Thursday, December 01, 2011

How to install BeEF on Ubuntu 10.04 LTS

--------------------------------------------------------

The Browser Exploitation Framework (BeEF) is a wonderful tool to have in your pen test arsenal. The latest version of the framework is written in ruby and requires ruby version 1.9.1 or greater in order to run. The default version of ruby that Ubuntu 10.04 LTS installs with the "apt-get install ruby" command is 1.8.7. While ruby version 1.9.1 is available from the apt repository I decided not to alter the system version of ruby and used Ruby Version Manager (RVM) to install a local version of ruby 1.9.2 to run BeEF. RVM is a command line tool that allows you to install multiple ruby environments (http://beginrescueend.com/).

These instructions assume you have a default install of Ubuntu 10.04 LTS. The examples also show all commands being run as a normal user, not root, as any commands that require elevated privileges will use the sudo command.

Our first step will be to install our prerequisites.

sudo apt-get install curl git-core ruby subversion libssl-dev libsqlite3-dev

Now that we have our prerequisites installed, let's install RVM.

bash < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer )

You will now have to restart your shell so the RVM environment will be in place. Simply type exit or press Ctrl-D to exit your current shell, then start a new shell. Now that RVM is installed we can install ruby 1.9.2.

rvm install ruby-1.9.2-p290

Once we have installed ruby 1.9.2, we can set it to be our default ruby version for this user.

rvm --default ruby-1.9.2-p290

We will want to verify that ruby 1.9.2 is our default version.

ruby -v

With RVM and ruby 1.9.2 installed, let's move on to BeEF. I like to set up my tools in a tools directory, so let's create the directory and download the framework.

mkdir ~/tools

cd ~/tools

svn checkout http://beef.googlecode.com/svn/trunk/ beef

cd beef

The framework comes with an install script to help make sure you have the prerequisite ruby gems installed for the framework to run. Let's make the script executable and run it to see what we need.

chmod 755 install

./install

# The following is the output from the ./install command

Welcome to the BeEF installer!

Please make sure you have installed SQLite before proceeding. For instructions on how to do this please see the README file

Some gems required by BEeF are not present on your system please select an option to continue:

1) Install all required gems automatically

2) List required gems and exit so they can be installed manually

3) Exit installer

2

Please run the following command to update and install all required gems:

sudo gem install ansi term-ansicolor dm-core json data_objects do_sqlite3 sqlite3 dm-sqlite-adapter parseconfig erubis dm-migrations && sudo gem install librex -v0.0.52 --no-rdoc --no-ri

We need to remember that we are using RVM to maintain our ruby environment and will have to install the needed gems with the rvm command and not apt-get.

rvm all do gem install ansi term-ansicolor dm-core json data_objects do_sqlite3 sqlite3 dm-sqlite-adapter parseconfig erubis dm-migrations

rvm all do gem install librex -v0.0.52 --no-rdoc --no-ri

Now let's fire up BeEF.

./beef

We now have the Browser Exploitation Framework installed and running on Ubuntu 10.04 LTS. Log into the web interface and let the good times roll :-)

Sunday, November 13, 2011

MobiSec Live Environment DARPA Project

Mobile devices have become the most common computer technology available today, as indicated in a recent report from the CTIA stating that the United States now has more mobile phones than people; a staggering 327.6 million phones!  In the past year, the number of smartphones and wireless-enabled PDAs (tablets, e-readers, etc.) has risen 57%, to a total of 95.8 million devices.  These mobile devices have increased in computing capabilities and features, typically remaining connected to the Internet a majority of the time, if not constantly.  These devices have also become a major target to attackers due to these increased capabilities and features, resulting in large amounts of data stored on the devices or removable media.  Organizations are challenged in understanding the security concerns and risk related to both these devices and the applications running on them.

One of the challenges organizations face is the expense and complexity in designing, developing, and building test environments to adequately evaluate the security controls and risks around their mobile devices, applications, and infrastructure.  Consequently, the complexity and expense increase by orders of magnitude when taking into account the variety of mobile devices, operating systems, application versions, supporting infrastructure, and the various potential configuration settings that an organization may include in their mobile environment.  Given these challenges, very few organizations are actually testing mobile device security as it relates to their environment.

Secure Ideas is working to solve this challenge that organizations face with the development of the MobiSec Live Environment, which will be a live testing environment that is preconfigured and installed with all the tools and configurations needed to perform security assessments and testing of mobile platforms.  The benefits will provide penetration testers, mobile IT administrators, and information security professionals the ability to assess mobile environments with a suite of tools that are structured and organized based on an industry-proven testing methodology, all within a testing environment that has been tested and validated to support each of the testing tools.  This relieves the testers of having to research mobile testing tools independently and build an environment to maintain and launch the testing tools, with all the prerequisites required for all the tools.  With the MobiSec Live Environment, the operating system includes all the prerequisites required for all the tools and scripts, which have been tested and validated to work correctly.  

This live environment will also provide the ability to update the tools over the Internet with little effort by the tester, again relieving the requirement for constantly maintaining the tools and the environment from which they are launched.  The MobiSec Live Environment can run as a “read-only” environment, ensuring the integrity of the tools and environment each time it is used, or it can be installed into an environment that can be updated or enhanced with additional tools as the tester deems necessary.  This gives the tester the flexibility needed to customize the MobiSec Live Environment for specific needs and requirements.  

The MobiSec Live Environment makes mobile penetration testing more streamlined for the tester, allowing more time to focus on the test objectives and progress, and less on the tools or the testing environment.  These benefits all come without any cost or expense to the tester as the MobiSec Live Environment will leverage an operating system and tools with licenses based on free or open source software.  The intent here is to provide a comprehensive mobile testing environment, organized and structured based on an industry-proven testing framework, openly available and financially accessible for all organizations, improving the testing capabilities and overall security posture in the mobility space.

In order to financially support the development of this project, Secure Ideas turned to the DARPA Cyber Fast Track (CFT) Program.  The objective of this program is to support multiple small cyber projects with a focus on short time frames, low cost, and with the expectation of results demonstrated in less than 12-month periods.  This is an excellent program for small security companies, like Secure Ideas, to obtain financial support for quick and inexpensive security projects.  The process for submitting a project proposal is rather straightforward and simple, and the time for the CFT program to review proposals and provide a response is less than 2 weeks.  For the MobiSec project, Secure Ideas received approval within 5 days!

The CFT Program requires submitters to provide documentation that complies with their very specific requirements for formatting, length, and content.  However, compared to the typical proposals for Government programs, this process was a breeze.  The proposal must include an executive summary, a detailed technical description of the proposed solution, metrics that will demonstrate the performance of the project through the entire life cycle, a statement of work with a detailed task breakdown, a schedule of milestones and deliverables, and a detailed list of costs and expenses.  Details of the program and how to submit a project proposal can be found at http://www.cft.usma.edu/resources/DARPA-RA-11-52_(CFT)-1.pdf and more information about the program is available at http://www.cft.usma.edu/.

The completion of the MobiSec Live Environment Mobile Testing Framework project, which will be performed solely by Secure Ideas, is targeted for release in February 2012.  Secure Ideas plans on using the MobiSec Live Environment in a future release of the SANS SEC571 Mobile Device Security class, which will make its debut at the SANS Cyber Defense Initiative 2011 conference in Washington, DC.  Additional blog entries will be posted as we build out this environment identifying tools and utilities that will be included, as well as lessons learned.  Stay tuned...

Tuesday, August 29, 2006

Life keeps going on....

Wow, I can't believe it has been this long since my last post. Quite a bit is going on around here. Sarah was born and I am teaching SANS classes coming up in September and then October. We released the updated hping for Windows and got Nikto-NSE out the door. Both of these were added to the SecTools project. I hope to get some updates out in the next few days as I have a bit to talk about. Even if I am just talking to myself, it helps to get it on the wire.

Have fun and be safe!

Sunday, January 01, 2006

Mining in a corporate environment

We have a virus attack! Words that will stop any security professional in their tracks. Even with strict security policies and procedures around patch and anti-virus management, virii are still a major threat. Every day new virii and variations of old favorites are released into the wild and onto our networks. A single host, not under our control, being plugged in, or a user who shuts down their anti-virus software for that little extra performance, are a couple of the potential entry points. And even more of the virii are coming in through bugs in the browsers we use to surf the web. So what do we do?

Well, as most of us have been taught: “Prevention is ideal, detection is required!” While patches and anti-virus programs may be the prevention methods we choose, they aren't perfect. And when, not if, they fail and we have a particularly nasty bug running loose through our network, we need to see where it is as soon as possible.

So how do we accomplish this, at minimal cost, while recognizing that our network of responsibility may spread around the globe? We believe that the solution is what are called “canary hosts”. The idea is a trick borrowed from the history of mining, where miners would take a canary down into the mine with them: if it died, they knew they needed to get out of there! To model our solution on this, we deploy a streamlined, small-footprint Snort system to client machines around the network. As a virus attack initially launches, the canary machines will see the attacks and alert to our central reporting server. This enables the incident response team to immediately identify where the virus has originated within the network, and thus to contain the virus sooner than normal detection methods would allow. Regular post-incident handling can then be used to recover the infected machines.

The setup of the canary hosts is optimized to be able to run on client machines already deployed throughout the company, without impacting the performance to the end user. This allows us to save money in comparison to using various IDS appliances. Snort is used because of its cost, ease of use and ability to run on practically every platform imaginable.

The rules running on the hosts are optimized to try and minimize false positives while preventing false negatives. The rules are set up to focus on incoming connections, since most workstations do not offer services to be used by other workstations. We also are able to turn off most of the rules relating to servers and public services. The rules are loaded from a central network share along with the actual Snort configuration. This allows us to control the rules and configuration in one location, and any changes are picked up on the next restart of the workstation.

Using this system in a controlled deployment, your incident response team will be better prepared to contain any malicious code loose in your network. When your system alerts that a host has detected attack behavior, you will be able to quickly isolate the problem before major parts of your network are affected.
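The central-reporting side of the canary approach, as an added example that is not code from the original post: the reporting server receives Snort fast-format alert lines forwarded by each canary workstation, keeps only the alerts in which the canary itself was the connection target (the inbound focus the rule set is tuned for), and ranks source addresses by when they were first seen and how many canaries they have touched. The earliest-seen source that has hit several canaries is the lead the incident response team chases first. The hostname prefix on each line, the canary-to-address inventory, the local-range SIDs and the sample alerts are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: Snort "fast" alert lines as three hypothetical canary
# workstations might forward them to the central reporting server. The leading
# hostname field is an assumption about how the forwarder tags each line; the SIDs
# (1000001 and up) sit in the local-rule range and the messages are made up.
SAMPLE_ALERTS = """\
canary-01 01/01-09:14:02.118240  [**] [1:1000001:1] LOCAL inbound SMB connection attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.4.77:3321 -> 10.1.4.21:445
canary-02 01/01-09:14:05.330110  [**] [1:1000001:1] LOCAL inbound SMB connection attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.4.77:3322 -> 10.1.4.35:445
canary-02 01/01-09:14:09.002000  [**] [1:1000002:1] LOCAL inbound RPC endpoint mapper probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.4.77:3323 -> 10.1.4.35:135
canary-03 01/01-09:15:41.500000  [**] [1:1000001:1] LOCAL inbound SMB connection attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.9.12:1045 -> 10.1.9.60:445
canary-01 01/01-09:16:00.000000  [**] [1:1000003:1] LOCAL outbound HTTP to updater [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.1.4.21:49211 -> 10.200.1.5:80
this line is not a Snort alert and is skipped by the parser
"""

# Assumed inventory of which address each canary owns. Only alerts where the
# reporting canary was the destination count as the inbound connections the post
# describes; anything the canary itself initiated is dropped from the triage.
CANARY_ADDRS = {"canary-01": "10.1.4.21", "canary-02": "10.1.4.35", "canary-03": "10.1.9.60"}

# Snort fast-alert layout, prefixed by the forwarder's hostname field.
FAST_ALERT = re.compile(
    r"^(?P<host>\S+)\s+(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text, year=2006):
    """Parse forwarded fast-alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        # The fast format carries no year, so the caller supplies it.
        a["ts"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        a["prio"] = int(a["prio"])
        alerts.append(a)
    return alerts


def inbound_alerts(alerts, canary_addrs):
    """Keep only alerts in which the reporting canary was the target of the connection."""
    return [a for a in alerts if canary_addrs.get(a["host"]) == a["dst"]]


def rank_sources(alerts):
    """Group inbound alerts by source address and order them by first sighting.

    Ties on first sighting go to the source that has touched more canaries, since
    a worm spreading from one host lights up several canaries in quick succession.
    """
    by_src = defaultdict(lambda: {"first_seen": None, "canaries": set(), "alerts": 0})
    for a in alerts:
        s = by_src[a["src"]]
        if s["first_seen"] is None or a["ts"] < s["first_seen"]:
            s["first_seen"] = a["ts"]
        s["canaries"].add(a["host"])
        s["alerts"] += 1
    ranked = [
        {"src": src, "first_seen": s["first_seen"].isoformat(),
         "canaries": sorted(s["canaries"]), "alerts": s["alerts"]}
        for src, s in by_src.items()
    ]
    return sorted(ranked, key=lambda r: (r["first_seen"], -len(r["canaries"])))


def triage(text, canary_addrs=CANARY_ADDRS, year=2006):
    """Full pipeline: parse forwarded lines, keep inbound hits, rank candidate origins."""
    return rank_sources(inbound_alerts(parse_alerts(text, year), canary_addrs))


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f"{r['first_seen']}  {r['src']:<14} canaries={','.join(r['canaries'])} alerts={r['alerts']}")
```

Run against the constructed sample, the outbound line from canary-01 is discarded, 10.1.4.77 is reported first (seen at 09:14:02 by two canaries, three alerts) and 10.1.9.12 second (one canary, one alert). In a real deployment the year would come from the collector's clock and the inventory from whatever pushes the configuration out to the workstations.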

Wednesday, December 21, 2005

Technical Debt: Dave Ramsey, where are you?

It is interesting how an idea pops up in your daily life. I was reading through the torrent of email that is the FD mailing list and the phrase "Technical Debt" was mentioned. It started me thinking about security and how companies treat it when they develop their systems and infrastructure. I then thought that we all need a little Dave Ramsey in our SOCs.

So now the question becomes, how do we measure our "security debt" when performing an audit? Because we really need to realize that our debt will be paid by our partners and our customers. It is commonly skipped over that the penalty for not securing our systems, sadly, is never paid by the people who chose not to secure the systems.