Hunting Packets

Security has the best map in IT

huntingpackets — Thu, 28 Oct 2010 04:27:31 +0000

This one is mostly for the internal security guys as there is nothing stealth about this, sorry pentesters but you have enough of the cool toys. As I have noticed in the past at medium to bigger shops security usually has the best network/asset map. This is due to the basics of our jobs in looking at fine details, most other IT teams move from one project to another keeping the plates spinning. To aid in getting a basic map of systems I created this simple shell script that will create a csv that will include IP, ping status, NETBIOS name and DNS entries.

First create your IP list in excel. These steps assume that we are listing out /24 networks.
- A1 will be the first three octets of the IP. Copy that down to cover the subnet.
- 192.168.6.
- B1 will be 1. Do a “fill series” so that it goes by 1 all the way down to 254.
- C1 will be “=A1&B1″. This will give you each IP.
- Repeat this for each subnet in your list.
- Copy all cells from column C into a simple text editor.
- I find it good to create 3 lists as they will have different scan times and sources.
- inside_infra.txt
- inside_users.txt
- outside.txt
- Below is a sample of what you will see in the text file. With this list we can create a script to scan each item.
192.168.6.1
192.168.6.2
192.168.6.3
192.168.6.4

Create the following 3 folders next to each other so calls in script will line up.
- scripts
- results
- ip_lists

Copy the script below into the “scripts” folder and the ip lists you created into the “ip_lists” folder.

######################################################################
#! /bin/sh

# read text file and run all below for each entry
for ip_addr in $(cat ../ip_lists/inside_infra_ip_list.txt);do

# ping sweep
ping_answer=$(ping -c 1 $ip_addr | grep “bytes from” | cut -d” ” -f 2)
if [ "$ping_answer" = 'bytes' ]
then
system_up=$(echo up)
else
system_up=$(echo down)
fi

# netbios sweep
netbios_name=$(nbtscan -s , $ip_addr | cut -d”,” -f 2 | sed s/\ //g)

# write to csv file
echo $ip_addr,$system_up,$netbios_name,$clean_dns >> ../results/ip_ping_netbios_dns_list.csv

done
######################################################################

As you can see there is a bunch of details to clean up the output so the csv is nice (no leading or trailing spaces).

Also, there can be many DNS entries for some hosts. I have divided them by a “|” so you can parse out with excel if you like. If we used something like comma or tab then it could cause issues during the first load.

You will need to install nbtscan if your linux OS of choice does not have this by default. For Ubuntu is is “sudo apt-get install nbtscan”.

Change the input and output file names in the script to your needs.

Change into the scripts folder and run it.
- sh ./iplist_full_scan.sh

After it is done look in the results folder for your output.

Here is what you will see in excel. Columns are IP – Ping result – Netbios Name – DNS Name (could be many)

192.168.6.1    up    WINDOWS_SERVER    windows_server.example.local
192.168.6.2    down            ips.example.local
192.168.6.3    up            linux_server.example.local
192.168.6.4    up

You will notice patterns like those above. Not all servers respond to ping. Not all server have Netbios names and not lots of non server equipment might not have either but will respond to ping.

Does your IDS CPU go spike in the night?

huntingpackets — Thu, 14 Oct 2010 05:00:35 +0000

Those single threads killing your IDS? Do you have a single core at 100% and the rest under 10%? Sometimes the issue is not a bad rule or strange traffic. Rule profiling does not always help. The issue could be a new backup or DR sync that the sysadmins started and did not tell you about. Here is a simple way I have found to find the “top talkers” in view of your IDS.

1. Capture the SRC IP/Port and DST IP/Port data. This is a small part of what you would get with “flow” data.

sudo tcpdump -i fp2 -nn > /tmp/top_talkers.txt

notice we don’t use “-s 0″ or “-vv” as we only need the basics of each packet (src ip/port and dst ip/port)
notice we are not writing the packets (-w ) only the output of the screen to file
the data we are collecting is smaller than a pcap would be but depending on the amount of data in view of the IDS your disk may fill up quickly. If your CPU is at 100% you only need to capture for about 5 minutes to find your top talkers.

2. Now we need to grab the fields we want (src ip/port and dst ip/port), sort them, and order them based on counts of unique combos.

cat /tmp/top_talkers.txt | sort | uniq -c | sort

The end of your list will look something like this. The syntax is . .

34903 192.168.1.3.2051 192.168.1.2.42062:
67945 192.168.1.2.42062 192.168.1.3.2051:

3. Work with your sysadmin team on what each system is and what type of traffic is running on those ports. If it happens each night and it is single host to single host we can add a filter so the traffic is spit out before the long list of rules. Remember unless your budget is unlimited your IDS environment is a game of filtering what you don’t think is a risk so you can monitor more traffic that you think might before your max your hardware out.

Please comment if you have another way of doing the same. It is good to share as the vendor does not always have a way to troubleshoot it all.

back to life

huntingpackets — Thu, 14 Oct 2010 04:16:28 +0000

After 2 years without adding anything I think it is time to start again.

ms08-067 – it starts

huntingpackets — Sun, 26 Oct 2008 02:31:48 +0000

new project

huntingpackets — Thu, 28 Aug 2008 00:20:27 +0000

New project for the home network – “network black box”. More details and a build doc later.

dns fun

huntingpackets — Fri, 25 Jul 2008 08:44:07 +0000

My ISP has patched their DNS and my firewall dns process (pfsense) does not need patch so I should be good. Now I just need to ride the storm of infected systems at work over the next few weeks as people bring them in from home. The bots shall come marching!

another good podcast

huntingpackets — Thu, 17 Jul 2008 18:05:51 +0000

This time from WatchGuard. Usually the podcasts by a company are no good. WatchGuard has done something great. They split the “company propoganda” and the good stuff. If you own a WatchGuard device then you will like the ones that start with “firebox special”, if you don’t just skip them and listen to the others. The hosts, Scott and Corey do a great job and running you through an exploit or vulnerability instead of just listing off news items like some of the other security podcasts do.

http://www.watchguard.com/education/radiofreesecurity.asp

(also in ITunes catalog)

podcast recomendation

huntingpackets — Wed, 09 Jul 2008 17:27:21 +0000

I am always in search of a good podcast. Lately i have found Ricky Business. It is from Australia and meets all of my “likes” below.

http://itradio.com.au/security/

1. Good audio – there are many that start but don’t invest in good equipment. There is nothing harder than trying to listen to a podcast that has horrible audio.

2. Boring content. I don’t want to listen to something that sounds like someone is reading the newspaper. I can do that. I like podcasts that sound like I am eavesdropping on a group of gurus at a security conference.

3. Keep it to the subject matter. There are a few out there that get too childish. I am all for jokes but when it is more than your subject matter that is too much.

side effects of this job

huntingpackets — Sat, 14 Jun 2008 04:07:52 +0000

Thanks to looking at url obfuscation all day I know write 50% as %50.

sslexplorer on ubuntu server 8.04 – all cli

huntingpackets — Fri, 30 May 2008 23:41:32 +0000

The new sslexplorer gui installer works great but what if you want it to run on a server without the desktop

Note – before you start
- Many of the commands below will run from cli as non root but will give you an error until later, to avoid this during this installation run “sudo -i” each time you start a session with the server during install. Issue of this are, write errors, cant start web server on port lower than 1024, …
- All terminal commands below are in boxes

Default 8.04 ubuntu server
- add sshd

Install java and unzip

apt-get install sun-java5-jdk unzip

Patch server and reboot for clean start

apt-get update
apt-get upgrade
reboot

Download sslexplorer (not the gui one)

wget http://download.3sp.com/appstore/files/sslexplorer_unix.zip

- if link above is bad then make your own, view source on http://3sp.com/showSslExplorer.do
- grab a coffee, 42mb from a slow server

Unzip and untar download file

unzip sslexplorer_unix.zip

- zip file has tar file of sslexplorer and pdf of unix installer

tar -zxvf sslexplorer_unix.tar.gz

Install the service

cd sslexplorer/install/platforms/linux/
./install-service -j /usr/lib/jvm/java-1.5.0-sun

- you can also ditch the -j option and set JAVA_HOME for this app to run
- if it works you should get something like this….

Detecting Java
Using /usr/lib/jvm/java-1.5.0-sun
Detected OS debian (x86)
Adding system startup for /etc/init.d/sslexplorer …
/etc/rc0.d/K20sslexplorer -> ../init.d/sslexplorer
/etc/rc1.d/K20sslexplorer -> ../init.d/sslexplorer
/etc/rc6.d/K20sslexplorer -> ../init.d/sslexplorer
/etc/rc2.d/S20sslexplorer -> ../init.d/sslexplorer
/etc/rc3.d/S20sslexplorer -> ../init.d/sslexplorer
/etc/rc4.d/S20sslexplorer -> ../init.d/sslexplorer
/etc/rc5.d/S20sslexplorer -> ../init.d/sslexplorer
Service installed

Go back to the root of the sslexplorer folder and start installer

./install-sslexplorer

- it will fire up the temp page on http://server_ip:28080
- go there in your browser and run the wizard
- if you need help on wizard check the pdf that came with installer

Go back to shell and check service status

/etc/init.d/sslexplorer status

- it will probably not be started so start it up

/etc/init.d/sslexplorer start

- give it a sec and go to the page – https://your_ip , if you have a login prompt you are good to go.