Wednesday, April 30, 2008

Dnstop: Statistical Tool for DNS Traffics

I learned about dnstop when reading Roland's presentation slides, thanks to his comment on my blog.

You can find his presentation at -

http://homepage.mac.com/roland.dobbins/FileSharing5


The presentation title is Listening to the Network: Utilizing Telemetry to Detect and Classify Network Traffic. I enjoyed reading it, as I learned a new trick or two from his presentation. One of the tools he mentioned in the presentation is dnstop, and since I figured it is available in either the Ubuntu package repository or the FreeBSD ports, I decided to try it out.

Just like the top command on Unix-based systems, it can run as a real-time monitor for your DNS traffic by listening on a network device, or it can do post-processing by reading a pcap file. The command options for dnstop are pretty straightforward and you can find them in man dnstop. It also provides a set of run-time options to show different results from the statistical analysis output. To perform real-time monitoring of DNS traffic, you listen on the device -

shell>sudo dnstop -4 lnc0

It looks pretty straightforward; you can also read a pcap file by specifying it -

shell>dnstop -4 -b ip -l 9 testing.pcap
Queries: 1005 new, 34812 total Wed Apr 30 18:10:46 2008

Sources Count %
-------------- --------- ------
192.168.42.149 3644 10.5
192.168.42.56 1965 5.6
192.168.42.33 1791 5.1
192.168.42.78 1790 5.1
192.168.42.163 1530 4.4
.....

I truncated the output here. Then, if you press 1, it shows the first-level query names -

Queries: 44 new, 34856 total Wed Apr 30 18:11:55 2008

Query Name Count %
------------ --------- ------
com 13200 37.9
in-addr.arpa 8843 25.4
my 5950 17.1
org 3145 9.0
net 2630 7.5
biz 223 0.6
de 92 0.3
.....

If you press 3, it shows the third-level query names -

Queries: 0 new, 34856 total Wed Apr 30 18:13:10 2008

Query Name Count %
----------------------------- --------- ------
waumail.com 2805 8.0
208.218.in-addr.arpa 1883 5.4
excitedd.com.my 1388 4.0
sharishit.com.my 1112 3.2
sbl-xbl.spamhaus.org 938 2.7
.....

If you press !, it shows the sources together with the first-level query names they are querying -

Queries: 0 new, 34856 total Wed Apr 30 18:15:14 2008

Source Query Name Count %
-------------- ------------ --------- ------
192.168.42.149 in-addr.arpa 3007 8.6
192.168.42.78 in-addr.arpa 1009 2.9
192.168.42.56 in-addr.arpa 845 2.4
192.168.60.253 com 833 2.4
192.168.125.201 my 697 2.0
.....

There are many other options which you can figure out yourself, and this is really a great tool for DNS traffic analysis. For more information, see its home page -

http://dns.measurement-factory.com/tools/dnstop/
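To make clear what the views above actually count, here is an added example (my own Python, not dnstop's code) that rebuilds the source, first-level, third-level and source-plus-first-level tables from a constructed list of queries instead of a pcap or a live interface; the sample addresses and names are made up.

```python
from collections import Counter

# Constructed sample input: (source address, query name) pairs as a DNS
# sniffer would see them. Not real traffic.
QUERIES = [
    ("192.168.42.149", "149.42.168.192.in-addr.arpa"),
    ("192.168.42.149", "78.42.168.192.in-addr.arpa"),
    ("192.168.42.56", "sbl-xbl.spamhaus.org"),
    ("192.168.60.253", "www.example.com"),
    ("192.168.60.253", "mail.example.com"),
    ("192.168.125.201", "www.example.com.my"),
]

def split_labels(qname):
    """Split a query name into labels, treating 'in-addr.arpa' as a single
    label: that is how the dnstop output above comes out (the first-level
    view lists 'in-addr.arpa', the third-level view '208.218.in-addr.arpa')."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        labels = labels[:-2] + ["in-addr.arpa"]
    return labels

def level_name(qname, level):
    """Keep the last `level` labels: level 1 of www.example.com is 'com',
    level 2 is 'example.com'. Shorter names are kept whole."""
    return ".".join(split_labels(qname)[-level:])

def by_source(queries):
    """dnstop's default view: queries per source address."""
    return Counter(src for src, _ in queries)

def by_query_name(queries, level):
    """The '1' and '3' views: queries per N-level query name."""
    return Counter(level_name(q, level) for _, q in queries)

def by_source_and_name(queries, level=1):
    """The '!' view: queries per (source, first-level query name) pair."""
    return Counter((src, level_name(q, level)) for src, q in queries)

def render(title, counter, total):
    """Print a table in dnstop's shape: key, count, percent of all queries."""
    print(title)
    for key, n in counter.most_common():
        label = key if isinstance(key, str) else "  ".join(key)
        print(f"{label:<40} {n:>6} {100.0 * n / total:6.1f}")
    print()

if __name__ == "__main__":
    total = len(QUERIES)
    render("Sources", by_source(QUERIES), total)
    render("1st-level query names", by_query_name(QUERIES, 1), total)
    render("3rd-level query names", by_query_name(QUERIES, 3), total)
    render("Source + 1st-level query name", by_source_and_name(QUERIES), total)
```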


Btw, I like the use of the word 'telemetry' here. Enjoy some DNS voodoo .....

Cheers (;])

Thinking: Enumerating Goodness & Security Through Obscurity

I read about this and this.

Enumerating Goodness has its own weakness though: mimicry attacks that look legitimate will create false negatives and be categorized as Goodness.

Security through obscurity is not a great idea, and to certain people it sounds dumb: if the application/software that you are trying to protect is vulnerable, it will eventually be exploited. However, it does assist the defensive side, because it helps to prevent against automated tools and also requires the offensive side to perform more steps to achieve what they are trying to do, and this leaves more footprints to be examined and traced by the defensive side. It can be considered an early warning of its kind if you know how to make use of it.

This is just my personal thought, and feel free to discuss the topic. There's no perfect model or principle.

Monday, April 28, 2008

Export Cisco NetFlow in Single Screenshot

I've been digging into network flow analysis for a while. The single screenshot below shows how to export Cisco NetFlow version 5 to the flow monitor at 172.16.1.55; simple and straightforward. The router model is Cisco 7200 series.


Note to myself.
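The classic IOS configuration that such a screenshot would show, as an added example rather than the author's own router config; the collector UDP port (2055), the monitored interface (FastEthernet0/0) and the export source (Loopback0) are assumptions, only the collector address 172.16.1.55 and the version come from the post.

```cisco
! Pre-Flexible-NetFlow IOS syntax, as used on 7200-class routers.
! Assumed values: collector port 2055, interface FastEthernet0/0, source Loopback0.
ip flow-export version 5
ip flow-export destination 172.16.1.55 2055
! Export from a stable address so the collector can tie flows to one exporter.
ip flow-export source Loopback0
!
interface FastEthernet0/0
 ip route-cache flow
!
! Check: 'show ip flow export' shows the destination and export counters,
! 'show ip cache flow' lists the flows currently being accounted.
```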

Cheers ;]

Tuesday, April 22, 2008

Malaysia Tourism, visit the malwares!!!!!

If you are a security.org.my reader, you may have seen the latest post about the Malaysia Tourism website serving malware to everyone. This is not a big surprise, as Malaysian networks contribute heavily to malware distribution globally, according to Google.

So the "Malaysia Can" spirit continues: we are distributing malware to people around the world efficiently. I'm wondering how much our lovely government has spent to set up and maintain the web sites; let us know if you have a clue.

Enough crap, let's look at the terms of use on the Tourism Malaysia website -

All the information contained herein is correct at the time of publication. Whilst every effort has been made to ensure the accuracy of the contents, Tourism Malaysia shall not be held liable for any errors, omissions or inaccuracies which may occur.

That's great; don't blame them, as they have given their best effort!

Now it's time to do some analysis by looking at these two scripts -

http://www.852599.cn/mp3/list.htm
http://www.852599.cn/mp3/MZ.htm

MZ.htm is the JavaScript; here's its content -

This looks like the black hat SEO technique quite commonly used by Chinese and Russian hackers, which we have seen used to inflate counter stats, and of course the charset tells the story here. On the other hand, the file list.htm doesn't look so straightforward to understand -

I truncated the line t="68,105,109....." so that it can be read properly here. list.htm is VBScript, which is why it won't work in browsers other than Internet Explorer. If you look at the last line, it calls MZ.htm using an iframe. In order to know what this VBScript does, we have to de-obfuscate it, and the easiest way is to replace the function execute with msgbox so it looks like this -

msgbox(rechange(t))

Then load the file in Internet Explorer and voila; check out the screenshot below -


Now we can find the location of the malware -

http://www.852599.cn/mp3/setup.exe
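The same de-obfuscation can be done statically, without loading the page into Internet Explorer at all. The following is an added Python example, not code from the post: it assumes (from "68,105,109" decoding to "Dim") that the page's rechange() simply maps each comma-separated number through Chr() and joins the result, and it runs on a constructed sample string that encodes a harmless statement with a placeholder URL rather than the real payload.

```python
import re

# Constructed sample in the same shape as the obfuscated t="..." line.
# It encodes a harmless VBScript snippet with a placeholder host, not the
# real list.htm payload.
SAMPLE_T = ",".join(str(ord(c)) for c in 'Dim u\r\nu = "http://example.invalid/setup.exe"')

def decode_charcodes(t):
    """Turn '68,105,109' into 'Dim'. Tolerates whitespace and a trailing
    comma; rejects codes outside the byte range instead of guessing."""
    out = []
    for tok in t.split(","):
        tok = tok.strip()
        if not tok:
            continue
        n = int(tok)
        if not 0 <= n <= 255:
            raise ValueError(f"character code out of range: {n}")
        out.append(chr(n))
    return "".join(out)

# The assignment as it appears in the page source: t="68,105,109,..."
T_ASSIGN = re.compile(r'\bt\s*=\s*"([0-9,\s]+)"')

def extract_and_decode(script_text):
    """Locate the t="..." assignment in a saved copy of the script and
    return the decoded VBScript, the same text msgbox() would have shown."""
    m = T_ASSIGN.search(script_text)
    if m is None:
        raise ValueError('no t="..." assignment found')
    return decode_charcodes(m.group(1))

def find_urls(decoded):
    """Pull URLs out of the decoded script: the indicator an analyst wants
    (the download location of the dropped executable)."""
    return re.findall(r'https?://[^\s"\'<>]+', decoded)

if __name__ == "__main__":
    page = '<script language="vbscript">\nt="' + SAMPLE_T + '"\nexecute(rechange(t))\n</script>'
    decoded = extract_and_decode(page)
    print(decoded)
    print("URLs:", find_urls(decoded))
```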

I downloaded the executable and tried to scan it with ClamAV with no result, so I uploaded it to VirusTotal to scan it through different antivirus products. The result is decent: out of 31 antivirus products, only 12 recognize it as malware. If you are using one of the antivirus products that still doesn't detect it, congratulations! The scan result is here.

I would like to thank my friend tehtb, who is a decent Windows programmer; I was silly enough to suggest we could use a print function, and he pointed out that the msgbox function works well here.

Enjoy (;])

Sunday, April 20, 2008

Google Http Redirection

Thanks to Google, you can now redirect anyone from google.com to yahoo.com. Click below -

Google to Yahoo

Basically you can redirect to any site you want; the HTTP request looks like this -

http://www.google.com/pagead/iclk?sa=l&ai=FnzbwS&num=67575&adurl=http://www.yahoo.com

I think Google doesn't verify the ai= or num= fields; you can put whatever input into them and it still gets parsed properly, for example -

http://www.google.com/pagead/iclk?sa=l&ai=abcdef&num=12345&adurl=whatverURL

This is the trick from one of the spam messages I received today, which redirected me to download malware, and it still works now; hopefully Google fixes it as soon as possible.
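What an endpoint like this should do with its target parameter, as an added Python example (not Google's code): the adurl value is parsed and checked against an allowlist of hosts before any redirect is issued; the allowlist and the landing host names are assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: the only hosts this redirector is willing to send users to.
ALLOWED_HOSTS = {"www.example.com", "ads.example.com"}

def safe_redirect_target(request_url, param="adurl", allowed=ALLOWED_HOSTS):
    """Return the redirect target if it is an http/https URL whose host is on
    the allowlist, otherwise None so the caller can fall back to a same-site
    landing page instead of forwarding the user wherever the request says."""
    query = parse_qs(urlsplit(request_url).query)
    values = query.get(param)
    if not values:
        return None
    target = values[0].strip()
    parts = urlsplit(target)
    # Only absolute http/https URLs: rejects javascript:, data:, bare words
    # such as 'whatverURL' and scheme-relative '//evil' forms.
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname drops userinfo and port, so 'http://www.example.com@evil.test/'
    # is judged by 'evil.test', not by the trusted-looking prefix.
    host = (parts.hostname or "").lower()
    if host not in allowed:
        return None
    return target
```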

Peace ;]

HITB Dubai 2008 Wrap Up

First of all, thanks to the HITB crew, sponsors, speakers and all the attendees for making this happen again. We also thank Dhillon (HITB founder) for giving us (me and spoonfork) the opportunity to present this time. Let's talk about some crap first -

1. Dubai hotels are expensive!
2. The hotel food is always the same!
3. Pizza Express is nice!
4. We always have great support from Army!
5. Dubai Gold Souk has too much gold!
6. Rufio and Niresh are upset because of .....!
7. I met all the cool people there!
8. The conference party is real fun because we get to hang out with beers!

Here's the summary of all the presentations that I attended -

Bruce Schneier
Schneier On Security
Bruce talked about the distance between the feeling and the reality of security. I'm not really a guy who emphasizes the conceptual or semantic, however I think people will never get it right between belief and reality; the line is blurred because you can never educate the masses about technologies that keep evolving from time to time.

Jeremiah Grossman
Hacks Happen
Jeremiah is a statistics man, and of course the numbers tell you the changes in the threat landscape, and that's not really a big surprise. He consolidated all the quantitative data from different sources to give you a macro view of the current state of vulnerabilities and threats. Web attacks are popular as the web becomes an important business platform; remember, popularity brings paparazzi. And again, we can't really defend ourselves from "just surfaced or 1st-day" attacks (I don't call them 0-days as the technique is already in use) because we don't understand them. The summary is pretty simple: hacks happen .... all the time. That guarantees we won't be jobless too ;P

Christopher J.Rouland
Advances in Intrusion Detection and Prevention
I don't know Christopher personally; I attended his talk because the topic has something to do with intrusion detection. Seriously, there's nothing really new or advanced if you have been following cutting-edge intrusion detection technologies for a long time. Most of the time Christopher was just explaining what IBM ISS offers and how they are better than other vendors in comparison. Their system also emphasizes session data by importing NetFlow data, and we can't consider that new stuff (think NSM). We are seeing more and more vendors taking session data seriously now.

Alessio 'mayhem' Pennasilico
VoIP (in)Security - Italians Do It Better
Alessio talked about his experience of having fun with a VoIP system during CCC in Italy. I like his term "spitting"; you should check out his presentation slides once they are online. I would say fear the embassy that can reach you anytime; that's a really entertaining talk from Mayhem. He also demonstrated a device which can change your voice at the end of the talk.

Marc Weber Tobias
How We Cracked Their Codes: A Case Study in Compromising the Most Popular High Security Lock in America - Medeco m3 and Biaxial
I'm not into the lock domain, in fact I know nothing about it at all, however I'm really impressed with Marc's work on cracking the lock, and respect his 40 years of passion in the same domain. I'm just 5 years old in the network security industry and hope I can keep my passion for the network security field like he does.

Cesar Ceurrudo
Token Kidnapping
Cesar is the CEO of ArgenISS, who sponsored our conference party. He showed us the weakness of a design flaw in the latest Windows technology: by kidnapping the token of particular process threads you can gain the access privilege to do anything you want. This is not something that can be fixed easily, and therefore he informed Microsoft before the presentation. If you want to know more about it, feel free to check out his presentation slides.

Walter Goulet, Viviana Basso and Benjamin Hagen
Real World Attacks Against 3G Networks Using Subscriber Devices
This is the talk from the Motorola guys; they discussed their experience of penetration testing 3G networks. Their conclusion is pretty simple: most of the security issues derive from the deployment phase, where the party setting up the network has to meet the timeline and leaves most of the devices with default settings. As long as they are connected to IP networks, you can basically probe them easily.

Alexander Kornbrust
Practical Oracle Forensics
I'm not a database expert and don't know anything about Oracle at all (I use MySQL or PostgreSQL), but I like Alexander's formalized approach to performing the forensics process on an Oracle database system. He classifies different kinds of malicious attackers with different kinds of purposes and intentions; by knowing what kind of malicious attacker you are dealing with, you know what kind of SQL statements will be queried by them, and that's a really good lead to figure things out. Alex is really a bright guy and he shares his stuff; he has written scripts to retrieve all the necessary information to find culprits and evidence from the database system. I'm wondering if a similar approach can be applied to MySQL and PostgreSQL, and maybe I should start looking into this.

Petko D Petkov
For My Next Trick… Client-Side Hacking
Adrian 'pagvac' Pastor
Cracking into Embedded Devices and Beyond!
Pdp and Adrian are both thinktankers from Gnucitizen. I'm one of their blog readers (as always, you can't forget about offensive security techniques while you are on the defensive side); they summarized their work on client-side hacking and embedded device cracking. If you are a reader of their blog, you should be familiar with all the stuff they shared during the presentation. I like their single-slide explanations, where they only show the meat of a particular hacking trick so that you can understand it easily. I think they are trying to deliver the mindset of "hacking through simplicity", and it will just work most of the time.

Mel (Spoonfork) and I presented Defensive Network Security. This is the first time we delivered our talk in Dubai; I hope whoever attended our talk enjoyed it, and thanks to the 22-year-old Amy for not sparing even 5 minutes.

I missed some of the presentations, as both presentation tracks were running at the same time; anyway, I will grab their presentation slides once they are online. Overall I enjoyed the HITB conference in Dubai this time (congrats to Rufio as the new CTF overlord this time; hopefully you will suffer for another few years).

The conference party was organized on a cruise, and I bet everyone was enjoying the alcohol after a "long fast". See you guys at the next HITB conference again!!!!!

Cheers (;])

Tuesday, April 15, 2008

HeX is 1 year old now

Chfl4gs_ and I decided to start the development of the HeX System in mid-April 2007, and it has improved much with the involvement of other active members. Today it turns one year old.

Happy birthday to HeX, and thanks to the raWPacket team members for making it happen.

Happy packetysis!!!!!

Enjoy (;])

Saturday, April 12, 2008

Tuesday, April 01, 2008

Sguil: Excitement!!!!!

As an active member of the NSM community, I got first-hand information about the acquisition of Sguil by Cisco. My friend Hanashi hit it first on his blog. Here's the full announcement -

Cisco Announces Agreement to Acquire Sguil™ Open Source Monitoring Project
Acquisition Furthers Cisco’s Vision for Integrated Security Products

SAN JOSE, Calif., and LONGMONT, Colo., April 1st, 2008 – Cisco and the Sguil™ project today announced an agreement for Cisco to acquire the Sguil™ project, a leading Open Source network security solution. With hundreds of installations world-wide, Sguil™ is the de facto reference implementation for the Network Security Monitoring (NSM) model. Sguil™-based NSM will enable Cisco’s customer base to more efficiently collect and analyze security-related information as it traverses their enterprise networks. This acquisition will help Cisco to cement its reputation as a leader in the Open Source movement while at the same time furthering its long-held vision of integrating security into the network infrastructure.

Under terms of the transaction, Cisco has acquired the Sguil™ project and related trademarks, as well as the copyrights held by the five principal members of the Sguil™ team, including project founder Robert "Bamm" Visscher. Cisco will assume control of the open source Sguil™ project including the Sguil.net domain, web site and web site content and the Sguil™ Sourceforge project page. In addition, the Sguil™ team will remain dedicated to the project as Cisco employees, continuing their management of the project on a day-to-day basis.

To date, Sguil™ has been developed primarily in the Tcl scripting language, support for which is already present inside many of Cisco’s routers and switches. The new product, to be known as “Cisco Embedded Monitoring Solution (CEMS)”, will be made available first in Cisco’s carrier-grade products in 3Q08, with support being phased into the rest of the Cisco product line by 4Q09. Linksys-branded devices will follow thereafter, though the exact deployment schedule has yet to be announced.

“We’re extremely pleased to announce this deal,” said Cisco’s Chief Security Product Manager Cletus F. Simmons. “For some time, our customers have told us that our existing security monitoring products did not extend far enough into their network infrastructure layer. Not only was it sometimes difficult to intercept and monitor the traffic, but there were often political problems at the customer site with deploying our Intrusion Detection Systems, as management had heard several years ago that they were ‘dead’. Now, with Sguil™ integrated into all their network devices, they’ll have no choice!”

Although the financial details of the agreement have not been announced, Sguil™ developer Robert Visscher will become the new VP of Cisco Rapid Analysis Products for Security. “This deal means a lot to the Sguil™ project and to me personally,” Visscher explains. “Previously, we had to be content with simply being the best technical solution to enable intrusion analysts to collect and analyze large amounts of data in an extraordinarily efficient manner. But now, we’ll have the additional advantage of the world’s largest manufacturer of networking gear shoving it down their customers’ throats! We will no longer have to concern ourselves with mere technical excellence. Instead, I can worry more about which tropical island to visit next, and which flavor daiquiri to order. You know, the important things.”

About Cisco Systems
Cisco, (NASDAQ: CSCO), is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Information about Cisco can be found at http://www.cisco.com. For ongoing news, please go to http://newsroom.cisco.com.

About Sguil™
Sguil™ is the leading Network Security Monitoring (NSM) framework. It is built for network security analysts by network security analysts. Sguil’s main component is an intuitive GUI that provides access to a wide variety of security related information, including real-time IDS alerts, network session database and full packet captures. Sguil™ was written by Robert “Bamm” Visscher, who was apparently too cheap to buy a book on Java or C.

With this deal, Sguil will go into active and sharp development very soon, and kudos to the Sguil team; I would say Cisco has made the best decision ever!!!!!

I bet the stubbornness of sticking with Tcl works this time .....

Enjoy (;])