Archive for the ‘Miscellaneous’ Category

Hi again!
Today I’m going to talk about ntop and how to install the latest stable version in Debian Squeeze.

Ntop is an extraordinary tool that helps you understand your network traffic. Luca Deri’s tool has a lot of features, and I use it mainly to find out quickly what kind of traffic is being generated on my network, thanks to its web interface with summaries and RRD charts.

Years ago I used it to identify the SQL Slammer worm, and since then this tool has been in my arsenal for analysing weird network behaviour.

Ok. In case you didn’t notice, I love configure and make, but ntop is so popular that you can find it in the backports repository:

  1. Add the following line to your /etc/apt/sources.list: deb http://backports.debian.org/debian-backports squeeze-backports main
  2. apt-get update
  3. apt-get install ntop
  4. Type the admin user password for ntop’s web interface
  5. Ntop will be started.
  6. Open a browser and go to http://x.x.x.x:3000, where x.x.x.x is the IP address of the host where ntop is installed... of course!
  7. Debian installs an ntop init.d service, so if you want to stop ntop: /etc/init.d/ntop stop

Ok! If you want to use the latest stable version... yes, configure and make!:

  1. apt-get install build-essential libtool automake autoconf libpcap-dev libgdbm-dev zlib1g-dev rrdtool librrd-dev libssl-dev python-dev libgeoip-dev graphviz libgraphviz-dev
  2. cd /opt
  3. Download ntop (e.g wget http://switch.dl.sourceforge.net/project/ntop/ntop/Stable/ntop-4.1.0.tar.gz )
  4. tar xfz ntop-4.1.0.tar.gz
  5. cd ntop-4.1.0/
  6. ./autogen.sh
  7. make
  8. make install
  9. ldconfig, so the new libraries can be found (thanks Garrie!)
  10. You’ll find the ntop files under /usr/local, according to ./configure:

     Data files are in     /usr/local/share/ntop
     Config files are in   /usr/local/etc/ntop
     Run directory is      /usr/local/var/ntop
     Plugin files are in   /usr/local/lib/ntop/plugins
     Database files are in /usr/local/var/ntop
     Libraries have been installed in: /usr/local/lib
  11. chown -R nobody:nogroup /usr/local/var/ntop
  12. Ok, now run from the command line: ntop
  13. Ntop will ask you for the admin password:

     ntop startup – waiting for user response!
     Please enter the password for the admin user:
     Please enter the password again:

  14. Go to http://x.x.x.x:3000
  15. Nice charts!
  16. Use Ctrl-C from the command line to stop ntop.

Ok. That’s all. Any comments are welcome!

P.S: I’m trying to write new posts about Snorby and Suricata but I need more time! 😀


KeePass is a great open source password manager with many features (passwords are stored in an encrypted database, strong password generator, ...), which I’ve been using since 2006 on my Windows machine.

Now I want to use it on my Fedora 15 box, and thanks to Mono you can run it on Linux machines following these instructions. Anyway, these are the steps for Fedora 15:

  1. Download the portable version of KeePass and unzip it into a folder.
  2. Install Mono and Xdotool packages:

    yum install mono-addins mono-core mono-data mono-data-sqlite mono-extras mono-mvc mono-wcf mono-web mono-winforms mono-winfx libxdo xdotool

  3. Go to the KeePass folder and from the command-line execute: mono KeePass.exe
  4. That’s all folks!

UPDATE: Thank you B!n@ry for your comment. You can use KeePassX: yum install keepassx


I’m starting with my malware lab, but before you read on you may be interested in REMnux, a Linux distribution for reverse-engineering malware that offers many analysis tools.

My lab will consist of two virtual hosts: one of them will be the victim where all the malware will be executed, and the other will act as a server offering “Internet” services to the victim. The hosts will be placed in the 192.168.10.0/24 network (server 192.168.10.1 and client 192.168.10.2).

The first service I’m going to configure is DNS, and for this task I’ll use DJBDNS. Two years ago I started hearing about D. J. Bernstein’s DNS, which wasn’t affected by Dan Kaminsky’s announced DNS flaw. I like security, so why not use tinydns for this task? The DNS server will be configured to answer queries for the malware.lab domain, and it’ll act as a fake root name server.

You can install tinydns using aptitude, but I like to compile things 🙂 These are the steps I’ve followed.

  1. apt-get install build-essential
  2. useradd Gtinydns -s /bin/false
  3. useradd Gdnslog -s /bin/false
  4. mkdir -p /package
  5. chmod 1755 /package
  6. cd /package
  7. wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
  8. tar xvfz daemontools-0.76.tar.gz
  9. rm -f daemontools-0.76.tar.gz
  10. cd admin/daemontools-0.76/
  11. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don’t forget this!)
  12. cd src/
  13. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don’t forget this!)
  14. cd ..
  15. package/install
  16. cd /package
  17. wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
  18. tar xvfz ucspi-tcp-0.88.tar.gz
  19. rm ucspi-tcp-0.88.tar.gz
  20. cd ucspi-tcp-0.88/
  21. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don’t forget this!)
  22. make
  23. make setup check
  24. cd /package
  25. wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
  26. tar xvfz djbdns-1.05.tar.gz
  27. rm djbdns-1.05.tar.gz
  28. echo gcc -O2 -include /usr/include/errno.h > conf-cc
  29. make
  30. make setup check
  31. reboot
  32. tinydns-conf Gtinydns Gdnslog /etc/tinydns 192.168.10.1
  33. ln -s /etc/tinydns /service/tinydns
  34. sleep 5
  35. svstat /service/tinydns
  36. cd /service/tinydns/root
  37. ./add-ns . 192.168.10.1 (this server will answer all DNS queries with the same address, 192.168.10.1). If you have problems, make sure this wildcard entry is present in the /etc/tinydns/root/data file: +*.:192.168.10.1
  38. ./add-host server.malware.lab 192.168.10.1
  39. ./add-host client.malware.lab 192.168.10.2
  40. ./add-ns 10.168.192.in-addr.arpa 192.168.10.1 (this serves the reverse lookups)
  41. make

And that’s it (41 steps!), I have a DNS server running... If you need more information, visit the DJBDNS page.

DJBDNS has been designed to be secure, and it’s very easy to manage (at least compared with BIND).

See ya!


A long time ago I used PGP to encrypt files, but I forgot how to use it. Today I sent a message to a CERT (but this is another story...) and I had to encrypt a file, so I downloaded the GnuPG binary for Windows and started reading the GnuPG mini-howto. I’ve managed to remember the steps for using this tool:

  1. Generate your private and public keys with gpg --gen-key
  2. Select the type of key. DSA and Elgamal is a good choice
  3. Specify the expiry date for the key
  4. Enter your name and email
  5. Protect the key with a passphrase
  6. Accept the information and generate entropy 🙂
  7. Import the public key of the recipient of the message with gpg --import file
  8. List the keys to find their UID with gpg --list-keys
  9. If you trust the recipient’s public key, sign it with gpg --edit-key RecipientUID
  10. Use the sign command and then quit
  11. Encrypt the file with gpg -e file -r RecipientUID
  12. You’re done!

I know, there are many good tutorials out there, but I don’t want to forget all this again! 😀 If you find errors or want me to add more steps, tell me!!

Soon I’ll post new things about honeypots
