Friday, May 25, 2007

rsync copy

It is pretty annoying when I want to know the progress of a file copy and can't see it with the cp command. Hence I prefer to use rsync for this purpose, while most people usually use rsync for backups.

shell>rsync --progress -v ./dirty.pcap i-Pcaps/

dirty.pcap
520535973 100% 7.79MB/s 0:01:03 (xfer#1, to-check=0/1)

sent 520599601 bytes received 42 bytes 8071312.29 bytes/sec
total size is 520535973 speedup is 1.00

Not only can you see the progress, but also the elapsed time and the transfer rate. Don't you think it is lovely?
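The progress line tells you the copy is moving, but for evidence files such as a pcap the check you really want afterwards is that the destination is bit-for-bit identical to the source. The following is an added example (not from the original post, and not rsync's own code) that does a chunked copy with the same kind of progress display and then compares SHA-256 hashes of source and destination. The sample file it creates (a few MiB of random bytes standing in for dirty.pcap) is constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so a large pcap never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def copy_with_progress(src, dst, chunk=1 << 20, report=None):
    """Copy src to dst in chunks, calling report(done, total) after each chunk.

    The source is hashed while it is being read; the destination is hashed
    again from disk after an fsync, so "ok" means the bytes that actually
    landed on disk match what was read, not merely that the write calls
    returned without error.
    """
    total = os.path.getsize(src)
    done = 0
    src_hash = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            fout.write(block)
            src_hash.update(block)
            done += len(block)
            if report:
                report(done, total)
        fout.flush()
        os.fsync(fout.fileno())  # force the data to disk before re-reading it
    dst_digest = sha256_of(dst)
    return {
        "bytes": done,
        "src_sha256": src_hash.hexdigest(),
        "dst_sha256": dst_digest,
        "ok": src_hash.hexdigest() == dst_digest,
    }


def print_progress(done, total):
    """Single updating line, similar in spirit to rsync --progress."""
    pct = 100.0 * done / total if total else 100.0
    print(f"\r{done:>12d} {pct:6.2f}%", end="", flush=True)


def run_demo(size=3 * 1024 * 1024):
    """Constructed input: a random file standing in for dirty.pcap, copied
    into a temporary directory; returns the copy result plus the source size."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "dirty.pcap")
        with open(src, "wb") as f:
            f.write(os.urandom(size))
        result = copy_with_progress(src, os.path.join(d, "dirty-copy.pcap"),
                                    report=print_progress)
        result["size"] = os.path.getsize(src)
        return result


if __name__ == "__main__":
    r = run_demo()
    print(f"\ncopied {r['bytes']} bytes, sha256 {r['src_sha256'][:16]}..., match={r['ok']}")
```

Record the source hash alongside the copy; it is what lets you prove later that the pcap you analysed is the one you collected.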

Enjoy ;]

Wednesday, May 23, 2007

Nepenthes: Disable Modules

I have been mentioning nepenthes (a low-interaction honeypot that collects malware by emulating vulnerable services), and it is pretty easy to turn its modules (the emulated vulnerable services) on or off. I don't want my nepenthes to listen on port 80 as I need port 80 for another application. The only non-obvious step is finding out which module owns the port -

shell>grep '"80"' /etc/nepenthes/*.conf
/etc/nepenthes/log-surfnet.conf: "80",
/etc/nepenthes/vuln-asn1.conf: iisport "80";

The hit in log-surfnet.conf belongs to a logging module, not a listener; the module that actually binds port 80 is vuln-asn1, whose emulated IIS port (iisport) is 80. Thus I just comment that module out in the nepenthes core configuration file, /etc/nepenthes/nepenthes.conf, and restart nepenthes -

// "vulnasn1.so", "vuln-asn1.conf", ""

Pretty quick, isn't it? After the restart, check that nothing is bound to port 80 anymore (netstat -ln or similar) before starting the other application. I have noted it down here because my memory fails me sometimes.
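Editing the module list by hand is fine for one module, but it is easy to comment out the wrong line or to forget which modules are still active. The following is an added example, not part of the original post or of nepenthes itself, that toggles a module entry in a nepenthes.conf-style modules block and lists what remains enabled. The configuration excerpt is constructed for the demo and only follows the `"module.so", "module.conf", ""` line shape seen above; the real shipped file has more entries and comments.

```python
import re

# Constructed excerpt in the style of the modules block in nepenthes.conf
# (not the real shipped file): one module per line, // comments a line out.
SAMPLE_CONF = """\
modules (
    "vulnasn1.so",      "vuln-asn1.conf",      ""
    "vulndcom.so",      "vuln-dcom.conf",      ""
    "vulnlsass.so",     "vuln-lsass.conf",     ""
    "logsurfnet.so",    "log-surfnet.conf",    ""
);
"""

# indent, optional "//" comment marker, then the entry starting with "name.so"
MODULE_LINE = re.compile(r'^(\s*)(//\s*)?("(?P<so>[A-Za-z0-9_.-]+\.so)",.*)$')


def enabled_modules(conf_text):
    """Return the .so names whose line is not commented out with //."""
    out = []
    for line in conf_text.splitlines():
        m = MODULE_LINE.match(line)
        if m and not m.group(2):
            out.append(m.group("so"))
    return out


def set_module(conf_text, so_name, enabled):
    """Comment out (enabled=False) or restore (enabled=True) the line that
    loads so_name. Other lines, including whitespace, are left untouched, so
    the operation is idempotent and reversible."""
    lines = []
    for line in conf_text.splitlines(keepends=True):
        m = MODULE_LINE.match(line.rstrip("\n"))
        if m and m.group("so") == so_name:
            indent, commented, body = m.group(1), m.group(2), m.group(3)
            if enabled and commented:
                line = f"{indent}{body}\n"
            elif not enabled and not commented:
                line = f"{indent}// {body}\n"
        lines.append(line)
    return "".join(lines)


if __name__ == "__main__":
    print("before:", enabled_modules(SAMPLE_CONF))
    after = set_module(SAMPLE_CONF, "vulnasn1.so", enabled=False)
    print("after: ", enabled_modules(after))
    print(after)
```

Run enabled_modules over the real file after editing and compare it with what netstat shows listening once nepenthes has been restarted; a module that is still listed as enabled but bound to a port you need is the one to look at next.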

Peace ;]

Monday, May 21, 2007

At last .....

I can't resist posting this even though it has nothing to do with computer security, but hey, it is one of the best strategy games ever and I loved it when I was young. I'm wondering whether the release of this game will suck my time away.



I bet most of you won't have forgotten this tactical game, which requires a lot of offensive and defensive play to turn a game around. Hopefully Blizzard will make it successful again. It's been about 10 years now ..... since 1997.

Rock & Roll ....

Enjoy (;])

Saturday, May 19, 2007

Argus 3.0: Cisco Netflow

Cisco NetFlow was originally invented as a flow cache to speed up packet switching, but it has turned out to be very useful in other areas today. One field I am interested in is examining network flow data to track malicious events, but you are free to do any kind of interesting research with NetFlow data in hand.

Cisco has improved and added new features to its IOS, and I have found a few new NetFlow features that look pretty interesting, letting you capture more useful information. The most commonly used NetFlow version is 5. I would like to try out version 9 (shiny? If any of you use version 9, I would like to hear from you), however argus doesn't recognise NetFlow version 9 yet, so I stick with the solid version 5. So here I start to export Cisco NetFlow data to the argus collector. Logged in to the Cisco router, I run the following commands, which add packet length, TTL, ICMP type/code and IP ID to the flow cache -

ios#config t
ios(config)#ip flow-capture packet-length
ios(config)#ip flow-capture ttl
ios(config)#ip flow-capture icmp
ios(config)#ip flow-capture ip-id

One caveat: the version 5 record format is fixed and has no fields for those extra values, so they only appear in the router's own cache (show ip cache verbose flow); getting them to a collector requires version 9 export. I choose to export NetFlow version 5 data to my argus collector (192.168.0.55) on UDP port 9996, using GigabitEthernet 0/0 as the source interface of the export packets. ip flow-top-talkers is optional and only needed for show ip flow top-talkers on the router itself.

ios(config)#ip flow-export source GigabitEthernet0/0
ios(config)#ip flow-export version 5
ios(config)#ip flow-export destination 192.168.0.55 9996
ios(config)#ip flow-top-talkers
ios(config)#interface GigabitEthernet 0/0

Enable it on interface GigabitEthernet 0/0 for both ingress and egress flows -

ios(config-if)#ip route-cache flow
ios(config-if)#ip flow ingress
ios(config-if)#ip flow egress
Ctrl+z

Save it to survive reboot -

ios#copy run start

Once the Cisco router configuration is done, I log in to my argus collector and run the following -

shell>rasplit -CS 9996 -M time 60m -n \
-w /nsm/argus/log/Net-DMZ/%Y/%m/%d/argus_%H:%M:%S

rasplit is one of the argus client tools; it splits its output into consecutive sections of records based on different criteria. -C tells it that the source is Cisco NetFlow rather than an argus sensor and -S 9996 makes it read the NetFlow datagrams arriving on port 9996; -n keeps addresses and ports numeric. The interesting part is that it splits the data hourly (-M time 60m) and writes each piece to the directory for its date, with the file name taken from the hour it covers.

To read the NetFlow data, just change to the directory /nsm/argus/log/Net-DMZ/2007/05/19 (as of today) and read the files there with ra or racluster.
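Before trusting what the collector writes out, it is worth being able to look at the raw export datagrams the router sends to port 9996, and to recognise immediately when a router has been switched to version 9 (which, as noted above, argus does not read). The following is an added example (not from the original post, and not argus or Cisco code) that decodes a NetFlow version 5 export datagram field by field from its fixed layout: a 24-byte header followed by up to 30 records of 48 bytes each. The flows in SAMPLE are constructed for the demo; build_v5 exists only to produce that sample input, since a router would normally do the encoding.

```python
import socket
import struct
from datetime import datetime, timezone

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes, network order
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow
HEADER_FIELDS = ("version", "count", "sys_uptime_ms", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input_if", "output_if",
                 "packets", "octets", "first_ms", "last_ms", "srcport", "dstport",
                 "pad1", "tcp_flags", "proto", "tos", "src_as", "dst_as",
                 "src_mask", "dst_mask", "pad2")
ADDR_FIELDS = ("srcaddr", "dstaddr", "nexthop")


def export_version(datagram):
    """Version field of any NetFlow export datagram (first two bytes)."""
    return struct.unpack_from("!H", datagram, 0)[0]


def parse_v5(datagram):
    """Decode one v5 datagram into (header dict, list of record dicts).

    Raises ValueError for anything that is not well-formed v5, including v9,
    whose template-based records cannot be decoded with fixed offsets.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version field = {hdr['version']})")
    if not 1 <= hdr["count"] <= 30:
        raise ValueError(f"bad record count {hdr['count']}")
    expected = V5_HEADER.size + hdr["count"] * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != expected {expected}")
    # first/last are router uptime in ms; anchor them to wall clock via the header
    boot = hdr["unix_secs"] + hdr["unix_nsecs"] / 1e9 - hdr["sys_uptime_ms"] / 1e3
    records = []
    for i in range(hdr["count"]):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        r = dict(zip(RECORD_FIELDS, raw))
        for k in ADDR_FIELDS:
            r[k] = socket.inet_ntoa(r[k])
        r["start"] = datetime.fromtimestamp(boot + r["first_ms"] / 1e3, timezone.utc)
        r["end"] = datetime.fromtimestamp(boot + r["last_ms"] / 1e3, timezone.utc)
        records.append(r)
    return hdr, records


def build_v5(records, uptime_ms=600000, unix_secs=1179532800, seq=0):
    """Encode record dicts (RECORD_FIELDS keys, missing ones zero) as v5.
    Used only to construct sample input here. unix_secs is 2007-05-19 00:00 UTC."""
    hdr = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b""
    for r in records:
        vals = [socket.inet_aton(r.get(k, "0.0.0.0")) if k in ADDR_FIELDS else r.get(k, 0)
                for k in RECORD_FIELDS]
        body += V5_RECORD.pack(*vals)
    return hdr + body


# Constructed sample: a SYN-only probe to 445/tcp, then a single DNS query.
SAMPLE = build_v5([
    dict(srcaddr="10.0.0.23", dstaddr="192.168.0.10", packets=3, octets=180,
         first_ms=590000, last_ms=595000, srcport=3456, dstport=445, tcp_flags=0x02, proto=6),
    dict(srcaddr="192.168.0.10", dstaddr="192.168.0.1", packets=1, octets=73,
         first_ms=598000, last_ms=598000, srcport=1025, dstport=53, proto=17),
])
# Constructed v9-style datagram (version field 9): the error case the text mentions.
SAMPLE_V9 = V5_HEADER.pack(9, 1, 600000, 1179532800, 0, 0, 0, 0, 0) + bytes(48)


def summarize(datagram):
    """One line per flow, the way you would eyeball it before trusting a collector."""
    _, recs = parse_v5(datagram)
    return [f"{r['start']:%H:%M:%S} {r['proto']:>3} {r['srcaddr']}:{r['srcport']} -> "
            f"{r['dstaddr']}:{r['dstport']} pkts={r['packets']} bytes={r['octets']} "
            f"flags=0x{r['tcp_flags']:02x}" for r in recs]


def listen(port=9996, max_datagrams=1):
    """Receive export datagrams on the UDP port the router was told to use and
    yield (peer, (header, records)); a v9 export surfaces as a ValueError."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("", port))
    for _ in range(max_datagrams):
        data, peer = s.recvfrom(65535)
        yield peer, parse_v5(data)


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Run listen() on the collector with rasplit stopped (only one process can bind the port) to confirm the router is exporting what you think it is; the flow_sequence field in the header is also the quickest way to spot dropped export datagrams between router and collector.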

All for now, have fun with the flow!

Cheers (;])

Tuesday, May 15, 2007

Graphing with rrdtool

RRDtool is widely used today for network-based graphing. If you want to learn how to use rrdtool to create graphs, here are some very good tutorials I have found -

http://www.cuddletech.com/articles/rrd/rrdintro.pdf


http://merlin.com.ua/doc/rrd/tutorial/


http://www.study-area.org/tips/rrdtool/rrdtool.html

Or you can find all the tutorials available on the RRDtool website -

http://oss.oetiker.ch/rrdtool/tut/index.en.html


Cheers ;]

Saturday, May 12, 2007

SpyBye

Thanks to Adli, who told me about SpyBye (a malware-hunting proxy) developed by Niels Provos (the Honeyd guy); you can find it here -

http://www.spybye.org/


Getting it installed is pretty straightforward. The first thing I did was run it with -h (I always try -h on a new command line tool first; habit sometimes kills :P) -

shell>./spybye -h
./spybye: invalid option -- h
./spybye: [-P] [-p port] [-g good] [-b bad]
-P disable private IP check; allows the proxy to fetch 127/8
-g good_patterns a file or url containing the good patterns
-b bad_patterns a file or url containing the danger patterns
for documentation of all options consult the man page

Starting it up -

shell>/usr/local/stow/spybye-0.2/bin $ ./spybye

SpyBye 0.2 starting up ...
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************
Loaded 108322 signatures
Virus scanning enabled
Report sharing enabled.
Making connection to www.monkey.org:80 for /~provos/good_patterns
Received 529 bytes from http://www.monkey.org/~provos/good_patterns
Added 30 good patterns
Making connection to www.monkey.org:80 for /~provos/bad_patterns
Received 3332 bytes from http://www.monkey.org/~provos/bad_patterns
Added 205 bad patterns
Starting web server on port 8080
Configure your browser to use this server as proxy.

I configured my browser manually to point to the local proxy (you can do it easily with SwitchProxy on Firefox) and started browsing the milw0rm site -

Making connection to 213.150.45.196:80
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://spybye.org/styles/css
Caching 37418 bytes for http://www.milw0rm.com (unknown)
Virus scanned 37418 bytes; result: clean
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://www.milw0rm.com/milw0rm.css (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 213.150.45.196:80
Received request for http://spybye.org/styles/css
Caching 2348 bytes for http://www.milw0rm.com/milw0rm.css (harmless)
Virus scanned 2348 bytes; result: clean
Received request for http://www.milw0rm.com/images/dot.gif (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 213.150.45.196:80
Received request for http://www.milw0rm.com/images/milw0rm-wi.jpg (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 213.150.45.196:80
Received request for http://ypn-js.overture.com/partner/js/ypn.js (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 72.30.33.29:80
Caching 804 bytes for http://www.milw0rm.com/images/dot.gif (harmless)
Virus scanned 804 bytes; result: clean
Caching 7038 bytes for http://ypn-js.overture.com/partner/js/ypn.js (unknown)
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://spybye.org/styles/css
Virus scanned 7038 bytes; result: clean
Received request for http://ypn-js.overture.com/d/search/p/ypn/jsads/?Partner=9308575640&adwd=468&adht=60&ctxtUrl=http%3A//spybye.org/%3Furl%3Dwww.milw0rm.com&bg=000000&bc=000000&cc=141414&lc=00c000&tc=FFFFFF&uc=00c000&du=1&cb=1177662499468 (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 72.30.33.29:80
Caching 2713 bytes for http://ypn-js.overture.com/d/search/p/ypn/jsads/?Partner=9308575640&adwd=468&adht=60&ctxtUrl=http%3A//spybye.org/%3Furl%3Dwww.milw0rm.com&bg=000000&bc=000000&cc=141414&lc=00c000&tc=FFFFFF&uc=00c000&du=1&cb=1177662499468 (unknown)
Virus scanned 2713 bytes; result: clean
Expiring dns entry for ypn-js.overture.com
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://spybye.org/styles/css
Caching 44225 bytes for http://www.milw0rm.com/images/milw0rm-wi.jpg (harmless)
Virus scanned 44225 bytes; result: clean

Interesting that it is reported as clean, but relying on ClamAV alone is not a perfect solution; it is just the only open source antivirus engine available. I have a lot of malware collected from my nepenthes honeypot that it does not recognise as malware. Anyway, SpyBye is an interesting piece of software and you should use it if you suspect that your site contains malware. It can be used as a quick examination tool.

If you are interested in what Niels has done, including his contributions, check out -

http://www.citi.umich.edu/u/provos/

Enjoy ;]

raWPacket Sig and .....


The site is not online yet but hopefully will be soon. I'm currently working with a few guys to get it up and running. Its purpose is to create a signature repository for "not so popular or well known" network security tools such as tcpxtract, pads and fl0p (these are the three currently in my mind), and to provide signature updates for them. Hopefully with this kind of effort we can increase the momentum of these tools' usage.

When the site goes live, anyone is free to contribute signatures and we won't take over the ownership of your signatures; credit is assured.

If you have some in-house signatures that you have written previously and they are not bound by any legal restriction, I do wish you would share them with the community. All the signatures will be included in the raWPacket LiveCD so that any analyst can easily access them and perform analysis directly.

It seems I'm trying to deliver a full suite of utilities (LiveCD, books) for network security analysts, and yes I am. I promise I will build a CD/DVD containing pcap data from OpenPacket once it goes live too, so that anyone is free to learn from the network data with the tools in the LiveCD and the Network Security Analyst Handbook that comes along as reference.

More to come but I'm tired now .....

Enjoy ;]

Friday, May 11, 2007

Network Forensic Chart

I came across the chart below when reading this article -

http://www.sandstorm.net/support/netintercept/downloads/ni-ieee.pdf


The chart illustrates what kind of information and data you can obtain from network-centric logs (pcap). The breakdown shows clearly all the forms of data that can be extracted when performing network forensics, which gives a very clear view to people who want to learn more about the field. It doesn't reflect every real-world case (data can be transferred via ICMP and so on), but it does deliver the idea.

The chart says it all .....

What are the open source tools that can be used to perform network forensics?
- tcpXtract
- tcpflow
- chaosreader
- dataecho

Others that I can't think of now .....

Cheers ;]

Hacker Halted?

Again my friend sent me another interesting link regarding an event for the cyber security industry in Malaysia. I think I should keep track of the news in Star Tech from now on.

http://star-techcentral.com/tech/story.asp?file=/2007/5/1/technology/20070501101945&sec=technology

Malaysia needs more ethical hackers?
Unless you are talking about selling CEH training .....

"But a capable IT security professional should also know how a hacker thinks"
This is totally insane!!!!! Hacking is not something that can be learned through a training course unless it is delivered to someone who already has prior experience. Another questionable point is that lots of CEH trainers are not from the hacker community or background; lots of them just started learning about hacking from the course, passed the exam and got the licence to be a CEH instructor. Thus they themselves are not hackers and don't even know how a hacker thinks; all they know is from the CEH training materials.

"When a professional is certified as an ethical hacker, it shows he knows what he's doing and that would definitely give an employer more assurance (of the professional's skills,"
Is this for real? I still recall what happened at the previous Hacker Halted conference in Malaysia. He or she may give the employer trouble too .....

"According to EC-Council, IT security professionals should have practical experience with hacking but this should not involve illegal acts, of course."
Practical experience doesn't mean playing with all the Windows hacking tools either. It's better to play with your toys or dolls then, and you won't end up in jail.

People often misunderstand the meaning of the phrase "ethical hacking," said Sanjay Bavasi, president of the EC-Council. "In this context, it does not refer to the ethics of a person but to the processes and methods used in a hack," he said.
The context is cool enough as it creates a pretty high level of confusion; the processes and methods used in the hacks determine the person, not the contrary, and this can be taught!

"Since the concept is new, ECCouncil is often criticised for promoting 'legalised' hacking, but ethical hacking is necessary in security,"
This is nothing new.

For more information, you can check out the KL event at -

http://www.hackerhalted.com/

And if you are interested in their CTF event -
The hacking competition is open to all Malaysians and students of any nationality studying in Malaysia during the course of the competition. All entrants must register, receive acceptance of their registration from the organising committee and pay the registration fee of US$5000.

WOW, 5000 US dollars, and you must sign an agreement to participate in the game. I thought this was a joke (affordable for students?????). I would rather use that money for the down payment when I buy a house.

Coincidentally their logo looks similar to the HITB logo, which also uses a box as its symbol.

Seriously, I don't see any interesting hackers in the speaker list. I don't think the intention behind this conference is to create awareness or motivate IT security professionals to overcome potential threats or invasions of their systems, but more on .....

Hacker Halted, sorry and there's no way to stop the hackers .....

Peace ;]

Saturday, May 05, 2007

Spammer: Love

It seems spammers would like to show some love to me!!!!!

Beloved .....

Cheers ;]

Friday, May 04, 2007

linguistics

It is pretty enjoyable reading the articles written by Don Parker. I just came across this article he wrote recently and I think people who want to be network security analysts should read it.

http://www.securityfocus.com/columnists/443/

Don has pointed out that passing the exam and writing a practical paper by doing real work are two different things; that's definitely true, as the exam itself won't test the full set of skills required to be an efficient network security analyst. I have met a lot of people who collect certifications for the sake of employment and better pay. They forget that the real meat of living in the security industry should be passion, curiosity and continuously pursuing the necessary knowledge. Remember, security evolves over time.

I myself don't hold any GIAC certification, thus I don't have much to say about that; what I would like to emphasize here is the knowledge a network security analyst must acquire. To be a decent network security analyst (I'm still learning to be one), you must understand network protocols very well, especially the widely used ones such as TCP, UDP and ICMP. Other than that, you must be armed with at least one or two scripting languages to simplify your tasks as well as to deal with tricky incidents. Understanding technologies such as firewalls and intrusion detection/prevention systems is important too, but you may notice that without strong networking knowledge you will have a hard time understanding those technologies.

I won't discuss further all the knowledge needed to be a network security analyst; that will be written in the "network security analyst: roadmap" section of my book, so hopefully my knowledge sharing will help the wannabes.

So what do you speak? I guess I speak hex most of the time.

Enjoy ;]

Wednesday, May 02, 2007

OpenBSD 4.1 Released

It's OpenBSD joy again: version 4.1 has just been released and you can check out all the details here -

http://www.openbsd.org/41.html

I plan to upgrade my box to 4.1 by following the guide -

http://www.openbsd.org/41.html#upgrade

Various new packages such as OpenOffice are available. It's time to test out all the new features when possible!

Cheers :]