I was using the vpnc the other day on my Backtrack 4 R2 system to log in to VPN. I noticed that there was nothing that would give me the status of whether or not the tunnel was up. So I wrote a small one-liner to help me:

while [ `ps aux |grep vpnc|grep -v grep|awk '{print $2}'` ] ; do printf "Connected\r"; done


I wanted to have a list of all the security conferences around the world for a quick reference so I compiled together a list.

Last night I was trying to get a VeriSign issued SSL certificate installed on my ASA using Cisco ASDM 6.2. I installed the Intermediate CA and the CA certificates all installed. I then imported the SSL certificate into the “Configuration -> Device Management -> Manage Certificates -> Identity Certificates” but it did not seem to work. I kept getting an error “Failed to parse or verify imported certificate”. The certificate was in the .p7b form. Changing the format of the certificate to X.509 Base64 Encoded format resulted in acceptance of the certificate.
I sincerely hope that Cisco alters its error messages to accurately reflect that .p7b is not a format supported by them.

Update: This link has the information on how to install SSL certificates on ASA:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml

It’s a brand new day with no novelty! Back to the lab today trying to now get access to the packet data to calculate the hash values. I suspect that inside netfilter’s sk_buff structure there’s an unsigned char* data field. This probably is exactly what I need to get the hash values. There’s this awesome link which has great information about sk_buff structure. The unsigned int len; has the size of the complete input data including the headers. I guess if this len value == size of the actual data for the IP header (which could be TCP header / UDP header / ICMP header) then if we are using chunks of this data to find hashes then the following algorithm could be used:

no_of_chunks = len / BYTE_SIZE_FOR_SIGN;

for (int i = 0; i < no_of_chunks; i++)
{
  storeInTable(hashRabin(data,i*BYTE_SIZE_FOR_SIGN,
               (i+1)*BYTE_SIZE_FOR_SIGN - 1 ,0));
}
storeInTable(
hashRabin(data,no_of_chunks*BYTE_SIZE_FOR_SIGN,
        no_of_chunks*BYTE_SIZE_FOR_SIGN+addendum, 0)
);

This are my initial thoughts let’s see how it works out!

-Rajat.
Rajat’s Homepage

VMWare is excellent for malware analysts because it lets you keep snapshots of pristine Virtual machine states and you can revert back to them when you want to.
I encountered a weired error this time around on my Windows XP Pro VM. Whenever I would try to take any snapshots I would get an error: “Error taking snapshot: Windows XP Professional.VMX-Snapshot1.vmsn file already exists”. When I looked into the folder there was no .vmsn file with that name. I deleted all the files .lck and .lock files and still to no avail. Then I saw the files named as
Windows XP Professional-000001-s00?.VMDK.
The regex for these files was:
Windows XP Professional-00000?-s00?.VMDK
where ? is one character replaced by 0-9. Upon deleting these files, my snapshots started working properly.

I recently started blogging for InfoSec Pals. It was started by Palan Annamalai who was my colleague at Ernst & Young’s Advanced Security Center where I worked for a year and a half. Other people who are active bloggers on the site apart from Palan and I are : Sri Vasudevan, Jay Kelath and Felipe Moreno. Let’s see if I can maintain the technical content of both the blogs and keep the goodies coming.

I have a Dell Inspiron 700m. I have Kubuntu Breezy Badger 5.10 on this box.
This is how I got the WiFi going on this beauty.
1. Boot up into windows and get the Intel Driver from Intels 1st site OR Intels 2nd site

2. Save the files into a location on the drive which is accessible through linux.

root@trance:/home/trance# ls -al /media/hda1/intel/wireless_9.0.4_generic_109116/Drivers/
total 8680
dr-x—— 1 root root 4096 2006-05-14 05:42 .
dr-x—— 1 root root 4096 2006-05-14 05:42 ..
-r——– 1 root root 188416 2005-12-27 23:53 SetupWLD.EXE
-r——– 1 root root 4849 2005-01-25 15:17 SetupWLD.ini
-r——– 1 root root 13 2006-02-02 12:38 verfile.tic
-r——– 1 root root 1671168 2006-01-27 08:50 W29MLRES.DLL
-r——– 1 root root 2956544 2006-01-17 21:34 w29n50.sys
-r——– 1 root root 14821 2006-02-02 00:47 w29n51.cat
-r——– 1 root root 119785 2006-01-18 15:47 w29n51.INF
-r——– 1 root root 3325312 2006-01-17 21:32 w29n51.sys
-r——– 1 root root 466944 2006-01-27 08:49 W29NCPA.DLL
-r——– 1 root root 122880 2005-12-27 23:53 WLDMLRES.DLL
root@trance:/home/trance#

3. Go back into Kubuntu and get the ndiwrapper-utils, ndisgtk, ndiswrapper-source using

root@trance:/home/trance# sudo apt-get install ndiswrapper ndisgtk ndiswrapper-source

4. As root ndiswrapper -i will use the windows inf file to install the wireless driver. ndiswrapper -l lists the driver installed.
example:

root@trance:/home/trance# ndiswrapper -i /media/hda1/intel/wireless_9.0.4_generic_109116/Drivers/w29n51.INF
root@trance:/home/trance# ndiswrapper -l
Installed ndis drivers:
w29n51 driver present, hardware present
root@trance:/home/trance#

5. modprobe ndiswrapper checks if the ndiswrapper kernel module is installed. An installed module will result in no error. Then write the config file such that you do not need to go through the earlier steps every time you restart the system.

root@trance:/home/trance# modprobe ndiswrapper
root@trance:/home/trance# ndiswrapper -m
Adding “alias wlan0 ndiswrapper” to /etc/modprobe.d/ndiswrapper

6. If some error occurs check the output of lsmod

root@trance:/home/trance# lsmod | grep ndiswrapper

7. Now that your ndiswrapper is installed and configured. We now need to start up the wireless interface. On my box the wireless interface used to show up as eth0, however, it was not configured to use the ndiswrapper so I would get ‘segmentation fault’ on doing ifup eth0.
However, with the drivers set, I checked if all was well.

root@trance:/home/trance# iwconfig
lo no wireless extensions.

eth1 no wireless extensions.

eth0 IEEE 802.11g ESSID:”MySSID”
Mode:Managed Frequency:2.437 GHz Access Point: 00:13:46:46:78:28
Bit Rate=54 Mb/s Tx-Power=20 dBm
Retry limit:7 RTS thr:off Fragment thr:off
Encryption key:XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XX Security mode:open
Power Management:off
Link Quality=97/100 Signal level=-27 dBm Noise level=-89 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

sit0 no wireless extensions.
root@trance:/home/trance# ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:CE:D9:0D:74
inet6 addr: fe80::213:ceff:fed9:d74/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:236683 (231.1 KiB) TX bytes:1104 (1.0 KiB)
Interrupt:10 Base address:0x8000 Memory:e0206000-e0206fff

eth1 Link encap:Ethernet HWaddr 00:12:3F:6B:36:2F
inet addr:192.168.0.109 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::212:3fff:fe6b:362f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3050 errors:0 dropped:0 overruns:0 frame:0
TX packets:1534 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3117901 (2.9 MiB) TX bytes:159050 (155.3 KiB)
Interrupt:10

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:33 errors:0 dropped:0 overruns:0 frame:0
TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2058 (2.0 KiB) TX bytes:2058 (2.0 KiB)

root@trance:/home/trance# ifup eth0
There is already a pid file /var/run/dhclient.eth0.pid with pid 0
Internet Systems Consortium DHCP Client V3.0.2
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP

sit0: unknown hardware address type 776
sit0: unknown hardware address type 776
Listening on LPF/eth0/00:13:ce:d9:0d:74
Sending on LPF/eth0/00:13:ce:d9:0d:74
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
ip length 328 disagrees with bytes received 332.
accepting packet with data after udp payload.
DHCPOFFER from 192.168.0.1
DHCPREQUEST on eth0 to 255.255.255.255 port 67
ip length 328 disagrees with bytes received 332.
accepting packet with data after udp payload.
DHCPACK from 192.168.0.1
bound to 192.168.0.101 — renewal in 241302 seconds.
root@trance:/home/trance# ifdown eth1
There is already a pid file /var/run/dhclient.eth1.pid with pid 6390
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.0.2
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP

sit0: unknown hardware address type 776
sit0: unknown hardware address type 776
Listening on LPF/eth1/00:12:3f:6b:36:2f
Sending on LPF/eth1/00:12:3f:6b:36:2f
Sending on Socket/fallback
DHCPRELEASE on eth1 to 192.168.0.1 port 67
root@trance:/home/trance# ping www.google.com
PING www.l.google.com (64.233.161.99) 56(84) bytes of data.
64 bytes from 64.233.161.99: icmp_seq=1 ttl=233 time=73.5 ms
64 bytes from 64.233.161.99: icmp_seq=2 ttl=233 time=51.6 ms

— www.l.google.com ping statistics —
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 51.688/62.634/73.580/10.946 ms

8. To make sure that you don’t have to type iwconfig essid key every time you log on. Change you /etc/network/interfaces file to have these few lines at the end of the file. wireless essid is your wireless network name (SSID) and the key is the WEP key.

iface eth0 inet dhcp
wireless-essid XXXXXXX
wireless-key XXXXXXXXXXXXXXXXX

My /etc/network/interfaces of Ubuntu (in FC/RHL this is the counterpart of the /etc/sysconfig/network-scripts/ifcfg-ethX)
looks like:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth1

# The primary network interface
auto eth1
iface eth1 inet dhcp

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
wireless-essid USC-Trojans
wireless-key # This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth1

# The primary network interface
auto eth1
iface eth1 inet dhcp

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
wireless-essid USC-Trojans
wireless-key 11111111111111111111111111