Saturday, June 30, 2007

Gentoo: Installing perl modules using CPAN

After seeing this interesting example - http://secviz.org/?q=node/74 - I felt like trying out afterglow with argus on my gentoo laptop. I installed graphviz with emerge and downloaded afterglow right away.

shell>wget http://optusnet.dl.sourceforge.net/sourceforge/afterglow/afterglow-1.5.7.tar.gz

shell>tar xvzf afterglow-1.5.7.tar.gz

I try to run afterglow and I get an error -

Can't locate Text/CSV.pm in @INC (@INC contains: /etc/perl /usr/lib/perl5/vendor_perl/5.8.8/i686-linux /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib/perl5/site_perl/5.8.8/i686-linux /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib/perl5/5.8.8/i686-linux /usr/lib/perl5/5.8.8 /usr/local/lib/site_perl .) at /home/geek00l/i-Apps/afterglow/src/perl/graph/afterglow.pl line 111.
BEGIN failed--compilation aborted at /home/geek00l/i-Apps/afterglow/src/perl/graph/afterglow.pl line 111.

Since Text::CSV (CSV.pm) is not in gentoo portage, I have to use cpan instead -

shell>export LANG=en_US

shell>perl -MCPAN -e shell

Your configuration suggests that CPAN.pm should use a working
directory of
/home/geek00l/.cpan
Unfortunately we could not create the lock file
/home/geek00l/.cpan/.lock
due to permission problems.

Please make sure that the configuration variable
$CPAN::Config->{cpan_home}
points to a directory where you can write a .lock file. You can set
this variable in either
/usr/lib/perl5/5.8.8/CPAN/Config.pm
or
/home/geek00l/.cpan/CPAN/MyConfig.pm

Could not open >/home/geek00l/.cpan/.lock: Permission denied

Permission problem, easily solved with sudo -

shell>sudo perl -MCPAN -e shell

cpan shell -- CPAN exploration and modules installation (v1.7602)
ReadLine support enabled

cpan> test Text::CSV
CPAN: Storable loaded ok
Going to read /home/geek00l/.cpan/Metadata
Database was generated on Wed, 28 Feb 2007 06:09:10 GMT
LWP not available
CPAN: Net::FTP loaded ok
Fetching with Net::FTP:
ftp://ftp.perl.org/pub/CPAN/authors/01mailrc.txt.gz
Going to read /home/geek00l/.cpan/sources/authors/01mailrc.txt.gz
LWP not available
Fetching with Net::FTP:
ftp://ftp.perl.org/pub/CPAN/modules/02packages.details.txt.gz
Going to read /home/geek00l/.cpan/sources/modules/02packages.details.txt.gz
Database was generated on Thu, 07 Jun 2007 03:09:14 GMT
HTTP::Date not available

There's a new CPAN.pm version (v1.9102) available!
[Current version is v1.7602]
You might want to try
install Bundle::CPAN
reload cpan
without quitting the current session. It should be a seamless upgrade
while we are running...

LWP not available
Fetching with Net::FTP:
ftp://ftp.perl.org/pub/CPAN/modules/03modlist.data.gz
Going to read /home/geek00l/.cpan/sources/modules/03modlist.data.gz
Going to write /home/geek00l/.cpan/Metadata
Running test for module Text::CSV
Running make for A/AL/ALANCITT/Text-CSV-0.01.tar.gz
LWP not available
Fetching with Net::FTP:
ftp://ftp.perl.org/pub/CPAN/authors/id/A/AL/ALANCITT/Text-CSV-0.01.tar.gz
CPAN: Digest::MD5 loaded ok
LWP not available
Fetching with Net::FTP:
ftp://ftp.perl.org/pub/CPAN/authors/id/A/AL/ALANCITT/CHECKSUMS
Checksum for /home/geek00l/.cpan/sources/authors/id/A/AL/ALANCITT/Text-CSV-0.01.tar.gz ok
Scanning cache /home/geek00l/.cpan/build for sizes
Text-CSV-0.01/
Text-CSV-0.01/Makefile.PL
Text-CSV-0.01/test.pl
Text-CSV-0.01/README
Text-CSV-0.01/CSV.pm
Text-CSV-0.01/MANIFEST

CPAN.pm: Going to build A/AL/ALANCITT/Text-CSV-0.01.tar.gz

Checking if your kit is complete...
Looks good
Writing Makefile for Text::CSV
cp CSV.pm blib/lib/Text/CSV.pm
AutoSplitting blib/lib/Text/CSV.pm (blib/lib/auto/Text/CSV)
Manifying blib/man3/Text::CSV.3pm
/usr/bin/make -- OK
Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl5.8.8 "-Iblib/lib" "-Iblib/arch" test.pl
1..20
ok 1
ok 2
ok 3
ok 4
ok 5
ok 6
ok 7
ok 8
ok 9
ok 10
ok 11
ok 12
ok 13
ok 14
ok 15
ok 16
ok 17
ok 18
ok 19
ok 20
/usr/bin/make test -- OK

cpan> install Text::CSV
CPAN: Storable loaded ok
Going to read /home/geek00l/.cpan/Metadata
Database was generated on Thu, 07 Jun 2007 03:09:14 GMT
Running install for module Text::CSV
Running make for A/AL/ALANCITT/Text-CSV-0.01.tar.gz
CPAN: Digest::MD5 loaded ok
Checksum for /home/geek00l/.cpan/sources/authors/id/A/AL/ALANCITT/Text-CSV-0.01.tar.gz ok
Scanning cache /home/geek00l/.cpan/build for sizes
Text-CSV-0.01/
Text-CSV-0.01/Makefile.PL
Text-CSV-0.01/test.pl
Text-CSV-0.01/README
Text-CSV-0.01/CSV.pm
Text-CSV-0.01/MANIFEST
Removing previously used /home/geek00l/.cpan/build/Text-CSV-0.01

CPAN.pm: Going to build A/AL/ALANCITT/Text-CSV-0.01.tar.gz

Checking if your kit is complete...
Looks good
Writing Makefile for Text::CSV
cp CSV.pm blib/lib/Text/CSV.pm
AutoSplitting blib/lib/Text/CSV.pm (blib/lib/auto/Text/CSV)
Manifying blib/man3/Text::CSV.3pm
/usr/bin/make -- OK
Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl5.8.8 "-Iblib/lib" "-Iblib/arch" test.pl
1..20
ok 1
ok 2
ok 3
ok 4
ok 5
ok 6
ok 7
ok 8
ok 9
ok 10
ok 11
ok 12
ok 13
ok 14
ok 15
ok 16
ok 17
ok 18
ok 19
ok 20
/usr/bin/make test -- OK
Running make install
Installing /usr/lib/perl5/site_perl/5.8.8/Text/CSV.pm
Installing /usr/lib/perl5/site_perl/5.8.8/auto/Text/CSV/version.al
Installing /usr/lib/perl5/site_perl/5.8.8/auto/Text/CSV/new.al
Installing /usr/lib/perl5/site_perl/5.8.8/auto/Text/CSV/status.al
Installing /usr/lib/perl5/site_perl/5.8.8/auto/Text/CSV/error_input.al
Installing /usr/lib/perl5/site_perl/5.8.8/auto/Text/CSV/string.al
Installing /usr/lib/perl5/site_perl/5.8.8/auto/Text/CSV/fields.al
Installing /usr/lib/perl5/site_perl/5.8.8/auto/Text/CSV/combine.al
Installing /usr/lib/perl5/site_perl/5.8.8/auto/Text/CSV/parse.al
Installing /usr/lib/perl5/site_perl/5.8.8/auto/Text/CSV/_bite.al
Installing /usr/lib/perl5/site_perl/5.8.8/auto/Text/CSV/autosplit.ix
Installing /usr/share/man/man3/Text::CSV.3pm
Writing /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/Text/CSV/.packlist
Appending installation info to /usr/lib/perl5/5.8.8/i686-linux/perllocal.pod
/usr/bin/make install -- OK

cpan>quit
Lockfile removed.

Now I can use afterglow without much trouble. It is a decent tool for creating network graphs if you ask me; my friend mel has done it here with an interesting example.
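Before running the cpan shell as root, it is worth checking which modules are actually missing, since afterglow.pl fails at its first unresolved `use` line and only reports one module at a time. The helper below is an added example, not code from the original post or from afterglow; it assumes only that `perl` is on PATH and runs the same `perl -MText::CSV -e 1` load test that afterglow's `use Text::CSV` performs. It also refuses module names that are not of the form `Foo::Bar`, so a value pulled from a file or script can never smuggle extra text into the `-M` option.

```shell
#!/bin/sh
# Added example (not from the original post): find out which Perl modules are
# missing from @INC before installing anything with cpan.
# Assumption: `perl` is on PATH.

# Accept only well-formed module names (Foo, Foo::Bar, Foo::Bar::Baz) before
# handing them to `perl -M`, so nothing else can ride along in the option.
valid_module_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*(::[A-Za-z_][A-Za-z0-9_]*)*$'
}

# Exit 0 when the module loads from the current @INC, 1 when perl cannot
# locate it (the "Can't locate Text/CSV.pm in @INC" case), 2 on a bad name.
perl_module_present() {
    valid_module_name "$1" || return 2
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# Print each module from the argument list that does not load, one per line.
# Exit 1 if anything is missing, 0 if the whole list loads.
missing_perl_modules() {
    missing=0
    for mod in "$@"; do
        if ! perl_module_present "$mod"; then
            printf '%s\n' "$mod"
            missing=1
        fi
    done
    return $missing
}

# Usage: list the modules a script needs and install only what is reported, e.g.
#   missing_perl_modules Text::CSV Getopt::Long
```

Run `missing_perl_modules` with the modules a script needs, then `test` and `install` only the ones it prints, as the transcript above does with `test Text::CSV` before `install Text::CSV`. The transcript also shows CPAN.pm fetching a CHECKSUMS file and reporting "Checksum for ... ok" for the tarball; that check comes from the same mirror as the tarball, so it guards against a corrupt download rather than a hostile mirror, and with `sudo` the fetched code lands in system site_perl. A per-user install target (local::lib, for instance) avoids running CPAN as root at all.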

Peace ;]

liveCD changes

The liveCD website will be done pretty soon, and so will the liveCD. We are currently doing everything possible to reach the first beta version; we had a hard time throughout last week but it is pretty much sorted out. By the way, the liveCD has a new name - Hex. You can find the reason why we named it Hex here.

This liveCD is NSM oriented, and network security analysts usually need to deal with hexadecimal (base16) when examining network data. It is built using the FreeBSD (red devil) FreeSBIE 2 toolkit, therefore Hex is definitely the best artistic name ever.

By the way, I have configured bash shell to be more devilish with its two horns and tail -

Hex Bash Shell Prompt

You may notice that I haven't done much blogging lately, thanks to the liveCD development, so I can take a breath from the world of blogging (sarcasm).

Cheers (;])

Friday, June 22, 2007

FreeBSD: rsync over ssh

I usually use scp to transfer files since ssh is installed on most Unix-based OSes. However, I find it troublesome when the network connection is bad, as I can't resume the transfer when the connection is aborted and I have to waste time and bandwidth doing it all over again. That is fine with small file transfers but it can be a pain when dealing with large files.

After talking to mel yesterday, I decided to try out rsync over ssh, and it appears that the setup is pretty simple and straightforward too. Here I'm going to show the FreeBSD setup -

To get the rsync server running on FreeBSD -

shell>pkg_add -vr rsync

shell>echo 'rsyncd_enable="YES"' >> /etc/rc.conf

shell>/usr/local/etc/rc.d/rsyncd start

Then run the rsync client over ssh on the client machine. Presume you have rsync installed and you want to transfer the file "testing" from the server to your client machine -

shell>rsync --append --progress -avz -e ssh root@remotehost:/tmp/testing /tmp
receiving file list ...
1 file to consider
2949067413 33% 127.45kB/s 7:08:26

You can resume the transfer if there's a connection issue, and this is very helpful in many cases.
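The resume only helps if something re-runs the command after the connection drops, so here is a small retry wrapper as an added example (not from the original post). It uses `--partial` rather than `--append`: `--partial` keeps the half-transferred file for the next attempt and rsync then verifies the existing bytes against the source, whereas `--append` assumes the bytes already on disk are still correct, which only holds for files that strictly grow, such as logs. With `-e ssh` the remote side is reached through sshd and only needs the rsync binary; the rsyncd started in the server steps above serves the rsync:// protocol and is not used by this command. The hostname `remotehost` and the unprivileged account `backup` are placeholders; a dedicated account with read access to the file is enough, and avoids pulling as root as in the command above. The retry delay is taken from `RSYNC_RETRY_DELAY` (default 10 seconds).

```shell
#!/bin/sh
# Added example, not from the original post: re-run an rsync-over-ssh pull
# until it completes, keeping partial files so each attempt resumes where the
# previous one stopped. Assumed placeholders: host "remotehost", user "backup".

RSYNC_RETRY_DELAY=${RSYNC_RETRY_DELAY:-10}

# rsync_resume MAX_ATTEMPTS SOURCE DEST
# Exit 0 as soon as rsync succeeds; otherwise the last rsync exit code.
rsync_resume() {
    max=$1; src=$2; dst=$3
    attempt=1
    while :; do
        # --partial keeps a half-transferred file and lets the next run verify
        # and extend it; --append would trust the existing bytes blindly.
        # -e ssh goes through sshd, so no rsyncd is needed on the server.
        last_rc=0
        rsync --partial --progress -avz -e ssh "$src" "$dst" || last_rc=$?
        [ "$last_rc" -eq 0 ] && return 0
        if [ "$attempt" -ge "$max" ]; then
            printf 'rsync failed after %s attempts (exit %s)\n' "$attempt" "$last_rc" >&2
            return "$last_rc"
        fi
        printf 'rsync exited %s, retrying in %ss (attempt %s of %s)\n' \
            "$last_rc" "$RSYNC_RETRY_DELAY" "$attempt" "$max" >&2
        attempt=$((attempt + 1))
        sleep "$RSYNC_RETRY_DELAY"
    done
}

# Usage: rsync_resume 5 backup@remotehost:/tmp/testing /tmp
if [ $# -eq 3 ]; then
    rsync_resume "$@"
fi
```

Call it as `rsync_resume 5 backup@remotehost:/tmp/testing /tmp`; each interrupted attempt leaves `/tmp/testing` partially written and the next attempt continues from the verified prefix instead of starting over.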

Enjoy (;])

Tuesday, June 19, 2007

raWPacket LiveCD - Wallpapers

Our liveCD main designer, Vickson, has sent me two wallpapers: one is the wallpaper for the raWPacket team and the other is mainly for the raWPacket liveCD. They will be shipped with the liveCD, and we have scheduled the release of the first beta version by the end of June. Here's a preview of the wallpapers -

raWPacket team

raWPacket liveCD

The team is currently working hard on it. Aside from creating a smooth workflow for analysts using this liveCD, other highlight features will be -

- 10 extra tcpXtract signatures will be distributed

- 8 extra pads signatures will be distributed

- Well-designed menu and application launch placement

We are still testing all the applications we have added; flowgrep 0.9 and metasploit 3 failed to build due to bugs in the ports and we have contacted the porter.

Work in progress and stay tuned .....

Peace ;]

Wednesday, June 13, 2007

raWPacket LiveCD - progress 2

More progress on the liveCD development: most of the analysis tools are already added and the fluxbox menu is shinier now. I have added the sguil client as well because this liveCD is NSM oriented. Here are quick screenshots -

Sguil Client Login Screen

Sguil Client Analyst Console

We are planning to add conky as the system monitoring tool, so if you have a shiny conky configuration file (conkyrc) for FreeBSD on a laptop, feel free to share it with us. Btw, here are the current raWPacket liveCD team members -

raWPacket liveCD Project
Original Idea & Leader: myself
Main Developer: chflags
Web Master: guti
Designer: vickson
Contributor: tenner(Fluxbox Style, irssi config)
Contributor: paulh(FreeBSD port)
Contributor: takizo

I will put more info once the main site of raWPacket liveCD is done, currently my blog will serve as liveCD project page until beta version is released.

Enjoy ;]

Monday, June 11, 2007

raWPacket LiveCD - progress

I haven't blogged much lately due to sickness. While I haven't done much testing and analysis, chflags and I have made some progress on our raWPacket LiveCD, which is based on FreeSBIE 2. Here's the screenshot -

It is nowhere near production yet but it is very close to a beta release. Once we have finished the alpha stage, we will deliver the first beta version and welcome anyone to try it out. chflags has put up the near-beta version of the iso; I have found some bugs and will try to fix them in the source tree, so don't yawn at us if it doesn't work for you.

By the way, the liveCD will have its own home soon, once we have finished building the website for it.

Cheers ;]

It's all about Network Flow

Argus is my favorite tactical tool when performing flow based analysis and I have mentioned it quite a few times in my blog. While it works pretty well and is flexible, with powerful client tools for flow processing, it also has complex usages. I have found two new weapons lately which can enhance and complement my flow based analysis.

Undoubtedly argus can eat cisco netflow data, but that's not what argus does best; argus is more pcap friendly than netflow friendly. Then which tools in the Open Source arsenal are great at processing netflow? I vote for silktools, which you can find at -

http://silktools.sourceforge.net/

Silktools is developed as part of the NetSA security tools, which you can find at -

http://tools.netsa.cert.org/

It is undeniable that all the other projects are interesting too, but that isn't my point here and I have had no time to check them out yet. The main reason I'm looking into silktools is that it also offers a wide range of analysis tools, as argus does. Instead of just doing flow data collection, one can perform in-depth analysis on the netflow data using the analysis tools packed with silktools. But again, I found that all these great tools come with complexity, and that blows away a lot of newcomers.

No fear, silktools comes with great documentation. I greatly appreciate all the hard work that has been put into it, not only in the coding but in the documentation. You can learn it from the ground up at -

http://silktools.sourceforge.net/silk_docs.html

Check out the silktools analyst handbook and you may find it interesting; I have read through it and it's about time to bring it into practice.

The second weapon worth mentioning is ourmon. You can find that I have installed it on FreeBSD. Ourmon, brought to you by Jim Binkley, is incredible at flow anomaly and heuristic detection. While it doesn't emphasize post or offline processing, it is the weapon that concentrates on real-time analysis combined with its meaningful network graphs. I'm still learning to utilize ourmon in a wide area network environment.

Combining argus, silktools and ourmon, I'm sure you will have a lot of fun researching network flow. Silktools and ourmon are available via the FreeBSD ports; argus 3 is the exception. Feel free to try them out. Other great network flow processing tools are flow-tools and nfdump.

Peace ;]

Saturday, June 09, 2007

Nice Comment

I usually don't check out the comments on old blog posts, but today seems to be a good day to check them out as I've been advised by the doctor to do something lighter. I never delete any comments, whether they are positive or negative toward me. As for now, I have found a very nice comment which you can either read at this link or read below; the comment is the response to this story -

Anonymous said...
The person who posted this has no idea about Ethical Hacking. I pity him. It looks like he likes to talk but no action.

Blogs are losing respect nowadays because of silly negative posts. Maybe one day Blogs will earn their respect like the New York Times.

Why don't you take your post to Microsoft's Blue Hat conference as well. You might even call them a hoax. You are pathetic.

Stop posting negative comments and start contributing back to the security community.

I respect security organizations' efforts to educate the masses about the issues involving security weaknesses. EC-Council, Cisco, McAfee are such organizations.

Hacking competition is just an example of attack methodology and don't take it literally.

Hacker Halted conferences provide a generic view of security by experts around the world.

So stop complaining and act like a professional.

I will be attending Hacker Halted and Black Hat this year. Keep up the good work guys.

Stephen Jacobson
Sydney, Australia

Should I fight back? What do you think? I'm wondering who is pathetic; anyway, I won't delete this silly negative comment.

Enjoy ;]