Skip to content

Blog

  • 20 min read

Malicious Traffic Analysis

maltraffic-chacho

The following is a combination of notes, research, and knowledge acquired from a malicious traffic analysis course. The focus of this post is on identifying malicious activity in Wireshark. For basic Wireshark setup and tips for filtering, check here.

Note: A good rule of thumb in terms of physical requirements is that whatever the pcap size is, you should have four times that amount of RAM available.

Lifecycle: Reconnaissance

This includes discovery as well as scanning for hosts, fingerprinting, sevices, and network mapping.

TTL-OS Table

When you ping an ip address, the Operating System can sometimes be surmised by the TTL value. The table below is from this maintained website.

Device / OS Version Protocol TTL
AIX TCP 60
AIX UDP 30
BSDI 3.2, 4.1 ICMP 255
Compa BSD/OS 3.1 and 4.0 ICMP 255
Cisco ICMP 64
DEC Pathworks ICMP 254
Foundry V5 TCP and UDP 30
FreeBSD 2.1R ICMP 64
FreeBSD 3.4, 4.0 TCP and UDP 64
FreeBSD 5 ICMP 255
HP-UX 9.0x ICMP 64
HP-UX 10.01 TCP and UDP 30
HP-UX 10.2 TCP and UDP 64
HP-UX 11 ICMP 255
Irix 11 ICMP 255
Irix 5.3 TCP 64
juniper 6.x TCP and UDP 60
MPE/IX (HP) 6.5.3, 6.5.8 TCP and UDP 60
Linux ICMP 255
Linux ICMP 64
Linux 2.0.x kernel ICMP 200
Linux 2.2.14 kernel ICMP 64
Linux 2.4 kernel ICMP 255
Linux Red Hat 9 ICMP 255
MacOS/MacTCP 2.0.x ICMP and TCP 64
MacOS/MacTCP X (10.5.6) TCP and UDP 60
NetBSD ICMP 255
Netgear FVG318 ICMP and UDP 64
OpenBSD 2.6 & 2.7 ICMP 255
OpenVMS 07.01.2002 ICMP 255
OS/2 TCP/IP 3.0 ICMP 64
OSF/1 V3.2A TCP 60
OSF/1 V3.2A UDP 30
Solaris 2.5.1, 2.6, 2.7, 2.8 ICMP 255
Solaris 2.8 TCP 64
Stratus TCP_OS ICMP 255
Stratus TCP_OS (14.2-) TCP and UDP 30
Stratus TCP_OS (14.3+) TCP and UDP 64
SunOS STCP ICMP/TCP/UDP 60
SunOS 4.1.3/4.1.4 TCP and UDP 60
Ultrix 5.7 ICMP and TCP 255
VMS/Multinet V4.1/V4.2A TCP 60
VMS/TCPware V4.1/V4.2A UDP 30
VMS/Wollongong V4.2 – 4.5 ICMP 255
VMS/UCX TCP and UDP 64
Windows 1.1.1.1 TCP 128
Windows 1.1.1.1 UDP 30
Windows for Workgroups TCP and UDP 128
Windows 95 TCP and UDP 32
Windows 98 ICMP 32
Windows 98, 98 SE ICMP 128
Windows 98 TCP 128
Windows NT 3.51 TCP and UDP 32
Windows NT 4.0 TCP and UDP 128
Windows NT 4.0 SP5- 32
Windows NT 4.0 SP6+ 128
Windows NT 4 WRKS SP 3, SP 6a ICMP 128
Windows NT 4 Server SP4 ICMP 128
Windows ME ICMP 128
Windows 2000 pro ICMP/TCP/UDP 128
Windows 2000 family ICMP 128
Windows Server 2003 128
Windows XP ICMP/TCP/UDP 128
Windows Vista ICMP/TCP/UDP 128
Windows 7 ICMP/TCP/UDP 128
Windows Server 2008 ICMP/TCP/UDP 128
Windows 10 ICMP/TCP/UDP 128

Display Anomalous TCP Flags

By applying the filter below, you will display packets with TCP flag combinations not included in the normal set, helping to identify potential anomalous activity.

Detect unusual TCP flag combinations: 

tcp && (!(tcp.flags == 0x02 || tcp.flags == 0x12 || tcp.flags == 0x10 || tcp.flags == 0x01 || tcp.flags == 0x04 || tcp.flags == 0x18))

  • 4 min read

nmap Cheatsheet

nmap-chacho

Default Scanning as Non-root with no Flags/Options

nmap 192.168.1.0/24 = nmap -sT 192.168.1.0/24
(noisy)

Default Scanning as Root with no Flags/Options

nmap 192.168.1.0/24 = nmap -sS 192.168.1.0/24
(quiet)

Process

The Noisy Way

When to use: When you need detailed information quickly and stealth is not a concern.
Consideration: This method generates a lot of traffic and is likely to be detected by IDS/IPS systems. 

nmap -sT -vv -oA network-topology <ip.addr/24>
Grab our list of open IPs: 
grep open network-topology.gnmap | cut -d" " -f 2 > device_list.txt
Rescan network aggressively for additional IPs at the exclusion of our open IP list: 
nmap -A --excludefile device_list.txt <ip.addr/24>
Add any additional IPs found to the list: 
echo "<IP_ADDRESS>" >> device_list.txt
Now rerun scan of the found IPs aggressively, but remove the ping as we no longer need to discover hosts: 
nmap -Pn -A -iL device_list.txt
  • 13 min read

Solving for Silicon

help-chacho

During Apple's transition to ARM architecture, there were significant challenges with VM compatibility due to the differences between ARM and x86 architectures. While ARM Assembly has been prevalent in devices like Raspberry Pis and other IoT devices, its introduction to personal computers like desktops and laptops is relatively recent. This transition prompted many cybersecurity and IT educational institutions to adapt their VM labs. To address compatibility issues, some institutions shifted from using downloadable .ISO files to web-based environments, utilizing tools like Cockpit and KVM for easier management and deployment of virtual machines. However, not all institutions have made this shift, necessitating a different solution for this student. Switching to a PC was not an option so I decided to host my VMs on a server connected to my local network.

Initially, I tried using Cockpit and KVM, but the setup didn't meet my needs. I needed something more robust—a type 1 hypervisor.

I had loved using VMWare Fusion, but the Broadcom takeover turned me away from using ESXi. The customer experience for downloading any VMWare tools/products was frustratingly difficult. Thus, ESXi was not an option. Eventually, I landed on Proxmox, an open-source type 1 hypervisor that operates similarly to ESXi but without the headaches. Below is the process for installing the system and some examples (with links to each) of the VMs I chose to add to my lab environment with their individual setups.

Installing and Setting up Proxmox VE

Step 1: Download and Flash Proxmox VE

  • 3 min read
Draft

Web Server Setup

Nginx

web-chacho

The following guide provides a walkthrough for setting up a web server on a local network using Nginx. This guide assumes you are using Ubuntu or another debian-based flavor of Linux as your operating system.

Step 1: Install Nginx

Before we start, make sure to update your package manager:

sudo apt update

Next, install Nginx:

sudo apt install nginx

Once the installation is complete, check the status of Nginx:

sudo systemctl status nginx

Ensure Nginx is running. You should see output indicating that the service is active (running).

Verify that port 80 (the default HTTP port) is open:

netstat -ant
  • 7 min read
Draft

Airgeddon: Setup & Use Walkthrough

swissarmyknife-chacho

Airgeddon is essentially a Swiss Army knife for wireless network auditing, without the risk of nicking your fingers. It's a multi-use bash script that does everything from monitoring to cracking Wi-Fi networks, offering several tools wrapped in one streamlined interface. Trusting your network security to luck is like using a paper umbrella in a hurricane— optimistic, but impractical. This post will focus on the use of Airgeddon to poke at your Wi-Fi networks and then implement more secure practices that will harden your Wi-Fi, saving the paper umbrella for a mai tai.

This covers the setup of Airgeddon in a Docker container and the usage of various plugins to enhance your wireless network testing and auditing capabilities. Ensure to follow legal and ethical guidelines while using these tools.

Git Hub Repo

Essential Tools

1. Install Docker:

Ensure Docker is installed and running on your system.

2. Optional: Create a Custom Dockerfile (if you want to customize the image):

  • Create directory 

    mkdir airgeddon-docker && cd airgeddon-docker

  • Create Dockerfile: 

    FROM kalilinux/kali-rolling

RUN apt-get update && \
    apt-get install -y git iw net-tools wireless-tools aircrack-ng reaver macchanger mdk3 gpsd kismet

RUN git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git /opt/airgeddon

WORKDIR /opt/airgeddon

ENTRYPOINT ["./airgeddon.sh"]
  • 3 min read

Log Server Setup Using rsyslog

The following is a basic setup for implementing rsyslog on your local network. Setting up logging is highly specific to a specific user/network needs so this is just to get started and consider some basic security best practices.

logserver-chacho

Server-side Configuration

Grab server IP address and add to client's /etc/hosts file

sudo echo "10.3.2.240 syslog-server" >> /etc/hosts

Install rsyslog

sudo apt install rsyslog

Get Info

rsyslog -v

systemctl status rsyslog
  • 5 min read

Creating a Custom Shell

Customizing Zsh

Customizing my shell significantly enhanced my productivity, made my workflow more efficient and made content more readable. With a tailored shell environment, you can streamline tasks, reduce repetitive actions, and access powerful features that improve your overall user experience. In this walkthrough, I'll be going through the steps I took to set up a customized Zsh shell using zinit as the plugin manager.

chacho-shell

1. Install zsh

If you don't already have zsh installed, you can install it using your package manager.

macOS, use Homebrew:
brew install zsh
Ubuntu/Debian:
sudo apt install zsh autojump git

2. Set zsh as the Default Shell

Set zsh as default shell:
chsh -s $(which zsh)

3. Install zinit

zinit is a plugin manager for zsh that makes it easy to manage and load plugins.

Download and install zinit:
sh -c "$(curl -fsSL https://raw.githubusercontent.com/zdharma-continuum/zinit/main/scripts/install.sh)"

4. Configure zsh with zinit and Oh My zsh

Create or edit your .zshrc file to configure zinit and load Oh My zsh:

vi ~/.zshrc
Add content to the file: 
# Load zinit
source ~/.zinit/bin/zinit.zsh

#  On a Linux box, you won't need this next line, but if you're on macOS, you may need to source autojump so you can uncomment this: 
# [[ -s /opt/homebrew/etc/profile.d/autojump.sh ]] && source /opt/homebrew/etc/profile.d/autojump.sh

# Load Oh My zsh
zinit light ohmyzsh/ohmyzsh

# Load the theme
zinit light romkatv/powerlevel10k

# Load plugins
zinit light zsh-users/zsh-autosuggestions
zinit light zsh-users/zsh-syntax-highlighting
zinit light zsh-users/zsh-completions
zinit light hcgraf/zsh-sudo
zinit light wting/autojump
zinit light ael-code/zsh-colored-man-pages
  • 2 min read
Draft

CLI Random Tips

taco-chacho

Adding Commands

When you download an application using wget, you can add it to your command directory rather than updating your PATH variable. 

wget DOMAIN-TO-DOWNLOAD-APPLICATION
Extract Application from tarball if necessary: 
tar -xf APPLICATION-TARFILE-NAME
CD 
cd APPLICATION-EXTRACTED-DIRECTORY
List the contents of the directory to see the exact name of the applicaiton. 
ls
Install the application where it belongs. 
install APPLICATION-NAME /usr/local/bin

Forgetting Sudo

It turns out this is such a common occurance, there's a shortcut for when it happens. Rather than punching that up arrow, CTRL+A to the beginning, you can just sudo !! and it will apply sudo to whatever your last command was.

sudo !!

Read the Error Message!

This sounds like common sense, but it turns out that I'm not alone in sometimes getting caught up in what I thought the error was that if I'd just read the error output, it would have led me to the issue quicker.

Pipe Output to vim -

If you don't know where you want to put the output of a command yet 

grep -Hnri "chacho" | vim -
This opens the output of the command in vim where you can edit it or you can use :%! to run the output back through another command: 
:%!grep -v sushi
or 
:%!sort

  • 3 min read
Draft

DNSmasq

masq-chacho

Dnsmasq: the unsung hero of network management, where DNS meets DHCP with a side of TFTP, just to keep things spicy. (Speaking of spicy, how do you like the novelty glasses?) DNSmasq is a lightweight, yet robust service that doesn't just juggle network requests—it makes local network life easier. Ideal for smaller networks like your home or that tiny, yet over-ambitious office, Dnsmasq helps devices play nice with each other by resolving hostnames and dishing out IP addresses. So why bother? Because manually handling network configurations is about as enjoyable as stepping on LEGOs. Read on for the more boring installation and config instructions/considerations.

Installation Walkthrough for a Local DNS Server.

To set up dnsmasq on an Ubuntu server for local DNS queries, with forwarding to Cloudflare's nameservers for internet queries, follow these detailed step-by-step instructions:

Install dnsmasq

  1. Update your package list to ensure you get the latest version available: 

    sudo apt update

  2. Install dnsmasq: 

    sudo apt install dnsmasq

Configure dnsmasq

  1. Backup the original configuration file for safety: 

    sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.backup

  2. Edit the configuration file: 

    sudo nano /etc/dnsmasq.conf
    Add/update the following settings to tailor dnsmasq for your needs:

  3. Set the listening interface, if you want dnsmasq to listen only on specific network interfaces (e.g., eth0 for Ethernet): 

    interface=eth0
listen-address=127.0.0.1  # Listen on localhost
bind-interfaces           # Bind to the interface specified
  • 4 min read
Draft

MySQL

gardendb

Install

sudo apt install mysql-server -y

Run the mysql Secure Installation Program

sudo mysql_secure_installation
  • Establish Password Validity Policy
  • You can use more secure authentication means like keys rather than passwords.
  • MySQL has an anonymous user capability for testing, but it should be removed for security.
  • Root user should only be allowed to connect from localhost.
  • Remove the test database.
  • Reload the privileges table.

Enable the Firewall

sudo ufw enable


sudo ufw allow mysql
Check to ensure it's listening: 
netstat -ant
You should see the 127.0.0.1:3306 (3306 indicating the default port for mySQL) The database server will eventually need to talk to other systems on the network.

Set Up

Configuration

cd /etc/mysql/mysql.conf.d && ll
  • mysql.cnf configures the command line's behavior
  • mysqld.cnf configures the server's behavior

vi mysqld.cnf