Learn from Mistakes

That’s what people always say when someone fails.
In my case, I still can’t learn from my mistake.
I still don’t understand why I failed.
I still can’t accept the fact that I failed.

In the D-day, I walked to Cisco office from my hotel around 7.30. The lab itself started around 8.15.

My first problem: the pre-configuration of my equipment was wrong. The IP addressing was completely different between what’s written in my questions and what’s already configured by Cisco. I spoke to the Proctor and he told me he would fix it in no time.

While waiting, I spent my time to read the whole questions. I was really happy. Because I have done all what the questions asked in my home lab. I told my self I would pass today. I have done everything in my lab. Nothing new in the questions. I have done them all, and I have tested them.

After 30 minutes, my Proctor told me he has fixed the pre-configuration. He mentioned that he would give me 15 minutes extra time to compensate the time that I lost. I didn’t say anything. I told myself, who need 7 hours and 45 minutes anyway?
I would complete the lab before 2 pm.

And I did. I completed all my labs before 2 pm. I spent the rest of the time to re-check my configuration. Three times.
In the question, sometime Cisco provides you command output or screenshot of what you should achieve with your configuration.
I did them all.
My command output and my screenshot were exactly the same with them.

After the time’s over, I came to my proctor and asked him to grade my lab directly. He told me he’s not the one who would grade my lab.
I was really disappointed.
I told him, during the exam I discussed a lot of thing with him, explain to him why I configured something with certain way. But if someone else will grade my work, then he would not have any clues about this discussion.
One example, I told him that I found a bug in ISDN with 12.15T software code. I can’t answer the question because there is a bug, not because of my configuration. I can discuss this issue with my proctor. But the other proctor who will grade me would not know this. If he just checked my configuration and it didn’t work, he would think that my answer is wrong.
My proctor told me, don’t worry about that. Cisco has already noticed about that bug.

But I assume they didn’t.
At least this is what’s shown from my Lab report the next day.
I lost 50% points in ISDN.
As expected, I got 100% points for Switching, IGP, BGP, AAA and IDS sections. But I don’t get full points for PIX Firewall and VPN. I can’t believe it. Especially for my VPN. I'm really confident with VPN. During the exam, I completed VPN configuration only in few minutes. And I tested them several times.
What can be wrong?
I got very low score in Network Attack, and IOS features.
I can’t believe my eyes.
I may not be able to get 100% in those sections, but how come it’s really low?

My proctor told me in the exam, as long as your output is exactly the same, as long as you can answer all the requirements without violating the obvious rules, then you will get the point. But did the other proctor who graded my work have the same concept with this?

I’m not looking for an excuse.
CCIE is about 1 or 0: You pass or you fail.
But my question is, why did I fail?
If I can achieve all the requirements that they asked me in the question, why didn’t they give me points?

It’s really frustrating. It’s really frustrating because I don’t know what is my mistake.

That’s the email I sent to Cisco. I told them I have done everything asked in the questions in my lab. I have done them all. I have tested them all.
If it’s wrong, it means something completely wrong with my concept.
And that makes me feel really bad.

No more posting until I find out the reasons.

7

Seven deadly sins. Seven ways to die.

No, this post is not about that seven. This is about seven days left for me before my CCIE Security lab attempt in Brussels.
I have only seven more days to practice.
I have only seven more days to clear all my doubts.
I have only seven more days to test all Cisco security technologies listed in the blueprint.

During this period, I'm trying to practice my speed.
Any technology section in the lab blueprint has to be done in 5 minutes. BGP through PIX in 5 minutes, IGP authentication and redistribution in 5 minutes, LAN to LAN IPSec in 5 minutes and so on.
The basic idea is simple: if I'm fast enough to complete the "obvious" tasks in the lab, I will have time to find the answer for the "hidden" tasks.

Other than speed, I have been trying to work on the accuracy to answer the requirements in each task.
There is no other way other than read the sample configuration in Cisco website, check the documentation CD, understand the technology and all posibilities can be asked from it, and test it in my home lab.
Fast typing is not enough, I need to know how to answer correctly.
Configuring the device is not enough, I need to know exactly why I configure the device that way.

God is on my side. I have 2 days off from work due to the national day in this country, and my boss has agreed to let me take vacation until I come back from Brussels.
Speaking about my boss, we have an agreement that I should spend one day from this seven days to hang out with my family. Completely one day. Only then he would let me get my vacation.

As part of the agreement, I will go out with my family this Thursday.
Which is today. Which is in the next few hours, since now it’s almost 2 am local time.
Hey, the agreement only mentions that I should go out with my family. Nobody said to enjoy and have fun, right?

I'll do my best, boss. Even it’s going to be difficult especially with routing protocol running inside DMVPN and atomic signature in IDS that always give me some problems.
Well, I may need to encrypt the path between my apartment to the shopping center, and allow only my wife and my kid to pass through using ESP-3DES and Diffie-Hellman group 2.

Seven days.
I will find out whether I'm just an ordinary guy with a big mouth,
or someone who can really accomplish something,
in seven days.

Thirteen

..13 days before CCIE Lab

Progress according to dotproject: 83.7%
Hours spent in the lab: 597
New technical skill gain: 134%
Lab blueprint has been covered: 92%
Confidence Level: 85%
Physical health: 72%
Non-technical preparation: 98%
Mariagge life happiness: medium

Social life: none

Legend

If you make yourself more than just a man, if you devote yourself to an ideal, then you become something else entirely. A legend.
Are you ready to begin?

--Batman Begins

The Invitation Letter

T Minus 40

Only 40 days left.
I have prepared myself over the past several months in order to join the Club of 600. I sleep 4 hours at night and spend more time with my lab instead with my family.
I have all material available in the market for CCIE security: 6colabs, hello computer, ipexpert, ccbootcamp, internetwork expert, bhaiji’s book, and trinetnt.
I have done most of them, and thanks to my 4 years experience with Cisco security products I can say that I’m very comfortable with CCIE lab blueprint now.

But I’m still not fast enough.

Not fast enough to type, to think, to answer, and to find the solution.
Fast typing is not enough, you need to be able to think fast too.
You need to know how to answer since all questions in CCIE are not straight forward.
And if you haven’t heard about it, Cisco considers you as an expert not only because you can provide solution, but to know where to find the solution as well.

This is where the online documentation CD becomes handy. I use the search feature by typing the following keyword to find Cisco specific features or configuration example, while making sure all the results are still within the scope of the documentation CD: +univercd
Documentation CD is available online and accessible through Web browser, but if you don’t put that keyword in your search, you may get the results from Cisco normal website and not from the documentation CD website (anything after /univercd)
And this is forbidden in the real lab.

Regarding my Visa to enter Pegassus Park, Cisco first sent me wrong invitation letter so I could submit my visa application to Netherlands Consulate on last Wednesday only after they sent the correct letter. I have the flight and hotel reservation already, so Schengen visa is the only non-technical thing left.

One more thing, 2 days ago my wife, my daughter and I made a vote related to what is the best way for me to study. And the result is: 66.6% agreed to kick me out from the bed room. They said the sound of my typing starts killing them and affecting their dream.
So start from yesterday I have to sit in the dining room where I put all my Cisco equipments. It’s noisy, cold and dark since I’m trying to keep the room temperature at 20 degree.
Well it’s going to be hard 40 days for sure.

Practice, practice, practice.

That’s the only way to pass CCIE lab.
That’s the only way to achieve your immortality.

My Home Lab

Place where I spend most of my time.

dotProject for CCIE

I'm not an organized person. It's very easy for me to mix things and end up being confused because I've never kept the track of myself.
For that reason I have been trying to do some improvement, for example by writing a blog. Well I'm not a good blogger as you can see from number of posts I made within the last several months. But hey, something is better than nothing, right?

For my CCIE journey, I decided to use project management tool called dotProject.
It's an open source web-based tool and I think it's really cool. Just take a look at the screenshot:

I have been trying to put everything I have done and what I'm going to do during my journey.
Don't expect me to explain how to install dotProject, just RTFM!

If you look closer, you can see that I have been busy to get my lab from eBay on June. On the last week of June I passed my written test, a test that must be taken before you can register to CCIE lab. I started practicing Cisco security technology in my lab on July. But from August to mid-September there is a gap, no activities recorded in dotProject.
What's happened?

Well, I spent my time during that period to learn MPLS and Quality of Services. I even passed Cisco CCIP certification. Why did I skip my original plan and learned somehing else?
Because it's fun. What else?

From mid-September I have returned back on track.
Since I don't have much time left before my first attempt (the schedule is still not fixed, I'm still waiting for my Visa to go to Brussel) I have to study even more.
I have only 24 hours a day and I have my family too.
So the only way to get close to the target "500 hours hands-on lab" is:
by sacrificing my sleeping time.

My daily schedule, until I pass the exam:

06:30 Wake up, read some news on the Internet
07:00 Take my daughter to school
07:30 Sit and have discussion with my wife
08:00 Go to office
13:00 Lunch break, go home
13:30 Short nap
14:00 Back to office
17:00 Go home, family time
(if my family still take nap, I take my 2nd nap with them)
21:30 Wait until everybody's sleeping
22:00 Start my lab
03:00 (sometime more) Stop geeking out, go to bed
06:30 Wake up, back to the schedule for next day

During the weekend: Go to sleep as much as I can, go out with my family, go home and back to lab

Being a CCIE is not easy

Being a CCIE means...
- You have to carry a very high expectation on your shoulder just because 'E' stands for Expert
- You pass CCIE in Routing & Switching but people expect you to know everything from cabling, wireless, ip telephony, optical, MPLS, security, QOS, etc
- You may have a cool job title but you still have to mount devices, doing project, presales, giving training, troubleshoot, consulting regardless of your title
- People think you get very high $$ salary
- You become the last resort of troubleshooting, when everybody give up they give the console to you
- You open a case with Cisco TAC asking for help, just to find out the engineer assigned to your case knows the problem less than you
- You order a CCIE shirt from Cisco and the shipping cost is !@#$%^&*) more expensive than the shirt itself
- When you complete a marvelous task, they say: "well you are a CCIE, it should be easy for you" and when you don't perform well they say: "how come CCIE can't do this simple task?"
- You try to explain the problem to non-technical boss and he says
"man, stop nagging!"

Club of 600

It's been a while since my last post.
During the past couple of weeks I have taken a big decision to become a multiple CCIEs.
What the heck is multiple CCIEs?
If you don't know what CCIE is, click here.
It's the highest certification from Cisco Systems.
You have to take written exam and 8-hours lab to get it.

I'm a CCIE.
I have some other certifications too, but CCIE is the toughest.
It's been 4 years since I passed the exam in Tokyo, Japan.
Today I'm full of dust.. old and rusty.
Since I love to being on the edge, I have to get new challenges everytime.

When I took the exam, there were only around 7,000 CCIEs in the world.
As per June 1, 2005 there are 12,212 total of wolrdwide CCIEs.
This is the number of people like me who pass 1 CCIE lab exam.
In the same link you can see the most interesting part, at least for me:

"Many CCIEs have gone on to pass the certification exams in additional tracks, becoming a multiple CCIE. Below are selected statistics on CCIEs who are certified in more than one track.
Total with multiple certifications worldwide: 600"

Club of 600 experts! How cool is that?
Okay, I know it's going to cost me $$$, my social life, and a lot of time to pass. Just like what happened 4 years ago.
But that's the beauty of CCIE.
And I'm ready.
Will keep you guys updated.

Sguil on Gentoo

Finally, I can manage to install Sguil on Gentoo.From its website:
"Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides realtime events from snort/barnyard. It also includes other components which facilitate the practice of Network Security Monitoring and event driven analysis of IDS alerts."

Basically, Sguil has 4 components:
- sensor, running snort IDS and using Barnyard to send the alert to database
- database, running mysql as central repository of all the alerts
- sguil server, connecting the client to sensors and as front-end interface for any SQL queries to database
- sguil client, graphical front end interface for users which is very cool and can be used to chat within users as well!

Sguil now is considered the best monitoring tool for snort IDS. ACID is the alternative but it can't provide "real-time" alert as Sguil does, since ACID use web-based interface that needs to be refreshed all the time.



I won't write the step-by-step installation here, because the documentation is very clear.
I recommend to follow the instruction from Richard Bejtlijh in here.
The documentation is focused on the installation under freebsd. For Gentoo users, if you can't find the required packages in "emerge -s", then you have to download from the source.
Btw, my sguild is still not running TLS since I haven't yet found the tcltls source code.

For window$ client, follow the instruction how to install the client in here.
For Mac OS client:
- install X11
- install Tcl/Tk Agua
- download sguil client

If you don't modify the sguil.conf file, you will be connected to demo sguil server. Use 'sguil' for both username and password.
If you have setup your own server, just modify the "set SERVERHOST" parameter in the sguil.conf file.

Enjoy.

Google Hacking

I got the book couple of weeks ago and almost finished reading it.
I'm not a good book reviewer, so I can say only one thing:
just buy this book!
If you think you have known enough about google, just because you have been using it for years, read the book and think again.
Still not convinced? Go to the author site and check the forum.
Hope you are scared enough just like I am ;)

Mac Mini is Not Mini

Yes!
After waiting for couple of months, finally I got my Mac Mini!
The configuration is 1.42 GHz, 80 GB harddrive, combo CD-RW/DVD, airport extreme and bluetooth. All together comes with around $870.
I know it's more expensive than the list price in Apple site, but hei, I don't live in US!

First impression: the box is so cute.
It looks really small in the picture, and it is really small.
The size is almost the same with my first external CD writer.

Switched it on, Apple logo appears, spent some time to fill the registration and username, and get fully functional OS X panther.
Performance: acceptable. It's definitely not mini.
I didn't upgrade the memory so it's still 256 MB. But it's enough for home user applications.
The best part from Mac Mini: it's so cute and very quite.

The first thing I did, obviously, was installing Firefox.
Then enabled SSH, Apple file sharing, firewall, and started transferring my music collection to it.
The purpose is clear: to make it as entertainment center.

Unfortunately my kid and my wife love it too and decided not to allow me to do funny staff on it.
My Mac Mini now is under their custody.
Well, I have to wait until they get bored.
But at least I'm glad they don't have to deal with Window$ ever again.

Thank you Steve Jobs, to make all of this possible.

Stuck in a Moment

Busy, busy, busy.
What a lame excuse.
But I don't have a better excuse for not updating my blog.
My new boss is here, so I have to work a bit harder to show him my existence.
I have been busy with some network and security monitoring stuff.
Don't worry, they will be published here once they are ready.

And other thing that cursed my time is my wireless course.
I conducted wireless network crash course last week called:
The Invisible Network Revealed.
The title is cool, but the course was not that cool.
I had a problem with both my Powerbook and IBM T42.
They betrayed me during the d-day.
My powerbook refused to connect to the Infocus projector.
And my IBM T42 self-destructed its hard drive when I tried to connect it to the same projector.
I did the course eventually even I felt that it was awful.

Anyway, busy time doesn't always mean no fun.
I was having a good time in the middle of desert, watching the RF signal flies:



The power of 20 dBi Yagi antenna is in my hand!

I have so many things to upload to this site.
But I believe it's gonna take a while.
Keep in touch.

My Immortality is Powered by Amy Lee

Now playing: Evanescence, anywhere but home.

WRT54G Story Continues

Yesterday I bought another WRT54G from local store. After heavy bargaining and bluffing, I got it for $78. Now that I have 2 WRTs, I can put one at home for normal AP and one inside my car for “anything else”. Nice plan, huh?

From the outside box, there is no different between the new WRT and the one that I purchased couple of months ago. But after I removed it out from the box and read the version number on the back, it’s written “WRT54G v2.2”. My first WRT is v2.0.
I checked the box again and there is nothing at all that can give me a clue about the version of the device inside. Only I notice WRT54G v2.2 has serial number started from CDF7xxx while v2.0 has serial number CDF5xxx. But I’m not 100% sure.

Anyway, from our best friend Google I found out that there are currently 4 versions of WRT54G in the market:
v1.0, v1.1, v2.0 and v2.2.
Read the nice presentation from Neal Dudley here. It contains the pictures of all versions of WRT54G from external and internal view.

According to Simon in Linksysinfo forum, until now only the latest HyperWRT firmware and official firmware from Linksys can be used to flash v2.2. From somewhere I read that v2.2 actually uses the same Broadcom chipset, but now the LAN ports controller is part of the chipset.
Quick check from cpuinfo output confirms that both 2.0 and 2.2 versions are using the same chipset:
(none):[~]# cat /proc/cpuinfo
system type : Broadcom BCM947XX
processor : 0
cpu model : BCM3302 V0.7
BogoMIPS : 199.47

So now I’m stuck with WRT54G v2.2 and I can’t use my favorite Sveasoft Satori to flash the router. Should I use the new WRT as normal AP and the previous 2.0 as my mobile scanner? Well, I don’t like to spend 78 bucks only to get normal AP, so I downloaded the latest HyperWRT firmware and upgraded my new router.
Everything looks good. Now I have the option to increase the transmit power to 84 mW and I like the idea to put “reboot” button on the web interface. However, SSH is not available by default, only telnet. The good thing about HyperWRT is it has an option to modify the startup script. I put telnet command and “route add default gw 10.1.1.1” in startup script to make sure both will be available even I reboot the router. I don’t understand why there is no option to put default gateway for LAN interface on the web interface, even though I can achieve the same thing by putting the mentioned route command in startup script.

How about Kismet? Well, since there is no SSH, I have to run wget to get the kismet drone binary and config files. It consumes more effort since now I have to setup a web server with all the files. Sure it’s a linux system, honey. So I should be able to install any packages, right? The problem is the file system of HyperWRT is mounted as read only. We can write new files in /tmp directory only. And as you may guest, all these new files will go away once we reboot the router.

So I decide to try with “unofficial” Sveasoft Alchemy firmware which can be downloaded from freeWRT site. Hey listen, I don’t mind to pay $20 annually but I can’t pay with Paypal. I have sent Sveasoft support an email and requested to let me pay through other way.

The reason why I love Sveasoft software is because they build feature-rich firmware. I’m using Alchemy 6 Mod v16 and I can see there is an option to mount SMB file system. I haven’t tried to mount any drives yet but I believe it rocks!!!

How about the performance? I see that I can boost the power to 251 mW. Hmm, doesn’t it sound so tendentious?
So I run netstumbler to verify. I put one Linksys in Channel 1 and the other in Channel 11. WRT54G v2.0 running Satori is on channel 1 with 28 mW Xmit power and the result can be seen below:



As we can see, the performance is constant in one point. Then I compare with WRT54G v2.2 running Alchemy on channel 11 with maximum 251 mW:



Well, the picture has spoken. The performance of Alchemy is not as stable as Satori. And even when I use WRT v2.2 Alchemy as normal AP, my laptop got disconnected several times.

I need to run more test to double check. But I believe I have already made my mind: Satori will stay at home and Alchemy will get the honour to be in my car. Unless it’s proven that I can’t use Alchemy to even run stable Kismet off course.

Is it true that we can use only HyperWRT and Sveasoft Alchemy for WRT54G v2.2? Some people say even you don’t turn the router into blue colored brick, there is a chance to lose the LAN ports if the firmware we use is not compatible with the new LAN controller chipset. Then you can re-flash the firmware only from the wireless network.

I would like to try it by myself, but not tonight.
OpenBSD Layer 2 bridging firewall has been waiting.
If you like to read the e-mail from Sveasoft to Google regarding the copyright violation by FreeWRT site, please check out this link. For me, I prefer to subscribe and get the firmware officially.
The decision is yours.

Kismet on WRT54G the Easiest Way

Linksys WRT54G is awesome.
It's an ADSL wireless router with linux-based software inside, licensed under GPL.
The price is reasonable, Amazon sells it for $60. I got mine from local store for about $80. The only drawback with WRT is it's not compatible with ADSL service offered by the only ISP in this country, Etisalat. But you know what? It means your chance to bargain the price is even better!
The most interesting feature from WRT is you can replace the software with third party firmware. Hey, it means we void the warranty! This is acceptable in the world where the only way to find the truth is by hacking. Suck the knowledge by testing and trying. Fill the brain with the answers of uncertainty.

Anyway, today we are going to make Linksys WRT54G as wireless IDS. This ADSL router will become the sensor or drone for famous wireless tool Kismet. As per its website, Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and infering the presence of nonbeaconing networks via data traffic.

There are several people that already have mentioned how we can run Kismet on WRT. From Rasmus’ Toys Page, RenderLab, Kismet forum, to Netstumbler discussion forum.
Just remember the following:
- WRT54G is only the drone, the sensor that collects wireless information. We need another computer or notebook running kismet server. Please don't run Micro$oft Window$ even it's possible, and we need to have SSH/SCP client as well
- When running kismet in WRT, we can’t use it as wireless access point at the same time
- All kismet files that we copy to WRT are kept temporarily in /tmp directory, and it will be flushed every time we reboot the device
- By doing this hack, there is a chance to ruin the router, screw the software and turn the device into blue colored brick, nice dual-antenna decoration for your living room … hmm, it’s worth $60, isn’t it?

Now, let's our adventure begins!
1. Read this blog until you understand what you are going to do.
2. If you are new to kismet, try to install it in your notebook and play around a bit to get familiar with the interface and configuration file.
3. Get the third party firmware. I’m using Sveasoft Satori-4.0 version firmware, so if you guys want to follow my steps, download it from Linksysinfo site. You must register but it’s free anyway. Btw, this is the last free version available from Sveasoft. To get the new version (alchemy) you need to donate $20 to them. But hey, $20 is nothing for cool firmware they produce. Unfortunately I can't subscribe since UAE is not in paypal country list.
4. Connect to WRT with your browser. Default IP address is 192.168.1.1, so type http://192.168.1.1 in your browser and put “admin” in password when prompted. You may change the IP address or your password as you wish. My WRT is using 10.1.1.10 IP address.
5. Replace linksys original software by going to Administration, Firmware Upgrade. Click browse and find the firmware, then push upgrade. If you are a religious man, start praying. Hopefully everything fine and you can complete the upgrade.
6. The router will reboot automatically and when it comes back you should see Satori-4.0 in Firmware Version.
7. Now go to Administration, Management and enable SSH.
8. We need to put our public key in Authorized Keys column. Assuming you are using Linux or *BSD with OpenSSH client in your notebook, generate the public-private key pairs:
[root@immortal ~]# ssh-keygen –t rsa

9. Grab the content of your public key from .ssh/id_rsa.pub file, and paste it in WRT's Authorized Keys.
10. Now you can SSH from your notebook to the router without putting any password.
11. Download the pre-compiled kismet drone binary from here. It’s bz2 file so you can decompress it using bz2 –d option, then untar the file by using tar –xvf option to get kismet folder.
12. Kismet folder contains /etc and /bin folder. We need to edit kismet_drone.conf file. In my case, for example, I modified the network in allowed host from default 192.168.0.0/16 to 10.0.0.0/8 network. Kismet server can connect to the drone from anywhere, as long as it still in “allowed host” scope. Btw, if you don’t know the meaning of /16 or /8, RTFM!
I assume my WRT54G is v2, since I don’t need to modify the source in kismet drone configuration file: source=wrt54g,eth1,wrt54g
13. Now we can upload the whole kismet folder to our WRT using scp:
[root@immortal ~]#scp –r kismet root@10.1.1.10:/tmp/kismet

Don’t forget to change the IP address according to your router address.
14. SSH to your WRT, and run the kismet drone:
(none):[~]# /tmp/kismet/bin/kismet_drone
Suid priv-dropping disabled. This may not be secure.
No specific sources given to be enabled, all will be enabled.
Enabling channel hopping.
Disabling channel splitting.
Source 0 (wrt54g): Enabling monitor mode for wrt54g source interface eth1 channel 6...
Source 0 (wrt54g): Opening wrt54g source interface eth1...
Kismet Drone 2004.04.devel_nikki_2004.05.23 (Kismet)
Listening on port 3501 (protocol 8).
Allowing connections from 10.0.0.0/255.0.0.0
WARNING: Setting driver in STA mode to enable channel hopping

Yes, it’s on, baby! Kismet drone is running and ready to accept the connection from kismet server on port 3501.
15. You need to run kismet server in your notebook. If you haven’t installed it, do so by compiling from source or type “emerge kismet” for Gentoo users.
We have to modify the kismet configuration file, /etc/kismet.conf by default, to use kismet drone as source:
source=kismet_drone,10.1.1.10:3501,drone

If you like kismet server to drop the privilege to normal user, put the username in suiduser configuration: suiduser=himawan

16. Change your working directory to any directory where the user that you specified in suiduser can write the kismet log files, then start kismet as root:
[root@immortal tmp]# kismet

If everything’s ok, you should get the kismet panel interface just like below:



Well, it’s not difficult, isn’t it?
Just remember, every time you reboot WRT, you have to upload the kismet directory again using SCP.

Now what?
To make WRT54G running as real IDS, we have to analyze the log files in kismet server. Kismet will dump the wireless traffic its captured to Kismet-date.dump file. Then we can read the file using tcpdump –r option or ethereal. Or maybe test the traffic against snort rules?
I’ll check this later on. Now what I have in my mind is to use this router to do …
WARDRIVING!

Use Firefox

Take back the web!

eBay is Bliss

Isn't it?
Perhaps, if you live in US.
I have been using eBay for couple of years.
I bought things from notebook, wireless card, PDA, sun workstation, and even baseball shirt.
If you look at the price, it's very easy to get temped to buy.
To bid. To snip the bid. Watch all the suckers lose the auction only in the last minute.

But the problem for me is: I live in middle east.
I bought an item for $10 and the seller asked $35 for the shipping cost.
One shirt for only $25 but $60 for delivery charge.
The other day, one seller sent me the wrong item.
Or even broken item. (maybe it was broken when the seller shipped it?)
And yeah right, they said I can get refund by filling the form from my post office. But first I had to take the picture, downloaded the insurance form, filled the complaint. Sent everything to the seller, and got replied that there would be another form I had to download from USPS office and filled.
And then? No more news. No more reply from the seller.

So should I still use eBay to buy something?
You bet, I will. I can live with the risk.
That's what make the effort worth even more.
Hello power sellers, I'm looking for Sony Aibo ERS-7 !

PIX Firewall-ing (Part 3)

To allow people from the Internet to connect to the servers located inside our internal network, we need to do 3 steps:
1. Create a static translation between one public IP address to the real IP address of our servers
2. Create an access control list to allow access to the server public IP address
3. Apply the access list on the interface

Suppose we have a web server with real IP address 192.168.1.5. This server will be translated to public IP address 1.1.1.5.
First, we have to create static translation with static command:
pixfirewall(config)#static (inside,outside) 1.1.1.5 192.168.1.5

The format of the command is: static (higher security interface,lower security interface) public_IP_address internal_IP_address
To verify the translation is correct we can use 'show xlate' command:
pixfirewall(config)#show xlate
Global 1.1.1.5 Local 192.168.1.5

Now we need to create access control list. Access control list is a rule set for any traffic allowed or not allowed to particular destination. PIX uses 'default deny' concept, it means it you don't permit it explicitly in the rule set, the traffic will be denied.
The format is: access-list name_of_the_ruleset permit/deny protocol source destination eq ports. Protocol can be TCP, UDP, ICMP or even IP protocol such as ESP etc. If we don't specify any ports, it means we allow any ports for that protocol.
In this case, we want to allow access to our web server from anywhere on the Internet with destination port is port 80 or HTTP.
pixfirewall(config)#access-list externalrule permit tcp any host 192.168.1.5 eq 80

Remember, the destination IP address is the public IP of the web server, and not the real IP. Suppose we have 1 network 192.168.1.0/24 full of web servers (what kind of network is that?) and we want to allow anyone to connect to those all servers using HTTP:
pixfirewall(config)#access-list externalrule permit tcp any 192.168.1.0 255.255.255.0 eq 80

To apply the access-list on the interface, type the following:
pixfirewall(config)#access-group externalrule in interface outside

Until PIX OS 6.2, the access list can have only one direction, “in” means traffic flowing into interface outside from Internet. Consider yourself as firewall, you have one interface called outside, and any traffic coming to you from that interface will be inspected using access list named externalrule.

Ok, so now Internal network can go to the Internet and people from the Internet can connect to our web server using HTTP protocol.
What's next?
Let's put the name for the firewall:
pixfirewall(config)#hostname kungfuzen
kungfuzen(config)#

We need to put the password to connect to PIX remotely and enable the password to switch from user mode to privilege mode:
kungfuzen(config)#passwd password_for_telnet_or_ssh
kungfuzen(config)#enable password password_to_switch_to_priv_mode

PIX can be managed remotely by telnet or SSH from trusted interface. PIX can be managed only by SSH from outside interface. To enable SSH, we need to specify the domain name and generate key first:
kungfuzen(config)#domain-name pixsucks.com
kungfuzen(config)#ca generate rsa key 2048
For >= 1024, key generation could
take up to several minutes. Please wait.

Where 2048 is the key modules size. Save the key with following command:
kungfuzen(config)#ca save all

Then specify from where you can connect to PIX
kungfuzen(config)#ssh 0.0.0.0 0.0.0.0 inside
kungfuzen(config)#ssh 1.1.1.1 255.255.255.255 outside

PIX uses SSH version 1 and user name 'pix' so to connect from SSH client in *nix from inside, use this command:
[user@unix ~]$ ssh -l pix -c DES 192.168.1.1
pix@192.168.1.1's password:

Use the password as what we set with 'passwd' command. You will get the user mode prompt. Switch to privilege mode by typing 'enable' and put the password as what we specify using 'enable password'.

I think this will be the end of my PIX Firewall tutorial. There are so many features left in PIX that you can explore by yourself: application inspection using fixup, HTTP authentication, VPN, IDS feature, turbo access list. flood guard, failover etc. This link will take you to Cisco documentation for Cisco PIX 6.3.
Come on, you guys are grown-up, so I don't think I need to explain all Cisco PIX commands here. Just RTFM and use '?” anytime you are in doubt. Cisco website and google are your friends. Try all 'show' commands to check the status or the configuration.

In case this firewall doesn't belong to you, just erase the configuration completely by typing:
kungfuzen#write erase

Reboot the PIX, and.. voila! Back to factory default.
Now, put firewall back inside the box, wrap it, sell it in eBay or deliver the box to the real owner. As you wish. Good day.

I'm in love

Today I'm in love.
Not to any female students in the University where I spend most of my time (have I mentioned that one of my biggest customers is American University? And my company signed the contract with them to put me dedicatedly as a network and security consultant).
I'm not falling in love to any secretaries in my office either.
But to OpenBSD. I'm in love with OpenBSD.
It's funny since I have been with OpenBSD from version 3.2. But I have never been using it for something useful other than as firewall to protect my home lab or PC labs in my office. Curse me!

Have you ever seen the movie where two best friends fall in love after several years of their friendship? They didn't have the feeling before, until one incident happened and clicked their mind?

It happened to me too. Couple of days ago I re-arranged my book shelf and found the Absolute OpenBSD book from Michael Lucas. I started reading the book and some strange feeling came to me. My hand was shaking, my heartbeat became faster and faster, I could hardly breathe... The book is so good and made it really hard for me to stop reading. OpenBSD rocks! How come I have just realized that OpenBSD is so beautiful after being with it for almost 2 years?
Easy to install yet provide minimum and secure default packages, BSD airtool for wireless auditing, BSD ports mechanism, scrubbing and bandwidth management, and nice T-shirts for only $20!
So since yesterday, I started installing this OS in several PCs. One will be my next NTP server, one will be my Squid server, and one installation in Sun hardware for testing. And btw, finally I received my Acer TravelMate notebook that I gave to my company for repair. It took them almost 2 months to fix it. Well the problem was only with the charger but with free repair cost I should not complaint, should I?

Now I'm trying to install Gentoo and OpenBSD in that notebook. I have finished the BSD part, and now waiting for my Gentoo stage 1 installation to build my base system. The objective is clear: dual-boot notebook with wireless tools in both OS.

Gento... is just like my first wife. And OpenBSD, is just like another girl I have a crush with after having couple of years marriage.
Thanks to you, Michael.

Hey, this post should be about configuring Cisco PIX Firewall.
The part where I should explain how people can connect to internal servers from the Internet. Well, after completing 3 blogs, several installation of OpenBSD, and about 9 hours Lord of The Rings DVDs non-stop, looks like the next thing I need to do is to hit my bed.
Until our next meeting...

PIX Firewall-ing (Part 2)

Now to configure PIX we need to go to configuration mode. Type 'enable' from user mode prompt to get privilege mode prompt (#).
pixfirewall>enable
pixfirewall#

In privilege mode, we still can't modify the configuration but we can upgrade the software, reload, and run some debug for troubleshooting. Since this is a new firewall, there is no password to switch from user mode to privilege mode.

Now let's go to configuration mode, by typing 'configure terminal'
pixfirewall#conf t
pixfirewall(config)#

In PIX, you don't have to type the complete command. As long as the word we type is unique pointing to only one command, PIX will accept the command.
Firewall_name(config)# is global configuration mode prompt where normally in Cisco IOS we can configure only parameters that affect the device globally. For example, in Cisco router, in global mode we configure the name of the device. And to configure the IP address for one interface, you must go to that interface configuration mode and get the router(config-if)# prompt.
But this is not the case with PIX, global config mode is the only mode available to configure the firewall.

By default the interfaces are disable, so let's enable them:
pixfirewall(config)#interface ethernet0 auto
pixfirewall(config)#interface ethernet1 auto

Auto means the interface will negotiate the hardware speed automatically with the hub/switch where it's connected to.

Let's give the IP address to the interface, accordingly to the external network and internal network, using interface alias name:
pixfirewall(config)#ip address outside 1.1.1.2 255.255.255.0
pixfirewall(config)#ip address inside 192.168.1.1 255.255.255.0

All hosts in internal network need to use PIX inside interface IP address as default gateway. PIX itself needs to know its default gateway to send the traffic to external network or Internet, so let's specify the gateway (for example, Internet router ethernet IP address):
pixfirewall(config)#route outside 0.0.0.0 0.0.0.0 1.1.1.1

Now, unless we are freaks who have enough public IP for Internal network, I assume we use private IP so we need to NAT them to be able to go to the Internet.pixfirewall(config)#nat (inside) 1 0 0
pixfirewall(config)#global (outside) 1 1.1.1.3

How to read 'nat' command: any network behind interface inside (0 0 means 0.0.0.0 0.0.0.0) will be translated based on rule number '1' in any interfaces set with 'global'
How to read 'global' command: in interface outside, set translation rule number '1' so any network NAT-ed with this rule will be translated as 1.1.1.3 IP address.

We can also use PIX firewall outside interface IP address as translation IP.
pixfirewall(config)#global (outside) 1 interface

It means: inside network (in this case 192.168.1.0/24) will be translated to interface outside IP address (1.1.1.2) when they try to go to the Internet.
We can also use range of public IP address to translate internal network:
pixfirewall(config)#global (outside) 1 1.1.1.10-1.1.1.20

You know what?
That's the only configuration you need to connect your internal network to the Internet. Just try to connect one PC on internal network, give IP address and default gateway accordingly, and this PC should be able to go to the Internet. Obviously you need to have Internet line and proper DNS setting but I won't discuss it because you are so lame if you don't know this!

With this minimal configuration, your internal network should be able to go to the Internet without any restriction and from the Internet no one should be able to connect to you.

Don't forget to save the configuration to make sure it will be available even if we reboot the firewall, by typing 'write memory' or 'wr m' for short:
pixfirewall#wr m

You can save the configuration from global mode or privilege mode, but not from user mode (> prompt). By the way, to go back to privilege mode from global mode just type 'exit'. To go back to user mode from privilege mode, type 'disable' since typing 'exit' from privilege mode will log you out from PIX.

As summary, 6 steps you need to do to be able to connect your internal network to the Internet and protected by PIX firewall:
1. Enable the interfaces
2. Give IP address for all interfaces
3. Put default route to outside network, pointing to Internet router ethernet interface for example
4. Put NAT in interface inside with translation rule number
5. Put Global in interface outside matching the translation rule number and the public IP address, can use PIX outside interface IP address or range public IP address
6. Save the configuration

How about if we want people from the Internet connect to our servers inside the Internal network?

(To be continued in part 3)

PIX Firewall-ing (Part 1)

Cisco PIX Firewall is one of the best commercial firewall in the world. Pay attention to the word 'commercial'. I'm not comparing this expensive appliance with my love PF or even IP Tables, those two are free and powerful too! But like it or not, in the world where companies trust branded products and vendors, Cisco PIX really kicks in the firewall market.

Being an appliance means PIX has its own underlying operating system. And this is one of its advantage. Close-source is an evil, but for PIX it means no service running as default. And less people know about the PIX underlying OS means script kiddies with full of exploits for multi-purpose OS need to work hard to find specific exploit for PIX.
It doesn't mean PIX doesn't have any vulnerabilities. On November 2002, for example, Cisco announced the vulnerability in ISAKMP and HTTP authentication. Not running default services doesn't mean you don't want to enable them for your requirement, right?

Anyway, I'm not here to curse PIX. I'm a CCIE, remember? And I make money by selling Cisco products.
Today I'm going to explain how to make PIX firewall up and running in few minutes. But before we start, there are some concepts need to be noted:

PIX firewall is a stateful firewall, it means PIX tracks the TCP and UDP conversation. Different with PF where we have to put 'keep state' keyword, PIX does this automatically without additional configuration.

PIX distinguishes its interfaces by putting parameter called security levels.
For example, in PIX 506E with two interfaces, by default it has already put the alias name for those interfaces as 'outside' and 'inside'. As per their name, outside interface should be used to connect to outside the internal network (for example Internet), and inside interface should be connected to internal network we want to protect.

Interface outside has security level 0 (lowest trusted) and interface inside has security level 100 (highest trusted).
Traffic coming from the network connected to interface with higher security level can flow without any restrictions to the network connected to interface with lower security level. In contrary, traffic coming from the network connected to interface with lower security level, can't flow to the network connected to interface with higher security level, unless we permit it explicitly using Access Control List.
Using default configuration, internal network should be able to go to outside network or Internet, and traffic from outside network or Internet should not be able to go into the internal network unless we explicitly put the access control list.
If PIX has more than 2 interfaces, the other interfaces can have security level between 0 to 100, and the same rule implies.

Enough talking, let's configure one Cisco PIX506E. This is one of the cheapest Cisco PIX firewall available that can have only 2 interfaces maximum. You need to get Cisco PIX for sure. I'm not interested to hear from where you get it, just open it from the box and switch it on.

After we boot our brand new PIX, we'll end up with “(firewall_name)>” prompt. This is what Cisco called as user mode prompt. The command we can execute is limited, just type “?” to see available commands.

(By the way, I assume you guys a bit familiar with basic Cisco command and OS. To connect to brand new Cisco devices without configuration, you must use cisco console cable, roll-over cable with serial port in one end and RJ45 normal ethernet plug on the other end. So connect the serial port to your PC com port, and the RJ45 port to 'console' port in Cisco. Then use serial console terminal such as Hyper Terminal in Window$, or minicom, tip, zmodem etc in *nix. Just remember to set the speed to 9600.)

The first thing we need to do is checking the hardware capabilities using “show version” command.
pixfirewall>show version

From show version output, we can get following information:
- PIX OS Version number
- PIX Device Manager (Web based administration tool) version number
- System uptime
- Hardware information such as CPU and flash drive size... see, PIX 506 is only a crap Pentium II 300 Mhz and 32 Mb RAM. So much for a thousand bucks, huh?
- Number of interfaces and interfaces name
- Licensed feature such as failover, encryption for VPN (DES/3DES), how many maximum interfaces total we can have
- Serial number, needed to generate Activation key
- Running activation key
- Last modified configuration, when and by whom

Remember, PIX is commercial product that works on license, so if you don't see any feature you need (such as 3DES or failover), then you need to buy upgrade license and generate new activation key using the serial number of the firewall.

(To be continued in part 2)

Find Me

N25o18.744' E55o29.792'

I'm not a coder

I'm not special
I'm ordinary
I'm mediocre
I can talk only baby perl
My scripting sucks
I don't speak C fluently
I'm not an expert
I'm not a coder

Which OS?

I used to have about 10 computers at home. It was combination between 2 Pentium 4 machine, 3 Intel notebooks, 1 Sun Cobalt, 1 Ultra 5, 1 AMD Duron machine, 1 Powerbook G4 and 1 Pentium II box.
Well, I'm not trying to show off here, and anyway I have removed most of them. Currently I have 'only' IBM T42 notebook, 1 P4 machine, Powerbook G4, Sun Blade 100 and the Pentium II box.

Why should I have more than 1 machine?
Because I used to search for immortality, hunted down the uncertainty, tried to stay at bleeding-edge technology by installing several OS in different machines and test them.

And what's the conclusion?
For normal desktop, office work and multimedia, I believe Mac OS X is the best. Panther has very beautiful aqua interface and at the same time offers BSD console, so it won't stop me installing tcpdump, snort, hping and all tools I need to run everytime I get bored.
My powerbook stays as the multimedia center until I get the cute-looking MAC mini.
So this is the OS that I would give to my wife and kid. Beauty and virus-free.

For security stuff, including wireless, I decided to install Gentoo dual-boot with WinXP in my IBM. Hey, the XP comes with my T42, so I keep them to make sure I get the OS that I (must) purchased with the notebook. Micro$oft still gets my money anyway, so why should I throw their OS away?
And most of my customers are still running Windows, so I still need this OS to check particular client software or for WPA configuration testing, for example.
I made 2G FAT partition so I can share the files between OS. Yes, guys, I know that the current kernel even can support read-write NTFS partition. Just as precautions.

Gentoo is good to make me stay at bleeding-edge. I have two main purposes with Gentoo: penetration testing tools (including wireless wardriving stuff) and intrusion detection analysis. Later when my skill is appropriate I want to use it as forensic as well.
Meanwhile I keep my Blade running Snort IDS to monitor my small network and at the same time acts as a place to compile necessary testing exploits.

How about *BSD? Well, I use OpenBSD as firewall to protect my personal lab. I love PF very much and this powerful OS can live in my Pentium II machine. Try to run XP on that machine!

Personally I love Debian as well. I have been using Woody and one of Sarge-based distro, Xandros, for about a year without any complaints. I like knoppix-std too. Live CD is a good concept to distribute security tools knowledge without installing the OS.
My brain is limited, so I have to focus. I decided to stick with Gentoo. Especially since Gentoo allows me to build the system (almost) from scratch. Btw, I have tried Linux From Scratch as well :)

Is it enough? Unfortunately no.
Corporate customers still stick with big name and stable vendors. Here comes Sun Solaris and Red Hat Enterprise Linux. That's why I still have one machine running Fedora and currently downloading Sun Solaris 10 iso CDs. Sight...

But that's the beauty of life. Everything is so different. Diversity.
And one thing for sure: open-source is bliss.

About Certifications

Anyone who knows me always asks the same questions: why do you have so many certifications? aren't you tired to study all the time? do you think it's worth the effort and time you spent?

Well, I don't have exactly the answer.. I have so many certifications because they help me learning something new, yes I'm tired to study all the time but this is the life I chose and I believe all my certifications are worth my effort since they made me what I am today.
But to explain more, I need to reveal one little secret of me:
I don't have any background in computer field.
I don't have any computer science degree.
My university degree is .. Mechanical Engineering!
I know it's not uncommon. Many people who work in Information Technology come from different background.

So, considering my situation 6 years ago. I graduated from Mechanical Engineering, but I have a passion to work in Internet Security. At that time I knew only a bit system administration tasks in RedHat Linux.
To learn more about computer at that time I decided to pursue MCSE Windows NT Server.
I was amazed with domain concept, client - server relationship, trusting domain, DNS and all the things I learned in my quick-and-cheap 12 days MCSE class.
I started taking the exam: MCP Win NT server, NT workstation, Networking essential...
Until one shinny Sunday morning when two of my friends visited me and discussed about new networking class from Cisco named CCNA. I was really interested so I decided to dump MCSE and take the CCNA class.
It was 10 magic days for me. I learned routing, switching, frame-relay and all CCNA stuff. By the end of the training, I took the exam and became the first attendant of the class who passed.

Well, life was becoming easier after I passed CCNA (hey, remember it was early 2000!). One multi-national oil company offered me my first job in IT. This is the same company who refused my application when I applied as a Mechanical Engineer 6 months before!
I spent my 3 months probation period by finishing the second Cisco certification step: CCNP. Hex, this company has more than 150 routers running EIGRP, BGP, Frame-Relay, ISDN. All that I needed to pass my CCNP. After 9 months in the company, I had already possessed CCNP, CCDP and CCIE qualification test. All without any trainings from the company. Only by reading the material and practice.

Still don't believe certifications can help for your future? Continue reading..

One day a technical manager from IBM Global Services came to me and offered me a job. He promised that IBM would send me to CCIE Lab anywhere in the world in any cost as long as I can pass my CCIE in maximum 2 attempts. But if I failed, they would kick me out. Well, sounds like very interesting offer to me. So I join them immediately.

IBM is the best place to work. The working culture is excellent, people are really polite, and Human Resource personnels are helpful. As promised, IBM sent me to CCIE Lab with first class flight. I passed my CCIE Lab in Tokyo, Japan. It was my second attempt. My first attempt was in Brussels, Belgium, where there I failed in my second day. At that time CCIE was still 2-days lab exam.

So, I was a CCIE already and I worked in the best place to work. What else?
Well, I realized at that time my interest is still Internet Security. So I decided to learn about firewall. And what is the easy way to learn and making money at the same time? Take Checkpoint CCSE certification. The exam made me study about firewall and security concept. At the same time I helped my company since we sold Checkpoint Firewall products, and being certified guaranteed our services to the customers.

After CCIE, life was completely different. I used to receive job offer every several days. Eight months after I passed my CCIE, I decided to leave IBM and move to one IT company in Middle East. The job is challenging; they have completely different culture and at the same time the region is willing to grow to catch the technology. Cisco is the main player in Networking, Security, Wireless and IP Telephony.
So to secure my job and learn more into security I took Cisco security CCSP certification.
Up to that moment, I realized that I have to focus on the field that I really interested in. I learned deeper about Unix by taking Sun certifications, understood more about wireless security using Planet3 CWSP, took Ethical Hacker to learn tools for penetration testing, learned how to design and assess perimeter network using SANS Institute GCFW, and the latest certification I took was (ISC)2 CISSP to learn about security management and stuff.

As consultant who deals with corporate customers, I can see that it's easier to convince them with all those certification titles behind my name. Well definitely this is only one of the reason. Nothing can beat real experience, good personality and friendly approach.

So... as summary, IT professional certifications are good for me for following reasons:
1. Learn new stuff
2. Secure the job, and to get better job :)
3. To measure how deep I have learned about something

I know most people can survive without certifications. But hey, this is the easiest way.. don't you think so?

Gentoo Sex

While bootsrapping my blade, I found an article how to fly with gentoo.

The article is good, but it's the quote in the end that killing me:
gentoo sex is updatedb; locate; talk; date; cd; strip; look; touch; finger; unzip; uptime; gawk; head; emerge --oneshot condom; mount; fsck; gasp; more; yes; yes; yes; more; umount; emerge -C condom; make clean; sleep

Heheh, I'm still trying to imagine the act.. drrrrrrrrrr!

Gentoo, everyone...?

I used to be a Red Hat user.
It all started when I was still in my university.
I had a hardcore-linux friend who taught me there is another OS than Micro$oft Window$.
Thanks to him, I spent my 50 bucks monthly living cost to purchase "Red Hat 4.2 Unleashed" book. Hey, back there in my country 50 bucks is more than enough for a student to live and still have fun.

Anyway, since few months ago I have decided to move to Gentoo.
Red Hat is no longer exist, leave its users like me with no choice: migrate to Fedora, or join Enterprise territory.
I choose to abandon them completely. No offense to community who shed their blood to continue developing Fedora, but the idea to provide free software at the beginning then start charging after people get used to it doesn't make sense to me at all.

So here I am now, staring at two monitors: 21-inch HP P1110 connected to Sun Blade 100, and 14-inch IBM T42 LCD display.
I'm doing Stage 1 installation on my Sun, and emerge -u world on my IBM. I keep the Window$ XP and IBM partition on my T42 though, just in case.

Some people say Gentoo is difficult to install. Well, I guess they are wrong. Gentoo community has put a lot of effort to make Gentoo Installation Handbook. Use it. RTFM. Google is your friend.

This is not my first installation. Perhaps, my 7th..or 8th? Gentoo power lies on its Portage. Once I get the system up and running, I don't need to worry about how to install new packages or upgrade my system. Just type the magic word: emerge.
Curious? Read the Gentoo Portage Introduction.
So what are you waiting for? Go to www.gentoo.org now and start reading the story of Larry the Cow. Enjoy.

0-day

Hi, my name is Himawan.
I'm not an expert. Not yet.
I'm just another guy working in networking and security field in UAE.
It's a small country in middle east.
Google keyword: burj al arab.

During my experience working in IT field, I have possessed several professional certifications:
Cisco CCIE (#8171), CISSP, SANS GCFW, Planet3 CWSP, Cisco CCSP, EC-Council CEH, Sun SCSA/SCNA, and Checkpoint CCSE.
But none of those certifications is important.
I'm just a student. And my subject is the Internet.
And I have to keep learning...