What to expect

The next few (well, probably more than a few) articles I write will be very beginner oriented. I have recently received some new cybersecurity books that I will be working through and posting my write-ups for here. I am by no means an expert in the field and am very much a beginner, so the write-ups I post may not be the most technically advanced articles, but they serve a valuable purpose to me. By writing up articles as I work through the problems presented in the texts, I hope to create a solid starting point for any research I do on my own, and to improve my writing style along the way.

I hope that what I write may help someone out there who is just getting started, and for those of you who aren’t just starting out, maybe these will be a nice refresher.

If you notice any flaws in the articles I write, please bring them to my attention and I will revise! I am open to all criticism, so don’t hesitate!


AWUS036ACH – Getting it to work on Linux (w/ Packet injection & Monitor mode)


This thing... this little devil right here has caused me nothing but trouble this past week. I have FINALLY gotten it to work, and maybe someone will stumble upon this article somewhere in the dark back pages of Google and it’ll help them too.

The Struggle

Nothing worked out of the box. The only reason I got the card was because I had just read a Kali article saying they had the drivers (with packet injection working) in their repos. So I thought, as I was running Arch at the time, it’ll be in the AUR, right?

Right I was…

So I downloaded these fancy AUR drivers (RTL8812AU) and installed them, and bingo, the card was now recognized... except it would not go into monitor mode (or allow packet injection, or txpower changes). And when I tried, it brought down my entire network stack. Everything just stopped working. I blamed it on the recent kernel updates and jumped ship on Arch to try out a new, more stable and less bleeding-edge OS. More on that at another time.

The Solution

Building the driver myself (from provided sources, of course).

I searched through at LEAST 5 different GitHub repos for a working driver. For the most part they worked fine, but still no packet injection. So I thought to myself, if the Kali driver works, and they claimed it supported packet injection, why not just use that driver??

I went through the latest Kali repos until I found the driver, downloaded it, built it and installed it… and it fucking worked.

I uploaded the Kali RTL88XXAU driver here:

https://github.com/0syntral/rtl8812au

Clone that repo, cd into it, run make, and then install the driver.

Or use DKMS, which I did.

NOTE: I have not gotten airmon-ng to work with this driver; to get this device into monitor mode you must do the following:

ifconfig <wlaninterface> down
iwconfig <wlaninterface> mode monitor
ifconfig <wlaninterface> up
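As an added example (not from this post), here is that same down / mode monitor / up sequence wrapped in a small Python script that afterwards parses iwconfig output to confirm the driver really switched, which is the failure mode described above. It must run as root; the sample iwconfig output and the default interface name wlan1 are constructed assumptions.

```python
import re
import subprocess
import sys

# Constructed sample of `iwconfig <iface>` output (not a real capture),
# showing the "Mode:" field the parser looks for.
SAMPLE_IWCONFIG = (
    "wlan1     IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm\n"
    "          Retry short limit:7   RTS thr:off   Fragment thr:off\n"
)
MODE_RE = re.compile(r"Mode:(\w+)")


def parse_iwconfig_mode(output):
    """Return the mode iwconfig reports ('Monitor', 'Managed', ...), or None."""
    match = MODE_RE.search(output)
    return match.group(1) if match else None


def run(cmd):
    """Run a command, raise CalledProcessError on failure, and return stdout."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def set_monitor_mode(iface):
    """Apply the post's three-command sequence and return the resulting mode."""
    run(["ifconfig", iface, "down"])
    run(["iwconfig", iface, "mode", "monitor"])
    run(["ifconfig", iface, "up"])
    return parse_iwconfig_mode(run(["iwconfig", iface]))


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "wlan1"  # assumed interface name
    try:
        mode = set_monitor_mode(iface)
    except subprocess.CalledProcessError as err:
        sys.exit(f"command {err.cmd} failed: {err.stderr.strip()}")
    if mode != "Monitor":
        # The AUR driver in the post accepted the commands but never switched.
        sys.exit(f"{iface} reports mode {mode!r}; the driver did not switch")
    print(f"{iface} is in monitor mode")
```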


Graylog server setup

I decided to learn more about log management, how to track down incidents, and how to extract useful information from large amounts of data. From this information I plan to create alerts when specific patterns of activity happen. Even

To do this, I set up a CentOS VM (GB RAM, 4-core CPU) and installed Graylog onto it.

I’m not going to go into setting up Graylog here, as they have fantastic documentation on setting it up for RHEL/CentOS:

http://docs.graylog.org/en/2.2/

First thoughts:


The web interface is super nice.

There are a ton of features, the search function is extremely powerful, and it allows you to pull specific fields from your log messages and do all sorts of cool things with them. Once we have logs, anyway… (This image is deceiving; I already had some logs being forwarded at this time.)

Getting Logs into our server

First, if you’re using an OS with a firewall (which I hope you are!!!!!), open the port that you’ll be using for log traffic.

Then read this; once again, their documentation is fantastic and goes over most of this in detail:

http://docs.graylog.org/en/2.2/pages/sending_data.html

Basically the process goes something like this:

  1. Create an input
  2. Start input
  3. Forward logs from X server via whichever method you used to create the input to the port you specified (and opened in your firewall!)
  4. Check your log server and see if logs are coming in!
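As an added example (not from this post or the Graylog project), here is what step 3 looks like for a GELF UDP input, in Python: it builds a GELF 1.1 message, gzips it, splits it into GELF chunks when it would not fit one datagram, and sends it to the input's port (12201 is Graylog's default). The server name graylog.lab.example and the sample event are constructed assumptions.

```python
import gzip
import json
import os
import socket
import struct
import time

CHUNK_MAGIC = b"\x1e\x0f"  # every GELF chunk starts with these two bytes
CHUNK_SIZE = 1420          # datagram size that fits a typical MTU
CHUNK_HEADER = 12          # magic (2) + message id (8) + seq (1) + count (1)
MAX_CHUNKS = 128           # GELF limit on chunks per message


def build_gelf(host, short_message, level=6, full_message=None, **extra):
    """Build a GELF 1.1 message; additional fields get the mandatory '_' prefix."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": level}
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        if key == "id":
            raise ValueError("'_id' is reserved by Graylog and must not be sent")
        msg["_" + key] = value
    return msg


def encode_gelf(msg):
    """Serialise to JSON and gzip it; the GELF UDP input detects the gzip header."""
    return gzip.compress(json.dumps(msg).encode("utf-8"))


def decode_gelf(payload):
    """Inverse of encode_gelf, useful for checking what the server will see."""
    return json.loads(gzip.decompress(payload).decode("utf-8"))


def chunk_gelf(payload):
    """Split a payload larger than one datagram into GELF chunks."""
    per_chunk = CHUNK_SIZE - CHUNK_HEADER
    if len(payload) <= CHUNK_SIZE:
        return [payload]
    pieces = [payload[i:i + per_chunk] for i in range(0, len(payload), per_chunk)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("message exceeds the 128-chunk GELF UDP limit")
    message_id = os.urandom(8)  # must be identical for all chunks of one message
    return [CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def send_gelf(msg, server, port=12201):
    """Send one message to a Graylog GELF UDP input."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for datagram in chunk_gelf(encode_gelf(msg)):
            sock.sendto(datagram, (server, port))


if __name__ == "__main__":
    # Constructed sample event; the hostname below is an assumption.
    event = build_gelf("vmhost", "sshd: Failed password for root from 10.0.0.5",
                       level=4, source_ip="10.0.0.5", service="sshd")
    send_gelf(event, "graylog.lab.example")
```

Because UDP is fire-and-forget, step 4 (checking the input's message count in the web interface) is the only confirmation that the datagram arrived and the firewall port is really open.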

Parsing data

This is where I am currently at. I now have logs coming in from my router, VM host, and a few Windows machines, but haven’t created any extractors for them yet. So I have some raw messages that I have to do some very explicit searching for, which isn’t too bad, but you can’t make a ton of cool graphs and stuff with it yet..

This article explains extractors and how to create them nicely:

http://docs.graylog.org/en/2.2/pages/extractors.html

I’ll update more once I get some message extracting done!

My current hardware

Currently I have a small home lab for virtual machines and whatnot. It makes it easy to test different OSes, tools, software, etc. I will try to keep this updated with my current setup, as I plan on gradually adding more and more hardware as I progress.

Daily driver:

I am currently using a Lenovo T460 running Arch as my daily laptop. This laptop is the sturdiest and best-built machine I’ve ever used. The keyboard feels fantastic, and the dual battery (23 WHr built in + 72 WHr removable) lasts FOREVER. I have seriously worked for 12 hours straight without needing to charge this thing. The 14-inch screen is the perfect size as well: not too big, not too small.

Current homelab setup:

  • Router – ASUS RT-N66U (running DD-WRT)
  • Some small 5-port dumb switch
  • HP ML110 G7 – running Proxmox (will probably change this to CentOS + QEMU later)
  • A Raspberry Pi, somewhere, running something.

Future homelab hardware:

  • Another, bigger, server. Thinking about an HP DL360 G7.
  • pfSense firewall (I might build one or buy one)