Thursday, 20 December 2012

Install Metasploit and Armitage on Mac OSX Mountain Lion


  • Install the latest version of XCode from the App store
  • Install the command line tools in Xcode (Xcode -> Preferences -> Downloads)
# sudo vi /etc/sysctl.conf

On a MacBook Pro with 2GB of RAM, my sysctl.conf contains:


Reboot your machine before proceeding for the above settings to take effect

PostgreSQL Installation:

  • Download and install PostgreSQL from
  • Setup your root PostgreSQL password during installation.
  • Launch the newly installed "PGAdmin III" application.
  • Connect (double click) on the local PostgreSQL database and enter your root password when prompted.
  • Under the PostgreSQL drop down, right click on “Login Roles”, and select “New Login Role”
  • Set the role name to msfuser.
  • Click on the definition tab, and set the password as msfpassword.
  • Click OK to continue.
  • Next, right click on the databases list, and select “New Database”.
  • Set the name to metasploitdb, and set the owner to msfuser.
  • Press OK, and we’re done. You can close PGAdmin. 

Ruby and RubyGems installation: 

# sudo port selfupdate
# sudo port install ruby19 +nosuffix
# sudo env ARCHFLAGS='-arch x86_64' gem install pg -- --with-opt-include=/Library/PostgreSQL/9.1/include/ --with-opt-lib=/Library/PostgreSQL/9.1/lib/
# sudo port install msgpack
# sudo gem install msgpack
# export PATH=/opt/msf3:$PATH

Metasploit 4 Installation

# sudo svn co /opt/msf3/
# sudo ln -s /opt/msf3/msf* /opt/local/bin

Configure the Metasploit Database

# sudo mkdir /opt/local/config
# sudo vi /opt/local/config/database.yml

The config file should look something like this

  adapter: "postgresql"
  database: "metasploitdb"
  username: "msfuser"
  password: "msfpassword"
  port: 5432
  host: "localhost"
  pool: 256
  timeout: 5

Add the location of the database file to your environment

# export MSF_DATABASE_CONFIG=/opt/local/config/database.yml

Create pidof

You need to create a pidof file as the Armitage team server uses it to check if msfrpcd is running already. Since pidof does not exist on MacOSX natively, we will have to hack one together

# sudo vi /usr/local/bin/pidof

Add the following in the file:

ps axc|awk "{if (\$5==\"$1\") print \$1}"|tr '\n' ' '

Make the file executable

# sudo chmod 755 /usr/local/bin/pidof

Run Metasploit and Armitage

Start the Armitage team server

# cd /opt/msf3/data/armitage
# sudo -E ./teamserver <ip address> <password>

Note the -E option for sudo to keep the environment variables


Q: When trying to start the teamserver as root I get the following error:
[*] MSGRPC starting on (SSL):Msg...
[*] MSGRPC ready at Thu Dec 20 12:03:26 +0200 2012.
/opt/msf3/lib/fastlib.rb:374:in `fastlib_original_require': no such file to load -- msgpack (LoadError)
    from /opt/msf3/lib/fastlib.rb:374:in `gem_original_require'
    from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rubygems

A: As root, I ran "gem install msgpack" again and the error went away

Q: I get the following error when trying to start the teamserver

Warning: Uncaught exception: java.lang.RuntimeException: I can not find a database.yml file. I *really* need it.
Try setting MSF_DATABASE_CONFIG to a file that exists. at

A: Run "export MSF_DATABASE_CONFIG=/opt/local/config/database.yml" and make sure to use the -E flag for sudo

Wednesday, 19 December 2012

Installing Snort with ETPRO rules on Ubuntu 12.04


You first need to get a base image up and running which we won't cover here.
This guide also assumes that you are already spanning relevant traffic to eth1 of your snort box

Now you need to install Snort. Generally speaking I like using the source repositories as its easier to maintain and update. So lets get going...

# sudo su -
# apt-get update
# apt-get upgrade
# apt-get install snort-mysql

When prompted for the default home range, I normally use, yours might be different but most internal networks are in the 10.x.x.x range.

When asked whether a snort database should be created, choose "Yes" as we will be logging to Snorby that will be running on a separate server but that we will configure later

I always install swatch as I use it to monitor the log files for error messages

# apt-get install swatch

Now we need to install oinkmaster that will keep snort updated

# apt-get install oinkmaster

Now we need to configure oinkmaster to use our ET PRO rules instead of the default ones

First check what version of Snort you are running

# snort -V

In my case the version is 2.9.2 as can be seen below

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version:

Now edit the oinkmaster.conf file and add the ET Pro line like so

# vi /etc/oinkmaster.conf

Add the following line to the file

url =<etpro code goes here>/snort-2.9.2/etpro.rules.tar.gz

Next up you need to edit snort.conf to reflect your preferences. Below are the settings that I normally change, just search for them in the snort.conf file

# vi /etc/snort/snort.conf

Here are my changes:

# syslog
output alert_syslog: LOG_LOCAL7 LOG_ALERT

# pcap
#output log_tcpdump: tcpdump.log

Just before "Step #8:", I add the following

# Include the ETPRO rules
include $RULE_PATH/etpro.conf

Configure Swatch

Edit the swatch.conf file

# vi /etc/swatch.conf

Add the following line

watchfor /(ERROR)/
        mail addresses=<put your email address here>,subject=Snort FATAL Error

Starting Snort

Now I prefer starting and stopping snort via a cron script as can control exactly what is going on. So create the following script:

# vi /etc/cron.daily/5.snort

Add the following lines to the file:

#!/bin/sh -e
test -f /usr/sbin/snort || exit 0

# Kill Snort
kill -INT `cat /etc/snort/` || true

# Kill Swatch
kill -INT `cat /etc/` || true

sleep 10

# Delete log files to keep the disks clean
/bin/rm /var/log/snort/unified* || true
/bin/rm /var/log/snort/snort* || true

# Restart SYSLOG so everything is nice and clean
service rsyslog restart || true

#Run Oinkmaster
/usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules

# Start swatch
/usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/syslog --daemon --pid-file /etc/

sleep 10

# Start SNORT
/usr/sbin/snort -x -c /etc/snort/snort.conf --pid-path /etc/snort -i eth1 2>>/var/log/syslog &

exit 0

Another reason I start snort like this is also to be able to catch error messages with swatch and email it to myself which will come in very handy, trust me...

Now we run the cron file to start everything up

# /etc/cron.daily/5snort

If all goes according to plan, snort should start up and you can see the snort alerts by running

# tail -f /var/log/syslog

But things rarely go acccording to plan so you probably need to fix a few things....


Since I use swatch, I get the following error popping up on my terminal which shows something went wrong when I try and start up snort

ERROR: /etc/snort/rules/policy.rules(298) !any is not allowed: ![$DNS_SERVERS,$SMTP_SERVERS].

This means there is an unsupported option in the policy.rules file. Oinkmaster to the rescue since it can be used to modify rules as its downloaded

At the bottom of the /etc/oinkmaster.conf file, add the following line

disablesid 2003195

The above line disables the rule that is giving us trouble.

Now run the cron file again and deal with the next issue in a similar fashion

Thursday, 12 April 2012

Open Source Network Forensics and Zero-Day Malware

Although I work at a large enterprise with enough budget for the best security tech money can buy, I still have a passion for open source tools and a deep admiration for the people that freely give up their time and energy to build things of value and then share it with others.

We have successfully implemented a combination of open source tools, particularly in the field of network forensics, to detect and alert on malware traffic that was missed by the expensive tech, although they of course do their fair share of detecting and blocking as well.

It's obvious that now, more than ever, a defense in depth strategy is needed to combat what is in my opinion the #1 threat organizations face today - malware.

So why yet another blog...

Inspired by the name of one of the blogs I read regularly, The Day Before Zero, I've decided to put words into action and start a blog where we (me and others in my team) can share our experiences and learnings from the trenches of IT Security.

Because that is what we do, we defend the organizations we work for on a daily basis against the bad guys out there. So hopefully this blog will help in bolstering your defenses and keeping your company out of the headlines.

Splunk & Active Directory Password Expiry

So the other day I was asked by our IT Helpdesk if I could send them an alert when a VIP user's password is close to expiring so that th...