Showing posts from August, 2006

Review of Essential SNMP, 2nd Ed Posted

I just posted my four star review of Essential SNMP, 2nd Ed. From the review: Essential SNMP, 2nd Ed (ES2E) fills a gap in being a modern book about an important management protocol. SNMP is used extensively by network management stations (NMS) like Nagios, which is now the subject of two independent books. ES2E does a good job covering SNMP issues important to administrators and NMS users. However, the book's organization and subject matter could be improved in the 3rd edition. This is why I've been blogging on SNMP today. That's 12 book reviews for the month of August. Whew.

Sending and Receiving SNMP Traps

SNMP is turning into more voodoo than I expected. I decided to document the following examples for future reference. SNMP traps are messages sent from agents to network management systems (NMS). A simple trap receiver is Net-SNMP's snmptrapd. I started it as shown so I could watch messages roll in.

    orr:/root# snmptrapd -f -Lo
    2006-08-31 21:45:50 NET-SNMP version 5.2.3 Started.

As you can see, snmptrapd listens on port 162 UDP.

    orr:/home/richard$ sockstat -4 | grep snmptrapd
    root     snmptrapd  5080  9   udp4   *:162   *:*

Now I will use the snmptrap program to generate traps. First, a SNMP v1 trap for uptime.

    orr:/home/richard$ snmptrap -v 1 -c read localhost '' localhost 6 1 ''

Here is what snmptrapd sees.

    2006-08-31 21:47:16 [] (via UDP: []:63651) TRAP, SNMP v1, community read
            SNMPv2-SMI::enterprises.3.1.1 Enterprise Specific Trap (1) Uptime: 16:45:42.27

Here is the SNMP v1 trap packet.

    Simple Netw

Updating Cisco Switch to Support Encrypted SNMP v3

I realized I had an IOS image for my Cisco switch that supported crypto, as required for encrypted SNMP. I decided to reflash my switch to add this support. This is an example of a blog entry for my future reference. I don't expect any Cisco-ites to learn anything from this. First I see what version of IOS is installed.

    2950T-24#show ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Tue 04-Mar-03 02:14 by yenanh
    Image text-base: 0x80010000, data-base: 0x805A8000

    ROM: Bootstrap program is CALHOUN boot loader

    2950T-24 uptime is 3 hours, 20 minutes
    System returned to ROM by power-on
    System image file is "flash:/c2950-i6q4l2-mz.121-13.EA1.bin"

    cisco WS-C2950T-24 (RC32300) processor (revision J0) with 20839K bytes of memory.
    Processor board ID FHK0720Z0R3
    Last reset from system-reset
    Running Enhanced Image
    24 FastEthernet/IEEE 802.3 int

SNMP v3 on Cisco Switch

Using these instructions I set up SNMP v3 on my Cisco 2950-T switch.

    2950T-24>enable
    Password:
    2950T-24#conf t
    2950T-24(config)#snmp-server view readview internet included
    2950T-24(config)#snmp-server group readonly v3 auth read readview
    2950T-24(config)#snmp-server user richard readonly v3 auth md5 bejtlichpass
    Adding an snmpv3 user could cause a bootup delay, do you wish to continue? (y/n)[confirm]y
    2950T-24(config)#exit
    2950T-24#

I was not able to use DES encryption because the switch does not have a crypto image. This output has the clues I need to track down what image I'm using.

    orr:/home/richard$ snmpwalk -v3 -u richard -l authNoPriv -a MD5 -A bejtlichpass system
    SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Tue 04-Mar-03 02:14 by yenanh
    SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::ente

SNMP Comments Part II

Earlier today I described how to modify the sysLocation MIB entry using SNMP v1 or v2c. I can do so with SNMP v3 too. Here is the syntax, followed by packet captures. I disabled encryption so we could read the protocol.

    orr:/home/richard$ snmpset -v 3 -u richard -l authNoPriv -a MD5 -A bejtlichpass sysLocation.0 s Manassas
    SNMPv2-MIB::sysLocation.0 = STRING: Manassas

Here is the SNMP v3 set.

    Simple Network Management Protocol
        msgVersion: snmpv3 (3)
        msgGlobalData
            msgID: 1062947135
            msgMaxSize: 65507
            msgFlags: 05
                .... .1.. = Reportable: Set
                .... ..0. = Encrypted: Not set
                .... ...1 = Authenticated: Set
            msgSecurityModel: USM (3)
        msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
            1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
            Engine Enterprise ID: net-snmp (8072)
            Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
            Engine ID Data: 0F7E0663
            Engine ID Data: Creation Ti
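As an added example, not code from the original posts, here is what `auth md5 bejtlichpass` on the switch in the previous entry and the Authenticated flag in this capture amount to in RFC 3414 terms: the password is stretched and hashed into Ku, localized with the authoritative engine ID (the msgAuthoritativeEngineID above belongs to the Net-SNMP agent) into Kul, and Kul keys an HMAC-MD5 truncated to 96 bits over the whole message. The engine ID and password below are the ones in the posts; the message bytes in the demo are constructed. The same derivation is what a `createUser richard MD5 bejtlichpass` line in Net-SNMP's snmpd.conf performs on the agent side.

```python
"""User-based Security Model pieces behind 'auth md5 <password>' (RFC 3414).
Added example, not code from the original posts."""
import hashlib
import hmac


def password_to_key(password, hashname="md5"):
    """RFC 3414 A.2: hash the password repeated out to exactly 1,048,576 bytes -> Ku."""
    pw = password.encode()
    reps, rem = divmod(1_048_576, len(pw))
    return hashlib.new(hashname, pw * reps + pw[:rem]).digest()


def localize_key(ku, engine_id, hashname="md5"):
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent stores, different on every engine."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def parse_msg_flags(flags):
    """The msgFlags octet from the capture: bit 0 auth, bit 1 priv, bit 2 reportable."""
    return {"auth": bool(flags & 0x01), "priv": bool(flags & 0x02),
            "reportable": bool(flags & 0x04)}


def auth_params(kul, whole_msg_with_zeroed_params, hashname="md5"):
    """HMAC-96: the 12-byte msgAuthenticationParameters value. The sender computes it over
    the whole message with that field set to twelve zero bytes, then writes the result there."""
    return hmac.new(kul, whole_msg_with_zeroed_params, hashname).digest()[:12]


def verify_auth(kul, whole_msg_with_zeroed_params, received_params, hashname="md5"):
    """Receiver side: recompute over the zeroed message and compare in constant time."""
    return hmac.compare_digest(auth_params(kul, whole_msg_with_zeroed_params, hashname),
                               received_params)


if __name__ == "__main__":
    # msgAuthoritativeEngineID from the capture above; password from the switch entry
    engine_id = bytes.fromhex("80001F88800F7E06630CC1F644")
    kul = localize_key(password_to_key("bejtlichpass"), engine_id)
    print("Kul for richard on that engine:", kul.hex())
    print("msgFlags 05 ->", parse_msg_flags(0x05))
```

Because Kul depends on the engine ID, a Kul lifted from one device does not authenticate the user to another, but the password still does everywhere, so it deserves the same care as any shared secret. MD5 and DES are the 2006 settings; prefer SHA and AES on images that support them.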

SNMP v1, v2c, and v3

The book pictured at left spends more time on SNMP v1 and v2c than it does on SNMP v3. For example, it provides packet captures for v1 and v2c but not v3. SNMP v1 is everywhere, but we should use SNMP v3 where possible. I thought it would be helpful to show all three formats in one place. Here is my snmpd.conf for SNMP v1 and v2c.

    ###########################################################################
    #
    # snmpd.conf
    #
    #   - created by the snmpconf configuration program
    #
    ###########################################################################
    # SECTION: Access Control Setup
    #
    #   This section defines who is allowed to talk to your running
    #   snmp agent.

    # rwuser: a SNMPv3 read-write user
    #   arguments:  user [noauth|auth|priv] [restriction_oid]

    rocommunity read
    rwcommunity write

Both rocommunity and rwcommunity take an optional source argument; left off as here, the strings are accepted from any address, so anyone who can reach UDP 161 on the host and guesses "write" can change values as well as read them. This is the syntax for a SNMP v1 snmpget.

    orr:/home/richard$ snmpget -v 1 -c read sysLocation.0
    SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the SNMP v1 get.

    Simple Network M
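As an added example, not code from either post, this encoder and decoder produces the same v1 trap that the snmptrap command in the Sending and Receiving SNMP Traps entry above generates, and the same v1 or v2c GetRequest as the snmpget here, so the structure the captures show can be inspected byte by byte. The enterprise OID, community, generic and specific trap numbers and the uptime come from those posts; the request-id, agent address and varbind values are made up.

```python
"""BER encoder/decoder for SNMPv1 and v2c community messages (RFC 1157, RFC 3416).
Added example, not code from the original posts; sample values are constructed."""
import ipaddress

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
IPADDRESS, TIMETICKS = 0x40, 0x43          # [APPLICATION 0], [APPLICATION 3]
GET_REQUEST, TRAP_PDU = 0xA0, 0xA4         # [0] and [4] IMPLICIT SEQUENCE
GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]

def _tlv(tag, body):
    n = len(body)
    # short form below 128; two-byte long form (valid BER) for anything up to 65535
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def encode_int(value, tag=INTEGER):
    # minimal two's-complement encoding; non-negative values only
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                   # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return _tlv(OID, bytes(body))

def _varbinds(pairs):
    return _tlv(SEQUENCE, b"".join(_tlv(SEQUENCE, encode_oid(o) + v) for o, v in pairs))

def _message(version, community, pdu):
    # the community string is a plain OCTET STRING: anyone on the path can read or replay it
    return _tlv(SEQUENCE, encode_int(version) + _tlv(OCTET_STRING, community.encode()) + pdu)

def encode_get(version, community, oids, request_id):
    """GetRequest-PDU; version 0 is SNMPv1, 1 is SNMPv2c. Values are NULL in a request."""
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0)   # error-status, error-index
    pdu += _varbinds([(o, _tlv(NULL, b"")) for o in oids])
    return _message(version, community, _tlv(GET_REQUEST, pdu))

def encode_trap_v1(community, enterprise, agent_addr, generic, specific, uptime, strings=()):
    """Trap-PDU (v1 only): unacknowledged UDP with no authenticator, so agent-addr and
    every other field are whatever the sender chose to put there."""
    pdu = (encode_oid(enterprise) + _tlv(IPADDRESS, ipaddress.IPv4Address(agent_addr).packed)
           + encode_int(generic) + encode_int(specific) + encode_int(uptime, TIMETICKS)
           + _varbinds([(o, _tlv(OCTET_STRING, s.encode())) for o, s in strings]))
    return _message(0, community, _tlv(TRAP_PDU, pdu))

def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _read_seq(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        items.append((tag, val))
    return items

def decode_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def _decode_varbinds(body):
    out = []
    for _, vb in _read_seq(body):
        (_, oid), (vtag, val) = _read_seq(vb)
        out.append((decode_oid(oid),
                    None if vtag == NULL else val.decode() if vtag == OCTET_STRING else val))
    return out

def decode_message(packet):
    """Parse a v1/v2c message into the fields snmptrapd and Wireshark print."""
    (_, ver), (_, comm), (ptag, pdu) = _read_seq(_read_tlv(packet)[1])
    msg = {"version": {0: "v1", 1: "v2c"}[ver[0]], "community": comm.decode()}
    fields = _read_seq(pdu)
    if ptag == TRAP_PDU:
        ent, addr, gen, spec, ticks, vbs = fields
        msg.update(pdu="Trap", enterprise=decode_oid(ent[1]),
                   agent_addr=str(ipaddress.IPv4Address(addr[1])),
                   generic_trap=GENERIC_TRAPS[gen[1][0]],
                   specific_trap=int.from_bytes(spec[1], "big"),
                   uptime_ticks=int.from_bytes(ticks[1], "big"))
    else:
        rid, err, _, vbs = fields
        msg.update(pdu="GetRequest" if ptag == GET_REQUEST else hex(ptag),
                   request_id=int.from_bytes(rid[1], "big"), error_status=err[1][0])
    msg["varbinds"] = _decode_varbinds(vbs[1])
    return msg

def format_uptime(ticks):
    # render TimeTicks the way snmptrapd does: 6034227 -> '16:45:42.27'
    secs, hund = divmod(ticks, 100)
    h, rem = divmod(secs, 3600)
    m, s = divmod(rem, 60)
    return f"{h}:{m:02d}:{s:02d}.{hund:02d}"
```

Two things are worth seeing in the bytes. The community string is a plain OCTET STRING that any sniffer reads, and a Trap-PDU carries no authenticator, so a forged trap with a convincing agent-addr is a one-argument change to encode_trap_v1. SNMP v2c differs from v1 in this code only by the version integer; v2c carries traps as SNMPv2-Trap-PDU [7] with sysUpTime and snmpTrapOID varbinds, which is not implemented here.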

SNMP Comments

I've been reading the book pictured at left, which I hope to review within the next few days. In the text they show examples using Net-SNMP tools to read and change system attributes using SNMP. One of the examples involves something like the following. They show modification of the sysLocation value.

    orr:/home/richard$ snmpget -v 1 -c read sysLocation.0
    SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here I'm reading the system location. Where does "somewhere" come from? I look at /usr/ports/net-mgmt/net-snmp/Makefile and find this:

    CONFIGURE_ARGS+=--enable-shared --enable-internal-md5 --with-mib-modules="${_NET_SNMP_MIB_MODULES}" --with-default-snmp-version="${DEFAULT_SNMP_VERSION}" --with-sys-contact="${NET_SNMP_SYS_CONTACT}" --with-sys-location="${NET_SNMP_SYS_LOCATION}" --with-logfile="${NET_SNMP_LOGFILE}" --with-persistent

September Issue of (IN)SECURE Magazine Posted

Mirko Zorz told me a new issue of (IN)SECURE Magazine is available online as Issue 1.8 September 2006 (.pdf).

FreeBSD Snort 2.6.0 Port Available

The FreeBSD security/snort port now offers 2.6.0. Just run portsnap fetch && portsnap update and you're ready. I'm not sure if/when Snort will be added to the ports tree. I haven't tried 2.6.1 Beta, yet.

Attacks Against WEP and Bump Keys

Any security professional should know that Wired Equivalent Privacy is broken. However, thanks to Alan Saqui's blog I learned of another attack method that completely devastates WEP. At almost the same time Brandon Greenwood sent me a link to this YouTube video about bump keys. This is an attack against physical locks that succeeds with minimal effort against most locks on the market. It was publicized in the United States at Hope 6 last month by Barry Wels of The Open Organization of Lockpickers (TOOOL) and Marc Tobias . MSNBC and Slashdot ran stories, and this week a NBC affiliate reported on the problem as well. This week Marc Tobias is blogging on the subject, and I've learned that locks by Abloy and Medeco are resistant to bump keys. Finally, the blogosphere has some commentary on the problem. It seems to me that attacks against WEP and bump keys are examples of the same problem. In either case, a determined intruder with sufficient tools and expertise

Pandemic Reporting Like Digital Security Incident Reporting

The 12 August 2006 issue of the Economist featured the story Global Health: A Shot of Transparency (subscription required). It reminded me of the state of reporting digital security incidents. At the moment, the world's pandemic-alert system is distressingly secretive. Some countries, such as Vietnam, have been fairly open about new outbreaks of the sorts of infectious disease that might lead to pandemics, and have even invited foreigners in to help diagnose the problem. Most, however, have not been so forthright. Public-health experts point to China and Thailand, both of which suffered outbreaks of potential pandemic illnesses in the past few years (SARS in China and avian influenza in Thailand) as examples of places that do not fully disclose the relevant details... The reasons for countries' reluctance to share information are understandable, though hardly defensible. Some believe that full disclosure could cause locals to panic and foreign tourists to stay away... Larry

Virtual Desktop Infrastructure Seminar

Last week I attended a seminar featuring VMware and Wyse pitching their Virtual Desktop Infrastructure . (Is it just me or does VMware's site seldom render properly in Firefox?) The Wyse rep passed around the Wyse S10 pictured at left. It lists for $299, "runs BSD" (called "ThinOS"), and features a 450 MHz AMD Geode CPU. Although it has USB ports you can't use them for thumb drives or CD-ROM drives. (More powerful units support those devices.) It has a PPTP client with support for SSL VPNs on the product roadmap. Also on the roadmap is 802.1X, PoE, and wireless support. The S10 is basically a box to access remote desktops using RDP , ICA , or a Leostream connection broker . The box can be managed remotely, and can have its firmware flashed remotely. This is the future of "business computing." It may also be the future of non-power-user consumer computing, at least for people with modest, office-like (email, Web, etc.) needs. The loca

Atom Feed Truncated -- Not My Fault

If you're subscribed to , sometime today Blogger decided to post summaries and not full stories. I changed nothing, I have full content publishing selected, and I even republished the whole blog. The RSS feed at is publishing whole content though. Update: It looks like the Atom feed fixed itself.

Notes from Cisco TV on CCNP

I'm listening to the first episode of CCNP TV . It's not really TV, more like slides plus audio. I'm listening because I wanted to know about the CCNP changes mentioned earlier. The new material will all use Cisco IOS 12.4. I found this change interesting: assume I earn my CCNP; in the future, I can recertify using any Professional level exam, like one from CCSP. Mixing and matching of old and new exams will be allowed within the guidelines explained in these two press releases. Parts of this webcast were hilarious. Despite Cisco's drive into voice, none of the callers could communicate with the hosts. The caller who got closest to speaking should have been told "turn your radio down!" because the broadcast was on a 30 second-or-so delay. The host also asked two questions twice each, and the other panel members pretended like it didn't happen. I heard the terms "billion dollar marketplace" and "revenue opportunity" repeate

Review of Inside Network Perimeter Security, 2nd Ed Posted

I just posted my three star review of Inside Network Perimeter Security, 2nd Ed. From the review: I first looked at Inside Network Perimeter Security, 2nd Ed (INPS:2E) for my blog, in May 2005. I decided to try reading it this week because I've been reading books on related topics. Individually, the INPS:2E authors largely know their craft. Unfortunately, the book is so poorly organized and diffused that I don't know why other reviewers rate it so highly. Furthermore, the choice of material covered and certain recommendations drag the book down. A third edition might be promising, but I recommend avoiding INPS:2E.

Again, External Threat Is More Prevalent

I almost fell out of my chair when word of the following story reached my Bloglines account: Study: Rethink the Outsider Threat . I published my thoughts on the prevalence of external threats in my first book , and I reiterated those thoughts recently . Now I appear to have some outside help. From the article: The report took data from the Department of Justice Computer Crime and Intellectual Property Section's network intrusion and data-theft prosecutions between 1999 and 2006. (See How Much Does a Hack Cost?) Phoenix Technologies commissioned the report, but the data came from DOJ cases... Outside attackers committed 79 percent of the crimes where user accounts were infiltrated[,] and former employees were the perpetrators in 21 percent of these types of breaches. And overall, 57 percent of attackers had no relationship with the victim organizations , 22 percent were former employees, 14 were current employees, and 7 percent had a customer or supplier relationship or similar &


Thanks to this SANS ISC story, I learned of Liveview. It's a program that converts disk images made with dd into VMware images. I decided to try the program on one of the images from Real Digital Forensics. We provide two images on the DVD: JBRWWW.dd.gz and BRJDEV.dd.gz. JBRWWW.dd.gz is a Windows image. Since we had to zero out Windows binaries in that image, it can't be booted. BRJDEV.dd.gz is a Linux image. The Liveview Web site shows there is "limited" support for Linux, but I decided to see how far I could get. Before gunzipping BRJDEV.dd.gz, I needed to patch it. For some reason the copy on the book DVD is corrupted. I followed the instructions at to patch the image.

    orr:/home/richard$ ls -al *.gz
    -rw-rw-rw-  1 richard  richard  181673834 Aug 29 15:06 BRJDEV.dd.gz
    -rw-rw-rw-  1 richard  richard  389144043 Aug 29 14:34 JBRWWW.dd.gz
    orr:/home/richard$ ls -al patch0001.bin
    -rw-r--r--  1 richard  richard  42635114 Mar  7 12:16 p

Using FCC Filings to Learn About Wireless Cards

One of the cool hints I learned in Ted Wallingford's 802.11 book involved finding your specific hardware in the FCC Equipment Authorization System Generic Search . My Linksys WPC54gv3 , for example, has these exhibits . I entered Q87 as the Grantee Code and -WPC54GV3 as the Product Code (including the leading dash). You can get these codes by reading them on your NIC. Using the Internal Photos .pdf, I can see that this NIC uses a Broadcom chipset. Plenty of other information is available too.

WildPackets OmniPeek Personal

Three years ago I attended a WildPackets traffic analysis seminar, which I liked. In June WildPackets announced the availability of the free (as in beer) OmniPeek Personal product. I learned of it from Average Admins . After using OmniPeek personal for a short time, I have to say I still prefer Wireshark for straightforward packet analysis. I'm sure I'm going to hear from diehard WildPackets fans that OmniPeek is the cat's meow, but hear me out. I realize that the power of OmniPeek lies in its network analysis features. OmniPeek and other WildPackets products are like "network troubleshooters in software." That's great, since Wireshark doesn't support many of those features. That is not a daily issue I face, however. My first problem with OmniPeek is that it runs on Windows. Why didn't I complain about that with NetWitness ? Well, NetWitness is a network forensics product, like EnCase is a host forensics product. I'm willing to deal

NSM Wiki created

David Bianco of Vorant created a Network Security Monitoring Wiki to share information on effective use of Sguil and other NSM tools. You might also like David's blog . If you've got custom queries you run in Sguil, or performance reports, or related issues, please share them on the Wiki. If you have questions about Sguil use, post them to the Sguil users list via email to sguil-users [at] Questions on Sguil development should go to sguil-devel [at] As always, you can discuss Sguil and NSM on in channel #snort-gui.

June 2006 Issue of (IN)SECURE Magazine Posted

Yes, I missed this event from two months ago! I just realized that a new edition of Mirko Zorz's (IN)SECURE Magazine is available online as Issue 1.7 June 2006 (.pdf).

Review of Penetration Testing and Network Defense Posted

I just posted my three star review of Penetration Testing and Network Defense. This was another disappointment that duped me into trying to read it. From the review: Penetration testing is becoming a hot topic again, but the available books on the subject continue to underwhelm. Penetration Testing and Network Defense (PTAND), published in the fall of 2005, would be a four star book if it had been published two years earlier. Stephen Northcutt, unlike all other reviewers, noticed this fact as well. When you combine this problem with PTAND with several other deficiencies, the result is a book you can unfortunately skip. On a brighter pen testing note, I read that work is progressing on version 3.0 of Pete Herzog's Open Source Security Testing Methodology Manual (OSSTMM). Maybe we'll see a new version in a few weeks? Also, the Active Filter Detection tool implements a cool function needed by OSSTMM.

Non-Review: Practical VoIP Security

Here's a first for the TaoSecurity Blog . As mentioned in a pre-review , I planned to read Practical VoIP Security and then write a review . I'd had a bad experience reading VoIP Security , so I hoped this new book would be better. Wrong. My policy for writing reviews is that I read either the whole book, or the vast majority of it. With Practical VoIP Security , I couldn't make it past the first chapter. In fact, by page 4 -- the third page of text -- I was frustrated. In three pages the author (who was the lead author and technical editor) had mentioned terms like PBX, SS7, H.323, SIP, SNMP, VoIP, and SIGTRAN (which never appears again in this book!) without explaining any of them. I am familiar with all except the last, but I should not have to rely on past knowledge when reading the introductory pages of a "practical" book. The first chapter, overall, is a rambling collection of ideas that do nothing to prepare the reader for wha

Security Engineering Book in Digital Form

I just read at Light Blue Touchpaper that one of my top ten books of the past ten years is now available online . Now you have no excuse not to read this incredible book (reviewed here ). It seems funny that the blog commenters asking about making a single .pdf have not heard of Pdftk . Thanks to jimmythegeek for getting this news to me faster than my Bloglines feed.

More Snort and Sguil Tuning

Let's assume you built a new Sguil sensor and have tuned Snort using advice in my Tuning Snort article. What I like to do next is wait a day or so and then run the following query to look for problematic alert types.

    mysql> select count(*) as total, event.signature from event where event.status=0 group by event.signature order by total desc;
    +-------+------------------------------------------------------------------------+
    | total | signature                                                              |
    +-------+------------------------------------------------------------------------+
    | 43416 | SHELLCODE x86 NOOP                                                     |
    |  4145 | POLICY SMTP relaying denied                                            |
    |  3394 | WEB-MISC PCT Client_Hello overflow attempt                             |
    |  2148 | WEB-CGI calendar access                                                |
    |  1645 | tag: Tagged Packet
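As an added example, not code from the post or from Sguil, here is the query above run against a stand-in event table, followed by the step a practitioner takes next: breaking the busiest signature down by source and drafting Snort threshold.conf suppress lines for sources that dominate an alert type. The schema is a simplified stand-in for Sguil's event table (Sguil stores src_ip as an unsigned integer), and every row, address and sig_id below is constructed rather than taken from a real sensor.

```python
"""Find noisy alert types the way the query above does, then drill into them by source.
Added example; the table, rows and sig_id values are constructed stand-ins, not Sguil data."""
import sqlite3


def build_sample():
    """Constructed unreviewed (status=0) and reviewed (status=1) events."""
    rows = []

    def add(sig, sid, src, n, status=0):
        rows.extend((sig, 1, sid, src, status) for _ in range(n))

    add("SHELLCODE x86 NOOP", 648, "10.1.1.54", 400)     # one file server dominates the noise
    add("SHELLCODE x86 NOOP", 648, "10.1.1.7", 40)
    add("WEB-CGI calendar access", 882, "172.16.9.1", 50)  # spread evenly: no single source to blame
    add("WEB-CGI calendar access", 882, "172.16.9.2", 50)
    add("WEB-CGI calendar access", 882, "172.16.9.3", 50)
    add("POLICY SMTP relaying denied", 2000, "192.168.5.2", 60)   # below the volume threshold
    add("WEB-MISC PCT Client_Hello overflow attempt", 2515, "10.1.1.7", 20, status=1)  # already reviewed
    return rows


def load_events(rows):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event (signature TEXT, signature_gen INTEGER, "
                "signature_id INTEGER, src_ip TEXT, status INTEGER)")
    con.executemany("INSERT INTO event VALUES (?, ?, ?, ?, ?)", rows)
    return con


def top_signatures(con):
    """The query from the post: unreviewed alerts grouped by signature, busiest first."""
    return con.execute(
        "SELECT COUNT(*) AS total, signature FROM event WHERE status=0 "
        "GROUP BY signature ORDER BY total DESC").fetchall()


def sources_for(con, signature):
    """Second cut: who is generating a given alert type."""
    return con.execute(
        "SELECT COUNT(*) AS total, src_ip FROM event WHERE status=0 AND signature=? "
        "GROUP BY src_ip ORDER BY total DESC", (signature,)).fetchall()


def suggest_suppressions(con, share=0.5, min_total=100):
    """Draft a threshold.conf 'suppress' line for any source producing at least `share` of an
    alert type's unreviewed events, once that type has at least `min_total` of them. Every line
    still needs a human to confirm the source is benign before it goes into the config."""
    lines = []
    for total, sig in top_signatures(con):
        if total < min_total:
            continue
        gen, sid = con.execute(
            "SELECT signature_gen, signature_id FROM event WHERE signature=? LIMIT 1",
            (sig,)).fetchone()
        for n, src in sources_for(con, sig):
            if n / total >= share:
                lines.append(f"# {n} of {total} '{sig}' events came from {src}\n"
                             f"suppress gen_id {gen}, sig_id {sid}, track by_src, ip {src}")
    return lines


if __name__ == "__main__":
    con = load_events(build_sample())
    for total, sig in top_signatures(con):
        print(f"{total:6d}  {sig}")
    print("\n".join(suggest_suppressions(con)))
```

Treat the output as a worksheet, not a config. Suppression hides events from the analyst, so before adding a line ask whether the rule itself is worth keeping (SHELLCODE x86 NOOP fires on ordinary binary downloads) and whether the dominant source is known and benign; otherwise you have tuned out the one host that matters.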

NoVA Sec First Meeting Pictures at

Paul Zedeck was kind enough to send pictures from the first NoVA Sec meeting last week. Please visit the NoVA Sec Blog for details. I try to avoid cross-posting, so keep an eye on that blog for word on the next NoVA Sec meeting.

Network Forensics with NetWitness

Ten days ago I had the privilege of attending a day of product training for NetWitness . NetWitness is a real network forensics tool produced by a company of the same name. Anyone who's read my books or attended my training knows I am a big fan of open source tools. NetWitness, however, is built to facilitate investigating network traffic. It's important to differentiate between packet collectors, protocol analyzers, and network forensics tools. Dumpcap is the prototypical packet collector. Simpler than Tcpdump and much simpler than Tshark , all Dumpcap does is record packets. It's especially suited for this role, however, because it offers native trace rotation capabilities. Tcpdump, Tshark, and Wireshark are all protocol analyzers. Yes, Tcpdump is a protocol analyzer, although it is not as robust as Tshark or Wireshark. Protocol analyzers are suited for packet-centric inspection. For example, I used Wireshark extensively while learning about 802.11 traffic.