:wq - blog » freebsd, “Tu fui, ego eris” (http://writequit.org/blog)

HeX 2.0, codename “Bonobo”, released!
http://writequit.org/blog/2008/10/05/hex-20-codename-bonobo-released/ (Mon, 06 Oct 2008)

After around 8 months of development, HeX 2.0, codename “Bonobo”, is released!

HeX is a liveCD developed by the rawpacket team that is based on FreeBSD 7.0 and designed to be used for network security monitoring.

There are a lot of new features and a lot of bugfixes that went into this release, but before we get into that, you can grab the iso here:

  • mirror 1 (Georgia Tech, USA) [iso] [md5] [sha]
  • mirror 2 (Rawpacket, USA) [iso] [md5] [sha] (md5 and sha are broken links right now, use the links from a different mirror until the files propagate)
  • mirror 3 (Rawpacket, Malaysia) [iso] [md5] [sha]

Some of the new features include:

  • Moved from FreeBSD 6.2 to 7.0 using the newer ULE scheduler instead of the 4BSD scheduler.
  • Integration with UnionFS.
  • Addition of many new tools like:
    • silktools
    • argus v3
    • dhcpdump
    • rtpbreak
    • pktstat
    • isic
    • tftpgrab
    • flowtag
    • yahsnarf
    • lots more!
  • Inclusion of zsh in addition to bash.
  • Lots of base package upgrades.
  • Additional signatures for fl0p, pads and tcpXtract.
  • Additional scripts for packet statistics and analysis.
  • NSM-Console updated to 0.8-dev.
  • Addition of Firefox plugins and bookmarks for network security.
  • New fluxbox themes and desktop wallpapers :)

Check out the HeX Trac page for the full list of what’s changed in this release. You can also check out some screenshots of the new release on Geek00l’s blog post. In addition to this release, we’ve begun working on the HeX Sensor project, a drop-in NSM sensor; hopefully we’ll have a release of that soon!

Thanks to the development team for all the work that went into this awesome release! Feel free to leave a comment about any new features you’d like to see, or join us on the mailing list or irc (#rawpacket on Freenode) to hang out and talk about ideas for the next release. Enjoy!

Flowtag FreeBSD port
http://writequit.org/blog/2008/07/14/flowtag-freebsd-port/ (Tue, 15 Jul 2008)

I just finished up the FreeBSD port for Chris and Scholar’s flowtag. Flowtag is a neat tool for tagging network streams for collaboration and analysis. I’ve submitted the port to FreeBSD’s mailing list, so I’m hoping for upstream soon. In the meantime, you can download the port files on my miscellaneous page.

In other news, development on Hex 2.0 continues forward; we’re trying to get ports finished for inclusion in the ISO (which is what spawned the flowtag porting). Malware analysis took a backseat to sysadmin work due to a rather large project that just finished up. Hopefully I’ll have more time to post here soon; here’s what I’ve been working on:

– A simple C program to measure the index of coincidence of a file (for binary data instead of strings). This was going great until I tried it on a non-OSX OS, now I’m running into segfaults trying to get it to run on Linux (does read() behave differently or something?). I’ve also ported it to Windows (which works), but was a giant pain due to the fact that I don’t ever use Visual Studio.

– A binary file to hex string beautifier; basically, take binary data and print it in really nice strings for either a ruby or a C program. Why? Because I’m tired of manually formatting data for programs.

– A program to generate data with variable amounts of randomness (this is really used for work, but I might end up posting it here depending on whether I think it’s neat enough).

– Rewriting labview (our internal machine allocation management software). Okay, so Jon’s really doing most of the work, but that’s mostly because I don’t know how to do SQL “relations”; I’ll do more of the development soon enough.

– Biking to work. Yea, this isn’t technical, but I got a new bike so I’ve been trying to cut down on the commute, save gas, all that kind of stuff.

UPDATE: Just got an email the flowtag port has been committed, it should be showing up the next time you do a “cvsup” :)

Get disass-cli working properly on OSX and FreeBSD
http://writequit.org/blog/2008/04/11/get-disass-cli-working-properly-on-osx-and-freebsd/ (Fri, 11 Apr 2008)

I’ve been digging into the world of exploit writing lately. While working on Defcon‘s previous year’s CTF qualification programs, I ran into Atlas’ presentation “Kiddie to Hacker in 5 sleepless nights”, which talks about some of his mindset when he first got into binary exploitation.

Atlas has written a tool called disass to aid in disassembly and analysis. It is a really cool tool, but it can be kind of annoying to get running on different operating systems thanks to Python’s amazingly helpful error messages </sarcasm>

Firstly, make sure you install the dependencies: Python (duh), psyco, atlasutils (from Atlas’ blog), libdisassemble and vtrace (from the Kenshoto guys). Then, install disass-cli (also from Atlas’ blog) just like you would any other Python program. You might need to symlink /usr/local/bin/python to /usr/bin/python, since disass-cli’s shebang line is hardcoded to /usr/bin/python.

The first time you run disass-cli, you’ll probably hit this error:

# disass-cli
Traceback (most recent call last):
File "/usr/local/bin/disass-cli", line 3, in <module>
from disass3 import *
File "/usr/local/lib/python2.5/site-packages/disass3/__init__.py", line 105, in <module>
import bsddb
File "/usr/local/lib/python2.5/bsddb/__init__.py", line 51, in <module>
import _bsddb
ImportError: No module named _bsddb

Cryptic, eh? Googling is not so helpful on this one (“Recompile Python!”). To fix the problem on FreeBSD, you need to install /usr/ports/databases/py-bsddb, which will rebuild Python with the necessary libraries; easy fix.

On OSX, you’ll need to download the newest Python distro .dmg from python.org (which will have the correct libraries). Now you can update the symlink by doing:

# rm /usr/bin/python
# ln -s /Library/Frameworks/Python.framework/Versions/2.5/bin/python /usr/bin/python

as root. Now you should be able to reinstall the dependencies for disass using the newer Python distribution and disass-cli shouldn’t complain anymore, silly broken Apple versions of Python.

Note: Alternatively, you can edit the disass-cli Python file (in /usr/local/bin/disass-cli) to use the Python distribution you installed directly without changing the symlink, that way everything else still uses Apple’s version of Python (don’t forget to install the dependency libraries for the newer version of Python also).

Hope this helps someone, exploit writing is new to me, coming from more of a network-side, always fun to learn new things :)

Create a passive network tap for your home network
http://writequit.org/blog/2008/02/22/create-a-passive-network-tap-for-your-home-network/ (Fri, 22 Feb 2008)

In my home network, I have a passive tap sitting between my cable modem and my router; instead of spending tons of money, I made my own. They’re surprisingly simple to make, and also extremely simple to use.

Let’s start with the wiring. At a local electronics store, I purchased 4 RJ-45 wiring plugs (I probably shouldn’t have bought solder-less ones, but I didn’t feel like buying a board to solder them to). 2 of the ports will be used for entry and exit, the other two for taps. We need the 2 extra ports so that inbound data is passed through one tap port and outbound data is passed through the other.

Set up the wiring as shown in this wiring diagram (credit goes to the Snort team for the diagram):

[Image: tapdiagram.gif, the passive tap wiring diagram]

Personally, I split open a network cable and used the wires inside just so the color coding could be correct; that’s probably the easiest way to wire the ports.

After wiring the ports, you should be able to test that data passed from one host port to the other host port is unchanged. Below is a picture of the tap I created. Yes, I know it’s very messy; the box I bought for it didn’t fit the way I wanted.

[Image: tap.jpg, photo of the finished tap with ports labeled “tap 1” and “tap 2”]

The next thing to do is to connect the two ports (labeled “tap 1” and “tap 2” in the picture above) to 2 NICs in the machine of your choice. I’m using FreeBSD to manage the bridge. If you want to monitor outbound and inbound traffic separately, you’re done: just start tcpdump on each interface and you should be able to see all the traffic.

If you want to monitor both outbound and inbound traffic on the same interface, you’ll need to bridge the interfaces. You can accomplish this in FreeBSD with the following:

shell> ifconfig bridge create
shell> ifconfig bridge0 addm ed0 addm ed1 monitor up
shell> tcpdump -i bridge0
(or run snort/bro-ids/argus/etc on interface bridge0)

In this case, my network cards are ed0 and ed1; if you have different network interfaces, substitute them instead. You don’t need to assign an address to the bridge interface: since the only wires that are connected are the receive wires, it couldn’t transmit through the taps even if it wanted to. For more advanced bridging, check out the FreeBSD manual on bridging.

I should note though, that you’ll need a 3rd network card in the monitoring machine if you want to remotely manage the machine.
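The bridge setup above, as an added example that is not part of the original post: a small POSIX sh helper that builds the ifconfig sequence from the tap’s two NIC names, refuses malformed or duplicate names, and checks a saved "ifconfig bridge0" listing for the two properties a passive sensor bridge must have (the MONITOR flag set and no inet address bound). The NIC names ed0/ed1, the DRY_RUN, NIC_A and NIC_B variables, and the two sample ifconfig listings are assumptions constructed for this example; the flag names follow FreeBSD’s ifconfig output.

```shell
#!/bin/sh
# Added example, not code from the original post: helper for the tap-monitoring
# bridge. The NIC names (ed0/ed1), the DRY_RUN/NIC_A/NIC_B variables and the
# sample ifconfig listings below are assumptions made up for this example.

# Accept only plain interface names such as ed0 or em1, so a stray argument
# cannot be spliced into an ifconfig command line; the bridge itself is rejected.
valid_nic() {
    case "$1" in
        *[!a-z0-9]*|""|bridge*) return 1 ;;
        [a-z]*[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the exact command sequence that turns the two tap legs into one
# receive-only monitor interface. "monitor" tells if_bridge to discard each
# frame once bpf (tcpdump, snort, argus ...) has seen it, so nothing is
# forwarded between the legs, and no address is ever assigned to bridge0.
bridge_cmds() {
    valid_nic "$1" && valid_nic "$2" && [ "$1" != "$2" ] || return 1
    printf 'ifconfig bridge0 create\n'
    printf 'ifconfig %s up\n' "$1"
    printf 'ifconfig %s up\n' "$2"
    printf 'ifconfig bridge0 addm %s addm %s monitor up\n' "$1" "$2"
}

# Sanity-check saved "ifconfig bridge0" output: the MONITOR flag must be
# present and no inet/inet6 address may be bound. Returns 0 only if both hold,
# so it can be run periodically to spot configuration drift on the sensor.
bridge_is_passive() {
    printf '%s\n' "$1" | grep -q '^bridge0:.*MONITOR' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]+inet6? ' && return 1
    return 0
}

# Constructed sample of a correctly configured bridge (flag words follow
# FreeBSD's ifconfig; the numeric flags value and MAC address are made up).
SAMPLE_OK='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        member: ed1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: ed0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Constructed sample of a bridge that was given an address and lost monitor mode.
SAMPLE_BAD='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        member: ed1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Print the commands by default; DRY_RUN=0 executes them (as root, on the sensor).
if [ "${DRY_RUN:-1}" = 0 ]; then
    bridge_cmds "${NIC_A:-ed0}" "${NIC_B:-ed1}" | sh -e
else
    bridge_cmds "${NIC_A:-ed0}" "${NIC_B:-ed1}"
fi
```

Run it as is to see the commands it would issue; DRY_RUN=0 as root on the sensor executes them. Afterwards, feeding the live "ifconfig bridge0" output to bridge_is_passive (for example from a cron job) catches a later change that binds an address to the bridge or drops monitor mode.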

Hex 1.0.3 released!
http://writequit.org/blog/2008/02/13/hex-103-released/ (Thu, 14 Feb 2008)

We just released Hex 1.0.3, the Chinese New Year release, although it’s closer to the Valentine’s day release. Congratulations to all the Hex developers for fixing bugs and adding features!

You can grab the iso here. [md5] [sha256]
Or, grab the iso from the mirror. [md5] [sha256]

Since Geek00l already covered a list of the most important changes in his blog post, I’ll just echo the changes in NSM-Console, which is the software that I develop. The version of NSM-Console in Hex 1.0.3 is 0.6-DEVEL, which can be obtained either by checking out the code from subversion (svn co http://svn.security.org.my/trunk/rawpacket-root/usr/home/analyzt/rp-NSM/nsm-console nsm-console), or waiting until I release 0.6 ;)

New Features:
– ‘dump’ command added: you can now dump packet payloads into a binary file for later analysis
– Significant speedups in the harimau module and ‘checkip’ command if wget is installed
– tcpxtract configuration file changed to extract more types of files
– Added foremost module
– Added clamscan module (thanks JohnQPublic)
– Argus and tcptrace have reverse DNS turned off by default now; it was causing the module to hang for extremely large pcap files. It can be switched back on by changing the module options
– rot13 encoding and decoding added
Bugfixes:
– alias command
– urlescape (en|de)coding
– file existence check
– many other things
All the other enhancements, bugfixes and additions.

Since Hex 1.0.2 had NSM-Console version 0.2 in it, if you haven’t downloaded the console or checked it out from subversion since the last hex release, here’s what else has been added since then:

Or you can view the TODO and CHANGELOG for NSM-Console directly. If you want to check out more information about either of the projects, check out the Trac pages for Hex and NSM-Console:

Now, onward to FreeBSD 7.0! :)

Switching from fluxbox to wmii on Hex
http://writequit.org/blog/2008/01/30/switching-from-fluxbox-to-wmii-on-hex/ (Wed, 30 Jan 2008)

Don’t get me wrong, I love fluxbox; I just enjoy experimenting with other window managers and decided I’d finally try the daunting wmii (turns out, not very daunting at all). So, here’s a quick rundown on getting wmii working on Hex 1.0.3BETA (this will work on pretty much any other Hex 1.* release as well). The steps should be about the same for a standard FreeBSD 6.2 release, although they may vary a little.

Step 1: Get the packages here: http://navi.eight7.org/~hinmanm/files/hex/wmii/, you will need all 4 packages. (hopefully my server doesn’t go down ;)

Step 2: Install the packages. With all the packages in the same directory do:
pkg_add -v ./wmii-3.5.1.tbz
The dependencies will automatically be installed along with it.

Step 3: Hex utilizes .bash_profile to actually do the starting of X11, if you take a look at the last line in ~/.bash_profile, you’ll see:
...
if [ -z "$DISPLAY" ] && [ -z "$SSH_CLIENT" ]; then
exec startx
fi

Since X is already started, the easiest way to have wmii started instead of fluxbox is to simply change your ~/.xinitrc file to read:
while wmii; do
true
done

Step 4: Restart X: kill X with Ctrl+Alt+Backspace. If everything works correctly, you should be staring at an extremely plain desktop. Hit Alt+Enter to open an xterm.

Step 5: wmii uses the /usr/local/etc/wmii-3.5/wmiirc file to store its configuration options. There are a few lines that need to be changed in order to fit wmii into Hex a little better:

WMII_TERM="xterm"
changes to:
WMII_TERM="mrxvt"

xsetroot -solid $WMII_BACKGROUND
changes to whatever background-setting command you like to use, mine is set to:
Esetroot -center /home/analyzt/rp-Wallpapers/rp-team.jpg

In addition, to make using Alt as the MODKEY non-annoying (change the MODKEY=Mod1 setting if you want to use something other than Alt), there are a few changes that should go into ~/.mrxvtrc:

The line:
Mrxvt.macro.Alt+1: GotoTab 1
changed to:
Mrxvt.macro.Ctrl+1: GotoTab 1

Repeat for all the GotoTab # commands. Since wmii uses Alt+# to switch workspaces, using them to switch mrxvt tabs doesn’t work either.
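The edits from Step 5 (the wmiirc terminal and wallpaper lines, and the Alt+N to Ctrl+N macro change repeated over every GotoTab line of ~/.mrxvtrc), as an added example that is not part of wmii, mrxvt or the original post: sed filters that make exactly those changes, plus a helper that applies a filter to a file while keeping a .orig copy. The wallpaper command passed in, the .orig backup suffix and the sample config lines in the usage comment are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of wmii, mrxvt or the original post: apply the Step 5
# configuration changes with sed instead of editing by hand. The wallpaper
# command and the .orig backup suffix are assumptions made for this example.

# Rewrite mrxvt tab-switching macros from Alt+N to Ctrl+N (stdin to stdout) so
# they no longer collide with wmii's Alt+N workspace keys. Only GotoTab macros
# are touched; every other Alt binding passes through unchanged.
remap_gototab() {
    sed -E 's/^(Mrxvt\.macro\.)Alt(\+[0-9]+:[[:space:]]*GotoTab[[:space:]]+[0-9]+)/\1Ctrl\2/'
}

# Point wmiirc at mrxvt and replace the xsetroot line with the wallpaper command
# given as $1 (stdin to stdout). '|' is the sed delimiter so $1 may contain '/',
# but it must not itself contain '|' or '&'.
patch_wmiirc() {
    sed -E -e 's/^WMII_TERM="xterm"/WMII_TERM="mrxvt"/' \
           -e "s|^xsetroot -solid [\$]WMII_BACKGROUND|$1|"
}

# Filter a file in place, keeping <file>.orig for rollback.
# $1 = file, remaining arguments = the filter command and its arguments.
edit_in_place() {
    f="$1"; shift
    cp "$f" "$f.orig" && "$@" < "$f.orig" > "$f"
}

# Usage on a Hex install (paths from the post; the wallpaper is the post's example):
#   edit_in_place ~/.mrxvtrc remap_gototab
#   edit_in_place /usr/local/etc/wmii-3.5/wmiirc patch_wmiirc \
#       'Esetroot -center /home/analyzt/rp-Wallpapers/rp-team.jpg'
```

Both filters are anchored to the start of the line and to the exact option text, so running them a second time is harmless: a line already reading Ctrl+1 or WMII_TERM="mrxvt" no longer matches.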

Step 6: Restart wmii: hitting ‘Alt+p’ and selecting ‘quit’ should prompt wmii to restart with the new settings. Now hitting Alt+Enter should open the standard mrxvt terminal.

Check out the guide for additional info on how to use wmii. I am loving the lightweight feel and speedy response I’m getting so far, it works great for running Hex in virtualization, as it’s even lighter weight than Fluxbox is.

Good luck!

P.S. Hex 1.0.3 should be out any day now; it will have the NSM-Console 0.5-DEVEL version on it, which I will also be releasing for download at the same time. Look forward to it!

NSM-console version 0.2 release
http://writequit.org/blog/2007/12/21/nsm-console-version-02-release/ (Sat, 22 Dec 2007)

I found out there is internet here, so I’m finally able to post some code changes I was working on while on the airplane.

Firstly, download the files here.
The static page for nsm-console is here.

I finally got around to releasing the next version of the nsm-console. This version incorporates a large number of bug fixes and additional features; I’ll start with some of the features I’m the most happy about :) Most of these features are in the new Hex 1.0.2 release, which came out yesterday (go download it now!)

  • Categories
    • You can now toggle certain categories on and off. For instance, one category shipped with the new release is the ‘flow’ category; you treat it just like a regular module. Simply use “toggle flow” to toggle the flow category (and all of its modules) on and off.
    • You can easily add your own categories to customize your work environment, all you have to do is create a file named the same name as the category name in the modules/categories directory.
  • Directory analysis
    • When you normally run the nsm-console, you would specify a single pcap file to perform analysis on; now you can use the same “file” command to specify a directory full of files instead of a single file. When the “run” command is executed, all the toggled modules’ operations will be executed on each file in the directory (recursively).
    • To better accommodate this type of operation, I encourage anyone that is writing any modules to write them to output the results into an output file named something like ${PCAP_BASE}.tcpdstat.out (so if you had more than 1 file, the output will go into more than one file)
  • The ‘exec’ command
    • I added the exec command because I was tired of spawning an additional shell in order to run a simple ‘tcpdump’. I hope this helps with the automation that I’m going to talk about below.

The directory functionality and the exec command aren’t in the current Hex release, but hopefully they will be in the next release.

Part of the reason I think nsm-console is neat is the ease of automation you can do using simple text files. For instance, if you created a text file called “automate.txt” and put the following lines in it:

file /pcap/data.pcap
output automated-output
toggle aimsnarf
toggle tcpdstat
toggle chaosreader
run
quit

Then, you can run the command:

./nsm < automate.txt > output.txt

This will run all the commands in the text file automatically, placing all the output in output.txt. Simple, eh?
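Extending the text-file automation above to a whole directory of captures, as an added example that is not code from nsm-console or the original post: these functions generate the same command script (file, output, toggle, run, quit) for each .pcap, name the output directory after the capture so results of different files never collide, and feed the script to ./nsm. NSM_HOME, the automated-<name> output naming and the module names in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of nsm-console or the original post: generate the
# command file shown above for every capture in a directory and run ./nsm on it.
# NSM_HOME and the automated-<name> output convention are assumptions.

# Print an nsm-console command script. $1 = pcap path (or a directory of pcaps),
# $2 = output directory, remaining arguments = modules to toggle on.
nsm_script() {
    pcap="$1"; outdir="$2"; shift 2
    printf 'file %s\n' "$pcap"
    printf 'output %s\n' "$outdir"
    for mod in "$@"; do
        printf 'toggle %s\n' "$mod"
    done
    printf 'run\n'
    printf 'quit\n'
}

# Output directory for a capture, derived from its basename, so the results for
# /pcap/data.pcap land in automated-data and not on top of another file's.
outdir_for() {
    printf 'automated-%s\n' "$(basename "$1" .pcap)"
}

# Run one capture through the console non-interactively. The console's own
# transcript goes to <outdir>.log; module results go where "output" pointed.
nsm_batch_one() {
    pcap="$1"; shift
    outdir=$(outdir_for "$pcap")
    nsm_script "$pcap" "$outdir" "$@" | (cd "${NSM_HOME:-.}" && ./nsm) > "$outdir.log"
}

# Process every .pcap in directory $1 with the modules given as the remaining
# arguments, one console session per capture.
nsm_batch_dir() {
    dir="$1"; shift
    for pcap in "$dir"/*.pcap; do
        [ -f "$pcap" ] || continue      # no captures: the glob stayed literal
        nsm_batch_one "$pcap" "$@"
    done
}

# Usage (module names as in the post's automate.txt):
#   NSM_HOME=/usr/home/analyzt/nsm-console nsm_batch_dir /pcap aimsnarf tcpdstat chaosreader
```

Because each capture gets its own session and its own output directory, a module that hangs or fails on one oversized pcap (the reverse-DNS problem mentioned in the Hex 1.0.3 notes, for instance) only affects that capture's log, and the loop simply moves on to the next file.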

If you have any questions, comments or suggestions, feel free to leave a comment or send an email :) I’d love to hear if/how you’re using nsm-console :)

Packages to get svn working on Hex 1.0.*
http://writequit.org/blog/2007/12/03/packages-to-get-svn-working-on-hex-10/ (Tue, 04 Dec 2007)

Trying to run svn on Hex 1.0.*, you get the following error:

/libexec/ld-elf.so.1: Shared object "libaprutil-1.so.2" not found, required by "svn"

As geek00l pointed out, this can be fixed by issuing the following command:

cd /usr/ports/devel/apr-svn/ && make install clean

That assumes you have a ports tree downloaded into Hex, but what if you don’t have access to the ports tree? (I can’t download the ports tree from my work.) Well, I’ve created the packages you need to install in order to get svn to work properly.

First, download db42-4.2.52_5.tbz and apr-gdbm-db42-1.2.8_2.tbz to the same directory somewhere on the Hex machine. Then issue the following command:

sudo pkg_add -v ./apr-gdbm-db42-1.2.8_2.tbz

This will automatically install the db42 package as a dependency. After installing the apr package, svn should work without any problems.

You can see more packages on the Hex project page.

First extra package available for Hex 1.0.2! (honeysnap-1.0.6.11)
http://writequit.org/blog/2007/11/23/first-extra-package-available-for-hex-102-honeysnap-10611/ (Fri, 23 Nov 2007)

The first addon packages are now available for Hex (version 1.0.1 or 1.0.2)! I have successfully created a FreeBSD port and a Hex package for the honeysnap project. You can find the files here (navi.eight7.org) until they are put into an official hex repository.

If you only want the port, download the honeysnap-1.0.6.11.tar.gz file (note that this file will require a full /usr/ports tree in order to build any dependencies, make sure you fetch the ports on a Hex install before trying to build from source). Untar the file (I usually put it in /usr/ports/security/honeysnap), enter the directory and issue the following command:

sudo make install

It should automatically build all the dependencies and install honeysnap for you.

If you want a faster way, download the honeysnap-1.0.6.11.tbz package and its dependency, the py25-setuptools-0.6c7_1.tbz package, into the same directory and issue the following:

sudo pkg_add -v ./honeysnap-1.0.6.11.tbz

The setuptools package will automatically be installed as a dependency.

After installation, you should be able to type “honeysnap” and get all the command-line options, happy honeysnap-ing!

As always, if you have any questions or problems, feel free to email me or leave a comment!

P.S. Forgot to mention, the package above will only work for Hex 1.0.*, however, the port (the honeysnap-1.0.6.11.tar.gz file) will work on both Hex 1.0.* and FreeBSD 6.* without a problem. Hopefully I’ll be submitting it to the FreeBSD team for review soon to have it included in the standard ports :)

Joining the Hex Network Security Monitoring LiveCD project
http://writequit.org/blog/2007/11/20/joining-the-hex-network-security-monitoring-livecd-project/ (Tue, 20 Nov 2007)

Yep, that’s right, I’m going to be helping out with the Hex LiveCD project. I will hopefully be doing some development for some of the NSM tools and fixing bugs in the CD. In case you don’t know what Hex is, let me give you a little synopsis (from the Trac):

“HeX LiveCD is a Network Security Monitoring (NSM) centric Live CD, built based on the principles of NSM, for analyst, by analyst. Besides containing most of the popular Open Source NSM tools, the HeX Live CD also contains tools to perform network forensics. This Live CD was built based on the 6.2 Release of FreeBSD, and provides Fluxbox as the default desktop environment. It also includes an installer for installing HeX to hard disk.”

I’m already working on extending the NBF (Network-Based Forensics) offline script to include support for my aimsnarf script. I’m excited about being able to help, hopefully I’ll be able to be useful to the project as well as learning some of the tools I haven’t used before myself :)

Geek00l will be leading the project with enhanced, chfl4gs and others all providing dev support. I was even going to wait until he announced it before writing this post, but he just keeps saying he’ll do it tomorrow ;)

If you’re interested in the project or any of its details, feel free to join us on #rawpacket on Freenode for chatting! (I go by the nick dakrone on IRC)
