Saturday, February 28, 2009

SecurixNSM 1.3

Securix-NSM is the successor of Knoppix-NSM. It's an extension of our NSMnow technology, integrated with the universal Debian foundation and a range of other tools to work from. Like its predecessor, Securix-NSM is dedicated to providing a framework for individuals who want to learn about Network Security Monitoring (NSM) or who want to quickly and reliably deploy an NSM capability in their network.

Securix-NSM is now based on Debian Live, which means that you can test all the tools in a live Debian session running on the CD without the need for a HardDisk Drive (HDD) installation.

You can download the ISO here.

Monday, February 16, 2009

Enjoy your Facebook!!!

Alright, so here's how to get into anyone's tagged photos even if they are private for you.

The only restriction is that they have to actually have tagged photos, either tagged by others or tagged by themselves. You can only see the last 20 tagged photos by others and 20 tagged photos of themselves before an error pops up.

If you want to see the steps, click here.



Saturday, February 07, 2009

Howto: Installing Squid Proxy in pfSense


Thursday, January 22, 2009

Time and Attack Mapper (TA-Mapper)

Time and Attack Mapper (alternatively known as TA-Mapper) is an effort estimator tool for blackbox security assessment (or penetration testing) of applications. This tool provides more accurate estimation when compared to rough estimation. Penetration testers who always have a hard time explaining or justifying the efforts charged (or quoted) to their customers can find this tool handy, since it lets them calculate the effort required for application penetration testing with greater accuracy. In addition, this tool helps application pen-testers itemize their penetration testing efforts at micro level and provides more clarity on their pen-testing activities. In future I plan to extend this tool's ability to generate test cases.

For more information, go to http://www.hackerscenter.com/

Wednesday, January 21, 2009

NSMnow 1.3

NSMnow is all about building a Network Security Monitoring (NSM) framework. It's very fast and easy, without the messy patching and configuration of each tool needed to get the system up and running. It builds a Sguil system with the minimum amount of fuss so you can actually focus on using Sguil instead of building it.
For more details, see this site: http://www.securixlive.com/
If you want to download it: here

Monday, October 27, 2008

Hex 2.0 Release!!

HeX is a project aimed at the NSM (Network Security Monitoring) community for use by network security analysts. The developers believe that simplicity and analysis workflow logic must be enhanced and emphasized throughout the process of designing this liveCD. Not only have they carefully chosen all the necessary applications and tools to be included on the liveCD, they have also tested them to make sure everything runs as smoothly as possible. To summarize the objective of HeX, they are trying to develop the first and foremost Network Security Monitoring & Network Based Forensics liveCD!

You can find information about Hex 2.0 here:
http://www.rawpacket.org/projects/hex/hex-livecd/version-20-release

Friday, September 05, 2008

HITBSecConf2008 Kuala Lumpur, Malaysia

Event Details:

Venue: The Crowne Plaza Mutiara Kuala Lumpur

Date: 27-30 October 2008

For more details about this event, please visit:

HITBSecConf 2008 Website

Howto Setup Syslog Server in Ubuntu using Apache2

I will show you how to set up a syslog server with an Apache2 web front-end on Ubuntu Linux.

Make sure you set a static IP address in Ubuntu. Edit this file:
#vi /etc/network/interfaces

This is your network configuration file (/etc/network/interfaces):
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface

auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1


After that, you need to prepare your syslog server:
#mkdir /logs
#vi /etc/syslog.conf
I log everything to /logs/logger.log. This is my syslog.conf file:
*.* /logs/logger.log

If you would rather log everything from auth, cron and kern, only lpr errors (priority 3, err, and anything more severe) and only syslog warnings (priority 4, warning, and anything more severe), then add the following lines to /etc/syslog.conf:
auth.* /logs/logger.log
cron.* /logs/logger.log
kern.* /logs/logger.log
lpr.3 /logs/logger.log
syslog.4 /logs/logger.log

Edit the sysklogd init script (/etc/init.d/sysklogd):
#vi /etc/init.d/sysklogd

You need to change the line SYSLOGD="" to SYSLOGD="-r -m0" (-r makes syslogd accept messages from other hosts on UDP port 514; -m0 turns off the periodic "-- MARK --" lines).

Restart your network:

#/etc/init.d/networking restart

After that, install Apache2:
#apt-get install apache2 php5 libapache2-mod-php5 mysql-server mysql-client php5-mysql

Check your hostname (/etc/hostname) and make sure your local IP address is in /etc/hosts. This is my /etc/hosts file:
127.0.0.1 localhost squid.cybersp.com
127.0.1.1 ubuntu
192.168.1.10 squid squid.cybersp.com
192.168.1.11 squid squid.cybersp.com

Modify /etc/apache2/ports.conf (the Listen directive); I decided to host on port 8080.

Then go to the apache2 sites-available directory:
#cd /etc/apache2/sites-available
#touch squid.cybersp.com


Now edit the squid.cybersp.com file:
#vi /etc/apache2/sites-available/squid.cybersp.com

and make sure it looks like this:

<VirtualHost *:8080>
ServerAdmin izhar@cybersp.com
ServerAlias squid.cybersp.com
DirectoryIndex index.php
DocumentRoot /logs
</VirtualHost>

OK, now go to the sites-enabled directory:

#cd /etc/apache2/sites-enabled
#ln -s /etc/apache2/sites-available/squid.cybersp.com squid.cybersp.com

Go to the /logs directory and create an index.php file:

#cd /logs
#touch index.php
#vi index.php

This is my index.php under the /logs directory:

Now, restart your Apache:

#/etc/init.d/apache2 force-reload

Now open this in your browser:

http://192.168.1.10:8080

Now you have a syslog server. TRY IT!!!
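As an added example that is not part of the original post, this Python script applies the sysklogd selector rules from the second /etc/syslog.conf variant above (auth.*, cron.*, kern.*, lpr.3, syslog.4) to RFC 3164 messages and reports which selectors would write each line to /logs/logger.log; the function names and the sample messages are my own constructions.

```python
# Added example (not from the original post): decide which lines a syslogd
# fed by the /etc/syslog.conf selectors above would write to /logs/logger.log.
# Assumes sysklogd semantics: "fac.pri" selects that priority and anything
# more severe, a numeric priority such as lpr.3 is the RFC 3164 code, and
# "*" matches any facility or priority.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp"]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]          # list index == numeric code
SELECTORS = ["auth.*", "cron.*", "kern.*", "lpr.3", "syslog.4"]  # from the post

def parse_pri(line):
    """Split the leading <PRI> of an RFC 3164 line into (facility, priority) names."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field: %r" % line)
    facility, priority = divmod(int(line[1:line.index(">")]), 8)
    if facility >= len(FACILITIES):
        raise ValueError("unsupported facility code %d" % facility)
    return FACILITIES[facility], PRIORITIES[priority]

def selector_matches(selector, facility, priority):
    """True if a sysklogd selector such as 'lpr.3' selects this message."""
    sel_fac, sel_pri = selector.split(".", 1)
    if sel_fac not in ("*", facility):
        return False
    if sel_pri == "*":
        return True
    # Named or numeric threshold: log this level and everything more severe.
    limit = int(sel_pri) if sel_pri.isdigit() else PRIORITIES.index(sel_pri)
    return PRIORITIES.index(priority) <= limit

def would_log(line, selectors=SELECTORS):
    """Return the selectors that would send this line to logger.log ([] = dropped)."""
    facility, priority = parse_pri(line)
    return [s for s in selectors if selector_matches(s, facility, priority)]

# Constructed sample messages, not captured from a real host.
SAMPLES = [
    "<38>Sep  5 10:01:02 squid sshd[1234]: Accepted password for izhar",  # auth.info
    "<51>Sep  5 10:06:10 squid lpd[1400]: printer offline",               # lpr.err
    "<54>Sep  5 10:07:00 squid lpd[1400]: job queued",                    # lpr.info
    "<44>Sep  5 10:08:00 squid syslogd: restart",                         # syslog.warning
    "<14>Sep  5 10:09:00 squid logger: hello",                            # user.info
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(would_log(msg) or "dropped", msg)
```

The vhost above serves /logs with no authentication, so every line this filter admits is readable by anyone who can reach port 8080; restrict the vhost (Allow from / a password) before pointing it at real logs.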

Wednesday, April 25, 2007

Compromising Windows Vista Security using Vboot Kit

Vbootkit is a bootkit that is able to load from Windows Vista boot sectors. It was developed by Nitin Kumar and Vipin Kumar, security consultants from NV Labs. It is a Windows Vista bootkit that hijacks Vista's boot process right from the beginning. Vbootkit testing was performed on Windows Vista RC1 (build 5600) and Windows Vista RC2 (build 5744).
If you want to get the Vbootkit white paper and presentation slides, you can visit here:
http://www.nvlabs.in/?q=node/27

Tuesday, April 24, 2007

U.S. Army team wants second chance at Hack In The Box (HITB) Kuala Lumpur???

A team of U.S. Army hackers will attend the Hack In The Box (HITB) Security Conference 2007 in Kuala Lumpur later this year, seeking redemption after falling short at a hacker competition in Dubai earlier this month.
http://www.networkworld.com/news/2007/042407-us-army-team-wants-second.html

I want to see them this year in KL.....

Saturday, April 21, 2007

Port 443

SANS informs that there is a significant increase in port 443 scans. They said that if you see attacks against HTTPS servers, please let them know. If you see something like that, I think you can send your web server logs/IDS logs/firewall logs to them to confirm whether there is an attack or not.
http://isc.sans.org/diary.html?storyid=2673

Last year, I had the same problem at a client site. One of my team members reported to my security consultant that she had detected a series of Attack Response alerts from our Snort IDS. This alert involved port 443 (HTTPS). So we analyzed that alert and checked the source IP, because the 443 traffic came from that source IP. After analyzing the alert, we confirmed that there were no SSL/HTTPS services available on the source IP. It looked like a normal website; there was no HTTPS service on that IP, and if there were, the traffic should have been encrypted. We wanted to analyze the details and make a decision about that alert, but we did not have more resources. Maybe an attacker had compromised that host earlier, installed a backdoor/trojan/malware on it and used it to communicate through port 443? Or maybe it was a misconfiguration? See this link:
http://blog.hazrulnz.net/121/finally-2.html

From my experience, this question is not easy to answer if you only have Snort alerts; that alone makes it too difficult. Looking at the alerts, there is nothing else we can do, and you cannot give the right answer to this question.

That's why I like to use Sguil. Sguil is an open source suite for performing NSM (Network Security Monitoring). NSM equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes, resulting in decreased impact from unauthorized activities.

Tuesday, April 03, 2007

Exploiting Microsoft ANI Vulnerability in 10 minutes

Trirat Puttaraksa posted about the Microsoft ANI vulnerability and how to exploit it in 10 minutes. He started to write this exploit after doing a lot of research on Exploiting the ANI vulnerability on Vista, Windows Animated Cursor Stack Overflow Vulnerability and Analysis of ANI "anih" Header Stack Overflow Vulnerability.
http://sf-freedom.blogspot.com/2007/04/ani-again-exploiting-microsoft-ani.html

Sunday, April 01, 2007

Sguil Problem

Today, I got a problem with my Sguil machine. When I wanted to run the Sguil script, I got this error: "Table `event` is marked as crashed and should be repaired".

I checked the error message with dmesg to find out the problem:

After that, I tried to restart the sguild script, but I got the same error. At the same time, I remembered TaoSecurity posting about a MySQL problem. I searched the TaoSecurity blog and found this link:
http://taosecurity.blogspot.com/2007/03/recovering-from-corrupted-mysql.html

I ran the mysqlcheck command like this:
izhar/root #mysqlcheck -r sguildb -p
Enter password

After running mysqlcheck, I tried to start the sguild script again, but it still did not work. I rebooted my FreeBSD 6.1 machine and went into maintenance mode. I ran the fsck command to check file system consistency and interactively repair the file system:
#fsck

After running fsck, I rebooted my Sguil machine and tried to run Sguil again. Everything worked without any errors, so I could use my Sguil machine again.

Conclusion: shut down your Sguil machine properly. Hehehe, yesterday I forgot to shut it down and immediately closed my VMware Sguil without shutting it down.

Wednesday, March 28, 2007

Metasploit Framework 3.0

The Metasploit Project released the new Metasploit Framework 3.0. The Metasploit Framework is a development platform for creating security tools and exploits. Version 3.0 contains 177 exploits, 104 payloads, 17 encoders and 3 nop modules. Additionally, 30 auxiliary modules are included that perform a wide range of tasks, including host discovery, protocol fuzzing and denial of service testing. Metasploit organizers describe the framework as suited for use by IT administrators carrying out pen testing and patch installation verification, and product makers testing the security limitations of their technologies, along with its core audience of researchers.
You can download it here:
http://framework-mirrors.metasploit.com/msf/download.html

This is an interview with HD Moore, the founder of Metasploit, about his Metasploit projects.
http://www.securityfocus.com/columnists/439

Sunday, March 18, 2007

An interview with Joanna Rutkowska

This is an interview session with Joanna Rutkowska, a person who hacked the Windows Vista kernel.
http://www.darkreading.com/document.asp?doc_id=119576&f_src=darkreading_default

Last year, I attended her presentation Subverting Vista Kernel For Fun and Profit at HITBSecConf2006. She showed how to bypass the Windows Vista kernel using the Blue Pill tool. She is one of the researchers who found vulnerabilities in Vista. You can refer here to get the slides of her Vista presentation at HITBSecConf2006. You can also refer to her blog for her latest research:
http://theinvisiblethings.blogspot.com/

Analysis of Remote File Inclusion Attempts

This is an analysis from the SANS diary of remote file inclusion attempts:
http://isc.sans.org/diary.html?storyid=2462

Remote file inclusion is one of the latest and most popular attack techniques used to attack a website from a remote computer. If your server runs web applications that allow an attacker to perform remote file inclusion, it is very easy for the attacker to take over your server remotely.

PHP applications are among the applications most often vulnerable to remote file inclusion. The reasons for this PHP issue are:
  • Insufficient validation of user input prior to dynamic file system calls, such as require, include or fopen()
  • allow_url_fopen and PHP wrappers allow this behavior by default, which is unnecessary for most applications
  • Poor permissions and planning by many hosters, allowing excessive default privileges and wide-ranging access to what should be off-limits areas
If you want more information about PHP remote code execution, you can refer to this:
http://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Execution
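As an added example (not from the SANS diary or the original post), the following Python script flags remote file inclusion attempts in Apache combined-format access logs by looking for query parameters whose value is a remote URL or a PHP stream wrapper, the inputs that allow_url_fopen lets include()/require() consume; the function names, regexes and sample log lines are my own constructions.

```python
# Added example (not from the SANS diary or the original post): flag
# remote-file-inclusion attempts in Apache combined-format access logs.
# Assumption: an RFI attempt shows up as a query-string parameter whose value
# is an absolute URL or a PHP stream wrapper (php://, data://, expect://, phar://).
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Combined log format: client - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Values that would make a dynamic include() fetch code from elsewhere.
REMOTE_VALUE = re.compile(r'^(?:https?|ftps?)://|^(?:php|data|expect|phar)://', re.I)

def rfi_params(path):
    """Return [(param, value)] for query parameters carrying a remote include target."""
    hits = []
    for name, value in parse_qsl(urlparse(path).query, keep_blank_values=True):
        decoded = unquote(value)   # parse_qsl decoded once; catch double encoding
        if REMOTE_VALUE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_access_log(lines):
    """Yield (client_ip, status, param, target) for each suspicious request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # not a combined-format line; skip it
        client, method, path, status = m.groups()
        for name, value in rfi_params(path):
            yield client, int(status), name, value

# Constructed sample log lines, not from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Mar/2007:02:14:11 +0800] "GET /index.php?page=http://203.0.113.9/x.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [18/Mar/2007:02:14:12 +0800] "GET /index.php?page=%68ttp://203.0.113.9/x.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '192.0.2.44 - - [18/Mar/2007:02:15:01 +0800] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [18/Mar/2007:02:15:30 +0800] "GET /view.php?file=php://input HTTP/1.1" 500 0 "-" "curl/7.15"',
]

if __name__ == "__main__":
    # A 200 with a non-empty body to an RFI attempt deserves a closer look:
    # the include may have succeeded.
    for hit in scan_access_log(SAMPLE_LOG):
        print("RFI attempt from %s (status %d): %s=%s" % hit)
```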

Friday, March 09, 2007

TOR: Anonymity Online

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.
You can visit this website to learn more about TOR or download it:
http://tor.eff.org/

Or you can follow this website if you want to learn about installing and configuring TOR:
http://www.irongeek.com/i.php?page=videos/tor-1

Friday, March 02, 2007

Deformed TCP Options - Got Packets?

I got this article from SANS. This is about TCP packet analysis. The analysis said that the scan may be to probe firewall configuration, but it seems the level of crafting involved would be overkill. I'm still new to packet analysis. I think I should improve my knowledge about TCP packet attacks.
http://isc.sans.org/diary.html?storyid=2328

Wednesday, February 28, 2007

Windows Vista Security

Hi all,
I know many people talk about Windows Vista security. Many security researchers and security professionals are still talking about security innovations and features in Windows Vista such as User Account Protection, BitLocker Drive Encryption and EFS, Windows Defender, Windows Firewall, Windows Security Center, Internet Explorer 7, and much more.

You can read the Windows Vista research by Symantec Security Response, which aims to provide a balanced and objective analysis of these improvements. You can read the PDF paper Security Implications of Windows Vista and the blog post about Vista Security.

You can also read the slide presentation Windows Vista Security Explained by Paul Thurrott, News Editor of Windows IT Pro Magazine.

Saturday, February 24, 2007

Avoid these five common IDS implementation errors

Intrusion Detection Systems can go a long way toward keeping hackers from penetrating your network. However, they can only work if you set them up properly. Here are five common errors and how you can avoid them:
  • Ignoring frequent false positives
  • Avoiding IPSec to support NIDS
  • Monitoring only inbound connections
  • Using shared network resources to gather NIDS data
  • Trusting IDS analysis to non-expert analysts
You can read the full article:
http://articles.techrepublic.com.com/5100-6350-5785230.html