Blog Elements

Half Sized Blog Element (Single Author Style)

Half Sized Blog Element (Multi Author Style)

Installing ClamAV on CentOS 7

2018-07-12/0 Comments/in How-to/by Kellep Charles

Referenced from Linux-Audit: To get ClamAV on CentOS installed, we have to use the EPEL repository (Extra Packages for Enterprise Linux). Fortunately, the Fedora project provides this with an easy installation. Unfortunately the default configuration is not properly working. In this post we collect some of the issues and required changes. Let’s start with installing […]

Burp to Brute Force a Login Page

2018-07-12/0 Comments/in How-to/by Kellep Charles

Using Burp to Brute Force a Login Page Authentication lies at the heart of an application’s protection against unauthorized access. If an attacker is able to break an application’s authentication function then they may be able to own the entire application. The following tutorial demonstrates a technique to bypass authentication using a simulated login page […]

Installing ClamAV on CentOS 7

2018-07-12/0 Comments/in How-to/by Kellep Charles

Burp to Brute Force a Login Page

2018-07-12/0 Comments/in How-to/by Kellep Charles

Full Sized Blog Element (Big Preview Pic)

Installing ClamAV on CentOS 7

2018-07-12/0 Comments/in How-to/by Kellep Charles

Referenced from Linux-Audit:

To get ClamAV on CentOS installed, we have to use the EPEL repository (Extra Packages for Enterprise Linux). Fortunately, the Fedora project provides this with an easy installation. Unfortunately the default configuration is not properly working. In this post we collect some of the issues and required changes.

Let’s start with installing the EPEL support.

yum install epel-release

Next step is installing all ClamAV components.

yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

Installing ClamAV with help of EPEL repository

Configure SELinux for ClamAV

If you are using ClamAV on CentOS, together with SELinux, we should configure it a little bit. This way ClamAV can access all files on disk, and update its data definition files.

Enable antivirus_can_scan_system:

setsebool -P antivirus_can_scan_system 1

Configuration of Clam daemon

Copy a the clamd.conf template, in case you don’t have a configuration file yet.

cp /usr/share/clamav/template/clamd.conf /etc/clamd.d/clamd.conf
sed -i ‘/^Example/d’ /etc/clamd.d/clamd.conf

Change /etc/clamd.d/clamd.conf file and define if you want to run the scanner as root, or a specific user. Check your /etc/passwd file for the related Clam user.

Change the following two options:

User clamscan
LocalSocket /var/run/clamd.<SERVICE>/clamd.sock

Enable Freshclam

Freshclam helps with keeping the database of ClamAV up-to-date. First delete the related “Example” line from /etc/freshclam.conf.

cp /etc/freshclam.conf /etc/freshclam.conf.bak
sed -i ‘/^Example/d’ /etc/freshclam.conf

Check the other options in the file, and change it to your preferred settings.

Missing systemd service file

We didn’t get a systemd service file, so creating a quick file here. The process should be forking itself and start freshclam in daemon mode. In this case we configure it to check 4 times a day for new files.

Create a new file /usr/lib/systemd/system/clam-freshclam.service

# Run the freshclam as daemon

[Unit]

Description = freshclam scanner

After = network.target

[Service]

Type = forking

ExecStart = /usr/bin/freshclam -d -c 4

Restart = on-failure

PrivateTmp = true

[Install]

WantedBy=multi-user.target

Now enable and start the service.

systemctl enable clam-freshclam.service

systemctl start clam-freshclam.service

Check the status.

[root@centos7 system]# systemctl status clam-freshclam.service

clam-freshclam.service – freshclam scanner

Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; enabled)

Active: active (running) since Thu 2015-06-11 11:09:24 CEST; 1s ago

Process: 3158 ExecStart=/usr/bin/freshclam -d -c 4 (code=exited, status=0/SUCCESS)

Main PID: 3159 (freshclam)

CGroup: /system.slice/clam-freshclam.service

└─3159 /usr/bin/freshclam -d -c 4

Change service files

By default, the service files seem to be messy and not working.

These are the files bundled:

[root@centos7 system]# ls -l /usr/lib/systemd/system/clam*

-rw-r–r–. 1 root root 136 Apr 29 20:38 /usr/lib/systemd/system/clamd@scan.service

-rw-r–r–. 1 root root 231 Apr 29 20:38 /usr/lib/systemd/system/clamd@.service

When enabling the clamd service, we would see something like this:

[root@centos7 system]# systemctl enable /usr/lib/systemd/system/clamd@.service

Failed to issue method call: Unit /usr/lib/systemd/system/clamd@.service does not exist.

So let’s fix it. First rename the /usr/lib/systemd/system/clamd@.service file.

Rename the clamd@ file.

mv /usr/lib/systemd/system/clamd@.service /usr/lib/systemd/system/clamd.service

Now we have to change the clamd@scan service as well, as it refers to a non-existing file now. Change this line in /usr/lib/systemd/system/clamd@scan.service and remove the @ sign.

.include /lib/systemd/system/clamd@.service

Next step is changing the clamd service file /usr/lib/systemd/system/clamd.service

[Unit]

Description = clamd scanner daemon

After = syslog.target nss-lookup.target network.target

[Service]

Type = simple

ExecStart = /usr/sbin/clamd -c /etc/clamd.d/clamd.conf –foreground=yes

Restart = on-failure

PrivateTmp = true

[Install]

WantedBy=multi-user.target

Move into the directory.

cd /usr/lib/systemd/system

Start all services.

[root@centos7 system]# systemctl enable clamd.service
[root@centos7 system]# systemctl enable clamd@scan.service
[root@centos7 system]# systemctl start clamd.service
[root@centos7 system]# systemctl start clamd@scan.service

Checking the status

With all these changes, ClamAV on CentOS 7 should be running now. The easiest way to check, is using the ps command and see if freshclam and clamd are running.

Useful resources for debugging are the systemctl status command, followed by the service. Then there is logging in /var/log/messages, which usually will reveal when and why something is (not) running.

Burp to Brute Force a Login Page

2018-07-12/0 Comments/in How-to/by Kellep Charles

Using Burp to Brute Force a Login Page

Authentication lies at the heart of an application’s protection against unauthorized access. If an attacker is able to break an application’s authentication function then they may be able to own the entire application.
The following tutorial demonstrates a technique to bypass authentication using a simulated login page from the “Mutillidae” training tool. The version of “Mutillidae” we are using is taken from OWASP’s Broken Web Application Project. Find out how to download, install and use this project.

First, ensure that Burp is correctly configured with your browser.
In the Burp Proxy tab, ensure “Intercept is off” and visit the login page of the application you are testing in your browser.

Return to Burp.
In the Proxy “Intercept” tab, ensure “Intercept is on”.

In your browser enter some arbitrary details in to the login page and submit the request.

The captured request can be viewed in the Proxy “Intercept” tab.
Right click on the request to bring up the context menu. Then click “Send to Intruder”. Note: You can also send requests to the Intruder via the context menu in any location where HTTP requests are shown, such as the site map or Proxy history.

Go to the Intruder “Positions” tab.
Clear the pre-set payload positions by using the “Clear” button on the right of the request editor. Add the “username” and “password” parameter values as positions by highlighting them and using the “Add” button. Change the attack to “Cluster bomb” using the “Attack type” drop down menu.

Go to the “Payloads” tab.
In the “Payload sets” settings, ensure “Payload set” is “1” and “Payload type” is set to “Simple list”. In the “Payload options” settings enter some possible usernames. You can do this manually or use a custom or pre-set payload list.

Next, in the “Payload Sets” options, change “Payload” set to “2”.
In the “Payload options” settings enter some possible passwords. You can do this manually or using a custom or pre-set list. Click the “Start attack” button.

In the “Intruder attack” window you can sort the results using the column headers.
In this example sort by “Length” and by “Status”.

The table now provides us with some interesting results for further investigation.
By viewing the response in the attack window we can see that request 118 is logged in as “admin”.

To confirm that the brute force attack has been successful, use the gathered information (username and password) on the web application’s login page.

Account Lock Out

In some instances, brute forcing a login page may result in an application locking out the user account. This could be the due to a lock out policy based on a certain number of bad login attempts etc. Although designed to protect the account, such policies can often give rise to further vulnerabilities. A malicious user may be able to lock out multiple accounts, denying access to a system. In addition, a locked out account may cause variances in the behavior of the application, this behavior should be explored and potentially exploited.

Verbose Failure Messages

Where a login requires a username and password, as above, an application might respond to a failed login attempt by indicating whether the reason for the failure was an unrecognized username or incorrect password. In this instance, you can use an automated attack to iterate through a large list of common usernames to enumerate which ones are valid. A list of enumerated usernames can be used as the basis for various subsequent attacks, including password guessing, attacks on user data or sessions, or social engineering.

Scanning a login page

In addition to manual testing techniques, Burp Scanner can be used to find a variety of authentication and session management vulnerabilities. In this example, the Scanner was able to enumerate a variety of issues that could help an attacker break the authentication and session management of the web application.

Refernced from – https://support.portswigger.net/customer/portal/articles/1964020-using-burp-to-brute-force-a-login-page