[::. UPDATES .::]
[::. November 19, 2011, 01:30 .::]
Had an awesome chat again with a few security professionals on IRC. I learned about new tools that I can use for my pen tester certification adventure. It is so awesome because I got to chat with HD Moore. He gave some words of wisdom and information on how I can achieve my dreams. This is what he told me:
just learn everything you can
a pentester is just a glorified technical writer with sysadmin skills
practicing sysadmin, development, and writing reports is all useful
lots of great guides
try to find a way to spend time doing it now
That is unbelievable! I love IRC. I've been using it since late 1994.
[::. September 23, 2011, 23:17 .::]
It takes me 1.5 hours to reach Chicago Union Station by train alone. To use the time wisely, I borrowed my wife's iPad and loaded eBooks onto it. I've been reading two books and they're awesome. One is Metasploit: The Penetration Tester's Guide and the other is Hacking: The Art of Exploitation. Even though my current job is totally unrelated to security, I have to maintain my security skills. I have plans to take the online courses provided by Offensive Security. I'm aiming for two certifications which I heard are the world's toughest hands-on security exams: OSCP and OSCE.
[::. January 7, 2010, 21:30 .::]
I finally got KVM running on my Fedora box. It's running Windows 2003, Windows XP Professional, CentOS, and another Fedora. This is the only way I'll be able to keep my security skills from rusting. I'll be setting up vulnerable apps and trying different tools such as nmap, Nessus, Nikto, and Metasploit to exploit the holes. I am doing this because I have plans to get a pen tester certification.
[::. February 15, 2009, 19:57 .::]
I needed to check files that come in daily from another system. It was becoming a problem since I had to be awake at 3am to check whether the files had arrived. Thanks to our Nagios system and the NRPE plugin, that is no longer necessary. NRPE (Nagios Remote Plugin Executor) is a stand-alone daemon/service that can be installed on either Windows or UNIX. It accepts connections from the Nagios server (check_nrpe), runs a plugin command that is configured locally in nrpe.cfg, and returns the plugin's output line and exit status to the requesting machine. Two things to keep in mind: restrict who may talk to it with allowed_hosts in nrpe.cfg, and leave dont_blame_nrpe at 0 unless you really need the Nagios server to pass arguments to commands, because argument passing turns the daemon into a remote command surface if the check scripts handle their arguments carelessly.
So I wrote a simple Windows shell script that checks whether the files are available. This script gets called by Nagios via NRPE. Nagios notifies managers and the rest of the support team via email and pager if the files haven't arrived yet or if there is some problem with the downstream.
You can download the scripts from here. As a bonus, I added other scripts that I use, such as CPU checking, etc.
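The same check written as a Nagios plugin in Python, as an added example and not the Windows script from the post. The drop directory, file names and the 3am cutoff are assumptions; the exit codes are the ones the Nagios plugin API defines (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). It separates the filesystem lookup from the decision logic so the decision can be exercised without real files, and it treats a file that is present but older than a day as a failure, since yesterday's copy is not a new delivery.

```python
"""Nagios/NRPE-style check for a batch of files that must arrive daily.

Added example (not the post's script).  Directory, file names and cutoff hour
are assumptions; exit codes are the Nagios plugin API values."""
import os
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def stat_files(directory, expected):
    """Map each expected file name to (mtime, size), or None if it is absent."""
    found = {}
    for name in expected:
        try:
            st = os.stat(os.path.join(directory, name))
            found[name] = (st.st_mtime, st.st_size)
        except FileNotFoundError:
            found[name] = None
    return found


def evaluate(found, now, past_cutoff, max_age=24 * 3600):
    """Turn stat results into a Nagios (exit_code, status_line) pair.

    missing after the cutoff  -> CRITICAL (the feed failed)
    present but too old       -> CRITICAL (yesterday's copy, not a new delivery)
    missing before the cutoff -> WARNING  (the feed may still be running)
    present but zero bytes    -> WARNING  (delivered, but probably truncated)
    """
    missing = sorted(n for n, v in found.items() if v is None)
    stale = sorted(n for n, v in found.items() if v and now - v[0] > max_age)
    empty = sorted(n for n, v in found.items()
                   if v and now - v[0] <= max_age and v[1] == 0)
    if missing and past_cutoff:
        return CRITICAL, "CRITICAL: missing after cutoff: " + ", ".join(missing)
    if stale:
        return CRITICAL, "CRITICAL: stale files (older than %dh): %s" % (
            max_age // 3600, ", ".join(stale))
    if missing:
        return WARNING, "WARNING: not yet arrived: " + ", ".join(missing)
    if empty:
        return WARNING, "WARNING: zero-byte files: " + ", ".join(empty)
    return OK, "OK: %d of %d files arrived" % (len(found), len(found))


def main(argv):
    """Usage: check_feed.py <directory> <cutoff_hour> <file> [<file> ...]"""
    if len(argv) < 4:
        print("UNKNOWN: usage: check_feed.py <directory> <cutoff_hour> <file>...")
        return UNKNOWN
    directory, cutoff_hour, expected = argv[1], int(argv[2]), argv[3:]
    now = time.time()
    # the cutoff is compared against the local hour of day on the monitored host
    past_cutoff = time.localtime(now).tm_hour >= cutoff_hour
    code, status = evaluate(stat_files(directory, expected), now, past_cutoff)
    print(status)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the monitored host the command goes into nrpe.cfg with its arguments fixed there, for example (assumed paths) command[check_feed]=/usr/bin/python3 /usr/local/nagios/libexec/check_feed.py /var/feeds 3 orders.dat balances.dat, so the Nagios server never has to pass arguments and dont_blame_nrpe can stay off.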
[::. August 15, 2004, 01:37 .::]
I'm back guys and I am here to share how we can use PHP to convert hex to binary. Huh, get a scientific calculator and you're done. Well, I am not going to be tackling mathematics here; what I am referring to is the hex bytes we see in Ethereal captures, and turning them back into the binary file they came from. Back in 1992 (college days), I wrote a Pascal program that checked whether a file was a flic (.fli) file by reading the file header. FYI, flic is an animation format, just like MPEG.
Anyway, while pondering the things I did during my college days, it came into my mind to search Google for a tool that would let me pull out a file embedded in HTTP traffic, or maybe an add-on to the Ethereal sniffer. I wasted three hours searching and saw some threads, but most of them were not helpful. So I just thought of applying the old techniques I used to manipulate files back in my college days. Sure you guys remember PC-Tools, PCShell or even NDD. :)
But before I started coding, I had to compare the "Follow TCP Stream" capture in Ethereal of HTTP traffic carrying an embedded JPEG against the output of hexdump or od on a real JPEG file in FreeBSD. From there I was able to see how the JPEG header is encoded (a JPEG starts with the bytes FF D8 FF and ends with FF D9; in the stream the image begins right after the blank line that terminates the HTTP headers). Now for the real thing: I used chr(hexdec($the_hex_code)). What my code does is loop through the Ethereal capture, put all the hex bytes in an array, convert each hex byte to decimal, then decimal to ASCII, and write it to a file. Below is the exact excerpt of the code I used to generate the binary file ($onebigarr holds the hex bytes, $fd1 is the output file opened for binary writing, and $_POST["start"] is the 1-based index of the first byte of the image, i.e. the byte after the HTTP headers; it comes from the request, so cast it to an integer before trusting it):

    // write every hex byte from the first byte of the image onwards
    $start = (int) $_POST["start"];
    for ($i = 0; $i < count($onebigarr); $i++) {
        if ($i >= ($start - 1)) {
            $err = fwrite($fd1, chr(hexdec($onebigarr[$i])));
        }
    }

(On PHP 5.4 or later the whole conversion is a single call: hex2bin(implode('', array_slice($onebigarr, $start - 1))).) I will leave the Ethereal capture as your assignment. The working code is found on this link. Input should be a plain text file.
Have fun....
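The same carve done end to end in Python, as an added example that is not the post's PHP: it parses a one-byte-per-token hex dump (the Ethereal "Follow TCP Stream" hex view, hexdump -C or xxd all qualify), splits the HTTP response into headers and body, refuses bodies that are chunked or compressed (the raw bytes are not the file in that case), and cuts the image at the FF D8 FF and FF D9 markers. SAMPLE_DUMP is a constructed dump of a tiny fake response; the 20 image bytes are only a JPEG header stub, not a real picture.

```python
"""Carve a JPEG out of a hex dump of an HTTP response.

Added example, not the post's code.  SAMPLE_DUMP is constructed; the image
bytes in it are a header stub only."""
import re

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
OFFSET = re.compile(r"^[0-9A-Fa-f]{4,}:?$")   # leading offset column, 4+ hex digits
JPEG_SOI = b"\xff\xd8\xff"                    # start of image
JPEG_EOI = b"\xff\xd9"                        # end of image

SAMPLE_DUMP = """\
00000000  48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d  HTTP/1.0 200 OK.
00000010  0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 69  .Content-Type: i
00000020  6d 61 67 65 2f 6a 70 65 67 0d 0a 43 6f 6e 74 65  mage/jpeg..Conte
00000030  6e 74 2d 4c 65 6e 67 74 68 3a 20 32 30 0d 0a 0d  nt-Length: 20...
00000040  0a ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00  ................
00000050  01 00 01 ff d9                                   .....
"""


def hexdump_to_bytes(text, bytes_per_row=16):
    """Parse one-byte-per-token dumps into bytes.

    The offset column is dropped and at most `bytes_per_row` byte tokens are
    taken per line, so the ASCII column on the right is ignored even when it
    happens to contain something that looks like a hex pair.
    """
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and OFFSET.match(tokens[0]):
            tokens = tokens[1:]
        taken = 0
        for tok in tokens:
            if taken == bytes_per_row or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def split_http_response(data):
    """Return (status_line, {header: value}, body) for a raw HTTP response."""
    sep = data.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no end of HTTP headers in capture")
    head, body = data[:sep].split(b"\r\n"), data[sep + 4:]
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return head[0].decode("latin-1"), headers, body


def carve_jpeg(body):
    """Return the bytes from the first SOI marker to the following EOI marker."""
    start = body.find(JPEG_SOI)
    if start < 0:
        raise ValueError("no JPEG SOI marker (FF D8 FF) in body")
    end = body.find(JPEG_EOI, start + len(JPEG_SOI))
    if end < 0:
        raise ValueError("JPEG is truncated: no EOI marker (FF D9) after SOI")
    return body[start:end + len(JPEG_EOI)]


def extract_image(dump_text):
    """Hex dump of a whole HTTP response -> JPEG bytes, with sanity checks."""
    status, headers, body = split_http_response(hexdump_to_bytes(dump_text))
    # a chunked or compressed body is not the raw file; it must be decoded first
    if "transfer-encoding" in headers or "content-encoding" in headers:
        raise ValueError("body is encoded (%s); decode it before carving" % (
            headers.get("transfer-encoding") or headers.get("content-encoding")))
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError("capture is incomplete: body is %d bytes, Content-Length says %s"
                         % (len(body), declared))
    return carve_jpeg(body)


if __name__ == "__main__":
    image = extract_image(SAMPLE_DUMP)
    with open("carved.jpg", "wb") as fh:   # output name is an assumption
        fh.write(image)
    print("wrote %d bytes" % len(image))
```

The Content-Length check matters because Ethereal's stream view only shows what was captured; a dropped packet in the middle produces a file that opens as a corrupt image with no other hint of what went wrong.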
[::. April 04, 2004, 14:08 .::]
It's been a long time since I last updated this site. I got sooo busy after the October 2003 company-wide realignment. Well, I'm happy about it because the new team where I am right now manages about 300+ banking applications, 20+ IIS servers, 40+ Solaris and about 15+ MSSQL database servers.
Anyway, I strongly believe in open-source technology. There are so many things you can do, especially if you are creative. I will share my ideas, or rather the real thing, here in this column. It's just that I can't afford to miss sharing ideas back with the open-source community. The experience I have had with open source since 1995 until now compares to nothing. I just can't explain the feeling when I am untarring, compiling and troubleshooting code for two or more days, writing my own code or even patching the code. :) I might be exaggerating, but this is how I really feel. And because of this, I tried presenting one of the top five open-source tools to my team and I am very happy to say that Nagios captured their attention.
I will not talk here about Nagios' capability to monitor daemons or services, but rather about monitoring statistics or performance counters of a machine and plotting those counters within the Nagios interface. The recipe for this kind of configuration is rrdtool, some PHP knowledge, NSClient (for Win2k), and access to UNIX's vmstat. I got the idea from APAN, but I found it very limiting, especially when plotting multiple counter variables. So I had to write it my way. Here is a screenshot of the vmstat output plotted from within Nagios' main interface.
By creating a serviceextinfo.cfg file and having Nagios load it when it starts, we are able to place an icon on the Nagios interface right beside the service. Here is a screenshot which shows the graph-plot-like icon. But of course, you should not do this until you have created hosts.cfg and services.cfg.
Before you can create that kind of graph, you have to create an rrdtool database, and here is the command I used to create that RRD. More tutorials can be found on the rrdtool website. Now that we have the RRD created, it is populated by my libexec/solaris_check.sh. I wrote it from scratch because no one had written a vmstat plugin yet. But I hope you still remember the rule of thumb for the run queue length (r), blocked queue (b) and swapped-out processes (w) columns and the four times the number of your processors. I will update solaris_check.sh to parse the r, b, w columns.
When you click on the service icon, it calls the graphsolarisload.php we defined in serviceextinfo.cfg, which in turn calls unixsystem.cgi. This is just a plain .sh program. It is also the program that creates the graph in PNG format. If a CGI like this builds its command line from request parameters, validate them against a fixed list of hosts and counters first; otherwise it is a remote shell for anyone who can reach the Nagios web interface.
Well, it took me some time to get it working and I'm sure you will be able to get it running too. Drop me an email if you have any questions about it and I will be glad to assist. Or, if you want something similar for your environment, I can work with you during weekends. ;-) What do you think???????????
[::. September 28, 2003, 10:57 am .::]
This morning, while I was having my cereal and watching the cursor blink on my SSH session, I decided to look at how nmap's different stealth options send the port scan to the target port and IP address. I didn't add the decoy parameter since it would just mess up my sniff. I just got fully charged after attending Network Associates' TCP/IP Troubleshooting and Protocol Analysis course. That's why I am doing this.
This very short article will also give network administrators or security wannabes a bird's-eye view of how the traffic looks on both the sender's and the receiver's side.
Let's start. For my testing, I will only be scanning port 80 on the other end. I used "TCP connect" to port scan my FreeBSD box. The command line was:
nmap -vv -sT -P0 -n 192.168.1.105 -p 80
Here is the result, which includes both the nmap output and the traces. You will also notice that it only took 1 second, which is quite fast. A connect scan completes the full three-way handshake (SYN, SYN/ACK, ACK) and then closes the connection, so the application listening on the target actually accepts the connection and can log it.
Next was the TCP Stealth SYN scan. The command line I used was:
nmap -vv -sS -P0 -n 192.168.1.105 -p 80
Here is the result. You will notice that it didn't complete the three-way handshake: nmap answers the SYN/ACK with a RST instead of an ACK, which is why it is also called a half-open scan. The listening application never sees a connection, but the SYN itself is still visible to a packet filter or IDS.
Another option I tried was the NULL scan (no TCP flags set). I was impressed with the traces. Just go over them. It does take more time to get the results, though. The reason is in RFC 793: a closed port must answer a segment without SYN with a RST, while an open port silently drops it. So nmap can only report the port as open|filtered after waiting for replies that never come, and it retransmits the probe before giving up. But it's going to be harder for a firewall guy to decide whether this source IP address was really port scanning his network. So it has its pros and cons. The command used was:
nmap -vv -sN -P0 -n 192.168.1.105 -p 80
Here is the result.
Similar to the NULL scan is the Xmas scan, which sets the FIN, PSH and URG flags. The command line I used was:
nmap -vv -sX -P0 -n 192.168.1.105 -p 80
It also took a long time before I got the results.
The last option I tested was the Stealth FIN scan. The performance was also similar to the two previously mentioned options, for the same reason. The command line I issued was:
nmap -vv -sF -P0 -n 192.168.1.105 -p 80
and here is the result.
One caveat for the NULL, Xmas and FIN scans: they only work against TCP stacks that follow RFC 793. Windows and many Cisco devices reply with a RST on every port, open or not, so against those hosts every port shows up as closed. (In current nmap releases the -P0 option is spelled -Pn.)
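A small classifier that applies those rules to a capture, as an added example that is not part of the post: it groups packets into flows, identifies the probe type from the flags, infers the port state the way nmap does, and tells a connect scan from a half-open SYN scan by how the scanner finished the handshake. The packets below are constructed to mirror the five scans above (connect, SYN, NULL, Xmas, FIN against 192.168.1.105:80, plus a FIN probe at a closed port); they are not the author's traces. Flags are written as strings of S/A/F/R/P/U, the way tcpdump prints them.

```python
"""Pair TCP probes with their replies and infer port state the way nmap does.

Added example; SAMPLE_PACKETS is constructed, not a real trace."""

PROBE_TYPES = {
    frozenset("S"):   "SYN (-sS or -sT)",
    frozenset():      "NULL (-sN)",
    frozenset("F"):   "FIN (-sF)",
    frozenset("FPU"): "Xmas (-sX)",
}


def probe_type(flags):
    return PROBE_TYPES.get(frozenset(flags), "other")


def infer_state(probe_flags, reply_flags):
    """Apply the RFC 793 rules nmap relies on.

    SYN probe:           SYN/ACK -> open, RST -> closed, no reply -> filtered
    NULL/FIN/Xmas probe: RST -> closed; no reply -> open|filtered, because a
                         conformant stack silently drops such a segment on an
                         open port (stacks that RST everything, e.g. Windows,
                         make every port look closed to these scans)
    """
    kind = probe_type(probe_flags)
    if kind == "other":
        return "unknown"
    if reply_flags is None:
        return "filtered" if kind.startswith("SYN") else "open|filtered"
    if "R" in reply_flags:
        return "closed"
    if kind.startswith("SYN") and "S" in reply_flags and "A" in reply_flags:
        return "open"
    return "unknown"


def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


SCANNER, TARGET = "192.168.1.102", "192.168.1.105"
SAMPLE_PACKETS = [
    # -sT: full handshake, then the scanner closes the connection
    pkt(SCANNER, 40001, TARGET, 80, "S"), pkt(TARGET, 80, SCANNER, 40001, "SA"),
    pkt(SCANNER, 40001, TARGET, 80, "A"), pkt(SCANNER, 40001, TARGET, 80, "RA"),
    # -sS: scanner tears the embryonic connection down with RST (half-open)
    pkt(SCANNER, 40002, TARGET, 80, "S"), pkt(TARGET, 80, SCANNER, 40002, "SA"),
    pkt(SCANNER, 40002, TARGET, 80, "R"),
    # -sN and -sX against an open port: no reply at all
    pkt(SCANNER, 40003, TARGET, 80, ""),
    pkt(SCANNER, 40004, TARGET, 80, "FPU"),
    # -sF against a closed port: the stack answers with RST/ACK
    pkt(SCANNER, 40005, TARGET, 81, "F"), pkt(TARGET, 81, SCANNER, 40005, "RA"),
]


def scan_summary(packets, scanner):
    """Group packets into (target, target_port, scanner_port) flows and
    describe each probe: type, inferred state, and how the handshake ended."""
    flows = {}
    for p in packets:
        key = ((p["dst"], p["dport"], p["sport"]) if p["src"] == scanner
               else (p["src"], p["sport"], p["dport"]))
        flows.setdefault(key, []).append(p)
    summary = {}
    for key, pkts in flows.items():
        probe = pkts[0]
        if probe["src"] != scanner:
            continue                     # the scanner did not start this flow
        target = key[0]
        replies = [q["flags"] for q in pkts[1:] if q["src"] == target]
        follow_ups = [q["flags"] for q in pkts[1:] if q["src"] == scanner]
        first_reply = replies[0] if replies else None
        handshake = "n/a"
        if first_reply and "S" in first_reply:
            if any("A" in f and "R" not in f for f in follow_ups):
                handshake = "completed (connect scan; the application sees and can log it)"
            elif any("R" in f for f in follow_ups):
                handshake = "aborted with RST (half-open SYN scan; only the SYN is visible)"
        summary[key] = {"probe": probe_type(probe["flags"]),
                        "state": infer_state(probe["flags"], first_reply),
                        "handshake": handshake}
    return summary


if __name__ == "__main__":
    for (target, port, sport), info in sorted(scan_summary(SAMPLE_PACKETS, SCANNER).items()):
        print("%s:%d sport %d  %-18s %-14s %s" % (
            target, port, sport, info["probe"], info["state"], info["handshake"]))
```

The "no reply" case is why the NULL, Xmas and FIN runs above took so long: the classifier can only say open|filtered for those flows, and nmap has to wait out its retransmission timer before it can say the same.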
[::. September 19, 2003, 8:03 pm .::]
I have always appreciated the beauty of technology, especially when you use it beyond its boundaries. Take the HTTP protocol. If you look at an HTTP trace sniffed by tcpdump, it is in plain text. With an understanding of networks and security, you can take advantage of HTTP and use it as a transport for other TCP protocols. The only reason you would do this is to reach your Unix-like OS at home from your office when the corporate network only allows access through a proxy. Shoot!!!! :(
I have tested this type of access via the Squid proxy server, another open-source proxy server. FYI, the process I am referring to here is called Network Access Control System bypassing. WARNING: please do not try this if you don't want to lose your job!!! :)
RECIPE(s): http-tunnel and an open-source Unix-like box such as FreeBSD, OpenBSD or Linux. This link shows the usage of the tool and also gives the exact commands that you can mimic for your own testing.
How it works: the client end on your office machine wraps your SSH (or other TCP) session in HTTP and sends it through the proxy to the server end on your home box, which unwraps it and hands it to the real service. Depending on the tool, the wrapping is either an HTTP CONNECT request (which Squid's default configuration only permits to the SSL_ports ACL, i.e. port 443, so the home side usually has to listen on 443) or a steady stream of ordinary GET/POST requests to a web server you run at home. Both leave traces in the proxy's access.log, which is where the proxy admin will look: CONNECT sessions that stay open for hours or move tens of megabytes, CONNECT requests to ports other than 443, or hundreds of POSTs from one client to one external host.
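The proxy admin's side of this, as an added example that is not part of the post: a scan of a Squid access.log in its native format (time, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, MIME type) that flags the tunnel patterns just described. The log lines, thresholds and addresses below are constructed (documentation IP ranges), not taken from a real proxy.

```python
"""Spot HTTP-tunnel traffic in a Squid access.log (native log format).

Added example; SAMPLE_LOG is constructed and the thresholds are assumptions."""
import re
from collections import Counter

# native Squid format: time elapsed client result/status bytes method URL user hier/peer mime
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<mime>\S+)\s*$")

SAMPLE_LOG = """\
1064000100.512    2310 10.0.0.5 TCP_TUNNEL/200 15210 CONNECT www.example.com:443 - DIRECT/203.0.113.34 -
1064000300.333      45 10.0.0.5 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/203.0.113.34 text/html
1064000200.001     120 10.0.0.9 TCP_DENIED/403 1450 CONNECT home.example.org:22 - HIER_NONE/- text/html
1064010900.004 10800000 10.0.0.7 TCP_TUNNEL/200 125829120 CONNECT home.example.org:443 - DIRECT/198.51.100.23 -
1064000400.100      90 10.0.0.11 TCP_MISS/200 312 POST http://home.example.org/cgi-bin/tunnel - DIRECT/198.51.100.23 application/octet-stream
1064000401.100      88 10.0.0.11 TCP_MISS/200 298 POST http://home.example.org/cgi-bin/tunnel - DIRECT/198.51.100.23 application/octet-stream
1064000402.100      91 10.0.0.11 TCP_MISS/200 305 POST http://home.example.org/cgi-bin/tunnel - DIRECT/198.51.100.23 application/octet-stream
"""


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["elapsed"], rec["bytes"] = float(rec["ts"]), int(rec["elapsed"]), int(rec["bytes"])
    return rec


def connect_target(url):
    """'host:port' as logged for CONNECT -> (host, port or None)."""
    host, _, port = url.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def url_host(url):
    """Host part of an absolute URL as logged for GET/POST."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/", 1)[0].split(":", 1)[0]


def find_tunnels(lines, max_seconds=600, max_bytes=10_000_000, allowed_ports=(443,), max_posts=50):
    """Return [(client, target, [reasons])] for entries that look like tunnels.

    CONNECT checks: port outside allowed_ports, lifetime over max_seconds,
    more than max_bytes through the tunnel, or a bare IP as the target.
    POST check: max_posts or more POSTs from one client to one host, which is
    what a tool that wraps a TCP session in HTTP requests looks like.
    """
    findings = []
    posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT":
            host, port = connect_target(rec["url"])
            reasons = []
            if port not in allowed_ports:
                reasons.append("CONNECT to port %s" % port)
            if rec["elapsed"] > max_seconds * 1000:
                reasons.append("tunnel open for %d s" % (rec["elapsed"] // 1000))
            if rec["bytes"] > max_bytes:
                reasons.append("%d bytes through tunnel" % rec["bytes"])
            if re.match(r"^\d+\.\d+\.\d+\.\d+$", host):
                reasons.append("CONNECT to a bare IP address")
            if reasons:
                findings.append((rec["client"], rec["url"], reasons))
        elif rec["method"] == "POST":
            posts[(rec["client"], url_host(rec["url"]))] += 1
    for (client, host), n in sorted(posts.items()):
        if n >= max_posts:
            findings.append((client, host, ["%d POSTs to one host" % n]))
    return findings


if __name__ == "__main__":
    for client, target, reasons in find_tunnels(SAMPLE_LOG.splitlines(), max_posts=3):
        print(client, target, "; ".join(reasons))
```

Squid logs a CONNECT entry when the tunnel closes, so the elapsed field is the tunnel's whole lifetime; a denied CONNECT (TCP_DENIED/403, as on the port 22 line) is still worth reporting because it shows who tried.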
[::. August 25, 2003, 1:33 am .::]
Just want to share the parameters I used to configure PHP, which enable GD support for graphing, MSSQL support for Microsoft SQL Server connectivity via FreeTDS, and support for other graphic file formats such as PNG and JPEG. I was tasked to develop another network application which will use the NetIQ database. The NetIQ application is a very cool product, but there are features our manager was looking for which he couldn't find in it.
So I decided to write a PHP application that connects to the NetIQ DB, calculates the throughput and response time of every record retrieved from the DB, and finally graphs the data points.
Anyway, here is the product of my craftsmanship.
[::. August 22, 2003, 8:56 pm.::]
Yo! I'm just ecstatic at being able to put my server back up and running. Look at that, it was almost a month of struggle with no fast internet access. I was very patient with my NetZero and AOL connections. And the worst thing about it is that I forgot that SBC charges local tolls. But anyway, Fox Valley Internet got me hooked up via their wireless presence using Canopy, Motorola's new technology. I was really impressed when I tested my bandwidth at 2wire. Here is the result. Here is another result from a test conducted at dslreports.
Have phun!!!
[::. July 15, 2003 .::]
Hey guys, just want to give you a heads-up about this website. I will be taking my web server down temporarily on July 26, 2003. I will be moving to a house I bought and hopefully, on July 28, DSL will be installed. I will do my best to bring the server back up and running as soon as possible.
That's it. So July 26, 2003 is the big day.
[::. Jun 7, 2003 .::]
Lately, I've been receiving a lot of spam and infected attachments in email. So I decided to reconfigure my qmail server with virus and spam filtering. I was faced with a big problem: I couldn't find the /usr/local/src/qmail directory anymore. This folder contained a lot of patches which I applied two years ago. I still tried to make it work, but the system never cooperated. The reason I wanted to keep this production qmail is that I have tons of email addresses related to security, firewalls, hacking and so on.
So I was stuck! Fortunately, Postfix was there to the rescue. Postfix works perfectly with Amavis, Razor and SpamAssassin. Then I had another issue: any SMTP service by default will listen on port 25. The fix I did was to modify qmail to listen on a different port, in my case 11125, and have Postfix relay to that port. Here is my /services/smtp/run. I wanted Postfix to receive all incoming mail from the internet, pass it through the filters, and, if it is clean, forward it to qmail on 127.0.0.1 port 11125. Make sure the qmail-smtpd on 11125 is bound to 127.0.0.1 only (the host argument to tcpserver in the run script) or is blocked at the firewall; otherwise anyone on the internet can hand mail to qmail directly and skip the filters.
So how did I tell Postfix that if mail is clean, deliver it to qmail? Postfix's transport_maps is here again to the rescue. Below is the line you need in the transport map (/etc/postfix/transport) to relay mail for the domain to the other SMTP server; after editing it, run postmap /etc/postfix/transport and make sure main.cf has transport_maps = hash:/etc/postfix/transport.
restricted.dyndns.org smtp:[127.0.0.1]:11125
And also, here is a sketch of the process.
[::. Feb 19, 2003 .::]
Here is a snippet of the code I wrote to help me analyse our company's network traffic generated by 20 different types of transactions. It is currently being used in our production environment.
The rough flow of the process is: (a) WebLogic boxes create logs with information such as the time in milliseconds the application took to finish the transaction, the timestamp, the transaction type, the server IP address, etc.; (b) Perl code which uses Oracle DBI to insert the WebLogic log data into the Oracle server; (c) PHP code which pulls the information from the Oracle DB and creates a graph from the recordset returned by Oracle. Click here to display a live output of my code.
It then calculates the average round trip of every transaction based on the sampling rate I specify. After it has calculated the average time for one day, it generates a graph. It displays the average milliseconds per number of transactions.
[::. Dec 31, 2002 .::]
I was trying to find a way to block Kazaa. I do use Kazaa, but it was nice studying how Kazaa tries to find a control connection. You will be amazed when you see this netstat output.
I modified my firewall rules so that they only allow certain destination ports for outgoing traffic. I only allowed ports 21, 22, 23, 25, 80, 443, 5100, 5050, 5999 and 6659 >< 6671 (pf's exclusive range operator, so 6660 to 6670). From the output, we saw how the Kazaa client was trying to connect to different IPs and different destination ports. You Haxors!!! You rock!!! :)
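A way to turn that netstat output into a list of egress violations, as an added example that is not part of the post: it parses netstat -n lines (BSD host.port form, with Linux host:port handled too), ignores listeners and LAN-to-LAN traffic, and reports every outbound connection to a port outside the allowlist above. The netstat lines are constructed, with the destination in the documentation address ranges; 1214 was the port the Kazaa network used by default.

```python
"""Check netstat output against an egress allowlist.

Added example, not from the post.  SAMPLE_NETSTAT is constructed; the port
list is the post's, with pf's 'port 6659 >< 6671' meaning 6660-6670."""

ALLOWED_PORTS = {21, 22, 23, 25, 80, 443, 5050, 5100, 5999}
ALLOWED_RANGES = [(6660, 6670)]

SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.102.1045     203.0.113.7.1214       SYN_SENT
tcp4       0      0  192.168.1.102.1046     203.0.113.8.3531       SYN_SENT
tcp4       0      0  192.168.1.102.1047     198.51.100.2.80        ESTABLISHED
tcp4       0      0  192.168.1.102.1048     198.51.100.9.6667      ESTABLISHED
tcp4       0      0  192.168.1.102.22       192.168.1.105.49152    ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
"""


def parse_endpoint(text):
    """'192.168.1.102.1045' or '192.168.1.102:1045' -> (host, port); '*.*' -> ('*', None)."""
    sep = ":" if ":" in text else "."
    host, _, port = text.rpartition(sep)
    return host, (int(port) if port.isdigit() else None)


def port_allowed(port, ports=ALLOWED_PORTS, ranges=ALLOWED_RANGES):
    return port in ports or any(lo <= port <= hi for lo, hi in ranges)


def egress_violations(netstat_lines, local_prefix="192.168.1."):
    """Return (local_ip, remote_ip, remote_port, state) for every TCP connection
    from the LAN to an outside host on a port the firewall should not allow."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local_ip, _ = parse_endpoint(fields[3])
        remote_ip, remote_port = parse_endpoint(fields[4])
        if remote_port is None or not local_ip.startswith(local_prefix):
            continue                     # listeners, or not one of our hosts
        if remote_ip.startswith(local_prefix):
            continue                     # LAN-to-LAN traffic is not egress
        if not port_allowed(remote_port):
            hits.append((local_ip, remote_ip, remote_port, fields[5]))
    return hits


if __name__ == "__main__":
    for local_ip, remote_ip, port, state in egress_violations(SAMPLE_NETSTAT.splitlines()):
        print("%s -> %s:%d (%s)" % (local_ip, remote_ip, port, state))
```

The SYN_SENT state on the two flagged lines is what a client looks like when the packet filter is dropping its SYNs. Port-based egress filtering only slows such clients down, though: most peer-to-peer software falls back to port 80 or 443 when its own ports are blocked, so a filter that allows those ports unconditionally still lets it out.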
[::. Dec 19, 2002 .::]
I've been very quiet lately. Anyway, to fill the void in my room, I decided to study how FTP works in both PORT (active) and PASV (passive) mode. You are better off studying RFC 959. This tutorial is for those people who love seeing numbers, flags, TCP three-way handshakes and TCP sessions instead of high-level commands like GET, MGET or LS in ftp.
I will only include captured packets here. From the two examples of captured packets, you will understand how FTP works and you will be able to figure out how to tweak/fix your firewall rules. In active mode the client sends PORT h1,h2,h3,h4,p1,p2 and the server connects back from its port 20 to the client's port p1*256+p2, so the client-side firewall has to allow that inbound connection (or track the control channel with a stateful FTP helper). In passive mode the server's 227 reply names an address and port on the server and the client connects to it, so it is the server-side firewall that has to allow the inbound data port range. Click here for active FTP and here for passive FTP.
BONUS: 192.168.1.105 is the FTP server and 192.168.1.102 is the FTP client. Useless TUTORIAL huh!!! ;>
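The arithmetic above done over a control-channel trace, as an added example that is not part of the post: it decodes PORT commands and 227 replies and lists the data connections a packet filter would have to permit, in which direction. It also flags a PORT command whose address is not the client's own, which is the classic FTP bounce (asking the server to open a data connection to a third host), and a 227 reply whose address is not the server's, which usually means the server sits behind NAT and announced its private address. The trace below is constructed, using the post's addresses (server 192.168.1.105, client 192.168.1.102).

```python
"""Derive FTP data connections from the control channel (RFC 959 PORT / 227).

Added example; SAMPLE_TRACE is constructed, not a real capture."""
import re

SIX_NUMBERS = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2), rejecting values over 255."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("host/port octets out of range")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_port_command(line):
    """'PORT 192,168,1,102,4,1' -> ('192.168.1.102', 1025)"""
    m = re.match(r"^PORT\s+" + SIX_NUMBERS + r"\s*$", line.strip(), re.I)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return decode_hostport(m.groups())


def parse_pasv_reply(line):
    """'227 Entering Passive Mode (192,168,1,105,195,80)' -> ('192.168.1.105', 50000)"""
    m = re.match(r"^227\b.*?" + SIX_NUMBERS, line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return decode_hostport(m.groups())


SAMPLE_TRACE = [                       # ('C' = client, 'S' = server)
    ("C", "USER anonymous"),
    ("S", "331 Guest login ok, send your email address as password."),
    ("C", "PASS guest@"),
    ("S", "230 Guest login ok, access restrictions apply."),
    ("C", "PORT 192,168,1,102,4,1"),   # active: server will connect to client:1025
    ("S", "200 PORT command successful."),
    ("C", "LIST"),
    ("S", "150 Opening ASCII mode data connection for '/bin/ls'."),
    ("S", "226 Transfer complete."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,168,1,105,195,80)"),   # client -> server:50000
    ("C", "RETR README"),
    ("S", "150 Opening BINARY mode data connection for 'README' (1234 bytes)."),
    ("S", "226 Transfer complete."),
    ("C", "PORT 10,0,0,1,0,25"),       # bounce attempt: data connection to a third host, port 25
    ("S", "500 Illegal PORT command."),
]


def data_connections(trace, client_ip, server_ip):
    """Walk ('C'|'S', line) pairs and list the data connections they imply,
    with the direction the packet filter must allow.  address_mismatch is
    set when the announced address is not the peer's own: for PORT that is
    the FTP bounce attack, for 227 usually a server behind NAT."""
    conns = []
    for side, line in trace:
        if side == "C" and line.upper().startswith("PORT "):
            ip, port = parse_port_command(line)
            conns.append({"mode": "active", "src": server_ip, "sport": 20,
                          "dst": ip, "dport": port,
                          "allow": "inbound on the client side: %s:20 -> %s:%d" % (server_ip, ip, port),
                          "address_mismatch": ip != client_ip})
        elif side == "S" and line.startswith("227"):
            ip, port = parse_pasv_reply(line)
            conns.append({"mode": "passive", "src": client_ip, "sport": "ephemeral",
                          "dst": ip, "dport": port,
                          "allow": "inbound on the server side: %s -> %s:%d" % (client_ip, ip, port),
                          "address_mismatch": ip != server_ip})
    return conns


if __name__ == "__main__":
    for c in data_connections(SAMPLE_TRACE, "192.168.1.102", "192.168.1.105"):
        print(c["mode"], c["allow"], "MISMATCH" if c["address_mismatch"] else "")
```

A firewall that has to open ports from this information without a stateful FTP helper ends up allowing the whole passive port range inbound on the server side, which is why locking the server's passive range down to a small, explicit set of ports is worth the configuration effort.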
[::. Nov 11, 2002 .::]
I just finished building a new firewall. I am now running an Invisible Firewall (IF), that is, a transparent bridging firewall that filters traffic without being an IP hop, using PF (Packet Filter) plus bridging on OpenBSD. So now, here is how my home network is configured:
INTERNET -> mycablemodem -> PF IF bridge -> PF NAT -> MyPrivNET
Related links that I used as reference:
The OpenBSD Packet Filter HOWTO
Creating a Combined Ethernet/Wireless Firewall
Guide to Building an OpenBSD PPPoE Gateway, with Firewall
OpenBSD firewall using pf
Building a Firewall with OpenBSD 3.0
How-To Harden OpenBSD Using Packet Filter
Using OpenBSD 3.0 As A Firewall/Gateway for Home DSL or Cable
Transparent Packet Filtering with OpenBSD
OpenBSD Bridging Firewall Configuration
... archived