Wednesday, May 6, 2015

Set of useful filters for Wireshark

I believe all the filters listed below will be as useful to everyone as they were to me. They are mainly about shortlisting the packets to be looked at during a session of analyzing a packet capture file.

Filter out a given source IP range
!(ip.src >= 175.157.7.0 && ip.src <= 175.157.7.255)

Filter out a given destination IP range
!(ip.dst >= 175.157.7.0 && ip.dst <= 175.157.7.255)

Filter out both the given source and destination IP ranges (the two conditions are joined with &&; joined with || a packet would be dropped only when both ends are in the range)
!(ip.src >= 175.157.7.0 && ip.src <= 175.157.7.255) && !(ip.dst >= 175.157.7.0 && ip.dst <= 175.157.7.255)

Filter out Spanning-tree Protocol messages
!stp

Filter out loopback messages
!loop

Filter out the above IP range and the Spanning-tree Protocol messages (&& binds tighter than ||, so all three conditions are joined with &&)
!(ip.src >= 175.157.7.0 && ip.src <= 175.157.7.255) && !(ip.dst >= 175.157.7.0 && ip.dst <= 175.157.7.255) && !stp

The format "ip.addr==175.157.7.0/24" works now as well, which is a much cleaner solution:
!ip.addr==175.157.7.0/24 && !stp
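The following is an added example, not part of the original post and not Wireshark code: it evaluates the boolean logic of the filters above against a handful of constructed packets with Python's ipaddress module, so the difference between joining the range tests with || and with && (and the effect of && binding tighter than ||) is visible on concrete data. The packet tuples are constructed samples; STP frames carry no IP header, so their addresses are None, mirroring an absent ip.src/ip.dst field.

```python
import ipaddress

# The /24 that the filters in the post exclude.
RANGE = ipaddress.ip_network("175.157.7.0/24")

# Constructed sample "packets": (src, dst, protocol).
PACKETS = [
    ("175.157.7.10", "8.8.8.8", "dns"),         # only src in range
    ("8.8.8.8", "175.157.7.10", "dns"),         # only dst in range
    ("175.157.7.10", "175.157.7.20", "tcp"),    # both ends in range
    ("10.0.0.5", "10.0.0.9", "tcp"),            # neither end in range
    (None, None, "stp"),                        # spanning-tree frame, no IP header
]


def in_range(addr):
    """ip.src / ip.dst range test; an absent field never matches."""
    return addr is not None and ipaddress.ip_address(addr) in RANGE


def filter_or(pkts):
    """!(src in range) || !(dst in range): keeps a packet unless BOTH ends are in range."""
    return [p for p in pkts if not in_range(p[0]) or not in_range(p[1])]


def filter_and(pkts):
    """!(src in range) && !(dst in range): keeps a packet only if NEITHER end is in range."""
    return [p for p in pkts if not in_range(p[0]) and not in_range(p[1])]


def filter_or_then_stp(pkts):
    """!(src) || !(dst) && !stp parses as !(src) || (!(dst) && !stp) because &&
    binds tighter than ||; a non-IP frame satisfies !(src), so STP survives."""
    return [p for p in pkts
            if not in_range(p[0]) or (not in_range(p[1]) and p[2] != "stp")]


def filter_cidr(pkts):
    """!ip.addr==175.157.7.0/24 && !stp: ip.addr matches either end, so this is
    filter_and with the STP frames removed as well."""
    return [p for p in pkts
            if not (in_range(p[0]) or in_range(p[1])) and p[2] != "stp"]


if __name__ == "__main__":
    for name, fn in [("||", filter_or), ("&&", filter_and),
                     ("|| then !stp", filter_or_then_stp), ("cidr && !stp", filter_cidr)]:
        print(f"{name:>13}: {len(fn(PACKETS))} packets kept -> {fn(PACKETS)}")
```

One caveat worth keeping in mind when translating these into the filter bar: `!ip.addr==175.157.7.0/24` is not the same as `ip.addr!=175.157.7.0/24`. In older Wireshark releases the `!=` form is true whenever either of the two address fields differs from the value, which is almost every packet, so the negated-equality form used in the post is the one that actually excludes the range.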

Thursday, November 27, 2014

Whether to enable "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"

Use of "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" is the standard recommendation in order to align with many security compliance standards. The United States Federal Information Processing Standard (FIPS) defines cryptographic algorithms approved for use by US Federal government computer systems for the protection of sensitive data. The requirement to use approved and validated algorithms applies only to the protection of sensitive data. Systems and applications are free to use weak or non-validated cryptographic implementations for non-security purposes, based on their security context.

Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. For example, if it is enabled, SSL 2.0 and 3.0 are not allowed and TLS must be used instead. Further, with the .NET Framework, if FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved. Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. That blocked use of the BitLocker Drive Encryption feature that stored a computer's 48-character recovery password in Active Directory.

Even though the security best practice is to enable "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", it is up to individuals to decide how to implement it based on the security context in which it applies.

Reference:
http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx

Thursday, October 9, 2014

Configure wvdial.conf in Ubuntu 14.04

I wanted to configure my Etisalat broadband connection on Ubuntu 14.04. Network Manager had already been uninstalled.

In order to connect to the broadband network, I followed the procedure listed below.

Wvdial, the software I used to connect, is an intelligent PPP dialer, which means that it dials a modem and starts PPP in order to connect to the Internet. It is something like the chat(8) program, except that it uses heuristics to guess how to dial and log into your server rather than forcing you to write a login script.

To install wvdial:
$sudo apt-get install wvdial

As the next step the modem was connected to my PC.

To configure wvdial for the very first time, the command below was used:
$sudo wvdialconf

I edited /etc/wvdial.conf as shown below.
[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Init3 = AT+CGDCONT=1,"IP","etisalat3g"
Modem Type = Analog Modem
Baud = 9600
New PPPD = yes
Modem = /dev/ttyUSB0
ISDN = 0
Phone = *99#
Password = " "
Username = " "


Since I don't have any credentials to connect to the network, I left the username and password fields blank.

The APN was specified as an initialization parameter:
Init3 = AT+CGDCONT=1,"IP","etisalat3g"

As the final step, I was able to connect successfully to the broadband network with the command:
$sudo wvdial

Configure Wireless Network: Edit /etc/network/interfaces in Ubuntu 14.04

To discover the available wireless interfaces:
$sudo lspci |grep Wireless
$sudo lspci |grep Network


To discover the available wireless networks:
$sudo iwlist wlan0 scan

To ask the wireless interface to associate with an identified access point (replace <ESSID> with the network name):
$sudo iwconfig wlan0 essid "<ESSID>"

If the network is encrypted, supply the secret key (this assumes WEP; replace <KEY> with the key):
$sudo iwconfig wlan0 key <KEY>

Now ask for an IP address:
$sudo dhclient wlan0

Or else, to configure the interface manually, edit the interfaces file:
$vi /etc/network/interfaces

The configuration for a wireless interface with a dynamic IP address. File: /etc/network/interfaces
----------
auto wlan0
iface wlan0 inet dhcp
    wpa-ssid <SSID>
    wpa-psk <PASSPHRASE>
----------


The configuration for a wireless interface with a static IP address. File: /etc/network/interfaces
----------
auto wlan0
iface wlan0 inet static
    address 192.168.2.185
    netmask 255.255.255.0
    gateway 192.168.2.1
    network 192.168.2.0
    broadcast 192.168.2.255
    dns-nameserver 8.8.8.8
    wpa-ssid <SSID>
    wpa-psk <PASSPHRASE>
----------


Note: the auto line makes the interface come up and connect to the wireless network automatically when the system boots.
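As an added example (not part of the original post and not ifupdown code), the snippet below renders the static wlan0 stanza from a dictionary of the values used above and checks that the hand-written network, broadcast and gateway fields agree with the address and netmask. A netmask or broadcast typed inconsistently is a common reason a hand-edited interfaces file "comes up" but never reaches the gateway. The SSID and passphrase are placeholders; the stanza values are copied from the post.

```python
import ipaddress

# Constructed copy of the static stanza values used in the post.
STANZA = {
    "address": "192.168.2.185",
    "netmask": "255.255.255.0",
    "gateway": "192.168.2.1",
    "network": "192.168.2.0",
    "broadcast": "192.168.2.255",
    "dns-nameserver": "8.8.8.8",
}


def derived_fields(address, netmask):
    """Compute the network and broadcast that address/netmask actually imply."""
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    return {
        "network": str(iface.network.network_address),
        "broadcast": str(iface.network.broadcast_address),
    }


def check_stanza(stanza):
    """Return a list of inconsistencies; an empty list means the stanza is coherent."""
    problems = []
    derived = derived_fields(stanza["address"], stanza["netmask"])
    for key in ("network", "broadcast"):
        if stanza.get(key) != derived[key]:
            problems.append(f"{key} should be {derived[key]}, got {stanza.get(key)}")
    subnet = ipaddress.ip_interface(f"{stanza['address']}/{stanza['netmask']}").network
    if ipaddress.ip_address(stanza["gateway"]) not in subnet:
        problems.append(f"gateway {stanza['gateway']} is outside {subnet}")
    return problems


def render_stanza(stanza, ssid="<SSID>", psk="<PASSPHRASE>"):
    """Render the iface block in /etc/network/interfaces syntax (WPA, not WEP)."""
    lines = ["auto wlan0", "iface wlan0 inet static"]
    for key in ("address", "netmask", "gateway", "network", "broadcast", "dns-nameserver"):
        lines.append(f"    {key} {stanza[key]}")
    lines += [f"    wpa-ssid {ssid}", f"    wpa-psk {psk}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    issues = check_stanza(STANZA)
    print("problems:", issues or "none")
    print(render_stanza(STANZA))
```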

To stop and start the wireless interface:
$sudo ifdown wlan0
$sudo ifup -v wlan0

Monday, August 11, 2014

Firewalking with nmap

Firewalking is a technique developed by Mike Schiffman and David Goldsmith that utilizes traceroute techniques and TTL values to analyze IP packet responses in order to determine gateway ACL (Access Control List) filters and map networks. It is an active reconnaissance network security analysis technique that attempts to determine which layer 4 protocols a specific firewall will allow.

The description below covers how to use nmap to perform firewalking. Some of the script's arguments are also listed for your reference.

firewalk.max-probed-ports
maximum number of ports to probe per protocol. Set to -1 to scan every filtered port.

firewalk.max-retries
the maximum number of allowed retransmissions.

firewalk.recv-timeout
the duration of the packets capture loop (in milliseconds).

firewalk.max-active-probes
maximum number of parallel active probes.

firewalk.probe-timeout
validity period of a probe (in milliseconds).

Example Usage
  • nmap --script=firewalk --traceroute
  • nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1
  • nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms
  • nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7

Sample output is shown below.

$nmap --script=firewalk --traceroute 10.168.0.11

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-11 17:25 IST
Nmap scan report for 10.168.0.11
Host is up (0.0033s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8009/tcp open  ajp13
8080/tcp open  http-proxy

TRACEROUTE (using port 1025/tcp)
HOP RTT     ADDRESS
1   2.63 ms 192.168.2.1
2   2.20 ms 10.168.0.11

Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds


Reference:
http://nmap.org/nsedoc/scripts/firewalk.html
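The sample run above produced no firewalk-specific output (the script reports only hops where it finds filtering), so what is left is the port table and the traceroute section. The parser below is an added example, not nmap's code, that turns that normal-output text into Python structures so a scan of your own hosts can be compared against an allow-list of ports that are supposed to be reachable. The SAMPLE string is a constructed copy of the output shown in this post; the regular expressions assume nmap's normal (non-XML) output layout as seen there.

```python
import re

# Constructed copy of the sample output shown in the post.
SAMPLE = """\
Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-11 17:25 IST
Nmap scan report for 10.168.0.11
Host is up (0.0033s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8009/tcp open  ajp13
8080/tcp open  http-proxy

TRACEROUTE (using port 1025/tcp)
HOP RTT     ADDRESS
1   2.63 ms 192.168.2.1
2   2.20 ms 10.168.0.11

Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
"""

TARGET_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HOP_RE = re.compile(r"^(\d+)\s+([\d.]+) ms\s+(\S+)")


def parse_nmap_output(text):
    """Parse the port table and traceroute section of nmap normal output."""
    result = {"target": None, "ports": [], "hops": []}
    section = None
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            result["target"] = m.group(1)
            continue
        if line.startswith("PORT"):        # header of the port table
            section = "ports"
            continue
        if line.startswith("TRACEROUTE"):  # header of the traceroute block
            section = "hops"
            continue
        if not line.strip():               # blank line ends a section
            section = None
            continue
        if section == "ports":
            m = PORT_RE.match(line)
            if m:
                result["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                        "state": m.group(3), "service": m.group(4)})
        elif section == "hops":
            m = HOP_RE.match(line)         # skips the "HOP RTT ADDRESS" header
            if m:
                result["hops"].append({"hop": int(m.group(1)), "rtt_ms": float(m.group(2)),
                                       "address": m.group(3)})
    return result


def open_ports(result):
    """Sorted list of ports reported as open."""
    return sorted(p["port"] for p in result["ports"] if p["state"] == "open")


def unexpected_open(result, allowed):
    """Open ports that are not on the allow-list: the exposure a firewall should have blocked."""
    return sorted(set(open_ports(result)) - set(allowed))


if __name__ == "__main__":
    scan = parse_nmap_output(SAMPLE)
    print("target:", scan["target"])
    print("open:", open_ports(scan))
    print("not on allow-list {22, 80}:", unexpected_open(scan, {22, 80}))
    print("path:", [h["address"] for h in scan["hops"]])
```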

Tuesday, July 29, 2014

Install and Use Nmap/Zenmap 6 in Ubuntu 14.04

For the installation, follow the steps listed below.
  1. If you don't have the alien command, install it with a command such as $sudo apt-get install alien
  2. Download the Nmap RPM for your platform (x86 or x86-64) from http://nmap.org/dist/nmap-6.46-1.i386.rpm or from http://nmap.org/dist/nmap-6.46-1.x86_64.rpm depending on your target operating system. Since my operating system is a 64-bit edition, I am using the nmap-6.46-1.x86_64.rpm version of Nmap.
  3. Verify the download integrity as described in the section called “Verifying the Integrity of Nmap Downloads”.
  4. Generate a Debian package with a command such as $sudo alien nmap-6.46-1.x86_64.rpm
  5. Install the Debian package with a command such as $sudo dpkg --install nmap-6.46-1.x86_64.rpm.deb
  6. Steps 2–5 can be repeated for the other Nmap RPMs such as Zenmap, Ncat, and Nping.
    • To download Zenmap - http://nmap.org/dist/zenmap-6.46-1.noarch.rpm
    • To download Ncat - http://nmap.org/dist/ncat-6.46-1.x86_64.rpm
    • To download Nping - http://nmap.org/dist/nping-0.6.46-1.i386.rpm

After installing Nmap using the above procedure, you will probably face the following error while executing the nmap command or Zenmap:
nmap: error while loading shared libraries: libsvn_client-1.so.0: cannot open shared object file: No such file or directory

The solution is:

a) Install Subversion:
$apt-get install subversion

b) Make this symlink:
$ln -s /usr/lib/libsvn_client-1.so.1.0.0 /usr/lib/libsvn_client-1.so.0  (This should work in most cases.)

or

$ln -s /usr/lib/x86_64-linux-gnu/libsvn_client-1.so.1.0.0 /usr/lib/libsvn_client-1.so.0 (In my case this one worked, not the one above.)

To run Zenmap or Nmap (the binaries are lower-case on Linux):
$sudo zenmap or $sudo nmap

Refer to the website http://nmap.org/6/ for command references.

Tuesday, June 17, 2014

Forcing Password Complexity in Red Hat Linux

My requirement was to enforce password complexity for all the users of my RHEL 5 server (this also works for RHEL 4/5). This may be helpful to you too.

Password complexity is a set of rules that define which character classes, and how many of each, must appear in a password. My policy requirement was to have:
  • Minimum Length = 10
  • Number of digits = 1
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one other character.

As a precaution, I always back up the existing configuration file first. To create a backup of the existing file:
$ cp /etc/pam.d/system-auth /root/system-auth

First I looked for the line containing the pam_cracklib module in the file /etc/pam.d/system-auth. In RHEL 5 and RHEL 6 it looks like this:
password requisite pam_cracklib.so try_first_pass retry=3

In RHEL 4 it looks like "password requisite /lib/security/$ISA/pam_cracklib.so"

This is the line to edit to add the password policy configuration. I changed it as given below to reflect my password policy requirements.

password requisite pam_cracklib.so try_first_pass retry=3 minlen=10 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1

The same can be configured in RHEL 4 as "password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1"

I had existing users on my system and I wanted to make sure they complied with the password policy, so they were forced to change their password at their next login. To do this I needed to lock the user account, expire its password, and unlock the user account. Here are the simple steps to accomplish this.

Lock the account:
$ usermod -L kushan

Expire their current password:
$ chage -d 0 kushan

Unlock the account:
$ usermod -U kushan

Check the status of their password (this shows the current password-aging configuration of the user "kushan"):
$ chage -l kushan

A description of the parameters used above is given below. For each credit parameter a non-negative N is a credit that shortens the effective length requirement, while a negative N is a hard minimum: the -1 values in the line above therefore demand at least one character of each class.
  • retry=N: Prompt the user at most N times before returning with an error. The default is 1.
  • minlen=N: The minimum acceptable size for the new password (plus one if credits are not disabled, which is the default).
  • reject_username: Check whether the name of the user, in straight or reversed form, is contained in the new password. If it is found, the new password is rejected.
  • dcredit=N: (N >= 0) The maximum credit for having digits in the new password. (N < 0) The minimum number of digits that must appear in the new password. The default for dcredit is 1.
  • lcredit=N: (N >= 0) The maximum credit for having lower-case letters in the new password. If you have N or fewer lower-case letters, each letter counts +1 towards meeting the current minlen value. (N < 0) The minimum number of lower-case letters that must appear. The default for lcredit is 1.
  • ocredit=N: (N >= 0) The maximum credit for having other characters in the new password. (N < 0) The minimum number of other characters that must appear. The default for ocredit is 1.
  • ucredit=N: (N >= 0) The maximum credit for having upper-case letters in the new password. (N < 0) The minimum number of upper-case letters that must appear. The default for ucredit is 1.
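To make the credit arithmetic concrete, here is an added example that re-implements pam_cracklib's minlen/credit scoring in Python and runs it against the policy line from this post. It is not pam_cracklib itself and it skips the module's dictionary and similarity checks; the scoring rule it mirrors is the one documented above (a credit N >= 0 lets up to N characters of that class add to the length score, a credit N < 0 demands at least -N characters of that class, and the score must reach minlen). Parsing the `password requisite` line into options is an assumption made for the example; the PAM_LINE string is copied from the post.

```python
# Re-implementation of pam_cracklib's length/credit scoring for illustration;
# not the real module. The PAM line is the RHEL 5/6 line from the post.
PAM_LINE = ("password requisite pam_cracklib.so try_first_pass retry=3 "
            "minlen=10 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1")

# pam_cracklib defaults: minlen 9 and a credit of 1 for every class.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}


def parse_cracklib_args(line):
    """Pull the key=value arguments off a pam_cracklib module line (assumed layout:
    type, control, module, then arguments). Unknown keys such as retry are ignored."""
    opts = dict(DEFAULTS)
    for token in line.split()[3:]:
        if "=" in token:
            key, value = token.split("=", 1)
            if key in opts:
                opts[key] = int(value)
    return opts


def credit_score(password, opts):
    """Return (score, failure_reason). A credit N >= 0 adds min(count, N) to the
    length; a credit N < 0 fails the password unless at least -N chars are present."""
    counts = {
        "dcredit": sum(c.isdigit() for c in password),
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
    }
    # "other" characters are everything that is not a digit, upper or lower.
    counts["ocredit"] = len(password) - sum(counts.values())
    score = len(password)
    for key, count in counts.items():
        credit = opts[key]
        if credit >= 0:
            score += min(count, credit)
        elif count < -credit:
            return score, f"needs at least {-credit} character(s) of class {key}"
    return score, None


def check_password(password, opts):
    """Apply the class minimums, then the minlen test, like the module does."""
    score, reason = credit_score(password, opts)
    if reason:
        return False, reason
    if score < opts["minlen"]:
        return False, f"score {score} below minlen {opts['minlen']}"
    return True, "ok"


if __name__ == "__main__":
    policy = parse_cracklib_args(PAM_LINE)
    for candidate in ("Passw0rd!", "Passw0rd!!", "password12"):
        print(f"{candidate!r}: {check_password(candidate, policy)}")
    # With the defaults, seven lower-case letters and one digit score 10 >= 9.
    print("abcdefg1 under defaults:", check_password("abcdefg1", DEFAULTS))
```

The last line of the `__main__` block shows why the man page says "plus one" about minlen: with the default credits of 1 per class, an eight-character password that touches two classes scores 10, which is why minlen=10 with all credits set to -1 (no credits, hard minimums) is a noticeably stricter policy than the defaults.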