Exploit-DB updates

Sunday, January 30, 2011

Simple Java IDS/Honeypot - Honeyjar

Well, I've been learning Java, so I decided I might as well code something worthwhile as I learn, which I would actually use. So I figured I would make a simple program which opens up a socket and listens on it for incoming scans or connection attempts. It then sends fake banners and logs the attacker's input and IP. It also does a whois lookup on the attacker's IP. Keep in mind I'm still learning, so the code may not be as efficient as it could be, but it does the job. If anyone has suggestions or makes their own improvements to it, then please feel free to send me a copy in a comment. It comes with two premade listeners and one for you to put your own custom message in if you want.

Anyhow, here it is. Enjoy; hopefully someone finds it useful, whether it be to learn from or to use. If you make any improvements or have any suggestions, then feel free to comment!

Here's the source; keep in mind I'm still working on it. I'm only posting it because I've been a bit busy lately, so I haven't had time to post or to finish this.

Source - http://pastebin.com/rJxEPYeT
Jar - http://www.mediafire.com/?5cepfpx9bqdasf3

Usage: java -jar honey.jar

The rest is self explanatory.
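The post links to the Honeyjar source on pastebin; what follows is an added example of the same idea, written for this page and not taken from Honeyjar. It opens a listening socket, sends a fake banner, logs the client's IP and the first few lines it sends, and can optionally run a whois query on the IP. The port (2222), the banner text, the log file name and the whois server are all assumptions made for the example.

```java
import java.io.*;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/**
 * Minimal banner honeypot (an added example, not the Honeyjar source).
 * Listens on one port, sends a fake banner, logs the client's IP and the first
 * few lines it sends, optionally asks a whois server about the IP, then hangs up.
 */
public class BannerHoneypot {
    private final int port;
    private final String banner;
    private final boolean lookupWhois;
    private final PrintWriter log;

    public BannerHoneypot(int port, String banner, boolean lookupWhois, Writer logOut) {
        this.port = port;
        this.banner = banner;
        this.lookupWhois = lookupWhois;
        this.log = new PrintWriter(logOut, true);   // autoflush: lines survive a crash
    }

    /** Accept connections until killed; each client gets its own thread. */
    public void serve() throws IOException {
        ExecutorService pool = Executors.newCachedThreadPool();
        try (ServerSocket server = new ServerSocket(port)) {
            logLine("-", "LISTEN port " + port);
            while (true) {
                Socket client = server.accept();
                pool.submit(() -> handle(client));
            }
        }
    }

    /** One connection: banner out, up to five lines in, everything logged. */
    void handle(Socket client) {
        String ip = client.getInetAddress().getHostAddress();
        try (Socket c = client;
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(c.getInputStream(), StandardCharsets.ISO_8859_1));
             PrintWriter out = new PrintWriter(
                     new OutputStreamWriter(c.getOutputStream(), StandardCharsets.ISO_8859_1), true)) {
            c.setSoTimeout(10_000);   // a silent scanner must not hold the thread forever
            logLine(ip, "CONNECT");
            out.print(banner + "\r\n");
            out.flush();
            String line;
            for (int n = 0; n < 5 && (line = in.readLine()) != null; n++) {
                logLine(ip, "INPUT " + sanitize(line));
            }
            if (lookupWhois) {
                logLine(ip, "WHOIS " + sanitize(whois(ip, "whois.arin.net")));
            }
        } catch (IOException e) {
            logLine(ip, "CLOSED " + e.getMessage());   // timeouts and resets end up here
        }
    }

    /** Plain whois query: send the IP to port 43, return the first 20 answer lines. */
    static String whois(String ip, String server) throws IOException {
        try (Socket s = new Socket(server, 43);
             PrintWriter out = new PrintWriter(s.getOutputStream(), true);
             BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()))) {
            s.setSoTimeout(10_000);
            out.print(ip + "\r\n");
            out.flush();
            StringBuilder sb = new StringBuilder();
            String line;
            for (int n = 0; n < 20 && (line = in.readLine()) != null; n++) {
                sb.append(line.trim()).append(" | ");
            }
            return sb.toString();
        }
    }

    /** Replace control and non-ASCII characters so attacker input cannot forge or break log lines. */
    static String sanitize(String s) {
        StringBuilder sb = new StringBuilder();
        for (char ch : s.toCharArray()) {
            sb.append(ch >= 0x20 && ch < 0x7f ? ch : '?');
        }
        return sb.length() > 200 ? sb.substring(0, 200) + "..." : sb.toString();
    }

    private synchronized void logLine(String ip, String event) {
        log.println(Instant.now() + " " + ip + " " + event);
    }

    public static void main(String[] args) throws IOException {
        // Port, banner text and log file name are assumptions for this example.
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 2222;
        String banner = "SSH-2.0-OpenSSH_5.3";
        try (FileWriter logFile = new FileWriter("honey.log", true)) {
            new BannerHoneypot(port, banner, false, logFile).serve();
        }
    }
}
```

Two design points worth noting: whatever the scanner sends is written to the log, so sanitize() strips control characters before logging, otherwise a client could inject fake log lines or terminal escapes into honey.log; and the read timeout plus the five-line cap keep a connection that never speaks (or never stops) from tying up a thread. The whois lookup is off by default because it makes an outbound connection for every client that touches the listener.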

Friday, January 21, 2011

Java Regex Example for IPs

I've been learning Java lately, so I figured I would post this quick regex example. This code can be used to grab IPs out of a string and display them using regular expressions (regex).

http://pastebin.com/cHmS804v
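As an added example of the technique (this is not the code behind the pastebin link), the class below extracts IPv4 addresses from free text with java.util.regex. It goes a step beyond a plain "four numbers with dots" pattern: each octet is limited to 0-255, and lookarounds stop it from reporting a partial address out of strings such as "256.1.1.1" or "1.2.3.4.5". The sample text is constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Pulls IPv4 addresses out of free text (added example, not the post's pastebin code). */
public class IpExtractor {
    // One dotted-quad octet, 0-255, without accepting leading zeros such as "01".
    private static final String OCTET = "(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";

    // Four octets; the lookarounds refuse a match that is part of a longer dotted number,
    // so "1.2.3.4.5" and "256.1.1.1" yield nothing instead of a bogus partial address.
    // A trailing full stop ("10.0.0.1.") is still fine because only "dot followed by digit" is rejected.
    private static final Pattern IPV4 = Pattern.compile(
            "(?<!\\d\\.?)" + OCTET + "(?:\\." + OCTET + "){3}(?!\\.?\\d)");

    /** Every IPv4 address found in the text, in order of appearance. */
    public static List<String> extractIPv4(String text) {
        List<String> found = new ArrayList<>();
        Matcher m = IPV4.matcher(text);
        while (m.find()) {
            found.add(m.group());
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed sample line; the addresses are made up.
        String sample = "Failed login from 192.168.1.101 and 10.0.0.5; bogus 256.1.1.1 "
                + "and 1.2.3.4.5 are ignored, 172.16.0.1. ends a sentence";
        for (String ip : extractIPv4(sample)) {
            System.out.println(ip);
        }
    }
}
```

Running it on the sample prints the three real addresses and skips the two malformed ones. The octet alternation matters when the input is attacker-controlled (log lines, banner replies): a looser pattern like `\d+\.\d+\.\d+\.\d+` happily returns "999.999.999.999", which then ends up in a whois query or a blocklist.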

Monday, January 10, 2011

Fluxbox on BT4

Well, I personally am not a huge fan of KDE, so I decided to make a switch to a lightweight window manager which I'd enjoy. Fluxbox was an easy switch, as I found out. Below I will show you how to make the switch.

First off, you should make sure you're all up to date. Once you've done that, run "apt-get install backtrack-dragon" to make sure it's installed and up to date as well. Now run backtrack-dragon with the command "dragon", which will prompt you with usable commands. We will now change the default WM to Fluxbox like so:

desktop fluxbox

Now, in a new shell, we will actually switch to Fluxbox:

flux-for-back -s

You will be prompted with some possible commands; we will be using either option 1 or 2. I chose 1, but if you want icons with Fluxbox choose 2. Once you issue the command it will begin making the switch, which may take a moment or two. After it's completed, if it doesn't switch then you may have to reboot, which will boot into Fluxbox since we set that to be the default WM.

Screenshot taken with ImageMagick; you can also see how to add images to your users' backgrounds:

import -window root flux.png

Do note, though, that Fluxbox takes a bit of configuring and isn't quite so user friendly, but it's really not too complicated and kicks ass.

Friday, January 7, 2011

Medusa Bruteforcer

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items as some of the key features of this application:
  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing. 
This tool could be used with one of the dictionaries I posted to test the security of your password, or by someone trying to bruteforce their way into your SSH server, for example. This is just another reason why you should choose a very secure password like S0meP4ss[1984] or something of the like. This way you don't have to worry about hackers trying to bruteforce your logins.

Example usage for bruteforcing SSH (the module is selected with -M):
medusa -h <IP address> -u <username> -P <dictionary> -O <logfile> -M <module>

medusa -h 88.213.43.13 -u root -P /home/Desktop/dictionary.txt -O mlog -M ssh
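A dictionary run like the one above leaves a very recognisable trace on the target: a burst of "Failed password" lines from a single source in sshd's auth log. The following is an added example, not part of the original post and not Medusa's code, that tallies those lines per source over a handful of constructed auth.log entries and flags any source over a threshold. The host name, process IDs and addresses in the sample are made up (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Finds sources hammering sshd with failed logins (added example).
 * Input is the "Failed password" lines OpenSSH writes to auth.log.
 */
public class SshBruteForceDetector {
    // Constructed sample lines; the host, PIDs and addresses are made up.
    static final List<String> SAMPLE_AUTH_LOG = Arrays.asList(
        "Jan  7 10:15:01 srv sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
        "Jan  7 10:15:02 srv sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2",
        "Jan  7 10:15:02 srv sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2",
        "Jan  7 10:15:03 srv sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2",
        "Jan  7 10:15:03 srv sshd[2209]: Failed password for root from 203.0.113.7 port 51242 ssh2",
        "Jan  7 10:16:40 srv sshd[2250]: Failed password for alice from 198.51.100.23 port 40022 ssh2",
        "Jan  7 10:16:45 srv sshd[2252]: Accepted password for alice from 198.51.100.23 port 40022 ssh2");

    // Group 1: user name tried (with or without "invalid user"), group 2: source address.
    private static final Pattern FAILED = Pattern.compile(
        "sshd\\[\\d+\\]: Failed password for (?:invalid user )?(\\S+) from (\\S+) port \\d+");

    /** Per-source tally: how many failures, and which user names were tried. */
    public static final class SourceStats {
        public int failures;
        public final Set<String> users = new TreeSet<>();

        @Override
        public String toString() {
            return failures + " failures, users " + users;
        }
    }

    /** Count failed logins per source address; accepted logins and other lines are skipped. */
    public static Map<String, SourceStats> tally(List<String> lines) {
        Map<String, SourceStats> bySource = new LinkedHashMap<>();
        for (String line : lines) {
            Matcher m = FAILED.matcher(line);
            if (!m.find()) {
                continue;
            }
            SourceStats s = bySource.computeIfAbsent(m.group(2), k -> new SourceStats());
            s.failures++;
            s.users.add(m.group(1));
        }
        return bySource;
    }

    /** Sources with at least `threshold` failures: the shape a dictionary run leaves behind. */
    public static Set<String> suspicious(List<String> lines, int threshold) {
        Set<String> hits = new TreeSet<>();
        for (Map.Entry<String, SourceStats> e : tally(lines).entrySet()) {
            if (e.getValue().failures >= threshold) {
                hits.add(e.getKey());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        tally(SAMPLE_AUTH_LOG).forEach((ip, s) -> System.out.println(ip + ": " + s));
        System.out.println("suspicious: " + suspicious(SAMPLE_AUTH_LOG, 5));
    }
}
```

On the sample, the first source reaches the threshold within seconds and has cycled through several user names, while the second source is one typo followed by a successful login. A production version would add a time window (failures per source per minute) and would feed the result to a blocklist or a firewall rule; the regex is anchored on the sshd tag and the fixed "Failed password for ... from ... port" phrasing so that a user name containing spaces or odd characters cannot shift the captured address.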

Thursday, January 6, 2011

Scanning random IP ranges for specific ports with NMAP

This is a quick example of how the Nmap scanner can scan random IP addresses for specific ports.

Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).

Example command (the port list takes no spaces):
nmap -iR <# of IPs> -oG <filename> -A -p 21-25,8080 --open

nmap -iR 1000 -oG nlog -A -p 21-25 --open

Pretty obvious, but this scans 1000 random IPs for open ports 21-25 (Telnet, FTP, SSH) and only displays the IP if it has an open port. It also runs OS detection, service detection and a traceroute because of the "-A". It then logs the scan as nlog. Do note that this is a noisy scan due to all the service and OS detection, which means it could be detected or blocked.

Wednesday, January 5, 2011

Snort Intrusion Detection System (IDS)

Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc), or a full-blown network intrusion prevention system.
Here's an example of its usage. If we just wanted to run it in sniffer mode we would use the following:

snort -v

This will just show the headers; if you would like to see the data, you can use this command:

snort -v -d

This will display the packet data. To also see the data link layer headers you can add "-e", and in addition you can set it to log the packets by issuing the following:

mkdir slog
snort -d -e -v -l ./slog

or you can use -L to log to a file rather than a directory.

This will run it in sniffing mode while logging the packets. If you want to use Snort as an IDS, you must set up a Snort config file, which once completed can be used as shown below:

snort -c snort.conf

And that's the very basics of Snort. This tool is very configurable and extremely useful. To download it or read more you can visit the site here. You can also use the apt-get or yum command.

Aspartame created from Monsanto's Genetically Modified bacteria.

The manufacturers of the most prevalent sweetener in the world have a secret, and it's not a sweet one. Aspartame, an artificial sweetener found in thousands of products worldwide, has been found to be created using genetically modified (GM) bacteria. What's even more shocking is how long this information has been known. A 1999 article by The Independent was the first to expose the abominable process in which aspartame was created. Ironically, the discovery was made around the same time as rich leaders around the globe met at the G8 Summit to discuss the safety of GM foods.

The 1999 investigation found that Monsanto, the largest biotech corporation in the world, often used GM bacteria to produce aspartame in their US production plants. The end result is a fusion between two of the largest health hazards to ever hit the food industry -- artificial sweeteners and an array of genetically altered organisms. Both have led to large-scale debate, with aspartame being the subject of multiple congressional hearings and scientific criticism. Scientists and health advocates are not the only ones to speak out against aspartame, however. The FDA received a flurry of complaints from consumers using NutraSweet, a product containing aspartame. Since 1992, the FDA has stopped documenting reports on the subject.

Learn more: http://www.naturalnews.com/030918_aspartame_GM_bacteria.html#ixzz1ABtQzIJC

Toxic Animal Feed Contaminates Food

Chromium-6 Toxin Polluting U.S. Tap Water

According to a recent study, the cancer-causing chromium-6 compound has been found polluting tap water in 31 U.S. cities. Approximately 74 million Americans in 42 states consume water that is polluted with the chromium-6 chemical.

Chromium-6, aka hexavalent chromium, came to be well known to the public from the 2000 biographical film Erin Brockovich. Chromium-6 comes from industrial processes and facilities used to manufacture pigments, dyes, and chrome plating. It is also frequently discharged from steel and pulp mills.

The EPA does not currently regulate chromium-6 specifically, but the total chromium threshold is set at 100 ppb to protect against skin irritation. The EPA is expected to determine if a new level will be set sometime this year.

Sunday, January 2, 2011

ArpON - Protect yourself from MITM attacks.

ArpON (Arp handler inspectiON) is a portable handler daemon that makes ARP secure in order to avoid Man In The Middle attacks through ARP Spoofing/Poisoning. It also detects and blocks Man In The Middle attacks carried out through ARP Spoofing/Poisoning, such as DHCP Spoofing, DNS Spoofing, WEB Spoofing, Session Hijacking, SSL/TLS Hijacking and co.

This is possible using two kinds of anti ARP Poisoning techniques: the first is based on SARPI, or "Static Arp Inspection", the second on the DARPI, or "Dynamic Arp Inspection", approach. SARPI and DARPI protect against unidirectional, bidirectional and distributed attacks.

Here's a very quick example of its usage; we will use SARPI.

arpon -n 10 -g -u 1 -s -i eth0

  ArpON "Arp handler inspection" version 1.90 (http://arpon.sourceforge.net)

  [00/02/2011 - 08:32:04 PST] Device: (eth0) MAC: 0:24:21:66:9:5a Inet4: 192.168.1.101 Netmask: 255.255.255.0
  [00/02/2011 - 08:32:04 PST] SARPI Start...
  [00/02/2011 - 08:32:04 PST] SARPI protects these Arp Cache's entries:
  [00/02/2011 - 08:32:04 PST] 1)     192.168.1.1 ->  0:66:78:d6:92:c8
  [00/02/2011 - 08:32:04 PST] SARPI Arp Cache refresh timeout: 1 minute.
  [00/02/2011 - 08:32:04 PST] SARPI Realtime Protect actived!

-n 10 ~ Sets priority
-g ~ Works in logging mode
-u 1 ~ Sets the SARPI timeout to 1 minute
-s ~ Manage the ARP cache statically

You can get ArpON with the apt-get command or visit here.

Saturday, January 1, 2011

Dictionary pack for bruteforcing

Here's a pack of dictionaries I've accumulated; it covers a good amount of words.

You can download them here - http://www.mediafire.com/?sdfubfwmd7qw4ui