I saw mention of the DualComm Ethernet switch/tap on my Twitter feed a few weeks back from @Pauldotcom. It is really difficult to sniff traffic without a hub or a business-level switch, or a pass-through feed using a dedicated PC. The DualComm tap provides a very simple and affordable way to tap traffic by putting a port-replicator feature in a small switch.
So I ordered the USB Powered 10/100 Ethernet Tap DCSW-1005. It cost $59.95 and they take PayPal.
It works like a champ. I plugged it into a spare Apple USB power plug where all my network hardware is. Then I patched the cable from my router WAN port to port two of the switch. Port one then went to my cable modem. I tested and found all my Internet connectivity works fine without issue or performance hit. Then I just plugged port five from the Ethernet tap into an old Thinkpad laptop I have for such things. I did have to order a Linksys USB network adapter to have a second interface on the Thinkpad for sniffing the traffic. The onboard NIC is used for normal network access, SSH, etc. Ntop, Dsniff, URLSnarf etc. all work perfectly in testing. It was amazing that I could not find a USB wired network adapter in any local stores. I had to order that Linksys adapter from Amazon.
All said and done, the DualComm DCSW-1005 works great! And having it be USB powered means no dedicated power adapters to be lost or mislabeled. If you need an Ethernet tap for your security work this is a great find.
PS: If you are like me and forget how to put an interface into promiscuous mode under Ubuntu Linux, Andrew Hay has a great post on promisc mode setup that I keep handy.
The latest round of Adobe patches is a pain for IT staff to implement. If you allow automatic updates, many machines pulling the full Reader installer from Adobe at once is likely to knock out your WAN or Internet links. Too much traffic.
Manually running around and installing the update is also a pain for IT and consumes a lot of man-hours. So I love to make script packs for them to automate things.
To use these scripts you need to do a few preparation steps.
Download the Nmap binaries for Windows and put them in the folder you will run the scripts from.
You will need to install the WinPcap driver for the Nmap scans to work.
Download the Adobe Reader installer and put it on a network share.
Create a throwaway domain user account that can only map the network share holding the Acrobat installer. I put the installer in a subfolder of that share called acro93 for the version I am installing. If your domain is set up reasonably well, only authenticated users can connect to shares, which is why the account is needed. You will delete this account once done.
Next come the scripts. We have the master script we call acrobat.bat. This script pushes a second bat file onto each target host. You need to put your target hosts into a text file in a format that Nmap accepts: a subnet, individual IPs, or hostnames your PC can resolve.
Perhaps you have made yourself a logging VM, or even a logging machine out of an old laptop, using my PDF instructions. At home I actually turned a real old IBM Thinkpad A22m into an Ubuntu logging machine, just like my directions only without VMware.
I send all my network hardware logs via syslog to that machine. BUT I also made one simple change to the syslog.conf on every Mac in my house. Now all my Mac logs collect on that machine for searching in Splunk.
Just open Terminal on your Mac.
sudo vi /etc/syslog.conf
Edit the file and add the following line, substituting your own logging machine IP address.
Make sure to use an actual IP address in place of loggingmachineipaddress. I tried using the Bonjour/mDNS name like logger.local and my Macs never consistently sent logs. After changing to the IP address it worked.
Next, if you are on Leopard you can run the following two Terminal commands to restart syslog and pick up the config change. Otherwise you could also just reboot your Mac.
Recently I wanted to build a log collection virtual machine. I settled on a combination of syslog-ng and Splunk. syslog-ng lets you do filtering, message rewriting and routing to multiple destination types. Splunk v4 gives you a nice ability to search the gathered logs. So you can follow my two documents. The "roll your own" document covers building the VM. The "getting started" document covers the last setup tweaks to use and collect certain event types I decided would make a good starting example set.
We use Ubuntu Server 9.10 32-bit with syslog-ng v3 and Splunk v4 in this tutorial. I built mine in VMware Fusion on my Mac, but you should be able to adapt it to your own box or virtualization of choice.
Lately I have been working on making a VMware virtual machine that combines syslog-ng version 3 and Splunk. I wanted to leverage syslog-ng for routing of messages and for rewriting messages from an existing Kiwi Syslog server.
Let's say you have all your network gear sending events to an existing Kiwi Syslog install. You can add an action to forward the messages and include the original source IP. The problem is that the original IP becomes part of the message. When it reaches Splunk you would rather it see the messages as having come from the original host, so you get the best mapping to host fields in Splunk searches.
So we use syslog-ng to receive the forwarded messages and rewrite each message before it is picked up by Splunk. We tell syslog-ng to listen on UDP port 3514. This is the port we tell Kiwi Syslog to forward events to. Next we tell syslog-ng to write the events to a Linux FIFO (named pipe) while applying the rewrite. It is easy from there to tell Splunk to pull events from the FIFO.
The solution is a combination of telling syslog-ng NOT to parse the incoming messages and then applying the rewrite rule. I do plan on writing a PDF guide on building the logging VM from scratch soon, but for now you can check out the config below.
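To make the rewrite step concrete, here is an added example (written for this page, not the syslog-ng config the post refers to) that models what the rewrite has to achieve: pull the original source address out of the forwarded message, hand it to the collector as the host, and strip the relay's prefix from the body. The forwarded-message shape is an assumption: this code takes the relay to prepend "Original Address=<ip> " to each message, and the real Kiwi Syslog prefix may differ, so RELAY_RE is the one thing to adjust. Because host attribution now comes from a field inside the message rather than from the packet, the UDP 3514 listener should only accept traffic from the relay's address; otherwise anything that can reach that port can choose which host its events are filed under.

```python
import re

# Assumed relay format (constructed for this example): the forwarding syslog server
# prepends "Original Address=<ip> " to the body of each message it relays.
# The exact prefix Kiwi Syslog writes may differ; adjust this pattern to match
# what actually arrives on UDP 3514.
RELAY_RE = re.compile(
    r"^(?P<pri><\d{1,3}>)?"                                   # optional syslog PRI, kept as-is
    r"Original Address=(?P<orig>\d{1,3}(?:\.\d{1,3}){3})\s+"  # relay-inserted source address
    r"(?P<body>.*)$"                                          # the message as the device sent it
)

RELAY_IP = "192.168.1.50"  # constructed: address of the forwarding (Kiwi) server


def rewrite_forwarded(line, sender_ip=RELAY_IP):
    """Return (host, message) as the collector should index them.

    A message carrying the relay prefix is attributed to the embedded original
    address and the prefix is removed from the body. Anything else is attributed
    to the host that actually sent it. The prefix has to sit at the very start of
    the message, so the string 'Original Address=' appearing later in a body does
    not change attribution.
    """
    m = RELAY_RE.match(line)
    if not m:
        return sender_ip, line
    return m.group("orig"), (m.group("pri") or "") + m.group("body")


def process(lines, sender_ip=RELAY_IP):
    """Rewrite a batch of received lines; returns a list of (host, message)."""
    return [rewrite_forwarded(line, sender_ip) for line in lines]


# Constructed sample of what the relay might send, plus one message that was not relayed.
SAMPLE = [
    "<189>Original Address=192.168.1.1 Jan  4 10:00:00 %SYS-5-CONFIG_I: Configured from console",
    "<190>Original Address=192.168.1.2 Jan  4 10:00:01 link up on port 3",
    "<14>Jan  4 10:00:02 note: Original Address=1.2.3.4 is only text here",
]

if __name__ == "__main__":
    for host, message in process(SAMPLE):
        print(f"host={host:<14} {message}")
```

The first two lines come back attributed to the switches at 192.168.1.1 and 192.168.1.2 with the prefix gone; the third keeps the relay as its host because the prefix is not at the start of the message.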
Normally I just run a sudo tcpdump at a command line. But I wanted to play around in the Wireshark GUI of the latest build, 1.0.8 for OS X Leopard.
So I downloaded the latest DMG for Wireshark 1.0.8 for Intel Leopard, dragged the Wireshark app to my Applications folder and ran it. Wireshark would not see any network interfaces.
What I found is that I need to do the following, and then Wireshark can see the interfaces. BTW, no: sudo open "Applications/Wireshark.app" would not work either. I suspect because it's an X11 app.
sudo -S chown username /dev/bpf*
Substitute your short username for "username" above. But who wants to do that every time you reboot, even if you script it? So of course I made an Automator workflow.
Drag over the "Ask for Text" object. Use a prompt like "Enter Password:".
Drag over "Run Shell Script". Put in the sudo chown command from above, and change "Pass input" to "to stdin" (the -S flag makes sudo read the password from stdin).
Lastly drag over "Launch Application" and choose Wireshark.app.
Save it as an Automator application, maybe on your desktop. Now you have a simple double-click method to perform the chown of the BPF devices so Wireshark.app can see the interfaces. It will prompt you for your user password (assuming you are an admin user or added your account to sudoers using the visudo command), pass it to the sudo statement for you, and then launch Wireshark.
I have written a lot of command line scripts to automate certain tasks over the years. What is cool is the new blog Command Line Kung Fu. I made a comment about a post from it on Twitter and mentioned I did a bat file once to dump a list of all running processes on the Windows PCs on your network. Several folks asked me to post my script.
I use Nmap to do the ping sweep and feed the list of IPs to a loop for pslist to work on. Obviously you have to run this under an account that has admin credentials on all the target systems. Worst case is that it just fails to run, won't run at all against non-Windows hosts, and leaves a lot of noise in properly configured logs across your hosts. None of which are really bad things. Here are the bat file contents I use.
You could further limit the hosts by first using something like an Nmap port scan for one of the Microsoft NetBIOS ports, or use something like nbtscan to make a list. Use that as the input file for your Nmap ping sweep to help ensure you only spend time on hosts currently responding. It is also fun to substitute things like psloggedon or psexec for more interesting loops.
REM %1 = text file of targets in any form nmap -iL accepts (subnets, IPs, resolvable hostnames)
nmap -sP -iL %1 -oG pingsweep.txt
REM keep only the "Status: Up" lines of the grepable output (drops the # comment lines too)
find "Status: Up" pingsweep.txt > pingtemp.txt
REM token 2 of "Host: <ip> (<name>) Status: Up" is the IP; run pslist against each and append
for /F "eol=- tokens=2" %%i in (pingtemp.txt) do pslist \\%%i >> pslists.txt
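The batch file above depends on the layout of Nmap's grepable (-oG) output, so here is an added example, written for this page rather than taken from the post, that parses that format properly: it reproduces the "Status: Up" selection the find/for pair performs, and goes one step further than the post's script by also reading the Ports field of a -oG port scan so the host list can be narrowed to machines with 139 or 445 open, which is the NetBIOS pre-filter the post suggests. Both input files are constructed samples, not captures from a real network, and the function names are my own.

```python
import re

# Constructed sample of what "nmap -sP ... -oG pingsweep.txt" writes; not from a real network.
PING_SWEEP = """# Nmap 5.00 scan initiated Mon Jan  4 09:00:00 2010 as: nmap -sP -iL hosts.txt -oG pingsweep.txt
Host: 192.168.1.10 (ws01)\tStatus: Up
Host: 192.168.1.20 (printer)\tStatus: Up
Host: 192.168.1.254 ()\tStatus: Down
# Nmap done at Mon Jan  4 09:00:03 2010 -- 3 IP addresses (2 hosts up) scanned in 3.00 seconds
"""

# Constructed sample of a grepable scan of the NetBIOS/SMB ports, the pre-filter the post suggests.
PORT_SCAN = """# Nmap 5.00 scan initiated Mon Jan  4 09:05:00 2010 as: nmap -p 139,445 -iL hosts.txt -oG ports.txt
Host: 192.168.1.10 (ws01)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.1.20 (printer)\tPorts: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
Host: 192.168.1.30 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
# Nmap done at Mon Jan  4 09:05:02 2010 -- 3 IP addresses (3 hosts up) scanned in 2.00 seconds
"""

# "Host: <ip> (<name>)<tab><field>[<tab><field>...]"; fields are "Status: ..." or "Ports: ..."
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s*(?P<rest>.*)$")
# One entry of a Ports field: port/state/protocol//service///
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>[^/]+)/(?P<proto>[^/]+)//(?P<service>[^/]*)///")


def parse_grepable(text):
    """Return {ip: {"name", "status", "open"}} from nmap -oG output.

    Lines starting with '#' are Nmap's own comments; the batch file drops them
    with find, this parser drops them by only matching Host: lines.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        entry = hosts.setdefault(
            m.group("ip"), {"name": m.group("name"), "status": None, "open": set()}
        )
        for field in m.group("rest").split("\t"):
            if field.startswith("Status:"):
                entry["status"] = field.split(":", 1)[1].strip()
            elif field.startswith("Ports:"):
                for pm in PORT_RE.finditer(field):
                    if pm.group("state") == "open":
                        entry["open"].add(int(pm.group("port")))
    return hosts


def up_hosts(text):
    """The IPs the batch file's 'tokens=2' picks out: hosts Nmap reported Up."""
    return [ip for ip, e in parse_grepable(text).items() if e["status"] == "Up"]


def hosts_with_open_port(text, ports=(139, 445)):
    """Hosts with at least one of the given ports open (the NetBIOS/SMB narrowing)."""
    wanted = set(ports)
    return [ip for ip, e in parse_grepable(text).items() if e["open"] & wanted]


def nmap_input_list(ips):
    """Contents of the -iL file that feeds the narrowed list back into the ping sweep."""
    return "".join(ip + "\n" for ip in ips)


if __name__ == "__main__":
    print("up hosts:", up_hosts(PING_SWEEP))
    print("smb hosts:", hosts_with_open_port(PORT_SCAN))
    print(nmap_input_list(hosts_with_open_port(PORT_SCAN)), end="")
```

Run it as-is to see the two lists; to use it on real output, read the -oG file into a string and pass it to up_hosts or hosts_with_open_port, then write nmap_input_list(...) to the file you hand to -iL.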
Good thing AT&T is such a short name. It seems some of their network support staff for managed networks are not too bright. If the name were longer these guys might forget where they work.
A friend emailed me this week about a network problem.
It seems the AT&T support department that handles his employer gave them a /23 IP range. They used PUBLIC IP space for an internal LAN. THEN it gets better. They broke the space into two /24s. OK, nothing wrong there. They set up the /24s as VLAN1 and VLAN2. BUT then these guys created one DHCP pool with the whole /23 subnet. And now the AT&T support group can't explain to the customer company why things don't work right. Sheesh. All it would take is two minutes to redo the DHCP as two /24 pools corresponding to the subnetted VLANs. Still, who uses PUBLIC IP ranges on an internal network? I guess you get what you pay for when you outsource your IT department to AT&T.
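To show why the single /23 pool breaks the two /24 VLANs, here is an added example (mine, not something from the post or from the friend's network) using Python's ipaddress module. The addresses are constructed stand-ins: the post's network used public space, this uses a private 10.20.0.0/23 split the same way. pool_problems flags a pool that spans more than one VLAN subnet (and a pool carved from globally routable space); lease_is_consistent checks a single lease the way a client would experience it, where a /23 mask and a gateway on the other VLAN look on-link but are not; per_vlan_pools produces the two-pool layout the post says would fix it.

```python
import ipaddress

# Constructed stand-in for the post's addressing: one /23 split into two /24 VLANs.
# (The real case used public space; RFC 1918 space is used here.)
VLAN_SUBNETS = {
    "VLAN1": ipaddress.ip_network("10.20.0.0/24"),
    "VLAN2": ipaddress.ip_network("10.20.1.0/24"),
}


def pool_problems(pool_cidr, vlan_subnets=VLAN_SUBNETS):
    """Findings for a DHCP pool that does not line up with the VLANs it serves."""
    pool = ipaddress.ip_network(pool_cidr)
    findings = []
    spanned = [name for name, net in vlan_subnets.items() if net.subnet_of(pool)]
    if len(spanned) > 1:
        # One scope hands out addresses (and one router) across several broadcast domains.
        findings.append(f"pool {pool} spans {len(spanned)} VLAN subnets: {', '.join(spanned)}")
    if not pool.is_private:
        findings.append(f"pool {pool} is globally routable address space")
    return findings


def lease_is_consistent(vlan, ip, prefixlen, gateway, vlan_subnets=VLAN_SUBNETS):
    """True when the lease matches the VLAN's subnet and the gateway is on that VLAN.

    A /23 lease on a /24 VLAN fails here: the client believes the whole /23 is
    on-link, so it ARPs for hosts and the gateway that may sit on the other VLAN.
    """
    net = vlan_subnets[vlan]
    assigned = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return assigned == net and ipaddress.ip_address(gateway) in net


def per_vlan_pools(vlan_subnets=VLAN_SUBNETS, reserve=10):
    """Corrected layout: one pool per VLAN, gateway on the first host, a few addresses reserved."""
    pools = {}
    for name, net in vlan_subnets.items():
        hosts = list(net.hosts())
        pools[name] = {
            "network": str(net),
            "mask": str(net.netmask),
            "gateway": str(hosts[0]),
            "range": (str(hosts[reserve]), str(hosts[-1])),
        }
    return pools


if __name__ == "__main__":
    for f in pool_problems("10.20.0.0/23"):
        print("finding:", f)
    # A VLAN2 client that drew a /23 lease with VLAN1's router as its gateway.
    print("VLAN2 lease ok?", lease_is_consistent("VLAN2", "10.20.0.50", 23, "10.20.0.1"))
    for name, p in per_vlan_pools().items():
        print(name, p)
```

The single-/23 case returns one finding and the mismatched lease returns False; the two generated pools each stay inside their own VLAN with a gateway on that VLAN, which is the two-minute fix the post describes.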