Friday, March 31, 2006

Brontok - DDOS

While analyzing the behaviour of Brontok with Process Explorer, I saw it attempting a denial of service by ping flood. It runs the command ping 17tahun.com -n 250 -l 747. Why ping with a 747-byte payload? Maybe the author is a lover of the Boeing 747. The airstrike seems successful, since I can't browse 17tahun.com with my browser.


Once Brontok goes wild, it spawns more ping processes in order to bring down 17tahun.com.


You may like to view this interesting graph.


What's funny is that when I tried to ping 17tahun.com manually, I got a surprising result: 64 bytes from 127.0.0.1. If the destination host were down I would expect destination host unreachable or request timed out, but what shocked me is that the reply came from the loopback address, 127.0.0.1.


I went to dnsreport.com to check its DNS status, and found this interesting piece of the result.

Your www.17tahun.com A record is

www.17tahun.com. A 127.0.0.1 [TTL=3601] [*L]


The DNS record seems totally incorrect. I now have doubts about this: is it something to do with DNS cache poisoning?

Enjoy .....

P/S: Brontok tries to bring down other sites by ping flooding as well, but those are not as interesting as this one.

Thursday, March 30, 2006

A to Z Introduction

I have found two applications that caught my attention. One of them is Zebedee; I hardly ever see this tool mentioned anywhere, and it seems promising. It is used to encrypt and secure connections over TCP/IP and UDP. Maybe it will be another alternative to ssh when it comes to creating a tunnel for an insecure connection that crosses the network in plain text.

The second application I would like to try out is AIRT. This AIRT is different from the one called airt-linux, which is used to detect misbehaviour of a system suspected to be compromised. AIRT, on the other hand, is developed to address the need of an Incident Response Team to profile and manage all its cases effectively. It provides a web based system that allows access from anywhere, as long as you have a browser.

That's all I want to share for now, cheers :]

Sunday, March 26, 2006

Monkey tricks: Extracting Viruses/Worms

It all started here: browsing the internet, I visited a forum based web page and something hit my curiosity. I guess you may find the screenshot below interesting as well. This is totally not right, since a normal web page shouldn't look like a corrupted chunk of data.


I decided to find out what the actual content of this data is, but how? I decided to sniff my own connection and browse the same URL again, quickly launching tcpdump to log full content data with

shell>tcpdump -qeXX -tttt -n -s 1550 -w malicious_pcap

After I finished browsing the URL, I killed tcpdump with Ctrl+c and started my packet analysis with ethereal. One of the interesting packets shows the string kernel32 in the packet bytes pane (the lowest pane). This is most probably a Windows thing.


I have heard about how people are able to reconstruct or extract binaries (executable files) from a pcap, but I haven't seen anyone actually demonstrate how to do it; most of what I found extracts files such as jpeg and gif. Those are not what I need, because I smell a Windows EXE in this network stream. Tcpxtract may be able to do it but needs tweaking, and it is based on foremost. Foremost is a console program to recover files based on their headers, footers, and internal data structures, so I guess I can use foremost to recover all the files I need, since a pcap is actually a binary file.
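To show what a header-based carver like foremost actually does with an EXE, here is an added example (my own code, not from the post or from foremost) that scans a byte stream for MZ/PE images, bounds each one from its section table since PE has no footer, and names it the way foremost's bs=512 audit does. The sample stream is constructed inline, and the PE inside it is a minimal fake built by the hypothetical build_fake_pe helper, not the brontok binary.

```python
import hashlib
import struct


# Hypothetical helper: build a minimal MZ/PE image so the carver has something
# realistic to find. It is structurally valid (DOS header, COFF header, one
# section) but not runnable, and is unrelated to the worm in the post.
def build_fake_pe(code: bytes) -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)  # i386, 1 section
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    raw_ptr = 64 + 4 + 20 + 0xE0 + 40  # raw code sits right after the section table
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(code), 0x1000,
                          len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + section + code


def carve_pe(data: bytes) -> list:
    """Header-based carve of MZ/PE images from an arbitrary byte stream.

    PE has no footer, so the file end is taken as the furthest
    PointerToRawData + SizeOfRawData in the section table, the same trick a
    carver such as foremost relies on for .exe.
    """
    found = []
    pos = 0
    while (pos := data.find(b"MZ", pos)) != -1:
        if pos + 0x40 > len(data):  # not even room for a DOS header
            break
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        pe = pos + e_lfanew
        # Reject stray "MZ" bytes: e_lfanew must be plausible and point at "PE\0\0"
        if not (0x40 <= e_lfanew <= 0x1000 and pe + 24 <= len(data)
                and data[pe:pe + 4] == b"PE\0\0"):
            pos += 2
            continue
        nsect = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        sect_tbl = e_lfanew + 24 + opt_size  # offset relative to image start
        end_rel = sect_tbl + 40 * nsect  # at least the headers themselves
        if not 0 < nsect <= 96 or pos + end_rel > len(data):  # 96 = loader limit
            pos += 2
            continue
        for i in range(nsect):
            raw_size, raw_ptr = struct.unpack_from("<II", data, pos + sect_tbl + 40 * i + 16)
            end_rel = max(end_rel, raw_ptr + raw_size)
        truncated = pos + end_rel > len(data)  # the transfer stopped early
        end = min(pos + end_rel, len(data))
        image = data[pos:end]
        found.append({
            "name": f"{pos // 512}.exe",  # foremost names by 512-byte block offset
            "offset": pos,
            "size": len(image),
            "truncated": truncated,
            "md5": hashlib.md5(image).hexdigest(),
        })
        pos = end
    return found


# Constructed sample stream: an HTTP response carrying the fake EXE, followed
# by HTML that happens to contain the letters "MZ" (a false positive to reject).
FAKE_EXE = build_fake_pe(b"\x90" * 64 + b"kernel32.dll\0")
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                 + FAKE_EXE + b"<html>MZ is not a header here</html>")

if __name__ == "__main__":
    for hit in carve_pe(SAMPLE_STREAM):
        print(hit)
```

Carve from a reassembled TCP stream (ethereal's Follow TCP Stream, or tcpflow output) rather than the raw pcap where you can, since a raw pcap interleaves a packet header into the payload every segment; the truncated flag tells you the transfer ended before the section table's declared end.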

Since I'm too lazy to type, here's how I extract and recover files from the pcap using foremost; I have renamed malicious_pcap to brontok_pcap. Check out the screenshot .....


You will find a file called audit.txt in the extract directory, which is a report generated by foremost. Here's its content.

Foremost version 1.1 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sun Mar 26 13:17:03 2006
Invocation: foremost -i brontok_pcap -o /nsm/IR_20050326/extract/
Output directory: /nsm/IR_20050326/extract
Configuration file: /usr/local/etc/foremost.conf
------------------------------------------------------------------
File: brontok_pcap
Start: Sun Mar 26 13:17:03 2006
Length: 188 KB (192512 bytes)

Num Name (bs=512) Size File Offset Comment

0: 133.jpg 1 KB 68134
1: 102.gif 497 B 52662 (20 x 20)
2: 111.gif 589 B 57195 (13 x 13)
3: 162.gif 2 KB 83314 (48 x 47)
4: 197.gif 2 KB 101333 (48 x 47)
5: 205.gif 2 KB 105152 (48 x 51)
6: 211.gif 2 KB 108098 (48 x 47)
7: 219.gif 2 KB 112196 (51 x 48)
8: 226.gif 3 KB 115742 (48 x 47)
9: 239.gif 2 KB 122553 (48 x 49)
10: 245.gif 1 KB 125504 (48 x 49)
11: 250.gif 2 KB 128453 (48 x 47)
12: 256.gif 2 KB 131419 (48 x 47)
13: 264.gif 2 KB 135561 (49 x 50)
14: 272.gif 2 KB 139375 (48 x 47)
15: 279.gif 2 KB 143205 (48 x 49)
16: 287.gif 2 KB 146982 (48 x 49)
17: 293.gif 3 KB 150488 (48 x 47)
18: 301.gif 2 KB 154478 (48 x 47)
19: 308.gif 2 KB 157943 (48 x 48)
20: 315.gif 2 KB 161438 (48 x 47)
21: 321.gif 2 KB 164781 (49 x 48)
22: 328.gif 1 KB 167942 (48 x 48)
23: 332.gif 2 KB 170202 (48 x 47)
24: 338.gif 2 KB 173370 (48 x 49)
25: 344.gif 2 KB 176608 (48 x 47)
26: 353.gif 2 KB 180947 (48 x 48)
27: 360.gif 2 KB 184442 (48 x 47)
28: 365.gif 2 KB 187154 (48 x 48)
29: 5.htm 95 KB 2944
30: 372.htm 339 B 190890
31: 65.exe 41 KB 33483 01/01/1970 00:00:00
Finish: Sun Mar 26 13:17:03 2006

32 FILES EXTRACTED

jpg:= 1
gif:= 28
htm:= 2
exe:= 1
------------------------------------------------------------------

Foremost finished at Sun Mar 26 13:17:03 2006

Notice that the green text in the screenshot above is actually an MS-DOS executable file. I performed behavioural analysis by running this executable in a sandboxed Windows VM, and I also launched Richard's Sguil VM to see if Sguil smells anything. That's where I found that it is actually the Brontok worm, which pings hosts to see if they are alive, then tries to connect to open NetBIOS (port 139) shares and upload itself to other victims.

One thing I found weird, and which is not posted in any AntiVirus resource, is that the infected host also tries to locate all nodes with port 21 open. I suspect it may be trying to find one and download certain binaries or files from the ftp server. However, I'm not sure of that yet until the binary is disassembled.

The reason I blog about this is that I can't find any good info on recovering EXE files from a pcap file. What makes it interesting this time is that I'm using a forensic acquisition tool normally used to acquire data from hard disk images generated by dd, Safeback or Encase, but this time on a pcap generated by tcpdump, snort or maybe tethereal, and it is actually a virus/worm binary that is recovered in the process.

I guess the people visiting the forum, mostly M$ Windows users, get infected by this so called "Mass Mailing Worm" if they don't have AntiVirus installed with the latest signatures and updates.

To M$ Windows users, good luck!!!!!

P/S: Uploading a worm to a forum seems to be the right idea, since forums tend to have masses of users, and that totally fits the term "WORM".

Saturday, March 25, 2006

New FreeBSD Sguil VM released

This time, Richard at taosecurity has built a new Sguil VM based on Sguil-0.6.1. He has just put up the description and how to use the Sguil VM in his blog here. I downloaded and booted it up with my VMware; just follow the instructions in his blog and you will find it working in a couple of minutes. I would like to try his installation script but I'm currently busy; feel free to try it out and report to him if you have problems with it. By now all the components of Sguil are installed with separate scripts, to keep the installation process clean instead of installing everything with a single script.

This is just one of my screenshots; you can find the Sguil VM download link in his blog. With this you no longer need to go through the painful installation process.


Have fun with Sguil (:])

System Recovery > System Security ?

I seldom comment on commercial solutions, but I really have to mention this.

CPanel
- The GUI control panel for web hosting environments. It provides user friendliness for managing servers, but it gives a totally false sense of security. The approach taken by CPanel is utterly stupid and destroys the evidence of a server compromise. When CPanel detects that a system binary's checksum is different from the one in its database, it automatically reports to the sysadmin, and what kills me is that it may remove the suspicious binary and replace it with the standard binary that should be in the system. I understand why CPanel takes this approach, as they don't want the system to malfunction, and they consider

System Recovery > System Security

However, without the evidence, how can we trace what was happening and how the system was compromised? That may cause the server to be intruded a second or maybe an nth time, until the sysadmin goes upside down.

Another thing I would like to criticize is their patching system; the patching process is definitely killing, ineffective and slow. You can't patch the standard applications manually: CPanel will replace them with its "clean" applications automatically and report your "patched" applications as serving a malicious purpose. If you, CPanel, really want to make the server secure, please patch the system or provide updates as soon as you have tested the available patches or updates; what happened in the past with the perl integer overflow that took so long to patch is what we don't like to see.

Whose fault is it when servers get compromised? May I bill you for my loss ?????

No cheers this time? CHEERS :)

Friday, March 24, 2006

Incident Handling: Analyzing IIS6 Log

This is one of the incident handling cases I have done recently; IPs and some info have been changed to protect the related parties.

Date: 20060312

User Domain: www.server.com

Server.com IP = 1.2.3.4

Hacker IP = 6.7.8.9

The client reported malicious files uploaded to his web space, such as

www.server.com/cgi-bin/cmd.exe
www.server.com/scripts/cmd.exe
www.server.com/scripts/cgitelnet.pl
www.server.com/scripts/NT.pl
www.server.com/scripts/win.pl

The first thing I decided to do was to go through the IIS6 logs, since that is clearly the place to look for signs of compromise. I compressed the web log under C:\Domains\server.com\logs\W3SVC5213.
I also compressed all the malicious files under the cgi-bin and scripts directories after checking their MAC times. You might say I shouldn't touch them, but since I had already noted down the MAC times, I just continued with my investigation.
The reason for compressing the logs is the lack of tools in Windows that do text processing well, so I decided to compress all the logs and do the log parsing on my Unix machine.
Since most of the malicious files have a timestamp of March 11, I started with the log for that date. I found z.asp, which seems malicious as it was uploaded through the images directory. I don't think people upload files with an asp extension to an images directory. That's fishy!!!!!

2006-03-11 21:16:34 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp action=cmd 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP - www.server.com 200 0 0 1053 350 562

Then I had to make a copy of the z.asp file to analyze. However, when it came to analyzing z.asp, I was stuck on its content. You may view the suppressed content here. Apparently it is encoded VBScript.


I wasn't giving up that way, and looked for any info regarding VBScript encoding. I found

http://www.microsoft.com/downloads/details.aspx?FamilyID=e7877f67-c447-4873-b1b0-21f0626a6329&displaylang=en

And with a colleague's help, I found the decoder at the link below and quickly downloaded it.

http://www.virtualconspiracy.com/index.php?page=/scrdec/intro


If you read the Microsoft link, it seems the encoding tool meant to counter hackers is being used to protect the hacker's own code. What a joke. That's what happens when tools fall into the hands of the wrong party.

To decode z.asp, I downloaded the decoder and ran

cmd>scrdec18.exe z.asp z.decode -dumb

After decoding it, I got the clear content of the VBScript, and understanding the code isn't too hard now. Here's part of the content ...


By now I understood the function of the VBScript. I needed to turn back to my log parsing to search for the names of the other tools that were uploaded through z.asp, since it provides such a function.

To filter the IIS6 logs on my Unix machine, I just run

shell>find ./ -type f -exec \
egrep -i 'CMD.EXE|NT.PL|cgitelnet.pl|win.pl|z.asp' '{}' \; \
-print > /nsm/WinIR_20060321/all_trace &

By now I have the hacker's footprints and know what he is doing. You can view part of the entries in the screenshot below; some interesting entries are

2006-03-11 21:17:08 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\ 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP - www.server.com 200 0 0 14121 536 968

2006-03-11 21:17:11 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\All%20Users 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP http://www.server.com/gallery/images/z.asp?raiz=C:\Documents%20And%20Settings\ www.server.com 200 0 0 11300 640 562

2006-03-11 21:17:14 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\All%20Users\Start%20Menu 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP http://www.server.com/gallery/images/z.asp?raiz=C:\Documents+And+Settings\All+Users www.server.com 200 0 0 10931 658 843

2006-03-11 21:17:16 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\All%20Users\Start%20Menu\Programs 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP http://www.server.com/gallery/images/z.asp?raiz=C:\Documents+And+Settings\All+Users\Start+Menu www.server.com 200 0 0 21882 678 1281

2006-03-11 21:17:37 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\All%20Users\Start%20Menu\Programs\Startup 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705;+.NET+CLR+2.0.50727) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP http://www.server.com/gallery/images/z.asp?raiz=C:\Documents+And+Settings\All+Users\Start+Menu\Programs www.server.com 200 0 0 6782 695 406

Here's part of the filtered logs.


However, it seems he/she had no success browsing directories other than the user directory, because of the permission settings. In the end he/she gave up, since he/she couldn't gain control of the whole system.

P/S: I use egrep with -i to ignore case, since it is a Windows log.
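As an added example (my own code, not from the post), here is the same filtering done in Python over the W3C extended format the entries above use: it honours the #Fields: directive IIS writes, matches the indicator names case-insensitively like the egrep above, groups hits by client IP with first/last seen, and decodes the raiz= directories the shell was asked to list. The log lines are constructed from the entries in the post, with the long User-Agent shortened.

```python
import urllib.parse
from collections import defaultdict

# Field order shown by the log lines in the post. A real IIS6 log carries a
# "#Fields:" directive, which is used in preference to this assumption.
DEFAULT_FIELDS = (
    "date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query "
    "s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) "
    "cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken"
).split()

# Filenames the client reported plus the web shell found in the log
INDICATORS = ("cmd.exe", "nt.pl", "cgitelnet.pl", "win.pl", "z.asp")


def parse_iis_log(text: str):
    """Yield one dict per request line of a W3C extended (IIS6) log."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):  # directives: #Software, #Version, #Date, #Fields
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        # IIS encodes spaces inside values as %20 or +, so a wrong field
        # count means the line itself is mangled; skip rather than misalign.
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def find_webshell_activity(text: str, indicators=INDICATORS) -> dict:
    """Group requests touching the indicator filenames by client IP.

    Matching is a case-insensitive substring test on the URI stem and
    query, the same thing egrep -i does, so Windows' case-insensitive
    paths (CMD.EXE vs cmd.exe) are caught either way.
    """
    activity = defaultdict(lambda: {"first": None, "last": None, "requests": 0, "dirs": []})
    for rec in parse_iis_log(text):
        haystack = (rec["cs-uri-stem"] + " " + rec["cs-uri-query"]).lower()
        if not any(ind in haystack for ind in indicators):
            continue
        entry = activity[rec["c-ip"]]
        stamp = f"{rec['date']} {rec['time']}"
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
        entry["requests"] += 1
        # parse_qs undoes the %20 / + encoding IIS applies to the query string,
        # giving the directory the shell's raiz= parameter pointed at.
        for directory in urllib.parse.parse_qs(rec["cs-uri-query"]).get("raiz", []):
            if directory not in entry["dirs"]:
                entry["dirs"].append(directory)
    return dict(activity)


# Constructed sample, modelled on the entries in the post (one benign request
# from another client added; User-Agent shortened so the lines stay readable).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-03-11 00:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2006-03-11 21:10:02 W3SVC5213 Server 1.2.3.4 GET /gallery/index.asp - 80 - 5.5.5.5 HTTP/1.1 Mozilla/4.0 - - www.server.com 200 0 0 5120 300 15
2006-03-11 21:16:34 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp action=cmd 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP - www.server.com 200 0 0 1053 350 562
2006-03-11 21:17:08 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\ 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP - www.server.com 200 0 0 14121 536 968
2006-03-11 21:17:11 W3SVC5213 Server 1.2.3.4 GET /gallery/images/z.asp raiz=C:\Documents%20And%20Settings\All%20Users 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONIDCARQRBDC=KAELDFGBBPCPAMAOCAFCHMEP http://www.server.com/gallery/images/z.asp?raiz=C:\Documents%20And%20Settings\ www.server.com 200 0 0 11300 640 562
2006-03-11 21:20:40 W3SVC5213 Server 1.2.3.4 GET /scripts/CMD.EXE /c+dir 80 - 6.7.8.9 HTTP/1.1 Mozilla/4.0 - - www.server.com 200 0 0 800 200 31
"""

if __name__ == "__main__":
    for ip, info in find_webshell_activity(SAMPLE_LOG).items():
        print(ip, info)
```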

Have fun with track and trace (:])

Thursday, March 23, 2006

Flowgrep on CentOS-4.2

Previously I had flowgrep installed on my CentOS 4.2 but had forgotten how I got it to work, so now I'm revisiting it and noting it down, so that I have my memory slots free for other stuff instead of remembering how to get flowgrep installed on CentOS. Here's how I got it done ...

First I downloaded all the files from here. Then it's just a normal rpm install,

shell>rpm -Uvh libnet-1.0.2-2.2.el4.rf.i386.rpm

shell>rpm -Uvh python-nids-0.5-2.2.el4.rf.i386.rpm

shell>rpm -Uvh flowgrep-0.8-1.2.el4.rf.noarch.rpm

Since I had libpcap installed previously, I don't need to install it here.

Cheers :]

P/S: I would like to blog about the recent incident handling, but blogspot keeps preventing me from posting screenshots, so I might do it later. Stay tuned ...

Tuesday, March 21, 2006

Fluxbox-0.9.15 Released

Again my favourite WM, Fluxbox, moves to the next level. You may find the changelog here

http://www.fluxbox.org/version-0.9.php

It is still in the devel phase, but you will find it very stable and fast. Check out another upcoming project, Knoppix-NSM, based on the Network Security Monitoring model, which uses Fluxbox as its window manager too. Thanks Richard for the link.

http://www.knoppix-nsm.dyndns.org/

I can't wait for its release .....

Cheers :)

Reverse Engineering

If you are studying or keen on the Art of Exploitation and Reverse Engineering, I bet these three sites might interest you; feel free to check them out, and they may help you improve your RE skillz. I'm not one who is into this kind of thing, but they should help people who really love RE.

http://www.rootkit.com/

http://www.openrce.org/about/

http://www.uninformed.org/


Enjoy :]

Sunday, March 19, 2006

Scapy: 3D Tracerouting

This serves as an update to my Scapy on FreeBSD installation guide. Though there's already a scapy port for FreeBSD, it is dated, and you might need to download the latest scapy to play with this new feature: 3D graphs for the traceroute function. You can just grab the latest scapy here -

http://www.secdev.org/projects/scapy/files/scapy.py

To enable the recently added functionality that lets you create a 3D graph of a traceroute like the one shown on Scapy's main page, you have to install boost-python and py24-visual.

Here's a quickie for it,

shell>pkg_add -vr boost-python

shell>pkg_add -vr py24-visual

I won't show how to generate the 3D graph here, since it is explained on the Scapy main site. Here are the screenshots,




I'm glad that Scapy keeps improving day by day. If you are really interested in Scapy, subscribe to the mailing list, and you will find yourself excited as more and more protocols are supported and added by the scapy community.

Enjoy (:])

Saturday, March 18, 2006

OpenBSD Sguil Doc

I have been receiving lots of emails about the Sguil setup on OpenBSD, even though I have written an installation guide and released the sguil vmware image. I'm looking forward to upgrading my installation guide with a better rewrite and improving the sguil vmware image as well. Though it is not easy to set up sguil on OpenBSD, I have also included the sguil installation script. I promise I will update the installation script too once OpenBSD 3.9 is shipped.

For anyone who has problems, please wait for OpenBSD 3.9, or run on OpenBSD 3.8 stable. The Mysql 5.0.18 port/package is available and eases your installation experience. I will try to create a port/package for mysqltcl when I have spare time.

Stay tuned.

(:])

FAUST - File Audit Security Toolkit

Faust is a perl script that helps to analyze files found after an intrusion or compromise. Its goal is not to do the analysis, but to extract the pieces of information into an html report that you will use afterwards in your analysis. This tool is seldom mentioned anywhere, but I would like to give it a try on my CentOS system. Faust requires certain dependencies, and I need to install them to get it running.

Installing its dependencies - ltrace and strace

shell>yum install ltrace
Setting up Install Process
Setting up repositories
update 100% |=========================| 951 B 00:00
base 100% |=========================| 1.1 kB 00:00
addons 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
primary.xml.gz 100% |=========================| 75 kB 00:04
update : ################################################## 185/185
Added 4 new packages, deleted 4 old in 0.82 seconds
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for ltrace to pack into transaction set.
ltrace-0.3.36-2.EL4.i386. 100% |=========================| 5.5 kB 00:00
---> Package ltrace.i386 0:0.3.36-2.EL4 set to be updated
--> Running transaction check

Dependencies Resolved

======================================================
Package Arch Version Repository Size
======================================================
Installing:
ltrace i386 0.3.36-2.EL4 base 72 k

Transaction Summary
======================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 72 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): ltrace-0.3.36-2.EL 100% |=========================| 72 kB 00:09
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: ltrace ######################### [1/1]

Installed: ltrace.i386 0:0.3.36-2.EL4
Complete!
[root@trinity FAUST-0.1.0rc2]# yum install strace
Setting up Install Process
Setting up repositories
update 100% |=========================| 951 B 00:00
base 100% |=========================| 1.1 kB 00:00
addons 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for strace to pack into transaction set.
strace-4.5.13-0.EL4.1.i38 100% |=========================| 12 kB 00:00
---> Package strace.i386 0:4.5.13-0.EL4.1 set to be updated
--> Running transaction check

Dependencies Resolved

======================================================
Package Arch Version Repository Size
======================================================
Installing:
strace i386 4.5.13-0.EL4.1 base 91 k

Transaction Summary
======================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 91 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): strace-4.5.13-0.EL 100% |=========================| 91 kB 00:04
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: strace ######################### [1/1]

Installed: strace.i386 0:4.5.13-0.EL4.1
Complete!

After all the dependencies needed by faust are installed, you have to tweak the paths of the binaries in faust.conf. I will show only the part I tweaked; I'm running CentOS 4.2.

file /usr/bin/file
objdump /usr/bin/objdump

strings /usr/bin/strings
readelf /usr/bin/readelf
ldd /usr/bin/ldd

nm /usr/bin/nm

ltrace /usr/bin/ltrace
strace /usr/bin/strace

md5sum /usr/bin/md5sum

#ps /bin/ps

#awk /bin/awk


Your config may vary; just define the paths properly and it's done. Now it's time to run faust.

shell>faust.pl -c faust.conf msggrep


Once it runs without errors, it generates an html file called msggrep-analysis.html along with its corresponding directory.

The generated html report needs modifying, since it shows the page with a black background and black text so we see nothing; just editing the bgcolor attribute will do. You may modify faust.pl instead, since that's easier for later runs.

body bgcolor="blue"

table cellspacing="2" bgcolor="white" border="0" cellpadding="0" width="100%"


table cellspacing="1" bgcolor="white" border="0" cellpadding="0" width="90%"


And don't forget to copy the faust.css file, since it is already referenced by the generated html file.

You can download faust at http://security-labs.org/index.php3?page=faust

Here's the output example -





Cheers :]

Extrusion Detection


I'm currently reading this book, written by Richard Bejtlich. I haven't finished reading it yet, but the book is promising. I have been practicing NSM for quite some time, and I believe it's the best model for a Network Security Analyst. NSM takes the "Zero Escaped" approach; it is possible to deploy NSM with commercial hardware/software, but if you are looking for an NSM suite, that must be Sguil, one powerful Open Source project that allows you to perform NSM operations. Check it out!

Back to the book: I found it mentioning Prelude-IDS. I use prelude-IDS for the fact that it allows me to collect host IDS logs (with samhain) and firewall logs rather than network IDS. Prelude-ids has stopped developing its own network IDS; instead you can compile snort with prelude support by passing --enable-prelude, since the developers of prelude-IDS believe that snort has already done a good job in NIDS and prelude-IDS takes another approach, which is an agent based system.

Another thing I would like to talk about is OpenBSD PF usage, especially when performing extrusion detection. One of my own war stories, from 2 years back: I had enabled logging on the network interface connected to the intranet on the OpenBSD router I set up for my friend's company network, which helps in collecting firewall logs to analyze. Another tool I use is pftop, the pf state viewer, which shows statistics and network flows in real time. My friend called me up to tell me that his whole network was screwed up and nobody could browse the internet. I quickly logged in to his router, checked the firewall log and launched pftop to monitor what was happening, and what surprised me was that two hosts were performing a denial of service as well as trying to connect to port 139 of every single host in the network, hitting host IPs from 1 to 255. I quickly went downtown and asked my friend to shut down all the hosts in the network, since I needed to collect volatile data from the two hosts spreading the malicious code before all the other hosts got infected. I collected the data, shut down those two hosts and resumed the network without delay. After that the network was working properly again, so I took my time to analyze those two machines and found something fishy in the registry. Pftop should be used for extrusion detection, for the fact that it helps when you feel something is wrong in your network and lets you see the traffic leaving your network on the fly.

Collecting full content data is expensive, especially when the network is a busy one. However, you can turn to collecting session data if you can't perform full content data logging. For this part I would like to ask something: is there a guideline for full content data logging, such as how much hard drive space we need for a 2Mb internet connection, how much for an 8Mb connection, and how long we can keep it? I'm looking forward to this type of guideline, which may help others deploy the NSM model, since this is great profiling to be done.

I will talk about the book later when I finish reading it. If you like this book as well as the ideas and concepts that Richard tries to deliver, you will enjoy reading his other book, The Tao of Network Security Monitoring: Beyond Intrusion Detection.

By reading Rich's book and blog, and through chat sessions with him on IRC, I have learned a lot about network security, from the essentials to advanced topics. I take this opportunity to say thanks again; I really appreciate it, as I always do.

Wednesday, March 15, 2006

Blogger - BANG!!!

Blogger.com is currently having an issue where I can't seem to upload screenshots. Hopefully it will be fixed as soon as possible, since I don't want to stop posting because of the problem. Be patient with me.

Cheers :)

Shell Programming Book again ...


To get yourself out of the Unix shell programming myth, this book is a must read: Unix Shell Programming. I'm currently reading it and finding that this book aims at simplicity for its audience. You don't have to go through the painful process of RTFM in order to understand and learn the basic commands and tools underlying a Unix system; the book covers most of them with very good examples. You will be very productive and handy working with Unix systems, since the book improves your understanding of how a Unix system works as well.

The authors of the book are Stephen and Patrick, both of them long time Unix l33ts.

Peace :)

Monday, March 13, 2006

Sguil Spawning

There are two projects that have spawned to enhance the Sguil experience. The first is instantNSM, which I have mentioned quite a few times; however, there are still not many people who know what instantNSM is, or even that it exists. Here I would like to emphasize this project again: if you feel that Sguil is hard to deploy because of the difficulty of getting all the components working properly, that's the main reason instantNSM is here, easing the installation and configuration of sguil so that a security analyst can start tinkering with sguil without much hassle in the deployment phase. Though it is Linux centric, Hanashi promises to add support for other OS platforms in the future.

Squert, the Simple Query and Report Tool for Sguil, aims to generate web based reports via a browser. It is useful when you don't have the sguil client installed but only a web browser, and it can give a quick overview and report to a sguil admin who doesn't have time to monitor events in real time. I haven't had time to try Squert yet, so not many comments about it, but I believe it should be useful and benefit Sguil users.

Here are the links to the two projects I mentioned; feel free to give them a try.

http://instantnsm.sourceforge.net/

http://squert.sourceforge.net/


Powered by Sguil the F8 Monkey (:])

Saturday, March 11, 2006

OpenBSD - Cooking FTP with WGET

Here's a little tip about the coexistence of the OpenBSD ftp client and wget: if you are downloading files using the OpenBSD ftp client and the connection breaks half way through, leaving smaller chunks of incomplete files on your system, you can use wget to resume the connection and continue downloading the incomplete files. Just use wget -c and you are done.


With wget you won't feel like shit when you have the intermittent connection offered by your ISP.

Cheers :)

CSI - Utilize Open Source

Watching my favourite show, CSI Miami, I always enjoy myself and feel attached when the CSI team performs a computer forensic investigation. The recent episode broadcast on Astro mentioned using an Open Source forensic tool, The Coroner's Toolkit (TCT), designed by Dan Farmer and Wietse Venema. One of the small utilities provided by TCT is grave-robber, the tool used to collect volatile data on a live system before taking it down, to ensure the system's integrity. It's always enjoyable to see an Open Source tool being used somewhere.

CSI uses Open Source, how about FBI :]

Tuesday, March 07, 2006

Firefox Ftp Plugin - FireFTP

I just came across this plugin, and I think this is a must for most desktop users out there. While most IE users can use drag and drop to upload or download through FTP, I think this might help desktop users who are not keen on the CLI and just use it as a tool for daily tasks. Hence this Firefox plugin suits all the users out there when they need to use ftp.

Here's the GUI of FireFTP -


You can download FireFTP here.

Enjoy :)

OpenBSD - AC

AC is the tool to count the connect time of specific users. It's really useful when we need to check whether a user has logged in and how long he or she was logged in to the terminal. I encourage people to look at the standard Unix tools when it comes to system monitoring, because those tools are available in every single Unix-like variant. Here's how I make use of ac.

Total time of user root at ttyp1

shell>ac -t ttyp1 root
total 61.48

Total time of user root at ttyp1, broken down by day (24-hour scale)

shell>ac -d -t ttyp1 root
Feb 22 total 10.12
Feb 23 total 37.19
Feb 24 total 14.18

Total time of all users

shell>ac -p
dummy 0.02
root 243.93
total 243.95

This is a quickie to help system administrators check on logged-in users easily.

Peace :]

Monday, March 06, 2006

OpenBSD - bzipx

Since OpenBSD's tar doesn't have the xvjf option to extract a tar.bz2 file, I suppose I should share my user-friendly bzipx script, which I wrote and cleaned up just today so that it works for all OpenBSD users as long as you have bzip2 installed. It is by no means perfect, but maybe it helps people who are too lazy to type long commands. Here's the script -

#!/bin/ksh

# Written by geek00L[20060223] - The easy bzip2 decompression script for OpenBSD
# Revision
# 20050306 - Improved error message handling as well as bzip2 checking

BZIP2=/usr/local/bin/bzip2

# bzip2 is not in the OpenBSD base system, it comes from ports/packages
if [ ! -x "$BZIP2" ]
then
    echo "bzip2 not found, please install it via ports/packages" >&2
    exit 1
fi

# Exactly one argument: the .tar.bz2 file to extract
if [ $# -ne 1 ]
then
    echo "Usage : $0 compressed_file" >&2
    exit 1
fi

Kompressed="$1"

if [ ! -f "$Kompressed" ]
then
    echo "$0: $Kompressed: no such file" >&2
    exit 1
fi

# Decompress to stdout and feed the plain tar stream to OpenBSD's tar
"$BZIP2" -d < "$Kompressed" | tar xvf -

To use it, just download the script and put it in /usr/local/bin; remember to chmod +x it :)

shell>bzipx
Usage : /usr/local/bin/bzipx compressed_file

Extracting the gaim source tarball .....

shell>bzipx gaim-1.5.0.tar.bz2
gaim-1.5.0
gaim-1.5.0/INSTALL
gaim-1.5.0/Makefile.in
gaim-1.5.0/gaim.desktop
gaim-1.5.0/ChangeLog
gaim-1.5.0/gaim.apspec.in
gaim-1.5.0/config.h.mingw
gaim-1.5.0/gaim.spec.in
gaim-1.5.0/install-sh
gaim-1.5.0/pixmaps
gaim-1.5.0/pixmaps/gaim_msgpend_16.ico
gaim-1.5.0/pixmaps/gaim_offline_16.ico
gaim-1.5.0/pixmaps/info.png
gaim-1.5.0/pixmaps/gaim_offline.ico
gaim-1.5.0/pixmaps/Makefile.in
gaim-1.5.0/pixmaps/send-im.png
gaim-1.5.0/pixmaps/gaim_msgunread_16.ico
gaim-1.5.0/pixmaps/msgpend.png
gaim-1.5.0/pixmaps/text_normal.png
gaim-1.5.0/pixmaps/tb_drag_arrow_right.xpm
gaim-1.5.0/pixmaps/gaim_offline_4bit_16.ico
gaim-1.5.0/pixmaps/gaim_warning.png
gaim-1.5.0/pixmaps/away.png
gaim-1.5.0/pixmaps/insert-smiley-small.png
gaim-1.5.0/pixmaps/text_smaller.png
...............
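The script above happily extracts whatever member names the archive carries. Below is an added example, not the bzipx script from this post, of the check I would want before unpacking a tarball fetched from somewhere I don't control: list the members first and refuse the archive if any name is absolute or contains a ".." component, since those can land files outside the extraction directory. It generalizes bzipx to .gz and plain .tar by picking the decompressor from the file extension, and it uses plain sh rather than ksh. The function names (tar_members_safe, decompressor, safe_extract) are my own.

```shell
#!/bin/sh
# Added example: extract a tarball only after checking its member names.
# Not part of the original bzipx script; function names are assumptions.

# tar_members_safe: read member names on stdin, return non-zero if any name
# is absolute or has a ".." path component (paths with spaces are not handled).
tar_members_safe() {
    awk '
        /^\//                                              { bad = 1 }
        /^\.\.$/ || /^\.\.\// || /\/\.\.\// || /\/\.\.$/   { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# decompressor: print the command that writes the plain tar stream to stdout,
# chosen from the extension (OpenBSD tar has no -j, so bzip2 is piped in).
decompressor() {
    case "$1" in
        *.tar.bz2|*.tbz2|*.tbz) echo "bzip2 -dc" ;;
        *.tar.gz|*.tgz)         echo "gzip -dc" ;;
        *.tar)                  echo "cat" ;;
        *)                      return 1 ;;
    esac
}

# safe_extract ARCHIVE [DIR]: list the members, extract only if the list is clean.
safe_extract() {
    archive=$1
    dest=${2:-.}
    [ -f "$archive" ] || { echo "safe_extract: $archive: no such file" >&2; return 1; }
    decomp=$(decompressor "$archive") || {
        echo "safe_extract: $archive: unsupported archive type" >&2; return 1; }
    # Two passes over the compressed stream; cheap next to a surprise in /etc
    if ! $decomp < "$archive" | tar tf - | tar_members_safe; then
        echo "safe_extract: refusing $archive, a member path escapes $dest" >&2
        return 2
    fi
    mkdir -p "$dest" || return 1
    $decomp < "$archive" | tar xf - -C "$dest"
}
```

Usage is `safe_extract gaim-1.5.0.tar.bz2 /usr/local/src`; the listing pass costs a second decompression of the archive, which is the price of not trusting member names from a file you did not create.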

That's all for now, enjoy :]

Sunday, March 05, 2006

Awk/Sed to Perl

When one of my pals asked whether there is a way to port an awk script to Perl, I remembered a tool I hadn't tried before that can convert awk scripts to Perl scripts, and yes, it is in the OpenBSD ports as well, so I quickly installed it and gave it a try.

A2P - Awk to Perl converter

I just wrote a simple awk filter to try it out, called awk-test

shell>cat awk-test

# Simple Awk filter to search for the non-numeric at first field of data

!/^[0-9]/{ print $1 }

Then this is the file I want to filter - datafile

shell>cat datafile
Bon Jovi 190
Lee 20
Ven 2000
Jack 100222
890 Lee

This is the result when I run the simple awk script against datafile.

shell>nawk -f awk-test datafile
Bon
Lee
Ven
Jack

Since it works, I then try a2p to convert it to Perl code.

shell>a2p awk-test
#!/usr/bin/perl
eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
if $running_under_some_shell;
# this emulates #! processing on NIH machines.
# (remove #! line above if indigestible)

eval '$'.$1.'$2;' while $ARGV[0] =~ /^([A-Za-z_0-9]+=)(.*)/ && shift;
# process any FOO=bar switches

$, = ' '; # set output field separator
$\ = "\n"; # set output record separator

while (<>) {
($Fld1) = split(' ', $_, 9999);
if (!/^[0-9]/) {
print $Fld1;
}
}

Once I have the output, I redirect it to aperl-test.

shell>a2p awk-test > aperl-test

shell>chmod +x aperl-test

Now I run the Perl script converted from awk, and it works :)

shell>./aperl-test datafile
Bon
Lee
Ven
Jack

Later I found out there's a sed to Perl converter too, and it's fun to check it out.

s2p - Sed to Perl Converter

shell>cat sed-test

# Simple Sed filter to search for : and replace with null globally
s/://g

I create the file called datafile2 to try out the filter.

shell>cat datafile2
Lee: 123
Tia: 456
Test: 789
god: 345
ghost: 098

I directly convert the sed script to a Perl script.

shell>s2p -f sed-test
#!/usr/bin/perl -w
eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
if 0;
$0 =~ s/^.*?(\w+)[\.\w+]*$/$1/;

use strict;
use Symbol;
use vars qw{ $isEOF $Hold %wFiles @Q $CondReg
$doAutoPrint $doOpenWrite $doPrint };
$doAutoPrint = 1;
$doOpenWrite = 1;
# prototypes
sub openARGV();
sub getsARGV(;\$);
sub eofARGV();
sub printQ();

# Run: the sed loop reading input and applying the script
#
sub Run(){
my( $h, $icnt, $s, $n );
# hack (not unbreakable :-/) to avoid // matching an empty string
my $z = "\000"; $z =~ /$z/;
# Initialize.
openARGV();
$Hold = '';
$CondReg = 0;
$doPrint = $doAutoPrint;
CYCLE:
while( getsARGV() ){
chomp();
$CondReg = 0; # cleared on t
BOS:;
# s/://g
{ $s = s /://sg;
$CondReg ||= $s;
}
EOS: if( $doPrint ){
print $_, "\n";
} else {
$doPrint = $doAutoPrint;
}
printQ() if @Q;
}

exit( 0 );
}
Run();

# openARGV: open 1st input file
#
sub openARGV(){
unshift( @ARGV, '-' ) unless @ARGV;
my $file = shift( @ARGV );
open( ARG, "<$file" )
|| die( "$0: can't open $file for reading ($!)\n" );
$isEOF = 0;
}

# getsARGV: Read another input line into argument (default: $_).
# Move on to next input file, and reset EOF flag $isEOF.
sub getsARGV(;\$){
my $argref = @_ ? shift() : \$_;
while( $isEOF || ! defined( $$argref = <ARG> ) ){
close( ARG );
return 0 unless @ARGV;
my $file = shift( @ARGV );
open( ARG, "<$file" )
|| die( "$0: can't open $file for reading ($!)\n" );
$isEOF = 0;
}
1;
}

# eofARGV: end-of-file test
#
sub eofARGV(){
return @ARGV == 0 && ( $isEOF = eof( ARG ) );
}

# makeHandle: Generates another file handle for some file (given by its path)
# to be written due to a w command or an s command's w flag.
sub makeHandle($){
my( $path ) = @_;
my $handle;
if( ! exists( $wFiles{$path} ) || $wFiles{$path} eq '' ){
$handle = $wFiles{$path} = gensym();
if( $doOpenWrite ){
if( ! open( $handle, ">$path" ) ){
die( "$0: can't open $path for writing: ($!)\n" );
}
}
} else {
$handle = $wFiles{$path};
}
return $handle;
}

# printQ: Print queued output which is either a string or a reference
# to a pathname.
sub printQ(){
for my $q ( @Q ){
if( ref( $q ) ){
# flush open w files so that reading this file gets it all
if( exists( $wFiles{$$q} ) && $wFiles{$$q} ne '' ){
open( $wFiles{$$q}, ">>$$q" );
}
# copy file to stdout: slow, but safe
if( open( RF, "<$$q" ) ){
while( defined( my $line = <RF> ) ){
print $line;
}
close( RF );
}
} else {
print $q;
}
}
undef( @Q );
}

Converting and writing the Perl code to sperl-test.

shell>s2p -f sed-test > sperl-test

shell>chmod +x sperl-test

Trying to run the converted Perl script against datafile2; it works, since all the colons are gone :)

shell> ./sperl-test datafile2
Lee 123
Tia 456
Test 789
god 345
ghost 098

Most code monkeys will write their own code, but tools like these are about easing the porting, especially for simple scripts where a rewrite would be overkill.

Cheers :]

Saturday, March 04, 2006

OpenBSD IPsec

These are two useful links regarding OpenBSD's VPN solution, IPsec, for anyone who is interested and would like to check out how to build a solid VPN solution with OpenBSD. If you want a quick setup, go to

http://www.securityfocus.com/infocus/1859

If you want a better understanding of how it works, go to

http://www.papamike.ca/tutorials/pub/obsd_ipsec.html

Have fun with VPN!!!!! :]

Friday, March 03, 2006

OpenBSD - fstat vs lsof

I'm an all-time lsof user when I need to list the files opened by the processes running on a system; however, when I installed lsof on OpenBSD and tried to run it, I got a really bad error - Segmentation fault (core dumped).

shell>pkg_add ${PKG_PATH}lsof-4.75p0

shell> lsof
Segmentation fault (core dumped)

Then I turned to fstat, the native tool that lists the open file handles of running processes. When I ran it against process ID 25166, it showed me the INUM (inode number) of each file together with its mount point. But it only shows the mount point the file lives under, not the actual path, just the inode number; here we see the advantage of lsof over fstat alone.

shell>fstat -p 25166
USER CMD PID FD MOUNT INUM MODE R/W DV|SZ
www httpd 25166 root /var 37892 drwxr-xr-x r 512
www httpd 25166 wd /var 37892 drwxr-xr-x r 512
www httpd 25166 0 / 1432 crw-rw-rw- r null
www httpd 25166 1 / 1432 crw-rw-rw- w null
www httpd 25166 2 /var 38655 -rw-r--r-- w 14472
www httpd 25166 3 /var 38657 -rw-r--r-- w 14993
www httpd 25166 4 / 1430 crw-rw-rw- rw crypto
www httpd 25166 15 /var 38655 -rw-r--r-- w 14472
www httpd 25166 16* internet stream tcp 0xd3ae6000 *:80
www httpd 25166 17 /var 38656 -rw-r--r-- w 13091

How am I going to locate the inode? Maybe I could use icat or ils from the Sleuth Kit, but doesn't it sound like overkill to locate an open file with a forensic tool? I quickly checked the OpenBSD man pages and luckily found this native tool in OpenBSD - ncheck_ffs. ncheck_ffs is used to generate file names from inode numbers.

If I just want a quick check on process 25166 and, for example, one of its inode numbers is 37892, then since my /var is mounted from /dev/wd0e, I can just run.

shell>ncheck -i 37892 /dev/wd0e
/dev/rwd0e:
37892 /www/.

However that's not effective, since I have to check each inode manually, and it's time consuming for a single process with lots of inodes to locate. Then I thought of a better idea: generate all the file names with their inode numbers using ncheck_ffs so that I can reference them later. But before that I need to identify my filesystems by checking /etc/fstab or using df.

shell>df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 245M 34.8M 198M 15% /
/dev/wd0g 145M 2.0K 138M 0% /home
/dev/wd0h 3.6G 1.2G 2.2G 35% /nsm
/dev/wd0d 245M 2.0K 233M 0% /tmp
/dev/wd0f 2.5G 1013M 1.3G 42% /usr
/dev/wd0e 1008M 8.2M 949M 1% /var

Creating a directory to store all the inode reference files

shell>mkdir /nsm/ALLINODE

Generate file names with their inode numbers for all filesystems.

shell>ncheck -m /dev/wd0a > /nsm/ALLINODE/root_inode
shell>ncheck -m /dev/wd0d > /nsm/ALLINODE/tmp_inode
shell>ncheck -m /dev/wd0e > /nsm/ALLINODE/var_inode
shell>ncheck -m /dev/wd0f > /nsm/ALLINODE/home_inode
shell>ncheck -m /dev/wd0g > /nsm/ALLINODE/usr_inode
shell>ncheck -m /dev/wd0h > /nsm/ALLINODE/nsm_inode

shell>cd /nsm/ALLINODE/

shell>cat root_inode tmp_inode var_inode \
home_inode usr_inode nsm_inode > all_inode

I now have all the inode numbers with their file names in all_inode, and I can refer back to it later. To ease my work, I decided to write a quick script to check on a process, as I hate doing the same thing again and again. I named my script iREFERENCE.sh; below is its content.

##################Script Starts#####################

#!/bin/ksh

# Fstat Enhanced Script to view the file with it's correlated inode
# Written by geek00L[20060302]

INODEDIR=/nsm/ALLINODE
IRF=$INODEDIR/irf.sys
fstatmp=/nsm/fstat_tmp

# Creating Inode Reference File (only when it is missing or empty)

if [[ -s $IRF ]];
then
    print "\nInode reference file exists!!!!! Continue checking process\n"
else
    mkdir -p $INODEDIR
    # one ncheck_ffs listing per filesystem, see df -h for the device list
    ncheck -m /dev/wd0a > $INODEDIR/root_inode
    ncheck -m /dev/wd0d > $INODEDIR/tmp_inode
    ncheck -m /dev/wd0e > $INODEDIR/var_inode
    ncheck -m /dev/wd0f > $INODEDIR/home_inode
    ncheck -m /dev/wd0g > $INODEDIR/usr_inode
    ncheck -m /dev/wd0h > $INODEDIR/nsm_inode
    cd $INODEDIR
    cat root_inode tmp_inode var_inode home_inode usr_inode nsm_inode \
        > all_inode
    # keep only the inode number and the path
    nawk '{ print $8, $9 }' all_inode > $IRF
fi

ps auxww | nawk '{ print $1, $2, $11 }'
echo "Which process you want to check it's listed open file?"
read process

# accept digits only, the PID goes straight into fstat and into a file name
case $process in
*[!0-9]*|"") echo "Invalid process ID: $process" >&2; exit 1 ;;
esac

if [[ -x /usr/bin/fstat ]];
then
    # column 6 of fstat output is INUM; sockets have no inode and are skipped
    fstat -p $process | nawk '{ print $6 }' | egrep '^[0-9]' > $fstatmp
else
    echo "fstat not found in /usr/bin" >&2
    exit 1
fi

# start from an empty result file so that repeated runs don't append stale lines
: > /nsm/fstat_$process

for i in $(cat $fstatmp);
do
    grep "^$i " $IRF >> /nsm/fstat_$process
done

echo "The open files by the specified process is stored in /nsm/fstat_$process."

##################Script Ends#####################

To use the script,

shell>./iREFERENCE.sh

Inode reference file exists!!!!! Continue checking process

USER PID COMMAND
root 1 /sbin/init
root 11508 syslogd:
_syslogd 32431 syslogd
root 18993 pflogd:
_pflogd 31619 pflogd:
www 4185 httpd:
root 13732 sendmail:
www 8854 httpd:
www 25166 httpd:
www 13886 httpd:
www 31657 httpd:
www 3031 httpd:
root 14993 /usr/sbin/sshd
root 14660 cron
root 32610 sshd:
root 7535 sshd:
root 3563 /bin/ksh
root 15570 -ksh
root 10236 -ksh
root 8500 /bin/ksh
root 6397 /bin/ksh
root 29120 ps
root 15303 -ksh
root 12908 script
root 485 script
root 31694 /usr/libexec/getty
root 8702 /usr/libexec/getty
root 5759 /usr/libexec/getty
root 6144 /usr/libexec/getty

Which process you want to check it's listed open file?
25166

The open files by the specified process is stored in /nsm/fstat_25166.

shell> cat /nsm/fstat_25166
37892 /www/.
37892 /lib/apache/modules/.
37892 /www/.
37892 /lib/apache/modules/.
1432 /dev/null
1432 /dev/null
38655 /www/logs/error_log
38657 /www/logs/access_log
1430 /dev/crypto
38655 /www/logs/error_log
38656 /www/logs/ssl_engine_log

Remember that /var is not shown, because ncheck_ffs does not print the mount point, and I left out the / reference inode by not using the -a option when generating the inode lists. / always has inode 2, so we can just ignore it. If you are not sure where the parent directory of a file is, the find command is your friend, or you can just run fstat -p again to check the mount point and it will be revealed anyway. This script is only applicable to OpenBSD; I haven't tried it on other OSes, and you are free to use and modify it. Again, I will upload the script to my dissectible.org site.
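The duplicated 37892 lines in /nsm/fstat_25166 show the weak point of a flat all_inode file: inode numbers are only unique within one filesystem, so the /var inode 37892 (/www/.) and an inode 37892 on another filesystem (/lib/apache/modules/.) both match. The added example below, which is not the iREFERENCE.sh from this post, keeps the mount point that fstat already prints and joins on (mount, inode) instead of inode alone, so each descriptor resolves to exactly one path, and an inode missing from the map is shown as "?" rather than silently dropped (a file created after the map was built is exactly the one an investigator wants to notice). The fstat lines are taken from the post's own output; the inode map is constructed, in a "mount inode path" format that I assume you would build by prefixing each ncheck_ffs listing with its mount point. Function and variable names are my own.

```shell
#!/bin/sh
# Added example: resolve fstat INUMs to paths keyed on (mount point, inode).
# Not the blog's iREFERENCE.sh; the map format and function name are assumptions.

# Constructed sample: fstat -p output for httpd 25166, as shown in the post,
# plus fd 3 (38657) which is deliberately left out of the map below.
FSTAT_SAMPLE='USER CMD PID FD MOUNT INUM MODE R/W DV|SZ
www httpd 25166 root /var 37892 drwxr-xr-x r 512
www httpd 25166 wd /var 37892 drwxr-xr-x r 512
www httpd 25166 0 / 1432 crw-rw-rw- r null
www httpd 25166 2 /var 38655 -rw-r--r-- w 14472
www httpd 25166 3 /var 38657 -rw-r--r-- w 14993
www httpd 25166 4 / 1430 crw-rw-rw- rw crypto
www httpd 25166 16* internet stream tcp 0xd3ae6000 *:80
www httpd 25166 17 /var 38656 -rw-r--r-- w 13091'

# Constructed inode map, "mount inode path", one ncheck_ffs listing per
# filesystem prefixed with its mount point. Note the colliding inode 37892.
INODE_MAP='/var 37892 /www/.
/usr 37892 /lib/apache/modules/.
/ 1432 /dev/null
/ 1430 /dev/crypto
/var 38655 /www/logs/error_log
/var 38656 /www/logs/ssl_engine_log'

# resolve_open_files MAP: read fstat output on stdin and print
# "fd mount inode fullpath" per descriptor; sockets (no mount) are skipped,
# inodes absent from MAP are printed with "?" as the path.
resolve_open_files() {
    map=$1
    awk -v map="$map" '
        BEGIN {
            n = split(map, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                path[f[1] SUBSEP f[2]] = f[3]    # key = mount + inode
            }
        }
        NR == 1 && $1 == "USER" { next }        # header line
        $5 !~ /^\// { next }                    # socket or pipe: no mount point
        {
            mnt = $5
            key = mnt SUBSEP $6
            if (key in path) {
                p = path[key]
                full = (mnt == "/") ? p : mnt p  # avoid "//dev/null" for root
            } else {
                full = "?"
            }
            print $4, mnt, $6, full
        }
    '
}

# Stand-alone run: resolve the sample against the sample map
printf '%s\n' "$FSTAT_SAMPLE" | resolve_open_files "$INODE_MAP"
```

On a live OpenBSD box you would feed `fstat -p PID` into resolve_open_files and build the map once per filesystem; paths containing spaces are not handled by the whitespace split, which is acceptable for a base-system inventory but worth knowing before pointing it at /home.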

Wednesday, March 01, 2006

IPCop - Solid Firewall

IPCop is a Linux-based firewall distro; the impressive part is the set of features IPCop offers and the community's efforts to make it a completely solid firewalling solution.

A few days ago my friend asked me how to do Layer 7 filtering, or what he calls application layer filtering. This feature doesn't seem to be available in OpenBSD PF, although you can hook Snort2C into PF or use Squid as a proxy for control; what he meant was total Layer 7 filtering, such as blocking BitTorrent, P2P or any other kind of application traffic. I quickly checked Netfilter and found that Layer 7 filtering is possible with iptables, but it needs things to be recompiled. Since I'm too lazy to install a Linux system and recompile, I remembered a distro called IPCop, which I tried years back and which might offer Layer 7 filtering; apart from that, I also wanted to see how far IPCop has progressed.

After downloading IPCop, which is around 42MB, I burned the ISO and installed it. Installation is a breeze: it completed in 3 minutes after answering a few questions, and you are done.

Installation is fast!!!!!

Now that I have it installed, the next thing I did was log in to IPCop's web control panel to try out its features. I like the way it organizes things, all in proper order and categories. The status tab has all the system information, including the traffic graph. You can monitor the system's activity by browsing through the tab.

System Information

Traffic Graph for the NIC .....

Since I'm more concerned about Layer 7 filtering and found nothing much about it in the initial installation, I looked further and found that there are official extra addon modules for IPCop. I downloaded L7-filter, p2pblock and qos and installed them through the ssh CLI. That's all IPCop needs to enable Layer 7 filtering. Once the installation was done, I found QoS and P2PBlock in the service tab, where I can specify what kind of Layer 7 traffic I want to filter.

Applying Layer 7 filtering on chosen NIC

P2Pblock module is real cool

Since I'm not really sure whether it is applied properly just by clicking in the web GUI (I'm more of a CLI person), I ran the iptables command to check whether the rules were applied correctly.

shell>iptables -L P2PBLOCK_FORWARD -v

Below is the output of the iptables P2PBLOCK_FORWARD chain.



Not only does it offer Layer 7 filtering capabilities; I also downloaded and installed the IDScontrol module, and then I have intrusion detection on my IPCop directly. The best part is that I can download and update Snort rules with just a few clicks. A Snortalog module is available too, but I don't show it here.

IDScontrol for IpCOP, the snort rule management interface

Then, if anyone is interested in OpenVPN, there's an unofficial module available. OpenVPN is always my first choice of VPN solution and I'm glad it works on IPCop.

OpenVPN Configuration Interface

I don't have many complaints about IPCop; the way they put it all together is well maintained, and I hope this project keeps growing to become one of the best enterprise-grade firewalls, even though I know they already are.

Have fun with IPCop - The Bad Packets Stop HERE!!!!!