Difference between revisions of "Security packages"

From YobiWiki
Latest revision as of 22:26, 6 August 2014

Here is a list of security-related packages available in Debian-like distros that I'm using.
My setup is based on LMDE with pinned Debian and Kali repositories.

==network==

arping                         - sends IP and/or ARP pings (to the MAC address)
dsniff                         - Various tools to sniff network traffic for cleartext insecurities
etherwake                      - tool to send magic Wake-on-LAN packets
iodine                         - tool for tunneling IPv4 data through a DNS server
kismet                         - wireless sniffer and monitor - core
kismet-plugins                 - wireless sniffer and monitor - plugins
ndisc6                         - IPv6 diagnostic tools
netcat                         - TCP/IP swiss army knife -- transitional package
netsniff-ng                    - packet sniffing beast
nmap                           - The Network Mapper
socat                          - multipurpose relay for bidirectional data transfer
sshfs                          - filesystem client based on SSH File Transfer Protocol
themole                        - automatic SQL injection exploitation tool

==forensics==

autopsy                        - graphical interface to SleuthKit
chkrootkit                     - rootkit detector
cruft                          - program that finds any cruft built up on your system
dc3dd                          - patched version of GNU dd with forensic features
dcfldd                         - enhanced version of dd for forensics and security
ext4magic                      - recover deleted files from ext3 or ext4 partitions
foremost                       - forensic program to recover lost files
gpart                          - Guess PC disk partition table, find lost partitions
logkeys                        - keylogger for GNU/Linux systems
mac-robber                     - collects data about allocated files in mounted filesystems
memdump                        - utility to dump memory contents to standard output
pdfresurrect                   - tool for extracting/scrubbing versioning data from PDF documents
recoverdm                      - recover files/disks with damaged sectors
recoverjpeg                    - tool to recover JPEG images from a filesystem image
rkhunter                       - rootkit, backdoor, sniffer and exploit scanner
tiger                          - Report system security vulnerabilities
unhide.rb                      - Forensic tool to find processes hidden by rootkits
vinetto                        - A forensics tool to examine Thumbs.db files
wipe                           - Secure file deletion
vbindiff                       - visual binary diff, visually compare binary files

Kali:

recover                        - Undelete files on ext2 partitions

==stegano==

outguess                       - Universal Steganographic tool
steghide                       - A steganography hiding tool

==crypto==

fcrackzip                      - password cracker for zip archives
password-gorilla               - cross-platform password manager
pdfcrack                       - PDF files password cracker
ssss                           - Shamir's secret sharing scheme implementation
rotix                          - A program to generate rotational obfuscations
john                           - active password cracking tool

John is more complete on Kali, so let's pin it. Add to /etc/apt/preferences.d/kali-package-repositories.pref:

Package: john john-data
Pin: release n=kali
Pin-Priority: 990

==reverse-engineering==

flasm                          - assembler and disassembler for Flash (SWF) bytecode

Kali:

binwalk                        - A firmware analysis tool

Install it from the Kali repository:

apt-get install binwalk/kali

==coding==

ckport                         - portability analysis and security checking tool
cppcheck                       - tool for static C/C++ code analysis
flawfinder                     - examines source code and looks for security weaknesses
pychecker                      - tool to find common bugs in Python source code
pylint                         - python code static checker and UML diagram generator

==Specific installation instructions==

===Building dependencies===

Some of the software requires build prerequisites; see [[LMDE#devel]].

===LUKS Nuke===

* http://www.kali.org/how-to/emergency-self-destruction-luks-kali/

The first part of the new feature is to actually store a "nuke" passphrase in a keyslot. However, this passphrase does not encrypt the masterkey used for en-/decrypting the partition, but rather encrypts a magic value (0x0...0).

 cryptsetup luksAddNuke <device>

It behaves pretty much like a "luksAddKey", only that the actual keyslot data does not contain any cryptographic material.
The second part of the implementation is a modification of the function that unlocks a keyslot and extracts the key material for en-/decryption. This function now contains a check for said magical value and deletes all keyslots if it encounters it.
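The keyslot logic just quoted, modelled in Python as an added example (not cryptsetup's code; the PBKDF2 stand-in for the LUKS KDF, the XOR "encryption" and the class and function names are constructed simplifications): a nuke slot has the same layout as a normal slot, but unlocking it wipes every slot instead of yielding the master key.

```python
import hashlib
import hmac
import os

# Constructed toy model of the LUKS nuke keyslot mechanism; not cryptsetup's implementation.
MAGIC = b"\x00" * 32      # the "magic value (0x0...0)" a nuke slot protects instead of the master key


def slot_key(passphrase: bytes, salt: bytes) -> bytes:
    """Per-slot key derived from the passphrase (PBKDF2 stands in for LUKS's real KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10_000, dklen=32)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LuksHeaderSim:
    """Each keyslot stores 32 bytes of material XOR-encrypted under a passphrase-derived key.
    Like LUKS, the header keeps only a digest of the master key to recognise a correct unlock."""

    def __init__(self):
        self.master_key = os.urandom(32)
        self.mk_digest = hashlib.sha256(self.master_key).digest()
        self.slots = {}   # slot id -> (salt, encrypted material)

    def _add(self, slot: int, passphrase: bytes, material: bytes) -> None:
        salt = os.urandom(16)
        self.slots[slot] = (salt, xor(material, slot_key(passphrase, salt)))

    def luks_add_key(self, slot: int, passphrase: bytes) -> None:
        self._add(slot, passphrase, self.master_key)

    def luks_add_nuke(self, slot: int, passphrase: bytes) -> None:
        # Same slot layout as luksAddKey, but the protected material is MAGIC, not the master key
        self._add(slot, passphrase, MAGIC)

    def open(self, passphrase: bytes):
        """Try each slot with the passphrase: return the master key, or None.
        Decrypting a slot to MAGIC triggers the nuke: every slot is destroyed first."""
        for salt, blob in list(self.slots.values()):
            candidate = xor(blob, slot_key(passphrase, salt))
            if hmac.compare_digest(candidate, MAGIC):
                self.slots.clear()
                return None
            if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.mk_digest):
                return candidate
        return None
```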

apt-get install cryptsetup/kali cryptsetup-bin/kali libcryptsetup4/kali

If the initrd was not rebuilt in the process:

dpkg-reconfigure cryptsetup
cryptsetup luksAddNuke /dev/sda1

Better to pin it. Add to /etc/apt/preferences.d/kali-package-repositories.pref:

Package: /cryptsetup/
Pin: release n=kali
Pin-Priority: 990

===pwsafe===

Has to be backported from squeeze: get and install these:

http://ftp.de.debian.org/debian/pool/main/o/openssl/libssl0.9.8_0.9.8o-4squeeze14_amd64.deb
http://ftp.de.debian.org/debian/pool/main/p/pwsafe/pwsafe_0.2.0-3_amd64.deb

===IDA Pro===

See http://blog.stalkr.net/2014/01/ida-on-debian-amd64-with-python.html
Run the installation file.
It requires libglib2.0-0, but because of chromium/jessie we need the jessie one:

apt-get install -t jessie libglib2.0-0:i386 libselinux1:i386
apt-get install libstdc++6:i386 libc6-i686:i386 libexpat1:i386 libffi6:i386 libfontconfig1:i386 libfreetype6:i386 libgcc1:i386 libglib2.0-0:i386 \
    libice6:i386 libpcre3:i386 libpng12-0:i386 libsm6:i386 libstdc++6:i386 libuuid1:i386 libx11-6:i386 libxau6:i386 libxcb1:i386 \
    libxdmcp6:i386 libxext6:i386 libxrender1:i386 zlib1g:i386
apt-get install libpython2.7:i386

===logkeys===

apt-get install logkeys

Find keyboard device to see which eventX to use:

grep "^[NH]" /proc/bus/input/devices

Edit /etc/default/logkeys:

ENABLED=1
LOGFILE=/var/log/logkeys
DEVICE=/dev/input/event0

Prevent it from starting automatically:

update-rc.d logkeys disable

Allow starting it without a password prompt by creating /etc/sudoers.d/logkeys:

<myuser>     ALL = NOPASSWD: /etc/init.d/logkeys

Provide stealth hooks under a name of your choice, e.g. "sl" (for a misspelled "ls"), etc. The start hook:

#!/bin/bash
sudo /etc/init.d/logkeys start >/dev/null
echo "bash: $(basename "$0"): command not found"
exit 127

The stop hook:

#!/bin/bash
sudo /etc/init.d/logkeys stop >/dev/null
echo "bash: $(basename "$0"): command not found"
exit 127

If you get wrong keys in the log, create a mapfile according to /usr/share/doc/logkeys/README.gz ch. 4.2, save it as /etc/logkeys-keymap and, to load it, add to /etc/default/logkeys:

DAEMON_OPTS="--keymap /etc/logkeys-keymap"

But /etc/init.d/logkeys adds the incompatible option -u, which we have to remove, so edit /etc/init.d/logkeys:

DAEMON_OPTS="-s -d $DEVICE -o $LOGFILE $DAEMON_OPTS"

===Wireshark===

tshark                         - network traffic analyzer - console version
wireshark                      - network traffic analyzer - GTK+ version

apt-get install wireshark tshark
dpkg-reconfigure wireshark-common
adduser <myuser> wireshark

===GUFW===

Firewall:

apt-get install gufw

Add a menu entry manually; see /usr/share/applications/gufw.desktop.
Right-click the Mint Menu, select "Configure", then "Open the menu editor", click a software category, then "New Item".

===mitmproxy===

mitmproxy                      - SSL-capable man-in-the-middle HTTP proxy

See http://mitmproxy.org/

apt-get install mitmproxy/jessie python-netlib/jessie

After the first run of mitmproxy, the certs are created.
Install ~/.mitmproxy/mitmproxy-ca-cert.cer as a certificate authority, or:
run mitmproxy, visit http://mitm.it and install the certificate.

To run mitmproxy on a router as a transparent proxy, e.g. on the exit node of my VPN,
I keep the same certs as my local ones:

scp -r .mitmproxy myvpn.box:

On myvpn.box I have the following scripts:
./mitmproxy:

#!/bin/sh
# Redirect HTTP and HTTPS arriving on the VPN interface (tap0) to the transparent proxy port
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 80 -j REDIRECT --to-port 8765
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 443 -j REDIRECT --to-port 8765
export LANG=en_US.UTF-8
mitmproxy -T --host -p 8765 "$@"
# Remove the redirect rules again once the proxy exits
iptables -t nat -D PREROUTING -i tap0 -p tcp --dport 80 -j REDIRECT --to-port 8765
iptables -t nat -D PREROUTING -i tap0 -p tcp --dport 443 -j REDIRECT --to-port 8765

./mitmdump:

#!/bin/sh
# Same redirect as ./mitmproxy, but with the non-interactive mitmdump
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 80 -j REDIRECT --to-port 8765
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 443 -j REDIRECT --to-port 8765
export LANG=en_US.UTF-8
mitmdump -T --host -p 8765 "$@"
# Remove the redirect rules again once the dump exits
iptables -t nat -D PREROUTING -i tap0 -p tcp --dport 80 -j REDIRECT --to-port 8765
iptables -t nat -D PREROUTING -i tap0 -p tcp --dport 443 -j REDIRECT --to-port 8765

And I can call them remotely:
vpn_mitmproxy:

ssh -t myvpn.box ./mitmproxy "$@"

vpn_mitmdump:

ssh myvpn.box ./mitmdump "$@"

===PyCryptoPlus===

$ git clone https://github.com/doegox/python-cryptoplus
$ cd python-cryptoplus/
# python setup.py install

==Smartcard / RFID / NFC related==

===Belgian eID===

cf http://eid.belgium.be/fr/utiliser_votre_eid/installer_le_logiciel_eid/linux/ (choose the Debian 64-bit package).
See also https://code.google.com/p/eid-mw/wiki/ChromeLinux:

libnss3-tools                  - Network Security Service tools

Close Chrome

cd
modutil -dbdir sql:.pki/nssdb/ -add "Belgium eID" -libfile /usr/lib/libbeidpkcs11.so
modutil -dbdir sql:.pki/nssdb/ -list

===EMV-CAP===

python setup.py install

And install:

python-pyscard                 - Python wrapper above PC/SC API

===libnfc/libfreefare===

libfreefare-bin                - MIFARE card manipulations binaries
libfreefare-dev                - MIFARE card manipulations library (development files)
libfreefare-doc                - documentation for libfreefare
libnfc-bin                     - Near Field Communication (NFC) binaries
libnfc-dev                     - Near Field Communication (NFC) library (development files)
libnfc-examples                - Near Field Communication (NFC) examples
libnfc-pn53x-examples          - Near Field Communication (NFC) examples for PN53x chips only

Better to pin what we always want from Debian directly. Add to /etc/apt/preferences.d/debian-package-repositories.pref:

Package: libnfc*
Pin: origin ftp.be.debian.org
Pin-Priority: 990

Package: libfreefare*
Pin: origin ftp.be.debian.org
Pin-Priority: 990

Then:

apt-get install libnfc-bin libnfc-dev libnfc-examples libnfc-pn53x-examples
apt-get install libfreefare-bin libfreefare-dev libfreefare-doc
modprobe -r pn533
adduser <myuser> plugdev
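As an added example that is not part of this wiki page, a small Python model of how apt reads the pin stanzas written above (the john pin, the /cryptsetup/ regex pin and the libnfc* origin pin); the source dicts, the default priority of 500 and the function names are constructed simplifications of apt_preferences(5), and general-form "Package: *" records are not modelled.

```python
import fnmatch
import re
# Constructed sample: the pin stanzas this page adds for Kali and for the Debian mirror
SAMPLE_PREFS = """\
Package: john john-data
Pin: release n=kali
Pin-Priority: 990

Package: /cryptsetup/
Pin: release n=kali
Pin-Priority: 990

Package: libnfc*
Pin: origin ftp.be.debian.org
Pin-Priority: 990
"""


def parse_preferences(text: str) -> list:
    """Split an apt_preferences(5) file into stanzas, each a {field: value} dict."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (line.partition(":") for line in block.splitlines())
        stanzas.append({k.strip(): v.strip() for k, _, v in fields})
    return stanzas


def package_matches(spec: str, name: str) -> bool:
    """'Package:' accepts space-separated names, shell globs (libnfc*) or /regex/ (matched anywhere)."""
    for item in spec.split():
        if len(item) > 2 and item[0] == item[-1] == "/":
            if re.search(item[1:-1], name):
                return True
        elif fnmatch.fnmatchcase(name, item):
            return True
    return False


def pin_matches(pin: str, source: dict) -> bool:
    """'Pin:' field against a package source, e.g. {"n": "kali"} or {"origin": "ftp.be.debian.org"}."""
    kind, _, arg = pin.partition(" ")
    if kind == "origin":
        return source.get("origin") == arg
    if kind == "release":   # comma-separated key=value pairs, all of which must match
        return all(source.get(k) == v for k, v in (p.split("=", 1) for p in arg.split(",")))
    return False


def effective_priority(stanzas: list, name: str, source: dict, default: int = 500) -> int:
    """First matching stanza wins; otherwise the (simplified) default priority applies."""
    for s in stanzas:
        if package_matches(s["Package"], name) and pin_matches(s["Pin"], source):
            return int(s["Pin-Priority"])
    return default
```

With these pins, john and anything matching /cryptsetup/ win from Kali while libnfc* wins from the Debian mirror, so `apt-get install` without a /kali or /jessie suffix picks the intended source.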

===bp-tools===

From http://www.eftlab.co.uk/index.php/downloads/bp-tools
It needs libpthread-stubs0:

http://ftp.de.debian.org/debian/pool/main/libp/libpthread-stubs/libpthread-stubs0_0.3-3_amd64.deb
apt-get install libsqlite3-dev sqlite3
dpkg --purge bp-tools
dpkg -i bp-tools_14.04_amd64_free.deb