Chris Sanders

It happens pretty often that I’ll come across an interesting PCAP file that I want to share with others. Unfortunately, divulging these packet captures can give away certain sensitive information such as an organizations internal IP range, IP addresses of sensitive company assets, MAC addresses of critical hardware that could identify the product vendors, and more.

Fortunately, there is a tool which helps alleviate some of these issues. The tool is called Tcprewrite and is actually a part of the Tcpreplay suite. Tcpreplay is used to send packets from a PCAP back across the wire, but the suite actually contains a few other useful tools.Tcprewrite itself can be used to add and modify packet fields within PCAP files. For example, if you wanted to replace the layer two addressing information within a PCAP so that all of the packets have a specified source and destination MAC address you could use the following syntax:

tcprewrite --enet-dmac=00:55:22:AF:C6:37 --enet-smac=00:44:66:FC:29:AF --infile=input.pcap --outfile=output.pcap

Tcprewrite can do neat things at layer four as well, including remapping ports used in sessions. The following example will remap all port 80 traffic to port 8080.

tcprewrite --portmap=80:8080 --infile=input.pcap --outfile=output.pcap

The examples shown above were taken directly from the tcprewrite wiki page (http://tcpreplay.synfin.net/wiki/tcprewrite) where you can find quite a few other usage examples.

The real value of tcprewrite, and the reason for this article, is its ability to randomize the addressing information in a PCAP file. This is done with the following syntax:

tcprewrite --seed=423 --infile=input.pcap --outfile=output.pcap

In this line, the seed option is used in the randomization of the addresses. This will replace all of the IP addresses in the IP headers of the packets and will also modify any ARP packets in the traffic accordingly.

From what I’ve been able to determine this option doesn’t randomize and rewrite and MAC addresses, which is a bit of a problem since MAC addresses can give away the vendor of a piece of hardware. The last thing I want is the entire world knowing that I use Cisco/Juniper/Enterasys/Etc based external firewalls. The ability to rewrite MAC addresses is there but its not random. What you can do in this case is to split a PCAP file into two separate files representing each direction of traffic. This can be done with tcpdump or tcpprep, which is a part of the tcprewrite suite as well. Using tcprewrite you can split the traffic like this:

tcpprep --auto=bridge --pcap=input.pcap --cachefile=input.cache

From there you can use syntax similar to what was shown above to replace the MAC addresses. This isn’t randomized so you will basically have to make something up. At the very least I’d recommend replacing the OUI section of the MACs. That syntax would look something like this:

tcprewrite --enet-dmac=00:44:66:FC:29:AF,00:55:22:AF:C6:37 --enet-smac=00:66:AA:D1:32:C2,00:22:55:AC:DE:AC --cachefile=input.cache --infile=input.pcap --outfile=output.pcap

It wouldn’t be too much of a stretch to write a python script that uses tcpprep and tcprewrite to automate the randomization of MAC addresses as well.

You can download tcprewrite as part of the tcpreplay suite at http://tcpreplay.synfin.net/ or just apt-get/yum install tcpreply. The tool is Unix only (or you can use Cygwin if you are tied to Windows).

I’ve been slowly working through an article series entitled “Understanding Man-In-The-Middle Attacks” for the last few months. The last article of this series was published a couple of weeks ago so I thought I’d post a quick roundup of them all. This series covers four different types of attacks, how they work, how to execute them, and how to protect yourself from them. These articles are being hosted on WindowsSecurity.com, whom I write for on a monthly basis.

You can read each article at its corresponding link:

• Part 1 – ARP Cache Poisoning

• Part 2 – DNS Spoofing

• Part 3 – Session Hijacking

• Part 4 – SSL Hijacking

I woke up this morning and was very excited to see a post on a blog a frequent, Packet Life. It looks like the folks at QA Cafe have just launched a new project called CloudShark. I’ve been playing with CloudShark all morning and I’m very impressed. A colleague of mine wrote something similar to this a while back with intentions of publishing it but never did, so I’m glad someone set forth on a similar project. I plan on using CloudShark as a component of this blog, so from now on any packet captures I post will have a “view online” link that should display the captures directly in your browser.

The best resource for more information on CloudShark seems to be their FAQ:

What is CloudShark?

CloudShark is a web site that displays network capture files right in your browser instead of running desktop tools such as Wireshark. You upload, link, or email your capture files and we’ll display them.

Why CloudShark?

We work with network capture files on a daily basis. After trying to view capture files on mobile devices without Wireshark support, we realized it was time to move packets to the cloud. The CloudShark idea was born. CloudShark was created to make viewing capture files easy from any device ranging from desktops to smart phones. After creating our own solution, we decided to make it available to everyone as CloudShark.org.

How does it work?

* Generate your capture file or use an existing capture file
* Email it, upload it, or link it
* CloudShark does the rest by providing a decode session
* If you email CloudShark with an attached capture file, we’ll email you back with a link to your decode session
* Send your capture files as an attachment to cap@cloudshark.org
* If you are in the browser already, we’ll drop you into your decode session

Are my capture files publicly accessible?

While the URLs to your decode session are not publicly shared, we make no claims that you data is not viewable by other CloudShark users. For now, if you want to protect sensitive data in your capture files, don’t use CloudShark.

Is there any limit to the size of the capture file I can upload?

Capture files are currently limited to 512 Kbytes. Larger files will be rejected.

Can I delete my decode session after I am done with it?

Not directly. Eventually it will be deleted when the disk space is recycled.

How long is my decode session available?

CloudShark is not a file storage site. We’ll try to keep your files around, but obviously there is a limit to the amount of files we can keep around. If the link to your decode session is no longer working, you may need to upload the capture file again. In the future we may provide persistent storage, but for now you should store your capture files somewhere else.

What capture formats are supported?

CloudShark uses tshark to do the actual decoding. tshark supports several capture files from other tools besides Wireshark. See http://wiki.wireshark.org/FileFormatReference.

I have a capture file hosted on my web site. Is there an easy way I can link a CloudShark decode session to this capture file?

Yes. You can create a CloudShark link that includes a URL to your capture file. Here is an example:

http://www.cloudshark.org/view?url=http://packetlife.net/captures/TCP_SACK.cap

Who are you?

CloudShark was created by QA Cafe. We are the creators of CDRouter, the leading CPE testing solution. We spend a lot of time working with capture files. You can visit us at qacafe.com.

Is this project connected to Wireshark.org?

No, not directly. We do use Wireshark, tshark actually, on our back end.

How can I contribute?

If you have any ideas, you can contact us at info@cloudshark.org.

Kudos to the folks at QA Cafe for putting this together! You can visit CloudShark at http://www.cloudshark.com and you can follow Cloudshark developments on Twitter at @Cloudshark.

I’m speaking at the Kentuckiana ISSA meeting on June 4th in Louisville, KY.

The topic is “Then What Happened…Stories and Lessons in Incident Response”

Dive into recent attack packet analysis with Chris Sanders to reveal the dirty truth about recently investigated incidents.

Learn key factors in how exploits were detected, the analysis method used to determine sources…
You will also see methods used to determine the severity level of exploits and the power they may really have in your environment…

I’ll be covering some exciting things including some of the fundamental skills for intrusion analysts, tips for building your incident handling team, “packet math”, and analysis of recent attacks including a newly release 0-day.

Look forward to seeing you there! For more information including directions, check here http://www.issa-kentuckiana.org/.

I’ve been using Snort has a host-based IDS on my laptop for quite a while now and rather than expanding my attack surface by installing a database server for logging, I am simply logging to the standard flat file format. In this format all snort alerts are logged to an alert.ids file in the C:/Snort/log directory. In previous instances I’ve just reviewed this log frequently but I’ve had the desire for quite some time to have something a bit more realtime. I’m not sure if I’ve found the best solution, but I’m currently using RainMeter to display the most recent Snort alerts on my desktop.


I did run into one problem which had a solution I think others might be interested in. Snort logs the newest alerts it recieves at the bottong of the alert.ids file, which makes gathering the most recent alerts via perl regular expressions a bit of a complicated task. I brought this problem to my analysis team at EWA and Jason Smith, who has just started learning Perl,  developed a script that alleviates this problem. The script takes the last alert in the alert.ids file and places it at the top of a new “parsed” file. The second to last alert in the alert.ids file is then placed as the second alert in the parsed file, and so on and so forth. Also, as a bit of expanded functionality the script only grabs the first four lines of every alert which gives the alert name, classification, priority, and basic packet information. This makes for a more condensed and concise output.


You can download the script here: snort_parser.zip


As for implementation, I have setup a scheduled task that runs the script every 5 minutes so that the RainMeter on my desktop is updated very frequently. One small issue I noticed was that when this task ran it would pop up a command prompt window momentarily which was quite annoying. In order to combat this I created a VBS script that runs the perl script in the background. Rather than running the perl script, the scheduled task runs the VBS script which calls the perl script as an argument so that the process is invisible to me.


You can download the VBS script here: silent_launcher.vbs


Feel free to download, use, and distribute these files as you see fit.

I’m going to be out and about a few different places the early part of this year. If you are going to be at any of these events and want to get together and talk shop or have a bite to eat, give me a shout.

• ShmooCon, Washington DC – Feb 5-7
• SANS 2010, Orlando FL – Mar 6-15

I’m also planning on attending HOPE [Tentative] (NYC), Phreaknic (Nashville), Defcon (Vegas), and Black Hat (Vegas) this year.

I’ve recently been accepted into the SANS Institute mentor program and will be mentoring my first course next spring in the Bowling Green, KY area.

Please join Mentor Chris Sanders starting on March 18 for Security 504: Hacker Techniques, Exploits and Incident Handling.

Experience this local class and SANS award winning security training first hand in the popular Mentor format!

Chris Sanders will be leading this 36 CPE credit class in Bowling Green, KY.

For complete course details and registration information, please click on http://www.sans.org/info/52263.

About the course:

By helping you understand attackers’ tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information in this course helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors and the “oldie-but-goodie” attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

Students study SANS Hacker Techniques, Exploits & Incident Handling course books at their own pace. Each week, students meet with SANS Local Mentor, who will lead class discussions, provide hands-on demonstrations, point out the most salient features, and answer questions. The Mentor’s goal is to help students grasp the more difficult material, master the exercises, and prepare them for GCIH certification.

This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

These courses are great for folks who want SANS level training but don’t have the travel budget to go to a conference for a week. I’m very excited to bring something like this to my area…security training around here is slim pickins! Bowling Green is very centrally located and is only an hour from Nashville, TN, two hours from Louisville, KY, two hours from Lexington, KY, and two hours from Paducah, KY.

Also, I will be donating 20% of my teaching fee to the Rural Technology Fund, a 501(c)(3) non-profit organization which provides scholarships to high school students pursuing technical majors.

Free free to e-mail me with any questions, or visit the course website here: http://www.sans.org/info/52263.

I attended the Kentuckiana ISSA Louisville InfoSec conference on the 8^th of this month and I wanted to be sure and put something up about what a great event it was.

I participated in the CTF event that was put together by Adrian “Irongeek” Crenshaw (http://www.irongeek.com and @irongeek_adc). This is only the second CTF I’ve participated in (the first being the SANS Sec 504 CTF in San Diego) and I was really pleased with it.

You can view a write up and a brief video on the technical details of the CTF here: http://www.irongeek.com/i.php?page=videos/louisville-infosec-ctf-2009.

My team ended up coming in fourth. The winning team was led by Dave Kennedy (http://securestate.blogspot.com/) who won by a pretty good margin, and the second, third, and fourth place teams all finished within about ten minutes or so of each other.

This was the second event I’ve attended that involved the Kentuckiana ISSA and Adrian and I’ve really enjoyed being involved. I think I’ll be joining ISSA in the very near future.

I wasn’t able to attend many of the talks due to being involved with the CTF but my colleagues who did spoke very highly of all of the speakers.

A big thanks to Adrian and the Kentuckiana ISSA for organizing this! I can’t wait until next year!

I haven’t exactly kept this one a complete secret, but I’ve confirmed with the great folks over at No Starch Press and have begun work on the second edition of Practical Packet Analysis. The second edition will contain over 60% new content including ALL new scenarios and capture files, a very unique take on security at the packet level, much more detailed coverage of wireless packet analysis, and even VoIP! A target release date has not been officially set, but expect something in Q1-Q2 2010.

Howdy Folks,

I wanted to take a moment and link a pair of recent articles I’ve written for WindowsSecurity.com.

September 2nd – Securing Application Execution with Microsoft AppLocker

September 23rd – Maintaining, Mandating, and Mitigating Privacy in Internet Explorer 8

Enjoy!

The fine folks over at GFI were kind enough to send me a copy of the latest release of their LANguard product which is currently at version 9.0. As a disclaimer, GFI does advertise on my site, but this is not a paid advertisement, and our business relationship is has no influence on my review of the product.

I’ve used various GFI products for several years and remember using LANguard many years ago while working for the Department of Education. As I have taken on a more security-focused role in my new position with EWA GSI I have found myself using LANguard again and am enjoying the newest version of the product just as much as I did the older versions.

The big three features LANguard boasts are vulnerability management, patch management, and network auditing. I’ll address each of those individually.

Vulnerability Management

My primary use of LANguard has always been in this category. Some of my earliest learning experiences with network security were centered on LANguard security scans and in my current security role I’m making use of it right where I left off.

The scanning engine boasts over 15,000 scanning signatures and does seem to be quite thorough. I compared GFI LG scans side by side with Nessus scans on the same hosts and found the reporting from the LG scans were picking up quite a few more items of interest when it came to Windows hosts. The scanning options are quite robust and the reporting and remediation interface couldn’t be much better. 

Patch Management

I’ve previously always used WSUS for patch management. However, if you’ve used WSUS you know that it can sometimes be unreliable and the reporting and troubleshooting features associated with it are still greatly lacking. I’m no longer directly managing a network so I evaluated the patch management features of LG on my home network and was pleasantly surprised.

I ran several scans against the devices on my networks and some of the virtual machines in my test networks that I had purposely halted automatic updates on. LG reported the missing updates on these machines and I was able to efficiently deploy those updates to the machines. I’ve always thought OS updates should be something that “just works” and LG fit the bill on this.

Network Auditing

There is a LOT of competition in this area but I was really impressed with what LG could offer here. I think a network auditing solutions biggest weak point is usually the reporting interface, and just as with the other areas of LG, the reporting is pristine. Not only can you perform on the spot audits, but you can also check for things such as illegal software installations by running comparisons against baseline audits.

Pricing

GFI has released a full-featured FREE version of LANguard to be used for up to 5 IPs. After that, pricing is done on a per-IP basis with prices starting from around $32USD per IP for a 10-24 IP block.

Conclusion

I’ve always thought GFI was a great company with some really great products and LANguard 9.0 only helps to reinforce this opinion. I will continue to use the product alongside Nessus for my security scanning needs and would fully recommend it for network management and auditing.

You can check out LANguard and other GFI products at http://www.gfi.com.

The newest issue of (In)Secure Magazine has been released today. This issue contains an article I’ve written entitled “Using Wireshark to Capture and Analyze Wireless Traffic”.

Article Introduction:

The tricky thing about a wireless network is that you can’t always see what you’re dealing with. In a wireless network, establishing connectivity isn’t as simple as plugging in a cable, physical security isn’t nearly as easy as just keeping unauthorized individuals out of a facility, and troubleshooting even trivial issues can sometimes result in a few expletives being thrown in the general direction of an access point. That being said, it shouldn’t come as a surprise that analyzing packets from a wireless network isn’t as uninvolved as just firing up a packet sniffer and hitting the capture button.

 
In this article I’m going to talk about the differences between capturing traffic on a wireless network as opposed  to a wired network. I’ll show you how to capture some additional wireless packet data that you might not have known was there, and once you know how to capture the right data, I’m going to jump into the particulars of the  802.11 MAC layer, 802.11 frame headers, and the different 802.11 frame types.

The goal of this article is to provide you with some important building blocks necessary for properly analyzing wireless communications.

 

 

You can view the full article in the (In)Secure Magainze June issue, which can be obtained here: http://www.net-security.org/insecuremag.php.

The great folks over at the TechGenix website WindowsSecurity.com have published my article on Locking Down Windows Server 2008 Terminal Services. This article is a fairly detailed list of things you can do to make sure your Terminal Server infrastructure is more secure.

You can view the article here:

http://www.windowsecurity.com/articles/Locking-Down-Windows-Server-2008-Terminal-Services.html

I wanted to take a moment and link over to a project I have been working on for quite some time. I’ve recently founded a 501(c)(3) non-profit organization called the Rural Technology Fund. Coming from a small rural area that really lacked in opporunities for those interested in technology, I know how challenging it can be to pursue a career in that field. The goal of the RTF is to provide opportunities to students from rural areas pursuing education in computer technology.

There are two main ways this is done -

Scholarships – This year the RTF is giving away two $500 scholarships. Hopefully we can give away much much more next academic year.

The Genesis program – Working with county youth service centers and local businesses, this program aims to utilize area volunteers to refurbish donated business PC’s for donation to students who do not have computers at home. The Genesis program gives birth to opportunities for these students and their families.

How can you help?

Packet Analysis Training - A portion of the income from EVERY training program I do goes directly to the RTF. This includes live training downloadable videos (coming soon).

Monetary Donations – The RTF is accepting donations, and all of those donations are tax deductible.

Computer and Equipment Donations – The Genesis Program is accepting donated computers to be refurbished and donated to students in needs. These computers should be in fairly decent condition and at least have a functioning motherboard and processor. We are also accepting monitor, keyboard, mouse, and software donations.

For more information on the Rural Technology Fund, check out www.ruraltechfund.org.

Laura Chappell is now doing regularly scheduled online training seminars. I had the privelege of attending one of these last Thursday called the “Top 10 Reasons Your Network is Slow” and it was really great.

You can see a schedule of Laura’s training at http://www.chappellseminars.com/schedule-name.html.