grepcidr

grepcidr is a 

grepcidr can be used to filter a list of IP addresses against one or more Classless Inter-Domain Routing (CIDR) specifications. As with grep, there are options to invert matching and load patterns from a file. grepcidr is capable of efficiently processing large numbers of IPs and networks.

grepcidr has endless uses in network software, including: mail filtering and processing, network security, log analysis, and many custom applications.

For detailed instructions and examples, please see the README file or man page. A couple examples of usage:

	grepcidr 2001:db8::/32 logfile
	grepcidr 66.249.64.0/19 access.log

Reference: http://www.pc-tools.net/unix/grepcidr/

Install grepcidr with your package manager:

 sudo apt install grepcidr 

Linux du command alternatives

For years I’ve used ncdu a NCurses Disk Usage utility for Linux. Recently someone alerted me to some other options as well as ncdu:

Dust:
du + rust = dust. Like du but more intuitive, Dust is meant to give you an instant overview of which directories are using disk space without requiring sort or head. Dust will print a maximum of 1 ‘Did not have permissions message’. Dust will list the 20 biggest sub directories or files and will smartly recurse down the tree to find the larger ones. There is no need for a ‘-d’ flag or a ‘-h’ flag. The largest sub directory will have its size shown in red.

https://github.com/bootandy/dust

The Tin Summer:
sn is a replacement for du. It has nicer output, saner commands and defaults, and it even runs faster on big directories thanks to multithreading.

https://github.com/vmchale/tin-summer

NCDU:
Ncdu is a disk usage analyzer with an ncurses interface. It is designed to find space hogs on a remote server where you don’t have an entire graphical setup available, but it is a useful tool even on regular desktop systems. Ncdu aims to be fast, simple and easy to use, and should be able to run in any minimal POSIX-like environment with ncurses installed.
Install from repos: sudo apt install ncdu

man page: https://dev.yorhel.nl/ncdu/man

 

tcpdump101.com – generate tcpdump commands

tcpdump101.com is a great site that you can use to generate tcpdump commands, you enter the parameters it’s asks for and it will generate the command for you. It’s handy if you are not running tcpdump commands very often and then have to either look up the help/man pages or Google for the command switches you want. It also has output for Cisco and Checkpoint firewalls.

From there site they say… tcpdump101.com has been designed to help people capture packets on different devices to assist with network troubleshooting, service troubleshooting and even passive red team activities. There is an assumption that the user has a basic understanding of what they want to capture – As much as this is a tool to help people, the user has to use their own logic since every situation is different. That being said, I strongly suggest that if you’re just starting out with packet captures to grab a copy of Virtual Box and play around with Linux and tcpdump. Although tcpdump may not be what you ultimately use, it will give you an excellent understanding of what you’ll see, even with other products and vendors.

As a safety measure (if at all possible) make sure to set a capture limit on your PCaps. If you make a mistake building your filters, you may end up captuing a lot of traffic. Although the odds are slim, there is a chance that your PCap could fill the NIC buffer and start dropping packets. The worst-case scenario is that it runs out of memory while you’re logged in remotely. With today’s hardware, it most likely won’t happen however you should always expect the best and plan for the worst.

 

 

 

 

Reference: tcpdump101.com

lnav – Log File Navigator

The Log File Navigator

Watch and analyze your log files from a terminal with lnav http://lnav.org/ for Linux and Mac. Just like CCZE https://ausinfotech.net/blog/colorize-log-files-with-ccze-tool/ lnav can produce easy readable logs in colour and also highlight important parts of the logs.

Some Features:

Single Log View
All log file contents are merged into a single view based on message timestamps. You no longer need to manually correlate timestamps across multiple windows or figure out the order in which to view rotated log files. The color bars on the left-hand side help to show which file a message belongs to.

Automatic Log Format Detection
The following formats are built in by default:

  • Common Web Access Log format
  • CUPS page_log
  • Syslog
  • Glog
  • VMware ESXi/vCenter Logs
  • dpkg.log
  • uwsgi
  • “Generic” – Any message that starts with a timestamp
  • Strace
  • sudo

Installation:

See http://lnav.org/downloads for details and/or in Linux Debian/Ubuntu run:

 sudo apt install lnav 

Example:

 

 

NetSPI – SQL Injection Wiki

https://sqlwiki.netspi.com

This wiki’s mission is to be a one stop resource for fully identifying, exploiting, and escalating SQL injection vulnerabilities across various Database Management Systems (DBMS).

Below is an outline of the wiki’s structure, laid out in the order of a normal escalation path. Certain queries may be version specific.

Step 1: Injection Detection
Step 2: DBMS Identification
Step 3: Injection Types
Step 4: Injection Techniques
Step 5: Attack Queries

 

ipcalc – bash IP Calculator

ipcalc takes an IP address and netmask and calculates the resulting broadcast, network, Cisco wildcard mask, and host range. By giving a second netmask, you can design subnets and supernets. It is also intended to be a teaching tool and presents the subnetting results as easy-to-understand binary values.

Enter your netmask(s) in CIDR notation (/25) or dotted decimals (255.255.255.0). Inverse netmasks are recognized. If you omit the netmask ipcalc uses the default netmask for the class of your network. Look at the space between the bits of the addresses: The bits before it are the network part of the address, the bits after it are the host part. You can see two simple facts: In a network address all host bits are zero, in a broadcast address they are all set.

 

 

 

ipcalc is available from most Linux distro’s repo’s and from brew on mac’s.

Reference:
man ipcalc
http://jodies.de/ipcalc

Anchore – Container Security Analysis

Anchore provides you with insight and control over the contents of your containers from the start of development all the way to production. Anchore delivers container security solutions for developers, operations, and security teams to deliver insight and control over the contents, security and compliance of containers from the start of development all the way to production. By allowing the creation of policies for security and compliance that are evaluated by Anchore at each stage of the build pipeline, Anchore ensures that only images containers that adhere to an organisation’s policies are deployed.

What’s Inside Your Container Images?
With Docker and containers it’s never been easier to deploy and run any application. Developers now have access to thousands of applications ready to run right “off the shelf” and the ability to quickly build and publish their own images.

In addition to the application, the container image may contain hundreds of packages and thousands of files including binaries, shared libraries, configuration files, and 3rd party modules. Any one of these components may contain a security vulnerability, an outdated software module, a misconfigured configuration file or simply fail to comply with your operational or security best practices.

For more details and to download/install:
https://anchore.com

AD Powershell

After running Windows Server 2016 recently with a DC, I’ve started using Powershell to perform AD functions. Here are a few basics.

New-ADUser cmdlet to create a new user:

 New-ADUser -Name John.Smith 

The above would only create the username, create a new user with more associations:

 New-ADUser -Name John Smith -GivenName John -Surname Smith -Path "OU=Staff,DC=Company,DC=Com" 

Add the password for above account:

 $password = "Strong Password" | ConvertTo-SecureString -AsPlainText -Force
New-ADUser -Name John.Smith -GivenName John -Surname Smith -Path "OU=Staff,DC=Company,DC=Com" 

Bulk Import Users with New-ADUser:

$Import =Import-CSV "c:\utils\aduserimport.csv"
$OU = "OU=staff,DC=ausinfotech,DC=local"
Foreach ($user in $Import)
{
$password = $user.Password | ConvertTo-SecureString -AsPlainText -Force
New-ADUser -Name $user.Name -GivenName $user.FirstName -Surname $user.LastName -Path $OU -AccountPassword $Password -ChangePasswordAtLogon $True -Enabled $True
}

The above script imports the CSV file, sets the standard OU and calls each data record (line of your CSV), writes the password and creates the user account. We are using a “Foreach”-loop, which loads each user record with its parameters from the CSV file.

See here for more info:
http://activedirectoryfaq.com/2016/04/ad-powershell-basics-new-aduser

snap – snapcraft.io

Package any app for every Linux desktop, server, cloud or device, and deliver updates directly. Snap packages are a great way of running apps in an isolated state without using VMs or Containerisation. The website http://snapcraft.io has more details and examples such as this to get going:

A snap is a fancy zip file containing an application together with its dependencies, and a description of how it should safely be run on your system, especially the different ways it should talk to other software. Most importantly snaps are designed to be secure, sandboxed, containerised applications isolated from the underlying system and from other applications. Snaps allow the safe installation of apps from any vendor on mission critical devices and desktops.

Try this (you may need to install snapd)

 $ sudo snap install hello-world 

Now you have installed a snap. You can take a look inside the snap very easily, it shows up as a new directory on your system:

$ cd /snap/hello-world/current/

$ tree
.
├── bin ← this directory structure is just for convenience
│ ├── echo there is no hardcoded structure requirement other
│ ├── env than meta/snap.yaml
│ ├── evil
│ ├── sh
│ ├── showdev
│ └── usehw
└── meta ← your snap must have this directory
├── icon.png ← no prizes for guessing what this is
└── snap.yaml ← this is the required metadata

 

LXD Update Script

Simple shell script wrapper to update all lxd container hypervisor images running Debian or Ubuntu Linux. Run the below script on the host of your lxd server to update all the lxd containers running Ubuntu or Debian. Could be modified to suit CentOS/RedHat OS and/or you container OS of choice.

Script:

#!/bin/bash
# A simple shell script to update all lxd container hypervisor
# URL: https://bash.cyberciti.biz/virtualization/shell-script-to-update-all-lxd-container-hypervisor/
# Tested on : Ubuntu 16.04 LTS lxd server
# Tested on : Ubuntu/Debian lxd container hypervisor only
# ----------------------------------------------------------------------------
# Author: nixCraft
# Copyright: 2016 nixCraft under GNU GPL v2.0+
# ----------------------------------------------------------------------------
# Last updated 14 Aug 2016
# ----------------------------------------------------------------------------
# Set full path to bins
_apt="/usr/bin/apt-get"
_lxc="/usr/bin/lxc"
_awk="/usr/bin/awk"
# Get containers list
clist="$(${_lxc} list -c ns | ${_awk} '!/NAME/{ if ( $4 == "RUNNING" ) print $2}')"
# Use bash for loop and update all container hypervisor powered by Debian or Ubuntu
# NOTE: for CentOS use yum command instead of apt-get
for c in $clist
do
echo "Updating Debian/Ubuntu container hypervisor \"$c\"..."
${_lxc} exec $c ${_apt} -- -qq update
${_lxc} exec $c ${_apt} -- -qq -y upgrade
${_lxc} exec $c ${_apt} -- -qq -y clean
${_lxc} exec $c ${_apt} -- -qq -y autoclean
done

Reference:
https://bash.cyberciti.biz/virtualization/shell-script-to-update-all-lxd-container-hypervisor/