Monday, July 31, 2006

Home Made Network Tap

Commercial network taps tend to be expensive, so I'm always looking for alternative ways to build my own network tap device. This is more suitable for a home network environment since it is cheap to build. If you are interested in how to build one so that you can learn more about network traffic monitoring, check out these write-ups -

http://www.altsec.info/passive-network-tap.html

http://www.sun.com/bigadmin/content/submitted/passive_ethernet_tap.html

Feel free to build one!!!!!

Enjoy ;]

Sunday, July 30, 2006

Fosscar Presentation Slides

Finally I'm done with the Fosscar presentation. I'm glad to have met mel, jayakumar, angch and all the folks like xwings, ditesh, and so forth. As I promised, I have already uploaded the presentation slides and you can download them via -

http://www.dissectible.org/anonymous/Misc/Fosscar-2006.pdf

By the way, Malaysia seriously needs more and more conferences of this kind.

Cheers :]

OpenBSD Sguil Client Ports

I haven't been blogging for quite some time, and I think I should blog about this. Nikns has created OpenBSD Sguil client ports; what I mean is that he created all the ports for the libraries needed to get the Sguil client working. If you happen to run Sguil on OpenBSD, please do try them out and send a report to the OpenBSD ports mailing list. He will most probably appreciate that. Thanks.

You can download those ports via

http://secure.lv/~nikns/stuff/ports/

Cheers :]

Friday, July 21, 2006

Wireshark-0.99.2 Released

For people who haven't noticed, Wireshark has been silently released. I think most people should already know that the core developer left the company and joined another outfit. Wireshark 0.99.2 is released; it is the same old Ethereal but with a different name, bug fixes and improvements. Check out the site.


Beware of shark .....

Cheers :]

Tuesday, July 18, 2006

Tcptrack - Monitoring on the fly

I haven't been writing anything regarding NSM tools recently, and yes, I'm actually busy writing and editing my handbook. Here's another interesting tool to monitor and track what is happening in your network.

While tools like iftop and bwm-ng can give you a clear view of your network interface statistics, tcptrack takes it further by allowing you to monitor the network by specifying a BPF-like filter. It can provide a quick view when you suspect that your network is being hacked or has malicious events running. The only weak point of tcptrack, as its name implies, is that it doesn't track ICMP and UDP based connections, thus you can't get an overview of all the network activity happening in the network. I installed tcptrack via the FreeBSD port/package since it is the easiest way to get it installed, and I just need to run,

shell>tcptrack -i fxp0 -r 10

It will start to sniff on the fxp0 interface, and with -r 10 it will refresh the screen so that closed connections won't be shown anymore, as they are meaningless. You may notice that it shows the total connections at the footer. You can pause it and sort it with the p and s keys.


If you just want to see the connections that belong to 10.0.0.1 alone, you can run -

shell>tcptrack -i fxp0 -r 10 src or dst 10.0.0.1

You can also check whether your server - 192.168.0.100 - is connecting to a non-legitimate SMTP server by specifying -

shell>tcptrack -i fxp0 -r 10 src 192.168.0.100 \
and dst port 25

If you suspect your network is infected by worms such as Sasser or Korgo, which launch outbound connections to port 445 exploiting LSASS, you can run this command to check the outbound traffic from your network. For example, let's say your network is 192.168.5.0/24. Just run -

shell>tcptrack -i fxp0 -r 10 src net 192.168.5 and dst port 445

Screenshot below shows the output -


Interesting huh, let's have fun with tcptrack.

Peace (:])

Interesting Network Adapter

I just found this cool Intel network card; while reading its spec, it is actually based on Endace enCap. I would like to know if anybody has experience with this card - the Intel Pro/1000MT Server Adapter. It seems to be a great network adapter to use for network security monitoring purposes, as we all know Endace is a vendor providing hardware which plays well with open source tools. Here's the info on the network adapter -

http://www.endace.com/enCap.html#


http://www.intel.com/network/connectivity/products/pro1000mt_server_adapter.htm

I plan to get this adapter and install it on a FreeBSD box. Please do share your experience if you have one; I would be glad to hear from you.

Cheers :]

Sunday, July 16, 2006

Bridge or Trunk?

When I was asked whether to use a trunk interface or a bridge interface when connecting an OpenBSD box to a network tap with RX/TX separated, I suggested trunk. The main reason is that the bridge interface you create is not doing network bonding, which means it doesn't actually aggregate the network traffic flowing into both network interfaces that have been added to the bridge interface. On the other hand, a trunk interface creates a single channel for the network interfaces bound to it. This feature, which the bridge interface lacks, makes a whole lot of difference. While trunk can survive heavy load since it uses a round-robin mechanism by default to process the packets, so you can share the load between the network interfaces bound to the trunk interface, bridge won't do so. If one of the network interfaces is under heavy traffic load, it may cause packet loss since bridge doesn't create a single channel to spread the network traffic across multiple network interfaces. This is a total failure because it makes the IDS deployment useless. I have blogged about it previously in case you didn't notice; here's the link. You may need to check out the screenshot below, where I run the vmstat and ifstat commands, to understand how the trunk interface works compared to bridge.


I only show the screenshot of the trunk interface; the bridge interface shows the usual result where each separate network interface has its own load based on the packets it intercepted.

Peace (;])

Gmail Lover

I always like small utilities that work well for me. I have been using this little utility called gmail-notify to track incoming Google mail automatically. If you are on FreeBSD, just pkg_add will do. Then create a file called .notifier.conf under your home directory; the content should be something similar to -

[options]
lang = English
voffset = 0
gmailusername = geek00L
checkinterval = 20000
gmailpassword = 123456
browserpath = opera-devel
popuptimespan = 5000
hoffset = 0
actionpath = play
animationdelay = 15

You may tweak your browserpath; mine is opera-devel since I'm using Opera, go with what you like. Note that the file holds your Gmail password in clear text, so keep it readable by your own user only (chmod 600 ~/.notifier.conf). To run it manually,

shell>/usr/local/bin/gmail-notifier

Nifty little util indeed .....

Cheers :)

Wednesday, July 12, 2006

)))Irresistable(((

Yeah I know I have been very busy lately, but I can't resist posting this screenshot .....

F34R me

Have fun :p

Monday, July 03, 2006

FreeBSD Based Projects

I like projects built on top of FreeBSD, and I have found two that actually grabbed my attention. The first one is Frenzy, the FreeBSD based sysadmin live CD; it uses Fluxbox as the main window manager and includes tons of useful tools for sysadmins. I will give it a try once I finish downloading it.

Another project is FreeNAS. FreeNAS is the answer to network attached storage systems. While many companies sell expensive NAS solutions, you can actually do the same thing by using FreeNAS, which is much more cost effective, especially for home users who can't afford them. I had it installed and up and running within minutes; the web based configuration, which is based on m0n0wall, is very clean.

I suggest you take a look at them, for the fun of it -

http://frenzy.org.ua/en/

http://www.freenas.org/

Till next time .....

Cheers :]

Sunday, July 02, 2006

FreeBSD - Qemu with Multiple NICs

Previously I set up qemu for testing by using the quick how-to at the TaoSecurity blog here. Everything went well and I'm pretty satisfied running qemu for my pre-deployment testing. However, the setup won't allow me to connect to the virtual machine from localhost, which means that I can only interact with the qemu VM by logging in to another machine and connecting back to the qemu VM. This is not a big problem anyway, but it kills my need to run everything on my standalone notebook only.

After going through the man page of if_bridge, I decided to create the bridge interface using it instead of the one mentioned in the bridge man page. Both are different and you can read about them by just running man if_bridge and man bridge. With that I have successfully connected to the qemu VM from localhost. All I need is to run my VM with the command,

shell>qemu -boot c -hda /nsm/i-VMimages/NSM.img \
-net nic -net tap

Then create the bridge interface and add the physical interface - bge0 - and the pseudo interface - tap0 - to the bridge interface.

shell>ifconfig bridge0 create

shell>ifconfig bridge0 addm bge0 addm tap0

You need to assign the IP to the bridge interface if you want the VM to connect to the internet, and don't forget to delete the IP configuration of the bge0 interface.

shell>ifconfig bridge0 inet 192.168.0.199 \
netmask 255.255.255.0 up

shell>ifconfig bge0 inet delete

Now you may have the VM in the same LAN as the bridge interface; just configure the network interface in the VM to be something within the range 192.168.0.0/24. The NIC in my OpenBSD VM is ne3; just run the ifconfig utility to configure the IP address.

Remember I said that I'm creating the Sguil qemu image; currently it is in progress and I named it NSM.img (OpenBSD VM). This works properly with a single NIC. Host and VM can ping each other and I can interact with the VM perfectly fine.

But is this what I want? I remember I used to create multiple NICs in my VMware, so I crawled the qemu man page and found that I can actually create multiple NICs by running,

shell>qemu -boot c -hda /nsm/i-VMimages/NSM.img \
-net nic -net tap -net nic -net tap

Once the VM started, I found ne3 and ne4 network interfaces in my VM. I thought that everything was going as expected, so I added IP address 192.168.0.123 to ne3 and 192.168.0.124 to ne4, then I started to ping 192.168.0.123. Now havoc started, where I had tons of DUPLICATE ping packets. If this is the case that would be bad, since I can't set up my VM with multiple NICs.

Since I'm not the give-up type, I crawled through the qemu manual page again. I found that I can actually create the NICs with different vlan settings. Thus I gave it a try; I ran the commands,

shell>qemu -boot c -hda /nsm/i-VMimages/NSM.img \
-net nic -net tap,vlan=0,ifname=0 \
-net nic -net tap,vlan=1,ifname=1

Without assuming that it works, I started to ping 192.168.0.123, and this time everything went fine and I didn't see any problem. This is what I really want, and I got it running this time. Now I can start tinkering with my NSM setup on the qemu image. With the correct configuration of gateway and DNS server, both my localhost and VM can connect to the internet. Check the screenshots below and look at the interface configuration and the ping result from my VM to localhost and the internet, it just works!!!!!

My network interface configuration

VM pinging localhost and internet

If you don't want to use qemu anymore and would like to delete the pseudo interfaces such as the tap and bridge interfaces, normally you don't have to do ifconfig NIC destroy; you are better off doing this - unload the pseudo interface modules,

shell>kldstat
Id Refs Address Size Name
1 19 0xc0400000 6a29c0 kernel
2 1 0xc0aa3000 5f60 snd_ich.ko
3 2 0xc0aa9000 22b88 sound.ko
4 1 0xc0acc000 58554 acpi.ko
5 1 0xc4ebd000 9000 if_iwi.ko
6 1 0xc4fe1000 16000 linux.ko
7 1 0xc5267000 5000 i915.ko
8 1 0xc526c000 e000 drm.ko
10 1 0xc5a69000 4000 if_tap.ko
11 1 0xc5a41000 8000 if_bridge.ko

shell>kldunload if_tap

shell>kldunload if_bridge

That's the right way of deleting pseudo interfaces instead of using ifconfig. On the other hand, I have found a mail thread where people are asking about a problem when creating the tap interface. Normally you just need to do this to avoid the unwanted error.

shell>kldload if_tap

shell>cat /dev/null > /dev/tap0

I just point it out here in case it helps when people are googling for an answer :P

Though it is not as user friendly as VMware, I will still stick with qemu for the time being. I think the more I use qemu, the more I can do with it in a practical environment.

Note: I will add this write-up to my handbook, for the section - Building the cheapest testing lab environment.

Peace :]

Saturday, July 01, 2006

FTP Commands & Codes

If I recall correctly, I mentioned in my previous blog posts the importance of understanding HTTP commands & codes; while I think it is pretty useful when an analyst needs to perform analysis on an HTTP session, the same thing applies to FTP as well. One should at least know a partial set of the well-known FTP commands such as RETR and STOR and codes like 226 or 250.

Normally you won't see much benefit until you get your hands dirty with an FTP session; by looking at the FTP code you may know whether a file was successfully uploaded or downloaded. Here are two quick and straightforward URLs that explain FTP commands and codes very well -

http://www.ftpplanet.com/ftpresources/ftp_codes.htm

http://www.nsftools.com/tips/RawFTP.htm

Or if you never feel you've had enough of reading quick guides and would like to know more about the inner workings of FTP, the RFC is recommended as always -

http://www.faqs.org/rfcs/rfc959.html

I'm more of an RFC guy; apparently not everyone likes RFCs due to the lengthy contents.

~ RFC is just ROX ~
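
As an added example (my own script, not part of the original post), here is a small Python walk through a constructed FTP control-channel transcript: it pairs each RETR/STOR with the final reply code that tells you whether the file actually moved (2xx such as 226/250 versus 4xx/5xx), handles the RFC 959 multi-line "nnn-" replies, and decodes the 227 PASV reply so you know which data connection to look for in the capture:

```python
import re

def pasv_endpoint(text: str):
    """Decode a 227 reply: host h1.h2.h3.h4, port p1*256+p2, i.e. where the data channel will go."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def transfers(session: str):
    """Pair each RETR/STOR with its final reply: 2xx (226/250) means the file moved, 4xx/5xx it did not."""
    results, pending, data_ep, cont = [], None, None, None
    for line in session.splitlines():
        who, text = line[:2], line[3:]          # constructed transcript format: "C: ..." / "S: ..."
        if who == "C:":
            verb, _, arg = text.partition(" ")
            if verb.upper() in ("RETR", "STOR"):   # each PASV endpoint belongs to the next transfer only
                pending, data_ep = {"command": verb.upper(), "file": arg, "data": data_ep}, None
            continue
        m = re.match(r"(\d{3})([ -])(.*)", text)
        if not m or (cont and (int(m.group(1)) != cont or m.group(2) != " ")):
            continue                      # inside an "nnn-" multi-line reply: wait for the "nnn " line
        code, body = int(m.group(1)), m.group(3)
        cont = code if m.group(2) == "-" else None
        if cont or code // 100 == 1:      # reply continues, or 1xx "transfer starting": no verdict yet
            continue
        if code == 227:
            data_ep = pasv_endpoint(body)
        elif pending is not None:
            pending.update(code=code, ok=code // 100 == 2, reply=body)
            results.append(pending)
            pending = None
    return results

SESSION = """\
S: 220-Constructed FTP server, not a real capture
S: 220 Ready
C: PASV
S: 227 Entering Passive Mode (10,0,0,1,195,80)
C: RETR report.pdf
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: STOR tools.zip
S: 150 Ok to send data
S: 426 Connection closed; transfer aborted
C: RETR secrets.txt
S: 550 Failed to open file
"""
```

Run transfers(SESSION) and only report.pdf comes back with ok=True; the 426 and 550 replies mark the other two as transfers that never completed.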

Another Pcap File Editor - Bittwiste

If you feel that l33tness is important and you would like to do stuff in the CLI instead of a GUI, no problem!!!!! Instead of using netdude, you can actually use bittwiste. What is bittwiste? It is a command line based pcap file editor bundled with Bit-Twist (a libpcap-based Ethernet packet generator).

For more information, check out its main site; I quite like the bittwiste reference sheet located at

http://bittwist.sourceforge.net/doc/bittwiste_options_s.jpg

To change the destination address to 10.0.0.2, you can just run

shell>bittwiste -I /nsm/pcap/testing.pcap \
-O /nsm/pcap/testing1.pcap -T ip -d 10.0.0.2

To confirm that I have edited it correctly, I run tcpdump to check the output,

shell>tcpdump -qeXXttttnr /nsm/pcap/testing1.pcap -c 8


Bittwiste will automatically fix the checksum values as well; it is a very quick and neat tool to modify pcap files indeed. Credit goes to Addy, who created this interesting tool.

Peace :]

Pcap file editing with Netdude

Now you've got a cool pcap file captured from the wire and would like to edit it to replay the traffic against your server, so you need to change the destination IP address. Since there are so many packets and you want to change the destination IP address in one go, here's a little trick that you can do with netdude.

For example, you can just load the pcap file into netdude. In my situation the destination IP is 172.16.0.99 and I need to change it to 10.0.0.1, so I just need to go to Edit -> Select All (or right click in the pane and Select All), then click on the IPv4 tab below, choose the Dst.addr field and change the value from 172.16.0.99 to 10.0.0.1. Once you have changed it, you should have almost the same thing as the screenshot below.


Since you have made changes to the IP header, the checksum value will be wrong and needs to be recalculated; you can correct it by clicking on Plugins -> Checksum Fixer.


The checksum value is corrected and you can save it now, ready to replay the traffic with it.
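
The bittwiste command in the previous post and the netdude Edit / Checksum Fixer steps here do the same two things to every packet: overwrite the destination address, then recompute the checksums. As an added example (my own code, not the page's and not taken from either tool), here is a pure-Python version of that over a single constructed Ethernet/IPv4/UDP frame; it also shows why the TCP/UDP checksum has to be redone along with the IP header one, since its pseudo-header covers the addresses too:

```python
import struct

def inet_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum; zero the field being computed before calling
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _split(frame: bytes):
    # -> (ethernet header, IPv4 header, transport header + payload, ethernet trailer)
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    return frame[:14], bytearray(frame[14:14 + ihl]), bytearray(frame[14 + ihl:14 + total]), frame[14 + total:]

def _pseudo(hdr, rest):
    # TCP/UDP checksums also cover this pseudo-header, so a new IP address breaks them too
    return bytes(hdr[12:20]) + struct.pack("!BBH", 0, hdr[9], len(rest))

def fix_checksums(frame: bytes) -> bytes:
    # What netdude's Checksum Fixer / bittwiste do after an edit: IPv4 header, then TCP (6) or UDP (17)
    eth, hdr, rest, trailer = _split(frame)
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr[:10]) + b"\x00\x00" + bytes(hdr[12:])))
    off = {6: 16, 17: 6}.get(hdr[9])          # checksum field offset inside TCP / UDP
    if off is not None and len(rest) >= off + 2:
        rest[off:off + 2] = b"\x00\x00"
        csum = inet_checksum(_pseudo(hdr, rest) + bytes(rest))
        rest[off:off + 2] = struct.pack("!H", csum or (0xFFFF if hdr[9] == 17 else 0))  # UDP 0 = "none"
    return eth + bytes(hdr) + bytes(rest) + trailer

def rewrite_dst(frame: bytes, new_dst: str) -> bytes:
    # One packet's worth of "bittwiste -T ip -d NEW": replace the destination, then re-checksum
    eth, hdr, rest, trailer = _split(frame)
    hdr[16:20] = bytes(int(o) for o in new_dst.split("."))
    return fix_checksums(eth + bytes(hdr) + bytes(rest) + trailer)

def checksums_ok(frame: bytes) -> bool:
    # Receiver-side check: summing data with its checksum field in place must give zero
    eth, hdr, rest, _ = _split(frame)
    l4_ok = hdr[9] not in (6, 17) or inet_checksum(_pseudo(hdr, rest) + bytes(rest)) == 0
    return inet_checksum(bytes(hdr)) == 0 and l4_ok

def sample_frame() -> bytes:
    # Constructed Ethernet/IPv4/UDP packet (not from a real capture): 172.16.0.5:40000 -> 172.16.0.99:53
    eth = bytes.fromhex("001122334455" "0066778899aa" "0800")
    udp = struct.pack("!HHHH", 40000, 53, 8 + 12, 0) + b"constructed!"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, b"\xac\x10\x00\x05", b"\xac\x10\x00\x63")
    return fix_checksums(eth + ip + udp)
```

A pcap file is just a 24-byte global header followed by a 16-byte record header plus the frame for each packet, so applying rewrite_dst record by record gives you the whole-file edit the two tools perform.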

Cheers :]