Category Archives: console

Decoding the SANS Christmas packet challenge using only NSM-Console

In my never-ending quest to find justification for writing NSM-Console, I hereby present the following tutorial on how to decode the SANS Christmas packet challenge using nothing but NSM-Console:

I’m going to be using NSM-Console version 0.4-DEVEL, which adds the features that allow this analysis to be performed without external tools. You can get the development version here. Alright, let’s get this party started:

First things first, the fellows at SANS point you to the first packet in the xmas_Starter.pcap file, so let’s load up NSM-Console with the packet capture:

./nsm ~/xmas_Starter.pcap

Next, let’s do a printout of all the packets in this dump (since it’s a small file, there shouldn’t be too many):

NSM-Console version 0.3 release

Yep, I’ve just been cranking out code lately, so I am proud to present the 0.3 release of nsm-console!

You can download NSM-Console here:

http://navi.eight7.org/~hinmanm/files/nsm-console-0.3.tar.gz

This release was focused a bit more on usability, features and bugfixes rather than the addition of new modules; however, there were still a couple that were added. Since this release has some pretty big changes, let’s start by going over some of the notable ones:

Screencast: An introduction to NSM-Console

Well, I’ve been working on this for the last week or so, trying to get it all working the way I wanted, and after around 15 takes, I finally have a screencast for anyone interested in the idea behind and usage of nsm-console.

The version of nsm-console used in the screencast is the 0.3-DEVEL version. UPDATE: Version 0.3 is now out!

The video is in .mov format, runs 12 minutes and 40 seconds, and is around 17MB. Don’t forget to right-click and “Download As”!

I’m hoping to have a flash version created soon, I’ll update this entry when I do.

If you have any questions, comments or criticisms, feel free to leave a comment below or email me.

I also updated the “about me” page if you absolutely must know what I look like.

Oh, one more thing, ignore the fact that I say “so” around 30 times in this one video, this is my first screencast, gimme a break. ;)

NSM Console projected module list

Here’s a list of all the planned modules and completed (struck-out) modules for nsm-console. (If a module is struck out, it’s because I’ve finished making a module for it; it isn’t necessarily in the tarball for download.)

  • aimsnarf
  • ngrep (gif/jpg/pdf/exe/pe/ne/elf/3pg/torrent)
  • tcpxtract
  • tcpflow
  • chaosreader
  • bro-IDS
  • snort
  • tcpdstat
  • capinfos
  • tshark
  • argus
  • ragator
  • racount
  • rahosts
  • hash (md5 & sha256)
  • ra
  • honeysnap
  • p0f
  • pads
  • fl0p
  • iploc
  • foremost – thanks shadowbq!
  • flowgrep
  • tcptrace
  • tcpick
  • flowtime
  • flowtag
  • harimau
  • clamscan

Think of any other useful modules? Leave me a comment and let me know!

P.S. I’m also brainstorming for some pcap/real-time network visualization tools, stay tuned!

NSM Console – A framework for running things

Well, I’ve been hard at work for the last couple of days working on a (hopefully) useful tool for aiding in NSM file analysis (for pcap files, live analysis doesn’t work).

Behold! I present NSM-Console! (read more about it here, watch a screencast here)

Download the framework here.
Keep in mind this framework only includes 3 modules (mostly used just for testing).

NSM-Console is a small (< 500, then 1000, now 1500 lines) framework for running nsm modules. Essentially, it’s a framework for running things (but we don’t call it that because it sounds like it wasn’t any work :P ). Here’s the breakdown: