I found this while wandering around the Internet and think it is worth sharing with packet monkeys: it is a very good reference document for anyone who wants to learn the Point-to-Point Protocol (PPP), very straightforward indeed -
http://www.eit.lth.se/ppplab/PPPdocs/ppp-quick-ref.pdf
Check it out if you are interested.
Friday, April 25, 2014
Wednesday, April 23, 2014
Argus 3: Debug & Testing
If you are testing argus 3, the best approach is to compile the argus source with debug mode on; touching the .devel and .debug marker files before running configure turns it on -
Argus -
shell>tar xvzf argus-3.0.7.5.tar.gz
shell>cd argus-3.0.7.5
shell>touch .devel .debug
shell>./configure --prefix=/usr/local/stow/argus-3.0.7.5
shell>make && sudo make install
Argus Clients -
shell>tar xvzf argus-clients-3.0.7.25.tar.gz
shell>cd argus-clients-3.0.7.25
shell>touch .devel .debug
shell>./configure --prefix=/usr/local/stow/argusc-3.0.7.25
shell>make && sudo make install
If argus or any of the client programs fails to run or misbehaves, run it with -D <level>, where a level from 1 to 5 selects how much debug information you want. I'm just writing this as a note to myself and hopefully it helps others who are using argus as well.
Cheers ;]
Sunday, April 20, 2014
Ubuntu Linux: Argus 3 Installation
If you want to test the latest version of argus with all the features enabled on Ubuntu Linux, here is the fastest way; just follow the steps below -
I use stow to manage the argus installations -
shell>sudo apt-get install stow
shell>sudo mkdir /usr/local/stow
Install mysql server (used by the database-backed argus clients) -
shell>sudo apt-get install mysql-server
Install the software dependencies for argus and its clients -
shell>sudo apt-get install flex bison libpcap-dev libmysqlclient-dev libncurses5-dev libreadline-dev libgeoip-dev libpcre3-dev
Now download argus and its client suite (the links are plain http, so check the archives against a checksum or signature from the project before you build them) -
shell>wget http://qosient.com/argus/dev/argus-3.0.7.5.tar.gz
shell>wget http://qosient.com/argus/dev/argus-clients-3.0.7.23.tar.gz
Install argus (only the install step needs root: "sudo make && make install" compiles as root and then runs the install as your own user, which fails under /usr/local/stow) -
shell>tar xvzf argus-3.0.7.5.tar.gz
shell>cd argus-3.0.7.5
shell>./configure --prefix=/usr/local/stow/argus-3.0.7.5
shell>make && sudo make install
Install the argus clients -
shell>tar xvzf argus-clients-3.0.7.23.tar.gz
shell>cd argus-clients-3.0.7.23
shell>./configure --with-libpcre --prefix=/usr/local/stow/argusc-3.0.7.23
shell>make && sudo make install
Now you can use stow to symlink them into the default PATH (/usr/local/sbin and /usr/local/bin) so that you don't need the full path when running argus or the ra* clients -
shell>cd /usr/local/stow
shell>sudo stow argus-3.0.7.5
shell>sudo stow argusc-3.0.7.23
Done, and you can start testing argus for fun!
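The install steps above and the debug build from the "Argus 3: Debug & Testing" post, collected into one script as an added example (this is a script written for this page, not anything shipped by the argus project). It assumes the qosient.com dev URLs and the version numbers quoted in the posts, and it introduces its own knobs: ARGUS_VER, CLIENTS_VER, BASE_URL, STOW_DIR, DEBUG and an optional SHA256SUMS file are all names chosen here. Beyond the typed commands it does two things a practitioner wants: it reads the directory name out of the tarball instead of retyping it, so an archive/directory version mismatch fails loudly instead of building the wrong tree, and it compiles as the unprivileged user, using sudo only for make install and stow.

```shell
#!/bin/sh
# build-argus.sh -- fetch, unpack, build and stow argus and argus-clients.
# Added example for this post, not a script from the argus project.
# Assumptions: the qosient.com dev URLs and version numbers quoted in the posts;
# ARGUS_VER, CLIENTS_VER, BASE_URL, STOW_DIR, DEBUG and SHA256SUMS are names chosen here.
set -eu

ARGUS_VER="${ARGUS_VER:-3.0.7.5}"
CLIENTS_VER="${CLIENTS_VER:-3.0.7.23}"
BASE_URL="${BASE_URL:-http://qosient.com/argus/dev}"
STOW_DIR="${STOW_DIR:-/usr/local/stow}"
DEBUG="${DEBUG:-0}"   # DEBUG=1 touches .devel/.debug before configure (debug build)

# Print the single top-level directory inside a tarball; fail if there is not
# exactly one. Deriving the directory from the archive instead of typing it
# avoids the "tar xvzf argus-A.tar.gz && cd argus-B" mismatch that silently
# configures the wrong tree (or an old one left over from a previous test).
tarball_topdir() {
    top=$(tar tzf "$1" | cut -d/ -f1 | sort -u)
    if [ -z "$top" ] || [ "$(printf '%s\n' "$top" | wc -l)" -ne 1 ]; then
        echo "$1: expected exactly one top-level directory, got: $top" >&2
        return 1
    fi
    printf '%s\n' "$top"
}

# Download a tarball into the current directory unless it is already there.
# The project links are plain http; if a SHA256SUMS file (hypothetical name,
# supply your own from a trusted source) is present, every tarball must match it.
fetch() {
    f=$(basename "$1")
    [ -f "$f" ] || wget -q "$1"
    if [ -f SHA256SUMS ]; then grep " $f\$" SHA256SUMS | sha256sum -c -; fi
}

# build_one TARBALL STOW_NAME [configure args...]
build_one() {
    tb=$1; name=$2; shift 2
    dir=$(tarball_topdir "$tb")
    tar xzf "$tb"
    (
        cd "$dir"
        if [ "$DEBUG" = 1 ]; then touch .devel .debug; fi
        ./configure --prefix="$STOW_DIR/$name" ${1+"$@"}
        make                 # compile as the unprivileged user ...
        sudo make install    # ... and run only the install step as root
    )
}

main() {
    sudo apt-get install -y stow mysql-server flex bison libpcap-dev libmysqlclient-dev \
        libncurses5-dev libreadline-dev libgeoip-dev libpcre3-dev
    sudo mkdir -p "$STOW_DIR"
    work=$(mktemp -d)
    cd "$work"
    fetch "$BASE_URL/argus-$ARGUS_VER.tar.gz"
    fetch "$BASE_URL/argus-clients-$CLIENTS_VER.tar.gz"
    build_one "argus-$ARGUS_VER.tar.gz" "argus-$ARGUS_VER"
    build_one "argus-clients-$CLIENTS_VER.tar.gz" "argusc-$CLIENTS_VER" --with-libpcre
    (cd "$STOW_DIR" && sudo stow "argus-$ARGUS_VER" "argusc-$CLIENTS_VER")
    # Smoke test: the stow symlinks must resolve to the installed binaries.
    ls -l /usr/local/sbin/argus /usr/local/bin/ra
}

case "${1:-}" in
    install) main ;;
    *) echo "usage: [DEBUG=1] [ARGUS_VER=x CLIENTS_VER=y] sh $0 install" >&2 ;;
esac
```

Run it as sh build-argus.sh install, or DEBUG=1 sh build-argus.sh install for the debug build described in the other post; with no argument it only prints usage, so the functions can be sourced and tried on their own.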
Tuesday, April 08, 2014
Kali/Backbox Linux: Alfa AWUS036H
After migrating from Backtrack to Kali Linux, I encountered a problem with WLAN cracking using the Alfa AWUS036H wireless adapter. The initial problem was
shell>airodump-ng wlan0
ioctl(SIOCSIWMODE) failed: Device or resource busy
ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.
So it says I should run airmon-ng -
shell>airmon-ng start wlan0
Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2625 dhclient
2722 NetworkManager
2971 wpa_supplicant
Interface Chipset Driver
mon0 Realtek RTL8187L rtl8187 - [phy0]
wlan0 Realtek RTL8187L rtl8187 - [phy0]
(monitor mode enabled on mon0)
On Backtrack we could run airodump-ng on wlan0 directly; that is no longer the case here, and you need to run airodump-ng on the mon0 monitor interface that airmon-ng created instead -
shell>airodump-ng mon0
Now everything looks good, except for a minor bug where airodump-ng reports channel -1 (and aireplay-ng then refuses to inject because of the channel mismatch); to get everything running smoothly without that error, I run the following instead -
shell>airodump-ng --ignore-negative-one mon0
Now you can perform the usual WLAN cracking routine (aireplay-ng for packet injection, aircrack-ng for cracking). Remember that aireplay-ng takes the same --ignore-negative-one argument, so pass it there as well; aircrack-ng itself only reads the capture file and has no such option.
Cheers (;])
p/s: If you are using another Linux distribution, Backbox, the same applies to it as well.
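The sequence above (airmon-ng start, find the monitor interface, airodump-ng with --ignore-negative-one) as a small script, added here as an example; it is not part of the aircrack-ng suite. It parses airmon-ng's output instead of assuming the interface will be called mon0, because later airmon-ng versions name it wlan0mon and print a different status line; that second format, handled in monitor_iface_from_output, is an assumption not shown in the post. KILL_INTERFERERS is a switch chosen here, and the SAMPLE_OUTPUT constant is the airmon-ng output quoted above, embedded so the parsing can be exercised without a card.

```shell
#!/bin/sh
# mon-up.sh -- enable monitor mode with airmon-ng and start airodump-ng on the
# interface airmon-ng actually created. Added example for this post, not part of
# the aircrack-ng suite. Assumes airmon-ng reports success with either the Kali 1.x
# line "(monitor mode enabled on mon0)" shown in the post or the newer
# "(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)" form;
# KILL_INTERFERERS is a switch chosen here.
set -eu

# airmon-ng output from the post, kept as a sample for exercising the parsers.
SAMPLE_OUTPUT='Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2625 dhclient
2722 NetworkManager
2971 wpa_supplicant
Interface Chipset Driver
mon0 Realtek RTL8187L rtl8187 - [phy0]
wlan0 Realtek RTL8187L rtl8187 - [phy0]
(monitor mode enabled on mon0)'

# Print the monitor interface named in airmon-ng's output, or fail with status 1.
# Failing here is what keeps the caller from running airodump-ng on the managed
# interface and hitting the "ARP linktype is set to 1 (Ethernet)" error above.
# The second sed strips the "[phy0]" prefix newer airmon-ng puts in front of the name.
monitor_iface_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/.*monitor mode.*enabled.* on \([^)]*\)).*/\1/p' |
        sed 's/^\[[^]]*\]//' |
        head -n 1 | grep .
}

# Print the PIDs airmon-ng lists as likely to interfere (dhclient, NetworkManager,
# wpa_supplicant in the sample); these re-associate the card and drop it back
# to managed mode, which is the "stops working after a short period" warning.
interfering_pids() {
    printf '%s\n' "$1" | awk '/^[0-9]+[ \t]+[A-Za-z_]/ { print $1 }'
}

main() {
    wlan=${1:-wlan0}
    out=$(airmon-ng start "$wlan")
    printf '%s\n' "$out"
    mon=$(monitor_iface_from_output "$out") ||
        { echo "airmon-ng did not enable monitor mode on $wlan" >&2; exit 1; }
    if [ "${KILL_INTERFERERS:-0}" = 1 ]; then
        for pid in $(interfering_pids "$out"); do kill "$pid" || true; done
    fi
    # Ask the kernel rather than trusting the banner (iw ships with Kali and Backbox).
    if command -v iw >/dev/null 2>&1; then
        iw dev "$mon" info | grep -q 'type monitor' ||
            { echo "$mon is not in monitor mode" >&2; exit 1; }
    fi
    # --ignore-negative-one works around the "channel -1" issue described above.
    exec airodump-ng --ignore-negative-one "$mon"
}

case "${1:-}" in
    start) shift; main ${1+"$@"} ;;
    *) echo "usage: [KILL_INTERFERERS=1] sh $0 start [wlan0]" >&2 ;;
esac
```

Run it as sh mon-up.sh start wlan0; pass the same --ignore-negative-one to aireplay-ng when you move on to injection.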
Sunday, March 02, 2014
Interesting Rootkit: Uroburos
My friend ebf0 has shared with me this interesting analysis report from GData Security Lab, you can find the report here -
https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf
To understand where the name "Uroburos" comes from, refer to
http://en.wikipedia.org/wiki/Ouroboros
It doesn't matter which party it comes from; we all know intelligence gathering is always going on, and by the time we learn about it we are late by miles. The Internet security community needs to work harder, together, to uncover such tooling as early as possible.
Cheers (;])
Monday, February 24, 2014
The Practice Of Network Security Monitoring
The year 2014 will most probably be a refreshing year for me; everything feels new all over again, and what I should do next matters.
NSM has been a big part of my career and I'm back to my roots, so I would like to discuss and share anything regarding this huge topic. The first thing I will most probably do is grab the book written by my friend Richard, The Practice Of NSM. Thank you for the effort of writing this book; it is really tough to stay focused and finish a book, especially for a busy person like you.
The second thing to do will be reviewing new versions of existing tools, and also new tools that arrived without me noticing - Netsniff-ng, Snort, Suricata, Bro-ids, Argus, NetworkMiner, SIFT and many more, you name it.
The third thing to do is sharing: to share what I have found and learned in the world of IT security.