Andrew Hay » HowTo’s

Configuring a Promiscuous Interface on Ubuntu 9.04

Andrew Hay — Thu, 05 Nov 2009 21:08:44 +0000

If you’ve got a bad memory (like me) you might some day find yourself searching for a way to configure an interface on your Ubuntu 9.04 system to use as a sniffer interface. Here is how you do it:

1) Edit the interfaces file:

you@ubuntu:~$ sudo vim /etc/network/interfaces [sudo] password for you: enter your password

2) Go to the last line of your interfaces file and add the following:

iface eth1 inet manual up ifconfig $IFACE 0.0.0.0 up up ip link set $IFACE promisc on down ip link set $IFACE promisc off down ifconfig $IFACE down

3) Save and exit the file:

:wq

4) Bring your newly configured interface up:

you@ubuntu:~$ sudo ifup eth1

5) Check your interface and look for PROMISC:

you@ubuntu:~$ sudo ifconfig eth1 eth1 Link encap:Ethernet HWaddr 00:0c:29:bb:3a:cc inet6 addr: fe80::20c:29ff:febb:3acc/64 Scope:Link UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:31011 errors:0 dropped:0 overruns:0 frame:0 TX packets:10 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:4973602 (4.9 MB) TX bytes:796 (796.0 B) Interrupt:16 Base address:0x2080

Now start snort, tcpdump, or whatever you want to use to start sniffing traffic using your newly configured promiscuous interface.

Installing log2timeline on SIFT – Updated Instructions for Ease of Use

Andrew Hay — Tue, 27 Oct 2009 19:54:46 +0000

If you use the SANS Investigative Forensic Toolkit (SIFT) Workstation for your forensic analysis you can easily add log2timeline to your VMware guest image. In order to get these files using the wget, yum, and cpan methods you must ensure that your SIFT workstation has its interface set to ‘bridged’ or ‘NAT’ mode so that it can get out to the Internet.

Steps to Install log2timeline on SIFT

1. Download the log2timeline archive to your SIFT workstation
[root@SIFTWorkstation ~]# wget http://log2timeline.net/files/log2timeline_0.33b.tgz
2. Extract the archive
[root@SIFTWorkstation ~]# tar zxvf log2timeline_0.33b.tgz
3. Change to the log2timeline directory
[root@SIFTWorkstation ~]# cd log2timeline
4. Install some of the dependancies using yum
[root@SIFTWorkstation ~]# yum install perl-DateTime perl-Net-Pcap perl-Archive-Zip perl-HTML-Scrubber perl-Image-ExifTool perl-Glib
5. Install the NetPacket::Ethernet module
[root@SIFTWorkstation ~]# perl -MCAPNPLUS -e 'install NetPacket::Ethernet'
6. Install the ExtUtils::Depends and ExtUtils::PkgConfig modules
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install ExtUtils::Depends' [root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install ExtUtils::PkgConfig'
7. Install the Glib, Cairo, Pango, and Gtk2 modules
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Glib' [root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Cairo' [root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Pango' [root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Gtk2'
8. Compile log2timeline
[root@SIFTWorkstation log2timeline]# perl Makefile.PL && make && make install
9. Execute the log2timeline script using the ‘-f list’ flag to test the installation
[root@SIFTWorkstation log2timeline]# log2timeline -f list

That’s it. If the log2timeline -f list command displayed all available log file formats you should be good to go. In my experience, if a particular module is missing you will receive an error when running this file (in a different place depending on what is missing).

Now you should probably take a snapshot of your SIFT image so that you don’t revert back and lose your log2timeline application. If you would like more information on log2timeline there is a great article here: http://blogs.sans.org/computer-forensics/2009/08/13/artifact-timeline-creation-and-analysis-tool-release-log2timeline/ and the log2timeline project page can be found here: http://log2timeline.net/.

Quick and Dirty VPN over SSH

Andrew Hay — Tue, 24 Apr 2007 16:45:26 +0000

A colleague of mine sent me a cool little command to create, a “quick and dirty vpn over ssh”:

It’s a quick and dirty vpn over ssh and only requires that ssh and pppd are installed on each end (generally true for Lunix and *BSD)

pppd updetach noauth passive pty “ssh -x -P 123.45.2.55 -l root sudo pppd nodetach notty noauth proxyarp” 192.168.0.65:192.168.0.66 && route add -net 192.168.0.64/26 dev ppp0

Although this has been around for a while it does allow for an ad-hoc virtual private network without the need to install any special VPN software.

How to disable 3rd party cookies in Firefox 2.0

Andrew Hay — Fri, 03 Nov 2006 11:56:29 +0000

Found an interesting blurb on the Mozillazine Forums:

You used to be able to set this via the standard user interface pre-2.0 but now you must go to the address bar and type:

about:config

You can then search for the following string:

network.cookie.cookieBehavior

change the value from 0 to 1 and restart Firefox.

This will prevent the transfer of cookie information from site-to-site. (i.e. msn.com reading your google.com cookies)

Malware Analysis: Tools of the Trade

Andrew Hay — Tue, 24 Oct 2006 12:24:15 +0000

Excellent information gathering by Lorna Hutcheson in this Internet Storm Center Handler’s Diary Entry. From the diary entry:

First I want to thank everyone who sent in tools for this endeavor. I hope that this list of tools continues to grow and everyone can get good use out of it. If you look at the diary entry that launched this endeavor, you will find the information that I’m looking to obtain about the tools. If you have some that need would be good to list here, please pass them along and I’ll update the list. Some folks sent in entries and checked the box not to have thier names mentioned, so there are no names by those submissions. If you want me to include your name, I’d love to, but you need to give me permission first when you submit the information. All information has been submitted as provided. If you have any additions, I’d be happy to add them!

The List:
1. Malcode Analyst Pack

a. Where you can get it (if known)- iDefense http://labs.idefense.com/labs-software.php?show=8

b. Shareware/Freeware- GPL/Freeware

c. What it does-

This install package contains a handful of small utility type applications that have proven useful while analyzing malicious code.

These are quick tools designed to meet specific needs while in a malcode testing lab environment. Functionality is tailored specifically to these ends, implementation may be crude at some points but all have proven utility.

This package includes:

       • ShellExt      – explorer shell extensions
       • socketTool    – manual TCP Client for probing functionality.
       • MailPot       – mail server capture pot
       • fakeDNS       – spoofs dns responses to controlled ip’s
       • sniff_hit     – HTTP, IRC, and DNS sniffer
       • sclog – Shellcode research and analysis application
       • IDCDumpFix    – aids in quick RE of packed applications
       • Shellcode2Exe – embeds multiple shellcode formats in exe husk
       • GdiProcs      – used to detect hidden processes

d. Tips for using it or gotchas- N/A
e. Is the source of the tool considered trustworthy?- as trustworthy as iDefense is
f. Screen Shots of the tool in action (optional)- there is a wmv of the shellcode logger usage on the site (link at bottom of page)
g. Links to additional resource information about the tool- N/A

2. RegMon, FileMon, Ethereal: Submitted by Ronan Rose

a. Where you can get it (if known)-
RegMon, FileMon and TCPView at www.sysinternals.com

Ethereal: Included with red hat many linux distros

MSVPC: microsoft.com (trial)

b. Shareware/Freeware- unknown – trial versions / freeware

c. What it does:

RegMon: monitors processes accessing the registry.
FileMon: monitors processes accessing file system.
TCPview: lets you see in real time what applications are listening on your ports.
Ethereal: will give you a good view of what is happening on the network at a packet level.
MSVPC: will allow you to set up a network on your PC. I have a 2.4 ghz, 60GB HD and 750 mb ram which allows me to run 3 VMs simultaneously in a LAN – server2003 to provide dns, ftp, smtp etc,
Win2k client as Malware host and to run filemon and reg mon on, and redhat 7.2 vm to use ethereal

d. Tips for using it or gotchas-

In the case of malware with Regmon look for processes polling the “run” keys in the registry . You will need to exclude some processes from both tools (there is quiet alot happening under the bonnet in windows) to improve legability, but if you are still not finding your problem, remember that some malware can inject itself into legit processes, so drop any filters and start again.
Filemon should show you any process that is systematically looking for information on your hard drive.
TCPview lets you see in real time what applications are listening on your ports. Some of the newer malware claims to be able to defeat some of the file, registry, tcp view type apps with rootkits etc. When in doubt, check ethereal – if the network is still busy, then you are still infected!

e. Is the source of the tool considered trustworthy? All tools are trustworthy and come from a reliable source.

f. Screen Shots of the tool in action (optional)-
g. Links to additional resource information about the tool-

3. Windows 2000 RAM dump parsing tools: Submitted by Harlan Carvey

a. Where you can get it (if known)- http://sourceforge.net/project/showfiles.php?group_id=164158

b. Shareware/Freeware-

c. What it does-

d. Tips for using it or gotchas- The tools themselves should be platform-independant, and only require Perl. I’ve had previous versions tested on Linux, and even a Mac G5.
e. Is the source of the tool considered trustworthy?
f. Screen Shots of the tool in action (optional)-
g. Links to additional resource information about the tool-

4. Wireshark, formerly Ethereal

a. Where you can get it (if known)- http://www.wireshark.org/

b. Shareware/Freeware- Free & Open source

c. What it does- Analyzes network traffic & packets. Useful for observing if and where malware is attempting to deliver/recieve payload(s) and via which protocol(s).

d. Tips for using it or gotchas-
e. Is the source of the tool considered trustworthy? Yes, trustworthy, would run it on primary systems if needed. Open source, can compile from source code if desired. Having access to the full source code for scrutiny adds to the level of trust.
f. Screen Shots of the tool in action (optional)-
g. Links to additional resource information about the tool- Numerous links available on the Wireshark home page, www.wireshark.org

5. OllyDbg: Submitted by Vince Maes

a. Where you can get it (if known)- http://www.ollydbg.de/

b. Shareware/Freeware- OllyDbg is a shareware, but you can download and use it for free.

c. What it does- Provides binary code analysis for Windows-based malware. Some of it’s best features are:

-Attaches to running programs
-Analyzes complex code constructs such as call to jump to procedure
-Sets conditional, logging, memory and hardware breakpoints
-Traces execution and logs arguments of known functions.
-And lots more…

d. Tips for using it or gotchas-
e. Is the source of the tool considered trustworthy?
f. Screen Shots of the tool in action (optional)-
g. Links to additional resource information about the tool-

6. IDA Pro: Submitted by Vince Maes

a. Where you can get it (if known)- http://www.datarescue.com/

b. Shareware/Freeware- Cost of standard edition is $439 This tool is worth the cost.

c. What it does- Disassembler and debugger with an assortment of community developed plug-ins. Supports a multitude of processors. Use a graphic interface. It allows you to step through malicious code. Best to run in a virtual machine with no network access.

d. Tips for using it or gotchas-
e. Is the source of the tool considered trustworthy?
f. Screen Shots of the tool in action (optional)-
g. Links to additional resource information about the tool-

7. Holodeck: Submitted by Vince Maes

a. Where you can get it (if known)- http://www.securityinnovation.com/holodeck/

b. Shareware/Freeware- Cost of single user license $1495.00

c. What it does- Basically a great fuzzing tool. Automated point-and-click fault scenarios, function call logging, operation intercepts, network packet logging, and a debugger just to name a few. There is a book by the developers that contains a light version of the product: How to Break Software Security.

d. Tips for using it or gotchas-
e. Is the source of the tool considered trustworthy?
f. Screen Shots of the tool in action (optional)-
g. Links to additional resource information about the tool-

WEBSITE LINKS:
1. Pedram’s site: http://pedram.redhive.com/ Submitted by Vince Maes