
Thursday, October 30, 2008

HeX In The Box

We have released a HeX special edition for the HITB Security Conference, themed HeX In The Box. If you are an HITB Conference participant, you may or may not get one of the CDs we distribute on the first day of the conference, as we only have about 120 of them, so supply is really limited.

This special edition comes with a new wallpaper and CD sticker as well. Thanks to Vickson for the comic-style design this time!

HeXInTheBox CD Sticker

HeXInTheBox Wallpaper

HeX has also passed 10,000 downloads since the release of version 2.0!

Cheers (;])

Friday, October 10, 2008

Expanding Response: Deeper Analysis

My friend Russ McRee has just published a paper called Expanding Response: Deeper Analysis for Incident Handlers with SANS for his GCIH Gold certification. It includes details on Argus, HeX, NSM-console and NetworkMiner, using content from the original ISSA articles as well as current updates.

You can find his paper here -

http://www.sans.org/reading_room/whitepapers/incident/32904.php

Nice work Russ!

Cheers ;]

Monday, October 06, 2008

HeX 2.0 Release - The Bonobo

Today is a big day for us: HeX 2.0 Release - The Bonobo is finally unleashed.

After many months of struggling through both the testing and development phases, a lot of new features have been added in this release. To sum up, we have -

1. FreeBSD 7 Stable
2. Unionfs
3. NSM Console updates
4. Tons of analysis aliases and scripts
5. Tons of signatures for the NSM tools
6. Firefox - bookmarks of useful websites
7. Liferea - security RSS feeds

For more information, you can check out its own site which is located at -

http://www.rawpacket.org/projects/hex/hex-livecd/version-20-release

I would like to thank the HeX team members for all the hard work and continuous effort. You guys just rock!!!!!

Enjoy (;])

Thursday, October 02, 2008

HeX 2.0 R: Preview

Here we reveal the latest HeX 2.0 Release; it will be out very soon. Stay tuned!

The joy for packet monkeys (;])

Saturday, September 27, 2008

HeX 2.0 Release is NEAR

We are going to unleash HeX 2.0 Release; if no major issue is found again, it should be out next week.

Stay tuned ;]

Tuesday, August 26, 2008

HeX 021: Decode base64

There is a lot of malicious content that is base64-encoded to obscure what it really is.

This is just a quick one, as a friend asked me how to decode base64 encoding. One-liner with Python -

shell>python -c "import binascii; print(binascii.a2b_base64('encoded strings here'))"


Or you can use NSM Console if you are running HeX -

nsm>decode base64 'encoded strings here'

Enjoy ;]

Tuesday, August 19, 2008

HeX 021: Resolving Ihack 2008 password.pcap

My friend ayoi has posted Ihack 2008: Defense Challenge here; I don't really have time to look into the whole game. However, I gave password.pcap a shot to figure out the passphrase.

I decided to use the HeX liveCD for this quick challenge, since chfl4gs_ presented it at IHack. Initial look at the traffic -

shell>tcpdump -ttttnnr password.pcap
reading from file /home/analyzt/rp-Analysis/password.pcap, link-type EN10MB (Ethernet)
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:1879048192(0) win 512
2008-08-14 12:21:11.469524 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 1879048193 win 0
2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:872415232(0) win 512
2008-08-14 12:21:12.212549 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 3288334337 win 0
2008-08-14 12:21:12.959563 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 603979776:603979776(0) win 512
2008-08-14 12:21:12.959710 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 3019898881 win 0
2008-08-14 12:21:13.656942 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 889192448:889192448(0) win 512

Output truncated .....

An initial view of the network traffic tells you that it contains no data transfer and is heavily crafted (look at the ports). It also hints that the passphrase should reside in the packet headers. Therefore I start digging into the headers by printing them in hex and ASCII dump output.

shell>tcpdump -XXttttnnr password.pcap
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:
1879048192(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 5c00 0000 4006 bc3d 0a0a 037e 0a0a .(\...@..=...~..
0x0020: 4b01 0539 7a69 7000 0000 0000 0000 5002 K..9zip.......P.
0x0030: 0200 5bad 0000 ..[...

2008-08-14 12:21:11.469524 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack
1879048193 win 0
0x0000: 000c 2945 914a 000c 294b dcf1 0800 4500 ..)E.J..)K....E.
0x0010: 0028 0000 4000 4006 d83d 0a0a 4b01 0a0a .(..@.@..=..K...
0x0020: 037e 7a69 0539 0000 0000 7000 0001 5014 .~zi.9....p...P.
0x0030: 0000 5d9a 0000 ..]...

2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:8
72415232(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 2000 0000 4006 f83d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3400 0000 0000 0000 5002 K..9zi4.......P.
0x0030: 0200 97ad 0000 ......

2008-08-14 12:21:12.212549 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack
3288334337 win 0
0x0000: 000c 2945 914a 000c 294b dcf1 0800 4500 ..)E.J..)K....E.
0x0010: 0028 0000 4000 4006 d83d 0a0a 4b01 0a0a .(..@.@..=..K...
0x0020: 037e 7a69 0539 0000 0000 3400 0001 5014 .~zi.9....4...P.
0x0030: 0000 999a 0000 ......


Output truncated .....

When it comes to examining packet headers, it's best to look for patterns; realizing that some fields are usually static helps you identify the differences. If we look at the 4 packets above, you may spot -

10.10.3.126 -> 10.10.75.1 - TCP sequence number
10.10.75.1 -> 10.10.3.126 - TCP acknowledgement number (TCP sequence number + 1)

So to get the answer, you can just print the connection from one side (from 10.10.3.126 to 10.10.75.1) -

shell>tcpdump -XXttttnnr password.pcap ip src 10.10.3.126
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:
1879048192(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 5c00 0000 4006 bc3d 0a0a 037e 0a0a .(\...@..=...~..
0x0020: 4b01 0539 7a69 7000 0000 0000 0000 5002 K..9zip.......P.
0x0030: 0200 5bad 0000 ..[...

2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:8
72415232(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 2000 0000 4006 f83d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3400 0000 0000 0000 5002 K..9zi4.......P.
0x0030: 0200 97ad 0000 ......

2008-08-14 12:21:12.959563 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 603979776:6
03979776(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 6200 0000 4006 b63d 0a0a 037e 0a0a .(b...@..=...~..
0x0020: 4b01 0539 7a69 2400 0000 0000 0000 5002 K..9zi$.......P.
0x0030: 0200 a7ad 0000 ......

2008-08-14 12:21:13.656942 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 889192448:8
89192448(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 8d00 0000 4006 8b3d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3500 0000 0000 0000 5002 K..9zi5.......P.
0x0030: 0200 96ad 0000 ......


Output truncated .....

If you want to see the other side of the traffic, just tune the BPF filter to ip src 10.10.75.1; for that, however, you will need to look at the acknowledgement number. You should have the answer now.

Anyway, when it comes to printing a certain field of the header, you can use tshark (part of Wireshark) and force it to print just that field, for example -

shell>tshark -Tfields -e 'tcp.seq' -nr password.pcap -o tcp.relative_sequence_numbers:FALSE -R 'ip.src == 10.10.3.126'
1879048192
872415232
603979776
889192448
1996488704
805306368
1912602624
1677721600
536870912
822083584
889192448
536870912
822083584
838860800
855638016
167772160

That's your answer in decimal; you can convert the numbers to hex and from hex to ASCII using Python quickies -

Decimal to Hex -
shell>python -c 'print hex()'

Hex to ASCII -
shell>python -c 'import binascii; print binascii.a2b_hex("")'

You should now have the passphrase to unrar Questions.rar -

shell>unrar e Questions.rar

Key in the passphrase and you will be able to retrieve all the files you need.
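As an added example that is not part of the original post, here is a Python 3 script that automates the decimal-to-hex-to-ASCII step: it reads the tcp.seq values from the tshark output above, scores how many of them carry nothing but a single byte in the top octet (the property that makes this traffic look crafted and is worth alerting on in your own monitoring), and decodes them. The sequence numbers are copied from the tshark output; the function names are my own.

```python
# tcp.seq values for 10.10.3.126 -> 10.10.75.1 as printed by the tshark
# command above, one SYN per character of the hidden message.
TSHARK_TCP_SEQ = """
1879048192
872415232
603979776
889192448
1996488704
805306368
1912602624
1677721600
536870912
822083584
889192448
536870912
822083584
838860800
855638016
167772160
"""

def parse_tshark_seq(text):
    """Turn `tshark -Tfields -e tcp.seq` output into a list of ints."""
    return [int(tok) for tok in text.split() if tok.isdigit()]

def isn_channel_ratio(seqs):
    """Fraction of ISNs whose low 24 bits are all zero. A real stack picks
    ISNs that look random across all 32 bits, so a ratio near 1.0 over a
    burst of SYNs is a strong sign the ISN field is a covert channel."""
    if not seqs:
        return 0.0
    return sum(1 for s in seqs if (s & 0x00FFFFFF) == 0) / len(seqs)

def decode_isn_bytes(seqs, from_acks=False):
    """Recover the byte carried in the top octet of each ISN (0x70000000 ->
    'p'). With from_acks=True the input is the RST side's acknowledgement
    numbers, which are ISN + 1 as the hex dumps above show."""
    if from_acks:
        seqs = [s - 1 for s in seqs]
    return bytes((s >> 24) & 0xFF for s in seqs)

def decode_tshark_output(text):
    """tshark text in, decoded message out (undecodable bytes become U+FFFD)."""
    return decode_isn_bytes(parse_tshark_seq(text)).decode("ascii", "replace")

if __name__ == "__main__":
    seqs = parse_tshark_seq(TSHARK_TCP_SEQ)
    print("ISN covert-channel ratio: %.2f" % isn_channel_ratio(seqs))
    print("Decoded: %r" % decode_tshark_output(TSHARK_TCP_SEQ))
```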

During the challenge event, I didn't see any participants use HeX for this purpose; most of them just used Wireshark to examine the traffic. In my opinion Wireshark is not the most effective choice in this scenario: it is great when you want to do per-packet examination or deal with network protocols you are not familiar with, but for this, I would say tcpdump and tshark are more effective tools for obtaining the clue.

Enjoy (;])

Wednesday, August 06, 2008

HeX 2.0 RC1 is now

After a long development period, we have finally reached the stage where we are brave enough to release version 2 of HeX, Release Candidate 1. This is the first public version of HeX 2.0, and we hope that by releasing it, people who are interested can help test this version. I won't be mentioning the new features we are adding to HeX 2 here, as I will put up all the information once we reach the 2.0 Release instead of the RC. For the moment, we need people to test all the applications we have added; a lot of them can be accessed via the Fluxbox menu, so please help with testing.

Currently there are a few known problems -

- Netdude is broken
- Autopsy is broken (sleuthkit issue)
- Gvim is broken (font not available)
- Flowtag is broken (looks for an older version of tk while the new one is installed)
- NSM Console (Snort module: wrong path defined in the Snort configuration file)
- Silktools (Flowcap and Rwflowpack)
- Ragraph is broken
- Zsh is missing

Most of these issues are already fixed in the development repository, so there is no need to report them if you run into the same problems in HeX 2.0 RC1. If you encounter any other issues, please do report them to us via the mailing list -

http://groups.google.com/group/HeX-liveCD

Anyway, here's the HeX 2.0 RC1 ISO -

http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso
http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso.md5
http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso.sha256

Alternatively, you can download it from the US mirror -

http://us.rawpacket.org/image/hex-i386-2.0-RC1-20080803.iso

Thanks to all the raWPacket members who have put effort into HeX 2.0 development; you guys are always rocking!

Enjoy (;])

Tuesday, June 17, 2008

HeX 021: Learning PCRE and its performance

PCRE stands for Perl Compatible Regular Expressions; it is mainly used for pattern matching. If you want to learn more about PCRE, have a good read of its manual pages -

shell>man pcre

shell>man pcrematching

shell>man pcrepartial

shell>man pcrepattern

shell>man pcreperform

So why do you need to learn regular expressions (regex)? Here's the answer -

http://geek00l.blogspot.com/2006/12/regex-magic-for-netsexcanalyst.html

Next, look at the tool that comes with PCRE - pcretest. As the name implies, you can use pcretest to test your regex. Let's go -

shell>pcretest --help
Usage: pcretest [options] [input file [output file]]

Input and output default to stdin and stdout.
This version of pcretest is not linked with readline().

Options:
  -b       show compiled code (bytecode)
  -C       show PCRE compile-time options and exit
  -d       debug: show compiled code and information (-b and -i)
  -dfa     force DFA matching for all subjects
  -help    show usage information
  -i       show information about compiled patterns
  -m       output memory used information
  -o <n>   set size of offsets vector to <n>
  -p       use POSIX interface
  -q       quiet: do not output PCRE version number at start
  -S <n>   set stack size to <n> megabytes
  -s       output store (memory) used information
  -t       time compilation and execution
  -t <n>   time compilation and execution, repeating <n> times
  -tm      time execution (matching) only
  -tm <n>  time execution (matching) only, repeating <n> times

If you have already read the man pages above, you should be able to understand some of the options. I normally use the -C option first, to check the compile-time options -

shell>pcretest -C
PCRE version 7.7 2008-05-07
Compiled with
UTF-8 support
Unicode properties support
Newline sequence is LF
\R matches all Unicode newlines
Internal link size = 2
POSIX malloc threshold = 10
Default match limit = 10000000
Default recursion depth limit = 10000000
Match recursion uses stack

Another option I usually use is -t, to measure the compilation and execution time of a particular regex I write.

shell>pcretest -t
PCRE version 7.7 2008-05-07

re>

You will see the prompt go into interactive mode - re> - where you define your regex. Bear in mind that your regex must use forward slashes as delimiters, for example -

re>/[a-z0-9]+/

This means your regex is [a-z0-9]+; once you press enter you will see this -

Compile time 0.0028 milliseconds
data>

You may notice the compile time for this regex is 0.0028 milliseconds. Now try entering some data to see if it matches the regex,

data>ABC

Once you hit enter, you will see this -

Execute time 0.0008 milliseconds
No match

The execution time is 0.0008 milliseconds and there's no match; let's change the data -

data> abc
Execute time 0.0004 milliseconds
0: abc

We can now see the execution time is 0.0004 milliseconds, and the data matches the regex.

You can also measure the compile time of multiple regexes at once by defining them in a file instead of using interactive mode. For example, I write the lines below to a file - pcre-testing.txt

/\d{,10000}/

/([a-z0-9]+)?/i

Do remember that if you want to test multiple regexes at once, you have to separate them with a blank line; you can't do it like this, as it will incur errors -

/\d{,10000}/
/([a-z0-9]+)?/i

Now we can run this -

shell>pcretest -t pcre-testing.txt
PCRE version 7.7 2008-05-07

/\d{,10000}/
Compile time 0.0032 milliseconds

/([a-z0-9]+)?/i
Compile time 0.0054 milliseconds

There are other options that you may want to try out, but I think I have given you enough of a guide to carry on. You may be interested in reading some of my related posts here -

http://geek00l.blogspot.com/2007/11/regex-learning-tool-kregexpeditor.html

http://geek00l.blogspot.com/2007/07/visualregexp-nice-regex-learning-tool.html

I advocate pcretest because it comes with PCRE and is available in HeX, and you can evaluate the performance of a regex quickly.
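As an added example, not from the original post or the PCRE project, here is a Python 3 script that mimics the pcretest -t workflow above: it parses a file in the same layout as pcre-testing.txt (one /pattern/flags per block, blocks separated by a blank line, with the missing-blank-line mistake rejected) and reports compile time and mean execution time per subject. It uses Python's re module rather than the PCRE library, so the timings and some syntax details (for example how {,n} is treated) differ from real pcretest; the sample file is constructed from the post's patterns and the function names are mine.

```python
import re
import time

# Constructed sample in the post's pcre-testing.txt layout: one /pattern/flags
# per block, blocks separated by a blank line.
PCRE_TESTING_TXT = """/[a-z0-9]+/

/([a-z0-9]+)?/i
"""
# pcretest modifier letters that have a direct Python re equivalent.
FLAG_MAP = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}
def parse_pcretest_file(text):
    """Return [(pattern, flags), ...]. Each block must be /pattern/ plus optional
    modifier letters; anything else raises (pcretest likewise errors out when
    two patterns are not separated by a blank line)."""
    entries = []
    for block in text.split("\n\n"):
        line = block.strip()
        if not line:
            continue
        end = line.rfind("/")
        if "\n" in line or not line.startswith("/") or end == 0:
            raise ValueError("expected /pattern/flags, got %r" % line)
        flags = 0
        for ch in line[end + 1:]:
            if ch not in FLAG_MAP:
                raise ValueError("unsupported modifier %r in %r" % (ch, line))
            flags |= FLAG_MAP[ch]
        entries.append((line[1:end], flags))
    return entries

def time_regex(pattern, flags, subjects, repeat=1000):
    """Like pcretest -t <n>: time compilation once, then the mean of `repeat`
    searches per subject. Returns (compile_ms, [(subject, match, exec_ms)])
    where match is the matched text or None."""
    re.purge()  # drop re's compile cache so compilation is really measured
    t0 = time.perf_counter()
    rx = re.compile(pattern, flags)
    compile_ms = (time.perf_counter() - t0) * 1000.0
    results = []
    for subject in subjects:
        t0 = time.perf_counter()
        for _ in range(repeat):
            m = rx.search(subject)
        exec_ms = (time.perf_counter() - t0) * 1000.0 / repeat
        results.append((subject, m.group(0) if m else None, exec_ms))
    return compile_ms, results
if __name__ == "__main__":
    for pattern, flags in parse_pcretest_file(PCRE_TESTING_TXT):
        print(pattern, time_regex(pattern, flags, ["ABC", "abc"]))
```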

Enjoy (;])

Wednesday, June 11, 2008

HeX 2.0: Sneak Peek

We bring you a HeX 2.0 quick preview (it's really just a view)!!!!!

FreeBSD 7.0-STABLE, is it real?

Sguil Client 0.7 is here!

Where's the monkey, morphing into lobster?

Stop snorting, oink oink!!!!!

Don't you think it is sexy when shark is on the wire?

Ask for more? Be patient!!!!!

Cheers (;])

Wednesday, May 28, 2008

HeX 021 Series

I will start this HeX Zero To One (021) Series on my blog while HeX 2.0 is in active development, and all of the posts will be imported into the HeX Handbook. From now on, any post of mine with the title prefix HeX 021: belongs to the series.

Enjoy ;]

Friday, May 23, 2008

HeX: Handbook

While we are in active development of HeX 2.0, we are starting a side project mainly for documentation purposes. We call it the HeX Handbook; the link is here -

https://trac.security.org.my/hex/wiki/HeXHandbook

Currently there's nothing there yet, but I will import all the content from my incomplete Network Security Analyst Handbook, and I'm now trying to design a standard template so that whoever wants to contribute can follow it.

If you are using HeX and you know a different way of doing analysis with the tools in HeX, we would like to hear from you. By the way, if you are good at language translation, please do let me know.

Thanks to scholar, who always gives me very fruitful input!

Cheers (;])