anulap Documentation
Release 1.0a
Cory Kennedy
January 31, 2017
Contents:
1 Introduction
2 Quick_Start
  2.1 Frameworks
    2.1.1 MozDef
    2.1.2 threat_note
    2.1.3 ostip
  2.2 Platforms
  2.3 Tools
    2.3.1 SpiderFoot
3 Tutorial
4 CLI
5 Tools_List
  5.1 OSINT
    5.1.1 Paste Site Searches
  5.2 Malware
    5.2.1 yara
6 Definitions
7 Standards
  7.1 OASIS
  7.2 CAPEC
  7.3 CybOX
  7.4 IODEF (RFC5070)
  7.5 MAEC
  7.6 STIX
  7.7 TAXII
  7.8 VERIS
  7.9 MISP
8 Anonymity_Networks
  8.1 i2p
    8.1.1 What is i2p?
    8.1.2 How was i2p setup on Project Anulap
  8.2 TOR
    8.2.1 What is TOR?
    8.2.2 How Tor was setup on Project Anulap
    8.2.3 Install
    8.2.4 Update
    8.2.5 Automatic Update
    8.2.6 Manual update
9 Anulap_Structure
  9.1 Tools
  9.2 Frameworks
  9.3 Platforms
  9.4 Documentation
  9.5 Sources
11 UseCases
12 Visualizations
13 Upgrading
  13.1 Upgrading Project Anulap to the latest version
  13.2 Point Release(s)
  13.3 Build Project Anulap local documentation with your own changes
  13.4 Update ZSH Shell ONLY if you encounter errors
14 Resources
15 Indices and tables
CHAPTER 1
Introduction
CHAPTER 2
Quick_Start
2.1 Frameworks
2.1.1 MozDef
Root Directory ../home/anulap/Anulap/Repositories/Frameworks/mozdef/
Start mozdef:
sudo docker run /home/anulap/Anulap/Repositories/Frameworks/mozdef/docker/
sudo docker ps (to get the id of the container)
sudo docker attach 79fdd213efc0 (now you are inside the container)
/etc/init.d/supervisor start
Launch the interfaces through the Chromium bookmarks:
Meteor http://anulap:3000
Kibana http://anulap:3000
Elasticsearch http://anulap:9200
Loginput http://anulap:8080
API http://anulap:8081
2.1.2 threat_note
Root Directory ../home/anulap/Anulap/Repositories/Frameworks/threat_note/
Start threat_note:
python ~/Anulap/Repositories/Frameworks/threat_note/threat_note.py
2.1.3 ostip
Root Directory ../home/anulap/Anulap/Repositories/Frameworks/ostip/
Start OSTIP
python ~/Anulap/Repositories/Frameworks/ostip/run.py
2.2 Platforms
2.3 Tools
2.3.1 SpiderFoot
Root Directory ../home/anulap/Anulap/Repositories/Tools/spiderfoot/
Start SpiderFoot
python ~/Anulap/Repositories/Tools/spiderfoot/sf.py
CHAPTER 3
Tutorial
• SecKC Talk
CHAPTER 4
CLI
CHAPTER 5
Tools_List
5.1 OSINT
5.1.1 Paste Site Searches
osint.anulap.io: a Google Custom Search Engine (CSE) that searches over 100 paste sites.
or use it with the CLI!
curl "https://www.googleapis.com/customsearch/v1?key=INSERT_YOUR_API_KEY&cx=017576662512468239146:omuauf_lfve&q=anulap" > ~/investigation.json
jq '.items[].link' ~/investigation.json | awk '{print substr($0, 2, length() - 2)}'   # strip the quotes around each link
psbdmp.com: a small service that indexes pastebin dumps and lets you search them for hashes, emails, domains, etc.
curl http://psbdmp.com/api/search/domain/anulap.io
{"search":"anulap.io","count":1,"data":[{"id":"aNuLap23","time":"2017-08-17 12:03:20"}],"error":0,"error_info":""}
curl -v --silent http://psbdmp.com/api/dump/get/aNuLap23 2>&1 | grep -i "investigate focus"
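The two psbdmp.com steps above (search for a domain, then fetch each dump and grep it) as one small monitoring script. This is an added example, not part of the anulap documentation or the psbdmp service: the endpoints are the ones shown above, but the search response, the second dump id, the dump bodies and the watch terms are constructed sample data served by an offline fetch stub in place of curl.

```python
import json
import re
# Added example (not from the anulap docs or psbdmp): the two psbdmp.com steps above as one
# offline-testable script. The endpoints below are the ones shown on the page.
PSBDMP_SEARCH = "http://psbdmp.com/api/search/domain/{domain}"
PSBDMP_DUMP = "http://psbdmp.com/api/dump/get/{dump_id}"
# Constructed sample: the search response shape shown on the page plus one invented hit.
SAMPLE_SEARCH_RESPONSE = json.dumps({
    "search": "anulap.io", "count": 2,
    "data": [{"id": "aNuLap23", "time": "2017-08-17 12:03:20"},
             {"id": "dUmMy01", "time": "2017-08-18 09:11:02"}],
    "error": 0, "error_info": ""})
# Constructed dump bodies keyed by dump URL (stand-in for what curl would return).
SAMPLE_DUMPS = {
    PSBDMP_DUMP.format(dump_id="aNuLap23"): "config backup\nuser=admin@anulap.io\npassword=hunter2\n",
    PSBDMP_DUMP.format(dump_id="dUmMy01"): "nothing sensitive, just anulap.io mentioned in a link\n"}

def parse_search(body):
    """Return the dump ids from a psbdmp search response; raise if the API reports an error."""
    resp = json.loads(body)
    if resp.get("error"):
        raise RuntimeError("psbdmp error: %s" % (resp.get("error_info") or resp["error"]))
    return [hit["id"] for hit in resp.get("data", [])]

def scan_dump(text, domain, watch_terms):
    """Flag e-mail addresses at `domain` and any watch term found in the dump, case-insensitively."""
    findings = {}
    emails = re.findall(r"[\w.+-]+@" + re.escape(domain), text, re.IGNORECASE)
    if emails:
        findings["emails"] = sorted(set(emails))
    terms = [t for t in watch_terms if re.search(re.escape(t), text, re.IGNORECASE)]
    if terms:
        findings["terms"] = terms
    return findings

def monitor(domain, watch_terms, fetch):
    """Search -> fetch -> scan; return {dump_url: findings} only for dumps worth triaging."""
    report = {}
    for dump_id in parse_search(fetch(PSBDMP_SEARCH.format(domain=domain))):
        url = PSBDMP_DUMP.format(dump_id=dump_id)
        findings = scan_dump(fetch(url), domain, watch_terms)
        if findings:
            report[url] = findings
    return report

def offline_fetch(url):
    """Stand-in for curl: serve the constructed samples instead of hitting the network."""
    if url == PSBDMP_SEARCH.format(domain="anulap.io"):
        return SAMPLE_SEARCH_RESPONSE
    return SAMPLE_DUMPS[url]

if __name__ == "__main__":  # the watch terms are assumptions for the demo
    for url, found in monitor("anulap.io", ["password", "api_key"], offline_fetch).items():
        print(url, found)
```

Swapping offline_fetch for a function that performs the HTTP GET turns this into the live workflow, with the second hit dropped from the report because it contains neither a domain e-mail nor a watch term.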
5.2 Malware
5.2.1 yara
yarGen: a Yara bulk rule generator.
python ~/yarGen/yarGen.py -a "Anulap" -m .
CHAPTER 6
Definitions
CHAPTER 7
Standards
Standardized Threat Intelligence schemas.
7.1 OASIS
7.2 CAPEC
7.3 CybOX
7.4 IODEF (RFC5070)
7.5 MAEC
7.6 STIX
7.7 TAXII
7.8 VERIS
7.9 MISP
CHAPTER 8
Anonymity_Networks
8.1 i2p
To START an i2p connection, perform the following:
1. Make sure you are connected to the VPN
2. Run "i2prouter start" from a terminal
3. Switch to the "i2p" proxy within Chromium
To STOP an i2p connection, perform the following:
1. Run "i2prouter stop" from a terminal
2. Switch to the "Direct" proxy within Chromium
8.1.1 What is i2p?
The Invisible Internet Project (I2P) is an overlay network and darknet that allows applications to send messages to each other pseudonymously and securely. Uses include anonymous Web surfing, chatting, blogging and file transfers.
8.1.2 How was i2p setup on Project Anulap
The source documentation was copy/pasted below for Project Anulap local documentation purposes.
Instructions for Debian
Currently supported architectures include amd64, i386, armel, armhf (for Raspbian), and powerpc. Note: The steps below should be performed with root access (i.e., switching user to root with "su" or by prefixing each command with "sudo").
Add lines like the following to /etc/apt/sources.list.d/i2p.list.
For Wheezy:
deb https://deb.i2p2.de/ wheezy main
deb-src https://deb.i2p2.de/ wheezy main
For Jessie (stable):
deb https://deb.i2p2.de/ jessie main
deb-src https://deb.i2p2.de/ jessie main
For Testing (Stretch) or Unstable (Sid):
deb https://deb.i2p2.de/ unstable main
deb-src https://deb.i2p2.de/ unstable main
Download the key used to sign the repository and add it to apt:
apt-key add i2p-debian-repo.key.asc
Notify your package manager of the new repository by entering
apt-get update
This command will retrieve the latest list of software from every repository enabled on your system, including the I2P repository added in step 1. You are now ready to install I2P! Installing the i2p-keyring package will ensure that you receive updates to the repository's GPG key.
apt-get install i2p i2p-keyring
After the installation process completes you can move on to the next part of starting I2P and configuring it for your system.
Post-install work
Using these I2P packages the I2P router can be started in the following three ways:
• "on demand" using the i2prouter script. Simply run "i2prouter start" from a command prompt. (Note: Do not use sudo or run it as root!)
• "on demand" without the java service wrapper (needed on non-Linux/non-x86 systems) by running "i2prouter-nowrapper". (Note: Do not use sudo or run it as root!)
• as a service that automatically runs when your system boots, even before logging in. The service can be enabled with "dpkg-reconfigure i2p" as root or using sudo. This is the recommended means of operation.
When installing for the first time, please remember to adjust your NAT/firewall if you can. The ports to forward can be found on the network configuration page in the router console. If guidance with respect to forwarding ports is needed, you may find portforward.com to be helpful.
Please review and adjust the bandwidth settings on the configuration page, as the default settings of 96 KB/s down / 40 KB/s up are fairly conservative.
If you want to reach eepsites via your browser, have a look on the browser proxy setup page for an easy howto.
8.2 TOR
To START a TOR connection, perform the following:
1. Make sure you are connected to the VPN
2. Preferred way to start: start from the bottom dock (green globe) or Applications --> Internet
8.2.1 What is TOR?
Tor aims to conceal its users' identities and their online activity from surveillance and traffic analysis by separating identification and routing. It is an implementation of onion routing, which encrypts and then randomly bounces communications through a network of relays run by volunteers around the globe.
8.2.2 How Tor was setup on Project Anulap
Tor Browser was set up two ways:
1. Using the well maintained torbrowser-launcher (https://wiki.debian.org/TorBrowser/) to provide automatic updates.
2. Manually installing from: https://www.torproject.org/projects/torbrowser.html.en
The Tor browser binary lives in the following directory.
~/Anulap/Repositories/Tools/TOR/
The documentation below was copy/pasted from the torbrowser-launcher page linked above for Project Anulap local documentation purposes.
Tor Browser protects your privacy while you are surfing the Internet: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.
Tor Browser is based on Firefox and will be familiar to many users.
To keep your protection strong you need to update the Tor Browser regularly. In Debian the easier way to do that is to install Tor Browser using torbrowser-launcher, which automatically installs Tor Browser, runs it, and updates it to keep its protection strong and protect your privacy.
8.2.3 Install
Using a terminal as root, execute the following command:
apt-get install torbrowser-launcher
Run the browser in GNOME by typing "Tor Browser" in the Activities Search. Alternatively, run it from the terminal by entering
torbrowser-launcher
On the first start the new version of the browser will automatically be downloaded and installed. On every subsequent run a check for updates will be done.
8.2.4 Update
To update, choose one of the following two options. If unsure, the "automatic update" option is easier and recommended.
8.2.5 Automatic Update
Tor Browser will automatically prompt you to update the software once a new version has been released. The Torbutton icon will display a small yellow triangle. When you are prompted to update Tor Browser:
Click on the Torbutton icon and select the "Check for Tor Browser Update" option. If needed, see the screenshots to clarify the location. When Tor Browser has finished checking for updates, click on the "Update" button. Wait for the update to download and install, then restart Tor Browser. You will now be running the latest version. Alternatively, if you installed Tor Browser using the torbrowser-launcher package, simply close all Tor Browser windows, then re-open Tor Browser. It will automatically check if a new version is available. Follow the instructions on your screen.
8.2.6 Manual update
Before manually updating Tor Browser it is suggested to back up any valuable data, such as your bookmarks, which you can import after the manual update.
Manually update Tor Browser
When you are prompted to update Tor Browser, finish the browsing session and close the program. Remove Tor Browser from your system by deleting the folder that contains it. If needed, see the Uninstalling section for more information. Visit https://www.torproject.org/projects/torbrowser.html.en and download a copy of the latest Tor Browser release, then install it as before.
CHAPTER 9
Anulap_Structure
9.1 Tools
9.2 Frameworks
9.3 Platforms
9.4 Documentation
9.5 Sources
CHAPTER 11
UseCases
CHAPTER 12
Visualizations
• SecKC Talk
Font: Raleway Thin
Color (HEX): #4caaff(ff) / RGBA 76 170 255 255
CHAPTER 13
Upgrading
13.1 Upgrading Project Anulap to the latest version
cd ~/Anulap/Repositories/anulap
git pull origin
git submodule update --init --force
13.2 Point Release(s)
cd ~/Anulap/Repositories/anulap
git fetch
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
git submodule update --init --force
13.3 Build Project Anulap local documentation with your own changes
1. Navigate to ~/Anulap/Repositories/anulap/docs/
2. Make your changes to the .RST files
3. Run: sphinx-build -b html . _build/html
Dependencies
sphinx (pre-installed in Project Anulap)
13.4 Update ZSH Shell ONLY if you encounter errors
cd ~/.oh-my-zsh
git stash
upgrade_oh_my_zsh
CHAPTER 14
Resources
• https://attack.mitre.org/index.php/Main_Page
• https://www.us-cert.gov/tlp
• https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml
• http://psbdmp.com
CHAPTER 15
Indices and tables
• genindex
• modindex
• search