Ayoi's

SSH Brute Force..Reconnaissance or Attempted Unauthorized Access?

ayoi — Wed, 23 Jul 2008 04:50:29 +0000

This is the big question when we try to categorized this type of attacks. Whether this SSH Brute Force attack falls under reconnaissance/scanning/information gathering or already at the exploitation phase which can be categorized as Attempted Unauthorized Access. Some said it should be categorized under Reconnaissance, while others preferred it to be categorized as Attempted Unauthorized Attempt.

In my opinion, both of these category can be used, however it depends on how this brute force attack was launched or performed. In other words, IF tools like Hydra, GuessWho was used then for this type of attack can be categorized as Reconnaissance/Information Gathering/Scanning.

Why?

Let do some simulation on this. The tool that I use is Hydra 5.4 running on Redhat 9. So the attacker machine is using 10.10.3.126 as its IP Address. For the target, I have to install OpenSSH for windows on my Windows 2003 Enterprise machine as I have problem with my FreeBSD’s snapshot file. Oh yes, as I need to run this simulation in controlled environment, so this simulation will be performed by my Virtual Machines in my Virtual Network. So the target (win2k3) will has 10.10.4.128 as its IP Address.

Also for clarity purpose, I’ve created a user (ayoi) with the password set to “kambing” while for attacking purpose, the Hydra will use a password list created by me where it has only 3 password that are “password, password1 and kambing”. If I want to use John The Ripper password list (3107 entries for JTR 1.7), Hydra will perform 3107 login tries, with 194 tries for each of the 16 tasks (by default) and will generate 27330 packets. So with my own password list, Hydra will only perform 3 tasks, 3 login tries with 1 try per task and will only generate 76 packets which is kewl for us

First as we want to capture the packet as well, we run our all time favourite sniffing tool;tcpdump on the attacker machine

[root@t4linux root]# tcpdump -s 0 -nn -i eth0 -w “`date +%Y-%m-%d-%H:%M`.`hostname`.pcap” host 10.10.4.128 and tcp port 22 &

Then we can execute Hydra;

[root@t4linux tools]# hydra -l ayoi -P password1.lst 10.10.4.128 ssh2
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2008-07-22 16:39:48

Ok now is the interesting part. Remember that I said for brute force/dictionary/password guessing attacks performed via this kind of tools can be categorized as Information Gathering/Reconnaissance/Scanning? As in Hydra case, that’s what it does. It just perform (I might call it dictionary attack as well) brute force by trying to logon to the system using the combination of users and passwords listed in the defined password file. Once this tool identified the right combination of the username and password to access the system, it will disconnect itself and prompt the result either to the attacker’s console or to any defined output file.

Just like the example below:

[DATA] 3 tasks, 1 servers, 3 login tries (l:1/p:3), ~1 tries per task
[DATA] attacking service ssh2 on port 22
[STATUS] attack finished for 10.10.4.128 (waiting for childs to finish)
[22][ssh2] host: 10.10.4.128 login: ayoi password: kambing
Hydra (http://www.thc.org) finished at 2008-07-22 16:39:48

Let’s analyse based on the packets generated by this activity

For the sake of the space in my blog, I’ll post the packets that performed successful password guessing. How do I know which one? As in the traffics, there are 3 connections initiated by the attacker where the 1st one is to test the 1st password, the second for the second password and the third one meant for the correct password (based on the password list I’ve supplied to Hydra that is).

Oh yeah, I will post the last 5 packets to show how Hydra will disconnecting itself when either correct or incorrect password guessed.

So these are the traffic tail end.

16:39:49.812628 IP 10.10.3.126.33569 > 10.10.4.128.22: P 3690477673:3690477757(84) ack 1946435082 win 7904

16:39:49.830210 IP 10.10.4.128.22 > 10.10.3.126.33569: P 1946435082:1946435166(84) ack 3690477757 win 63671

16:39:49.850464 IP 10.10.3.126.33569 > 10.10.4.128.22: F 3690477757:3690477757(0) ack 1946435166 win 7904

16:39:49.850698 IP 10.10.4.128.22 > 10.10.3.126.33569: . ack 3690477758 win 63671

16:39:49.860120 IP 10.10.4.128.22 > 10.10.3.126.33569: F 1946435166:1946435166(0) ack 3690477758 win 63671

16:39:49.860196 IP 10.10.3.126.33569 > 10.10.4.128.22: . ack 1946435167 win 7904

Can you see that in fact the connection terminated gracefully? Also another interesting thing is take note on the window size. Compared to normal SSH access, the default 65K size will be used especially from the requestor but in this case also similar with other scanning tools, the window size would be smaller as they don’t have any intention to establish only one session

. So they need to perhaps use as small as possible available buffer and this enable them to create as many sessions as possible (not only SSH sessions)

Just like Nessus scanning tools from Tenable Security. It will perform vulnerability scanning activities on the systems, try to find any possible flaws and bugs that can be exploited BUT the moment it discovers any vulnerability, does Nessus continue with exploitation phase or it stopped and record the findings for the final report? So when your IDS screaming about Nessus activities, under which category these alerts will fall? Reconnaissance/Information Gathering/Scanning or Attempted Unauthorized Access?

However if you try to guess a system password manually, the moment you eventually managed to guess the correct combination of username and password, are you going to disconnect your self, write down the information and reconnect back later OR, you just continue using that access?

What category for this kind of activity will be?

Do your systems have Warning Banners?

ayoi — Tue, 22 Jul 2008 08:14:44 +0000

I think this is one of the most overlooked items when putting machines/systems/application on the wire. Perhaps when we build up as example a machine that will host web applications that will be offered to the public via internet, or for our business partner via extranet and perhaps for internal purpose only via Intranet, we might concentrate on the auditing the source code to eliminate any possible flaws, opened ports, necessary services required to run on the machine, platform harderning and many others.

However do we ever emplace any warning banners within the main page of our authentication required web page? As example like web based email login page, business partners login page or perhaps for the general public as well when your organization offers web application services to them.

Why Warning Banners?

First of all, warning banners will limit the presumption of privacy of the users. Let say you provide a remote access services (ssh/rlogin/telnet/VPN) to your network for your staff to enable them working from remote places. It’s a good practice which will save a lot of travel time and resource mobilization. But what if some day you’ve detected that the machine that provide remote access behave strangely or you’ve discovered that some of the sensitive files have been missing/copied/transferred from the machine? So as a good security personnel you will start your investigation, analyzing the logs, collecting evidence, scrutinize the keylogger logs, performing the incident handling phases accordingly and after spent few days doing these, you’ve managed to gather all the necessary information and evidence to nail down the culprit.

Then you present the evidence to the HR for further action. So the HR calls the culprit, questioning him on what he has done and decided that dicipline actions will be taken against him.

But then the culprit says,

“How do I know that what I’ve done is wrong? I have a legitimate access to the machine, there’s no notice that says what I can or can not do, in fact it says

Welcome to FreeBSD!

Before seeking technical support, please use the following resources:...."

Btw I didn’t know that my activities in the machine will be recorded and monitored. I think you guys have intrude my privacy and my rights on that machine.”

Kewl eh?

That’s why it is better to have a warning banner that will make the users aware about the policy of using those assets. A warning banner should inform the users that:

a). Authorized activity permitted by the policy on that particular machine or device.

b). Any abuse of usage or unauthorized activity or unauthorized access will face civil or criminal penalties.

c). All the activity will be monitored and will be recorded

d). Any possible criminal activities or evidence recorded can be submitted to the law enforcement for further actions.

However it is important that the words or phrases that you are going to use in the warning banners to be reviewed by the legal department and endorsed by them. Also ensure that this endorsement should be in writing so that we can record it.

There are many samples of this warning banners either in sense of the content or the emplacement of the banner itself. Papers like the one available at unixwork.net titled “Login Warning Banners: A Discussion about Login/Warning Banners, Their Emplacement and Their Uses” discuss on the emplacement of the warning banners, their purpose and of cause it does provide a simple how to create and emplace this banners in Windows based and Unix based operating systems.

So do your systems have Warning Banners?

Not just a job…

ayoi — Mon, 21 Jul 2008 07:49:47 +0000

Last few weeks I did a presentation on our department general work flow. I’ve prepared some presentation slides, some handouts indicates the work flow (I try my best to be as clear as possible) and everything was fine at that time. Soon afterward one of my colleagues complained that it seems that the stakeholders affected in the work flow either did not understand partially on my presentation or totally clueless on that. Hence I end up scratching my heads trying to figure out what went wrong (No wonder my CSO is having lesser hair )

To be honest, I am totally clueless on how to motivate this stakeholders. They are the critical elements in our department and of cause their needs are the highest priority even in my list as well. Sometimes I am puzzled by this condition, what do they want actually?

Trainings? I’ve tried to conduct a series of training before but it turned out that most of my audience are from other department which I am grateful but deep inside a lil bit disappointed. I did ask via email on the type of training that they might required but alas, no response.

Environment? To be honest, I’ve worked in 8 companies before and so far this is the best working environment I ever had (besides few down points but hey, every company has their own problem rite?). We have experts here (Not saying about me) and this company encourages learning environment, knowledge sharing and skills enhancement.

Recently the company performed an exercise of restructuring the salary which IMO involve this stakeholders. Some of them now perhaps even getting more than what I earned. So I think this monetary factor can be discounted as well. Or maybe not.

IMO, to be success or to progress in this field, you need to have the right attitude (I think it applies to other field of works as well). Right attitude in sense of what?

The first thing is passionate about the job.

IF you accept this job just for the sake of having a job then it won’t suit you at all. Even a structured work like accounting, you still need to have the passion. Yes accounting has its own process, its own goal but to produce the final accounts statement is not that easy. For a start just stop using the accounting application and try to produce the final accounts manually. Try to produce the Balance Sheet, the Profit and Loss account and yeah the Cash flow statement without using the application. You still need to adhere the accounting policy that your company used like the depreciation policy, the FRS (Financial Reporting Standards), the SSAP (Statement of Standard Accounting Practice). Not to mention on taxation calculations, window dressing etc. Easy?

So how about being a security analyst? Easy? IMHO, the title itself requires the person to have adequate knowledge and skills in security plus you need to keep yourselves update with the current trend and technologies. Some people said doing the job is lacking hands on approach. I can’t see anything more hands on than being an analyst. Like me, from time to time I’ll study the attacks from its methodology to the impacts that it may caused by performing simulations on my *ehem old *ehem laptop and its codes (if possible). From there I will perhaps build appropriate detection mechanism (if yet available in current IDS rules), and also it can assists me when performing incident handling via advising a proper contaiment or eradication and remediation process and steps to the client.

Also from time to time I will study the current and future technology that might be useful for our future solutions and developments.

Again if you keep giving excuses on performing your tasks, perhaps you should ask yourselves whether you are in the right profession because for me, it doesn’t matter what you want to be, if you don’t have the right attitude, don’t have the career goals then perhaps you will going nowhere.

Because if this guy with only SPM as his paper credential can do it, why can’t you?

A good sign eh?

ayoi — Fri, 18 Jul 2008 09:07:58 +0000

Well my itchy fingers playing around the courses offered by SANS and GIAC. And then out of curiosity I just access the demo of SANS on Demand for the course 517: Cutting Edge Hacking Techniques. It is just a demo and I can see the glimpse of what the course will cover for 2 days. Basically I think it is extention of the course that I’ve taken, Hacker Techniques, Exploits and Incident Handling where IF I passed the exam, then I will be a GIAC (Global Information Assurance Certification) Certified Incident Handler -GCIH.

So this on-demand course demo let me accessed 2 sets of slides that covers 2 topics and the assessment will be done on the second topics. To be honest, the questions are not that difficult but you might failed the assessment once you DID NOT look carefully.

Oh yeah, you need an account at SANS Portal to access the demo btw.

So hopefully I will get the real certification later on

What is another sensor?

ayoi — Thu, 17 Jul 2008 08:32:51 +0000

Oh yeah, while having a light drink with my colleagues discussing about the current problems that we faced and the required solutions, one of my colleagues provide one good story which IMHO enlighten our mood for the day. The story is like this.

He went for interview for a Firewall Analyst at one of the Multinational Companies here in Malaysia. During the interview, he was asked by one of the interviewers this question,

“Besides snort, can you give another example of sensor?”

Well first, that kind of question is very very confusing and not that clear. Does the interviewer means another IDS application? or another appliance or the location of the sensors?

So my collegue blurt out all the possible answers that perhaps might be able to answer the question ranging from the IDS applications up to the sensors emplacement in the network but still the answers that he gave are wrong.

Giving up, my colleague eagerly waiting for the exact answer that the interviewer is looking for. So with the snobbish face (because of my colleague failure to answer his question) he said,

“The other sensor that I meant is PROMISCUOUS!”

yeah, it is shocking and UNBELIEVABLE

Well I guess ..

Debate… What are you thinking?

ayoi — Wed, 16 Jul 2008 08:59:51 +0000

I seldom post any politics related topics in this blog as I am more bipartisan type of guy plus I dun want this blog to be a political blog. But as yesterday, for the first time in Malaysian Political history, a debate session between an opposition political leader and a representative of the government on the issue of fuel hike was held. To be honest, the theme of the debate is about the promise by the opposition coalition that once they assume the federal power then the price of the fuel will be reduced on the next day.

Never mind that the opposition leader is Dato’ Seri Anwar Ibrahim who was known for his oratory capability that able to mesmerize the audience either local or international.

Never mind about that Dato’ Seri Anwar Ibrahim was a former collegian of Malay College Kuala Kangsar, the same school I spent my 5 youth years.

Never mind that during the “reformasi” years, I used to hang a small tag that has a picture of Dato’ Seri Anwar and a word “REFORMASI” in my car.

Never mind that (I suspect) because of the MCKK background, the sodomy charges on Dato’ Seri Anwar is looked like legitimate for “them”.

But the main thing here is how Dato’ Seri Anwar can at least explain his stand/promise/mechanism/methods of reducing the fuel price and how the government, represented by the Minister of Information, Dato’ Ahmad Shabery Chik explain to the people why the government need to increase 40%+ of the fuel price.

So me and wifey watched this historical debate at one of the mamak’s restaurants at Kinrara. And the crowd is surprisingly (not surprisingly la) overwhelmed the tables and chairs and the restaurant workers have to take our their “spare” tables and chairs.

Of cause, I am expecting a very intellectual debate where each speaker or panellist will support his argument with facts and figures because as Dato’ Seri Anwar Ibrahim is a former Finance Minister and former Deputy Prime Minister, he has the inside knowledge on how government do their work while as for Dato’ Ahmad Shabery Chik, he can request all the information needed that can be used in his arguments.

Throughout the debate, it seems Dato’ Seri Anwar Ibrahim never failed my expectation. Of cause because he’s a seasoned politician, know when to sooth the crowd, how to express or convey his points in short period of time and how to act respectable during the session. I guess his debating experience during his school days is very valuable. Even though he didn’t elaborate his plan in details, but the idea on how to help reducing the burden of the people is doable and logic. And throughout the debate session itself the main points emphasised by the former Deputy Prime Minister are the sudden price hike is burdening the people, the importance of optimizing national resources (optimizing and not wasting) and the needs to identify the economy leakages and perform the immediate remediation. Of cause this fall under the government responsibilities.

And to be honest, I am totally disappointed with the performance of the Information Minister. You have around 4-5 minutes to explain to the people on government stance and justification for the price hike but instead you wasting those time by attacking your counterpart personality, history and past. We are not wasting 1 hour to hear that and if I want to know that, I’d rather read politics blogs. You spent most of the time evading from answering the question by (sometimes) even mumbling about other non related things.

As example, you said the former DPM was a firebrand student who critize everbody back in 1974 and promotes street demonstrations which is not our culture. Well if I’m not mistaken, when the British plan to introduce Malayan Union, our forefathers express their disagreement via demonstrations. Why? Because it seems at that day, the British did not (or pretending) to listen the people’s opinions. So they bring it on the streets nationwide which in the end the British has to listen. Well, are our government listening to our voices?

What can I conclude from the debate?

a). Dato’ Seri Anwar’s plan will only become a plan. I dun think our government is listening

b). It seems like this debate was held to attack on Anwar’s character nationwide

c). How can our Information minister sounds like misinformed minister?

d). It doesn’t matter if you opponent is a seasoned politician or a school boy, you need to prepare with adequate information as your arsenal. Stay focus on the topic and PLEASE answer the damned questions.

e). Now I know why most of our graduates are unemployed or non competent. Just look at the Advisor to the Information Minister. I am embarrassed.

Unbelievable..

p/s: Anyway to Dato’ Ahmad Shabery Chik, I take my hat off for you as at least you have the courage to have a debate with a more senior, more seasoned politician, compared to your bosses ;P

Congratulations to my friends

ayoi — Mon, 14 Jul 2008 03:33:01 +0000

First of all, I would like to congratulate my friend, mr geek00l and mel (I believe he is one of the brains behind the company as well ) on the establishment of their new company Defcraft SDN. BHD. Well we can call them the young technopreneur and of cause professionally, Defcraft will become one of the competitors for the company that I work currently as well. Anyway I wish them all the best and a very good luck. Competition aside, they still one of my friends in this industry and I still hope that we still can share few things tho

Well I guess in this industry, the best way is to share our knowledge, skills and methodologies to fend off any cyber attacks and the emerging of new threats and attack trends. IMHO, nowadays the main worry is how can we really mitigate the client side attacks. BOTnets are becoming more and more serious, when usually we just gathered few eggdrops to dos certain users in IRC channels, then it evolves to perform a larger scale of attacks to the IRC servers as well, and I do believe this kind attacks have financial motivation behind it. Now, with the emergence of RBN model, these bots are more than an attack tool but it become as advertising tool in form of spamming and others. And yes, nowadays it is totally about money.

I used to agree that we should educate the managers instead of users but now, I think we need to educate both of them. Policies will become useless when nobody appears to adhere them. So for that I do believe we, the so called security professionals need to work together in order to at least minimize the impact or mitigate the risk of this type of attacks. Possible?

On the other hand, my company seems to perform some good exercise which will make certain quaters of the stakeholders more than happy. Even though personally I am not affected by this exercise but I do welcome it as it shows that the wind of change finally arrived

Again congratulations to my friends and perhaps someday we can have TT together eh?

Spot the difference

ayoi — Fri, 11 Jul 2008 11:04:18 +0000

Don’t worry, it is not about my twin btw.

Can you spot the difference (especially in sense of the traffic behavior) of this two packet captured files?

I use windump on my Windows XP machine and the command I executed to produce these outputs is

wd -Snnr packet_capture_file.pcap dst port 22

Packet Capture 1

20:25:00.696718 IP 192.168.4.128.1813 > 192.168.4.126.22: S 2151807408:2151807408(0) win 65535

20:25:00.698859 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369704931 win 64000

20:25:00.751279 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807409:2151807437(28) ack 1369704970 win 63980

20:25:00.760521 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807437:2151807941(504) ack 1369705706 win 63612

20:25:00.760616 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807941:2151807957(16) ack 1369705706 win 63612

20:25:00.900008 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807957:2151808229(272) ack 1369705986 win 63472

20:25:01.094824 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808229:2151808245(16) ack 1369706770 win 64000

20:25:01.095211 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808245:2151808297(52) ack 1369706770 win 64000

20:25:01.211169 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369706822 win 63974

20:25:06.746347 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808297:2151808365(68) ack 1369706822 win 63974

20:25:07.627074 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808365:2151808465(100) ack 1369706890 win 63940

20:25:07.747682 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369706958 win 63906

20:25:09.354328 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808465:2151808741(276) ack 1369706958 win 63906

20:25:09.361925 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808741:2151808841(100) ack 1369707026 win 63872

20:25:09.559764 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707094 win 63838

20:25:11.762118 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808841:2151809117(276) ack 1369707094 win 63838

20:25:11.768410 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809117:2151809217(100) ack 1369707162 win 63804

20:25:11.973704 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707230 win 63770

20:25:13.357811 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809217:2151809493(276) ack 1369707230 win 63770

20:25:13.365031 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809493:2151809593(100) ack 1369707298 win 63736

20:25:13.482591 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707366 win 63702

20:25:14.856313 IP 192.168.4.128.1813 > 192.168.4.126.22: F 2151809593:2151809593(0) ack 1369707366 win 63702

20:25:14.864991 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707367 win 63702

Packet Capture 2

16:30:59.167586 IP 192.168.2.8.32862 > 192.168.2.9.22: S 1789751218:1789751218(0) win 5840

16:30:59.168266 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969780 win 1460

16:30:59.194809 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969800 win 1460

16:30:59.194814 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751219:1789751240(21) ack 1673969800 win 1460

16:30:59.203125 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751240:1789751392(152) ack 1673970440 win 1780

16:30:59.210623 IP 192.168.2.8.32863 > 192.168.2.9.22: S 1783492046:1783492046(0) win 5840

16:30:59.210642 IP 192.168.2.8.32864 > 192.168.2.9.22: S 1787890826:1787890826(0) win 5840

16:30:59.210647 IP 192.168.2.8.32865 > 192.168.2.9.22: S 1788072431:1788072431(0) win 5840

16:30:59.212077 IP 192.168.2.8.32863 > 192.168.2.9.22: . ack 1687906519 win 1460

16:30:59.238583 IP 192.168.2.8.32864 > 192.168.2.9.22: . ack 1678854406 win 1460

16:30:59.238588 IP 192.168.2.8.32865 > 192.168.2.9.22: . ack 1673861893 win 1460

16:30:59.238592 IP 192.168.2.8.32863 > 192.168.2.9.22: . ack 1687906539 win 1460

16:30:59.238596 IP 192.168.2.8.32863 > 192.168.2.9.22: P 1783492047:1783492068(21) ack 1687906539 win 1460

16:30:59.238600 IP 192.168.2.8.32866 > 192.168.2.9.22: S 1780193083:1780193083(0) win 5840

16:30:59.238604 IP 192.168.2.8.32867 > 192.168.2.9.22: S 1781912197:1781912197(0) win 5840

16:30:59.280609 IP 192.168.2.8.32866 > 192.168.2.9.22: . ack 1685157275 win 1460

16:30:59.280614 IP 192.168.2.8.32867 > 192.168.2.9.22: . ack 1686380212 win 1460

16:30:59.280619 IP 192.168.2.8.32868 > 192.168.2.9.22: S 1786479460:1786479460(0) win 5840

16:30:59.280623 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751392:1789751536(144) ack 1673970440 win 1780

16:30:59.280627 IP 192.168.2.8.32864 > 192.168.2.9.22: . ack 1678854426 win 1460

16:30:59.280631 IP 192.168.2.8.32864 > 192.168.2.9.22: P 1787890827:1787890848(21) ack 1678854426 win 1460

16:30:59.280635 IP 192.168.2.8.32865 > 192.168.2.9.22: . ack 1673861913 win 1460

16:30:59.280639 IP 192.168.2.8.32865 > 192.168.2.9.22: P 1788072432:1788072453(21) ack 1673861913 win 1460

16:30:59.280643 IP 192.168.2.8.32863 > 192.168.2.9.22: P 1783492068:1783492220(152) ack 1687907179 win 1780

There are some significant differences between those two packets and from the pattern itself we can probably identify what happen on trace 1 and trace 2.

So what do you think?

Interviews, Analyst and other stuff..

ayoi — Fri, 11 Jul 2008 05:13:12 +0000

I dun have any appropriate post topic actually but let me sums up whatever that I have in my head.

For yesterday’s interview, like I’ve mentioned in my previous post, I didn’t expect too much and boy it helps. On the happy note, most of the candidates show a lot of passion and it seems that they have the right attitude to be in this industry but perhaps because whenever you are in an interview, you will try your best to project that you ARE the suitable candidate and you DO HAVE the right attitude rite? But as I am a good person, I just give good recommendation for the higher management to decide. Sad note? I think it is better for me to keep it to myself.

On the other hand, I think I am getting more and more macro view on overall picture of my current work. It seems that I (think) managed to pull all the strings together. Use other information to relate on my current work and managed somehow to see the bigger picture. Even though I have to admit that I do miss doing some full blown tasks like research and learning on new things fully (not on ad hoc basis), reading properly (like my assembly thingy) but somehow I think I can live with that for now. I’ve downloaded all the packets listed in the openpacket.org but for now that’s all. Hope I can play with those later on and still not yet finish with those brute force thingy.

Hopefully I can finally managed to do all the stuff that I love to do but for now, I think I am doing just fine.

Ahh.. I’ve notice that my poyo interview questions attract some interest here. Unfortunately the reply is not that accurate. So let me ellaborate or just giving the answer here.

Q1: If I ping from host A to host B, using ICMP Type 8 code 0, this ICMP packet will goes to which port?

A1: No port. The ICMP protocol structure didn’t has any port field in it. The message or the code and types will be processed by the receiving machines and appropriate response will be given.

Q2: Based on this information=handshake2.txt point out the handshake packets.

A2: Packet 7, packet 9 and packet 10. Take note on the TCP Control Flags AND the Sequence Numbers.

Q3: What kind of event that you can derive from this trace file :trace1.pdf

A3: Port Scanning using SYN flag or nmap -sS.

Q4: And what kind of event that you can derive from this trace file? : trace2.pdf

A4: SYN FLOOD. I used hping2 to create this packet. SO what’s the diff with trace1? Scanning is a form of information gathering, meaning you need to know and receive the response from the targeted machine. While when flooding a system, you DO NOT WANT its responses.

Q5: Based on this alerts information :alerts.pdf , can you identify any possible irregular behaviour of the traffic?(traffic_a.pdf)

A5: Possibly that the 443 port was used for other means. HTTPS channel is an encrypted channel and there’s no way IDS (without any SSL terminator/SSL proxy/SSL Accelerator used) can observe its traffic and subsequently produce alerts. And yes, when you can see uid=0 and guid=0 in a suppose encrypted channel, you need to investigate further.

Q6: With the existence of IPS, what do you think on the relevance of IDS

A6: This is merely an opinion question, so IMHO, the IDS is still relevant as in sense of deployment, IPS is more inline device which need to have super correct detection/prevention rules or zero false positive rules. In this perspective, most of the time, only confirmed, selective rules will be implemented. While IDS is a passive device which will never interrupts the network flow. So when an attack which the IPS rules didn’t recognized or filtered (due to false positive risk), the IDS will become the safety net (in sense of alerting for investigation). I’ve posted many times on this matter so I won’t ellaborate more.

So that’s it.

Another interview..And good luck!

ayoi — Wed, 09 Jul 2008 08:21:27 +0000

Yes, my HOD asked me to conduct an interview session tomorrow for Security Analyst posts available here. Well as usual I’ve prepared a series of questions to ask the candidates. And no, I wont reveal the questions here. It is not that I dun want to be called “poyo” again but I think this time the questions will be really really really easy and very basic. No tcpdump output stuff, no incident identification from packet dumps, no snort alerts interpretation stuff, and no more on what-do-you-think-about-IDS-IPS-stuff either. What’s the point of asking those questions when I know 90% of the candidates will possible failed to answer those questions.

How bout asking on IDS deployment in a network? Maybe not as I think maybe nobody can or will answer that. Maybe I shud ask about basic network diagram? I used to ask the candidate to draw a simple diagram of a network that has basic security devices either inline or passive but then still nobody answer it. I didn’t expect anybody to answer perfectly. Nobody is perfect and nobody is NOBODY. (Wifey used to reply “I am Nobody” when I say “nobody is perfect).

So for tomorrow, I just looking for anybody that has the right attitude, the passion and the level of knowledge that they had for the post. (When you have the right attitude, have the passion, I do believe that you have the basic knowledge and skills as the result of DIYs, googling and try-and-error methods. Agree?)

So for the candidates who will attend the interview session tomorrow, I wish them good luck and please…

Do some simple google search anything about ICT Security, and of cause about Security Analyst.

Good luck.