient -m SMB2 -U 'server\user' \\\\192.168.x.x\\share
put access.log
#
#  Below are some examples of commands to review the log files with the converted time stamp
#
sudo perl -p -e 's/^([0-9]*)/"[".localtime($1)."]"/e' < /var/log/squid/access.log
sudo cat /var/log/squid/access.log | perl -p -e 's/^([0-9]*)/"[".localtime($1)."]"/e'
#
#  Below is an example to view denied traffic
#
sudo grep "DENIED" /var/log/squid/access.log
#
#  To rotate Squid's logs manually, use this command
#
sudo squid -k rotate
#
#  Use the commands below to add a cron job to rotate the logs at midnight.  The packaged
#  binary lives at /usr/sbin/squid (/usr/local/squid/bin is the path of a source build).
#  The Ubuntu package also ships /etc/logrotate.d/squid, so check that the two do not
#  both rotate the same files
#
sudo crontab -e
0 0 * * * /usr/sbin/squid -k rotate
#
#  Create a shell script to combine the logs into one file, and then map to a SMB share
#
cd /home/sam
nano logcopy.sh
#
#  Copy the following lines.  Squid numbers rotated logs from access.log.0 upwards, so adjust
#  the list to the files actually present in /var/log/squid, oldest first if the combined
#  file should read chronologically
#
#!/bin/bash
cp /var/log/squid/access.log /home/sam
chown sam:sam /home/sam/access.log
cp /var/log/squid/access.log.2 /home/sam
chown sam:sam /home/sam/access.log.2
cp /var/log/squid/access.log.3 /home/sam
chown sam:sam /home/sam/access.log.3
cp /var/log/squid/access.log.4 /home/sam
chown sam:sam /home/sam/access.log.4
cd /home/sam
cat access.log access.log.2 access.log.3 access.log.4 > logs.txt
smbclient -m SMB2 -U 'domain\account' \\\\192.168.x.x\\share
#
#  Mark the file as executable
#
chmod 755 logcopy.sh
#
#  Execute the script with sudo.  Enter the AD user account password at the smbclient prompt and use the
#  "put logs.txt" command to copy the file to the SMB share (smbclient's -c option can run that put
#  command unattended if the script is to be scheduled)
#
sudo ./logcopy.sh
#
#  One method to determine if the default Squid error page was returned is to search within the logs for the following string
#
http://proxy:3128/squid-internal-static/icons/SN.png
#
#  Below is an example of where an URL was denied access
#
1545790661.113      1 192.168.254.215 TCP_DENIED/403 3970 GET http://www.nbcnews.com/ - HIER_NONE/- text/html
1545790661.168      0 192.168.254.215 TCP_MEM_HIT/200 11704 GET http://proxy:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
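The two access.log lines above carry everything needed for a quick review: an epoch timestamp, the client, the TCP_DENIED result and the URL.  The script below is an added example, not code from the original post or from Squid.  It converts the first field to UTC (the perl one-liner above does the same in local time), lists the denied requests per client, and applies the heuristic from the note above that a request for squid-internal-static/icons/SN.png means the default error page was rendered.  The sample log lines are constructed around the two shown above.

```python
"""Parse Squid's native access.log: added example, not from the post or from Squid."""
from collections import Counter
from datetime import datetime, timezone

# Native format: time elapsed client code/status bytes method URL user hierarchy/peer type
FIELDS = ("time", "elapsed", "client", "result", "bytes", "method",
          "url", "user", "hierarchy", "type")

# Constructed sample built around the two lines shown above.
SAMPLE_LOG = """\
1545790661.113      1 192.168.254.215 TCP_DENIED/403 3970 GET http://www.nbcnews.com/ - HIER_NONE/- text/html
1545790661.168      0 192.168.254.215 TCP_MEM_HIT/200 11704 GET http://proxy:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
1545790702.551    318 192.168.254.215 TCP_MISS/200 15230 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1545790733.020      0 192.168.254.40 TCP_DENIED/403 3962 CONNECT www.google.com:443 - HIER_NONE/- text/html
"""


def parse_access_log(lines):
    """Turn log lines into dicts; the epoch timestamp becomes an ISO 8601 UTC string."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue  # blank or truncated line
        rec = dict(zip(FIELDS, parts))
        rec["code"], _, status = rec["result"].partition("/")
        rec["status"] = int(status)
        rec["utc"] = datetime.fromtimestamp(float(rec["time"]), tz=timezone.utc) \
            .strftime("%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def denied_requests(records):
    """Requests Squid refused because an http_access deny rule matched."""
    return [r for r in records if r["code"] == "TCP_DENIED"]


def denied_by_client(records):
    """Number of denied requests per client address."""
    return Counter(r["client"] for r in denied_requests(records))


def error_pages_served(records):
    """Heuristic from the notes above: the SN.png icon is only requested when Squid's own
    error page was rendered, so counting it approximates how often users saw the block page."""
    return sum(1 for r in records
               if r["url"].endswith("/squid-internal-static/icons/SN.png"))


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG.splitlines())
    for r in denied_requests(recs):
        print(f"{r['utc']} {r['client']:16} {r['method']:7} {r['url']}")
    print("denied per client:", dict(denied_by_client(recs)))
    print("error pages served:", error_pages_served(recs))
```

On the proxy itself, parse_access_log(open("/var/log/squid/access.log")) replaces the constructed sample; the timestamps come out in UTC regardless of the server's time zone, which keeps them comparable with logs from other systems.
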
#
#  The information above was concerning using Squid version 3.  To use Squid version 4, the following steps were used via https://github.com/diladele/squid-ubuntu.
#  The domain source was in Germany, so the geo-blocking parameter required some exceptions to allow the traffic to pass.
#  Note that this is a third-party repository and its signing key below is fetched over plain http: apt verifies package
#  signatures against that key, but the key itself arrives unauthenticated, so fetch it over https or verify its fingerprint out of band first.
#
#  add diladele apt key
#
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -
#
#  add repo
#
#  The original command below would return a "Permission denied" error, because the ">" redirection into /etc/apt is
#  performed by the unprivileged shell (prefixing echo with sudo does not help either):
#  echo "deb http://squid48.diladele.com/ubuntu/ bionic main" > /etc/apt/sources.list.d/squid48.diladele.com.list
#
#  Per a Google search, I used the following command to get around the permission error.
#
sudo su -c "echo 'deb http://squid48.diladele.com/ubuntu/ bionic main' >> /etc/apt/sources.list.d/squid48.diladele.com.list"
#
#  update the apt cache
#
sudo apt-get update
#
#  install the application
#
sudo apt-get install squid-common
sudo apt-get install squid 
sudo apt-get install squidclient
#
#   verify installed version
#
squid -v
#
#  Version 4 returned a warning concerning the original version 3 parameter of:
#  acl localnet src 192.168.0.0/16
#  So this was removed from the configuration file
#  (the default squid.conf shipped with version 4 already defines localnet with the RFC 1918 ranges, so the extra line duplicated it)
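
The deny rules in the squid.conf fragment above mix dstdomain (the blacklist file) with url_regex -i, and the two do not match the same way.  The script below is an added example, not code from the original post or from Squid: it reproduces the matching semantics of those two ACL types and of src, applies the http_access lines in file order the way Squid does (first match wins, with the default file's closing deny all), and runs a few constructed URLs and client addresses through them so the over-matching of url_regex is visible.

```python
"""Emulate Squid's http_access evaluation for the ACLs above: added example, not from the post or Squid."""
import ipaddress
import re
from urllib.parse import urlsplit

BLACKLIST = [".google.com", ".bing.com", ".yahoo.com"]  # contents of /etc/squid/blacklist.txt


def dstdomain_match(patterns, host):
    """Squid dstdomain: ".example.com" matches example.com and every subdomain;
    a pattern without a leading dot matches that exact host only."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def url_regex_match(pattern, url):
    """Squid url_regex -i: case-insensitive search over the whole URL, so the
    pattern also hits paths, query strings and unrelated hostnames."""
    return re.search(pattern, url, re.IGNORECASE) is not None


def src_match(networks, client_ip):
    """Squid src: client address inside one of the listed networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in networks)


# ACL definitions mirroring the squid.conf fragment: name -> predicate(request)
ACLS = {
    "blocksitelist": lambda r: dstdomain_match(BLACKLIST, r["host"]),
    "Yahoo": lambda r: url_regex_match("yahoo", r["url"]),
    "Google": lambda r: url_regex_match("google", r["url"]),
    "Bing": lambda r: url_regex_match("bing", r["url"]),
    "localnet": lambda r: src_match(["192.168.0.0/16"], r["client"]),
    "all": lambda r: True,
}

# http_access lines in file order.  Squid stops at the first line whose ACL
# matches; the default squid.conf ends with "http_access deny all".
HTTP_ACCESS = [
    ("deny", "blocksitelist"),
    ("deny", "Yahoo"),
    ("deny", "Google"),
    ("deny", "Bing"),
    ("allow", "localnet"),
    ("deny", "all"),
]


def http_access(client, url):
    """Return (action, acl) for the first http_access line that matches the request."""
    req = {"client": client, "url": url, "host": urlsplit(url).hostname or ""}
    for action, acl in HTTP_ACCESS:
        if ACLS[acl](req):
            return action, acl
    return "deny", "all"  # unreachable with the list above, kept for safety


# Constructed requests: a client inside localnet and one outside it.
SAMPLE_REQUESTS = [
    ("192.168.1.50", "http://www.google.com/"),              # intended block (dstdomain)
    ("192.168.1.50", "http://google.co.uk/"),                # caught only by url_regex
    ("192.168.1.50", "http://example.com/search?q=google"),  # collateral: "google" in the query
    ("192.168.1.50", "http://www.bingo-bank.example/"),      # collateral: "bing" inside another host
    ("192.168.1.50", "http://example.com/"),                 # allowed for localnet
    ("10.0.0.5", "http://example.com/"),                     # outside localnet: deny all
]

if __name__ == "__main__":
    for client, url in SAMPLE_REQUESTS:
        action, acl = http_access(client, url)
        print(f"{client:13} {url:40} -> {action:5} ({acl})")
```

The last two collateral cases are the point: a substring regex is the wrong tool for "block this domain", and moving those names into the dstdomain blacklist file removes the false positives while still denying the intended hosts.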

Appscope

Appscope is a directory of Progressive Web Apps, showcasing the best PWA examples. All apps listed run entirely in the web browser and launch instantly without an app download.

https://appsco.pe/

Snorpy

Snorpy is a web-based application to easily build Snort/Suricata rules in a graphical way. It is simple to use: start from the Action and Protocol fields, and as you fill in each field the rule builder shows the resulting rule in the bottom window.

http://snorpy.com/

https://isc.sans.edu/forums/diary/Snorpy+a+Web+Base+Tool+to+Build+SnortSuricata+Rules/24522/

MailStore Home

MailStore Home lets you archive your private email from almost any email source and search through them quickly.

https://www.mailstore.com/en/products/mailstore-home/

LOIC

LOIC is a network stress test utility.

https://sourceforge.net/projects/loic/

Tilix

Tilix is a tiling terminal emulator which uses the VTE GTK+ 3 widget library. It can display more than one terminal in the same window at the same time.

https://gnunn1.github.io/tilix-web/

https://www.omgubuntu.co.uk/2017/07/tilix-terminix-terminal-emulator-ubuntu

Tuesday, January 1, 2019

ss command within Linux

The ss (socket statistics) command displays details on socket activity.  Some command line switch examples:

ss -ta dumps all TCP sockets

ss -ua dumps all UDP sockets

ss -wa dumps all RAW sockets

ss -xa dumps all UNIX sockets

ss -4a dumps all IPv4 sockets

ss -6a dumps all IPv6 sockets

ss -lt displays only listening TCP sockets


ss -ltn displays the same data with numeric port numbers instead of service names


ss -t displays established TCP connections


https://www.networkworld.com/article/3327557/linux/using-ss-to-examine-network-connections.html
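One practical use of `ss -ltn` is to compare a host's listening sockets against the set an administrator expects. The parser below is an added example, not from the article; the `ss -ltn` output and the allowlist of expected ports are constructed for illustration.

```python
import re

# Constructed sample of `ss -ltn` output (listening TCP sockets, numeric ports),
# not captured from a real host. Columns: State Recv-Q Send-Q Local:Port Peer:Port
SS_LTN_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       5       127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     *:3128               *:*
LISTEN  0       50      192.168.1.10:8089    0.0.0.0:*
"""

# Ports an administrator expects to be listening on this host (constructed allowlist).
EXPECTED = {22, 631, 3128}

# Local address forms: "*", a bracketed IPv6 address, or a plain IPv4 address.
_ADDR = re.compile(r"^(?P<addr>\*|\[[^\]]*\]|[^:]+):(?P<port>\d+)$")

def parse_ss_ltn(text):
    """Parse `ss -ltn` output into (local_addr, port, family, recv_q) tuples."""
    rows = []
    for line in text.splitlines()[1:]:   # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        m = _ADDR.match(parts[3])
        if not m:
            continue
        addr, port = m.group("addr"), int(m.group("port"))
        family = "ipv6" if addr.startswith("[") else ("any" if addr == "*" else "ipv4")
        rows.append((addr, port, family, int(parts[1])))
    return rows

def unexpected_listeners(text, expected=EXPECTED):
    """Return (addr, port) for listeners whose port is not on the allowlist."""
    return [(a, p) for a, p, _, _ in parse_ss_ltn(text) if p not in expected]

def exposed_listeners(text):
    """Return ports bound to a wildcard address, i.e. reachable on every interface."""
    return sorted({p for a, p, _, _ in parse_ss_ltn(text) if a in ("0.0.0.0", "[::]", "*")})
```

On a live system, feed `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout` to these functions instead of the constructed sample.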

Microsoft Windows and Office ISO Download Tool

This tool allows an easy and comfortable way to download genuine Windows 7, Windows 8.1 and Windows 10 disk images (ISO) directly from Microsoft's servers, as well as Office 2010, Office 2013, Office 2016, Office 2019, Expression Studio and Office for Mac.

https://www.heidoc.net/joomla/technology-science/microsoft/67-microsoft-windows-and-office-iso-download-tool

LiveTcpUdpWatch

LiveTcpUdpWatch is a tool for Windows that displays live information about all TCP and UDP activity on your system. Every line in the main table of LiveTcpUdpWatch displays the protocol (TCP/UDP/IPv4/IPv6), local/remote IP address, local/remote port, number of sent/received bytes, number of sent/received packets, connect/disconnect time (for TCP only), and the process (ID and path) responsible for the activity.  LiveTcpUdpWatch uses the event tracing API to get live information from the Windows kernel about every TCP/UDP packet sent or received. It captures all UDP activity with process information without the need for a network sniffer.

http://www.nirsoft.net/utils/live_tcp_udp_watch.html


Tcpreplay

Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 packets and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPSs. Tcpreplay supports both single and dual NIC modes for testing both sniffing and in-line devices.

https://github.com/appneta/tcpreplay

https://www.kitploit.com/2018/12/tcpreplay-pcap-editing-and-replay-tools.html

Passer

Passer is a passive sniffer and inventory tool.

https://www.activecountermeasures.com/passer-a-passive-sniffer-and-inventory-tool/

https://github.com/activecm/passer/

EventSentry SysAdmin Tools

The EventSentry SysAdmin Tools is a set of command-line and graphical utilities designed to help network administrators with their daily administrative tasks.

https://www.eventsentry.com/sysadmintools

Sndbox.com

SNDBOX is a web site that utilizes artificial intelligence and a hardened virtual environment to perform static and dynamic analysis of malware samples.

https://www.sndbox.com/

Azure Data Studio

Azure Data Studio is a cross-platform database tool for data professionals using the Microsoft family of on-premises and cloud data platforms on Windows, macOS, and Linux.

Previously released under the preview name SQL Operations Studio, Azure Data Studio offers a modern editor experience with IntelliSense, code snippets, source control integration, and an integrated terminal. It is engineered with the data platform user in mind, with built-in charting of query result sets and customizable dashboards.

https://docs.microsoft.com/en-us/sql/azure-data-studio/what-is?view=sql-server-2017

https://docs.microsoft.com/en-us/sql/azure-data-studio/download?view=sql-server-2017