Wednesday, November 30, 2005

Scapy - Better Traceroute?

Traceroute is handy when troubleshooting a network, and one of the functions Scapy provides is traceroute. The traditional traceroute, which relies on ICMP and UDP (or sometimes DNS), is no longer effective or accurate these days. Scapy's traceroute uses TCP by default, which is closer to how the world works now that more and more ISPs discard or block ICMP or UDP. You can achieve the same thing with traceroute -P tcp, though. Another thing I like about Scapy's traceroute is that it can trace to multiple hosts simultaneously if you put the hosts you want to trace in a list. To visualize the traceroute result graphically, you need ImageMagick and graphviz.

Multiple traceroutes in action.

This is the traceroute result displayed graphically using graphviz and ImageMagick.

Monday, November 28, 2005


I will be launching a new site soon; currently I'm busy with the write-ups on the Sguil Installation Guide On OpenBSD-3.8 and the FreeBSD Network Analyst Workstation Handbook, so my hands are full.

So why do I personally like the word dissect, which FreeDictionary defines as

1. To cut apart or separate (tissue), especially for anatomical study.
2. To examine, analyze, or criticize in minute detail: dissected the plan afterward to learn why it had failed. See Synonyms at analyze.

Everything is dissectible from my point of view, as long as you have enough data in hand. Data collection is important these days, because without it nothing is dissectible; that's where Sguil fits my need :]

What will it be covering? It will be a site about analysis and forensics, and I will upload all the write-ups to it as well. Currently I'm doing it alone, so I welcome input from you all, and if you wish to join me, please email me, since I find it hard to maintain all the stuff of interest by myself.

Stay tuned .....

Saturday, November 26, 2005

Live Analysis On a Hacked Linux Server

When it comes to analyzing a hacked Linux server live, most probably it's HARD. It's HARD in the sense that we can't do imaging and perform dead analysis, since the server can't have any downtime. However, we can still track down what is currently running or malfunctioning on the server with ps, netstat and memgrep. Some will say you must have clean, trusted binaries for forensic purposes, which is certainly true: you can download static binaries from the Incident Response Live CD, Helix, which provides them, or compile your own trusted binaries if you prefer.

Memgrep is a tool to search, replace, or dump arbitrary memory from running applications and core files. Potential applications for memgrep include reverse engineering, debugging, and vulnerability assessment.

Below are the steps I took on my demo server, where I found a suspicious process called kf.

shell>ps auxww | grep kf

nobody 23437 0.0 0.0 1468 856 ? S Nov17 0:00 ./kf

I chose the -p option since it shows the pid. This is useful when you want to track down which process currently has a listening port, or is initiating a connection to the internet.

shell>netstat -anp | grep 23437

tcp 0 0* LISTEN 23437/kf
unix 2 [ ] STREAM CONNECTED 399392712 23437/kf

Since we don't know what kf is doing, some would prefer lsof -p 23437; I just use memgrep here since it provides more valuable info. The -L option lists the memory segments of a process or core file.

shell>cd /nsm/memgrep/

shell> ./memgrep -p 23437 -L

.bss => 0804a874
.data => 0804a6a0 (96 bytes, 0 Kbytes)
.rodata => 0804959c (226 bytes, 0 Kbytes)
.text => 080489ac (3028 bytes, 2 Kbytes)
stack => bffe60bc

shell> ./memgrep -p 23437 -d -a 0x0804a6a0 -l 96

96 bytes starting at 0804a6a0 (+/- 0) as hexint...
0804a6a0: 00000000 00000000 0804a7d4 00000000 ................
0804a6b0: 00000000 00000000 00000000 00000000 ................
0804a6c0: 30786168 00000072 00000000 00000000 hax0r...........
0804a6d0: 00000000 00000000 00000000 00000000 ................
0804a6e0: 61202d3d 69696170 43616220 3030646b =- apaii baCkd00
0804a6f0: 63282072 30322029 2d203430 00000a3d r (c) 2004 -=...

Do you see the haxor? :]

shell> ./memgrep -p 23437 -d -a 0x0804959c -l 226

226 bytes starting at 0804959c (+/- 0) as hexint...
0804959c: 00000003 00020001 73736170 00206477 ........passwd .
080495ac: 6b637546 2166664f 000a2121 73727170 FuckOff!!!..pqrs
080495bc: 77767574 617a7978 65646362 32313000 tuvwxyzabcde.012
080495cc: 36353433 61393837 65646362 642f0066 3456789abcdef./d
080495dc: 702f7665 00786d74 7665642f 7974702f ev/ptmx./dev/pty
080495ec: 65642f00 74742f76 6f730079 74656b63 ./dev/tty.socket
080495fc: 6e696200 696c0064 6e657473 63666e00 .bind.listen.nfc
0804960c: 20736920 72617473 676e6974 002e2e2e is starting....
0804961c: 202c4b4f 20646970 6425203d 6557000a OK, pid = %d..We
0804962c: 6d30636c 30742033 72347020 7a316461 lc0m3 t0 p4rad1z
0804963c: 316b2033 73306464 002f000a 7665642f 3 k1dd0s.././dev
0804964c: 6c756e2f 6873006c 00692d00 454d4f48 /
0804965c: 0073253d 276e6143 6f662074 70206b72 =%s.Can't fork p
0804966c: 202c7974 21657962 622f000a 732f6e69 ty, bye!../bin/s
0804967c: 00000068 /sh.

If you know the apaii backd00r or its variants, please give feedback, since I can't find any info about it on the internet after googling ..... til next time :]
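As an added example (my code, not the post's and not part of memgrep), here is a small Python parser for the hexint dump format memgrep printed above: it rebuilds the raw bytes of each segment and pulls out printable strings with their virtual addresses, so the "apaii baCkd00r" banner, the pty device paths and the /bin/sh string can be extracted without reading the hex by eye. The dump text is copied from the two memgrep runs above.

```python
import re
import string

# Lines copied from the memgrep dumps above: the .data segment of the suspicious
# kf process (memgrep -p 23437 -d -a 0x0804a6a0 -l 96) and its .rodata segment
# (memgrep -p 23437 -d -a 0x0804959c -l 226).
DATA_DUMP = """\
96 bytes starting at 0804a6a0 (+/- 0) as hexint...
0804a6a0: 00000000 00000000 0804a7d4 00000000 ................
0804a6b0: 00000000 00000000 00000000 00000000 ................
0804a6c0: 30786168 00000072 00000000 00000000 hax0r...........
0804a6d0: 00000000 00000000 00000000 00000000 ................
0804a6e0: 61202d3d 69696170 43616220 3030646b =- apaii baCkd00
0804a6f0: 63282072 30322029 2d203430 00000a3d r (c) 2004 -=...
"""

RODATA_DUMP = """\
226 bytes starting at 0804959c (+/- 0) as hexint...
0804959c: 00000003 00020001 73736170 00206477 ........passwd .
080495ac: 6b637546 2166664f 000a2121 73727170 FuckOff!!!..pqrs
080495bc: 77767574 617a7978 65646362 32313000 tuvwxyzabcde.012
080495cc: 36353433 61393837 65646362 642f0066 3456789abcdef./d
080495dc: 702f7665 00786d74 7665642f 7974702f ev/ptmx./dev/pty
080495ec: 65642f00 74742f76 6f730079 74656b63 ./dev/tty.socket
080495fc: 6e696200 696c0064 6e657473 63666e00 .bind.listen.nfc
0804960c: 20736920 72617473 676e6974 002e2e2e is starting....
0804961c: 202c4b4f 20646970 6425203d 6557000a OK, pid = %d..We
0804962c: 6d30636c 30742033 72347020 7a316461 lc0m3 t0 p4rad1z
0804963c: 316b2033 73306464 002f000a 7665642f 3 k1dd0s.././dev
0804964c: 6c756e2f 6873006c 00692d00 454d4f48 /
0804965c: 0073253d 276e6143 6f662074 70206b72 =%s.Can't fork p
0804966c: 202c7974 21657962 622f000a 732f6e69 ty, bye!../bin/s
0804967c: 00000068 /sh.
"""

_LINE_RE = re.compile(r"^([0-9a-fA-F]{8}):\s+(.*)$")
_WORD_RE = re.compile(r"^[0-9a-fA-F]{8}$")


def parse_hexint_dump(text):
    """Rebuild the raw bytes of a memgrep '-d' hexint dump.

    memgrep prints up to four 32-bit words per line as native integers, so on
    the x86 box in the post each word's bytes come back out in little-endian
    order. Returns (base_address, bytes); header and prompt lines are skipped.
    """
    base = None
    blob = bytearray()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(blob):
            raise ValueError("non-contiguous dump line at %08x" % addr)
        words = []
        for tok in m.group(2).split():
            if len(words) == 4 or not _WORD_RE.match(tok):
                break  # the rest of the line is memgrep's ASCII column
            words.append(tok)
        for w in words:
            blob += int(w, 16).to_bytes(4, "little")
    if base is None:
        raise ValueError("no dump lines found")
    return base, bytes(blob)


def extract_strings(base, blob, min_len=4):
    """Like strings(1): [(virtual_address, text)] for every printable run of at
    least min_len bytes; newlines and NULs end a run."""
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    found, start = [], None
    for i, b in enumerate(blob):
        if chr(b) in printable:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((base + start, blob[start:i].decode("ascii")))
        start = None
    if start is not None and len(blob) - start >= min_len:
        found.append((base + start, blob[start:].decode("ascii")))
    return found


if __name__ == "__main__":
    for name, dump in (("data", DATA_DUMP), ("rodata", RODATA_DUMP)):
        base, blob = parse_hexint_dump(dump)
        print("%s: %d bytes at %08x" % (name, len(blob), base))
        for addr, text in extract_strings(base, blob):
            print("  %08x  %s" % (addr, text))
```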


I'm dealing with spammers and phishers most of the time these days and am currently analyzing them; this is one of the interesting logs I have in hand right now.

Shutting down spamming hosts is not effective from my point of view these days; there are way too many open proxies and SMTP relay daemons out there. I'm not blaming Windows, but Windows users who never patch their systems or aren't educated enough to understand cyber threats.

The root cause is still the man behind the spamming; catch them and prosecute. I have no tolerance for spammers and phishers. They ain't hackers, they are just a bunch of f**kers who use the internet as a channel to create junk and make money; apart from that, they are nothing.

And if you are a spammer or phisher, yet you read my blog, don't hate me, because you should know who you are.

No One Loves You!

Friday, November 25, 2005

Using Smbclient - Entering Windows World

This is just a quick view of smbclient usage; you should be able to figure it out yourself using the man page. I use it for my daily tasks since the real world is always a mix.

The -L option lists the shares available on a host given its hostname, and -I specifies the IP address; -I is useful when you don't have a name resolver, although you can also add a line to the /etc/hosts file, which does the trick.

Thursday, November 24, 2005

My Own Sguil Logo

Personally I don't really like the Sguil logo, so I decided to create my own. Since Sguil practises the NSM model, my idea is simple: a digital monkey with a sensor receiving the intrusion/extrusion signal. And if you look carefully, I have the signal written as NSM (:])

This is just my initial design; I will make it better once I have time. Give comments if you think it sucks :P

Thanks to Quak, my pal who did the graphic editing for me, since I'm not keen on that.

Gdesklets - The Ultimate Resource Killer

I have been using Ubuntu Linux for quite some time, and one of the eye-candy applications I'm using is gdesklets. However, gdesklets is the ultimate resource killer. I have an Ubuntu box with gdesklets installed and running starterbar. I have never used the starter bar to launch any application, but gdesklets quietly consumes virtual memory: at first I had acroread and firefox running and they crashed due to insufficient VM, then when it reached 700MB of VM size gdesklets finally crashed and I was able to launch other applications; the system became normal with no more lagging. Gdesklets consumes a little more VM from time to time, and something must be wrong in the application. I bet if I had a 2G swap partition, the VM consumed by gdesklets would hit 1G. What the hell is this little piece of software.

If you want eye-candy docking software, go for gkrellm or conky; they're much more lightweight compared to this monster.

Seeing is Believing!

Wednesday, November 23, 2005

MySQL 5 On OpenBSD 3.8

Binary Based Installation

Download mysql-standard-5.0.15-openbsd3.7-i386.tar.gz or mysql-5.0.16.tar.gz via

shell>tar xvzf mysql-standard-5.0.15-openbsd3.7-i386.tar.gz
shell>groupadd mysql
shell>useradd -g mysql mysql
shell>cd /usr/local/src
shell>tar xvzf mysql-standard-5.0.15-openbsd3.7-i386.tar.gz
shell>ln -s /usr/local/src/mysql-standard-5.0.15-openbsd3.7-i386 /usr/local/mysql
shell>cd /usr/local/mysql
shell>scripts/mysql_install_db --user=mysql
shell>chown -R root .
shell>chown -R mysql data
shell>chgrp -R mysql .

Running the MySQL server

shell>/usr/local/mysql/bin/mysqld_safe --user=mysql --basedir=/usr/local/mysql --datadir=/nsm/data --pid-file=/usr/local/mysql/data/

Source Based Installation (special thanks to Transporter for this)

shell>export CC=gcc CFLAGS="-O2 -fno-strength-reduce" CXX=gcc CXXFLAGS="-O2 -fno-rtti -fno-exceptions -felide-constructors -fno-strength-reduce"
shell>./configure --prefix=/var/mysql --enable-assembler --enable-openssl --enable-thread-safe-client

shell>gmake install
shell>chown -R root /var/mysql
shell>chown -R mysql /var/mysql/var
shell>chgrp -R mysql /var/mysql
shell>cp support-files/my-medium.cnf /etc/my.cnf
shell>/var/mysql/bin/mysqld_safe --user=mysql &

I still remember it was a pain to get MySQL compiled from source on OpenBSD last time, and it seems MySQL 5 cares about OpenBSD users as well by providing a binary installation. If you are a Sguil user, consider installing MySQL 5 from source, since mysqltcl needs it to compile properly.

Monday, November 21, 2005

Scapy Portability Page

My Scapy Quick Installation Guide has been imported into the Scapy Portability Page. You can find it here. It's my pleasure to help out, and thanks to the Scapy community on the mailing list for being so friendly and helpful.

Saturday, November 19, 2005

Scapy On FreeBSD 6.0

Quick Installation Guide

Scapy requires lots of dependencies, so I have to install them. Luckily we have all of them in ports/packages and you can go for either one. I prefer packages, as it is faster than compiling from ports.

libdnet-1.10 (/usr/ports/net/libdnet)
py24-pcap-0.4/0.5 (/usr/ports/net/py-pcap)
py24-pycrypto-2.0.1 (/usr/ports/security/py-pycrypto)
py24-PyX-0.8 (/usr/ports/graphics/py-PyX)
py-gnuplot-1.7 (/usr/ports/math/py-gnuplot/)
graphviz-2.2 (/usr/ports/graphics/graphviz)

Before you install those packages, you can specify which mirror site you want to fetch from.

If you are using tcsh or csh,

shell>setenv PACKAGESITE \

If you are using ksh or bash,

shell>export PACKAGESITE=\

You can find the mirror sites at the link below.

Installing PYTHON

shell>pkg_add -r python-

Installing libpcap from source

libpcap-0.9.4 (Packet Capture Library)

shell>tar xvzf libpcap-0.9.4.tar.gz
shell>cd libpcap-0.9.4
shell>./configure && make && make install

Installing libdnet-1.10 from port

*Note on libdnet - You have to install this from ports to enable the Python wrapper.

shell>cd /usr/ports/net/libdnet
shell>make WITH_PYTHON=yes install

Installing py24-pcap

*Note on py24-pcap - If you are installing py24-pcap-0.4, use the port; if you are going for py24-pcap-0.5, which is current, you can just install the package. Either way you still need to follow the steps below to get Scapy working.

Workaround for py24-libpcap-0.4

py24-pcap-0.4 (/usr/ports/net/py-pcap)

shell>cd /usr/ports/net/py-pcap/
shell>cd work/pylibpcap-0.4/
#Replace line 34 of by: if 0:
shell>cd ../..
shell>make install clean

Thanks to Guillaume Valadon for this :).

Workaround for py24-libpcap-0.5

That's a change in behavior between pylibpcap 0.4 and 0.5. If pcap_next fails it used to return a 3-tuple (garbage, None, garbage); now it just returns None, which (as the TypeError points out) is not subscriptable.

That line in scapy could presumably be changed to pkt = ( or (None,None,None)) [1] or the loop could be changed to

while 1:
    nextpkt =
    if nextpkt:
        ( pktlen, pkt, pkttime ) = nextpkt

Alternatively pylibpcap could be changed to return (None,None,None) in that case ... that seems like a less natural value than a plain old None, but it would also simplify the calling code a little bit in cases like this.

Just use the first option, changing the [1] to ( or (None,None,None)), and it will do. Thanks to Wim Lewis for pointing this out on the mailing list. Philippe has emailed to say it will be resolved in the next version -> 1.0.29.

Installing Other Needed Apps

For py24-pycrypto, py24-PyX, py-gnuplot, graphviz and ImageMagick, you can just install the packages.

shell>pkg_add -vr py24-pycrypto py24-PyX py-gnuplot ImageMagick graphviz

For PyX font mapping,

Check /usr/local/etc/pyxrc, or create a file in your home directory, ~/.pyxrc

Edit this line,

fontmaps =

then run


# updmap is a utility that creates font configs for dvips, pdftex, xdvi, etc. It updates the font map files for TeX output drivers; thanks ctime for the tip.

To avoid the informational message "Can't Open Ethertypes Files" when you run Scapy,

download the ethertypes file from this url - and put it into the /etc directory.

Get the latest Scapy now!


Now you can just run Scapy by typing ./ -s new.session

Extra Note:

To import Scapy as a Python module

shell>cp /usr/local/lib/python2.4/

then you can launch python


In the Python shell:

import scapy
from scapy import *

That's all for now; I'm tired of writing. Hopefully this is helpful for users who want to run Scapy on BSD systems. Please appreciate my effort :)

I will be concentrating my writing on Sguil On OpenBSD 3.8 now, hopefully getting it done before the Sguil 0.6 release (:])

Scapy On OpenBSD 3.8

Quick Installation Guide

Below are all the packages/sources that need to be installed to get Scapy running properly.


Installing libpcap from source

libpcap-0.9.4 (Packet Capture Library)

shell>tar xvzf libpcap-0.9.4.tar.gz
shell>cd libpcap-0.9.4
shell>./configure && make && make install

Depending on which shell you are using (the default is ksh),

shell>export PKG_PATH=\

or if you are using csh,

shell>setenv PKG_PATH \

Note: You can find lots of mirrors at this url; pick one near your location ->

Now you can install all the packages easily with

shell>pkg_add ${PKG_PATH}libdnet-1.10.tgz

shell>pkg_add ${PKG_PATH}python-2.3.5p2.tgz

shell>pkg_add ${PKG_PATH}py-libpcap-0.5.3p0.tgz

shell>pkg_add ${PKG_PATH}py-crypto-2.0.tgz

shell>pkg_add ${PKG_PATH}gnuplot-4.0.0.tgz

shell>pkg_add ${PKG_PATH}py-gnuplot-1.7.tgz

shell>pkg_add ${PKG_PATH}graphviz-1.16p1.tgz

Installing PyX-0.8.1 from source - for psdump() and pdfdump() to function properly

There's a slight issue since PyX requires teTeX, including Type 1 fonts, and I had problems installing teTeX from packages since I got an md5 checksum mismatch. However, you can still install PyX and use psfonts.cmz instead.

PyX-0.8.1 (Python Graphics Package)

Choose any PyX download mirror ->

shell>tar xvzf PyX-0.8.1.tar.gz
shell>cd PyX-0.8.1
shell>python build
shell>python install

To use the font psfonts.cmz

>>>from pyx import *

To avoid the informational message "Can't Open Ethertypes Files" when you run Scapy,

download the ethertypes file from this url ->
and put it into the /etc directory.

Get the latest Scapy now!


Now you can just run Scapy by typing ./ -s new.session

Finally I got this write-up done; next will be the quick installation guide for FreeBSD. Stay tuned!

Scapy Sniff Offline Mode

In the previous post I showed how you can read a pcap file with rdpcap(); however, you can do the same thing with sniff(): if you run the sniff function in offline mode, it will read the pcap file instead of sniffing on the fly. Then again, you will be able to replay the pcap file with it :]

This time Scapy runs on the OpenBSD platform; puffy rocks.

Friday, November 18, 2005

Packet Analysis with Scapy

So you like Ethereal, the wonderful tool for network analysts. This is good news, especially for OpenBSD users who no longer have Ethereal in their ports/packages build. Download Scapereal from this url and put it into the same directory as ; you also need py-gtk for it to work properly. Thanks to Pierre for this. In the screenshots below you will see how I import Scapereal, which allows you to analyze packets via an Ethereal-like interface.

After importing Scapereal, you will be able to call ethereal().
Highlighting is sweet!
Nice huh ... ..

I have successfully run Scapy on OpenBSD as well and will probably blog about Scapy installation on both FreeBSD and OpenBSD very soon. I'm still having a little issue with the FreeBSD Scapy build and will resolve it as soon as possible.

Special thanks to Guillaume Valadon for pointing out the issue and workaround for the FreeBSD Scapy build.

Thursday, November 17, 2005

Replaying Traffic With Scapy

While I have mentioned how powerful Scapy is, here is a little demo of how you can use Scapy to work like Tcpreplay. I will show more little tricks when I have time to explore Scapy and master Python well enough (:])
You can see I get an error when I try to send the packet the first time: send is used for sending packets at layer 3, which is not working since I'm in the LAN, so I send via sendp, which sends packets at layer 2, and it works.

rdpcap is a function used to read pcap files; since you can manipulate the pcap file, of course you can replay the network traffic with it.

Monday, November 14, 2005

Scapy = Master Once, Do It All Kung Fu

I have mentioned scapy quite a few times in my blog. Thanks to Philippe BIONDI, father of scapy, and the rest of the OSS folks that help.

What is scapy anyway?
Scapy is a powerful interactive packet manipulation program written in Python. It allows you to do almost everything, including packet forging, decoding, engineering, tracing, network mapping, etc. This is the only tool that deals with human limitation instead of program limitation. Why human limitation? Because if you lack knowledge of a certain network protocol, you can't create a functional packet for it. Scapy itself supports a wide range of protocols and allows you to specify any field in the packet, so the limitation comes down to human imagination.

Master Once, Do It All Kung Fu?
Indeed yes; mastering Scapy ain't easy, as it requires a little Python scripting knowledge, and you only take full advantage of Scapy if you understand TCP/IP well enough. The RFCs are a good place to start, or for a quick start read W. Richard Stevens' TCP/IP Illustrated series.

Here I will demonstrate how to construct a packet sent to a remote host on destination port 22 with the SYN flag set.
Scapy in Action!
This is the tcpdump output on the host
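An added example, my code rather than the post's or scapy's: the same SYN-to-port-22 packet built by hand in pure Python, which shows the header fields and checksums scapy fills in for you, and, in build_frame(), the Ethernet framing that separates sendp() from send() in the replay post above. Addresses and MACs are documentation values, and nothing is transmitted.

```python
import struct


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip):
    """Dotted quad -> 4 network-order bytes."""
    return bytes(int(octet) for octet in ip.split("."))


def build_tcp_syn(src_ip, dst_ip, sport, dport, seq=0, ident=1, ttl=64):
    """Layer-3 packet: IPv4 header + 20-byte TCP header with only SYN set.

    This is what IP(dst=...)/TCP(dport=22, flags="S") assembles for send();
    routing and Ethernet framing are then left to the kernel.
    """
    tcp_len = 20
    # IPv4: ver/ihl, tos, total length, id, DF flag, ttl, proto 6 (TCP),
    # checksum placeholder, source, destination.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ident, 0x4000,
                         ttl, 6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    # TCP: ports, seq, ack, data offset 5 words, flags 0x02 = SYN, window,
    # checksum placeholder, urgent pointer.
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02,
                          8192, 0, 0)
    # The TCP checksum also covers a pseudo-header: src, dst, zero, proto, TCP length.
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr


def build_frame(src_mac, dst_mac, packet):
    """Layer-2 frame: Ethernet II header (dst, src, EtherType 0x0800) in front
    of the IP packet. This is the framing step sendp() performs itself and
    send() leaves to the kernel."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + packet


def verify_checksums(packet):
    """Recompute both checksums over a finished packet; a valid one folds to 0."""
    ip_hdr, tcp = packet[:20], packet[20:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip_hdr) == 0 and checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    # Documentation addresses and locally administered MACs; nothing is sent.
    syn = build_tcp_syn("192.0.2.1", "192.0.2.22", 40000, 22, seq=1)
    frame = build_frame(bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), syn)
    print("layer 3:", syn.hex())
    print("layer 2:", frame.hex())
    print("checksums ok:", verify_checksums(syn))
```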

There is more you can do with scapy; check out the Scapy site, as it has a very handy tutorial on the front page.

Monkeying with Scapy Kung FU (:])

<<- HITB 2003 - 2005 T-Shirt ->>

Here is my collection of HITB t-shirts since 2003; I still keep them nicely. Now putting them in different display views :]

I like the last shot, would prefer to s/c/X

Forgot your Nessus password?

I have had one machine with Nessus installed for a while, and realized I needed to launch it for vulnerability checking today. I quickly ran the Nessus client and started connecting to the Nessus server daemon; oops, I had forgotten the username and password since I hadn't used it for around 2 months and thought I would be able to remember it, which was not the case.

Quickly checking the Nessus tools under /usr/local/sbin, I found nessus-adduser. So this should solve the problem for a forgetful folk like me. Below is a screenshot for a quick view.

Even though Nessus has gone commercial and closed source, I will still use it and plan to upgrade to version 3.0 when I have time. It is still a wonderful application that works like a charm and serves its purpose :]

Saturday, November 12, 2005

Snort2c - Active Response Tool for PF

I have used snort2c to defend against certain threats before and thought I should blog about it; having been asked by some friends in #pf, I decided to give it a ride (write).

Normally people fail to differentiate active response from a true IPS system. I myself never tried to compare the two, but normally an active response system will fail against a single-packet exploit with a small footprint.

Like other active response tools such as snortsam (I wish I had time to play with this), fwsnort, etc., snort2c is based on snort, hence we need snort running on the system. I never had a hard time getting snort compiled from source on an OpenBSD box. I will jump directly to the configuration part, since getting snort2c working on the system is easy too.

First create a whitelist for a certain IP or range of IPs; for example, I want to be whitelisted permanently.

shell>echo > /nsm/whitelist

Running snort

shell>snort -i le1 -c /nsm/snort-2.4.0/rules/snort.conf -l /var/log/snort -D

Running snort2c on bootup

shell>snort2c -s -w /nsm/whitelist -a /var/log/snort/alert

The -s option is the best switch, as it turns on init mode and creates the snort2c table automatically for you with block-and-return rules; that's why it's good to run it on boot. If you want to configure and run snort2c manually, please refer to the snort2c site; just follow the instructions at the url and you are done.

Then you can run snort2c manually by,

shell>snort2c -w /nsm/whitelist -a /var/log/snort/alert

Snort2c provides a tool to monitor its table, called mons2c. You can print the blocked IPs, flush the snort2c table or delete an IP from it. However, since I'm more used to pfctl, I can use the native pfctl to achieve the same thing.

To print the blocked IPs; with -v the output is even cleaner.

shell>pfctl -t snort2c -v -T show

To delete a blocked IP, for example

shell>pfctl -t snort2c -T delete

Flushing the snort2c table

shell>pfctl -t snort2c -T flush

Adding an IP to the snort2c table

shell>pfctl -t snort2c -T add

Remember to tweak your snort rules properly to avoid locking yourself out :P. I have deployed this on my OpenBSD bridge device and it works properly for me; with this transparent bridge I am able to plug it in or out without changing the network architecture, which makes it flexible enough as a fast incident response device.
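An added example, not part of the post or of snort2c: a Python sketch of the decision snort2c makes for each alert, reading Snort's full-format alert file, checking the alert source against the whitelist, and returning the pfctl table commands it would run instead of executing them, which also shows why the whitelist matters for the lockout problem above. The alert records and whitelist are constructed; the code assumes a one-address-or-CIDR-per-line whitelist and that the offending address is the alert's source, neither of which the post spells out.

```python
import ipaddress
import re

# Constructed sample in Snort's "full" alert format, the file snort2c watches
# with -a /var/log/snort/alert. SIDs are in the local-rule range and the hosts
# are documentation addresses; none of this is real traffic.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] LOCAL SSH brute force attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/12-10:02:03.123456 203.0.113.7:40122 -> 192.0.2.10:22
TCP TTL:52 TOS:0x0 ID:4021 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] LOCAL SMB probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/12-10:02:05.554433 198.51.100.9:1025 -> 192.0.2.10:445
TCP TTL:113 TOS:0x0 ID:1 IpLen:20 DgmLen:48

[**] [1:1000001:1] LOCAL SSH brute force attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/12-10:02:09.000001 192.0.2.50:51000 -> 192.0.2.10:22
TCP TTL:64 TOS:0x0 ID:7 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] LOCAL SMB probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/12-10:02:11.000002 198.51.100.9:1026 -> 192.0.2.10:139
TCP TTL:113 TOS:0x0 ID:2 IpLen:20 DgmLen:48
"""

# Constructed whitelist (assumed format: one address or CIDR per line). The
# analyst's own LAN is listed so a rule firing on our own traffic cannot lock
# us out of the bridge.
SAMPLE_WHITELIST = """\
# analyst network, never block
192.0.2.0/24
"""

_ALERT_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+) \[\*\*\]$")
_PKT_RE = re.compile(
    r"^\S+ (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")


def load_whitelist(text):
    """Parse the whitelist into ip_network objects; blank and # lines are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_alerts(text):
    """Yield (sid, message, src, dst) for each record of a full-format alert file.

    A record starts with the [**] [gid:sid:rev] line; the address line that
    follows is the one that names the endpoints (ICMP alerts carry no ports).
    """
    sid = msg = None
    for line in text.splitlines():
        m = _ALERT_RE.match(line)
        if m:
            sid, msg = m.group(1), m.group(2)
            continue
        m = _PKT_RE.match(line)
        if m and sid is not None:
            yield sid, msg, ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            sid = msg = None


def plan_blocks(alert_text, whitelist_text, table="snort2c"):
    """Decide which alert sources would be added to the pf table.

    Returns (commands, skipped): one "pfctl -t <table> -T add <ip>" per distinct
    non-whitelisted source, in first-seen order, and the (ip, sid) pairs that
    were left alone because the source is whitelisted.
    """
    nets = load_whitelist(whitelist_text)
    to_block, skipped = [], []
    for sid, _msg, src, _dst in parse_alerts(alert_text):
        if any(src in n for n in nets):
            skipped.append((str(src), sid))
        elif str(src) not in to_block:
            to_block.append(str(src))
    commands = ["pfctl -t %s -T add %s" % (table, ip) for ip in to_block]
    return commands, skipped


if __name__ == "__main__":
    cmds, skipped = plan_blocks(SAMPLE_ALERTS, SAMPLE_WHITELIST)
    for c in cmds:
        print("would run:", c)
    for ip, sid in skipped:
        print("whitelisted, not blocked:", ip, "(alert", sid + ")")
```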

Friday, November 11, 2005

For mrxvt user ...

If you are an mrxvt user (the multiple aterm), linuxlah has again published a tip on mrxvt in his blog; check it out to learn the new trick, and this time it's in Python, which is my preferred scripting language.

Cheers :]

Wednesday, November 09, 2005

Interesting Talk - Banking Industry

Last night I talked to a friend I hadn't met for the last two years; she is working in the banking industry. What made the conversation interesting was when she told me a lot about the incidents that happened in that field - phishing, social engineering, and internal threats. I also came to understand the banking system somewhat through the conversation. The whole two and a half hour conversation sounded like an interview, or maybe a survey for me to understand the current threats to the banking industry. Or maybe I shouldn't have talked to a girl like this to attract her attention, but I'm just too fascinated with this type of real-life story telling. From what we talked about, I have summarized the points below.

1. Human exploitation is much easier to do than electronic hacks.

2. The banking system (not really computer related) is not tight enough; there are certain ways to circumvent the rules and regulations. Most bad guys play with the rules instead of breaking them.

3. Human mistakes tend to happen, which gives lots of chances for a system to be compromised.

4. Trust relationships are also an issue; sensitive information is not only stored in systems but in human beings.

5. Internal threats are happening, and human control is considered hard to achieve. Blind spots are always discovered by internal people, since they know how the banking system works.

Consider this one insight talk regarding the banking industry in Malaysia; if you know someone or are working in the banking industry, please send me info, or at least any threats that have currently been discovered that are not published on the internet. I would like to hear from you.

This is nothing related to the topic, just a message to my friend. It's been nice having a conversation with you; even though I haven't met you for so long, the beautiful part of you is that you don't change much (I mean behaviour, mind and thinking) and have wonderfully become more mature, while most people change after they get out of school. Natural is what you have.

~Smart & Intelligence is what a girl need in New Age~

Tuesday, November 08, 2005

TCPtrace - Little Correction :S

In my previous post regarding tcptrace I mentioned it does not play well with UDP; however, this is not the case. You can collect UDP session data flows using the -u option, and the best part is you can even selectively collect or ignore UDP flows by specifying --oUDP and --iUDP.

Another thing I would like to point out is the add-on modules available for tcptrace, such as the TRAFFIC module, HTTP module, etc. You should get your hands dirty with them, because each does a very good job in one specific area rather than only producing general output. I will demonstrate some usages when I have time.

Time ain't enough, should I summon another 24 hours for you?

Cheers :]

Monday, November 07, 2005

The Network Analyst Workstation Handbook

FreeBSD, the robust operating system that serves almost every purpose right, has been my workstation for analysis work all along. I will start to write a handbook for network analysts to build a perfect workstation for their work. This is nothing big; it's just what and how I use to perform my daily tasks, including incident handling, network forensics, troubleshooting and incident response. However, the handbook is not limited to those uses; you can set up your workstation for your own needs.

My window manager of choice will still be fluxbox, and I will explain why fluxbox suits analysts and how to configure and tweak fluxbox to keep your analysis work neat and clean :).

I will keep updating the handbook whenever I discover new tools or tricks to perform the job; it will be published in my blog first and then imported into the handbook. Of course the sguil client will be included, since I can't live without it.

With that you should be able to have your FreeBSD analyst workstation up and running in a day without googling.

No hassle, easy going, and it will be released when I have all the write-ups completed (which will never be :P). I will include the config files as well so that you can import them into your system and don't have to configure it manually.

Saturday, November 05, 2005

{Puffy} and ^RedDevil^ Released

I bet most of you already knew this, but I'm blogging it for my own record: OpenBSD 3.8 and FreeBSD 6.0 are now available. For people who love BSD, you can now download them via ftp mirrors, BitTorrent or http sites. Enjoy, and cheers again to the BSD teams for making it happen.

Both were released quite close together and totally fit my blog title - When Puffy meets RedDevil :-]

->Visualize Network Traffic<-

Using ttt (tele traffic tapper), tcptrace and xplot, you can view network traffic graphically. ttt especially is able to break down the protocols, summarize each protocol, and show the progress of the traffic as it loads the pcap file. Tcptrace can produce different types of output containing information on each connection seen, which sounds like tcpflow, but it also allows you to export the data to graphical output using the -G argument. The only weak point is that tcptrace can't play with UDP and ICMP packets. One really good thing about tcptrace is its very complete documentation, which gets you familiar with it and makes network troubleshooting effective. Xplot is the tool used to create and view useful graphs for analysts; it plays well with tcpdump, and if you have time, take a look at tcpdump2xplot.

Before I forget, a little news: sguil-0.6.0 rc2 has been released. I'm happy because it has finally moved to a more mature stage.

Here I will demonstrate how to use ttt, tcptrace and xplot to load and view intrusion traffic graphically.

First I log in to the Sguil analyst console and check the blue highlighted line (second line in the first pane); I load it into Ethereal by right-clicking on its sid.cid (2.81).

This downloads the raw file (pcap format) and loads it into Ethereal.

Here's how the network traffic is shown in Ethereal.

You can now either go to File->Save As to save the pcap file, or just press shift+ctrl+s; I personally saved it as Sparc_shellcode_noop.pcap under the /home/geek00L/Learn_traffic directory.

Now I start my mrxvt terminal and launch tcptrace,

shell>tcptrace -l Sparc_shellcode_noop.pcap

The result is shown in the screenshot below; it shows all the useful information. -l gives long output, similar to verbose mode in other tools.

shell>tcptrace -lr Sparc_shellcode_noop.pcap

With -r it will even summarize the round-trip time information. This is good for network troubleshooting, isn't it?

Building graphs from the pcap data is easy with tcptrace; just use the command below,

shell>tcptrace -G --output_dir=~/Learn_Xplot/Sparc_Noop_Shellcode --output_prefix=SSC_ Sparc_shellcode_noop.pcap

A little explanation of the command line above: -G builds all types of graphs, --output_dir is the directory the output goes to, and --output_prefix is useful because you can specify a prefix for each output file so that we don't mix up different traffics. The output files are all in xpl format, which you can view using xplot.

All the graphs here show traffic from to . The first graph illustrates outstanding data bytes; I run xplot to view it. Xplot isn't hard to use: if you want to zoom in on the graph, just drag your mouse over the part you want to zoom in on and left-click; to exit the graph, right-click.

shell>xplot SSC_a2b_owin.xpl

Second graph shows the round trip time :)

Third one shows the throughput.

This one shows the time sequence graph.

At last we have the one showing timelines; I bet you find this familiar if you have read W. Richard Stevens' TCP/IP book.

I zoom in with a left mouse click.

And the connection is terminated by a reset packet sent from

And I exit the graph with a right mouse click. Now I will show ttt. I load the MS05-047 exploit traffic; since I don't filter out other traffic, you will see how ttt breaks up the protocols. Just enter the command below.

shell>ttt -dumpfile MS05-047_traffic.pcap

This one shows the progress of the traffic for the Sparc_shellcode_noop intrusion when I just run

shell>ttt -dumpfile Sparc_shellcode_noop.pcap

You can print the data in postscript format by clicking the print button below, and it will be saved in /tmp.

While I was listening to Mikko Hypponen of F-Secure speaking at the HITB2005 security conference about how viewing malicious code in a 3D graphical view saves a lot of work, I wondered whether it would do the same if we were able to view network data graphically; for sure it would. I'm still wondering whether there is any tool that lets us load a pcap file into a graphical view and, when we click on the graph, shows which network packet is actually at that point. That could save a lot of work for both network and security analysts performing network troubleshooting and forensics. I think netdude should be able to do it quickly if they had an xplot plugin. However, I wish Ethereal had this capability to ease the task of the network analyst. All the tools above are available in FreeBSD ports/packages, and shouldn't be hard to find on Linux.

My last word here is: please leave comments if you read my blog, and tell me whether it is good or bad so that I'm able to improve it. Thanks :-]

I really need inputs from readers .....

Offline - Taking good care of my eyes

I was offline and away from the computer screen for the last two days, which is good for my eyes, as both of them have been getting worse since I changed my job. Now I'm back online, and the first thing that needs to be done is upgrading my blog; hopefully everyone is fine and getting started on work now :).

Tuesday, November 01, 2005

Do you like your ISP?

Here I present to you the best survey ever! Mr.ISP is surveying and he found his target - Mr.XYZ.

Below is their dialogue .....

Mr.ISP: What is the best experience and offer by Tmnut Screamyx so far?

Mr.XYZ: Terminate my line if I haven't paid the bills for 3 months even though they don't send me bill or send to wrong address.

Mr.ISP: Do you think they are able to help you fix your internet connection in time after you have been bugging them?

Mr.XYZ: No, the only immediate action they will take is if you don't pay their bills.

Mr.ISP: Why don't you change internet service provider?

Mr.XYZ: This fucker monopolizes(pollutes) the market!

Mr.ISP: Tmnut offers a 1Mb connection, don't you like fast internet?

Mr.XYZ: What do you expect?! I pay for 1Mb, and I get 512kbps and sometimes less. I want a REFUND!

Mr.ISP: Thank you. This is honest feedback indeed.

Mr.XYZ: You better get out of my way fast, else I gonna poke you!

To be continued .....

If you think I'm making a stupid joke, sorry that you totally have no idea what I'm talking about.... this is a fact.

Everyone loves truth!!!!!