Sentry detects and prevents bruteforce attacks against sshd using minimal system resources.

• ip
  An IPv4 address. The IP should come from a reliable source that is difficult to spoof. Tcpwrappers is an excellent source. UDP connections are a poor source as they are easily spoofed. The log files of TCP daemons can be good source if they are parsed carefully to avoid log injection attacks.

• blacklist
  deny all future connections
• whitelist
  whitelist all future connections, remove the IP from the blacklists, and make it immune to future connection tests.
• delist
  remove an IP from the white and blacklists. This is useful for testing that sentry is working as expected.
• connect
  register a connection by an IP. The connect method will log the attempt and the time. See CONNECT.
• update
  Check the most recent version of sentry against the installed version and update if a newer version is available.

$ /var/db/sentry/sentry.pl -r --ip=24.19.45.95
   9 connections from 24.19.45.95
       and it is whitelisted

$ /var/db/sentry/sentry.pl -r
  -------- summary ---------
  1614 unique IPs have connected 76525 times
  1044 IPs are blacklisted
    18 IPs are whitelisted

$ /var/db/sentry/sentry.pl -r
 -------- summary ---------
 1240 unique IPs have connected 285554 times
   40 IPs are blacklisted
    4 IPs are whitelisted

$ /var/db/sentry/sentry.pl -r
-------- summary ---------
3484 unique IPs have connected 15391 times
1127 IPs are blacklisted
   6 IPs are whitelisted

sudo python usbkill.py

• In case the police or other thugs come busting in (or steal your laptop from you when you are at a public library as happened to Ross). The police commonly uses a "mouse jiggler" to keep the screensaver and sleep mode from activating.
• You don’t want someone retrieve documents (such as private keys) from your computer or install malware/backdoors via USB.
• You want to improve the security of your (Full Disk Encrypted) home or corporate server (e.g. Your Raspberry).

[!] Important: Make sure to use (partial) disk encryption! Otherwise they will get in anyway.

Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill. If they steal your computer, the USB will be removed and the computer shuts down immediately.

• Compatible with Linux, *BSD and OS X.
• Shutdown the computer when there is USB activity.
• Customizable. Define which commands should be executed just before shut down.
• Ability to whitelist a USB device.
• Ability to change the check interval (default: 250ms).
• Ability to melt the program on shut down.
• Works with sleep mode (OS X).
• No dependency except srm. sudo apt-get install secure-delete
• Sensible defaults

• --no-shut-down: Execute all the (destructive) commands you defined in settings.ini, but don’t turn off the computer.
• --cs: Copy program folder settings.ini to /etc/usbkill/settings.ini

• Detection:
  • Cuckoo hooks detection (all kind of cuckoo hooks).
  • Suspicius data in own memory (without APIs, page per page scanning).
• Crash (Execute with arguments) (out of a sandbox these args dont crash the program):
  • -c1: Modify the RET N instruction of a hooked API with a higher value. Next call to API pushing more args into stack. If the hooked API is called from the Cuckoo's HookHandler the program crash because it only pushes the real API args then the modified RET N instruction corrupt the HookHandler's stack.

• Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
• Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
• Session logs stored in an UML Compatible format for easy replay with original timings
• Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

• SFTP and SCP support for file upload
• Support for SSH exec commands
• Logging of direct-tcp connection attempts (ssh proxying)
• Logging in JSON format for easy processing in log management solutions
• Many, many additional commands

• An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)
• Python 2.5+
• Twisted 8.0+
• PyCrypto
• pyasn1
• Zope Interface

• dl/ - files downloaded with wget are stored here
• log/cowrie.log - log/debug output
• log/cowrie.json - transaction output in JSON format
• log/tty/ - session logs
• utils/playlog.py - utility to replay session logs
• utils/createfs.py - used to create fs.pickle
• data/fs.pickle - fake filesystem
• honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here

• x86 and x64 support
• Process interaction
  
  • Manage PEB32/PEB64
  • Manage process through WOW64 barrier
• Process Memory
  
  • Allocate and free virtual memory
  • Change memory protection
  • Read/Write virtual memory
• Process modules
  
  • Enumerate all (32/64 bit) modules loaded. Enumerate modules using Loader list/Section objects/PE headers methods.
  • Get exported function address
  • Get the main module
  • Unlink module from loader lists
  • Inject and eject modules (including pure IL images)
  • Inject 64bit modules into WOW64 processes
  • Manually map native PE images
• Threads
  
  • Enumerate threads
  • Create and terminate threads. Support for cross-session thread creation.
  • Get thread exit code
  • Get main thread
  • Manage TEB32/TEB64
  • Join threads
  • Suspend and resume threads
  • Set/Remove hardware breakpoints
• Pattern search
  
  • Search for arbitrary pattern in local or remote process
• Remote code execution
  
  • Execute functions in remote process
  • Assemble own code and execute it remotely
  • Support for cdecl/stdcall/thiscall/fastcall conventions
  • Support for arguments passed by value, pointer or reference, including structures
  • FPU types are supported
  • Execute code in new thread or any existing one
• Remote hooking
  
  • Hook functions in remote process using int3 or hardware breakpoints
  • Hook functions upon return
• Manual map features
  
  • x86 and x64 image support
  • Mapping into any arbitrary unprotected process
  • Section mapping with proper memory protection flags
  • Image relocations (only 2 types supported. I haven't seen a single PE image with some other relocation types)
  • Imports and Delayed imports are resolved
  • Bound import is resolved as a side effect, I think
  • Module exports
  • Loading of forwarded export images
  • Api schema name redirection
  • SxS redirection and isolation
  • Activation context support
  • Dll path resolving similar to native load order
  • TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.
  • Static TLS
  • Exception handling support (SEH and C++)
  • Adding module to some native loader structures(for basic module api support: GetModuleHandle, GetProcAdress, etc.)
  • Security cookie initialization
  • C++/CLI images are supported
  • Image unloading
  • Increase reference counter for import libraries in case of manual import mapping
  • Cyclic dependencies are handled properly
• Driver features
• Allocate/free/protect user memory
• Read/write user and kernel memory
• Disable permanent DEP for WOW64 processes
• Change process protection flag
• Change handle access rights
• Remap process memory
• Hiding allocated user-mode memory
• User-mode dll injection and manual mapping
• Manual mapping of drivers

1. server:
   Just run qshd on server:
   

      $ ./qshd
   

   But, you would like to run after change it to other name, such as:
   

      $ mv qshd smbd
      $ export PATH=.:$PATH
      $ smbd
   

2. client:
   Set some environment variable, then run qsh:
   

     $ export _IP=127.0.0.1
     $ export _PORT=2800
     $ unset _P
     $ ./qsh shell
   

   Now you already login into server $_IP .

1. put/get files:
   

   $ ./qsh get /path/to/server/file .
   $ ./qsh put /path/to/local/file  /path/to/server/file
   

2. run a command on server:
   

   $ ./qsh exec 'ls -l /bin'
   

3. update server program:
   

   $ ./qsh update /path/to/local/qshd
   

   This function will update remote qshd, and run again.
4. automation to run command on many server:
   

   $ for i in {10..20} ; do \
         export _IP=192.168.0.$i
         export _PORT=2800
         export _P=key   # set key
         ./qsh exec 'ls -l /bin'
     done
   

   Note: qsh use $_P to fetch server key, so you should erase all history data after to use $_P.
5. update password
   start with version 3.2, you can update the password as below:
   

     $ ./qsh passwd
   

devil@hell:~/snitch/$ python snitch.py

                       _ __       __  
           _________  (_) /______/ /_ 
          / ___/ __ \/ / __/ ___/ __ \ 
         (__  ) / / / / /_/ /__/ / / /
        /____/_/ /_/_/\__/\___/_/ /_/ ~0.2   

Usage: snitch.py [options]

Options:
  -h, --help            show this help message and exit
  -U [url], --url=[url]
                        domain(s) or domain extension(s) separated by comma *
  -D [type], --dork=[type]
                        dork type(s) separated by comma *
  -O [file], --output=[file]
                        output file
  -S [ip:port], --socks=[ip:port]
                        socks5 proxy
  -I [seconds], --interval=[seconds]
                        interval between requests, 2s by default
  -P [pages], --pages=[pages]
                        pages to retrieve, 10 by default
  -v                    turn on verbosity

Dork types:
  info  | Information leak & Potential web bugs
  ext   | Sensitive extensions
  docs  | Documents & Messages
  files | Files & Directories
  soft  | Web software
  all   | All

Examples:
  snitch.py -I5 -P3 --dork=ext,info -U gov -S 127.0.0.1:9050
  snitch.py --url=site.com -D all -O /tmp/dorks

devil@hell:~/snitch/$ python snitch.py -U gov -D ext -P20 -S 127.0.0.1:9050
[+] Target: gov
[!] Using SOCKS5 (IP - XX.XX.XX.XX)
[!] Pages limit set to 20

[+] Looking for sensitive extensions

http://www.seismic.ca.gov/pub/CSSC_1998-01_COG.pdf.OLD
http://greengenes.lbl.gov/Download/Sequence_Data/Fasta_data_files/CoreSet_2010/formatdb.log
http://www.uspto.gov/web/patents/pdx/permitting_access.pdf_2010may17.bak
http://www.dss.virginia.gov/tst.log
http://appliedresearch.cancer.gov/nhanes_pam/create.pam_perday.log
ftp://ftp.eia.doe.gov/pub/oil_gas/natural_gas/feature_articles/2006/ngshock/ngshock.pdf.bak
http://appliedresearch.cancer.gov/nhanes_pam/create.pam_perminute.log
https://igscb.jpl.nasa.gov/igscb/station/mgexlog/nya2_20130905.log
http://www.swrcb.ca.gov/losangeles/board_decisions/adopted_orders/index.shtml.old
https://trac.mcs.anl.gov/projects/mpich2/attachment/ticket/83/config.log
https://tcga-data.nci.nih.gov/docs/index.html.bak
https://software.sandia.gov/trac/canary/attachment/ticket/3917/Pike_Hach%26SCAN_Oracle.edsx_convert.log
http://www.glerl.noaa.gov/metdata/2check_all.log
http://ft.ornl.gov/eavl/regression/configure.log
http://airsar.jpl.nasa.gov/airdata/PRECISION_LOG/hd1883.log
http://www.antd.nist.gov/pubs/Sriram_BGP_IEEE_JSAC.pdf.old
http://www-esh.fnal.gov/pls/default/itna.log
http://www.lanl.gov/wrtout/projects/tscattering/nano/Output//Defaults/ellipsoid.log
http://maine.gov/REVENUE/netfile/WS_FTP.LOG
http://mls.jpl.nasa.gov/lay/UARS_MLS.LOG
http://airsar.jpl.nasa.gov/airdata/PRECISION_LOG/hd1469.log
http://www.modot.mo.gov/_baks/indexalt.htm.0001.b041.bak
ftp://ftp.hrsa.gov/ruralhealth/FY04RAEDGuidance.pdf.bak
https://www.health.ny.gov/health_care/medicaid/nyserrcd.ini
http://www.thruway.ny.gov/business/contractors/expedite/bid.ini
http://www.star.bnl.gov/~pjakl/documents/configuration.cfg
http://www.wpc.ncep.noaa.gov/html/ecmwf0012loop500_ak.cfg
https://fermilinux.fnal.gov/documentation/security/krb5.conf
http://mirror.pnl.gov/macports/release/ports/security/fail2ban/files/pf-icefloor.conf
https://svn.mcs.anl.gov/repos/ZeptoOS/trunk/BGP/ramdisk/CN/tree/etc/syslog.conf
http://cmip-pcmdi.llnl.gov/cmip5/docs/esg.ini
https://security.fnal.gov/krb5.conf
http://collaborate2.nws.noaa.gov/canned_data/data_files/pqact.conf

[+] Done!

1. Make sure you have at least 2GB of RAM on the machine you plan to use yarGen
2. Clone the git repository
3. Install all dependancies with sudo pip install pickle scandir lxml naiveBayesClassifier
4. Unzip the goodware database (e.g. 7z x good-strings.db.zip.001)
5. See help with python yarGen.py --help

usage: yarGen.py [-h] [-m M] [-g G] [-u] [-c] [-o output_rule_file]
                 [-p prefix] [-a author] [-r ref] [-l min-size] [-z min-score]
                 [-s max-size] [-rc maxstrings] [-nr] [-oe] [-fs size-in-MB]
                 [--score] [--inverse] [--nodirname] [--noscorefilter]
                 [--excludegood] [--nosimple] [--nomagic] [--nofilesize]
                 [-fm FM] [--noglobal] [--nosuper] [--debug]

yarGen

optional arguments:
  -h, --help           show this help message and exit
  -m M                 Path to scan for malware
  -g G                 Path to scan for goodware (dont use the database
                       shipped with yaraGen)
  -u                   Update local goodware database (use with -g)
  -c                   Create new local goodware database (use with -g)
  -o output_rule_file  Output rule file
  -p prefix            Prefix for the rule description
  -a author            Author Name
  -r ref               Reference
  -l min-size          Minimum string length to consider (default=8)
  -z min-score         Minimum score to consider (default=5)
  -s max-size          Maximum length to consider (default=128)
  -rc maxstrings       Maximum number of strings per rule (default=20,
                       intelligent filtering will be applied)
  -nr                  Do not recursively scan directories
  -oe                  Only scan executable extensions EXE, DLL, ASP, JSP,
                       PHP, BIN, INFECTED
  -fs size-in-MB       Max file size in MB to analyze (default=3)
  --score              Show the string scores as comments in the rules
  --inverse            Show the string scores as comments in the rules
  --nodirname          Don't use the folder name variable in inverse rules
  --noscorefilter      Don't filter strings based on score (default in
                       'inverse' mode)
  --excludegood        Force the exclude all goodware strings
  --nosimple           Skip simple rule creation for files included in super
                       rules
  --nomagic            Don't include the magic header condition statement
  --nofilesize         Don't include the filesize condition statement
  -fm FM               Multiplier for the maximum 'filesize' condition
                       (default: 5)
  --noglobal           Don't create global rules
  --nosuper            Don't try to create super rules that match against
                       various files
  --debug              Debug output

python yarGen.py -m X:\MAL\Case1401

python yarGen.py --score -m X:\MAL\Case1401

python yarGen.py --score -z 5 -m X:\MAL\Case1401

python yarGen.py -a "Florian Roth" -r "http://goo.gl/c2qgFx" -m /opt/mal/case_441 -o case441.yar

python yarGen.py --excludegood -m /opt/mal/case_441

python yarGen.py --nosimple -m /opt/mal/case_441

python yarGen.py --debug -m /opt/mal/case_441

python yarGen.py -c -g C:\Windows\System32

python yarGen.py -u -g "C:\Program Files"

• G:\goodware
  • WindowsXP
    • System32 - all files
  • Windows2003
    • System32 - all files
  • Windows2008R2
    • System32 - all files

python yarGen.py --inverse -oe -m G:\goodware\

python yarGen.py --inverse -oe --nodirname -m G:\goodware\

• Red Hat Enterprise Linux
  • 6.6
  • 7.1
• CentOS
  • 6.6
  • 7.1-1503-01

• Management
  • Puppet Server
  • PuppetDB
  • MCollective
• Authentication
  • OpenLDAP
• Kickstart/Update
• YUM
• DNS
• DHCP
• TFTP

• URLs being visited.
• HTTPS host being visited.
• HTTP POSTed data.
• FTP credentials.
• IRC credentials.
• POP, IMAP and SMTP credentials.
• NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.

• Java JDK 1.7 or greater http://www.oracle.com/technetwork/java/javase/overview/index.html
• Browser with Web Socket support http://caniuse.com/websocketsNote: In Safari if using a self-signed certificate you must import the certificate into your Keychain. Select 'Show Certificate' -> 'Always Trust' when prompted in Safari
• Maven 3 or greater ( Only needed if building from source ) http://maven.apache.org
• Install FreeOTP or Google Authenticator to enable two-factor authentication with Android or iOS

 export JAVA_HOME=/path/to/jdk
 export PATH=$JAVA_HOME/bin:$PATH

 set JAVA_HOME=C:\path\to\jdk
 set PATH=%JAVA_HOME%\bin;%PATH%

    ./startKeyBox.sh

    startKeyBox.bat

username:admin
password:changeme

% ./dharma.py -grammars grammars/webcrypto.dg

% ./dharma.py -grammars grammars/canvas2d.dg grammars/mediarecorder.dg

% ./dharma.py -grammars grammars/webcrypto.dg -storage . -count 5

% ./dharma.py -server -grammars grammars/canvas2d.dg -template grammars/var/templates/html5/default.html
% ./framboise.py -setup inbound64-release -debug -worker 4 -testcase ~/dev/projects/fuzzers/dharma/grammars/var/index.html

% time ./dharma.py -grammars grammars/webcrypto.dg -count 10000 > /dev/null

%%% comment

%const% name := value

%section% := value
%section% := variable
%section% := variance

%range%(0-9)
%range%(0.0-9.0)
%range%(a-z)
%range%(!-~)
%range%(0x100-0x200)

%repeat%(+variable+)
%repeat%(+variable+, ", ")

%uri%(path)
%uri%(lookup_key)

%block%(path)

%choice%(foo, "bar", 1)

digit :=
    %range%(0-9)

sign :=
    +
    -

value :=
    +sign+%repeat%(+digit+)

+value+

variable :=
    @variable@ = new Foo();

value :=
    !variable!.bar();

value :=
    attribute=+common:number+

foo :=
    Random.pick([0,1]);

1. Install pyftpdlib
2. Generate a server certificate and store it as "server.pem" on the same level as Egress-Assess. This can be done with the following command:

./Egress-Assess.py --server ftp --username testuser --password pass123

./Egress-Assess.py --client ftp --username testuser --password pass123 --ip 192.168.63.149 --datatype ssn

./Egress-Assess.py --server https

./Egress-Assess.py --client https --data-size 15 --ip 192.168.63.149 --datatype cc

• AIX
• FreeBSD
• HP-UX
• Linux
• Mac OS
• NetBSD
• OpenBSD
• Solaris
• and others

1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

• Security auditing
• Compliance testing (e.g. PCI, HIPAA, SOx)
• Vulnerability detection and scanning
• System hardening

• Best practices
• CIS
• NIST
• NSA
• OpenSCAP data
• Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)

--auditor "Given name Surname"     Assign an auditor name to the audit (report)
--checkall  -c  Start the check
--check-update     Check if Lynis is up-to-date
--cronjob     Run Lynis as cronjob (includes -c -Q)
--help  -h  Shows valid parameters
--manpage     View man page
--nocolors     Do not use any colors
--pentest     Perform a penetration test scan (non-privileged)
--quick  -Q  Don't wait for user input, except on errors
--quiet     Only show warnings (includes --quick, but doesn't wait)
--reverse-colors   Use a different color scheme for lighter backgrounds
--version  -V  Check program version (and quit)

=  Lynis 2.1.1 (2015-07-22)  =

    This release adds a lot of improvements, with focus on performance, and
    additional support for common Linux distributions and external utilities.
    We recommend to use this latest version.

    * Operating system enhancements
    -------------------------------
    Support for systems like CentOS, openSUSE, Slackware is improved.

    * Performance
    -------------
    Performance tuning has been applied, to speed up execution of the audit on
    systems with many files. This also includes code cleanups.

    * Automatic updates
    -------------------
    Initial work on an automatic updater has been implemented. This way Lynis
    can be scheduled for automatic updating from a trusted source.

    * Internal functions
    --------------------
    Not all systems have readlink, or the -f option of readlink. The
    ShowSymlinkPath function has been extended with a Python based check, which
    is often available.

    * Software support
    ------------------
    Apache module directory /usr/lib64/apache has been added, which is used on
    openSUSE.

    Support for Chef has been added.

    Added tests for CSF's lfd utility for integrity monitoring on directories and
    files. Related tests are FINT-4334 and FINT-4336.

    Added support for Chrony time daemon and timesync daemon. Additionally NTP
    sychronization status is checked when it is enabled.

    Improved single user mode protection on the rescue.service file.

    * Other
    -------
    Check for user permissions has been extended.
    Python binary is now detected, to help with symlink detection.
    Several new legal terms have been added, which are used for usage in banners.
    In several files old tests have been removed, to further clean up the code.

    * Bug fixes
    ---------
    Nginx test showed error when access_log had multiple parameters.
    Tests using locate won't be performed if not present.
    Fix false positive match on Squid unsafe ports [SQD-3624].
    The hardening index is now also inserted into the report if it is not displayed
    on screen.

    * Functions
    ---------
    Added AddSystemGroup function

    * New tests
    ---------
    Several new tests have been added:

    [PKGS-7366] Scan for debsecan utility on Debian systems
    [PKGS-7410] Determine amount of installed kernel packages
    [TIME-3106] Check synchronization status of NTP on systemd based systems
    [CONT-8102] Docker daemon status and gather basic details
    [CONT-8104] Check docker info for any Docker warnings
    [CONT-8106] Check total, running and unused Docker containers

    * Plugins
    ---------

    [PLGN-2602] Disabled by default, as it may be too slow for some machines
    [PLGN-3002] Extended with /sbin/nologin

    * Documentation
    ---------------
    A new document has been created to help with the process of upgrading Lynis.
    It is available at https://cisofy.com/documentation/lynis/upgrading/

  --------------------------------------------------------------

python passgen.py -l | sudo aircrack-ng --bssid 00:11:22:33:44:55 -w- WiFi.cap)

-l lowercase ascii
-l1 lowercase ascii + digits(0-9)
-U uppercase ascii
-U1 uppercase ascii + digits
-lU lowercase + uppercase ascii
-lU1 lowercase + uppercase ascii + digits
-C [char] [length] custom character set + length

• Preinstalled Linux Kernel 3.16
• New Ubuntu 14.04.2 base
• Ruby 2.1
• Installer with LVM and Full Disk Encryption options
• Handy Thunar custom actions
• RAM wipe at shutdown/reboot
• System improvements
• Upstream components
• Bug corrections
• Performance boost
• Improved Anonymous mode
• Predisposition to ARM architecture (armhf Debian packages)
• Predisposition to BackBox Cloud platform
• New and updated hacking tools: beef-project, btscanner, dirs3arch, metasploit-framework, ophcrack, setoolkit, tor, weevely, wpscan, etc.

• 32-bit or 64-bit processor
• 512 MB of system memory (RAM)
• 6 GB of disk space for installation
• Graphics card capable of 800×600 resolution
• DVD-ROM drive or USB port (2 GB)

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install -f
sudo apt-get install linux-image-generic-lts-utopic linux-headers-generic-lts-utopic linux-signed-image-generic-lts-utopic
sudo apt-get purge ri1.9.1 ruby1.9.1 ruby1.9.3 bundler
sudo gem cleanup
sudo rm -rf /var/lib/gems/1.*
sudo apt-get install backbox-default-settings backbox-desktop backbox-tools --reinstall
sudo apt-get install beef-project metasploit-framework whatweb wpscan setoolkit --reinstall
sudo apt-get autoremove --purge