April 2009 - Posts

I have been a great fan of Wireshark/Ethereal for many years now and love the feature richness of the product.

Microsoft has had Netmon for quite some time now, but has only recently (re)introduced Experts, which MS hopes will bring Wireshark's feature richness to the Netmon world. “Let the battle begin,” I would say.

As a tech guy you should, however, always keep your eyes open for the good things in all products, and even though Wireshark is still superior as of today, Netmon has some great features that are worth looking at right now.

The moral of my story: download both Wireshark and Netmon, use each tool in the situation where it is most efficient for what you need, and interoperate between the two whenever handy!

What I find nice in Netmon 3.3:

- Process-based capture => this has been a Netmon trademark for a while: unlike Wireshark, Netmon can filter on the owning process at application layer 7. This is great, but of course only works when capturing on the local host.

image

- Autoscroll => while Wireshark has had this for a looong time, it has now made its way to Netmon, but you do have to turn it on explicitly. (This is not a bad thing, as watching live captures, apart from looking cool when your boss walks by, adds no value except eating a lot of CPU cycles.)

image

- Multiple network cards => Wireshark is limited to capturing on one single NIC at any given time. You can of course open multiple instances of Wireshark to trace two NICs, but then you have two windows. With Netmon you can select as many NICs as you want and capture all traffic into one big capture file. Practically speaking I don't really think there is a lot of benefit, but you can do it if you want. A NIC thing to note is that you can add and remove NICs live during captures.

image

- Another neat feature is the ability to add comments to SAVED captures. I have always been a great fan of documenting at the resource level, as creating tons of Word docs with info and comments just leads to loads of old docs that nobody knows what they are for. With this you can document interesting things you see straight in your captures.

The # at the frame level shows you there is a comment on that line, and in the bottom right you can read what your comment was.

image

- And last but not least is the one thing you have got to love. What Microsoft calls the Simple Search Expert is in my eyes a super search for Netmon. Yes, we have string search in Wireshark, but Netmon goes down the path of regular expressions, with pre-built expressions right out of the box. That's right baby, right out of the box!!!

Credit cards, telephone numbers, … it's all there, ready for you to point and click.

image

This is the result of a quick sniff with the e-mail filter switched on, but just think of what you can do.

image

And don't forget to press the More>> button.

image

Enjoy Wireshark and Netmon, both great tools with practical uses; combine both and be the master!

When running a Wireshark capture on a Windows system, the default behaviour is to write the captured traffic to a temporary file in a Wireshark-specific folder under your Windows profile.

When running a capture on a network interface you must realise that this means saving every byte of data that passes through the NIC to disk. On a very busy server this can eat a lot of disk space in a very short time and cause your system disk to fill up. That will make Wireshark crash and can leave your system running very sluggishly.

It is important that you as an administrator take control of this behaviour and redirect this temp file to a disk with enough free I/O capacity and disk space.

How to take control of the default capture behaviour in Wireshark:

1) What is the default location?

Open Wireshark > Help > About > Folders > Temp

This is the default location automatically loaded by Wireshark. The path is determined when Wireshark starts up, from the TEMP or TMPDIR environment variable. It is always a good idea to head over to this directory and remove any lingering capture temp files.

image

2) How to change the default behaviour

You could change the TEMP variable, but that could influence other apps you don't want affected. A better option is to create a TMPDIR variable in your user environment variables. (You could also put it in the system variables if you have multiple users on the same system.)

Add the TMPDIR variable and set it to the location where you want the temporary captures stored.

image

3) Head back to Help > About > Folders to confirm the change has taken place.

image

Start a capture and you should see a file appear.

image

By default Wireshark removes this file when you restart or clear the current capture, or when you shut down Wireshark.

However, if for some reason wireshark.exe crashes, you end up with a lingering temp file that is never cleaned up automatically. So it is a good idea to check this folder from time to time and clear out any old files.

The benefit of course is that this lingering file is a normal pcap file, and you can open it to examine the trace right up to the point where the crash occurred.

Since its release back in 2006, ISA has held a high reputation, as there had been 0 security bulletins in over 3 years.

http://www.microsoft.com/technet/security/Bulletin/MS09-016.mspx

Patch Tuesday, 14 April 2009, has however changed this spotless track record, as the first security bulletin has been released, fixing two issues within ISA 2004 / 2006 and TMG:

  • Web Proxy TCP State Limited Denial of Service Vulnerability - CVE-2009-0077

A denial of service vulnerability exists in the way the firewall engine handles TCP state for Web proxy or Web publishing listeners. The vulnerability could allow a remote user to cause a Web listener to stop responding to new requests.

  • Cross-Site Scripting Vulnerability - CVE-2009-0237

A cross-site scripting (XSS) vulnerability exists in the HTML forms authentication component in ISA Server or Forefront TMG, cookieauth.dll, which could allow malicious script code to run on the machine of another user under the guise of the server running cookieauth.dll. This is a non-persistent cross-site scripting vulnerability that can lead to spoofing and information disclosure.

Both issues are more than serious enough to justify patching your ISA servers that publish websites to the outside world ASAP. I have patched my systems and have had no issues.

This update stops the ISA services during installation and requires your ISA servers to be rebooted after the update is installed.

On the bright side, it is well worth mentioning that this vulnerability was detected by MS internally, which shows how committed Microsoft and the ISA team are to building secure and reliable software. No cover-up story, unmentioned fixes or other bull sh*t, just an open and honest bulletin with an honest patch to fix the problem.

So get cracking, patch your ISAs now and you'll once again have the best firewall out there!

As Conficker is still spreading throughout the internet, somebody came up with an easy way to check whether your system is infected just by visiting a website. One of Conficker's actions is to block your access to a number of security sites, so a web page was created that embeds remote images hosted on a number of well-known security sites.

If one or more images do not appear on your screen, there is a good chance you are infected with Conficker.

Want to check your own PC?

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

If the result is anything but the table below, it is well worth running an extra virus scan.

image

Last weekend we hosted an IT-Talks session on Wireshark. One of the demos we wanted to give was on how you can use Wireshark to decrypt SSL traffic, provided you have the private key.

As there were some issues with the demo, I have set up this blog post and a demo video on how to do this.

The purpose of this tutorial is to show you the power of Wireshark, how you can decrypt traffic to see what your ISA publishing server sees, and why you should really pay great attention to where and how you store your private key certificates.

You can find a tutorial video at: http://www.it-talks.be/video/wireshark_ssl.rar

image

Decrypting SSL traffic is done in 3 steps.

image

Step 1: exporting the SSL certificate to a PKCS12 certificate file (.pfx)

image

Step 2: export the private key from the PKCS12 certificate to a single RSA private key file

To export the private key you will need to download a copy of OpenSSL. There are many sites from which you can download this tool.

After downloading the tool, use the following command to export the private key to an RSA key file:

openssl pkcs12 -in internal_demonet_local.pfx -out demokey.pem -nodes -nocerts

The general form is (note that every option takes a plain hyphen):

openssl pkcs12 -in <your cert file.pfx> -out <your output file> -nodes -nocerts

-nodes writes the key out unencrypted, and -nocerts leaves the certificates out of the output file so that only the private key remains.

image

If you open the file in Notepad you can see this is an RSA private key.

image

Step 3: configure Wireshark

Right-click on a data packet and choose Follow TCP Stream. You will see the encrypted data reconstructed.

image

Click Edit > Preferences

image

Drill down to Protocols > SSL

image

Here you must fill in 2 fields:

- The top field holds the actual decryption data. You need to fill in a string as follows (all on one long line, no line breaks):

10.10.20.100,443,http,C:\Documents and settings\secadmin\Desktop\certificates\demokey.pem

   -> 10.10.20.100 => the IP address of the SSL site you are accessing (not your IP, the server's IP)

   -> 443 => the server's destination port

   -> http => the protocol (make sure you type it in lower case!)

   -> C:\Documents and settings\secadmin\Desktop\certificates\demokey.pem => the path to your exported RSA private key

image

You will see that some of the packets that were gray before are now decrypted and turn green as HTTP.

image

Right-click a data packet and you will see that Follow SSL Stream is now available.

The end result is the decrypted reconstructed webpage.

image
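Steps 2 and 3 above, worked through end to end as an added shell example. This is my code, not the original post's and not part of OpenSSL or Wireshark. Because the .pfx exported from the ISA server in Step 1 is not available here, the script first creates a throwaway self-signed certificate and bundles it into a PKCS12 file standing in for internal_demonet_local.pfx (the host name internal.demonet.local and the password demo are constructed for the demo), then runs the post's openssl pkcs12 -nodes -nocerts command, checks that the extracted key really belongs to the certificate by comparing RSA moduli, and finally assembles the Wireshark preference line in the ip,port,protocol,keyfile format from Step 3. One caveat before relying on this against a real trace: decryption with the server's private key only works for cipher suites that use RSA key exchange; with (EC)DHE suites the session keys cannot be derived from the certificate's key and Wireshark keeps showing the stream as encrypted.

```shell
#!/bin/sh
# Added example (not from the original post): round-trip a private key out of a
# PKCS12 (.pfx) file the way Step 2 does, verify it, and build the Step 3 entry.
set -eu

# Constructed stand-in for the certificate exported from the ISA server in Step 1.
# Host name, file name and the password "demo" are assumptions for this demo only.
make_demo_pfx() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=internal.demonet.local" \
        -keyout "$dir/original_key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/original_key.pem" -in "$dir/cert.pem" \
        -out "$dir/internal_demonet_local.pfx" -passout pass:demo
}

# Step 2: the post's command, with the .pfx password supplied non-interactively.
# -nodes writes the key unencrypted, -nocerts leaves the certificates out.
extract_key() {
    pfx=$1; password=$2; keyfile=$3
    openssl pkcs12 -in "$pfx" -out "$keyfile" -nodes -nocerts -passin "pass:$password"
}

# The check a practitioner wants before pointing Wireshark at a key file: the
# RSA modulus of the extracted key must equal the modulus in the certificate.
# Exit status 0 on match, 1 otherwise. (openssl rsa skips the "Bag Attributes"
# header that pkcs12 prints above the PEM block.)
key_matches_cert() {
    keyfile=$1; certfile=$2
    key_mod=$(openssl rsa -noout -modulus -in "$keyfile")
    cert_mod=$(openssl x509 -noout -modulus -in "$certfile")
    [ "$key_mod" = "$cert_mod" ]
}

# Step 3: the RSA keys entry, ip,port,protocol,keyfile on one line.
# The protocol name must be lower case, as the post notes, so it is forced here.
wireshark_rsa_entry() {
    ip=$1; port=$2; proto=$3; keyfile=$4
    printf '%s,%s,%s,%s\n' "$ip" "$port" "$(printf '%s' "$proto" | tr 'A-Z' 'a-z')" "$keyfile"
}

main() {
    work=$(mktemp -d)
    make_demo_pfx "$work"
    extract_key "$work/internal_demonet_local.pfx" demo "$work/demokey.pem"
    if key_matches_cert "$work/demokey.pem" "$work/cert.pem"; then
        echo "extracted key matches the certificate"
    else
        echo "extracted key does NOT match the certificate" >&2
        exit 1
    fi
    # 10.10.20.100 is the server address used in the post, kept as sample input.
    wireshark_rsa_entry 10.10.20.100 443 http "$work/demokey.pem"
    rm -rf "$work"
}

main
```

The modulus comparison is the step most people skip: a key file that came out of the wrong .pfx loads into Wireshark without complaint and simply decrypts nothing, so checking the pair once saves a long hunt through the SSL debug output.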

SSH is a great protocol for secure remote administration, file copying and port redirection. There are many ways to get an SSH daemon onto your Windows-based servers and have it run a bash shell in a Unix clone.

I have used this for many years, as it also allows you to do certificate-based logons without entering any passwords. This is great for automating tasks on remote systems.

When trying to execute a script to change the directory I kept getting an unexpected error: “No such file or directory”.

The scenario is as follows:

1. I install copssh on my Windows server to activate the SSH service and the Cygwin environment. You can pick up a free copy of copssh at itefix: http://www.itefix.no/i2/node/27

2. In the home directory of my Windows server's SSH user I created a .sh script to change directory to c:\temp and list the directory there. As you can see, I need to use the cygdrive mount point to access my directory.

image

3. I then log on to my SSH server and, as you can see, the test.sh file is located where it should be.

image

4. When I tried to execute the file, however, I got a “No such file or directory” error.

image

5. Naturally the first reflex is that there is an error in the commands, so I cat out the script and cut/paste each individual command. As you can see, the system has no problem accepting the commands and going to the directory.

So what’s the problem?

image

6. The file was created using Notepad. This is a Windows application, and Windows apps typically end a line with a hard enter, a carriage return followed by a line feed (CRLF).

Unix environments, however, typically use a plain line feed (LF) at the end of a line instead of CRLF. Even though we can't see these line endings, they are there, and they are the cause of the issue.

An easy way to tackle this issue is to use a free text editor called ConTEXT to convert Windows files to Unix files and back. You can download this tool at http://www.contexteditor.org/

image

7. After doing the conversion and then opening the file in Notepad, you can see the typical squares between the commands, with everything on a single line. This is how Windows interprets the LF character.

image

8. If we now rerun the command, it executes without a problem.

image
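Steps 4 to 8 above, reproduced as an added shell example. This is my code, not the post's and not ConTEXT's. A stand-in for test.sh is constructed with the CRLF endings Notepad would have saved; the script then makes the invisible carriage returns visible with od, counts them, shows that the CRLF version fails exactly as in step 4 while the converted copy runs, and strips the CR bytes, which is the conversion ConTEXT performs in step 6 (dos2unix does the same). The reason the cd fails is that the shell treats the trailing CR as part of the argument, so it looks for a directory literally named "<dir><CR>", which does not exist; a shebang line ending in CR fails the same way because it names an interpreter that does not exist. The directory path used in the script is a temporary one created for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): detect, demonstrate and strip
# Windows CRLF line endings in a shell script, as in step 6 of the post.
set -eu

# Constructed stand-in for test.sh as saved by Notepad: "cd <dir>" and "ls",
# each line terminated with CR+LF. $2 is the directory the script should enter.
make_crlf_script() {
    printf 'cd %s\r\nls\r\n' "$2" > "$1"
}

# Number of carriage-return bytes in a file; 0 means the file is Unix-style.
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Exit status 0 if the file contains any CR byte, 1 otherwise.
has_crlf() {
    [ "$(count_cr "$1")" -gt 0 ]
}

# Make the invisible line endings visible: od prints CR as \r and LF as \n,
# which is what the hex view in the post's editor shows as well.
show_line_endings() {
    od -c "$1"
}

# Exit status 0 if the script runs to completion, non-zero if a command failed.
script_runs() {
    sh "$1" >/dev/null 2>&1
}

# Convert CRLF to LF by deleting every CR byte (the ConTEXT / dos2unix conversion).
to_unix() {
    tr -d '\r' < "$1" > "$2"
}

main() {
    work=$(mktemp -d)
    mkdir "$work/target"                      # the directory the script cd's into
    make_crlf_script "$work/test.sh" "$work/target"
    echo "before conversion: $(count_cr "$work/test.sh") carriage returns"
    show_line_endings "$work/test.sh"
    if script_runs "$work/test.sh"; then
        echo "CRLF script ran (unexpected)"
    else
        echo "CRLF script failed, as in step 4; the shell's own message:"
        sh "$work/test.sh" 2>&1 >/dev/null || true
    fi
    to_unix "$work/test.sh" "$work/test_unix.sh"
    echo "after conversion:  $(count_cr "$work/test_unix.sh") carriage returns"
    if script_runs "$work/test_unix.sh"; then
        echo "converted script runs fine, as in step 8"
    fi
    rm -rf "$work"
}

main
```

count_cr is the quick check to run whenever a script that "looks right" fails with a file-not-found style error after being edited on Windows; a non-zero count settles the question before any time is spent second-guessing the commands themselves.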