My Ideas, Thoughts, Hacks, Bookmarks

Several features that I found very interesting in TrueCrypt version 5.0 are :

You can read the other features in TrueCrypt site.

Here are the steps I took to upgrade my previous TrueCrypt (version 4.3a).

- Extract truecrypt tarball :

tar xvzpf truecrypt-5.0a-opensuse-x86.tar.gz

- Change to the latest truecrypt directory :

cd truecrypt-5.0a/

- Upgrade truecrypt on my system :

  # rpm -Uvh truecrypt-5.0a-0.i586.rpm  Preparing...             ########################################### [100%]     1:truecrypt              ########################################### [100%]

Here is the TrueCrypt GUI in Linux, amazing :

BTW, the window’s size displayed is not adjustable.

In this version, you can also see TrueCrypt on your taskbar :

Right-click to see the menu :

It’s been more than three months since I wrote my last blog in this site. My last blog item dated November 29, 2007.

In those three months, I was busy with settling to a new job.

Now everything seems to be settled down so I hope I can write more regularly.

See you and happy reading.

Yesterday, my friend gave me a link to Fortress (http://www.steve.org.uk/Software/Fortress/).
Fortress is A simple script-based security scanner, using the LUA scripting engine for the writing of tests.

I then take a look at it and it’s quite interesting. Before I can play with it I have to install Lua first.

The Lua version provided by my distro is quite old, I check that it was developed in 2003. So I find out what is the latest version, and it’s version 5.1.
I search this version on Packman.

I found out the one provided for OpenSUSE 10.2. So I download and install them.

I’ve already anticipated that they can’t be installed easily, there should be some dependencies problems. But what surprise me, they CAN BE INSTALLED easily. Just type :

# rpm -Uvh lua-*.rpm

And it will install all Lua packages (lua, lua-devel, lua-libs)

I will post a blog whenever I have a chance to play with Fortress.

Having read many articles about the “greatness” of WebScarab as a web application auditting tool, I am eager to install it on my system. As far as I can remember, I’ve already installed it before, but on my other system, and it should already been gone, because my brother already formatted the disk.

When I first install the WebScarab installer (webscarab-installer-20070504-1631.jar), the installer run smoothly until it wanted to copy the files. At first I thought this was a download problem, so I download it again, but the problem still persist. I just give the following command :

$ java -jar webscarab-installer-20070504-1631.jar

After thinking for a while, I found out where the problem was. Apparently, the above command (java) is linked to :

/usr/lib/jvm/jre-1.4.2-gcj/bin/java

It is contained in java-1_4_2-gcj-compat-1.4.2.0-33 package. From the description :

This package contains shell scripts and symbolic links to simulate a JPackage Java runtime environment with GCJ.

Aaargggh….that’s the problem. This is not Sun JDK package.

So I rush to download the latest Sun JDK package. After several hours and sixty million bytes later, the download finished successfully. I unpack and install the JDK and cross my fingers :

# ./jdk-6u1-linux-i586-rpm.bin
# rpm -Uvh jdk-6u1-linux-i586.rpm

The installation run smoothly, so I install WebScarab again. But this time I use this command :

$ /usr/java/jdk1.6.0_01/bin/java -jar webscarab-installer-20070504-1631.jar

This time the installer run successfully.

Next, I fix the WebScarab icon link on the desktop and the KDE menu. Just change the command from :

java -jar “/home/tedi/WebScarab/webscarab.jar”

to

/usr/java/jdk1.6.0_01/bin/java -jar “/home/tedi/WebScarab/webscarab.jar”

Don’t forget to save your changes.

Now I’m able to install and start WebScarab. It’s time to learn how to use it.

[Update 15 Nov 2007 : I wrote this blog several months ago, but I haven't been able to publish it until now]

After a couple of weeks I have been very busy settling things up in my new field, I got a chance to play with Snort 3.0 Subsystem Alpha 1. This release is not for production use yet.

Several features that seems very interesting in this new Snort version are :

• several new packet decoders
• it has a command line interface with command processor using Lua scripting language. You can create functions in Lua language and then load them from Snort. It’s a very cool feature although I haven’t test it thoroughly. This release comes with a snort.lua file that provides general functions to use Snort 3.0 quickly.

At this moment, Snort 3.0 has three commands (sniff(), fsniff(), and runfile()) and three groups of system commands in this alpha release. They are :

• sfips : functions that control the operation of the system
• dsrc : functions to manage data sources
• eng : functions to manage Snort engines

To install Snort 3.0 alpha to my system (opensuse 10.x), it requires several packages :

• Lua 5.1.1
• libdnet version 1.10 or newer
• libpcap
• e2fsprogs-devel

The first two packages are also included in the Snort 3.0 alpha package.

To build Snort 3.0, I did the followings :

$ ./configure
$ make

I didn’t install Snort to my system, because I’ve already had a production ready Snort. I don’t want to mess up things.

Then I started Snort :

# src/sfips/snort
[*] DAQ Modules Loaded…
[*] Loading decoder modules
[+] Loaded ethernet
[+] Loaded null
[+] Loaded arp
[+] Loaded ip
[+] Loaded tcp
[+] Loaded udp
[+] Loaded icmp
[+] Loaded icmp6
[+] Loaded gre
[+] Loaded mpls
[+] Loaded 8021q
[+] Loaded ipv6
[+] Loaded ppp
[+] Loaded pppoe
[+] Loaded raw
[*] Decoder initialized…
[*] Flow manager initialized…
[*] Data source subsystem loaded
[*] Engine manager initialized
[*] Loading command interface
[!] Loading sfips command metatable
[!] Loading data source command metatable
[!] Loading engine command metatable
,,_ -*> Snort! <*-
o” )~ Version 03.0.0.a1.4 (Build 7) [PRE-ALPHA]
”” By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 2006 Sourcefire Inc.
>

Then I loaded snort.lua file. If there is no error it will display snort prompt :

> dofile(”etc/snort.lua”)
snort>

After that you can use several functions/commands mentioned in the README file. Here are several useful functions/command : sniff(), eng.stop().

Stay tune for my next experiences with Snort 3.0.

Nikto version 2 has just been released on November 10, 2007. It has many new features over its predecessor.

Here are some of them (taken from the CHANGELOG file) :

• Rewrite of nikto_httpoptions.plugin to read the Public header
• Add some normalizations to the -root option variable
• Added -Display with options for suppressing redirects & cookies from being included in output
• Added -Tuning options to let users specify what they would like to test, or exclude certain categories
• All new HTML report
• Use libwhisker version 2
• Changed scan_database.db format significantly (and name), (and all the code to deal with tests)
• Completely new 404 engine which causes less false-positives
• Created dump_lw_hash instead of dump_request_hash & dump_result_hash
• Implemented a knowledge base which (should) store all the gory details of scans
• Moved pre-defined variables from config.txt to variables.db so they can be automagically updated

As far as I can see, now the help message is easier to read than in the previous version (1.3.6).

./nikto.pl -h
Option host requires an argument
—————————————————————————
- Nikto 1.36/1.37 - www.cirt.net
+ ERROR: No host specified

Options:
-Cgidirs+ Scan these CGI dirs: ‘none’, ‘all’, or a value like ‘/cgi/’
-cookies print cookies found
-evasion+ ids evasion technique (1-9, see below)
-findonly find http(s) ports only, don’t perform a full scan
-Format save file (-o) Format: htm, csv or txt (assumed)
-generic force full (generic) scan
-host+ target host
-id+ host authentication to use, format is userid:password
-mutate+ mutate checks (see below)
-nolookup skip name lookup
-output+ write output to this file
-port+ port to use (default 80)
-root+ prepend root value to all requests, format is /directory
-ssl force ssl mode on port
-timeout timeout (default 10 seconds)
-useproxy use the proxy defined in config.txt
-Version print plugin and database versions
-vhost+ virtual host (for Host header)
-404+ treat pages with this content as 404
+ requires a value

These options cannot be abbreviated:
-config+ use this config file
-debug debug mode
-dbcheck syntax check scan_database.db and user_scan_database.db
-update update databases and plugins from cirt.net
-verbose verbose mode

IDS Evasion Techniques:
1 Random URI encoding (non-UTF
2 Directory self-reference (/./)
3 Premature URL ending
4 Prepend long random string
5 Fake parameter
6 TAB as request spacer
7 Random case sensitivity
8 Use Windows directory separator (\)
9 Session splicing

Mutation Techniques:
1 Test all files with all root directories
2 Guess for password file names
3 Enumerate user names via Apache (/~user type requests)
4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)

./nikto.pl -h
Option host requires an argument
—————————————————————————
- Nikto 2.00/2.00 - www.cirt.net
+ ERROR: No host specified

-Cgidirs+ scan these CGI dirs: ‘none’, ‘all’, or values like “/cgi/ /cgi-a/”
-dbcheck check database and other key files for syntax errors (cannot be abbreviated)
-evasion+ ids evasion technique
-Format+ save file (-o) format
-host+ target host
-Help Extended help information
-id+ host authentication to use, format is userid:password
-mutate+ Guess additional file names
-output+ write output to this file
-port+ port to use (default 80)
-Display+ turn on/off display outputs
-ssl force ssl mode on port
-Single Single request mode
-timeout+ timeout (default 2 seconds)
-Tuning+ scan tuning
-update update databases and plugins from cirt.net (cannot be abbreviated)
-Version print plugin and database versions
-vhost+ virtual host (for Host header)
+ requires a value

Next I will compare the scan result between version 1.3.6 and 2.0 :

./nikto.pl -host localhost
—————————————————————————
- Nikto 1.36/1.37 - www.cirt.net
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: Thu Nov 15 00:12:17 2007
—————————————————————————
- Scan is dependent on “Server” string which can be faked, use -g to override
+ Server: My Web Server/7.0
+ /robots.txt - contains 1 ‘disallow’ entry which should be manually viewed (added to mutation file lists) (GET).
+ Allowed HTTP Methods: GET,HEAD,POST,OPTIONS,TRACE
+ /cgi-bin//htsearch?exclude=%60/etc/passwd%60 - htsearch may reveal file system paths. (GET)
+ / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ 2549 items checked - 3 item(s) found on remote host(s)
+ End Time: Thu Nov 15 00:12:24 2007 (7 seconds)
—————————————————————————
+ 1 host(s) tested

./nikto.pl -host localhost
—————————————————————————
- Nikto 2.00/2.00 - www.cirt.net
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: 2007-11-16 0:13:00
—————————————————————————
+ Server: My Web Server/7.0
+ /robots.txt - contains 1 ‘disallow’ entry which should be manually viewed (added to mutation file lists) (GET).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method (’Allow’ Header): ‘TRACE’ is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: GET /test.php%20 : The OmniHTTP install may allow php/shtml/pl script disclosure. Upgrade to the latest version.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ 4342 items checked: 4 item(s) found on remote host
+ End Time: 2007-11-16 0:13:00 (11 seconds)
—————————————————————————
+ 1 host(s) tested

***** Portions of the server’s ident string (MyWebServer/7.0)
are not in the Nikto database or is newer than the known string.
Would you like to submit this information (*no server specific data*)
to CIRT.net for a Nikto update (or you may email to sullo@cirt.net)
(y/n)? n

From the results above, we can see that the new version check more itemsi, so it found more items. The items checked are numbered according to OSVDB (Open Source Vulnerabilities Database). And also it will allow us to update Nikto database from our server information.

If you want to see how Nikto check the items use the following command, beware your eyes will weary real soon :

./nikto.pl -Display V -host localhost

You can read the manual page included with the tarball to have more thorough information.

BTW, I can’t give you statements whether both results are correct.

Please don’t use this tool against other people webserver if you haven’t got any written permission or you may end up in jail.

Last night I installed hping3 in my system. The installation process is quite a bit challenging (as always :D).

Here are the steps to install hping3 on your system :

- Make sure you have the following packages installed on your system :

- libpcap and libpcap-devel
- tcl and tcl-devel

- Extract the hping3 tarball

- If your system is openSUSE 10.x, you need to apply this simple patch. Just put the patch file in the parent directory of your hping3 directory and type the following command :

$ patch -p0< hping3.patch
patching file hping3-20051105/libpcap_stuff.c
patching file hping3-20051105/script.c

- Configure your hping3 :

$ ./configure

build byteorder.c…
create byteorder.h…
===> Found Tclsh in: /usr/bin/tclsh8.4
————————————–
system type: LINUX

LIBPCAP : PCAP=-lpcap
PCAP_INCLUDE :
MANPATH : /usr/local/man
USE_TCL : -DUSE_TCL
TCL_VER : 8.4
TCL_INC :
LIBTCL : -ltcl8.4 -lm -lpthread
TCLSH : /usr/bin/tclsh8.4

(to modify try configure –help)
————————————–
creating Makefile…
creating dependences…
now you can try `make’

- Make it :

$ make
gcc -c -O2 -Wall -DUSE_TCL -g main.c
gcc -c -O2 -Wall -DUSE_TCL -g getifname.c
…
./hping3 -v
hping version 3.0.0-alpha-1 ($Id: release.h,v 1.4 2004/04/09 23:38:56 antirez Exp $)
This binary is TCL scripting capable
use `make strip’ to strip hping3 binary
use `make install’ to install hping3

- After that your hping3 is ready to install. You can do the suggestions offered by the script.

Here are several features of hping3 :

• Port Scanning
• TCP SYN Scan
• TCP ACK Scan
• Other TCP Scans
• UDP Scans
• Host Discovery
• ICMP Ping
• TCP Ping
• UDP Ping
• OS Fingerprinting
• Sniffer
• Backdoor
• File Transfer
• Covert Channel
• Flooding
• Fuzzing
• Firewall/IDS Testing
• Traceroute

I leave the commands to use each feature to you my gentle reader as exercises.

After upgrading my system to openSUSE 10.3, my wifi card (atheros-based) is no longer able to work. The kernel doesn’t recognize it anymore. In my previous openSUSE 10.1, it works flawlessly run out of the box. [Updated : I just found out that in openSUSE 10.1, I have done the same thing.]

Having been thinkering a while and asking a friend, I ask Uncle Google and I found out that the default openSUSE 10.3 kernel comes without Atheros driver (madwifi) for the kernel. Here is the explanation (from http://en.opensuse.org/Atheros_madwifi) :

“In SUSE Linux the madwifi driver for Atheros wireless cards is not included in
the distribution as its HAL module is only available as binary.”

I downloaded the madwifi kernel package from http://madwifi.org/suse/10.3, but unfortunately my kernel is different with the kernel used by madwifi package. I have to do it the hard-way by compiling the madwifi from source.

Get the latest madwifi driver from www.madwifi.org, after that extract the package. At the time of this blog writing, the latest version is 0.9.3.3 :

$ tar xvjpf madwifi-0.9.3.3.tar.bz2
$ cd madwifi-0.9.3.3/

Build the kernel module :

$ make
Checking requirements… ok.
Checking kernel configuration… ok.
make -C /lib/modules/2.6.22.5-31-default/build SUBDIRS=/home/tedi/madwifi-0.9.3.3 modules
make[1]: Entering directory `/usr/src/linux-2.6.22.5-31-obj/i386/default’
make -C ../../../linux-2.6.22.5-31 O=../linux-2.6.22.5-31-obj/i386/default modules
CC [M] /home/tedi/madwifi-0.9.3.3/ath/if_ath.o
CC [M] /home/tedi/madwifi-0.9.3.3/ath/if_ath_pci.o
LD [M] /home/tedi/madwifi-0.9.3.3/ath/ath_pci.o
CC [M] /home/tedi/madwifi-0.9.3.3/ath_hal/ah_os.o
HOSTCC /home/tedi/madwifi-0.9.3.3/ath_hal/uudecode
UUDECODE /home/tedi/madwifi-0.9.3.3/ath_hal/i386-elf.hal.o
LD [M] /home/tedi/madwifi-0.9.3.3/ath_hal/ath_hal.o
…

make[1]: Leaving directory `/usr/src/linux-2.6.22.5-31-obj/i386/default’
make -C ./tools all || exit 1
make[1]: Entering directory `/home/tedi/madwifi-0.9.3.3/tools’
gcc -o athstats -g -O2 -Wall -I. -I../hal -I.. -I../ath athstats.c
gcc -o 80211stats -g -O2 -Wall -I. -I../hal -I.. 80211stats.c
gcc -o athkey -g -O2 -Wall -I. -I../hal -I.. athkey.c
gcc -o athchans -g -O2 -Wall -I. -I../hal -I.. athchans.c
gcc -o athctrl -g -O2 -Wall -I. -I../hal -I.. athctrl.c
gcc -o athdebug -g -O2 -Wall -I. -I../hal -I.. athdebug.c
gcc -o 80211debug -g -O2 -Wall -I. -I../hal -I.. 80211debug.c
gcc -o wlanconfig -g -O2 -Wall -I. -I../hal -I.. wlanconfig.c
make[1]: Leaving directory `/home/tedi/madwifi-0.9.3.3/tools’

If there is no error, install the kernel module :

# make install
sh scripts/find-madwifi-modules.sh 2.6.22.5-31-default
for i in ./ath ./ath_hal ./ath_rate ./net80211; do \
make -C $i install || exit 1; \
done
…

install -d /usr/local/man/man8
install -m 0644 man/*.8 /usr/local/man/man8
make[1]: Leaving directory `/home/tedi/madwifi-0.9.3.3/tools’

After that, I check whether the modules have been installed to my system. Your location may be different, please check your kernel version first :

# ll /lib/modules/2.6.22.5-31-default/net/
total 700
-rwxr-xr-x 1 root root 212762 2007-11-04 17:04 ath_hal.ko
-rwxr-xr-x 1 root root 107768 2007-11-04 17:04 ath_pci.ko
-rwxr-xr-x 1 root root 13571 2007-11-04 17:04 ath_rate_amrr.ko
-rwxr-xr-x 1 root root 12838 2007-11-04 17:04 ath_rate_onoe.ko
-rwxr-xr-x 1 root root 18773 2007-11-04 17:04 ath_rate_sample.ko
-rwxr-xr-x 1 root root 10360 2007-11-04 17:04 wlan_acl.ko
-rwxr-xr-x 1 root root 13927 2007-11-04 17:04 wlan_ccmp.ko
-rwxr-xr-x 1 root root 219237 2007-11-04 17:04 wlan.ko
-rwxr-xr-x 1 root root 11608 2007-11-04 17:04 wlan_scan_ap.ko
-rwxr-xr-x 1 root root 19503 2007-11-04 17:04 wlan_scan_sta.ko
-rwxr-xr-x 1 root root 18314 2007-11-04 17:04 wlan_tkip.ko
-rwxr-xr-x 1 root root 12615 2007-11-04 17:04 wlan_wep.ko
-rwxr-xr-x 1 root root 7141 2007-11-04 17:04 wlan_xauth.ko

Then I load the atheros module by issuing the following command :

# modprobe ath_pci

If the module loaded successfully, you will see the following output from dmesg :

…

ath_hal: 0.9.18.0 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
wlan: 0.8.4.2 (0.9.3.3)
ath_pci: 0.9.4.5 (0.9.3.3)
PCI: Enabling device 0000:05:00.0 (0000 -> 0002)
ACPI: PCI Interrupt 0000:05:00.0[A] -> Link [C0C4] -> GSI 10 (level, low) -> IRQ 10
ath_rate_sample: 1.2 (0.9.3.3)
wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: turboG rates: 6Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: H/W encryption support: WEP AES AES_CCM TKIP
wifi0: mac 7.9 phy 4.5 radio 5.6
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
wifi0: Atheros 5212: mem=0×44000000, irq=10

Then you can use YaST2 to configure your wireless card

Lately I have been very busy preparing a documentation to be submitted to a friend. Actually I have been preparing this document since July 2007. I have devoted many hours to create this document and also many things happen during those time, but finally I can sleep well now, it’s finished. So you may notice that I seldom update my blog. Pardon me for that.

After this document done, I can focus my effort to the other document. It has been in preparation since 2005.

You may wonder what kind of document I am preparing, I can only say it’s related with information security. And I will inform you when the time has come. :p

BTW, it’s been a great journey for me to develop those documents. And they’re also exciting.

In this blog post, I will describe the process I took to install modsecurity on my system, openSUSE 10.x.

If you haven’t know about modsecurity, I suggest you to visit its website and read a little it about it. All I can say about modsecurity is that it is an open source web application firewall that can be used to protect your web application. It works by checking the request and response send to and from your Apache webserver according to the rules you’ve set.

Interested ? Please pay a visit to its website.

Before installing modsecurity, please make sure you already have Apache webserver on your system. In my system, I have the following apache packages :

• apache2-devel-2.2.4-36.2
• apache2-utils-2.2.4-36.2
• apache2-prefork-2.2.4-36.2
• apache2-2.2.4-36.2

That’s should be enough for modsecurity requirements.

Also make sure you already have libxml installed.

Next, you can installed modsecurity by following these steps. Please be very aware that the following configuration may not work for your distro :

• Download modsecurity-2.x. The latest version is 2.1.2

• Unpack it :

tar xvzpf modsecurity-apache_2.1.2.tar.gz

• Change to its directory :

cd modsecurity-apache_2.1.2/

• Change to apache2 directory :

cd apache2

• Edit the Makefile. Change :

top_dir = /apps/apache22

APXS = apxs

APACHECTL = apachectl

to :

top_dir = /usr/share/apache2

APXS = apxs2

APACHECTL = apache2ctl

Save it

• Then run “make”

• As root, run “make install”

• Add modsecurity2 and modunique_id modules to the following APACHE_MODULES in /etc/sysconfig/apache2 :

APACHE_MODULES=”actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir unique_id php5 security2″

• Copy modsecurity.conf-minimal to apache conf.d directory :

cp modsecurity.conf-minimal /etc/apache2/conf.d/modsecurity2.conf

• Make sure you have set the following entries to the correct values :

SecDebugLog /var/log/apache2/modsec_debug.log
SecAuditLog /var/log/apache2/modsec_audit.log

• Restart apache :

rcapache2 restart

• Next you can test modsecurity+apache with your web exploits.

Enjoy your apache2+modsecurity