(not only) Android applications network analysis

First of all I recommend reading this blog post from Simone evilsocket Margaritelli that is – imho – one of the best comprehensive guides to Android applications reversing, of which network analysis is just a part.

In my post I will present 3 different methods I used to understand the network behavior (the focus is on network analysis, nothing more) of an Android application I analyzed:

  • using an HTTPS interception proxy;
  • MITMing the network traffic;
  • profiling the application with Android Studio.

Everyone can use the method they prefer (some simply may not work in your scenario); the results of the analysis are the same, and the method you’ll choose depends on the scenario you are testing, the software you are used to working with and so on.
Consider that the first two methods can be used to inspect the traffic from any application/program/device, not only an Android application.


Configure Squid proxy for SSL/TLS inspection (HTTPS interception)

Squid proxy

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.

Squid can be configured to make SSL/TLS inspection (aka HTTPS interception) so the proxy can decrypt proxied traffic (Squid calls this feature ssl bump).

Afaik the Squid package included in the Linux distros is not compiled with SSL/TLS inspection support, but the good news is that diladele (its github repo and Websafety documentation are useful resources) provides packages for Ubuntu and Centos, recompiled (you can do it yourself) with support for HTTPS filtering and SSL/TLS inspection. This means that we just have to configure Squid. Not an easy task anyway 🙂

I provide a working config; follow the next steps.


Ubuntu Terminator bug doubles keystrokes when broadcast option is set

Since Ubuntu 18.10 I’m experiencing a weird bug on Terminator, the terminal I use because of its broadcasting functionality.

The bug is known and tracked on launchpad but not fixed ¯\_(ツ)_/¯ so I found a quick way to fix it (tested up to 20.04), enjoy!

sudo mv /usr/bin/terminator /usr/bin/terminator.SAVE
# wrapper script: launch Terminator with an empty D-Bus session address so keystrokes are not doubled
cat <<'TERMINATOR' > /tmp/terminator
#!/bin/sh
exec env DBUS_SESSION_BUS_ADDRESS='' /usr/share/terminator/terminator "$@"
TERMINATOR
chmod 755 /tmp/terminator
sudo mv /tmp/terminator /usr/bin

Follow and be notified of any twitter thread reply – a python twitter scraper

I use twitter to follow a lot of good feeds, but often I need to follow twitter threads for new replies to have a fast and complete view of complex threads, even if I’m not cited or I’m not the tweet owner.

I did some searching and found a python script from @edu on github that was a good starting point. I learned that the twitter API doesn’t allow getting all the replies to a tweet, but it can be used to search for replies to a given tweet and replies to any reply as well. Good.

So starting from @edu’s code I wrote Twitter Scraper, a project made of 2 scripts:

  • twitter-scraper.py to get a complete list of twitter threads replies so you can have a fast and complete view of complex threads even if you are not the owner or you are not cited in all the tweet branches [video]
  • tweet.monitor.sh to check and be notified about new twitter threads replies [video]

The project page details the usage and configuration of both scripts with examples (command line and video), so jump in and test 🙂


Raspberry Pi + Pi-hole: a perfect combo

Raspberry Pi 3 B+ from The Pi Hut

In our SOC we use Pi-hole to block network ad-serving domains. The benefits of Pi-hole are highlighted on their web site:

  • Since ads are blocked before they are downloaded, your network will perform better
  • Network-level blocking allows you to block ads in non-traditional places such as mobile apps and smart TVs, regardless of hardware or OS

Pi-hole works on Linux systems, and for home use it is common to install it on a Raspberry Pi device.

This is my journey into installing Pi-hole on my Raspberry Pi.

Install and configure autoclick software on Linux

This is a memo-post for me, hope useful to someone else too.
The need is to have autoclick on your desktop to automate some recurring task.

To do this I installed xdotool

sudo apt-get install xdotool

After the installation, place your mouse on the desktop and get the mouse location:

  • x and y: screen coordinates;
  • screen: screen number, useful if you have more than one monitor/screen;
  • window: application window ID.

gmellini@SandTigerShark:~$ xdotool getmouselocation
x:758 y:512 screen:0 window:54525959

Test it executing the standalone command.

gmellini@SandTigerShark:~$ xdotool mousemove 1242 998 click 1

And iterate (the following command sleeps 5 seconds between clicks).

gmellini@SandTigerShark:~$ while true; do xdotool mousemove 1242 998 click 1; sleep 5; done


Configure Linux High Availability Cluster in Ubuntu with Corosync and DRBD file sync

Synchronization by Taxydromos69

I already wrote how to configure a basic High Availability Ubuntu cluster. The steps to set up a basic cluster are detailed in the previous post, so please read that post if you don’t know how to get the cluster up & running. The same conventions are used here.

One of the topics I didn’t cover in the old post was “application replication/synchronization between the nodes”. Now it’s time to show you how to keep files in sync between cluster nodes, using DRBD software. DRBD is a powerful component of the Linux kernel and is designed to keep data in sync via TCP/IP between node volumes. In this post we will set up a clustered freeradius service that syncs the /etc/freeradius/clients.conf file between nodes.

Block Flash content on Squid proxy

No more flash

One of the trending topics I discuss regularly with my company IT department is the need to block Flash content on our navigation proxies.

As a security person I have no doubt about it: Flash must be blocked. Period.

Because I manage some Squid proxies, I made this simple and effective configuration in the squid.conf file.

Forticlient SSLVPN packages for Ubuntu/Debian

[UPDATE: 17th of December 2019]
If you use Ubuntu 19.10, the OpenFortiGUI 18.04 package does not work. I’m using openfortivpn from the ubuntu repo and it is working well.

$ sudo apt install openfortivpn
$ cat config.vpn
host = <SERVER>
port = <PORT>
username = <USER>
pppd-use-peerdns = 1
# X509 certificate sha256 sum, trust only this one!
trusted-cert = <CERT>

$ sudo openfortivpn -c config.vpn

[UPDATE: 19th of November 2018]
Since Ubuntu 18.10 I started using OpenFortiGUI and it works well, so I suggest giving it a try.

[UPDATE: 9th Dec 2017]
If you want to use the FortiClient from command line, this is the command (for 64bit, same for 32bit with the right path)

$ yes | /opt/forticlient-sslvpn/64bit/forticlientsslvpn_cli --server <YOUR SERVER IP/FQDN HERE>:<YOUR SERVER PORT HERE> --vpnuser <YOUR USERNAME HERE> > /dev/null

—— original post ——

This post is just to point to the page where the great Rene maintains the .deb packages for the Forticlient SSLVPN Linux client (instead of the .tar.gz provided by Fortinet).

You can find the .deb files built by Rene in his blog Bits and Bites.

Configure basic Linux High Availability Cluster in Ubuntu with Corosync

Jellyfish Cluster - photo by robin on flickr

[Read also: HA Cluster with DRBD file sync which adds file sync configuration between cluster nodes]

[UPDATED on March 7, 2017: tested the configuration also with Ubuntu 16.04 LTS]

This post shows how to configure a basic High Availability cluster in Ubuntu using Corosync (cluster manager) and Pacemaker (cluster resource manager), software available in the Ubuntu repositories (tested on Ubuntu 14.04 and 16.04 LTS). More information regarding Linux HA can be found here.

The goal of this post is to set up a freeradius service in HA. To do this we use two Ubuntu 14.04 or 16.04 LTS Server nodes, announcing a single virtual IP from the active cluster node. Notice that in this scenario each freeradius cluster instance is a standalone instance; I don’t cover application replication/synchronization between the nodes (rsync or shared disk via DRBD). Maybe I can do a new post in the future 🙂 [I did the post]