Wednesday, October 31, 2007

Nessus 3.06 on Ubuntu 7.10 _Gutsy Gibbon_

Post upgrading to Gutsy Gibbon on one of my test systems I needed to install an application that I regularly use (Nessus). To install this I downloaded the standard Nessus 3.0.6 deb package from and attempted install via the package manager. The installation attempt produced the following Error: Dependency is not satisfied: libssl0.9.7. Normally I wouldn't write about this, but given the fact that I noticed several locations on the internet (various forums and blogs) about this issue being unresolved for many users I figured I would post what worked for me.

The first thing that I did was install libssl-dev "sudo apt-get install libssl-dev". After installing libssl-dev I again attempted to install the Nessus 3.0.6 deb package and received the same error " Error: Dependency is not satisfied: libssl0.9.7". My next step was to download libssl0.9.7_0.9.7g-5ubuntu1.1_i386.deb directly from and install this deb package. That's what did the trick, Nessus is now up and running and everyone (me) is happy.


Monday, October 29, 2007

HeX-VA (Virtual Security Appliance)

I am pleased to announce the release of the HeX Virtual Appliance!

To facilitate quick and easy use of the tools that are built into the HeX Live CD, we have installed the Live CD on four Virtual Machines to create four Security Virtual Appliance Images. These images are intended to aide in the rapid deployment and usability of the HeX Live Toolkit and we are dubbing it HeX-VA. The images are designed for use with Parallels, Qemu, VMware and Virtualbox virtualization technologies. If you have any problems using these images or have any suggestions, please feel free to contact us or stop by #rawpacket on freenode.

Thanks to geek00l for the screenshots and continued hard work on this project! I have included the US Mirrors below for your downloading pleasure. If you are not US based, there are other Malaysian mirrors listed on the official site under the Virtual Appliance project section.

HeX-Paralleles | md5 | sha256
HeX-Qemu | md5 | sha256
HeX-VMware | md5 |sha256
HeX-Virtualbox | md5 |sha256

I'll be posting some detailed directions shortly on the usage of NTop and some specifics on tuning it for your environment (by request).


Screenshots of various HeX-VAs:

Friday, October 26, 2007

HeX 1.0.1 Release (Bug Fixes)

So, due to several flaws that people were experiencing with HeX 1.0R we are releasing an updated version (1.0.1). The fixes in this version include increased bootup speed; during the extraction and loading of the data into mfs /var, the IO process of several different system types was causing an apparent system hang, this has been resolved.

Another major issue that was occurring was with the msfweb not loading properly or not functioning when loaded. It turns out that this was actually a firefox related issue; deleting ~/.mozill/firefox and using the global Firefox configuration fixed the problem (note that this also fixed javascript issues in ntop and darkstat).

As geek00l says, we are "shamelessly" releasing this fixed version. As always please give it a roll and let us know if you experience any issues. You can report bugs using our Trac interface, the Mailing List or via IRC in #rawpacket on freenode.

Download URLs:

Tuesday, October 23, 2007 Beta

The beta site is live (and has been for a while, but I did not think to post about it) :-\

This site is the brainchild of Richard Bejtlich who announced the beta at Please swing by and drop some pcap data or just some comments / requests.

The site is located at


Monday, October 22, 2007

InProtect, on track for alpha release

...We hope to have an alpha/beta release of the upcoming InProtect 0.80.0 within two weeks.

Good positive progress has been made tuning all of the elements of the engine itself for improved performance in lowering the overall load of the scheduling engine itself. We are currently working on migration scripts for users using both the 0.22.5 and 0.22.5JC versions.

You will see some big database changes and enhancements to the GUI in the form of role-based permissions, a per-user customizable dashboard at login, cleaned up table indexes and optimized queries and much much more.


Saturday, October 20, 2007

Ubuntu Upgrade...or not (with compiz)

Perhaps it was a lack of patience on my part, or poor forward planning on Ubuntu's part, but I could no longer continue to attempt upgrading after what was likely the 30th failed attempt. As a result of this upgrade attempt outcome I decided to backup the /home/* directories and perform a clean install.

As one would expect the standard install succeeded with no problem. The expected options were available from custom partitioning to setting initial user and permissions during the installation. The only real issue that I had was with the "seamless" compiz implementation that I had heard so much about.

For this installation I used an HP laptop that I have, this laptop contains an ATI X series video card and therefore supports 3D acceleration. I was disappointed that the compiz (3D) desktop acceleration did not work out of the box, so here is what I did to make it work: Initially I simply tried to enable Extra effects after enabling the proprietary video card. This only produced the error "Composite extension not found"...after enabling in xorg.conf (as described below) I received the fairly generic error "Unable to enable visual effects" or similar... So here are my steps to enable compiz on Ubuntu 7.10 with ATI drivers (what worked for me)

  • Enable all of the repos that have proprietary software and the like System -> Administration -> Software Sources.
  • Enable the proprietary video card driver from the Restricted Drivers Manager.
  • Make sure composite extensions are enabled : vi /etc/X11/xorg.conf
Section "Extensions"
Option "Composite" "1"
  • Install xserver-xgl "sudo apt-get install xserver-xgl
  • Install compizconfig-settings-manager "sudo apt-get install compizconfig-settings-manager" *this is not a requirement but gives you a level of customization that is nice.
  • Restart X
  • Try it out System -> Preferences -> Appearance -> Visual Affects (select what you want here...I used Extra then Custom from the last apt-get install)
Everything else worked nicely, enabled the proprietary fwcutter for my wireless card and it worked, no more mucking with it as in previous versions, very nice!

All in all, I give this version a Thumbs Up despite the upgrade mess, seems more stable so far and clean.

Hope this helps someone out :-)


Friday, October 19, 2007

Ubuntu Upgrade to 7.10 Strike 2

As I write this, I have attempted roughly 10 "upgrades" via the Update Manager with the same result each time as displayed below.

Obviously this is producing some anxiety on my behalf, as I am anxious to upgrade. That said, I fear that the upgrade process, much like previous upgrade processes from the Ubuntu folks, is a complete joke.

In preparation for the joke to be a fact, I kicked off the download and noted again that the servers are getting hammered... bitTorrent anyone?


Thursday, October 18, 2007

Ubuntu 7.04 to 7.10 Upgrade Notes pt 1

Time to see if the Ubuntu folks have cleaned up their upgrade process. Previous upgrade attempts have been painful to say the least (this means pre-7.10).

I kicked the process off at about 21:30 EST by updating my existing 7.04 installation with all of the latest package updates as noted in the Ubuntu upgrade process documentation. The update went smoothly with the simple exception that a boatload of other users must be doing the same thing and loading up the repos. I did have to restart the updates a few times to get all files to download (again, likely related to repo overload, considering the fact that I regularly update my Ubuntu systems and this is not a normal occurrence). It should be noted that the Upgrade to 7.10 option was available prior to updating my packages, but IAW the upgrade documentation I performed the package update first.

The first thing we do after making sure all packages are updated is click on the Upgrade button to kick off the 7.04 to 7.10 upgrade process and again click Upgrade in the release notes. This kicked off the upgrade process and started to download the Upgrade Tool (again a little slow...likely load related). Once the Upgrade Tool finished downloading and kicked off, more downloading and waiting as the Upgrade Tool runs through upgrade preparations, software channel modifications, fetching upgrades, installing upgrades, clean up and system restart.

This is where the trouble began, again I suspect due to load on the distribution servers. After waiting for about an hour on file 50 of 56, I canceled the process and started again in the hopes that it would jumpstart the download. Unfortunately this did not work, so I left it to fetch overnight, and woke up to the screenshot to the right.

With all of the excitement and everyone else attempting to update and upgrade at the same time, I'll be intermittently trying to complete my upgrade over the next week in the hopes that it will complete. That being said, I have spoken with a few of my associates that were able to fetch all of the upgrade files (~6 hours of downloading at painfully slow rates) and they had their upgrade fail roughly halfway through the process, thereby rendering their system useless and forcing a clean install of 7.10.

The same associate of mine "giovani" also suggested using bittorrent for the mass distribution medium, to alleviate some of the pain that we are all feeling with the seemingly overloaded repos. Something definitely needs to be done, bittorrent or otherwise, to clean up these load produced upgrade and update failures.

More to follow...


Optimizing MySQL on FreeBSD part 1

I have written a few other times at a few separate locations about tuning MySQL in the past, so I'm going to attempt and write a bit of updated material and keep it all in one place, this blog. I will be following up in the next few months concerning additional tuning steps that can be taken.

Recently while browsing the interweb, I came across a nifty little perl script written by Major Hayden of

I put a copy of this perl script here for ease of downloading and use. To get it, simply download -> extract it -> make executable. Of course you need perl installed to use it...

Some examples of output that I received when I ran the script ./ on one of my higher transaction test servers:
General recommendations:
Reduce your overall MySQL memory footprint for system stability
Enable the slow query log to troubleshoot bad queries
Reduce or eliminate persistent connections to reduce connection usage
Adjust your join queries to always utilize indexes
Variables to increase:
*** MySQL's maximum memory usage exceeds your installed memory ***
*** Add more RAM before increasing any MySQL buffer variables ***
max_connections (> 125)
key_buffer_size (> 11.1G)
query_cache_size (> 256M)
join_buffer_size (> 1024.0M, or always use indexes with joins)
Variables to decrease:
wait_timeout (<>
I modified most of the variables in question in my /etc/my.cnf and restarted mysqld and let it run for a few days. I then ran the script again and got the following output:
MySQL High-Performance Tuner - Major Hayden
Bug reports, feature requests, and downloads at
Run with '--help' for additional options and output filtering
Please enter your MySQL login: root
Please enter your MySQL password:
[OK] Currently running supported MySQL version 5.0.41-log
-------- General Statistics --------------------------------------------------
[--] Up for: 6d 5h 5m 20s (8M q [16.393 qps], 139K conn, TX: 2G, RX: 4G)
[--] Reads / Writes: 65% / 35%
[!!] Maximum possible memory usage: 442.7G (1341% of installed RAM)
[OK] Slow queries: 0%
[OK] Highest usage of available connections: 49%
[OK] Key buffer size / total MyISAM indexes: 12.0G/11.1G
[OK] Key buffer hit rate: 99.8%
[OK] Query cache efficiency: 31.5%
[OK] Query cache prunes per day: 0
[OK] Sorts requiring temporary tables: 0%
[!!] Joins performed without indexes: 2838670
[OK] Temporary tables created on disk: 0%
[OK] Thread cache hit rate: 99%
[OK] Table cache hit rate: 78%
[OK] Open file limit used: 13%
[OK] Table locks acquired immediately: 99%
-------- Recommendations -----------------------------------------------------
General recommendations:
Reduce your overall MySQL memory footprint for system stability
Enable the slow query log to troubleshoot bad queries
Adjust your join queries to always utilize indexes
Variables to increase:
*** MySQL's maximum memory usage exceeds your installed memory ***
*** Add more RAM before increasing any MySQL buffer variables ***
join_buffer_size (> 1.5G, or always use indexes with joins)
All in all, this is a highly useful script to get some quick stats and easy adjustment variables to help tune your MySQL server. I should also note that this is not specific to FreeBSD, but I happen to be a FreeBSD junkie and this this was all tested on a FreeBSD 6.2 Rel box.


Canonical releases Ubuntu 7.10

Canonical Ltd. released the latest version (7.10) of the Ubuntu Server, Desktop, Kubuntu and Edubuntu Editions today. You can get more information about these releases and download them at the official Ubuntu site.

The Ubuntu developers have also created an upgrade path for users that are currently on the 7.04 ("Feisty Fawn") release. As stated on their website, the migration is as simple as insuring that all updates have been applied to your Feisty Fawn installation then opening System -> Administration -> Update Manager -> Select Upgrade (you may need to check for new updates). At this point you simply follow the on-screen instructions.

I will be testing this process tonight on my HP laptop and posting my results when complete.


HeX Live 1.0 Release

After 6 months of heavy development and debugging I am pleased to announce the release of the HeX Live CD 1.0 Release. What is HeX Live? HeX Live is the worlds first and foremost Network Security Monitoring & Network Based Forensics liveCD. The intent is to provide a wide array of highly usable tools in a pre-packaged format that the analyst can use to investigate and monitor real-time network activity, whether security related or in the course of reviewing traffic to determine bandwidth over utilization sources and so on...

This will be the final major release of HeX LiveCD until the release of FreeBSD 7.0 Rel, this is of course pending no major bugs are located in HeX 1.0R. If there are any major bugs found, then a bug-fixed HeX will be released prior to FreeBSD 7.0 Rel.\\

For a detailed list of what applications can be found on HeX Live 1.0R check out the actual project at

I have also included in this posting the CD covers that were created by vickz, fantastic work man! You can download the HeX LiveCD 1.0R from the following locations:

  1. US Server (East Coast) | MD5 | SHA256 | User Guide
  2. Malaysia Server | MD5 | SHA256 | User Guide
I will try to get some decent screenshots posted soon so that everyone can see just how slick the HeX LiveCD 1.0R really is. I would also suggest that you download it and play with it. There are a good number of tools on here for packet monkeys of all ages and skill to have a good old time!

I'll leave it at that for now, and again would like to thank the community for their support and feedback throughout the development process of this tool.

Shout to Geek00l for organizing everything and kicking some a$$!
Shout to ch4flgs_ and zarul for everything!
Shout to all others involved in this project (esp for putting up with me)


Wednesday, October 10, 2007

Loose lips sink ships!

During recent interweb browsing and reading I came across the following and have to comment, it's been in the news lately but this just brought it up again for me;

WASHINGTON — Al Qaeda's Internet communications system has suddenly gone dark to American intelligence after the leak of Osama bin Laden's September 11 speech inadvertently disclosed the fact that we had penetrated the enemy's system.

The intelligence blunder started with what appeared at the time as an American intelligence victory, namely that the federal government had intercepted, a full four days before it was to be aired, a video of Osama bin Laden's first appearance in three years in a video address marking the sixth anniversary of the attacks of September 11, 2001. On the morning of September 7, the Web site of ABC News posted excerpts from the speech.

But the disclosure from ABC and later other news organizations tipped off Qaeda's internal security division that the organization's Internet communications system, known among American intelligence analysts as Obelisk, was compromised. This network of Web sites serves not only as the distribution system for the videos produced by Al Qaeda's production company, As-Sahab, but also as the equivalent of a corporate intranet, dealing with such mundane matters as expense reporting and clerical memos to mid- and lower-level Qaeda operatives throughout the world.

Has the media lost all of their capability to make good discretionary decisions? Further, typically they have subject-matter experts, one would think that such experts would know better. But I suppose that it is all about the ratings and making that next buck!

While intranets are usually based on servers in a discrete physical location, Obelisk is a series of sites all over the Web, often with fake names, in some cases sites that are not even known by their proprietors to have been hacked by Al Qaeda.

Similar to a botnet etc... effectively a chain of pwned servers. This is certainly not a new concept and usage of such a concept in conjunction with services such as ToR (The Onion Router) would make tracking Obelisk users virtually impossible.

One intelligence officer who requested anonymity said in an interview last week that the intelligence community watched in real time the shutdown of the Obelisk system. America's Obelisk watchers even saw the order to shut down the system delivered from Qaeda's internal security to a team of technical workers in Malaysia. That was the last internal message America's intelligence community saw. "We saw the whole thing shut down because of this leak," the official said. "We lost an important keyhole into the enemy."

We most certainly did lose an important keyhole, ya think? If a keyhole is what you would call it. The intel received from such a source could easily help thwart future planned terrorist and military actions etc...

By Friday evening, one of the key sets of sites in the Obelisk network, the Ekhlaas forum, was back on line. The Ekhlaas forum is a password-protected message board used by Qaeda for recruitment, propaganda dissemination, and as one of the entrance ways into Obelisk for those operatives whose user names are granted permission. Many of the other Obelisk sites are now offline and presumably moved to new secret locations on the World Wide Web.

The founder of a Web site known as, Nick Grace, tracked the shutdown of Qaeda's Obelisk system in real time. "It was both unprecedented and chilling from the perspective of a Web techie. The discipline and coordination to take the entire system down involving multiple Web servers, hundreds of user names and passwords, is an astounding feat, especially that it was done within minutes," Mr. Grace said yesterday.

I agree with Mr. Grace, to an extent, it would be a feat indeed if individual personnel were involved. I think that it's also plausible to think that this network operated much like a botnet. From that perspective there could have been a simple command or series of commands that initiated the automatic shutdown or action to be taken in the event of a security breach.

The head of the SITE Intelligence Group, an organization that monitors Jihadi Web sites and provides information to subscribers, Rita Katz, said she personally provided the video on September 7 to the deputy director of the National Counterterrorism Center, Michael Leiter.

Ms. Katz yesterday said, "We shared a copy of the transcript and the video with the U.S. government, to Michael Leiter, with the request specifically that it was important to keep the subject secret. Then the video was leaked out. An investigation into who downloaded the video from our server indicated that several computers with IP addresses were registered to government agencies."

Yesterday a spokesman for the National Counterterrorism Center, Carl Kropf, denied the accusation that it was responsible for the leak. "That's just absolutely wrong. The allegation and the accusation that we did that is unfounded," he said. The spokesman for the director of national intelligence, Ross Feinstein, yesterday also denied the leak allegation. "The intelligence community and the ODNI senior leadership did not leak this video to the media," he said.

Ms. Katz said, "The government leak damaged our investigation into Al Qaeda's network. Techniques and sources that took years to develop became ineffective. As a result of the leak Al Qaeda changed their methods." Ms. Katz said she also lost potential revenue.

A former counterterrorism official, Roger Cressey, said, "If any of this was leaked for any reasons, especially political, that is just unconscionable." Mr. Cressey added that the work that was lost by burrowing into Qaeda's Internet system was far more valuable than any benefit that was gained by short-circuiting Osama bin Laden's video to the public.

I personally think that it's more than unconscionable, I dare say it's borderline treason!

While Al Qaeda still uses human couriers to move its most important messages between senior leaders and what is known as a Hawala network of lenders throughout the world to move interest-free money, more and more of the organization's communication happens in cyber space.

"While the traditional courier based networks can offer security and anonymity, the same can be had on the Internet. It is clear in recent years if you look at their information operations and explosion of Al Qaeda related Web sites and Web activities, the Internet has taken a primary role in their communications both externally and internally," Mr. Grace said.


Tuesday, October 9, 2007

HeX Live Pending Release

For all of you anxious packet monkeys out there, the HeX LiveCD 1.0R will soon be available. We are running through extensive tests and bug fixing excersizes right now, but anticipate releasing this new version within the next week. I'll post an update once released, as well as the standard US mirrors.

This project has also been gaining a good amount of momentum and continued community support. I would like to thank all involved, esp geek00l and chfl4gs_ (the core founders)!

If you want some additional information concerning this project, please check out!


InProtect Wiki and Update

The project continues to gain speed and support from the community (thanks again everyone!). The core team is currently meeting every other Sunday, in the secret InProtect cave, to hash out the roadmap and future plans. Unfortunately I was not in town for the most recent meeting and away from the interweb and therefore did not make the meeting.

However I still have some updates that I can post;
The InProtect Wiki is now online and we will be working hard to keep it updated with the latest goodies, FAQ, etc...!, please check it out and let us know what we can do to improve it or what you would like to see added.

I continue to get visitors to #inprotect on and appreciate all of the continued feedback.

We anticipate having the CVS -to- SVN conversion done shortly and subsequently publishing an Alpha release of the new version. We will also be updating the InProtect home page with meeting notes, roadmap and so on, in the near future!


Monday, October 1, 2007

FIXED::[Bug 1641] NessusClient 3.0.0 Beta 4 Crash on Server Connect

I must say that I am quite pleased with Renaud Deraison of for his rapid response and remediation of the bug that I discovered last week (NessusClient 3.0.0 Beta 4 Bug). There was an uninitialized pointer when a class was created from an XML file (rather than dynamically), which in turn created a bad memory access and therefore crashed the client. has posted a fixed version, Beta 5 of the 3.0.0 NessusClient at their typical download location:

I would also like to add to my previous posting about the feature set of the NessusClient and it's inability to export to XML (this is still true) but can be worked around (too a degree anyway). When you scan a host and if you chose to save the session, upon exiting the NessusClient, it creates a .nessus file which is pure XML (albeit it's a different XML format than the CLI xml), and which contains much more information about the scan than the other formats (it contains all the scan results, the policies, the targets associated to each scan, etc...

Thx again Renaud!