How to enable 1280×800 resolution in Parallels for X11

This topic really sucks to search for: way too many different results without any actual clarity. So here’s how I was able to get it working:

First, power down the VM and edit its configuration options, then click on “Video options”. Check ‘Enable custom screen resolutions’ and add the resolution (in this case, 1280×800). Make sure the new resolution is enabled (checked). See the screenshot below for an example of what it should look like:

[screenshot: custom resolution 1280×800 enabled under Video options]

Next, boot the VM and open xorg.conf. Here are the lines I changed that actually matter:

#HorizSync 31.5 - 48.5
HorizSync 30.0 - 82.0
#VertRefresh 50.0 - 90.0
VertRefresh 50.0 - 90.0
#Option "DPMS"
ModeLine "1280x800" 80.58 1280 1344 1480 1680 800 801 804 827 -HSync -VSync

These go in the block that starts with ‘Section “Monitor”’. After changing HorizSync and VertRefresh and adding the ModeLine, I changed the Display subsection from:

SubSection "Display"
Depth 24
Modes "1024x768" "800x600" "640x480"

to:
SubSection "Display"
Depth 24
Modes "1280x800" "1024x768" "800x600" "640x480"

It’s a good idea to change the Modes line for each of the depths (at least 8, 15, 16 and 24) as well.

After rebooting (or killing X with Ctrl+Alt+Backspace), your screen should come up in 1280×800 resolution. Hurray!

You can see an example of my desktop setup for Hex 1.0.3-RC2 here:

[screenshot: my desktop on Hex 1.0.3-RC2 at 1280×800]

You can get a copy of my entire xorg.conf file here. (Note that in this xorg.conf, CapsLock is remapped to an additional Control key, because I hate CapsLock with a passion.)

Hope this helps someone out there :)

Switching from fluxbox to wmii on Hex

Don’t get me wrong, I love fluxbox; I just enjoy experimenting with other window managers and decided I’d finally try the daunting wmii (turns out, not very daunting at all). So, here’s a quick rundown on getting wmii working on Hex 1.0.3BETA (this will work on pretty much any other Hex 1.* release as well). The steps should be about the same on a standard FreeBSD 6.2 release, although they may vary a little.

Step 1: Get the packages from http://navi.eight7.org/~hinmanm/files/hex/wmii/; you will need all 4 packages. (Hopefully my server doesn’t go down ;)

Step 2: Install the packages. With all the packages in the same directory do:
pkg_add -v ./wmii-3.5.1.tbz
The dependencies will automatically be installed along with it.

Step 3: Hex uses ~/.bash_profile to start X11; if you look at the last lines of ~/.bash_profile, you’ll see:
...
if [ -z "$DISPLAY" ] && [ -z "$SSH_CLIENT" ]; then
    exec startx
fi

Since X is already being started for you, the easiest way to launch wmii instead of fluxbox is to change your ~/.xinitrc to read:
while wmii; do
    true
done

Step 4: Restart X by killing it with Ctrl+Alt+Backspace. If everything works correctly, you should be staring at an extremely plain desktop. Hit Alt+Enter to open an xterm.

Step 5: wmii stores its configuration in /usr/local/etc/wmii-3.5/wmiirc; a few lines need to be changed to fit wmii into Hex a little better:

WMII_TERM="xterm"
changes to:
WMII_TERM="mrxvt"

xsetroot -solid $WMII_BACKGROUND
changes to whatever background-setting command you like to use, mine is set to:
Esetroot -center /home/analyzt/rp-Wallpapers/rp-team.jpg

In addition, to make using Alt as the MODKEY non-annoying (change the MODKEY=Mod1 setting if you want to use something other than Alt), a few changes should go into ~/.mrxvtrc:

The line:
Mrxvt.macro.Alt+1: GotoTab 1
changed to:
Mrxvt.macro.Ctrl+1: GotoTab 1

Repeat for all the GotoTab # commands. Since wmii uses Alt+# to switch workspaces, those keys can no longer be used to switch mrxvt tabs.

Step 6: Restart wmii: hitting ‘Alt+p’ and selecting ‘quit’ should prompt wmii to restart with the new settings. Now hitting Alt+Enter should open the standard mrxvt terminal.

Check out the guide for additional info on how to use wmii. I am loving the lightweight feel and speedy response so far; it works great for running Hex in virtualization, as it’s even lighter weight than fluxbox.

Good luck!

P.S. Hex 1.0.3 should be out any day now. It will have NSM-Console 0.5-DEVEL on it, which I will also be releasing for download at the same time; look forward to it!

How to convert a non-SMP RedHat VM into a SMP RedHat VM

Today I got an interesting request: a user needed to change his 64-bit non-SMP VM image (running RedHat 4.0) to an SMP machine. Problem is, I didn’t want to go through reconfiguring and rebuilding the kernel, so here’s the easy way to do it (it’s pretty simple):

  1. Power the image down
  2. Right-click and edit the settings for the VM image (if you don’t know how to do this, this article is beyond your scope)
  3. Change the CPU setting from 1 to >1 (2, 4, 8 or whatever you want to use) (see picture)
    [screenshot: the VM’s CPU count setting]
  4. Power the VM image back on
  5. Put RedHat CD #2 in your desktop’s CD drive (or use the ISO) and connect the disc to the VM image (see picture; note that I selected the wrong ISO, it should be disc #2)
    [screenshots: connecting the CD/ISO to the VM]
  6. In the VM, mount the CD with: mount /media/cdrom
  7. Enter the directory: cd /media/cdrom/RedHat/RPMS
  8. In my case I’m running a 64-bit kernel, so I use the 64-bit SMP kernel package:
    [root@lava2057 RPMS]# rpm -Uvh kernel-smp-2.6.9-42.EL.x86_64.rpm
  9. Unmount the CD and detach the CD/ISO
  10. Run up2date to make sure the new kernel you installed is up to date (chances are it isn’t, since RedHat has pushed out a newer kernel since the CDs were made)
  11. Edit the /boot/grub/grub.conf file, mine looks something like this before changes:
    default=2
    timeout=5
    splashimage=(hd0,0)/grub/splash.xpm.gz
    hiddenmenu
    title Red Hat Enterprise Linux ES (2.6.9-67.0.1.ELsmp)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-67.0.1.ELsmp ro root=LABEL=/ rhgb quiet
    initrd /initrd-2.6.9-67.0.1.ELsmp.img
    title Red Hat Enterprise Linux ES (2.6.9-42.ELsmp)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-42.ELsmp ro root=LABEL=/ rhgb quiet
    initrd /initrd-2.6.9-42.ELsmp.img
    title Red Hat Enterprise Linux ES (2.6.9-67.0.1.EL)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-67.0.1.EL ro root=LABEL=/ rhgb quiet
    initrd /initrd-2.6.9-67.0.1.EL.img
    title Red Hat Enterprise Linux ES (2.6.9-42.EL)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-42.EL ro root=LABEL=/ rhgb quiet
    initrd /initrd-2.6.9-42.EL.img
  12. I have 4 kernels installed: the original 64-bit (non-SMP) kernel, the 64-bit SMP kernel I just installed, and the most recently updated version of each. As you can see, “default=2” still points to the non-SMP kernel (grub numbers the title entries from 0). We want the 2.6.9-67.0.1.ELsmp kernel, so I change it to “default=0”
  13. Reboot the machine
  14. After it’s rebooted, log in and check ‘uname -a’; mine shows:
    Linux lava2057.lss.emc.com 2.6.9-67.0.1.ELsmp #1 SMP Fri Nov 30 11:57:43 EST 2007 x86_64 x86_64 x86_64 GNU/Linux

Simple eh? I know it’s not related to security, but I figured it’d be helpful to someone out there. :)
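The default= bookkeeping is easy to get wrong, since grub counts title entries from 0 and the kernel you want is not necessarily the first one listed. As an added example (my code, not the post’s procedure or anything shipped by RedHat), here is a small Ruby script that parses a grub.conf, resolves default= to the entry it actually selects, and reports whether that kernel is an SMP build; the grub.conf text embedded in it is constructed from the entries shown above, and the "smp" suffix check relies on RHEL’s kernel naming.

```ruby
# Added example: resolve grub.conf's "default=N" to the kernel it boots and
# check whether that kernel is an SMP build. The config below is constructed
# from the entries shown in the post; this is not RedHat or NSM-Console code.

SAMPLE_GRUB_CONF = <<~CONF
  default=2
  timeout=5
  splashimage=(hd0,0)/grub/splash.xpm.gz
  hiddenmenu
  title Red Hat Enterprise Linux ES (2.6.9-67.0.1.ELsmp)
  root (hd0,0)
  kernel /vmlinuz-2.6.9-67.0.1.ELsmp ro root=LABEL=/ rhgb quiet
  initrd /initrd-2.6.9-67.0.1.ELsmp.img
  title Red Hat Enterprise Linux ES (2.6.9-42.ELsmp)
  root (hd0,0)
  kernel /vmlinuz-2.6.9-42.ELsmp ro root=LABEL=/ rhgb quiet
  initrd /initrd-2.6.9-42.ELsmp.img
  title Red Hat Enterprise Linux ES (2.6.9-67.0.1.EL)
  root (hd0,0)
  kernel /vmlinuz-2.6.9-67.0.1.EL ro root=LABEL=/ rhgb quiet
  initrd /initrd-2.6.9-67.0.1.EL.img
  title Red Hat Enterprise Linux ES (2.6.9-42.EL)
  root (hd0,0)
  kernel /vmlinuz-2.6.9-42.EL ro root=LABEL=/ rhgb quiet
  initrd /initrd-2.6.9-42.EL.img
CONF

# Parse grub.conf text into { default: Integer, entries: [{ title:, kernel: }] }.
# Only the keys needed here are kept; grub's "default saved" form is not handled.
def parse_grub_conf(text)
  conf = { default: 0, entries: [] }
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    case line
    when /\Adefault\s*=?\s*(\d+)\z/ then conf[:default] = $1.to_i
    when /\Atitle\s+(.+)\z/        then conf[:entries] << { title: $1, kernel: nil }
    when /\Akernel\s+(\S+)/        then conf[:entries].last[:kernel] = $1 unless conf[:entries].empty?
    end
  end
  conf
end

# The entry grub will boot, or nil when default= points past the last entry.
def default_entry(conf)
  conf[:entries][conf[:default]]
end

# RHEL names its SMP kernels with an "smp" suffix, e.g. vmlinuz-2.6.9-67.0.1.ELsmp.
def smp_kernel?(entry)
  !entry.nil? && entry[:kernel].to_s.end_with?('smp')
end

# "/vmlinuz-2.6.9-67.0.1.ELsmp" -> [2, 6, 9, 67, 0, 1], so versions compare numerically.
def kernel_version(path)
  path.to_s.scan(/\d+/).map(&:to_i)
end

# Index of the newest SMP entry, i.e. the value to write into "default=".
def preferred_smp_index(conf)
  smp = conf[:entries].each_index.select { |i| smp_kernel?(conf[:entries][i]) }
  smp.max_by { |i| kernel_version(conf[:entries][i][:kernel]) }
end

if __FILE__ == $PROGRAM_NAME
  # Pass a real /boot/grub/grub.conf path to check a live system; otherwise use the sample.
  text = File.exist?(ARGV[0].to_s) ? File.read(ARGV[0]) : SAMPLE_GRUB_CONF
  conf = parse_grub_conf(text)
  cur = default_entry(conf)
  puts "default=#{conf[:default]} -> #{cur ? cur[:title] : 'OUT OF RANGE'} (SMP: #{smp_kernel?(cur)})"
  puts "set default=#{preferred_smp_index(conf)} to boot the newest SMP kernel" unless smp_kernel?(cur)
end
```

Run it against the sample and it reports that default=2 selects the non-SMP 2.6.9-67.0.1.EL entry and that default=0 is the one to set, which matches step 12; point it at your own grub.conf before rebooting to confirm the edit did what you meant.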

Flowtime – Create a timeline for packet flow

You can never have too many tools for pcap visualization :)

Flowtime is a script written in Ruby that produces a timeline of the network flows in a pcap file. Everything is better with a picture, so here’s one (warning: this picture is 3000×2000 pixels, kind of large):

[image: Flowtime timeline output, 3000×2000]

Each bar on the left is an IP address along with a port, and the timeline along the bottom is the capture time (in seconds). The different colors represent different kinds of traffic: HTTP is blue, SSL is red, yellow is other, etc. At the moment there isn’t a legend, but I already think it’s useful just to see patterns in the traffic over time.
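To make the picture concrete, here is an added Ruby example (mine, not Flowtime’s code) that builds the data behind such a timeline from constructed packet records: one bar per ip:port, spanning the first and last second it was seen, colored by service port as described above (HTTP blue, SSL red, anything else yellow), and optionally restricted to one source address the way the <ipaddr> argument is. The packet tuples, the port-to-color table and the pixel mapping are assumptions for illustration.

```ruby
# Added example, not Flowtime's code: compute the bars of a flow timeline from
# (seconds, src_ip, src_port, dst_ip, dst_port) records. Sample packets are
# constructed; the colors follow the post's description (HTTP blue, SSL red,
# other yellow).

SAMPLE_PACKETS = [
  [0.0, '10.0.0.5', 51000, '93.184.216.34', 80],
  [0.4, '93.184.216.34', 80, '10.0.0.5', 51000],
  [1.2, '10.0.0.5', 51001, '93.184.216.34', 443],
  [3.9, '93.184.216.34', 443, '10.0.0.5', 51001],
  [5.0, '10.0.0.5', 51002, '10.0.0.9', 22],
  [9.5, '10.0.0.9', 22, '10.0.0.5', 51002],
].freeze

# Assumed service-port table; anything not listed is "other".
PORT_COLORS = { 80 => 'blue', 8080 => 'blue', 443 => 'red' }.freeze

# Color a packet by whichever end is a known service port.
def flow_color(sport, dport)
  PORT_COLORS[dport] || PORT_COLORS[sport] || 'yellow'
end

# One bar per "ip:port" endpoint: { label:, start:, finish:, color: }, sorted by
# start time. `src_filter` keeps only packets sent by that IP ('all' keeps everything),
# mirroring the "<ipaddr> source address" argument in the usage text.
def flow_bars(packets, src_filter = 'all')
  bars = {}
  packets.each do |t, sip, sport, dip, dport|
    next unless src_filter == 'all' || sip == src_filter
    color = flow_color(sport, dport)
    [[sip, sport], [dip, dport]].each do |ip, port|
      key = "#{ip}:#{port}"
      bar = bars[key] ||= { label: key, start: t, finish: t, color: color }
      bar[:start] = t if t < bar[:start]
      bar[:finish] = t if t > bar[:finish]
    end
  end
  bars.values.sort_by { |b| [b[:start], b[:label]] }
end

# Map a capture time onto a pixel column for an image `width` pixels wide
# (Flowtime's default width is 2000).
def time_to_x(t, duration, width)
  return 0 if duration <= 0
  ((t.to_f / duration) * (width - 1)).round
end

if __FILE__ == $PROGRAM_NAME
  bars = flow_bars(SAMPLE_PACKETS)
  duration = bars.map { |b| b[:finish] }.max
  bars.each do |b|
    x0 = time_to_x(b[:start], duration, 2000)
    x1 = time_to_x(b[:finish], duration, 2000)
    puts format('%-22s %-6s px %4d..%4d', b[:label], b[:color], x0, x1)
  end
end
```

Feeding these bars to a plotting library (or, as Flowtime does, to EasyTimeline) is all that is left; the interesting part for spotting patterns is that each endpoint becomes one horizontal bar whose length is how long that port stayed in use.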

Download Flowtime here.

Requirements to run Flowtime:

Yea, I know, lots of dependencies, I’m hoping to rewrite this into a MUCH better version in the future, consider this the prototype :)

Here’s how to run it:

flowtime [-w #] [-h #] [-g] [--help] <pcapfile> <ipaddr> <outfile_base>
-w specify the width, default: 2000
-h specify the height, default: 2000
-g automatically try to generate a png (requires 'EasyTimeline' and 'pl' in path)
<pcapfile> the packet file to generate a graph of
<ipaddr> source address to generate a graph for, 'all' for all IPs
<outfile_base> basename for the output file

To generate a basic graph, just do something like ‘flowtime -g data.pcap all data-out’. After running this (if everything works okay), you should have a few files in your directory; open data-out.png to see the data as a timeline. If there were errors, there will be a file called data-out.err instead of data-out.png.

I know this script has issues, isn’t very user-friendly and doesn’t always work. Here’s what I’m hoping to improve for the next version:

I’m going to have to use a different framework though, I’m considering Tk, but I haven’t ever done anything with it before.

Questions? Concerns? Comments? Suggestions?

P.S. I already made an NSM-Console module for flowtime too ;)

Screencast: Creating a module for NSM-Console

It hasn’t been that long since my last screencast, but I thought I’d do another, this time showing how to create a module for NSM-Console (so now you have no excuse for not contributing!).

You can get the screencast here (right-click and download, don’t stream):

NSM-Console project page.

It’s under 10 MB and clocks in at 7 minutes and 14 seconds.

If you’re looking to make your own module, I highly recommend first reading this README file (found in the modules directory) and watching the screencast.

If you do make a module and would like it included with the NSM-Console distribution, let me know by sending me an email or leaving a comment.

The version of NSM-Console used in the screencast is version 0.4.

NSM-Console version 0.4 release

Well, it has barely been any length of time and there’s already a new release of NSM-Console. There are so many new features that I’ve been coding like crazy to get them all done. First, let’s start with the download:

http://writequit.org/projects/nsm-console/files/nsm-console-0.4.tar.gz

And, for anyone interested, here’s a rundown of the most notable new features:

Additional encoding/decoding options
You can now do uuencode and uudecode using encode and decode. In addition I’ve added octal and char decoding, more to come in the future!

The ‘print’ command (or just ‘p’)
NSM-Console now supports reading and printing pcap file connections as well as payloads in a variety of formats. If you use the ‘print’ or ‘p’ command without any arguments, usage is displayed. You can print just connection information, or you can print the payload in either ASCII or hex. The print command also supports ranges, *s and commas. For example, all of these are valid commands:
p -x 100
p -h 10-15
p 100-*
p -x 10,53-64,102,2037-*

To see the print command in more action, take a look at how it is used to decode the sans packet challenge.
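The range syntax is handy enough to be worth spelling out. As an added example (mine, not NSM-Console’s own parser), here is a Ruby implementation of the spec shown above: packet numbers are assumed to be 1-based and inclusive, ‘*’ stands for the last packet in the capture, and numbers outside the capture are dropped rather than treated as errors. The -x/-h flags are left out, since the post does not say which of them selects hex and which ASCII.

```ruby
# Added example, not NSM-Console's parser: expand the packet-range syntax shown
# for 'print' ("100", "10-15", "100-*", "10,53-64,102,2037-*") into the sorted
# list of packet numbers it selects. Assumptions: packets are numbered from 1,
# ranges are inclusive, "*" means the last packet.

class BadRangeSpec < ArgumentError; end

# Expand one comma-separated item for a capture holding `total` packets.
def expand_range_item(item, total)
  case item
  when '*'
    (1..total).to_a
  when /\A(\d+)\z/
    n = $1.to_i
    n.between?(1, total) ? [n] : []
  when /\A(\d+)-(\d+|\*)\z/
    lo = [$1.to_i, 1].max
    hi = $2 == '*' ? total : [$2.to_i, total].min
    lo > hi ? [] : (lo..hi).to_a
  else
    raise BadRangeSpec, "cannot parse #{item.inspect}"
  end
end

# Whole spec -> unique, sorted packet numbers. Whitespace around items is tolerated.
def parse_packet_ranges(spec, total)
  raise BadRangeSpec, 'empty range spec' if spec.to_s.strip.empty?
  spec.split(',').flat_map { |item| expand_range_item(item.strip, total) }.uniq.sort
end

# Collapse a number list back into compact "a-b,c" form, e.g. for logging what was printed.
def format_ranges(numbers)
  numbers.sort.uniq
         .slice_when { |a, b| b != a + 1 }
         .map { |run| run.size == 1 ? run.first.to_s : "#{run.first}-#{run.last}" }
         .join(',')
end

if __FILE__ == $PROGRAM_NAME
  total = 2040 # constructed packet count for the demo
  sel = parse_packet_ranges('10,53-64,102,2037-*', total)
  puts "#{sel.size} packets selected: #{format_ranges(sel)}"
end
```

Clamping rather than erroring on ‘2037-*’ against a shorter capture is a deliberate choice here: when you are paging through a dump you usually want "whatever is there" rather than a usage message.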

Color terminal text
Yep, nsm-console now supports color to brighten up your packet analysis experience :) If you are too dull to enjoy color (or don’t have a terminal that supports it), you can turn it off with the ‘color off’ command.

Added modules
I’m slowing down on finding modules that are easy to add, but I still managed to add 2: tcptrace and tcpick. Note that tcpick isn’t installed by default on a Hex 1.0.2 install, so you’ll need to install it yourself. In order to view the graphs generated by tcptrace, you’ll need to install xplot too. (Hopefully these will be included in the next version of Hex.)

~/.nsmcrc configuration file
When NSM-Console starts up, it will now check whether ~/.nsmcrc exists; if it does, it reads through the file and executes the commands found. For example:

[hinmanm@Euclid] $ cat ~/.nsmcrc
color off
eval $PROMPT="#{$GREEN}nsm#{$RESET}> "
# This is a comment
set honeysnap HOST_LIST 192.168.1.101,192.168.1.102

would turn color off, change the prompt to be green (yea, I know, a contradiction, it’s just an example) and set up some of our honeysnap options. Any line starting with “#” is ignored as a comment. This should help with the tediousness of having to set the same options every time you start nsm-console.
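One caveat worth adding: a file of commands that is executed every time the tool starts (including eval lines, which evaluate code in your session) is only as trustworthy as its permissions, so a loader should check them before running anything. As an added example (mine, not NSM-Console’s own loader), the following Ruby reads an rc file of the shape shown above, dropping comments and blank lines, and refuses a file that is not owned by the current user or that group or world can write to; the sample file it writes is constructed from the example above.

```ruby
require 'tempfile'

# Added example, not NSM-Console's loader: read startup commands from an rc
# file of the shape shown in the post (one command per line, "#" comments and
# blank lines ignored) and refuse the file if anyone else could have edited it,
# since every line in it is executed in the user's session.

class UnsafeRcFile < StandardError; end

# Raise unless the file is owned by us and writable by nobody else.
def check_rc_permissions!(path)
  st = File.stat(path)
  raise UnsafeRcFile, "#{path}: not owned by uid #{Process.uid}" unless st.uid == Process.uid
  if (st.mode & 0o022) != 0
    raise UnsafeRcFile, format('%s: mode %o is group/world-writable', path, st.mode & 0o777)
  end
end

# Commands in file order, with comments and blank lines dropped.
def read_rc_commands(path)
  check_rc_permissions!(path)
  File.readlines(path).map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
end

# Write a constructed rc file (the post's ~/.nsmcrc example) to a temp file
# with the given mode; returns the Tempfile so the caller controls its lifetime.
def write_sample_rc(mode)
  f = Tempfile.new('nsmcrc')
  f.write(<<~'RC')
    color off
    eval $PROMPT="#{$GREEN}nsm#{$RESET}> "
    # This is a comment
    set honeysnap HOST_LIST 192.168.1.101,192.168.1.102
  RC
  f.close
  File.chmod(mode, f.path)
  f
end

if __FILE__ == $PROGRAM_NAME
  good = write_sample_rc(0o600)
  puts read_rc_commands(good.path)
  bad = write_sample_rc(0o666)
  begin
    read_rc_commands(bad.path)
  rescue UnsafeRcFile => e
    puts "refused: #{e.message}"
  end
end
```

The same check applies to any dotfile a tool evaluates on startup (.bashrc, .xinitrc, .mrxvtrc included): a quick ‘ls -l ~/.nsmcrc’ showing -rw------- or -rw-r--r-- is what you want to see.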

Bugfixes, always bugfixes
Who doesn’t like bugfixes?

You can see the full list of all the changes in this version here, as well as future TODOs here. I’d like to give a big thanks to Scholar for letting me use his pcap parsing library; this way nsm-console doesn’t depend on any external libraries. Thanks Scholar!

I’ve also set up an NSM-Console wiki page over on the trac, in case you’re having trouble finding any of the information or want to download an older release.

Backdoors available for analysis

Found a couple of backdoors that had been downloaded to a box of mine. They are available here for your convenience (if the links go down, I’ll put them up for download on a mirror):

http://geocities.com/crewnewbie/tools/cbk.tar.gz
http://geocities.com/evikhobare/chanarybot.tar.gz

From my preliminary findings, they both contain the XHide process faker, and one of them includes a remote-connect backdoor. I’d welcome any forensic insight into these, as I don’t have a whole lot of experience with process/machine forensics. There are still some processes running from the offending user(s); I am wary of killing anything. In the meantime I’ll be doing my own analysis and hopefully reporting on it here.

Advice? Suggestions?

EDIT: The system is a FreeBSD 6.2-RELEASE machine running on a SPARC processor.

Decoding the SANS Christmas packet challenge using only NSM-Console

In my never-ending quest to find justification for writing NSM-Console, I hereby present the following tutorial on how to decode the SANS Christmas packet challenge using nothing but NSM-Console:

I’m going to be using NSM-Console version 0.4-DEVEL, which adds the features that allow this analysis to be performed without external tools. You can get the development version here. Alright, let’s get this party started:

First things first: the fellows at SANS point you to the first packet in the xmas_Starter.pcap file, so let’s load up NSM-Console with the packet capture:

./nsm ~/xmas_Starter.pcap

Next, let’s print all the packets in this dump (since it’s a small file, there shouldn’t be too many):


Hex and NSM-Console source now browsable

You can now browse the source code for both the Hex liveCD and NSM-Console directly from the Rawpacket Hex trac.

If you’re interested in upcoming features in NSM-Console, you can check out the latest TODO file here.

Thanks go to spoonfork who switched us over from CVS to SVN without any major headaches :)

NSM-Console version 0.3 release

Yep, I’ve just been cranking out code lately, so I am proud to present the 0.3 release of nsm-console!

You can download NSM-Console here:

http://writequit.org/projects/nsm-console/files/nsm-console-0.3.tar.gz

This release focused a bit more on usability, features and bugfixes than on new modules; however, a couple of modules were still added. Since this release has some pretty big changes, let’s start by going over some of the notable ones:

