SpiderFoot Open Source Intelligence

Something else I’ve been playing with is the SpiderFoot project for intelligence gathering on targets like xyz.com domain or whatever you would like to point it at.

It gathers a ton of information from search engines, social media and the target domain itself, and can also check sources like VirusTotal, Shodan, Honeypot Checker and others using API keys if you have them.

As you would expect, it gathers information of all types which could be useful.

This is another project that’s super simple to get up and running on a VPS or hardware if you like. I did need to run this on at least a 1GB VM so that SpiderFoot did not run out of memory, but other than that it seems to perform well.

You’ll also find some interesting details out about yourself when pointing at your own domain.

Graylog as an alternative to Splunk


I’ve been experimenting with a few different logging solutions; free Splunk, loggly.com and now Graylog.

Splunk would be my choice were it not for the high price. Free Splunk works great to a point but after 60 days alerting and some other features stop working. And well, logging without alerting is kind of silly.

Loggly.com was actually pretty cool for about $80/month which included alerting, log backup to Amazon S3, secure log transmission and various setup scripts for getting it all working on Apache, Nginx or whatever.

As nice as loggly.com was, I was still looking for something similar to Splunk.

Graylog has been the closest solution so far. There’s an Open Source version which has most of what you need for a personal solution. The Enterprise version adds support, Audit Log and Archiving. The Enterprise versions state around 200GB/day, so I’m not exactly sure what the Open Source limit is or if it has one. But for a personal solution, whatever the limit is, it’s probably sufficient.

There is also a Graylog marketplace with a crap load of add-ons for integration with Amazon AWS, a DNS resolver filter for reverse lookup on source field, JIRA integration and a whole lot more.

To this point I’ve added a few Streams for picking out info that I’m interested in from the logs, created alerts and email notifications along with a pretty nifty dashboard.

As far as hardware, I have it running on a 2GB droplet at Digital Ocean and it was super simple to set up and get running. Add in HTTPS using free certificates from LetsEncrypt and you’re good to go.

I had no idea this solution even existed and had never heard of it until a little while ago, but so far it has performed great without any issues.

Moving on from SoundCloud

Actually I haven’t had any issues with SoundCloud from a hosting standpoint, but they don’t really seem long for this world given their financial woes.

Apparently today they received another $170 million in funding which includes a reorg and life support equipment I suppose.

Given some of the stories I’ve seen about how it’s been run, “shitshow” from former employees, I don’t expect the latest round of funding to make much difference long term.

So I’m moving on and just hosting my audio and video files myself. Seems to be the easiest and most reliable way going forward.

Good luck SoundCloud but I’m not giving any more of my money to a company that seems to be run by a bunch of frat boys with too much money.

Maltrail Install and Setup Script

I’ve put together a quick script for installing and performing some basic setup of Maltrail.

Maltrail setup script on GitHub.

If you’ve never used it, it’s great for seeing all the traffic bouncing off an internet host.

It also ties the traffic to known troublemakers on the internet while providing tons of other information on source IP addresses which are sending traffic your way.

Definitely worth a look.

Maltrail on GitHub.

SMB Ransomware Protection Steps

Hosts with SMB exposed on the internet.

So the Petya ransomware is going crazy today hitting banks, telecoms, power companies… really anyone who has SMBv1 exposed and hasn’t bothered to patch against ETERNALBLUE (MS17-010).

Some quick protection steps:

1. Patch for MS17-010 if you haven’t already.
2. Disable SMBv1 if you can. It’s most likely on by default if you have not actively disabled it.

Check if it’s enabled with PowerShell.

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

Disable with PowerShell running as admin.

Set-SmbServerConfiguration -EnableSMB1Protocol $false

The above works on versions of Windows newer than Windows 7 and Windows Server 2008 R2.

The registry change below works on Windows 7 and other versions.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

3. You may also want to ensure you don’t have the PsExec tools installed if not needed, since Petya is taking advantage of those.

4. Disabling WMIC is also recommended, however WMI is used for many things so that might not be an option.

5. Ensure SMB isn’t exposed to the internet through your firewall. Probably a good idea to block outgoing SMB as well.
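The steps above put together as one script, as an added example that is not part of the original post. It reports whether SMB1 is enabled using whichever method the host supports (the SmbShare cmdlets on Windows 8 / Server 2012 and later, the LanmanServer registry value on Windows 7 / Server 2008 R2), disables it, and adds host-firewall rules for TCP 445 in both directions as a backstop to the perimeter block. The function names and the firewall rule display names are chosen for this example; it assumes an elevated PowerShell session.

```powershell
# Added example: audit and harden SMB1 / TCP 445 on a single Windows host.
# Assumes an elevated (Run as Administrator) PowerShell session.
# Get-SmbServerConfiguration and New-NetFirewallRule exist on Windows 8 / Server 2012
# and later; the registry value is the fallback for Windows 7 / Server 2008 R2.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Returns $true when SMB1 is enabled, $false when it is disabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Fallback: an absent SMB1 value means the default, which is enabled.
    $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return $true }
    return ($value -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
        # The registry change only takes effect once the Server service restarts (or after a reboot).
        Restart-Service -Name LanmanServer -Force
    }
}

function Block-Smb445AtHostFirewall {
    # Host-level block rules for TCP 445. Inbound matches the local port, outbound the remote port.
    if (-not (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) {
        Write-Warning 'NetSecurity cmdlets not available on this host; add the 445 block rules by hand.'
        return
    }
    $inName  = 'Block SMB TCP 445 Inbound (example)'
    $outName = 'Block SMB TCP 445 Outbound (example)'
    if (-not (Get-NetFirewallRule -DisplayName $inName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $inName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    if (-not (Get-NetFirewallRule -DisplayName $outName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $outName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Any | Out-Null
    }
}

if (Get-Smb1State) {
    Write-Output 'SMB1 is enabled; disabling it.'
    Disable-Smb1
} else {
    Write-Output 'SMB1 is already disabled.'
}
Block-Smb445AtHostFirewall
Write-Output ('SMB1 enabled after change: {0}' -f (Get-Smb1State))
```

Run it once per host, then re-check with the Get-SmbServerConfiguration one-liner above. The host-firewall rules are deliberately blunt: blocking inbound 445 breaks file sharing on a server that is meant to serve shares, and blocking outbound 445 on a domain-joined machine breaks SYSVOL and Group Policy, so scope the rules (for example with -RemoteAddress) to fit the host’s role rather than applying them blindly everywhere.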

These steps should also help against other ransomware that are using the SMB attack vector.

Stay safe out there.