Lan Turtle Review

I was lucky enough to get my hands on a LAN Turtle, the tiny Linux based computer disguised as a USB ethernet adapter.
Specs
  • Atheros AR9331 SoC at 400 MHz MIPS
  • 16 MB Onboard Flash
  • 64 MB DDR2 RAM
  • 10/100 Ethernet Port
  • USB Ethernet Port – Realtek RTL8152
  • Indicator LED (Green Power, Amber Status)
  • Button (inside case for Factory Reset / Firmware Recovery)
  • Dimensions: 95 x 23 x 31 mm
What is it?
The whole idea of the LAN Turtle is to be an innocuous pentest dropbox. That being said, this isn’t a device you would run your entire suite of tools on; the idea is simply to use the Turtle to pivot into an internal network.
The main way to connect to the device to manage and configure it is via SSH. The main interface is an ncurses-style text-based menu system, which makes the device extremely simple to use: within a few clicks you can have reverse SSH set up on this thing and go and throw it into a target network. If you wish to do more customisation or make more advanced configuration changes, you can simply exit this menu system and have full root SSH access.
In order to install packages you need to connect an ethernet cable to the device. The entire package system is based on an HTTP connection to lanturtle.com. This mimics a full package manager and, again, makes the device extremely simple to deploy and use.
Packages
The number of packages, or ‘modules’, for the LAN Turtle seems to be ever expanding. The ‘Quick Creds’ module gained some notoriety as Mubix was able to set this thing up to steal SMB creds when plugged into a target machine. A number of other familiar modules are available, as well as SSHFS, which was probably my favourite module. SSHFS is a Linux tool which allows you to mount a remote directory over SSH. In the case of the LAN Turtle this meant I could have logs from the device sent via SSH in real time to a VPS.
Is it worth the cash?
I’d say the LAN Turtle is priced very competitively, especially considering this thing definitely stands up against the likes of Pwnie Express (VERY EXPENSIVE). It’s a very small price to pay for a device which is super cool. That being said, the specs on the device are not fantastic. It is clearly purpose-built as a way into an internal network, and those specs are completely fine for that. However, in some cases (especially on a real pentest) it’s not viable to have your attacks going via a VPN into the internal network, and it would be far easier to have the tools running directly on the device. A Raspberry Pi 3, which has significantly more horsepower, would probably be a better choice for this. That said, by going down the homebrew route you do miss out on a lot of ready-made offensive security scripts.

If you wanna get your own LAN Turtle, head over to https://lanturtle.com/ (NOT A SPONSOR)

The 10 Worst Spammers in the World

The Spamhaus Project is an international organisation, based in both London and Geneva, founded in 1998 by Steve Linford to track email spammers and spam-related activity. The name spamhaus, a pseudo-German expression, was coined by Linford to refer to an Internet service provider, or other firm, which spams or knowingly provides service to spammers. Amongst other things, Spamhaus publishes the 10 Worst Spammers in the World and updates the list frequently.
The Spamhaus Project is responsible for compiling several widely used anti-spam lists. Many internet service providers and email servers use the lists to reduce the amount of spam that reaches their users. In 2006, the Spamhaus services protected 650 million email users, including the European Parliament, US Army, the White House and Microsoft, from billions of spam emails a day.
Spamhaus is also notorious for blacklisting IPs and domains without much consultation or notice. A good example is when they blacklisted Google Docs IPs. They also blacklisted CyberBunker, which is quite renowned for providing bulletproof hosting, inadvertently blacklisting many legitimate clients; this triggered one of the largest DDoS attacks in recent memory. [Source: Wiki]
Up to 80% of spam targeted at internet users around the world is generated by a hard-core group of around 100 known persistent spam gangs whose names, aliases and operations are documented in Spamhaus’ Register Of Known Spam Operations (ROKSO) database.
This top 10 chart of ROKSO-listed spammers reflects Spamhaus’s view of the highest-threat, least repentant, most persistent and generally worst career spammers currently causing the most damage on the internet.
As of 23 November 2016 the world’s worst spammers and spam gangs are:
  1. Canadian Pharmacy – Ukraine: A long time running pharmacy spam operation. They send tens of millions of spams per day using botnet techniques. Probably based in Eastern Europe, Ukraine/Russia. Host spammed web sites on botnets and on bulletproof Chinese web hosting.
  2. Dante Jimenez / Aiming Invest – United States: Spamwarez, lists, “bulletproof” hosting in the finest South Florida tradition. Working with worst cybercriminal botnet spammers. Now mostly involved in massive botnet spamming with hosting on hacked servers and Eastern European hosters.
  3. Yair Shalev / Kobeni Solutions – United States: High volume snowshoe spammer from Florida, (former?) partner-in-spam of ROKSO spammer Darrin Wohl. Son-in-law of ROKSO-listed spammer Dan Abramovich. Sued for fraud by the US FTC in 2014.
  4. Michael Boehm and Associates – United States: Snowshoe spam organization that uses large numbers of inexpensive, automated VPS hosting IPs and domains in whatever TLD is currently cheapest to send high volumes of spam to extremely dirty, scraped lists. Operates under many business and individual names.
  5. Michael Lindsay – United States: Lindsay’s iMedia Networks is a full-fledged spam-hosting operation serving bulletproof hosting at high premiums to well known ROKSO-listed spammers. His customers spam via botnet zombies with spam payloads hosted offshore, tunneled back to his servers. He and the gang have been hijacking (stealing) IP address space from companies for years to spam from. Illegal in the USA.
  6. Yambo Financials – Ukraine: Tied into distribution and billing for child, animal, and incest-porn, pirated software, and pharmaceuticals. Run their own merchant services (credit-card “collection” sites) set up as a fake “bank.”
  7. Peter Severa / Peter Levashov – Russian Federation: A spammer who writes and sells virus-spamming spamware and botnet access. Is probably involved in the writing and releasing of viruses & trojans. One of the longest operating criminal spam-lords on the internet. Works with many other Eastern Euro and US based botnet spammers. Was a partner of American spammer Alan Ralsky.
  8. Michael Persaud – United States: Long time snowshoe type spammer, recently raided by FBI.
  9. Alvin Slocombe / Cyber World Internet Services – United States: Bulletproof spam host operating Cyber World Internet Services / e-Insites, and currently spamming using a variety of aliases such as Brand 4 Marketing, Ad Media Plus, Site Traffic Network, RCM Delivery, and eBox.
  10. Jagger Babuin / BHSI – Canada: Romanian spammer now living in Vancouver BC. Also known as the “Dr Oz” spammer.

Source:

  1. Register Of Known Spam Operations (ROKSO) database
  2. Spamhaus Blocklist (SBL) database.
  3. Spamhaus statistics (original post link – updated regularly)
Detailed records on each spammer or spam gang listed can be viewed by clicking on the names.
I always thought that most of the large spammers were from Africa or the Eastern European region (no offense guys – clearly the mainstream media portrays it that way). Looking at this list and their locations was more of a revelation. Anyhow, in case you get lots of emails with links that look legitimate (but you think they might contain malware), you can use the reputable online site review tools listed on this page.

Shortest Spam Run Ever – Domaincop.org Domain Abuse Notice Spam

Woke up this morning and found two emails from domaincop.org in my inbox stating that my domains have been used for spamming and spreading malware recently. The subject line contained “Domain Abuse Notice”, which looked serious.
I mean WOAH! I do write about ‘stuff’ but that doesn’t mean I send out emails to anyone. I don’t even respond to my emails half the time because I don’t really need another SEO expert, another advertiser, another promoter or a globally acclaimed graphics designer to design ‘tings’!
But then again, you read all these reports that explain how malware and viruses are served via advertisements etc. So I decided to carefully examine the email and its contents in an attempt to find out more. Before I even opened the actual email, I checked its headers and the domain whois. I always do this, especially the whois, because you are unlikely to receive an abuse notice email from a domain that was registered a few weeks ago. Most abuse notice emails are sent by large organisations and domains that have been around for years and built up enough reputation for everyone to take them seriously.

Whois information

I checked their whois from https://who.is/whois/domaincop.org
(Screenshot: whois record for domaincop.org)
Nice: Registered On 2016-11-22, Updated On 2016-11-22, and today is 2016-11-23. I mean, duh, it’s still the 22nd of November in some parts of the world. They also have PrivacyGuard enabled, which means you cannot see the real owner’s name or details, just like the darodar.com referrer spam.

Inspect the URL and its content

The next obvious thing was to check the URL that was sent to me to view the abuse my domains had inflicted. Erm, do I use a browser? Perhaps not; I decided to use cURL.
(Screenshot: cURL request to the domaincop.org URL)
root@kali:~# curl -kv http://www.domaincop.org/<removed>
* Could not resolve host: www.domaincop.org
* Closing connection 0
curl: (6) Could not resolve host: www.domaincop.org
Hang on, the domain seems to have no DNS response. Let’s double-check that with the dig command:
root@kali:~# dig www.domaincop.org

; <<>> DiG 9.10.3-P4-Debian <<>> www.domaincop.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64018
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.domaincop.org.        IN    A

;; AUTHORITY SECTION:
org.            704    IN    SOA    a0.org.afilias-nst.info. noc.afilias-nst.info. 2012251969 1800 900 604800 86400

;; Query time: 1 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Wed Nov 23 10:42:53 AEDT 2016
;; MSG SIZE  rcvd: 109
dig returned an NXDOMAIN response, which means the domain doesn’t exist. It seems either they’ve disabled their domain and/or Cloudflare banned/removed them. In any case, there is no way for me to inspect that URL now. ‘sad panda’

Sample email

Here’s one of the emails I received, from “Imogen Murray” <imogen_murray@domaincop.org> (the other email was from “Isaac Wright” <isaac-wright@domaincop.org>) with exactly the same content:
Dear Domain Owner,

Our system has detected that your domain:<removed>.com is being used for spamming and spreading malware recently.

You can download the detailed abuse report of your domain along with date/time of incidents.
Click Here<link-removed>

We have also provided detailed instruction on how to delist your domain from our blacklisting.

Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently.

There is also possibility of legal action depend on severity and persistence of your abuse case.

Three Simple Steps:

1. Download your abuse report.

2. Check your domain abuse incidents along with date and time.

3. Take few simple steps for prevention and to avoid domain suspension.

Click Here to Download your Report<link-removed>

Please look into it and contact us.

Best Regards,

Domain Abuse Admin

DomainCop Inc.

Tel.: (139) 722-66-56

Conclusion

Not sure what this email was about, but in case you ever get these types of emails, here’s what you should always do:
  1. Check Domain Whois
  2. Check the URL without actually going into it (cURL it)
  3. Use online scanners to check the links
  4. Check dig/nslookup info
  5. Search in Google
  6. If you must visit the URL, do it from a command line tool or from a VM.
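To turn the checks above into something repeatable, here is an added example in Ruby (my own code, not from the original post). It flags a notice when the sender’s domain was registered only days earlier, when that domain already returns NXDOMAIN, and when the body sets an artificial deadline. The sample email, the whois extract and the dig status line are constructed from what the post observed; the function and constant names are my own.

```ruby
require 'date'

# Constructed inputs modelled on the post: a cut-down copy of the notice,
# a made-up whois extract carrying the dates the post reports, and the
# status line of the dig answer shown above.
SAMPLE_EMAIL = <<~MAIL
  From: "Imogen Murray" <imogen_murray@domaincop.org>
  Subject: Domain Abuse Notice

  Our system has detected that your domain is being used for spamming.
  Please download the report immediately and take proper action within 24 hours
  otherwise your domain will be suspended permanently.
MAIL
SAMPLE_WHOIS = "Domain Name: domaincop.org\nRegistered On: 2016-11-22\nUpdated On: 2016-11-22\n"
SAMPLE_DIG   = ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64018\n"
EMAIL_DATE   = Date.new(2016, 11, 23)   # the day the notices arrived

# Domain part of the From: header, lower-cased (nil if there is none).
def sender_domain(raw_email)
  header = raw_email[/^From:.*$/i] || ''
  m = header.match(/@([\w.-]+)/)
  m && m[1].downcase
end

# Days between the whois "Registered On" date and the date `on`.
def registration_age_days(whois_text, on)
  m = whois_text.match(/Registered On:?\s*(\d{4}-\d{2}-\d{2})/)
  m && (on - Date.parse(m[1])).to_i
end

# Status field of a dig header line, e.g. NOERROR or NXDOMAIN.
def dig_status(dig_text)
  m = dig_text.match(/status:\s*([A-Z]+)/)
  m && m[1]
end

# Return the red flags found; an empty list means nothing stood out.
def triage(raw_email, whois_text, dig_text, today, max_age_days: 30)
  flags = []
  age = registration_age_days(whois_text, today)
  if age && age < max_age_days
    flags << "sender domain #{sender_domain(raw_email)} registered #{age} day(s) ago"
  end
  flags << 'sender domain no longer resolves (NXDOMAIN)' if dig_status(dig_text) == 'NXDOMAIN'
  flags << 'artificial deadline in message body' if raw_email =~ /within\s+\d+\s+hours/i
  flags
end

if __FILE__ == $0
  triage(SAMPLE_EMAIL, SAMPLE_WHOIS, SAMPLE_DIG, EMAIL_DATE).each { |f| puts "FLAG: #{f}" }
end
```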
In short, you are unlikely to get such emails from multiple senders at a domain that was set up yesterday, got banned today and has people around the world talking about it being a scam. Another way to check spammy links is to use the online site review tools of reputable providers. Here’s a list of them:

Real Time Scanners:

  1. Comodo Web Inspector: Examines the URL in real-time
  2. Joe Sandbox URL Analyzer: Examines the URL in real time
  3. Is It Hacked: Performs several of its own checks of the URL in real time and consults some blacklists
  4. IsItPhishing: Assesses the specified URL in real-time
  5. Sucuri SiteCheck: Scans the URL for malware in real time and looks it up in several blacklists
  6. Zscaler Zulu URL Risk Analyzer: Examines the URL using real-time and historical techniques

Historical Reputation data:

  1. AVG Website Safety Reports: Provides historical reputation data about the site
  2. Blue Coat WebPulse Site Review: Looks up the website in BlueCoat’s database
  3. BrightCloud URL/IP Lookup: Presents historical reputation data about the website
  4. Cisco SenderBase: Presents historical reputation data about the website
  5. Cymon: Presents data from various threat intel feeds
  6. Deepviz: Offers historical threat intel data about IPs, domains, etc.
  7. FortiGuard lookup: Displays the URL’s history and category
  8. IBM X-Force Exchange: Provides historical data about IPs, URLs, etc.
  9. Intel/McAfee: Presents historical reputation data about the website
  10. KnownSec: Presents historical reputation data about the website; Chinese language only
  11. PhishTank: Looks up the URL in its database of known phishing websites
  12. Malware Domain List: Looks up recently-reported malicious websites
  13. MalwareURL: Looks up the URL in its historical list of malicious websites
  14. McAfee Site Advisor: Presents historical reputation data about the website
  15. MxToolbox: Queries multiple reputational sources for information about the IP or domain
  16. Norton Safe Web: Presents historical reputation data about the website
  17. Open Threat Exchange: Presents diverse threat intelligence data from AlienVault
  18. PassiveTotal: Presents passive DNS and other threat intelligence data
  19. Quttera ThreatSign: Scans the specified URL for the presence of malware
  20. Reputation Authority: Shows reputational data on specified domain or IP address
  21. Trend Micro: Presents historical reputation data about the website
  22. Unmask Parasites: Looks up the URL in the Google Safe Browsing database
  23. URL Blacklist: Looks up the URL in its database of suspicious sites
  24. URL Query: Looks up the URL in its database of suspicious sites and examines the site’s content
  25. URLVoid and IPVoid: Looks up the URL or IP in several blacklisting services
  26. VirusTotal: Looks up the URL in several databases of malicious sites
  27. vURL: Retrieves and displays the source code of the page; looks up its status in several blocklists
  28. ThreatMiner: Presents diverse threat intelligence data
These are industry leaders for checking and categorising domains/URLs and marking them accordingly. For new domains, use the real-time scanners; for older domains, use the historical reputation scanners. In any case, stay safe and happy browsing.

How to Fix Detect and Mount CD-ROM [Kali Linux 2016.2]


Kali Linux 2.0 is a penetration testing distro from the Kali team. Earlier I had posted two articles on how to install Kali (Sana) using both the GUI (Live CD) and the traditional method. But later I tried to install Kali from USB and received this error during the installation process: "Your installation CD-ROM couldn’t be mounted. This probably means that the CD-ROM was not in the drive. If so, you can insert it and try again." I googled and found that it is a known bug and can be resolved easily.

This post will show you how to solve the "Detect and Mount CD-ROM" issue. Follow the instructions below: open a terminal from the installer and type

mount -t vfat /dev/sdb1 /cdrom
exit

Here /dev/sdb1 is the first partition of the installer USB stick; the device name can differ from one machine to another, so check it (for example with ls /dev/sd*) before mounting. Typing exit returns you to the installer.
I hope this solves your problem. Enjoy Sana!

How To Setup Honeypot in Kali Linux


Pentbox is a security kit containing various tools that make conducting a pentest easier. It is programmed in Ruby and oriented to GNU/Linux, with support for Windows, MacOS and every system where Ruby is installed. In this small article we will explain how to set up a honeypot in Kali Linux. If you don’t know what a honeypot is: “a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.”

Download Pentbox:

Simply type in the following command in your terminal to download pentbox-1.8.
root@iExplo1t:~# wget http://downloads.sourceforge.net/project/pentbox18realised/pentbox-1.8.tar.gz

Uncompress pentbox files

Decompressing the file with the following command:
root@iExplo1t:~# tar -zxvf pentbox-1.8.tar.gz

Run pentbox ruby script

Change directory into pentbox folder
root@iExplo1t:~# cd pentbox-1.8/
root@iExplo1t:~/pentbox-1.8# ls
Run pentbox using the following command
root@iExplo1t:~/pentbox-1.8# ./pentbox.rb

Setup a honeypot

Use option 2 (Network Tools) and then option 3 (Honeypot).
Finally for first test, choose option 1 (Fast Auto Configuration)
This opens up a honeypot on port 80. Simply open a browser and browse to http://192.168.150.128 (where 192.168.150.128 is your IP address). You should see an Access denied error.

and in the terminal you should see “HONEYPOT ACTIVATED ON PORT 80” followed by “INTRUSION ATTEMPT DETECTED”.
Now, if you do the same steps but this time select option 2 (Manual Configuration), you will see more options.

Do the same steps but select port 22 this time (the SSH port). Then set up port forwarding on your home router to forward external port 22 to this machine’s port 22. Alternatively, set it up on a VPS in the cloud.
You’d be amazed how many bots out there are scanning the SSH port continuously. You know what you do then? You try to hack them back for the lulz!
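For a feel of what Pentbox’s fast auto configuration does under the hood, here is an added example (my own Ruby sketch, not Pentbox’s code): a tiny honeypot that accepts any connection on one port, records the peer and the first request line, answers with an “Access denied” page and logs an intrusion attempt. The class name, the 403 response and the three-second read timeout are my choices.

```ruby
require 'socket'
require 'logger'

# Minimal single-port TCP honeypot in the spirit of Pentbox's "Fast Auto
# Configuration": accept any connection, record who connected and what they
# sent first, answer with a fixed "Access denied" page and hang up.
class TinyHoneypot
  attr_reader :port, :events
  # port 0 lets the OS pick a free port (handy for tests); bind to '0.0.0.0'
  # to expose it on the LAN the way the post does.
  def initialize(port: 0, bind: '127.0.0.1', banner: 'Access denied')
    @server = TCPServer.new(bind, port)
    @port   = @server.addr[1]
    @banner = banner
    @events = []                      # one hash per intrusion attempt
    @log    = Logger.new($stdout)
  end

  # Serve one connection and return the recorded event.
  def handle(sock)
    peer = sock.peeraddr(:numeric)[3]
    # A bare port scan sends nothing; don't let it block the accept loop.
    line = IO.select([sock], nil, nil, 3) ? (sock.gets || '').strip : ''
    event = { time: Time.now.utc.to_s, peer: peer, request: line }
    @events << event
    @log.warn("INTRUSION ATTEMPT DETECTED from #{peer}: #{line.inspect}")
    body = "<h1>#{@banner}</h1>"
    sock.write("HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n" \
               "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}")
    event
  rescue IOError, SystemCallError
    event
  ensure
    sock.close unless sock.closed?
  end

  # Accept connections on a background thread until stop is called.
  def start
    @log.warn("HONEYPOT ACTIVATED ON PORT #{@port}")
    @thread = Thread.new do
      loop do
        begin
          handle(@server.accept)
        rescue IOError, SystemCallError   # raised once stop closes the server
          break
        end
      end
    end
    self
  end

  def stop
    @server.close
    @thread.join(2)
  end
end
# Usage on a real box: TinyHoneypot.new(port: 80, bind: '0.0.0.0').start; sleep
```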
Here’s a video of setting up honeypot if video is your thing:


Copyright @ 2016 iExplo1t.