Hello Everyone,
2017 is upon us, and with the new year, it got me thinking. You know, many people make silly new year resolutions, like "Lose 10 lbs", "Eat Healthier", "Quit smoking", etc., but rarely does anyone say "Make More Money" or "Change careers to something I am passionate about".
Sadly, most people lack the drive or ambition to keep their resolutions, and they fall by the wayside.
Did you know that Cyber Security Professionals are estimated to make an average of $80-100k+ this year alone?
If 2016 should have taught us anything at all, it's that Cyber Security professionals are needed now more than ever before. We are, and will continue to be, in high demand for decades to come.
I'm so glad that I finally started the online school www.PentesterUniversity.org and I want to help you get into the trade. So, use promo code "pre10" at check out to save 10% off our already super low course prices.
Are you ready to enter one of the most popular, highly sought after trades? If so be sure to use the promo code above and check us out!
I look forward to seeing you there!
Best Regards,
AfterBurn
A Blog Site dedicated to Learning Network Security. Video Tutorials, News, Tips, Tricks, Advisories, White papers, Downloads, etc.
Showing posts with label Firewall. Show all posts
Monday, January 16, 2017
Friday, August 12, 2016
Hard Drive Crash
Hey Everyone,
So if you've been following along on Twitter, you'd have had a good laugh at my expense today. Last night the HDD crashed on the trusty laptop.
I tried everything, fsck, etc. Nothing. Bad sectors, probably physical damage! But, I finally had enough of these physical hard drives always eventually breaking, and finally broke down and bought an SSD for the laptop. This computer flies now!
So, that being said, I had to re-download Kali Linux, and being that my main laptop just died, and no external CD/DVD writers around for the tablets/smart phones, I broke out a very old, highly abused windows XP laptop I found laying around. It only had a CD burner, but I wanted the full ISO of Kali. So, that won't fit on a CD.
Plan B: I had to download the large ISO over WiFi. No big deal, but now I remember why I tossed that WinXP Laptop into the back of the closet. The wifi card randomly kills the signal, and of course the ancient hardware. So imagine downloading 2.8GB of an iso, over a spotty wifi and only 512MB Ram!
Finally got it downloaded, and made a bootable USB jump drive, then installed to this Laptop from that!
Happy Friday
:-)
Tuesday, October 27, 2015
The Stickers Are In!!
Hey Guys,
If you guys have been following the blog and twitter, you would have seen that I created some very unique stickers for you to put on your tablets, laptops, cars, etc. Well, they are finally in, and I shipped the first batch to those who pre-ordered them on the blog last week!
The rest are now in my physical possession, and I will ship them out immediately upon payment! So get yours HERE, and share it with your like minded friends, colleagues, or who ever!
Tuesday, August 25, 2015
zscaler - Fake it till you make it?
So on the twitter sphere today, I saw a post about this website; http://securitypreview.zscaler.com/ which is supposed to be some "in the cloud" network security company, I guess? And their free check up script is supposed to do an "Automated Audit" on your system, via the web browser. I know right, silly to even type this, but that's the claim.
Well apparently some of us professionals in the know tried it out. And no matter your OS, Device, Browser, etc, we noticed that every single time on ANYTHING, this scan would tell you that you are Vulnerable to the "zbot Virus", which oddly enough, their company name also starts with a "z" as in "ZScaler" Twitter @zscaler. Coincidence? I think not. Scareware, I think yes.
Just imagine for a second, if you will, some overly zealous CEO of some small-medium corporation coming across this advertisement. He figures, sure, why not, I'll run a free scan! I'll show those over priced infosec companies, HA!
He then sees he's vulnerable to some erroneous "zbot" virus. "OH NO!" he exclaims, and promptly follows the company's call to action to sign up for their "service". Sigh.. we've all been saying this for years, this was bound to happen. But what Mr CEO doesn't realize -- and it's our job to educate them on this -- is that Network Security auditing and/or Penetration Testing involves (should always) thinking outside the box. There is absolutely no "canned" or out of the box magic protection software/technology. It's not possible, and everyone who thinks that is just another foolish sheep.
Anyway, I know exactly nothing else about the above mentioned company, however, I do know that what they are doing is an underhanded, shady practice no different from any other traditional scareware tactics.
By the way, as I mentioned, it doesn't matter the platform you're on, they tell you that you are vulnerable to the zbot virus. I googled the zbot virus, and the only systems it can infect are:
Trojan
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
Notice it doesn't say anything about Linux/Unix or android, mac, etc. Yet on all of those devices, it said I was vulnerable.
Reference
-AfterBurn
Monday, August 24, 2015
Updated 8-24-15
Hey Guys,
Just wanted to post an update as to what I am currently up to. First, I see Kali Linux 2.0 is out and that's exciting! I went ahead and ordered a new (to me) laptop, and that should be to me by the 29th. First thing will be installing Kali Linux 2.0. In reading the docs for Kali 2.0, I realized that there are some scripts I can write to certainly save some time, and make stuff easier for the Kali Community, which I will do as soon as I install it. So keep an eye out for that.
I am searching through my old backups looking for data from the www.learnnetsec.com website. UGH, it may not be as easy as I thought to get the site back and going. But, that said, I want to make it bigger, better, more content, more hacker challenges, forums, learning portals, etc. So until then, this site is serving as the backup. Please subscribe to it. For now, the domain www.learnnetsec.com is forwarded to this one, until I get this resolved.
I am very active on twitter again, so check me out there @LearnNetSec
I am very excited to be back and at it again guys, honestly. I have found new software to edit videos on Linux, and of course it's open source! So goodbye windows! Once and for all!
Stay Tuned,
- AfterBurn
Thursday, June 13, 2013
Updates: Next Week
Starting Next Week:
I am going to begin compiling the data for the presentation on "Phases of NetSec" which will discuss all of the details, steps, etc in Network Security Auditing and Penetration Testing. So far it's 13 slides of just talking points, so there is a lot of ground to cover.
I am trying to figure out how to Produce the Video. Meaning it's obviously going to have to be done in parts since there is so much information to cover.
While I am working on that, don't forget to check out the newest video:
Tor-Buddy Script Demo Tor + Proxychains + Anonymous DNS:
https://www.youtube.com/watch?v=AedFlLSmJf8
I will still be making Quick Vids based on your input on what you would like to learn in the interim. We have had 2 requests so far, 1 for nmap and one for VM-tools for kali linux. nmap will be included in the next video set: "Phases of NetSec".
Remember, please don't forget to like and share our videos, Facebook, and of course this very blog with all of your friends, family, and co-workers! Our presence on the web has been growing steadily, and that is great! The more people interested, the more creative I can be!
Thanks Guys! See you in the next Video!
Tuesday, June 11, 2013
What's Up Next?
Hey Guys,
As I am sure most of you have already seen, I uploaded what was intended to be a new Video Intro last night that turned out to be more of a Trailer of what is to come in the next few videos. That Video is HERE in case you missed it.
We will be discussing the "Meat and Potatoes" of actually Hacking. Finally! But, it's way too much information to stuff in one video, even my infamous 45+ minute videos. We will start with an overview of what we are going to learn via Presentation slides and explaining each and every topic. Then we will move on to actually Hacking the Network. Explaining what to use, how, why, where, and when in great detail, as always. This is why it must be a multi-part video. We have a lot to cover!
Moving forward from that, we are going to go into Advanced Techniques, such as firewall/IDS/IPS evasion tactics, Packet Analysis, Reporting, Etc.
I will also be making a few videos in the interim, like, Building a real Virtual Lab using ProxMox (Free), Different types of attacks, like MITM, etc.
So Stay Tuned Guys! It's about to get really interesting!
New Trailer Uploaded!
Just a small taste of things to come in future Videos!
Update: New Intro
The New Video Intro:
Okay, Okay, so the new intro really didn't turn out to be a 3 minute or less intro like I planned, however it came out pretty awesome as a Trailer of things to come in the next few videos. It's basically me beating up some boxes on the LAN :-) Video link to follow post upload!
I do still think that the very beginning of the Trailer video has potential to be good footage for an intro to new videos. I just need to edit the intro start song to be 30 seconds but still sound good! I think I can, I think I can!
Rendering video now, and uploading soon!
Monday, June 10, 2013
It's Monday!
Hey Guys,
Hope you enjoyed your weekend. I apologize for making a post so late in the day, but, well, it's Manic Monday here!
The day is unwinding now. I am hoping to get the new intro done today/tonight. Then I want to move onto getting my virtual lab finished so we can resume Hacking the machines in there on the videos. I am going to redo the lab, because I want to further segment it, and put a Virtual Router/Firewall in place to simulate real world exercises on how to perform firewall evasion.
I will also do a video on setting up your own Virtual Lab as has been requested by one of our members!
I am also thinking of creating a forum where we can ask questions, get help, etc. This idea I am not sure about quite yet.
Enough out of me! Back to work! :-)
EDIT:
I think what we are going to do is save the Virtual Firewall for the Advanced Video Tutorials.
I really want to get into showing you guys some examples of hacking machines. Then we will do a Virtual Lab setup, and then I will re-do the lab and set up the virtual firewall, fire it up on a Public IP, and show advanced techniques in terms of firewall evasion, etc.
Sunday, June 9, 2013
New Video Intro
Hey Guys,
I am working on a new Intro to our videos. I find, as I am becoming better with Video Editing, that the default intro is kinda boring. I am hoping that tomorrow I can get Win2k3 server installed on the VM server. Also, I need to reinstall win7 because somehow it decided to BSOD with the network config. Not even sure why, but that is MSFT windows for you. All of my UNIX/Linux VMs are chugging right along without a hitch. This is why I love linux!
Anyways it's Sunday and I am going to take the day to relax, it was a rough week! Of course though, my brain never shuts off, so I will be doing some reading on Techie stuff, etc LOL.
Enjoy the rest of your weekend. I will see you all tomorrow, and hopefully I can respond to any questions/emails in a timely fashion for the rest of today.
Also, again, Thanks for the feedback, and questions/suggestions you guys have provided so far! It really goes a long way for me to see people interacting and even helping each other on the comments! Our youtube channel now has 67 Subscribers so far! Not bad for under a month of the sites and videos being active (started this on May 15th). I have you guys to Thank for the fast growth of this project, so Thank You!
As always keep sharing our pages, videos, blog, etc. Thanks!
Saturday, June 8, 2013
Happy Saturday!
Hey Guys,
I hope you are enjoying your weekend so far! On Monday I am going to move forward with getting the rest of the Virtual Machines created and configured. I have run into a few snags, and that is to be expected since I have never used ProxMox to host VMs before. Since I am lacking the proper hardware to make windows play nicely in ProxMox, it's a bit challenging. I will however press on.
In the meantime, keep reading, and learning.
Do you guys have any suggestions for future videos? Let me know!
And as always Thank You for your feedback, and support! Keep sharing the videos, and our YouTube, facebook, and blog pages!
Friday, June 7, 2013
Good Morning Good People!
I am going to be out in the field today. I will do my very best to answer any questions you guys may have from my phone.
I hope you guys enjoyed the latest video on ToR and Proxy chains I did yesterday. Please keep spreading the word, Thumbs up the videos, share them, and our facebook page. Thank You!
Enjoy your day!
Wednesday, June 5, 2013
Round 3!
Good Morning,
Okay, so I am going to try this for the 3rd time! I am turning off the ringers on all of the office phones, cell phone, etc.
The video I want to produce today will be about the different phases of Network Security from a Professionals point of view.
I have most of the lab's VM machines going, except win2k, as my old install media is messed up and will not work :(. Which is ok, because most of what we will be going over will apply to any machine that is windows based. I am going to fire in a few Linux based machines also, just to give us some more variety.
There is one thing to keep in mind guys; No audit is always successful, and you may not find anything worthwhile. Nothing is 100% guaranteed to succeed!
The video I may wind up producing before we get into this process may very well be setting up Metasploit Framework + Armitage. The only thing holding me back is that I have already gone ahead and registered my community version of Metasploit, so I could get the most important updates for vulns. I need to find a way to reverse that so I can show you guys how to do this from scratch!
After that quick video, we will now have most of our more commonly used tools that need configuring setup, so we can dive into the meaty stuff, like actually doing some pentests on the lab! - Finally!
Operation: Get things in order - engaged!
Tuesday, June 4, 2013
Good Morning Fellow Hackers of the World!
Good Morning Guys and Gals,
I am still setting up VM's in ProxMox so we can do a full on Tutorial on that. It may take a few more hours to get them all installed.
For now, we will be working with Windows 7 Ultimate, Windows XP Pro, Windows 2000 Pro, and windows 2000 advanced server. I Know what you are probably thinking "Windows 2000?! Who still uses that?!?!" but you would be surprised. A lot of manufacturers still use it because their old proprietary machinist software runs on that platform.
Using windows 7, I want to bring you into the realm of newer OS platforms that are still in wide use, due to the lack of adoption of windows 8 in corporate environments. Most of the vulns and exploits for win7 can also be applied to win2k8 server, so for the time being, in lieu of a legit copy of win2k8, we will go forward with this.
In terms of windows XP pro.. again, you would be surprised how many corporate environments still have a lot of these lurking around for whatever reason.
Keep in mind, I am funding this entire project out of pocket, so that is the reason for the ads on the blog and youtube. Also, there is always the donations button on the home page, if you feel so inclined :-)
Thanks!
Stay Tuned!
Monday, June 3, 2013
Update on Metasploit + Armitage Tutorial
Well Guys, in testing today with a WIN-7 image on my poor XP VM host box that also runs the Kali environment we have been working with, it has come to my attention that it would be a mistake to try and teach you guys that on this machine, because of the massive amounts of resources windows itself needs to run. The recording would turn out horrible.
So, because I want the best for our learning sessions, I am dedicating a physical machine to handle all of the VMs except for Kali. It will be running ProxMox as its host OS, which is made to run a VM environment. I am installing it tonight and configuring it with the VMs of what I have: WIN7 Ultimate, Win XP Pro, Win XP Home, Windows 2000, and Windows 2000 server. I was unable to locate my old copy of windows server 2003, and I am still awaiting a donation of a legitimate copy of windows server 2008 for demo purposes. I really want you guys to get a feel for what you are up against out there in the wild, so I am taking my time to do it right, and make available to you as much as I can conjure up in my contacts.
I will be happy if I can get a video out on it tomorrow at least showing windows 7, and XP in the scans with metasploit and armitage,
On another side note, if all goes well with ProxMox (never used it), perhaps I will set up a subscriber based private network environment for you guys to hack away at. That would be the best way to simulate real-world road blocks that you may run into. I have 4 extra static IPs sitting here doing nothing, so why not put them to good use :-)
I apologize for the delay.
Friday, May 24, 2013
DNS Attacks - Hello Old Friend!
Some years ago there was an attack on BIND9 that exploited the default values in the BIND9 config, which allowed recursion: attackers fired blind recursive queries at the server until it overloaded and died, or lagged really badly.
This attack was mitigated by custom ACL rule sets in the BIND9 configuration. However, a new breed of attack emerged that effectively does the same thing. I will explain how it works.
An attacker sends a spoofed DNS query (the kind dig produces) to a DNS server, with the source address set to another DNS server, for a bogus domain that doesn't exist, or a blind "." request. Even with recursion off, this is still an attack when sent en masse. Why? Because even though the DNS server (if set up correctly) will respond with a fail or blocked reply, it still sends that reply to the spoofed source IP. It's kind of like an old ack/syn flood.
This attack creates load on the targeted server and on the spoofed server, since neither filters these types of requests. There are ways to defeat this, using iptables or APF, and of course a properly configured DNS server.
Here is what the attack looks like:
cat /var/log/messages
May 21 12:15:37 <your hostname> named[2158]: client 82.196.3.203#61935: query (cache) 'isc.org/ANY/IN' denied
This is a live environment of a web hosting company that I maintain and monitor. The reason I picked up on this was that BIND9 kept crashing, SMTP/POP3/IMAP kept crashing, etc. That left the mail server queue stuck with undeliverable mail: with DNS not running, it had no way to route the messages to whoever the recipient was. So in the mail queue in their Plesk panel, each message showed as
from " " to " " subject " " date "December 31st, 1969 7:00pm" - obviously this is no good. However, if you went into the mail queue in a terminal and manually opened the message, it had the correct headers, etc. So I knew this had to be an issue with DNS, after I ruled out an attack on the mail server itself. The mail server is not a relay.
Further investigation into the logs showed the following, hundreds of times, at around the time the mail server was erroring and other services were crashing.
May 21 12:23:19 u16937963 named[2158]: client 37.153.98.159#51340: query (cache) 'isc.org/ANY/IN' denied
May 21 12:23:19 u16937963 named[2158]: client 189.120.90.245#49940: query (cache) 'isc.org/ANY/IN' denied
May 21 12:23:19 u16937963 named[2158]: client 37.153.98.159#51340: query (cache) 'isc.org/ANY/IN' denied
May 21 12:23:19 u16937963 named[2158]: client 37.153.98.159#51340: query (cache) 'isc.org/ANY/IN' denied
This attack was mitigated with custom ACL rule sets in BIND9. However, a new breed of attack has emerged that effectively does the same thing. I will explain how it works.
An attacker sends a spoofed DNS query (the equivalent of a dig command) to a DNS server, with the source address set to another DNS server, for a bogus domain that doesn't exist, or a blind "." request. Even with recursion off, this still works as an attack if sent en masse. Why? Because even though the DNS server (if set up correctly) will respond with a failure or refused reply, it will still send that reply to the spoofed source IP. It's kind of like an old SYN/ACK flood.
This attack creates load on both the targeted server and the spoofed server, since neither filters these types of requests. There are ways to defeat this, using iptables or APF, and of course a properly configured DNS server.
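As an added illustration of the "properly configured DNS server" part (this is not the blog's own configuration), here is a named.conf fragment that refuses cache/recursive lookups from anyone outside our own networks and rate-limits the replies that still go out; the acl name and the address ranges are placeholders.

```conf
// Hypothetical named.conf fragment (added example, not the blog's own config).
// "trusted" is a placeholder for the networks allowed to use this server as a resolver.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };

options {
    // Only our own clients get recursive/cached answers; everyone else's lookups
    // for names we do not host (like the isc.org/ANY queries) are refused.
    // On a purely authoritative server use "recursion no;" instead.
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-query { any; };          // answers for the zones we host stay public

    // Response Rate Limiting (BIND 9.10+, or 9.9.4 built with --enable-rrl):
    // repeated identical responses to one client /24 are throttled, and that
    // includes the REFUSED replies a spoofed flood still reflects onto its victim.
    rate-limit {
        responses-per-second 5;
        errors-per-second 5;       // covers REFUSED/SERVFAIL style replies
        window 5;
        ipv4-prefix-length 24;
        slip 2;                    // leak every 2nd suppressed reply, truncated where
                                   // possible, so legitimate clients retry over TCP
        log-only no;               // set to "yes" first to observe before enforcing
    };
};
```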
Here is what the attack looks like:
cat /var/log/messages
May 21 12:15:37 <your hostname> named[2158]: client 82.196.3.203#61935: query (cache) 'isc.org/ANY/IN' denied
Now, if you were to run Wireshark on this server, you would see that the protocol is UDP on port 53. The attacks have gotten more advanced: the attacker will forge the packet size, etc., to try to bypass filters/firewalls.
Now, what does it look like when it's blocked by APF/iptables?
tail -f /var/log/messages
May 24 11:28:06 u16937963 kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=your:mac:here SRC=46.105.124.172 DST=your.ip.here LEN=64 TOS=0x00 PREC=0x00 TTL=117 ID=37644 PROTO=UDP SPT=28164 DPT=53 LEN=44
Breaking this down: the source (attacker) IP is under SRC= and the destination is DST=, which is your IP. The packet length is LEN=64, the Time To Live is TTL=117, the protocol is PROTO=UDP, SPT= is the source port and DPT= is the destination port, 53 for DNS. The trailing LEN=44 is the UDP datagram length.
We run SYN cookies on this server too, to block spoofing attacks. This is what helps pick it up.
This is a live environment of a web hosting company that I maintain and monitor. The reason I picked up on this was that BIND9 kept crashing, SMTP/POP3/IMAP kept crashing, etc. This caused the mail server queue to get stuck with undeliverable mail: with DNS down, it had no way to route messages to whoever the recipient was. So in the mail queue in their Plesk panel, messages were shown as
from " " to " " subject " " date "December 31st, 1969 7:00pm" - obviously this is no good. However, if you went into the mail queue in a terminal and manually opened a message, it had the correct headers, etc. So I knew this had to be an issue with DNS, after I ruled out an attack on the mail server itself (the mail server is not a relay).
Further investigation into the logs showed the following, in the hundreds, around the time the mail server was erroring and other services were crashing.
May 21 12:23:19 u16937963 named[2158]: client 37.153.98.159#51340: query (cache) 'isc.org/ANY/IN' denied
May 21 12:23:19 u16937963 named[2158]: client 189.120.90.245#49940: query (cache) 'isc.org/ANY/IN' denied
May 21 12:23:19 u16937963 named[2158]: client 37.153.98.159#51340: query (cache) 'isc.org/ANY/IN' denied
May 21 12:23:19 u16937963 named[2158]: client 37.153.98.159#51340: query (cache) 'isc.org/ANY/IN' denied
As you can see above, queries are being sent to the DNS server for isc.org records of type ANY, i.e. a wildcard for every record type. Obviously isc.org is not hosted by us; it belongs to ISC, the developer of the BIND9 DNS server, which we use. You can see the request was denied, but handling it still creates lag. To explain further, let's do some research on the IPs that made the requests.
Using nslookup to resolve a hostname for the first IP gave no results. Using GeoIpTool.com, I could see it was coming from Switzerland. Umm, that shouldn't be...
So, trying the other IP, 189.120.90.245:
# nslookup 189.120.90.245
Non-authoritative answer:
245.90.120.189.in-addr.arpa name = bd785af5.virtua.com.br.
OK, so opening a browser and going to that domain, virtua.com.br, at the time brought us to what looked like a web hosting company.
Knowing they probably weren't attacking us, I figured their addresses were being spoofed. So I flipped APF back on and enabled SYN cookies and logging. Bingo: attacks blocked and logged.
Now, the logs will fill up quickly if this is a massive attack. So, if one IP is doing the bulk of the attack, just add it to the firewall to block all of its traffic.
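When the logs fill up like that, counting per source is the first step; as an added example (not from the post) the script below parses the two line formats shown above, the BIND "query (cache) ... denied" message and the APF/iptables IN_UDP DROP line, and tallies them per source IP. The sample lines are constructed from the post's logs with a placeholder hostname and MAC, and since the source addresses in a reflection attack are spoofed, the flagged list tells you which sources to rate-limit or drop, not who the attacker is.

```python
import re

# Constructed sample in the two formats the post shows (hostname/MAC replaced); last line is noise.
SAMPLE_LOG = """\
May 21 12:23:19 ns1 named[2158]: client 37.153.98.159#51340: query (cache) 'isc.org/ANY/IN' denied
May 21 12:23:19 ns1 named[2158]: client 189.120.90.245#49940: query (cache) 'isc.org/ANY/IN' denied
May 21 12:23:19 ns1 named[2158]: client 37.153.98.159#51340: query (cache) 'isc.org/ANY/IN' denied
May 21 12:23:20 ns1 named[2158]: client 10.0.0.5#40000: query (cache) 'example.com/A/IN' denied
May 24 11:28:06 ns1 kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=46.105.124.172 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=117 ID=37644 PROTO=UDP SPT=28164 DPT=53 LEN=44
May 24 11:28:06 ns1 kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=46.105.124.172 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=117 ID=37645 PROTO=UDP SPT=28164 DPT=53 LEN=44
May 24 11:28:07 ns1 sshd[900]: Accepted publickey for admin from 10.0.0.9 port 50022
"""

# BIND "query (cache) '<name>/<type>/IN' denied" (cache lookup refused by ACL) and
# the iptables LOG line written by APF's IN_UDP DROP rule for UDP port 53.
NAMED_DENIED = re.compile(
    r"named\[\d+\]: client (?P<ip>[\d.]+)#\d+: "
    r"query \(cache\) '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN' denied")
KERNEL_DROP = re.compile(
    r"kernel: \*\* IN_UDP DROP \*\* .*\bSRC=(?P<ip>[\d.]+) .*\bPROTO=UDP .*\bDPT=53\b")

def parse_line(line):
    """One syslog line -> ('denied', ip, qtype), ('dropped', ip, None) or None."""
    m = NAMED_DENIED.search(line)
    if m:
        return ("denied", m.group("ip"), m.group("rtype"))
    m = KERNEL_DROP.search(line)
    if m:
        return ("dropped", m.group("ip"), None)
    return None

def summarize(log_text, threshold=2):
    """Per source IP, count refused ANY queries, other refusals and firewall drops;
    return (counts, sorted IPs whose ANY refusals plus drops reach threshold)."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, ip, qtype = rec
        c = counts.setdefault(ip, {"denied_any": 0, "denied_other": 0, "dropped": 0})
        if kind == "dropped":
            c["dropped"] += 1
        elif qtype == "ANY":
            c["denied_any"] += 1
        else:
            c["denied_other"] += 1
    flagged = sorted(ip for ip, c in counts.items()
                     if c["denied_any"] + c["dropped"] >= threshold)
    return counts, flagged
```

Feed it the real file with `summarize(open("/var/log/messages").read())` and raise the threshold to match the volume you see.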
That's all for now. This was a brand new server setup that I had just started to admin. After I secured the box initially, I noticed all sorts of attacks coming its way. I believe we have mitigated at least 90% of that now.
You can get APF from RFX Networks.
I also suggest you install BFD (Brute Force Detection), which works with APF to block any kind of brute force attempt. It's also available from their website.