Thursday, October 29, 2009

GSEC exercises: tcpdump

Tonight I'm doing some lab work for the GSEC recertification. I started this morning by compiling a cram sheet for module 401.1, mostly consisting of info on TCP/IP header decoding and things to make my life easier.

I started out to build a little diagram of a TCP/IP packet in hex with each header a different color so that my ADD brain could decipher quickly and easily what fields are what protocols. Then at this site I found what I was looking for:

IP header (20 bytes):
4510 0068 7e87 4000 4006 3862 c0a8 011e
c0a8 0128
TCP header (20 bytes):
0016 0479 b6c8 a8de 621e 87db
5018 4470 1813 0000
TCP payload (the remaining 64 bytes):
e492 152f 23c3 8a2b
4ee7 dbf8 0d48 88e8 0110 2b01 4295 39f4
52c9 a05b 31d7 e3ae 1c62 2dbd d955 d604
b5d2 63d1 8fbc 4ab7 1615 b382 571c 70e0
a368 a03f 425b 6211

I changed the colors to work with a white background, but here in red you see the IP header (20 bytes), and in cyan you see the TCP header (another 20 bytes).

Each group of 4 hex digits is 2 bytes. Then just remember that offsets are counted from zero: the "offset" of a field is how far, in bytes (or bits), it sits from the start of the header.

The first option we take is the "-i" which instructs tcpdump which interface to listen on. This is useful if you have multiple NICs or perhaps if you are using VMWare to run your lab. I did notice that traffic coming out of the VM will be captured by the host on lo, but not on eth0. Packets from host to VM can be captured on eth0, however. I'm assuming that is because the network card is actually bridged through the physical interface, so traffic coming from the VM never touches the wire. That's good to know, actually, as I prepare to take this into the real world.

Next I use "-x", which dumps the packet in hex. Hex is a bugger for me, personally, to work with, but it really gives you a good feel for what fields are where in the frame. I find that, as I do this more, I pick up a field here and there, starting with the first nibble of an IP header, which indicates the IP version. A "4" indicates that this is IPv4 (so if it were IPv6 it would obviously be a 6), and the second nibble (at bit offset 4) is a 5, indicating the IP header length in 32-bit words (4 bytes == one 32-bit "word", so 5*4 = 20 bytes).
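As an added example (not from the original post), the same decoding done with Python's struct module over the dump above, so each field the post reads off by hand (version nibble, IHL in 32-bit words, protocol, addresses, ports, TCP data offset and flags) can be checked against the bytes, including that the IP total length matches what was captured:

```python
import struct

# The packet from the post, as tcpdump -x printed it (whitespace is ignored).
PACKET_HEX = """
4510 0068 7e87 4000 4006 3862 c0a8 011e
c0a8 0128
0016 0479 b6c8 a8de 621e 87db
5018 4470 1813 0000
e492 152f 23c3 8a2b
4ee7 dbf8 0d48 88e8 0110 2b01 4295 39f4
52c9 a05b 31d7 e3ae 1c62 2dbd d955 d604
b5d2 63d1 8fbc 4ab7 1615 b382 571c 70e0
a368 a03f 425b 6211
"""

TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def decode_ipv4_tcp(hexdump: str) -> dict:
    """Decode an IPv4/TCP packet from tcpdump -x style hex; offsets count from byte 0."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    # Byte 0 holds two nibbles: version (high) and header length in 32-bit words (low).
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _ipcsum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ip_hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # 5 words * 4 = 20 bytes
    if version != 4 or ip_hlen < 20 or len(pkt) < total_len:
        raise ValueError("not a complete IPv4 packet")
    if proto != 6:
        raise ValueError(f"IP protocol {proto} is not TCP")
    # The TCP header starts right after the IP header (IP options, if any, are inside ip_hlen).
    sport, dport, seq, ack, off_flags, window, _tcpcsum, _urg = \
        struct.unpack("!HHIIHHHH", pkt[ip_hlen:ip_hlen + 20])
    tcp_hlen = (off_flags >> 12) * 4          # data offset, again in 32-bit words
    flags = [name for name, bit in TCP_FLAG_BITS if off_flags & bit]
    payload = pkt[ip_hlen + tcp_hlen:total_len]
    return {
        "version": version, "ip_header_len": ip_hlen, "total_len": total_len,
        "dont_fragment": bool(flags_frag & 0x4000), "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "tcp_header_len": tcp_hlen, "flags": flags, "window": window,
        "payload_len": len(payload),
    }


if __name__ == "__main__":
    for key, value in decode_ipv4_tcp(PACKET_HEX).items():
        print(f"{key:>15}: {value}")
```

Running it shows the dump is an SSH (port 22) segment from 192.168.1.30 to 192.168.1.40 with PSH and ACK set and 64 bytes of payload, which is why the hex after the two headers looks like noise: it is encrypted data.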

Other important options are "-X", which gives you the ASCII output as well, and "-s", which allows you to determine how much of each packet you want to capture (-s is for "snaplen", or snapshot length). Using -s0 means "capture the whole packet." Remember that one when you are ready to mount your attack on the local FTP server...

I have been using tcpdump for many years now, and for some reason I have never noted the "host" or "and()" parameters. Using these you can specify a hostname or IP address to filter your capture on (handy if you are trying to watch an attack). Syntax would be:

tcpdump -i eth0 'host 192.168.1.1 and (192.168.1.5 or 4.2.2.2)'

This allows you to capture any traffic between host 1 (192.168.1.1) and either host 2 (192.168.1.5) or host 3 (4.2.2.2). Using these parameters you can really fine-tune your capture, and I now use this quite a lot. It shuts down much of the noise a normal LAN has these days. Oh, you can also use "and not" to keep traffic from any given host from being captured. Nice when you work remotely, like I often do, and don't want to capture all the VNC traffic between your workstation and the remote host.

There you have it, folks. Tcpdump. There are a boatload of great tutorials out there, and quite honestly I'd rather use Wireshark. But sometimes for a quick 'n' dirty capture it's nice to run a quick tcpdump and see who's communicating with whom. Not to mention you get to feel like you're in the Matrix as you watch all that hex fly by...

Wednesday, October 28, 2009

GSEC Update

I finished my initial run-through of the SANS GSEC coursework tonight. I have been feeling a bit pressured, because there are 6 volumes in the course, each of which includes about 350 pages plus a couple hundred pages of lab work. I've been pressing on, using the 20+5 method for discipline and focus (20 minutes of hyper-focused study, 5 minutes of "blowing off steam" doing whatever I felt like doing).

Tonight I finished the coursework, and I left the labs until later. The reason is that many of the labs use tools I am very familiar with and use daily - tcpdump, hping, John the Ripper, Microsoft Security Baseline Analyzer, PGP, etc. With the reading portions finished tonight I have the following things left to do:

1) Lab work. I intend to go through each lab and refamiliarize myself with the tools, hopefully picking up a few new ideas for vulnerability and penetration testing.
2) Two practice exams. These are 3-hour exams, so I'll have to do them on the weekends. I'll utilize them like I did the CCNA practice exams, recording any question I'm not 100% sure of off the bat and restudying the weak areas. The GSEC exam itself is open book, open paper. In essence, I can bring in anything I want as long as it is not electronic. That brings me to the next task:
3) Cram sheet compiled of the post-it notes I've filled the books with.

So I scheduled my exam for November 16th, but in light of the fact that I have finished the courseware a little early I may just move that up a week. I'd like to get this over with so I don't have to worry about any certification exams for a while. I'd like to get back to playing guitar daily, building boutique effects pedals and enjoying my family again.

But of course, today I was offered a 2-day course on Watchguard Firewalls that will prep for Watchguard certification. Sheesh! This may never end!

Friday, October 16, 2009

GSEC - Week 3

It has been a long hard road of studying for the upcoming GSEC recertification. I just finished a round of study, and tonight was exceptionally fun.

I'm on Module 4 of the GSEC curriculum, which is on Secure Communications. This is not new material, but I find it really fascinating to consider the inner workings of cryptography. Cryptography means "secret writing" and it's a method of hiding data in plain sight by applying complex algorithms to existing data to obfuscate the original message. Most people don't know it, but every time you see "https" in the address bar of your web browser, you are employing encryption to hide things like credit card numbers from ne'er-do-wells.

Of course, I couldn't begin to explain complex number theory. But the concepts are mind-blowing to me. Tonight I began looking into Virtual Private Networks, and while I work with these daily at work I like getting back to the basics of what exactly is going on when I configure a firewall to tunnel data from one site to another. More of this in the near future.

I've also looked briefly at security policies (the linchpin of any security posture in corporate America) and I was glad I did, because just after my refresher I was contacted by a customer who was in the middle of an audit requiring security policies. I was able to draft some policies for them and they put their own corporate spin on them and we got them through it. Now, those weren't the most thorough policies I've ever written, but they got the job done.

Another thing that I've been fascinated with again is penetration testing. The tools for this are outstanding, and a lot of people have put a lot of work into making these available. I hope to look at pentesting more after this exam is over and blog about my experiences there. I'm using VMWare Workstation and several different pre-built VMs built expressly for pentest labs. Virtual machines have made this so much easier than it was when I started in information security. Now instead of having a half dozen machines all running, I run one big machine with several virtual machines inside it. When I FUBAR one, I just click "restore to last snapshot" and the thing is right back where I started. Awesome technology.

At any rate, I'm off to bed. I have an episode of "Big Bang Theory" to watch with my lovely wife and I can't wait to relax a little. Tomorrow is hockey practice and I'm not feeling very well, so I want to be rested before I have 20 5-year-olds all trying to catch "Coach Greg."