Howto convert Outlook .msg files to normal MIME mails
June 29, 2014
Just got a Microsoft Outlook .msg file and I needed to convert it to something I could read on the console. Its quite simple to convert it to a normal MIME mail .. here for Ubuntu 14.04 but it should be as simple on other distributions:
sudo apt-get install libemail-outlook-message-perl libemail-localdelivery-perl
wget http://www.matijs.net/software/msgconv/msgconvert.pl
perl msgconvert.pl filename.msg
the result file name is filename.msg.mime
.
Android Devices send many Multicast Packets per Second for Chromecast – How to disable it?
June 28, 2014
While tracing/sniffing for something, I mirrored all packets of my mobile phone to Wireshark and I was was really astonished to see many multicast DNS requests (_googlecast._tcp.local) from my mobile …
As you see, these are more than 15 packets per second, which leaded at once to following 3 thoughts:
- That can’t be good for the battery
- The mobile is sending this surely not only in my home network but also in hotspot networks … I don’t like that for security/privacy reasons (specially what happens if the phone gets an answer and maybe sends more info about itself)
- I’m not using Chromecast anywhere
Which leaded at once to the question:
- How can I disable this?
So I went on a search trough the Internet …. but I was not able to find a solution. So the question to the community .. has someone an idea how I can disable that?
ps: I found only one guy asking the same question in the xda developers forum
Howto install and use the Burp Suite as HTTPS Proxy on Ubuntu 14.04
June 26, 2014
This article shows you how to intercept and analyze HTTPS traffic. This of course only works if you can add your CA to the client system or the client system does not check the key chain. But you would not believe how many clients, specially embedded devices and mobiles apps don’t check it. The software I use in this post is the Free version of the Burp Suite – from the homepage of the Burp Suite:
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Installation
As it is written in Java it is really easy to install and run. Just these 3 commands
sudo apt-get install openjdk-7-jre
wget http://portswigger.net/burp/burpsuite_free_v1.6.jar
sudo java -jar -Xmx2g burpsuite_free_v1.6.jar
I use sudo
for the Java process as it needs in my cases to listen on ports lower than 1024 and this requires root permissions. After entering the last command and accepting the EULA you get following window:
Now go to the Proxy | Intercept tab and click onto “Intercept is on” button to disabled it. Otherwise you’ll need to acknowledge every request.
The proxy is already running but only on localhost, we need it to listen on all to look at traffic from other devices.
And in this case I want to see the traffic to a specific host from my mobile, so I set Burp to port 443 and to invisible mode and define a redirect IP address (the original host IP address).
After this, you only need to set on my local DNS Server the wished host name to my desktop IP address and the traffic runs over it and if the client accepts the faked certificate you can look at the traffic. Which looks e.g. like this:
For other devices or requirements it is also possible to use Burp as a HTTP Proxy, just configured it on the client. ARP spoofing is also an idea…..
Howto setup a Mikrotik RouterOS with Suricata as IDS
June 1, 2014
Lets say you’ve a Mikrotik router as your internet router and you would like to detect bad traffic that is going over it, so basically you would like to have an IDS (Intrusion detection system). This article shows how you can setup a IDS with a Mikrotik router and Suricata running on a Ubuntu 14.04 (but it runs on any other Linux). This is no high performance setup for 10Gbit links, as in this case you would use a SPAN port a manged switch and you would need to tune the drivers, Linux and Suricata a bit (a lot actually for 10Gbit … and the server hardware is not cheap/small). This setup is for the SOHO (small office home office) space where you use the Mikrotik as your Internet router, be it for Cable or DSL. I use this setup at home and I’ve installed Ubuntu 14.04 64bit Server as virtual machine on my home server. No special switch or hardware is required as we facilitate the TaZmen Sniffer Protocol (TZSP) which is supported by Mikrotik. It is even possible to sent the data over a Layer-3 connection, you just need the bandwidth for the traffic you want to sent to Suricata.
I assume that Ubuntu 14.04 is installed (minimal server install is recommended).
Mikrotik Setup
You just need to configure it to copy the traffic to the Linux server with these commands:
/tool sniffer set filter-stream=yes streaming-enabled=yes streaming-server=xxx.xxx.xxx.xxx
/tool sniffer start
xxx.xxx.xxx.xxx
is the IP of the Linux server
Basic Suricata Setup
First we change into the super user mode for every command we execute later:
sudo bash
Now we add the stable Suricata PPA to our system. At the time of writing the stable version is 2.0.1.
add-apt-repository ppa:oisf/suricata-stable
apt-get update
apt-get install suricata oinkmaster
Now we download the open/free Emerging Threats rules for the first tests. (There are also commercial rules available.)
cd /etc/suricata/
wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
tar -xzf emerging.rules.tar.gz
We use the reference.config from ET:
mv reference.config reference.config.orig
ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config
And we need to create one file and one directory:
touch /etc/suricata/threshold.config
mkdir /var/log/suricata
In the 2.0.1 packages one file got forgotten, so check if it is also missing in your version and if so download it manually.
ll /etc/suricata/rules/dns-events.rules
If it is missing … do following:
cd /etc/suricata/rules
wget https://raw.githubusercontent.com/inliniac/suricata/master/rules/dns-events.rules
Test Suricata alone
To make the first test call it like this (wait for some minutes):
suricata -c /etc/suricata/suricata.yaml -i eth0
you should get some files in /var/log/suricata
root@nids:/var/log/suricata# ll
total 364
drwxr-xr-x 2 root root 4096 Jun 1 13:45 ./
drwxrwxr-x 10 root syslog 4096 Jun 1 13:32 ../
-rw-r--r-- 1 root root 46195 Jun 1 13:51 eve.json
-rw-r--r-- 1 root root 25138 Jun 1 13:51 fast.log
-rw-r--r-- 1 root root 0 Jun 1 13:36 http.log
-rw-r--r-- 1 root root 236014 Jun 1 13:51 stats.log
-rw-r--r-- 1 root root 1846 Jun 1 13:36 unified2.alert.1401622567
-rw-r--r-- 1 root root 42445 Jun 1 13:51 unified2.alert.1401623113
Test the Mikrotik sniffer stream
Check if you get traffic by first downloading trafr from here and copy it to /usr/local/bin
and extract and test it like this:
cd /usr/local/bin/
tar xzf trafr.tgz
./trafr
If you get -bash: ./trafr: No such file or directory
, take a look at this post. Now check with tcpdump if you’re getting any packets (hit CTRL-C to stop)
trafr -s | tcpdump -r - -n
If you don’t get packets something is wrong with the Mikrotik setup or the packets getting filtered/blocked.
Connect Suricata with Mikrotik sniffer stream
I assume that you got packets and are now ready for your first run of Suricata with the Mikrotik sniffer stream. Just enter following command …
trafr -s | suricata -c /etc/suricata/suricata.yaml -r -
.. and open a second console and type following
tail -f /var/log/suricata/fast.log
your should see output like this (this are just examples)
06/01/2014-14:50:22.703188 [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} xxx.xxx.xxx.xxx:17500 -> 255.255.255.255:17500
06/01/2014-14:57:16.608473 [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:443 -> xxx.xxx.xxx.xxx:49503
06/01/2014-15:26:03.601539 [**] [1:2006380:13] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:58188 -> xxx.xxx.xxx.xxx:8080
If you got also some entries its good, it works – we need to make it permanent now.
Auto-Update ET Rules
Now that every works we need to configure it in a way to get new rules every night. For this we add following line at the end of /etc/oinkmaster.conf
url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
To test it we run following command:
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
So the config works we create /etc/cron.daily/suricataUpdateRules
with following content:
#!/bin/bash
/usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules |& grep -i "error" > /dev/null
/bin/kill -USR2 `pidof suricata`
After we created it we need to make it executable:
chmod 755 /etc/cron.daily/suricataUpdateRules
Init Script
The last step is to make a init script so everything is started automatically, for this create a file /etc/init/suricata.conf
with following content:
# suricata
description "Intruder Detection System Daemon"
start on runlevel [2345]
stop on runlevel [!2345]
expect fork
exec /usr/local/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml -r - &
Stop the test Suricata command and try it with the init script:
start suricata
You should get something like this:
suricata start/running, process 8003
But to make sure everything is really running, call
ps aux | grep -E "(suri|trafr)"
and you should get following output:
root 8003 0.1 0.0 2020 272 ? S 14:50 0:00 trafr -s
root 8005 8.8 17.5 841852 360556 ? Sl 14:50 0:15 suricata -c /etc/suricata/suricata.yaml -r -
And that’s it. Your IDS is running in a basic configuration. You now need to tune your rules and maybe you want to install a Web GUI for your IDS. I can recommend following to look at:
Howto fix -bash: ./trafr: No such file or directory?
Trafr is a program from Mikrotik which receives mirrored traffic from Mikrotik RouterOS systems. The linked blog article shows how to use it with Wireshark. This blog article shows how to get it working if you have following problem:
root@nids:/usr/local/bin# ll
total 12
drwxr-xr-x 2 root root 4096 Jun 1 13:59 ./
drwxr-xr-x 10 root root 4096 Jun 1 12:09 ../
-rw-r--r-- 1 root root 2629 Jun 1 13:53 trafr.tgz
root@nids:/usr/local/bin# tar xzf trafr.tgz
root@nids:/usr/local/bin# ll
total 20
drwxr-xr-x 2 root root 4096 Jun 1 13:59 ./
drwxr-xr-x 10 root root 4096 Jun 1 12:09 ../
-rwxr-xr-x 1 1003 root 4764 Mär 17 2004 trafr*
-rw-r--r-- 1 root root 2629 Jun 1 13:53 trafr.tgz
root@nids:/usr/local/bin# ./trafr
-bash: ./trafr: No such file or directory
The problem is that the trafr
program is a 32 bit application and you’re trying this on a 64bit OS without 32bit compatibility libraries. To verify that you can use following command:
file ./trafr
./trafr: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.0, stripped
On Ubuntu 14.04 you can that simple by doing following:
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386
and you get
sudo ./trafr
usage: trafr <file | -s> [ip_addr]
-s write output to stdout. pipe it into tcpdump for example:
./trafr -s | /usr/sbin/tcpdump -r -
ip_addr use to filter one source router by ip address
For older Ubuntu Version following helps (didn’t check at which version it changed):
apt-get install ia32-libs
For other distribution its similar. e.g. for CentOS6 or RHEL6 its
sudo yum install glibc.i686
Powered by WordPress
Entries and comments feeds.
Valid XHTML and CSS.
31 queries. 0.097 seconds.