Mac OSX: Sguil Client

My pal Spoonfork has written about how to get sguil client works on Mac OSX previously here, however some of readers reported it won't work on Mac OSX 10.5 or later as tclX is failed to compile. If you really want to get sguil client up and running on Mac OSX, here are the steps -

Download ActiveState TCL for Mac OSX platform from the link below, you can choose either version 8.4.x or 8.5.x as both work -

https://www.activestate.com/activetcl/downloads/

Then what you need to do is click click install, once you are done, obtain sguil client 0.7 from -

http://sourceforge.net/projects/sguil/files/

I choose sguil-client-0.7.0.tar.gz, follow the steps below once you have it downloaded -

shell>tar xvzf sguil-client-0.7.0.tar.gz

shell>cd sguil-0.7.0/client

shell>wish8.5 sguil.tk

You should be good going by now, enjoy playing with sguil client console! If you install Activetcl version 8.4.x, then just run wish8.4 sguil.tk instead.

Cheers (;])

Mac OSX: Nmap 5.0

Many people write about Nmap 5.0 when it is released, here's how I get it work on Mac OSX. If you are installing Nmap 5.0 using MacPorts, then you won't be having zenmap in your pocket, you will only get ncat, ndiff and nmap. Therefore it is best if you can obtain the nmap installation package for OSX from Nmap website and follow the instruction here to get it installed.

Once you have the package installed, you may figure zenmap will not work properly even though you can run it. In fact you need the following software installed to satisfy the dependencies.

shell>sudo port install py25-gtk

shell>sudo port install py25-py2app-devel

It might take a while to get them compiled and installed as they require some of the libraries from X11 as well, if you can get through this stage, then you should be able to run zenmap now -

shell>open /Applications/Zenmap.app


Of course Nmap is rocking in da house -

shell>nmap -V

Nmap version 5.00 ( http://nmap.org )

Peace (;])

Mac OSX: NetGrok

I like security visualization tools, and it helps you to interpret computer events easily. Here's how I get NetGrok running in my apple laptop -

Download and install Jpcap -

shell>wget http://netresearch.ics.uci.edu/kfujii/jpcap/jpcap-0.7.tar.gz

shell>tar xvzf jpcap-0.7.tar.gz

shell>cd jpcap-0.7/src/c

shell>make

shell>cp libjpcap.jnilib /Library/Java/Extensions/

shell>cp ../../jpcap.jar /Library/Java/Extensions/

Download and run NetGrok

shell>wget http://netgrok.googlecode.com/files/netgrok20080928.zip

shell>unzip netgrok20080928.zip

shell>cd Netgrok

There's problem with the file groups.ini, you have to change this line

Private1=Wireless=192.168.0.0/16

To -

Private1-Wireless=192.168.0.0/16

Now you can run netgrok without problem -

shell>java -jar netgrok20080928.jar

Below are two screenshots I took -

You might want to check it out, it definitely supports pcap format file! For more information you can check out at NetGrok site.

Cheers (;])

Argus 3: Situational Awareness(ratop)

You need to know the current state of the network, who is probing your network and services, who is consuming your bandwidth, what are the stuffs running in your network, the main question remains - How much you know about your network?

Then people talk about Situational Awareness, in fact Wikipedia has well-versed explanation about it where you can find here.

As network security operator, we look at Network Situational Awareness, in fact you can use Argus 3 for this purpose, I'm going to discuss about it here. There are few argus client tools that can be used for near Real Time Network Situational Awareness -

- ratop
- rasql/rasqlinsert
- ralabel

Ratop works just like top, it can connect to argus monitor and show network flow data in near real time view, it also offers vi-like feature, where you can use / to search for flows, and : as command mode to perform various actions such as network flow record filtering/sorting, flow record field reordering, or even extract flow record based on certain timespan in real time. To run ratop, you must have argus monitor running first -

shell>argus -mAJZRU 128 -P 561

Use ratop to connect to the argus monitor -

shell>ratop -S localhost:561

Here's the ratop screenshot -

To quit ratop, it is similar to exiting vi editor, just type :q and you will disconnect from argus monitor. You can see that ratop is very useful when comes to monitor your network in real time, while it doesn't offer you insightful information, it gives quick view of the layer2/3 network conversation. Other features such as sorting can be toggled on with :s, or filtering with :f.

This is considered part 1 which I have ratop covered, and for part 2 I'm going to discuss about rasql/rasqlinsert, then I will introduce ralabel in part 3. All of them are very effective tools for Network Situational Awareness.

Enjoy (:])

OpenDPI

I just came across this Open Source Deep Packet Inspection Engine, while I haven't tried it out, this project seems to be interesting. I just want to mention it in my blog so that I can search next time in case I forget -

http://opendpi.org/

You can check out it's manual and source code which is hosted at Google Code here.

Cheers (;])

Argus 3: OpenWRT Binary Blob

Here's the argus 3 binary blob that will work on OpenWRT KamiKaze 8.09(Linksys WRT54GL MIPS platform), if you are lazy to compile your own, and want to check it out, please do give it a try. Thanks to guti for hosting it -

http://gutizz.com/scripts/argusbinary/argus3-mips.tar.bz2

http://gutizz.com/scripts/argusbinary/argus3-mips.tar.bz2.md5.txt

All you need to do is download, verify, decompress, upload it to your OpenWRT, and run!

Enjoy (;])

Argus 3: Database Support

If you have followed argus mailing list, you should have known that Carter has implemented argus database client(rasql/rasqlinsert) to read/write/bla network flow records to database. I'm currently testing this feature and here's the preview for you -

Currently it seems to work on my testing machine. I will introduce more about the new argus client tools such as ralabel, rasql, rasqlinsert and etc in my coming posts.

Cheers (;])

Mac OSX: MYSQL Community Server

This is quick one to get Mysql Community Server running on OSX, download it from -

http://dev.mysql.com/downloads/mysql/5.1.html#macosx-dmg

Choose the dmg package which works for your platform and OSX version. In my case, I choose Mac OS X 10.5 (x86). So after you have it downloaded, it's all about click click install. Remember to install both Mysql server and its startup item package. You also need to copy the MySQL.prefPane to the right location so that it will show up in your System Preferences -

shell>sudo sudo cp -fR /Volumes/mysql-5.1.38-osx10.5-x86/MySQL.prefPane /Library/PreferencePanes/

To start Mysql server, run -

shell>sudo /Library/StartupItems/MySQLCOM/MySQLCOM start

To stop Mysql server, run -

shell>sudo /Library/StartupItems/MySQLCOM/MySQLCOM stop

To uninstall Mysql Community Server -

shell>sudo rm -rf /Library/StartupItems/MySQL*
shell>sudo rm -rf /Library/PreferencePanes/MySQL*
shell>sudo rm -rf /Library/Receipts/mysql-*
shell>sudo rm /usr/local/mysql
shell>sudo rm -rf /usr/local/mysql-*

And finally remove this line in /etc/hostconfig

MYSQLCOM=-YES-

All for now, I have been idle for a while and hopefully this is come back to be active me.

Cheers ;)

HITB2009MY: The Art Of Network Forensics

Hack In The Box Security Conference 2009 in Malaysia is going to happen again on October 5th-8th 2009. We are looking forward to see the security crowds again! More information about the conference can be found at this link.

Again this time, me and mel(spoonfork) are going to conduct network security training for Hack In the Box 2009 Malaysia. This upcoming training is going to be brand new and focusing on scenario case solving, with the title of "The Art Of Network Forensics: Going Beyond Packet Data", the detail for the training is at here. We haven't finalized the course materials that are going to be provided to students yet, however if we can obtain the kit to build the network tap, then it will be awesome.

On the other hand, we would like to thank to Vickson again for his cool banner design!

Enjoy (;])

Editcap: Discard unwanted frames

With editcap you can actually remove multiple frames(people like to call it packets in general) you don't want. For example if I want to remove frame number 40, 69, 71, 113 and 115 in mail.pcap -

shell>editcap mail.pcap mail-modified.pcap 40 69 71 113 115
Add_Selected: 40
Not inclusive ... 40
Add_Selected: 69
Not inclusive ... 69
Add_Selected: 71
Not inclusive ... 71
Add_Selected: 113
Not inclusive ... 113
Add_Selected: 115
Not inclusive ... 115

Check with capinfos -

shell>capinfos -c mail.pcap
File name: mail.pcap
Number of packets: 173

shell>capinfos -c mail-modified.pcap
File name: mail-modified.pcap
Number of packets: 168

Quick and easy!

Cheers (;])

Time to sell myself .....

This year, I thought things are going to be smooth for me, and I was wrong. But I do know life goes on.

So I'm now out for job again and plan to settle down a bit. This is the first time I put up my resume here, and hopefully can get the right job for myself quickly. I'm looking for job related to firewall/ids/siem implementation/deployment/analysis/response.

If you think there's any opportunity I can grab, or you are interested to hire me, please let me know. Here's my resume.

Thanks!

FreeBSD On VMware Time Sync Issue

We have been trying to fight with the time synchronization issue when running FreeBSD on VMware. With the new FreeBSD(7.1 and above) and new VMware workstation/fusion, the problem is fixed.

That's great as it means we can run HeX more flawlessly on VMware. On the other hand, HeX is back to active development, stay tuned!

Enjoy ;]

Surface Mount Box - 4 ports

I have been looking for 4 ports surface mount box(cat5e compatible) which looks like the above image, if any of you know where I can find in Malaysia, or you sell it, please let me know. I would like to order 20-50 units from you. I want to order online but it is out of stock here. On the other hand, if you know anyone who sell cat5e keystone jack with reasonable price, I would like to buy as well.

My plan is to build network tap using this mount box, and as a gift to whoever attends my future network forensics training.

Cheers ;]

Argus 3.x On Linksys WRT54GL

I have bought two units of Linksys WRT54GL wlan router previously so that I can run Linux and getting network security monitoring tools running on it as well. This little device has very limited space but you can't beat linux as router device. One of the unit is currently living in spoonfork's place to serve that Darth Vader, and another one is with me.

Since Carter has argus supported on OpenWRT, I have been thinking of getting argus installed on it(MIPS platform). And after some tinkering, I have successfully loading argus on it and export the network flow to another box in the network. Here's the complete howto that you can follow exactly to get argus compiled for OpenWRT Kamikaze 8.09(MIPS platform) using Ubuntu Linux.

Prepare the environment, my main directory to build this is /home/geek00l/i-Projects -

shell>sudo apt-get install gcc g++ patch binutils \
flex bison make pkg-config unzip zlib1g zlib1g-dev \
libc6 libc6-dev gawk autoconf upslug2 libncurses5-dev

To build OpenWRT Kamikaze 8.09, svn up the source first -

shell>svn co https://svn.openwrt.org/openwrt/branches/8.09 kamikaze-8.09

shell>cd kamikaze-8.09

Start the building process -

shell>make defconfig

shell>make package/symlinks

shell>make menuconfig

shell>make

Take a coffee break when you run make .....

Install libpcap, this is the only dependencies we need to get argus 3 compiled -

shell>make package/libpcap-compile V=99

shell>make package/libpcap-install V=99

Check out the gcc that we need to use -

shell>/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc --version
gcc (GCC) 3.4.6 (OpenWrt-2.0)
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Now we need to set the environment variables for this build -

shell>export PATH=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin:/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/bin:$PATH

shell>export AR=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ar

shell>export AS=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/as

shell>export LD=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ld

shell>export NM=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/nm

shell>export CC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc

shell>export CPP=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/toolchain-mipsel_gcc3.4.6/gcc-3.4.6-initial/gcc/cpp

shell>export GCC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc

shell>export CXX=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/g++

shell>export RANLIB=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ranlib

shell>export ac_cv_linux_vers=2.4.35

shell>export LDFLAGS="-static"

shell>export CFLAGS="-Os -s"

Time to have fun, doing cross-compile for argus so it works on MIPS platform -

shell>cd /home/geek00l/i-Projects/argus-3.0.1.beta.2

shell>./configure --host=mipsel-linux \
--with-openwrt=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir \
--with-libpcap=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/mipsel/libpcap-0.9.8

shell>make

shell>file bin/argus
bin/argus: ELF 32-bit LSB executable, MIPS, version 1 (SYSV), statically linked, stripped

Transfer it to my OpenWRT -

shell>scp -P 55555 bin/argus root@192.168.1.1:/tmp

To export argus network flow on ppp0 interface -

shell>argus -i ppp0 -B 192.168.1.1 -P 561 -d

To intercept the network flow -

shell>ra -S 192.168.1.1:561 - ip

I have found some good references here to get me going, and I would like to thank to David Watson(UK Honeynet) for his guide on building nepenthes on openwrt too.

Reference:
http://www.frontiernet.net/~beakmyn/CrossCompile.htm
http://www.ukhoneynet.org/research/building-nepenthes-on-the-openwrt-embedded-platform/
http://forum.openwrt.org/viewtopic.php?pid=31794
http://gargoyle-router.com/openwrt-coding.php

Since this embedded device has very limited space, there's no point to run packet logger locally, other tools I would like to run on it so that I can export pcap to other system should be something like packetforward or rpcap. If anyone has experience to get any of these tools installed on OpenWRT, please do share!

Enjoy (;])

OpenWRT: Allow SSH Access On WAN Interface

Here's the quick way to allow SSH Access for WAN interface on OpenWRT, I configure my ssh to run on port 12345 instead of 22 to avoid automated probes from internet using the web interface, then just run this in the terminal -

shell>/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j LOG

shell>/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j ACCEPT

To check if it loads properly -

shell>/usr/sbin/iptables -L | grep 12345
LOG tcp -- anywhere anywhere tcp dpt:12345 LOG level warning
ACCEPT tcp -- anywhere anywhere tcp dpt:12345

To make sure it survives reboot -

shell>nvram set rc_firewall="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j LOG"

shell>nvram set rc_firewall="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j ACCEPT"

shell>nvram commit

Thanks to the link here.

Done!

Cheers (;])

Tshark: Decrypt WEP

Yes, you can decrypt wep using airdecap-ng from aircrack-ng suite, or using wireshark gui. However you can also use tshark to decrypt wep with known key, and you can define many keys to be used to decrypt wep packets as well.

Quick example -

shell>tshark -t ad -o 'wlan.enable_decryption:TRUE' \
-o "wlan.wep_key1:1122aabbcc" -nr wlan-wep.pcap

By the way, you can also decrypt wpa similarly.

Enjoy (;])

Ubuntu: Picviz 0.5 Installation

I first learned about Picviz in secviz.org and know more about it during Honeynet 2009 Annual Meeting in Malaysia when the Picviz author - Toady presented his stuffs. Anyway here's the straightforward Picviz version 0.5 installation guide on Ubuntu Linux -

shell>apt-get install \
cmake python-all-dev python-qt4 libevent-dev libpcre3-dev libcairo2-dev

Make sure you install cmake 2.6, if you are still using Ubuntu 8.04 - Hardy, you need to get this one instead -

http://packages.ubuntu.com/hardy-backports/i386/cmake/download

Download picviz-0.5 -

shell>wget \
http://www.wallinfire.net/picviz/attachment/wiki/ReleasesDownload/picviz-0.5.tar.gz?format=raw

shell>tar xvzf picviz-0.5.tar.gz

shell>cd picviz-0.5

shell>make

shell>sudo make install

If you want to install it on your prefferable directory, you can do this before make -

shell>cmake -DCMAKE_INSTALL_PREFIX=/usr/local/stow/picviz-0.5.0

Build python binding -

shell>cd src/libpicviz/bindings/python/

shell>sudo python ./setup.py install

Build gui frontend -

shell>cd src/frontend

shell>sudo python ./setup.py install

To launch the python gui -

shell>picviz-gui

Done.

Enjoy (;])

Mac OSX: Capturing 802.11 WLAN Traffic

This is trick for Mac OSX users, if you want to capture 802.11 WLAN packets, you can't do that with normal capturing argument using tcpdump. Normally en1 is the wireless network interface for Apple Macbook.

shell>sudo tcpdump -s 0 -nni en1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes

If you look at the link-type, it is EN10MB so 802.11 Radio information header is not going to be captured, however we can define the link type with tcpdump, we can list the supported link type for the interface first -

shell>sudo tcpdump -nni en1 -L
Data link types (use option -y to set):
IEEE802_11_RADIO_AVS (802.11 plus AVS radio information header) (not supported)
IEEE802_11 (802.11)
IEEE802_11_RADIO (802.11 plus BSD radio information header)
EN10MB (Ethernet)

Specify link type with -y option -

shell>sudo tcpdump -y 'IEEE802_11_RADIO' -ttttnni en1
tcpdump: data link type IEEE802_11_RADIO
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type IEEE802_11_RADIO (802.11 plus BSD radio information header), capture size 96 bytes
2009-02-18 00:55:13.948664 3466317997us tsft 1.0 Mb/s 2462 MHz (0x0080) -44dB signal 0dB noise antenna 0 Beacon (SSID) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY
2009-02-18 00:55:14.051029 3466420387us tsft 1.0 Mb/s 2462 MHz (0x0080) -44dB signal 0dB noise antenna 0 Beacon (SSID) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY

If you want to analyze 802.11 traffic, you can definitely play around with this. Of course if you want to put your Macbook into RFMON mode, the best tool around is Kismac.

Enjoy (;])

HITB Dubai 2009

This year HITB Dubai is coming again, there will be 3 technical trainings and good line up of speakers so don't miss it!

Economy is not in good shape for the moment, but hackers are still working hard so make yourself to the conference and see what they are up to ;]

For more information, check out -

http://conference.hackinthebox.org/hitbsecconf2009dubai/

Cheers ;]

Pcapr - Another pcap repository

I just found out another public packet capture repository which is supported by Mu Dynamics. For more detail, check out the web site here ->

http://www.pcapr.net/home

More packets for the monkeys!

Cheers ;]

Ubuntu: Netdude Installation Revisit

Many people have urged me to update my old Netdude installation guide, I don't know what went wrong for them but here's how I get Netdude 0.5 installed on Ubuntu 8.04.

Make sure you have debian packages that I mentioned in old post installed properly via apt-get, now download Netdude 0.5.0, libnetdude 0.11 and libpcapav 0.8 from here.

The sequence of installation is libpcapav -> libnetdude -> Netdude.

To install libpcapav 0.8 -

shell>tar xvzf libpcapav-0.8.tar.gz

shell>cd libpcapav-0.8

shell>./configure --prefix=/usr/local/stow/libpcapav-0.8

shell>make

shell>sudo make install

shell>cd /usr/local/stow

shell>sudo stow libpcapav-0.8

To install libnetdude 0.11 -

shell>tar xvzf libnetdude-0.11.tar.gz

shell>cd libnetdude-0.11

shell>./configure --prefix=/usr/local/stow/libnetdude-0.11

shell>make

shell>sudo make install

shell>cd /usr/local/stow

shell>sudo stow libnetdude-0.11

To install netdude 0.5.0 -

shell>export LDFLAGS=-L/usr/local/lib

shell>tar xvzf netdude-0.5.0.tar.gz

shell>cd netdude-0.5.0

shell>./configure --prefix=/usr/local/stow/netdude-0.5.0

shell>make

shell>sudo make install

shell>cd /usr/local/stow

shell>sudo stow netdude-0.5.0

Now you can run netdude and check out its version -

shell>netdude --version
0.5.0

The reason why I like to use stow to manage my software installation is that I can install multiple version of netdude in /usr/local/stow first, and choose which to use by stowing and unstowing(stow -D) them.

There you go, it should be flawless unless my memory sux(though I'm).

Enjoy (;])

Ubuntu: Unicornscan Revisit

I have written about how to install unicornscan on Ubuntu previously here, and it seems a lot of people have problem getting unicornscan compiled on Ubuntu/Debian. So here's the revisit of mine to make it more clear and it should work on Ubuntu 8.x if you are following the steps accordingly.

Install all dependencies -

shell>apt-get install \
libpcap0.8-dev libgeoip-dev libltdl3-dev ibdumbnet1 libdumbnet-dev

shell>sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h

Download unicornscan and decompress it -

shell>tar xvjf unicornscan-0.4.7-2.tar.bz2

shell>cd unicornscan-0.4.7

shell>./configure --prefix=/usr/local/stow/unicornscan-0.4.7

Thanks to Debian package, since libdumbnet is used, so we need to replace the linker flags, search for files with ldnet

shell>find ./ -type f -exec grep -H 'ldnet' '{}' \;
./src/Makefile.in:G_LDADD=$(LDFLAGS) -lscan -lparse -lunilib -lpcap -lltdl -ldnet -luext
./src/tools/Makefile.in: $(LIBTOOL) --mode=link $(CC) $(CFLAGS) -o fantaip fantaip.lo $(G_LDPATH) $(G_LDADD) -lpcap -ldnet
./src/tools/Makefile: $(LIBTOOL) --mode=link $(CC) $(CFLAGS) -o fantaip fantaip.lo $(G_LDPATH) $(G_LDADD) -lpcap -ldnet
./src/Makefile:G_LDADD=$(LDFLAGS) -lscan -lparse -lunilib -lpcap -lltdl -ldnet -luext
./src/scan_progs/Makefile.in:G_LDADD=-lscan -lparse -lunilib -lltdl -ldnet -luext
./src/scan_progs/Makefile:G_LDADD=-lscan -lparse -lunilib -lltdl -ldnet -luext

To replace ldnet to ldumbnet at one shot, do

shell>for i in `find ./ -type f -exec grep -l 'ldnet' '{}' \;`; do sed -i bak -e 's/ldnet/ldumbnet/g' $i; done

Now we can compile and install

shell>make

shell>sudo make install

You should now have it install in /usr/local/stow, just do

shell>cd /usr/local/stow

shell>sudo stow unicornscan-0.4.7

DONE!

Enjoy (;])

Latex Editor

If you are using latex(I do especially for presentation slide since spoonfork corrupted me), there's one good latex editor that works across multiple OS platforms. Some people will just use vim as the editor but I prefer texmaker. You can check out its main site here -

http://www.xm1math.net/texmaker/

And it even works on Mac OSX!

Cheers ;]