Tuesday, April 08, 2014

Kali/Backbox Linux: Alfa AWUS036H

After migrating from Backtrack to Kali Linux, I encountered a problem with WLAN cracking using the Alfa AWUS036H wireless adapter. The initial problem was:

shell>airodump-ng wlan0
ioctl(SIOCSIWMODE) failed: Device or resource busy

ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead.  Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.

So it states that I should run airmon-ng:

shell>airmon-ng start wlan0
airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID    Name
2625    dhclient
2722    NetworkManager
2971    wpa_supplicant


Interface    Chipset        Driver

mon0        Realtek RTL8187L    rtl8187 - [phy0]
wlan0        Realtek RTL8187L    rtl8187 - [phy0]
                (monitor mode enabled on mon0)

We used to be able to run airodump-ng on wlan0 in Backtrack; that is not the case here. What you need to do instead is run airodump-ng on the mon0 pseudo-interface:

shell>airodump-ng mon0

Now everything looks good; however, there is a minor bug that shows the channel as -1. To get everything running smoothly without the error, I run the following command instead:

shell>airodump-ng --ignore-negative-one mon0

Now you can perform the WLAN cracking routine (aireplay-ng and aircrack-ng for packet injection and cracking), but remember to run the aircrack-ng suite tools with the argument --ignore-negative-one and everything will be fine.

Cheers (;])

P.S.: If you are using another Linux distribution, Backbox, the same applies to it as well.

Sunday, March 02, 2014

Interesting Rootkit: Uroburos

My friend ebf0 has shared with me this interesting analysis report from GData Security Lab; you can find the report here:

https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf

To understand where the name "Uroburos" comes from, we should refer to

http://en.wikipedia.org/wiki/Ouroboros

It doesn't matter which party it comes from; we all know intelligence gathering is always there, and by the time we know about it, it seems late by miles. The Internet security community needs to work harder together to uncover such operations as soon as possible.

Cheers (;])

Monday, February 24, 2014

The Practice Of Network Security Monitoring

The year 2014 will most probably be a refreshing year for me; everything is like new all over again, and what I should do next is important.

NSM has been a big part of my career and I'm back to my roots, so I would like to discuss and share anything regarding this huge topic. The first thing I will most probably do is grab the book written by my friend Richard, The Practice Of NSM. Thank you for your effort in writing this book; it is really tough to stay focused and finish a book, especially for a busy person like you.

The second thing to do would be reviewing the new versions of existing tools, and also the new tools that appeared without me noticing: Netsniff-ng, Snort, Suricata, Bro-IDS, Argus, NetworkMiner, SIFT and many more, you name it.

The third thing to do is sharing: to share what I have found and learned in the world of IT security.

Monday, August 12, 2013

Port Span: Packet duplication

I have stumbled across this issue multiple times lately, especially when spanning multiple source ports, and there are a couple of solutions worth looking at:

http://blogs.cisco.com/security/span-packet-duplication-problem-and-solution/

http://myoss.belgoline.com/despan

I think the packet duplication issue should be eliminated using a hardware-based (built-in) solution, where the switch itself is able to eliminate it. While it may add workload to the network switch, it makes real-time monitoring more accurate and feasible, especially since tools such as Snort/Bro are not going to identify duplicate packets.
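Until the switch does it for you, the duplicates have to be removed in software before the frames reach the IDS. The following is an added example, not code from the original post or from the Cisco blog or despan linked above: a sliding-window filter that drops a frame whose bytes exactly match a frame seen a few microseconds earlier (the ingress copy from one spanned port and the egress copy from another), while letting a byte-identical frame that arrives much later pass, since that is a genuine retransmission rather than a SPAN artifact. The frames and timestamps are constructed sample data; the 50 ms window is an assumption chosen to be far longer than the gap between switch copies yet far shorter than any TCP retransmission timer.

```python
import hashlib
from collections import OrderedDict


class SpanDeduplicator:
    """Drop byte-identical frames that recur within `window` seconds."""

    def __init__(self, window=0.050):
        # Switch-generated copies arrive microseconds apart; 50 ms (assumed)
        # catches them without swallowing real retransmissions seconds later.
        self.window = window
        self._seen = OrderedDict()  # frame digest -> timestamp first seen
        self.dropped = 0

    def accept(self, ts, frame):
        """Return True to keep the frame, False if it is a SPAN duplicate."""
        self._expire(ts)
        digest = hashlib.sha256(frame).digest()
        if digest in self._seen:
            self.dropped += 1
            return False
        self._seen[digest] = ts
        return True

    def _expire(self, now):
        # Entries were inserted in time order, so the oldest is always first.
        while self._seen:
            digest, ts = next(iter(self._seen.items()))
            if now - ts <= self.window:
                break
            del self._seen[digest]


def dedupe(stream, window=0.050):
    """Run the filter over (timestamp, frame) pairs; return the kept pairs."""
    filt = SpanDeduplicator(window)
    return [(ts, f) for ts, f in stream if filt.accept(ts, f)]


def make_frame(src_mac, dst_mac, payload):
    """Build a minimal Ethernet II frame (constructed test data, EtherType IPv4)."""
    return dst_mac + src_mac + b"\x08\x00" + payload


# Constructed sample capture: host A opens an SSH connection to host B while
# both of their switch ports are SPAN sources, so every frame is copied twice.
HOST_A = bytes.fromhex("02000000000a")
HOST_B = bytes.fromhex("02000000000b")
SYN = make_frame(HOST_A, HOST_B, b"\x45\x00" + b"SYN to tcp/22")
SYNACK = make_frame(HOST_B, HOST_A, b"\x45\x00" + b"SYN/ACK from tcp/22")

SAMPLE_STREAM = [
    (0.000000, SYN),     # copy taken as the frame enters port 1
    (0.000018, SYN),     # copy taken as the same frame leaves port 2: duplicate
    (0.000900, SYNACK),  # reply, ingress copy
    (0.000917, SYNACK),  # reply, egress copy: duplicate
    (1.200000, SYN),     # byte-identical frame 1.2 s later (a retransmission): keep
]

if __name__ == "__main__":
    kept = dedupe(SAMPLE_STREAM)
    print("kept %d of %d frames" % (len(kept), len(SAMPLE_STREAM)))
```

The filter hashes the whole frame, which is right when the spanned ports are in the same VLAN. If the switch routes between VLANs, the two copies differ in MAC addresses, 802.1Q tag and IP TTL, and the key would have to be computed from the transport header onwards instead.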

Sunday, July 15, 2012

HeX 3: On the way

We are developing HeX 3, and this is for real. HeX 3 will be based on FreeBSD 9, and we are looking to create more FreeBSD ports for network security tools. Most of the existing tools compile successfully on FreeBSD 9, and we will provide two platforms this time: i386 and x64.

We would like to list all the new network security tools that are going to be included in HeX 3; currently I have 3 in mind:

- NetworkMiner
- Prads
- PassiveDNS
- Pcapfix

Thanks to Erik (the NetworkMiner developer) for sending the installation guide to me; that saves me some work ;)

Here's a screenshot of NetworkMiner running on the upcoming HeX 3:


If you are aware of any network security tools (especially for packet analysis) that you would like us to add to HeX 3, kindly let me know.

Cheers (;])

Thursday, July 12, 2012

FreeBSD: Netmap

High-speed networking and big data technology are related terms; both are developed to meet the challenge of today's application demand. We always see a lot of work for Linux regarding high-speed networking (10G and up), but not so much on the BSD side. I reported on FreeBSD ringmap in my previous blog post, and Robert Watson has also implemented zero-copy BPF buffers for FreeBSD. Thanks to the friends in #snort-gui, I just found netmap, which is going to be part of FreeBSD 10; it seems promising to me, and thanks to Luigi and his team for the effort to improve the performance of the network stack.

Right now there's not much we can do to test netmap; however, if you want to try it out, you can download the images from the netmap website and play around with them, or install FreeBSD Current using the snapshot image, which you can find here: http://pub.allbsd.org/FreeBSD-snapshots/

Here are the few steps I took after FreeBSD Current was installed:

shell>cd /usr/src/sys/modules/netmap
shell>make
shell>kldload ./netmap.ko
shell>kldstat
shell>ls -la /dev/netmap
shell>dmesg

Everything is there, but you need to play around with it, so download:

http://info.iet.unipi.it/~luigi/netmap/20120608-netmap.tgz

After untarring it, you can start playing around with pkt-gen and the other binaries provided in there. Currently netmap is still under development and testing; hopefully, when it reaches a stable stage, we will see a lot of network security monitoring tools ported to work with netmap, since it will be native to the FreeBSD system. For most of the details, do check out the presentation slides and other information on the netmap website.

Cheers ;]

Flocon 2012: Argus Training Slide

If you are looking for detailed information about the latest Argus development and offerings, look no further:

http://www.qosient.com/argus/presentations/Argus.FloCon.2012.Tutorial.pdf

The slides were made by Carter and contain a lot of information on the state-of-the-art flow analysis tool, Argus. Though a long-time Argus user, I still learned something new from them.

Cheers (;])

Thursday, June 21, 2012

Inter VM NSM

Cloud is everywhere now, and I have been playing with OpenVSwitch for a while; it looks like a critical solution for providing network security monitoring in virtualization technology. If you want to know more about OpenVSwitch, information can be found on the website below:

http://openvswitch.org

OpenVSwitch is not just a virtual switch; it offers many network traffic monitoring features such as SPAN, RSPAN, NetFlow and sFlow. I have tried out many features in OpenVSwitch, and they are useful depending on your monitoring needs.

Traditional network traffic monitoring is not going to help here: you can't simply deploy a network tap or port mirroring to monitor the traffic in cloud server farms. Of course, you can still monitor the virtual machines talking to the outside world, but you can't really see the conversations between virtual machines, for example when vm1 performs network scanning on other virtual machines on the same cloud server.
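The vm1 scanning case above is exactly what the NetFlow/sFlow export of the virtual switch makes visible, because the flow records cover VM-to-VM traffic that never leaves the host. The following is an added example, not code from the original post or from Open vSwitch: it assumes the exported flow records have already been decoded into (start time, source IP, destination IP, protocol, destination port, packet count) tuples, keeps only the flows where both ends sit inside the tenant network (the inter-VM conversations a physical tap would miss), and flags any source that touches many distinct host/port pairs with tiny flows inside one time window, the signature of a connect or SYN scan. The records, tenant network and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Assumed shape of a decoded NetFlow/sFlow record exported by the vSwitch.
FlowRecord = namedtuple("FlowRecord", "start src_ip dst_ip proto dst_port packets")


def inter_vm_flows(records, tenant_net):
    """Keep only flows whose two endpoints are both inside the tenant network."""
    net = ipaddress.ip_network(tenant_net)
    return [r for r in records
            if ipaddress.ip_address(r.src_ip) in net
            and ipaddress.ip_address(r.dst_ip) in net]


def detect_scanners(records, window=60.0, threshold=20, max_packets=2):
    """Return {src_ip: distinct (dst_ip, dst_port) targets} for sources that probe
    at least `threshold` distinct targets with flows of <= `max_packets` packets
    inside one `window`-second bucket. Real sessions carry far more packets per
    flow and are skipped, so a busy but legitimate VM does not trip the rule."""
    buckets = defaultdict(set)  # (src_ip, bucket number) -> set of targets
    for r in records:
        if r.packets > max_packets:
            continue  # an established conversation, not a probe
        buckets[(r.src_ip, int(r.start // window))].add((r.dst_ip, r.dst_port))
    alerts = {}
    for (src, _bucket), targets in buckets.items():
        if len(targets) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


def build_sample_records():
    """Constructed flow records for one tenant: 10.0.0.0/24, resolver at 10.0.0.2."""
    recs = []
    # vm1 (10.0.0.11) probes 25 TCP ports on vm2 over ten seconds, one SYN each.
    for i, port in enumerate(range(20, 45)):
        recs.append(FlowRecord(1000.0 + i * 0.4, "10.0.0.11", "10.0.0.12", 6, port, 1))
    # vm2 holds a normal HTTPS session with vm3: one flow, many packets.
    recs.append(FlowRecord(1003.0, "10.0.0.12", "10.0.0.13", 6, 443, 812))
    # vm3 talks to the outside world (TEST-NET address); not inter-VM, filtered out.
    recs.append(FlowRecord(1004.0, "10.0.0.13", "203.0.113.5", 6, 80, 1))
    # vm3 sends a few single-packet DNS queries to the tenant resolver: same target.
    for i in range(3):
        recs.append(FlowRecord(1005.0 + i, "10.0.0.13", "10.0.0.2", 17, 53, 1))
    return recs


SAMPLE_RECORDS = build_sample_records()


def scan_alerts(records=SAMPLE_RECORDS, tenant_net="10.0.0.0/24"):
    """Full pipeline: restrict to inter-VM flows, then look for scanners."""
    return detect_scanners(inter_vm_flows(records, tenant_net))


if __name__ == "__main__":
    for src, n in scan_alerts().items():
        print("possible scan from %s: %d distinct inter-VM targets" % (src, n))
```

Because the bucket is keyed on the source address, a scan spread thinly across many destinations still counts; the DNS queries from vm3 collapse to a single target and stay well under the threshold.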

More thought needs to be put into cloud network security monitoring, since it is becoming a trend and is widely used in the enterprise world; I have encountered a couple of cases where performing a forensics operation was much harder in the cloud.

OpenVSwitch seems to be promising; hopefully, with the inclusion of OpenVSwitch in the Linux 3.3 kernel, it will become more popular and widely used.

http://blog.sflow.com/2012/03/linux-33-released.html

Cheers ;]