Secure IoT with a VLAN on pfSense, including a managed switch and a Unifi Access Point

Been away for a while, so I thought I’d start updating this blog with something that has helped me and a few others. There are plenty of articles and videos explaining how this is set up; the issue I’ve come across is setting up the VLAN tagging and trunking. So this is my attempt to explain and outline my steps.

First, setting up the VLAN ID on pfSense is fairly straightforward. Go to Interfaces > Assignments > VLANs > Add. In this situation I am using the parent interface LAN; choose a VLAN ID other than 1 (the default VLAN on most switches), give it a description, and Save.

My RE Setup

Here is a quick rundown of what I have set up for malware analysis VMs. I use two primary VMs running in VirtualBox. Before FireEye Flare I was just running a normal Windows 7 image with my necessary tools; since Flare was released, it is now my primary Windows VM. I also run REMnux alongside Flare. While you can do a good portion of your work from a single VM, I opt to use REMnux for any Python tools used for RE. Just me, but I find this easier.

Reminder: once you have everything the way you like it, export the appliance to keep a backup, and also create a snapshot so you can revert after any analysis on that VM.
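The export-backup, snapshot and revert routine above, written out as VBoxManage commands. This is an added example, not something from the original post; the VM names (flare, remnux), the backup directory, the snapshot name and the "malnet" internal network name are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the post: the export-backup / snapshot / revert routine as
# VBoxManage commands. The VM names (flare, remnux), the backup directory, the snapshot
# name and the "malnet" internal network name are assumptions.
set -eu

VBOX=${VBOX:-VBoxManage}
BACKUP_DIR=${BACKUP_DIR:-$HOME/vm-backups}

snapshot_name() { printf 'clean-%s' "$1"; }                 # baseline snapshot per VM
export_path()   { printf '%s/%s.ova' "$BACKUP_DIR" "$1"; }  # appliance backup per VM

# Keep the VM off NAT and bridged networking: an internal network has no path to the
# host LAN, while both analysis VMs on "malnet" can still talk to each other.
# (modifyvm only works while the VM is powered off.)
isolate() {
  "$VBOX" modifyvm "$1" --nic1 intnet --intnet1 malnet
}

# One-time, once the tools are installed: export the appliance, then snapshot it.
baseline() {
  mkdir -p "$BACKUP_DIR"
  "$VBOX" export "$1" --output "$(export_path "$1")"
  "$VBOX" snapshot "$1" take "$(snapshot_name "$1")" --description "clean tools install"
}

# After every analysis run: power off and roll back to the baseline snapshot.
revert() {
  "$VBOX" controlvm "$1" poweroff >/dev/null 2>&1 || true   # no-op if already off
  "$VBOX" snapshot "$1" restore "$(snapshot_name "$1")"
  # check: the VM must report poweroff before the next sample is started
  "$VBOX" showvminfo "$1" --machinereadable | grep -qx 'VMState="poweroff"'
}

# usage: ./vm.sh baseline flare ; ./vm.sh isolate remnux ; ./vm.sh revert flare
case "${1:-}" in
  baseline|isolate|revert) "$1" "${2:?VM name required}" ;;
esac
```

Run `baseline` once per VM after the tool install, `isolate` before the first detonation, and `revert` after every sample; the final `showvminfo` check fails loudly if the restore left the VM in an unexpected state.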

Cheers

FireEye Flare REM

A few weeks back the FireEye team released their version of a REM (reverse-engineering malware) box called “Flare”, a customizable VM for analyzing malware. It has a full suite of tools installed, including:

Debuggers
* OllyDbg + OllyDump + OllyDumpEx
* OllyDbg2 + OllyDumpEx
* x64dbg
* WinDbg

Disassemblers
* IDA Free
* Binary Ninja Demo

Java
* JD-GUI

Visual Basic
* VB Decompiler

Flash
* FFDec

.NET
* ILSpy
* dnSpy
* dotPeek
* de4dot

Office
* OffVis

Hex Editors
* FileInsight
* HxD
* 010 Editor

PE
* PEiD
* Explorer Suite (CFF Explorer)
* PEview
* DIE (Detect It Easy)

Text Editors
* Sublime Text 3
* Notepad++
* Vim

Utilities
* MD5
* 7-Zip
* PuTTY
* Wireshark
* RawCap
* Wget
* UPX
* Sysinternals Suite
* API Monitor
* SpyStudio
* Checksum
* UnxUtils

Python, Modules, Tools
* Python 2.7
* hexdump
* pefile
* WinAppDbg
* FakeNet-NG
* Vivisect
* FLOSS
* flare-qdb
* PyCrypto
* cryptography

Other
* VC Redistributable Modules (2008, 2010, 2012, 2013)

Now, it does say you can install this on a Windows 7 box, but I found some issues and opted for a clean install of Windows 10 instead. Once upgraded, the FE Flare installer seemed to work better. Visit their GitHub page for installation and additional information: https://github.com/fireeye/flare-vm

Installation is very easy, simply run:

http://boxstarter.org/package/url?https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1

in Microsoft Edge or IE, inside the analysis VM (not on your host). This will spawn the Boxstarter process to start the installation. Keep in mind that this install can take a while to complete. Once it finishes you should have a pretty solid foundation for analyzing malware, and you can then install any other apps you need for your tool belt.

Thanks to Peter for his work.

Practical Malware Analysis

Anyone looking into RE: I’d highly suggest `Practical Malware Analysis` by Michael Sikorski and Andrew Honig. You can find this book on Amazon. I was also able to obtain a copy from Humble Bundle when they had a security offering; I’d highly suggest checking them out too, a great company doing greater things.

This book has good info on setting up your environment safely and working through the labs provided, which you can find here: https://practicalmalwareanalysis.com/labs/

**KEEP IN MIND THE FOLLOWING**

WARNING

The lab binaries contain malicious code and you should not install or run these programs without first setting up a safe environment.

Please understand that these binaries will have adverse effects on your environment should you run them outside an isolated lab. A detailed breakdown of the labs can be found in the back of the book. Most of the tools mentioned are freeware, but there are some advantages to the paid versions of these same tools.

Hope this adds to the list of tools to your arsenal.

Machinae Security Intelligence Collector

Came across this tool while investigating IOCs and needed a fast way to gather intel on IPs, domains, hashes, etc. You can find this open-source tool here:

https://github.com/HurricaneLabs/machinae

Keep in mind you can simply pip install it:

pip3 install machinae

but you will still need to download the config file “machinae.yml”, which you can find here:

https://github.com/HurricaneLabs/machinae/blob/master/machinae.yml

HTTP Basic Authentication and Configuration

Machinae supports HTTP Basic Auth for sites that require it through the --auth/-a flag. You will need to create a YAML file with your credentials: a key naming the site that requires them, and a list of two items, username and password (or API key). For example, for the included PassiveTotal site this might look like:

passivetotal: ['myemail@example.com', 'my_api_key']

Inside the site configuration, under request, you will see a key such as:

json:
  request:
    url: '...'
    auth: passivetotal

The auth: passivetotal entry points to the key of that name inside the authentication file passed with --auth/-a.
Once installed, simply run it. Usage:

machinae [-h] [-c CONFIG] [-d DELAY] [-f FILE] [--nomerge] [-o {D,J,N}]
                [-O {ipv4,ipv6,fqdn,email,sslfp,hash,url}] [-q] [-s SITES]
                targets [targets ...]

The best thing about Machinae is the out-of-the-box support for the following data sources:

IPVoid
URLVoid
URL Unshortener (http://www.toolsvoid.com/unshorten-url)
Malc0de
SANS
FreeGeoIP (freegeoip.io)
Fortinet Category
VirusTotal pDNS (via web scrape – commented out)
VirusTotal pDNS (via JSON API)
VirusTotal URL Report (via JSON API)
VirusTotal File Report (via JSON API)
Reputation Authority
ThreatExpert
VxVault
ProjectHoneypot
McAfee Threat Intelligence
StopForumSpam
Cymru MHR
ICSI Certificate Notary
TotalHash (disabled by default)
DomainTools Parsed Whois (Requires API key)
DomainTools Reverse Whois (Requires API key)
DomainTools Reputation
IP WHOIS (Using RIR REST interfaces)

If you want to save the output to a file, just redirect it (use -o J if another tool will consume the result as JSON):

machinae IP_ADDR >> IP_ADDR.txt
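A small wrapper around the machinae CLI described above, added here as an example (it is not part of Machinae or of the original post). It writes the --auth/-a credentials file, refangs defanged IOCs, picks an explicit -O type for each indicator, and stores JSON output per indicator. The PassiveTotal credentials (PT_EMAIL, PT_KEY), the credentials path and the output directory are assumptions, not Machinae conventions.

```shell
#!/usr/bin/env bash
# Added example, not part of Machinae or the post: wrapper around the machinae CLI.
# PT_EMAIL, PT_KEY, CREDS and OUTDIR are assumptions made for this script.
set -eu

CREDS=${CREDS:-$HOME/.machinae-auth.yml}
OUTDIR=${OUTDIR:-./machinae-out}

# Create the YAML file that -a points at. It holds an API key, so it is written mode 600.
write_creds() {
  umask 077
  printf "passivetotal: ['%s', '%s']\n" "${PT_EMAIL:?set PT_EMAIL}" "${PT_KEY:?set PT_KEY}" > "$CREDS"
}

# Turn the defanged forms analysts paste around (hxxp://, [.]) back into real indicators.
refang() {
  printf '%s' "$1" | sed -e 's/^hxxp/http/' -e 's/\[\.\]/./g'
}

# Map an indicator to one of machinae's -O types so that, for example, a bare hex hash is
# never looked up as a hostname. sslfp is not auto-detected; pass -O sslfp by hand.
ioc_type() {
  case "$1" in
    http://*|https://*) echo url; return ;;
    *@*) echo email; return ;;
  esac
  if printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then echo ipv4
  elif printf '%s' "$1" | grep -Eq '^[0-9a-fA-F:]*:[0-9a-fA-F:]*$'; then echo ipv6
  elif printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$'; then echo hash
  else echo fqdn
  fi
}

# Query one indicator: explicit type, JSON output, 2 s between sites, quiet, saved to a
# file named after the indicator with shell-unfriendly characters replaced.
lookup() {
  ioc=$(refang "$1")
  mkdir -p "$OUTDIR"
  out="$OUTDIR/$(printf '%s' "$ioc" | tr -c 'A-Za-z0-9.' '_').json"
  machinae -a "$CREDS" -O "$(ioc_type "$ioc")" -o J -d 2 -q "$ioc" > "$out"
  printf '%s\n' "$out"
}

# usage: PT_EMAIL=... PT_KEY=... ./lookup.sh 8.8.8.8 'hxxp://evil[.]example[.]com/x'
if [ $# -gt 0 ]; then
  [ -f "$CREDS" ] || write_creds
  for ioc in "$@"; do lookup "$ioc"; done
fi
```

Forcing the type with -O avoids Machinae's auto-detection guessing wrong on ambiguous input, and the per-indicator JSON files are what you would feed into a case-management or enrichment pipeline afterwards.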

Really cool tool to have.

Cuckoo Sandbox Installation and Setup

My Cuckoo Sandbox Setup and installation guide.

This is my attempt to help you install and configure Cuckoo Sandbox. Cuckoo is a sandbox that lets you analyze malware on guest systems from Windows to Linux and even OS X. It is a great tool for seeing what a file or URL will do when detonated. It is open source, but it was a bit confusing to set up, so I thought this might help.

I am running Cuckoo Sandbox on Ubuntu Desktop 14.04 LTS, using VirtualBox for the guests.

Installing Ubuntu follows any normal installation. Installing Cuckoo Sandbox is a different story.

First, read the Python requirements in the Cuckoo documentation.

Then make sure Ubuntu is up to date:

$ sudo apt-get update

Then:

$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
$ sudo apt-get install python-virtualenv python-setuptools
$ sudo apt-get install libjpeg-dev zlib1g-dev swig

Also, in order to use Cuckoo’s web interface you will need to install MongoDB.

$ sudo apt-get install mongodb

Cuckoo’s recommended database is PostgreSQL, which can be installed with:

$ sudo apt-get install postgresql libpq-dev

Cuckoo Sandbox Installation

Once this has been completed, download Cuckoo Sandbox (https://cuckoosandbox.org/index.html) and extract it:

$ tar -xvf filename.tar.gz

Next, cd into the Cuckoo directory and run the installation:

$ sudo python setup.py install

The following are additional packages recommended for this installation.

tcpdump

$ sudo apt-get install tcpdump
$ sudo apt-get install libcap2-bin
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump

The getcap line should print /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip; those two capabilities are what let Cuckoo capture traffic as its own unprivileged user instead of running as root. On Ubuntu, AppArmor can still stop tcpdump from writing into Cuckoo’s storage directory; if analyses come back without a pcap, check aa-status and disable the tcpdump profile (aa-disable, from apparmor-utils).

Volatility

$ sudo apt install git
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility
$ sudo python setup.py install

Volatility Plugins

Distorm3

$ tar -xvf filename.tar.gz
$ cd <extracted directory>
$ sudo python setup.py install

Yara

$ sudo apt-get install autoconf
$ sudo apt-get install libtool-bin
# download the Yara source tarball, then:
$ tar -xvf filename.tar.gz
$ cd <extracted directory>
$ ./bootstrap.sh
$ ./configure
$ make
$ sudo make install
$ sudo -H pip install yara-python

PyCrypto

# download the PyCrypto source tarball, then:
$ tar -xvf filename.tar.gz
$ cd <extracted directory>
$ python setup.py build
$ sudo python setup.py install

Note that PyCrypto itself is no longer maintained; pycryptodome is its drop-in replacement if the Cuckoo version you are installing accepts it.

Openpyxl

$ sudo -H pip install openpyxl

UJSON

$ sudo -H pip install ujson

Jupyter

$ sudo -H pip install jupyter
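The host-side steps above (apt packages, Cuckoo, tcpdump capabilities, Volatility, distorm3, Yara, PyCrypto and the pip extras) collected into one script with a verification step at the end. This is an added example, not from the original post or the Cuckoo project; the tarball locations are assumptions, and DRY_RUN=1 prints each privileged step instead of executing it so you can review the plan before touching the box.

```shell
#!/usr/bin/env bash
# Added example, not from the post or the Cuckoo project: the host-side install steps
# for Ubuntu 14.04 in order, with a check at the end. Tarball paths are assumptions:
# point the *_TARBALL variables at the files you downloaded.
set -eu

DRY_RUN=${DRY_RUN:-0}
CUCKOO_TARBALL=${CUCKOO_TARBALL:-$HOME/Downloads/cuckoo.tar.gz}
DISTORM_TARBALL=${DISTORM_TARBALL:-$HOME/Downloads/distorm3.tar.gz}
YARA_TARBALL=${YARA_TARBALL:-$HOME/Downloads/yara.tar.gz}
PYCRYPTO_TARBALL=${PYCRYPTO_TARBALL:-$HOME/Downloads/pycrypto.tar.gz}

# Every step that changes the system goes through run(), so DRY_RUN=1 shows the plan.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# All apt packages from the walkthrough in one transaction: Python build deps, MongoDB
# for the web UI, PostgreSQL for results, tcpdump plus libcap2-bin, and the Yara toolchain.
apt_deps() {
  run sudo apt-get update
  run sudo apt-get install -y python python-pip python-dev libffi-dev libssl-dev \
    python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig \
    mongodb postgresql libpq-dev tcpdump libcap2-bin git autoconf libtool-bin
}

# Unpack a source tarball into a scratch directory and "python setup.py install" it.
# Used for Cuckoo, distorm3 and PyCrypto, which all ship a setup.py.
setup_py_install() {
  dir=$(mktemp -d)
  run tar -xzf "$1" -C "$dir"
  run sudo sh -c "cd $dir/* && python setup.py install"
}

# tcpdump must capture as the unprivileged cuckoo user, so give the binary the two
# capabilities it needs instead of running Cuckoo as root.
tcpdump_caps() {
  run sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
  if [ "$DRY_RUN" = 1 ]; then return 0; fi
  # check: getcap must report both capabilities, otherwise pcap capture fails silently
  getcap /usr/sbin/tcpdump | grep -q 'cap_net_admin,cap_net_raw+eip'
}

volatility() {
  dir=$(mktemp -d)
  run git clone https://github.com/volatilityfoundation/volatility.git "$dir/volatility"
  run sudo sh -c "cd $dir/volatility && python setup.py install"
}

# Yara is built from source (bootstrap/configure/make); ldconfig refreshes the linker
# cache so the yara-python binding installed next can find libyara.
yara_build() {
  dir=$(mktemp -d)
  run tar -xzf "$YARA_TARBALL" -C "$dir"
  run sh -c "cd $dir/* && ./bootstrap.sh && ./configure && make && sudo make install"
  run sudo ldconfig
  run sudo -H pip install yara-python
}

python_extras() { run sudo -H pip install openpyxl ujson jupyter; }

# Import every module the steps installed; a failure here names the step to redo.
verify() {
  if [ "$DRY_RUN" = 1 ]; then return 0; fi
  python -c 'import yara, distorm3, Crypto, openpyxl, ujson'
  getcap /usr/sbin/tcpdump
}

install_all() {
  apt_deps
  setup_py_install "$CUCKOO_TARBALL"
  tcpdump_caps
  volatility
  setup_py_install "$DISTORM_TARBALL"
  yara_build
  setup_py_install "$PYCRYPTO_TARBALL"
  python_extras
  verify
}

# usage: DRY_RUN=1 ./cuckoo-host-setup.sh install   (review), then ./cuckoo-host-setup.sh install
if [ "${1:-}" = install ]; then install_all; fi
```

Running it once with DRY_RUN=1 gives you the exact command list to review; the real run ends with the import check and the getcap output, so a missing capability or a module that did not build shows up before you spend time on the guest VM.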

Mitmproxy
