Saturday, 29 August 2009

Security-Onion, because there are layers to security

The Security-Onion is a live CD tool. As the site states:

The Security Onion LiveCD is based on Xubuntu 9.04 and contains Snort 2.8.4.1, Snort 3.0.0b3 (Beta), sguil, idswakeup, nmap, metasploit, scapy, hping, fragroute, fragrouter, netcat, paketto, tcpreplay, and many other security tools.
Most (if not all) of the tools I have been posting on can be found compiled and ready on this distro.

The only fault I have with it is Xubuntu. I am not a fan. But this is just personal preference. I shall likely always remain a dinosaur who likes easier access to the text configurations over GUI based tools.

Best of all, there are a number of tools such as Cheops-ng that can be difficult to get running on newer versions of Linux (without adding a pile of outdated libraries).

The CD is a great way to get a set of tools up and running fast and effectively.

Good work Doug & Mubley.

Friday, 28 August 2009

Netdude

Netdude is a tool for manipulating packets. If you can not write code to manipulate packets - or like me, are too lazy/busy to always do that, Netdude is the answer.
Netdude is another libpcap based program. As you can see from the image loaded above, we can load a pcap capture file into the program and view the output line by line.

By selecting the tabs, we can drill down and view selected packets in a more user friendly manner. In the images below we will drill down from the pcap capture to the payload using netdude.
Here we start with the details from the pcap file itself on the individual packet.
And next the Ethernet header. All we do to jump to the different sections of the packet is to click on the related field.
Then the IP header.
The TCP header.
And the packet payload. This in itself would have use, but the real purpose of netdude is to allow us to change these values. By clicking on any of the fields, we are given a dialog box that we can enter a new value into.

For instance, in the image below, I have decided to click the destination address under the IPv4 header:
In this case I have changed the destination from 203.57.21.103 to 203.57.21.100.
You can note from the image above that the destination IP address is now 203.57.21.100 and has changed from the previous packets that I displayed. Also note that the checksum is highlighted in red as this is no longer correct. We now need to fix this.

To fix this, select:
-> Plugins -> 'Checksum Fixer'

This is located on the top menu.
Now you see that the checksum is no longer highlighted and our packet has been altered. At this point we could save the pcap file with the altered variables.

Why you ask?

Netdude allows you to create 'canned' packet traces. For pen testing, you can change the destination and run a defined test stream. For load tests you can place separate server under different loads. The good bit being that you have a set pcap that you can use as the input. Hence a baseline.

The thing is, pcap captures can be replayed.

Thursday, 27 August 2009

Ettercap

Ettercap is an interception tool. This is, it can be used to sniff traffic and inject packets into the stream. This is activity that is generally associated with MiTM (Man in the middle) attacks. On the right side of the fence, this can be useful in pen tests and other audits. Many of the uses are not so noble. Much of this comes down to intent.

You can download ettercap from this link.

Ettercap is used primarily for arp poisioning and sniffing. It can also re-route traffic and filter it. This is, it can sit in the middle of a transaction stream and change the data.

There is a good tutorial on the creation of ettercap filters available here and another one here.

Ettercap has the ability to actively or passively find other poisoners on the LAN. This is a feature that is truly useful. This is not just as an attack tool, but in defending networks. There are other options for this such as ArpWatch that do not have the negative features that ettercap can pose to a production network.
More on arpwatch another time.

Ettercap is also a password collector, so finding unauthorised and monitored version sof this software on a network is rarely a good thing.

The ettercap man file has a number of examples on its use. This is the first place to read.

For this post, I will cover the use of the console (see the links above for details on writing ettercap filters).

Fro the console exercise, we will use the command;

  • 'ettercap -Tzq -i eth0'
This command places ettercap into console mode without arp scanning the network (which can result in a DoS in some production networks). This also runs in quiet mode so that ettercap does not display all of the packets that it captures and it is listening on the eth0 interface.

In this mode, selected passwords will be displayed and the hosts will be logged.
Having run for a couple minutes, you can see the output of my system as the password (obscured) have been captured from the Pop3 email sessions that I started for this. Also not the DNS requests:
In console mode, there are a number of options to display the captured data (typer 'h' for the help screen for details). For instance, enter 'c' on the main screen for a list of connections:
Use the console interface, do not ARP scan the net and be quiet.
The packet content will not be displayed, but user and pass-
words, as well as other messages, will be displayed.

The program can also read a pcap forat capture file as input:
  • ettercap -r (additional options here)
In the example in the image above, we see the username and password from the Spyking software installer as it authenticates to its site. In analysing the Spyking software, I captured a network trace. We see in this where the software authenicates to the server to register my account.

One final use of the tool is monitoring pairings and finding out where an attacker has come into a system (including password scans etc).

Wednesday, 26 August 2009

p0f

The program, p0f is an application host on freshmeat designed to passively identify operating systems. See also the page about p0f.

Why care?
Well the answer is fairly simple, when reviewing an incident, you do not want to scan the site that a packet came from. Sending data to the attacker is bad!

On top of this, you can also make sense of a remote site with this information. Think:

  1. Are there multiple OS versions for a single IP address (Proxy or NAT)?
  2. Does the system remain the same or change?
  3. Are you being attacked from a certain version of OS?
In fact, you can use P0f to identify:
  • Hosts that connect to your system (SYN mode),
  • Hosts you have initiated a connection to (SYN+ACK mode),
  • Hosts that you are unable to initiate a connection with (RST+ mode), &
  • Those hosts for whose communications you can observe (IDS, TCPDump etc).
Best of all
P0f is passive. It does not generate ANY further network traffic. The attacker will have NO idea that it is running.

So you have decided that you want ot try using p0f. First, download it from the link (get version 2.0.8 here).

Step 1
With the tgz file extracted to a temporary directory (tar -xvfz file.tgz), first read the 'README' file.

Step 2
As long as you have a build environment configured, the build process is faily standard.
You will need to ensure that your system has the following requirements (and I would hope so as some of these are damn old):
  1. libpcap 0.4 or newer
  2. GNU C Compiler 2.7.x or newer
  3. GNU make 3.7x or newer, or BSD make
  4. GNU bash / awk / grep / sed / textutils (for p0frep only)
Step 3
There is no '.configure' script. All you will have to do (I use RHEL, Centos and Solaris and this is all for these) is to go to the directory you extracted p0f into and to enter the commands:
  • make
  • make install
Simple huh!

Step 4
Test the tool and ensure that the install worked.
p0f can read data from pcap files (p0f -s ) so that you can also use it on your capture files at a later date. Note that the '-s' flag is used for tcpdump format files. The '-f' option is a file load option, but for p0f formats.

In the exaple above (in the image) we see a capture and the results from a Linux and Windows XP host. In each case, the correct diagnosis.

That's about it
There are more options (p0f --help). The best bet is to use the program on your data or on captures you may have access to.

Next...
Ettercap