Finally ...
Thanks to Niresh for hosting 4REN6 VM. Now you can download the VM via
http://4ren6.radiobandit.org/
If you would like to help out by hosting the VM for download, please let me know. I will update the VM once Ubuntu releases version 10.10. If you try out the VM and have any feature requests, feel free to email me.
Cheers ;]
Tuesday, November 30, 2010
Thursday, September 30, 2010
Cisco Regex
Whoever follows my blog or my workshops will know I always mention regular expressions (regex) as applied knowledge for security analysts. I came across an interesting read about Cisco regex and think it would be good to share with the bunch, there you go -
http://www.ciscozine.com/2010/09/29/cisco-regular-expressions/
Have fun and good to read some background history of regex and how Cisco makes use of it.
Cheers ;]
Friday, August 13, 2010
4REN6 VM WalkThrough Guide
As promised in the previous post, hereby I release the 4REN6 VM WalkThrough Guide; in it you can find how to install a comprehensive list of forensics tools on Ubuntu 10.04. Here's the link for the guide -
http://www.scribd.com/doc/35816772/4REN6-VM-Builder-Guide
Currently you need an account to download it, but that's no problem for a quick read. I will upload this guide to my own server later so that you can download it freely (both pdf and odt format in case you want to edit). Maybe a wiki is a good way to go for documentation collaboration, but right now I don't have any plan about it yet.
Feel free to comment, and I appreciate any valuable inputs! By the way I'm still looking for anyone who is willing to host the 4REN6 VM image.
Cheers (;])
Tuesday, August 03, 2010
Home For 4REN6 VM
Yes, I'm still working in the IT industry and I'm not dead yet; right now I'm working on both tech and non-tech stuff, so this first paragraph is just ice breaking for me to say something.
I have a Virtual Machine image I prepared for Digital Forensics Training, and I would like to release it. It has the name 4REN6 but it doesn't have a home now; the size of the VM is 2.6G, so if any of you is interested in hosting the image, please do contact me via
geek00l[at]gmail[dot]com
Please make sure you send to my email correctly as geek zero zero L and not o o L, as a couple of people tried to send me email but failed to do so. I'm sorry about that but I can do nothing about it.
Don't ask me why I'm doing this while there are similar things such as SIFT, Helix, PlainSight or some I may not know; the main reason is that I just want to have the exercise and to confirm all the stuff I work on is really working. Bear in mind I'm doing this alone, so please don't shout at me if it breaks. On the other hand, I will release documentation on how to install everything you need to make a forensic desktop using Ubuntu, since I have already taken all the notes during the making of this VM and it's just a matter of putting them together.
Some sneak peeks -



By the way, the wallpaper is designed by myself, so it is not really a slick wallpaper like the one we used to have in HeX.
Last but not least, I would like to thank my blog readers who have encouraged me to continue my blog again, and some other friends along the line. I think this is the right thing to do.
Cheers (;])
Friday, May 21, 2010
You can play pacman in Google.com
Monday, March 22, 2010
What I do lately
Here's what I've been doing lately. I haven't been blogging for a while but have been doing some other stuff, and I figure I still need to keep this blog alive no matter what. I have been poking with
- Splunk - Working on snort/argus module
- Nokia N900 - this is by far the most open mobile platform I have seen, and guess what, you can run snort on it with the debian stack.
- Gns3 - A way to learn cisco stuff and WAN setup
- Training - Design new security training course
- HackerSpaceKL - Help where I can
Applications I use but keep forgetting when I haven't used them for a while, so it's good to note them down
- recordMyDesktop - gtk-recordMyDesktop
- gnome-screenshot - gnome-screenshot --area
- Funambol - sudo sh bin/funambol start
- xdg-open - xdg-open whatever
Till next time ...
Cheers ;]
Tuesday, September 22, 2009
Mac OSX: Sguil Client
My pal Spoonfork has written previously about how to get the sguil client working on Mac OSX here; however, some readers reported it won't work on Mac OSX 10.5 or later as tclX fails to compile. If you really want to get the sguil client up and running on Mac OSX, here are the steps -
Download ActiveState TCL for Mac OSX platform from the link below, you can choose either version 8.4.x or 8.5.x as both work -
https://www.activestate.com/activetcl/downloads/
Then what you need to do is click click install. Once you are done, obtain sguil client 0.7 from -
http://sourceforge.net/projects/sguil/files/
I chose sguil-client-0.7.0.tar.gz; follow the steps below once you have it downloaded -
shell>tar xvzf sguil-client-0.7.0.tar.gz
shell>cd sguil-0.7.0/client
shell>wish8.5 sguil.tk
You should be good to go by now, enjoy playing with the sguil client console! If you installed ActiveTcl version 8.4.x, then just run wish8.4 sguil.tk instead.
Cheers (;])
Sunday, September 20, 2009
Mac OSX: Nmap 5.0
Many people wrote about Nmap 5.0 when it was released; here's how I got it working on Mac OSX. If you install Nmap 5.0 using MacPorts, then you won't be having zenmap in your pocket, you will only get ncat, ndiff and nmap. Therefore it is best if you can obtain the nmap installation package for OSX from the Nmap website and follow the instructions here to get it installed. Once you have the package installed, you may find zenmap will not work properly even though you can run it. In fact you need the following software installed to satisfy the dependencies.
shell>sudo port install py25-gtk
shell>sudo port install py25-py2app-devel
It might take a while to get them compiled and installed as they require some of the libraries from X11 as well; if you can get through this stage, then you should be able to run zenmap now -
shell>open /Applications/Zenmap.app

Of course Nmap is rocking in da house -
shell>nmap -V
Nmap version 5.00 ( http://nmap.org )
Peace (;])
Tuesday, September 15, 2009
Mac OSX: NetGrok
I like security visualization tools, as they help you interpret computer events easily. Here's how I got NetGrok running on my apple laptop -
Download and install Jpcap -
shell>wget http://netresearch.ics.uci.edu/kfujii/jpcap/jpcap-0.7.tar.gz
shell>tar xvzf jpcap-0.7.tar.gz
shell>cd jpcap-0.7/src/c
shell>make
shell>cp libjpcap.jnilib /Library/Java/Extensions/
shell>cp ../../jpcap.jar /Library/Java/Extensions/
Download and run NetGrok
shell>wget http://netgrok.googlecode.com/files/netgrok20080928.zip
shell>unzip netgrok20080928.zip
shell>cd Netgrok
There's a problem with the file groups.ini, you have to change this line
Private1=Wireless=192.168.0.0/16
To -
Private1-Wireless=192.168.0.0/16
Now you can run netgrok without problems -
shell>java -jar netgrok20080928.jar
Below are two screenshots I took -


You might want to check it out, it definitely supports pcap format files! For more information you can check out the NetGrok site.
Cheers (;])
Saturday, September 12, 2009
Argus 3: Situational Awareness(ratop)
You need to know the current state of the network: who is probing your network and services, who is consuming your bandwidth, what is running in your network. The main question remains - how much do you know about your network?
Then people talk about Situational Awareness; in fact Wikipedia has a well-versed explanation about it which you can find here.
As network security operators, we look at Network Situational Awareness; in fact you can use Argus 3 for this purpose, which I'm going to discuss here. There are a few argus client tools that can be used for near Real Time Network Situational Awareness -
- ratop
- rasql/rasqlinsert
- ralabel
Ratop works just like top: it can connect to the argus monitor and show network flow data in a near real time view. It also offers vi-like features, where you can use / to search for flows, and : as command mode to perform various actions such as network flow record filtering/sorting, flow record field reordering, or even extracting flow records based on a certain timespan in real time. To run ratop, you must have the argus monitor running first -
shell>argus -mAJZRU 128 -P 561
Use ratop to connect to the argus monitor -
shell>ratop -S localhost:561
Here's the ratop screenshot -

To quit ratop, it is similar to exiting the vi editor: just type :q and you will disconnect from the argus monitor. You can see that ratop is very useful when it comes to monitoring your network in real time; while it doesn't offer you insightful information, it gives a quick view of the layer2/3 network conversations. Other features such as sorting can be toggled on with :s, or filtering with :f.
This is considered part 1, in which I have covered ratop; in part 2 I'm going to discuss rasql/rasqlinsert, then I will introduce ralabel in part 3. All of them are very effective tools for Network Situational Awareness.
Enjoy (:])
OpenDPI

I just came across this Open Source Deep Packet Inspection Engine. While I haven't tried it out, this project seems interesting. I just want to mention it in my blog so that I can search for it next time in case I forget -
http://opendpi.org/
You can check out its manual and source code, which is hosted at Google Code here.
Cheers (;])
Friday, September 11, 2009
Argus 3: OpenWRT Binary Blob
Here's the argus 3 binary blob that will work on OpenWRT KamiKaze 8.09 (Linksys WRT54GL MIPS platform); if you are too lazy to compile your own, and want to check it out, please do give it a try. Thanks to guti for hosting it -
http://gutizz.com/scripts/argusbinary/argus3-mips.tar.bz2
http://gutizz.com/scripts/argusbinary/argus3-mips.tar.bz2.md5.txt
All you need to do is download, verify, decompress, upload it to your OpenWRT, and run!
Enjoy (;])
Argus 3: Database Support
If you have followed the argus mailing list, you should know that Carter has implemented argus database clients (rasql/rasqlinsert) to read/write/bla network flow records to a database. I'm currently testing this feature and here's the preview for you -

Currently it seems to work on my testing machine. I will introduce more about the new argus client tools such as ralabel, rasql, rasqlinsert etc. in my coming posts.
Cheers (;])
Mac OSX: MYSQL Community Server
This is a quick one to get Mysql Community Server running on OSX, download it from -
http://dev.mysql.com/downloads/mysql/5.1.html#macosx-dmg
Choose the dmg package which works for your platform and OSX version. In my case, I chose Mac OS X 10.5 (x86). So after you have it downloaded, it's all about click click install. Remember to install both the Mysql server and its startup item package. You also need to copy the MySQL.prefPane to the right location so that it will show up in your System Preferences -
shell>sudo cp -fR /Volumes/mysql-5.1.38-osx10.5-x86/MySQL.prefPane /Library/PreferencePanes/
To start Mysql server, run -
shell>sudo /Library/StartupItems/MySQLCOM/MySQLCOM start
To stop Mysql server, run -
shell>sudo /Library/StartupItems/MySQLCOM/MySQLCOM stop
To uninstall Mysql Community Server -
shell>sudo rm -rf /Library/StartupItems/MySQL*
shell>sudo rm -rf /Library/PreferencePanes/MySQL*
shell>sudo rm -rf /Library/Receipts/mysql-*
shell>sudo rm /usr/local/mysql
shell>sudo rm -rf /usr/local/mysql-*
And finally remove this line in /etc/hostconfig
MYSQLCOM=-YES-
All for now, I have been idle for a while and hopefully this is the comeback of an active me.
Cheers ;)
Tuesday, June 02, 2009
HITB2009MY: The Art Of Network Forensics
Hack In The Box Security Conference 2009 in Malaysia is going to happen again on October 5th-8th 2009. We are looking forward to seeing the security crowd again! More information about the conference can be found at this link.
Again this time, mel (spoonfork) and I are going to conduct network security training for Hack In The Box 2009 Malaysia. This upcoming training is going to be brand new and focused on scenario case solving, with the title "The Art Of Network Forensics: Going Beyond Packet Data"; the details for the training are here. We haven't finalized the course materials that are going to be provided to students yet; however, if we can obtain the kit to build the network tap, then it will be awesome. On the other hand, we would like to thank Vickson again for his cool banner design!
Enjoy (;])
Thursday, May 21, 2009
Editcap: Discard unwanted frames
With editcap you can actually remove multiple frames (people like to call them packets in general) you don't want. For example, if I want to remove frame numbers 40, 69, 71, 113 and 115 in mail.pcap -
shell>editcap mail.pcap mail-modified.pcap 40 69 71 113 115
Add_Selected: 40
Not inclusive ... 40
Add_Selected: 69
Not inclusive ... 69
Add_Selected: 71
Not inclusive ... 71
Add_Selected: 113
Not inclusive ... 113
Add_Selected: 115
Not inclusive ... 115
Check with capinfos -
shell>capinfos -c mail.pcap
File name: mail.pcap
Number of packets: 173
shell>capinfos -c mail-modified.pcap
File name: mail-modified.pcap
Number of packets: 168
Quick and easy!
Cheers (;])
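The same frame-dropping and counting that editcap and capinfos do above, written out as an added example (not code from the original post, and not Wireshark's own code). It implements a minimal libpcap reader/writer; frame numbers are 1-based as in Wireshark, and the 173-frame capture is constructed in memory rather than read from mail.pcap.

```python
"""Drop selected frames from a pcap by frame number, the way editcap does.

Added example, not the post's or Wireshark's code. Handles classic libpcap
(not pcapng): a 24-byte global header followed by records with a 16-byte
header (ts_sec, ts_usec, incl_len, orig_len) and incl_len bytes of data.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4               # little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def parse_pcap(data: bytes):
    """Return (global_header_bytes, [record_bytes, ...]); raise on truncation."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    if GLOBAL_HDR.unpack_from(data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    records = []
    off = GLOBAL_HDR.size
    while off < len(data):
        if off + REC_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        _, _, incl_len, _ = REC_HDR.unpack_from(data, off)
        end = off + REC_HDR.size + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append(data[off:end])   # header + payload, kept verbatim
        off = end
    return data[:GLOBAL_HDR.size], records


def count_packets(data: bytes) -> int:
    """Equivalent of `capinfos -c`."""
    return len(parse_pcap(data)[1])


def drop_frames(data: bytes, frame_numbers) -> bytes:
    """Equivalent of `editcap in out N1 N2 ...`: remove the listed 1-based frames."""
    header, records = parse_pcap(data)
    unwanted = set(frame_numbers)
    bad = sorted(n for n in unwanted if n < 1 or n > len(records))
    if bad:
        raise ValueError("frame numbers out of range: %s" % bad)
    kept = [rec for idx, rec in enumerate(records, start=1) if idx not in unwanted]
    return header + b"".join(kept)


def build_sample_pcap(n_frames: int) -> bytes:
    """Constructed sample capture: n_frames dummy 60-byte records, payload tagged by frame number."""
    header = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b""
    for i in range(1, n_frames + 1):
        payload = bytes([i % 256]) * 60
        body += REC_HDR.pack(1_000_000 + i, 0, len(payload), len(payload)) + payload
    return header + body


if __name__ == "__main__":
    mail = build_sample_pcap(173)                      # stands in for mail.pcap
    modified = drop_frames(mail, [40, 69, 71, 113, 115])
    print("Number of packets:", count_packets(mail))      # 173
    print("Number of packets:", count_packets(modified))  # 168
```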
Tuesday, May 19, 2009
Time to sell myself .....
This year, I thought things were going to be smooth for me, and I was wrong. But I do know life goes on.
So I'm now out for a job again and plan to settle down a bit. This is the first time I've put up my resume here, and hopefully I can get the right job for myself quickly. I'm looking for a job related to firewall/ids/siem implementation/deployment/analysis/response.
If you think there's any opportunity I can grab, or you are interested to hire me, please let me know. Here's my resume.
Thanks!
Friday, May 15, 2009
FreeBSD On VMware Time Sync Issue

We have been trying to fight the time synchronization issue when running FreeBSD on VMware. With the new FreeBSD (7.1 and above) and new VMware workstation/fusion, the problem is fixed.
That's great as it means we can run HeX more flawlessly on VMware. On the other hand, HeX is back to active development, stay tuned!
Enjoy ;]
Surface Mount Box - 4 ports

I have been looking for a 4 port surface mount box (cat5e compatible) which looks like the above image; if any of you know where I can find one in Malaysia, or you sell it, please let me know. I would like to order 20-50 units from you. I wanted to order online but it is out of stock here. On the other hand, if you know anyone who sells cat5e keystone jacks at a reasonable price, I would like to buy those as well.
My plan is to build network taps using this mount box, as a gift to whoever attends my future network forensics training.
Cheers ;]
Thursday, April 16, 2009
Argus 3.x On Linksys WRT54GL
I bought two units of the Linksys WRT54GL wlan router previously so that I can run Linux and get network security monitoring tools running on it as well. This little device has very limited space, but you can't beat linux as a router device. One of the units is currently living in spoonfork's place to serve that Darth Vader, and the other one is with me. Since Carter has argus supported on OpenWRT, I have been thinking of getting argus installed on it (MIPS platform). And after some tinkering, I have successfully loaded argus on it and exported the network flow to another box in the network. Here's the complete howto that you can follow exactly to get argus compiled for OpenWRT Kamikaze 8.09 (MIPS platform) using Ubuntu Linux.
Prepare the environment, my main directory to build this is /home/geek00l/i-Projects -
shell>sudo apt-get install gcc g++ patch binutils \
flex bison make pkg-config unzip zlib1g zlib1g-dev \
libc6 libc6-dev gawk autoconf upslug2 libncurses5-dev
To build OpenWRT Kamikaze 8.09, svn up the source first -
shell>svn co https://svn.openwrt.org/openwrt/branches/8.09 kamikaze-8.09
shell>cd kamikaze-8.09
Start the building process -
shell>make defconfig
shell>make package/symlinks
shell>make menuconfig
shell>make
Take a coffee break when you run make .....
Install libpcap, this is the only dependency we need to get argus 3 compiled -
shell>make package/libpcap-compile V=99
shell>make package/libpcap-install V=99
Check out the gcc that we need to use -
shell>/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc --version
gcc (GCC) 3.4.6 (OpenWrt-2.0)
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Now we need to set the environment variables for this build -
shell>export PATH=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin:/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/bin:$PATH
shell>export AR=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ar
shell>export AS=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/as
shell>export LD=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ld
shell>export NM=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/nm
shell>export CC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc
shell>export CPP=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/toolchain-mipsel_gcc3.4.6/gcc-3.4.6-initial/gcc/cpp
shell>export GCC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc
shell>export CXX=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/g++
shell>export RANLIB=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ranlib
shell>export ac_cv_linux_vers=2.4.35
shell>export LDFLAGS="-static"
shell>export CFLAGS="-Os -s"
Time to have fun, doing a cross-compile for argus so it works on the MIPS platform -
shell>cd /home/geek00l/i-Projects/argus-3.0.1.beta.2
shell>./configure --host=mipsel-linux \
--with-openwrt=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir \
--with-libpcap=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/mipsel/libpcap-0.9.8
shell>make
shell>file bin/argus
bin/argus: ELF 32-bit LSB executable, MIPS, version 1 (SYSV), statically linked, stripped
Transfer it to my OpenWRT -
shell>scp -P 55555 bin/argus root@192.168.1.1:/tmp
To export argus network flow on ppp0 interface -
shell>argus -i ppp0 -B 192.168.1.1 -P 561 -d
To intercept the network flow -
shell>ra -S 192.168.1.1:561 - ip
I found some good references here to get me going, and I would like to thank David Watson (UK Honeynet) for his guide on building nepenthes on openwrt too.
Reference:
http://www.frontiernet.net/~beakmyn/CrossCompile.htm
http://www.ukhoneynet.org/research/building-nepenthes-on-the-openwrt-embedded-platform/
http://forum.openwrt.org/viewtopic.php?pid=31794
http://gargoyle-router.com/openwrt-coding.php
Since this embedded device has very limited space, there's no point running a packet logger locally; other tools I would like to run on it so that I can export pcap to another system would be something like packetforward or rpcap. If anyone has experience getting any of these tools installed on OpenWRT, please do share!
Enjoy (;])