Sunday, 21 December 2014

SSH port stats update

In a previous post we looked at a week's worth of attempts to brute force the SSHd at home. Let's look at the monthly statistics now to get a wider picture of the situation.

The top countries changed a bit with Hong Kong getting the first spot and bumping China to 2nd, while France came out of nowhere to 3rd place bumping Turkey and Russia a spot down!



Looking at the most persistent single IPs, China came first and Hong Kong second, with France keeping 3rd place.



From a username aspect, root monopolised the charts once again, with admin trailing miles behind. Simply put: if you leave PermitRootLogin set to "yes" in sshd_config (the OpenSSH default at the time), you are responsible for your own demise. Turning it off only removes the favourite target though; the admin guesses show the bots try other accounts too, so the real fix is PasswordAuthentication no and key-based logins.
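As an added example (not code from this post), here is a small POSIX sh audit of an sshd_config for the two settings that decide whether this kind of guessing can ever succeed. It assumes the stock whitespace-separated "Keyword value" layout, stops at the first Match block, and falls back to the pre-OpenSSH-7.0 defaults (both "yes") when a keyword is absent; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the original post's code: audit an sshd_config for the two
# settings that matter against the password guessing seen in the stats.
# Assumptions: stock "Keyword value" layout (not "Keyword=value"), and the
# pre-OpenSSH-7.0 defaults (PermitRootLogin yes, PasswordAuthentication yes)
# when a keyword is absent.

# Effective value of a keyword in the global section. sshd uses the FIRST
# uncommented occurrence and ignores later duplicates, so a hardening line
# appended at the end of the file does nothing if a permissive one sits above it.
ssh_setting() {
  awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }           # comments and blank lines
    tolower($1) == "match" { exit }               # global section ends at Match
    tolower($1) == kw { print tolower($2); exit } # first occurrence wins
  ' "$1"
}

# Print one WEAK line per problem; return 0 only when both settings are safe.
ssh_audit() {
  cfg="$1"; rc=0
  prl=$(ssh_setting "$cfg" PermitRootLogin);        [ -n "$prl" ] || prl=yes
  pwa=$(ssh_setting "$cfg" PasswordAuthentication); [ -n "$pwa" ] || pwa=yes
  case "$prl" in
    no|prohibit-password|without-password) ;;   # root by key only, or not at all
    *) echo "WEAK: PermitRootLogin is '$prl' (set it to no)"; rc=1 ;;
  esac
  if [ "$pwa" != no ]; then
    echo "WEAK: PasswordAuthentication is '$pwa' (use keys and set it to no)"; rc=1
  fi
  return $rc
}

# Constructed sample configs for the demonstration.
TMP=$(mktemp -d)
WEAK_CFG="$TMP/sshd_config.weak"
HARD_CFG="$TMP/sshd_config.hard"

# Looks hardened at a glance, but the first PermitRootLogin line wins and
# password logins are still on by default.
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
# ... many lines later, a well-meant but ignored override:
PermitRootLogin no
EOF

cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
  if ssh_audit "$f"; then echo "$f: OK"; else echo "$f: NOT hardened"; fi
done
```

The weak sample is the trap worth knowing: sshd honours the first occurrence of a keyword, so a PermitRootLogin no appended to a file that already says yes changes nothing. On a live host, sshd -T dumps the configuration that is actually in effect and is the authoritative check.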


The attempt volume is quite erratic, yet there is a clear drop around the weekends... even hackers have to clock out, I guess!



Lastly the map has not changed much other than France overtaking pretty much everyone except China and Hong Kong!



Hope you enjoyed that :)

Stay tuned for more




Tuesday, 16 December 2014

Security & Forensics USB Swiss Knife (update)

In the past I wrote a very similar post detailing the creation of a USB Swiss knife for security and forensic purposes... and since it's been more than a year, it's time for an update!

Still using YUMI (if it ain't broke, don't fix it!), which makes the process very easy to complete. Quite a few of the ISOs below are not in YUMI's list, so you want to add them as Unlisted ISOs (GRUB).

I will break the contents down into three main categories {bootables,incident-response,toolbox}

[ bootables ]

Dual Booting Win8.1PE x86 & x64
Gandalf's_Win8.1SE_x64_&_x86_dual_boot v1.1

AVG Rescue - A powerful toolset for rescue & repair of infected machines

Darik's Boot and Nuke - A hard drive disk wipe and data clearing utility
Hiren's BootCD 15.2 - Legacy collection of useful utilities

Kali linux - Penetration testing distro

Kon-Boot - one pendrive to bypass the Windows and Mac OS X password authentication process.
Tails - The Amnesic Incognito Live System
DEFT (Digital Evidence & Forensic Toolkit) is a customised distribution of the Ubuntu live Linux CD.
Lightweight Portable Security (LPS) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac)

CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.

Kaspersky Rescue Disk 10 is designed to scan, disinfect and restore infected operating systems. It should be used when it is impossible to boot the operating system.
kav_rescue_10.iso

[ incident-response ]

CrowdInspect is a free community tool for Microsoft Windows systems that aims to alert you to the presence of potential malware on your computer that may be communicating over the network. It is a host-based process inspection tool that uses multiple sources of information to detect untrusted or malicious network-active processes.
http://www.crowdstrike.com/community-tools/


Crowd Response is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. The application contains numerous modules, each of them invoked by providing specific command line parameters to the main application.
http://www.crowdstrike.com/community-tools/


SysInternals - The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools.
http://technet.microsoft.com/en-gb/sysinternals/bb842062.aspx

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
http://processhacker.sourceforge.net/

[ toolbox ]


windows-binaries.zip
It's always handy to have those binaries with you without having to boot up Kali, so go to your Kali box and:
cd /usr/share/
zip -r /root/windows-binaries.zip windows-binaries/
(-r is needed; without it zip stores only the directory entry and none of the files.)

ProduKey is a small utility that displays the ProductID and the CD-Key of Microsoft Office (Microsoft Office 2003, Microsoft Office 2007), Windows (Including Windows 7 and Windows Vista), Exchange Server, and SQL Server installed on your computer. 


ESET SysInspector is an easy to use diagnostic tool that helps troubleshoot a wide range of system issues.
http://www.eset.com/int/support/sysinspector/

The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world
https://www.torproject.org/projects/torbrowser.html.en

File Scavenger is a data recovery utility that supports multiple file-system types: NTFS, FAT 32/16/12, Ext3, Ext4, XFS, HFS+, HFSX, UFS1 and UFS2. A personal license is $54, which for the range of file systems it supports is not bad at all.

http://www.quetek.com/prod02.htm

VeraCrypt is a TrueCrypt fork that hardens the key derivation used for system and partition encryption (far more iterations than TrueCrypt), which makes brute-forcing the passphrase much slower. It is not "immune" to brute force: a weak passphrase is still a weak passphrase.
https://veracrypt.codeplex.com/releases/view/132239

I think that's enough! I'd package it all and have it here to download, but the logistics of getting permission to "distribute" are giving me a headache.

Enjoy :) 

Monday, 1 December 2014

SSH port Stats


So I left the SSH port open on one of my systems and gathered some logs. A script collects the information needed from all the failed attempts by the variety of unwanted visitors.

So far the script:

  • looks for failed password attempts in auth.log,
  • gets the country code from a whois lookup of each unique IP address,
  • maps the country code to a country name,
  • tries to get the city from ipinfo.io and falls back to the country name if need be,
  • and finally exports everything to a nice CSV so we can import it into Excel and get some pretty graphs.

Script is available here:
https://github.com/npavlidis/scripts/blob/master/authdata.sh
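As an added example (this is not the authdata.sh script linked above), here is the offline part of the same pipeline in POSIX sh and awk, run over a constructed auth.log excerpt that uses documentation addresses rather than real attackers. It assumes the syslog-style OpenSSH "Failed password for ..." lines and leaves out the whois / ipinfo.io lookups, which need the network.

```shell
#!/bin/sh
# Added example, not the post's authdata.sh: parse failed password attempts out
# of auth.log, aggregate them, and emit CSV, over a constructed log.
# Assumes the classic syslog-style OpenSSH line format; the whois/ipinfo.io
# country and city lookups are left out because they need the network.

# One "user,ip" row per failed password attempt. The user name is not at a
# fixed field: "Failed password for root from ..." versus
# "Failed password for invalid user admin from ...", so walk the fields
# instead of using $9, or every "invalid user" line would report "invalid".
failed_attempts() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      user = ""; ip = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "for")  user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
        if ($i == "from") ip = $(i+1)
      }
      if (user != "" && ip != "") print user "," ip
    }' "$1"
}

# Attempt counts, most active first ("count value" lines, as uniq -c prints).
top_ips()   { failed_attempts "$1" | cut -d, -f2 | sort | uniq -c | sort -rn; }
top_users() { failed_attempts "$1" | cut -d, -f1 | sort | uniq -c | sort -rn; }

# Per-IP CSV ready for a spreadsheet: ip,attempts,distinct_users.
ip_summary() {
  echo "ip,attempts,distinct_users"
  failed_attempts "$1" | awk -F, '
    { n[$2]++; if (!seen[$2 SUBSEP $1]++) u[$2]++ }
    END { for (ip in n) print ip "," n[ip] "," u[ip] }' | sort -t, -k2,2nr
}

# Constructed auth.log excerpt (RFC 5737 documentation addresses).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Dec  1 03:14:07 home sshd[1234]: Invalid user admin from 203.0.113.7
Dec  1 03:14:07 home sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec  1 03:14:09 home sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Dec  1 03:15:01 home sshd[1240]: Accepted publickey for nick from 198.51.100.2 port 40000 ssh2
Dec  1 03:16:22 home sshd[1251]: Failed password for root from 198.51.100.9 port 33333 ssh2
Dec  1 03:16:25 home sshd[1251]: Failed password for invalid user oracle from 198.51.100.9 port 33335 ssh2
Dec  1 03:16:26 home sshd[1251]: Connection closed by 198.51.100.9 [preauth]
Dec  1 03:17:00 home sshd[1260]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Dec  1 03:17:03 home sshd[1260]: Failed password for root from 203.0.113.7 port 51242 ssh2
EOF

echo "== attempts per IP ==";   top_ips "$LOG"
echo "== attempts per user =="; top_users "$LOG"
echo "== csv ==";               ip_summary "$LOG"
```

The "Invalid user" and "Connection closed" lines are there on purpose: they belong to the same sessions but are not attempts, and counting them would inflate the numbers. The ip column of the CSV is the place to hang the whois country and ipinfo.io city lookups, one query per unique address rather than per attempt.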

Now data.csv was imported into Excel and voilà... here are some statistics with some pretty graphs.

The first unexpected statistic was Turkey coming 3rd, ahead of Russia... well played, neighbours!

And saving the prettiest for last, a Bing map of the source countries:




And while we are on the subject of SSH security, fail2ban is worth a look: it watches the same auth.log for repeated failures and firewalls the offending IP for a while.

Hope you enjoyed that :) 

Stay tuned for more