Tuesday, June 02, 2009

HITB2009MY: The Art Of Network Forensics

Hack In The Box Security Conference 2009 in Malaysia is happening again on October 5th-8th 2009. We are looking forward to seeing the security crowd again! More information about the conference can be found at this link.

This time again, mel (spoonfork) and I are going to conduct network security training for Hack In The Box 2009 Malaysia. This upcoming training is brand new and focuses on solving scenario-based cases, under the title "The Art Of Network Forensics: Going Beyond Packet Data"; the details of the training are here. We haven't finalized the course materials that will be provided to students yet, but if we can obtain the kit to build the network tap, that will be awesome.

We would also like to thank Vickson again for his cool banner design!

Enjoy (;])

Thursday, May 21, 2009

Editcap: Discard unwanted frames

With editcap you can remove multiple frames (people generally call them packets) that you don't want. Without the -r option, the frame numbers listed on the command line are the ones dropped; with -r they are the ones kept and everything else is dropped. Frame numbers are 1-based and refer to the input file, so count them in the original capture, not in an already edited copy. For example, to remove frames 40, 69, 71, 113 and 115 from mail.pcap -

shell>editcap mail.pcap mail-modified.pcap 40 69 71 113 115
Add_Selected: 40
Not inclusive ... 40
Add_Selected: 69
Not inclusive ... 69
Add_Selected: 71
Not inclusive ... 71
Add_Selected: 113
Not inclusive ... 113
Add_Selected: 115
Not inclusive ... 115

Check with capinfos -

shell>capinfos -c mail.pcap
File name: mail.pcap
Number of packets: 173

shell>capinfos -c mail-modified.pcap
File name: mail-modified.pcap
Number of packets: 168

Quick and easy!
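To make the mechanics visible, here is an added example (mine, not part of the original post and not Wireshark's editcap or capinfos) that does the same two operations directly on the classic libpcap file format: drop frames by their 1-based number, and count the packet records the way `capinfos -c` does. The sample capture is constructed inline (173 dummy Ethernet frames, each tagged with its own frame number in the last byte); it is not mail.pcap.

```python
"""Drop selected frames from a classic pcap file by frame number.

Added example: a minimal re-implementation of editcap's default (no -r)
selection and of `capinfos -c` over the classic libpcap format, so the
frame numbering is explicit. Frame numbers are 1-based, as in Wireshark.
"""
import struct

GLOBAL_HDR_LEN = 24   # magic, version (2x2), thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D  # variant with nanosecond timestamps


def _endianness(magic_bytes):
    """Return the struct byte-order prefix that makes the magic number read correctly."""
    for order in ("<", ">"):
        if struct.unpack(order + "I", magic_bytes)[0] in (MAGIC_USEC, MAGIC_NSEC):
            return order
    raise ValueError("not a classic pcap file (bad magic)")


def iter_records(data):
    """Yield (frame_number, record_bytes) for every packet record, in file order."""
    order = _endianness(data[:4])
    offset = GLOBAL_HDR_LEN
    frame = 1
    while offset < len(data):
        hdr = data[offset:offset + RECORD_HDR_LEN]
        if len(hdr) < RECORD_HDR_LEN:
            raise ValueError("truncated record header at frame %d" % frame)
        incl_len = struct.unpack(order + "IIII", hdr)[2]   # bytes actually stored
        end = offset + RECORD_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at frame %d" % frame)
        yield frame, data[offset:end]
        offset = end
        frame += 1


def count_packets(data):
    """Equivalent of `capinfos -c`: number of packet records in the file."""
    return sum(1 for _ in iter_records(data))


def drop_frames(data, frame_numbers):
    """Equivalent of `editcap in out N M ...` without -r: remove the listed frames."""
    unwanted = set(frame_numbers)
    kept = [rec for frame, rec in iter_records(data) if frame not in unwanted]
    return data[:GLOBAL_HDR_LEN] + b"".join(kept)


def build_sample_pcap(n_frames):
    """Constructed input: little-endian Ethernet pcap with n_frames dummy frames.

    Each frame is a zeroed 14-byte Ethernet header plus one marker byte that
    holds the frame's own number, so a frame can be identified after editing.
    """
    header = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b""
    for i in range(1, n_frames + 1):
        payload = b"\x00" * 14 + bytes([i])
        body += struct.pack("<IIII", 1243814400 + i, 0, len(payload), len(payload)) + payload
    return header + body


def frame_markers(data):
    """Marker bytes of the frames in file order (helper for checking the result)."""
    return [rec[-1] for _, rec in iter_records(data)]


if __name__ == "__main__":
    original = build_sample_pcap(173)
    modified = drop_frames(original, [40, 69, 71, 113, 115])
    print("Number of packets:", count_packets(original))   # 173
    print("Number of packets:", count_packets(modified))   # 168
```

The per-record `incl_len` is what moves the cursor from one frame to the next, which is why a capture truncated mid-record makes both this code and the real tools complain about the last frame rather than silently miscounting.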

Cheers (;])

Tuesday, May 19, 2009

Time to sell myself .....

This year, I thought things were going to be smooth for me, and I was wrong. But I do know life goes on.

So I'm out looking for a job again and plan to settle down a bit. This is the first time I have put up my resume here, and hopefully I can find the right job for myself quickly. I'm looking for a job related to firewall/IDS/SIEM implementation, deployment, analysis and response.

If you think there's any opportunity I can grab, or you are interested in hiring me, please let me know. Here's my resume.

Thanks!

Friday, May 15, 2009

FreeBSD On VMware Time Sync Issue


We have been fighting the time synchronization issue when running FreeBSD on VMware. With the newer FreeBSD (7.1 and above) and the newer VMware Workstation/Fusion, the problem is fixed.

That's great, as it means we can run HeX more smoothly on VMware. Also, HeX is back in active development, stay tuned!

Enjoy ;]

Surface Mount Box - 4 ports


I have been looking for a 4-port surface mount box (Cat5e compatible) like the one in the image above. If any of you know where I can find one in Malaysia, or you sell them, please let me know; I would like to order 20-50 units. I wanted to order online but it is out of stock here. Also, if you know anyone who sells Cat5e keystone jacks at a reasonable price, I would like to buy those as well.

My plan is to build network taps using these mount boxes, as a gift to whoever attends my future network forensics training.

Cheers ;]

Thursday, April 16, 2009

Argus 3.x On Linksys WRT54GL

I bought two Linksys WRT54GL WLAN routers a while ago so that I can run Linux on them and get network security monitoring tools running there as well. This little device has very limited space, but you can't beat Linux as a router platform. One of the units is currently living at spoonfork's place serving that Darth Vader, and the other one is with me.
Since Carter has argus supported on OpenWRT, I have been thinking of getting argus installed on it (MIPS platform). After some tinkering, I successfully got argus running on it and exporting network flow records to another box on the network. Here's the complete howto that you can follow exactly to get argus compiled for OpenWRT Kamikaze 8.09 (MIPS platform) using Ubuntu Linux.

Prepare the environment; my main directory for this build is /home/geek00l/i-Projects -

shell>sudo apt-get install gcc g++ patch binutils \
flex bison make pkg-config unzip zlib1g zlib1g-dev \
libc6 libc6-dev gawk autoconf upslug2 libncurses5-dev


To build OpenWRT Kamikaze 8.09, check out the source with svn first -

shell>svn co https://svn.openwrt.org/openwrt/branches/8.09 kamikaze-8.09

shell>cd kamikaze-8.09


Start the building process -

shell>make defconfig
shell>make package/symlinks
shell>make menuconfig
shell>make

Take a coffee break when you run make .....

Install libpcap; this is the only dependency we need to get argus 3 compiled -

shell>make package/libpcap-compile V=99
shell>make package/libpcap-install V=99


Check the cross gcc that we need to use -

shell>/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc --version
gcc (GCC) 3.4.6 (OpenWrt-2.0)
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Now we need to set the environment variables for this build, pointing every tool at the OpenWRT toolchain so that nothing from the host's native gcc leaks into the binary -

shell>export PATH=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin:/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/bin:$PATH
shell>export AR=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ar
shell>export AS=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/as
shell>export LD=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ld
shell>export NM=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/nm
shell>export CC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc
shell>export CPP=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/toolchain-mipsel_gcc3.4.6/gcc-3.4.6-initial/gcc/cpp
shell>export GCC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc
shell>export CXX=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/g++
shell>export RANLIB=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ranlib
shell>export ac_cv_linux_vers=2.4.35
shell>export LDFLAGS="-static"
shell>export CFLAGS="-Os -s"


Time to have fun: cross-compile argus so it runs on the MIPS platform -

shell>cd /home/geek00l/i-Projects/argus-3.0.1.beta.2
shell>./configure --host=mipsel-linux \
--with-openwrt=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir \
--with-libpcap=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/mipsel/libpcap-0.9.8
shell>make


Check the result before copying it over: it must be a 32-bit little-endian MIPS binary, and statically linked, since the router has no matching shared libraries -

shell>file bin/argus
bin/argus: ELF 32-bit LSB executable, MIPS, version 1 (SYSV), statically linked, stripped
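The `file` line above is the check that matters before the scp step. As an added example (mine, not part of the original post and not code from argus or OpenWRT), here is the same check done by reading the ELF header and program headers directly, which is also what `file` looks at: ELF class 1 is 32-bit, data encoding 1 is LSB, e_machine 8 is MIPS, and "statically linked" means there is no PT_INTERP or PT_DYNAMIC program header. The sample images are constructed ELF32 headers with no code in them, not real argus binaries.

```python
"""Verify that a cross-compiled binary is a 32-bit LSB MIPS static executable.

Added example: a header-level re-implementation of the properties that
`file bin/argus` reported above, for use before copying a build to the
WRT54GL. The ELF images built by build_sample_elf() are constructed.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_386, EM_MIPS = 3, 8
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3

# ELF32 header after the 16-byte e_ident: e_type, e_machine, e_version, e_entry,
# e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
EHDR_FMT = "HHIIIIIHHHHHH"
PHDR_FMT = "IIIIIIII"   # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align


def inspect_elf(data):
    """Describe an ELF32 image; raise ValueError for anything that is not one."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class != ELFCLASS32:
        raise ValueError("only ELF32 images are handled here")
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unknown ELF data encoding")
    order = "<" if ei_data == ELFDATA2LSB else ">"
    fields = struct.unpack(order + EHDR_FMT, data[16:52])
    e_machine, e_phoff, e_phentsize, e_phnum = fields[1], fields[4], fields[8], fields[9]
    ptypes = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        ptypes.append(struct.unpack(order + "I", data[off:off + 4])[0])
    return {
        "bits": 32,
        "lsb": ei_data == ELFDATA2LSB,
        "machine": e_machine,
        # `file` says "dynamically linked" when a dynamic loader or dynamic
        # section is present; the router has neither for this binary to use.
        "static": PT_INTERP not in ptypes and PT_DYNAMIC not in ptypes,
    }


def ready_for_wrt54gl(data):
    """True only for what the post's `file` output shows: ELF 32-bit LSB, MIPS, static."""
    info = inspect_elf(data)
    return info["lsb"] and info["machine"] == EM_MIPS and info["static"]


def build_sample_elf(machine, lsb=True, interp=False):
    """Constructed ELF32 image: a header plus one or two program headers, no code."""
    order = "<" if lsb else ">"
    ptypes = [PT_LOAD] + ([PT_INTERP] if interp else [])
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB if lsb else ELFDATA2MSB, 1, 0]) + b"\x00" * 8
    header = e_ident + struct.pack(order + EHDR_FMT,
                                   2, machine, 1, 0, 52, 0, 0, 52, 32, len(ptypes), 40, 0, 0)
    phdrs = b"".join(struct.pack(order + PHDR_FMT, t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return header + phdrs


if __name__ == "__main__":
    print("MIPS static:", ready_for_wrt54gl(build_sample_elf(EM_MIPS)))             # True
    print("x86 dynamic:", ready_for_wrt54gl(build_sample_elf(EM_386, interp=True)))  # False
```

A binary that fails the static check would have picked up the host's libpcap or libc at link time, which is exactly what the `-static` LDFLAGS and the `--with-libpcap` path to the cross-built library are there to prevent.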

Transfer it to my OpenWRT box -

shell>scp -P 55555 bin/argus root@192.168.1.1:/tmp

To export argus flow records from the ppp0 interface, with argus running as a daemon (-d) and its listener bound (-B) to the LAN address 192.168.1.1 on port 561 so it is not reachable from the WAN side -

shell>argus -i ppp0 -B 192.168.1.1 -P 561 -d

To collect the flow records from another box on the LAN (the lone "-" separates ra's options from the filter expression) -

shell>ra -S 192.168.1.1:561 - ip

I found some good references to get me going, and I would also like to thank David Watson (UK Honeynet) for his guide on building nepenthes on OpenWRT.

Reference:
http://www.frontiernet.net/~beakmyn/CrossCompile.htm
http://www.ukhoneynet.org/research/building-nepenthes-on-the-openwrt-embedded-platform/
http://forum.openwrt.org/viewtopic.php?pid=31794
http://gargoyle-router.com/openwrt-coding.php

Since this embedded device has very limited space, there's no point running a packet logger locally; other tools I would like to run on it so that I can export pcap data to another system are packetforward or rpcap. If anyone has experience getting either of these installed on OpenWRT, please share!

Enjoy (;])

Wednesday, April 15, 2009

OpenWRT: Allow SSH Access On WAN Interface

Here's the quick way to allow SSH access on the WAN interface of OpenWRT. I configured my SSH server (through the web interface) to listen on port 12345 instead of 22 to avoid the automated probes from the internet; then just run this in the terminal. Insert the ACCEPT rule first: every `-I INPUT 1` puts the new rule on top, and LOG is a non-terminating target, so the LOG rule has to end up above ACCEPT or nothing is ever logged -

shell>/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j ACCEPT

shell>/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j LOG

As written these rules match on every interface; add `-i` with the WAN interface name (e.g. ppp0 on a PPPoE uplink) if you want them limited to the WAN, and a `-m limit` rate limit on the LOG rule if you don't want a port scanner to flood the log.


To check if it loads properly -

shell>/usr/sbin/iptables -L | grep 12345
LOG tcp -- anywhere anywhere tcp dpt:12345 LOG level warning
ACCEPT tcp -- anywhere anywhere tcp dpt:12345

To make sure it survives a reboot, store both commands in the single rc_firewall variable. Each `nvram set` replaces the previous value, so setting rc_firewall twice would keep only the last command -

shell>nvram set rc_firewall="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j ACCEPT; /usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j LOG"

shell>nvram commit

Thanks to the link here.

Done!

Cheers (;])

Sunday, April 05, 2009

Tshark: Decrypt WEP

Yes, you can decrypt WEP using airdecap-ng from the aircrack-ng suite, or using the Wireshark GUI. However, you can also use tshark to decrypt WEP with a known key, and you can define several keys to be tried against the WEP packets as well (each one is passed the same way, through the next wep_key preference).

Quick example -

shell>tshark -t ad -o 'wlan.enable_decryption:TRUE' \
-o "wlan.wep_key1:1122aabbcc" -nr wlan-wep.pcap
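To show what that tshark option is actually doing with the key, here is an added example (mine, not part of the original post and not Wireshark or tshark code): the 3-byte IV at the front of the encrypted frame body is prepended to the WEP key to form the RC4 key, the body is RC4-decrypted, and the trailing 4-byte ICV (CRC-32 of the plaintext) tells you whether the key was right, which is also how a decryptor picks the correct one out of several configured keys. The frame bodies are constructed here with wep_encrypt(); they are not packets from wlan-wep.pcap.

```python
"""WEP decryption with a list of candidate keys, as tshark does with wep_key prefs.

Added example: RC4 plus the WEP framing (IV | key id | RC4(data || ICV)).
SAMPLE_PLAINTEXT and the IV are constructed test data, not from a capture.
"""
import struct
import zlib

# Constructed plaintext: LLC/SNAP header for an IPv4 payload followed by dummy bytes.
SAMPLE_PLAINTEXT = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"constructed IPv4 payload"
SAMPLE_IV = b"\x01\x02\x03"


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). WEP runs it with key = IV || WEP key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(plaintext):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext, key_index=0):
    """Build a WEP frame body: IV (3 bytes) | key id byte | RC4(plaintext || ICV)."""
    key_id_byte = bytes([(key_index & 0x03) << 6])   # key index lives in the top two bits
    return iv + key_id_byte + rc4(iv + key, plaintext + _icv(plaintext))


def wep_decrypt(key, body):
    """Return the plaintext, or None when the ICV does not verify (wrong key or damage)."""
    if len(body) < 8:            # 4-byte IV/key-id header plus at least the 4-byte ICV
        return None
    iv, ciphertext = body[:3], body[4:]
    decrypted = rc4(iv + key, ciphertext)
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    if _icv(plaintext) != icv:
        return None
    return plaintext


def try_keys(hex_keys, body):
    """Like several configured wep_key prefs: first key whose ICV checks out wins."""
    for hexkey in hex_keys:
        plaintext = wep_decrypt(bytes.fromhex(hexkey), body)
        if plaintext is not None:
            return hexkey, plaintext
    return None, None


if __name__ == "__main__":
    body = wep_encrypt(bytes.fromhex("1122aabbcc"), SAMPLE_IV, SAMPLE_PLAINTEXT)
    print(try_keys(["0000000000", "1122aabbcc"], body))
```

The ICV is only a CRC, not a MAC, so it tells a decryptor which key is right but gives no integrity guarantee against an attacker, which is one of the reasons WEP fell.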

By the way, you can decrypt WPA similarly, given the passphrase or PSK and a capture that includes the four-way handshake.

Enjoy (;])