Disassembling network traffic into asm instructions v0.3.0

The freshly released version of haka (v0.3.0) features a new module that disassembles network data into instructions. This is useful, for instance, to detect obfuscated shellcode at the network level, as suggested in [raid05]. The disassembler leverages the Capstone engine, which supports several architectures (x86, arm, mips, etc.).

Here we will try to answer question 8 of a well-known network forensics challenge. The challenge provides a pcap and asks to dump the shellcode used to exploit a vulnerability, then to list the actions performed by that shellcode.

  1. [raid05] Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic Worm Detection Using Structural Information of Executables. In: Recent Advances in Intrusion Detection, pp. 207-226 (2005)

Visualizing alerts using kibana and elasticsearch v0.2.1

As you may already have noticed, haka 0.2.1 features new modules for exporting data to an elasticsearch server. We leveraged these modules in the Hakabana package to monitor network data (protocols, flows, geoip info, etc.) in real time through a kibana dashboard.

Version 0.2.1 also introduces an elasticsearch alerting module that inserts haka alerts into an elasticsearch server. In the following, we present the main steps to visualize these alerts using a kibana dashboard.


Haka meets Kibana - Hakabana

We are pleased to announce the release of new haka packages:

  • Haka 0.2.1: Haka is an open source security-oriented language that allows you to describe network protocols and apply security policies to (live) captured traffic. This new version features new modules that export network events, such as protocol details and haka alerts, to an elasticsearch server.

  • Hakabana 0.2.1: Hakabana is a monitoring tool that leverages the newly added modules to extract various information about the network (bandwidth, geoip data, http and dns details) and makes it available through a kibana dashboard. Hakabana is easy to customize, so you can export your own data (e.g. write a new dissector and expose some of its fields).

RMLL — Material

First of all, we want to thank all RMLL organizers and especially the chairs of the security track: Christophe Brocas and Mathieu Blanc. You did a great job.

If you have missed our presentation, we made the slides available here.

Finally, for those who want to (re)play the workshop, we provide an ISO image here. It's a Debian image that ships with up-to-date haka binaries. When you launch the virtual machine, you will find shortcuts on the desktop for the workshop along with the full haka documentation. Happy diving into Haka!

RMLL 2014

The 15th Libre Software Meeting will be held July 5-11. We will be happy to meet you at RMLL 2014 to:

  • Attend our presentation “Hackers do the Haka”. The talk will be given on Tuesday 8th.
  • Dive into our workshop scheduled on Thursday 10th morning, 9h30-12h30. We prepared a lot of fun scripts just for you.

SSTIC 2014 Slides

You missed our presentation? Don't worry, we made the slides available here.

Thanks to the SSTIC organizers' efforts, all presentations have been recorded. We will very soon provide a link to (re)play it.

SSTIC 2014 Paper

As you already know, we will give a short presentation of our paper “Un langage orienté réseaux et sécurité” at SSTIC tomorrow. For interested readers, the long version of the paper is available for download here. Slides will be made available soon after the session.

Note that the content of the paper relates to version 0.1 of Haka. Many improvements have been made since the initial release. A new version featuring a grammar for protocol dissection will be published very soon.

Detecting Heartbleed with Haka v0.2

As most of you must have heard, a very nasty bug was discovered a few weeks ago in the OpenSSL project, a widely used open source implementation of the SSL/TLS protocol. This bug, better known as the Heartbleed bug, stems from an incorrectly implemented SSL extension called "heartbeat".

As you know, the initial version of Haka doesn't ship with an SSL dissector. However, the 0.2 version — which will be released soon — features a new grammar for specifying network protocols and their underlying state machine. Thanks to that grammar, we were able to write, with little effort, a dissector covering almost the full specification of the SSLv3 protocol. This dissector will be covered in an upcoming post.


Defeating Nmap Scans v0.1 v0.2

The well-known scanning tool Nmap allows users to discover running services on a target machine. In this tutorial, we use Haka to fool Nmap scans by crafting reset packets.

When launching a NULL (-sN), FIN (-sF) or XMAS (-sX) scan, Nmap forges a malicious packet with a specific set of flags: none for NULL, FIN only for FIN, and FIN, PSH and URG for XMAS. Nmap concludes that a port is closed on the target machine if it receives an RST packet in reply.

Thanks to the Haka API, we can forge RST packets and fool Nmap, letting it think that all ports are closed on the target side. The following script starts by loading the ipv4 and tcp dissectors. The next line disables the tcp-connection dissector so that Haka does not drop packets that do not belong to a valid connection. Finally, we define the security rule that creates a TCP RST packet whenever an Nmap scanning packet is detected. In the last lines, we inject the newly crafted packet and drop the packet forged by Nmap.
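The detection and reply logic described above, as an added example in Python rather than the post's Haka Lua script: it parses a raw TCP header, matches the NULL, FIN and XMAS flag patterns, and builds the header of the RST that a closed port would answer with, following RFC 793 reset generation. The sample probe bytes are constructed here, and the checksum is left at zero because the IP pseudo-header is not modelled.

```python
import struct

# TCP control bits (low byte of the data-offset/flags word).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Exact flag combinations used by the three Nmap stealth probes.
NMAP_PROBES = {0: 'NULL', FIN: 'FIN', FIN | PSH | URG: 'XMAS'}
TCP_HDR = '!HHIIHHHH'  # sport, dport, seq, ack, offset/flags, window, csum, urgptr


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; flags are the low 9 bits of word 6."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    hlen = (off_flags >> 12) * 4
    return {'sport': sport, 'dport': dport, 'seq': seq, 'ack': ack,
            'flags': off_flags & 0x1FF, 'payload_len': len(segment) - hlen}


def classify_probe(flags: int):
    """Return 'NULL', 'FIN' or 'XMAS' for an Nmap probe, None for anything else."""
    return NMAP_PROBES.get(flags)


def build_rst(probe: dict) -> bytes:
    """Header of the RST a closed port sends back (RFC 793 reset generation).
    The probes above carry no ACK, so: SEQ=0, ACK=SEG.SEQ+SEG.LEN, CTL=RST|ACK,
    where a FIN occupies one octet of sequence space. Checksum stays 0 here
    because computing it needs the IP pseudo-header (not modelled in this example)."""
    seg_len = probe['payload_len'] + (1 if probe['flags'] & FIN else 0)
    return struct.pack(TCP_HDR, probe['dport'], probe['sport'], 0,
                       (probe['seq'] + seg_len) & 0xFFFFFFFF,
                       (5 << 12) | RST | ACK, 0, 0, 0)


def handle_segment(segment: bytes):
    """Return (scan_type, rst_header) for an Nmap probe, or (None, None) to let it pass."""
    probe = parse_tcp(segment)
    kind = classify_probe(probe['flags'])
    if kind is None:
        return None, None
    return kind, build_rst(probe)


# Constructed samples (not captured traffic): an XMAS probe and a plain SYN, both
# from ephemeral port 40000 to port 22 with sequence number 1000.
SAMPLE_XMAS = struct.pack(TCP_HDR, 40000, 22, 1000, 0, (5 << 12) | FIN | PSH | URG, 1024, 0, 0)
SAMPLE_SYN = struct.pack(TCP_HDR, 40000, 22, 1000, 0, (5 << 12) | SYN, 1024, 0, 0)

if __name__ == '__main__':
    kind, rst = handle_segment(SAMPLE_XMAS)
    print(kind, parse_tcp(rst))
```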

SSTIC

Our paper “Haka - Un langage orienté réseaux et sécurité” has been accepted for presentation at SSTIC conference.

We hope to see you there to attend our presentation!

Interactive Packet Filtering Mode v0.1

Haka comes with an interesting feature that lets you filter packets interactively. With this mode activated, a Haka shell prompt is displayed to the end user, who has access to the full Haka API to play with packet content: accessing and modifying packet fields, dropping packets, logging suspicious events, alerting, etc. The Lua console supports auto-completion and is therefore a good starting point to dive into the Haka API.

SQLi Attack Detection v0.1

SQL injection attacks (SQLi) are common web attacks that consist of injecting SQL commands through HTTP requests, thus enabling sensitive data disclosure or authentication scheme bypass. SQLi are the most dangerous software attacks according to the SANS Institute ranking.

Initial Release

We are proud to announce the first release of Haka: an open source security language.

Haka simplifies the way security controls are expressed on collected traffic, which makes it a suitable framework for quickly building an efficient intrusion detection system or a network forensics tool.

Haka is intended to be used by all security communities: developers, researchers, etc. We hope you will enjoy using it and start contributing to it.

We are currently working on the next release, which will introduce a grammar to specify protocols and hence avoid the tedious and error-prone coding of protocol dissectors. Stay tuned!!!