Archive for October, 2010


pfSense – Open Source Firewall Distribution….

October 29, 2010

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

pfSense features:


  • Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
  • Able to limit simultaneous connections on a per-rule basis
  • pfSense utilizes p0f, a passive OS/network fingerprinting utility, to let you filter by the operating system initiating the connection. Want to allow FreeBSD and Linux machines out to the Internet but block Windows machines? pfSense can do so (among many other possibilities) by passively detecting the operating system in use. Note that the fingerprint is inferred from TCP/IP stack characteristics that a client can alter, so treat this as a convenience rather than a security control.
  • Option to log or not log traffic matching each rule.
  • Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
  • Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
  • Transparent layer 2 firewalling capable – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
  • Packet normalization – Description from the pf scrub documentation – “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”
    • Enabled in pfSense by default
    • Can be disabled if necessary. Scrubbing causes problems for some NFS implementations, but it is safe and should be left enabled on most installations.
  • Disable filter – you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
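To make the "invalid flag combinations" part concrete, here is a small Python reimplementation of the TCP flag sanity checks that pf's scrub applies. This is an added example written for this post, not code from pfSense or pf; it follows the checks in pf_normalize_tcp() in OpenBSD's pf_norm.c as I read them, and the sample headers are built by hand with struct.

```python
"""Added example: the TCP flag sanity checks that pf's scrub ("packet
normalization") applies, reimplemented in Python so you can see which
segments it drops. Illustration written for this post, not pfSense or pf
code; the rules mirror pf_normalize_tcp() in OpenBSD's pf_norm.c as I read
it, and the headers below are constructed by hand.
"""
import struct

# TCP flag bits (RFC 793 / RFC 3168)
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG, TH_ECE, TH_CWR = (
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80)

MIN_TCP_HEADER_WORDS = 5   # 20 bytes / 4


def scrub_tcp_verdict(flags: int, data_offset: int) -> str:
    """Return "pass" or "drop" for a TCP segment's flags and header length.

    Checks applied:
      * SYN may not be combined with RST or FIN (SYN-FIN is a classic
        stack-confusion / scanner probe);
      * a segment without SYN must carry ACK or RST;
      * FIN, PSH and URG are only valid when ACK is set;
      * the data offset must cover at least the 20-byte base header.
    """
    if flags & TH_SYN:
        if flags & (TH_RST | TH_FIN):
            return "drop"
    elif not flags & (TH_ACK | TH_RST):
        return "drop"            # e.g. NULL scan (no flags at all)
    if not flags & TH_ACK and flags & (TH_FIN | TH_PSH | TH_URG):
        return "drop"            # e.g. Xmas scan (FIN+PSH+URG, no ACK)
    if data_offset < MIN_TCP_HEADER_WORDS:
        return "drop"            # truncated / invalid header length
    return "pass"


def parse_tcp_header(raw: bytes):
    """Pull (flags, data offset in 32-bit words) out of a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    # byte 12 = data offset (high nibble) + reserved, byte 13 = flags
    off_res, flags = struct.unpack("!BB", raw[12:14])
    return flags, off_res >> 4


def build_tcp_header(flags: int, data_offset: int = 5) -> bytes:
    """Constructed 20-byte TCP header with the given flags (dummy ports/seq)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       data_offset << 4, flags, 65535, 0, 0)


def scrub(raw: bytes) -> str:
    """Verdict for a raw header, the way a scrub rule would see it."""
    return scrub_tcp_verdict(*parse_tcp_header(raw))


if __name__ == "__main__":
    probes = {
        "SYN (normal connect)":       TH_SYN,
        "SYN+FIN probe":              TH_SYN | TH_FIN,
        "SYN+RST":                    TH_SYN | TH_RST,
        "NULL scan (no flags)":       0,
        "Xmas scan (FIN+PSH+URG)":    TH_FIN | TH_PSH | TH_URG,
        "ACK+PSH (data in session)":  TH_ACK | TH_PSH,
        "RST":                        TH_RST,
        "SYN with ECN (SYN+ECE+CWR)": TH_SYN | TH_ECE | TH_CWR,
    }
    for name, fl in probes.items():
        print(f"{name:30s} -> {scrub(build_tcp_header(fl))}")
    print(f"{'short header (offset 4)':30s} -> "
          f"{scrub(build_tcp_header(TH_SYN, data_offset=4))}")
```

The scanner-style probes (NULL, Xmas, SYN-FIN) are exactly the kind of traffic that gets dropped before any rule is consulted, which is why leaving scrub enabled costs you nothing on a normal network.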

State Table

The firewall’s state table maintains information on your open network connections. pfSense is a stateful firewall; by default all rules are stateful.

Most firewalls lack the ability to finely control your state table. pfSense has numerous features allowing granular control of your state table, thanks to the abilities of OpenBSD’s pf.

  • Adjustable state table size – there are multiple production pfSense installations using several hundred thousand states. The default state table size is 10,000, but it can be increased on the fly to your desired size. Each state takes approximately 1 KB of RAM, so keep in mind memory usage when sizing your state table. Do not set it arbitrarily high.
  • On a per-rule basis:
    • Limit simultaneous client connections
    • Limit states per host
    • Limit new connections per second
    • Define state timeout
    • Define state type
  • State types – pfSense offers multiple options for state handling.
    • Keep state – Works with all protocols. Default for all rules.
    • Modulate state – Works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs) on behalf of the host.
    • Synproxy state – Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.
    • None – Do not keep any state entries for this traffic. This is very rarely desirable, but is available because it can be useful under some limited circumstances.
  • State table optimization options – pf offers four options for state table optimization.
    • Normal – the default algorithm
    • High latency – Useful for high latency links, such as satellite connections. Expires idle connections later than normal.
    • Aggressive – Expires idle connections more quickly. More efficient use of hardware resources, but can drop legitimate connections.
    • Conservative – Tries to avoid dropping legitimate connections at the expense of increased memory usage and CPU utilization.

Network Address Translation (NAT)

  • Port forwards including ranges and the use of multiple public IPs
  • 1:1 NAT for individual IPs or entire subnets.
  • Outbound NAT
    • Default settings NAT all outbound traffic to the WAN IP. In multiple WAN scenarios, the default settings NAT outbound traffic to the IP of the WAN interface being used.
    • Advanced Outbound NAT allows this default behavior to be disabled, and enables the creation of very flexible NAT (or no NAT) rules.
  • NAT Reflection – in some configurations, NAT reflection is possible so services can be accessed by public IP from internal networks.

Redundancy

CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. pfSense also includes configuration synchronization, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.

pfsync ensures the firewall’s state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.

Load Balancing

Outbound Load Balancing

Outbound load balancing is used with multiple WAN connections to provide load balancing and failover capabilities. Traffic is directed to the desired gateway or load balancing pool on a per-firewall rule basis.

Inbound Load Balancing

Inbound load balancing is used to distribute load between multiple servers. This is commonly used with web servers, mail servers, and others. Servers that fail to respond to ping requests or TCP port connections are removed from the pool.

VPN

pfSense offers three options for VPN connectivity: IPsec, OpenVPN, and PPTP.

IPsec

IPsec allows connectivity with any device supporting standard IPsec. This is most commonly used for site-to-site connectivity to other pfSense installations, other open source firewalls (m0n0wall, etc.), and most commercial firewall solutions (Cisco, Juniper, etc.). It can also be used for mobile client connectivity.

OpenVPN

OpenVPN is a flexible, powerful SSL VPN solution supporting a wide range of client operating systems. See the OpenVPN website for details on its abilities.

PPTP Server

PPTP is a popular VPN option because nearly every OS has a built-in PPTP client, including every Windows release since Windows 95 OSR2. See this Wikipedia article for more information on the PPTP protocol. Bear in mind that PPTP’s authentication (MS-CHAPv2) and its MPPE encryption have known weaknesses, so prefer IPsec or OpenVPN wherever the clients support them and keep PPTP for legacy clients only.

The pfSense PPTP Server can use a local user database, or a RADIUS server for authentication. RADIUS accounting is also supported. Firewall rules on the PPTP interface control traffic initiated by PPTP clients.

PPPoE Server

pfSense offers a PPPoE server. For more information on the PPPoE protocol, see this Wikipedia entry. A local user database can be used for authentication, and RADIUS authentication with optional accounting is also supported.

Dynamic DNS

A Dynamic DNS client is included to allow you to register your public IP with a number of dynamic DNS service providers.

  • DynDNS
  • DHS
  • DyNS
  • easyDNS
  • No-IP
  • ZoneEdit

A client is also available for RFC 2136 dynamic DNS updates, for use with DNS servers like BIND which support this means of updating.

Captive Portal

Captive portal allows you to force authentication, or redirection to a click through page for network access. This is commonly used on hot spot networks, but is also widely used in corporate networks for an additional layer of security on wireless or Internet access. For more information on captive portal technology in general, see the Wikipedia article on the topic. The following is a list of features in the pfSense Captive Portal.

  • Maximum concurrent connections – Limit the number of connections to the portal itself per client IP. This feature prevents a denial of service from client PCs sending network traffic repeatedly without authenticating or clicking through the splash page.
  • Idle timeout – Disconnect clients who are idle for more than the defined number of minutes.
  • Hard timeout – Force a disconnect of all clients after the defined number of minutes.
  • Logon pop up window – Option to pop up a window with a log off button.
  • URL Redirection – after authenticating or clicking through the captive portal, users can be forcefully redirected to the defined URL.
  • MAC filtering – by default, pfSense tracks authorized clients by MAC address. If you have a subnet behind a router on a captive-portal-enabled interface, every machine behind the router will be authorized once one user is authorized, because they all share the router’s MAC. MAC filtering can be disabled for these scenarios. Since MAC addresses are easily spoofed, an attacker on the same segment can also borrow an authenticated client’s address; treat the portal as access control for cooperative users rather than a strong security boundary.
  • Authentication options – There are three authentication options available.
    • No authentication – This means the user just clicks through your portal page without entering credentials.
    • Local user manager – A local user database can be configured and used for authentication.
    • RADIUS authentication – This is the preferred authentication method for corporate environments and ISPs. It can be used to authenticate from Microsoft Active Directory and numerous other RADIUS servers.
  • RADIUS capabilities
    • Forced re-authentication
    • Able to send Accounting updates
    • RADIUS MAC authentication allows captive portal to authenticate to a RADIUS server using the client’s MAC address as the user name and password.
    • Allows configuration of redundant RADIUS servers.
  • HTTP or HTTPS – The portal page can be configured to use either HTTP or HTTPS. Use HTTPS whenever credentials are entered; with plain HTTP the username and password cross the (often wireless) network in cleartext.
  • Pass-through MAC and IP addresses – MAC and IP addresses can be white listed to bypass the portal. Any machines with NAT port forwards will need to be bypassed so the reply traffic does not hit the portal. You may wish to exclude some machines for other reasons.
  • File Manager – This allows you to upload images for use in your portal pages.

DHCP Server and Relay

pfSense includes both DHCP server and relay functionality.

Well, as for me, I tried pfSense in a VM (virtual machine) and it works really well. It can act as a router or a firewall between your LAN and WAN. There is plenty of documentation out there to help you if you are going to use pfSense, and above all, it is free. With suitable hardware it scales up to the 501+ Mbps throughput range. I really recommend you all try it: you can download the ISO file and run it from the live CD, or use VMware Player to run it as a virtualized guest operating system. Hope you guys enjoy it!

– Some of these articles are excerpted from:

P/S: ToorCon San Diego 2010 has just wrapped up. You can see the talk agenda here.


Shodan, computer search engine…

October 22, 2010

SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. Rather than locating web content that matches a search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners.

Web search engines, such as Google and Bing, are great for finding websites. But what if you’re interested in finding computers running a certain piece of software (such as Apache)? Or if you want to know which version of Microsoft IIS is the most popular? Or you want to see how many anonymous FTP servers there are? Maybe a new vulnerability came out and you want to see how many hosts it could affect? Traditional web search engines don’t let you answer those questions.

Much like Google and other search engines, SHODAN also lets you use boolean operators (‘+’, ‘-’ and ‘|’) to include or exclude terms. By default, every search term has a ‘+’ operator assigned to it. Searches can be narrowed with filters: country, hostname, net, os (the operating system in use), port, and SSL-related filters.

To use the additional features like filters when querying, you need a user account and to be logged in. After you log in, you can use search filters like country: give your country code and Shodan will only search hosts in that country. Shodan is great for penetration testing. It was presented at ShmooCon 2010, a hacker conference held in the United States. The talk was great and showed how to get at the passwords of Cisco routers and switches found through Shodan and enter their web GUI setup. But this only works for devices still using a default password, which the user still has to guess. Remember that the same banners are visible to everyone, so it is worth searching your own netblocks (net:) before somebody else does.
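As an added example (my own toy code, not Shodan’s), here is a small Python search over a few constructed banner records that implements the syntax just described: bare or + terms are required, - terms are excluded, a|b matches either, and filters like country:, port:, os:, hostname: and net: narrow the set. The record format is an assumption; the IPs are from documentation ranges and the banners are made up.

```python
"""Added example: a toy banner search honouring the query syntax described
above (+term / bare term = required, -term = excluded, a|b = either, and
name:value filters). Written for this post to show how the operators
compose; not Shodan's code. Records are constructed, not real hosts.
"""
import ipaddress

# Constructed sample records: 192.0.2.0/24 and 198.51.100.0/24 are documentation space.
RECORDS = [
    {"ip": "192.0.2.10", "port": 80, "country": "MY", "os": "Linux",
     "hostname": "www.example.com",
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)"},
    {"ip": "192.0.2.11", "port": 80, "country": "US", "os": "Windows",
     "hostname": "iis.example.net",
     "banner": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0"},
    {"ip": "192.0.2.12", "port": 21, "country": "MY", "os": "Linux",
     "hostname": "ftp.example.com",
     "banner": "220 ProFTPD 1.3.3 Server ready.\r\n230 Anonymous access granted"},
    {"ip": "192.0.2.13", "port": 443, "country": "MY", "os": "FreeBSD",
     "hostname": "sec.example.org",
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx/0.7.67"},
    {"ip": "198.51.100.7", "port": 23, "country": "DE", "os": None,
     "hostname": "rtr1.example.de",
     "banner": "User Access Verification\r\nPassword:"},
]

FILTERS = ("country", "port", "os", "hostname", "net")


def _matches_filter(rec, key, value):
    """Apply one name:value filter to a record (case-insensitive)."""
    if key == "net":
        return ipaddress.ip_address(rec["ip"]) in ipaddress.ip_network(value, strict=False)
    if key == "port":
        return rec["port"] == int(value)
    field = rec.get(key)
    return field is not None and field.lower() == value.lower()


def parse_query(query):
    """Split a query into (required_groups, excluded_terms, filters).

    Each required group is a list of alternatives (from a|b); a bare
    term is a group with a single alternative.
    """
    required, excluded, filters = [], [], []
    for token in query.split():
        if ":" in token and token.split(":", 1)[0] in FILTERS:
            key, value = token.split(":", 1)
            filters.append((key, value))
        elif token.startswith("-"):
            excluded.append(token[1:].lower())
        else:
            required.append([alt.lower() for alt in token.lstrip("+").split("|") if alt])
    return required, excluded, filters


def search(query, records=RECORDS):
    """Return the IPs of records whose banner and metadata satisfy the query."""
    required, excluded, filters = parse_query(query)
    hits = []
    for rec in records:
        text = rec["banner"].lower()
        if any(term in text for term in excluded):
            continue
        if not all(any(alt in text for alt in group) for group in required):
            continue
        if not all(_matches_filter(rec, k, v) for k, v in filters):
            continue
        hits.append(rec["ip"])
    return hits


if __name__ == "__main__":
    for q in ("apache", "apache|nginx country:MY", "200 -apache",
              "port:21 anonymous", "net:192.0.2.0/24 -iis", "password: os:linux"):
        print(f"{q!r:32s} -> {search(q)}")
```

The last query is the interesting one: the Telnet banner matches the text, but the device has no OS fingerprint, so os:linux drops it. Real Shodan results behave the same way, which is why a filter can silently hide the very hosts you were after.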

Well, for all you guys out there who want to try it, here is the website:

Till then, have fun guys…


Windows Forensics and Incident Recovery – by Harlan Carvey…

October 16, 2010

This book is recommended for those working in computer forensics. It discusses methods and techniques for doing forensics on Windows-based operating systems using the latest tools and some Perl scripts written by the author. Harlan Carvey is well known in the computer security community and has spoken at DEF CON, Black Hat and many other security conferences. His techniques and methods have been shown on the Hak5 podcast, a programme dedicated to hacking. For your info, there is only one copy of the book available in Perpustakaan Negara Malaysia (PNM). I just discovered the book yesterday, previewed its contents, and it’s really a great book for those who consider computer forensics their profession.

Drawing on his widely acclaimed course, Carvey uses real-world examples to cover every significant incident response, recovery, and forensics technique. He delivers a complete incident response toolset that combines today’s best open source and freeware tools, his own exclusive software and scripts, and step-by-step instructions for using them. This book’s tools and techniques apply to every current and professional version of Windows: NT, 2000, XP, and Windows Server 2003. Coverage includes:

  • Developing a practical methodology for responding to potential attacks
  • Preparing your systems to prevent and detect incidents
  • Recognizing the signatures of an attack—in time to act
  • Uncovering attacks that evade detection by Event Viewer, Task Manager, and other Windows GUI tools
  • Using the Forensic Server Project to automate data collection during live investigations
  • Analyzing live forensics data in order to determine what occurred

Until then guys, see you all next week for more great stuff!

P/S: Here is a link to a talk on Windows Local Kernel Exploitation by SK Choong, a security consultant at SCAN Associates Sdn Bhd, from HITB SecConf 2004. It’s cool, check it out!




Hack In The Box Security Conference (HITB) Malaysia 2010….

October 11, 2010

Welcome to Hack In The Box 2010 Malaysia. This year it is held at the Crowne Plaza Mutiara Hotel on Jalan Sultan Ismail, Kuala Lumpur, from 11th to 14th October 2010. I was able to attend the lab training session today, starting at 9.00 a.m. This morning’s session was about Web 2.0 Hacking: Advanced Attacks and Defense (Ajax, RIA and SOA).

The Hack In The Box crew are very friendly; they showed me around and to the lab room. If you are considering buying HITB merchandise (e.g. t-shirts, stickers, etc.), you have to see Belinda Choong (the HITB admin, or overlord). Maybe on the 13th and 14th they will have a booth selling this stuff, so do check it out, guys.

For the agenda, here is the list (taken from the HITB website):

11th & 12th October 2010

TECH TRAINING 1 – Web 2.0 Hacking – Advanced Attacks and Defense (Ajax, RIA and SOA)
Trainer: Shreeraj Shah (Founder, BlueInfy)
Seats Left: 25

TECH TRAINING 2 – SAP Security In-Depth
Trainer: Mariano Nuñez Di Croce (Director of Research and Development, ONAPSIS)
Seats Left: 25

TECH TRAINING 3 – Hunting Web Attackers
Trainer: Laurent Oudot (Founder, TEHTRI Security)
Seats Left: 25

TECH TRAINING 4 – Malcode & Threat Analysis
Trainer: Dr. Jose Nazario (Arbor Networks)
Seats Left: 25

13th and 14th October 2010
Time: 0900 – 1800

Capture The Flag Weapons of Mass Destruction 2.0
Lock Picking Village by TOOOL USA
HITB Lightning Talks
Recruitment Drive by HITB Jobs
Industry Exhibition & Technology Showcase

Till then, see you guys there. Happy hacking!


Juniper Networks – ScreenOS and Junos Network Operating System….

October 9, 2010



ScreenOS is the real-time, security-specific operating system that runs Juniper Networks firewall/IPsec VPN devices, and it provides everything you need to set up and manage them. ScreenOS includes a robust set of security features: an ICSA-certified IPsec VPN gateway for interoperable secure communication, deep inspection for application-level attack protection, virtualization features for network segmentation, and internal and external management interfaces to ease deployment. The ScreenOS CLI is fairly straightforward to get used to.

The features of ScreenOS include:

1. Network Address Translation (NAT)

2. Interfaces, zones and virtual routers

3. Mitigating denial of service attacks

4. DDNS, DNS and DHCP

5. IP routing and policy-based routing

6. Traffic shaping

7. User authentication

8. Application layer gateways (SIP, H.323, RPC, RTSP, etc.)

9. Content security and managing firewall policies

10. RIP, OSPF, BGP and NSRP

11. Multicast: IGMP, PIM, static mroutes

12. Wireless and virtual systems (VSYSes)

Junos® is a reliable, high-performance network operating system for routing, switching, and security. Juniper says it reduces the time needed to deploy new services and cuts network operation costs by up to 41%. Junos offers secure programming interfaces and the Junos SDK for developing applications that can unlock more value from the network.

This week I’ve been studying how to use and configure ScreenOS on Juniper network appliances. ScreenOS is much like Cisco IOS: it has a command line interface, and the way you configure the router and switch is much the same as with Cisco IOS. Juniper is certainly one of the best products out there when considering buying network equipment, and I recommend it!



Burp Suite ver…..

October 4, 2010

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

Burp Suite is made up of the following tools (descriptions taken from the PortSwigger website):

Proxy: Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications. It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions.

Spider: Burp Spider is a tool for mapping web applications. It uses various intelligent techniques to generate a comprehensive inventory of an application’s content and functionality.

Scanner: Burp Scanner is a tool for performing automated discovery of security vulnerabilities in web applications. It is designed to be used by penetration testers, and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.

Intruder: Burp Intruder is a tool for automating customised attacks against web applications.

Repeater: Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analysing their responses. It is best used in conjunction with the other Burp Suite tools. For example, you can send a request to Repeater from the target site map, from the Burp Proxy browsing history, or from the results of a Burp Intruder attack, and manually adjust the request to fine-tune an attack or probe for vulnerabilities.

Sequencer: Burp Sequencer is a tool for analysing the degree of randomness in an application’s session tokens or other items on whose unpredictability the application depends for its security.

Decoder: Burp Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognising several encoding formats using heuristic techniques.

Comparer: Burp Comparer is a simple tool for performing a comparison (a visual “diff”) between any two items of data. In the context of attacking a web application, this requirement will typically arise when you want to quickly identify the differences between two application responses (for example, between two responses received in the course of a Burp Intruder attack, or between responses to a failed login using valid and invalid usernames), or between two application requests (for example, to identify the different request parameters that give rise to different behaviour).
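To show the kind of question Sequencer answers, here is an added Python example (my own, not PortSwigger’s analysis, which is far more thorough) that estimates per-position entropy over a token sample and flags positions that never change. Both token sets are constructed: one from a counter, one from a seeded PRNG standing in for a real CSPRNG; the "weak" threshold of half the maximum bits is an arbitrary assumption for the demo.

```python
"""Added example: a rough version of what Burp Sequencer measures, namely
how unpredictable a sample of session tokens is. Written for this post;
not PortSwigger's code. Both token sets below are constructed.
"""
import math
import random
from collections import Counter


def position_entropy(tokens):
    """Shannon entropy (bits) of the symbol at each character position."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must have equal length")
    n = len(tokens)
    result = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def estimated_bits(tokens):
    """Sum of per-position entropies: an optimistic upper bound, since it
    ignores dependence between positions (a counter still scores too well)."""
    return sum(position_entropy(tokens))


def static_positions(tokens):
    """Positions that never change across the sample: structure, not secret."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h == 0.0]


def counter_tokens(n, start=4096, width=8):
    """Constructed weak tokens: a zero-padded incrementing hex counter."""
    return [f"{start + i:0{width}x}" for i in range(n)]


def random_tokens(n, width=8, seed=1):
    """Constructed stronger tokens: hex digits from a seeded PRNG
    (deterministic for the demo; a real application must use a CSPRNG)."""
    rng = random.Random(seed)
    return ["".join(rng.choice("0123456789abcdef") for _ in range(width))
            for _ in range(n)]


def assess(tokens, max_bits=None):
    """Summarise a sample the way a tester would read Sequencer's output.
    The 50% threshold for 'weak' is an assumption chosen for the demo."""
    max_bits = max_bits or 4 * len(tokens[0])      # 4 bits per hex digit
    bits = estimated_bits(tokens)
    return {
        "sample_size": len(tokens),
        "estimated_bits": round(bits, 2),
        "max_bits": max_bits,
        "static_positions": static_positions(tokens),
        "verdict": "weak" if bits < 0.5 * max_bits else "plausible",
    }


if __name__ == "__main__":
    print("counter:", assess(counter_tokens(256)))
    print("random :", assess(random_tokens(256)))
```

Two things carry over to real testing: collect a few hundred tokens at least, since a short sample under-estimates entropy even for good generators, and remember that a per-position measure cannot see sequential structure, which is why Sequencer also runs bit-level and correlation tests before it gives a verdict.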

My advice: download and use Burp Suite for your web application testing. It’s a good one to have. I’ve installed it, and it’s really great! Here is the download link:

Till then, have fun!