When {Puffy} Meets ^RedDevil^

FreeBSD 9.0 Release is OUT!

2012-01-14T01:20:00.002+08:00

If you haven't noticed yet, FreeBSD 9.0 Release is out, grab it while it is still hot. The announcement can be found at

http://www.freebsd.org/releases/9.0R/announce.html

You can check out the release note at -

http://www.freebsd.org/releases/9.0R/relnotes.html

I'm glad to see the driver improvement for network adapters especially intel based cards, and the netgraph ng_netflow supports NetFlow V9 export. Another interesting feature is usbdump which can be used to dump packets over usb controller. As always ipfw is improved in almost every FreeBSD release just like pf in OpenBSD. The FreeBSD team has also made a lot of improvement on file system wise. Finally we see new installer for FreeBSD ;)

With FreeBSD 9.0 Release is officially out, time to work on HeX 3!

Cheers ;]

Argus 3: Some hardly used scripts

2012-01-11T20:23:00.002+08:00

There are couple of perl scripts come with argus 3 to process argus data, in case you haven't used them, do try them out, I will just show the result generated by those scripts -

shell>perl ./raips -r ~/pcap-repo/anubis.arg3
187.45.196.28
187.45.241.156
192.168.0.1
192.168.0.2

Raips will generate all unique IP addresses that are seen in the argus data.

shell>perl ./rahosts -r ~/pcap-repo/anubis.arg3
192.168.0.2: (3) 187.45.196.28, 187.45.241.156, 192.168.0.1

Rahosts will generate host report, and telling you the hosts that initiate network connection(transmitter) and also destination hosts that are probed(receiver), you may get an array of IP addresses in the same network if it is network scanning or worm outbreak activity.

shell>perl ./raports -r ~/pcap-repo/anubis.arg3
187.45.241.156 tcp: (1) 80
192.168.0.1 udp: (1) 53
187.45.196.28 tcp: (1) 1433

Raports will generate the port report, however only on server side, which means those ports that are probed by any host.

If you are not satisfied with the result generated by those scripts, you are free to modify them to fit your needs, basically Carter is just demonstrating what you can do with argus data using some scripting capabilities.

Cheers (;])

Large Scale Pcap Analysis

2012-01-11T13:43:00.000+08:00

It seems that the storage is not much an issue when comes to packet capture anymore, looking at terabytes become general everywhere, and many network analysis tools seem to gear toward large scale pcap data analysis, bro-ids has extended their functionality by using tons of community hardware and timemachine to capture and analyze network data, and now I just come to read about people in RIPE NCC are doing this using apache hadoop -

https://labs.ripe.net/Members/wnagele/large-scale-pcap-data-analysis-using-apache-hadoop

As we know as well, pcapr is also making use of cloud technology to share and analyze pcap data for internet community.

Enjoy ;]

Picviz on Windows

2012-01-09T22:40:00.002+08:00

I never know that someone has actually ported picviz to Windows OS platform for a while until I'm working on picviz stuffs and googling some information, you can find here if you are interested -

http://berise.blogspot.com/2011/01/picviz-for-win32-port.html

Open source really opens up many unknown possibilities ...

Cheers ;]

Digital Forensics Tools For Linux

2011-12-18T18:44:00.003+08:00

If you are using Fedora Linux Distro to perform Forensics works, you may want to look into this -

http://www.cert.org/forensics/tools/

CERT also provides vmware forensics appliance where you find at the link above.

Enjoy ;]

Re-look: Security Operation Tools

2011-12-18T14:18:00.000+08:00

I haven't kept track of my favorite tools for awhile, and it's time to pay attention to them again -

- Bro-ids
- Splunk
- Suricata
- Argus
- Ntop

All of them have new version released and it seems there are numerous changes that worth re-look into ;)

High Tech Fix For "Nokia N900: All telephony functions are disabled" issue

2011-12-16T12:35:00.005+08:00

Last week, my Nokia N900 phone suddenly popped up with the message -

All telephony functions, including emergency calls, are disabled due to communication error. To recover, you might have to reboot the device

You will see something like a sim card icon on the top panel when this message appears.

Awesome, it seems I couldn't make or receive call after this message is shown, I rebooted my phone and it works again ... until this week, the phone is dead, I can't use it as a phone but small tablet. Maybe I should try google to see if there's any solution and here's what I have found -

http://discussions.europe.nokia.com/t5/Maemo-and-MeeGo-Devices/N900-All-telephony-functions-are-disabled-and-No-IMEI/td-p/915441

http://talk.maemo.org/showthread.php?t=60881

Basically the solution is to claim the warranty and Nokia replaces a new one for you, what if you are out of warranty, just someone like me? Nokia has no answer for that, thank you Nokia ;)

I was thinking "Sim card icon and communication error", maybe it is sim card slot issue? I don't know, but here's what I try -

0. Switch off N900

1. Open up N900 case at the back(battery part)

2. Take out battery

3. Take out sim card from the slot, clean it

4. Put the sim card back to the slot

5. Tighten the slot

6. Take the toilet paper, yes I say toilet paper because it was on my desk when I was trying to fix this

7. Try to tear the toilet paper and make it thicker by layering them

8. Make the toilet paper slightly same size(square) as the sim card slot

9. Put the toilet paper on top of the sim card slot and push in a bit

10. Put back your battery and press it little hard, the toilet paper will be underneath

11. Close the case

12. Switch on your phone

The phone works automagically, don't ask me why, it's really high tech fix if you ever encounter this issue.

Have fun with N900 again, by the way no fun since not much apps for it(Thank you Nokia), BUT it works as PHONE again!

Cheers ;]

p/s: By the way let me know if this solves your problem, I would like to hear about it!

Time to Kill Bill

2011-12-09T00:07:00.011+08:00

For all Malaysia IT people, do read this and spread out the words, it's time to kill Bill, what Bill? Computing Professionals Bill 2011!

http://www.scribd.com/doc/75107593/CPB2011-Draft

Do read it in detail! Currently it is in drafting processing, thanks to my best pal - Mel to share this nonsense bill. By the way, if you have facebook, support this -

https://www.facebook.com/pages/Malaysians-Against-Board-of-Computing-Professionals-Bill/289002177811647

I will constantly update this post if there's any progress regarding the matter, voice out while you can regarding CPB2011 to the document below -

https://docs.google.com/document/d/14E05jHZKQA0y6rP07n2PYtR4obBLEpiiK7OO1iQQ0PA/edit?hl=en_US

Mosti has put up their latest working draft which you can find here -

http://www.mosti.gov.my/mosti/images/stories/pdf/2011/ruu_bcpm_v17.pdf?PHPSESSID=b5a0a3c0faa9f630065896d7694435a1

Please review it and make your voice loud and clear!

Some opinions from the individual who works in IT industry ;)

http://www.youtube.com/watch?v=lCDHiWh6Ky4&feature=channel_video_title

Petition!

https://www.change.org/petitions/mosti-stop-computing-professionals-bill-2011-cpb2011

Follow the Tweets regarding CPB2011

https://twitter.com/#!/search?q=%23CPB2011

Flip-flop, uncertainty?

http://www.themalaysianinsider.com/malaysia/article/it-bill-may-be-dumped-says-mosti/

Makes yourself certified criteria?

http://www.mncc.com.my/members.htm

Mosti is just facilitator?

http://www.lowyat.net/v2/index.php?option=com_content&task=view&id=5849&Itemid=1

Role model of CPB 2011, seriously?

http://allafrica.com/stories/201107061218.html

Interview of Malaysia Deputy Minister Of Science, Technology And Innovation, Datuk Fadillah Yusoft by Astro Awani, if only you know Malay Language -

https://www.facebook.com/photo.php?v=10150460323294820&set=vb.11726505964&type=2&permPage=1

From Tony Pua, member of Parliament -

http://www.youtube.com/watch?v=6ilM5bKokkw&feature=youtu.be

While they can't define what is CNII properly during open meeting, now they want to include more sectors in this undefined crap? Seriously if the government sector has failed to deliver security all these years, that means PRISMA that was initiated to protect government ICT agency by our government is a big failure(so much money wasted and now this)? By the way if you read carefully at the last few paragraphs, you will notice "What we can do at CyberSecurity Malaysia is to continue to provide more training and capability building in cyber security, says CyberSecurity malaysia Chieft Executive Officer(CEO) Lt Col Prof Datuk Husin Jazri."

To me, that basically sounds like if this bill is passed, he can make big money by selling training and certification program, now we know who is really pushing this AGENDA at the back ;)

http://thestar.com.my/news/story.asp?file=%2F2011%2F12%2F18%2Fnation%2F10119744&sec=nation

Discussion about CPB 2011 on BFM radio station -

http://bfm.my/geeksquawks_ep53.html

The TeAM(The Technopreneuers Association Of Malaysia) objects to CPB 2011 -

http://techcentral.my/news/story.aspx?file=/2011/12/14/it_news/20111214141030&sec=IT_News

Speak out loud, geeks!

http://thestar.com.my/news/story.asp?file=%2F2011%2F12%2F18%2Fnation%2F10105092&sec=nation

No cheers this time, F it!

Intel X520

2011-12-06T13:21:00.003+08:00

I want this for my Christmas present ;]

http://www.intel.com/content/www/us/en/network-adapters/gigabit-network-adapters/ethernet-x520.html

I never thought 10G network adapter can go very cheap, really need to get one for development and testing!

Virtual PF_Ring

2011-12-05T22:15:00.004+08:00

Ntop development team has always developed high performance packet capture solutions that I would like to take a look into it -

http://www.ntop.org/products/pf_ring/vpf_ring/

Virtual PF_RING can only be used with KVM, with this it will bypass many copy operations and capture packets in line rate. I think I will test it on my Linux box and see how it goes. By the way you need to donate to obtain it.

Cheers ;]

RIP - Dennis Ritchie

2011-10-16T20:39:00.002+08:00

Sorry for the belated one.

Nothing much I can say but truly from my heart - Rest In Peace, Mr. Dennis Ritchie.

FreeBSD: Ringmap Quick Testing

2011-01-13T11:48:00.003+08:00

I have mentioned about FreeBSD ringmap here, and now I will share how I get ringmap installed quickly. As the developer of ringmap(Alex) has ported it to FreeBSD stable, here's what you can do -

Download FreeBSD 8.1 stable iso -

shell>wget -c ftp://ftp.jp.freebsd.org/pub/FreeBSD/snapshots/201011/FreeBSD-8.1-STABLE-201011-i386-disc1.iso

Install FreeBSD 8.1 stable on VirtualBox using the iso(Standard Install and make sure you include the source), you can do this quickly without issue if you are familiar with FreeBSD installation. The reason why I choose VirtualBox because VirtualBox can virtualize the following six types of networking hardware:

- AMD PCNet PCI II (Am79C970A)
- AMD PCNet FAST III (Am79C973, the default)
- Intel PRO/1000 MT Desktop (82540OEM)
- Intel PRO/1000 T Server (82543GC)
- Intel PRO/1000 MT Server (82545EM)
- Paravirtualized network adapter (virtio-net)

The ringmap implementation supports Intel 8254x network cards which you can find in the list above, therefore it's the ideal VM solution to use. Make sure you use any of the Intel 8254x in the list.

After I have FreeBSD stable installed on VirtualBox, then proceed to recompile the kernel without device em.

shell>cd /usr/src/sys/i386/conf
shell>mkdir /root/kernels
shell>cp GENERIC /root/kernels/RINGMAP
shell>ln -s /root/kernels/RINGMAP

Edit /root/kernels/RINGMAP by commenting out this line

# device em # Intel PRO/1000 Gigabit Ethernet Family

To recompile and install the custom kernel -

shell>cd /usr/src
shell>make buildkernel KERNCONF=RINGMAP
shell>make installkernel KERNCONF=RINGMAP

It will take a while and once you got it done, reboot the system. After the system is up, add these two lines to /etc/make.conf(if the file not exists, you can just create it) -

EM_RINGMAP=yes
LIBPCAP_RINGMAP=yes

Download ringmap source and install -

shell>fetch http://ringmap.googlecode.com/files/ringmap_freebsd_8.1_1.1.0.bz2
shell>tar xvjf ringmap_freebsd_8.1_1.1.0.bz2
shell>cd FreeBSD_8/scripts
shell>chmod 755 *
shell>./build_ringmap.sh

To enable the ringmap -

shell>./set_ringmap.sh

To make sure you can run any packet capture tool, you need to turn on monitor mode for the network interface -

shell>ifconfig em0 monitor up

For quick testing just run tcpdump and listen to em0 interface -

shell>tcpdump -ttttnni em0

That's all for ringmap testing, I haven't done any benchmarking yet until I get the real hardware for testing but you definitely can find more information about ringmap in its own page here -

http://code.google.com/p/ringmap/

Cheers (;])

Ubuntu: Daemonlogger

2011-01-12T19:33:00.002+08:00

To install daemonlogger on Ubuntu 10.10, you can follow me here -

Install all the required dependencies -

shell>sudo apt-get install libpcap-dev libdumbnet1 libdumbnet-dev

As the libdnet files are renamed to dumb names, we need to create soft link for them so that daemonlogger can find them, otherwise you can install libdnet from source which I want to avoid here -

shell>cd /usr/lib

shell>sudo ln -s libdumbnet.a libdnet.a

shell>sudo ln -s libdumbnet.so libdnet.so

shell>sudo ln -s libdumbnet.so.1.0.1 libdnet.so.1.0.1

shell>sudo ln -s libdumbnet.so.1 libdnet.so.1

shell>sudo ln -s libdumbnet.la libdnet.la

shell>cd /usr/include/

shell>sudo ln -s dumbnet.h dnet.h

Install daemonlogger -

shell>wget -c http://www.snort.org/users/roesch/code/daemonlogger-1.2.1.tar.gz

shell>tar xvzf daemonlogger-1.2.1.tar.gz

shell>cd daemonlogger-1.2.1

shell>./configure

shell>make

shell>sudo make install

There you go, now you have daemologger installed on Ubuntu and ready to capture packets.

Enjoy (;])

Happy New Year 2011

2011-01-01T10:00:00.002+08:00

Good bye 2010, and here comes 2011!

Happy new year everyone, and hopefully myself will be more active in blogging this year!

Cheers & Enjoy (;])

FreeBSD: High Performance Packet Capture

2010-12-24T15:26:00.004+08:00

I'm not sure how many of you have heard about this project, however I found FreeBSD ringmap implementation when I was googling and it seems to be interesting to me, I suggest you visit the link and read up the documentation/presentation.

I'm going to try it out whenever possible, right now it is ported to FreeBSD 8.1 stable, you can actually download the source code and test it out yourself.

http://code.google.com/p/ringmap/

You can also find a lot of information about high performance packet capture from the link below as well, I usually use the setting that is recommended over there for my FreeBSD sensor setup.

http://www.net.t-labs.tu-berlin.de/research/hppc/

By the way, FreeBSD already has zero copy bpf implemented, thanks to Robert Watson for that since he has done a lot of background works on it. To know more about zero copy bpf you can check the presentation slide here -

http://www.watson.org/~robert/freebsd/2007asiabsdcon/20070309-devsummit-zerocopybpf.pdf

Cheers (;])

FreeBSD: Virtual Network Switch

2010-12-24T13:25:00.005+08:00

In the previous post, I have mentioned about I'm going to cover Open vSwitch and Vde implementation. However I think it is also interesting to cover how you can setup virtual switch with FreeBSD native system. As we all know bridging is actually software switching, therefore we can make use of bridge interface to achieve this. I will explain the 6 ports virtual network switch setup that is illustrated in the diagram below -

shell>ifconfig bridge0 create

shell>ifconfig tap0 create

shell>ifconfig tap1 create

shell>ifconfig tap2 create

shell>ifconfig tap3 create

shell>ifconfig tap4 create

shell>ifconfig tap5 create

shell>ifconfig bridge0 addm tap0 addm tap1 addm tap3 addm tap4 addm tap5 up

By now you have exact setup like what is shown in the diagram above, to make it permanent/persistent you need to add the following lines to /etc/rc.conf -

cloned_interfaces="bridge0 tap0 tap1 tap2 tap3 tap4 tap5"
ifconfig_bridge0="addm tap0 addm tap1 addm tap2 addm tap3 addm tap4 addm tap5 up"

Also add the following lines to /etc/sysctl.conf -

net.link.tap.up_on_open=1
net.link.tap.user_open=1

Once you have everything done, you can check if it is setup properly -

shell>ifconfig bridge0
bridge0: flags=8843 metric 0 mtu 1500
ether 0e:a5:28:73:f9:3b
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap5 flags=143
ifmaxaddr 0 port 9 priority 128 path cost 2000000
member: tap4 flags=143
ifmaxaddr 0 port 8 priority 128 path cost 2000000
member: tap3 flags=143
ifmaxaddr 0 port 7 priority 128 path cost 2000000
member: tap2 flags=143
ifmaxaddr 0 port 6 priority 128 path cost 2000000
member: tap1 flags=143
ifmaxaddr 0 port 5 priority 128 path cost 2000000
member: tap0 flags=143
ifmaxaddr 0 port 4 priority 128 path cost 2000000

To undo everything, just run

shell>ifconfig bridge0 deletem tap0 deletem tap1 deletem tap2 deletem tap3 deletem tap4 deletem tap5

shell>ifconfig tap0 destroy

shell>ifconfig tap1 destroy

shell>ifconfig tap2 destroy

shell>ifconfig tap3 destroy

shell>ifconfig tap4 destroy

shell>ifconfig tap5 destroy

The setup is complete, in the next blog post, I will talk about how you can setup similar virtual switch using FreeBSD ng_bridge implementation. Plus releasing the FreeBSD VM for you to try out the setup yourself.

Enjoy (;])

Virtual Network Switch

2010-12-17T18:03:00.005+08:00

Many people have talked about hypervisor, and playing around with virtual machines. There are many solutions available today, either open source or commercial one. We have VMware, Xen, Virtualbox, Qemu, KVM, Parallel, Virtual PC, and others that I may not know.

What I would like to discuss here is virtual network switching, many of us have used a piece of hardware call network switch, which allows the end point to talk to each other. For the hardware network switch, we have many companies that are producing it, for example Cisco, Juniper, 3Com, DLink, NetGear and etc.

The virtual machine lives inside single operating system, which means we can have many virtual machines running inside a piece of hardware, so with virtual network switch we also can run many network switches inside a piece of hardware, and using them to connect virtual machines, and get them to talk to each other.

However, how many solutions are there for virtual network switch? As far as I know, not many. Cisco has produced one which is called Cisco Nexus 1000 Series. If you do know any other commercial solution, please comment.

How about open source solution for that? Yes, here are two that I found very interesting, again if you know any other open source solution, please let me know.

- Open vSwitch
- Vde

This is just simple writeup for what I'm going to cover in the future which I will discuss about how you can setup virtual network switch, and leverage on them. Most of my posts will be discussing about both Open vSwitch and Vde while Virtualbox and Qemu will be used to connect to the switch.

Enjoy (;])

Virtualization Insanity

2010-12-16T12:53:00.004+08:00

I have been poking around with virtualization technologies, and this is one of the screenshot I have taken when multiple qemu vm talking to multiple virtualbox vm.

I will cover a lot about this topic soon, for my own note, and also for sharing purpose.

Cheers ;]

4REN6 VM Mirror

2010-12-15T21:09:00.003+08:00

Thanks to Digital Forensics Framework(DFF) team to provide mirror for 4REN6 vm where you can find here -

http://ftp.digital-forensic.org/mirror/4ren6.radiobandit.org/

I'm still looking for more download mirrors, please let me know if you can host it.

Enjoy ;]

Cloud Technology

2010-12-15T19:05:00.001+08:00

I need to tag this post as it contains the list of Cloud solutions so I can check them out whenever necessary -

http://slash4.de/tutorials/Cloud_computing_technologies_overview_and_comparison

Cheers ;]

Virtualization tools

2010-12-14T19:37:00.002+08:00

I mentioned about ovftool in my previous post, and I also found xenconvert here -

http://www.citrix.com/lang/English/lp/lp_1688624.asp

By the way another fun tool to mention is imvirt which you can find here -

http://micky.ibh.net/~liske/imvirt.html

Enjoy ;]

Good Reference For Linux /dev

2010-12-14T19:33:00.002+08:00

I came across this link while playing around with tun/tap device in Linux, and it's worth sharing -

http://www.lanana.org/docs/device-list/devices-2.6+.txt

You can use mknod to play around with the /dev on Linux, for tun/tap you can use tunctl or openvpn to create them.

Enjoy ;]

sFlow Resources

2010-12-14T17:19:00.001+08:00

I need to keep track of what I have read and tested, currently I'm looking into sFlow stuffs for network visibility. If you are interested about sFlow as well, feel free to check out the links below -

http://www.ietf.org/rfc/rfc3176.txt

http://www.sflow.org/SFLOW-DATAGRAM5.txt

http://www.juniper.net/techpubs/en_US/junos9.3/topics/example/sflow-configuring-ex-series.html

If you have more sFlow stuffs to share, feel free to comment.

Cheers ;]

VMware ovftool

2010-12-08T22:56:00.003+08:00

I just found out this tool and want to keep track of it, it's best to just post in my blog so that I can search through it next time, basically it is a command-line utility that allows you to import and export OVF packages to and from a wide variety of VMware platform products.

http://www.vmware.com/support/developer/ovf/

Cheers ;]

4REN6 VM Download

2010-11-30T23:54:00.002+08:00

Finally ...

Thanks to Niresh for hosting 4REN6 VM. Now you can download the VM via

http://4ren6.radiobandit.org/

If you would like to help out by hosting the VM for download, please let me know. I will update the VM once Ubuntu releases version 10.10. If you try out the VM and have any feature request, feel free to email me.

Cheers ;]

Cisco Regex

2010-09-30T19:33:00.003+08:00

Whoever follow my blog or my workshop will know I always mention about regular expressions(regex) as applied knoweldge for security analyst, I came across interesting read about Cisco regex and think it would be good to share with the bunch, there you go -

http://www.ciscozine.com/2010/09/29/cisco-regular-expressions/

Have fun and good to read some background history of regex and how Cisco makes use of it.

Cheers ;]

4REN6 VM WalkThrough Guide

2010-08-13T11:10:00.003+08:00

As promised in previous post, hereby I release the 4REN6 VM WalkThrough Guide, you can find how to install comprehensive list of forensics tools on Ubuntu 10.04, here's the link for the guide -

http://www.scribd.com/doc/35816772/4REN6-VM-Builder-Guide

Currently you need an account to download it but no problem for quick read, I will upload this guide to my own server later so that you can download it freely(both pdf and odt format in case you want to edit). Maybe wiki is good way to go for documentation collaboration but right now I don't have any plan about it yet.

Feel free to comment and appreciate any valuable inputs! By the way I'm still looking for anyone who is willing to host the 4REN6 VM image.

Cheers (;])

Home For 4REN6 VM

2010-08-03T20:54:00.005+08:00

Yes I'm still working in IT industry and I'm not dead yet, right now I'm working on both tech and non-tech stuffs so this first paragraph is just ice breaking for me to say something.

I have Virtual Machine Image I have prepared for Digital Forensics Training, and I would like to release it, it has the name - 4REN6 but it doesn't has a home now, the size of the VM is 2.6G so if any of you is interested to host the image, please do contact me via

geek00l[at]gmail[dot]com

Please make sure you send to my email correctly as geek zero zero L and not o o L as there are couple of people tried to send me email but fail to do so, I'm sorry about that but I can do nothing about it.

Don't ask me why I'm doing this while there are similar stuffs such as SIFT, Helix, PlainSight or some I may not know, the main reason being I just want to have exercise and to confirm all the stuffs I work on really working, bear in mind I'm doing this alone so please don't shout at me if it breaks. On the other hand, I will release the documentation of how to install everything you need to make forensic desktop using Ubuntu since I have already taken all the notes during the making of this VM and it's just matter of putting them together.

Some sneak peaks -

By the way the wallpaper is designed by myself so it is not really a slick wallpaper we used to have in HeX.

Last but not least, I would like to thank to my blog readers who have encouraged me to continue my blog again, and some other friends along the line. I think this is right thing to do.

Cheers (;])

You can play pacman in Google.com

2010-05-21T23:37:00.004+08:00

Since I haven't been blogging for a while, lets start with something else -

If you don't know, your old good game is first released on 22th of May 1980, so fast 30 years have passed, anyway enjoy playing pacman!

Cheers ;)

What I do lately

2010-03-22T09:13:00.005+08:00

Here's what I do lately, I haven't been blogging for a while but doing some other stuffs, and I figure I still need to keep this blog alive no matter what. I have been poking with

- Splunk - Working on snort/argus module
- Nokia N900 - this is by far the most open system for mobile platform I have seen, and guess what, you can run snort on it with debian stack.
- Gns3 - Way to learn cisco stuffs and WAN setup
- Training - Design new security training course
- HackerSpaceKL - Help where I can

Application I used but keep forgetting at some other times if I haven't used for a while, so it's good to note it down

- recordMyDesktop - gtk-recordMyDesktop
- gnome-screenshot - gnome-screenshot --area
- Funambol - sudo sh bin/funambol start
- xdg-open - xdg-open whatever

Till next time ...

Cheers ;]

Mac OSX: Sguil Client

2009-09-22T03:30:00.003+08:00

My pal Spoonfork has written about how to get sguil client works on Mac OSX previously here, however some of readers reported it won't work on Mac OSX 10.5 or later as tclX is failed to compile. If you really want to get sguil client up and running on Mac OSX, here are the steps -

Download ActiveState TCL for Mac OSX platform from the link below, you can choose either version 8.4.x or 8.5.x as both work -

https://www.activestate.com/activetcl/downloads/

Then what you need to do is click click install, once you are done, obtain sguil client 0.7 from -

http://sourceforge.net/projects/sguil/files/

I choose sguil-client-0.7.0.tar.gz, follow the steps below once you have it downloaded -

shell>tar xvzf sguil-client-0.7.0.tar.gz

shell>cd sguil-0.7.0/client

shell>wish8.5 sguil.tk

You should be good going by now, enjoy playing with sguil client console! If you install Activetcl version 8.4.x, then just run wish8.4 sguil.tk instead.

Cheers (;])

Mac OSX: Nmap 5.0

2009-09-20T00:13:00.005+08:00

Many people write about Nmap 5.0 when it is released, here's how I get it work on Mac OSX. If you are installing Nmap 5.0 using MacPorts, then you won't be having zenmap in your pocket, you will only get ncat, ndiff and nmap. Therefore it is best if you can obtain the nmap installation package for OSX from Nmap website and follow the instruction here to get it installed.

Once you have the package installed, you may figure zenmap will not work properly even though you can run it. In fact you need the following software installed to satisfy the dependencies.

shell>sudo port install py25-gtk

shell>sudo port install py25-py2app-devel

It might take a while to get them compiled and installed as they require some of the libraries from X11 as well, if you can get through this stage, then you should be able to run zenmap now -

shell>open /Applications/Zenmap.app

Of course Nmap is rocking in da house -

shell>nmap -V

Nmap version 5.00 ( http://nmap.org )

Peace (;])

Mac OSX: NetGrok

2009-09-15T21:50:00.007+08:00

I like security visualization tools, and it helps you to interpret computer events easily. Here's how I get NetGrok running in my apple laptop -

Download and install Jpcap -

shell>wget http://netresearch.ics.uci.edu/kfujii/jpcap/jpcap-0.7.tar.gz

shell>tar xvzf jpcap-0.7.tar.gz

shell>cd jpcap-0.7/src/c

shell>make

shell>cp libjpcap.jnilib /Library/Java/Extensions/

shell>cp ../../jpcap.jar /Library/Java/Extensions/

Download and run NetGrok

shell>wget http://netgrok.googlecode.com/files/netgrok20080928.zip

shell>unzip netgrok20080928.zip

shell>cd Netgrok

There's problem with the file groups.ini, you have to change this line

Private1=Wireless=192.168.0.0/16

To -

Private1-Wireless=192.168.0.0/16

Now you can run netgrok without problem -

shell>java -jar netgrok20080928.jar

Below are two screenshots I took -

You might want to check it out, it definitely supports pcap format file! For more information you can check out at NetGrok site.

Cheers (;])

Argus 3: Situational Awareness(ratop)

2009-09-12T18:38:00.006+08:00

You need to know the current state of the network, who is probing your network and services, who is consuming your bandwidth, what are the stuffs running in your network, the main question remains - How much you know about your network?

Then people talk about Situational Awareness, in fact Wikipedia has well-versed explanation about it where you can find here.

As network security operator, we look at Network Situational Awareness, in fact you can use Argus 3 for this purpose, I'm going to discuss about it here. There are few argus client tools that can be used for near Real Time Network Situational Awareness -

- ratop
- rasql/rasqlinsert
- ralabel

Ratop works just like top, it can connect to argus monitor and show network flow data in near real time view, it also offers vi-like feature, where you can use / to search for flows, and : as command mode to perform various actions such as network flow record filtering/sorting, flow record field reordering, or even extract flow record based on certain timespan in real time. To run ratop, you must have argus monitor running first -

shell>argus -mAJZRU 128 -P 561

Use ratop to connect to the argus monitor -

shell>ratop -S localhost:561

Here's the ratop screenshot -

To quit ratop, it is similar to exiting vi editor, just type :q and you will disconnect from argus monitor. You can see that ratop is very useful when comes to monitor your network in real time, while it doesn't offer you insightful information, it gives quick view of the layer2/3 network conversation. Other features such as sorting can be toggled on with :s, or filtering with :f.

This is considered part 1 which I have ratop covered, and for part 2 I'm going to discuss about rasql/rasqlinsert, then I will introduce ralabel in part 3. All of them are very effective tools for Network Situational Awareness.

Enjoy (:])

OpenDPI

2009-09-12T14:22:00.003+08:00

I just came across this Open Source Deep Packet Inspection Engine, while I haven't tried it out, this project seems to be interesting. I just want to mention it in my blog so that I can search next time in case I forget -

http://opendpi.org/

You can check out it's manual and source code which is hosted at Google Code here.

Cheers (;])

Argus 3: OpenWRT Binary Blob

2009-09-11T23:43:00.004+08:00

Here's the argus 3 binary blob that will work on OpenWRT KamiKaze 8.09(Linksys WRT54GL MIPS platform), if you are lazy to compile your own, and want to check it out, please do give it a try. Thanks to guti for hosting it -

http://gutizz.com/scripts/argusbinary/argus3-mips.tar.bz2

http://gutizz.com/scripts/argusbinary/argus3-mips.tar.bz2.md5.txt

All you need to do is download, verify, decompress, upload it to your OpenWRT, and run!

Enjoy (;])

Argus 3: Database Support

2009-09-11T22:57:00.004+08:00

If you have followed argus mailing list, you should have known that Carter has implemented argus database client(rasql/rasqlinsert) to read/write/bla network flow records to database. I'm currently testing this feature and here's the preview for you -

Currently it seems to work on my testing machine. I will introduce more about the new argus client tools such as ralabel, rasql, rasqlinsert and etc in my coming posts.

Cheers (;])

Mac OSX: MYSQL Community Server

2009-09-11T10:04:00.005+08:00

This is quick one to get Mysql Community Server running on OSX, download it from -

http://dev.mysql.com/downloads/mysql/5.1.html#macosx-dmg

Choose the dmg package which works for your platform and OSX version. In my case, I choose Mac OS X 10.5 (x86). So after you have it downloaded, it's all about click click install. Remember to install both Mysql server and its startup item package. You also need to copy the MySQL.prefPane to the right location so that it will show up in your System Preferences -

shell>sudo sudo cp -fR /Volumes/mysql-5.1.38-osx10.5-x86/MySQL.prefPane /Library/PreferencePanes/

To start Mysql server, run -

shell>sudo /Library/StartupItems/MySQLCOM/MySQLCOM start

To stop Mysql server, run -

shell>sudo /Library/StartupItems/MySQLCOM/MySQLCOM stop

To uninstall Mysql Community Server -

shell>sudo rm -rf /Library/StartupItems/MySQL*
shell>sudo rm -rf /Library/PreferencePanes/MySQL*
shell>sudo rm -rf /Library/Receipts/mysql-*
shell>sudo rm /usr/local/mysql
shell>sudo rm -rf /usr/local/mysql-*

And finally remove this line in /etc/hostconfig

MYSQLCOM=-YES-

All for now, I have been idle for a while and hopefully this is come back to be active me.

Cheers ;)

HITB2009MY: The Art Of Network Forensics

2009-06-02T10:31:00.008+08:00

Hack In The Box Security Conference 2009 in Malaysia is going to happen again on October 5th-8th 2009. We are looking forward to see the security crowds again! More information about the conference can be found at this link.

Again this time, me and mel(spoonfork) are going to conduct network security training for Hack In the Box 2009 Malaysia. This upcoming training is going to be brand new and focusing on scenario case solving, with the title of "The Art Of Network Forensics: Going Beyond Packet Data", the detail for the training is at here. We haven't finalized the course materials that are going to be provided to students yet, however if we can obtain the kit to build the network tap, then it will be awesome.

On the other hand, we would like to thank to Vickson again for his cool banner design!

Enjoy (;])

Editcap: Discard unwanted frames

2009-05-21T09:57:00.003+08:00

With editcap you can actually remove multiple frames(people like to call it packets in general) you don't want. For example if I want to remove frame number 40, 69, 71, 113 and 115 in mail.pcap -

shell>editcap mail.pcap mail-modified.pcap 40 69 71 113 115
Add_Selected: 40
Not inclusive ... 40
Add_Selected: 69
Not inclusive ... 69
Add_Selected: 71
Not inclusive ... 71
Add_Selected: 113
Not inclusive ... 113
Add_Selected: 115
Not inclusive ... 115

Check with capinfos -

shell>capinfos -c mail.pcap
File name: mail.pcap
Number of packets: 173

shell>capinfos -c mail-modified.pcap
File name: mail-modified.pcap
Number of packets: 168

Quick and easy!

Cheers (;])

Time to sell myself .....

2009-05-19T00:30:00.009+08:00

This year, I thought things are going to be smooth for me, and I was wrong. But I do know life goes on.

So I'm now out for job again and plan to settle down a bit. This is the first time I put up my resume here, and hopefully can get the right job for myself quickly. I'm looking for job related to firewall/ids/siem implementation/deployment/analysis/response.

If you think there's any opportunity I can grab, or you are interested to hire me, please let me know. Here's my resume.

Thanks!

FreeBSD On VMware Time Sync Issue

2009-05-15T20:21:00.003+08:00

We have been trying to fight with the time synchronization issue when running FreeBSD on VMware. With the new FreeBSD(7.1 and above) and new VMware workstation/fusion, the problem is fixed.

That's great as it means we can run HeX more flawlessly on VMware. On the other hand, HeX is back to active development, stay tuned!

Enjoy ;]

Surface Mount Box - 4 ports

2009-05-15T14:35:00.005+08:00

I have been looking for 4 ports surface mount box(cat5e compatible) which looks like the above image, if any of you know where I can find in Malaysia, or you sell it, please let me know. I would like to order 20-50 units from you. I want to order online but it is out of stock here. On the other hand, if you know anyone who sell cat5e keystone jack with reasonable price, I would like to buy as well.

My plan is to build network tap using this mount box, and as a gift to whoever attends my future network forensics training.

Cheers ;]

Argus 3.x On Linksys WRT54GL

2009-04-16T14:54:00.001+08:00

I have bought two units of Linksys WRT54GL wlan router previously so that I can run Linux and getting network security monitoring tools running on it as well. This little device has very limited space but you can't beat linux as router device. One of the unit is currently living in spoonfork's place to serve that Darth Vader, and another one is with me.

Since Carter has argus supported on OpenWRT, I have been thinking of getting argus installed on it(MIPS platform). And after some tinkering, I have successfully loading argus on it and export the network flow to another box in the network. Here's the complete howto that you can follow exactly to get argus compiled for OpenWRT Kamikaze 8.09(MIPS platform) using Ubuntu Linux.

Prepare the environment, my main directory to build this is /home/geek00l/i-Projects -

shell>sudo apt-get install gcc g++ patch binutils \
flex bison make pkg-config unzip zlib1g zlib1g-dev \
libc6 libc6-dev gawk autoconf upslug2 libncurses5-dev

To build OpenWRT Kamikaze 8.09, svn up the source first -

shell>svn co https://svn.openwrt.org/openwrt/branches/8.09 kamikaze-8.09

shell>cd kamikaze-8.09

Start the building process -

shell>make defconfig

shell>make package/symlinks

shell>make menuconfig

shell>make

Take a coffee break when you run make .....

Install libpcap, this is the only dependencies we need to get argus 3 compiled -

shell>make package/libpcap-compile V=99

shell>make package/libpcap-install V=99

Check out the gcc that we need to use -

shell>/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc --version
gcc (GCC) 3.4.6 (OpenWrt-2.0)
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Now we need to set the environment variables for this build -

shell>export PATH=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin:/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/bin:$PATH

shell>export AR=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ar

shell>export AS=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/as

shell>export LD=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ld

shell>export NM=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/nm

shell>export CC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc

shell>export CPP=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/toolchain-mipsel_gcc3.4.6/gcc-3.4.6-initial/gcc/cpp

shell>export GCC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc

shell>export CXX=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/g++

shell>export RANLIB=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ranlib

shell>export ac_cv_linux_vers=2.4.35

shell>export LDFLAGS="-static"

shell>export CFLAGS="-Os -s"

Time to have fun, doing cross-compile for argus so it works on MIPS platform -

shell>cd /home/geek00l/i-Projects/argus-3.0.1.beta.2

shell>./configure --host=mipsel-linux \
--with-openwrt=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir \
--with-libpcap=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/mipsel/libpcap-0.9.8

shell>make

shell>file bin/argus
bin/argus: ELF 32-bit LSB executable, MIPS, version 1 (SYSV), statically linked, stripped

Transfer it to my OpenWRT -

shell>scp -P 55555 bin/argus root@192.168.1.1:/tmp

To export argus network flow on ppp0 interface -

shell>argus -i ppp0 -B 192.168.1.1 -P 561 -d

To intercept the network flow -

shell>ra -S 192.168.1.1:561 - ip

I have found some good references here to get me going, and I would like to thank to David Watson(UK Honeynet) for his guide on building nepenthes on openwrt too.

Reference:
http://www.frontiernet.net/~beakmyn/CrossCompile.htm
http://www.ukhoneynet.org/research/building-nepenthes-on-the-openwrt-embedded-platform/
http://forum.openwrt.org/viewtopic.php?pid=31794
http://gargoyle-router.com/openwrt-coding.php

Since this embedded device has very limited space, there's no point to run packet logger locally, other tools I would like to run on it so that I can export pcap to other system should be something like packetforward or rpcap. If anyone has experience to get any of these tools installed on OpenWRT, please do share!

Enjoy (;])

OpenWRT: Allow SSH Access On WAN Interface

2009-04-15T08:11:00.000+08:00

Here's the quick way to allow SSH Access for WAN interface on OpenWRT, I configure my ssh to run on port 12345 instead of 22 to avoid automated probes from internet using the web interface, then just run this in the terminal -

shell>/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j LOG

shell>/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j ACCEPT

To check if it loads properly -

shell>/usr/sbin/iptables -L | grep 12345
LOG tcp -- anywhere anywhere tcp dpt:12345 LOG level warning
ACCEPT tcp -- anywhere anywhere tcp dpt:12345

To make sure it survives reboot -

shell>nvram set rc_firewall="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j LOG"

shell>nvram set rc_firewall="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j ACCEPT"

shell>nvram commit

Thanks to the link here.

Done!

Cheers (;])

Tshark: Decrypt WEP

2009-04-05T17:05:00.000+08:00

Yes, you can decrypt wep using airdecap-ng from aircrack-ng suite, or using wireshark gui. However you can also use tshark to decrypt wep with known key, and you can define many keys to be used to decrypt wep packets as well.

Quick example -

shell>tshark -t ad -o 'wlan.enable_decryption:TRUE' \
-o "wlan.wep_key1:1122aabbcc" -nr wlan-wep.pcap

By the way, you can also decrypt wpa similarly.

Enjoy (;])

Ubuntu: Picviz 0.5 Installation

2009-03-21T18:53:00.013+08:00

I first learned about Picviz in secviz.org and know more about it during Honeynet 2009 Annual Meeting in Malaysia when the Picviz author - Toady presented his stuffs. Anyway here's the straightforward Picviz version 0.5 installation guide on Ubuntu Linux -

shell>apt-get install \
cmake python-all-dev python-qt4 libevent-dev libpcre3-dev libcairo2-dev

Make sure you install cmake 2.6, if you are still using Ubuntu 8.04 - Hardy, you need to get this one instead -

http://packages.ubuntu.com/hardy-backports/i386/cmake/download

Download picviz-0.5 -

shell>wget \
http://www.wallinfire.net/picviz/attachment/wiki/ReleasesDownload/picviz-0.5.tar.gz?format=raw

shell>tar xvzf picviz-0.5.tar.gz

shell>cd picviz-0.5

shell>make

shell>sudo make install

If you want to install it on your prefferable directory, you can do this before make -

shell>cmake -DCMAKE_INSTALL_PREFIX=/usr/local/stow/picviz-0.5.0

Build python binding -

shell>cd src/libpicviz/bindings/python/

shell>sudo python ./setup.py install

Build gui frontend -

shell>cd src/frontend

shell>sudo python ./setup.py install

To launch the python gui -

shell>picviz-gui

Done.

Enjoy (;])

Mac OSX: Capturing 802.11 WLAN Traffic

2009-02-18T00:03:00.004+08:00

This is trick for Mac OSX users, if you want to capture 802.11 WLAN packets, you can't do that with normal capturing argument using tcpdump. Normally en1 is the wireless network interface for Apple Macbook.

shell>sudo tcpdump -s 0 -nni en1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes

If you look at the link-type, it is EN10MB so 802.11 Radio information header is not going to be captured, however we can define the link type with tcpdump, we can list the supported link type for the interface first -

shell>sudo tcpdump -nni en1 -L
Data link types (use option -y to set):
IEEE802_11_RADIO_AVS (802.11 plus AVS radio information header) (not supported)
IEEE802_11 (802.11)
IEEE802_11_RADIO (802.11 plus BSD radio information header)
EN10MB (Ethernet)

Specify link type with -y option -

shell>sudo tcpdump -y 'IEEE802_11_RADIO' -ttttnni en1
tcpdump: data link type IEEE802_11_RADIO
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type IEEE802_11_RADIO (802.11 plus BSD radio information header), capture size 96 bytes
2009-02-18 00:55:13.948664 3466317997us tsft 1.0 Mb/s 2462 MHz (0x0080) -44dB signal 0dB noise antenna 0 Beacon (SSID) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY
2009-02-18 00:55:14.051029 3466420387us tsft 1.0 Mb/s 2462 MHz (0x0080) -44dB signal 0dB noise antenna 0 Beacon (SSID) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY

If you want to analyze 802.11 traffic, you can definitely play around with this. Of course if you want to put your Macbook into RFMON mode, the best tool around is Kismac.

Enjoy (;])

HITB Dubai 2009

2009-02-17T08:42:00.004+08:00

This year HITB Dubai is coming again, there will be 3 technical trainings and good line up of speakers so don't miss it!

Economy is not in good shape for the moment, but hackers are still working hard so make yourself to the conference and see what they are up to ;]

For more information, check out -

http://conference.hackinthebox.org/hitbsecconf2009dubai/

Cheers ;]

Pcapr - Another pcap repository

2009-02-09T13:07:00.002+08:00

I just found out another public packet capture repository which is supported by Mu Dynamics. For more detail, check out the web site here ->

http://www.pcapr.net/home

More packets for the monkeys!

Cheers ;]

Ubuntu: Netdude Installation Revisit

2009-02-04T13:16:00.004+08:00

Many people have urged me to update my old Netdude installation guide, I don't know what went wrong for them but here's how I get Netdude 0.5 installed on Ubuntu 8.04.

Make sure you have debian packages that I mentioned in old post installed properly via apt-get, now download Netdude 0.5.0, libnetdude 0.11 and libpcapav 0.8 from here.

The sequence of installation is libpcapav -> libnetdude -> Netdude.

To install libpcapav 0.8 -

shell>tar xvzf libpcapav-0.8.tar.gz

shell>cd libpcapav-0.8

shell>./configure --prefix=/usr/local/stow/libpcapav-0.8

shell>make

shell>sudo make install

shell>cd /usr/local/stow

shell>sudo stow libpcapav-0.8

To install libnetdude 0.11 -

shell>tar xvzf libnetdude-0.11.tar.gz

shell>cd libnetdude-0.11

shell>./configure --prefix=/usr/local/stow/libnetdude-0.11

shell>make

shell>sudo make install

shell>cd /usr/local/stow

shell>sudo stow libnetdude-0.11

To install netdude 0.5.0 -

shell>export LDFLAGS=-L/usr/local/lib

shell>tar xvzf netdude-0.5.0.tar.gz

shell>cd netdude-0.5.0

shell>./configure --prefix=/usr/local/stow/netdude-0.5.0

shell>make

shell>sudo make install

shell>cd /usr/local/stow

shell>sudo stow netdude-0.5.0

Now you can run netdude and check out its version -

shell>netdude --version
0.5.0

The reason why I like to use stow to manage my software installation is that I can install multiple version of netdude in /usr/local/stow first, and choose which to use by stowing and unstowing(stow -D) them.

There you go, it should be flawless unless my memory sux(though I'm).

Enjoy (;])

Ubuntu: Unicornscan Revisit

2009-01-10T14:29:00.004+08:00

I have written about how to install unicornscan on Ubuntu previously here, and it seems a lot of people have problem getting unicornscan compiled on Ubuntu/Debian. So here's the revisit of mine to make it more clear and it should work on Ubuntu 8.x if you are following the steps accordingly.

Install all dependencies -

shell>apt-get install \
libpcap0.8-dev libgeoip-dev libltdl3-dev ibdumbnet1 libdumbnet-dev

shell>sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h

Download unicornscan and decompress it -

shell>tar xvjf unicornscan-0.4.7-2.tar.bz2

shell>cd unicornscan-0.4.7

shell>./configure --prefix=/usr/local/stow/unicornscan-0.4.7

Thanks to Debian package, since libdumbnet is used, so we need to replace the linker flags, search for files with ldnet

shell>find ./ -type f -exec grep -H 'ldnet' '{}' \;
./src/Makefile.in:G_LDADD=$(LDFLAGS) -lscan -lparse -lunilib -lpcap -lltdl -ldnet -luext
./src/tools/Makefile.in: $(LIBTOOL) --mode=link $(CC) $(CFLAGS) -o fantaip fantaip.lo $(G_LDPATH) $(G_LDADD) -lpcap -ldnet
./src/tools/Makefile: $(LIBTOOL) --mode=link $(CC) $(CFLAGS) -o fantaip fantaip.lo $(G_LDPATH) $(G_LDADD) -lpcap -ldnet
./src/Makefile:G_LDADD=$(LDFLAGS) -lscan -lparse -lunilib -lpcap -lltdl -ldnet -luext
./src/scan_progs/Makefile.in:G_LDADD=-lscan -lparse -lunilib -lltdl -ldnet -luext
./src/scan_progs/Makefile:G_LDADD=-lscan -lparse -lunilib -lltdl -ldnet -luext

To replace ldnet to ldumbnet at one shot, do

shell>for i in `find ./ -type f -exec grep -l 'ldnet' '{}' \;`; do sed -i bak -e 's/ldnet/ldumbnet/g' $i; done

Now we can compile and install

shell>make

shell>sudo make install

You should now have it install in /usr/local/stow, just do

shell>cd /usr/local/stow

shell>sudo stow unicornscan-0.4.7

DONE!

Enjoy (;])

Latex Editor

2009-01-07T08:42:00.003+08:00

If you are using latex(I do especially for presentation slide since spoonfork corrupted me), there's one good latex editor that works across multiple OS platforms. Some people will just use vim as the editor but I prefer texmaker. You can check out its main site here -

http://www.xm1math.net/texmaker/

And it even works on Mac OSX!

Cheers ;]

Interesting Network Adapter

2008-12-23T16:25:00.003+08:00

This looks like interesting dual ports network adapter with bypass function, more information ->

http://www.portwell.com/products/detail.asp?CUSTCHAR1=ABN-192

If you know where can get this in Malaysia, please do let me know.

NIDS: Administration, Management & Provisioning

2008-12-20T17:05:00.005+08:00

We often find many resources that discuss about NIDS technologies, and how can you setup one, however things that are really missed out there(even in the internet) should be the following.

If you are managing tons of Network Intrusion Detection systems(NIDS), for tons I mean more than 50, I would like to hear from you about -

1. What tools do you use to manage all the NIDS, and why you choose them over others?
- For example ssh, however I would like to know more about tools you use to manage massive NIDS instead of one, and the reason you choose it.

2. How do you perform efficient administration securely? For examples,
- System changes/updates
- NIDS tools' changes/updates
- NIDS rules' changes/updates
- NIDS Configuration files' changes/updates
- NIDS Policies' changes/updates

3. Which method you like to use in order to manage them, and why? For example,
- Server pushes rules update to all the sensors(Push)
- Sensors pull the rules update from server(Pull)

3. NIDS health monitoring and self-healing
- I'm talking about something like this, if the system is in incosistent state, operators will be notified. If certain process die, it should recover by itself.

I consider NIDS as critical system and it should be managed wisely to prevent misconfiguration, downtime and so forth. Therefore we should have solid answers for the questions above if we are going for massive NIDS implementation and deployment.

Any in sight or valuable thoughts to share are welcomed!

Peace ;]

*nixes Backup Solution

2008-12-18T10:36:00.002+08:00

I'm looking at various backup solutions that are availabe for unix variants. There are so many of them and I'm just listing them down here in case I forgot what I have found.

- Timevault

- Flyback

- Kbackup

- Rsnapshot

- Rdiff-Backup

Some other solutions can be found here.

Cheers ;]

FreeBSD ZFS

2008-12-14T23:41:00.006+08:00

I have been listening people talking about ZFS, and it is ported to FreeBSD, I don't play with it until today.

It does seem that FreeBSD is getting solarish, ZFS, Dtrace and what else. Anyway here's simple screenshot of mine with ZFS setup -

I may spend more time playing with it, if you are interested in ZFS on FreeBSD, you should check out -

http://wiki.freebsd.org/ZFS

By the way, FreeBSD 7.1 RC1 is out, grab it while it's hot!

Cheers ;]

Anonymous Troll

2008-12-13T15:43:00.004+08:00

I have previously blogged about my experience in Singapore Govware here, however I don't know I get such interesting comment until I was told by a friend who read it. The comment is written as following -

--------------------------------------------------------------
Anonymous said ....
With all due respect to you and your great work with hex and what not, I'd like to rant a bit. I know its belated, but here goes :)

Sometimes security is not about you 'teaching' people what to do with your l337 NSM toolkit. It is normal for security conferences/events to be a closed door affair or by invitation only. I bet there were some concerns by some parties that you're blackhats/can't_be_trusted/not-really-security-analyst whom they can share information with. So its better late than never to kick you out. The level or kind of stuff you and other l337 friends write at security.org.my also don't help I think.

So get real, be trusted, and stop associating yourself with ppl whose deep insights on security are only by taking screenshots at defacements or error messages, blowing them out of porportion, make kidd1e5 happy and then sell a training program! So don't be disheartened at being kicked out at a per invite only program.
-----------------------------------------------------------

I don't really want to argue anything here, my point here is if you don't know me, don't justify me with your narrow minded like you know me very well, and stop acting like anonymous coward.

Peace ;]

What Am I Doing?

2008-12-13T15:16:00.002+08:00

I hardly blog these days, and have been busy with current works plus my own fun research. It's about the end of year 2008 and I figure life is more challenging when I'm getting older.

raWPacket is currently in the state of "slowing down" or you can call it slacking, so we will restart our engine next year(2009). Hopefully we can get many interesting projects done in coming year, some are on the way!

It's been couple of months working for GE now, thanks to my friend - Richard Bejtlich for the opportunity, faithfully. For the other guys I'm working with, you guys are always rocking!

For my own research, lets keep it secret for now, it will be revealed soon.

Cheers ;]

Drunken Monkey: Running Network Miner with Wine

2008-12-01T01:11:00.000+08:00

Network-Based Forensics is emerging now, we are seeing more and more NBF tools in active development now, one of the decent NBF tool I would like to mention here is NetworkMiner which is developed by Erik Hjelmvik. NetworkMiner is developed using .net framework, therefore it has Windows version only, I will show you how you can get it running using Wine on *nix based OS especially Ubuntu Linux.

Installing Wine -

shell>sudo apt-get install wine wine-dev cabextract

Configure Wine -

shell>winecfg

In Application tab, change windows version to Windows 2000

shell>wget http://kegel.com/wine/winetricks

Install cofefronts and .net framework 2.0 -

shell>sh winetricks corefonts dotnet20

Download NetworkMiner -

shell>wget \
http://sourceforge.net/project/showfiles.php?group_id=189429

Unzip it and run -

shell>wine NetworkMiner.exe

Here you go -

Cheers (;])

Network-Based Forensics: Xplico

2008-11-26T14:19:00.000+08:00

If you are interested in Network-Based Forensics, you should give this tool a try - Xplico, this tool is quite promising and in active development.

During HITB Training and Conference, I have mentioned about the challenge and problem with Network-Based Forensics, one of them is the lack of protocol dissectors(especially application layer). Looking at Xplico roadmap, you can see they are trying to add more and more dissectors to be more advance in traffic reconstruction(you can't really base on tcp itself as the session itself is mostly handled by the application layer these days).

Xplico is definitely designed for Network-Based Forensics only, and it follows file system forensics approach where you can create case and extract data from the pcap. There are few things I would like to see it in Xplico if possible -

1. Support more packet format(or conversion)
2. Better search engine(not only email)
3. Report generation
4. Data export to various format
5. Per host traffic information

If you are interested in trying out Xplico quickly, you can check out Deft liveCD.

More screenshots!!!!!

Enjoy ;]

HeX In The Box

2008-10-30T06:43:00.008+08:00

We release the HeX special edition for HITB Security Conference, the theme we use is HeX In The Box. If you are the HITB Conference participant, you might or might not get the CD we distribute in the first day of conference as we only have about 120 pieces of them so it is really limited.

This special edition comes with new wallpaper and cd sticker as well. Thanks to Vickson for the comic style of design this time!

HeXInTheBox CD Sticker

HeXInTheBox Wallpaper

On the other hand, HeX hits more than 10,000 downloads since the release of version 2.0!

Cheers (;])

Bro 1.4: Eating Netflow

2008-10-18T18:19:00.005+08:00

The new Bro can import NetFlow version 5 data now, if you are using HeX 2.0, you can test it quickly. Here's how you can test its new ability to work with NetFlow.

Using fprobe to export NetFlow version 5 data on network interface le0 to address 127.0.0.1 and port 5555 -

shell>sudo fprobe -n 5 -f ip -i le0 127.0.0.1:5555

Using bro to eat NetFlow data and log them to disk -

shell>sudo bro --netflow 127.0.0.1:5555 HeX netflow

You will find netflow.log in your $BROLOGS directory, and you can simply examine them with any text viewer.

I'm going to distribute bro-1.4 binary that works well with HeX so that people can try them out if they are interested in latest Bro offerings.

Enjoy (;])

HITB 2008 and Our Technical Training

2008-10-18T16:53:00.005+08:00

HackInTheBox Security Conference 2008 in Malaysia is around the corner, this time we are going to bring you triple tracks which will be running simultaneously at the same time and participants are allowed to join any track they like to. Plus we have great speakers line up.

The old and useless CTF organizing team will retire this time and be replaced by the new bloods, so we hope they are doing the best they can to get the game going. On the other hand, there will be OpenHack as usual. We also hope you are going to enjoy HITB Lab which will be running for the first time ever.

For the moment, me and spoonfork are updating our training materials, just like previous training, our training goes with the name "Structured Network Threat Analysis & Forensics". However we are changing strategy and bringing new stuffs. Besides Network Security Monitoring, we are going to focus more on Network Based Forensics and its challenges. We also include exercises so that participants can get the feel of it during the training session.

If you haven't registered yet, I think you should. You can check out the price of registration and it's real cheap. Don't miss the chance to learn about latest security issues, meet the world class security professionals and get to know local talents around!

Cheers ;]

Bro: 1.4 Release

2008-10-18T10:41:00.005+08:00

Kudos again to Bro development team for making the release of version 1.4. This release has included tons of new features and also tons of bug fixes.

I'm looking forward to try out things like NetFlow, Time Machine and many others. If you are interested in Bro, grab the latest version while it's hot. You can download it at -

http://bro-ids.org/download.html

The detail changes can be read here.

Enjoy ;]

Foss.my 2008

2008-10-10T16:32:00.003+08:00

Many friends in OSS circle have already blogged about this, so I won't repeat anything much, if you are interested in Foss, and you are in Malaysia, this is definitely the event that you should come.

For more information, look here ->

http://foss.my/

Enjoy ;]

Expanding Response: Deeper Analysis

2008-10-10T16:12:00.005+08:00

My friend Russ McRee just published a paper called Expanding Response: Deeper Analysis for Incident Handlers with SANS for his GCIH Gold cert that includes details on Argus, HeX, NSM-console, and NetworkMiner using content from the original ISSA articles as well as current updates.

You can find his paper here -

http://www.sans.org/reading_room/whitepapers/incident/32904.php

Nice work Russ!

Cheers ;]

Govware: Positive Security?

2008-10-08T12:37:00.008+08:00

Few months ago, Dhillon(HITB Founder) told us about Govware which is organized by Ministry Of Home Affairs Singapore and they invited us to their conference.

So HITB is invited to Singapore Govware, and we were quite looking forward to this event as we are told Singapore is first world country and they are great in event organizing. Unfortunately this time, we are going down to Singapore with our own budget(Other events' organizers pay our accomodation for our effort) but we thought since it's just our neighbor country, lets pay on our own.

So we are being supportive to run Web Hacking Challenge for Govware as well(Rufio handles this), me and Mel are also invited to give talk in closed door - Law Enforcement Track to share our knowledge with the audience. In the first day of event, everything goes smoothly. Me and mel are presenting 8 Layers Of Security and performing Network Forensics using HeX 2.0 that we have just released few days ago. We are glad to know some of people who are working in law enforcement units.

So I don't want to comment much about other presentations since I don't really listen to them as we are not allowed to, but we still managed to listen to 3 talks which are also closed door since their people never block us. But then again, we were banned from the room after their clueless dudes figure out we were in the talk, they should have blocked us from going in instead of asking us out in the middle of the presentation.

So nothing much happening in the first day of event except this shit, we went back to apartment and grabbed our dinner.

So today(second day of Govware) we went to the venue, and we just started running Web Hacking Challenge, as usual all of us are wearing HITB t-shirt to present who we are. Then out of sudden, there's some "don't know who"(probably fear to lose(kiasu) organizer) came to us, and informed us that we are not allowed to deliver our HITB conference fliers, we can't promote our HITB Conference in overt style(I don't get this, we just deliver our flier for whoever passes by our booth like everybody else instead of doing it aggresively) and we are also prohibited to wear our own HITB t-shirt as well(but we see others can wear their own company t-shirt(hint: Splunk) and they are not abused.

So what should we do now after coming down all the way from Kuala Lumpur to this Govware Singapore? Absolutely nothing but get out of this crap place. And Govware is promoting Positive Security but can't even allow us to inform the audience about another security conference with world class security experts in neighbor country(to be honest our conference are totally different than Govware as we are emphasizing more on new attack mechanisms and more technical oriented).

So to conclude this, we are now enlightened of how thisso called "First World Country" Ministry people manages international event, with unfair treatment where other companies can do their "not so overt" marketing(because they are sponsors?), they can wear their own company t-shirt, but we are asked to fuck off!

So this is definitely great job from them, and thanks for the awful invitation, you can fuck off now. Kudos!

So Enjoyable ;]

HeX 2.0 Release - The Bonobo

2008-10-06T19:01:00.004+08:00

Today is big day for us as we finally have HeX 2.0 Release - The Bonobo unleashed.

After many months of struggling in both testing and development phases, there are a lot of new features added in this release. To sum it up, we have -

1. FreeBSD 7 Stable
2. Unionfs
3. NSM Console updates
4. Tons of analysis alias and scripts
5. Tons of NSM tools' signatures
6. Firefox - Useful websites bookmark
7. Liferea - Security rss feeds

For more information, you can check out its own site which is located at -

http://www.rawpacket.org/projects/hex/hex-livecd/version-20-release

I would like to say thanks to HeX team members for all the hard works and continuous efforts. You guys are just rocking!!!!!

Enjoy (;])

FreeBSD: Pktanon Installation

2008-10-05T12:09:00.006+08:00

What is pktanon?
PktAnon performs network trace anonymization. It is highly configurable and uses anonymization profiles.

My friend Richard has actually blogged about it especially for Debian platform.

One of the pktanon main developer - Christoph has emailed me that they have fixed pktanon and make it work on FreeBSD, and I'd like to try it out, I won't make a port for FreeBSD as I'm told that Wesley is working on pktanon port.

But if you are interested, that's how you can get it to work on FreeBSD.

Get the dependencies, install these two FreeBSD ports -
1. boost
2. xerces-c2

We can now perform pktanon installation -

shell>wget \
http://www.tm.uka.de/software/pktanon/download/pktanon-1.2.1-dev.tar.gz

shell>tar xvzf pktanon-1.2.1-dev.tar.gz

shell>cd pktanon-1.2.1-dev

shell>export CFLAGS=-I/usr/local/include

shell>export CPPFLAGS=-I/usr/local/include

shell>export LDFLAGS=-L/usr/local/lib

shell>./configure

shell>make

shell>sudo make install

You can now start working with pktanon, I won't show those as you can check out the information from pktanon website. We will include pktanon in HeX(definitely not HeX 2.0 but maybe 2.0.1 as we already froze the port tree while pktanon port is still not in yet). It's worth to add it as people who would like to contribute to Openpacket need to anonymize their packet trace.

Cheers (;])

HeX 2.0 R: Preview

2008-10-02T16:02:00.005+08:00

Here we reveal the latest HeX 2.0 Release, it will be out very soon. Stay tuned!

The joy for packet monkeys (;])

HeX 2.0 Release is NEAR

2008-09-27T17:37:00.001+08:00

We are going to unleash HeX 2.0 Release, if no major issue found again it should be on next week.

Stay tuned ;]

Another NSM related blog

2008-09-20T17:48:00.003+08:00

Our webmaster guti has his own technical blog, if you are interested in his works, check out -

http://www.gutizz.com/

I learned some tips and tricks about ourmon and grace, though he doesn't blog frequently, but I found his post with quality.

Enjoy ;]

FreeBSD: Port's Foo

2008-09-02T15:25:00.003+08:00

I have learned a few new tricks about using FreeBSD ports which I don't know last time, there you go!

For ports which provides configure options, you can actually configure it via -

shell>make config

To show the configuration -

shell>make showconfig

To remove current configuration, or reset it to default -

shell>make rmconfig

To build the package from port -

shell>make package

To build the package from port for its dependencies as well -

shell>make package-recursive

If you have the port previously installed, and you want to reinstall with different option set, make sure you have the "work" directory deleted in particular port or else the new configure option won't be used.

Enjoy ;]

HeX 021: Decode base64

2008-08-26T20:55:00.006+08:00

There are a lot of malicious contents which are actually encoded with base64 to create confusion.

This is just quick one as I have friend asking about it on how to decode base64 encoding. One liner with python -

shell>python -c "import binascii; \
binascii.a2b_base64('encoded strings here')

Or you can use nsm console if you are running HeX -

nsm>decode base64 'encoded strings here'

Enjoy ;]

HeX 021: Resolving Ihack 2008 password.pcap

2008-08-19T14:05:00.009+08:00

My friend ayoi has posted Ihack 2008: Defense Challenge here, I don't really have time to look into the whole game. However I have tried to give it a shot for password.pcap to figure out what's the passphrase.

I decide to use HeX liveCD for this quick challenge since chfl4gs_ has presented it in IHack. Initial look at the traffic -

shell>tcpdump -ttttnnr password.pcap

reading from file /home/analyzt/rp-Analysis/password.pcap, link-type EN10MB (Ethernet)
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:1879048192(0) win 512
2008-08-14 12:21:11.469524 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 1879048193 win 0
2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:872415232(0) win 512
2008-08-14 12:21:12.212549 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 3288334337 win 0
2008-08-14 12:21:12.959563 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 603979776:603979776(0) win 512
2008-08-14 12:21:12.959710 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 3019898881 win 0
2008-08-14 12:21:13.656942 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 889192448:889192448(0) win 512

Output truncated .....

Initial view of the network traffic tells you that the network traffic contains no data transfer, and it is heavily crafted(port). It also hints you that the passphrase should be residing in the packet header. Therefore I start dig into the header by printing it in hex and ascii dump output.

shell>tcpdump -XXttttnnr password.pcap
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:
1879048192(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 5c00 0000 4006 bc3d 0a0a 037e 0a0a .(\...@..=...~..
0x0020: 4b01 0539 7a69 7000 0000 0000 0000 5002 K..9zip.......P.
0x0030: 0200 5bad 0000 ..[...
2008-08-14 12:21:11.469524 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack
1879048193 win 0
0x0000: 000c 2945 914a 000c 294b dcf1 0800 4500 ..)E.J..)K....E.
0x0010: 0028 0000 4000 4006 d83d 0a0a 4b01 0a0a .(..@.@..=..K...
0x0020: 037e 7a69 0539 0000 0000 7000 0001 5014 .~zi.9....p...P.
0x0030: 0000 5d9a 0000 ..]...
2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:8
72415232(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 2000 0000 4006 f83d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3400 0000 0000 0000 5002 K..9zi4.......P.
0x0030: 0200 97ad 0000 ......
2008-08-14 12:21:12.212549 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack
3288334337 win 0
0x0000: 000c 2945 914a 000c 294b dcf1 0800 4500 ..)E.J..)K....E.
0x0010: 0028 0000 4000 4006 d83d 0a0a 4b01 0a0a .(..@.@..=..K...
0x0020: 037e 7a69 0539 0000 0000 3400 0001 5014 .~zi.9....4...P.
0x0030: 0000 999a 0000 ......

Output truncated .....

When comes to examing the packet header, it's best to look at the pattern, and realizing that some fields are usually static in this case helps you to identify the different, if we look at the 4 packets above, you may spot

10.10.3.126 -> 10.10.75.1 - tcp sequence number
10.10.75.1 -> 10.10.3.126 - tcp acknowledge number(tcp sequence number + 1)

So to get the answer, you can just print the connection from one side(from 10.10.3.126 to 10.10.75.1) -

shell>tcpdump -XXttttnnr password.pcap ip src 10.10.3.126
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:
1879048192(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 5c00 0000 4006 bc3d 0a0a 037e 0a0a .(\...@..=...~..
0x0020: 4b01 0539 7a69 7000 0000 0000 0000 5002 K..9zip.......P.
0x0030: 0200 5bad 0000 ..[...
2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:8
72415232(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 2000 0000 4006 f83d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3400 0000 0000 0000 5002 K..9zi4.......P.
0x0030: 0200 97ad 0000 ......
2008-08-14 12:21:12.959563 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 603979776:6
03979776(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 6200 0000 4006 b63d 0a0a 037e 0a0a .(b...@..=...~..
0x0020: 4b01 0539 7a69 2400 0000 0000 0000 5002 K..9zi$.......P.
0x0030: 0200 a7ad 0000 ......
2008-08-14 12:21:13.656942 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 889192448:8
89192448(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 8d00 0000 4006 8b3d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3500 0000 0000 0000 5002 K..9zi5.......P.
0x0030: 0200 96ad 0000 ......

Output truncated .....

If you want to see another side of the traffic, just tune the bpf filter to ip src 10.10.75.1, however for that you will need to look at the acknowledge number. You should have the answer now.

Anyway when comes to print certain field in the header, you can use tshark(part of wireshark), and force it to print certain field, for example -

shell>tshark -Tfields -e 'tcp.seq' -nr password.pcap -o tcp.relative_sequence_numbers:FALSE -R 'ip.src == 10.10.3.126'
1879048192
872415232
603979776
889192448
1996488704
805306368
1912602624
1677721600
536870912
822083584
889192448
536870912
822083584
838860800
855638016
167772160

That's your answer in decimal, you can convert the number to hex and from hex to ascii. Using pythong quickies -

Decimal to Hex -
shell>python -c 'print hex()'

HeX to Ascii
shell>python -c 'import binascii; print binascii.a2b_hex("")'

You should have the passphrase to unrar Questions.rar

shell>unrar e Questions.rar

Bump in the passphrase and you will be able to retrieve all the files you need.

During the challenge event, I don't see any participants use HeX for this purpose. And lot of them just use wireshark to examine, my opinion is using wireshark is not effective in this scenario as wireshark is great when you want to do per packet examination or dealing with network protocols you are not familiar with. However for this, I would say tcpdump and tshark are more effective tools to obtain the clue.

Enjoy (;])

Little note about GDB

2008-08-18T22:36:00.006+08:00

This is just for myself as I'm not the guy who uses debugger much. However sometimes it helps when you have core dump for the program you are running. This is simple one of what you can examine with the core dump file.

shell>gdb bro bro.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `bro'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libmagic.so.3...done.
Loaded symbols for /usr/lib/libmagic.so.3
Reading symbols from /lib/libz.so.4...done.
Loaded symbols for /lib/libz.so.4
Reading symbols from /usr/lib/libssl.so.5...done.
Loaded symbols for /usr/lib/libssl.so.5
Reading symbols from /lib/libcrypto.so.5...done.
Loaded symbols for /lib/libcrypto.so.5
Reading symbols from /lib/libncurses.so.7...done.
Loaded symbols for /lib/libncurses.so.7
Reading symbols from /usr/lib/libstdc++.so.6...done.
Loaded symbols for /usr/lib/libstdc++.so.6
Reading symbols from /lib/libm.so.5...done.
Loaded symbols for /lib/libm.so.5
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /lib/libc.so.7...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x080518ef in copy_string () at SSLInterpreter.cc:30
30 */

(gdb) print copy_string
$1 = {} 0x80518d0

(gdb) bt
#0 0x080518ef in copy_string () at SSLInterpreter.cc:30
#1 0x0809e249 in DNS_Mapping (this=0x843e6c8,
host=0x810e00c1

, h=0x830c0d0)
at DNS_Mgr.cc:171
#2 0x080a049f in DNS_Mgr::AddResult (this=0x830bd68, dr=0x843e210,
r=0xbfbf9070) at DNS_Mgr.cc:697
#3 0x080a08d6 in DNS_Mgr::Resolve (this=0x830bd68) at DNS_Mgr.cc:601
#4 0x080a0edd in DNS_Mgr::LookupHost (this=0x830bd68,
name=0x843398e "l.root-servers.net") at DNS_Mgr.cc:485
#5 0x0806826a in brolex () at scan.l:330
#6 0x08053d5c in yyparse () at p.c:2277
#7 0x0804efb6 in main (argc=5, argv=0xbfbfebac) at main.cc:751

(gdb) up
#1 0x0809e249 in DNS_Mapping (this=0x843e6c8,
host=0x810e00c1

, h=0x830c0d0)
at DNS_Mgr.cc:171
171 req_host = copy_string(host);

I'm still learning how to interpret them correctly, hopefully more to come.

Cheers ;]

FreeBSD: Bpfstat is in Netstat

2008-08-16T20:10:00.000+08:00

My friend Richard(Taosecurity) has blogged about bpfstat here, and for now bpfstat is already ported as part of netstat in FreeBSD 7. You can run the netstat with -B option -

shell>netstat -B -I le0

Pid Netif Flags Recv Drop Match Sblen Hblen Command
820 le0 p--s--- 989344 0 958346 0 0 bro
761 le0 p--s--- 989444 0 989444 216 0 argus
754 le0 p--s--- 410 0 410 1392 0 ourmon
330 le0 -ifs--l 989458 0 440 0 0 dhclient

As you can see it is very useful when comes to monitor the libpcap based tools, however there's one feature I miss during the time I use bpfstat which is -i(interval of wait second to report). To simulate similar function, I have found a simple way by using infinite loops -

shell>z=1; while [ $z -eq 1 ]; do netstat -B -I le0; sleep 3; done

This way it will report every 3 seconds(sleep 3), and if you just want to monitor particular tools, use grep will do.

Cheers ;]

HeX 2.0 RC1 is now

2008-08-06T17:28:00.003+08:00

After long time development, we have finally reached the stage where we are brave enough to release version 2 of HeX, Release Candidate 1. This is the first public version for HeX 2.0 and we hope that by releasing this, people who are interested in it can help testing out this version. I won't be mentioning the new features that we are adding to HeX 2 here as I will put up all the information once we reach the 2.0 Release instead of RC. For the moment, we need people to test all the applications that we have added, a lot of them can be accessed via fluxbox menu so please help in testing.

Currently there are few known problems -

- Netdude is broken
- Autopsy is broken(sleuthkit issue)
- Gvim is broken(font not available)
- Flowtag is broken(Looking for older version of tk while new one is installed)
- NSM Console(Snort module where wrong path is defined in snort configuration file)
- Silktools(Flowcap and Rwflowpack)
- Ragraph is broken
- Zsh is missing

Most of the issues are already fixed in the development repository, therefore don't report to us if you encounter similar problem in HeX 2.0 RC1. If you encounter any other issues, please do report to us via mailing list -

http://groups.google.com/group/HeX-liveCD

Anyway here's the HeX 2.0 RC1 iso -

http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso
http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso.md5
http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso.sha256

Alternatively, you can download from US mirror -

http://us.rawpacket.org/image/hex-i386-2.0-RC1-20080803.iso

Thanks to all the raWPacket members who have put the effort in HeX 2.0 development, you guys are walys rocking!

Enjoy (;])

Unimas: Open Source Security Tools Talks

2008-07-21T11:40:00.006+08:00

First of all, thanks for the invitation from Unimas, and En. Ahmad who has put the effort to make it happen, me and Mel will be going to University Malaysia Sarawak (Unimas) tomorrow to give talks about Open Source Security Tools and how it can be very useful, either for corporate, or educational environment.

If you are interested in the topic, and you are currently studying in Unimas. Feel free to join us!

Enjoy ;]

Ubuntu: Netdude Manual Installation

2008-07-15T19:12:00.004+08:00

I use netdude for pcap file editing, it's simple and straightforward since it is gui based, however the ubuntu package is rather old(0.3.x) and I need to use the latest version, here's quick way to get the latest version of netdude installed on Ubuntu 8.04.

Download the latest version of netdude, libpcapnav and libnetdude from here -

http://netdude.sourceforge.net/download.html

Then install all the necessary packages -

shell>sudo apt-get install stow

shell>sudo apt-get install build-essential

shell>sudo apt-get install libgtk1.2-dev

shell>sudo apt-get install libpcap0.7-dev

Decompress netdude, libpcapnav and libnetdude, and install them following the sequence - libpcapnav, libnetdude and netdude. It should be prety quick to get it done.

Enjoy ;]

EmergingBro: HowTo

2008-07-13T22:59:00.005+08:00

First of all, make sure you have Bro installed on your machine, or you can download it at http://bro-ids.org. If you are using HeX, Bro is installed by default. Once installed, you may find the directory structure of Bro looks like this -

shell>ls -la

total 34
drwxr-xr-x 15 analyzt wheel 512 Jul 10 17:36 ./
drwxr-xr-x 3 root wheel 512 Jul 10 07:51 ../
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 archive/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 bin/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:39 etc/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 include/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 lib/
drwxr-xr-x 3 analyzt wheel 1024 Jul 10 18:01 logs/
drwxr-xr-x 3 analyzt wheel 512 Jul 10 17:36 perl/
drwxr-xr-x 3 analyzt wheel 5120 Jul 10 17:59 policy/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 reports/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:36 scripts/
drwxr-xr-x 4 analyzt wheel 512 Jul 10 07:51 share/
drwxr-xr-x 2 analyzt wheel 512 Jul 11 22:50 site/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 var/

Please take note on few important directories -

policy directory contains all the policy and analysis scripts with the file extension .bro.

site directory contains site policy files which you can define or configure for specific site.

logs directory contains all the log files that are generated by bro.

etc directory contains bro configuration files, for start up and bro environment variable settings.

Obtain the latest signatures from Emerging Bro -

shell>cvs -d:pserver:anonymous@cvs.emergingthreats.net:/cvsroot/bro co emerging-bro

shell>cd emerging-bro

shell>ls -l

total 14
drwxr-xr-x 7 analyzt wheel 512 Jul 10 07:58 ./
drwxr-xr-x 4 analyzt wheel 512 Jul 10 07:55 ../
drwxr-xr-x 2 analyzt wheel 512 Jul 10 11:23 CVS/
drwxr-xr-x 3 analyzt wheel 512 Jul 10 07:58 CVSROOT/
drwxr-xr-x 3 analyzt wheel 1024 Jul 10 18:24 rules/
drwxr-xr-x 4 analyzt wheel 512 Jul 10 18:28 scripts/
drwxr-xr-x 17 analyzt wheel 512 Jul 10 11:23 sigs/

sigs directory contains all the individual signature in different category

rules directory contains main signature file for each category. For example emerging-bro-malware.sig contains all the signatures for MALWARE category.

scripts directory contains all the policy and analysis scripts that are contributed by the community members.

To perform quick test, you can use invoke the signature file using command line option -

Set Bro environment variables -

shell>. bro.cfg

Execute Bro -

shell>bro -s emerging-bro-all.sig -r whatever.pcap `hostname`

If you plan to run it in long term, it's best to edit the file generated during make install-brolite. The file name starts with your hostname, for example it is raWPacket.bro in HeX liveCD since my hostname is raWPacket. Just edit the following section in the file -

-----------------------------------------------------------------------
# To run signatures, uncomment the following line.
# @load brolite-sigs

@ifdef ( use_signatures )
# Load Bro signatures. This is the default file containing Bro
# signatures.
redef signature_files += "signatures";
@endif
-----------------------------------------------------------------------

To this -

@load brolite-sigs

redef signature_files += "emerging-bro-all.sig"

Please do note that other policy scripts must be loaded in order to have signatures invoked properly especially brolite.bro.

Enjoy ;]

DefCraft: Official Launching

2008-07-09T09:10:00.000+08:00

After long consideration, I decide to start a company that focuses on security research, development and consultancy. The company name is straightforward - Defensive Craft (DefCraft).

The company offers a wide range of consulting services for specific domains, here's the list -

Network and Web Application Security Assessment
Network Security Architecture Planning & Deployment
Network Security Monitoring Implementation
Network Security Architecture Auditing
Network Device Testing & Evaluation
Network Based Forensics
Network Profiling Operation
Incident Response & Handling
Digital Security Training

If you have any inquiry, please feel free to contact me.

Contact Number: 016 415 9873
Contact Email: defcraft at gmail dot com

For more information, you can check out at -

http://www.defcraft.net

The company has its own blog too which we will blog about what we do behind the lab -

http://blog.defcraft.net

On the other hand, I will still contribute my free time to various open source projects that I'm working on since this is part of company principle I'm emphasizing.

Emerging Bro

2008-07-05T07:59:00.003+08:00

I'm sured not many have heard of Bro comparing to Snort in NIDS arsenal, while both are actually applying different approach in intrusion detection, they are the Open Source NIDS I like to use to complement each others in different setup and deployment.

I'm now working closely with Matt Jonkman from EmergingThreats(ET) to start the new project calls Emerging-Bro, basically the project is about converting set of latest signatures from Snort to Bro so that Bro operators can take advantage of it. You can find more information from the announcement here -

http://www.emergingthreats.net/content/view/80/1/

If you are Bro operators, you might have question of why I'm doing this as Bro is more focused on policy and analysis script development to detect network event(be it normal or abnormal) instead of relying on signatures matching in byte stream. There are reasons why I'm doing this and I'm going to explain here -

Edge
Emerging-Bro will only focus on latest or critical signatures from ET, therefore the project is basically more concerning about latest/critical attacks because most networks are more vulnerable to newly discovered attacks than the old one, therefore detecting and preventing them at network boundary is much important. Currently there are about 100 latest signatures converted from ET to Emerging-Bro, and if you think certain Snort signature should be included, please do let me know.

Leverage
The signature set that is developed by EmergingThreats usually give little time window for attacker and reduce the outbreak period significantly, hence you can pretty quick in detecting initial stage of new attacks. Bro operators can take advantage of this if they can monitor the new attack in time and quickly develope more complete detection scheme with Bro policy scripts.

Requests
Yes, according to Matt, there are requests about it, on and off there are people in Bro mailing list asking about the availability of Bro signatures, so why not doing it to help the community?

I think these gives enough reasons for me to work on the project. But providing latest signatures is not the end of Emerging-Bro, I greatly appreciate the help from Seth Hall to step up and discuss with me about the direction of the project and we both agree that it should be the platform for people to share or contribute their policy/analysis scripts as well. Currently he has his own development repository here and I will import them to Emerging-Bro.

For the moment, you can access and download all the signatures at -

http://www.emergingthreats.net/bro/

Enough for now, and this project is also part of the reason why I'm not much blogging last two weeks as I have paid my free time to it. I would like to thank Matt and Seth for the collaboration works, and also Bro developers for their endorsement!

Cheers (;])

Davix: Review

2008-07-02T11:15:00.001+08:00

From Davix's main site -

DAVIX, a live CD for data analysis and visualization, brings the most important free tools for data processing and visualization to your desk. There's no hassle with installing an operating system or struggle to build the necessary tools to get started with visualization. You can completely dedicate your time to data analysis.

The clause above is definitely right above Davix liveCD!!!!!

When people ask me which liveCD I use frequently, I always advocate these 3 -

1. HeX liveCD (Network Based Forensics)
2. BackTrack liveCD (Penetration Testing)
3. Helix liveCD (Digital Forensics)

I have mentioned many times that I prefer liveCD which focuses on specific domain very well, and Davix is really one of those. Undoubtedly I would love to include Davix to my CD folder.

Before I start anything serious, lets view the screenshot after startup from the liveCD -

It's based on SLAX, and I guess most of people know how good SLAX is after trying out BackTrack, DAVIX takes advantage of SLAX modularity, stability and hardware supports, I have tested it with my own hardwares and it works pretty well.

If you are familiar with linux desktop solution, you will definitely recognize that it is using KDE from the screenshot. Though I'm not fan of KDE, but KDE is always simple and easy to use for general users. Many of system configuration can be done via gui so it saves a lot of hassle figuring how to get the system working for you.

On top of that, DAVIX offers very informative resources for users to have great kickstart in learning data capturing, processing and visualization by providing a set of firefox bookmark toolbars, you can easily access all the information requires to study the topic, this can reduce time in studying certain tools and learning visualization techniques, and it also saves you from googling hassle. I like the idea of toolbars organization in firefox.

On the other hand, DAVIX also comes with its own manual which is about 108 pages, you can access it via KDE menu -> DAVIX -> DAVIX Manual. If you are serious about learning data visualization with DAVIX, I suggest you to start with its manual instead of playing around with the desktop without knowing what to do. It contains the basic guide of how to use all the tools that are delivered in DAVIX, the best part is you can follow the manual and learn it practically with all the tools available in DAVIX.

There are 3 main categories listed in Kde menu, they are Capture, Process, and Visualize. The Capture contains tools for you to perform data logging, especially network data. The Process contains tools to perform data processing so that the output of data processed can be parsed by visualization tools. The Visualize mainly contains all the tools for you to visualize the data set by generating different kind of images, diagrams or graphs. As I have mentioned you can just learn all the tools shipped by DAVIX with the comprehensive manual itself.

So what are the tools shipped with DAVIX, there are way too many that I can cover here, however here are my favourites -

1. Rumint
2. Tnv
3. Afterglow
4. Inetvis
5. Etherape
6. Gnuplot
7. Rrdtools
8. Mrtg
9. Wireshark

This is more to preference thingy as I have used those tools previously and familiar with them, I will need to explore the potential of other tools which I never use before. If you want to learn how those tools work, you can actually refer to the DAVIX manual, and then refer to the data set example which you can properly find in /usr/local/share/*, different tools may support different kind of data formats so that may require some learning curves. But the real question lies in what kind of visualization techniques should be applied to the data set you have so that it makes most sense.

After talking about all the good things, I still think there are few things worth improved.

1. Log sample
As this is the liveCD for data analysis and visualization, except that it has the example data set in /usr/local/share/*, it should provide a set of sample logs(apache, postfix, exim, proftpd and etc). Then demonstrating how to format them to feed those visualization tools will be great.

2. Fat taskbar
You may notice in the screenshot that the taskbar is quite big(double taskbar), this is nothing wrong, but if I have to offer a liveCD for visualization purpose, I would prefer to have everything slicker to give bigger space to display the images that I have generated from the data.

3. Unified keyboard shortcut
This is just my idea, when I work with images, I always like to zoom in and out. Zooming in allows you to focus on detail, zooming out on the other hand can improve macro view to understand the ratio or distribution of data. I do know different tools have always defined different keyboard shortcut layout. If zoom(in/out) uses same set of shortcut key settings across all the tools in DAVIX, that would be really great. I'm glad DAVIX offers gqview as the main application to display images as that's my favorite one with its ease of use interface.

4. Installer
Currently it comes with BackTrack Installer which is quite experimental, it needs some works to get it installed, I have tested the installer and it works fine(if you know what you are doing), I'm looking forward for easy installer in future.

By the way, one might ask why should I use DAVIX, simple enough. Take the old cliche "A Picture Is Worth A Thousand Words". Using correct visualization techniques to process your thousand lines log files, to be honest you can do more with less, it saves your times and brain power to focus on something more important.

Guess I should end my review about DAVIX here, in case you are interested to try out DAVIX -

DAVIX is also part of Raffael's upcoming book Applied Security Visualization which will be published by Addision Wesley.

Currently, DAVIX is only available to beta testers. To participate in testing, please contact jan.monsch at iplosion.com

Thanks to DAVIX development team for allowing me to participate in beta testing, later is better than never. I do know developing a liveCD require hard works if you want to build a solid one, kudos!

Update Note:
DAVIX developer Jan. P. Monsch has informed me that he has actually making the taskbar more slicker now in new version of Davix, thanks for taking positively on my input.

Enjoy (;])

Snort 3.0 Beta

2008-07-01T11:37:00.002+08:00

If you are interested to check out what's offered by latest Snort, now you have it. Kudos to snort development team!!!!!

http://www.snort.org/dl/snortsp/

I haven't tried that out personally yet, but you should!

Enjoy ;]

Earthquake? or Storm .....

2008-06-24T00:27:00.003+08:00

The terrible disaster .....

The beijing.exe is actually the storm variant, I thought they are making use of festivals only, it seems they don't even let any single chance going with the use of disaster(popularity counts), that's going too far from humanity.

If you run it, it's really disaster!

Peace :[

For Real?

2008-06-22T21:09:00.003+08:00

It's year 2008 now, but .....

ZzZzzzz .....

Peace ;]

Good Read on Bro's Signature Engine

2008-06-20T10:57:00.004+08:00

The ICIR blog is always informative, and I'm quite please with the latest post about Bro's Signature Engine.

I just learned few things that I don't know from the post, and it appears that Bro uses flex's regular expression syntax. It is important to understand which condition to use when writing the signature .

Otherwise, take the good read on Things To Keep In Mind When Writing Signatures, that section is particularly useful if you are interested to write Bro sigs.

Peace ;]

Forensics Tools

2008-06-18T19:47:00.006+08:00

I have to do some forensics work, and the tools below are very handy -

http://www.afflib.org/

http://www.pyflag.net/cgi-bin/moin.cgi

http://ftimes.sourceforge.net/FTimes/

http://p2pmarshal.atc-nycorp.com/

Cheers ;]

M$: Server Hardening & Auditing

2008-06-18T11:15:00.002+08:00

Don't laugh, sometimes you have to deal with this whether you like it or not.

I'm looking for tools to perform M$ Windows Server Hardening & Auditing, I know Microsoft Baseline Security Analyzer and IIS Lockdown but are there other tools you use to assist you in Hardening & Auditing operation such as hardening regedit keys, auditing Active Directory and so forth.

If your job is managing M$ Server Farm, how do you perform your task to make sure all servers have same set of configuration and policy, and they are all monitored properly?

I would like to hear from you, and recommend me good tools and methods of doing these. There's no real secure OS, there's only capable or bullshit sysadmin!

Wake up sysadmin, system security is part of your job .....

Enjoy ;]

HeX 021: Learning PCRE and its performance

2008-06-17T16:07:00.001+08:00

PCRE stands for Perl Compatible Regular Expressions, it is mainly used for pattern matching. If you want to learn more about PCRE, take a good read of its manual -

shell>man pcre

shell>man pcrematching

shell>man pcrepartial

shell>man pcrepattern

shell>man pcreperform

So why do you need to learn regular expressions(regex), here's the answer -

http://geek00l.blogspot.com/2006/12/regex-magic-for-netsexcanalyst.html

Next look at the tool that comes with pcre - pcretest, as the name implies, you can use pcretest to test your regex. Lets go -

shell>pcre --help
Usage: pcretest [options] [input file [output file]]

Input and output default to stdin and stdout.
This version of pcretest is not linked with readline().

Options:
-b show compiled code (bytecode)
-C show PCRE compile-time options and exit
-d debug: show compiled code and information (-b and -i)
-dfa force DFA matching for all subjects
-help show usage information
-i show information about compiled patterns
-m output memory used information
-o set size of offsets vector to
-p use POSIX interface
-q quiet: do not output PCRE version number at start
-S set stack size to megabytes
-s output store (memory) used information
-t time compilation and execution
-t time compilation and execution, repeating times
-tm time execution (matching) only
-tm time execution (matching) only, repeating times

If you have already read the man pages above, you should be able to understand some of the options, I normally use the option -C to check the compiles-time option first -

shell>pcretest -C
PCRE version 7.7 2008-05-07
Compiled with
UTF-8 support
Unicode properties support
Newline sequence is LF
\R matches all Unicode newlines
Internal link size = 2
POSIX malloc threshold = 10
Default match limit = 10000000
Default recursion depth limit = 10000000
Match recursion uses stack

Other option I usually use is -t to test on the time compilation and execution of particular regex I write.

shell>pcretest -t
PCRE version 7.7 2008-05-07

re>

So you may see the prompt goes to interactive mode - re>, it is for you to define your regex, bear in mind that your regex must use forward slash as delimeter, for example -

re>/[a-z0-9]+/

This means your regex is [a-z0-9]+, once you enter you will see this -

Compile time 0.0028 milliseconds
data>

You may notice the compile time for this regex is 0.0028 milliseconds, now you try to put any data to see if they match the regex,

data>ABC

Once you hit the enter, you will see this -

Execute time 0.0008 milliseconds
No match

The execution time is 0.0008 milliseconds and there's no match, lets change the data -

data> abc
Execute time 0.0004 milliseconds
0: abc

We can now see the execution time is 0.0004 milliseconds and the data seems to match the regex.

You can also figure out multiple regex compile time on the fly by defining them in a file instead of using interactive mode. For example I write the lines below to a file - pcre-testing.txt

/\d{,10000}/

/([a-z0-9]+)?/i

Do remember that if you want to test multi regex at once, you have to split them with a blank line, you can't do like this and it will incur errors -

/\d{,10000}/
/([a-z0-9]+)?/i

Now we can run this -

shell>pcretest -t pcre-testing
PCRE version 7.7 2008-05-07

/\d{,10000}/
Compile time 0.0032 milliseconds

/([a-z0-9]+)?/i
Compile time 0.0054 milliseconds

There are other options that you may want to try out, but I think I have given you enough guide to carry on, you may be interested in reading some of my related posts here -

http://geek00l.blogspot.com/2007/11/regex-learning-tool-kregexpeditor.html

http://geek00l.blogspot.com/2007/07/visualregexp-nice-regex-learning-tool.html

I advocate pcretest because it comes with pcre and available in HeX, and you can evaluate the performance of the regex quickly.

Enjoy (;])

HeX 2.0: Sneak Peak

2008-06-11T10:55:00.001+08:00

We bring you the HeX 2.0 quick preview(it's really just view)!!!!!

FreeBSD 7.0-STABLE, is it real?

Sguil Client 0.7 is here!

Where's the monkey, morphing into lobster?

Stop snorting, oink oink!!!!!

Don't you think it is sexy when shark is on the wire?

Ask for more? Be patient!!!!!

Cheers (;])

MSN IM -> Blogspot -> Pr0ning

2008-06-09T09:25:00.012+08:00

I came across this seductive message, and it contains the link that I can't resist to click since it is asked by horny ladies, the link must be legitimate -

http://cux7850mdmk.blogspot.com

Once you click on it, that blog will bring you to another site which is -

http://66.111.45.170/cams/1/

You can see below what is loaded when you go to the blog that is setup with malicious purpose -

The cut-down zoom in version -

META http-equiv="refresh" content="0;URL=http://66.111.45.170/cams/1/"

I manually check http://66.111.45.170/cams, and you might enjoy the screenshot -

Lets see what is in http://66.111.45.170/cams/1/, the content location is actually at -

http://66.111.45.170/cams/1/index.htm

And the index.htm contains -

meta http-equiv="refresh" content="0; URL=http://www.xxxblackbook.com/?s=register&r=lc129795"

Now you should be happy to land at this page, and lets register as a member.

It's rather easy to get someone to click on "look legitimate" link than from the email spam these days. We see the use of meta http-equiv="refresh", and you can find the information about it here -

http://www.html-reference.com/META_httpequiv_refresh.htm

During discussion at freenode #rawpacket, my friend scholar pointed me out related information here -

http://spamtrackers.eu/wiki/index.php?title=Blogspot

Enjoy ;]

Network Flow: Uni-Directional VS Bi-Directional

2008-06-01T21:24:00.000+08:00

If you are working on network flow research, you should have heard about Uni-Directional and Bi-Directional Network Flow. I will try to explain what are they here. Lets take the quick look of what network flow is first -

Network Flow is the sequence of packets or a packet that belonged to certain network session(conversation) between two end points but delimited by the setting of flow generation tool. To cut it short, it provides network traffic summarization by metering or accounting certain attributes in the network session.

The endpoints here are defined as below -

Layer 2 Endpoint - Source Mac Address | Destination Mac Address
Layer 3 Endpoint - Source IP Address | Destination IP Address
Layer 4 Endpoint - Source Port | Destination Port

Before we dive into understanding of UniFlow and BiFlow, lets look at the definition of Uni and Bi here -

http://www.yourdictionary.com/uni-prefix

http://www.yourdictionary.com/bi-prefix

Uni - one; having or consisting of one only; regarded as a single entity

Bi - using two or both; joining two, combining or involving two

In the context of Uni/Bi Directional Flow, Uni means single, Bi means both. Now, let make it more clearer.

Uni-Directional = Single Directional

Bi-Direction = Both Directional

I put up the illustration in the diagram below.

Uni-Directional Flow

Bi-Directional Flow

Now I will make a simple example, host A sends 90 bytes to host B and host B replies with 120 bytes. Here's the output -

Uni-Directional Network Flow
Srcaddr Direction Dstaddr Total Bytes
Host A -> Host B 90
Host B -> Host A 120

Bi-Directional Network Flow
Srcaddr Direction Dstaddr Total Bytes Src Bytes Dst Bytes
Host A <-> Host B 210 90 120

The Srcaddr and Dstaddr are the endpoints here. In Uni-Directional Flow, you only see the total bytes that sent by Host A(attribute of Host A) but nothing about Host B in the first flow record. Then the next record shows Host B sends 120 bytes to Host A(attribute of Host B). The total bytes is accounted from single endpoint(either Host A or B) only. But in BiFlow, you can see that Host A sends 90 bytes(Source Bytes) and Host B replies with 120 bytes(Destination Bytes). The total bytes is the accumulation of source and destination bytes. To summarize them -

Uni-Directional Network Flow Model - One direction at a time, every flow record contains the attribute of single endpoint only.

Bi-Directional Network Flow Model - Both direction at a time, every flow record contains the attribute of both endpoints.

Theory is tough sometime, here's the practical sample -

Cisco NetFlow uses Uni-Directional model for flow generation

Argus uses Bi-Directional model for flow generation

To draw good picture of Uni-Directional and Bi-Directional Network Flow, it's best to do comparison of them.

1. Network Flow data which is generated by Argus 3 natively
2. Network Flow data which is generated by Cisco NetFlow version 5

The flow records below are generated from the same network session. You can examine closely by clicking on them.

Cisco NetFlow(UniFlow):

Argus(BiFlow):

Flow record property:
SrcAddr = Source Address
Sport = Source Port
Dir = Direction
DstAddr = Destination Address
Dport = Destination Port
SrcPkts = Source Packets
DstPkets = Destination Packets
TotPkts = Total Packets
SrcBytes = Source Bytes
DstBytes = Destination Bytes
TotBytes = Total Bytes

Sometimes I like to think that UniFlow is stateless and BiFlow is stateful.

I will continue writing this Network Flow series, and I hope you enjoy it. Stay tuned for the next one - Traffic Matrix. And of course the HeX 021 series too.

Argus 3 Tip:
You can convert Argus BiFlow to UniFlow by using -M rmon option.

Peace (;])

Network Flow: TopN

2008-05-30T13:21:00.005+08:00

There are a lot of questions popping up on and off in argus mailing list regarding how to generate TopN output from argus data, but frequently you may find the questions are too rough to give complete answer.

I'm going to discuss about TopN this time, TopN is the technique that widely used in many industries, what is it for?

TopN is used to retrieve the first N records from the data based on certain object and ordered by its property. Since I'm talking about Network Flow, I would like to make the example using it.

Data: Network Flow Record
Object: Protocol, Network, IP(host), Port, etc
Object Property: Packet Count, Byte Count, etc

Bear in mind that I'm avoiding the use of Flow terminology but layman one so that this example can be understood easily.

If you want to use TopN technique to generate information from the network flow data, first you need to know what you are looking for. Lets go with a simple one -

I want to find out Top 5 IP ordered by Total Packet Count

Total Packet Per IP(host) = (packet send + packet receive) Per IP(host)

Now you run the argus client command to parse the data and generate exactly the result which looks like this -

shell>racluster -M rmon -m saddr -nr testing.arg3 -w - | \
rasort -m pkts -w - | \
ra -L0 -N 5 -s saddr pkts

SrcAddr TotPkts
172.16.1.108 993
193.231.236.41 824
211.185.125.124 178
172.16.1.103 56
211.180.229.190 36

The command above is to generate Top 5 IP ordered by Packet Count. Don't ask me about the command line, it looks complicated for now but that's not my point here, look at the output instead. Host 172.16.1.108 sends or receives 993 pakcets, followed by 193.231.236.41 and so forth.

Now if you want to locate Top 5 IP ordered by Byte Count. You can just run -

shell>racluster -M rmon -m saddr -nr testing.arg3 -w - | \
rasort -m bytes -w - | \
ra -L0 -N 5 -s saddr bytes

SrcAddr TotBytes
172.16.1.108 599949
193.231.236.41 579050
211.185.125.124 18901
172.16.1.103 4964
216.168.224.69 3458

You want to use TopN, you should draft out the TopN output you are looking for, I have seen questions like this -

1. Which is the most active network?
2. Who is the most active sender?
3. Who is the most active receiver(got ddos?)

Or worse,

How can I find out the top talkers?

These kind of questions are too loose, you should at least specify the property, such as most active sender that is ordered by packet count, or most active network that is ordered by byte count and so forth. You have to bear in mind that packet and byte are not going inline, you can have one host sending many small size packets which won't hit TopN byte count at all.

With this kind of idea in mind, you can build the list of TopN which can draw you a good picture of network activeness to solve different issues.

For the next round, I will introduce Traffic Matrix, stay tuned!

Enjoy (;])

Laptop: Alternatives For Security Road Warrior

2008-05-29T12:40:00.004+08:00

Which laptop model are you using? This is my question today. I have been looking for laptop of choice for myself, as a security road warrior, I prefer it to be -

1. Lightweight(small/medium size and compact)

2. Black and solid look

3. Miminum 150G of Disk and 4G of Rams

4. Great keyboard touch build(old thinkpad?)

5. 12-14inch display

6. Good battery life

7. FreeBSD/Linux Compatible or I will use VMware/VirtualBox

Currently there are 3 laptop models I have in my mind -

1. Macbook Black

2. Thinkpad T61

3. Dell Xps m1330

What do you think and what's your favorite laptop if you work in security industry, and you need to travel frequently? I'm looking forward for any good suggestion and sharing. Thanks!

Peace ;]

HeX 021 Series

2008-05-28T11:02:00.007+08:00

I will start this HeX Zero To One(021) Series in my blog while HeX 2.0 is in active development, and all of them will be imported to HeX Handbook. In future you will see my post with the title prefix of HeX 021: belongs to the series.

Enjoy ;]

HeX: From Zero To One

2008-05-28T08:56:00.011+08:00

These days, I have encountered questions like this,

1. How can I be an efficient network security analyst?

2. Is there a quick path or short cut to be one?

3. I'm just system administrator/programmer and don't know crap about security, I'm interested in it but don't know where to start?

4. There are so many resources in the internet, what's the specific knowledge required to be network security analyst so that I can be more focusing on particular subjects?

If you are a student, or just starting to work as network security analyst, I hope this post will shade some lights for you -

I would like to point out 3 posts that I have written -

http://geek00l.blogspot.com/2008/05/hex-handbook.html

http://geek00l.blogspot.com/2007/07/hex-livecd-analogy.html

http://geek00l.blogspot.com/2007/03/netsecanalyst-handbook.html

The HeX System that we are developing is the key to answer almost all your questions, but you might not be able to know where to look at if I throw you HeX liveCD without giving you hints or tips. The HeX Handbook which is derived from my own Network Security Analyst Handbook is actually designed to lead you to the right path.

If you read my post about HeX liveCD analogy, I mentioned this -

The HeX liveCD can only make up to this part(see below) -

Obtain Network Based Data -> Utilizing NSM Based Tools -> Generate Output

The rest depends on how analyst able to perform it -

Output Interpretation -> Output Analysis -> Output Summarization -> Report

Clearly enough, the HeX itself can't do everything for you, you have to help yourself starting from Output Interpretation process.

If you apply the reverse thinking, what are the obstacle you have encountered during Output Interpretation? You have used the tools to generate the output for you, for example - snort, bro-ids or even simple tcpdump. Apparently if you find yourself can't understand those output, you can't interpret them correctly. Now the important question is "Why can't you understand those output?" There are few answers to it -

1. You may not have enough network protocol knowledge.

2. You may not familiar with the tools because different tools tend to generate the output in different ways or results.

3. You may not update yourself with current security trends(follow bug traq, cve and so forth)

4. You are being lazy

Now I flash back again to my Network Security Analyst Handbook post, I have put the book into four sections -

Sec 1 - Net Sec Analyst: The RoadMap
Sec 2 - Net Sec Analyst: The Workflows
Sec 3 - Net Sec Analyst: The Tools
Sec 4 - Net Sec Analyst: The Case Study

For the Section 1 and Section 2, I have elaborated them as -

Network Security Analyst: The RoadMap
What are good foundations and technical knowledge that should be acquired to become good network security analyst? I hope The RoadMap can answer question like that, until now I haven 't seen any books discussing about this topic yet.

Network Security Analyst: The WorkFlows
What are the methodologies and mechanisms that are used by network security analyst to handle their tasks? The routine daily tasks, the automated and manual process of performing analysis, situation handling and so forth.
This is more of how to think or work like a network security analyst. I will try to standardize the common work flows but you are free to extend it to your own way.

If you have gone through Section 1 and 2, you should be able to do this -

Output Interpretation -> Output Analysis -> Output Summarization -> Report

Unfortunately we don't offer these in HeX version 1.x, but this is going to change, we are currently working on integrating things that are discussed in Section 1 and 2 into HeX version 2.x which will be released sometime around June. As Section 3 is already integrated into HeX, you should be able to complete Section 1-3 with HeX, all you need is discipline!

This is not a myth, the HeX Handbook will guide you to complete Section 1-3 using HeX System itself, you don't need more.

For the Section 4, I already have other plan and maybe you can see them in HeX 3.x, who knows.

If you want to learn to be a competent network security analyst, you can start with HeX. It will take you from 0 to 1.

Now I start to think that University should offer this kind of course for students, as far as I know country like Philippine has their Universities offering malware analysis course and therefore you can see a lot of them working in AntiVirus Industry, if our country want to produce competent network security analyst, they should offer security related courses in University. Not wait until they are out of school and busy with works.

Enjoy ;]

Training: Practical Network Flow Analysis

2008-05-26T23:02:00.003+08:00

This time, me and spoonfork will bring you our new and upcoming training which is -

Understanding Network Conversations:
Practical Network Flow Analysis

Here's the description of our training -

Network Flow data represents a summary of conversation between two end points. It provides valuable information to assist investigation and analysis of network and security issues. Unlike deep packet inspection, flow data does not rely on packet payloads. Instead the analyst relies on information gathered from packet headers and its associated metrics. This provides the analyst a neutral view of network traffic flow by tracking network sessions between multiple endpoints simultaneously. In addition, having network flow data will provide a better visibility of network events without having the need to perform payload analysis.

With the implementation and deployment of Network Flow technologies, an analyst can discover different types and classes of network activities, be it normal or abnormal. In this training we will show you how to interpret Network Flow data and perform practical Network Flow Analysis.

While high level theory explanations are extremely useful, hands-on exercises are even better. Each chapter is accompanied by practical hands-on exercises such as exporting network flow data from Unix and Cisco-based routers, performing simple operations such as IP accounting, network baselining, and identifying different kinds of network anomalies and attacks.

Who should attend?

Network Security Analyst
Network Administrator
ISP Network Architect
System Administrator

Bonus

+ First 10 registrants get free seat for HITB Conference Kuala Lumpur in October 2008

+ Human Resources Development Fund(HRDF) Claimable

For more information, check it out at -

http://training.hitb.org/flowanalysis/

Cheers (;])