Archive for August, 2010

Sguil: The Analyst Console for Network Security Monitoring (NSM)

August 27, 2010


Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Its main component is an intuitive GUI that provides access to real-time events, session data and raw packet captures, so an alert is never examined in isolation: from any event the analyst can pull up the matching session records and the full-content capture to decide whether it is a true positive. Sguil thereby supports the practice of Network Security Monitoring and event-driven analysis. The Sguil client is written in Tcl/Tk and runs on any operating system that supports Tcl/Tk (including Linux, *BSD, Solaris, Mac OS and Win32).

Sguil is included in the HeX Live CD from the rawpacket team: right-click on the desktop and choose Sguil from the launch menu. You will be prompted for a username and password; enter them to connect the client to the Sguil server.

Screenshot of Sguil's main window:

Well, my advice: try Sguil and see what it can do. It's a cool Network Security Monitoring system. Download the latest version from SourceForge.

P.S.: A new Ubuntu, Maverick Meerkat (version 10.10), has been released. It is still in alpha. Try it! Check this website:

http://ubuntumaverickmeerkat.com/

Installing the HeX Live CD 2.0 (the latest release) in VMware

August 20, 2010

HeX Live CD is a Malaysian FreeBSD-based live system that bundles the NSM (Network Security Monitoring) tools and software used for network security analysis and network forensics. There are many tools and distributions that assist with penetration testing and security audits, but few that are built around network security analysis and network forensics. C.S. Lee and Zarul Shahrin, the project's co-founders, from Hack In The Box, put together this FreeBSD system with tools and software designed to support network forensics and security audits.

It took me an hour to download the VMware image of the HeX Live CD and install it on my HP netbook. The download page is here: http://my.rawpacket.org/hex-images/HeX-VMware.tar.bz2

After that you need VMware Player to run the image. Extract the archive, open the extracted virtual machine in VMware Player (Player opens the .vmx configuration file, which references the .vmdk disk image on your hard disk), and start it with Play.

The nice thing is that no configuration is needed: the image boots FreeBSD, starts the X Window System and drops you into the HeX desktop.

Set the virtual machine's network adapter to bridged rather than NAT before you rely on any of the networking services. With NAT the guest sits behind the host and sees only its own traffic; bridged mode attaches it to the same LAN segment as the host, which is what the NSM tools need in order to see the traffic you want to monitor. Then log in, become the superuser with su, and bring the interface up:

ifconfig lanc0 up      # lanc0 = the guest's network interface; use the name listed by ifconfig -a

dhclient lanc0

The guest does not see the netbook's wireless adapter itself: VMware presents a virtual wired NIC that is bridged onto it, so the interface name is whatever FreeBSD assigns to that virtual card (lanc0 in this write-up). Once dhclient returns, run ifconfig and check that the interface has an address.
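The interface name is the one detail that varies from VM to VM, so rather than typing a fixed name, the following added example (not part of the HeX documentation or the original post) lists the guest's interfaces with FreeBSD's ifconfig -l, skips loopback and pseudo-interfaces, and brings the first real NIC up with DHCP. The names em0 and le0 used in the comments and test are assumptions; they depend on which virtual NIC VMware presents to the guest.

```shell
#!/bin/sh
# Added example, not from the HeX documentation or the original post.
# Picks the first real network interface in the guest and brings it up
# with DHCP, instead of hard-coding a name such as lanc0.

# pick_iface "NAMES": print the first name in the space-separated list
# that is not a loopback or pseudo-interface; return 1 if there is none.
pick_iface() {
    for ifn in $1; do                 # unquoted on purpose: split on spaces
        case "$ifn" in
            lo*|plip*|pflog*|pfsync*|enc*|faith*|tun*|tap*) ;;   # skip these
            *) printf '%s\n' "$ifn"; return 0 ;;
        esac
    done
    return 1
}

# bring_up IFACE: needs root (su first), as in the post.
bring_up() {
    ifconfig "$1" up && dhclient "$1"
}

# Run for real only when asked, so the file can also be sourced or tested.
if [ "${1:-}" = "--run" ]; then
    iface=$(pick_iface "$(ifconfig -l)") || { echo "no usable interface found" >&2; exit 1; }
    bring_up "$iface" && ifconfig "$iface"     # show the address DHCP handed out
fi
```

Run it as root inside the guest with `sh bringup.sh --run`; the final ifconfig shows whether the bridged interface received an address from the LAN's DHCP server.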

A message from the rawpacket team:

Ver. 2.0 Release

After months of development and testing, we have finally got HeX 2.0 Release, The Bonobo unleashed. Besides having FreeBSD 7.0 Stable as the base system for HeX 2.0 Release, we have also updated most of the HeX 1.0 applications in this major release, added new applications, ports, bookmarks, and many more!

Thanks and kudos to all the HeX team members for the hard work!

HeX System 2.0 – The Bonobo

Lastly, I encourage every network engineer and system administrator to use this FreeBSD distribution to do their job more efficiently. Besides BackTrack 4, the HeX Live CD is a must-have tool for network audit and network forensics. Thanks to the rawpacket team, and to C.S. Lee for the documentation. Have fun!

A Guide to Deploying DNSSEC

August 11, 2010

Deploying DNSSEC requires a number of security details and procedures to be defined and followed, with specific timing requirements: signatures and keys expire, and a lapsed signature or a mistimed key rollover makes validating resolvers treat the zone as bogus, so the domain disappears for everyone behind them. This guide addresses these issues from the point of view of information security managers responsible for defining a policy and procedures to secure the DNS services of a company or organisation, and from the point of view of competent authorities defining or regulating deployment requirements.

This is an excerpt of the table of contents of the report on deploying DNSSEC:

Table of Contents
Good practices guide for deploying DNSSEC (p. 4)
Scope of this document (p. 5)
DNSSEC practices statement (p. 6)
Signing your zone (p. 6)
Value of a signed zone (p. 7)
Designing a signing system (p. 7)
Signing in a test environment (p. 9)
Checking the DNS servers (p. 10)
Key generation and management (p. 10)
Physical security (p. 11)
Use of NSEC3 (p. 11)
Key rollovers (p. 12)
Performance issues (p. 13)
Publication of keys (p. 14)
Change of registrar (p. 15)
Change a zone from signed to unsigned (p. 15)
Change of domain holder (registrant) (p. 16)
Selecting a product (p. 16)
Outsourcing (p. 17)
Change of DNS provider (p. 17)
Validating DNS queries (p. 19)
Configure trust anchors (p. 20)
Routers, firewalls and other network equipment (p. 21)
Conclusions (p. 21)
ANNEX 1: Contents of a TAR's policy and practices statement (p. 22)
ANNEX 2: Support of DNSSEC on commonly used nameservers (p. 27)

Reference: the full report can be obtained from this website:

http://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec/at_download/fullReport

Millions of Home Routers Vulnerable to DNS Rebinding Attack

August 1, 2010

Reports of a presentation by Craig Heffner at the Black Hat security conference show how millions of home routers are vulnerable to attack. The attack lets Internet traffic be redirected and intercepted and gives access to home networks. Vulnerable routers include models from Netgear, Belkin and Linksys, among them routers used for Verizon's FiOS and DSL services; popular third-party firmwares such as DD-WRT and OpenWrt were found to be vulnerable as well.

A list of the tested routers is available here. The ones marked YES in the last column were successfully attacked; roughly half of the routers tested withstood the attack.

Heffner works at security consultancy Seismic and is releasing a proof-of-concept alongside the presentation; he wants the issue out in the open so that router manufacturers take notice and release new firmware. The attack relies on DNS rebinding, a technique that has been known for about 15 years and that lets an attacker get around the browser's same-origin restrictions on scripts and HTML. DNS maps human-readable names to IP addresses, and one name may map to several addresses. Because the attacker runs the authoritative DNS server for his own domain, he can answer lookups of his site's name with any addresses he chooses, including one inside the victim's network, and he can change the answer between lookups.

How this helps in attacking routers:

With DNS rebinding, the attacker can make the browser treat any computer he chooses as having the same origin as his own malicious page, because the same-origin policy compares hostnames, not IP addresses: he only has to create a DNS record that makes the hostname of his malicious site resolve to that computer's address. By creating such records for addresses in the victim's LAN, the attacker tricks the victim's browser into sending requests to machines on the victim's own network and lets his script read the responses. Most computers on a home LAN do not run a web server, so on the face of it this might not seem especially useful. One kind of machine typically does, however: the router.

If the router's administrative interface can be reached this way, the attacker can reconfigure it, for example pointing all DNS lookups at a malicious server so that the victim's traffic can be monitored and intercepted. Getting in can be as simple as trying the default password: many home routers still use it and never receive firmware updates. Alternatively, security flaws in the interface may let the attacker bypass the password entirely.

Browsers add another layer of protection against this attack, for example by holding on to the first address a hostname resolved to for as long as the page is open. The variant Heffner demonstrated bypasses those browser protections; the bypasses themselves are not new either and have been known for a long time. His attack is not all-new so much as a combination of previously known pieces.

The best protection is to change the router's password, change its default LAN IP address, and keep the firmware up to date. Each closes one link in the chain: a non-default password defeats the login the attacker hopes to walk through, a non-default address means his guess of where the router lives on the LAN misses, and current firmware removes the flaws that would let him bypass the password altogether.
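As an added example (not code from this post or from Heffner's talk), the following Python models the mechanics described above and the countermeasures: an authoritative resolver the attacker controls, a browser whose same-origin check compares hostnames, and a router web interface. The domain evil.example, the addresses and the response bodies are constructed for illustration. The pin_dns flag models the browser-side protection mentioned above; since the post says Heffner's variant gets around browser protections, the model also shows two router-side measures, the non-default LAN address from the post and a Host header check that the post does not mention but that a hardened interface can apply, because a request rebound from the attacker's hostname always carries Host: evil.example rather than the router's own address.

```python
"""Toy model of a DNS rebinding attack on a home router's web interface.

Added example; not code from the original post or from Craig Heffner's talk.
A real browser, resolver and router are replaced by small Python classes so
the mechanics run offline. The domain, addresses and bodies are constructed.
"""
from dataclasses import dataclass, field

ATTACKER_DOMAIN = "evil.example"   # assumption: a domain whose DNS the attacker controls
ATTACKER_IP = "203.0.113.10"       # constructed (TEST-NET-3 documentation range)
DEFAULT_ROUTER_IP = "192.168.1.1"  # factory-default LAN address the attacker guesses


class AttackerDNS:
    """Authoritative server for evil.example. Because the attacker runs it,
    the first answer is his own server and every later answer is the guessed
    router address: the name is 'rebound' to a host inside the victim's LAN."""

    def __init__(self, rebind_to=DEFAULT_ROUTER_IP):
        self._queue = [ATTACKER_IP, rebind_to]

    def resolve(self, name):
        assert name == ATTACKER_DOMAIN, "only authoritative for the attacker's own zone"
        if len(self._queue) > 1:
            return self._queue.pop(0)
        return self._queue[0]          # keep answering with the rebound address


@dataclass
class Router:
    """Router web UI. A naive router serves the admin page to any request that
    reaches its LAN address. A hardened one also requires the Host header to
    name the device, which a rebound request (Host: evil.example) never does."""
    lan_ip: str = DEFAULT_ROUTER_IP
    check_host_header: bool = False

    def handle(self, host_header):
        if self.check_host_header and host_header != self.lan_ip:
            return "400 Bad Request: Host header does not name this device"
        return "200 OK: <title>Router admin</title>"


def attacker_server(_host_header):
    """The malicious page: its script re-requests the same hostname."""
    return "200 OK: <script>fetch('/admin')...</script>"


@dataclass
class Browser:
    """Same-origin policy keyed on the hostname, as in real browsers. With
    pin_dns=True the first resolved address is reused for the page's lifetime
    (DNS pinning), the kind of browser-side protection the post mentions."""
    dns: AttackerDNS
    network: dict            # ip -> request handler (constructed stand-in for the wire)
    pin_dns: bool = False
    _pinned: dict = field(default_factory=dict)

    def fetch(self, page_origin_host, host):
        if host != page_origin_host:
            return "blocked by same-origin policy"
        if self.pin_dns and host in self._pinned:
            ip = self._pinned[host]
        else:
            ip = self._pinned[host] = self.dns.resolve(host)
        handler = self.network.get(ip)
        if handler is None:
            return "connection refused"       # nothing listens at the guessed address
        return handler(host)                  # the HTTP Host header carries the name, not the IP


def run_attack(router, pin_dns=False, rebind_to=DEFAULT_ROUTER_IP):
    """Victim loads the attacker's page, then its script fetches the same
    hostname again. Returns what the script can read back."""
    network = {ATTACKER_IP: attacker_server, router.lan_ip: router.handle}
    browser = Browser(AttackerDNS(rebind_to), network, pin_dns)
    browser.fetch(ATTACKER_DOMAIN, ATTACKER_DOMAIN)        # initial page load
    return browser.fetch(ATTACKER_DOMAIN, ATTACKER_DOMAIN) # script's request, now rebound


if __name__ == "__main__":
    print("naive router, naive browser :", run_attack(Router()))
    print("browser pins DNS            :", run_attack(Router(), pin_dns=True))
    print("router checks Host header   :", run_attack(Router(check_host_header=True)))
    print("router on non-default IP    :", run_attack(Router(lan_ip="10.77.3.1")))
```

Only the first case hands the attacker's script the admin page. Pinning keeps the script talking to the attacker's own server, the Host header check rejects the rebound request, and a router on a non-default address is simply not where the attacker's DNS points; the changed password from the post then stands in the way of whatever request does get through.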