How To Install Winexe On Centos Iso
Download and install VirtualBox. Download and install Vagrant. Download the CentOS 7 Minimal ISO. Create the virtual machine.
Hi there, setting up ELK (Elasticsearch, Logstash and Kibana) is really easy (follow the guide here). It is also perfect to use at home to collect logs and to get visibility into your home network. If you also install X-Pack you get a feature called “Watcher”.

This lets you alert on certain events. When I set this up in a lab recently I found that it was not that easy to get started, so I decided to share what I found out.

First of all, in the lab I had a Palo Alto producing logs. What I wanted was to alert if someone tried to log on to it and produced a failed login. In Palo Alto this is reported under the “VirtualSystem” with the category “auth-fail”.
More information about the fields can be found here. So basically I had to set up a watcher that alerts whenever an auth-fail event is sent from the Palo Alto device. After you have parsed the information out of the Palo Alto logs with Logstash and put it into Elasticsearch, you can see the resulting field in Kibana. To simply match on this field with a watcher, this is what you can do in the development tools of the Kibana GUI (if you are using X-Pack).
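As an added example (not code from the original post), here is the same match expressed as a complete watch and installed through the Watcher REST API with curl rather than typed into the Kibana dev tools. The index pattern logstash-*, the field name category, the watch id and the Elasticsearch URL are assumptions, not values from the page; adjust them to what your Logstash filter actually produces.

```shell
#!/bin/bash
# Added example, not code from the original post.  Builds an X-Pack Watcher
# watch that fires when Palo Alto events with category "auth-fail" arrive,
# and installs it through the Watcher REST API.
# Assumptions (not stated on the page): Logstash writes to indices matching
# logstash-*, the parsed category lands in a field named "category"
# (use "category.keyword" if your mapping makes it an analysed text field),
# and Elasticsearch with X-Pack 5.x/6.x listens on localhost:9200, where
# ctx.payload.hits.total is still a plain number.

ES_URL="${ES_URL:-http://localhost:9200}"
WATCH_ID="${WATCH_ID:-paloalto-auth-fail}"

# Emit the watch definition as JSON.
# $1 index pattern, $2 field, $3 value to match, $4 schedule and lookback interval.
watcher_body() {
  local index="${1:-logstash-*}" field="${2:-category}"
  local value="${3:-auth-fail}" interval="${4:-1m}"
  cat <<EOF
{
  "trigger": { "schedule": { "interval": "${interval}" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "${index}" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term":  { "${field}": "${value}" } },
                { "range": { "@timestamp": { "gte": "now-${interval}" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": { "compare": { "ctx.payload.hits.total": { "gt": 0 } } },
  "actions": {
    "log_auth_fail": {
      "logging": {
        "level": "warn",
        "text": "{{ctx.payload.hits.total}} ${value} event(s) from the Palo Alto in the last ${interval}"
      }
    }
  }
}
EOF
}

# Create or replace the watch.  Same arguments as watcher_body.
put_watch() {
  watcher_body "$@" | curl -sS -X PUT "${ES_URL}/_xpack/watcher/watch/${WATCH_ID}" \
    -H 'Content-Type: application/json' --data-binary @-
}

# Remove the watch again.
delete_watch() {
  curl -sS -X DELETE "${ES_URL}/_xpack/watcher/watch/${WATCH_ID}"
}
```

Run `put_watch` once to install the watch; the search window and the schedule share one interval so that every event is seen by exactly one run. The logging action only writes to the Elasticsearch log, which is enough to confirm the match; swap in an email or webhook action once it fires as expected.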
If not, you can use the local API from the command line.

I ran tcpdump on the DNS port:

    tcpdump -pi eno1 port 53

and saw that the machine was trying to do reverse lookups of 192.168.x.x, which took forever (going out to Google). I had a discussion with a friend and, after trying nginx, I realised that the problem was neither Apache nor nginx. He suggested I try this setting in the MySQL server on Remnux.

I edited the file /etc/mysql/my.cnf and added the setting “skip-name-resolve”. Here is the relevant line from my configuration file on Remnux:

    skip-name-resolve

Hey, in this article I will describe how to set up a Raspberry Pi, install Tor and access it using tor2web. Start by installing RASPBIAN JESSIE LITE (a minimal image based on Debian Jessie). I will be using this version:

    Version: November 2015
    Release date: 2015-11-21
    Kernel version: 4.1

I will walk you through everything until you have a Raspberry Pi online with a hidden tor2web URL that you can access from anywhere.
1 – Change root password
The default user is “pi” with the password “raspberry”. Make sure you change this.

2 – Updating the Pi
Once you have connected the Pi to the network make sure you update it:

    apt-get update -y; apt-get upgrade -y

3 – Installing apache2
I will refer to.

We will also configure it to only listen on localhost, as we do not need it to listen on the public interface; we will only have SSH there. This is also the way Tor hidden services work, but more on that later! This is optional: install PHP, MySQL and php-pdo.

The host is running this kernel:

    3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

As you can see, it looks pretty good and we may be able to win over most malware, but there is still stuff that we want to remove. For instance, check out the Device Manager: there are devices called QEMU, which indicates that this is not a laptop.
Note that pafish did not detect this, but we should still fix it. Our goal today is to make it say something else.

Before we continue: there are a lot of posts that I have used for reference (check the end of this guide), but I wanted to start fresh and make a guide for everyone trying to do this on, you guessed it, CentOS 7.

Before we start, let me explain a little. When you install qemu/kvm on CentOS 7 using yum the binary is called qemu-kvm, but when you compile it yourself it is called qemu-system-x86_64. This is important to understand: it is the same program, just named differently depending on whether it was compiled from source or installed from the package.

Also, make sure that you have the kvm module loaded. The laptop I use for this guide is an old one with an AMD CPU.
Check with lsmod that the proper modules are loaded. For Intel it should say kvm_intel.

    /usr/libexec/qemu-kvm -enable-kvm -m 1024 \
      -drive file=/vm/winxp.qcow2,if=none,id=drive-ide0-0-0,format=qcow2 \
      -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 \
      -k en -boot n -bios /root/bios/seabios/out/bios.bin \
      -smbios type=1,manufacturer='Dell' \
      -smbios type=0,vendor='Dell' \
      -smbios type=4,manufacturer='Dell' \
      -smbios type=17,manufacturer='Dell' \
      -smbios type=3,manufacturer='Dell'

Notice the parameter.

Hey, after the news that FireEye was affected by the, it got me thinking: how hard can it be to do this in KVM? This article will give you a start on how to do a sort of dynamic analysis, or at least get you going.
I will probably update it later on when I do more.

Prerequisites
This guide requires that you have already installed a CentOS 7.1 system with KVM support and a Windows XP machine. This machine is named “winxp” and will be used further down in the guide. The VM has to be configured with IDE drives and the qcow2 format. Make sure you have two disks, one called “windows_xp.qcow2” mounted at C: and one called “windows_xp_data.qcow2” mounted at E: on the machine. The disks should be at least 80 GB or so each. Other things like memory should be fine at 2 GB.

Let’s kick off! Make sure you have a snapshot on the VM called “ready”.
We will use this as the default state before starting the machine. So to sum up:

1. Install a Windows XP guest VM with 2 GB of RAM and qcow2 disks so that we can use snapshots.
2. Make sure it has two disks, one at C: of 80 GB and one at E: of 80 GB. These qcow2 images are saved in the folder /vm/.
3. Create a snapshot called “ready” when you have installed it.

Everything we configure from now on will be done on the KVM host, that is, the mother machine running the guest machines (the Windows XP system is a guest).

1. Install the epel repo. You will need this for the packages.
2. Install the guest tools:

    yum install libguestfs-tools

3. There is an issue on current (2015-06-08) CentOS 7.1 with winsupport. You have to manually download the rpm and install it using yum localinstall. This is needed to be able to mount NTFS drives. Read more here. Download here.
4. Create the folder /root/files/.
5. That should be it. Test it with the script in the next step. Before you run it you have to know what it does.
As you cannot insert files into a live system without (potentially) damaging the filesystem, we make sure the guest is shut down first. We use destroy since we do not want to wait for a graceful shutdown. After the machine is shut down we mount the disk “windows_xp_data.qcow2”, which is E: on the winxp system, and upload all files in the folder “/root/files” to E:\files on the Windows XP system. The startup script on the VM host:

    #!/bin/bash
    state=$(virsh domstate winxp)
    if [[ $state == 'shut off' ]]
    then
        echo 'Machine is powered off.'
    else
        echo 'Machine is on. Shutting down'
        virsh destroy winxp
        echo 'Machine has been shut off'
    fi
    echo 'Restoring machine to default state'
    virsh snapshot-revert winxp ready
    echo 'Preparing to insert file into filesystem'
    # The guestfish call is cut off in the source; this reconstruction follows the
    # description above: open E: (windows_xp_data.qcow2) read-write, mount its
    # first partition and copy the directory /root/files in as \files.
    guestfish --rw -a /vm/windows_xp_data.qcow2 -m /dev/sda1 copy-in /root/files /
    # The start command is also missing from the source; the text says the machine boots next.
    virsh start winxp
    echo 'Machine is booted, sit down and enjoy!'

When the machine has booted you should find the files in E:\files. What you can do now is implement a Python application running at startup on the Windows XP machine that looks in that folder and then uses something like a custom cfg file to, for example, first install an older version of Adobe and then launch your PDF file from E:\files. As you can manipulate the filesystem before you boot the machine, you may be able to remove some or all traces of QEMU or KVM to “dodge” the VM awareness in some malware.
Winexe is an application for Linux that you can use to execute remote commands on Windows machines, similar to how Meterpreter works or how you use PsExec on Windows. The reason for using it could be that you want to script certain actions on remote machines, such as executing PowerShell scripts and gathering information for forensic purposes. I was interested in it because of the last example.

In this guide I will show you how to do that, build a scenario and show how one could use it to collect remote information from your endpoints. As usual I use CentOS 7 with the latest updates as of the date of this post.

    [root@localhost build]# pwd
    /root/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source/build
    [root@localhost build]# ./winexe
    winexe version 1.1
    This program may be freely redistributed under the terms of the GNU GPLv3
    Usage: winexe [OPTION]...
On the Windows side, start cmd as administrator and paste this in:

    REM LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions so that a local
    REM administrator account keeps its full token over the network; it also widens what a
    REM compromised local account can do remotely, so only set it where you need it.
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

That should be everything. I have already uploaded a PowerShell script to my machine. It will run some commands and write the output to a text file locally on the system. The local user I have created is called “bob” with the password “secretpassword”. The system I am targeting is called windows.domain.local.

Note that it is not joined to an Active Directory domain; it is just a domain I use for testing. You could do it with Kerberos and an Active Directory account as well.
The command line for executing the PowerShell script is.

    ln -s /usr/local/lib/security/pam_yubico.so /usr/lib64/security/pam_yubico.so

Before you continue: this is where you can lock yourself out and create a box that is not accessible. You should be logged on as root in another terminal so that you can revert if it does not work.

Console access will still work, so if you use KVM or something similar you should be able to access it through that. Start by making sure your Yubikey is configured as shown in this guide. You should also make sure that the OTP function is working by going here after you have configured it. Your server needs to be able to contact the Yubikey API service to validate the authentication, so make sure the box has an internet connection as well. When it is working, move on!

Change SELinux to run in permissive mode. People have been reporting issues with SELinux and Yubikey, so I recommend that you put it in permissive mode if you don’t want to spend a couple of hours troubleshooting. Edit the file /etc/sysconfig/selinux and set the parameter SELINUX to permissive as shown below.
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of three two values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.

The mapping entry for the user test:

    test:xxyyxxxyyyxx

Open a new terminal and log in as test:

    ssh test@your-yubikey-configured-system

When you are prompted for the password, type your password and then press your Yubikey so that the two become one long string. Imagine:

    [root@localhost test]# ssh test@localhost
    test@localhost's password: password + yubikey OTP token

The Yubikey presses Enter by default, and this should log you on!

Other information
If you have multiple configurations on your Yubikey, i.e. configuration slot 1 and slot 2, you may have used the wrong slot. Slot 1 is triggered by a press of about 1 second and the other by a press longer than 2 seconds (or something like that).
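As an added example (not from the original post), this shell code shows what has to happen to that one long string before the password and the Yubikey can each be checked: the 44-character OTP is taken off the end, checked to be well-formed modhex, and its 12-character public id is looked up for the user in a user:id mapping file, which is the format pam_yubico's mapping file uses. pam_yubico does all of this itself; the code here is only for inspecting the mechanism offline. The user names, the mapping file and the OTP are constructed for the example, and the OTP is not validated against the Yubico service, which the real module must still do.

```shell
#!/bin/bash
# Added example, not code from the original post.  Re-implements only the
# "split password+OTP and map the key to the user" part of pam_yubico so it
# can be inspected offline.  Sample users, mapping lines and the OTP below are
# constructed; the OTP itself is never validated here.

# A Yubikey OTP is 44 modhex characters: a 12-character public id followed by
# a 32-character encrypted token.  Modhex uses exactly these 16 letters.
OTP_LEN=44
PUBLIC_ID_LEN=12
MODHEX='cbdefghijklnrtuv'

# Return 0 if $1 has the shape of an OTP: right length, modhex letters only.
is_modhex_otp() {
  local otp="$1"
  [ "${#otp}" -eq "$OTP_LEN" ] || return 1
  case "$otp" in
    *[!${MODHEX}]*) return 1 ;;
  esac
  return 0
}

# Split what was typed at the password prompt into SPLIT_PASSWORD and
# SPLIT_OTP.  Returns 1 if the string is too short or its tail is not an OTP.
split_password_otp() {
  local combined="$1"
  SPLIT_PASSWORD='' SPLIT_OTP=''
  [ "${#combined}" -gt "$OTP_LEN" ] || return 1
  local otp="${combined: -$OTP_LEN}"
  is_modhex_otp "$otp" || return 1
  SPLIT_OTP="$otp"
  SPLIT_PASSWORD="${combined:0:$(( ${#combined} - OTP_LEN ))}"
}

# The public id is the first 12 characters of the OTP; it identifies the key,
# the remaining 32 characters change on every press.
public_id() { printf '%s\n' "${1:0:$PUBLIC_ID_LEN}"; }

# Return 0 if the mapping file ("user:id1:id2:..." per line, # for comments)
# lists public id $2 for user $1.
user_has_key() {
  local user="$1" id="$2" map_path="$3" line
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;
    esac
    [ "${line%%:*}" = "$user" ] || continue
    case ":${line#*:}:" in
      *":$id:"*) return 0 ;;
    esac
  done < "$map_path"
  return 1
}

# Whole check: split the typed string, then confirm the key belongs to the user.
# (The system password and the OTP's validity are checked elsewhere.)
check_login() {
  local user="$1" typed="$2" map_path="$3"
  split_password_otp "$typed" || return 1
  user_has_key "$user" "$(public_id "$SPLIT_OTP")" "$map_path"
}

# Constructed sample data: two mapped users and one login string for "test",
# consisting of the password "password" followed by a 44-character OTP whose
# public id is ccccccbcgujh.
SAMPLE_MAP="${TMPDIR:-/tmp}/yubikey_mappings.example.$$"
printf '# constructed mapping file\ntest:ccccccbcgujh\nbob:cccccccfhcbe\n' > "$SAMPLE_MAP"
SAMPLE_LOGIN='passwordccccccbcgujhdrjuticnnijblkjgcfjdtuvelliuvnjk'
```

Because the OTP always has a fixed length and a fixed alphabet, the module can find the boundary without a separator, which is why simply pressing the key after typing the password works. If the wrong slot is pressed the tail is not modhex of the right length, the split fails, and the login is rejected before any password is checked.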
I use configuration slot 1 because then you don’t have to press it for as long. If you have installed a default CentOS 7 you probably do not need to change other SSH configuration files such as /etc/ssh/sshd_config.

    WantedBy=multi-user.target

Now, there are a few things you need to know. The parameter “ExecStart” is what runs when you tell systemctl to “start”. There are also “ExecStop” and “ExecReload”.

What are those used for? You guessed it: when the service is stopped and reloaded.

There are also nice things such as “ExecStartPre” and “ExecStartPost” to execute commands before and after the main app has started. More info can be found at. However, in our service file above we only need the settings I have provided. So now it is time to execute it.
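Since the service file the text refers to is not reproduced on this page, here is an added, constructed unit (not the author's file) that uses every Exec* directive named above, together with a small shell function that reads a unit and prints which commands a given systemctl verb runs, in order. The service name myapp, its user and its paths are placeholders.

```shell
#!/bin/bash
# Added example, not the service file from the original post.  "myapp" and
# every path below are constructed placeholders.

# A complete unit showing all the Exec* directives discussed in the text.
unit_file() {
  cat <<'EOF'
[Unit]
Description=Example long-running application (constructed)
After=network.target

[Service]
Type=simple
User=myapp
# Runs before the main process; a non-zero exit aborts the start.
ExecStartPre=/usr/local/bin/myapp --check-config /etc/myapp/myapp.conf
# The main process systemd tracks; "systemctl start" runs this.
ExecStart=/usr/local/bin/myapp --config /etc/myapp/myapp.conf
# Runs once the main process has been spawned.
ExecStartPost=/usr/local/bin/myapp-notify started
# "systemctl reload": ask the running process to re-read its config.
ExecReload=/bin/kill -HUP $MAINPID
# "systemctl stop": give the process a chance to shut down cleanly.
ExecStop=/usr/local/bin/myapp --shutdown
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Print the commands a systemctl verb runs for the unit read on stdin, in the
# order systemd runs them: start = ExecStartPre, ExecStart, ExecStartPost.
# Usage: unit_file | exec_order start|reload|stop
exec_order() {
  local verb="$1" line
  local pre='' start='' post='' reload='' stop=''
  while IFS= read -r line; do
    case "$line" in
      ExecStartPre=*)  pre="${pre}${line#*=}"$'\n' ;;
      ExecStart=*)     start="${start}${line#*=}"$'\n' ;;
      ExecStartPost=*) post="${post}${line#*=}"$'\n' ;;
      ExecReload=*)    reload="${reload}${line#*=}"$'\n' ;;
      ExecStop=*)      stop="${stop}${line#*=}"$'\n' ;;
    esac
  done
  case "$verb" in
    start)  printf '%s' "$pre$start$post" ;;
    reload) printf '%s' "$reload" ;;
    stop)   printf '%s' "$stop" ;;
    *) echo "unknown verb: $verb" >&2; return 1 ;;
  esac
}
```

To use it, write the unit out with `unit_file > /etc/systemd/system/myapp.service`, run `systemctl daemon-reload`, then `systemctl enable myapp` (which is what reads the WantedBy= line) and `systemctl start myapp`. Running `unit_file | exec_order start` shows the three commands a start will execute, in order, without touching the system.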