Thursday, August 1, 2019

Pi-hole Notes

Below are some notes concerning the installation and configuration of the Pi-hole application on a Raspberry Pi.

Etcher can be used to create a bootable Micro SD card.  The commands to install the application within Linux can be found at https://www.fossmint.com/etcher-usb-sd-card-bootable-image-creator-for-linux/.

Raspbian can be downloaded via https://www.raspberrypi.org/downloads/raspbian/.  The minimal version (Lite) can be used.

The default credentials for Raspbian are pi for the user name and raspberry for the password.  Once logged in, use the command sudo raspi-config to load the configuration utility.  Use option 1 to enter a new password, then option 5 (Interfacing options) followed by 2 (SSH) to enable the SSH daemon.

Use the command sudo nano /etc/dhcpcd.conf and uncomment the lines in the static IP section, adjusting the address, router and DNS server values to match your network.

# Example static IP configuration:
interface eth0
static ip_address=192.168.1.200/24
#static ip6_address=fd51:42f8:caae:d92e::ff/64
static routers=192.168.0.1
static domain_name_servers=8.8.8.8 fd51:42f8:caae:d92e::1
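
A headless Pi with a bad static stanza is only reachable again with a keyboard and monitor, so it is worth checking the values before rebooting.  The following is an added example, not code from the original post or from the Pi-hole project: it parses the "static key=value" lines of a dhcpcd.conf stanza and checks that the address carries a prefix length, that every router lies inside that subnet and that the DNS entries are IP addresses.  The embedded sample is the stanza shown above; note that as written its router 192.168.0.1 is not inside 192.168.1.0/24, which the check reports.

```python
# Added example (not from the original post): sanity-check the static-IP
# stanza of /etc/dhcpcd.conf before rebooting a headless Pi-hole.
# Assumption: the stanza uses the "static key=value" syntax shown in the notes.
import ipaddress

# Constructed sample: the stanza from the notes above (not a real host's file).
SAMPLE_DHCPCD = """\
# Example static IP configuration:
interface eth0
static ip_address=192.168.1.200/24
#static ip6_address=fd51:42f8:caae:d92e::ff/64
static routers=192.168.0.1
static domain_name_servers=8.8.8.8 fd51:42f8:caae:d92e::1
"""


def parse_static_stanza(text):
    """Return a dict of the uncommented 'interface' and 'static ...' settings.
    Commented lines (leading '#') are ignored; later lines override earlier ones."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("interface "):
            cfg["interface"] = line.split(None, 1)[1]
        elif line.startswith("static "):
            key, _, value = line[len("static "):].partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def check_static_config(text):
    """Return a list of problems found; an empty list means the stanza is usable."""
    cfg = parse_static_stanza(text)
    if "ip_address" not in cfg:
        return ["no uncommented 'static ip_address=' line (still commented out?)"]
    try:
        iface = ipaddress.ip_interface(cfg["ip_address"])
    except ValueError as exc:
        return [f"ip_address is not a valid address/prefix: {exc}"]

    problems = []
    # Without a prefix length ipaddress assumes a host route (/32), which is
    # not what dhcpcd expects for a LAN address.
    if iface.network.prefixlen == iface.network.max_prefixlen:
        problems.append("ip_address has no prefix length; dhcpcd needs e.g. /24")

    # The default route can only be installed if the router is on-link.
    for router in cfg.get("routers", "").split():
        try:
            r = ipaddress.ip_address(router)
        except ValueError:
            problems.append(f"routers entry {router!r} is not an IP address")
            continue
        if r.version == iface.ip.version and r not in iface.network:
            problems.append(
                f"router {router} is outside {iface.network}; default route cannot be installed"
            )

    for server in cfg.get("domain_name_servers", "").split():
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"domain_name_servers entry {server!r} is not an IP address")
    return problems


if __name__ == "__main__":
    for problem in check_static_config(SAMPLE_DHCPCD) or ["stanza looks usable"]:
        print(problem)
```

To check the live file, read /etc/dhcpcd.conf into a string and pass it to check_static_config; an empty list is the all-clear.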

Use the commands sudo apt-get update and sudo apt-get upgrade to install all current updates.  As documented at https://pi-hole.net/, the following command installs the Pi-hole application.  Note that it pipes the installer straight into bash without review; to inspect it first, save it with curl -sSL https://install.pi-hole.net -o basic-install.sh, read it, and then run sudo bash basic-install.sh:

sudo curl -sSL https://install.pi-hole.net | bash

During the setup wizard, a password for the web interface will be displayed.  The web interface can be accessed via http://IP Address/admin.  To log in to the device remotely, use the command ssh IP Address -l pi.  To set a new password for the web interface, use the command sudo pihole -a -p.

Within the web interface, blocked sites can be viewed in the log via Tools -> Tail pihole.log:

Jun 22 21:44:36 dnsmasq[651]: query[A] aol.com from 192.168.1.10
Jun 22 21:44:36 dnsmasq[651]: /etc/pihole/black.list aol.com is 0.0.0.0

The log can also be viewed from an SSH session with the command sudo tail -F /var/log/pihole.log or pihole -t.  A particular domain can be searched for with a command such as grep aol.com /var/log/pihole.log.
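
Beyond grepping for one domain, the question a practitioner usually has is which clients are generating blocked queries and which domains are being blocked.  The following is an added example, not code from the original post or from the Pi-hole project: it parses the dnsmasq-style lines shown above (both the syslog form in /var/log/pihole.log and the time-only form printed by pihole -t), attributes each blocked answer to the client that most recently asked for that domain, and summarises the result.  The log sample is constructed for the example; the list names and the 0.0.0.0 / :: blocked answers follow the format shown in the notes.

```python
# Added example (not from the original post): summarise blocked queries in
# pihole.log by client, domain and blocklist.
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the entries shown above (not a real capture).
SAMPLE_PIHOLE_LOG = """\
Jun 22 21:44:36 dnsmasq[651]: query[A] aol.com from 192.168.1.10
Jun 22 21:44:36 dnsmasq[651]: /etc/pihole/black.list aol.com is 0.0.0.0
Jun 22 21:44:37 dnsmasq[651]: query[A] spectrum.s3.amazonaws.com from 192.168.1.10
Jun 22 21:44:37 dnsmasq[651]: forwarded spectrum.s3.amazonaws.com to 8.8.8.8
Jun 22 21:44:37 dnsmasq[651]: reply spectrum.s3.amazonaws.com is 52.216.9.139
Jun 22 21:44:40 dnsmasq[651]: query[A] ads.example.net from 192.168.1.22
Jun 22 21:44:40 dnsmasq[651]: /etc/pihole/gravity.list ads.example.net is 0.0.0.0
Jun 22 21:44:41 dnsmasq[651]: query[AAAA] aol.com from 192.168.1.22
Jun 22 21:44:41 dnsmasq[651]: /etc/pihole/black.list aol.com is ::
"""

# "Jun 22 21:44:36 dnsmasq[651]: ..." (log file) or "23:49:59 dnsmasq[651]: ..." (pihole -t)
LINE_RE = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+)?(?P<time>\d\d:\d\d:\d\d)\s+"
    r"dnsmasq\[\d+\]:\s+(?P<msg>.*)$"
)
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<domain>\S+)\s+from\s+(?P<client>\S+)$")
# A blocked answer: "/etc/pihole/<list> <domain> is 0.0.0.0" (or "::" for AAAA)
BLOCK_RE = re.compile(r"^(?P<list>/etc/pihole/\S+)\s+(?P<domain>\S+)\s+is\s+(?:0\.0\.0\.0|::)$")
FORWARD_RE = re.compile(r"^forwarded\s+(?P<domain>\S+)\s+to\s+(?P<upstream>\S+)$")


def parse_pihole_log(text):
    """Yield (time, kind, fields) per recognised line; kind is 'query',
    'blocked', 'forwarded' or 'other'. Lines that are not dnsmasq log lines
    (such as the '[i] Press Ctrl-C to exit' banner) are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        for kind, rx in (("query", QUERY_RE), ("blocked", BLOCK_RE), ("forwarded", FORWARD_RE)):
            mm = rx.match(msg)
            if mm:
                yield m.group("time"), kind, mm.groupdict()
                break
        else:
            yield m.group("time"), "other", {"msg": msg}


def summarize_blocks(text):
    """Attribute each blocked answer to the client that most recently queried
    that domain. Returns (blocked_per_client, blocked_domains, blocked_by_list)."""
    last_client = {}            # domain -> client of the most recent query
    per_client = Counter()
    domains = Counter()
    by_list = defaultdict(Counter)
    for _, kind, f in parse_pihole_log(text):
        if kind == "query":
            last_client[f["domain"]] = f["client"]
        elif kind == "blocked":
            client = last_client.get(f["domain"], "unknown")
            per_client[client] += 1
            domains[f["domain"]] += 1
            by_list[f["list"]][f["domain"]] += 1
    return per_client, domains, dict(by_list)


if __name__ == "__main__":
    per_client, domains, by_list = summarize_blocks(SAMPLE_PIHOLE_LOG)
    print("blocked per client:", dict(per_client))
    print("most blocked domains:", domains.most_common(5))
    for list_name, hits in by_list.items():
        print(list_name, dict(hits))
```

Run it against the real file with summarize_blocks(open("/var/log/pihole.log").read()); a client with an unexpectedly high blocked count is the one to look at first.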

The command pihole -up can be used to update the Pi-hole application itself.

pi@raspberrypi:/ $ pihole -up
  [i] Checking for updates...
  [i] Pi-hole Core:     up to date
  [i] Web Interface:    up to date
  [i] FTL:              up to date

  [✓] Everything is up to date!

Regex examples can be found at https://github.com/mmotti/pihole-regex/blob/master/regex.list and https://www.reddit.com/r/pihole/comments/b3fj60/regex_megathread/.

The domain lists can be updated using the pihole -g command.

pi@raspberrypi:~ $ pihole -g
  [i] Pi-hole blocking is enabled
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [i] Target: raw.githubusercontent.com (hosts)
  [✓] Status: Retrieval successful

  [i] Target: mirror1.malwaredomains.com (justdomains)
  [✓] Status: Retrieval successful

  [i] Target: sysctl.org (hosts)
  [✓] Status: No changes detected

  [i] Target: zeustracker.abuse.ch (blocklist.php?download=domainblocklist)
  [✓] Status: No changes detected

  [i] Target: s3.amazonaws.com (simple_tracking.txt)
  [✓] Status: No changes detected

  [i] Target: s3.amazonaws.com (simple_ad.txt)
  [✓] Status: No changes detected

  [i] Target: hosts-file.net (ad_servers.txt)
  [✓] Status: No changes detected

  [✓] Consolidating blocklists
  [✓] Extracting domains from blocklists
  [i] Number of domains being pulled in by gravity: 137133
  [✓] Removing duplicate domains
  [i] Number of unique domains trapped in the Event Horizon: 114873
  [i] Number of whitelisted domains: 0
  [i] Number of blacklisted domains: 0
  [i] Number of regex filters: 17
  [✓] Parsing domains into hosts format
  [✓] Cleaning up stray matter

  [✓] Force-reloading DNS service
  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled

The command pihole -t tails the real-time log:

pi@raspberrypi:~ $ pihole -t
  [i] Press Ctrl-C to exit
23:49:59 dnsmasq[651]: forwarded spectrum.s3.amazonaws.com to 8.8.8.8
23:49:59 dnsmasq[651]: reply spectrum.s3.amazonaws.com is
23:49:59 dnsmasq[651]: reply s3-directional-w.amazonaws.com is
23:49:59 dnsmasq[651]: reply s3-1-w.amazonaws.com is 52.216.9.139

Additional lists such as https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list can be added via the web interface under the Settings -> Blocklists tab.  A web site with details on additional lists can be found at https://firebog.net.

Settings can be backed up to a single file under Settings -> Teleporter.  A restore option is available when migrating the service to new hardware.

Kali NetHunter App Store for Android

Kali NetHunter App Store is a catalogue of security-relevant Android applications. It is an alternative to the Google Play store for any Android device.

https://store.nethunter.com/

Commando VM

Commando VM is a Windows-based security distribution for penetration testing and red teaming.

https://www.fireeye.com/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html

https://isc.sans.edu/forums/diary/Commando+VM+The+Complete+Mandiant+Offensive+VM/25136/

Rifiuti2

Rifiuti2 analyses Windows Recycle Bin files. Analysis of the Recycle Bin is usually carried out during Windows computer forensics. Rifiuti2 can extract the deletion time, original path and size of deleted files.

https://abelcheung.github.io/rifiuti2/

https://www.kitploit.com/2019/07/rifiuti2-windows-recycle-bin-analyser.html

Whonix

Whonix is an operating system focused on anonymity, privacy and security. It’s based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP.

Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.

Sysinternals Sysmon

Sysmon is a Windows system service and device driver that remains resident across system reboots to monitor and log system activity to the Windows event log. It can log detailed information about process creations, network connections, and changes to file creation time. 

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

A pre-built configuration file can be found at:

https://github.com/SwiftOnSecurity/sysmon-config

To install Sysmon and use the configuration file, download the Sysmon utility and extract the .ZIP file.  If you save the .XML file from the GitHub page using a browser and attempt to use it, an error may be returned with the text "DTD is prohibited."  This happens when the browser saves the surrounding HTML page (which starts with a DOCTYPE) rather than the raw XML.

To avoid this error, click on the link for the .XML file and then copy/paste the contents into a text editor such as Notepad++, and then save the file using the original file name.  Install the service with the configuration from an elevated prompt using sysmon64.exe -accepteula -i sysmonconfig-export.xml.

To verify the service was installed and logging is occurring, launch an elevated PowerShell session and enter the following commands.

Get-Service sysmon

Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 10

The logs can be manually viewed via the Computer Management MMC (compmgmt.msc) using the path Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational.

The .XML file includes comments explaining many of the rules it contains.

Below is an example of a network connection event (Sysmon Event ID 3) generated by running the nslookup command.

Network connection detected:
RuleName:
UtcTime: 2019-02-23 23:41:00.742
ProcessGuid: {8fcfd9c4-da0c-5c71-0000-0010dc068801}
ProcessId: 1636
Image: C:\Windows\System32\nslookup.exe
User: sam
Protocol: udp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.254.27
SourceHostname: computer
SourcePort: 60836
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 192.168.254.254
DestinationHostname:
DestinationPort: 53
DestinationPortName: domain
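
One practical use of these events is to tie the Sysmon notes back to the Pi-hole notes: a host that sends port 53 traffic to anything other than the Pi-hole is bypassing the blocklists.  The following is an added example, not code from the original post, from Sysmon or from the SwiftOnSecurity configuration: it parses the "Key: Value" text body of Event ID 3 records as shown above and flags DNS connections to resolvers outside an approved set.  The first sample event is the nslookup record from the note; the second is constructed for the example, as is the assumption that 192.168.254.254 is the LAN's Pi-hole.

```python
# Added example (not from the original post): parse Sysmon Event ID 3 message
# text and flag DNS traffic that bypasses the approved resolver.

HEADER = "Network connection detected:"

# Assumption for this example: the LAN's Pi-hole / approved resolver address.
APPROVED_RESOLVERS = {"192.168.254.254"}

# Constructed sample: the first event is the nslookup record from the note
# above; the second is made up for the example (placeholder ProcessGuid).
SYSMON_EVENTS = r"""Network connection detected:
RuleName:
UtcTime: 2019-02-23 23:41:00.742
ProcessGuid: {8fcfd9c4-da0c-5c71-0000-0010dc068801}
ProcessId: 1636
Image: C:\Windows\System32\nslookup.exe
User: sam
Protocol: udp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.254.27
SourceHostname: computer
SourcePort: 60836
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 192.168.254.254
DestinationHostname:
DestinationPort: 53
DestinationPortName: domain

Network connection detected:
RuleName:
UtcTime: 2019-02-23 23:42:10.001
ProcessGuid: {00000000-0000-0000-0000-000000000000}
ProcessId: 4242
Image: C:\Program Files\ExampleApp\app.exe
User: sam
Protocol: udp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.254.27
SourceHostname: computer
SourcePort: 51000
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 8.8.8.8
DestinationHostname:
DestinationPort: 53
DestinationPortName: domain
"""


def parse_sysmon_events(text):
    """Split the message text into one dict per event. Each 'Key: Value' line
    becomes an entry; only the first colon separates key from value, so
    timestamps and Windows paths keep their own colons."""
    events = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == HEADER:
            current = {"EventType": HEADER.rstrip(":")}
            events.append(current)
            continue
        if not line or current is None:
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return events


def find_dns_bypass(events, approved=APPROVED_RESOLVERS):
    """Return the events whose destination is port 53 on a host that is not an
    approved resolver, i.e. DNS traffic that skips the Pi-hole."""
    return [
        ev for ev in events
        if ev.get("DestinationPort") == "53" and ev.get("DestinationIp") not in approved
    ]


if __name__ == "__main__":
    for ev in find_dns_bypass(parse_sysmon_events(SYSMON_EVENTS)):
        print(f"{ev['UtcTime']} {ev['Image']} -> {ev['DestinationIp']}:{ev['DestinationPort']} ({ev['Protocol']})")
```

The message text is what Get-WinEvent exposes as the Message property of each Sysmon/Operational record, so the same parser can be fed exported event text; a block of outbound port 53 traffic at the gateway that allows only the Pi-hole is the matching mitigation.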