Category Archives: networking
- Database Honeypots
- Web honeypots
- Service Honeypots
- Anti-honeypot stuff
- kippo_detect: this is not a honeypot, but it detects kippo. (This guy has lots more interesting stuff.)
- ICS/SCADA honeypots
- Data Analysis
- Proxy honeypot
- Open Relay Spam Honeypot
- Botnet C2 monitor
- IPv6 attack detection tool
- PHP honeypot
- Honeypot Database
- Research Paper
- Honeynet statistics
- Visual analysis for network traffic
- dynamic code instrumentation toolkit
- Front-end for dionaea
- Tool to convert website to server honeypots
- Malware collector
- Sebek in QEMU
- Malware Simulator
- Distributed sensor deployment
- Network Analysis Tool
- Log anonymizer
- Botnet traffic detection
- Low interaction honeypot (router back door)
- honeynet farm traffic redirector
- IDS signature generator
- Fake wireless access point
- HTTPS Proxy
- System instrumentation
- Honeypot for USB-spreading malware
- Data Collection
- Honeyd viewer
- Passive network audit framework parser
- Honeyd to MySQL connector
- VM Introspection
- Binary debugger
- Mobile Analysis Tool
- Low interaction honeypot
- Honeynet data fusion
- VM cloaking script
- Honeyd ported to Windows
- IDS signature generation
- Web interface to packet analyzer
- lookup service for AS-numbers and prefixes
- Data Collection / Analysis Tool
- WordPress spam honeypot
- Web interface (for Thug)
- Snort binary carving
- Data Collection / Data Sharing
- PE-executables analyses
- Distributed spam tracking
- Python bindings for libemu
- Client honeypot
- Controlled-relay spam honeypot
- Visualization Tool
- central management tool
- Network connection analyzer
- Virtual Machine Cloaking
- A script to visualize statistics from honeyd
- Honeypot deployment
- Honeyd UI
- Honeynet analysis tool
- Automated malware analysis system
- Low interaction
- Low interaction honeypot on USB stick
- Honeypot extensions to Wireshark
- Data Analysis Tool
- Telephony honeypot
- Commercial high interaction honeypot
- Visual analysis for network traffic
- Binary Management and Analysis Framework
- PDF document inspector
- Distribution system
- HoneyClient Management
- Network Analysis
- Hybrid low/high interaction honeypot
- Sebek on Xen
- SSH Honeypot
- Glastopf data analysis
- Distributed sensor project
- a pcap analyzer
- Client Web crawler
- network traffic redirector
- Honeypot Distribution with mixed content
- Honeypot sensor
- File carving
- File and Network Threat Intelligence
- data capture
- SSH proxy
- behavioral analysis tool for win32
- Live CD
- Commercial honeynet
- Server (Bluetooth)
- Honeyd stats
- Dynamic analysis of Android apps
- Dockerized Low Interaction packaging
- Network analysis
- Sebek data visualization
- Threat Intel feed aggregator / network grapher
- SIP Server
- Honeyd plugin
- Botnet C2 monitoring
- low interaction
- Malware collection
List copied from: https://github.com/paralax/awesome-honeypots/blob/master/README.md
A new book in my particular library.
Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide
I was following Laura Chappell closely and, after a hard day in the office, I decided to buy this book.
I was fed up with seeing only some of the options in a capture and using Wireshark at 10 or 20% of its capacity.
I said to myself: this is not the right path to understanding and analyzing a network.
It is time to change and to try to understand this fantastic tool a bit more.
Who knows if this is my new certification challenge... Let's see. At the moment I have started with the chapter that explains all the options in the program.
If you are thinking of buying the book, you have some options:
I thought that this would be a new step, but it seems like every other kind of invention in the IT world. In the end it is only for the purpose of money, as usual. The amount of money involved for big companies, or even small companies, is significant at this time.
Apart from the economic part, are people ready for IPv6? I would say that in terms of knowledge I don't know many people who know that 10.0.0.1 is translated to IPv6 as 2001:0db8:1234::a00:1. From my point of view, I am not ready for IPv6. What about the subnetting tables, classful ranges, etc.?
I was following the IPv4 exhaustion very closely, but it was something like the year 2000 effect. And now...?! The world keeps turning!
I don't expect a change in the next 5 years. In recent years the increase in IPs has been exponential due to new technologies. Who at this time is not using a smartphone or tablet? Each of these devices with a 3G connection is using an IP to connect to the internet, so... let's see how this happens.
I paid £29.99 (40% off) 🙂
This is the latest book I have acquired. I recommend this book 100%. If you want to understand TCP/IP in depth, this is a good book. I do not know other ones, but this one explains all this matter in a good manner. I do not recommend it to beginners: a minimum background in networking is recommended to get some benefit from reading this book.
The author is W. Richard Stevens, one of the most famous writers in networking topics. Books written by him:
1990 – UNIX Network Programming – ISBN 0-13-949876-1
1992 – Advanced Programming in the UNIX Environment – ISBN 0-201-56317-7
1994 – TCP/IP Illustrated, Volume 1: The Protocols – ISBN 0-201-63346-9
1995 – TCP/IP Illustrated, Volume 2: The Implementation (with Gary R. Wright) – ISBN 0-201-63354-X
1996 – TCP/IP Illustrated, Volume 3: TCP for Transactions, HTTP, NNTP, and the UNIX Domain Protocols – ISBN 0-201-63495-3
1998 – UNIX Network Programming, Volume 1, Second Edition: Networking APIs: Sockets and XTI – ISBN 0-13-490012-X
1999 – UNIX Network Programming, Volume 2, Second Edition: Interprocess Communications – ISBN 0-13-081081-9
2003 – UNIX Network Programming Volume 1, Third Edition: The Sockets Networking API – ISBN 0-13-141155-1 (with Bill Fenner, and Andrew M. Rudoff)
2005 – Advanced Programming in the UNIX Environment, Second Edition – ISBN 0-32-152594-9 (with Stephen A. Rago)
Why not implement a router in the switch itself and do the forwarding in hardware?
Although this setup is possible, it has one limitation: Layer 2 switches need to operate only on the Ethernet MAC frame. This scenario in turn leads to a well-defined forwarding algorithm which can be implemented in hardware. The algorithm cannot be extended easily to Layer 3 protocols because there are multiple Layer 3 routable protocols such as IP, IPX, AppleTalk, and so on; and second, the forwarding decision in such protocols is typically more complicated than Layer 2 forwarding decisions.
Do Layer 3 switches completely eliminate the need for the traditional router? No, routers are still needed, especially where connections to the wide area are required. Layer 3 switches may still connect to such routers to learn their tables and route packets to them when these packets need to be sent over the WAN. The switches will be very effective on the workgroup and the backbone within an enterprise, but most likely will not replace the router at the edge of the WAN (read Internet in many cases). Routers perform numerous other functions like filtering with access lists, inter-Autonomous System (AS) routing with protocols such as the Border Gateway Protocol (BGP), and so on. Some Layer 3 switches may completely replace the need for a router if they can provide all these functions.
Layer 3 switches were not designed to replace routers; they were designed to fill a niche that new network designs found they needed.
The reason for this post is the same as for BGP: an unanswered question in an interview, a question that I should know the answer to given my background.
Multiprotocol Label Switching (MPLS) is a generic Layer 2 packet switching protocol. It uses a mechanism that allows setting MPLS labels on data packets in order to indicate their destination. An MPLS label improves the efficiency of an IP network by helping the routers to steer a packet to its final destination over a network. MPLS can be implemented over both IPv4 and IPv6 networks. MPLS also helps in the integration of data link layer information, such as the bandwidth, latency and utilization parameters, with the network layer. Since MPLS attempts to integrate layer 2 with layer 3, it is often referred to as a “Layer 2.5 protocol”.
The Multi Protocol Label Switching (MPLS) can be used to carry a wide variety of traffic including the IP packets, ATM, SONET and Ethernet frames.
MPLS works by prefixing packets with an MPLS header, containing one or more “labels”. This is called a label stack. Each label stack entry contains four fields:
- A 20-bit label value.
- A 3-bit Traffic Class field for QoS (quality of service) priority (experimental) and ECN (Explicit Congestion Notification).
- A 1-bit bottom of stack flag. If this is set, it signifies that the current label is the last in the stack.
- An 8-bit TTL (time to live) field.
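As an added example (not code from the original post), a small Python encoder/decoder for the 32-bit label stack entry described above: it packs the four fields, walks a stack until the bottom-of-stack bit, and refuses a stack that runs off the end of the buffer. The field layout follows RFC 3032; the reserved-label names are from that RFC, not from the post.

```python
import struct

LABEL_MAX = (1 << 20) - 1
# Special-purpose label values defined in RFC 3032 (labels 0-15 are reserved)
RESERVED_LABELS = {0: "IPv4 Explicit NULL", 1: "Router Alert",
                   2: "IPv6 Explicit NULL", 3: "Implicit NULL"}


def encode_label_entry(label, tc=0, bos=False, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label <= LABEL_MAX:
        raise ValueError("label must fit in 20 bits")
    if not 0 <= tc <= 7:
        raise ValueError("traffic class must fit in 3 bits")
    if not 0 <= ttl <= 0xFF:
        raise ValueError("TTL must fit in 8 bits")
    word = (label << 12) | (tc << 9) | (int(bos) << 8) | ttl
    return struct.pack("!I", word)


def decode_label_stack(data):
    """Walk entries until the bottom-of-stack (S) bit is set.

    Returns (entries, payload_offset). Raises ValueError if no entry carries
    S=1 before the buffer ends, so a truncated or malformed stack is refused
    instead of being read past its end.
    """
    entries = []
    offset = 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("label stack truncated: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entry = {
            "label": word >> 12,
            "tc": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 0x1),
            "ttl": word & 0xFF,
        }
        entry["reserved"] = RESERVED_LABELS.get(entry["label"])
        entries.append(entry)
        if entry["bos"]:
            return entries, offset


def decrement_ttl(entry):
    """One hop of label processing: returns the entry with TTL-1, or None
    when the TTL would expire and the packet must be discarded."""
    if entry["ttl"] <= 1:
        return None
    return dict(entry, ttl=entry["ttl"] - 1)
```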
Possible problems with MPLS:
At layer 3, the ISPs must manage a routing table for each VPN and store parts of that table at every site where the VPN is accessed.
At layer 2, the scaling problem is resolved by having customers manage their own routing tables.
At layer 3, there is no encryption built in. The underlying MPLS architecture poses a risk of data spills.
At layer 2, there is no encryption built in. The underlying MPLS architecture poses a risk of data spills.
MPLS capabilities have expanded massively, for example to support service creation (VPNs), traffic engineering, network convergence, and increased resiliency. MPLS is now the de facto standard for many carrier and service provider networks, and its deployment scenarios continue to grow.
The BGP protocol is the one in charge of all internet traffic decisions. It maintains a table of IP networks which designates network reachability among autonomous systems (AS). It is a path vector protocol. What does that mean? It means that it maintains path information that gets updated dynamically. Updates which have looped through the network and returned to the same node are easily detected and discarded. This algorithm is sometimes used in Bellman–Ford routing algorithms. Each entry in the routing table contains the destination network, the next router and the path to reach the destination.
Path Vector Messages in BGP: The autonomous system boundary routers (ASBR), which participate in path vector routing, advertise the reachability of networks. Each router that receives a path vector message must verify that the advertised path is according to its policy. If the messages comply with the policy, the ASBR modifies its routing table and the message before sending it to the next neighbor. In the modified message it sends its own AS number and replaces the next router entry with its own identification.
BGP neighbors, or peers, are established by manual configuration between routers to create a TCP session on port 179. A BGP speaker will periodically send 19-byte keep-alive messages to maintain the connection (every 60 seconds by default). When BGP is running inside an AS, it is referred to as Internal BGP (IBGP). When it runs between autonomous systems, it is External BGP (EBGP). In IBGP the default administrative distance is 200.
Routing decisions are based on path, network policies and/or rulesets.
A BGP peer uses a simple finite state machine (FSM) that consists of six states:
For each peer-to-peer session, a BGP implementation maintains a state variable that tracks which of these six states the session is in. The BGP protocol defines the messages that each peer should exchange in order to change the session from one state to another. The first state is the “Idle” state. In the “Idle” state, BGP initializes all resources, refuses all inbound BGP connection attempts and initiates a TCP connection to the peer. The second state is “Connect”. In the “Connect” state, the router waits for the TCP connection to complete and transitions to the “OpenSent” state if successful. If unsuccessful, it resets the ConnectRetry timer and transitions to the “Active” state upon expiration. In the “Active” state, the router resets the ConnectRetry timer to zero and returns to the “Connect” state. In the “OpenSent” state, the router sends an Open message and waits for one in return. Keepalive messages are exchanged and, upon successful receipt, the router is placed into the “Established” state. In the “Established” state, the router can send/receive: Keepalive; Update; and Notification messages to/from its peer.
BGP maintains its own “master” routing table, called the Loc-RIB (Local Routing Information Base), separate from the main routing table of the router. For each neighbor, the BGP process maintains a conceptual Adj-RIB-In (Adjacent Routing Information Base, Incoming) containing the NLRI received from the neighbor, and a conceptual Adj-RIB-Out (Outgoing) for NLRI to be sent to the neighbor.
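Added example, not code from the original post: parsing the 19-byte BGP message header mentioned above (16-byte marker, 2-byte length, 1-byte type) out of a captured TCP/179 byte stream, applying the header checks a speaker performs before accepting a message. The sample stream is constructed inline; the marker, length bounds and type codes are those of RFC 4271.

```python
import struct

BGP_PORT = 179                 # BGP sessions run over TCP port 179
BGP_MARKER = b"\xff" * 16      # 16-byte marker, all ones (RFC 4271)
BGP_HEADER_LEN = 19            # marker(16) + length(2) + type(1)
BGP_MAX_LEN = 4096
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
KEEPALIVE_TYPE = 4


def build_keepalive():
    """A KEEPALIVE is just the 19-byte header with type 4 and no body."""
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN, KEEPALIVE_TYPE)


def parse_bgp_message(data):
    """Validate the common header and return type, length and body.

    Each rejection below corresponds to a Message Header Error for which a
    real speaker would send a NOTIFICATION and tear the session down.
    """
    if len(data) < BGP_HEADER_LEN:
        raise ValueError("short header")
    marker = data[:16]
    length, msg_type = struct.unpack_from("!HB", data, 16)
    if marker != BGP_MARKER:
        raise ValueError("connection not synchronized (bad marker)")
    if length < BGP_HEADER_LEN or length > BGP_MAX_LEN or length > len(data):
        raise ValueError("bad message length %d" % length)
    if msg_type not in BGP_TYPES:
        raise ValueError("bad message type %d" % msg_type)
    if msg_type == KEEPALIVE_TYPE and length != BGP_HEADER_LEN:
        raise ValueError("KEEPALIVE must be exactly 19 bytes")
    return {"type": BGP_TYPES[msg_type], "length": length,
            "body": data[BGP_HEADER_LEN:length]}


def split_stream(buf):
    """Split a captured TCP byte stream into parsed BGP messages.

    Returns (messages, leftover); leftover is a trailing partial message
    that needs more bytes from the socket before it can be parsed.
    """
    messages = []
    offset = 0
    while len(buf) - offset >= BGP_HEADER_LEN:
        (length,) = struct.unpack_from("!H", buf, offset + 16)
        if length < BGP_HEADER_LEN or length > BGP_MAX_LEN:
            raise ValueError("bad message length %d in stream" % length)
        if len(buf) - offset < length:
            break  # wait for the rest of this message
        messages.append(parse_bgp_message(buf[offset:offset + length]))
        offset += length
    return messages, buf[offset:]
```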
The most common problems within the BGP protocol are:
– Configuration problems. Human errors are always in the air.
– Problems with neighbor establishment. These could be associated with the above problem, network traffic....
– Transit traffic saturating resources in a multihomed network.
– High volume of routing information, which requires a large amount of memory. The bigger the network, the more capable the hardware you need.
– Routes missing from the BGP or routing table due to issues with advertising or redistributing routes.
– MTU (Maximum Transmission Unit) mismatch issues. It is quite important to set the correct MTU.
In general, these problems come down to human error, since it is the administrators who should build a scalable configuration.
Today in a job interview, the interviewer asked me: “What do you know about BGP?” and I told him: “I do not know”.
Sometimes when you are not using a technology, even if you were using it before, it is easy to forget it. But with a simple concept review, in less than one hour you can be up to date on that technology, because you are just reviewing concepts that you studied before. But if you do not know the technology, it is difficult to understand it in one hour. Anyway..., that’s why I have posted about BGP.
As I always say: “Take the positive things”. In this context, the positive is that I should study a bit more. 😉
Honestly, thanks interviewer!!
Surfing the internet I have found a few interesting videos.
You can find all these videos at http://www.wireshark.org/
A honeypot is a piece of software or a computer that simulates a vulnerable system to attract attackers. It is a sweet for hackers or people who want to play on the illegal side. This kind of “security system” (from now on SS) is used to learn attack methods, possible system failures, or solutions to those failures. I say SS because, by knowing the different patterns, you can shield your infrastructure to prevent this type of attack.
A honeypot is used to distract an attacker by making a system more attractive. For example, a computer called “server” is more appealing than one called “computer”. A file called “passwords” is more attractive than one called “images”. These are two examples out of thousands.
A honeypot is then used to monitor the network. When an attacker is trying to crack your system, you have an opportunity to learn more about the attacker.
For all of the above, a honeypot is a prevention and detection system.
Kinds of honeypots:
Depending on function:
Production: Only capture information.
Research: Capture extensive information and are used by research, military, or government organizations.
Depending on interaction with the attacker:
Low interaction: Emulate services. The attacker thinks he is cracking a system, but it is software that is emulating the service.
High interaction: The attacker interacts with it fully. Everything is real.
At the beginning these honeypots were in most cases expensive physical machines. Nowadays a honeypot can be a virtual machine in a virtual network with a virtual IP 🙂
I will test this kind of software and post comments in the future.
Multicast traffic is typically sent by one source and received by a group of recipients that might be spread throughout a network and that might change over time. A typical example of multicast traffic is a video stream.
Types of packets:
– Unicast: Packets that are sent from one source address to a single destination host address.
Unicasts are forwarded by a router or Layer 3 switch by finding the destination IP address in its routing table. A Layer 2 switch relies on the destination MAC address. Unicast forwarding is turned on by default, and is the type of routing already familiar to you.
– Broadcast: Packets sent to a broadcast destination address.
Broadcasts are one way to communicate the exact same information to a group. Broadcasts are single transmissions that are received and acted upon by all devices. They are useful when a destination address is unknown.
Ethernet broadcasts are sent to the reserved MAC address FFFF.FFFF.FFFF. Layer 2 switches flood broadcasts out all ports in the same VLAN. IP broadcasts use the reserved destination IP 255.255.255.255. Routers do not forward broadcasts by default.
– Multicast: Packets sent to a special group-based destination address.
Multicast addresses are “group” addresses. An IP device joins a group by recognizing the group IP address and reprogramming its network interface card (NIC) to copy traffic destined for the group MAC. Because a multicast goes to a different MAC, some hosts will pay attention to it and others will ignore it. For example, EIGRP uses 224.0.0.10 and the corresponding MAC 0100.5E00.000A. Routers pay attention to this traffic, but your PC can safely ignore it.
Multicast traffic is generally unidirectional and sent in a best-effort, connectionless format. UDP (connectionless) is commonly used, whereas TCP (connection-oriented) is not. By default, Layer 2 switches flood Ethernet multicasts to all ports on the destination VLAN.
End systems and intermediate devices must have a way to distinguish multicast traffic from unicasts or broadcasts.
At Layer 3, this is done by reserving class D IP addresses (224.0.0.0 through 239.255.255.255) for multicasting. Network devices can quickly distinguish multicast IP addresses by looking at the first four bits, which are always 1110. Ethernet devices similarly have a range of addresses set aside for multicast. The low-order bit in the first byte of a MAC address is a unicast/multicast bit, and setting it indicates the frame is a multicast. Beyond this single bit, IP multicasts are mapped to a specific range of MAC addresses to aid hosts in discriminating between multicasts.
Multicast IP Addressing
In addition to the Class D multicast address space, some IP multicast addresses have been reserved for particular uses, such as the following:
* Link-local addresses (224.0.0.0/24) – Used on a local segment (TTL=1) only. Routers do not forward these packets because of the TTL. These are known as fixed-group addresses because they are well-known and predefined. Examples:

| Address    | Destination       |
|------------|-------------------|
| 224.0.0.1  | All hosts         |
| 224.0.0.5  | All OSPF routers  |
| 224.0.0.6  | All OSPF DRs      |
| 224.0.0.9  | All RIPv2 routers |
| 224.0.0.10 | All EIGRP routers |

* Source-specific multicast (232.0.0.0/8) – An extension of multicasting wherein hosts only receive traffic from a particular server instead of from any server using a multicast channel.
* GLOP (233.0.0.0/8) – Allocates 256 multicast IP addresses to each registered autonomous system (AS). The 16-bit AS number is used for the middle two octets, so that AS 1000 has 233.3.232.0/24.
* Administratively scoped addresses (239.0.0.0/8) – This space can be used in private multicast domains, much like the private IP address ranges from RFC 1918. These addresses are not supposed to be routed between domains; this way, they can be reused.
Within the administratively scoped addresses, 239.255.0.0/14 is reserved for site-local multicast and the rest of 239.192.0.0/10 is reserved for organization-local scope.
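Added example (not the post's own code) working through the address rules above in Python: the 1110 class D check, the I/G bit of a MAC, the IP-to-MAC mapping that gives 224.0.0.10 its 0100.5E00.000A address, the GLOP prefix for AS 1000, and classification into the reserved ranges. It goes one step beyond the post by showing the 32:1 overlap that results from mapping only 23 address bits into the MAC, which is why a NIC that filters on MAC alone can still receive unwanted groups.

```python
import ipaddress

MCAST_OUI = 0x01005E  # 01-00-5E prefix of IPv4 multicast MACs (RFC 1112)


def is_multicast_ip(addr):
    """Class D: the first four bits of the address are 1110."""
    return (int(ipaddress.IPv4Address(addr)) >> 28) == 0b1110


def _mac_bytes(mac):
    # Accept Cisco dotted (0100.5E00.000A), colon and dash notations.
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def is_multicast_mac(mac):
    """Low-order bit of the first byte (I/G bit) flags a group address.
    The broadcast MAC FFFF.FFFF.FFFF has it set as well, as a special case."""
    return bool(_mac_bytes(mac)[0] & 0x01)


def multicast_mac_for_ip(addr):
    """Map a group IP to its MAC: 01-00-5E plus the low 23 bits of the IP.
    Only 23 of the 28 group bits survive, so 32 group addresses share a MAC."""
    if not is_multicast_ip(addr):
        raise ValueError("%s is not a class D address" % addr)
    low23 = int(ipaddress.IPv4Address(addr)) & 0x7FFFFF
    raw = ((MCAST_OUI << 24) | low23).to_bytes(6, "big")
    return "{:02X}{:02X}.{:02X}{:02X}.{:02X}{:02X}".format(*raw)


def glop_network(asn):
    """GLOP (233.0.0.0/8): the 16-bit AS number fills the middle two octets."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("GLOP needs a 16-bit AS number")
    return ipaddress.IPv4Network((0xE9000000 | (asn << 8), 24))  # 0xE9 == 233


SCOPES = [
    (ipaddress.IPv4Network("224.0.0.0/24"), "link-local"),
    (ipaddress.IPv4Network("232.0.0.0/8"), "source-specific"),
    (ipaddress.IPv4Network("233.0.0.0/8"), "GLOP"),
    (ipaddress.IPv4Network("239.0.0.0/8"), "administratively scoped"),
]


def multicast_scope(addr):
    """Classify a group address by the reserved ranges listed in the post."""
    if not is_multicast_ip(addr):
        return "not multicast"
    ip = ipaddress.IPv4Address(addr)
    for net, name in SCOPES:
        if ip in net:
            return name
    return "global"
```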