<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>PingTrip</title>
    <link rel="alternate" href="http://www.pingtrip.com" type="text/html" />
    <link rel="self" href="http://www.pingtrip.com/atom.xml" type="application/atom+xml" />
    <id>http://www.pingtrip.com/</id>

    <updated>2013-04-21T12:28:22-04:00</updated>
    <generator uri="https://github.com/PingTrip/GenBlog" version="0.9">GenBlog</generator>

  <entry>
    <title>Installing Thug Honeyclient on FreeBSD</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2013/03/installing-thug-honeyclient-on-freebsd" />
    <id>tag:www.pingtrip.com,2012:1363047308</id>
    <published></published>
    <updated>2013-03-11T20:16:45-04:00</updated>
<summary>[Thug](https://github.com/buffer/thug) is a low-interaction client honeypot used for analyzing web-based, client-side attacks. As client-side attacks become more obfuscated and harder to analyze by hand, Thug can emulate the behavior of a web browser (16 different User-Agents at the time of writing) to visit suspect pages and detect malicious ones, while producing detailed logs and saving any payloads it is served.

While looking into Thug I found that there wasn't an existing guide for installing it on FreeBSD. The Thug [build documentation](http://buffer.github.com/thug/doc/build.html) is good, but it makes a number of assumptions about prerequisites already being installed. After some trial and error I've documented the entire process I used to get Thug running on a fresh FreeBSD 9.1 image.
</summary>
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>Logging PF Firewall events to Splunk</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2013/02/logging-pf-firewall-events-to-splunk" />
    <id>tag:www.pingtrip.com,2012:1359702903</id>
    <published></published>
    <updated>2013-03-12T20:08:29-04:00</updated>
<summary>I'm using a custom NanoBSD image with PacketFilter (PF) as my home firewall/gateway and indexing the PF activity into Splunk. Being able to report on and graph the firewall data is valuable intelligence when planning your next honeypot project, among other things.

The write-up that follows isn't specific to NanoBSD and should work with any PF installation (FreeBSD, OpenBSD, pfSense, etc.). I should also mention that I originally implemented this with real-time logging by running `tcpdump` on pflog0 and piping the output to `logger`. For the most part it worked, but Splunk would occasionally index events that were missing the first line of the tcpdump output. Instead of burning cycles trying to determine where the data was being dropped, I settled on a 5-minute "push" interval of the _/var/pflog_ file to Splunk. I haven't encountered the issue since.

The PF-to-syslog portion of my implementation is based on the OpenBSD documentation for [PF](http://www.openbsd.org/faq/pf/logging.html#syslog) with a couple of minor tweaks. The Splunk portion, on the other hand, is completely custom and involved many nights of regex wrestling and lots of test packets with [Nping](http://nmap.org/nping/). _As a quick side-note: if you're looking for a utility for writing and testing regexes on OS X, check out [RegExRX](https://itunes.apple.com/us/app/regexrx/id498370702?mt=12). Well worth the $4.99._
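As an added example (not code from the original post, nor from the OpenBSD PF documentation), here are the pieces of the pipeline described above in shell: the real-time decode of pflog0 into syslog, the batch decode of the pflog file for the periodic push, and a field extractor that pulls out of one decoded line the same fields the Splunk regex has to (rule number, reason, action, direction, interface, endpoints and ports). The syslog tag and facility, the `/var/log/pflog` path and the sample lines are assumptions; the sample lines are constructed to cover the two header styles tcpdump prints for pflog records (`rule 0/(match) block in ...` as in the OpenBSD FAQ, `rule 3/0(match): block in ...` in newer tcpdump), with and without a syslog prefix, and with and without ports.

```shell
#!/bin/sh
# Added example, not from the original post. The two tcpdump functions need
# root and a pflog0 interface; pflog_fields runs anywhere.

# Real-time variant: decode pflog0 as it is written and hand every line to
# syslog. Tag and facility are assumptions; match them to your syslog.conf.
pflog_realtime() {
    tcpdump -n -e -ttt -i pflog0 | logger -t pf -p local0.info
}

# Batch variant for the periodic push: decode the pflog file (default path is
# an assumption). Run it from cron against the file newsyslog just rotated out.
pflog_batch() {
    tcpdump -n -e -ttt -r "${1:-/var/log/pflog}"
}

# Reduce one decoded line (with or without a syslog prefix) to key=value
# fields. First expression: TCP/UDP lines with ports (IPv4 needs four octets
# so an ICMP line cannot be mis-split into address + "port"); second: lines
# without ports (ICMP etc.). sed rewrites the pattern space on a hit, so a
# line taken by the first expression can no longer match the second.
pflog_fields() {
    sed -E -n \
        -e 's#^.*rule ([0-9]+)[^ ]*\(([a-z-]+)\):? ([a-z]+) (in|out) on ([^ :]+): ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|[0-9A-Fa-f:]+)\.([0-9]+) > ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|[0-9A-Fa-f:]+)\.([0-9]+):.*$#rule=\1 reason=\2 action=\3 dir=\4 if=\5 src=\6 sport=\7 dst=\8 dport=\9#p' \
        -e 's#^.*rule ([0-9]+)[^ ]*\(([a-z-]+)\):? ([a-z]+) (in|out) on ([^ :]+): ([0-9A-Fa-f.:]+) > ([0-9A-Fa-f.:]+):.*$#rule=\1 reason=\2 action=\3 dir=\4 if=\5 src=\6 sport=- dst=\7 dport=-#p'
}

# Constructed sample lines (not captured traffic): a syslog-prefixed TCP block
# in the newer tcpdump header style, and an ICMP block in the older style.
SAMPLE_LINES='Feb  1 12:00:01 gw pf: 00:00:00.000000 rule 3/0(match): block in on em0: 192.0.2.10.51515 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
Jul 29 16:48:38.961556 rule 0/(match) block in on rl0: 192.0.2.20 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64'

# Parse the samples; prints one key=value line per input line.
demo_pflog_fields() {
    printf '%s\n' "$SAMPLE_LINES" | pflog_fields
}
```

`pflog_fields` is a stand-in for the Splunk field extraction: feed it `pflog_batch` output (or the syslog file) to check that every record style your tcpdump produces is actually parsed before you trust the Splunk graphs, since a line that matches neither expression is silently dropped.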
</summary>
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>Solving "cpan: command not found" Error in OS X Lion</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2012/06/solving-cpan-command-not-found-error-in-osx-lion" />
    <id>tag:www.pingtrip.com,2012:1341001279</id>
    <published></published>
    <updated>2012-07-07T07:50:55-04:00</updated>
<summary>I ran into an issue while customizing my new MacBook Pro: after installing the first Perl module, the CPAN executable simply vanished (or at least appeared to!).

After some digging I discovered that the file permissions on a number of CPAN/Perl scripts had been modified at some point during the module installation and the execute bit removed.

Below are a few of the affected executables in the `/usr/bin` directory; notice that the execute bit isn't set:

    -rw-rw-rw-  35 root   wheel       807 Jul  4 11:52 cpan
    -rw-rw-rw-  35 root   wheel       807 Jul  4 11:52 cpan2dist
    -rw-rw-rw-  35 root   wheel       807 Jul  4 11:52 cpanp
    -rw-rw-rw-  35 root   wheel       807 Jul  4 11:52 cpanp-run-perl</summary>
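As an added example (not from the original post), a small shell audit for the condition shown in the listing above: it reports regular files in a directory that have lost their owner execute bit and, separately, files that group or others can write to, which the `rw-rw-rw-` modes in the listing also show and which matters on its own for anything under `/usr/bin`. It can then put the reported files back to `0755`. The default directory, the `fix` argument and the mode chosen are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Audits one directory for scripts
# whose execute bit is gone or that are group/world-writable, and optionally
# restores 0755 (an assumption; adjust if your files need setuid or 0555).

# Regular files directly under DIR whose owner execute bit is clear.
list_non_exec() {
    find "$1" -maxdepth 1 -type f ! -perm -100
}

# Regular files directly under DIR that group or others may write to.
list_writable_by_others() {
    find "$1" -maxdepth 1 -type f \( -perm -020 -o -perm -002 \)
}

# Reset every file the two checks report to 0755 (needs root for /usr/bin).
fix_modes() {
    { list_non_exec "$1"; list_writable_by_others "$1"; } | sort -u |
    while IFS= read -r f; do
        chmod 0755 "$f"
        printf 'fixed %s\n' "$f"
    done
}

# Stand-alone use: "sh audit.sh /usr/bin" reports, "sh audit.sh /usr/bin fix"
# repairs. With no arguments nothing runs, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = fix ]; then
        fix_modes "$1"
    else
        echo "== missing execute bit in $1"
        list_non_exec "$1"
        echo "== group/world-writable in $1"
        list_writable_by_others "$1"
    fi
fi
```

Run the report first and read it before running `fix`: a file that is both non-executable and world-writable was changed by something, and knowing what (a module's `Makefile.PL`, a stray `umask`, a bad `chmod -R`) is worth more than silently resetting the mode.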
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>HowTo: Multiple Instances of SANCP</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2011/02/howto-multiple-instances-of-sancp" />
    <id>tag:www.pingtrip.com,2012:1297520981</id>
    <published>2011-02-12T10:29:41-04:00</published>
    <updated>2012-07-07T07:52:10-04:00</updated>
    <summary>
**Update:** If there was ever a time when I was over-thinking a problem this was certainly one of those times! I've edited this post to summarize the original research and include the unbelievably simplistic solution.

I run a number of [Sguil](http://sguil.sourceforge.net/) deployments, of which some are on hardware that is extremely under-utilized, so I set out to determine what it would take to run multiple Sguil deployments on the same server.

The required configuration changes were relatively simple for most of the processes (Sguil agents, Snort, DaemonLogger, PADS, Barnyard) until I got to SANCP. The FreeBSD package at the time of this writing (v1.6.1_4) doesn't use a PID file, nor does it have a configuration option for defining one. This makes it very difficult to run multiple instances, because without a PID file the rc.d framework (`rc.subr`) falls back to looking for the process name in the process table, so every instance after the first fails with `sancp already running?` errors.</summary>
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>Segmentation Faults in tcpdump under FreeBSD (8.1 amd64)</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2010/11/segmentation-faults-in-tcpdump-under-freebsd-81-amd64" />
    <id>tag:www.pingtrip.com,2012:1290128271</id>
    <published>2010-11-18T20:57:51-04:00</published>
    <updated>2012-07-07T07:53:37-04:00</updated>
    <summary>On a recently built FreeBSD 8.1 amd64 server I'm experiencing segmentation faults when I ctrl-c out of `tcpdump` on a busy network interface.

</summary>
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>NFS Performance: Brain Teaser (Solved!)</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2010/10/nfs-performance-brain-teaser" />
    <id>tag:www.pingtrip.com,2012:1287241183</id>
    <published>2010-10-16T10:59:43-04:00</published>
    <updated>2012-07-07T07:55:09-04:00</updated>
<summary>After spending multiple hours trying to diagnose a performance issue with NFS in my lab, I've stumbled upon a situation in which I can honestly say I'm completely bewildered.

When copying a 256MB test file to the NFS mount the transfer takes ~70 seconds, which equates to roughly 3.6MB/s, i.e. **very** slow. The client and server hardware is modern and equipped with Gigabit NICs and an accompanying Gigabit switch. With this hardware I'd expect average transfer speeds of 30-40MB/s, with the hard drives being the bottleneck.

So here's where it gets strange...</summary>
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>Installing Hacme Shipping on an XP Pro VMWare Image</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2009/09/installing-hacme-shipping-on-an-xp-pro-vmware-image" />
    <id>tag:www.pingtrip.com,2012:1252091040</id>
    <published>2009-09-04T15:04:00-04:00</published>
    <updated>2013-03-12T06:59:44-04:00</updated>
<summary>**[Hacme Shipping](http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm)** is a ColdFusion web application from Foundstone, Inc.'s series of deliberately vulnerable "Hacme" tools. As its name implies, Hacme Shipping is a mock shipping application much like one a major on-line retailer would use, except loaded with insecure code (on purpose!).

So in continuing the theme of my previous post, which detailed the process of [Installing Hacme Bank](http://www.pingtrip.com/weblog/2008/09/installing-hacme-bank-on-xp-pro), this article will hopefully provide another easy to follow, step-by-step guide to installing and configuring the application.</summary>
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>Installing Hacme Bank on an XP Pro VMWare Image</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2008/09/installing-hacme-bank-on-xp-pro" />
    <id>tag:www.pingtrip.com,2012:1220836832</id>
    <published>2008-09-07T21:20:32-04:00</published>
    <updated>2012-07-07T07:56:50-04:00</updated>
<summary>Whether you're evaluating a new vulnerability assessment tool or looking to hone your application hacking skills, the [Hacme Bank](http://www.foundstone.com/us/resources-free-tools.asp) application by Foundstone, Inc. offers a perfect "victim" to use as a testing target. Hacme Bank simulates an online banking website with the added bonus of having numerous vulnerabilities purposely designed in for you to discover.

In this write-up I'll walk you through the necessary steps for getting the application up and running on a Windows XP Professional VMWare image. I prefer this setup for a couple of reasons. First, if an unrecoverable error condition occurs (while hurling malicious packets at the application, perhaps?) you can simply revert the virtual machine to a known good state. Second, by positioning Hacme Bank on an isolated machine I'm able to use my everyday penetration testing rig as the attack platform.</summary>
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>Essential Software for OS X</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2008/08/essential-software-for-os-x" />
    <id>tag:www.pingtrip.com,2012:1217635811</id>
    <published>2008-08-01T20:10:11-04:00</published>
    <updated>2012-07-07T07:57:44-04:00</updated>
    <summary>This is a continuation of my collection of articles pertaining to [dual-booting Leopard](http://www.pingtrip.com/weblog/2008/04/leopard-and-kubuntu-on-a-macbook-pro) and [Kubuntu on a MacBook Pro](http://www.pingtrip.com/weblog/2008/04/kubuntu-on-a-macbook-pro). This article is just a quick rundown of the software packages that are always installed on my laptop.</summary>
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>Custom Tags with Markdown Plugin (Redux)</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2008/07/custom-tags-with-markdown-plug" />
    <id>tag:www.pingtrip.com,2012:1217374049</id>
    <published>2008-07-29T19:27:29-04:00</published>
    <updated>2012-07-07T07:58:25-04:00</updated>
<summary>A while back I wrote about [adding custom tags to the Markdown Plugin](http://www.pingtrip.com/weblog/2008/04/adding-custom-tags-to-markdown), in which I created two new custom tags, a "Note" and a "Warning" block. This time around I'm adding an additional custom Markdown tag, an "Update" tag, for when you want to signify that a portion of a previously published article has been altered.</summary>
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>Adding Custom Tags to Markdown Plugin</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2008/04/adding-custom-tags-to-markdown" />
    <id>tag:www.pingtrip.com,2012:1207951112</id>
    <published>2008-04-11T17:58:32-04:00</published>
    <updated>2012-07-07T07:58:58-04:00</updated>
<summary>In this article I'll be tinkering with one of Movable Type's default plugins, [John Gruber's Markdown](http://daringfireball.net/projects/markdown/), which is one of the text formatting choices available when working in the Entry Editor.

The brilliance of Markdown comes from its powerful translations, combined with its utter ease of use. Granted, it's not your typical WYSIWYG and did pose a slight *comfort curve* (the time and effort it takes to adjust to a new way of editing; for me at least!), but after writing only three articles with it I'm hooked!</summary>
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>Kubuntu on a MacBook Pro</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2008/04/kubuntu-on-a-macbook-pro" />
    <id>tag:www.pingtrip.com,2012:1207397267</id>
    <published>2008-04-05T08:07:47-04:00</published>
    <updated>2012-07-07T07:59:37-04:00</updated>
<summary>Due to the recent growing popularity of dual-booting the MacBook Pro, I decided to move the Kubuntu portion of my [Leopard and Kubuntu on a MacBook Pro](http://www.pingtrip.com/weblog/2008/04/leopard-and-kubuntu-on-a-macbook-pro) article into its own entry. My hope is to find the time to tweak this article enough that it provides a thorough, step-by-step walk-through that others can use.</summary>
    <author><name>Dave</name></author>
</entry>      
<entry>
    <title>Leopard and Kubuntu on a MacBook Pro</title>
    <link rel="alternate" href="http://www.pingtrip.com/weblog/2008/04/leopard-and-kubuntu-on-a-macbook-pro" />
    <id>tag:www.pingtrip.com,2012:1207355496</id>
    <published>2008-04-04T20:31:36-04:00</published>
    <updated>2012-07-07T08:00:53-04:00</updated>
    <summary>Thanks to a fun personality quirk of mine I find myself re-imaging my MacBook Pro on a regular basis, so I figured documenting the process would be a brilliant idea. The goal is actually twofold: to streamline the process for myself and to provide a baseline for folks attempting to re-create any of my experiments on their own MBPs.

The directions which follow apply to **my** dual boot MacBook Pro, your mileage may vary...</summary>
    <author><name>Dave</name></author>
</entry>      

</feed>
