anulap Documentation - Read the Docs · anulap Documentation, Release 1.0a...

anulap DocumentationRelease 1.0a

Cory Kennedy

January 31, 2017

Contents:

1 Introduction 1

2 Quick_Start 32.1 Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.1.1 MozDef . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.1.2 threat_note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.1.3 ostip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.2 Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42.3 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.3.1 SpiderFoot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

3 Tutorial 5

4 CLI 7

5 Tools_List 95.1 OSINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

5.1.1 Paste Site Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95.2 Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

5.2.1 yara . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

6 Definitions 11

7 Standards 137.1 OASIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137.2 CAPEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137.3 CybOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137.4 IODEF (RFC5070) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137.5 MAEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137.6 STIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137.7 TAXII . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137.8 VERIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137.9 MISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

8 Anonymity_Networks 158.1 i2p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

8.1.1 What is i2p? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158.1.2 How was i2p setup on Project Anulap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

8.2 TOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

i

8.2.1 What is TOR? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168.2.2 How Tor was setup on Project Anulap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168.2.3 Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178.2.4 Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178.2.5 Automatic Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178.2.6 Manual update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

9 Anulap_Structure 199.1 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199.2 Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199.3 Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199.4 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199.5 Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

10 Tools_List 2110.1 OSINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

10.1.1 Paste Site Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2110.2 Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

10.2.1 yara . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

11 UseCases 23

12 Visualizations 25

13 Upgrading 2713.1 Upgrading Project Anulap to the latest version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2713.2 Point Release(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2713.3 Build Project Anulap local documentation with your own changes . . . . . . . . . . . . . . . . . . . 2713.4 Update ZSH Shell ONLY if you encounter errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

14 Resources 29

15 Indices and tables 31

ii

CHAPTER 1

Introduction

1

anulap Documentation, Release 1.0a

2 Chapter 1. Introduction

CHAPTER 2

Quick_Start

2.1 Frameworks

2.1.1 MozDef

Root Directory ../home/anulap/Anulap/Repositories/Frameworks/mozdef/

Start mozdef:

sudo docker run /home/anulap/Anulap/Repositories/Frameworks/mozdef/docker/sudo docker ps (to get id of container)sudo docker attach 79fdd213efc0(now you are inside docker)/etc/init.d/supervisor startLaunch interface through chromium bookmarks

Meteor http://anulap:3000

Kibana http://anulap:3000

Elasticsearch http://anulap:9200

Loginput http://anulap:8080

API http://anulap:8081

2.1.2 threat_note

Root Directory ../home/anulap/Anulap/Repositories/Frameworks/threat_note/

Start threat_note:

python ~/Anulap/Repositories/Frameworks/threat_note/threat_note.py

2.1.3 ostip

Root Directory ../home/anulap/Anulap/Repositories/Frameworks/ostip/

Start OSTIP

python ~/Anulap/Repositories/Frameworks/ostip/run.py

3

http://anulap:3000

http://anulap:3000

http://anulap:9200

http://anulap:8080

http://anulap:8081


2.2 Platforms

2.3 Tools

2.3.1 SpiderFoot

Root Directory ../home/anulap/Anulap/Repositories/Tools/spiderfoot/

Start SpiderFoot

python ~/Anulap/Repositories/Tools/spiderfoot/sf.py

4 Chapter 2. Quick_Start

CHAPTER 3

Tutorial

• SecKC Talk

5


6 Chapter 3. Tutorial

CHAPTER 4

CLI

7


8 Chapter 4. CLI

CHAPTER 5

Tools_List

5.1 OSINT

5.1.1 Paste Site Searches

osint.anulap.io Google Custom Search Engine (CSE) that searches over 100 paste sites. | Website

or use it with the CLI!

curl "https://www.googleapis.com/customsearch/v1?key=INSERT_YOUR_API_KEY&cx=017576662512468239146:omuauf_lfve&q=anulap" > ~/investigation.jsonjq '.items[].link' investigation.json | awk '{print substr($0, 2, length() - 2)}'

psbdmp.com Some tiny service that dumps pastebin(s) data for hashes,emails and etc. | Website

curl http://psbdmp.com/api/search/domain/anulap.io{"search":"anulap.io","count":1,"data":[{"id":"aNuLap23","time":"2017-08-17 12:03:20"}],"error":0,"error_info":""}%curl -v -silent http://psbdmp.com/api/dump/get/aNuLap23 2>&1 | grep -i "investigate focus"

-a command-line option “a”

-b file options can have arguments and long descriptions

--long options can be long also

--input=file long options can also have arguments

/V DOS/VMS-style options too

5.2 Malware

5.2.1 yara

yargen A Yara Bulk Rule Generator | Website

python ~/yarGen/yarGen.py -a "Anulap" -m .

-a options can have arguments and long descriptions options can be long also



9

http://osint.anulap.io

http://psbdmp.com

https://github.com/Neo23x0/yarGen


10 Chapter 5. Tools_List

CHAPTER 6

Definitions

11


12 Chapter 6. Definitions

CHAPTER 7

Standards

Standardized Threat Intelligence schemas.

7.1 OASIS

7.2 CAPEC

7.3 CybOX

7.4 IODEF (RFC5070)

7.5 MAEC

7.6 STIX

7.7 TAXII

7.8 VERIS

7.9 MISP

13


14 Chapter 7. Standards

CHAPTER 8

Anonymity_Networks

8.1 i2p

To START a i2p connection, perform the following

1. Make sure you are connected to the VPN2. run "i2prouter start" from a terminal3. switch to "i2p" proxy within chromium

To STOP a i2p connection, perform the following

1. run "i2prouter stop" from a terminal2. switch to "Direct" proxy within chromium

8.1.1 What is i2p?

The Invisible Internet Project (I2P) is an overlay network and darknet that allows applications to send messages toeach other pseudonymously and securely. Uses include anonymous Web surfing, chatting, blogging and file transfers.

8.1.2 How was i2p setup on Project Anulap

Source documenations was copy/pasta’d below for Project Anulap local documentation purposes.

Instructions for Debian

Currently supported architectures include amd64, i386, armel, armhf (for Raspbian), and powerpc. Note: The stepsbelow should be performed with root access (i.e., switching user to root with “su” or by prefixing each command with“sudo”).

Add lines like the following to /etc/apt/sources.list.d/i2p.list.

For Wheezy:

deb https://deb.i2p2.de/ wheezy maindeb-src https://deb.i2p2.de/ wheezy main

For Jessie (stable):

deb https://deb.i2p2.de/ jessie maindeb-src https://deb.i2p2.de/ jessie main

For Testing (Stretch) or Unstable (Sid):

15

https://en.wikipedia.org/wiki/I2P/

https://geti2p.net/en/download/debian#debian/


deb https://deb.i2p2.de/ unstable maindeb-src https://deb.i2p2.de/ unstable main

Download the key used to sign the repository and add it to apt:

apt-key add i2p-debian-repo.key.asc

**Notify your package manager of the new repository by entering

apt-get update

This command will retrieve the latest list of software from every repository enabled on your system, including the I2P repository added in step 1.You are now ready to install I2P! Installing the i2p-keyring package will ensure that you receive updates to therepository’s GPG key.

apt-get install i2p i2p-keyring

After the installation process completes you can move on to the next part of starting I2P and configuring it for your system.Post-install work

Using these I2P packages the I2P router can be started in the following three ways:

*"on demand" using the i2prouter script. Simply run "i2prouter start" from a command prompt. (Note: Do not use sudo or run it as root!)

*"on demand" without the java service wrapper (needed on non-Linux/non-x86 systems) by running "i2prouter-nowrapper". (Note: Do not use sudo or run it as root!)as a service that automatically runs when your system boots, even before logging in. The service can be enabled with "dpkg-reconfigure i2p" as root or using sudo. This is the recommended means of operation.

*When installing for the first time, please remember to adjust your NAT/firewall if you can. The ports to forward can be found on the network configuration page in the router console. If guidance with respect to forwarding ports is needed, you may find portforward.com to be helpful.

Please review and adjust the bandwidth settings on the configuration page, as the default settings of 96 KB/s down /40 KB/s up are fairly conservative.

If you want to reach eepsites via your browser, have a look on the browser proxy setup page for an easy howto.

8.2 TOR

To START a TOR connection, perform the following

1. Make sure you are connected to the VPN2. Preferred way to start: Start from bottom dock (green globe) or applications --> internet

8.2.1 What is TOR?

Tor aims to conceal its users’ identities and their online activity from surveillance and traffic analysis by separatingidentification and routing. It is an implementation of onion routing, which encrypts and then randomly bouncescommunications through a network of relays run by volunteers around the globe.

8.2.2 How Tor was setup on Project Anulap

Tor Browswer was setup two ways:

1. Using the well maintained `'torbrowser-launcher' <https://wiki.debian.org/TorBrowser/>`_ to provide automatic updates.2. Manually installing from: https://www.torproject.org/projects/torbrowser.html.en

The Tor browser binary lives in the following directory.

16 Chapter 8. Anonymity_Networks

https://en.wikipedia.org/wiki/Tor_(anonymity_network)/


~/Anulap/Repositories/Tools/TOR/

Documenation below was copy/pasta’d below from here for Project Anulap local documentation purposes.

Tor Browser protects your privacy while you are surfing the Internet: it prevents somebody watching yourInternet connection from learning what sites you visit, it prevents the sites you visit from learning yourphysical location, and it lets you access sites which are blocked.

Tor Browser is based on Firefox and will be familiar to many users.

To keep your protection strong you need to update the Tor Browser regularly. In Debian the easier way todo that is to install Tor Browser using torbrowser-launcher. Which automatically install Tor Browser, runit, update it to keep its protection strong and protect your privacy.

8.2.3 Install

Using Terminal as Root execute the following command

apt-get install torbrowser-launcher

Run the browser in GNOME by typing “Tor Browser” in the Activities Search. Alternatively, run it form the Terminalby entering

torbrowser-launcher

On the first start the new version of the browser will automatically be downloaded and installed. On every subsequentrun a check for updates will be done.

8.2.4 Update

To update choose one of the following two options. If unsure, the “automatic update” option is easier and recom-mended.

8.2.5 Automatic Update

Tor Browser will automatically prompt you to update the software once a new version has been released. The Torbuttonicon will display a small yellow triangle. When you are prompted to update Tor Browser:

Click on the Torbutton icon Select “Check for Tor Browser Update” option. If needed see those screenshots to clarifythe location. When Tor Browser has finished checking for updates, click on the “Update” button. Wait for the updateto download and install, then restart Tor Browser. You will now be running the latest version. Alternatively, if youinstalled Tor Browser using the torbrowser-launcher package. Simply close all Tor Browser windows. Then re-openTor Browser. It will automatically check if a new version is available. Follow the instructions on your screen.

8.2.6 Manual update

Before manually updating Tor Browser it is suggested to periodically backup any valuable data. Such asyour bookmarks. Which you could import after the manual update.

Manually update Tor Browser

When you are prompted to update Tor Browser, finish the browsing session and close the program. Remove TorBrowser from your system by deleting the folder that contains it. If needed see that Uninstalling section for more in-formation. Visit https://www.torproject.org/projects/torbrowser.html.en and download a copy of the latest Tor Browserrelease, then install it as before.

8.2. TOR 17

https://www.torproject.org/projects/torbrowser.html.en

https://www.torproject.org/projects/torbrowser.html.en


18 Chapter 8. Anonymity_Networks

CHAPTER 9

Anulap_Structure

9.1 Tools

9.2 Frameworks

9.3 Platforms

9.4 Documentation

9.5 Sources

19


20 Chapter 9. Anulap_Structure

CHAPTER 10

Tools_List

10.1 OSINT

10.1.1 Paste Site Searches

osint.anulap.io Google Custom Search Engine (CSE) that searches over 100 paste sites. | Website

or use it with the CLI!

curl "https://www.googleapis.com/customsearch/v1?key=INSERT_YOUR_API_KEY&cx=017576662512468239146:omuauf_lfve&q=anulap" > ~/investigation.jsonjq '.items[].link' investigation.json | awk '{print substr($0, 2, length() - 2)}'

psbdmp.com Some tiny service that dumps pastebin(s) data for hashes,emails and etc. | Website

curl http://psbdmp.com/api/search/domain/anulap.io{"search":"anulap.io","count":1,"data":[{"id":"aNuLap23","time":"2017-08-17 12:03:20"}],"error":0,"error_info":""}%curl -v -silent http://psbdmp.com/api/dump/get/aNuLap23 2>&1 | grep -i "investigate focus"

-a command-line option “a”

-b file options can have arguments and long descriptions

--long options can be long also



10.2 Malware

10.2.1 yara

yargen A Yara Bulk Rule Generator | Website

python ~/yarGen/yarGen.py -a "Anulap" -m .

-a options can have arguments and long descriptions options can be long also



21

http://osint.anulap.io

http://psbdmp.com

https://github.com/Neo23x0/yarGen


22 Chapter 10. Tools_List

CHAPTER 11

UseCases

23


24 Chapter 11. UseCases

CHAPTER 12

Visualizations

• SecKC Talk

Font: Raleway Thin Color (HEX) #4caaff(ff)/76 170 255 255

25


26 Chapter 12. Visualizations

CHAPTER 13

Upgrading

13.1 Upgrading Project Anulap to the latest version

cd ~/Anulap/Repositories/anulaphgit pull origingit submodule update --init --force

13.2 Point Release(s)

cd ~/Anulap/Repositories/anulapgit fetchgit checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)git submodule update --init --force

13.3 Build Project Anulap local documentation with your ownchanges

1. Navigate to ~/~/Anulap/Repositories/anulap/docs/2. Make your changes to the .RST files3. run: sphinx-build -b html ._build/html

Dependencies

sphinx (pre-installed in project anulap)

13.4 Update ZSH Shell ONLY if you encounter errors

cd .oh-my-zshgit stashupgrade_oh_my_zsh

27


28 Chapter 13. Upgrading

CHAPTER 14

Resources

• https://attack.mitre.org/index.php/Main_Page

• https://www.us-cert.gov/tlp

• https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml

• http://psbdmp.com

29

https://attack.mitre.org/index.php/Main_Page

https://www.us-cert.gov/tlp

https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml

http://psbdmp.com


30 Chapter 14. Resources

CHAPTER 15

Indices and tables

• genindex

• modindex

• search

31

anulap Documentation - Read the Docs · anulap Documentation, Release 1.0a...

Documents

Transcript of anulap Documentation - Read the Docs · anulap Documentation, Release 1.0a...