There has been a lot of talk about why you should use a VPN on public networks and why it shouldn’t be a commercial one.
I am a huge fan of the Streisand privacy stack because it includes and L2TP/IPsec VPN, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge all in one amazing package.
The problem with Streisand though is the install is amazingly complicated using ansible from your local system to a cloud provider using API calls and if you are not in a shop that uses this technology it can be difficult to get working correctly so I have hacked the install simplified the install to install it directly on a digitalocean server (but this should work everywhere).
The steps are as follows:
Create a new digitalocean Ubuntu 14.04 droplet named streisand with your SSH key.
The $5 droplet “works” but if you are not going to keep it running all the time (I wouldnt) I would spin this up on a $20 a month droplet when needed (say for a trip out of the country or to blackhat).
Run the following commands to install the prerequisites:
sudo apt-get update && sudo apt-get install -y git python-paramiko python-pip python-pycurl python-dev build-essential
sudo pip install ansible markupsafe dopy==0.3.5
Download and configure strisand with the follwoing commnads:
git clone https://github.com/jlund/streisand.git && cd streisand/playbooks
sed -i 's/streisand-host/127.0.0.1/g' streisand.yml
sudo ansible-playbook -i "localhost," -c local streisand.yml
sed -i "s/localhost/$(curl -s ipecho.net/plain)/g" ../generated-docs/streisand.html(This takes between 10 and 15 minutes to complete. )
Use streisand for safer internet:
Copy generated-docs/streisand.html to your local machine using scp or just cat and paste (cat ../generated-docs/streisand.html) and it will have all the information you need to use your new privacy server on almost every device you own. You can also share this information with your family or team as one server should support 4 or 5 users.
If you trust me (and you shouldnt) here is a bash script to automate the install:
https://gist.github.com/jgamblin/3100b682510119722c56f5667fa2e18b
Blog Posts
I worked with a consultant using the lair framework two years ago and since then I have been a huge fan of the project to manage pentest information.
Tom Steele has done an amazing job with the project but it has been a pain to install but thanks to Ryan Hanson and Docker you can now setup a lair instance with 7 simple commands on a clean (digitalocean) Ubuntu 16.04 install:
curl -sSL https://get.docker.com/ | sh
curl -L https://github.com/docker/compose/releases/download/1.6.2/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
git clone https://github.com/ryhanson/lair-docker.git
cd lair-docker
docker-compose build
docker-compose up
From there you can start importing data with drones or entering it manually but with the installation bar lowered you do not have a reason to not give this amazing tool a try!
One of the tips that security professionals love to give is to use a VPN on public wifi networks. This is great advice and (I personally like PrivateInternetAccess and NordVPN). Recently I noticed nike.com blocks traffic from TOR and VPN providers:
That got me wondering what other websites were blocking traffic from these sources so I decided to test the Alexa Top 1000 websites.
First I needed to get a list of the Top 1000 websites. To do this I used this line of command line kung fu that grabs a CSV of the top 1 million websites and puts the top 1000 in a urls.txt file:
curl -s -O s3.amazonaws.com/alexa-static/top-1m.csv.zip ; unzip -q -o top-1m.csv.zip top-1m.csv ; head -1000 top-1m.csv | cut -d, -f2 | cut -d/ -f1 > urls.txt
Here is the output from this command.
I now needed to automatically take a screenshot of 1000 websites. I had started to write my own terrible python script using selenium until Chris Truncer pointed me to his amazing project called EyeWitness.
The command I used was:
./Eyewitness.py --web -f urls.txt
During my first test using PrivateInternetAccess I found 11 of 1000* blocked access with a 401/404:
hilton.com
nike.com
craigslist.org
tickermaster.com
tradeadexchange.com
blog-newstime.com
brightonclick.com
adnetworkperformance.com
kissanime.to
neobux.com
loading-delivery2.com
With craigslist.org, nike.com, ticketmaster.com and hilton.com being the most inpactful websites on that list:
I then ran the test again through tor (using the tor container I built) and found 40 of 1000* blocked access with a 401/404: :
adnetworkperformance.com
nordstrom.com
overstock.com
asos.com
prjcq.com
avito.ru
quikr.com
bestbuy.com
retailmenot.com
blog-newstime.com
secureserver.net
brightonclick.com
shopclues.com
craigslist.org
ticketmaster.com
expedia.com
tradeadexchange.com
foxnews.com
trulia.com
garmin.com
tube8.com
groupon.com
usbank.com
ticketmaster.com
irs.gov
usps.com
justdial.com
walmart.com
kohls.com
wayfair.com
lowes.com
hilton.com
whitepages.com
macys.com
xbox.com
newegg.com
zara.com
nike.com
zhihu.com
With many more asking for a captcha before gaining access:
Epilogue: I play defense in my day job. I understand the need stop malicious traffic from reaching your website. This isn’t an indictment just an academic exercise although if more and more websites take this approach tools like TOR and commercial VPNs will become less useful.
Final Notes:
I was surprised at how many porn websites are in the top 1000 overall websites.
It takes 1.8 gigs of storage to screenshot the top 1000 websites.
*Your results will vary on what is blocked based on exit node, VPN, time you test and what color shirt you have one.
I had a 2014 Dell Chromebook 11 I was not doing anything so I decided to turn it into a stand alone Kali box using the Chromium OS Universal Chroot Environment.
The installation steps are pretty simple:
Add a l33t hacker sticker:
Enable Developer Mode (this will wipe the device).
Login and download the latest crouton.
Access the terminal by pressing:
CTL - ALT - TRun the following commands:
shell
sudo sh -e ~/Downloads/crouton -r sana -t xfceGo eat lunch (it takes about 30 minutes to pull down the image).
Hack (legally) all the things:
You have a couple of options on how to use Kali on the ChromeBook. The option I will use the most is just the terminal option. You can access it by typing: sudo enter-chroot -n sana
You can also access a full gui by typing: sudo startxfce4 -n sana
Couple of notes:
Kali-Rolling is working on crouton right now due to an abandoned package issue. They are working on it.
The install of Kali is super light weight. The meta-packages will be your friend when building your image.
A picture started floating around the internet of Mark Zuckerberg holding an Instagram cutout:
People almost instantly started to notice that his webcam and mic were taped over. While Mark Zuckerberg isnt exactly known for having great security practices, all his social media passwords were Dadada. This started a discussion in the office if someone could really spy on you via your webcam. So being a huge fan of the POC||GTFO model of security I put together a quick POC using a 10 line bash script and imagesnap and put it on github.
Simply Running ./capture.sh & takes a photo every 60 seconds.
While I dont shower with my mac (that much) I will be Zuckerberging my webcam from now so hackers can not see the strange faces I make at my computer when trying to figure out how to get a bash script to work correctly.
While rebuilding my iPad this weekend I noticed that I could name it an emoji. So I named my iPad 📱(U+1F4F1):
While I don’t have any problem using the iPad it basically makes it unreachable on the network via hostname.
From there I renamed all of my lab machines emojis. Mostly variations of 💩 (U+1F4A9) because I am sophomoric:
In case you were wondering this is all totally illegally according to RFC 952 (that was written in 1985) and shouldn’t be allowed but I have not found an OS the enforces it.
While doing some research on hostnames and emojis I read that .ws (Samoa) and .tk (Tokelau) allow emoji domains with the help on punycoder so I registered http://☠💻💩.ws which is either going to be the waste of $6 or the start of a $10B security startup. I have not decided yet.
If all of this isn’t ridiculous enough for you can even name your wireless network with emojis:
…emojis: they just aren’t for 12 year olds anymore. 😎
Earlier today I ran across this blog post on hijacking windows .lnk file so I decided to build out and test a full POC for it using Windows 8.1. 
To reproduce this just copy these 7 lines into powershell and ctrl+c now runs calc.exe instead of copying your text:
https://gist.github.com/jgamblin/4aa897a2cca6912eeea96a12d73d8cd6
For extra jerkiness this will shutdown a windows machine when ctrl+c is pressed:
https://gist.github.com/jgamblin/9ca3be57c24d4b422e385d296763d903
Using this technique you could easily natively remap common commands like ctrl+c , ctrl+v, ctrl-alt-delete to do anything the logged in user can do. You could also copy these links into the common desktop (C:\Users\Public\Desktop\) to make anyone who logs into the machine have these mappings.
Here is a full video of the POC:
While getting ready to teach an “introduction to penetration testing with docker ” class I stumbled across the Shipyard-Project which brings an amazing web based interface to docker.
Installing on Debian on DigitalOcean is as simple as starting a droplet and running these two commands:
curl -sSL https://get.docker.com/ | sh
curl -sSL https://shipyard-project.com/deploy | bash -s
Update: Running scripts you have not read through is a really bad idea (almost as bad as suggesting you do so). Make sure you take a look at the docker and shipyard scripts before you run them.
From there you have an amazing docker interface at http://yourip:8080
You Can Pull And Manage Images:
Configure Containers:
Easily Control Containers:
Check Stats and Logs:
Access Containers Console:
While the CLI for docker isn’t hard to learn this does seem like the “Killer App” that could help people adopt containers. I know I will be using it to manage my containers from here on out and recommending it to as many people as I can.
Docker containers have become so ubiquitous sometimes respected security professionals tweet ridiculous things like:
docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh
http://localhost:8080/?anonym=true&app=ZAP
— Jerry Gamblin (@JGamblin) June 7, 2016
…but it is 2016 and you should never run code on your machine if you don’t know what it does. These are mini-virtual machines and not magically secure little shipping containers*. At a minimum you should do these basic things to get some idea of what you are putting on your machine before you run it.
Pull the container first:
docker pull jgamblin/tiny-tor
Use Docker Inspect to look at the container’s metadata:
docker inspect jgamblin/tiny-tor
You will want to carefully read through that output and take time to look at these fields:
- Image The image this container is running.
- NetworkSettings The network settings for the container,
- LogPath The system path to this container’s log file.
- Name The user defined name for the container.
- Volumes Defines the volume mapping between the host system and the container.
- HostConfig Key configurations for how the container will interact with the host system. These could take CPU and memory limits, networking values, or device driver paths.
- Config The runtime configuration options set when the docker run command was executed.
Use Docker History to see how the image was built:
docker history jgamblin/tiny-tor
Protip: CenturylinkLabs released a tool to create a Dockerfile from a container.
Run the container without network access and look around a bit:
docker run -t -i --net=none jgamblin/tiny-tor /bin/sh
After you have done the following steps and feel comfortable you can then:
docker run -t -i -p 9050:9050 jgamblin/tiny-tor
If you do these basic things you can feel a little better about what you are running on your system.
* What a magically secure little shipping container might look like:
I built a simple TOR socks proxy container today to be able to easily use TOR to machines I am working on.
Getting it to run is as simple as:
docker run --name tor -ti -p 9050:9050 jgamblin/tor
This will run it as a daemon:
docker run --name tor -ti -p 9050:9050 jgamblin/tor
From there all you have to do is configure your browser to use port 9150 and you are using TOR.
The dockerfile for this build is fairly simple and is on Github and Docker Hub:
https://gist.github.com/jgamblin/3e1fd9aad19fcd496ed3d35d2cfe383b
As always if you are *REALLY* worried about security you should be using Tails but this works perfectly to get an “outside-in” real world look of your environment. If you have any questions please reach out to me on twitter at @jgamblin.