Sharing information via a collection of cheat sheets, how-to guides, and notes I've been collecting while engaged in projects or conducting research.
Wednesday, July 22, 2015
Operator’s Guide to ps, kill, and nice to Manage Processes in Linux
How To View Running Processes in Linux
top
The easiest way to find out what processes are running on your server is to run the top command:
top
top - 15:14:40 up 46 min, 1 user, load average: 0.00, 0.01, 0.05
Tasks: 56 total, 1 running, 55 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 1019600k total, 316576k used, 703024k free, 7652k buffers
Swap: 0k total, 0k used, 0k free, 258976k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 20 0 24188 2120 1300 S 0.0 0.2 0:00.56 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:00.07 ksoftirqd/0
6 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
7 root RT 0 0 0 0 S 0.0 0.0 0:00.03 watchdog/0
8 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 cpuset
9 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 khelper
10 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
The top chunk of information gives system statistics, such as system load and the total number of tasks.
You can easily see that there is 1 running process, and 55 processes are sleeping (aka idle/not using CPU resources).
The bottom portion has the running processes and their usage statistics.
htop
An improved version of top, called htop, is available in the repositories. Install it with this command:
sudo apt-get install htop
If we run the htop command, we will see that there is a more user-friendly display:
htop
Mem[||||||||||| 49/995MB] Load average: 0.00 0.03 0.05
CPU[ 0.0%] Tasks: 21, 3 thr; 1 running
Swp[ 0/0MB] Uptime: 00:58:11
PID USER PRI NI VIRT RES SHR S CPU% MEM% TIME+ Command
1259 root 20 0 25660 1880 1368 R 0.0 0.2 0:00.06 htop
1 root 20 0 24188 2120 1300 S 0.0 0.2 0:00.56 /sbin/init
311 root 20 0 17224 636 440 S 0.0 0.1 0:00.07 upstart-udev-brid
314 root 20 0 21592 1280 760 S 0.0 0.1 0:00.06 /sbin/udevd --dae
389 messagebu 20 0 23808 688 444 S 0.0 0.1 0:00.01 dbus-daemon --sys
407 syslog 20 0 243M 1404 1080 S 0.0 0.1 0:00.02 rsyslogd -c5
408 syslog 20 0 243M 1404 1080 S 0.0 0.1 0:00.00 rsyslogd -c5
409 syslog 20 0 243M 1404 1080 S 0.0 0.1 0:00.00 rsyslogd -c5
406 syslog 20 0 243M 1404 1080 S 0.0 0.1 0:00.04 rsyslogd -c5
553 root 20 0 15180 400 204 S 0.0 0.0 0:00.01 upstart-socket-br
You can learn more about how to use top and htop here.
How To Use ps to List Processes
Both top and htop provide a nice interface to view running processes similar to a graphical task manager.
However, these tools are not always flexible enough to adequately cover all scenarios. A powerful command called ps is often the answer to these problems.
When called without arguments, the output can be a bit lack-lustre:
ps
PID TTY TIME CMD
1017 pts/0 00:00:00 bash
1262 pts/0 00:00:00 ps
This output shows all of the processes associated with the current user and terminal session. This makes sense because we are only running bash and ps with this terminal currently.
To get a more complete picture of the processes on this system, we can run the following:
ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.2 24188 2120 ? Ss 14:28 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 14:28 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 14:28 0:00 [ksoftirqd/0]
root 6 0.0 0.0 0 0 ? S 14:28 0:00 [migration/0]
root 7 0.0 0.0 0 0 ? S 14:28 0:00 [watchdog/0]
root 8 0.0 0.0 0 0 ? S< 14:28 0:00 [cpuset]
root 9 0.0 0.0 0 0 ? S< 14:28 0:00 [khelper]
. . .
These options tell ps to show processes owned by all users (regardless of their terminal association) in a user-friendly format.
To see a tree view, where hierarchical relationships are illustrated, we can run the command with these options:
ps axjf
PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
0 2 0 0 ? -1 S 0 0:00 [kthreadd]
2 3 0 0 ? -1 S 0 0:00 \_ [ksoftirqd/0]
2 6 0 0 ? -1 S 0 0:00 \_ [migration/0]
2 7 0 0 ? -1 S 0 0:00 \_ [watchdog/0]
2 8 0 0 ? -1 S< 0 0:00 \_ [cpuset]
2 9 0 0 ? -1 S< 0 0:00 \_ [khelper]
2 10 0 0 ? -1 S 0 0:00 \_ [kdevtmpfs]
2 11 0 0 ? -1 S< 0 0:00 \_ [netns]
. . .
As you can see, the process kthreadd is shown to be a parent of the ksoftirqd/0 process and the others.
A Note About Process IDs
In Linux and Unix-like systems, each process is assigned a process ID, or PID. This is how the operating system identifies and keeps track of processes.
A quick way of getting the PID of a process is with the pgrep command:
pgrep bash
1017
This will simply query the process ID and return it.
The first process spawned at boot, called init, is given the PID of "1".
pgrep init
1
This process is then responsible for spawning every other process on the system. The later processes are given larger PID numbers.
A process's parent is the process that was responsible for spawning it. If a process's parent is killed, then the child processes also die. The parent process's PID is referred to as the PPID.
You can see PID and PPID in the column headers in many process management applications, including top, htop and ps.
Any communication between the user and the operating system about processes involves translating between process names and PIDs at some point during the operation. This is why utilities tell you the PID.
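As an added example (not part of the original post), the following POSIX shell functions read the PPID the kernel records for a process straight from /proc, which is where ps and top get their PPID column, and walk the chain of parents upward. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post. Reads the parent PID straight
# from /proc/PID/status (the same data behind the PPID column of ps and top)
# and walks the parent chain up to the process whose parent is PID 0,
# normally init. Linux only; the function names are this example's own.

# Print the PPID of PID $1, or nothing if that PID does not exist.
ppid_of() {
    sed -n 's/^PPid:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null
}

# Print the command name the kernel records for PID $1 (the COMMAND column).
comm_of() {
    cat "/proc/$1/comm" 2>/dev/null
}

# Succeed only if PID $1 was spawned directly by PID $2.
is_child_of() {
    [ -n "$(ppid_of "$1")" ] && [ "$(ppid_of "$1")" = "$2" ]
}

# Print "PID NAME" for PID $1 and then for each ancestor in turn. Because a
# process's parent is the one that spawned it, this shows who started what;
# an interactive shell whose parent is a web server, for example, is the kind
# of relationship an operator would want to notice.
process_ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ]; do
        printf '%s %s\n' "$pid" "$(comm_of "$pid")"
        pid=$(ppid_of "$pid")
    done
}

# Example run against the current shell; the exact chain depends on the host.
process_ancestry "$$"
```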
How To Send Processes Signals in Linux
All processes in Linux respond to signals. Signals are an OS-level way of telling programs to terminate or modify their behaviour.
How To Send Processes Signals by PID
The most common way of passing signals to a program is with the kill command.
As you might expect, the default functionality of this utility is to attempt to kill a process:
kill PID_of_target_process
This sends the TERM signal to the process. The TERM signal tells the process to please terminate. This allows the program to perform clean-up operations and exit smoothly.
If the program is misbehaving and does not exit when given the TERM signal, we can escalate the signal by passing the KILL signal:
kill -KILL PID_of_target_process
This is a special signal that is not sent to the program.
Instead, it is given to the operating system kernel, which shuts down the process. This is used to bypass programs that ignore the signals sent to them.
Each signal has an associated number that can be passed instead of the name. For instance, you can pass "-15" instead of "-TERM", and "-9" instead of "-KILL".
How To Use Signals For Other Purposes
Signals are not only used to shut down programs. They can also be used to perform other actions.
For instance, many daemons will restart when they are given the HUP, or hang-up signal. Apache is one program that operates like this.
sudo kill -HUP pid_of_apache
The above command will cause Apache to reload its configuration file and resume serving content.
You can list all of the signals that are possible to send with kill by typing:
kill -l
1) SIGHUP 2) SIGINT 3) SIGQUIT 4) SIGILL 5) SIGTRAP
6) SIGABRT 7) SIGBUS 8) SIGFPE 9) SIGKILL 10) SIGUSR1
11) SIGSEGV 12) SIGUSR2 13) SIGPIPE 14) SIGALRM 15) SIGTERM
. . .
How To Send Processes Signals by Name
Although the conventional way of sending signals is through the use of PIDs, there are also methods of doing this with regular process names.
The pkill command works in almost exactly the same way as kill, but it operates on a process name instead:
pkill -9 ping
The above command is the equivalent of:
kill -9 `pgrep ping`
If you would like to send a signal to every instance of a certain process, you can use the killall command:
killall firefox
The above command will send the TERM signal to every instance of firefox running on the computer.
How To Adjust Process Priorities
Often, you will want to adjust which processes are given priority in a server environment.
Some processes might be considered mission critical for your situation, while others may be executed whenever there might be leftover resources.
Linux controls priority through a value called niceness.
High priority tasks are considered less nice, because they don't share resources as well. Low priority processes, on the other hand, are nice because they insist on only taking minimal resources.
When we ran top at the beginning of the article, there was a column marked "NI". This is the nice value of the process:
top
Tasks: 56 total, 1 running, 55 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0%us, 0.3%sy, 0.0%ni, 99.7%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 1019600k total, 324496k used, 695104k free, 8512k buffers
Swap: 0k total, 0k used, 0k free, 264812k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1635 root 20 0 17300 1200 920 R 0.3 0.1 0:00.01 top
1 root 20 0 24188 2120 1300 S 0.0 0.2 0:00.56 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:00.11 ksoftirqd/0
Nice values can range between "-19/-20" (highest priority) and "19/20" (lowest priority) depending on the system.
To run a program with a certain nice value, we can use the nice command:
nice -n 15 command_to_execute
This only works when beginning a new program.
To alter the nice value of a program that is already executing, we use a tool called renice:
renice 0 PID_to_prioritize
Note: While nice operates with a command name by necessity, renice operates by calling the process PID.
My ANONYMOUS Surf Solution
This is how I achieve anonymity online while applying a local layer of security. Please note these instructions are not a tutorial or how-to guide.
What you will need:
Hardware:
16GB USB thumb drive. The smaller the better. The Scandisk Cruzer is smaller than a thumbnail.
Laptop or desktop machine. This can be an older machine and it will work just fine. Here's the one I'm currently utilizing.
Yeah, missing keys and everything. :)
Software:
Tails
Unetbootin
Service:
Internet connection
STEPS:
1. Download Tails ISO and Unetbootin :
Tails > https://tails.boum.org/download/index.en.html
Unetbootin > http://unetbootin.sourceforge.net/
2. Use unetbootin to create boot disk with tails OS and your USB drive. The unetbootin page has pretty good instructions on how to do this, the step above contains the link.
3. Remove hdd from laptop or machine to be utilized for anonymous access to the web.
4. Boot into tails OS
5. Select forward to proceed with login or configure root pwd.
7. Establish VPN internet connection through your preferred VPN tunnel. (optional)
8. Establish TOR internet connection and ONLY use tor browser (world icon located on desktop toolbar).
9. When the TOR browser connects it will prompt you. Only use when it has properly connected.
10. Look up YouTube videos on how to do the above steps for details. Have fun and don't get caught doing dumb shit, this is for learning and shit. lol
Oh, and if none of this makes sense you don't need to be doing anything online that requires a high level of security on your own. Please seek the help of a professional before applying any of the techniques described in this document.
Notes:
This can be achieved without the use of TAILS OS. A solid understanding of VPN and TOR is all that is necessary. However, for a higher level of security, another layer per se, it is recommended to run your OS off a live CD/USB. I recommend it to be small in case you have to eat it, smash it, insert it inside an animal, a body cavity, etc.
You should also consider destroying any incriminating evidence from media removed from machine(s) or ensure the volume and containers thereof are encrypted. I hear hard drives make cool clocks and stuff.
Consider renting space on an offshore server and configuring a VPN server solution. I use openvpn client which is free. My rental fee is $5.00 per mo with the offshore vpn service I rent from.
Always ensure the host you're renting with does not keep or hand over logs to authorities if audited.
To achieve an extra layer of anonymity, it is highly recommended that all communications are issued from an IP address originating outside of your current location or home address, town, city, state, etc. This is probably the most important point to remember.
Advantages of managing your VPN solution.
The originating IP address is known by the vpn access server, if you are in control of said server, you can control logs, connection of client (block) if necessary.
With a vpn solution, secure connections from mobile devices can be achieved. These can also be stacked with the TOR browser client.
Thursday, June 25, 2015
Steps to Harden your External Router
- Implement RFC1918 (Private Address Space), RFC2827 (Network Ingress Filtering), and bogon Filtering (filtering unassigned address spaces).
- Drop fragmented traffic
- Implement Authentication, Authorization, and Accounting (AAA).
- Implement management console access restrictions using AAA and ACLs.
- Harden the routing protocols
- Implement ACLs to restrict SNMP access.
- Implement flood management through the use of traffic shaping, Quality of Service (QoS), and Weighted Fair Queuing (WFQ), on routers that support it.
- Remove all unnecessary services.
- Implement logging with syslog, SNMP traps and accounting.
- Drop directed broadcasts.
- Implement anti-spoofing. Don't allow your internal IP range to be the source address of packets arriving on the external interface.
- Prevent source routing.
- Prevent ICMP redirects.
- For your Cisco routers, implement Cisco Express Forwarding (CEF) to handle SYN floods.
- Ensure that you are running the latest stable software version to prevent being susceptible to threats that have been patched or updated.
- If your router has the horsepower to support it, implement the first line of traffic to allow only traffic that should be traversing the network edge through the use of ACLs, or in the case of Cisco routers running the IOS firewall feature set and using Context Based Access Control (CBAC).
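As an added example (not from the original post), here is how several of the checklist items translate to a Linux host serving as the external router, using nftables and sysctl. The WAN interface eth0, the internal range 192.168.1.0/24 and the function names are assumptions of this example, not values from the page.

```sh
#!/bin/sh
# Added example, not from the original post: checklist items applied to a
# Linux host acting as the external router, with nftables and sysctl.
# Assumed values (not from the page): WAN interface eth0, internal range
# 192.168.1.0/24, SSH management only from that range. Review the generated
# ruleset before loading it; it is deliberately strict (default-deny input).

WAN=${WAN:-eth0}
INTERNAL_NET=${INTERNAL_NET:-192.168.1.0/24}

# RFC1918 plus the usual bogons: "this" network, loopback, link-local, CGNAT,
# documentation/test nets, benchmarking, multicast and reserved. None of these
# is a legitimate source address on the external interface (RFC2827 filtering).
BOGONS="0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, \
172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, \
198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3"

# Print the nftables ruleset. To apply: edge_ruleset > /etc/nftables.conf && nft -f /etc/nftables.conf
edge_ruleset() {
    cat <<EOF
flush ruleset
table inet edge {
    set bogons {
        type ipv4_addr
        flags interval
        elements = { $BOGONS }
    }
    chain wan_ingress {
        type filter hook prerouting priority -150; policy accept;
        iifname != "$WAN" return
        # anti-spoofing: our own internal range never arrives from outside
        ip saddr $INTERNAL_NET counter log prefix "SPOOF " drop
        ip saddr @bogons counter log prefix "BOGON " drop
        # drop fragmented traffic (non-first fragments carry no L4 header to filter on)
        ip frag-off & 0x1fff != 0 counter drop
        # reverse-path check: drop sources we would not route back out this interface
        fib saddr . iif oif missing counter log prefix "RPF " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # management plane: SSH only from the internal range, never from the WAN
        iifname != "$WAN" ip saddr $INTERNAL_NET tcp dport 22 accept
        ip protocol icmp limit rate 10/second accept
    }
}
EOF
}

# Kernel settings for "prevent source routing", "prevent ICMP redirects",
# "anti-spoofing" (strict reverse-path filter, with rejected packets logged)
# and the smurf side of "drop directed broadcasts". Requires root.
harden_sysctl() {
    for kv in net.ipv4.conf.all.accept_source_route=0 \
              net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.conf.all.send_redirects=0 \
              net.ipv4.conf.all.rp_filter=1 \
              net.ipv4.conf.all.log_martians=1 \
              net.ipv4.icmp_echo_ignore_broadcasts=1; do
        sysctl -w "$kv"
    done
}
```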
Thursday, March 26, 2015
Ten DOS Attacks and Free DOS Attacking Tools
Some of these tools are dated but will still work. Please read the notes prior to usage and always use in a lab environment or permission of system/network/server proprietors.
1. LOIC (Low Orbit Ion Canon) - LOIC is one of the most popular DOS attacking tools freely available on the Internet. This tool was used by the popular hackers group Anonymous against many big companies’ networks last year. Anonymous has not only used the tool, but also requested Internet users to join their DDOS attack via IRC.
It can be used simply by a single user to perform a DOS attack on small servers. This tool is really easy to use, even for a beginner. This tool performs a DOS attack by sending UDP, TCP, or HTTP requests to the victim server. You only need to know the URL or IP address of the server and the tool will do the rest.
Enter the URL or IP address and then select the attack parameters. If you are not sure, you can leave the defaults. When you are done with everything, click on the big button saying “IMMA CHARGIN MAH LAZER” and it will start attacking the target server. In a few seconds, you will see that the website has stopped responding to your requests.
This tool also has a HIVEMIND mode. It lets an attacker control remote LOIC systems to perform a DDOS attack. This feature is used to control all other computers in your zombie network. This tool can be used for both DOS attacks and DDOS attacks against any website or server.
The most important thing you should know is that LOIC does nothing to hide your IP address. If you are planning to use LOIC to perform a DOS attack, think again. Using a proxy will not help you because it will hit the proxy server, not the target server. So using this tool against a server can create trouble for you.
Download LOIC here: http://sourceforge.net/projects/loic/
2. XOIC - performs a DOS attack on any server with an IP address, a user-selected port, and a user-selected protocol. Developers of XOIC claim that XOIC is more powerful than LOIC in many ways. Like LOIC, it comes with an easy-to-use GUI, so a beginner can easily use this tool to perform attacks on other websites or servers.
3. HULK (HTTP Unbearable Load King) - generates a unique request for each and every generated request to obfuscated traffic at a web server. This tool uses many other techniques to avoid attack detection via known patterns.
It has a list of known user agents to use randomly with requests. It also uses referrer forgery and it can bypass caching engines, thus it directly hits the server’s resource pool.
The developer of the tool tested it on an IIS 7 web server with 4 GB RAM. This tool brought the server down in under one minute.
Download HULK here: http://packetstormsecurity.com/files/112856/HULK-Http-Unbearable-Load-King.html
4. DDOSIM—Layer 7 DDOS Simulator - used to perform DDOS attacks by simulating several zombie hosts. All zombie hosts create full TCP connections to the target server. This tool is written in C++ and runs on Linux systems.
These are the main features of DDOSIM:
- Simulates several zombies in attack
- Random IP addresses
- TCP-connection-based attacks
- Application-layer DDOS attacks
- HTTP DDoS with valid requests
- HTTP DDoS with invalid requests (similar to a DC++ attack)
- SMTP DDoS
- TCP connection flood on random port
Download DDOSIM here: http://sourceforge.net/projects/ddosim/
Read more about this tool here: http://stormsecurity.wordpress.com/2009/03/03/application-layer-ddos-simulator/
5. R-U-Dead-Yet - also known as RUDY. It performs a DOS attack with a long form field submission via the POST method. This tool comes with an interactive console menu. It detects forms on a given URL and lets users select which forms and fields should be used for a POST-based DOS attack. Download RUDY: https://code.google.com/p/r-u-dead-yet/
6. Tor’s Hammer - It is a slow post tool written in Python. This tool has an extra advantage: It can be run through a TOR network to be anonymous while performing the attack. It is an effective tool that can kill Apache or IIS servers in a few seconds. Download TOR’s Hammer here: http://packetstormsecurity.com/files/98831/
7. PyLoris - PyLoris is said to be a testing tool for servers. It can be used to perform DOS attacks on a service. This tool can utilize SOCKS proxies and SSL connections to perform a DOS attack on a server. It can target various protocols, including HTTP, FTP, SMTP, IMAP, and Telnet. The latest version of the tool comes with a simple and easy-to-use GUI. Unlike other traditional DOS attacking tools, this tool directly hits the service. Download PyLoris: http://sourceforge.net/projects/pyloris/
8. OWASP DOS HTTP POST - You can use this tool to check whether your web server is able to defend against a DOS attack or not. Not only for defense, it can also be used to perform DOS attacks against a website. Download here: https://code.google.com/p/owasp-dos-http-post/
9. DAVOSET - The latest version of the tool has added support for cookies along with many other features. You can download DAVOSET for free from Packetstormsecurity.
Download DavoSET: http://packetstormsecurity.com/files/123084/DAVOSET-1.1.3.html
10. GoldenEye HTTP Denial Of Service Tool - a tool that can put heavy load on HTTP servers in order to bring them to their knees by exhausting resource pools.
Wednesday, March 11, 2015
I love Cyberghost - Secure your connections in 3 easy steps: No registration, super easy, completely free.
3 Steps, and It's fast, it's easy, and it's free!!
1. Download Cyberghost VPN by clicking link below:
*If your download doesn't start click on the download button on this page => www.cyberghostvpn.com/en_us/download
2. When Cyberghost installs it will launch a window indicating your real location. Click on the power button in the middle of the lower part of the window. Leave the Automatic defaults for simulated country and IP address.
3. You will now see your simulated location. Confirm by copying the IP address provided into a google search.
Happy Surfing!
Tuesday, March 3, 2015
Virtual Machine Utilization, Highlights and Advantages
VMWare and VirtualBox are the most popular free distributions of virtualization software. The documentation below is for VirtualBox, but Google searches will provide extensive installation and configuration documentation for both applications/appliances.
Why are virtual machines useful?
Multiple Operating Systems on one computer:
Virtualization allows you to run more than one operating system at a time. This way, you can run software written for one operating system on another (for example, Windows software on Linux or a Mac) without having to reboot to use it.
OS Management:
Virtual machines and their virtual hard disks can be considered "containers" that can be arbitrarily frozen, woken up, copied, backed up, and transported between hosts.
Software Testing and Disaster Recovery:
Utilizing VirtualBox "snapshots", one can save a particular state of a virtual machine and revert back to that state, if necessary. This way, one can freely experiment with a computing environment. If something goes wrong (e.g. after installing misbehaving software or infecting the guest with a virus), one can easily switch back to a previous snapshot and avoid the need for frequent backups and restores.
Any number of snapshots can be created, allowing you to travel back and forward in virtual machine time. You can delete snapshots while a VM is running to reclaim disk space.
------------------
Resources:
Virtual Box
installation manual:
How to install VirtualBox in Windows 7 YouTube install videos:
https://www.youtube.com/results?search_query=virtual+box+install+in+windows+7
VirtualBox download page:
https://www.virtualbox.org/wiki/Downloads
Saturday, January 10, 2015
Lists & Dictionaries
https://downloads.skullsecurity.org/passwords/
http://dazzlepod.com/site_media/txt/passwords.txt
brute force with ncrack, hydra and medusa
ncrack
wget http://nmap.org/ncrack/dist/ncrack-0.4ALPHA.tar.gz
./configure
make
make install
hydra
wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz
./configure
make
make install
medusa
wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz
./configure
make
make install
----------------------------------------
Medusa main page:
http://foofus.net/goons/jmk/medusa/medusa.html
HOWTO : DirBuster on Ubuntu Desktop 12.04 LTS
Step 1 :
sudo -sH
cd /opt
wget "http://downloads.sourceforge.net/project/dirbuster/DirBuster%20%28jar%20%2B%20lists%29/1.0-RC1/DirBuster-1.0-RC1.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fdirbuster%2Ffiles%2FDirBuster%2520%2528jar%2520%252B%2520lists%2529%2F1.0-RC1%2F&ts=1370262745&use_mirror=nchc" -O DirBuster-1.0-RC1.tar.bz2
tar -xjvf DirBuster-1.0-RC1.tar.bz2
mv DirBuster-1.0-RC1 DirBuster
rm DirBuster-1.0-RC1.tar.bz2
Step 2 :
To run it.
sudo -sH
cd /opt/DirBuster
./DirBuster-1.0-RC1.sh
That's all! See you.