Beautifying your Wireshark on macOS

Need to do some fast and crazy Wireshark hacking? Or are you using Wireshark every day on OS X and hate the ugly default GTK styling? Let's rice Wireshark!

Step 1: Change your GTK 2.0 Theme

We'll use DG09's Lion Theme for GTK 2.0. I've made two minor changes for Mavericks.

[Preview: http://dg09.deviantart.com/art/Lion-Theme-Beta-207837762]
[Download: https://static1.squarespace.com/static/.../DG09-LionGTK.mod.tgz]

Read More

Gelf: L1 Emulation, L2 Tunneling, using an HTTP Client

Simply: Gelf uses an HTTP client to bridge two or more networks. The iPhone is the primary use case; it has access to both AT&T's mobile network as well as an ad-hoc network. You can bridge the two using Gelf, without running any code on the iPhone, aside from client-side HTML and JavaScript.

This achieves a non-jailbroken, non-rooted, poor-man's network tether. Here's the catch: Gelf needs to run on a device inside each target network. Gelf functions as the L2 tunnel endpoints, and the L1 emulation is achieved through an HTTP client.

Read More

CODEGATE 2012 - Network 100 Writeup

Take a look at Eindbazen's write-up on Network 100.

I wanted to do the same write-up, highlighting an alternate path. (This will be the last CODEGATE 2012 write-up of mine, since both Leetmore and Eindbazen have all the other challenges we solved well documented.)

You start with a file: A0EBE9F0416498632193F769867744A3

And a note:

Someone has leaked very important documents. We couldn't find any proof without one PCAP file. But this file was damaged.

The password of the disclosed document is very weak and based on time, so it can be found easily.

Cryptographic algorithm is below. Msg = "ThisIsNotARealEncryption!SeemToEncoding"
Key = 0x20120224 (if date format is 2012/02/24 00:01:01)
Crypto = C(M) = Msg * Key = 0xa92fd3a82cb4eb2ad323d795322c34f2d809f78

Answer: Decrypt(Msg)

Read More

Dual VPNing and why ICMP is a Friend

The security lab I've been developing is located on my university's campus network. If I want to work from home (which I did this week), I need to VPN on to campus. If I then want to work within the security lab I need to VPN on to the lab. I call this dual VPNing! For both VPN connections I opt out of using the VPN as my gateway. So essentially I utilize the campus VPN for a secured connection to my security lab VPN server, then the security lab VPN to access the lab NAT. This leaves my innocent laptop with quite a large routing table, but she's a trooper and doesn't complain.

Read More

Fun with Network Forensics: Discovering a Rogue Bridge

This is a short write-up on some interesting things I found while completing a midterm project for a Network Forensics class I took last year. My network forensics group decided to map the traffic for contemporary Windows-based denial of service vulnerabilities. Our project utilized a live network of volunteer hosts connected to the university network. We used NetFlow data collected by Flow Tools. While searching for possible exploits I found a hidden network bridge. The bridge used a non-human host registered to a roaming port in a networking closet. The host was eventually found to run a rogue process which proxied connections from an external residence on to campus. A malicious user could have used this bridge to proxy requests from their home through the university.

Read More

Fun with Home Network Forensics

This semester I took a course called Network Forensics. It was a very interesting course, project based, which allowed the students to design any network forensics-related project they wished. For our project, completed with a classmate of mine, we analysed Cisco NetFlow data for our fraternity house. There were quite a few administrative hoops to jump through, including authorization by the university's IRB (since we collected information about its students). I thought I'd share some of my experiences from the project. This summary will try to guide anyone interested in simple forensics through setting up a collection environment for their home network. Unfortunately it isn't a HOWTO or drop-in system. Though if you try what I describe, you're bound to have some fun!

Read More

Tunneling (Proxying) ntop through Apache

ntop is a great application. One of its best features is the ready-to-go web server it comes with. You can tell ntop to launch an http or https only (or both) server when it starts. By default ntop will listen on port 3000 for incoming http/https requests.

Unfortunately I like to keep everything organized. I'd like to access my ntop without having to poke any more holes into my firewall. Ideally I wanted to configure an Apache virtual host to point to some tidy folder (perhaps /usr/share/ntop/webserver) and then rely on my already configured Apache to serve up the ntop web files. Well, it's not that easy, but it is possible!

Read More