Difference between revisions of "Security packages"

From YobiWiki
Latest revision as of 22:26, 6 August 2014

Here is a list of security-related packages available in Debian-like distros that I'm using.
My setup is based on LMDE with pinned Debian and Kali repositories.

network

arping                         - sends IP and/or ARP pings (to the MAC address)
dsniff                         - Various tools to sniff network traffic for cleartext insecurities
etherwake                      - tool to send magic Wake-on-LAN packets
iodine                         - tool for tunneling IPv4 data through a DNS server
kismet                         - wireless sniffer and monitor - core
kismet-plugins                 - wireless sniffer and monitor - plugins
ndisc6                         - IPv6 diagnostic tools
netcat                         - TCP/IP swiss army knife -- transitional package
netsniff-ng                    - packet sniffing beast
nmap                           - The Network Mapper
socat                          - multipurpose relay for bidirectional data transfer
sshfs                          - filesystem client based on SSH File Transfer Protocol
themole                        - automatic SQL injection exploitation tool

forensics

autopsy                        - graphical interface to SleuthKit
chkrootkit                     - rootkit detector
cruft                          - program that finds any cruft built up on your system
dc3dd                          - patched version of GNU dd with forensic features
dcfldd                         - enhanced version of dd for forensics and security
ext4magic                      - recover deleted files from ext3 or ext4 partitions
foremost                       - forensic program to recover lost files
gpart                          - Guess PC disk partition table, find lost partitions
logkeys                        - keylogger for GNU/Linux systems
mac-robber                     - collects data about allocated files in mounted filesystems
memdump                        - utility to dump memory contents to standard output
pdfresurrect                   - tool for extracting/scrubbing versioning data from PDF documents
recoverdm                      - recover files/disks with damaged sectors
recoverjpeg                    - tool to recover JPEG images from a filesystem image
rkhunter                       - rootkit, backdoor, sniffer and exploit scanner
tiger                          - Report system security vulnerabilities
unhide.rb                      - Forensic tool to find processes hidden by rootkits
vinetto                        - A forensics tool to examine Thumbs.db files
wipe                           - Secure file deletion
vbindiff                       - visual binary diff, visually compare binary files

Kali:

recover                        - Undelete files on ext2 partitions

stegano

outguess                       - Universal Steganographic tool
steghide                       - A steganography hiding tool

crypto

fcrackzip                      - password cracker for zip archives
password-gorilla               - cross-platform password manager
pdfcrack                       - PDF files password cracker
ssss                           - Shamir's secret sharing scheme implementation
rotix                          - A program to generate rotational obfuscations
john                           - active password cracking tool

John is more complete on Kali, so let's pin it:

Add to /etc/apt/preferences.d/kali-package-repositories.pref

Package: john john-data
Pin: release n=kali
Pin-Priority: 990

reverse-engineering

flasm                          - assembler and disassembler for Flash (SWF) bytecode

Kali:

binwalk                        - A firmware analysis tool

Install it from the Kali repository:

apt-get install binwalk/kali

coding

ckport                         - portability analysis and security checking tool
cppcheck                       - tool for static C/C++ code analysis
flawfinder                     - examines source code and looks for security weaknesses
pychecker                      - tool to find common bugs in Python source code
pylint                         - python code static checker and UML diagram generator

Specific installation instructions

Building dependencies

Some of these programs require build prerequisites; see LMDE#devel

LUKS Nuke

See http://www.kali.org/how-to/emergency-self-destruction-luks-kali/ :

The first part of the new feature is to actually store a "nuke" passphrase in a keyslot. However, this passphrase does not encrypt the masterkey used for en-/decrypting the partition, but rather encrypts a magic value (0x0...0).

 cryptsetup luksAddNuke <device>

It behaves pretty much like a "luksAddKey", only that the actual keyslot data does not contain any cryptographic material.
The second part of the implementation is a modification of the function that unlocks a keyslot and extracts the key material for en-/decryption. This function now contains a check for said magical value and deletes all keyslots if it encounters it.
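A toy model of the keyslot logic just described, added here as an illustration (it is not code from cryptsetup or from the Kali patch): the nuke slot wraps only the all-zero magic value, and the unlock path erases every keyslot the moment it decrypts that value. PBKDF2, an XOR keystream and an HMAC are assumed stand-ins for LUKS's real key derivation, anti-forensic splitter and cipher.

```python
import hashlib
import hmac
import os

# Toy model of LUKS keyslots with the "nuke" extension. PBKDF2, an XOR keystream
# and an HMAC stand in for LUKS's real scheme; only the keyslot logic follows the text.
KEY_LEN = 32
NUKE_MAGIC = bytes(KEY_LEN)  # the all-zero "magic value" (0x0...0)
ITERATIONS = 10_000          # constructed; a real header uses far more

class NukeTriggered(Exception):
    """The nuke passphrase was used and every keyslot has been destroyed."""

def _kdf(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, KEY_LEN)

def _xor_stream(key, data):
    stream = hashlib.sha256(key + b"keystream").digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _wrap(key, material):
    """Encrypt 32 bytes of slot material and authenticate the ciphertext."""
    ct = _xor_stream(key, material)
    return ct, hmac.new(key, ct, "sha256").digest()

def _unwrap(key, ct, tag):
    """Return the slot material, or None if the passphrase-derived key is wrong."""
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return _xor_stream(key, ct)

class LuksHeader:
    def __init__(self, slots=8):
        self.master_key = os.urandom(KEY_LEN)
        self.slots = [None] * slots

    def _add(self, passphrase, material):
        idx = self.slots.index(None)  # first free keyslot
        salt = os.urandom(16)
        self.slots[idx] = (salt,) + _wrap(_kdf(passphrase, salt), material)
        return idx

    def luks_add_key(self, passphrase):
        return self._add(passphrase, self.master_key)  # wraps the real master key

    def luks_add_nuke(self, passphrase):
        return self._add(passphrase, NUKE_MAGIC)  # wraps only the magic, no key material

    def luks_open(self, passphrase):
        """Return the master key, or wipe every keyslot if the nuke slot opens."""
        for slot in self.slots:
            if slot is None:
                continue
            salt, ct, tag = slot
            material = _unwrap(_kdf(passphrase, salt), ct, tag)
            if material is None:
                continue  # wrong passphrase for this slot, try the next one
            if material == NUKE_MAGIC:
                self.slots = [None] * len(self.slots)  # the modified unlock path
                raise NukeTriggered("nuke passphrase used; all keyslots erased")
            return material
        raise KeyError("no keyslot matches this passphrase")
```

Because the wipe happens in the on-disk header it is irreversible; only a header backup taken beforehand (cryptsetup luksHeaderBackup) restores access.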

apt-get install cryptsetup/kali cryptsetup-bin/kali libcryptsetup4/kali

If initrd was not rebuilt in the process:

dpkg-reconfigure cryptsetup
cryptsetup luksAddNuke /dev/sda1

Better to pin it:
Add to /etc/apt/preferences.d/kali-package-repositories.pref

Package: /cryptsetup/
Pin: release n=kali
Pin-Priority: 990

pwsafe

These have to be backported from squeeze; download and install these two packages:

http://ftp.de.debian.org/debian/pool/main/o/openssl/libssl0.9.8_0.9.8o-4squeeze14_amd64.deb
http://ftp.de.debian.org/debian/pool/main/p/pwsafe/pwsafe_0.2.0-3_amd64.deb

IDA Pro

See http://blog.stalkr.net/2014/01/ida-on-debian-amd64-with-python.html
Run the installation file.
It requires libglib2.0-0, but because chromium comes from jessie we need the jessie version:

apt-get install -t jessie libglib2.0-0:i386 libselinux1:i386
apt-get install libstdc++6:i386 libc6-i686:i386 libexpat1:i386 libffi6:i386 libfontconfig1:i386 libfreetype6:i386 libgcc1:i386 libglib2.0-0:i386 \
    libice6:i386 libpcre3:i386 libpng12-0:i386 libsm6:i386 libstdc++6:i386 libuuid1:i386 libx11-6:i386 libxau6:i386 libxcb1:i386 \
    libxdmcp6:i386 libxext6:i386 libxrender1:i386 zlib1g:i386
apt-get install libpython2.7:i386

logkeys

apt-get install logkeys

Find the keyboard device to see which eventX to use:

grep "^[NH]" /proc/bus/input/devices

Edit /etc/default/logkeys:

ENABLED=1
LOGFILE=/var/log/logkeys
DEVICE=/dev/input/event0

Prevent it from starting automatically:

update-rc.d logkeys disable

To allow starting it without a password prompt, create /etc/sudoers.d/logkeys:

<myuser>     ALL = NOPASSWD: /etc/init.d/logkeys

Provide stealth hooks under a name of your choice, e.g. "sl" (for a misspelled "ls"). One script starts the logger:

#!/bin/bash
sudo /etc/init.d/logkeys start >/dev/null
echo "bash: $(basename $0): command not found"
exit 127

and a second one, under another name, stops it:

#!/bin/bash
sudo /etc/init.d/logkeys stop >/dev/null
echo "bash: $(basename $0): command not found"
exit 127

If the log shows wrong keys, create a keymap file as described in /usr/share/doc/logkeys/README.gz (chapter 4.2), save it as /etc/logkeys-keymap and load it by adding to /etc/default/logkeys:

DAEMON_OPTS="--keymap /etc/logkeys-keymap"

But /etc/init.d/logkeys adds the option -u, which is incompatible with this, so remove it by editing /etc/init.d/logkeys:

DAEMON_OPTS="-s -d $DEVICE -o $LOGFILE $DAEMON_OPTS"

Wireshark

tshark                         - network traffic analyzer - console version
wireshark                      - network traffic analyzer - GTK+ version
apt-get install wireshark tshark
dpkg-reconfigure wireshark-common
adduser <myuser> wireshark

GUFW

Firewall:

apt-get install gufw

Add a menu entry manually (see /usr/share/applications/gufw.desktop): right-click the Mint Menu, select "Configure" then "Open the menu editor", click a software category, then "New Item".

mitmproxy

mitmproxy                      - SSL-capable man-in-the-middle HTTP proxy

See http://mitmproxy.org/

apt-get install mitmproxy/jessie python-netlib/jessie

After the first run of mitmproxy, its CA certificates are created.
Install ~/.mitmproxy/mitmproxy-ca-cert.cer as a trusted authority, or:
Run mitmproxy, visit http://mitm.it and install the certificate from there.

To run mitmproxy as a transparent proxy on a router, e.g. on the exit node of my VPN, I keep the same certs as my local ones:

scp -r .mitmproxy myvpn.box:


On myvpn.box I have the following scripts:
./mitmproxy:

#!/bin/bash
# Redirect HTTP and HTTPS arriving on the VPN interface to mitmproxy, and remove
# the NAT rules again when mitmproxy exits, even when it is interrupted.
cleanup() {
    iptables -t nat -D PREROUTING -i tap0 -p tcp --dport 80 -j REDIRECT --to-port 8765
    iptables -t nat -D PREROUTING -i tap0 -p tcp --dport 443 -j REDIRECT --to-port 8765
}
trap cleanup EXIT
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 80 -j REDIRECT --to-port 8765
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 443 -j REDIRECT --to-port 8765
export LANG=en_US.UTF-8
mitmproxy -T --host -p 8765 "$@"

./mitmdump:

#!/bin/bash
# Same redirection as ./mitmproxy, but running the non-interactive mitmdump;
# the trap removes the NAT rules however mitmdump exits.
cleanup() {
    iptables -t nat -D PREROUTING -i tap0 -p tcp --dport 80 -j REDIRECT --to-port 8765
    iptables -t nat -D PREROUTING -i tap0 -p tcp --dport 443 -j REDIRECT --to-port 8765
}
trap cleanup EXIT
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 80 -j REDIRECT --to-port 8765
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 443 -j REDIRECT --to-port 8765
export LANG=en_US.UTF-8
mitmdump -T --host -p 8765 "$@"

And I can call them remotely:
vpn_mitmproxy:

ssh -t myvpn.box ./mitmproxy $*

vpn_mitmdump:

ssh myvpn.box ./mitmdump $*

PyCryptoPlus

$ git clone https://github.com/doegox/python-cryptoplus
$ cd python-cryptoplus/
# python setup.py install

Smartcard / RFID / NFC related

Belgian eID

See http://eid.belgium.be/fr/utiliser_votre_eid/installer_le_logiciel_eid/linux/ and choose the Debian 64-bit package.
See also https://code.google.com/p/eid-mw/wiki/ChromeLinux :

libnss3-tools                  - Network Security Service tools

Close Chrome

cd
modutil -dbdir sql:.pki/nssdb/ -add "Belgium eID" -libfile /usr/lib/libbeidpkcs11.so
modutil -dbdir sql:.pki/nssdb/ -list

EMV-CAP

python setup.py install

And install:

python-pyscard                 - Python wrapper above PC/SC API

libnfc/libfreefare

libfreefare-bin                - MIFARE card manipulations binaries
libfreefare-dev                - MIFARE card manipulations library (development files)
libfreefare-doc                - documentation for libfreefare
libnfc-bin                     - Near Field Communication (NFC) binaries
libnfc-dev                     - Near Field Communication (NFC) library (development files)
libnfc-examples                - Near Field Communication (NFC) examples
libnfc-pn53x-examples          - Near Field Communication (NFC) examples for PN53x chips only

Better to pin what we always want from Debian directly:
Add to /etc/apt/preferences.d/debian-package-repositories.pref

Package: libnfc*
Pin: origin ftp.be.debian.org
Pin-Priority: 990

Package: libfreefare*
Pin: origin ftp.be.debian.org
Pin-Priority: 990

Then:

apt-get install libnfc-bin libnfc-dev libnfc-examples libnfc-pn53x-examples
apt-get install libfreefare-bin libfreefare-dev libfreefare-doc
modprobe -r pn533
adduser <myuser> plugdev
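The pin stanzas on this page (john and john-data by name, /cryptsetup/ as a regex, libnfc* and libfreefare* as globs) decide which repository each package is taken from, and an over-broad pattern silently pulls in more than intended. This added Python model (not apt's own code, and a simplification of the rules in apt_preferences(5)) applies those three pattern forms to a constructed catalogue of versions, codenames and origins, so you can check what a pin actually catches; the version comparison is a deliberately simplified stand-in for dpkg's.

```python
import fnmatch
import re

DEFAULT_PRIORITY = 500  # apt's default for an available, not-installed version

# Constructed from the three pin stanzas used on this page: a list of names,
# a /regex/ and globs; the Pin field forms are "release n=<codename>" and
# "origin <host>", the only two this model understands.
PINS = [
    {"patterns": ["john", "john-data"], "pin": "release n=kali", "priority": 990},
    {"patterns": ["/cryptsetup/"], "pin": "release n=kali", "priority": 990},
    {"patterns": ["libnfc*", "libfreefare*"], "pin": "origin ftp.be.debian.org",
     "priority": 990},
]

def package_matches(pattern, name):
    """apt searches a /regex/ anywhere in the name; anything else is a full glob match."""
    if len(pattern) > 2 and pattern[0] == pattern[-1] == "/":
        return re.search(pattern[1:-1], name) is not None
    return fnmatch.fnmatchcase(name, pattern)

def pin_applies(pin, ver):
    kind, _, value = pin.partition(" ")
    return (kind == "release" and value == "n=" + ver["codename"]) or (
        kind == "origin" and value == ver["origin"])

def priority(pins, ver):
    """The first package-specific pin matching this version decides (apt_preferences(5))."""
    for pin in pins:
        if pin_applies(pin["pin"], ver) and any(
                package_matches(p, ver["name"]) for p in pin["patterns"]):
            return pin["priority"]
    return DEFAULT_PRIORITY

def version_key(v):
    return tuple(int(x) for x in re.findall(r"\d+", v))  # simplified, not dpkg's rules

def candidate(pins, versions, installed=None):
    """Highest priority wins, then newest; only a priority above 1000 may downgrade."""
    ok = [v for v in versions if installed is None or priority(pins, v) > 1000
          or version_key(v["version"]) >= version_key(installed)]
    return max(ok, key=lambda v: (priority(pins, v), version_key(v["version"])))

def constructed_demo():
    """Constructed catalogue: both repos offer each package; which one does apt pick?"""
    deb = {"codename": "jessie", "origin": "ftp.be.debian.org"}
    kali = {"codename": "kali", "origin": "http.kali.org"}
    catalogue = {                                        # (debian version, kali version)
        "john": ("1.8.0-1", "1.7.9-jumbo-7"),              # name-list pin -> kali
        "libcryptsetup4": ("2:1.6.6-5", "2:1.6.6-1kali1"),  # /cryptsetup/ regex -> kali
        "libnfc-bin": ("1.7.1-1", "1.7.1-2kali0"),          # origin pin -> debian
        "nmap": ("6.40-1", "6.46-1"),                       # unpinned: newest repo wins
    }
    out = {}
    for name, (dv, kv) in catalogue.items():
        vers = [dict(deb, name=name, version=dv), dict(kali, name=name, version=kv)]
        out[name] = candidate(PINS, vers)["codename"]
        if name == "john":
            # 990 < 1000: the kali pin cannot downgrade an already installed newer john
            out["john-installed"] = candidate(PINS, vers, installed=dv)["codename"]
    return out
```

The unpinned nmap row is the point to watch: anything not covered by a stanza floats to whichever repository carries the newest version.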

bp-tools

From http://www.eftlab.co.uk/index.php/downloads/bp-tools
Needs libpthread-stubs0:

http://ftp.de.debian.org/debian/pool/main/libp/libpthread-stubs/libpthread-stubs0_0.3-3_amd64.deb
apt-get install libsqlite3-dev sqlite3
dpkg --purge bp-tools
dpkg -i bp-tools_14.04_amd64_free.deb