Sunday, August 11, 2013

Network & Network Security Quickpost - Last call NFAT edition

I just couldn’t wrap up the weekend without sharing these links. I’m so going to be nodding off in my training class tomorrow. Must bring Thermos of extra coffee with me! Don’t want to make the teacher unhappy!

So many network tools, tricks, and nuggets came out last week I’m still exciting thinking about how to use them all!

Security Advisory: Two Vulnerabilities in NetworkMiner - NETRESEC Blog - Don’t let the boring post title fool you! Based on this, Erik Hjelmvik has released a new version of NetworkMiner! Now sparkling at version 1.5 (free/pro editions)

NetworkMiner packet analyzer - Download NetworkMiner version 1.5 (free) here.

While I was doing some super-fast (but apparently productive) beta testing for Erik on some Windows 7 and Windows 8/8.1 systems, I noticed I wasn’t getting great results from my test captures made with and being processed in NetworkMiner. My “doh”. Erik kindly reminded me of his post NETRESEC RawCap - A raw socket sniffer for Windows where he pointed out that using Windows raw socket sniffing has some problems. I had forgotten I didn’t yet install Wireshark/WinPcap on these particular test systems. From Erick’s post:

Microsoft's newer operating systems (later than WinXP) have limitations associated with raw socket sniffing of external interfaces, i.e. everything that isn't localhost. Known limitations in Windows Vista and Win7 are:

  • Windows 7 - Can't capture incoming packets
  • Windows Vista - Can't capture outgoing packets
Due to these limitations in the raw sockets implementations of Microsoft's current operating systems we suggest running RawCap on Windows XP if you need to capture from external interfaces.

Baselining Dropbox With Wireshark (by Tony Fortunato) - LoveMyTool blog video presentation.

Editing Tracefiles With TraceWrangler (by Tony Fortunato) - LoveMyTool blog video presentation. This short video presentation on a new (Alpha release) tool, TraceWranger blew me away. There are methods of sanitizing trace files for sharing/training but they are fraught with challenges for mere mortals. This new tool is amazing and I really hope the developer Jasper Bongertz gets the support needed to encourage his continued refinement and development of this valuable tool for analysts.

Nmap - Now at version 6.40 - Free Security Scanner For Network Exploration & Security Audits.

Message Analyzer Beta3 Refresh has Been Released (Build 6215) - MessageAnalyzer - Lost in all the news was a quiet announcement of the next generation of Microsoft’s own network traffic analysis tool MessageAnalyzer getting a Beta 3 refresh release. The interface is very different (to me) from Wireshark, but since I used NetMon a ton to supplement my Wireshark work, it is taking some getting used to.

HolisticInfoSec: toolsmith: C3CM Part 1 – Nfsight with Nfdump and Nfsen - HolisticInfoSec blog - Russ McRee’s post rocks on so many levels. Well worth the read and review.

Firefox Developer Tool Features for Firefox 23 - Mozilla Hacks – the Web developer blog. In case you missed it, Firefox 23 was released last week. Included in it (besides the new app icon update) was a new network tool called “Network Monitor.” 

I so love this! “F12” is the new “must know” hotkey in these modern browsers!

If only Mozilla (or Chrome or IE 10) were “approved” web-browsers in our enterprise. This feature alone would so help with network and web-app diagnostics and troubleshooting from the end-user desktops.

What’s that you say? One single element of your cloud-based web-application seems to time out in IE 8, crashing your session? The network is fine, site bandwidth is fine. Your PC is fine. Seems like it could be a server-side application issue. Let me make a ticket for your issue and send it up. (Response often comes back, “There is no problem…must be a client-side issue…check the PC and bandwidth, follow our response template and let us know…”) (Sigh…)

Turns out Chrome web browser can do this trick as well

Turns out that Internet Explorer (IE9, IE10, IE11) also have a “F12” feature for network analysis in the browser.

And in IE11, it’s about to bring the house down on the competition!

Debugging and Tuning Web Sites and Apps with F12 Developer Tools in IE11- IEBlog. OMG!!! I am so crushing on the new “F12” profiling and responsiveness tool interface in IE 11! Please tell me this is going to be backwards compatible with Win 7. (Why yes, Virginia, it is…)


Anyway, back to more Firefox 23 release news and details.

Troubleshooting TCP/IP Connectivity Issues with This Command-Line Utility Portqry.exe - Next of Windows. Been using portqry.exe from the command line along with the PortQueryUI GUI fro some time. Dead helpful in a pinch!

PuTTY: a free telnet/ssh client - just released at version beta 0.63 for you console fans! See the extensive Changes page for all the details

KiTTY - let’s not forget about this fork version of PuTTY that has some additional bells-and-whistles!

  • News - latest KiTTY news is update minor update in late May 2013.
  • Recent changes - tracking site-changes at KiTTY’s house
  • KiTTY Portable - why “yes” there is a build version as well for KiTTY fans.

Finally, at home I run Mozilla Firefox, Portable Edition and Google Chrome Portable rather than installing them directly on my system. However I was trying to use some of NirSoft’s Browser Tools to explore and check my Google Chrome(ium) cache and wasn’t finding anything at all.

Strange.  Bug in the tool?

Turns out the answer was “of course not dummy” it’s the dummy’s bug.

Where is the Google Chrome Portable cache folder? - Bruce Pascoe kindly puts it like this:

Chrome Portable, like FFP, doesn't save the cache by default.

Note that unlike Firefox however, there's no way to turn the cache off completely in Chrome, so while it's running the cache is stored in the local temp directory (%TEMP%), but then it's immediately deleted when you exit Chrome.

So anyway, yeah, no surprise that you couldn't find it.

and cleared up a bit by “The MAZZTer”

The cache folder is saved in %TEMP%\GoogleChromePortable.

Where the %TEMP% is the user’s temporary file location under their profile.


This is interesting as it explains why the NirSoft tool ChromeCacheView wasn’t finding anything while pointing to the default user profile location in my Portable Apps application structure that ChromeHistoryView didn’t seem to have any issue with parsing. So even though the files were removed when the program terminated, it most likely did not “secure” delete them, so (depending on overwrite activity of the file system/free-space scrubber utilities) it might be possible to carve and recover them from a system that the portable-apps version of Chrome was used on. And that sounds like a challenge for another day…


--Claus Valca

1 comment:

Chump2010 said...

Opera has it too. Its part of Opera Dragonfly...this is Opera 12 and previous ones. The latest one (15) is still just a chrome clone at the moment as they add in more features.