not this Brute Force

This is the big question when we try to categorize this type of attack: whether this SSH brute force attack falls under reconnaissance/scanning/information gathering or is already at the exploitation phase, which can be categorized as Attempted Unauthorized Access. Some said it should be categorized under Reconnaissance, while others preferred it to be categorized as Attempted Unauthorized Access.


I think this is one of the most overlooked items when putting machines/systems/applications on the wire. Take as an example a machine that will host web applications offered to the public via the Internet, to our business partners via an extranet and perhaps for internal purposes only via an intranet: we might concentrate on auditing the source code to eliminate any possible flaws, on open ports, on the services required to run on the machine, on platform hardening and many others.


A few weeks ago I did a presentation on our department's general work flow. I'd prepared some presentation slides and some handouts indicating the work flow (I tried my best to be as clear as possible) and everything was fine at that time. Soon afterward one of my colleagues complained that the stakeholders affected by the work flow either only partially understood my presentation or were totally clueless about it. Hence I ended up scratching my head trying to figure out what went wrong (No wonder my CSO is having less hair ;) )


Well, my itchy fingers were playing around with the courses offered by SANS and GIAC. And then out of curiosity I just accessed the SANS OnDemand demo for course 517: Cutting Edge Hacking Techniques. It is just a demo and I can see a glimpse of what the course will cover over 2 days. Basically I think it is an extension of the course that I've taken, Hacker Techniques, Exploits and Incident Handling, where IF I pass the exam, then I will be a GIAC (Global Information Assurance Certification) Certified Incident Handler - GCIH.

So this on-demand course demo let me access 2 sets of slides that cover 2 topics, and the assessment is done on the second topic. To be honest, the questions are not that difficult but you might fail the assessment if you DID NOT read carefully. :)

Oh yeah, you need an account at the SANS Portal to access the demo btw.

So hopefully I will get the real certification later on :)

Oh yeah, while having a light drink with my colleagues and discussing the current problems that we face and the required solutions, one of my colleagues shared one good story which IMHO lightened our mood for the day. The story goes like this.

He went for an interview for a Firewall Analyst post at one of the multinational companies here in Malaysia. During the interview, he was asked by one of the interviewers this question,

“Besides snort, can you give another example of sensor?”


I seldom post any politics-related topics in this blog as I am more of a bipartisan type of guy, plus I dun want this blog to be a political blog. But yesterday, for the first time in Malaysian political history, a debate session between an opposition political leader and a representative of the government on the issue of the fuel hike was held. To be honest, the theme of the debate is the promise by the opposition coalition that once they assume federal power, the price of fuel will be reduced the next day.


First of all, I would like to congratulate my friends, mr geek00l and mel (I believe he is one of the brains behind the company as well ;) ), on the establishment of their new company Defcraft SDN. BHD. Well, we can call them young technopreneurs and of course, professionally, Defcraft will become one of the competitors of the company that I currently work for as well. Anyway I wish them all the best and very good luck. Competition aside, they are still my friends in this industry and I still hope that we can share a few things tho ;)

Well, I guess in this industry the best way is to share our knowledge, skills and methodologies to fend off cyber attacks and the emerging new threats and attack trends. IMHO, nowadays the main worry is how we can really mitigate client-side attacks. Botnets are becoming more and more serious: where we used to just gather a few eggdrops to DoS certain users in IRC channels, it then evolved to perform larger-scale attacks against the IRC servers as well, and I do believe this kind of attack has a financial motivation behind it. Now, with the emergence of the RBN model, these bots are more than an attack tool; they have become an advertising tool in the form of spamming and others. And yes, nowadays it is totally about money.

I used to agree that we should educate the managers instead of the users, but now I think we need to educate both of them. Policies become useless when nobody adheres to them. So I do believe that we, the so-called security professionals, need to work together in order to at least minimize the impact or mitigate the risk of this type of attack. Possible?

On the other hand, my company seems to be performing some good exercise which will make certain quarters of the stakeholders more than happy. Even though personally I am not affected by this exercise, I do welcome it as it shows that the wind of change has finally arrived ;)

Again congratulations to my friends and perhaps someday we can have TT together eh?

Don’t worry, it is not about my twin btw.

Can you spot the difference (especially in terms of traffic behaviour) between these two packet capture files?

I used windump on my Windows XP machine, and the command I executed to produce these outputs is

wd -Snnr packet_capture_file.pcap dst port 22

Packet Capture 1

20:25:00.696718 IP 192.168.4.128.1813 > 192.168.4.126.22: S 2151807408:2151807408(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>

20:25:00.698859 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369704931 win 64000

20:25:00.751279 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807409:2151807437(28) ack 1369704970 win 63980

20:25:00.760521 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807437:2151807941(504) ack 1369705706 win 63612

20:25:00.760616 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807941:2151807957(16) ack 1369705706 win 63612

20:25:00.900008 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807957:2151808229(272) ack 1369705986 win 63472

20:25:01.094824 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808229:2151808245(16) ack 1369706770 win 64000

20:25:01.095211 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808245:2151808297(52) ack 1369706770 win 64000

20:25:01.211169 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369706822 win 63974

20:25:06.746347 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808297:2151808365(68) ack 1369706822 win 63974

20:25:07.627074 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808365:2151808465(100) ack 1369706890 win 63940

20:25:07.747682 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369706958 win 63906

20:25:09.354328 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808465:2151808741(276) ack 1369706958 win 63906

20:25:09.361925 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808741:2151808841(100) ack 1369707026 win 63872

20:25:09.559764 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707094 win 63838

20:25:11.762118 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808841:2151809117(276) ack 1369707094 win 63838

20:25:11.768410 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809117:2151809217(100) ack 1369707162 win 63804

20:25:11.973704 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707230 win 63770

20:25:13.357811 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809217:2151809493(276) ack 1369707230 win 63770

20:25:13.365031 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809493:2151809593(100) ack 1369707298 win 63736

20:25:13.482591 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707366 win 63702

20:25:14.856313 IP 192.168.4.128.1813 > 192.168.4.126.22: F 2151809593:2151809593(0) ack 1369707366 win 63702

20:25:14.864991 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707367 win 63702

Packet Capture 2

16:30:59.167586 IP 192.168.2.8.32862 > 192.168.2.9.22: S 1789751218:1789751218(0) win 5840 <mss 1460,sackOK,timestamp 25550657 0,nop,wscale 2>

16:30:59.168266 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969780 win 1460 <nop,nop,timestamp 25550658 20899740>

16:30:59.194809 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969800 win 1460 <nop,nop,timestamp 25550659 20899766>

16:30:59.194814 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751219:1789751240(21) ack 1673969800 win 1460 <nop,nop,timestamp 25550659 20899766>

16:30:59.203125 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751240:1789751392(152) ack 1673970440 win 1780 <nop,nop,timestamp 25550660 20899774>

16:30:59.210623 IP 192.168.2.8.32863 > 192.168.2.9.22: S 1783492046:1783492046(0) win 5840 <mss 1460,sackOK,timestamp 25550662 0,nop,wscale 2>

16:30:59.210642 IP 192.168.2.8.32864 > 192.168.2.9.22: S 1787890826:1787890826(0) win 5840 <mss 1460,sackOK,timestamp 25550663 0,nop,wscale 2>

16:30:59.210647 IP 192.168.2.8.32865 > 192.168.2.9.22: S 1788072431:1788072431(0) win 5840 <mss 1460,sackOK,timestamp 25550664 0,nop,wscale 2>

16:30:59.212077 IP 192.168.2.8.32863 > 192.168.2.9.22: . ack 1687906519 win 1460 <nop,nop,timestamp 25550665 20899783>

16:30:59.238583 IP 192.168.2.8.32864 > 192.168.2.9.22: . ack 1678854406 win 1460 <nop,nop,timestamp 25550665 20899784>

16:30:59.238588 IP 192.168.2.8.32865 > 192.168.2.9.22: . ack 1673861893 win 1460 <nop,nop,timestamp 25550665 20899784>

16:30:59.238592 IP 192.168.2.8.32863 > 192.168.2.9.22: . ack 1687906539 win 1460 <nop,nop,timestamp 25550666 20899810>

16:30:59.238596 IP 192.168.2.8.32863 > 192.168.2.9.22: P 1783492047:1783492068(21) ack 1687906539 win 1460 <nop,nop,timestamp 25550666 20899810>

16:30:59.238600 IP 192.168.2.8.32866 > 192.168.2.9.22: S 1780193083:1780193083(0) win 5840 <mss 1460,sackOK,timestamp 25550667 0,nop,wscale 2>

16:30:59.238604 IP 192.168.2.8.32867 > 192.168.2.9.22: S 1781912197:1781912197(0) win 5840 <mss 1460,sackOK,timestamp 25550668 0,nop,wscale 2>

16:30:59.280609 IP 192.168.2.8.32866 > 192.168.2.9.22: . ack 1685157275 win 1460 <nop,nop,timestamp 25550668 20899812>

16:30:59.280614 IP 192.168.2.8.32867 > 192.168.2.9.22: . ack 1686380212 win 1460 <nop,nop,timestamp 25550669 20899812>

16:30:59.280619 IP 192.168.2.8.32868 > 192.168.2.9.22: S 1786479460:1786479460(0) win 5840 <mss 1460,sackOK,timestamp 25550670 0,nop,wscale 2>

16:30:59.280623 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751392:1789751536(144) ack 1673970440 win 1780 <nop,nop,timestamp 25550670 20899816>

16:30:59.280627 IP 192.168.2.8.32864 > 192.168.2.9.22: . ack 1678854426 win 1460 <nop,nop,timestamp 25550670 20899837>

16:30:59.280631 IP 192.168.2.8.32864 > 192.168.2.9.22: P 1787890827:1787890848(21) ack 1678854426 win 1460 <nop,nop,timestamp 25550670 20899837>

16:30:59.280635 IP 192.168.2.8.32865 > 192.168.2.9.22: . ack 1673861913 win 1460 <nop,nop,timestamp 25550671 20899851>

16:30:59.280639 IP 192.168.2.8.32865 > 192.168.2.9.22: P 1788072432:1788072453(21) ack 1673861913 win 1460 <nop,nop,timestamp 25550671 20899851>

16:30:59.280643 IP 192.168.2.8.32863 > 192.168.2.9.22: P 1783492068:1783492220(152) ack 1687907179 win 1780 <nop,nop,timestamp 25550671 20899849>

There are some significant differences between those two packet captures, and from the pattern itself we can probably identify what happened in trace 1 and trace 2.

So what do you think?

I dun have any appropriate post topic actually, but let me sum up whatever I have in my head.

For yesterday's interview, like I mentioned in my previous post, I didn't expect too much and boy, it helped. On the happy note, most of the candidates showed a lot of passion and it seems that they have the right attitude to be in this industry, but perhaps that's because whenever you are in an interview you will try your best to project that you ARE the suitable candidate and you DO HAVE the right attitude, rite? But as I am a good person, I just gave good recommendations for the higher management to decide. Sad note? I think it is better for me to keep it to myself.

On the other hand, I think I am getting more and more of a macro view of the overall picture of my current work. It seems that I (think I) managed to pull all the strings together, use other information to relate to my current work and somehow managed to see the bigger picture. Even though I have to admit that I do miss doing some full-blown tasks like research and learning new things fully (not on an ad hoc basis), and reading properly (like my assembly thingy), somehow I think I can live with that for now. I've downloaded all the packets listed on openpacket.org but for now that's all. Hope I can play with those later on; still not yet finished with that brute force thingy either.

Hopefully I can finally manage to do all the stuff that I love to do, but for now, I think I am doing just fine.

Ahh.. I've noticed that my poyo interview questions attracted some interest here. Unfortunately the replies are not that accurate. So let me elaborate, or just give the answers here.

Q1: If I ping from host A to host B using ICMP Type 8 Code 0, which port does this ICMP packet go to?

A1: No port. The ICMP protocol structure does not have any port field in it. The message, or rather the type and code, will be processed by the receiving machine and an appropriate response will be given.

Q2: Based on this information (handshake2.txt), point out the handshake packets.

A2: Packet 7, packet 9 and packet 10. Take note of the TCP control flags AND the sequence numbers.

Q3: What kind of event can you derive from this trace file: trace1.pdf

A3: Port scanning using the SYN flag, or nmap -sS.

Q4: And what kind of event can you derive from this trace file? : trace2.pdf

A4: SYN FLOOD. I used hping2 to create these packets. SO what's the diff from trace1? Scanning is a form of information gathering, meaning you need to know and receive the response from the targeted machine. When flooding a system, you DO NOT WANT its responses. :)

Q5: Based on this alert information (alerts.pdf), can you identify any possible irregular behaviour in the traffic? (traffic_a.pdf)

A5: Possibly port 443 was used for other means. HTTPS is an encrypted channel and there's no way an IDS (without an SSL terminator/SSL proxy/SSL accelerator in use) can observe its traffic and subsequently produce alerts. And yes, when you can see uid=0 and guid=0 in a supposedly encrypted channel, you need to investigate further.
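The check behind A5, as an added example (not the blog author's code): an IDS that sees readable shell output on port 443 is seeing something that cannot be a TLS record, because every TLS record starts with a five-byte header of known shape. The marker strings and the three sample payloads are constructed here for illustration; a real signature set would carry more.

```python
"""Classify a TCP payload seen on port 443: TLS record, or cleartext that should
not be there. Added example for the A5 discussion; not the blog author's code."""

# TLS record-layer content types (RFC 5246 section 6.2.1).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}

# Constructed heuristic: strings that shell output leaks and that never appear
# as the start of a TLS record (illustrative, not a complete signature set).
CLEARTEXT_MARKERS = (b"uid=", b"gid=", b"root@", b"/bin/sh")


def looks_like_tls_record(payload: bytes) -> bool:
    """True if the first five bytes form a plausible TLS record header:
    known content type, major version 3, minor 0..4, sane record length."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= 2**14 + 2048)


def classify_443_payload(payload: bytes) -> dict:
    """Return a verdict plus any cleartext markers found. Cleartext on 443 is
    exactly what an IDS can read, and what the alert in A5 describes."""
    markers = [m.decode() for m in CLEARTEXT_MARKERS if m in payload]
    if looks_like_tls_record(payload):
        verdict = "tls"
    elif markers:
        verdict = "cleartext-shell"
    else:
        verdict = "cleartext-unknown"
    return {"verdict": verdict, "markers": markers,
            "content_type": TLS_CONTENT_TYPES.get(payload[0]) if verdict == "tls" else None}


# Constructed samples: the start of a TLS 1.2 ClientHello record, the output of
# `id` arriving in cleartext on a port that should carry TLS, and a binary blob.
SAMPLE_TLS = bytes.fromhex("16030100a9010000a50303")
SAMPLE_SHELL = b"uid=0(root) gid=0(root) groups=0(root)\n"
SAMPLE_BLOB = b"\x00\x01\x02\x03\x04\x05"

if __name__ == "__main__":
    for name, data in (("tls", SAMPLE_TLS), ("shell", SAMPLE_SHELL), ("blob", SAMPLE_BLOB)):
        print(name, classify_443_payload(data))
```

The header test is deliberately loose (it accepts any SSLv3 through TLS 1.3 record layer version) because the point is not to validate TLS but to catch traffic that is plainly not TLS; a payload that fails the header test and carries a marker is the case A5 says to investigate.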

Q6: With the existence of IPS, what do you think of the relevance of IDS?

A6: This is merely an opinion question, so IMHO the IDS is still relevant. In terms of deployment, an IPS is an inline device which needs to have super correct detection/prevention rules, or zero-false-positive rules. From this perspective, most of the time only confirmed, selective rules will be implemented. An IDS, on the other hand, is a passive device which never interrupts the network flow. So when an attack comes along that the IPS rules did not recognize or filter (due to the false-positive risk), the IDS becomes the safety net (in the sense of alerting for investigation). I've posted many times on this matter so I won't elaborate more.

So that’s it. :P
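Two of the exercises above come down to reading tcpdump output by hand: picking the handshake packets out by flags and sequence numbers (A2), and noticing how differently the two SSH captures behave (one source port holding a single session versus many source ports opened within milliseconds). This added example, which is not the blog author's code, parses the classic one-line tcpdump/windump TCP format used in the captures above and computes those features. TRACE1 and TRACE2 quote lines from the two captures; the server-side SYN/ACK line in HANDSHAKE is constructed, because the original filter (dst port 22) dropped the return direction.

```python
"""Pull handshake and connection-rate features out of classic tcpdump/windump
one-line TCP output (pre-4.0 format). Added example, not the blog author's code."""
import re
from collections import defaultdict

# time IP src.sport > dst.dport: FLAGS [seq:end(len)] [ack N] win W [<opts>]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?"
)


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a packet dict, or None for lines that are not TCP output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"t": to_seconds(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "len": int(d["len"]) if d["len"] else 0,
            "ack": int(d["ack"]) if d["ack"] else None}


def parse_trace(text):
    return [p for p in map(parse_line, text.splitlines()) if p]


def find_handshakes(pkts):
    """1-based packet numbers (SYN, SYN/ACK, ACK) of each completed handshake.
    The SYN/ACK must come from the server side and acknowledge syn.seq+1;
    the final ACK must come from the client and acknowledge synack.seq+1."""
    found = []
    for i, syn in enumerate(pkts):
        if syn["flags"] != "S" or syn["ack"] is not None:
            continue
        for j in range(i + 1, len(pkts)):
            sa = pkts[j]
            if (sa["flags"] == "S" and sa["ack"] == syn["seq"] + 1
                    and (sa["src"], sa["sport"]) == (syn["dst"], syn["dport"])
                    and (sa["dst"], sa["dport"]) == (syn["src"], syn["sport"])):
                for k in range(j + 1, len(pkts)):
                    a = pkts[k]
                    if ("." in a["flags"] and a["ack"] == sa["seq"] + 1
                            and (a["src"], a["sport"]) == (syn["src"], syn["sport"])):
                        found.append((i + 1, j + 1, k + 1))
                        break
                break
    return found


def connection_summary(pkts):
    """Per 4-tuple: packet count, bytes pushed by the client, duration in seconds."""
    conns = defaultdict(list)
    for p in pkts:
        conns[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    return {k: {"packets": len(v), "bytes": sum(p["len"] for p in v),
                "duration": round(v[-1]["t"] - v[0]["t"], 6)} for k, v in conns.items()}


def max_syn_burst(pkts, window=1.0):
    """Most fresh SYNs one source IP sent to one destination port within `window` seconds."""
    by_key = defaultdict(list)
    for p in pkts:
        if p["flags"] == "S" and p["ack"] is None:
            by_key[(p["src"], p["dst"], p["dport"])].append(p["t"])
    best = 0
    for times in by_key.values():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
    return best


# Sample input. TRACE1/TRACE2 quote lines from the two captures in the post.
TRACE1 = """\
20:25:00.696718 IP 192.168.4.128.1813 > 192.168.4.126.22: S 2151807408:2151807408(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
20:25:00.698859 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369704931 win 64000
20:25:00.751279 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807409:2151807437(28) ack 1369704970 win 63980
20:25:06.746347 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808297:2151808365(68) ack 1369706822 win 63974
"""
TRACE2 = """\
16:30:59.167586 IP 192.168.2.8.32862 > 192.168.2.9.22: S 1789751218:1789751218(0) win 5840 <mss 1460,sackOK,timestamp 25550657 0,nop,wscale 2>
16:30:59.168266 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969780 win 1460 <nop,nop,timestamp 25550658 20899740>
16:30:59.210623 IP 192.168.2.8.32863 > 192.168.2.9.22: S 1783492046:1783492046(0) win 5840 <mss 1460,sackOK,timestamp 25550662 0,nop,wscale 2>
16:30:59.210642 IP 192.168.2.8.32864 > 192.168.2.9.22: S 1787890826:1787890826(0) win 5840 <mss 1460,sackOK,timestamp 25550663 0,nop,wscale 2>
16:30:59.210647 IP 192.168.2.8.32865 > 192.168.2.9.22: S 1788072431:1788072431(0) win 5840 <mss 1460,sackOK,timestamp 25550664 0,nop,wscale 2>
16:30:59.238600 IP 192.168.2.8.32866 > 192.168.2.9.22: S 1780193083:1780193083(0) win 5840 <mss 1460,sackOK,timestamp 25550667 0,nop,wscale 2>
"""
# The middle (server) line here is constructed; the post's filter dropped that direction.
HANDSHAKE = """\
16:30:59.167586 IP 192.168.2.8.32862 > 192.168.2.9.22: S 1789751218:1789751218(0) win 5840 <mss 1460,sackOK,timestamp 25550657 0,nop,wscale 2>
16:30:59.167900 IP 192.168.2.9.22 > 192.168.2.8.32862: S 1673969779:1673969779(0) ack 1789751219 win 5792 <mss 1460,sackOK,timestamp 20899740 25550657,nop,wscale 2>
16:30:59.168266 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969780 win 1460 <nop,nop,timestamp 25550658 20899740>
"""

if __name__ == "__main__":
    print("handshakes:", find_handshakes(parse_trace(HANDSHAKE)))
    for name, text in (("trace1", TRACE1), ("trace2", TRACE2)):
        print(name, "connections:", len(connection_summary(parse_trace(text))),
              "max SYNs/1s:", max_syn_burst(parse_trace(text)))
```

Run on the quoted lines, trace 1 is one connection from one source port, while trace 2 shows five SYNs to port 22 from five source ports inside a tenth of a second; the handshake finder returns the packet numbers (1, 2, 3) for the constructed exchange, which is the same flags-plus-sequence-number reasoning A2 asks for.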

Yes, my HOD asked me to conduct an interview session tomorrow for the Security Analyst posts available here. Well, as usual I've prepared a series of questions to ask the candidates. And no, I won't reveal the questions here. It is not that I dun want to be called "poyo" again, but I think this time the questions will be really really really easy and very basic. No tcpdump output stuff, no incident identification from packet dumps, no snort alert interpretation stuff, and no more what-do-you-think-about-IDS-IPS stuff either. What's the point of asking those questions when I know 90% of the candidates will probably fail to answer them.

How bout asking about IDS deployment in a network? Maybe not, as I think nobody can or will answer that. Maybe I shud ask about a basic network diagram? I used to ask candidates to draw a simple diagram of a network that has basic security devices, either inline or passive, but still nobody answered it. I didn't expect anybody to answer perfectly. Nobody is perfect and nobody is NOBODY. (Wifey used to reply "I am Nobody" when I say "nobody is perfect".)

So for tomorrow, I am just looking for anybody that has the right attitude, the passion and the level of knowledge required for the post. (When you have the right attitude and the passion, I do believe that you have the basic knowledge and skills as a result of DIY, googling and trial-and-error. Agree?)

So for the candidates who will attend the interview session tomorrow, I wish them good luck and please…

Do a simple google search on anything about ICT Security, and of course about Security Analyst.

Good luck.
