Categories
Security Tools

Using Wireshark and tcpdump

Wireshark and tcpdump are free and open-source network packet analyzers. Wireshark is a desktop application that can be installed on multiple operating systems, while tcpdump is a command-line utility mainly found on Linux/Unix-based operating systems.

In this post we use tcpdump to capture packets on a remote machine and then analyse them with Wireshark.

Before we begin, we need the following:

  • A remote Linux server with SSH enabled and tcpdump installed.
  • Root access to the server.
  • Any service that can be used to generate network traffic, like an Apache web server or a Node server.
  • A local computer with Wireshark installed.

The goal is to capture the network traffic on the remote computer using tcpdump, download the capture file, and analyse it using Wireshark.

Capturing packets remotely

To capture packets remotely, connect to the remote server over SSH and start tcpdump as shown below.

# tcpdump -s 0 -i ens192 -w tcpdump_capture.pcap

In short, the above command captures all traffic on the interface given with the -i option and writes it to the file tcpdump_capture.pcap in a format Wireshark can open. The -s 0 option sets the snapshot length so that whole packets are saved rather than truncated ones. Once you have finished capturing traffic, end the tcpdump session by pressing Ctrl+C.

Note:

Make sure you use the proper network interface to capture the traffic. In this case it was a Red Hat Linux box and the interface name was ens192; on other machines it might be eth0.

Analyzing the tcpdump file using Wireshark

We can download the tcpdump file from the remote server using any file transfer utility, such as WinSCP, FileZilla, or pscp.exe.

Once downloaded you can open the file in Wireshark. Open Wireshark, then import the tcpdump captured session using File –> Open and browse for your file. You can also double-click the tcpdump capture file to open it in Wireshark, as long as it has the *.pcap file extension.
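The file tcpdump writes with -w is in the libpcap format, which is what lets Wireshark open it directly. The following reader, added here as an example and not code from the original post or from either project, walks that format: the 24-byte global header (magic number, version, snapshot length, link type), then one 16-byte record header per packet followed by the captured bytes, and summarises the Ethernet/IPv4 layer of each packet. The two-packet capture it parses is constructed inline so the script runs offline; pass a real tcpdump_capture.pcap on the command line to run it against your own capture.

```python
"""Minimal libpcap reader for the files `tcpdump -w` produces and Wireshark opens.

Added example, not from the original post. The sample capture bytes are
constructed inline (one TCP SYN to port 80 and one UDP datagram to port 53).
"""
import socket
import struct
import sys

# Magic number as read little-endian -> byte order of the rest of the file.
PCAP_MAGICS = {
    0xA1B2C3D4: "<",  # little-endian file, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian file, nanosecond timestamps
    0xD4C3B2A1: ">",  # big-endian file, microseconds
    0x4D3CB2A1: ">",  # big-endian file, nanoseconds
}
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _summarize_ethernet(frame: bytes) -> dict:
    """Pull protocol, addresses and ports out of an Ethernet/IPv4 frame."""
    if len(frame) < 14:
        return {"proto": "short-frame"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"proto": f"ethertype-{ethertype:#06x}"}
    ip = frame[14:]
    if len(ip) < 20:
        return {"proto": "short-ip"}
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes
    proto = ip[9]
    info = {"proto": PROTO_NAMES.get(proto, str(proto)),
            "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20])}
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:  # TCP and UDP both start with the two ports
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def parse_pcap(data: bytes) -> list:
    """Parse a libpcap byte string and return one summary dict per packet record."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    endian = PCAP_MAGICS.get(magic)
    if endian is None:
        raise ValueError(f"not a pcap file (magic {magic:#010x})")
    _major, _minor, _tz, _sigfigs, _snaplen, link_type = struct.unpack(endian + "HHiIII", data[4:24])
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {link_type}")
    packets, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated packet record header")
        ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data (capture cut short?)")
        offset += incl_len
        summary = {"ts_sec": ts_sec, "captured": incl_len, "wire": orig_len,
                   "truncated": incl_len < orig_len}   # true when -s was smaller than the packet
        summary.update(_summarize_ethernet(frame))
        packets.append(summary)
    return packets


def build_sample_capture() -> bytes:
    """Constructed two-packet capture (not real traffic) in little-endian libpcap layout."""
    def ipv4(src, dst, proto, l4):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        return hdr + l4

    def eth(payload):
        return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + \
            struct.pack("!H", ETHERTYPE_IPV4) + payload

    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    udp = struct.pack("!HHHH", 53000, 53, 12, 0) + b"\x00\x01\x00\x00"
    frames = [eth(ipv4("10.0.0.5", "10.0.0.80", 6, tcp_syn)),
              eth(ipv4("10.0.0.5", "10.0.0.53", 17, udp))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture()
    for pkt in parse_pcap(raw):
        print(pkt)
```

The "truncated" flag is the quick check for whether -s 0 was in effect: if it is set on many packets, the capture was taken with a snapshot length smaller than the packets on the wire and Wireshark will show only the first bytes of each.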

This blog gives a basic introduction for using Wireshark and tcpdump, more details can be obtained from their respective websites.

Categories
Security Tools

OWASP Dependency-Check: what does it do?

The Open Web Application Security Project (OWASP) is an online community that provides free articles, methodologies, documentation, tools, and other content related to web application security.

Open source components have become an integral part of software development. The increasingly widespread use of open source components requires that developers take a more proactive approach to open source security management. They need to make sure throughout the development process that the software products that they are creating and maintaining don’t contain vulnerable components.

The OWASP Top 10 2013 contains a new entry: A9-Using Components with Known Vulnerabilities. Dependency-Check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.

Supported Programming Languages and Integrations

OWASP Dependency-Check currently supports five programming languages. Java and .NET are fully supported, and additional experimental support is provided for Ruby, Node.js, and Python.

The tool also provides a Jenkins plugin and can fail the build process, allowing you to make sure only approved code with no known open source vulnerabilities is deployed to production.

Vulnerability Scanning

Scanning is the process of running the tool on the user's code to identify any vulnerable open source component. This is done by comparing the components found in the user's code against known open source vulnerabilities in the vulnerability database.

OWASP Dependency-Check uses a variety of analyzers to build a list of Common Platform Enumeration (CPE) entries. CPE is a structured naming scheme for software and hardware that includes a method for checking names against a system.

Reporting is extremely important in vulnerability management, since it provides security and development teams with actionable insights and gives stakeholders the metrics they need. OWASP Dependency-Check supports these needs and can generate reports and exports in a variety of formats: XML, CSV, JSON, and HTML.
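The Jenkins integration and the JSON export come together in a build gate: the report is produced, then a step decides whether the build may continue. The script below is an added example, not code from the original post or from the Dependency-Check project, showing such a gate over the JSON report. It assumes the report's layout (a top-level "dependencies" list whose entries carry "fileName" and a "vulnerabilities" list, each item with "name", "severity" and optional "cvssv3" / "cvssv2" objects holding a "baseScore" / "score"); the sample report and its CVE-0000-000x identifiers are constructed placeholders.

```python
"""Fail a build when an OWASP Dependency-Check JSON report contains findings above a CVSS threshold.

Added example, not part of the original post or the Dependency-Check project.
The report layout is an assumption; SAMPLE_REPORT is constructed.
"""
import json
import sys

# Constructed sample report with placeholder CVE identifiers.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}},
         ]},
        {"fileName": "clean-lib-2.3.jar", "vulnerabilities": []},
        {"fileName": "legacy-lib-0.9.jar",
         "vulnerabilities": [{"name": "CVE-0000-0003", "severity": "HIGH", "cvssv2": {"score": 7.5}}]},
    ]
})

# Lowest CVSS score each severity label implies, used only when no numeric score is present.
SEVERITY_FLOOR = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 0.1}


def score_of(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, else infer a floor from the severity label."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return SEVERITY_FLOOR.get(str(vuln.get("severity", "")).upper(), 0.0)


def evaluate_report(report_json: str, fail_on_cvss: float = 7.0, suppress=frozenset()) -> dict:
    """Return totals plus the findings at or above the threshold, highest score first.

    `suppress` holds CVE identifiers that were reviewed and accepted (a false positive
    or a non-reachable code path); they are counted but never fail the build.
    """
    report = json.loads(report_json)
    failing, total = [], 0
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            total += 1
            if vuln["name"] in suppress:
                continue
            score = score_of(vuln)
            if score >= fail_on_cvss:
                failing.append({"dependency": dep.get("fileName"), "cve": vuln["name"], "score": score})
    failing.sort(key=lambda f: -f["score"])
    return {"total": total, "failing": failing, "passed": not failing}


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    result = evaluate_report(raw)
    for finding in result["failing"]:
        print(f'{finding["score"]:>4}  {finding["cve"]:<15} {finding["dependency"]}')
    print(f'{result["total"]} findings, build {"PASSED" if result["passed"] else "FAILED"}')
    sys.exit(0 if result["passed"] else 1)
```

Dependency-Check itself exposes a CVSS threshold (failOnCVSS on the CLI, failBuildOnCVSS in the Maven plugin), so the script is mainly useful when you need an explicit, reviewed suppression list or want to post-process the report in a pipeline stage of your own.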

OWASP Dependency-Check: Pros & Cons

Pros                               | Cons
-----------------------------------|---------------------------------------
It's free                          | No dashboard
Multiple reporting and export options | No overview report or report comparison
Easy to deploy and run             | No vulnerability remediation
Lightweight                        |
Categories
Linux

Changing the Timezone in RHEL 6/7/8 and CentOS

First, check the current timezone in your system by using the date command.

# date
Thu Oct 29 11:28:27 PST 2020

Here the timezone is set to PST.

Change the Timezone in CentOS/RHEL 7/8

We can use the timedatectl command to change the current timezone. First, let's list all available timezones.

# timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
Africa/Algiers
.....

Now use the following command to change the timezone to Asia/Kolkata:

# timedatectl set-timezone Asia/Kolkata

Change the Timezone in CentOS/RHEL 5/6

To change the timezone in CentOS/RHEL 5/6, we just need to link /etc/localtime to the correct timezone configuration file.

# mv /etc/localtime /root/localtime.bak
# ln -s /usr/share/zoneinfo/Asia/Calcutta /etc/localtime

With this the timezone is changed, which can be verified by issuing the date command again.

Categories
Performance Testing

Why JMeter for performance testing?

Here are the top 30 reasons for using JMeter as a performance testing tool.

  1. JMeter is an open source tool.
  2. It saves cost for the MQ, SOAP and FTP protocols compared with other proprietary tools on the market.
  3. Proprietary tools offer customized/specialized reports to attract end users. JMeter has simple reports, and it is more helpful to analyse the server logs and get to the root cause of the performance issue. So if you do not want grand UI reports, JMeter will save money from your pocket.
  4. User-friendly UI.
  5. All the components are pre-built and readily available for use. Even a person who is not comfortable with coding can understand and script in JMeter.
  6. Tests can be executed in non-GUI mode to save machine resources.
  7. You can extend JMeter or write new samplers in Java and include them in JMeter.
  8. You can send files with the request using simple configuration.
  9. It is easy to run many users (1000 user logins on a ~2 GB system) without worrying about license cost.
  10. Simple and effective session correlation for a web application.
  11. You can run multiple scripts consecutively (one at a time) or all at once (concurrently).
  12. Response time results can be exported to CSV.
  13. Assertions help to validate the response from the server easily.
  14. You can send a JSON string and test the JSON response of an HTTP request.
  15. Various timers are available to introduce delays.
  16. Using the SSH Sampler, JMeter can connect to a Linux shell.
  17. JMeter can execute Perl scripts from the shell.
  18. JMeter supports functional testing.
  19. JMeter has PerfMon for monitoring the entire system.
  20. JMeter has JMXMon for monitoring the JVM.
  21. JMeter can be integrated with Ant to generate HTML reports.
  22. JMeter supports SOAP testing.
  23. JMeter supports JDBC testing.
  24. It is easy to add new properties in JMeter's property file.
  25. JMeter's BeanShell processor supports the BeanShell language.
  26. JMeter's JSR223 PreProcessor supports Java and bsh.
  27. JMeter's Function Helper is easy to use.
  28. JMeter's Test Action Sampler helps to pause the test.
  29. A JUnit sampler is available in JMeter.
  30. JMeter can test MongoDB.
  31. JMeter supports distributed testing.

Watch out for more updates.

Categories
General Uncategorized

How to access a blocked website?

How to access a blocked website? Well, a direct answer to that question is: switch to Tor.

What is Tor?

Tor Browser is your choice if you need an extra layer of anonymity. It is a modified version of Firefox that comes with pre-installed privacy add-ons, encryption and an advanced proxy. The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

Tor Browser

It's currently available for Windows, macOS, Linux, iOS, Android and OpenBSD.


https://youtu.be/8LNLB4xXrCQ

Categories
Android General

How to go Incognito with Youtube in Android

Sometimes we don't want all the videos we watch to show up in our browsing history. For this, YouTube has added a new feature, an Incognito mode, that makes it easier to watch videos without adding them to your view history.

This feature is currently only available on Android.

Note: This only keeps the videos out of your history; your traffic can still be monitored by service providers.

To turn on Incognito mode, launch the YouTube app and tap on your profile picture. From there, select “Turn on Incognito” from the menu that appears.

Categories
Jmeter Performance Testing

JMeter Distributed Testing using AutoMeter

AutoMeter is an automation tool which helps us create a distributed load testing environment. It was developed by Intuit and released to the open source world. It bundles JMeter in a Docker image and provides a single command to start and stop a test. At the end of the run, we get the reports on the master Docker node. It can also be integrated easily with Jenkins for any CI requirements. What makes AutoMeter unique is that it simplifies JMeter's master/slave configuration: performance testing in a JMeter distributed environment can be triggered with "one click". To scale the load we just add AutoMeter slaves in autometer.config.js.

autometer --help provides the help manual.

More details on installing and configuring AutoMeter can be found here: https://github.com/intuit/autometer

Prerequisites

  • One or more Linux hosts with Docker (>=1.12.5) installed.
  • On one of the Linux hosts, install Node.js (>=7) and the autometer npm module. This node can be designated as the master (from where tests are triggered).

Installation

npm install -g autometer

AutoMeter

Comparison Between AutoMeter and BlazeMeter

Feature                  | AutoMeter                     | BlazeMeter
-------------------------|-------------------------------|---------------------------------------
Supported tools          | JMeter                        | JMeter, Gatling
Proprietary              | Open source tool              | Yes
Jenkins integration      | Yes                           | Yes
Test ongoing statistics  | Yes (limited, console view)   | Yes (web view)
AWS support              | Yes (by default)              | Yes (can deploy in any environment)
Reports                  | JTL, HTML reports             | JTL, CSV (can view in BlazeMeter web)
Categories
technews

How to change Google Drive folder location?

By default the Google Drive installer creates a folder at C:\Users\<USERNAME>\AppData\Local\Google (replace USERNAME with your computer username). Considering the storage available with Google Drive, this might end up filling your default drive's space if all folders are allowed to sync.

We can change the Google Drive folder location in two ways.

During installation, we can change it as described below:
  • Download the latest Drive installer.
  • Begin the installation, then click "Get started".
  • Log in using your account.
  • Click Next three times after logging in; you should see a window that says "You're all set" and an Advanced Setup button.
  • Click that button and choose your installation location.
After installation:
  • Click on the Google Drive icon in your system tray.
  • Choose Disconnect account... under Preferences.
  • Sign in again. You can change the folder when you click the Advanced setup button.


Categories
technews

PETYA Crypto-ransomware

Until now, the ransomware we have heard of encrypted files on the targeted computer: users could still log in to the operating system but could not open the encrypted files. The newly discovered Petya crypto-ransomware goes one step further and overwrites the MBR itself to lock users out of their computers.

Petya is still distributed via email. Victims receive an email tailored to look and read like an applicant applying for a job at the company. It presents the user with a hyperlink to a Dropbox storage location, which lets the user download the said applicant's CV.

The downloaded file is actually a self-extracting executable which unleashes the trojan onto the system.

Once executed, Petya overwrites the MBR of the hard drive, causing Windows to crash and display a blue screen. When the user tries to reboot the system, the modified MBR stops them from booting into the operating system, and they are greeted with an ASCII skull and an ultimatum: pay a certain amount of bitcoins or lose access to your files and computer.

Fig1: Petya’s red skulls-and-crossbones warning


This modified MBR also disables booting into safe mode. The user is then given explicit instructions on how to pay, just like with any crypto-ransomware currently making the rounds: a list of demands, a link to the Tor Project and how to reach the payment page using it, and a personal decryption code.

Fig 2: Petya’s decryption and ransom payment instructions
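Because the damage described above lives in the first sector of the disk rather than in the file system, a file-level scanner never sees it. A defender can instead record the MBR while the machine is known-good and compare later. The script below is an added example, not code from the original post, of that check: it parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA boot signature) and compares boot code and partition table against a saved baseline. Both sector images it works on are constructed inline; reading the real sector (for example the first 512 bytes of /dev/sda) requires root and is left to the caller.

```python
"""Compare an MBR image against a known-good baseline to detect boot-sector tampering.

Added example, not part of the original post. GOOD_MBR and TAMPERED_MBR are
constructed stand-ins, not real boot code or malware.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"      # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into a boot-code hash, the partition entries and the signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PARTITION_TABLE_OFF + 16 * i: PARTITION_TABLE_OFF + 16 * (i + 1)]
        # status, 3 CHS-start bytes, type, 3 CHS-end bytes, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:   # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "valid_signature": sector[510:512] == SIGNATURE}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means the sector matches the recorded baseline."""
    current = parse_mbr(sector)
    findings = []
    if not current["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR with one bootable type-0x07 partition starting at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + entry + b"\x00" * 48 + SIGNATURE


# Constructed images: a baseline, and a copy whose boot code was replaced but whose table is intact.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(GOOD_MBR)
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 200)


if __name__ == "__main__":
    for name, image in (("baseline copy", GOOD_MBR), ("tampered copy", TAMPERED_MBR)):
        print(name, "->", check_mbr(image, BASELINE) or ["OK"])
```

Store the baseline somewhere the machine itself cannot alter (a configuration management database, or a file on a read-only share); a baseline kept on the same disk would be overwritten together with the sector it is meant to protect.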

Categories
technews

DROWN vulnerability

DROWN stands for Decrypting RSA using Obsolete and Weakened eNcryption, and it gives attackers a way to decrypt HTTPS communications with servers that still support SSLv2. Most of us think supporting the SSLv2 protocol on a server is not a problem, because most modern client software simply doesn't use it.

But it turns out the mere existence of SSLv2 support helps attackers crack a connection's encryption and mount what is effectively a MITM attack.

According to the researchers, a server is vulnerable to the DROWN vulnerability (also known as CVE-2016-0800) if:

It allows SSLv2 connections. This is surprisingly common, due to misconfiguration and inappropriate default settings. Our measurements show that 17% of HTTPS servers still allow SSLv2 connections.

or:

Its private key is used on any other server that allows SSLv2 connections, even for another protocol. Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server. When taking key reuse into account, an additional 16% of HTTPS servers are vulnerable, putting 33% of HTTPS servers at risk.

If you want to check whether a particular site is vulnerable, the researchers have helpfully provided an online tool.
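The second condition above is the one that gets overlooked: a web server with SSLv2 disabled is still exposed if the same private key sits on a mail server that accepts SSLv2. The script below is an added example, not code from the original post or the researchers' online tool, that applies both conditions to a service inventory. It works offline from data you supply yourself (the inventory here is constructed, with .test hostnames and placeholder key identifiers standing in for certificate public-key fingerprints); determining whether each service actually accepts SSLv2 is left to your own scan.

```python
"""Flag services exposed to DROWN directly or through private-key reuse.

Added example, not from the original post. INVENTORY is constructed: each entry
is a host, its service, whether SSLv2 is enabled, and an identifier for the
private key behind its certificate (a real inventory would use a public-key
fingerprint here).
"""
from collections import defaultdict

INVENTORY = [
    {"host": "www.example.test",    "service": "https", "sslv2": False, "key_id": "KEY-A"},
    {"host": "mail.example.test",   "service": "smtps", "sslv2": True,  "key_id": "KEY-A"},
    {"host": "api.example.test",    "service": "https", "sslv2": False, "key_id": "KEY-B"},
    {"host": "legacy.example.test", "service": "https", "sslv2": True,  "key_id": "KEY-C"},
]


def assess_drown(inventory: list) -> dict:
    """Return {host: reason} for every host at risk under the two published conditions."""
    # Condition 2 needs to know which SSLv2-enabled services use each key.
    sslv2_services_by_key = defaultdict(list)
    for entry in inventory:
        if entry["sslv2"]:
            sslv2_services_by_key[entry["key_id"]].append(f'{entry["host"]} ({entry["service"]})')

    findings = {}
    for entry in inventory:
        if entry["sslv2"]:                                   # condition 1: SSLv2 allowed here
            findings[entry["host"]] = "allows SSLv2 connections directly"
            continue
        own = entry["host"] + " "
        sharers = [s for s in sslv2_services_by_key.get(entry["key_id"], []) if not s.startswith(own)]
        if sharers:                                          # condition 2: key reused on an SSLv2 host
            findings[entry["host"]] = ("shares its private key with an SSLv2-enabled service: "
                                       + ", ".join(sharers))
    return findings


def summarize(inventory: list, findings: dict) -> dict:
    """Count hosts at risk directly, at risk only through key reuse, and not at risk."""
    direct = sum(1 for reason in findings.values() if reason.startswith("allows"))
    return {"direct": direct, "via_key_reuse": len(findings) - direct,
            "safe": len(inventory) - len(findings)}


if __name__ == "__main__":
    result = assess_drown(INVENTORY)
    for host, reason in result.items():
        print(f"{host}: {reason}")
    print(summarize(INVENTORY, result))
```

In the constructed inventory, disabling SSLv2 on mail.example.test clears both its own finding and the one against www.example.test, which is the practical point of the key-reuse condition: the fix has to be applied to every service that shares the key, not only to the web server you were asked about.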