Addition of p0f to OpenBSD’s pf

OpenBSD has added p0f, a passive operating system fingerprinter, to its packet filter, pf. This is really neat! I have used p0f here and there analyzing pcaps, deploying honeynets, and gathering data about hosts alongside IDS systems, and have been impressed by its accuracy. Passive fingerprinting works from the characteristics of a host's own TCP SYN (window size, TTL, options and the like) without sending it anything, so the fingerprint is available to pf rules through the os keyword, and the same change adds a -o flag to tcpdump so initial SYNs can be tied to a particular OS.

Tasty soup

I just made some excellent soup from vegetables acquired from my garden: 8 tomatoes, deseeded and chopped; 1 cucumber, deseeded, peeled and sliced; 1/2 cup rice; 2 tablespoons butter; 3 cups water; sugar and other seasonings. Throw everything in a stew pot and bring to a boil, then reduce the heat and simmer for 15 minutes. Easy and delicious.

Reading word documents under linux with Antiword

Antiword is a Microsoft Word reader for Linux. I had happily been using Abiword for quite some time to view Word documents, but since I found Antiword it has superseded Abiword. Antiword converts Word documents to either text or PostScript, can display hidden text with the -s flag (text that may or may not be shown on the screen, subject to the user's preferences, but is never printed; see http://www.user-agent.org/word_docs.pdf), which makes it handy for spotting content an author did not mean to hand you, and can be hooked into my MUA mutt with 'echo "application/msword; antiword %s" >> .mailcap' (add copiousoutput to that entry and auto_view application/msword to .muttrc if you want it rendered inline in the pager).

Knoppix STD

Knoppix STD (Security Tools Distribution) is a bootable, memory-resident Linux filesystem on a CD, based on the popular Knoppix CD. It seems like a great tool for the security professional on the go who wants their favorite security programs at their fingertips. Some of the tools are a little dated; for instance, I was shocked that the Snort it includes is 1.8.7, which is two major releases and a buffer overflow behind.

Using Snort or ngrep to find credit card numbers

Ngrep is alright. For instance,

ngrep -w '(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})' tcp port 80

will look for a 16-digit credit card number, optionally broken into groups of four by spaces or hyphens, in cleartext HTTP. (The character class really does need to be [ -]: a class like [-\S] matches any non-whitespace character, so it also accepts runs such as 1234x5678y9012z3456. Also, \d is a PCRE escape; ngrep has to be built with PCRE support for it, otherwise spell it [0-9].) This type of regex can be quite useful, especially for detecting sensitive data that is being sent unencrypted, though a bare digit pattern also matches order numbers, timestamps and session IDs, so anything that will page an analyst should at least run a Luhn check on the candidates. So how can this be implemented in a corporate environment like a bank? Probably the best way would be to use Snort with its pcre rule option (originally a separate patch implementing Perl-compatible regular expressions) and custom rules looking for credit card numbers, social security numbers, credit reports, etc.
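
The detection step described above, as an added example written for this page (it is not ngrep or Snort code): the corrected regex run over a few constructed payloads, with a Luhn check weeding out 16-digit values that merely look like card numbers. The payloads and host names are made up; the 4111... and 5500... values are the standard test card numbers.

```python
import re

# Candidate pattern: four groups of four digits, optionally separated by a single
# space or hyphen. The original class, [-\S], matches ANY non-whitespace character,
# so it would also accept runs like 1234x5678y9012z3456; [ -] does not.
# The \b anchors stop a 17-digit run being matched as "16 digits plus junk".
CARD_RE = re.compile(rb"\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check that every real card number passes; cuts most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(payload: bytes) -> list:
    """Return (as_seen, normalized_digits) for every Luhn-valid 16-digit candidate in payload."""
    hits = []
    for m in CARD_RE.finditer(payload):
        digits = b"".join(m.groups()).decode("ascii")
        if luhn_ok(digits):
            hits.append((m.group(0).decode("ascii"), digits))
    return hits


# Constructed sample payloads (not captured traffic). 4111... and 5500... are the
# well-known Visa/Mastercard test numbers, which are Luhn-valid by design.
SAMPLE_PAYLOADS = [
    b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    b"name=J+Doe&card=4111111111111111&exp=0912",
    b"cc=5500 0000 0000 0004&cvv=123",
    b"order_ref=1234567812345678",      # 16 digits, fails Luhn: the regex alone would alert
    b"tracking=12345678901234567",      # 17 digits: no word boundary after the 16th
]


def scan_samples() -> dict:
    """Run the detector over the samples; a rule would alert on each non-empty hit list."""
    return {p: find_card_numbers(p) for p in SAMPLE_PAYLOADS}


if __name__ == "__main__":
    for payload, hits in scan_samples().items():
        print(repr(payload[-40:]), "->", hits)
```

Snort's pcre option can carry the same pattern, but it has no way to express the Luhn step, so either accept the extra alerts from the sensor and filter them in whatever consumes the alerts, or anchor the rule further with content matches on the form field names your applications actually use.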

WANG2 JFIF Snort traffic

I've seen some odd ICMP traffic on some IDSes that I manage. It wasn't malicious per se, but it was intriguing as it had the string "WANG2.....JFIF" in its payload. Well, lo and behold, it is our friends at Microsoft: Windows 2000 and XP clients ping their domain controller with echo requests whose payload is a JPEG image of the company's own name, timing the replies to estimate link speed and decide whether roaming profiles and Group Policy should be applied over the link. Worth knowing before writing an IDS rule that alerts on ICMP echo payloads that are not the usual filler.

OpenBSD DHCP bogus server name

My OpenBSD firewall is sometimes too secure for its own good. I say that kiddingly, of course. Here's the deal: I am on an Ameritech DSL network that uses DHCP. My OpenBSD box sent out a DHCP request as normal to obtain a lease, but dhclient complained about "bogus server name". I broke out tcpdump and saw that Ameritech's DHCP server was sending back an offer with "Cayman3000/881485" in the server name (sname) field. OpenBSD's dhclient is pretty darn strict about what it will accept for this value: it must be alphanumeric without spaces, may contain periods and hyphens (but a hyphen may not start or end a label), and anything else, the slash included, fails. In short, it must look like a hostname. To fix this I changed the res_hnok() function in dhclient.c to return 1 (ok) unconditionally, which makes dhclient accept any kind of server name in an offer. I figured this solution was much easier than asking Ameritech to change their router settings :) The trade-off is that this check is what stands between the sname field of any DHCP offer on the segment and the lease file and dhclient-script, so with the patch an arbitrary server gets to put arbitrary bytes there; stripping the offending characters, or only warning instead of dropping the offer, would be the narrower change.
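
To make the rule concrete, here is an added example (my Python rendering of the check the post describes, written for this page; it is not the dhclient or libresolv source) that shows why "Cayman3000/881485" is rejected, and a sanitizing alternative that keeps the offer without disabling the check. The other sample names are made up.

```python
import re
import string

_ALNUM = set(string.ascii_letters + string.digits)


def res_hnok(name: str) -> bool:
    """Hostname syntax check, following the rule res_hnok() enforces (editor's reimplementation):
    labels separated by periods; each label is letters, digits and hyphens; a hyphen
    may not begin or end a label. Spaces, slashes and underscores all fail."""
    prev = "."                          # treat the start of the name as following a period
    for i, ch in enumerate(name):
        nxt = name[i + 1] if i + 1 < len(name) else ""
        if ch == ".":
            pass                        # the period itself is never checked
        elif prev == ".":               # first character of a label
            if ch not in _ALNUM:
                return False
        elif nxt in (".", ""):          # last character of a label
            if ch not in _ALNUM:
                return False
        elif ch not in _ALNUM and ch != "-":   # interior of a label
            return False
        prev = ch
    return True


def sanitize_server_name(name: str) -> str:
    """Narrower alternative to returning 1 unconditionally: keep the offer but drop the
    characters a hostname cannot contain, and trim hyphens from the edges of each label."""
    cleaned = re.sub(r"[^A-Za-z0-9.-]", "", name)
    return ".".join(label.strip("-") for label in cleaned.split("."))


# Constructed sname values, including the one the post saw on the wire.
SAMPLE_SNAMES = [
    "Cayman3000/881485",    # the Ameritech offer: '/' is not a hostname character
    "dhcp1.isp.example",    # ordinary FQDN
    "ok-host.example",      # interior hyphen is fine
    "-bad-label.example",   # hyphen at the start of a label
    "my_box",               # underscore is not allowed
]


def check_samples() -> dict:
    """Map each sample sname to whether the strict check accepts it."""
    return {s: res_hnok(s) for s in SAMPLE_SNAMES}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name!r}: {'ok' if ok else 'bogus'} -> sanitized {sanitize_server_name(name)!r}")
```

Applied to the offer from the post, sanitizing yields "Cayman3000881485", which passes the strict check, so the lease is taken without teaching dhclient to swallow anything a server on the wire cares to send.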