Friday, April 22, 2016

Installing Bro Network Security Monitor

This is the first of a two-part series. In part two I'll demonstrate how to use Bro, along with some use cases.


This installation was done on Debian. Use the appropriate package manager for your Linux distribution to install the following packages.

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

sudo apt-get install libgeoip-dev

gunzip GeoLiteCity.dat.gz

sudo mv /home/<username>/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat


tar zxvf bro-2.4.1.tar.gz

cd bro-2.4.1

sudo ./configure --prefix=/opt/bro2


make install

export PATH=/opt/bro2/bin:$PATH

To keep Bro on your PATH across logins, add that same export line to ~/.profile:

nano ~/.profile

  • In /opt/bro2/etc/node.cfg, set the right interface to monitor.
  • In /opt/bro2/etc/networks.cfg, comment out the default settings and add the networks that Bro will consider local to the monitored environment.
  • In /opt/bro2/etc/broctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.
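The three edits above can be scripted so they are repeatable across sensors. This is an added example written for this post, not part of Bro; it assumes the /opt/bro2 prefix used here (override with BRO_PREFIX), GNU sed, and the stock key names interface= in node.cfg and MailTo / LogRotationInterval in broctl.cfg.

```shell
#!/bin/sh
# Post-install configuration helper for Bro (added example, not Bro's own tooling).
set -eu
BRO_PREFIX="${BRO_PREFIX:-/opt/bro2}"

# node.cfg: set the capture interface; fails if the file has no interface= line.
bro_set_interface() {              # usage: bro_set_interface eth1
    sed -i "s|^interface=.*|interface=$1|" "$BRO_PREFIX/etc/node.cfg"
    grep -q "^interface=$1\$" "$BRO_PREFIX/etc/node.cfg"
}

# networks.cfg: comment out the shipped entries and append your own CIDRs
# (space separated). Every prefix is validated first, so a typo changes nothing.
bro_set_local_nets() {             # usage: bro_set_local_nets "10.1.0.0/16 192.0.2.0/24"
    cfg="$BRO_PREFIX/etc/networks.cfg"
    for net in $1; do
        echo "$net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
            || { echo "bad CIDR: $net" >&2; return 1; }
    done
    sed -i 's|^\([0-9]\)|# \1|' "$cfg"        # keep old entries, commented out
    for net in $1; do printf '%s\tLocal\n' "$net" >> "$cfg"; done
}

# broctl.cfg: notification recipient and log rotation interval in seconds.
bro_set_broctl() {                 # usage: bro_set_broctl soc@example.com 86400
    cfg="$BRO_PREFIX/etc/broctl.cfg"
    sed -i "s|^MailTo *=.*|MailTo = $1|; s|^LogRotationInterval *=.*|LogRotationInterval = $2|" "$cfg"
}

# Print the effective settings for a final look before deploying with broctl.
bro_show_config() {
    grep -h '^interface=' "$BRO_PREFIX/etc/node.cfg"
    grep -v '^#' "$BRO_PREFIX/etc/networks.cfg" | grep -v '^$'
    grep -E '^(MailTo|LogRotationInterval)' "$BRO_PREFIX/etc/broctl.cfg"
}
```

Run bro_show_config after the three setters and confirm the interface and local networks match the sensor's placement before starting Bro.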

Bro can also be run against a saved capture instead of a live interface; -r reads the pcap and -C tells Bro to ignore bad TCP/IP checksums, which are common in captures taken on hosts with checksum offloading:

bro -C -r pcap.pcap

Stay tuned for more Bro goodness!

Saturday, April 16, 2016

Web application pentesting on the Seattle VM

In my spare time I like to sharpen my skills by pentesting vulnerable virtual machines, usually from This is my review of "Seattle". This wasn't a thorough pentest of the web application; it was what I was able to knock out in a couple of hours one afternoon for fun.

I found an LFI at the URL "/details.php?prod=1&type=1&lang=USD".

The "My Account" page is vulnerable to SQL injection. The email address must be a valid email address. It wouldn't accept

On the Blog page, I clicked on "Admin" and arrived at this page which includes admin's email address.

Back on the "My Account" page, I logged in with and a password of "' or 1=1 -- ".

After multiple tests, I was able to exploit stored XSS on the site with "<a onmouseover=alert(document.cookie)>xxs link</a>". Any requests containing SCRIPT were filtered on the blog form. OWASP has an excellent cheat sheet on XSS filter evasion at

I was able to use sqlmap to exploit SQL injection with any of the product pages, using URL "/details.php?prod=1" for example. This was a blind SQL injection vulnerability, meaning that my usual methods of manually pulling info from the database to be displayed on the page didn't work, so I let sqlmap do the heavy lifting as blind SQL injection can be very difficult to exploit.


I pasted the hash into and found the root password. Had it not been found on crackstation I would have run it through oclhashcat which uses the GPU to run through very large password lists in a few minutes.

Game over:


This wasn't the most difficult web app that I've worked through. It did provide a couple of hours of fun on an afternoon off from work.