Last night I had some free time to play with my network, and I ran  tcpdump out of curiosity. For a while, I’ve been interested to analyze what traffic is going through my home network, and the result of my test pushed me to get to work. I have a bunch of Raspberry Pi devices in my drawers, so, the simplest thing that I can do is get one and install Elastic SIEM on it. For those of you, who don’t know what SIEM is, it stands for Security Information and Event Management. My hope was that with it, I will be able to get a better understanding of the traffic on my home network.

Installing Elastic SIEM on Raspberry Pi

The first thing I had to do is to install the ELK stack on a Raspberry Pi. There are not too many good articles that explain how to set up Elastic SIEM on your Pi. According to Elastic, Elastic SIEM is generally available in Elastic Stack 7.6. So, installing the Elastic Stack should do the work.

A couple of notes before that:

  1. The first thing to keep in mind is that 8GB is the minimum requirement for the ELK stack. You can get around with 2GB Pi, but if you want to run the whole stack (Elasticsearch, Logstash, and Kibana) on a single device, make sure that you order Raspberry Pi 4 Model B Quad Core 64 Bit with 4GB[ad]. Even this one is a stretch if you collect a lot of information. A good option would be to split the stack over two devices: one for Elasticsearch and Kibana, and another one for the Logstash service
  2. Elastic has no builds for Raspbian. Hence, in the instructions below, I will use Debian packages and will describe the steps to install those on the Pi. This will require some custom configs and scripts, so be prepared for that. Well, this article is how to hack the installation and no warranties are provided 🙂
  3. You will not be able to use the ML functionality of Elasticsearch because it is not supported on the low-powered Raspbian device
  4. Below steps assume version 7.7.0 of the ELK stack. If you are installing a different version, make sure that you replace it accordingly in the commands below
  5. Last but not least (in the spirit of no warranties), Elasticsearch has a dependency on libc6that will be ignored and will break future updates. You have to deal with this at your own risk

Here the steps to follow.

Installing Elasticsearch on Raspberry Pi

  1. Set up your Raspberry Pi first. Here are the steps to set up your Rasberry Pi. The Raspberry Pi Imager makes it even easier to set up the OS. Once again, I would recommend using Raspberry Pi 4 Model B Quad Core 64 Bit with 4GB[ad] and a larger SD card[ad] to save logs for longer.
  2. Make sure all packages are up to date, and your Raspbian OS is fully patched.
    sudo apt-get update
    sudo apt-get upgrade
  3. Install the ZIP utility, we will need that later on for the Logstash configuration.
    sudo apt-get install zip
  4. Then, install the Java JRE because Elastic Stack requires it. You can use the open-source JRE to avoid licensing troubles with Oracle’s one.
    sudo apt-get install default-jre
  5. Once this is done, go ahead and download the Debian package for Elasticsearch. Make sure that you download the package with no JDK in it.
    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.7.0-no-jdk-amd64.deb
  6. Once this is done, go ahead and install Elasticsearch using the package manager.
    sudo dpkg -i --force-all --ignore-depends=libc6 elasticsearch-7.7.0-no-jdk-amd64.deb
  7. Next, we need to configure Elasticsearch to use the installed JDK.
    sudo vi /etc/default/elasticsearch

    Set the JAVA_HOMEto the location of the JDK. Normally this is /usr/lib/jvm/default-java. You can also set the JAVA_HOMEto the same path in the /etc/environmentfile but this is not required.

  8. Last thing you need to do if to disable the ML XPack for Elasticsearch. Change the access mode to the /etc/elasticsearchdirectory first and edit the Elasticsearch configuration file.
    sudo chmod g+w /etc/elasticsearch
    sudo vi /etc/elasticsearch/elasticsearch.yml

    Change the xpack.ml.enabledsetting to falseas follows:

    xpack.ml.enabled: false

The above steps install and configure the Elasticsearch service on your Raspberry Pi. You can start the service with:

sudo service elasticsearch start

Or check its status with:

sudo service elasticsearch status

Installing Logstash on Raspberry Pi

Installing Logstash on the Raspberry Pi turned out to be a bit more problematic than Elasticsearch. Again, Elastic doesn’t have a Logstash package that targets ARM architecture and you need to install it manually. StackOverflow posts and GitHub issues were particularly helpful for that – I listed the two I used in the References at the end of this article. Here the steps:

  1. Download the Logstash Debian package from Elastic’s repository.
    wget https://artifacts.elastic.co/downloads/logstash/logstash-7.7.0.deb
  2. Install the downloaded package using the dpkg package installer.
    sudo dpkg -i logstash-7.7.0.deb
  3. If you run Logstash at this point and encounter error similar to logstash load error: ffi/ffi -- java.lang.NullPointerException: null get Alexandre Alouit’s fix from GitHub using.
    wget https://gist.githubusercontent.com/toddysm/6b4b9c63f32a3dfc476a725561fc23af/raw/06a2409df3eba5054d7266a8227b991a87837407/fix.sh
  4. Go to /usr/share/logstash/logstash-core/lib/jars and check the version of the jruby-complete-X.X.X.X.jarJAR
  5. Open the downloaded fix.sh, and replace the version of the jruby-complete-X.X.X.X.jaron line 11 with the one from your distribution. In my case, that was  jruby-complete-9.2.11.1.jar
  6. Change the permissions of the downloaded fix.shscript, and run it.
    chmod 755 fix.sh
    sudo ./fix.sh
  7. You can run Logstash with.
    sudo service logstash start

You can check the Logstash logs in /var/log/logstash/logstash-plain.logfor information on whether Logstash is successfully started.

Installing Kibana on Raspberry Pi

Installing Kibana had different challenges. The problem is that Kibana requires an older version of NodeJS, but the one that is packed with the Debian package doesn’t run on Raspbian. What you need to do is to replace the NodeJS version after you install the Debian package. Here the steps:

  1. Download the Kinabna Debian package from Elastic’s repository.
    wget https://artifacts.elastic.co/downloads/kibana/kibana-7.7.0-amd64.deb
  2. Install the downloaded package using the dpkg package installer.
    sudo dpkg -i --force-all kibana-7.7.0-amd64.deb
  3. Move the redistributed NodeJS to another folder (or delete it completely) and create a new empty directory nodein the Kibana installation directory.
    sudo mv /usr/share/kibana/node /usr/share/kibana/node.OLD
    sudo mkdir /usr/share/kibana/node
  4. Next, download version 10.19.0 of NodeJS. This is the required version of NodeJS for Kibana 7.7.0. If you are installing another version of Kibana, you may want to check what NodeJS version it requires. The best way to do that is to start the Kibana service and it will tell you.
    wget https://nodejs.org/download/release/v10.19.0/node-v10.19.0-linux-armv7l.tar.xz
  5. Unpack the TAR and move the content to the nodedirectory under the Kibana installation directory.
    sudo tar -xJvf node-v10.19.0-linux-armv7l.tar.xz
    sudo mv ./node-v10.19.0-linux-armv7l.tar.xz/* /usr/share/kibana/node
  6. You may also want to create symlinks for the NodeJS executable and its tools.
    sudo ln -s /usr/share/kibana/node/bin/node /usr/bin/node
    sudo ln -s /usr/share/kibana/node/bin/npm /usr/bin/npm
    sudo ln -s /usr/share/kibana/node/bin/npx /usr/bin/npx
  7. Configure Kibana to accept requests on any IP address on the device.
    sudo vi /etc/kibana/kibana.yml

    Set the server.hostsetting to 0.0.0.0like this:

    server.host: "0.0.0.0"
  8. You can run Kibana with.
    sudo service kibana start

Conclusion

Although not supported, you can run the complete ELK stack on a Raspberry Pi 4[ad] device. It is not the most trivial installation, but it is not so hard either. In the following posts, I will explain how you can use the Elastic SIEM to monitor the traffic on your network.

References

Here are some additional links that you may find useful:

In my last post, I demonstrated how easy it is to create fake accounts on the major social networks. Now, let’s take a look at what can we do with those fake social network accounts. Also, let’s not forget that my goals here are to penetrate specific individual’s home network (in this case my own family’s home network) and gain access to files and passwords. To do that, I need to find as much information about this individual as possible, so I can discover a weak link to exploit.

1. Search Engines

The first and most obvious way to find anything on the web is, of course, Google. Have you ever Googled yourself? Search for “Toddy Mladenov” on Google yields about 4000 results (at the time of this writing). The first page gives me quite a few useful links:

  • My LinkedIn page
  • Some pages on sys-con.com (must be important if it is so highly ranked by Google). Will check it later
  • Link to my blog
  • Link to my Quora profile
  • Link to a book on Amazon
  • Two different Facebook links (interesting…)
  • Link to a site that can show me my email and phone number (wow! what more do I need 😀)
  • And a link to a site that can show me more about my business profile

The last two links look very intriguing. Whether we want it or not, there are thousands of companies that scrape the Web for information and sell our data for money. Of course, those two links point to such sites. Following those two links I can learn quite a lot about myself:

  • I have (at least) two emails – one with my own domain toddysm.com and one with Gmail. I can get two emails if I register for free on one of the sites or start a free trial on the other (how convenient 😀)
  • I am the CTO co-founder of Agitare Technologies, Inc
  • I get immediate access to my company’s location and phone number (for free and without any registrations)
  • Also, they give me more hints about emails t***@***.com (I can get the full email if I decide to join the free trial)
  • Clicking on the link to the company information additional information about the company – revenue, website as well as names of other employees in the company

OK, enough with those two sites. In just 5 minutes I got enough to start forming a plan. But those links made me curious. What will happen if I search for “Toddy Mladenov’s email address” and “Toddy Mladenov’s phone number” on Google? That doesn’t give me too much but points me to a few sites that do a specialized search like people search and reverse phone lookup. Following some links, I land on truepeoplesearch.com from where I can get my work email address. I also can learn that my real name is Metodi Mladenov. Another site that I learned about recently is pipl.com. A search on it, not surprisingly, returns my home address, my username (not sure for what) as well as the names of relatives and/or friends.

Doing an image search for “Toddy Mladenov” pulls out my picture as well as an old picture of my family.

Let’s do two more simple searches and be done with this. “Metodi Mladenov email address” and “Metodi Mladenov phone number” give my email addresses with Bellevue College and North Seattle College (NSC). I am sure that the NSC email address belongs to the target person because the picture matches. For the Bellevue College one, I can only assume.

Here is useful information I gathered so far with those searches:

  • Legal name
  • 3 email addresses (all work-related, 1 not confirmed)
  • 2 confirmed and 1 potential employer
  • Home address
  • Company name
  • Company address
  • Company phone number
  • Titles (at different employers)
  • Personal web site
  • Social media profiles (Facebook and LinkedIn so far)

Also, I have hints for two personal emails – one on toddysm.com and one on Gmail.

2. Social Media Sites

As you can assume, social media sites are full of information about you. If by now, you didn’t realize it, their business model is to sell that information (it doesn’t matter what Mark Zuckerberg tries to convince you). Now, let’s see what my fake accounts will offer.

Starting with Facebook, I sign in with my fake female account (SMJ) and type the URL to my personal Facebook page that Google returned. What I saw didn’t make me happy at all. Despite my ongoing efforts to lock down my privacy settings on Facebook, it turns out that anyone with a Facebook account can still see quite a lot about me. Mostly it was data from 2016 and before but enough to learn about my family and some friends. Using the fake account, I was able to see pictures of my family and the conversations that I had with friends around the globe. Of course, I was not able to see the list of my friends, but I was still able to click on some names from the conversations and photos and get to their profiles (that is smart, Facebook!). Not only that but Facebook was allowing the fake user to share these posts with other people, i.e., on her timeline (yet another smartie from the Facebook developers).

I was easily able to get to my wife’s profile (same last name, calling me “dear” in posts – easy to figure it out). From the pictures, I was able to see on my and my wife’s profile, I was also able to deduct that we have three daughters and that one of them is on Facebook, although under different last name. Unlike her parents (and like many other millennials), my daughter didn’t protect her list of friends – I was able to see all 43 of them without being her “friend.”

So far Facebook gave me valuable information about my target:

  • Family pictures
  • Wife’s name
  • Teenage daughter’s name
  • A couple of close friends

I also learned that my target and his wife are somehow privacy conscious but thanks to the sloppy privacy practices that Facebook follows, I am still able to gather important intelligence from it.

As we all know, teens are not so much on Facebook but on Instagram (like there is a big difference). Facebook though was nice enough to give me an entry point to continue my research. On to Instagram. My wife’s profile is private. Hence, I was not able to gather any more information about her from Instagram. It was different the case with my daughter – with the fake account I was able to see all her followers and people she follows. Crawling hundreds of followers manually is not something I want to do so, I decided to leave this research for later. I am pretty sure; I will be able to get something more out of her Instagram account. For now, I will just note both Instagram accounts and move on.

Next is LinkedIn. I signed in with the male (RJD) fake account that I created. The first interesting thing that I noticed is that I already had eight people accepting my invite (yes, the one I send by mistake). So, eight people blindly decided to connect with a fake account without a picture, job history details or any other detailed information whatsoever! For almost all of them I was able to see a personal email address, and for some even phone, and eventually address and birth date -pretty useful information, isn’t it? That made me think, how much data can I collect if I build a complete profile.

Getting back on track! Toddy Mladenov’s LinkedIn page gives me the whole work history, associations, and (oops) his birth date. The information confirmed that the emails found previous are most probably valid and can easily be used for a phishing campaign (you see where am I going with this 😀). Now, let’s look what my wife’s page can give me. I can say that I am really proud of her because contact info was completely locked (no email, birthdate or any other sensitive information). Of course, her full resume and work history were freely available. I didn’t expect to see my daughter on LinkedIn, but it turned out she already had a profile there – searching for her name yielded only two results in the US and only one in the area where we live. Doing some crosscheck with the information on Instagram and Facebook made me confident that I found her LinkedIn profile.

3. Government Websites

Government sites expose a lot of information about businesses and their owners. The Secretary of State site allows you to search any company name, and find not only details like legal name, address, and owners but also the owners’ personal addresses, emails and sometimes phone numbers. Department of Revenue web site also gives you the possibility to search for a company by address. Between those two, you can build a pretty good business profile.

Knowing the person’s physical address, the county’s site will give you a lot of details about their property, neighborhood, and neighbors (names are included). Google Maps and Zillow are two more tools that you can use to build a complete physical map of the property – something that you can leverage if you plan to penetrate the WiFi network (I will come back to this in one of my later posts where we will look at how to break into the WiFi network).

Closing Thoughts

I have always assumed that there will be a lot of information about me on the Internet, but until now I didn’t realize the extent to which this information can be used for malicious purposes. The other thing that I realized is that although I tried to follow the guidelines from Facebook and other social media sites to “protect” my information, it is not protected enough, which gives me no confidence that those companies will ever take care of our privacy (doesn’t matter what they say). Like many other people nowadays, I post things on the Internet without realizing the consequences of my actions.

Couple of notes for myself:

  • I need to figure out a way to remove from the web some of the personal information like emails and phone numbers. Not an easy task, especially in the US
  • Facebook, as always fails the privacy check. I have to find a way to hide those older posts from non-friends
  • I also need to educate my family on locking down their social media profiles (well, now that I have that information, I don’t want other people to use it)
  • Hide the birthday from my LinkedIn page

In my next post, I will start preparing a phishing campaign with the goal to discover my home network’s router IP. I will also try to post few suggestions, how you can restrict the access to information from your social media profiles – something that I believe, everyone should do.

Disclaimer: This post describes techniques for online reconnaissance and cyber attacks. The activities described in this post are performed with the consent of the impacted people or entities and are intended to improve the security of those people or entities as well as to bring awareness to the general public of the online threats existing today. Using the above steps without consent from the targeted parties is against the law. The reader of this post is fully responsible for any damage or legal actions against her or him, which may result from actions he or she has taken to perform malicious online activities against other people or entities.