Sunday, October 30, 2005

Netdude & Tcpreplay

I have read the TaoSecurity blog, and the post regarding the Snort BO exploit is kinda interesting. Kyle Haugness has written a tool to detect the Snort BO exploit, and he recommends using netdude and tcpreplay to edit and replay the pcap file provided by him. Let's see how we can do it using these two tools.

Download the pcap from Kyle's site.

shell>wget http://handlers.dshield.org/khaugsness/1025a

Then load the pcap file to netdude.

Now change the IP and MAC addresses by just double clicking the header field. I assume the source IP is 192.168.0.44 and the destination IP is 192.168.0.66.

After you have modified it, save it, and you can now replay the pcap file. As I saved the file as snortBO1025a.cap, we can replay it by entering the command below.

shell>tcpreplay -i bge0 snortBO1025a.cap
sending on:bge0
1 packets (1086 bytes) sent in 0.68 seconds
157528.3 bytes/sec 1.20 megabits/sec 145 packets/sec
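Netdude does the address edit interactively, but the same rewrite can be scripted, which matters when a pcap has more than a handful of frames. The block below is an added example written for this post (it is not netdude or tcpreplay code): it walks a classic pcap, replaces the source/destination MAC and IP of every Ethernet/IPv4 frame, and recomputes the IPv4 and TCP/UDP checksums. The TCP/UDP checksums also cover the IP addresses through the pseudo-header, so a file edited without that step replays with bad checksums. The one-frame pcap it builds is constructed for the demo; the 192.168.0.44/192.168.0.66 addresses are the ones assumed above and the MAC addresses are made up.

```python
"""Rewrite MAC/IP addresses in a pcap and fix checksums before replay.
Added example for this post; not part of netdude or tcpreplay."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETH_IPV4 = 0x0800


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    data = bytes(data) + b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return bytes(int(octet) for octet in text.split("."))


def rewrite_frame(frame, src_mac, dst_mac, src_ip, dst_ip):
    """Return one Ethernet/IPv4 frame with new addresses and valid checksums.
    Frames that are not IPv4 are returned unchanged."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return frame
    eth = mac(dst_mac) + mac(src_mac) + frame[12:14]
    ihl = (frame[14] & 0x0F) * 4
    iphdr = bytearray(frame[14:14 + ihl])
    iphdr[12:16] = ip4(src_ip)
    iphdr[16:20] = ip4(dst_ip)
    iphdr[10:12] = b"\x00\x00"
    iphdr[10:12] = struct.pack("!H", checksum(iphdr))
    payload = bytearray(frame[14 + ihl:])
    proto = iphdr[9]
    # TCP (6) and UDP (17) checksums include a pseudo-header with both IP
    # addresses, so changing the addresses invalidates them as well.
    csum_off = {6: 16, 17: 6}.get(proto)
    if csum_off is not None and len(payload) >= csum_off + 2:
        payload[csum_off:csum_off + 2] = b"\x00\x00"
        pseudo = bytes(iphdr[12:20]) + struct.pack("!BBH", 0, proto, len(payload))
        csum = checksum(pseudo + bytes(payload))
        if proto == 17 and csum == 0:
            csum = 0xFFFF  # UDP sends an all-zero sum as 0xFFFF (0 means "none")
        payload[csum_off:csum_off + 2] = struct.pack("!H", csum)
    return eth + bytes(iphdr) + bytes(payload)


def checksums_ok(frame):
    """Verify the IPv4 and TCP/UDP checksums of an Ethernet/IPv4 frame."""
    ihl = (frame[14] & 0x0F) * 4
    iphdr = bytes(frame[14:14 + ihl])
    if checksum(iphdr) != 0:
        return False
    proto, payload = iphdr[9], bytes(frame[14 + ihl:])
    if proto == 17 and payload[6:8] == b"\x00\x00":
        return True  # UDP checksum disabled by the sender
    if proto in (6, 17):
        pseudo = iphdr[12:20] + struct.pack("!BBH", 0, proto, len(payload))
        return checksum(pseudo + payload) == 0
    return True


def rewrite_pcap(data, **addrs):
    """Apply rewrite_frame to every record of an in-memory classic pcap."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        end = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    out = bytearray(data[:24])  # global header is kept as-is
    pos = 24
    while pos + 16 <= len(data):
        rec_hdr = data[pos:pos + 16]
        incl = struct.unpack(end + "IIII", rec_hdr)[2]
        frame = data[pos + 16:pos + 16 + incl]
        out += rec_hdr + rewrite_frame(frame, **addrs)  # lengths do not change
        pos += 16 + incl
    return bytes(out)


def build_sample_pcap():
    """Constructed one-frame pcap: a TCP SYN from 10.0.0.1 to 10.0.0.2:80."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                        64, 6, 0, ip4("10.0.0.1"), ip4("10.0.0.2"))
    raw = (mac("00:00:00:00:00:02") + mac("00:00:00:00:00:01")
           + struct.pack("!H", ETH_IPV4) + iphdr + tcp)
    # Run the rewriter with the same addresses just to fill in the checksums.
    frame = rewrite_frame(raw, src_mac="00:00:00:00:00:01", dst_mac="00:00:00:00:00:02",
                          src_ip="10.0.0.1", dst_ip="10.0.0.2")
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 1130630400, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


if __name__ == "__main__":
    edited = rewrite_pcap(build_sample_pcap(), src_mac="00:11:22:33:44:55",
                          dst_mac="66:77:88:99:aa:bb",
                          src_ip="192.168.0.44", dst_ip="192.168.0.66")
    with open("rewritten-sample.cap", "wb") as fh:
        fh.write(edited)
    print("checksums ok:", checksums_ok(edited[40:]))
```

The output file is a normal pcap, so it can be handed straight to tcpreplay; checksums_ok() is the check worth running on the edited file first, because a capture device or IDS on the receiving side will discard frames with bad IP checksums and you end up debugging the replay instead of the sensor.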

Here's the result shown in ethereal; it seems to work, and I have sent 8 packets.

The payloads below show the replies from the host 192.168.0.66.

Tcpreplay is a nifty tool to replay traffic; however, I'm using the old 2.2 version which is in the FreeBSD ports. The latest should be version 3, which is more powerful, and I will try it if I have time on hand.
Netdude is the easiest tool I have found so far for packet modification purposes; of course, packet forging is nothing hard as well once you are able to modify the packet headers. For ethereal, one really good point that I give a thumbs up for is its capability to differentiate normal and malformed packets. This definitely saves the analyst valuable time in handling incident response and network forensics :)

For people who fall in love with Packet Monkeying, go SCAPY!!!!!

~Eye Candy & Happy Holiday~

This is the new screenshot (eye candy) of my workstation. I have eased my tasks by writing some scripts to make it work perfectly as my analyst workstation :).
I will blog more since I have noted down all the stuff that I have done. To all Malaysians, enjoy your holidays and celebrations, peace!

Happy Deepavali and Hari Raya :-)

Wednesday, October 26, 2005

RPPPOE - The Penguin PPPOE client

If you are a novice user like me and just use your Linux box as a desktop, there's not much to do with hardcore techie stuff; all we want is simplicity and user friendliness. Here I will show you a little tool to dial your ADSL PPPoE connection (Streamyx in MY). Using RPPPOE, you can easily dial a DSL connection just like you normally do in Windows XP.

Just type in the necessary info ... click on the start button ... and you are done.

This client is good enough to show the upstream and downstream :)

This tool is available in the FreeBSD ports as well; however, I have never tried it on that platform yet. Hopefully I am able to show more and more applications that work well for normal users in my future blog posts. Enjoy the Internet connection, cheers :-)

Tuesday, October 25, 2005

Colorize the RedDevil

I guess everyone loves a colorized terminal, as it makes it easier to work with files, especially when you don't have a good file manager like me. Here is how it looks in FreeBSD with the command: ls -laG.

Another screenshot I have brought this time is irssi, the IRC client. Irssi is not GUI based; however, it offers all the nice functions that an IRC client is supposed to have. Thanks to tenner from #fluxbox for your irssi ice theme. You've always been so kind. For people who prefer a GUI-based IRC client, you can have gaim or x-chat. Let's love OSS!

Everyone loves clean stuff :)

Monday, October 24, 2005

In response to linuxlah tips

How to log in to multiple servers in one go using mrxvt?

Most probably you can find the answer in his recent blog; the tip is nice, as I myself use mrxvt for my daily tasks. However, the part where you end up with multiple tabs with the same name might be annoying, and you have to either rename them manually or use the Perl script workaround by linuxlah.

You can actually use the command below to overcome it :)

shell>mrxvt -vt0.tabTitle m0b -vt0.e 'ssh root@202.75.42.254 -p 22' -vt1.tabTitle tri -vt1.e 'ssh root@192.168.0.5 -p 22' -vt2.tabTitle tro -vt2.e 'ssh root@192.168.0.10 -p 22' -tnum3 -bg black

That's how it looks :)


Hopefully it helps!

Sunday, October 23, 2005

[[[Shuttle PC]]]

Finally I got myself offline and went shopping at Prangin Mall in Penang, and there was a little box that caught my eye. After talking to the sales boy, he told me I can find the info regarding this little box online. It must be fun to own one :).

If you are interested in the little box too, check out the link below.

http://au.shuttle.com/Product/Barebone/brb_default.asp

Enjoy!

Gmail - Against all odds?

Google has taken drastic steps to fight spam, and now they are taking mail viruses/trojans seriously. Today when I tried to email an .exe file to my friend, it gave me the error below.

For sure I'm wondering, are they really that strict? Then I changed the file extension to .exe.scr to see if they really block on it, and I got my answer quickly.
It might be blocking any attachment that has an .exe or .scr extension (considered not payload checking); if you look at the error message closely, it says that .exe.scr is an executable file and can't be delivered :P
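The distinction being poked at here is a name-based policy versus payload checking. The block below is an added example (not Gmail's code, whose rules are not public) of the two side by side: every dotted suffix of the attachment name is checked against a blocked list, so tool.exe.scr is refused for both suffixes, and separately the content is checked for the MZ header of a Windows executable, which catches a binary renamed to .txt that no name check can see. The blocked list and the sample attachments are constructed assumptions.

```python
"""Attachment policy: name-based extension checks beside a content check.
Added example for this post; not Gmail's code. The blocked list is a
constructed assumption holding the two extensions the post tried plus a
few other classic Windows executable suffixes."""

BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def extensions(filename):
    """Every dotted suffix after the base name, lower-cased:
    'a.exe.scr' -> ['exe', 'scr']. Trailing dots and spaces are stripped
    first because Windows drops them when saving, so 'a.exe.' runs as a.exe."""
    cleaned = filename.strip().rstrip(". ").lower()
    return cleaned.split(".")[1:]


def check_attachment(filename, data):
    """Return the reasons an attachment would be refused: one per blocked
    extension anywhere in the name (so .exe.scr yields two), plus one if the
    content starts with the 'MZ' magic of a Windows executable, whatever the
    name says. An empty list means accepted."""
    reasons = ["blocked extension ." + ext
               for ext in extensions(filename) if ext in BLOCKED_EXTENSIONS]
    if data[:2] == b"MZ":
        reasons.append("executable content (MZ header)")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the two names from the post, a renamed binary
    # that a name-only filter misses, and a harmless document.
    samples = [("tool.exe", b"MZ\x90\x00\x03"), ("tool.exe.scr", b"MZ\x90\x00\x03"),
               ("notes.txt", b"MZ\x90\x00\x03"), ("report.pdf", b"%PDF-1.4")]
    for name, content in samples:
        print(name, "->", check_attachment(name, content) or ["accepted"])
```

The notes.txt case is the one that separates the two approaches: a filter that only looks at names, as the error message suggests, lets it through, while the MZ check refuses it. The reverse also holds, which is why a real gateway runs both.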

To some extent, this is really good, given the fact that most users just have no idea about security.

Saturday, October 22, 2005

Toying with OpenBSD PF

Today, having just come back from my hometown, I fired up my machine and logged in to #pf on freenode, and there was a guy asking how PF replies to packets when people apply this rule.

block drop in on $NIC inet proto icmp from any to any icmp-type unreach code net-unr

Normally this rule is applied so that anybody who tries to probe using ICMP will get an ICMP destination net unreachable message. Let's test it out.

Results Comparison

Windows machine

cmd>ping 192.168.0.5

Pinging 192.168.0.5 with 32 bytes of data:

Request timed out.
Reply from 192.168.0.5: Destination net unreachable.
... ... ... ...

Freebsd machine

shell>ping 192.168.0.5

Pinging 192.168.0.5: 56 data bytes
36 bytes from 192.168.0.5: Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 b16c 0 0000 2d 01 51a4 192.168.0.4 192.168.0.5
... ... ... ...

--- 192.168.0.5 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss.

Linux machine

shell>ping 192.168.0.5

Ping 192.168.0.5 56(84) bytes of data.

From 192.168.0.5 icmp_seq=0 Packet filtered
From 192.168.0.5 icmp_sqd=1 Packet filtered
... ... ... ...

--- 192.168.0.5 ping statistics ---
21 packets transmitted, 0 received, +19 errors, 100% packet loss and bla bla.

I logged the traffic using tcpdump; it seems that FreeBSD is giving me the exact error message that I was supposed to receive. Basically I don't think this is a good rule to apply; a single ICMP packet can easily identify the box as a firewalling box. The Windows box has been totally fooled, though. Let's screw script kiddies.
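The three pings are rendering the same ICMP type 3 code field in their own words, which is what makes a single reply so telling. As an added example for this post (not code from PF or from any ping implementation), the block below decodes an IPv4 datagram carrying an ICMP destination-unreachable message, verifies the ICMP checksum, maps the code to its pf.conf keyword and to the strings FreeBSD's and Linux's ping print for it, and pulls out the quoted original header (the "Vr HL TOS ..." line in the FreeBSD output above). The sample replies are constructed; the quoted header in them borrows the ID (b16c) and TTL (2d) values shown in that output. Fed the raw datagrams from a tcpdump capture, this is a quick way to audit what a filter is telling the world about itself.

```python
"""Decode ICMP destination-unreachable replies (RFC 792 type 3).
Added example for this post; not from PF or any ping implementation."""
import struct

UNREACH_MEANING = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited (filtered)",
}
# pf.conf 'code' keywords for the unreach codes above.
PF_CODE_NAME = {0: "net-unr", 1: "host-unr", 2: "proto-unr", 3: "port-unr",
                9: "net-prohib", 10: "host-prohib", 13: "filter-prohib"}
# Strings the ping(8) implementations on the page print for these codes.
PING_TEXT = {
    ("freebsd", 0): "Destination Net Unreachable",
    ("freebsd", 13): "Communication prohibited by filter",
    ("linux", 0): "Destination Net Unreachable",
    ("linux", 13): "Packet filtered",
}


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    data = bytes(data) + b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip4(text):
    return bytes(int(octet) for octet in text.split("."))


def dotted(raw):
    return ".".join(str(b) for b in raw)


def decode_unreach(packet):
    """Parse an IPv4 datagram; return a dict if it carries a checksum-valid
    ICMP destination-unreachable message, otherwise None."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None  # too short, not IPv4, or not ICMP (protocol 1)
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != 3 or checksum(icmp) != 0:
        return None  # not type 3, or corrupted
    code = icmp[1]
    info = {
        "from": dotted(packet[12:16]),
        "code": code,
        "pf_name": PF_CODE_NAME.get(code),
        "meaning": UNREACH_MEANING.get(code, "unknown"),
        "freebsd_ping": PING_TEXT.get(("freebsd", code)),
        "linux_ping": PING_TEXT.get(("linux", code)),
    }
    quoted = icmp[8:]  # the probe's IP header plus its first 8 bytes
    if len(quoted) >= 20:
        info["original_src"] = dotted(quoted[12:16])
        info["original_dst"] = dotted(quoted[16:20])
        info["original_proto"] = quoted[9]
    return info


def build_unreach(code, router="192.168.0.5", probe_src="192.168.0.4"):
    """Constructed reply: `router` answers an echo request from `probe_src`
    with type 3 / `code`, quoting the probe's IP header and first 8 bytes."""
    inner_ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0xB16C, 0, 0x2D,
                                     1, 0, ip4(probe_src), ip4(router)))
    inner_ip[10:12] = struct.pack("!H", checksum(inner_ip))
    inner_icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 0)  # echo request head
    icmp = bytearray(struct.pack("!BBHI", 3, code, 0, 0)) + inner_ip + inner_icmp
    icmp[2:4] = struct.pack("!H", checksum(icmp))
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 255, 1, 0,
                           ip4(router), ip4(probe_src))
    return outer_ip + bytes(icmp)


if __name__ == "__main__":
    for code in (0, 13):
        print(decode_unreach(build_unreach(code)))
```

Code 0 is what the net-unr keyword names; code 13 is what "Communication prohibited by filter" and "Packet filtered" both stand for, so comparing the decoded code against the rule you think you wrote is the honest check of what the filter actually returns.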

Do you smell Packet filtered?

Wednesday, October 19, 2005

MMORPG == MMWRPG

For people who don't know what MMORPG is, let me explain a bit. MMORPG is the so-called Massive Multiplayer Online Role Playing Game that enables thousands or perhaps millions of players to play in an evolving virtual world at the same time over the Internet (refer to Wikipedia). So what is MMWRPG? This term you can't find in Wikipedia, only in my dictionary: MMWRPG, as defined by me, is Massive Multi Worm Online RPG. For people who don't know what RPG is, RPG was actually a solo-adventurer type of game a few years back; however, with MMORPG it is no longer solo-adventurer, but you are allowed to know more people and friends in a virtual world instead of playing solely. Interaction is human nature, therefore more and more people are becoming adapted to MMORPGs.

You might think I'm crazy to say things like this since it may not happen in the future; however, this is just my prediction, for which I have certain points that make me believe MMORPGs will be the main target of trojan/worm writers. Based on my study, here is what I find convincing.

1. Most of the gamers are pro in gaming but know nothing about computer science; they are easy to trick.

2. Worms are about spreading, and MMORPGs are massive; doesn't it sound so close?

3. Most of the games natively support Windows, which is an easy target; writing worms/trojans/viruses for Windows applications is much easier.

4. More and more players are trading items in MMORPGs. Talk about trading, heh, I want your credit card info.

5. Nuff said, they are all online, and online most of the time; it would be good to have such supportive bots.

There is more to say about it. I have seen lots of immature scenes where bad guys wrote trojanned versions of games and support applications that steal game accounts, which is not so serious yet. However, I have recently noticed bots spreading the word in Warcraft channels regarding interesting (malicious) links. We will soon be seeing more and more mature worms in the gaming world, stealing your personal info, cookies, credit cards and so on. The massive worms will start their journey of adventure in the gaming world. Beware!

~Welcome to the Age of MMWRPG~

Tuesday, October 18, 2005

Sguil Client 6.0 beta - Sensor status addon

Sguil Analyst Console now has this new feature: Sguil sensor status (notice the lower left pane). It is good to keep track of multiple sensors when we have features like this; sguil owns!
And I'm still wondering when the Sguil 6.0 release will hit the ground :P

Monday, October 17, 2005

***Torifying with Privoxy***

For anyone who prefers to be truly anonymous, Tor and Privoxy are your best friends!

Let's see the difference; seeing is believing ...

Before torifying Firefox :(

After torifying Firefox, sorry if the IP is yours :P

That's my Firefox start page; I'm not from Italy :P

Okay, this is how to torify liferea: two steps and you are done. First step ...

Second step ...
Tada, no one knows where you are coming from!

Sunday, October 16, 2005

For the lazy Network Admin ...

If you are really lazy about subnetting or you just don't know how, check this out ...

Squid Reverse Proxy + Mod_Security = ?

You think you have a firewall and IDS/IPS and that's good enough? I have recently deployed a few Squid reverse proxy boxes per client request; it seems that with Mod_Security kicking in, you can have very effective intrusion prevention boxen in front of your HTTP server, protecting your vulnerable web applications. More than that, you can even have access control lists, since Squid is flexible enough with its extensive configuration.

Perhaps you might say that it is just another firewalling box; however, that's not the case. Imagine you can have the reverse proxy deployed anywhere, not bound by geographical limitations. Another advantage is that it can serve client requests faster, since Squid offers caching as well.

Squid Reverse Proxy + Mod_Security = Next Generation Defense Perimeter!

I should have written more but I'm tired now ...... sweet dream guys...ZzzzZZZZ....Snorting.....

Friday, October 14, 2005

Python - The next generation hacker language?

Why PYTHON?

There are more and more sec/hack tools created using Python nowadays, for example flowgrep, scapy, etc. Performance issues aside, Python seems to be one of the greatest scripting languages ever for writing sec/hack tools. Modular design and object orientation make it shiny yet powerful; clean implementation, fewer lines of code and human readability make it a perfect language even at the debugging level.

Get a python kickstart at http://diveintopython.org now.

Unleash the power of SNAKE, don't spend more with less!

Tuesday, October 11, 2005

~Flowgrep v0.9 powered by Libdistance~

For anyone who attended HITB Sec Conf this year, you might still remember the shiny presentation of Jose Nazario regarding libdistance.

Waking up from the dead this morning, I received an email from Jose saying that he has finished the initial stage of getting libdistance to empower flowgrep. I'm totally happy with that, since Jose has really done what I requested during HITB Sec Conf, and I very much appreciate it. I can't wait to try it now, therefore what I can do is get it installed on my FreeBSD analyst workstation.

In order to get flowgrep-0.9 working for you, install the FreeBSD packages or ports below.

Libnet-1.0.2a
libpcapnav-0.5
python-2.4.1_3
swig-1.3.25_1
perl-5.8.6.2

Once you have all the dependencies, you can start downloading libdistance from Jose's site.

shell>cd /usr/local/src

shell>wget http://monkey.org/~jose/software/libdistance/libdistance-0.2.1.tar.gz

shell>tar xvzf libdistance-0.2.1.tar.gz

shell>cd libdistance-0.2.1

shell>make

To have access to libdistance from Python, you have to install the Python binding too.

shell>cd python

shell>python setup.py install

We are done with libdistance now; time to fetch the flowgrep-0.9 source.

shell>wget http://monkey.org/~jose/software/flowgrep/flowgrep-0.9.tar.gz

shell>tar xvzf flowgrep-0.9.tar.gz

shell>cd flowgrep-0.9

shell>cp flowgrep.py flowgrep

shell>python setup.py install

Flowgrep 0.9 will be installed in /usr/sbin.

I had installed flowgrep 0.8 previously from the FreeBSD ports, and it doesn't really matter since that one is in /usr/local/sbin.

Flowgrep version 0.9 has libdistance integrated; it is more powerful now! I still need more time to explore the new flowgrep; hopefully Jose will improve its performance in the coming future.

Faithful thanks to Jose Nazario, you are a real Monkey!

Netgear WG311T

I have bought the Netgear WG311T wireless PCI adapter; it comes with an Atheros chipset. So I just plugged it into my pfSense (FreeBSD 6.0 kernel) box and automagically it detected it as ath0. Thanks to Kaeru from myoss for introducing me to this adapter.

Now I have just configured it as my wireless AP and I'm on the run :)

Whoever likes D-Link products, you can buy this model, which uses an Atheros chipset too: dwl-G520.

Netgear and D-Link don't pay me for advertisement; I just mention them here to help anyone who wants to buy valuable wireless products that work well with OSS.

Monday, October 10, 2005

(-: Atheros pleasure :-)

For any Linux/BSD wireless users, the Atheros chipset is always well supported. I have always asked myself where I can find Atheros chipset wireless products, and here we go :)

http://customerproducts.atheros.com/customerproducts/

Hopefully this may help you a lot instead of googling nowhere :P

Enjoy!

Sunday, October 09, 2005

Snort + Nessus News

Sourcefire, the company founded by Marty Roesch (Snort's father), was acquired by Check Point. However, Snort's license will still remain GPL; Check Point claims that they will continue supporting the Snort community, and I'm not really sure how they define "support" in this case. I'm still happy with this as long as Snort remains open source.

Here comes the bad news: Nessus v3 goes closed source, so we no longer have access to the Nessus source code. But it will be distributed in binary form, trying to support as many OS platforms as possible.

Will more and more open source projects go commercial after they are well established? I do think it might be the trend in the future, where you will see more and more open source projects get into the commercial world.

Friday, October 07, 2005

Ubuntu Linux Sguil-Client - the quick and easy

Ubuntu Linux is now gaining more and more popularity, and I have been asked whether deploying a sguil sensor on Ubuntu Linux is easy. However, since I have had no time to try that out yet, I previously gave sguil-client a shot instead, since I have Ubuntu installed as a desktop on one of my machines. Wonderfully, it is so easy to get it working ...

Tcl8.4 and Tk8.4 are already installed by default when you install Ubuntu Linux as a desktop instead of a base installation, therefore we just install the other packages needed by sguil-client. Here we go:

shell>sudo apt-get install tcltls
shell>sudo apt-get install tcllib
shell>sudo apt-get install tclx8.4
shell>sudo apt-get install iwidgets4

itcl3 and itk3 will be installed while you fetch and install iwidgets4, so now we already have all the dependencies and can start downloading the sguil client.

shell>wget http://jaist.dl.sourceforge.net/sourceforge/sguil/sguil-client-0.5.3.tar.gz

Just untar it and you will find a sguil.tk in the client directory. You can either double click the sguil.tk file or just run sguil.tk, and you will have the sguil analyst console popping up :)

Remember to edit the paths in sguil.conf and you are good to go.

set BROWSER_PATH /usr/bin/firefox
set ETHEREAL_PATH /usr/bin/ethereal

Done!

Thursday, October 06, 2005

[[HITB Sec Conf 2005 Presentation Slides]]

For anyone who wants quick access to the HITB Sec Conf 2005 presentation slides, you can download them @t

ftp://ftp.prabu.us/hitb2005/

Enjoy :)

Thanks to Prabu the Speedy!

Wednesday, October 05, 2005

Nice shots in HITB Conf 2005

Discussions with Dr. Jose Nazario
Joanna from Invisiblethings.org ;)

Thanks to Paul Ooi for sending me the pics of me at the HITB event!

Tuesday, October 04, 2005

Netdude dancing with Sguil Client !

I have just finished my reading of the sguil user mailing list. One interesting mail caught my eye, asking whether netdude can replace ethereal, since ethereal is not available in the OpenBSD ports anymore. So I just tried it out to see if it works, since I had netdude installed previously; here we have another replacement for ethereal - Netdude :).

If you don't know what netdude is, check out the link below.

http://netdude.sourceforge.net/

Here is the screenshot of it; seeing is believing ...