Friday, February 27, 2004

Article on sFlow

NWFusion reports on sFlow, saying:

"SFlow, which the IETF approved as a draft standard in 2001, is a technology that uses random sampling of LAN and WAN data packet flows across an entire network to give users a detailed, real-time view of network traffic performance, trends and problems, according to Foundry Networks and HP. Both offer sFlow-based switches."

Notice this is a sampling technology, unlike the default usage of Cisco's NetFlow. NetFlow does support sampling, but that is for high load conditions.

Thursday, February 26, 2004

Great Article on Status of X

Confused about the state of the graphical desktop X? Read X Marks the Spot by Oscar Boykin. Many of the story comments are interesting too.

A Great Day for Open Source Software

Just in time to raise my spirits after my SMC NIC debacle, FreeBSD 5.2.1 was released, along with Snort 2.1.1. All I need now is barnyard 0.2 and I'll release a new install guide for Sguil using those tools and MySQL 4.0.x. Remember to download FreeBSD .iso images using one of the mirrors. If you want to upgrade you can go the binary-only route using freebsd-update. I just saw that OpenSSH 3.8 was released too. There's a FreeBSD HEADS-UP message for the new version.

Adventures in Flashing Firmware

Yesterday I began a journey to get two of my 802.11b NICs to function as promiscuous sniffers. I own an SMC EZ Connect 802.11b Wireless PCMCIA card, model 2632W v.1, and an SMC EZ Connect 802.11b Wireless PCI card, model 2602W v.1. I wanted to use Tcpdump's new ieee802_11_radio options to see raw 802.11 traffic, announced for FreeBSD in December.

I started with the 2632W and had the most luck. It worked as a normal NIC under FreeBSD 5.2, but I could not get it to work with the bsd-airtools, even with the net-mgmt/bsd-airtools port. I had installed the net/libpcap and net/tcpdump ports.

This is how the 2632W looked to FreeBSD 5.2 REL:

orr:/root# dmesg | grep wi0
wi0: at port 0x100-0x13f irq 11 function 0 config 1 on pccard0
wi0: 802.11 address: 00:04:e2:29:3b:ba
wi0: using RF:PRISM2 MAC:HFA3841 CARD:HWB3163 rev.A
wi0: Intersil Firmware: Primary (0.3.0), Station (0.8.3)
wi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps

orr:/root# ifconfig wi0 up
orr:/root# ifconfig wi0
wi0: flags=8843 mtu 1500
inet6 fe80::204:e2ff:fe29:3bba%wi0 prefixlen 64 scopeid 0x5
ether 00:04:e2:29:3b:ba
media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps)
status: associated
ssid shaolin 1:shaolin
stationname "FreeBSD WaveLAN/IEEE node"
channel 6 authmode OPEN powersavemode OFF powersavesleep 100
wepmode OFF weptxkey 1

The NIC appeared to associate itself with my access point even though I did not tell it to. It did not know the WEP key in any case.

I tried using the new Tcpdump to see raw 802.11 traffic:

orr:/root# /usr/local/sbin/tcpdump -ne -X -s 1520 -i wi0 -y IEEE802_11
tcpdump: data link type IEEE802_11
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wi0, link-type IEEE802_11 (802.11), capture size 1520 bytes
18:29:02.535912 BSSID:00:a0:c5:59:47:d4 SA:00:06:25:45:74:be DA:00:a0:c5:59:47:d4 LLC, dsap 0xd5, ssap 0x09, cmd 0x00, sap 08 > sap d5 I (s=0,r=0,R) len=72
0x0000 d509 0000 4557 799a 078e b569 00f0 5b25 ....EWy....i..[%
0x0010 c5fa b52f 4e15 7299 d636 b8ab 6dfd cb66 .../N.r..6..m..f
0x0020 5fd0 3f74 c25e 0887 de76 1656 0161 e45a _.?t.^...v.V.a.Z
0x0030 00aa c748 1794 1ed2 e42b 94c9 6d21 a29e ...H.....+..m!..
0x0040 849b 239f 5233 750d 9459 d644 ..#.R3u..Y.D

That was something, but not what I expected. I tried putting the card into monitor mode based on a thread on freebsd-mobile.

orr:/root# ifconfig wi0 mediaopt monitor
orr:/root# ifconfig wi0
wi0: flags=8843 mtu 1500
inet6 fe80::204:e2ff:fe29:3bba%wi0 prefixlen 64 scopeid 0x5
ether 00:04:e2:29:3b:ba
media: IEEE 802.11 Wireless Ethernet autoselect (DS/2Mbps )
status: associated
ssid ""
stationname "FreeBSD WaveLAN/IEEE node"
channel 11 authmode OPEN powersavemode OFF powersavesleep 100
wepmode OFF weptxkey 1

orr:/root# /usr/local/sbin/tcpdump -ne -X -s 1520 -i wi0 -y IEEE802_11
tcpdump: data link type IEEE802_11
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wi0, link-type IEEE802_11 (802.11), capture size 1520 bytes
...nothing...

I thought perhaps I needed to place the card in "promiscuous" mode, so I tried that next:

orr:/root# ifconfig wi0 promisc
orr:/root# ifconfig wi0
wi0: flags=28943 mtu 1500
inet6 fe80::204:e2ff:fe29:3bba%wi0 prefixlen 64 scopeid 0x5
ether 00:04:e2:29:3b:ba
media: IEEE 802.11 Wireless Ethernet autoselect (DS/2Mbps )
status: associated
ssid ""
stationname "FreeBSD WaveLAN/IEEE node"
channel 11 authmode OPEN powersavemode OFF powersavesleep 100
wepmode OFF weptxkey 1

Again, Tcpdump saw nothing. Now I realized I needed stronger magic. I visited Jun Sun's mini-HOWTO for flashing Intersil Prism firmware.

He mentioned using openap-ct, which offers a Linux floppy-based distro containing the Host AP driver and utilities. One of the utilities, prism2_srec, is built to flash NIC firmware. Using prism2_srec assumes one can use one of the hostap drivers, like hostap_cs. Looking at the hostap_cs.conf, I saw an entry for my NIC:

card "SMC 2632W 11Mbps WLAN Card"
version "SMC", "SMC2632W", "Version 01.02"
bind "hostap_cs"

Next I needed to find the firmware itself. Red-bean had the most comprehensive list. I downloaded several of the newer archives, unzipped them, and made them available on one of my Web servers. One nice aspect of prism2_srec is it will tell you which firmware files are compatible with your NIC before burning.

I created a floppy with the openap-ct image, booted my laptop with it, and then experimented with prism2_srec following Jun Sun's instructions. When I started the process this was the state of my NIC's firmware:

NIC: id=0x8002 v1.0.0
PRI: id=0x15 v0.3.0
STA: id=0x1f v0.8.3

I only needed to update the third category, station firmware. According to this readme, the primary firmware could stay at 0.3.0. I flashed the station firmware with the s1010701.hex image. When done my card looked like this:

NIC: id=0x8002 v1.0.0
PRI: id=0x15 v0.3.0
STA: id=0x1f v1.7.1

After a reboot back into FreeBSD, dmesg and ifconfig reported:

orr:/root# dmesg | grep wi0
wi0: at port 0x100-0x13f irq 11 function 0 config 1 on pccard1
wi0: 802.11 address: 00:04:e2:29:3b:ba
wi0: using RF:PRISM2 MAC:HFA3841 CARD:HWB3163 rev.A
wi0: Intersil Firmware: Primary (0.3.0), Station (1.7.1)
wi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps

orr:/root# ifconfig wi0
wi0: flags=8802 mtu 1500
ether 00:04:e2:29:3b:ba
media: IEEE 802.11 Wireless Ethernet autoselect (none)
ssid ""
stationname "FreeBSD WaveLAN/IEEE node"
channel -1 authmode OPEN powersavemode OFF powersavesleep 100
wepmode OFF weptxkey 1

I gave Tcpdump a try:

orr:/root# ifconfig wi0 mediaopt monitor channel 11 up
orr:/root# ifconfig wi0
wi0: flags=8843 mtu 1500
inet6 fe80::204:e2ff:fe29:3bba%wi0 prefixlen 64 scopeid 0x4
ether 00:04:e2:29:3b:ba
media: IEEE 802.11 Wireless Ethernet autoselect (DS/2Mbps )
status: associated
ssid ""
stationname "FreeBSD WaveLAN/IEEE node"
channel 11 authmode OPEN powersavemode OFF powersavesleep 100
wepmode OFF weptxkey 1

orr:/root# /usr/local/sbin/tcpdump -n -i wi0 -y IEEE802_11 -vv -s 1515 -X
tcpdump: data link type IEEE802_11
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: listening on wi0, link-type IEEE802_11 (802.11), capture size 1515 bytes
12:14:28.344865 0us Probe Request (shaolin) [1.0* 2.0* 5.5* 11.0* Mbit]
0x0000 0007 7368 616f 6c69 6e01 0482 848b 96 ..shaolin......
12:14:28.377546 0us Probe Request (shaolin) [1.0* 2.0* 5.5* 11.0* Mbit]
0x0000 0007 7368 616f 6c69 6e01 0482 848b 96 ..shaolin......

That was certainly better! I also tried the "radio" version:

orr:/var# /usr/local/sbin/tcpdump -n -i wi0 -y IEEE802_11_RADIO -vv -s 1515 -X
tcpdump: listening on wi0, link-type IEEE802_11_RADIO (802.11 plus radio information header), capture size 1515 bytes
12:13:36.428377 [|802.11]
12:13:36.523975 [|802.11]
12:13:36.540299 [|802.11]

This was an improvement, but I wasn't seeing nearly everything I thought I would. I realized I was monitoring channel 11, not channel 6. In fact, everything seen thus far was bleeding into channel 11 from channel 6! I adjusted my channel and saw much more traffic:

orr:/root# ifconfig wi0 mediaopt monitor channel 6 up

orr:/root# /usr/local/sbin/tcpdump -n -i wi0 -y IEEE802_11_RADIO -vv -s 1515 -X
tcpdump: data link type IEEE802_11_RADIO
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: listening on wi0, link-type IEEE802_11_RADIO (802.11 plus radio information header), capture size 1515 bytes
12:26:05.986183 [|802.11]
12:26:06.025324 [|802.11]
12:26:06.045314 [|802.11]
12:26:06.088574 [|802.11]
12:26:06.147281 [|802.11]

orr:/root# /usr/local/sbin/tcpdump -n -i wi0 -y IEEE802_11 -vv -s 1515 -X
tcpdump: data link type IEEE802_11
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: listening on wi0, link-type IEEE802_11 (802.11), capture size 1515 bytes
12:26:25.851579 0us Beacon (LIMHOME) [1.0* 2.0* 5.5 11.0 Mbit] ESS CH: 6
0x0000 2571 61c2 d900 0000 6400 0500 0007 4c49 %qa.....d.....LI
0x0010 4d48 4f4d 4501 0482 840b 1603 0106 0406 MHOME...........
0x0020 0102 0000 0000 0504 0001 0000 ............
12:26:25.910662 0us Beacon (shaolin) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 6, PRIVACY
0x0000 2cc2 0ac7 7d04 0000 6400 1100 0007 7368 ,...}...d.....sh
0x0010 616f 6c69 6e01 0482 848b 9603 0106 0504 aolin...........
0x0020 0001 0000 ....
12:26:26.013037 0us Beacon (shaolin) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 6, PRIVACY
0x0000 1b52 0cc7 7d04 0000 6400 1100 0007 7368 .R..}...d.....sh
0x0010 616f 6c69 6e01 0482 848b 9603 0106 0504 aolin...........
0x0020 0001 0000 ....
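To check what the beacons and probe requests captured above actually carry, here is an added Python decoder (written for this page, not code from the original post or from the tcpdump or bsd-airtools projects) for the management frame bodies that tcpdump -X prints: it recovers the SSID, the rate set, the capability bits and the DS Parameter Set channel, which is how a beacon seen while the card was tuned to channel 11 can be shown to have been sent on channel 6. Element ids and capability bits are taken from IEEE 802.11-1999; the hex inputs are the dumps from this post, and the output format mimics tcpdump's summary line so the two can be compared.

```python
"""Decode the 802.11 management frame bodies that tcpdump -y IEEE802_11 -X prints.

The body follows the 24-byte MAC header.  A beacon body is an 8-byte TSF
timestamp (little-endian microseconds), a 2-byte beacon interval (TUs), a
2-byte capability bitmap, then information elements (id, length, value).
A probe request body is only the elements.  Rates are in 500 kbit/s units;
bit 0x80 marks a basic rate, which tcpdump prints with a trailing '*'."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IE_SSID, IE_RATES, IE_DS_PARAMS = 0, 1, 3   # IEEE 802.11-1999 element ids
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010       # capability bits tcpdump reports

@dataclass
class MgmtInfo:
    ssid: Optional[str] = None
    rates: List[Tuple[float, bool]] = field(default_factory=list)  # (Mbit/s, basic?)
    channel: Optional[int] = None        # DS Parameter Set: channel the sender is on
    timestamp_us: Optional[int] = None
    beacon_interval_tu: Optional[int] = None
    ess: bool = False
    privacy: bool = False                # WEP required on this BSS

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -X lines ('0x0010 616f ... aolin...') back into bytes.
    Heuristic: after the offset, take 2- or 4-digit hex groups (at most 8 per
    line) until the first token that is not hex, i.e. the ASCII column."""
    out, hexdigits = bytearray(), set("0123456789abcdefABCDEF")
    for line in dump.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith("0x"):
            tokens = tokens[1:]
        for tok in tokens[:8]:
            if len(tok) in (2, 4) and set(tok) <= hexdigits:
                out += bytes.fromhex(tok)
            else:
                break
    return bytes(out)

def parse_ies(body: bytes, info: MgmtInfo) -> MgmtInfo:
    """Walk the element list; an element cut off by the snaplen raises
    instead of being mis-decoded (tcpdump shows such frames as [|802.11])."""
    i = 0
    while i + 2 <= len(body):
        ie_id, ie_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + ie_len]
        if len(value) < ie_len:
            raise ValueError("element id %d truncated at offset %d" % (ie_id, i))
        if ie_id == IE_SSID:
            info.ssid = value.decode("ascii", errors="replace")
        elif ie_id == IE_RATES:
            info.rates += [((r & 0x7F) * 0.5, bool(r & 0x80)) for r in value]
        elif ie_id == IE_DS_PARAMS and ie_len == 1:
            info.channel = value[0]
        i += 2 + ie_len                  # CF, TIM and other elements are skipped
    return info

def parse_beacon_body(body: bytes) -> MgmtInfo:
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    ts, interval, cap = struct.unpack_from("<QHH", body, 0)
    info = MgmtInfo(timestamp_us=ts, beacon_interval_tu=interval,
                    ess=bool(cap & CAP_ESS), privacy=bool(cap & CAP_PRIVACY))
    return parse_ies(body[12:], info)

def parse_probe_request_body(body: bytes) -> MgmtInfo:
    return parse_ies(body, MgmtInfo())

def tcpdump_style(kind: str, info: MgmtInfo) -> str:
    """Render the decode like tcpdump's one-line summary, for cross-checking."""
    rates = " ".join("%.1f%s" % (m, "*" if basic else "") for m, basic in info.rates)
    text = "%s (%s) [%s Mbit]" % (kind, info.ssid, rates)
    if kind == "Beacon":
        text += " ESS" if info.ess else ""
        text += " CH: %d" % info.channel if info.channel is not None else ""
        text += ", PRIVACY" if info.privacy else ""
    return text

# Hex dumps copied from the captures above (two beacons seen on channel 6 and
# one probe request); the ASCII column is kept to show the parser skips it.
SHAOLIN_BEACON = """
0x0000 2cc2 0ac7 7d04 0000 6400 1100 0007 7368 ,...}...d.....sh
0x0010 616f 6c69 6e01 0482 848b 9603 0106 0504 aolin...........
0x0020 0001 0000 ...."""
LIMHOME_BEACON = """
0x0000 2571 61c2 d900 0000 6400 0500 0007 4c49 %qa.....d.....LI
0x0010 4d48 4f4d 4501 0482 840b 1603 0106 0406 MHOME...........
0x0020 0102 0000 0000 0504 0001 0000 ............"""
SHAOLIN_PROBE = "0x0000 0007 7368 616f 6c69 6e01 0482 848b 96 ..shaolin......"

if __name__ == "__main__":
    for dump in (SHAOLIN_BEACON, LIMHOME_BEACON):
        b = parse_beacon_body(hexdump_to_bytes(dump))
        print(tcpdump_style("Beacon", b), "TSF %.6f s" % (b.timestamp_us / 1e6))
    print(tcpdump_style("Probe Request",
                        parse_probe_request_body(hexdump_to_bytes(SHAOLIN_PROBE))))
```

The decoded TSF of the shaolin beacon (about 4938256 s) lines up with the "ts:" value prism2dump reports for the same access point a little later in this post, and the 36-byte body length matches the "len: 36" and "packet length: 36" seen there.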

Now that I could see all of this traffic, I tried some of the bsd-airtools. First I used prism2ctl to see the state of the NIC:

orr:/root# prism2ctl wi0
Sleep mode: [ Off ]
Suppress post back-off delay: [ Off ]
Suppress Tx Exception: [ Off ]
Monitor mode: [ Off ]
LED Test: [ ]
Continuous Tx: [ ]
Continuous Rx: [ Off ]
Signal State: [ ]
Automatic level control: [ Off ]

Prism2ctl reported the NIC was not in monitor mode, so I enabled it:

orr:/root# prism2ctl wi0 -m
orr:/root# prism2ctl wi0
Sleep mode: [ Off ]
Suppress post back-off delay: [ Off ]
Suppress Tx Exception: [ Off ]
Monitor mode: [ On ]
LED Test: [ ]
Continuous Tx: [ ]
Continuous Rx: [ Off ]
Signal State: [ ]
Automatic level control: [ Off ]

orr:/root# ifconfig wi0
wi0: flags=8843 mtu 1500
inet6 fe80::204:e2ff:fe29:3bba%wi0 prefixlen 64 scopeid 0x4
ether 00:04:e2:29:3b:ba
media: IEEE 802.11 Wireless Ethernet autoselect (DS/2Mbps )
status: associated
ssid ""
stationname "FreeBSD WaveLAN/IEEE node"
channel 6 authmode OPEN powersavemode OFF powersavesleep 100
wepmode OFF weptxkey 1

Next I tried prism2dump:

orr:/root# prism2dump wi0
prism2dump: listening on wi0
- [ff:ff:ff:ff:ff:ff <- 0:c:41:f6:6c:24 <- 0:c:41:f6:6c:24]
- port: 7 ts: 223.792288 1:5 10:0
- sn: 21872 (72:31:bf:e7:2d:35) len: 59
- ** mgmt-beacon ** ts: 833469.849995 int: 100 capinfo: ess
+ ssid: [linksys]
+ rates: 1.0 2.0 5.5 11.0 18.0 24.0 36.0 54.0
+ ds ch: 6
+ dtim c: 0 p: 1 bc: 0 pvb: bfbfea45

- [ff:ff:ff:ff:ff:ff <- 0:a0:c5:59:47:D4 <- 0:a0:c5:59:47:d4]
- port: 7 ts: 223.815868 0:38 110:0
- sn: 17952 (1f:cf:13:ad:ea:bb) len: 36
- ** mgmt-beacon ** ts: 4938366.259564 int: 100 capinfo: ess priv
+ ssid: [shaolin]
+ rates: 1.0 2.0 5.5 11.0
+ ds ch: 6
+ dtim c: 0 p: 1 bc: 0 pvb: bfbfea45

That worked as advertised. I also tried dwepdump and dwepcrack:

orr:/root# dwepdump wi0 /var/dwep.dump
* dwepdump v0.2 by h1kari *
* Copyright (c) Dachb0den Labs 2002 [http://dachb0den.com] *
starting pcap capture loop...
device: wi0
logfile: /var/dwep.dump
packets received: 1

orr:/root# dwepcrack /var/dwep.dump
usage: dwepcrack [-j ] [-b [-e] | -w [-f ]] [-s] [wordfile]
-j: number of processes to run (useful for smp systems)
-b: brute force key by exhausting all probable possibilities
-e: search the entire key width (will take a while)
-w: use weak ksa attack
-f: fudge the probability scope by specified count (might take a while)
-s: file uses 104-bit wep
orr:/root# dwepcrack -b /var/dwep.dump
* dwepcrack v0.5 by h1kari *
* Copyright (c) Dachb0den Labs 2003 [http://dachb0den.com] *
starting brute force crack on smallest packet:
packet length: 36
init vector: 01:53:6d
default tx key: 3
progress: ....................................................................

I even got dstumbler to work.

Next I turned to the SMC 2602W v.1 PCI NIC. This card destroyed me. I spent hours trying to get it to work. The problem is the card is literally an SMC 2632W v.1 PCMCIA card plugged into a PLX riser that sits in a PCI slot. First I tried the openap-ct solution, but the hostap_plx module did not like it. This ruled out using prism2_srec.

I tried to get fancy by using Knoppix. I found that the linux-wlan-ng prism2_plx driver recognized the card under Knoppix, but I couldn't use this to my advantage. The linux-wlan-ng project provides prism2dl to flash firmware, but I wasn't ready to install a whole new Linux distribution and include these drivers. I did waste some time using these Red Hat 9.0 kernel RPMs with hostap built-in on my Red Hat 9 box. They didn't help, and I found these RPMs too late.

Abandoning Linux, I turned to Windows. A visit to www.smc-europe.com revealed the same WinUpdate program Jun Sun mentioned on his page. Unfortunately my Optiplex GX100 box running Windows 2000 did not recognize the NIC. It complained it could not communicate with the driver. I tried flashing the Dell's BIOS to the latest version, but still no luck.

While moving the NIC between machines I must have unseated the RAM in the Dell Optiplex. It refused to boot but gave me a one beep - three beeps - two beeps error code. Checking Dell's Phoenix BIOS beep codes I learned 1-3-2 meant "RAM Refresh verification failure." All I thought to do was reseat the RAM, which fixed the problem.

I thought using a DOS-based flash method might be my last option. Intersil provided a utility called FLASH.EXE, which is available here, along with its .pdf manual and a flash.ini file. I gave this program a try but it could not find the NIC either. I decided to install a new copy of Windows 2000 on the newest tower PC I had, my Shuttle SB52G. After wasting time doing that, I gave the WinUpdate program a try. It acted flaky, also saying it couldn't contact the NIC (just as the newly installed SMC drivers complained -- what's wrong with SMC?), but, lo and behold, a miracle occurred. Somehow I was still able to flash the firmware. I brought the station firmware up to the same 1.7.1 version as on the PCMCIA NIC. I thought my problems were solved!

Alas, under both FreeBSD 4.9 STABLE (on the hard drive) and FreeBSD 5.2 (under FreeSBIE), I got these messages:

Feb 26 13:06:37 bourque /kernel: wi0: port 0xc400-0xc43f,0xc000-0xc07f mem 0xe8050000-0xe8050fff irq 5 at device 5.0 on pci1
Feb 26 13:06:37 bourque /kernel: wi0: 802.11 address: 00:04:e2:29:4c:3c
Feb 26 13:06:37 bourque /kernel: wi0: using RF:PRISM2 MAC:HFA3841 CARD:HWB3163 rev.A
Feb 26 13:06:37 bourque /kernel: wi0: Intersil Firmware: Primary 0.03.00, Station 1.07.01
Feb 26 13:06:37 bourque /kernel: wi0: time out allocating memory on card
Feb 26 13:06:37 bourque /kernel: wi0: tx buffer allocation failed
Feb 26 13:06:37 bourque /kernel: wi0: failed to allocate 1594 bytes on NIC
Feb 26 13:06:37 bourque /kernel: wi0: mgmt. buffer allocation failed
Feb 26 13:08:55 bourque /kernel: wi0: time out allocating memory on card
Feb 26 13:08:55 bourque /kernel: wi0: tx buffer allocation failed
Feb 26 13:08:55 bourque /kernel: wi0: failed to allocate 1594 bytes on NIC
Feb 26 13:08:55 bourque /kernel: wi0: mgmt. buffer allocation failed
...and so on...

Flashing the firmware made no difference. These errors are similar to those reported here and here.

I decided to abandon the SMC 2602W v.1 NIC and buy a Linksys WMP55AG A+G PCI NIC. FreeBSD's ath driver works with the Atheros chip. Once I get the NIC, I'll report my findings.

Wednesday, February 25, 2004

New net-mgmt Ports Category

Today I got my new ports email from FreshPorts and saw a new ports category: net-mgmt. This contains some of my favorite programs, like Argus and fprobe. I don't agree with many of the ports being in this category though. Why are ISIC, NBTScan, and Packit in net-mgmt when Nemesis, NAT, and IPsorc are still in net?

Monday, February 23, 2004

Article on SPARC Compiler Optimization

OSNews featured an article by Tony Bourke on SPARC Optimizations with GCC. Tony does a good job explaining the different SPARC CPUs in Sun hardware and how to compile applications with various flags.

Saturday, February 21, 2004

Tcpdump with Privilege Separation in OpenBSD

I read at the OpenBSD Journal of a privilege separation version of Tcpdump being committed to OpenBSD current. You can see the changes in the OpenBSD source tree. (Browsing CVS source trees, as can also be done with FreeBSD, is a feature that alone makes the BSDs coherent, understandable operating systems.)

Tcpdump also has a browsable CVS Web interface.

Privilege separation is a topic I first learned about through Niels Provos' OpenSSH modifications. There appears to be interest in having Tcpdump run with fewer privileges. I found this thread on Tcpdump-workers, which takes a different approach.

Getting Flash to Work on Mozilla 1.6 and FreeBSD 5.2 REL

I hadn't had luck getting Macromedia Flash support to work on FreeBSD with Mozilla until today. I read this thread and learned I needed to install the www/linux-flashplugin6 and www/linuxpluginwrapper ports. I noticed the linuxpluginwrapper port installed these items:

/usr/bin/install -c flash6.so /usr/local/lib/pluginwrapper/flash6.so
/usr/bin/install -c acrobat.so /usr/local/lib/pluginwrapper/acrobat.so
/usr/bin/install -c java3d.so /usr/local/lib/pluginwrapper/java3d.so
/usr/bin/install -c java3d_snd.so /usr/local/lib/pluginwrapper/java3d_snd.so
/usr/bin/install -c jai.so /usr/local/lib/pluginwrapper/jai.so

I made a file called /etc/libmap.conf as directed:

# Flash6 with Mozilla/Firebird/Galeon/Epiphany
[/usr/local/lib/linux-flashplugin6/libflashplayer.so]
libpthread.so.0 liblthread.so.3
libdl.so.2 pluginwrapper/flash6.so
libz.so.1 libz.so.2
libstdc++-libc6.2-2.so.3 liblstdc++.so.4
libm.so.6 libm.so.2
libc.so.6 pluginwrapper/flash6.so

# Acrobat with Mozilla/Firebird/Galeon/Epiphany
#[/usr/local/Acrobat5/Browsers/intellinux/nppdf.so]
#libc.so.6 pluginwrapper/acrobat.so

Note the Acrobat entries are commented out. I prefer to have Acrobat launch outside Mozilla. I also made this change:

orr:/usr/local/Acrobat5/Browsers/intellinux# ls
nppdf.so
orr:/usr/local/Acrobat5/Browsers/intellinux# mv nppdf.so nppdf.so.orig

To avoid the annoying "plugin not installed" message, I made this change:

orr:/usr/X11R6/lib/mozilla/plugins# ls
libnullplugin.so.orig

Now I can visit the Monster Garage home page and see the Flash animations.

Update: I've decided to disable Flash. For some reason Mozilla consumes huge chunks of CPU and refuses to die after I exit. I've had to manually kill the processes left behind:

orr:/home/richard$ ps -auxww | grep moz
richard 87241 84.5 13.4 59224 51632 ?? R 8:53PM 10:46.83 ./mozilla-bin
richard 87229 0.0 0.1 908 344 ?? Is 8:53PM 0:00.00 /bin/sh -c mozilla
richard 87230 0.0 0.1 932 368 ?? I 8:53PM 0:00.01 /bin/sh ./run-mozilla.sh ./mozilla-bin

Oh well. I'll watch for improved versions. I may try the ideas here soon.

Open Source Lab Prepares "Beaver Challenge"

The Oregon State University Open Source Lab is preparing to host the 2004 Beaver Challenge. This contest seeks to benchmark different open source operating systems on Dell PowerEdge 2650 servers. The challenge states:

"There will be two classes that each team will compete in. There will be a base class where everyone must follow the rules outlined below. The second class will have no rules except for the fact that every team must document all changes made to the base install."

I recommend reading the methodology to see the full rule set.

The FreeBSD-Hackers mailing list shows a call for tuners for the "unlimited" competition. There's also a FreeBSD forum at OSU. Results of the challenge will be posted for all to benefit.

New Set of FreeBSD Packages Available

In my never-ending quest to understand FreeBSD application management, I took note of this post to the freebsd-current mailing list:

From: Kris Kennaway (kris_at_obsecurity.org)
Date: Fri, 20 Feb 2004 16:59:48 -0800
To: current@FreeBSD.org

I don't normally announce these here, but since there's recently been a "flag day" people may like to know that I've uploaded a full set of 9189 post-libpthread i386 5.2-CURRENT packages to ftp-master. You can use e.g. portupgrade -afPP to update your installed ports if you want to avoid the need to recompile everything that uses libc_r. Packages for other architectures will follow over the next week or so.

Kris

SecurityFocus Article on Keeping Windows Patched

Jonathan Hassell wrote the first of a planned three articles on patching Windows. The first article describes Microsoft's Software Update Services (SUS).

One of the tenets of operating defensible networks is that they can be kept current. In future articles, Jonathan will look at third party open source and commercial options for Windows patch management.

Hopefully this will change, but a visit to www.jonathanhassell.com shows the default Windows Small Business Server home page...

New Security News Site

I'm adding a new Web site, Hacker Intel, to my TaoSecurity Interests page. Hacker Intel reminds me of the now defunct Hacker News Network. I'll check in with the site daily as it seems to post short summaries of security news on a daily basis.

In related news, PacketStorm is back on my Interests page as it is being updated again.

Advice for Programmers in a Rush

While reading the Slashdot story Tech Training Schools Going Bust, I saw a link to Teach Yourself Programming in Ten Years. This essay argues it takes ten years to master a subject, so trying to "learn Java in 21 days" will result in failure. The author provides advice on the proper way to learn computer-related subjects.

Thursday, February 19, 2004

Systrace Support for FreeBSD

While writing the last chapter of my book I checked into the status of Systrace support in FreeBSD. I mentioned Systrace last August. Since then, Vladimir Kotal has been working on porting Systrace to FreeBSD. I haven't tried his patches yet but I applaud his work. Systrace is a system-call monitoring and enforcement mechanism that brings a great deal of security functionality to Unix systems.

Excellent SecurityFocus Article on Modem Uncappers

Kevin Poulsen, the best original writer in the security scene, published an article on TCNiSO. This group wrote Sigma, a program giving owners of certain Surfboard cable modems control of the device. Sigma only works with DOCSIS 1.0 cable modems, but the TCNiSO crew has plans for working with newer specifications. The article is an excellent read.

Microsoft Security Updates Free on CD

If you're a dial-up user who avoids patching Windows, check out the Windows Security Update CD. It's available for Windows XP, Windows Me, Windows 2000, Windows 98, and Windows 98 Second Edition (SE). When I placed my order this is what I got:

B82-00170 1 Win Update 2004 English NA Feb Direct 2CD Windows Security Kit

For enterprise Windows users there's the Microsoft Security Guidance Kit CD v1.0. It's free too, so I ordered one:

P73-00958 1 Windows Svr Std 2003 English Direct CD Security Readiness April 2004

Expert Opinion on Microsoft Source Leak

I downloaded this analysis (.doc) of the Windows source code leak from a Dutch Windows news site, Bink.nu. The author is a Dutch programmer named Tamura Jones, who wrote a book called Undocumented Windows. Jones makes several good points, which I reproduce below.

"This is not the first time that Microsoft source code leaked onto the net. In 2000, the source code for MS-DOS 6 was leaked. It received considerably less attention, as most journalists considered it obsolete, despite the fact that it still had millions of users around the world, and that MS-DOS is actually the basis for many versions of Windows still in use today. That leaked source is still being passed around...

In October of 2000, Microsoft had to confirm that crackers had broken into their network and actually gained access to the Windows source code. That breach was done using the Qaz trojan. Microsoft has stated that this time round, their security has not been breached...

Evidence inside the Windows 2000 source code leaked on Thursday 12 February 2004 suggests that this particular leak originated at long-time Microsoft partner MainSoft. The leaked source would implicate Eyal Alaluf, MainSoft's Director of Technology...

MainSoft is a commercial company that provides a product called MainWin. The MainWin product makes it relatively easy for third-party software companies to make the programs they already created for Windows available on Unix as well.
The MainWin product is based on actual Windows source code...

The leaked source is more than three years old. The newest files in the Windows 2000 source code are dated 25 July 2000. The source probably corresponds to Windows 2000 Service Pack 1, while the current Service Pack for Windows 2000 is Service Pack 4. The Windows NT 4 source code probably corresponds to Windows NT 4 Service Pack 3, while the current Service Pack for Windows NT 4 is Service Pack 6a, and a Service Roll-up Pack has already followed it...

Here’s a table summarising the official figures [on Windows source code lines] collected from various Microsoft sources:

Year  Product         Million Lines of Code
1993  Windows NT 3.1  6
1996  Windows NT 4.0  16.5
1999  Windows 2000    29
2001  Windows XP      45
2003  Windows 2003    50

None of these numbers means much. The issue is not what percentage got out, but what got out. The real observation is that what got out is not just any part, but an important part of Windows, and you do not even need to read the leaked code to figure that out.

MainSoft's MainWin product allows developers to create Unix versions of their existing Windows programs. There are all kinds of technicalities, but the basic idea behind the MainWin product is very simple: MainWin pretends to be Windows.

MainSoft has incorporated considerable parts of the Windows code into its MainWin product. In a very real sense, large parts of the MainWin product do not just pretend to be Windows, but are Windows.

In support of the MainWin product, Microsoft provided MainSoft with a license in its Windows Interface Source Environment (WISE) program. The WISE license provides source code access to the very core of Windows, the basis the rest of Windows is built on. The WISE program is so exclusive that it is not listed on Microsoft Shared Source Licensing Programs page. What is provided under the WISE license is so essential, that only a few companies ever got one. That fact alone already indicates the value Microsoft places on this particular source code license.

The source that leaked is part of what MainSoft got under that rather exclusive WISE license, and what it got is the hottest part of Windows."

I found a January 1995 document archived on a site in China about WISE. Here are some extracts:

"The Windows Interface Source Environment (WISE) is a licensing program from Microsoft to enable customers to integrate Windows-based solutions with UNIX and Macintosh systems. Microsoft has licensed the Windows family source code to Mainsoft Corporation, Bristol Technology Inc., Insignia Solutions Inc., and Locus Computing Corporation. Using the products being developed by Mainsoft and Bristol, developers will be able to write to the Win32® API and OLE on different UNIX platforms...

WISE SDKs enable developers to write to Windows APIs and use the resulting applications on Macintosh and various UNIX systems. To get a Windows-based application running on a Macintosh or UNIX system using a WISE SDK, the application source code must be recompiled on those systems...

A WISE SDK consists of tools to port code from a PC and libraries to compile Windows code on the Macintosh or UNIX system."

I also found a 21 Sep 98 story announcing Mainsoft and Microsoft agreed to licensing terms for "Windows NT 5.0" source code. According to this 1 Nov 00 story, "Mainsoft is one of only two companies—Bristol Technologies Inc. is the other—with access to the source code under the Windows Interface Source Environment agreement." I found this 29 Oct 95 story claiming "When IBM purchased Lotus Development Corp., it acquired Lotus's license to Microsoft's Windows Interface Source Environment (WISE), giving it access to the source code in Windows 95 and Windows NT, including Microsoft's OLE object technology."

So it seems Mainsoft may be in trouble for trying to get Windows programs to run on Unix. If you want to run Unix programs on Windows, take a look at Interop Systems. They work with the Windows Services for Unix.

Updated: Tamura Jones wrote me last week. He clarified a few points that I updated in the story above.

Monday, February 16, 2004

History of Operating Systems and Languages

I was aware that Éric Lévénez was the author of the UNIX history chart, but I just discovered his Windows and programming languages diagrams. They are truly amazing and very educational.

Sunday, February 15, 2004

Informative Register Article on Solaris 10

After hearing and reading misinformed commentary on Microsoft's source code leak elsewhere, I was pleased to be reminded that the Register has clueful writers. One of them, Ashlee Vance, reported on Solaris 10. I've had a soft spot for Solaris since 1997, when I first used it as an Air Force lieutenant. I've only just started playing with Solaris 8 on my Ultra 30, never mind Solaris 9. (Incidentally, major kudos to Sun for providing easy access to these earlier versions with intuitive URLs!)

According to Ms. Vance:

"One of the major new additions to Solaris 10 is the N1 Grid Containers product. Sun has gone through some name changes with the product since we first reported on the technology, but the premise of the software has stayed the same. The containers are Sun's answer to logical partitions (LPARs) on AIX and HP-UX and the virtual machines touted by VMware/EMC for Windows and Linux servers. The software permits users to carve up a server into multiple partitions and to set up processing, memory and bandwidth limits for each partition."

I have both AIX and HP-UX boxes in my lab, yet have not had the chance to really try these logical partition functions. It is on my to-do list.

Live CDs for the Rest of Us

Not everyone wants to use a Linux-based live CD like Knoppix. I mentioned various live CD projects last year, but hadn't tried any but Knoppix until today.

Slashdot informed me of Bart's Preinstalled Environment (BartPE), a Windows-based live CD. I downloaded the software and created a Windows Server 2003-based .iso image using the evaluation copy Microsoft sent me. I tested the .iso within VMWare on my FreeBSD 5.2 REL laptop. It seemed to work fine.

I decided to give FreeSBIE, the FreeBSD-based live CD, a try. I downloaded the version which uses FreeBSD 5.2 REL and tested it within VMWare. It's impressive, with X ready to go just like Knoppix. A large screen shot follows. When 5.2.1 REL is released, I expect the FreeSBIE team to create a new .iso. I'll burn that one to CD to carry with me.

Saturday, February 14, 2004

Musings on Microsoft's Bad Week

By now everyone knows about Microsoft code being "made available on the Internet", according to the linked press release. Microsoft claims:

"On Thursday, February 12, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. Subsequent investigation has shown this was not the result of any breach of Microsoft's corporate network or internal security, nor is it related to Microsoft's Shared Source Initiative or its Government Security Program."

This probably doesn't comfort Mainsoft, claimed by some to be involved in the leak.

I found it amusing that news outfits like NPR and Wired and CNN found the amount of profanity in the Windows source to be newsworthy. A Slashdot post provided the following helpful grep syntax:

grep -Hirn "INSERT PROFANITY HERE" ./*

In case you're wondering about the switches:

-H, --with-filename
-i, --ignore-case
-r, --recursive
-n, --line-number

The Slashdot follow-up is probably the best place for a comprehensive look at the issue.

The silver lining to this cloud is a hope that this event will prompt a serious debate on the merits of open source vs. closed source software. O'Reilly is leading the charge with good articles on the merits of open source software. Also, people must finally recognize that open source software is not inherently more vulnerable because anyone can review it. With this Microsoft source disclosure, the world has to acknowledge that Microsoft's code has been available to the underground and is just as easily reviewed as OSS.

On related Microsoft news, today I received Introducing Microsoft Windows Server 2003 in the mail. This was sent after I participated in a phone survey last week on Microsoft's Get The Facts program. I signed up to get a free evaluation copy of Windows 2003 Server, so Microsoft called me. I repeatedly told the survey taker I was concerned with Microsoft's security problems. She was reading a script and tried to pigeon-hole my answers into her form. She tried to steer me towards "server consolidation" and "upgrading from Windows NT 4.0" when I told her I was more interested in "upgrading" to 2003 for security reasons. I told her I ran multiple versions of UNIX and had no plans to change.

Update: This post to full-disclosure claims to be the first public vulnerability discovered as a result of scrutinizing the Windows source code.

Amazon Glitch Reveals "A Reader From..." Identities

I'm so sad I missed this when it was active. AP and the New York Times report that Amazon.ca accidentally replaced the anonymous "A Reader From" monikers with the real names of reviewers on its Web site. For example, instead of reading a glowing five star review by "a reader from Chicago" for a book by author John Rechy, the name "John Rechy" appeared -- showing the author reviewing his own book!

Fake reviews at Amazon.com have been a problem for years. The hundreds of fake reviews of Hack Attacks Revealed hit home for me, especially when the fictitious "l peterson" reviewed the book. Publisher Wiley printed a "review" by this fake person in the inside cover of Hack Attacks Encyclopedia, where "l peterson" said "Speaking for the Air Force Computer Emergency Response Team..." That really angered me, as I had just left the Air Force and that unit and confirmed there was no such person in the AFCERT.

Printing from FreeBSD to a Printer on Windows XP

We have an HP DeskJet 970 series printer connected to a Windows XP system. I wanted to print from my FreeBSD laptop to this printer. I decided to try installing Windows Print Services for UNIX, a sort of LPD for Windows, using these instructions. Once done, the Windows system was listening on port 515 for print jobs.

If the DeskJet understood Postscript, I should have been able to print directly from FreeBSD using the lpr command. Without Postscript support, I needed to use a filter to accommodate the printer. Inspired by Michael Lucas' recent articles on Apsfilter, I gave it a try. Unfortunately I could not get Apsfilter to work with my printer, so I turned to CUPS.

I installed CUPS using the CUPS port. Through trial and error I figured out I needed to start cups-lpd from inetd by adding this line to /etc/inetd.conf:

printer stream tcp nowait lp /usr/local/libexec/cups/daemon/cups-lpd cups-lpd

This means I made sure the native lpd was not running, and inetd was running, by adding this to /etc/rc.conf:

inetd_enable="YES"
lpd_enable="NO"

After starting inetd manually, I started CUPS with a renamed /usr/local/etc/rc.d/cups.sh script. That launched a Web server at http://localhost:631/. I could not reach the Web server via http://orr.taosecurity.com:631 even though sockstat output showed port 631 TCP available on all interfaces:

orr:/home/richard$ sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root cupsd 6892 0 tcp4 *:631 *:*
root cupsd 6892 2 udp4 *:631 *:*
root sendmail 429 4 tcp4 127.0.0.1:25 *:*
root sshd 423 3 tcp46 *:22 *:*
root sshd 423 4 tcp4 *:22 *:*
orr:/home/richard$
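The listing above shows cupsd, running as root, bound to every interface on 631/tcp and 631/udp. As a check a practitioner would want here, this added Python (not from the post) parses sockstat -4 output and reports wildcard listeners whose ports are not on an expected list; the sample listing is constructed from the lines above.

```python
"""Flag daemons bound to every interface in FreeBSD 'sockstat -4' output."""

# Constructed sample, modelled on the sockstat -4 listing in the post.
SAMPLE_SOCKSTAT = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root cupsd 6892 0 tcp4 *:631 *:*
root cupsd 6892 2 udp4 *:631 *:*
root sendmail 429 4 tcp4 127.0.0.1:25 *:*
root sshd 423 3 tcp46 *:22 *:*
root sshd 423 4 tcp4 *:22 *:*
"""


def parse_sockstat(text):
    """Return one dict per socket line; the header line is skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "USER":
            continue
        user, command, pid, fd, proto, local, foreign = fields
        addr, port = local.rsplit(":", 1)
        sockets.append({"user": user, "command": command, "pid": int(pid),
                        "proto": proto, "addr": addr, "port": int(port),
                        "foreign": foreign})
    return sockets


def wildcard_listeners(sockets):
    """Listening sockets bound to '*' (all interfaces) rather than loopback."""
    return [s for s in sockets if s["foreign"] == "*:*" and s["addr"] == "*"]


def exposure_report(text, expected_ports=(22,)):
    """Group wildcard listeners by command; ports not in expected_ports are flagged."""
    report = {}
    for s in wildcard_listeners(parse_sockstat(text)):
        entry = report.setdefault(s["command"],
                                  {"user": s["user"], "ports": set(), "unexpected": set()})
        entry["ports"].add((s["proto"], s["port"]))
        if s["port"] not in expected_ports:
            entry["unexpected"].add(s["port"])
    return report


if __name__ == "__main__":
    for command, entry in sorted(exposure_report(SAMPLE_SOCKSTAT).items()):
        print(command, entry["user"], sorted(entry["ports"]),
              "UNEXPECTED" if entry["unexpected"] else "")
```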

Once I logged in as user root with root's password, I was able to add my remote printer. I selected "LPD/LPR Host or Printer", with device URI "lpd://192.168.2.8:515/scout". The IP is the machine where the printer is connected, port 515 is the LPD port, and 'scout' is the name of the queue. I chose "HP" as the "Model/Driver" and the last "HP DeskJet 900 CUPS+Gimp-Print" series entry (of which there were 15 identical items).

Once done I was able to print a test page within the CUPS Web administrative interface. Getting my applications to work was another story. CUPS installs a new 'lpr' binary in /usr/local/bin/lpr. Apparently using this lpr one can print using CUPS. Unfortunately I could not use the stock /usr/bin/lpr to print, so I moved the stock version to /usr/bin/lpr.orig and made this link:

ln -s /usr/local/bin/lpr /usr/bin/lpr

Now I can print from OpenOffice. Under Mozilla I was able to specify /usr/local/bin/lpr. I believe I could have also tried installing Samba on my FreeBSD machine, but I didn't feel the need to do that. I can mount remote Windows shares on the XP box using FreeBSD's mount_smbfs:

mount_smbfs -I 192.168.2.8 //administrator@scout/temp /mnt

That command mounts the remote share 'temp' on host 'scout', IP 192.168.2.8, as user 'administrator', to my local /mnt share.

In other FreeBSD news, I've moved to Fluxbox as my new window manager. I was using FVWM with an Afterstep theme, which I decided was somewhat silly. Fluxbox seems to be working out fine for now. I like the simple syntax in the ~/.fluxbox/menu file:

[begin] (Fluxbox-0.9.8)
[exec] (aterm) {aterm -bg black -fg white -sl 1000}
[exec] (mozilla) {mozilla}
[exec] (sguil) {/usr/local/bin/sguil.sh}
[exec] (ethereal) {aterm -e sudo ethereal}
[exec] (acroread) {acroread}
[exec] (openoffice) {openoffice-1.1}
[exec] (xv) {xv}
[exec] (gv) {gv}
[exec] (gtksee) {gtksee}
[exec] (gtk-gnutella) {gtk-gnutella}
[exec] (xmms) {xmms}
[exec] (gmplayer) {gmplayer}
[exec] (vmware) {vmware}
...and so on...

Thursday, February 12, 2004

Understanding My Laptop's Graphics Capabilities

While perusing the FreeBSD-current news archive, I read a thread on comparing glxgears performance. I had never used this tool so I fired it up and saw my Thinkpad a20p laptop's performance:

Xlib: extension "XFree86-DRI" missing on display ":0.0".
303 frames in 5.0 seconds = 60.600 FPS
361 frames in 5.0 seconds = 72.200 FPS
360 frames in 5.0 seconds = 72.000 FPS
360 frames in 5.0 seconds = 72.000 FPS
360 frames in 5.0 seconds = 72.000 FPS

The error message bothered me, and these numbers looked much lower than those in the thread, so I started poking around. I found Eric Anholt's DRI page extremely helpful. I learned DRI is the Direct Rendering Infrastructure, "a framework for allowing direct access to graphics hardware in a safe and efficient manner... The first major use for the DRI is to create fast OpenGL implementations." The DRI page for ATI, the maker of my Rage Mobility 128 card, showed it was supported. However, using Eric's troubleshooting page, I failed to see DRM (the Direct Rendering Modules that provide DRI) loaded by the kernel. Checking my /var/log/XFree86.log.0 file, I saw attempts to load DRI and DRM:

(II) LoadModule: "dri"
(II) Loading /usr/X11R6/lib/modules/extensions/libdri.a
(II) Module dri: vendor="The XFree86 Project"
compiled for 4.3.0, module version = 1.0.0
ABI class: XFree86 Server Extension, version 0.2
(II) Loading sub module "drm"
(II) LoadModule: "drm"
(II) Loading /usr/X11R6/lib/modules/freebsd/libdrm.a
(II) Module drm: vendor="The XFree86 Project"
compiled for 4.3.0, module version = 1.0.0
ABI class: XFree86 Server Extension, version 0.2
(II) Loading extension XFree86-DRI
(II) LoadModule: "dbe"
(II) Loading /usr/X11R6/lib/modules/extensions/libdbe.a
(II) Module dbe: vendor="The XFree86 Project"
compiled for 4.3.0, module version = 1.0.0
Module class: XFree86 Server Extension
ABI class: XFree86 Server Extension, version 0.2
(II) Loading extension DOUBLE-BUFFER

There were no errors, but I did see this later in the log:

(II) R128(0): Direct rendering disabled

Clearly this was a problem. The first issue I decided to tackle was not seeing drm loaded by the kernel. My laptop runs FreeBSD 5.2 REL. I found a r128.ko kernel module in the /boot/kernel directory, so I tried loading it via kldload:

drm0: port 0x2000-0x20ff mem 0xf0200000-0xf0203fff,0xf8000000-0xfbffffff irq 11 at device 0.0 on pci1
info: [drm] AGP at 0xf4000000 64MB
info: [drm] Initialized r128 2.5.0 20030725 on minor 0

That's better! I added

r128_load="YES"

to my /boot/loader.conf file to enable this at boot time. Unfortunately, this did not solve my "Direct rendering disabled" problem. Thanks to this thread I added this to my /etc/X11/XF86Config next:

Section "DRI"
Mode 0666
EndSection

This was supposed to ensure that all users could use DRI, but it had no effect on my immediate problem. In the same helpful thread I learned I might be asking too much of my 2000-era graphics card. There might not be enough memory left to run DRI, so I made these changes to the /etc/X11/XF86Config file:

Section "Screen"
    Identifier "Screen0"
    Device "Card0"
    Monitor "Monitor0"
    DefaultDepth 16
    DefaultFbbpp 16
    SubSection "Display"
        Depth 16
        Modes "1400x1050"
    EndSubSection
EndSection

By dropping my color depth from 24 to 16, and specifying the frame buffer to be 16, this might give X enough memory to run DRI. Sure enough, it worked!

(II) R128(0): Direct rendering enabled

Trying the glxgears program, I got much better results, and no error messages:

7969 frames in 5.0 seconds = 1593.800 FPS
7977 frames in 5.0 seconds = 1595.400 FPS
6978 frames in 5.0 seconds = 1395.600 FPS
5559 frames in 5.0 seconds = 1111.800 FPS
7393 frames in 5.0 seconds = 1478.600 FPS
7438 frames in 5.0 seconds = 1487.600 FPS

With DRI enabled, I was able to load the Enemy Territory game from the FreeBSD port. At some point I hope to get the TV capabilities of my laptop working using the GATOS drivers and software.

I created a .xserverrc file with these contents to ensure my laptop uses 100 DPI:

exec X :0 -dpi 100

Packet Storm Lives

I just read this at Packet Storm:

On January 12, 2004, Packet Storm had its connectivity turned off without any forewarning.

After the plug was pulled, it took approximately two weeks to get a straight answer from our provider as to whether or not we were going to get turned back on. It seems that when bandwidth is donated to a worthy cause, the cause is not so worthy when it comes to returning phone calls. In the end, our hosting was cancelled. Due to the abrupt turnoff, we did not have time to set up safe hosting elsewhere.

If you have a strong, fast, and secure location that can host 4-12U's of rack space, please contact fringe[at]dtmf.org with any information.

Packet Storm has no plans to fall under corporate sponsorship again and we hope that the security community understands that this transition does not mean we are going anywhere.

We do plan to get the site back up to speed and updated within the next week, but mail and cgi services will be unavailable. They will be restored once we have a permanent home. Please do not bother attempting to send in submissions until you hear otherwise.

Again, many thanks to all of our supportive mirrors that are taking on all the traffic while we are in the middle of fixing this ordeal.

Thanks again for your patience,
Packet Storm Staff

Tuesday, February 10, 2004

Another Critical Microsoft Hole

Today Microsoft announced their Security Updates for February 2004. Security consultancy eEye told Microsoft about one of the flaws, called MS04-007 by Microsoft, six months ago. The vulnerability affects code using Microsoft's ASN.1 library (MSASN1.DLL).

The OpenSSL team reported a vulnerability and fix for ASN.1 problems in September 2003. The Slashdot thread makes good points about how Microsoft claims to fix errors faster and better than open source software. The following was published by The Register last October to recount an interview with Bill Gates at the TechNet/MSDN seminar in The Hague:

"Microsoft is making progress. The company writes more secure code, essentially because of tools that show where problems might occur. It is also fixing problems much faster than it used to. Gates: 'We've gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.'"

Who is Microsoft kidding?

I'm appalled by Microsoft's security record. My next commercial system will not run Windows; none of my infrastructure devices run Windows now. When we decide to buy a new system with a commercial OS, it's going to be a Mac.

If you think this announcement is the end, check out eEye's pipeline. They've got better future prospects than Big Pharma, with seven more advisories on deck. They told Microsoft about four of them over two months ago, and still we're waiting for patches. I'm sure the underground isn't waiting.

You can read centralized information on this vulnerability at the US-CERT. From what I understand the US-CERT is taking an operational security role, dealing with the public and so on. The CERT is transitioning to more of a research role, providing serious technical expertise but stepping out of operational duties.

Setting Custom Prompts

O'Reilly's UNIX Power Tools, 3rd Ed inspired me to change the default prompts on my FreeBSD systems. My user account uses bash, so I made the following entry in ~/.profile to ensure my prompt shows my username, system name, and present working directory when I log in. The single straight quotes ensure that $PWD is substituted every time the prompt is drawn, so it follows each change of directory. If I had used double straight quotes, $PWD would have been expanded once, fixing the prompt at whatever my current directory was when the shell started. Single straight quotes thus give us "dynamic substitution." The backticks insert the output of hostname -s, the system name.

PS1='$USER@`hostname -s`:$PWD '

Here's the result:

richard@orr:/home/richard$

Changing .profile affects prompts seen when logging in to the terminal and remotely via SSH. This entry in ~/.profile doesn't influence the prompt seen by terminals started within X, as they are not "interactive" shells. (I still haven't figured that one out.) To ensure terminals in X share the same prompt, I made the same entry in the .bashrc file.

For tcsh, the default shell for root on FreeBSD (csh and tcsh are the same binary), I made this entry in /root/.cshrc after the 'set mail' line:

set prompt = "%n@%m:%/# "

Tcsh doesn't support much dynamic substitution, but a read of the tcsh man page showed several variables built into the shell provide what I need. %n is the username. %m is the hostname up to the first period. %/ is the present working directory. All together the result looks good:

root@orr:/root#

Keep in mind these prompts start to take up valuable terminal space. You can eliminate the %n in the csh prompt as the # shows you are root. If you primarily deal with a single user account, or don't care to know your login name, similarly eliminate the $USER@ from the bash prompt.

I will review UNIX Power Tools when done reading it, but I can already recommend buying it.

Using Session Data to Look for Worm Activity

Currently a slew of worms are scanning port 3127 TCP, looking for systems infected by MyDoom.A. They include MyDoom.B, Doomjuice, and Vesser.

I collect session data using a variety of means, including Argus. I have the Argus daemon write what it sees into a directory. The elaborate date in the file name is a result of calling the date command like so:

DATE=`/bin/date "+%Y%m%d-%H%M%S"`

When the process is running, it looks like this:

/usr/local/src/argus-2.0.6/bin/argus_bpf -c -d -i ngeth0 -w /nsm/argus/20040206-085201.bourque.taosecurity.com.ngeth0.arg - ip

This process stores Argus data in the /nsm/argus directory. To quickly search the directory, I use the following at the command line:

-bash-2.05b$ for i in `ls`; do ra -n -r $i - dst port 3127 | grep -v stream >> /tmp/3127.ra; done

This yields results like the following:

28 Jan 04 16:47:32 tcp 80.181.182.157.2391 -> myIP.3127 RST
28 Jan 04 16:47:33 tcp 80.181.182.157.2391 -> myIP.3127 RST
28 Jan 04 16:47:34 tcp 80.181.182.157.2391 -> myIP.3127 RST
03 Feb 04 00:31:04 tcp 63.208.193.241.3127 -> myIP.3127 RST
03 Feb 04 17:32:55 tcp 24.168.219.7.3127 -> myIP.3127 RST
03 Feb 04 21:42:12 tcp 212.58.12.98.3723 -> myIP.3127 RST
03 Feb 04 21:42:13 tcp 212.58.12.98.3723 -> myIP.3127 RST
03 Feb 04 21:42:14 tcp 212.58.12.98.3723 -> myIP.3127 RST
04 Feb 04 03:55:59 tcp 129.1.61.23.3228 -> myIP.3127 RST
04 Feb 04 03:55:59 tcp 129.1.61.23.3228 -> myIP.3127 RST
...continues until today...

The RST at the end of each record means the connection attempt ended with a reset. From my small vantage point on the Internet, scanning for port 3127 TCP appeared 28 Jan 04, and my system did not respond.
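As an added example, not part of the post, here is Python that parses ra records like those above and summarizes them per source: attempt count, first and last time seen, source ports used, and whether any session ended in a state other than RST. The sample records are constructed from the lines above, and the code assumes that any Argus state other than RST (such as EST or FIN) means the attempt got further than a reset and deserves review.

```python
"""Summarize Argus 'ra' records for connection attempts to one port."""
from datetime import datetime

# Constructed sample of ra output, modelled on the records in the post.
SAMPLE_RA = """\
28 Jan 04 16:47:32 tcp 80.181.182.157.2391 -> myIP.3127 RST
28 Jan 04 16:47:33 tcp 80.181.182.157.2391 -> myIP.3127 RST
28 Jan 04 16:47:34 tcp 80.181.182.157.2391 -> myIP.3127 RST
03 Feb 04 00:31:04 tcp 63.208.193.241.3127 -> myIP.3127 RST
03 Feb 04 17:32:55 tcp 24.168.219.7.3127 -> myIP.3127 RST
03 Feb 04 21:42:12 tcp 212.58.12.98.3723 -> myIP.3127 RST
03 Feb 04 21:42:13 tcp 212.58.12.98.3723 -> myIP.3127 RST
03 Feb 04 21:42:14 tcp 212.58.12.98.3723 -> myIP.3127 RST
04 Feb 04 03:55:59 tcp 129.1.61.23.3228 -> myIP.3127 RST
04 Feb 04 03:55:59 tcp 129.1.61.23.3228 -> myIP.3127 RST
"""


def parse_ra_line(line):
    """Parse one 'ra' line into a dict, or return None for anything else."""
    fields = line.split()
    if len(fields) != 9 or fields[6] != "->":
        return None
    when = datetime.strptime(" ".join(fields[:4]), "%d %b %y %H:%M:%S")
    src_host, src_port = fields[5].rsplit(".", 1)
    dst_host, dst_port = fields[7].rsplit(".", 1)
    return {"time": when, "proto": fields[4],
            "src": src_host, "src_port": int(src_port),
            "dst": dst_host, "dst_port": int(dst_port),
            "state": fields[8]}


def summarize_scanners(text, port=3127):
    """Group records aimed at `port` by source address."""
    by_src = {}
    for line in text.splitlines():
        rec = parse_ra_line(line)
        if rec is None or rec["dst_port"] != port:
            continue
        s = by_src.setdefault(rec["src"], {
            "attempts": 0, "first": rec["time"], "last": rec["time"],
            "src_ports": set(), "non_rst": 0})
        s["attempts"] += 1
        s["first"] = min(s["first"], rec["time"])
        s["last"] = max(s["last"], rec["time"])
        s["src_ports"].add(rec["src_port"])
        # RST means the target answered with a reset; any other state
        # (assumed here: EST, FIN, ...) means the attempt got further.
        if rec["state"] != "RST":
            s["non_rst"] += 1
    return by_src


def first_scan_time(by_src):
    """Earliest attempt across all sources, as an ISO 8601 string."""
    return min(s["first"] for s in by_src.values()).isoformat()


def report(by_src):
    """Human-readable lines, earliest source first, flagging non-RST sessions."""
    lines = []
    for src, s in sorted(by_src.items(), key=lambda kv: kv[1]["first"]):
        flag = " REVIEW" if s["non_rst"] else ""
        lines.append("%-16s %2d attempts  %s .. %s  src ports %s%s" % (
            src, s["attempts"], s["first"], s["last"],
            sorted(s["src_ports"]), flag))
    return lines


if __name__ == "__main__":
    summary = summarize_scanners(SAMPLE_RA)
    print("scanning first seen:", first_scan_time(summary))
    print("\n".join(report(summary)))
```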

This sort of analysis is part of Network Security Monitoring. This is how you verify your machine is not compromised with a minimum amount of effort.

Monday, February 09, 2004

Review of Security Warrior Posted

Amazon.com just published my five star review of Security Warrior. From the review:

"Security Warrior is a heavyweight contender. Peikari and Chuvakin offer a dark counterpart to O'Reilly classics like Practical UNIX and Internet Security (PUAIS) and Securing Windows NT/2000 Servers for the Internet. If you've been waiting for the next good security book from O'Reilly, "Security Warrior" (SW) is it.

Part I, "Software Cracking," was my favorite section. This material is largely not for beginners, which marked a welcome change from many competing books. Part I gave an introduction to assembly language, followed by reverse engineering exercises on Windows, Linux, and Windows CE. I admit a good portion of the section was beyond my skill level, but I was able to "patch" binaries to alter program flow and even use a buffer overflow to execute previously unreachable code in a sample program. These sorts of "hands-on" exercises were informative and enjoyable.

Saturday, February 07, 2004

FreeBSD Guru on Updating Ports

Keeping the ports tree up-to-date is a big concern for FreeBSD users. Kris Kennaway posted a comparison of 'make index' and the portupgrade command 'portsdb -U'. Already one change has been made to the portupgrade port to address Kris' findings.

Dru Lavigne wrote articles about Ports Tricks, Portupgrade, and Cleaning and Customizing Your Ports. Michael Lucas and Dan Langille have also written articles on using the ports tree. This thread in the freebsd-ports archive discusses ways to keep ports trees up-to-date on multiple machines.

Update: This post reminded me of how to create your own packages in FreeBSD. To create a package with all of its dependencies, change to the directory of the tool you wish to build in the /usr/ports tree. Once there, running 'make package-recursive' will create a package from the ports tree and all of its dependencies. They will be stored in the /usr/ports/packages/All directory.

Friday, February 06, 2004

Annoying DNS Issues in Mozilla

I've finally figured out why visits to some Web sites take forever. I've maintained for years that "if something works, but takes a long time, blame DNS." Sure enough, a combination of Mozilla's behavior and uncooperative DNS servers is conspiring against Web users.

Here's how Mozilla resolves a host name when the remote DNS server cooperates. First Mozilla causes a DNS query for an AAAA record. This is an IPv6 record. The name server (here a forwarding name server) replies that it doesn't know an AAAA record for xlonhcld.xlontech.net. Mozilla promptly asks for the A record, which is returned in the last packet. So far so good.

18:24:04.604363 192.168.2.5.49203 > 172.27.20.1.53: 56494+ AAAA? xlonhcld.xlontech.net. (39)
18:24:04.611197 172.27.20.1.53 > 192.168.2.5.49203: 56494 0/1/0 (104)
18:24:04.611474 192.168.2.5.49204 > 172.27.20.1.53: 56495+ A? xlonhcld.xlontech.net. (39)
18:24:04.619886 172.27.20.1.53 > 192.168.2.5.49204: 56495 18/7/0 A[|domain]

This is what happens with sites that don't answer AAAA queries properly. Mozilla asks for the AAAA record four times:

18:20:11.292864 192.168.2.5.49188 > 172.27.20.1.53: 4329+ AAAA? dclkcorp.rpts.net. (35)
18:20:16.304730 192.168.2.5.49189 > 172.27.20.1.53: 4329+ AAAA? dclkcorp.rpts.net. (35)
18:20:26.319837 192.168.2.5.49190 > 172.27.20.1.53: 4329+ AAAA? dclkcorp.rpts.net. (35)
18:20:46.334627 192.168.2.5.49191 > 172.27.20.1.53: 4329+ AAAA? dclkcorp.rpts.net. (35)

After 75 seconds it gives up and asks for the A record. The name server promptly responds and the page loads.

18:21:26.345147 192.168.2.5.49192 > 172.27.20.1.53: 4330+ A? dclkcorp.rpts.net. (35)
18:21:26.378344 172.27.20.1.53 > 192.168.2.5.49192: 4330 2/6/6[|domain]

Here are the replies for the AAAA record requests. I haven't figured out the purpose of the ICMP port unreachable messages.

18:21:59.533098 172.27.20.1.53 > 192.168.2.5.49190: 4329 ServFail 0/0/0 (35)
18:21:59.533170 192.168.2.5 > 172.27.20.1: icmp: 192.168.2.5 udp port 49190 unreachable
18:22:00.197621 172.27.20.1.53 > 192.168.2.5.49189: 4329 ServFail 0/0/0 (35)
18:22:00.197688 192.168.2.5 > 172.27.20.1: icmp: 192.168.2.5 udp port 49189 unreachable
18:22:11.193955 172.27.20.1.53 > 192.168.2.5.49188: 4329 ServFail 0/0/0 (35)
18:22:11.194029 192.168.2.5 > 172.27.20.1: icmp: 192.168.2.5 udp port 49188 unreachable
18:22:44.194926 172.27.20.1.53 > 192.168.2.5.49191: 4329 ServFail 0/0/0 (35)
18:22:44.195000 192.168.2.5 > 172.27.20.1: icmp: 192.168.2.5 udp port 49191 unreachable

The Mozilla team has had this bug report open for a long time. Unfortunately, the remote name servers are to blame, as shown by this Internet draft. The issue was also discussed on freebsd-current.
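To make the timing above concrete, here is an added Python example (not from the post or the Mozilla bug report) that pairs each query in tcpdump output with its answer by client port and query id, measures how long the client waited between its first AAAA query and the A query that followed, and flags names whose AAAA lookups were refused, answered late or never answered. The capture is constructed from the lines quoted above; the comments also account for the ICMP port unreachable messages, which the kernel sends when a late ServFail arrives at a UDP port the resolver has already closed.

```python
"""Pair DNS queries with answers in tcpdump output and measure AAAA stalls."""
import re

# Constructed capture, assembled from the tcpdump lines quoted in the post.
SAMPLE_CAPTURE = """\
18:24:04.604363 192.168.2.5.49203 > 172.27.20.1.53: 56494+ AAAA? xlonhcld.xlontech.net. (39)
18:24:04.611197 172.27.20.1.53 > 192.168.2.5.49203: 56494 0/1/0 (104)
18:24:04.611474 192.168.2.5.49204 > 172.27.20.1.53: 56495+ A? xlonhcld.xlontech.net. (39)
18:24:04.619886 172.27.20.1.53 > 192.168.2.5.49204: 56495 18/7/0 A[|domain]
18:20:11.292864 192.168.2.5.49188 > 172.27.20.1.53: 4329+ AAAA? dclkcorp.rpts.net. (35)
18:20:16.304730 192.168.2.5.49189 > 172.27.20.1.53: 4329+ AAAA? dclkcorp.rpts.net. (35)
18:20:26.319837 192.168.2.5.49190 > 172.27.20.1.53: 4329+ AAAA? dclkcorp.rpts.net. (35)
18:20:46.334627 192.168.2.5.49191 > 172.27.20.1.53: 4329+ AAAA? dclkcorp.rpts.net. (35)
18:21:26.345147 192.168.2.5.49192 > 172.27.20.1.53: 4330+ A? dclkcorp.rpts.net. (35)
18:21:26.378344 172.27.20.1.53 > 192.168.2.5.49192: 4330 2/6/6[|domain]
18:21:59.533098 172.27.20.1.53 > 192.168.2.5.49190: 4329 ServFail 0/0/0 (35)
18:21:59.533170 192.168.2.5 > 172.27.20.1: icmp: 192.168.2.5 udp port 49190 unreachable
18:22:00.197621 172.27.20.1.53 > 192.168.2.5.49189: 4329 ServFail 0/0/0 (35)
18:22:00.197688 192.168.2.5 > 172.27.20.1: icmp: 192.168.2.5 udp port 49189 unreachable
18:22:11.193955 172.27.20.1.53 > 192.168.2.5.49188: 4329 ServFail 0/0/0 (35)
18:22:11.194029 192.168.2.5 > 172.27.20.1: icmp: 192.168.2.5 udp port 49188 unreachable
18:22:44.194926 172.27.20.1.53 > 192.168.2.5.49191: 4329 ServFail 0/0/0 (35)
18:22:44.195000 192.168.2.5 > 172.27.20.1: icmp: 192.168.2.5 udp port 49191 unreachable
"""

TS = r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
QUERY_RE = re.compile(TS + r"\S+\.(?P<cport>\d+) > \S+\.53: (?P<qid>\d+)\+ "
                      r"(?P<qtype>A|AAAA)\? (?P<name>\S+)\. \(\d+\)$")
ANSWER_RE = re.compile(TS + r"\S+\.53 > \S+\.(?P<cport>\d+): (?P<qid>\d+) "
                       r"(?P<rcode>\w+ )?(?P<ancount>\d+)/\d+/\d+")
ICMP_RE = re.compile(TS + r"\S+ > \S+: icmp: \S+ udp port (?P<cport>\d+) unreachable$")


def to_seconds(ts):
    """hh:mm:ss.ffffff -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Classify each tcpdump line as a query, an answer or an ICMP error."""
    records = []
    for line in text.splitlines():
        for kind, rx in (("query", QUERY_RE), ("answer", ANSWER_RE), ("icmp", ICMP_RE)):
            m = rx.match(line)
            if m is None:
                continue
            rec = m.groupdict()
            rec["kind"] = kind
            rec["ts"] = to_seconds(rec["ts"])
            rec["cport"] = int(rec["cport"])
            if "qid" in rec:
                rec["qid"] = int(rec["qid"])
            if kind == "answer":
                rec["rcode"] = (rec["rcode"] or "NoError").strip()
            records.append(rec)
            break
    return records


def analyze(records):
    """Match answers to queries by (client port, query id); note late answers."""
    queries = {}
    for r in records:
        if r["kind"] == "query":
            queries[(r["cport"], r["qid"])] = dict(r, answered_at=None, rcode=None, late=False)
    for r in records:
        if r["kind"] == "answer":
            q = queries.get((r["cport"], r["qid"]))
            if q is not None:
                q["answered_at"] = r["ts"]
                q["rcode"] = r["rcode"]
        elif r["kind"] == "icmp":
            # The resolver had already closed this UDP port when the answer
            # finally arrived, so the kernel replied with ICMP port unreachable.
            for q in queries.values():
                if q["cport"] == r["cport"]:
                    q["late"] = True
    return list(queries.values())


def aaaa_stall_seconds(queries):
    """Seconds from a name's first AAAA query to the A query that followed it."""
    first = {}
    for q in sorted(queries, key=lambda q: q["ts"]):
        first.setdefault((q["name"], q["qtype"]), q["ts"])
    return {name: round(t - first[(name, "AAAA")], 3)
            for (name, qtype), t in first.items()
            if qtype == "A" and (name, "AAAA") in first}


def broken_aaaa_names(queries, max_wait=5.0):
    """Names whose AAAA lookups failed, were answered late, or never answered."""
    return sorted({q["name"] for q in queries if q["qtype"] == "AAAA" and (
        q["late"] or q["answered_at"] is None
        or q["rcode"] != "NoError" or q["answered_at"] - q["ts"] > max_wait)})
```

Running analyze over the sample reproduces the 75-second wait the post measured for dclkcorp.rpts.net, while xlonhcld.xlontech.net gets its A query within a few milliseconds of the empty AAAA reply.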

For sites that don't answer AAAA requests properly, like doubleclick, entries like these in /etc/hosts might work:

::0 ad.doubleclick.com
::0 ad.doubleclick.net

::1, the IPv6 localhost address, is also an option.

The Mozilla bug report offered this code to check IPv6 resolutions using gethostbyname2:

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <errno.h>
#include <string.h>

/* Look up only the IPv6 (AAAA) address of a host and dump the hostent. */
int main(int argc, char *argv[])
{
    struct hostent *hent;
    char addrstr[64];
    int i;

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <hostname>\n", argv[0]);
        exit(1);
    }

    /* AF_INET6 asks the resolver for AAAA records only. */
    hent = gethostbyname2(argv[1], AF_INET6);
    if (hent == NULL) {
        /* h_errno codes: 1 HOST_NOT_FOUND, 2 TRY_AGAIN (timeout),
         * 3 NO_RECOVERY, 4 NO_DATA (name exists but has no AAAA record). */
        fprintf(stderr, "gethostbyname2 failed: %d\n", h_errno);
        exit(1);
    }
    printf("h_name = %s\n", hent->h_name);
    if (hent->h_aliases) {
        for (i = 0; hent->h_aliases[i]; i++) {
            printf("h_aliases[%d] = %s\n", i, hent->h_aliases[i]);
        }
    }
    if (hent->h_addrtype == AF_INET) {
        printf("h_addrtype = AF_INET\n");
    } else if (hent->h_addrtype == AF_INET6) {
        printf("h_addrtype = AF_INET6\n");
    } else {
        printf("h_addrtype = %d\n", hent->h_addrtype);
    }
    printf("h_length = %d\n", hent->h_length);
    if (hent->h_addr_list) {
        /* inet_ntop renders the binary address as text; addrstr is
         * large enough for the longest IPv6 representation. */
        for (i = 0; hent->h_addr_list[i]; i++) {
            printf("h_addr_list[%d] = %s\n", i,
                inet_ntop(hent->h_addrtype, hent->h_addr_list[i],
                    addrstr, sizeof(addrstr)));
        }
    }
    return 0;
}

It compiles fine on FreeBSD 5.2 REL and shows how different sites respond. Here's a site that responds with an IPv6 address:

orr# ./gethost2 www.netbsd.org
h_name = www.netbsd.org
h_addrtype = AF_INET6
h_length = 16
h_addr_list[0] = 2001:4f8:4:7:290:27ff:feab:19a7

Here's a site with no IPv6 address:

orr# ./gethost2 www.bejtlich.net
gethostbyname2 failed: 4

Here's what happens when I query for a site with an entry in /etc/hosts:

orr# ./gethost2 ad.doubleclick.net
h_name = ad.doubleclick.net
h_addrtype = AF_INET6
h_length = 16
h_addr_list[0] = ::

This is how a site whose name server responds improperly behaves. The program times out after waiting for a minute and 15 seconds.

orr# time ./gethost2 www.apcc.com
gethostbyname2 failed: 2
0.000u 0.004s 1:15.04 0.0% 0+0k 0+0io 0pf+0w

Watching the Mozilla bug report, a fix appears to be in the works.

Using Binary Security Updates for FreeBSD and OpenBSD

A few security advisories for FreeBSD and OpenBSD were announced. The latest for FreeBSD involves the System V Shared Memory interface. If you're running a GENERIC kernel you may be able to use Colin Percival's binary updates, like this:

bourque# uname -a
FreeBSD bourque.taosecurity.com 4.9-RELEASE FreeBSD 4.9-RELEASE #0:
Mon Oct 27 17:51:09 GMT 2003 root@freebsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC
i386
bourque# freebsd-update -v fetch
Fetching updates signature...
Fetching updates...
Fetching hash list signature...
Fetching hash list...
Examining local system...
Fetching updates...
/kernel...
/kernel.GENERIC...
Updates fetched

To install these updates, run: '/usr/local/sbin/freebsd-update install'
bourque# freebsd-update -v install
Backing up /kernel...
Installing new /kernel...
Backing up /kernel.GENERIC...
Installing new /kernel.GENERIC...
...reboot...
-bash-2.05b$ uname -a
FreeBSD bourque.taosecurity.com 4.9-SECURITY FreeBSD 4.9-SECURITY #0:
Thu Feb 5 04:20:23 GMT 2004 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

Here's what updating my FreeBSD 5.2 REL notebook looked like:

orr# uname -a
FreeBSD orr.taosecurity.com 5.2-RELEASE FreeBSD 5.2-RELEASE #0:
Sun Jan 11 04:21:45 GMT 2004 root@wv1u.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC i386
orr# freebsd-update -v fetch
Fetching updates signature...
Fetching updates...
Fetching hash list signature...
Fetching hash list...
Examining local system...
Fetching updates...
/boot/kernel/kernel...
/boot/kernel/sysvshm.ko...
Updates fetched

To install these updates, run: '/usr/local/sbin/freebsd-update install'
orr# freebsd-update -v install
Backing up /boot/kernel/kernel...
Installing new /boot/kernel/kernel...
Backing up /boot/kernel/sysvshm.ko...
Installing new /boot/kernel/sysvshm.ko...
...reboot...
bash-2.05b$ uname -a
FreeBSD orr.taosecurity.com 5.2-SECURITY FreeBSD 5.2-SECURITY #0:
Thu Feb 5 10:24:52 GMT 2004 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

Two OpenBSD advisories have been posted in the last month. The binary patch from binpatch addresses the message handling flaws in isakmpd(8). There is no binary patch posted yet for the reference counting bug in shmat(2) announced yesterday.

bash-2.05b# wget http://www.openbsd.org.mx/pub/binpatch/3.4/i386/binpatch-3.4-i386-009.tgz
--09:07:55-- http://www.openbsd.org.mx/pub/binpatch/3.4/i386/binpatch-3.4-i386-009.tgz
=> `binpatch-3.4-i386-009.tgz'
Resolving www.openbsd.org.mx... done.
Connecting to www.openbsd.org.mx[208.33.29.188]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 480,408 [text/plain]

100%[====================================>] 480,408 30.74K/s ETA 00:00

09:08:11 (30.74 KB/s) - `binpatch-3.4-i386-009.tgz' saved [480408/480408]
bash-2.05b# ls -al
total 500
drwxr-xr-x 2 root wheel 512 Feb 6 09:08 .
drwxr-xr-x 4 root wheel 512 Feb 6 09:07 ..
-rw-r--r-- 1 root wheel 480408 Jan 15 17:03 binpatch-3.4-i386-009.tgz
bash-2.05b#
bash-2.05b# md5 binpatch-3.4-i386-009.tgz
MD5 (binpatch-3.4-i386-009.tgz) = 44260e1d04a687f67ae9e0e928c447c8
bash-2.05b# tar -xzvpf binpatch-3.4-i386-009.tgz -C /
./sbin/isakmpd
./usr/share/ipsec/isakmpd/VPN-3way-template.conf
./usr/share/ipsec/isakmpd/VPN-east.conf
./usr/share/ipsec/isakmpd/VPN-west.conf
./usr/share/ipsec/isakmpd/policy
./usr/share/ipsec/isakmpd/singlehost-east.conf
./usr/share/ipsec/isakmpd/singlehost-east.gdb
./usr/share/ipsec/isakmpd/singlehost-setup.sh
./usr/share/ipsec/isakmpd/singlehost-west.conf
./usr/share/ipsec/isakmpd/singlehost-west.gdb
...No reboot needed as this does not affect the kernel...

These sorts of binary upgrades are a good alternative for those running stock systems on slow hardware or in constrained environments (e.g., lack of compiler).

Assembly and OS Threads at Slashdot

Slashdot has covered two interesting topics recently: Learning Computer Science via Assembly Language and Building Your Own Operating System. I learned of two online books to assist with these topics: PC Assembly Language and Programming from the Ground Up.

If you want to run UNIX on your Commodore 64, try LUnix.

Wednesday, February 04, 2004

Configuring ssh-askpass and ssh-agent

I decided to set up ssh-agent and ssh-askpass on my laptop to allow easier access to other systems on my LAN. First I created a public/private key pair:

bash-2.05b$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/richard/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/richard/.ssh/id_dsa.
Your public key has been saved in /home/richard/.ssh/id_dsa.pub.
The key fingerprint is:
OB:FU:SC:AT:ED:FO:RS:EC:UR:IT:YR:EA:SO:NS richard@orr.taosecurity.com

Next I added the contents of /home/richard/.ssh/id_dsa.pub to newly-created authorized_keys files in the ~/.ssh/ directory on every server to which I wished to connect.

To ease log-in, I changed my laptop's .xinitrc file to look like this:

# With stdin redirected from /dev/null and DISPLAY set, ssh-add prompts
# for the passphrase through ssh-askpass instead of the terminal.
ssh-add < /dev/null
exec fvwm-themes-start

I also ensured my .profile had these entries:

SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-s"
# Start an agent only if none is already available and the binary exists.
if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
    eval `$SSHAGENT $SSHAGENTARGS`
    # Kill the agent when this login shell exits.
    trap "kill $SSH_AGENT_PID" 0
fi

Now when I execute 'startx', I see ssh-askpass prompt for the passphrase I entered when generating the DSA key pair above. I can log in to all the servers that have my laptop's public key in their authorized_keys file without entering a password.

FreeBSD Ports Gettext Problems Over

If you've been having troubles upgrading FreeBSD ports due to conflicts between versions of devel/gettext, your problems are over. Joe Marcus Clarke's post to freebsd-ports indicates he's set all ports requiring gettext to use the newest version. The problem originated with the way the gettext port was modified in late January. I just updated all ports on my FreeBSD 4.9 STABLE system and am doing the same on my FreeBSD 5.2 RELEASE box now. Everything seems to work ok.

Review of The Art of UNIX Programming Posted

Amazon.com just posted my four star review of The Art of UNIX Programming. From the review:

"I found histories of "UNIX vs. UNIX" and "UNIX vs the world" very informative. TAOUP presents concise explanations of licensing, RFC creation, and UNIX philosophy. I was happy to see that an open source project to which I contribute (Sguil) met many UNIX design criteria, like text-based communication between small collaborating daemons. I plan to follow TAOUP's recommendations for documentation so helpfully discussed in chapter 18 when I release the next set of Sguil guides.

TAOUP offers numerous priceless quotes from UNIX pioneers, but ESR himself offers my favorite: "Open source is what happens when code reuse gets a flag and an army." I hope UNIX advocates everywhere carry TAOUP into battle against their proprietary, monopolistic OS foes. With a few more nods to the enemy and a more balanced comparison of languages, TAOUP will be unbeatable."

Tuesday, February 03, 2004

Is PacketStorm Dead?

One of my favorite sites, www.packetstormsecurity.org, hasn't been updated since the second week in January. Email to staff@packetstormsecurity.org and staff@packetstormsecurity.nl is being refused:

This is the Postfix program at host fallback-2.mail.widexs.nl.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Postfix program

: connect to
pop.packetstormsecurity.nl[213.206.75.252]: Connection refused

Is this the end for PacketStorm?

Monday, February 02, 2004

Kung Fu Coming to DVD

I'm in the last month of writing The Tao of Network Security Monitoring, so I haven't had much time to fool around with FreeBSD or other items of technical or security interest. However, I'm still happy. The New England Patriots won Super Bowl XXXVIII, considered by some to be the best ever.

Now, after perusing Amazon.com, I just learned that on 16 March 2004, the entire First Season of the classic 1970s TV series Kung Fu will be released on DVD by Warner Home Video. I expect the second and third seasons to appear later this year. The Kung Fu TV series is the reason I first started studying martial arts seriously in 1994.