Archive for the ‘Linux’ Category

Writeup about my submission to the latest Honeynet Challenge!

Edit: I won the challenge! 🙂

The Winners:

  1. William Soderberg (Sweden) – William’s submission – Sha1: 14ec42dcd24162d2e536f5c84820240cb521cad4
  2. Nikunj Shah (USA) – Nikunj’s submission – Sha1: 950aa99eec3b7663ee9f415826e0dfcfe43ab4ac
  3. David Bernal Michelena (Mexico) – David’s submission – Sha1: 58fc0cfeac54cf9fdc490b22b4b5e0e8ed7e92db

End of edit.

A few weeks ago I learned that the Honeynet Project had created a new challenge. Link here.

Challenge 5 – Log Mysteries – (provided by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, Sebastien Tricaud from the French Chapter) takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to a virtual server using all the logs from a possibly compromised server.

I totally felt like this would be a very good way to learn something, so I jumped at the opportunity. The deadline has passed, so I’ve done a writeup of how I analyzed the log files and came to certain conclusions. I figured it was a good way to spread knowledge and also get some criticism. I would really love it if someone at least skimmed through my writeup (links below) and told me whether I did a decent job or not.

I’m releasing this now because the deadline for the challenge has passed. Though submissions don’t seem to be closed yet, I don’t care. I did this to learn and not to win some prize.

I created this document while I worked on the challenge and edited it afterwards, so the grammar might be a bit odd: sometimes it’s in the present tense and sometimes not so present. I hope I’ve edited it enough that you won’t find it a pain to read.

Forensics Challange 2010 writeup by wh1sk3yj4ck.doc
Forensics Challange 2010 writeup by wh1sk3yj4ck.odt


Tutorial: intrace

Discovered a neat little reconnaissance tool today. It’s called intrace. Unlike the traditional UDP-based traceroute, this one uses TCP to get a better trace.

A traditional traceroute sends UDP segments to the destination. Each UDP segment is encapsulated in an IP packet, and the IP header has a field called Time To Live (TTL). The first probe is sent with a TTL of 1. The first-hop router that receives this packet decrements the TTL by 1 and, since it has now expired, discards the packet: an expired packet must not be forwarded any further, which is what keeps a network or internetwork free of forwarding loops. If properly configured, the router then uses the Internet Control Message Protocol (ICMP) to send a TTL Expired message back to our machine. This reply is what makes the trace work, because its source address is the router’s own, so the first IP address in the trace is now known. The TTL is increased to 2 and the procedure repeats until we reach the destination. When the destination machine receives the UDP segment it responds with an ICMP Destination Port Unreachable message, because no application is listening on that port. This final reply tells us that the trace is complete.

Now, firewalls often have rules that block incoming traffic, be it UDP or TCP: why let traffic through that doesn’t belong in the network? Our UDP probes go to some random destination port that the firewall ruleset doesn’t allow in. When tracing a destination behind such a firewall, the last hop in our trace will probably be either the hop before the firewall or the firewall itself.

This is where intrace comes in. Say you’re trying to trace the route to a web server. You will have to establish a TCP connection to the web server, usually on port 80. Since this is legitimate traffic according to the firewall, the connection is allowed. intrace then uses this legitimate TCP connection to send IP packets to the destination with increasing TTLs, tracing past the firewall all the way to the server. This gives us more information than a traditional traceroute.

A good mitigation technique for firewalls would be to block egress ICMP TTL Expired messages. Correct me if I’m wrong, but I think that will do it without breaking anything else.
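Since the mechanism above is only described in prose, here is an added simulation (my own code, not intrace’s) of the three situations just discussed: a UDP traceroute that stops at the firewall, intrace’s probes on the allowed TCP/80 connection reaching the server, and the effect of blocking egress ICMP TTL Expired. The path, addresses and firewall policy are constructed for illustration.

```python
# Added simulation, not intrace's own code. The path, addresses and firewall
# policy are constructed; hops are listed in order from us to the web server.
PATH = [
    ("192.0.2.1", "router"),
    ("192.0.2.2", "router"),
    ("198.51.100.1", "firewall"),   # lets only established TCP/80 in from outside
    ("10.0.0.1", "router"),
    ("10.0.0.80", "server"),
]

def send_probe(proto, ttl, path=PATH, block_ttl_expired=False):
    """Carry one probe along the path; return the address that answered,
    or "*" when nothing came back."""
    inside = False                   # have we passed the firewall yet?
    for addr, role in path:
        if role == "server":
            # Delivered: a UDP probe draws ICMP Port Unreachable, a segment on
            # the open TCP connection draws a TCP reply. Either ends the trace.
            return addr
        ttl -= 1                     # every forwarding hop decrements the TTL
        if ttl == 0:
            # The hop discards the packet and sends ICMP TTL Expired back,
            # unless an egress filter at the firewall drops such replies from
            # the hops behind it (the mitigation suggested in the post).
            return "*" if inside and block_ttl_expired else addr
        if role == "firewall":
            if proto != "tcp80":     # UDP to a random high port: not in the ruleset,
                return "*"           # dropped silently, nothing comes back
            inside = True            # intrace rides the already-allowed TCP/80 flow
    return "*"

def trace(proto, path=PATH, block_ttl_expired=False, max_ttl=8):
    """Answer seen for each TTL, stopping once the destination answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        hops.append(send_probe(proto, ttl, path, block_ttl_expired))
        if hops[-1] == path[-1][0]:
            break
    return hops

if __name__ == "__main__":
    print("udp traceroute:                    ", trace("udp"))
    print("intrace over tcp/80:               ", trace("tcp80"))
    print("tcp/80, egress TTL Expired blocked:", trace("tcp80", block_ttl_expired=True))
```

With the egress block in place the interior router shows up as `*` while the TCP connection itself still completes, which is the trade-off the mitigation makes.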

Here’s a video demonstrating how to use intrace. It’s less than good, so the wiki page on the project site is probably a better way to learn to use it.

Extracting files from a capture file aka. intercepting files

Just learned a cool thing that I’d like to share. Imagine you’re running a packet sniffer and you want to extract the files you’ve sniffed. They could be .pdf, .jpg or whatever. There are two tools for this once you’ve got the capture file in hand, namely tcpflow and foremost.

TCP segments might arrive out of order and need to be put into the right sequence before you can extract the files from the capture; otherwise they will probably be corrupted. We need to do this because packet sniffers, or protocol analyzers if you will, only display data in the order it arrives on the interface(s). Since segments can arrive out of order at the destination, TCP uses sequence numbers to keep track of where each piece of data belongs. tcpflow reads the TCP sequence numbers in your capture file and puts the segments in the correct order for “convenient protocol analysis or debugging”. The following command does this:

tcpflow -r sniffed.cap

This creates several output files, one per captured connection, in your current working directory, so it’s recommended to create a new folder and run the command from there to avoid mayhem. The output files can be a pain to work with, so we’ll put them together into one single file with the help of cat (concatenate):

cat * > sniffed_organised.cap

Now we can use foremost to extract the files.

foremost -t all -i sniffed_organised.cap

The -t option lets you choose which file types to extract; the man page lists the file formats you can choose from. Unless you specify otherwise, the extracted files are put into a folder called output. Good luck!
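To show why the reordering step matters, here is an added Python example (mine, not the post’s and not tcpflow’s or foremost’s code) that does both steps in miniature: it reassembles one TCP flow by sequence number, dropping a retransmission and reporting any hole, and then carves files out of the byte stream by header/footer signature. SEGMENTS is a constructed capture recorded in arrival order.

```python
# Added example, not tcpflow's or foremost's code. SEGMENTS is a constructed
# capture of one TCP flow as (seq, payload) in the order the sniffer saw them.
SEGMENTS = [
    (1000, b"%PDF-1.4\n1 0 obj"),       # bytes 1000-1015
    (1023, b"stream\nHello"),           # bytes 1023-1034, arrived early
    (1016, b" << >>\n"),                # bytes 1016-1022
    (1023, b"stream\nHello"),           # retransmission of an earlier segment
    (1035, b"\nendstream\n%%EOF\n"),    # bytes 1035-1051
]

SIGNATURES = {                          # header/footer pairs a carver keys on
    "pdf": (b"%PDF", b"%%EOF"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def reassemble(segments):
    """Order payloads by TCP sequence number, as tcpflow does per flow.
    Duplicate bytes are dropped; a gap is zero-filled and listed in holes."""
    stream, holes = bytearray(), []
    expected = min(seq for seq, _ in segments)     # first byte of the flow
    for seq, data in sorted(segments):
        end = seq + len(data)
        if end <= expected:
            continue                               # nothing new: pure retransmission
        if seq < expected:
            data = data[expected - seq:]           # overlap: keep only the new tail
        elif seq > expected:
            holes.append((expected, seq - expected))
            stream.extend(b"\x00" * (seq - expected))  # segment missing from capture
        stream.extend(data)
        expected = end
    return bytes(stream), holes

def carve(stream, signatures=SIGNATURES):
    """Return (kind, bytes) for every header..footer region, foremost-style."""
    found = []
    for kind, (head, tail) in signatures.items():
        start = stream.find(head)
        while start != -1:
            stop = stream.find(tail, start + len(head))
            if stop == -1:
                break                              # header without footer: truncated
            stop += len(tail)
            found.append((kind, stream[start:stop]))
            start = stream.find(head, stop)
    return found

if __name__ == "__main__":
    ordered, holes = reassemble(SEGMENTS)
    print(carve(ordered), holes)                   # one intact PDF, no holes
    print(carve(b"".join(d for _, d in SEGMENTS)))  # arrival order: garbled PDF
```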

Installing Ubuntu Alternate 10.04 from a USB-drive

If you want an encrypted system drive with Ubuntu, you need to use the alternate install image provided by Canonical. However, a month ago when I tried to do a USB install, I ran into an error: the installer complained that it couldn’t find the CD-ROM. Hilarious.

I reported it as a bug and now someone called brabax @ has provided me with a workaround. Kudos.

After several tries I just found the following solution for Kubuntu Alternate installation, which should work for Ubuntu as well:

– Mount your USB drive
– Install and start UNetbootin
– Select Distribution “Kubuntu”
– Select a “HdMedia” subcategory entry, I used “10.04_HdMedia_x86”
– Select your USB drive
– OK
– Copy “kubuntu-10.04-alternate-amd64.iso” to the root folder of the USB drive
– USB drive is ready for installation (without problems during installation of a missing CD-ROM drive)

Replace Kubuntu with Ubuntu if you so need.

python-notify documentation

I found this kinda cool notification package for Python called python-notify. It was a bit hard to find documentation on how to use this package. I found out that some example code can be found in /usr/share/doc/python-notify/examples/.

The notifications look quite good in Ubuntu Lucid Lynx (10.04). Don’t know why there’s a space between the gnome-panel and the notification though. Canonical slacking a bit, I guess.

quick review – linux on asus ul30vt

Here’s what you need to be aware of if you’re looking to run Linux (tested on Ubuntu 10.04/Backtrack 4 Final) on this laptop:

The fake auth attack doesn’t work with the aircrack-ng suite, though there’s a workaround available. Using wpa_supplicant to do the association works well, if a bit tedious. I do not know whether the fault lies in the driver or the aircrack-ng suite; I’d bet on aircrack-ng though.
If you’re looking for battery life you’re better off with the UL30A plus a USB wireless adapter like the Alfa AWUS036H. The reason for the USB WIC: some users report that the UL30A suffers from bad connectivity because its WIC only has one antenna, whereas two is the norm for a laptop. The UL30A doesn’t come with a dedicated graphics card but it has a better battery. If you’re a pen-tester then the UL30A is the one to choose of the two. I chose the UL30VT because I wanted to be able to play hi-def movies smoothly; it was questionable whether an integrated card would handle this well enough.
The trackpad works well enough. Most multi-touch stuff works out of the box; horizontal scroll doesn’t, but I can live with it.
Some function keys work. Screen brightness adjustment doesn’t, though there are workarounds for this.
The CPU scales between 800 MHz and 1.3 GHz. In Windows, Asus provides an application called Turbo something that clocks the CPU to 1.9 GHz. The CPU runs quite hot, ~72-76 degrees, under maximum load. I’ve been unable to find a Linux application capable of overclocking Intel processors. Please let me know if you know of one.
Additional note on the wireless: it took some tinkering to get the WIC to work in Backtrack 4. I had to download compat-wireless and add support for the driver, then go to Intel’s website, download the driver and put it into my firmware directory. Those steps worked for me. However, I recommend running a dist-upgrade in BT as the first thing you do instead: you’ll get a newer kernel and, hopefully, support has been added.
I ended up running BT 4 as the guest OS with Ubuntu 10.04 as the host OS. I’ve bought myself an ALFA AWUS036H, and it works well with Backtrack running in a virtual environment. All in all, I really enjoy this laptop. It’s light, the battery is good and it looks good as well. Feel free to contact me with further enquiries.