Saturday, January 10, 2009

Ubuntu: Unicornscan Revisit

I have written about how to install unicornscan on Ubuntu previously here, and it seems a lot of people have problems getting unicornscan compiled on Ubuntu/Debian. So here is my revisit, to make it clearer; it should work on Ubuntu 8.x if you follow the steps accordingly.

Install all dependencies -

shell>sudo apt-get install \
libpcap0.8-dev libgeoip-dev libltdl3-dev libdumbnet1 libdumbnet-dev

shell>sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h

Download unicornscan and decompress it -

shell>tar xvjf unicornscan-0.4.7-2.tar.bz2

shell>cd unicornscan-0.4.7

shell>./configure --prefix=/usr/local/stow/unicornscan-0.4.7

Because the Debian package ships the library as libdumbnet rather than libdnet, we need to replace the linker flag. First search for the files that reference ldnet -

shell>find ./ -type f -exec grep -H 'ldnet' '{}' \;
./src/Makefile.in:G_LDADD=$(LDFLAGS) -lscan -lparse -lunilib -lpcap -lltdl -ldnet -luext
./src/tools/Makefile.in: $(LIBTOOL) --mode=link $(CC) $(CFLAGS) -o fantaip fantaip.lo $(G_LDPATH) $(G_LDADD) -lpcap -ldnet
./src/tools/Makefile: $(LIBTOOL) --mode=link $(CC) $(CFLAGS) -o fantaip fantaip.lo $(G_LDPATH) $(G_LDADD) -lpcap -ldnet
./src/Makefile:G_LDADD=$(LDFLAGS) -lscan -lparse -lunilib -lpcap -lltdl -ldnet -luext
./src/scan_progs/Makefile.in:G_LDADD=-lscan -lparse -lunilib -lltdl -ldnet -luext
./src/scan_progs/Makefile:G_LDADD=-lscan -lparse -lunilib -lltdl -ldnet -luext

To replace ldnet with ldumbnet in one shot (keeping a .bak copy of each file touched), do

shell>for i in `find ./ -type f -exec grep -l 'ldnet' '{}' \;`; do sed -i.bak -e 's/ldnet/ldumbnet/g' "$i"; done
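Here is an added example, not code from the original post, that turns the one-liner above into a small POSIX shell script: it rewrites -ldnet to -ldumbnet only where it appears as a whole word (so a constructed name such as -ldnetwork is left alone), keeps a .bak copy of every file it touches, checks that nothing was missed before make runs, and can undo the change. It assumes the paths in the unpacked source tree contain no whitespace.

```shell
#!/bin/sh
# Added example, not code from the original post: rewrite the linker flag
# "-ldnet" to "-ldumbnet" across a source tree (the Debian/Ubuntu libdumbnet
# case), keep a .bak copy of every file touched, verify that no "-ldnet"
# survives, and allow the change to be undone.
# Assumption: file paths under DIR contain no whitespace (true for a tarball).

# fix_dnet_flags DIR
#   Rewrites every file under DIR (ignoring .bak copies) that references
#   -ldnet as a whole word and prints each rewritten path.
#   Returns 0 if something was rewritten, 1 if nothing referenced -ldnet.
fix_dnet_flags() {
    dir=$1
    # grep -l lists only matching files; -w rejects longer tokens such as
    # -ldnetwork so they are never rewritten.
    files=$(find "$dir" -type f ! -name '*.bak' -exec grep -lw -e '-ldnet' '{}' \;)
    [ -n "$files" ] || return 1
    for f in $files; do
        # Two POSIX BRE expressions: -ldnet followed by a non-identifier
        # character, then -ldnet at end of line. sed -i.bak writes FILE.bak
        # on both GNU and BSD sed.
        sed -i.bak \
            -e 's/-ldnet\([^[:alnum:]_]\)/-ldumbnet\1/g' \
            -e 's/-ldnet$/-ldumbnet/' "$f"
        echo "$f"
    done
    return 0
}

# no_dnet_left DIR
#   Returns 0 when no file under DIR still references -ldnet; otherwise
#   prints the offending lines and returns 1, so it can gate the make step.
no_dnet_left() {
    out=$(find "$1" -type f ! -name '*.bak' -exec grep -Hw -e '-ldnet' '{}' \;)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# restore_dnet_backups DIR
#   Moves every FILE.bak back over FILE, undoing fix_dnet_flags.
restore_dnet_backups() {
    for b in $(find "$1" -type f -name '*.bak'); do
        mv "$b" "${b%.bak}"
    done
}
```

On the unpacked tree from the post the sequence would be `fix_dnet_flags ./unicornscan-0.4.7 && no_dnet_left ./unicornscan-0.4.7 && make`; if the build still fails to link, `restore_dnet_backups ./unicornscan-0.4.7` returns the Makefiles to their original state.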

Now we can compile and install

shell>make

shell>sudo make install

It is now installed under /usr/local/stow; to link it into /usr/local, just do

shell>cd /usr/local/stow

shell>sudo stow unicornscan-0.4.7

DONE!

Enjoy (;])

Wednesday, January 07, 2009

Latex Editor

If you are using LaTeX (I do, especially for presentation slides, since spoonfork corrupted me), there is one good LaTeX editor that works across multiple OS platforms. Some people just use vim as the editor, but I prefer Texmaker. You can check out its main site here -

http://www.xm1math.net/texmaker/

And it even works on Mac OSX!

Cheers ;]

Tuesday, December 23, 2008

Interesting Network Adapter

This looks like an interesting dual-port network adapter with a bypass function; more information ->

http://www.portwell.com/products/detail.asp?CUSTCHAR1=ABN-192

If you know where I can get this in Malaysia, please do let me know.

Saturday, December 20, 2008

NIDS: Administration, Management & Provisioning

We often find many resources that discuss NIDS technologies and how to set one up; however, the things that are really missed (even on the internet) are the following.

If you are managing tons of Network Intrusion Detection Systems (NIDS), and by tons I mean more than 50, I would like to hear from you about -

1. What tools do you use to manage all the NIDS, and why did you choose them over others?
- For example ssh; however, I would like to know more about the tools you use to manage many NIDS rather than one, and the reason you chose them.

2. How do you perform efficient administration securely? For example,
- System changes/updates
- NIDS tools' changes/updates
- NIDS rules' changes/updates
- NIDS Configuration files' changes/updates
- NIDS Policies' changes/updates

3. Which method do you prefer in order to manage them, and why? For example,
- Server pushes rules update to all the sensors(Push)
- Sensors pull the rules update from server(Pull)

4. NIDS health monitoring and self-healing
- I'm talking about something like this: if the system is in an inconsistent state, operators are notified; if a certain process dies, it recovers by itself.
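As an added example that is not part of the original post, here is a minimal self-healing check in POSIX shell for point 4: a process that fails its health check is restarted once and re-checked, and the exit code distinguishes healthy, recovered and still-down so a cron job can alert an operator. The check and restart actions are passed as command strings; the pgrep and rc.d commands mentioned in the usage note are assumptions about a typical sensor, not something the post specifies. It goes slightly beyond the single-process case by handling a list of sensors.

```shell
#!/bin/sh
# Added example, not from the original post: health check with one restart
# attempt and operator notification for sensor processes.
# Check and restart actions are command strings so the logic can be
# exercised without a real sensor; for a real deployment something like
#   check='pgrep -x snort'  restart='/usr/local/etc/rc.d/snort start'
# is assumed (these are placeholders, not part of the post).

# heal NAME CHECK_CMD RESTART_CMD
#   Runs CHECK_CMD; on failure runs RESTART_CMD once and re-checks.
#   Prints one status line. Exit status: 0 healthy, 1 was down but
#   recovered (worth logging), 2 still down after restart (page someone).
heal() {
    name=$1 check=$2 restart=$3
    if sh -c "$check" >/dev/null 2>&1; then
        echo "$name: healthy"
        return 0
    fi
    # A failing restart command must not abort the loop over other sensors.
    sh -c "$restart" >/dev/null 2>&1 || true
    if sh -c "$check" >/dev/null 2>&1; then
        echo "$name: was down, restarted"
        return 1
    fi
    echo "$name: still down after restart, operator notified"
    return 2
}

# check_sensors
#   Reads "name|check_cmd|restart_cmd" lines on stdin, runs heal for each
#   and returns the worst status seen, so a cron job can key alerting off
#   the exit code.
check_sensors() {
    worst=0
    while IFS='|' read -r name check restart; do
        [ -n "$name" ] || continue
        if heal "$name" "$check" "$restart"; then rc=0; else rc=$?; fi
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return $worst
}
```

Run it from cron with a sensor list on stdin, e.g. `check_sensors < /usr/local/etc/sensors.list`; a status of 2 is the "inconsistent state, notify the operators" case from the list above, while 1 is a silent recovery that still deserves a log entry so repeated crashes are noticed.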

I consider NIDS a critical system, and it should be managed wisely to prevent misconfiguration, downtime and so forth. Therefore we should have solid answers to the questions above if we are going for a massive NIDS implementation and deployment.

Any insight or valuable thoughts to share are welcome!

Peace ;]

Thursday, December 18, 2008

*nixes Backup Solution

I'm looking at various backup solutions that are available for Unix variants. There are so many of them, and I'm just listing them here in case I forget what I have found.

- Timevault

- Flyback

- Kbackup

- Rsnapshot

- Rdiff-Backup

Some other solutions can be found here.

Cheers ;]

Sunday, December 14, 2008

FreeBSD ZFS

I have been hearing people talk about ZFS, and it has been ported to FreeBSD, but I didn't play with it until today.

It does seem that FreeBSD is getting Solaris-ish: ZFS, DTrace and what else. Anyway, here's a simple screenshot of mine with a ZFS setup -

I may spend more time playing with it. If you are interested in ZFS on FreeBSD, you should check out -

http://wiki.freebsd.org/ZFS

By the way, FreeBSD 7.1 RC1 is out, grab it while it's hot!

Cheers ;]

Saturday, December 13, 2008

Anonymous Troll

I have previously blogged about my experience at Singapore Govware here; however, I didn't know I had got such an interesting comment until I was told by a friend who read it. The comment is written as follows -

--------------------------------------------------------------
Anonymous said ....
With all due respect to you and your great work with hex and what not, I'd like to rant a bit. I know it's belated, but here goes :)

Sometimes security is not about you 'teaching' people what to do with your l337 NSM toolkit. It is normal for security conferences/events to be a closed door affair or by invitation only. I bet there were some concerns by some parties that you're blackhats/can't_be_trusted/not-really-security-analyst whom they can share information with. So it's better late than never to kick you out. The level or kind of stuff you and other l337 friends write at security.org.my also doesn't help, I think.

So get real, be trusted, and stop associating yourself with ppl whose deep insights on security are only by taking screenshots at defacements or error messages, blowing them out of proportion, making kidd1e5 happy and then selling a training program! So don't be disheartened at being kicked out of a per invite only program.
-----------------------------------------------------------

I don't really want to argue anything here; my point is, if you don't know me, don't judge me with your narrow mind as if you know me very well, and stop acting like an anonymous coward.

Peace ;]

What Am I Doing?

I hardly blog these days, and have been busy with current work plus my own fun research. It's about the end of 2008, and I figure life gets more challenging as I get older.

raWPacket is currently in a state of "slowing down", or you can call it slacking, so we will restart our engine next year (2009). Hopefully we can get many interesting projects done in the coming year; some are on the way!

It's been a couple of months working for GE now; thanks to my friend Richard Bejtlich for the opportunity, faithfully. For the other guys I'm working with, you guys are always rocking!

For my own research, let's keep it secret for now; it will be revealed soon.

Cheers ;]

Monday, December 01, 2008

Drunken Monkey: Running Network Miner with Wine

Network-Based Forensics is emerging now; we are seeing more and more NBF tools in active development. One of the decent NBF tools I would like to mention here is NetworkMiner, which is developed by Erik Hjelmvik. NetworkMiner is developed using the .NET framework, therefore it has a Windows version only; I will show you how you can get it running using Wine on *nix-based OSes, especially Ubuntu Linux.

Installing Wine -

shell>sudo apt-get install wine wine-dev cabextract

Configure Wine -

shell>winecfg

In the Applications tab, change the Windows version to Windows 2000

shell>wget http://kegel.com/wine/winetricks

Install corefonts and .NET framework 2.0 -

shell>sh winetricks corefonts dotnet20

Download NetworkMiner -

shell>wget \
http://sourceforge.net/project/showfiles.php?group_id=189429

Unzip it and run -

shell>wine NetworkMiner.exe

Here you go -

Cheers (;])

Wednesday, November 26, 2008

Network-Based Forensics: Xplico


If you are interested in Network-Based Forensics, you should give this tool a try: Xplico. This tool is quite promising and in active development.

During the HITB training and conference, I mentioned the challenges and problems with Network-Based Forensics; one of them is the lack of protocol dissectors (especially at the application layer). Looking at the Xplico roadmap, you can see they are trying to add more and more dissectors to become more advanced in traffic reconstruction (you can't really rely on TCP itself, as the session is mostly handled by the application layer these days).

Xplico is definitely designed for Network-Based Forensics only, and it follows the file system forensics approach, where you create a case and extract data from the pcap. There are a few things I would like to see in Xplico if possible -

1. Support for more packet formats (or conversion)
2. Better search engine (not only email)
3. Report generation
4. Data export to various formats
5. Per-host traffic information

If you want to try out Xplico quickly, check out the DEFT live CD.

More screenshots!!!!!

Enjoy ;]

Thursday, October 30, 2008

HeX In The Box

We released the HeX special edition for the HITB Security Conference; the theme we use is HeX In The Box. If you are a HITB Conference participant, you might or might not get the CD we distributed on the first day of the conference, as we only have about 120 copies, so it is really limited.

This special edition comes with a new wallpaper and CD sticker as well. Thanks to Vickson for the comic-style design this time!

HeXInTheBox CD Sticker

HeXInTheBox Wallpaper

On the other hand, HeX has hit more than 10,000 downloads since the release of version 2.0!

Cheers (;])

Saturday, October 18, 2008

Bro 1.4: Eating Netflow

The new Bro can import NetFlow version 5 data now; if you are using HeX 2.0, you can test it quickly. Here's how you can test its new ability to work with NetFlow.

Use fprobe to export NetFlow version 5 data from network interface le0 to address 127.0.0.1, port 5555 -

shell>sudo fprobe -n 5 -f ip -i le0 127.0.0.1:5555

Use bro to eat the NetFlow data and log it to disk -

shell>sudo bro --netflow 127.0.0.1:5555 HeX netflow

You will find netflow.log in your $BROLOGS directory, and you can simply examine it with any text viewer.

I'm going to distribute a bro-1.4 binary that works well with HeX so that people can try it out if they are interested in the latest Bro offerings.

Enjoy (;])

HITB 2008 and Our Technical Training

The HackInTheBox Security Conference 2008 in Malaysia is around the corner. This time we are going to bring you triple tracks running simultaneously, and participants are allowed to join any track they like. Plus we have a great speaker line-up.

The old and useless CTF organizing team will retire this time and be replaced by new blood, so we hope they do the best they can to get the game going. On the other hand, there will be OpenHack as usual. We also hope you are going to enjoy HITB Lab, which will be running for the first time ever.

For the moment, spoonfork and I are updating our training materials. Just like the previous training, our training goes by the name "Structured Network Threat Analysis & Forensics". However, we are changing strategy and bringing new stuff. Besides Network Security Monitoring, we are going to focus more on Network-Based Forensics and its challenges. We also include exercises so that participants can get a feel for it during the training session.

If you haven't registered yet, I think you should. You can check out the registration price, and it's really cheap. Don't miss the chance to learn about the latest security issues, meet world-class security professionals and get to know the local talent around!

Cheers ;]

Bro: 1.4 Release

Kudos again to the Bro development team for the release of version 1.4. This release includes tons of new features and also tons of bug fixes.

I'm looking forward to trying out things like NetFlow, Time Machine and many others. If you are interested in Bro, grab the latest version while it's hot. You can download it at -

http://bro-ids.org/download.html

The detailed changes can be read here.

Enjoy ;]

Friday, October 10, 2008

Foss.my 2008

Many friends in the OSS circle have already blogged about this, so I won't repeat much; if you are interested in FOSS and you are in Malaysia, this is definitely the event you should come to.

For more information, look here ->

http://foss.my/

Enjoy ;]

Expanding Response: Deeper Analysis

My friend Russ McRee just published a paper called "Expanding Response: Deeper Analysis for Incident Handlers" with SANS for his GCIH Gold cert; it includes details on Argus, HeX, NSM-console and NetworkMiner, using content from the original ISSA articles as well as current updates.

You can find his paper here -

http://www.sans.org/reading_room/whitepapers/incident/32904.php

Nice work Russ!

Cheers ;]

Wednesday, October 08, 2008

Govware: Positive Security?

A few months ago, Dhillon (HITB founder) told us about Govware, which is organized by the Ministry of Home Affairs Singapore, and they invited us to their conference.

So HITB was invited to Singapore Govware, and we were quite looking forward to this event, as we were told Singapore is a first-world country and they are great at event organizing. Unfortunately this time we were going down to Singapore on our own budget (other events' organizers pay our accommodation for our effort), but we thought, since it's just our neighbouring country, let's pay on our own.

So we were being supportive and ran the Web Hacking Challenge for Govware as well (Rufio handled this); Mel and I were also invited to give a talk in the closed-door Law Enforcement Track to share our knowledge with the audience. On the first day of the event, everything went smoothly. Mel and I presented 8 Layers Of Security and performed Network Forensics using HeX 2.0, which we had just released a few days earlier. We were glad to get to know some of the people working in law enforcement units.

So I don't want to comment much about the other presentations, since I didn't really listen to them as we were not allowed to, but we still managed to listen to 3 talks which were also closed door, since their people never blocked us. But then again, we were banned from the room after their clueless dudes figured out we were in the talk; they should have blocked us from going in instead of asking us to leave in the middle of the presentation.

So nothing much happened on the first day of the event except this shit; we went back to the apartment and grabbed our dinner.

So today (second day of Govware) we went to the venue, and we had just started running the Web Hacking Challenge; as usual all of us were wearing HITB t-shirts to show who we are. Then all of a sudden, some "don't know who" (probably a fear-to-lose (kiasu) organizer) came to us and informed us that we were not allowed to hand out our HITB conference fliers, that we couldn't promote our HITB Conference in an overt style (I don't get this; we just handed our flier to whoever passed by our booth, like everybody else, instead of doing it aggressively), and that we were also prohibited from wearing our own HITB t-shirts (but we saw others wearing their own company t-shirts (hint: Splunk) and they were not abused).

So what should we do now after coming all the way down from Kuala Lumpur to Govware Singapore? Absolutely nothing but get out of this crap place. And Govware is promoting Positive Security but can't even allow us to inform the audience about another security conference with world-class security experts in a neighbouring country (to be honest our conference is totally different from Govware, as we emphasize new attack mechanisms and are more technically oriented).

So to conclude, we are now enlightened as to how these so-called "First World Country" Ministry people manage an international event, with unfair treatment where other companies can do their "not so overt" marketing (because they are sponsors?) and wear their own company t-shirts, but we are asked to fuck off!

So this is definitely a great job from them, and thanks for the awful invitation; you can fuck off now. Kudos!

So Enjoyable ;]

Monday, October 06, 2008

HeX 2.0 Release - The Bonobo

Today is a big day for us, as we finally have HeX 2.0 Release - The Bonobo unleashed.

After many months of struggle in both the testing and development phases, a lot of new features have been added in this release. To sum up, we have -

1. FreeBSD 7 Stable
2. Unionfs
3. NSM Console updates
4. Tons of analysis aliases and scripts
5. Tons of NSM tools' signatures
6. Firefox - useful website bookmarks
7. Liferea - security RSS feeds

For more information, you can check out its own site which is located at -

http://www.rawpacket.org/projects/hex/hex-livecd/version-20-release

I would like to thank the HeX team members for all the hard work and continuous effort. You guys are just rocking!!!!!

Enjoy (;])

Sunday, October 05, 2008

FreeBSD: Pktanon Installation

What is pktanon?
PktAnon performs network trace anonymization. It is highly configurable and uses anonymization profiles.

My friend Richard has actually blogged about it, especially for the Debian platform.

Christoph, one of the main pktanon developers, emailed me that they have fixed pktanon and made it work on FreeBSD, and I'd like to try it out. I won't make a FreeBSD port for it, as I'm told that Wesley is working on a pktanon port.

But if you are interested, this is how you can get it to work on FreeBSD.

Get the dependencies; install these two FreeBSD ports -
1. boost
2. xerces-c2

We can now perform the pktanon installation; the CFLAGS, CPPFLAGS and LDFLAGS exports point configure at the headers and libraries the ports installed under /usr/local -

shell>wget \
http://www.tm.uka.de/software/pktanon/download/pktanon-1.2.1-dev.tar.gz

shell>tar xvzf pktanon-1.2.1-dev.tar.gz

shell>cd pktanon-1.2.1-dev

shell>export CFLAGS=-I/usr/local/include

shell>export CPPFLAGS=-I/usr/local/include

shell>export LDFLAGS=-L/usr/local/lib

shell>./configure

shell>make

shell>sudo make install

You can now start working with pktanon; I won't show that here, as you can check out the information on the pktanon website. We will include pktanon in HeX (definitely not HeX 2.0, but maybe 2.0.1, as we already froze the port tree while the pktanon port is still not in yet). It's worth adding, as people who would like to contribute to OpenPacket need to anonymize their packet traces.

Cheers (;])

Thursday, October 02, 2008

HeX 2.0 R: Preview

Here we reveal the latest HeX 2.0 Release; it will be out very soon. Stay tuned!

The joy for packet monkeys (;])