Thursday, September 14, 2017

Expressing Uncertainty in Language

I am currently working on an incident, and during the lessons learned phase one person asked me how we use language to express uncertainty. It is something that is obvious once you know about it, but it is worth sharing:

  • 100% = certain (NL: zeker, FR: certain)
  • 93% with 6% deviation up and down = almost certain (NL: bijna zeker, FR: presque certain)
  • 75% with 12% deviation up and down = probable (NL: waarschijnlijk, FR: probable)
  • 50% with 10% deviation up and down = chances are even that ... (NL: de kansen zijn gelijk ..., FR: les chances sont aussi probable que ...)
  • 30% with 10% deviation up and down = probably not (NL: onwaarschijnlijk , FR: improbable)
  • 7% with 5% deviation up and down = almost certainly not (NL: zeer onwaarschijnlijk, FR: très improbable)
  • 0% = impossible (NL: onmogelijk, FR: impossible)

An example of use is the discussion we were having about the user-agent and how good it is as a piece of evidence. Since the user-agent string can be manipulated and the machine is not under our control, we can't do forensics on it. This gives us a 50% chance that the user-agent string was manipulated, and thus the right wording is: "chances are even that the user-agent is ...".

I am not mentioning the actual user-agent string since I don't want to discuss the case as such.

Monday, July 24, 2017

Veracrypt revisited

I like veracrypt and I use encrypted volumes. Up till now I've been using the GUI, but recently I needed to work from the command line, so this is my little brain dump.

Creating a key file
veracrypt --text --create-keyfile --random-source=/dev/random /home/erik/

Keeping the keyfile somewhere other than the volume makes the volume a bit less convenient to access, but if you want more security it is a good thing. You can for example store it on an external volume or in your KeePass password vault.

Creating a volume
veracrypt --text --create --volume-type=normal --size=10M --encryption=AES --hash=SHA-512 --filesystem=NTFS --password=Password --random-source=/dev/random --keyfiles=/home/erik/ --pim=0 /path/to/volume   # the last argument is the volume file to create (placeholder path)

Remember that you need to take a precaution so that the command is not logged in your history file. On my system this is done by putting a space in front of the command, since my HISTCONTROL variable is set to ignoreboth.

The reason is that the command contains the password you used for this volume. Once your password is stored in your command line history, you should consider it known to the rest of the world.

The PIM is a second 'secret' value you will need to know. The default value is 0, but it is of course a good idea to use a different value than 0.

Mounting a volume
mkdir -p /home/erik/veracrypt
sudo veracrypt --text --password=Password --pim=0 --keyfiles=/home/erik/ --protect-hidden=no /path/to/volume /home/erik/veracrypt   # volume file (placeholder path), then the mount point

Again it is a good idea to take the precaution so that your mounting doesn't give away the password or the PIM.

Unmounting a volume
sudo veracrypt -d
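The history precaution above covers the history file only; the password is still visible in the process list while the command runs. The following wrapper is an added example, not the post's own commands: it keeps the password out of argv entirely and checks HISTCONTROL first. It assumes VeraCrypt's --stdin switch (password read from standard input, an option of newer releases than the one the post may have used); the paths are placeholders.

```shell
#!/bin/bash
# Added example (not the post's commands): keep the VeraCrypt password out of
# argv, so it reaches neither the shell history nor the process list (ps,
# /proc/*/cmdline), which HISTCONTROL alone does not cover. Assumes VeraCrypt's
# --stdin switch (password read from standard input); paths are placeholders.
set -u

# Return 0 when space-prefixed commands are kept out of the history file.
histcontrol_ok() {
    case "${1-${HISTCONTROL-}}" in
        *ignorespace*|*ignoreboth*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the veracrypt options for mounting VOLUME on MOUNTPOINT with KEYFILE
# and PIM. The password is deliberately absent; the PIM still travels in argv.
mount_args() {
    local volume=$1 mountpoint=$2 keyfile=$3 pim=$4
    printf '%s ' --text --non-interactive --stdin "--pim=$pim" \
        "--keyfiles=$keyfile" --protect-hidden=no "$volume" "$mountpoint"
}

# Prompt without echo and hand the password to veracrypt over stdin.
mount_volume() {
    local volume=$1 mountpoint=$2 keyfile=$3 pim=$4 password
    histcontrol_ok || echo "warning: HISTCONTROL lacks ignorespace/ignoreboth" >&2
    mkdir -p "$mountpoint"
    printf 'VeraCrypt password: ' >&2
    IFS= read -rs password
    printf '\n' >&2
    # word-splitting of the mount_args output is intended (no spaces in the paths)
    printf '%s\n' "$password" | sudo veracrypt $(mount_args "$volume" "$mountpoint" "$keyfile" "$pim")
    unset password
}
```

Call it as `mount_volume /path/to/volume /home/erik/veracrypt /home/erik/keyfile 0`; dismounting stays `sudo veracrypt -d`.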

Wednesday, June 21, 2017

Firefox Focus

I like my privacy; it is something I value, and when I saw that Mozilla produced Firefox Focus, a browser for Android that does a better job for your privacy, I wanted to test it out.

I installed it and went as usual straight for the settings, where I had a little disappointment. The default search engine is Yahoo and not DuckDuckGo, and instead of an opt-in you have an opt-out for sending anonymous data. For the rest I turned all options on to block as much as possible.

I visited a couple of websites and must say that it ran smoothly, and if you think about it, you are pulling down less from the Internet, so you will consume less of your data plan.

If I run into any trouble I will write a follow-up, but up till now there were no issues.

Thursday, April 20, 2017

Docker behind a proxy

Docker is a useful tool in my toolbox. I especially recommend the remnux contributions by Lenny Zeltser. Recently I needed a VM with an Ubuntu guest OS to run docker containers, but the issue was that the pull had to go through an authenticated proxy.

Docker has given this scenario thought and this is what I did:

sudo mkdir /etc/systemd/system/docker.service.d
sudo touch /etc/systemd/system/docker.service.d/http-proxy.conf
sudo vi /etc/systemd/system/docker.service.d/http-proxy.conf

In this file you put:

Flush the changes:
sudo systemctl daemon-reload

Test if it worked:
sudo systemctl show --property=Environment docker

This should show the proxy you entered.

Restart docker:
sudo systemctl restart docker
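The steps above as one script, added here as an example and not the post's own code: it generates the drop-in file the post refers to, installs it root-only (the file carries the proxy credentials), reloads systemd and reads back what the daemon sees. The [Service]/Environment= lines are standard systemd unit syntax; the proxy URL, credentials and NO_PROXY list are placeholders.

```shell
#!/bin/bash
# Added example (not the post's own script): generate the systemd drop-in the
# post points at, install it and verify the daemon picked it up. The
# [Service]/Environment= lines are standard systemd unit syntax; the proxy URL,
# credentials and NO_PROXY list are placeholders.
set -eu

DROPIN_DIR=/etc/systemd/system/docker.service.d
DROPIN="$DROPIN_DIR/http-proxy.conf"

# Print the drop-in for PROXY_URL; hosts in NO_PROXY (comma-separated) are
# reached directly, e.g. an internal registry that is not behind the proxy.
render_proxy_dropin() {
    local proxy=$1 no_proxy=${2:-localhost,127.0.0.1}
    printf '[Service]\n'
    printf 'Environment="HTTP_PROXY=%s"\n' "$proxy"
    printf 'Environment="HTTPS_PROXY=%s"\n' "$proxy"
    printf 'Environment="NO_PROXY=%s"\n' "$no_proxy"
}

# Take the output of `systemctl show --property=Environment docker` and print
# the HTTP_PROXY value; return 1 when the daemon has no proxy configured.
proxy_from_environment() {
    local line=${1#Environment=} word
    for word in $line; do
        case $word in
            HTTP_PROXY=*) printf '%s\n' "${word#HTTP_PROXY=}"; return 0 ;;
        esac
    done
    return 1
}

# Write the drop-in root-only (it carries the proxy password), reload, restart
# and show what the daemon actually sees.
install_proxy_dropin() {
    local proxy=$1
    sudo mkdir -p "$DROPIN_DIR"
    render_proxy_dropin "$proxy" | sudo tee "$DROPIN" >/dev/null
    sudo chmod 600 "$DROPIN"
    sudo systemctl daemon-reload
    sudo systemctl restart docker
    proxy_from_environment "$(sudo systemctl show --property=Environment docker)"
}
```

Run it as `install_proxy_dropin 'http://user:password@proxy.example.com:3128/'`; the last line printed is the proxy the daemon really uses, or nothing if the drop-in was not picked up.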

Thursday, April 6, 2017

Dockerized recon-ng

OSINT is very important in what I do and thus I've spent some time getting familiarized with recon-ng in the past. Since I like my toys as much as the next IT guy I decided to run it in a container so that I can spin it up exactly how I like it in every environment.

The dockerfile

# Based on ubuntu
FROM ubuntu:16.04
LABEL maintainer="Erik Vanderhasselt"

# Set environment variables
ENV DEBIAN_FRONTEND=noninteractive

# Set the mirror to the country mirror
RUN sed -i 's/archive/be.archive/g' /etc/apt/sources.list

# Upgrade Ubuntu
RUN apt-get update
RUN apt-get install -f
RUN apt-get dist-upgrade -y

# Set the timezone
# (workaround for a tzdata bug in ubuntu 16.04)
RUN ln -fs /usr/share/zoneinfo/Europe/Brussels /etc/localtime
RUN dpkg-reconfigure -f noninteractive tzdata

# installation of git
RUN apt-get install -y git

# Clone recon-ng from bitbucket into /recon-ng (replace the placeholder with the repository URL)
RUN git clone <recon-ng-bitbucket-url> /recon-ng

# Remove git
RUN apt-get remove -y git

# installation of python and pip
RUN apt-get install -y python
RUN apt-get install -y python-pip

# Install the python dependencies of recon-ng
WORKDIR /recon-ng
RUN pip install -r REQUIREMENTS

# Cleaning up
RUN apt-get autoremove -y
RUN apt-get clean -y

# Execute recon-ng framework
ENTRYPOINT ["./recon-ng"]

I am spinning this container up in Belgium, which is why the mirror is the be mirror. If you work in another country it might be a good idea to change the value. This will make the downloads a bit faster.

To make the build a bit easier I wrote a small build script:
#! /bin/bash

# creation of the output directory and subdirectories
mkdir -p output

# build of the docker image, tagged with a timestamp and as latest
DATE=$(date +%y%m%d%H%M%S)
sudo docker build -t "recon-ng:$DATE" -t recon-ng:latest .

And since spinning it up requires a -v bind mount to get at the output, I wrote a little script:

#! /bin/bash

# create the variables (image tag as set by the build script, output under the current directory)
IMAGE=recon-ng:latest
PATH_RECON=$(pwd)

# creation of the output directory
mkdir -p "$PATH_RECON/output"

# run the container with the output directory mounted as the recon-ng home
sudo docker run --rm -it -v "$PATH_RECON/output/:/root/.recon-ng/" "$IMAGE"

Finally, while I was at it, I wrote a little script to archive the result so that I am sure I don't mix databases while working on different projects in parallel.

#! /bin/bash

# archive the output directory
sudo tar cvf recon-ng.tar output/

# delete the output directory
sudo rm -Rf output/

Monday, March 20, 2017

I stumbled on github tagging recently. It is a feature I was not aware of.

For example if I am very interested in RAT (remote access trojans) I can find these projects with and

The syntax of the repo list is thus:

This a list of interesting keywords I've been looking at:
  • trojan
  • rat
  • keylogger
  • spyware
  • malware-research
  • malware-development
  • steganography
  • pentesting
  • blacklist
  • code-injection
  • virus
  • persistence
  • meterpreter
  • reverse-shell
  • malware
  • threat
  • bypass-av
  • powershell
  • sniffer
  • scanner
  • xss
  • sql-injection
  • sqli
  • denial-of-service
  • phishing
  • man-in-the-middle
  • exploit
  • fuzzer
  • poc
  • attacker

One should of course not jump to conclusions and understand that a knife can be used for killing but I used one this morning to cut my bread.

Powershell try catch, quick demo

This post is for the person to whom I explained try catch today ;)

When you do things in powershell you will need try-catch blocks to handle your errors.

Try, catch and finally
The try block contains the things you want to do. The catch block handles the error types; a generic catch is a catch-all (usually not the right solution), and finally is what to do when you are finished.

The $error variable is the variable that will be your friend. When you run a script, $error.Count should be 0. When you are running in an IDE this can be different, so as a matter of safety and to avoid headaches you might want to put these as the first lines of your script:

# clearing output and $error
Clear-Host
$error.Clear()

Making errors
To demo the try catch I did a division by zero; as we all know this gives an error and is thus an excellent candidate to learn try-catch.

$a = 1
$b = 0
$a / $b

Getting the errors from $error
Now that we have an error we can ask $error what type of error we created:

$error[0].Exception.GetType().FullName

This returned [System.Management.Automation.RuntimeException]

When you are developing, check $error.Count to see if you handled all errors and did not forget one. During development you can put as the last line

Write-Host $error

to check if you handled everything.

Handling the error
Now that we know the error type we can handle it:

try {
    $a = 1
    $b = 0
    $a / $b
}
catch [System.Management.Automation.RuntimeException] {
    Write-Host "You caught an error"
    break
}
finally {
    Write-Host "This is the finally block"
    $error.Clear()
}

The break statement instructs the catch block to go to the finally block, and the $error.Clear() in the finally block is cleaning up after yourself.