Suricata in Ubuntu

Suricata is a free, open source, mature, fast and robust network threat detection engine. In this publication, we will show one of the many things you can do with it.

We will need a virtual machine running any operating system, from which we will send a ping. We also need an Ubuntu Linux virtual machine on which we will install and configure Suricata.

We update our Linux virtual machine with the following command.

$ sudo apt-get update

With the following command we will install Suricata.

$ sudo apt-get install suricata -y

We will create an empty rules file with the following command.

$ sudo touch /etc/suricata/rules/local.rules

Now we will edit the file suricata.yaml with the following command. You can use vim or nano; in our case we will use gedit.

$ sudo gedit /etc/suricata/suricata.yaml

We will comment out all the rule files listed there so that our own rules file takes priority. A line is commented out by adding the # sign at the beginning of it.

local.rules is the file we created earlier.

Now we will add our local network, the one configured in our virtual machine; in this case it is 192.168.100.0/24.

The next step is to edit our local.rules file.

$ sudo gedit /etc/suricata/rules/local.rules

This is what we write in our local.rules file (this is rule text, not a shell command):

alert icmp any any -> 192.168.100.3 any (msg:"ICMP detected"; sid:100000001;)

If you do not have ethtool installed yet, you can do it with the following command.

$ sudo -s

# apt-get install ethtool

Now run the following command to disable GRO (generic receive offload) on the capture interface with ethtool.

$ sudo ethtool -K enp0s3 gro off

Then start Suricata in NIDS mode with the command below.

$ sudo suricata -c /etc/suricata/suricata.yaml -i enp0s3

Now we ping from another virtual machine that is in the same network.

ping 192.168.100.3

As a result, we get a record of the ping sent from the virtual machine infosecaddicts@hacker to the machine with Suricata installed, infosecaddicts@infosecaddicts. To see that information in detail we review the file fast.log with the following command.

$ sudo tail -f /var/log/suricata/fast.log
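To go beyond watching fast.log scroll by, the alerts can be parsed and aggregated per source. The following is an added example, not part of the original lesson or of Suricata; the log lines are constructed in the layout Suricata writes for the rule above, and the sid 100000001 comes from that rule.

```python
import re
from collections import Counter

# Constructed fast.log lines in the layout Suricata writes for the rule above
# (timestamp, [gid:sid:rev], message, classification, priority, {proto}, src -> dst).
SAMPLE_FAST_LOG = """\
03/12/2020-14:05:21.123456  [**] [1:100000001:0] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.100.5:8 -> 192.168.100.3:0
03/12/2020-14:05:22.125001  [**] [1:100000001:0] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.100.5:8 -> 192.168.100.3:0
03/12/2020-14:05:23.126402  [**] [1:100000001:0] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.100.7:8 -> 192.168.100.3:0
this line is not an alert and is skipped by the parser
"""

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>.*?)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^:\s]+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Parse fast.log lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        alert = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            alert[key] = int(alert[key])
        alerts.append(alert)
    return alerts


def count_sources(alerts, sid):
    """Count alerts per source address for one rule, most active source first."""
    counter = Counter(a["src"] for a in alerts if a["sid"] == sid)
    return counter.most_common()


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    for src, n in count_sources(parsed, 100000001):
        print(f"{src} triggered sid 100000001 {n} time(s)")
```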

Suricata has many more features; we invite you to install it and run more tests with this tool.

 

Enumerating NetBIOS services

NetBIOS, or Network Basic Input Output System, is an API that allows applications on a local area network (LAN) to communicate with other computers and share files or other resources. In general, NetBIOS is active by default, since it is an integrated component of the system; its main use is directory sharing, which together with SMB enables two computers to send and receive files.

In a NetBIOS network, computers receive several values that make them unique. Much of the data assigned to a PC can be associated with its services, configuration and many other details. Because NetBIOS is widely used, and because of the type of information we can obtain from it, it is a potential target. In this lesson, we are going to analyze the NetBIOS service and see what type of information we can get.

Enumerating NetBIOS services:

In this lab, we will configure 2 virtual machines: a Windows 7 (W7) machine as the victim (192.168.122.157/24) and our ubuntu-infosecaddicts machine as the local machine used to collect information.

Scanning with Nmap

Run:

sudo nmap -sS -O 192.168.122.157

We can see that port 139/tcp belongs to netbios-ssn. The standard ports for NetBIOS are UDP port 137 (name service), UDP port 138 (datagram service) and TCP port 139 (session service).

Now we can focus our analysis on port 139/tcp. Run the command:

sudo nmap -sS -O 192.168.122.157 -p139

As we can check, the W7 victim is running a NetBIOS service. The next step is to research what type of service this machine is sharing.

Scanning with nbtscan

Once we detect the NetBIOS service, we need to obtain as many details as possible. To achieve this we can use the nbtscan tool, a program that scans networks for NetBIOS name information.

Installing nbtscan:

sudo apt search nbtscan

Now run:

sudo apt install nbtscan

With the -h option we can see the available options of the nbtscan command.
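The names nbtscan reports travel over UDP 137 in the "first-level" encoding defined by RFC 1001/1002, which is what you see when you inspect name-service traffic in a packet capture. The following is an added example, not code from the lesson or from nbtscan; the host name WIN7VICTIM is made up for illustration.

```python
# First-level encoding of NetBIOS names, as used by the name service on UDP 137
# (RFC 1001/1002): the 16-byte name (15 characters padded plus a one-byte
# suffix) is split into nibbles and each nibble is written as a letter 'A'..'P'.
# Added example, not code from the lesson or from nbtscan.

# Well-known suffix values and their documented meanings (a few of many).
SUFFIXES = {
    0x00: "workstation service",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x20: "file server service",
}


def encode_netbios_name(name, suffix, pad=b" "):
    """Encode a name of up to 15 characters plus a suffix byte into 32 letters."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = name.upper().encode("ascii") + pad * (15 - len(name)) + bytes([suffix])
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded):
    """Reverse the encoding; returns (name, suffix) or raises on malformed input."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    nibbles = [ord(c) - 65 for c in encoded]
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def describe(encoded):
    """Human-readable NAME<suffix> form, as NetBIOS tools print name table entries."""
    name, suffix = decode_netbios_name(encoded)
    return f"{name}<{suffix:02X}> {SUFFIXES.get(suffix, 'unknown suffix')}"


if __name__ == "__main__":
    wire = encode_netbios_name("WIN7VICTIM", 0x20)
    print(wire, "->", describe(wire))
    # The node-status (NBSTAT) query that name scanners send uses the wildcard
    # name "*" padded with NUL bytes rather than spaces.
    print(encode_netbios_name("*", 0x00, pad=b"\x00"))
```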

Gathering Information

Nikto open source scanner

Nikto is an open source scanner written by Chris Sullo. It can be used with any web server (Apache, Nginx, IHS, OHS, Litespeed, etc.). It is a perfect in-house tool for scanning web servers: if you need to test intranet or in-house applications, then the Nikto web scanner is what you need.

Technical Characteristics:

Nikto can scan for over 6700 items, enabling it to detect misconfigurations, risky files, etc. Its notable features include:

  • Ability to save reports in HTML, XML, CSV
  • Supporting SSL
  • Scanning multiple ports on the server
  • Finding subdomains
  • Apache user enumeration
  • Checking for outdated components
  • Detecting parking sites

We will begin with the installation process and then we will show how to use the tool to perform some basic operations over example systems. Nikto can be installed on Kali Linux or other Operating Systems (Windows, Mac OSX, Redhat, Debian, Ubuntu, BackTrack, CentOS, etc.) that support Perl.

In this particular article, I will show you how to use it on Ubuntu Linux.

Note: lots of requests are made to your web server when performing scans.

Installation Process:

First of all, we have to download the file that contains Nikto. We can do this by typing the following command:

wget https://github.com/sullo/nikto/archive/master.zip

Once the file is downloaded, we use the following command:

unzip master.zip

Once the files are extracted, we change into the Nikto program folder and run the tool with the following commands:

cd nikto-master/program
perl nikto.pl

Attacking Process:

There are several ways/syntax one can use when running the scan. However, this is the quickest way to do it:

perl nikto.pl -h $webserverurl

Be sure to change $webserverurl to your actual web server IP or FQDN. On the example
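The note above that a scan sends lots of requests is also how the scan shows up on the server side. The following is an added example, not part of the original article or of Nikto: it parses constructed Apache combined-format access log lines and reports clients that either announce themselves through the default Nikto User-Agent string (assumed unchanged by the operator) or pile up 404 responses while probing for files that do not exist.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines. The scanner lines carry
# the User-Agent string Nikto sends by default (assumed unchanged by the operator).
SAMPLE_ACCESS_LOG = """\
10.0.0.9 - - [12/Mar/2020:14:10:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/74.0"
192.168.122.10 - - [12/Mar/2020:14:10:02 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
192.168.122.10 - - [12/Mar/2020:14:10:02 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
192.168.122.10 - - [12/Mar/2020:14:10:03 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
192.168.122.10 - - [12/Mar/2020:14:10:03 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
10.0.0.9 - - [12/Mar/2020:14:10:05 +0000] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/74.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_access_log(text):
    """Parse combined-format lines into dicts; unparseable lines are dropped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows

def find_scanners(rows, min_not_found=3):
    """Per client: total requests, 404 count, and whether the UA names Nikto.
    A client is reported if the UA gives it away or if it piles up 404s, the
    signature of a tool probing for files that are not there."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "nikto_ua": False})
    for row in rows:
        s = stats[row["ip"]]
        s["requests"] += 1
        if row["status"] == 404:
            s["not_found"] += 1
        if "nikto" in row["ua"].lower():
            s["nikto_ua"] = True
    return {ip: s for ip, s in stats.items()
            if s["nikto_ua"] or s["not_found"] >= min_not_found}

if __name__ == "__main__":
    for ip, s in find_scanners(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(f"{ip}: {s['requests']} requests, {s['not_found']} x 404, nikto_ua={s['nikto_ua']}")
```

Nikto can be told to use a different User-Agent, so the 404 threshold is the check that still holds when the string is changed.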

rpcinfo/showmount

RPC, or Remote Procedure Call, is a protocol on which services such as NFS, NIS and SAMBA are based. Essentially, RPC handles the encoding and decoding of requests between clients and servers. When a client tries to connect to an NFS service, RPC takes control and maps the request to the port on which the service is listening. If we are looking to compromise this type of service, it will be necessary to analyze how RPC works, so in this lesson we will examine this protocol.

Network File System And RPC

Wikipedia says:

Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984,[1] allowing a user on a client computer to access files over a computer network much like local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. The NFS is an open standard defined in Request for Comments (RFC), allowing anyone to implement the protocol.

As we can see, NFS is a service based on RPC, so we will configure an NFS server in order to examine how RPC operates.

Setup an NFS-Server (192.168.122.131)

We can use the infosecaddicts Ubuntu VM and install the NFS server as follows (after sudo su the shell is already root, so no further sudo is needed):

sudo su
apt-get update
apt-get install nfs-kernel-server

After the installation, we can check the service status:

systemctl status nfs-server

Now we will publish a directory for testing purposes. For that we edit /etc/exports and add the following line:

/home/infosecaddicts/backups 192.168.122.0/24(rw,sync,no_subtree_check)

Finally, restart the VM.
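Before restarting, it is worth reviewing what the exports line actually exposes. The following is an added example, not part of the original lesson: it parses a constructed /etc/exports (the first line is the lab line above; the other two are made up to show settings worth flagging) and reports wildcard clients, rw exports to whole networks, no_root_squash and async.

```python
import ipaddress
import re

# Constructed /etc/exports: the first export is the lab line from above, the
# other two are added to show settings a reviewer would flag.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/infosecaddicts/backups 192.168.122.0/24(rw,sync,no_subtree_check)
/srv/public *(ro,sync,no_subtree_check)
/srv/build 192.168.122.0/24(rw,async,no_root_squash)
"""

EXPORT_RE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+)$")
CLIENT_RE = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")

def parse_exports(text):
    """Return (path, host, [options]) for every client entry of every export."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        m = EXPORT_RE.match(line) if line else None
        if not m:
            continue
        for c in CLIENT_RE.finditer(m.group("clients")):
            opts = [o.strip() for o in (c.group("opts") or "").split(",") if o.strip()]
            entries.append((m.group("path"), c.group("host"), opts))
    return entries

def audit_exports(text):
    """Return (path, host, finding) for every setting that widens exposure."""
    findings = []
    for path, host, opts in parse_exports(text):
        if any(ch in host for ch in "*?"):
            findings.append((path, host, "any host"))
        elif "rw" in opts:
            try:
                net = ipaddress.ip_network(host, strict=False)
                if net.num_addresses > 1:
                    findings.append((path, host, f"rw to network of {net.num_addresses}"))
            except ValueError:
                pass  # hostname or netgroup; resolve separately if needed
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash"))
        if "async" in opts:
            findings.append((path, host, "async"))
    return findings

if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {host}: {finding}")
```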

Setup our local Machine

In our local machine install rpcbind and nfs-common (nfs-client) components:

sudo su
apt install rpcbind nfs-common

rpcbind allows us to run the rpcinfo command, which helps us get information about RPC services on a given system: rpcinfo makes an RPC call to an RPC server and reports what it finds.

With nfs-common, we get all the client tools to successfully connect to an NFS-Server.

Enumerating RPC services:

rpcinfo/showmount commands:

Once our lab is configured, we can focus on what type of information we can obtain from the NFS server:

Now, from our local machine run:

rpcinfo -p 192.168.122.131

After running the rpcinfo command we get a lot of interesting information:

  • All the services (RPC) that are running on the NFS-server (192.168.122.131).
  • The default port for RPC services (111).
  • The ports associated with each service.
  • Information about other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.).
  • The protocol used by each service (UDP, TCP).

If a scan detects port 111, we can say that the target server has an NIS, NFS, CIFS or SAMBA type service waiting for remote connections. rpcinfo also tells us which services are listening. In the image above we can see that there is an NFS service running on TCP/UDP port 2049. When the rpcinfo command runs, the local host makes an RPC call to the NFS server (port 111) and then consults the portmapper to determine where each RPC server is listening.

The most important thing is that through RPC we can list other services; in our case we see the NFS service and the ports on which it is waiting for connections.
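The items listed above can be pulled out of the rpcinfo output programmatically, which is useful on the defending side to see which RPC services sit on dynamically assigned ports that a host firewall rule for 111 and 2049 does not cover. The following is an added example, not part of the original lesson; the output is constructed in the layout rpcinfo -p prints, standing in for what the lab NFS server would return.

```python
import re

# Constructed output in the layout printed by `rpcinfo -p`, standing in for
# what the lab NFS server (192.168.122.131) would return.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    4   tcp  38611  nlockmgr
    100021    4   udp  53827  nlockmgr
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

def parse_rpcinfo(text):
    """Parse rpcinfo -p rows; the header and anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            prog, vers, proto, port, svc = m.groups()
            rows.append({"program": int(prog), "version": int(vers),
                         "proto": proto, "port": int(port), "service": svc})
    return rows

def summarize_services(rows):
    """Map each service name to the set of (proto, port) pairs it listens on."""
    summary = {}
    for r in rows:
        summary.setdefault(r["service"], set()).add((r["proto"], r["port"]))
    return summary

def exposed_ports(rows, well_known=(111, 2049)):
    """Listening ports other than the fixed portmapper/NFS ones. These are
    assigned dynamically at start-up, so a firewall that only allows 111 and
    2049 will not match them, and they change after a reboot."""
    return sorted({(r["proto"], r["port"], r["service"])
                   for r in rows if r["port"] not in well_known})

if __name__ == "__main__":
    rows = parse_rpcinfo(SAMPLE_RPCINFO)
    for service, endpoints in summarize_services(rows).items():
        print(service, sorted(endpoints))
    print("dynamic ports:", exposed_ports(rows))
```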

With nmap we can scan and see a result similar to the previous one:

run:

nmap -sC -p111 192.168.122.131

Finally, since we have verified that an NFS service is running, we can dig deeper and see what else we can obtain.

Run the following to list the exported directories:

showmount -e 192.168.122.131

Try to mount the directory (the mount point must exist first):

sudo mkdir -p /tmp/nfs
sudo mount -t nfs 192.168.122.131:/home/infosecaddicts/backups /tmp/nfs

Check the file systems mounted on our local machine:

mount

As you have seen, examining RPC-type services lets us obtain a lot of information, not only about the network infrastructure: we can also mount a network share and obtain the files stored there.