The first addon packages are now available for Hex (version 1.0.1 or 1.0.2)! I have successfully created a FreeBSD port and a Hex package for the honeysnap project. You can find the files here (navi.eight7.org) until they are put into an official hex repository.

If you only want the port, download the honeysnap-1.0.6.11.tar.gz file (note that this file will require a full /usr/ports tree in order to build any dependencies, make sure you fetch the ports on a Hex install before trying to build from source). Untar the file (I usually put it in /usr/ports/security/honeysnap), enter the directory and issue the following command:

sudo make install

It should automatically build all the dependencies and install honeysnap for you.

If you want a faster way, download the honeysnap-1.0.6.11.tbz package and it’s dependency the py25-setuptools-0.6c7_1.tbz package into the same directory and issue the following:

sudo pkg_add -v ./honeysnap-1.0.6.11.tbz

The setuptools package will automatically be installed as a dependency.

After installation, you should be able to type “honeysnap” and get all the command-line options, happy honeysnap-ing!

As always, if you have any questions or problems, feel free to email me or leave a comment!

P.S. Forgot to mention, the package above will only work for Hex 1.0.*, however, the port (the honeysnap-1.0.6.11.tar.gz file) will work on both Hex 1.0.* and FreeBSD 6.* without a problem. Hopefully I’ll be submitting it to the FreeBSD team for review soon to have it included in the standard ports

Yep, that’s right, I’m going to be helping out with the Hex LiveCD project. I will hopefully be doing some development for some of the NSM tools and fixing bugs in the CD. In case you don’t know what Hex is, let me give you a little synopsis (from the Trac):

“HeX LiveCD is a Network Security Monitoring (NSM) centric Live CD, built based on the principles of NSM, for analsyst, by analyst. Besides containing most of the popular Open Source NSM tools, the HeX Live CD also contains tools to perform network forensics. This Live CD was built based on the 6.2 Release of FreeBSD, and provides Fluxbox as the default desktop environment. It also includes an installer for installing HeX to hard disk.”

I’m already working on extending the NBF (Network-Based Forensics) offline script to include support for my aimsnarf script. I’m excited about being able to help, hopefully I’ll be able to be useful to the project as well as learning some of the tools I haven’t used before myself

Geek00l will be leading the project with enhanced, chfl4gs and others all providing dev support. I was even going to wait until he announced it before writing this post, but he just keeps saying he’ll do it tomorrow

If you’re interested in the project or any of it’s details, feel free to join us on #rawpacket on Freenode for chatting! (I go by the nick dakrone on IRC)

I want to point out the excellent baseline firewall rules posted by rmogull over on his blog. Check them out if you’re looking for a starting point for ipfw rules on OSX. Thanks rmogull!

UPDATE 2:
njstaticuser mentioned he would like to know where to get this file below: I believe the file should be in /opt/local/var/macports/build/ – there should be a folder called _opt_local_var_macports_sources_rsync.macports.org_release_ports_<ettercap-ng> where <ettercap-ng> will be something like “net_ettercap-ng” (I don’t know the exact name because it has been cleaned from that directory). Under this directory there will be another directory called “work” and under the work directory will be another directory named after the ettercap dist file. Inside this directory you’ll want to look under src/interfaces/curses/widgets/ for the wdg.h and wdg.c files.

If all else fails, run “sudo find /opt/local/var/macports/build -name "wdg.*" -print” and it should print the locations of the files. NOTE: These files will only exist *after* attempting the build with macports, so attempt to build first (sudo port install ettercap-ng), and then look for the files. Hope this helps!

UPDATE:
After talking to people in IRC, I found the real root of this problem, wdg.h and wdc.h need to have #include <sys/types.h> included at the top of the file. At this time, I recommend you attempt the install using MacPorts by doing sudo port install ettercap-ng, let it fail, then go into the directory containing the macports build source, add the include into the 2 files, then run sudo port install ettercap-ng again, it will succeed and your copy of ettercap should work!

Thanks @ Raim in #macports and dmacks in #fink for helping track this down. You can see the bug here.

Original message below:

This is a continuation of the pthread error that I mentioned in a previous post

I finally got it working natively; you might be familiar with the following error when trying to compile ettercap-ng using either fink or natively:

gcc -DHAVE_CONFIG_H -I. -I. -I../../../../include -I/sw/include -O2 -funroll-loops -fomit-frame-pointer -Wall -I/sw/include -I/sw/include -I/sw/include -I/sw/include -g -O2 -c -o libwdg_a-wdg.o `test -f 'wdg.c' || echo './'`wdg.c
In file included from wdg.c:23:
./wdg.h:189: error: syntax error before 'u_char'
./wdg.h:189: warning: no semicolon at end of struct or union
./wdg.h:190: warning: type defaults to 'int' in declaration of 'border_color'
./wdg.h:190: warning: data definition has no type or storage class
./wdg.h:191: error: syntax error before 'focus_color'
./wdg.h:191: warning: type defaults to 'int' in declaration of 'focus_color'
etc etc, errors go on forever...

Well, after poking around in the code I was able to find where to fix the code so that it would compile. Open the directory src/interfaces/curses/widgets/ and edit the files wdg.c and wdg.h

Change all of the occurrences of “u_char” to “int” in these two files, you should now be able to compile without errors.

DISCLAIMER: I don’t know what kind of effect this will have on the curses interface, it will probably break the curses interface permanently, personally I use the text interface the entire time (so I run configure with --disable-gtk so I don’t have to deal with the hassle of installing the gtk/glib libraries), but at least you are able to compile, right?

I’ve tar’d up a patched version of the code and configure script (so you don’t get the pthread error). I am planning on hosting on navi.eight7.org, I will put it up and link to it when I’m able to access the machine (work firewall prevents it).

I’m still getting errors when ettercap tries to forward the packets, but I’m positive they are caused by linking to the wrong version of libnet, that has a different number of arguments to the libnet_write_raw_ipv4() function. If I get a fix I’ll post it here.

If you run into the following error trying to bootstrap fink (I was using version 0.27.8) on Leopard:

./Command/failure......................ok 1/0
./Command/failure......................NOK 24/0# Failed test at ./Command/failure.t line 85.
# ''
# !=
# '0'
./Command/failure......................ok 41/0# Looks like you failed 1 test of 49.
./Command/failure......................dubious
Test returned status 1 (wstat 256, 0x100)
DIED. FAILED test 24
Failed 1/49 tests, 97.96% okay

… snip …

Failed 1/39 test programs. 1/905 subtests failed.
make: *** [test] Error 1
### execution of make failed, exit code 2
phase compiling: fink-0.27.8-41 failed

Edit the following file:

<bootstrap_dir>/t/Command/failure.t
Replace <bootstrap_dir> with the directory you untar’d the fink-0.27.* tarball into.

Comment out line 85 by changing:
cmp_ok( $!, '!=', 0 );
To be:
#cmp_ok( $!, '!=', 0 );

Rebootstrap the fink and it should install without a problem.

Note: This is totally unsupported by the Fink team, and might produce unintended results According to the mailinglists, the error seems like it’s actually caused by perl 5.8.8 on Leopard instead of 5.8.6 on Tiger, so the test fails. If you want to install perl 5.8.6, you can link /usr/bin/perl to the older version and it should pass the tests.

Another quickie,

Anyone running into the following error:

$ sudo make install
Password:
/usr/bin/install -c -m 555 -o bin -g bin arpwatch /usr/local/sbin
install: bin: Invalid argument
make: *** [install] Error 67

When trying to install arpwatch, edit the Makefile and replace all the occurrences of “-o bin” with “-o root” and all the occurrences of “-g bin” with “-g wheel”

Hope this helps someone.

Yea yea, I know, it’s only been a few hours since the first release. Well, here’s the new release with a couple of major todos taken care of:

Download the script here.

Read about aimsnarf in the previous post about it.

Changes in this version:

• Trillian is now supported, as well as AOL’s AIM client. Most other clients should be supported too, I figured out the variable length/number of TLV fields in the packet, so aimsnarf is much smarter about decoding them
• Code cleaned up to be more readable
• Fixed some misc messages that were showing up, you still might see a few

Todos:

• Figure out what the heck iChat is doing, it doesn’t seem to be sending the same kind of data as all the other AIM clients
• Still do OTR stuff
• Maybe add support for different protocols?
• More testing!

If you find any bugs, send me a note or leave a comment. If you really want to help, you can send me some pcap data to analyze   If you have any feature requests, lemme know!

[UPDATE 11/13/07] : version 0.11 released

Firstly, download the script here.

aimsnarf.rb is a small (~200 lines) Ruby script that I’ve written to sniff and dump AOL IM messages to STDOUT. I wrote this an as alternative to aimsniff, because I really dislike having to install aimsniff and all of it’s dependancies when all I want is a simple text transcript. I really felt like the dsniff toolkit should have had something like this (they already have urlsnarf, filesnarf, etc) to be used for penetration testing.

The only thing aimsnarf requires is Ruby and the ruby-pcap library (which is waaay easier to install than the 10+ CPAN modules that aimsniff requires). After installing the pcap library, simply run aimsnarf.rb on the console, here’s the usage:

Use '-h' to display usage
Usage: aimsnarf.rb [ -dnv ] [ -i interface | -r file ] [ -c count ] [ -s snaplen ] [ filter ]
Options:
-n do not convert address to name
-d debug mode
-v verbose mode

Due to the way that ruby-pcap works, I don’t have control over the usage displayed, currently the only real options you should mess with are ‘-i interface‘ and ‘-r file‘, changing anything else might produce “unknown” consequences ;). If you want to see hex dumps of the AIM data, edit the script and change the line “ap.data_debug(0)” to be “ap.data_debug(1)“, this will display the hex data as it is received.

Ignore the “pcap.bundle: warning: do not use Fixnums as Symbols” warnings you get when you run the program, the warning lies with the ruby-pcap library, so it’s out of my hands to fix. When run correctly, you should see something like this:

****** --> <you>: <HTML>what're you up to?</HTML>
<you> --> ******: <HTML>doing some stuff</HTML>
****** --> <you>: <HTML>awesome</HTML>
<you> --> ******: <HTML>talkity talk talk</HTML>
etc, etc

“******” will be the screen name of the person that’s talking. Yes, AIM sends the HTML tags, I don’t put those on.

Tangent:
Let’s talk a little bit about how much I hate the AIM protocol
Take a look at the protocol listing as given from ethereal, you can see that each AIM packet actually holds a pretty good amount of information, turns out, AOL decided to make a ton of their fields variable length, which means a headache for me in decoding it, because the length has to be read, translated, then used to set the offset for reading the data, this is the reason the code for the script is incredibly messy, I plan on cleaning it up at a later time. In a future post, I’ll also go into more detail about how this particular script decodes the protocol (very much hackish at the moment).

Known Issues:

• Messages received by people who are away don’t get intercepted due to the packet being different than a regular incoming message packet
• Different clients might not work (depending on the features supported). Right now I’ve tested with GAIM/Pidgin and Adium, it looks like Trillian isn’t working correctly yet, although I’ve collected some data for analysis so I can get it working.
• This is probably the first *useful* script I’ve written in Ruby. I am not a ruby master so the code is really messy and probably badly written, have a problem with it? Send a patch!
• OTR encrypted chat interception doesn’t work (duh)

TODO (no particular order):

• Clean up code to make it easier to extend to different protocol/clients
• Fix the Trillian problem
• Test with AOL’s AIM client
• Fix the incoming/away message
• Correctly detect OTR chat and do (something?) about it

Remember people, don’t send credit card numbers, social security numbers, passwords, PIN numbers, etc over IM, ESPECIALLY when you’re somewhere like a coffeeshop using public wifi.

Thanks to the HeX LiveCD team for putting out a great release, already having the tools installed for use in a system is super helpful

Questions? Problems? Patches? Hatemail? Email me or leave a comment below!

I’ve spent the last week or so writing a customer emulation script for the QA group here to test some of our archiving products. If you’re unfamiliar with PHFOS/CIOSim, take a look here. In short, PHFOS/CIOSim is a small multi-threaded program that randomly selects files in a given directory to open and hold open.

I started out writing the script in Perl, which at this point is the scripting language I know the best, I then decided that now is as good a time as any to learn Ruby (which I’ve been interested in for a while now), so I re-wrote the entire program in Ruby (first *useful* script I’ve actually written in Ruby). Then, one day at work I was told that I needed to extend the program to support 5000 simultaneous threads doing disk I/O. I thought about this for a while and (after talking with my friend Jon about it) decided on using Java, as the threading was much more robust (something I had problems with using Ruby and Perl). Well, I’ve got working versions of all 3 programs and I thought I’d share my perspective on the pro’s and con’s of each one:

Java pro’s:

• Most robust thread implementation of the 3 languages
• Handles SMP much better than ruby
• Code is portable with minimum requirements to run
• OO language (a bigger pro to actual developers who this matters more to)

Java con’s:

• JVM overhead (not really that much nowadays)
• More difficult to read due to Java’s extreme verbosity
• Requires jdk 1.5+ (1.4 is still the only actual “supported” JDK in my company)

Ruby pro’s:

• Most readable code of all 3 (shortest too)
• I got to learn Ruby
• Ruby implementation available for most platforms
• More OO than Perl (not that I used OO…)

Ruby con’s:

• Ruby only took advantage of 1 of my CPU cores (Java used both)
• Ruby is slower than Perl (maybe one day they’ll be just as fast?)
• Almost no one in my department has heard of Ruby

Perl pro’s:

• Super-easy to install with ActiveState for windows, comes default with most *nix
• Super-easy to install the required module: perl -MCPAN -e shell ; install File::Random
• Allows fine-grain tuning of thread parameters (adjustable thread stack size)

Perl con’s:

• If you don’t have threaded perl, gotta reinstall (/cry @ Solaris)
• Least readable code (unless you loooovvve punctuation)
• Perl doesn’t like me spawning millions of threads and detaching all of them

Overall, since I need code that’s portable to multiple platforms easily, while allowing for very large amounts of IO, I’ll probably stick to the java version (which was renamed CIOSim [Customer I/O Simulator] because you actually pronounce it :P), followed by the Ruby version (so easy to write), and then the Perl version, which, actually has the largest amount of features.

I haven’t written all the features into each version yet (except for the Perl one), but, if you’d like to take a look at them, here they are:

Java version
Ruby version
Perl version

Next tool I need to write, I’ll probably be looking at Ruby

Anyone out there use anything different for sysadmin tools? Python? Lisp? Assembler? Leave a comment and let me know

Thanks to Jon for pointing this out to me, we’re pretty sure that the reason perl chokes and gives you a bus error (on OSX) when you run PHFOS [script] like this:

./phfos.pl -d <dir> -r -v --min=2 --max=3 -n 1000

We’re actually guessing that after allocating too many threads, since we aren’t immediately exiting the thread after reading (what –readstop does), we allocate past the amount of stack space perl allocated us, giving us the EXC_BAD_ACCESS (0x0001) error.

Well, how do we fix that? Turns out perl has an option to set individual stack sizes per thread, so if you decrease the size of the stack per thread, we could allocate more threads. Only 1 problem, on OSX

perl -e'use threads; print(threads->get_stack_size(), "\n")'

Gives you:

Can't locate auto/threads/get_stack_s.al in @INC (@INC contains: /System/Library/Perl/5.8.8/darwin-thread-multi-2level /System/Library/Perl/5.8.8 /Library/Perl/5.8.8/darwin-thread-multi-2level /Library/Perl/5.8.8 /Library/Perl /Network/Library/Perl/5.8.8/darwin-thread-multi-2level /Network/Library/Perl/5.8.8 /Network/Library/Perl /System/Library/Perl/Extras/5.8.8/darwin-thread-multi-2level /System/Library/Perl/Extras/5.8.8 /Library/Perl/5.8.6 /Library/Perl/5.8.1 .) at -e line 1

Anyone else can read about setting stack sizes for perl scripts here (look for the THREAD STACK SIZE section)

Now I need to somehow figure out how I’m going to set thread stack size without being able to see what the values are…

Suggestions?