Haka

Disassembling network traffic into asm instructions v0.3.0

The fresh released version of haka (v0.3.0) features a new module allowing to disassemble network data into instructions. This is useful to detect obfuscated shellcodes at network level as suggested in [raid05]¹ for instance. The disassembler leverages on Capstone engine which supports several architecture (x86, arm, mips, etc.).

Here we will try to answer to question 8 of a well-known network forensic challenge. The challenge provides a pcap and asks to dump the shellcode used to exploit a vulnerability and then to provide the list of actions done by this shellcode.

Visualizing alerts using kibana and elasticsearch v0.2.1

As you have already noticed, haka 0.2.1 features new modules enabling to export data to an elasticsearch server. We leveraged on these modules in the Hakabana package to monitor in real-time network data (protocols, flows, geoip info, etc.) through a kibana dashboard.

The 0.2.1 version introduces also an elasticsearch alerting module allowing to insert haka alerts into an elasticsearch server. In the following, we present the main steps to visualize these alerts using a kibana dashboard.

Detecting malicious payloads across multiple packets v0.2

As you can expect, we are currently working hard for the next release which will introduce new interesting features: protocol dissection, pattern matching, API improvements, etc.

Grammar for dissector outlook v0.2

In a previous post, we defined security rules on SSL protocol in order to block heartbleed attack. This post will present a v0.2 feature: the grammar used to specify the SSL protocol. Our grammar can parse binary-based as well as text-based protocols.

This post will focus on the dissection of the ClientHello handshake.

Detecting Heartbleed with Haka v0.2

As most of you must have heard, a very nasty bug was discovered few weeks ago in the OpenSSL project, a widely used open source implementation of the SSL/TLS protocol. This bug which is better known as the heartbleed bug, relies on a wrongly implemented SSL extension called "heartbeat".

As you know, the initial version of Haka doesn't ship with a SSL dissector. However, the 0.2 version — which will be released soon — features a new grammar allowing to specify network protocols and their underlying state machine. Thanks to that grammar, we were able to write, with a little effort, a dissector covering almost the full specification of SSLv3 protocol. This specification will be covered in upcoming post.

Defeating Nmap Scans v0.1 v0.2

The well-known scanning tool Nmap allows users to discover running services on a target machine. In this tutorial, we use Haka to fool Nmap scans by crafting reset packets.

When launching a NULL (-sN), FIN (-sF) or XMAS (-sX) scan, Nmap forges a malicious packet with some flags activated. Nmap concludes that a port is closed on the target machine if it receives a RST packet.

Thanks to Haka API, we can forge RST packets and fool Nmap queries letting him think that all ports are closed on the target side. The following script starts by loading ipv4 and tcp dissectors. The next line disable the tcp-connection dissector to avoid Haka dropping all packets do not belonging to a valid connection. Finally, we define the secuity rule which will create a RST tcp packet if a nmap scanning packet is detected. In the last lines, we inject the newly crafted packet and drop the Nmap forged packet.

Lolcat'ing the web v0.1

Internet is made of cats A great philosopher

With Haka, you can make it happen. As seen in other blog posts, we have shown that we can modify on the fly HTTP requests. What if we change every image requested by a browser to a lolcat image?

Setup basic firewall rules v0.1

The main purpose of the initial release of Haka is to allow users to define easily and quickly security rules and filter unwanted packets/streams. In this article, we show how to setup a simple firewall configuration.

Transform a pcap to an apache log file v0.1

Haka can extract data from pcap; thanks to its http dissector, it can parse all usefull data. One interesting use of this is to recreate apache logs from a pcap file. Imagine you have to treat data from a webserver. There is plenty of tools to analyze data from an apache log file, but what if you have only pcap files?

Detecting Obfuscated Shellcodes v0.1

A shellcode is a malicious payload used to exploit vulnerabilities such as buffer overflow of format string bugs. A shellcode is made of low level instructions allowing to get a shell on the victim machine or to run specific commands. Here is an example of a /bin/sh shellcode:

Haka Debugger v0.1

Haka is featured with debugging capabilities allowing to inspect an existing Haka script file. With this mode activated (--luadebug option), a prompt will be displayed to the user inviting him to identify the faulty code.

Interactive Packet Filtering Mode v0.1

Haka is endowed with an interesting feature allowing to filter packets interactively. With this mode activated, a Haka shell prompt is diplayed to the end-user which will have access to the full Haka API to play with packet content: accessing and modifying packet fields, dropping packets, logging suspicious events, alerting, etc. The Lua console supports auto-completion and therefore is a good starting point to dive into the Haka API.

HTTP Traffic Redirection v0.1

Nowadays, navigating the Internet with an oudated version of a browser could be harmful to your computer as many malwares spread by exploiting vulnerabilities in browers.

SQLi Attack Detection v0.1

SQL injection attacks (SQLi) are common web attacks that consist in injecting SQL commands through http requests, enabling thus sensitive data disclosure or authentication scheme bypass. SQLi are the most dangerous software attacks according to the SANS Institute ranking.