0xStrait

Table of Contents Why is IDS necessary? Hardware requirements Software requirements Switch Setup Install Elasticsearch, Kibana and Wazuh Configure the Elasticsearch Configure Kibana Configure the Filebeat Set Suricata, Filebeat and Rogue Access Point on the Raspberry Pi 4 Configure Suricata Configure Filebeat Configure the Rogue Access Point Check the logs Why is IDS necessary? The IDS analyses traffic flows to the protected resource in order to detect and prevent exploits or other vulnerability issues, IDS can offer protection from external users and internal attackers, where traffic doesn’t go past the firewall at all. In this article, I will explain how to build your own home network-based Intrusion Detection System (IDS) using a low budget. NOTE: This network-based could be easily transformed into a strong SIEM by installing Wazuh-Agent on all devices that are part of the infrastructure, see the example. Hardware requirements Any router with multiple ports TP-Link TL-SG108E Smart Switch Raspberry Pi4 8GB Netgear AC1200 network adapter 1 x DigitalOcean VPS, minimum requirements: 4 GB Memory / 50 GB Disk / Ubuntu 22.10 x64 Software requirements Elasticsearch Kibana Filebeat Filebeat modules Suricata Switch Setup First of all, we need to set the ports that we want to mirror, in this case, ports 1, 2, and 3 will be mirrored to port 8. Let’s assume that you have already the Easy Smart Configuration Utility installed and configured. Login to your Switch Windows Application / Web interface Go to “Monitoring” Choose the “Port Mirror” option on the left menu Ok, all you have to do is to change the Port Mirror status to enable and Mirroring Port to port 8, next enable the “Ingress” and “Egress” for ports 1, 2, and 3, after that just click on “Apply”. To check if the traffic is mirrored, login to your Raspberry and capture the port 80 traffic while you do a browser/curl request to http://testphp.vulnweb.com/ using your device connected to any of the following ports 1, 2, or 3. It looks good: Install Elasticsearch, Kibana and Wazuh For this project, I used a Ubuntu VPS from DigitalOcean, as you probably know those components require many resources, if this system is used on a large scale is recommended to use a distributed system. In my case I use “All-in-one deployment”, so I highly recommend a server with a minimum of 4 GB Memory / 50 GB Disk / Ubuntu 22.10 x64. Login and update your server apt-get update Bash Install the requirements apt-get install curl apt-transport-https zip unzip lsb-release libcap2-bin -y Bash Trust the GPG key and add the Elasticsearch to your source list curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch --max-time 300 | apt-key add - echo 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' | eval "tee /etc/apt/sources.list.d/elastic-7.x.list" Bash Trust the GPG key, add the Wazuh to your source list and update the system curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH --max-time 300 | apt-key add - echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list apt-get update Bash Install components apt-get install elasticsearch kibana=7.11.2 wazuh-manager filebeat -y Bash Configure the Elasticsearch Create the file below to /etc/elasticsearch/elasticsearch.yml network.host: 0.0.0.0 node.name: elasticsearch cluster.initial_master_nodes: elasticsearch # Transport layer xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt # HTTP layer xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode: certificate xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt # Elasticsearch authentication xpack.security.enabled: true path.data: /var/lib/elasticsearch path.logs: /var/log/elasticsearch YAML Note: You can use the same configuration. Create the file below to /usr/share/elasticsearch/instances.yml instances: - name: "elasticsearch" ip: - "127.0.0.1" YAML Note: Don’t forget to change your public IP. Generate the certificates using the bash script below: #!/bin/bash /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip unzip ~/certs.zip -d ~/certs mkdir /etc/elasticsearch/certs/ca -p cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/ chown -R elasticsearch: /etc/elasticsearch/certs chmod -R 500 /etc/elasticsearch/certs chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.* Bash Start the Elasticsearch systemctl start elasticsearch Bash Generate the passwords /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b Bash You will receive an output like this: Check if it works by accessing https://<your-public-ip>:9200 with the user: elastic and your generated password. Configure Kibana Create the file below to /etc/kibana/kibana.yml server.host: 0.0.0.0 server.port: 443 elasticsearch.hosts: https://localhost:9200 elasticsearch.password: <elasticsearch_password> # Elasticsearch from/to Kibana elasticsearch.ssl.certificateAuthorities: /etc/kibana/certs/ca/ca.crt elasticsearch.ssl.certificate: /etc/kibana/certs/kibana.crt elasticsearch.ssl.key: /etc/kibana/certs/kibana.key # Browser from/to Kibana server.ssl.enabled: true server.ssl.certificate: /etc/kibana/certs/kibana.crt server.ssl.key: /etc/kibana/certs/kibana.key # Elasticsearch authentication xpack.security.enabled: true elasticsearch.username: elastic uiSettings.overrides.defaultRoute: "/app/wazuh" elasticsearch.ssl.verificationMode: certificate YAML Note: Don’t forget to add your generated password. Configure kibana certs and install the Wazuh plugin #!/bin/bash mkdir /usr/share/kibana/data chown -R kibana:kibana /usr/share/kibana/ cd /usr/share/kibana sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.11.2-1.zip mkdir /etc/kibana/certs/ca -p cp -R /etc/elasticsearch/certs/ca/ /etc/kibana/certs/ cp /etc/elasticsearch/certs/elasticsearch.key /etc/kibana/certs/kibana.key cp /etc/elasticsearch/certs/elasticsearch.crt /etc/kibana/certs/kibana.crt chown -R kibana:kibana /etc/kibana/ chmod -R 500 /etc/kibana/certs chmod 440 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.* setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node Bash Start Wazuh-manager systemctl start wazuh-manager Bash Configure the Filebeat Create the following file to /etc/filebeat/filebeat.yml # Wazuh - Filebeat configuration file output.elasticsearch.hosts: ["127.0.0.1:9200"] output.elasticsearch.password: <elasticsearch_password> filebeat.modules: - module: wazuh alerts: enabled: true archives: enabled: false setup.template.json.enabled: true setup.template.json.path: /etc/filebeat/wazuh-template.json setup.template.json.name: wazuh setup.template.overwrite: true setup.ilm.enabled: false output.elasticsearch.protocol: https output.elasticsearch.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt output.elasticsearch.ssl.key: /etc/elasticsearch/certs/elasticsearch.key output.elasticsearch.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt output.elasticsearch.username: elastic YAML Don’t forget to edit the following parameters output.elasticsearch.hosts and output.elasticsearch.password. Download wazuh-filebeat module and copy the certificates #!/bin/bash curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json --max-time 300 chmod go+r /etc/filebeat/wazuh-template.json curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz --max-time 300 | tar -xvz -C /usr/share/filebeat/module mkdir /etc/filebeat/certs cp -r /etc/elasticsearch/certs/ca/ /etc/filebeat/certs/ cp /etc/elasticsearch/certs/elasticsearch.crt /etc/filebeat/certs/filebeat.crt cp /etc/elasticsearch/certs/elasticsearch.key /etc/filebeat/certs/filebeat.key Bash Start the Filebeat systemctl start filebeat Bash Test the config filebeat test output Bash Ok, it looks good Set Suricata, Filebeat and Rogue Access Point on the Raspberry Pi 4 In order to install Filebeat, the source below should be added. curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH --max-time 300 | apt-key add - echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list apt-get update apt install filebeat apt install suricata Bash Configure Suricata Make sure that the following file /etc/systemd/system/suricata.service looks like: [Unit] Description=Suricata Intrusion Detection Service After=network.target syslog.target [Service] ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -S /var/lib/suricata/rules/suricata.rules ExecReload=/bin/kill -HUP $MAINPID ExecStop=/bin/kill $MAINPID [Install] WantedBy=multi-user.target Bash Start the Suricata sudo systemctl start suricata Bash To test your IDS, run the following script on any device that the traffic is mirrored. On your Raspberry use the command below to see logs: sudo tail -f /var/log/suricata/fast.log Bash Configure Filebeat Create the following file to /etc/filebeat/filebeat.yml # Wazuh - Filebeat configuration file output.elasticsearch.hosts: ["206.189.6.131:9200"] output.elasticsearch.username: elastic output.elasticsearch.password: wB1t1Fhp7snQgsg0TaAY filebeat.modules: - module: wazuh alerts: enabled: true archives: enabled: false filebeat.config.modules: path : /etc/filebeat/modules.d/*.yml setup.template.json.enabled: true setup.template.json.path: /etc/filebeat/wazuh-template.json setup.template.json.name: wazuh setup.template.overwrite: true setup.ilm.enabled: false output.elasticsearch.ssl.verification_mode: none output.elasticsearch.protocol: https output.elasticsearch.ssl.certificate: /home/<any-location>/elastic-certs/certs/elasticsearch.crt output.elasticsearch.ssl.key: /home/<any-location>/elastic-certs/certs/elasticsearch.key output.elasticsearch.ssl.certificate_authorities: /home/<any-location>/elastic-certs/certs/ca/ca.crt output.elasticsearch.username: elastic YAML Copy the certificates from the Manager server to your Raspberry scp -r root@<digital-server>:/etc/elasticsearch/certs/ /home/<any-location>/ Bash Edit the parameters output.elasticsearch.ssl.certificate, output.elasticsearch.ssl.key and output.elasticsearch.ssl.certificate_authorities according to your certificate locations. Enable the module for Suricata sudo filebeat modules enable suricata Bash Let’s check the Filebeat modules sudo filebeat modules list Bash Configure the Suricata module (/etc/filebeat/modules.d/suricata.yml) as the code below: # Module: suricata # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html - module: suricata # All logs eve: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. var.paths: ["/var/log/suricata/eve.json"] YAML Start filebeat sudo systemctl start filebeat Bash Test the filebeat output NOTE: As you probably noticed, the Filebeat configuration file between the Elasticsearch & Kibana (DigitalOcean) server and Raspberry differ, due to the architecture on the Raspberry is used another Filebeat version. I want to mention that the certificates are usually generated only for one IP, which is why the following option output.elasticsearch.ssl.verification_mode: none is used. Configure the Rogue Access Point Q: Ok, maybe you ask why use I a Rogue Access Point instead of a second Wifi router? A: Using the following adapter AC1200 to create a router the entire traffic could be manipulated, which isn’t possible by using a conventional router. Note: To know what my system looks like, see the pic below. Install the requirements: sudo apt install iptables hostapd dnsmasq Bash Create your config file /etc/hostapd/hostapd.conf interface=wlan1 ssid=Syzhack channel=4 hw_mode=g wpa=3 wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP CCMP wpa_passphrase=Yours4f3pass auth_algs=3 ap_max_inactivity=99999 ieee80211n=1 wmm_enabled=1 Bash Adapt the script below with your configuration details, the wlan1 IP range could be also modified. Note: You could run it in the background using a screen session or just create a systemd file. Don’t forget to set the Burpsuite to listen for all interfaces and enable the “invisible proxying” option. #!/bin/bash airmon-ng check kill ip link set dev wlan1 up ip a a <your-range>/24 dev wlan1 iptables -F -t nat iptables -X -t nat iptables -F iptables -X iptables -P FORWARD ACCEPT iptables -t nat -A POSTROUTING -s <your-range>/24 -o eth0 -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward sysctl -w net.ipv4.ip_forward=1 sysctl -w net.ipv4.conf.all.send_redirects=0 iptables -t nat -A PREROUTING -i wlan1 -p tcp --dport 80 -j DNAT --to-destination <your-burp-porxy-ip>:8080 iptables -t nat -A PREROUTING -i wlan1 -p tcp --dport 443 -j DNAT --to-destination <your-burp-porxy-ip>:8080 sleep 3 hostapd -T -B /etc/hostapd/hostapd.conf -f /var/log/hostapd.log sleep 3 dnsmasq -d -i wlan1 Bash Run the script: sudo bash mitm.sh Bash Check the Burpsuite results Check the logs Go to your Kibana Dashboard using your IP on set port (443 - https://<ip>) and wait for the Wazuh plugin to be automatically configured, if an error occurs, please wait. The Wazuh logs should be displayed as follow: Suricata logs: De mult ma gandeam sa fac un experiment de genul, din discutia asta am implementat unele idei. Daca aveti intrebari/feedback, va stau la dispozitie. // Pe blog se vede mai bine

+1 pentru idea lui Nytro, merge MITM in retea, acum depinde daca sunt conectate LAN sau Wireless, daca e LAN -> DHCP MITM faci un iptables POSTROUTING cu optiunea MASQUERADE, apoi un iptables PREROUTING port 80 catre port-ul proxy-ului tau (eg. Burpsuite - 8080), pe langa tehnica asta poti folosi SSLStrip ca sa pacalesti victima (https://site.com v-a fii redirectionat catre http://site.com). A 2-a optiune Wirleless MITM, mai exact Rogue Access Point, numele retelei trebuie sa fie familiar sau chiar lafel si victima se conecteaza automat la reteaua ta fara parola, se aplica aceleasi reguli iptables ca sa redirectionezi trafficul catre proxy. Este un Network Adapter special pentru asta, Wifi Pineapple, dar aici nu te poti juca cu redirectionearea catre proxy (doar daca cunosti OpenWrt, cel putin eu nu am reusit) , vei vedea trafficul direct in dashboard-ul device-ului. Daca vrei sa faci victima sa-ti instaleze certificatul SSL (eg. Burpsuite), folosesti ARP Poisoning + SE. Oricum ne-am dus prea departe in subiect, omul vrea doar ceea ce a scris yoyosis :))

Nu cred ca ai formulat bine intrebarea... este vorba de vre-un IDS/SIEM? Daca e asa log-urile server-ului WEB nu te-ar ajuta prea mult pentru ca vei avea acces doar la logurile server-ului pe care-l deti... Sunt alternative gratuite (partial), dar trebuie sa sti ce log-uri vrei sa colectezi, vrei doar traficul care trece prin retea? Atunci poti folosi Suricata sau Snort, dar e destul de complex configurarea de retea (eg. port mirroring), apoi trimiterea log-urilor catre o aplicatie care genereaza alerte (nu stiu daca m-am exprimat bine) gen Elasticsearch/Splunk, aici iar trebuie configurat/customizat. BTW: Lucrez la un proiect personal IDS folosind resurse gratuite... poate o sa scriu un tutorial daca-mi permite timpul. Asta cred ca te-ar ajuta sa intelegi idea si complexitatea, bine aici e voarba de un IDS care s-ar putea aplica pentru utilizarea proprie (proiect personal).

Nice, felicitari! BTW (out of scope): https://api.partnercenter.microsoft.com/insights/v1/mpn/swagger/index.html?configUrl=https://pentesting.syzhack.com/swg/test.json

Cred ca ar fi mai simplu sa folosesti o aplicatie legala gen mspy (Parental Control - cauta pe google), pentru ca e destul de greu sa-ti generezi un payload printr-un C2 Framework (tinand cont de experienta)... dar e ilegal sa faci asta fara aprobarea ei. Cred ca mai simplu si legal ar fi sa ai o discutie sincera sau angajezi un detectiv... Doar de curiozitate: se aplica aici cazul de barbat 45 ani cu bani si femeie de 20 fara?

Cei cu bloguri treceti pe static si numai aveti batai de cap...

Lăsând gluma la o parte, este banal ce se întâmplă. Cum sa nu poți proteja niște site-uri la un atac DDoS banal de 3000-5000 de boți? Era un articol cum ca s-au investit nu știu cate milioane de euro pentru dezvoltarea "Capitalei cibernetice a Europei" a.k.a România. S-a mediatizat mult știrea asta si oamenii care nu au cunoștințele necesare rămân uimiți. Ne cam scade din reputație... daca s-ar fi chinuit puțin cei care se ocupa de site-urile respective ar fi găsit soluții de protecție open-source pe GitHub, dar incompetenta e la ea acasă... si cine plm ar face asta pentru 1500 lei? Daca aveți prieteni/cunoștințe care au poziții înalte pe acolo, ar fii o idee sa le oferim un topic/secțiune aici, si sa-i ajutam cu cate o idee...

Salut, nu poti sti niciodata 100% daca un fisier este sau nu malitios (doar daca analizezi executabilul). Toate site-urile gen virustotal si altele, primesc defapt "alerte" de la diferite servicii/antivirusi cum (,) ca fisierul cu hash-ul respectiv contine "virus". Cel mai bine ruleaza intr-o masina virtuala, fara conexiune la internet. Se poate trece si de masina virtuala (guest to host escape), dar aici nu cred ca e cazul. Rezultatele par sa fie OK, hybrid-analysis - posibil false-positive Mult succes!

Cum ai procedat tu defapt, ai setat proxy pe iPhone si ai analizat request-urile http/https prin Fiddler? Alte request-uri vezi? Posibil sa nu fi configurat tu bine "setup-ul". Lasa un screen cu request-urile, sunt curios. Daca chiar ai timp si vrei sa rezolvi problema, poti incerca Jailbreak pe iPhone apoi creezi un sistem WLAN cu o antena, si poti redirectiona tot traficul de pe 80/443 pe alt port (IP Masquerade), poti capta request-urile in burpsuite. Poti trece de SSL cu Frida sau instalezi asta direct pe iPhone, a doua varianta am testat-o recent si functioneaza pe iOS 13.4.1. Poti incerca si Wireshark, probabil aplicatia se foloseste de alt protocol pentru reclame.

Rog cei care au posibilitate sa "imortalizeze" conferinta si sa uploadeze pe o platforma de streaming, din pacate nu o sa pot sa fiu prezent

Interesant! Am creeat si eu un tool asemanator, dar mai complex. Cei care practicati BB sau sunteti interesati si aveti idei noi putem sa automatizam tot procesul de recon. Ca sa incurajam tinerii il vom face public. Cine este interesat?

Ti-as recomanda sa iti iei un job part-time (25 ore/sapt) si asa o sa ai timp de BB, e cam riscant sa incepi direct full-time BB si sa lucrezi sub presiune ca sa-ti faci banii de "supravietuire". In acelasi timp iti recomand sa-ti faci si un blog si sa incepi sa scri despre vuln pe care le vei gasi, in modul asta chiar daca nu faci foarte multi bani din BB, o sa te abordeze o companie mica/mare. Cel putin metoda asta a functionat la mine Succes!

Nope, port scanning nu e out of scope. ("Out of scope" e termenul folosit domeniilor pentru care nu primesti recompensa sau domenilor pe care nu ai voie sa faci teste, in unele cazuri poti raporta vulnerabilitati si acolo ca sa faci rep, dar nu vei primi reward) Te poti folosi de orice in BB, poti raporta chiar si 0day dar regula ca sa primesti reward este sa treaca 30 zile de la publicarea 0day-ului sau in cazul in care tu gasesti un 0day poti sa-l raportezi mai multor site-uri care au program BB dupa care sa-l faci public. Sau sa nu te complici cu BB si sa-l vinzi pe zerodium. @aelius, mi se pare foarte tare sa-ti faci contractele singur si sa lucrezi de acasa. Dar cum faci asta? Este vre-o platforma gen freelancer pt. cyber sec?

Cum zice Nytro, daca faci BB nu e nevoie de VPN. Apropo, ia-ti server de la Digitalocean nu o sa ai probleme cu port scanning / content-discovery / bruteforce. Daca esti interesat, lasa-mi pm o sa-ti dau link-ul meu de referral si primesti $50 ,eu la randul meu o sa primesc $20 credit, daca tin bine minte. Succes!

E tare tipul, a luat vreo $30k. Asta a luat $70k de la Yahoo si mai e un indian care a luat $100k de la Apple pentru account takeover. Toate vulnerabilitatiile fiind WEB APP.