Sunday, September 30, 2007

HeX: Full Screen Terminal

For HeX liveCD, our virtual terminal of choice is mrxvt, we use version 0.5.3 which is the latest unstable branch and it works very well.

I know some of you prefer to have Full Screen CLI especially to those who allergy to GUI, here's the simple tip, you can either click on the fluxbox menu->System->Run or type in the terminal -

shell>mrxvt +sb -name FullScreen

Here's the screenshot -

It will launch the full screen terminal, and the font size also becomes bigger in this case. However if you prefer to have small font size while having full screen terminal, you can run -

shell>mrxvt +sb

Then follow by pressing Control+Shift+f keys will do. Here's the screenshot -

Nice little trick but it does what you want.

Peace ;]

Saturday, September 29, 2007

Network Protocols & Passive Analysis

It's weekend day and I should find way to relax but I have to admit I'm network protocol addict. Today I have read about the links below and would like to share -




No comment about the protocol overhead and msn protocol topic but I might say I learn something new and save my time of digging them myself. Well documented stuffs always cool. However for the third link which topic is Passive Network Analysis and the date is 2007-09-28, introducing ethereal is bad especially the writing itself is more to introductory and you have wide range of audience(securityfocus is high profile) unless if we flash back to April 24, 2006. In fact, the wireshark is NOW. Other than that, Stephen Barish has done a great job in explaining the basic and the use of Passive Network Analysis.

Passive Network Analysis is another form of intelligence gathering technique in forming defensive strategy which you should look up.

Cheers ;]

OpenPacket: Emphasizing Practical Knowledge

One of the objective that raWPacket group creating the HeX liveCD is to develop the platform for network security analyzt to analyze the network data(pcap), and it can be great learning tool too if you want to learn about networking or enhance your analysis skill.

In most of the time, I have heard from people that they don't have live network to learn about networking or network security especially students, therefore their practical knowledge usually come after they started working in the field.

Thanks to Richard who taking initiative to launch OpenPacket, it is still in alpha stage but we hope to see it goes live soon. To follow up the progress and development of OpenPacket, stay tune with its blog.

So what is this OpenPacket all about? is a Web site whose mission is to provide a centralized repository of network traffic traces for researchers, analysts, and other members of the digital security community.

I would like to add on that the network traffic traces or sample can be equally useful for education community too, students can download the data and start to learn about them practically instead of reading the unintuitive networking book line by line without real understanding. And it can be very handy and productive if they are using HeX liveCD.

What should you do now? Join the OpenPacket mailing list, share your network traces and be part of community. Your participation are always welcomed.

Before some of you may remind me, another useful website to obtain network data is at -

Enjoy ;]

Friday, September 28, 2007

Fl0p: Decoding the Evil Genius Mindset

People who come from Unix background always have the real guts, and I bet you know what is RTFM all about. In fact it is Read The Fun Manual when you don't know how to use the commands or understand the technical section, sounds polite isn't it ;P

Thanks to one of my great friend who has observed the Fun thing about fl0p which created by one of the man who I really respect - Michal Zalewski. In fact my friend also fixed the packet retransmission handling for fl0p in order to identify the traffic flows more accurately especially in busy networks. We also figure there's error in the command line option where the -q for packet timing threshold is in fact -T, the -q is used for quiet mode instead. We are not too sured to make the patch publically available yet but we hope to fix more things before we do so.

So what's this fun thing about, let's look at the fl0p command lines -

shell>./fl0p -h
Usage: ./fl0p [ -f file ] [ -i device ] [ -s file ] [ -o file ]
[ -u user ] [ -e ms ] [ -T ms ] [ -FUKrqvpdtl ] [ 'filter rule' ]
-f file - read fingerprints from file
-i device - listen on this device
-s file - read packets from tcpdump snapshot
-o file - write to this logfile (implies -t)
-u user - chroot and setuid to this user
-e ms - pcap capture timeout in milliseconds (1)
-T ms - packet timing threshold in milliseconds (400)
-F - disable fuzzy matching on all signatures
-U - display fingerprints for unidentified streams
-K - do not display known signatures (implies -U)
-r - resolve host names (not recommended)
-q - be quiet - no banner
-v - enable support for 802.1Q VLAN frames
-p - switch card to promiscuous mode
-d - daemon mode (fork into background)
-t - add timestamps to every entry
-l - output concise 1-line output

'Filter rule' is an optional pcap-style BPF expression (man tcpdump).

The command line looks innocent as it is. But what if I do -

shell>./fl0p -t -f /usr/local/etc/fl0p.fp -i eth0 -FUK -u geek00l

So this can be interpreted as F-U-tu.....-K u geek00l! Maybe we should implement another command line argument which is -C. Or Zalewski must have something in his mind to implement for -C to the completion of fl0p.

Peace (;])

Tuesday, September 25, 2007

HeX liveCD: Virtual Appliance

I started to have this idea after conducting the security training with Spoonfork in HITB Security Conference lately, we have created the VMware Image by installing HeX on top of it. However the image is only available to the people who have attended our training only as it also contains interesting pcaps that I have collected during my past network security operation.

I would like to create the platform which network security analyzt can perform network data analysis during network security operation. The HeX liveCD itself is great choice to do so but I believe some folks out there prefer it to be readily installed and can load the network data(pcap format) instantly. However if I have to create the HeX Virtual Appliance, the main issue would be the distribution because of its image size(Gigs). Hence I have thought of few ways to solve it -

- Distribute through p2p networks - bittorrent?

- Getting more download mirrors? Shout to enhancer!!!!!

- Getting support from

I'm not too sured creating HeX Virtual Appliance worth the efforts, and I would like to hear from you - the HeX users out there.

Cheers ;]

HeX liveCD: Mailing List

For all the HeX liveCD users out there, we have been developing this liveCD for quite sometimes and I have received some positive and negative comments and various inputs from the users, therefore instead of me receiving the email and redirect to other co-developers, I decide to create the mailing list for the HeX liveCD so that it will has life of its own ;P

There you go -

Since this is public group and mainly used for mailing list management, I decided to use google group as it is convenience and easy. Therefore feel free to join us!!!!!

On the other hand, you can visit us at Freenode #rawpacket. Most of us are slacking there.

Enjoy ;]

Monday, September 24, 2007

When will spammers' creativity exhaust?

Seriously, I do wonder when will the spammers run out of creativity .....

Even then, they try hard to bypass the detection of "Internet Explorer" strings.

Let's copy it and paste but yet it doesn't work, poor lowpriceoem. com

Peace ;]

VMware-Tool Follow Up

I found this great tip to get VMware-Tool install, in fact the link mentioned that if we are running Xorg 7.2 or later, the driver for VMware is included natively and we just need to install VMware-Guestd. Here's the link -

The tip works great if you have installed HeX in your VMware workstation. After VMware-Guestd is installed, what we need is just the editing the section below in /etc/X11/xorg.conf -

Section "Device"
Identifier "Card0"
Driver "vmware"

By default it is vesa, just change it and restart X will do.

Enjoy ;]

HeX liveCD: VMware-Tool Inclusion & Status

The HeX liveCD project is inactive for a while and now it goes active again, the 1.0 Release is very very close as we are doing some improvement and housekeeping to make it clean and tidy.

As most people who uses HeX liveCD prefer to load it on VMware, it raises the question to us whether it's fine to distribute HeX with VMware-tools. I have discussed with chfl4gs and interestingly we found this link -

Effective immediately, VMware has modified its current policy with regard to VMware Tools as follows:

Subject to your compliance with the VMWARE MASTER END USER LICENSE AGREEMENT, the restriction in Section 3.5 of the VMWARE MASTER END USER LICENSE AGREEMENT prohibiting distribution of the VMware Tools to third parties is hereby removed. You may distribute VMware Tools to third parties in object code format only and solely in conjunction with, and as part of, any Virtual Machine you create with the Software or with any update for any such Virtual Machine.

For now, it seems to be fine to distribute the FreeBSD VMware-tool6 package and we may do so . But changes will be made later if the vendor changes their mindset but from what I know, VMware Inc usually plays well with FOSS community.

From now onward, we are in the package/port freeze state and concentrating on bug fixes until the release of HeX v1.0R.

Cheers ;]

Sunday, September 23, 2007

Sigsssss or Sicksssss

Another post about Bro-Nids regarding the conversion of signatures from Pads to Bro format.

You can find it here -> click

Has been three weeks I adapted in research and development process and it seems to be pain in the ass .....

Peace ;]

Friday, September 21, 2007

Bro - Signature Testing

Unlike snort, Bro-Nids is not signature centric NIDS, however it does offer certain level of signature capability in order to be more comprehensive in event detection. Following is the example of Bro signature in detecting one of trojan -

signature thinstall_trojan
ip-proto == tcp
dst-port == http_ports
http /[pP][oO][sS][tT]\x20{1,}\/bi\/servlet\/ThinstallPre/
tcp-state established,originator
event "ThinstallPre Adware Trojan, personal and machine data theft, successful"
# reference:

It looks pretty straight forward comparing to snort sigs as I would admit snort offers more powerful and flexible capability for sig rule writing. Again we see regular expressions(regex) here. I can't recall how many times I have told about the important of regex to network security analyzt.


What if I want to test the signature on the fly, here's what I do. Write the signature that based on the standard format above and save it as testing.sig, then -

Export bro environment variables -

shell>cd /usr/local/bro

shell>. etc/bro.cfg

Test it with the packet capture data(holycow.pcap) with -s option, and remember to load the other analyzer or policy scripts such as tcp, udp, icmp, http and signatures. All of them can be found under policy directory with .bro suffix. Then execute -

shell>bro -s testing.sig -r holycow.pcap \
tcp udp icmp http signatures

If there's traffic that matching the signature, it will be logged to signatures log file. I will write more tips and tricks about Bro-Nids in future when possible especially at

Cheers (;])

Thursday, September 20, 2007

Ubuntu: Afterglow

Afterglow version 1.5.9 is released lately, I would like to try it out on my laptop that running Ubuntu Linux, the steps are quite straight forward. Here's the less than 1 minute steps -

shell>sudo apt-get install libtext-csv-perl graphviz

After that, just download afterglow source tarball and untar it.

You are good to go now.

shell>perl -h

Afterglow 1.5.9 ---------------------------------------------------------------

A program to visualize network activitiy data using graphs.
Uses the dot graph layout program fromt the Graphviz suite.
Input data is expected to be in this simple CSV-style format:

[subject], [predicate], [object], ACCEPT,

Usage: perl [-adhnstv] [-b lines] [-c conffile] [-e length] [-f threshold ] [-g threshold] [-l lines] [-o threshold] [-p mode] [-x color] [-m maxsize]

-a : turn off labelelling of the output graph with the configuration used
-b lines : number of lines to skip (e.g., 1 for header line)
-c conffile : color config file
-d : print node count
-e length : edge length
-f threshold : source fan out threshold
-g threshold : event fan out threshold (only in three node mode)
-h : this (help) message
-l lines : the maximum number of lines to read
-m : the maximum size for a node
-n : don't print node labels
-o threshold : omit threshold (minimum count for nodes to be displayed)
Non-connected nodes will be filtered too.
-p mode : split mode for predicate nodes where mode is
0 = only one unique predicate node (default)
1 = one predicate node per unique subject node.
2 = one predicate node per unique target node.
3 = one predicate node per unique source/target node.
-s : split subject and object nodes
-t : two node mode (skip over objects)
-u : export URL tags
-v : verbose output
-x : text label color

Example: cat somedata.csv | perl -v | dot -Tgif -o somedata.gif

The dot exectutable from the Graphviz suite can be obtained
from the AT&T research website:

Cheers ;]

Bro-Nids + Afterglow

Yes, I'm in the Bro mood now, I have written about generating insightful flow graph from Bro connection log using afterglow where you can find at here.

This is the simple idea demonstration but I found it useful, at least.

Enjoy (;])

P/S: Thanks to sudugarpu for account access.

Wednesday, September 19, 2007

Malaysia Network Security Community

I have added link to my site which initiated by spoonfork, we are currently digging into Bro-NIDS and you will find a lot of tips regarding Bro in the site. However that's not the only purpose of Malaysia Network Security Community Site, there are many things we would like to do such as honeynet, security commentary, getting Malaysia security professionals together and so forth but time is the limitation to both of us.

Anyway if you had noticed, we have

- honeynet project

- raWPacket project

Both will host all the projects we are working on such as HeX liveCD, honeynet and etc.

Maybe its time to recruit new bloods?

From my point of view, our country is still lacking of real security professionals. On the other hand, computer security certification itself destroys the security industry by training a lot of junks and talk cockers as long as you know how to pass the exam(not that you have the knowledge to pass the exam), the capability of the security professional can never be measured relying on how many related certifications you have as this field requires a lot of studies and steep learning curve as well as self-discipline.

I'm not anti-certification, but with people I have met thus far, the quality is always not up to the par with the title in the given certification and it creates the fake reality and self-ego to the person himself/herself.

Those big companies are the helpers too, they will always recruit people with more certifications than less, and do we think more is always better? In this century, the quantity seems to overtake the quality. With this kind of undesirable trend, I have heard from some of my friends where they have to obtain related certification in order to get employed or better pay or even promoted.

To whoever think I'm ranting now, I'm seriously not. Face it, this is the reality.

It's time to wake up .....

Peace ;]

Saturday, September 15, 2007

BPF - Birectional Filter

Imagine you have the server farm, and one of your web server is suspected to be under attack or in the state of uncertainty, and you would like to examine the traffics that flowing to your web server and the exchange session from the remote nodes to your web server(port 80 by default). How can you do it with BPF filter?

The network conversation is illustrated as below -

Host A - Web Client
Host B - Web Server

Host A (any port) -> Host B (port 80)
Host B (port 80) -> Host A (any port)
Host A (any port) -> Host B (port 80)
Blablablabla .....

Given the web server IP address is, here's the pretty quick tip for you to assess the network traffics that flowing in and out from your web server that initiated by the remote node. As the port 80 resides on the web server, therefore the filter below should work -

(src host and src port 80) or (dst host and dst port 80)

There you go, the bidirectional filter!!!!!

Happy packetysis (;])

Tuesday, September 11, 2007

BPF - Non RFC Compliant?

It's been a while I haven't written anything about network traffics analysis and it's fun to do it again. If you don't know what is BPF, you can check it out here -

- FreeBSD BPF Man Page

- Good Old BPF paper

Here's the description of the Berkeley Packet Filter, it provides a raw interface to data link layers in a protocol independent fashion. All packets on the network, even those destined for other hosts, are accessible through this mechanism.

I came across this when I was trying to filter multicast network traffics from the packet capture file. From my understanding and the RFC references, IPv4 multicast addressing is in the class D of which the first octet of IP address is in the range of 224-239. I tried to confirm what I have learned from the resources below -

- IANA Address Assignment

- RFC3171

- RFC2365

- RFC3330

- IETF Draft

Then I use this BPF filter(ip multicast) to accomplish my need -

shell>tcpdump -ttttnnr multicast-mix.pcap 'ip multicast'

As expected, the tcpdump output shows all the multicast traffics. But wait, it shows other unexpected traffics where I spotted there are some traffics with the destination IP of which I don't think it belongs to multicast addressing. To understand the BPF filter , I dump the compiled packet-matching code in a human readable by running -

shell>tcpdump -d ip multicast
tcpdump: WARNING: eth0: no IPv4 address assigned
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 5
(002) ldb [30]
(003) jge #0xe0 jt 4 jf 5
(004) ret #96
(005) ret #0

From the instruction 000 and 001, we know it is IPv4 traffic. 002 will look at the 30th byte offset in the Ethernet frame where it is actually the location for first octet of destination IP address and 003 performs jge #0xe0 which it will jump into that byte offset and check if it is equal or greater than 0xe0(in decimal it is 224).

If the condition is true(jt 4), it will jump to 4th instruction and returns 96 bytes which is the default snap length of what tcpdump has captured in single ethernet frame, else(jf 5) it will just return nothing.

To be clear, as long as the first octet of destination IP greater than 224, the BPF filter "ip multicast" will catch it.

ip multicast = 224.x.x.x - 255.x.x.x

This is not RFC compliant, isn't it? Therefore to do what I really want with BPF filter, I have to use this -

ip[16]>=224 and ip[16]<=239

I don't mean everything must be RFC Compliant as we know some evil vendors tend to break it. Anyway I just share my finding.

Enjoy (;])

Saturday, September 08, 2007

HITB SEC CONF 2007: The WriteUp

As usual me and mel have conducted the training for HITB this year, everything goes pretty well and organized as we are well prepared and attendees are given the VMware image with HeX and network data(pcap) loaded. Hopefully all the guys who attended our training have good time. The first and second days of the event are just the 7 tracks security trainings and HITB Cinema. I was glad to meet Jose Nazario again and have little conversation with him, SK was there too unfortunately I can't attend to the knowledge session sharing that invited by him due to heavy load of works. After the training is over, the Capture The Flags(CTF) Crews getting together and we started to launch our master plan - the gangbang.

Mel, rd, xwings, takizo, adli, y0muds and me got together and setup the CTF, and we only be able to set everything up in the midnight due to the whatever event in the Hilton hotel.

The third and fourth day of HITB event can be considered the meat of it. Unfortunately we have our CTF game delayed and started by the time of 1430, most of us were not able to attend any interesting talks in the conference though we would like to because we have to monitor the game. On the other hand, we have LockPicking Village and Zone-H Hacking Challenges ongoing. The lock picking stuffs were fun and I have learned how to open the police hand cuff by using the toolkits from TOOOL. Anyway I have sneaked into Rafael Marty's talk about the Insider Threats Visualization. Basically it is all about logs visualization but doing it effectively. If you are interested about graphing stuffs, check out the site maintained by him.

In the fourth day, I only be able to catch up with Luiz and Fx talks regarding Network Protocol Fuzzing and Hacking modern applications. For me Luiz talk is kinda brief but he did mention that Network Protocol Fuzzing has nothing to do with Vulnerability Assessment as the VA uses known vulnerabilities to probe but the Fuzzer usually discovers unknown or 0 days attack, I have checked out the MUsecurity box that brought by him which is pretty cool. Fx has talked about the vulnerabilities that can be found in the modern application with their stupid design flows. And I'm pretty amazed where he can actually design the new logo for ciscock. He also mentioned that attacking is cheap but detection is very expensive which I found it damn right.

Other than that, I have met our good friends from HC2C(Rodrigo and Domingo), US Army Strong guys and I hope they are having good time in Malaysia. After all, the event is over with the CTF and Zone-H prize given ceremony as well as the interesting auction. I bet we can threat Zone-H founder for something else with his unrevealed pictures we have taken ;P

Nothing to mention about the party, except that all the stupid CTF crews as well as the HITB founder been thrown into the swimming pool.

Kudos to all the HITB Members, VLNTs and Speakers who have made this Conference successful.

Cheers (;])

HITB Aftermath: Why you don't know you are having virus in your pocket?

This is something interesting happened during HITB Conference 2007, all of us brought our own USB thumb drive to ease the file transfer process. After the conference is over, Dhillon told us that his USB thumb drive contains virus and ask us to look into ours, interestingly here's what I have in my thumb drive -

shell>cat autorun.inf

shell>file \ MSOCache/90000804-6000-11D3-8CFE-0150048383C9/kb915865.exe
MSOCache/90000804-6000-11D3-8CFE-0150048383C9/kb915865.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

Other crews may also have similar files in their USB thumb drive, therefore if any of you have borrowed USB thumb drive from us, good luck! As most of us are using either linux or osX, we don't even know the malicious files reside in our usb thumb drive.

Thanks to F-Secure sticker, I especially like the quote -

Real Men don't use antivirus.

Good luck to all Windows users in the conference.

Enjoy ;]

The root cause of this - thanks to the rented PC from whatever hardware provider ..... you should pay our monetary losssss

The Good Phisher

Yes, I'm talking about good phisher who kicks his/her own asssss -

For security reasons, you are advised to keep your winning information confidential till your claims are processed and your money remitted to you in whatever manner you deem it fit to claim your prize. This is part of our precautionary measure to avoid double claiming and unwarranted abuse of this program by some unscrupulous elements and most importantly for your own security Please be warned

Sometimes I just love spammers/phishers for no reason .....

Cheers ;]