Interview to Net::Packet creator (GomoR)

Net::Packet is a well known framework to easily send and receive frames from layer 2 to layer 7. Simple to describe and simple to use, but what about GomoR, its creator ?? You can get to know him in this interview, but don't fool yourself: this is a person who knows about security, chose Perl to develop his own tools, has his own ideas and likes Martinis with an olive inside. One of a kind.

Please GomoR, introduce yourself to the CaFe.pm group

Well, my job is mainly doing security assessments for various layers, from network to Web applications. I love to develop some vulnerability tests and other security or network programs, and since I do not want to waste time on development, I started to learn Perl, nearly two years ago.

So did you decide to use Perl just because it was at hand, because it was the duct tape, because you were introduced to Perl by someone else, or for any other reason ??

I did choose Perl because of the many modules already available, and because if there is a language that is 'one size fits them all', I think it is Perl. Because I develop programs from a wide range of fields (from network packets, to Web frontends and databases), I took Perl. I taught myself by reading O'Reilly books, and reading source code from different modules. I also love the code that Perl can generate, I like to call my code some form of art.

Why do you think that some exploit frameworks, like CORE Impact or CANVAS, were mainly developed using Python instead of Perl ??

Well, that's a good question. I heard that Metasploit will migrate to Python also. I have some thoughts about that, I think it is because it is easier to inject a Python interpreter into a remote process memory, and Perl, due to its file system structure, should be trickier. I have a project to work on that (that is, injecting a Perl interpreter into a remote process), just for the challenge. But I don't know when I'll be able to do that. Too many things to work on right now.

Why did you decide to build Net::Packet when other modules for the same job were already built ??

Well, this question is always the same: Why do you reinvent the wheel? I mainly reply with two reasons. First, I think that the best way to learn about something is to develop this thing. For example, to learn how a packet is transmitted on the wire, build the packet yourself. The second reason is that I was always rewriting the same functions (open a pcap descriptor using Net::Pcap, craft always the same IPv4 headers using NetPacket or Net::RawIP, open the raw socket, send the packet, analyze always the same fields to match replies for the probe, blablabla). I do not like to always write the same code, especially when this is really easy. So I started to develop Net::Packet from scratch (I have as a task to remove Net::Pcap as a dependency from Net::Packet), with a simple interface, and a powerful layer crafting engine. Basically, you create a frame object, and put in all layers to accomplish your work. So, it is possible with Net::Packet to encapsulate anything in anything (for example Net::Packet::VLAN), and easily send the frame, and catch the reply automagically. Descriptors are opened automatically, no need to worry about them, and the sniffing of frames is done as a forked process, and the main process can call the receive method in an asynchronous way.

I do not think that current modules can do that :-)
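As an added illustration of the frame-object model described above (this is not code from the interview or from the Net::Packet distribution): one TCP SYN probe to a single port, with the reply matched back to the probe by the framework. The target address is a constructed lab value (192.0.2.1, an RFC 5737 documentation address), and the class, attribute and method names follow Net::Packet's documented synopsis as I remember it; check them against the pod of the version you have installed.

```perl
# Added example: one TCP SYN probe with Net::Packet. Needs raw-socket privileges.
use strict;
use warnings;

use Net::Packet::DescL3;
use Net::Packet::Dump;
use Net::Packet::Frame;
use Net::Packet::IPv4;
use Net::Packet::TCP;
use Net::Packet::Consts qw(:tcp);

# Constructed lab values (RFC 5737 documentation address), not a real host.
my $target = '192.0.2.1';
my $port   = 80;

# Layer-3 descriptor: the kernel fills in Ethernet, we supply IPv4 and up.
# new() registers itself as the global descriptor used by send().
Net::Packet::DescL3->new(target => $target);

# The sniffer runs as a forked process; a BPF filter keeps only our exchange.
my $dump = Net::Packet::Dump->new(
   filter        => "host $target and tcp port $port",
   timeoutOnNext => 3,   # seconds without a matching frame before timeout
);
$dump->start;

# Build the frame by stacking layers: IPv4 then TCP. Lengths, checksums and
# the source fields are computed by the framework when the frame is packed.
my $frame = Net::Packet::Frame->new(
   l3 => Net::Packet::IPv4->new(dst => $target),
   l4 => Net::Packet::TCP->new(dst => $port, flags => NP_TCP_FLAG_SYN),
);
$frame->send;

# recv() is asynchronous: it returns the reply matching this probe (by
# ports and sequence numbers) or undef while nothing has arrived yet.
until ($dump->timeout) {
   if (my $reply = $frame->recv) {
      my $flags = $reply->l4->flags;
      if (($flags & NP_TCP_FLAG_SYN) && ($flags & NP_TCP_FLAG_ACK)) {
         print "port $port open (SYN/ACK)\n";
      } elsif ($flags & NP_TCP_FLAG_RST) {
         print "port $port closed (RST)\n";
      }
      print $reply->l3->print, "\n", $reply->l4->print, "\n";
      last;
   }
}
print "no reply (filtered or host down)\n" if $dump->timeout;
$dump->stop;
$dump->clean;
```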

And the major pros and cons between Net::Packet and the other ones ??

I think Net::Packet is quite heavy in memory, and due to the inheritance in the framework, could be longer to execute than other ones. Simplicity comes at that price. I did work to optimize memory usage and speed, and had quite some success with the speed. I think I gained a factor of 10 since Net::Packet 1.28.

Beyond Perl's ability, what is the difference between Net::Packet and libraries in other languages such as libpcap/libnet ??

Well, there is no equivalent of Net::Packet in C/C++ that I know of. When I wrote network programs in C, I encountered the same caveats as those I found in Perl, which decided me to develop Net::Packet. I can compare libnet to NetPacket or Net::RawIP, and libpcap, well, that is Net::Pcap.

A long time ago I started to write a C library to do Net::Packet's work, but development time killed me.

BTW, Can you mention some work that you have done with Net::Packet ??

Yes, the best OS fingerprinter ever (joke :-) ): Net::SinFP. I also developed Net::Packet to do OS fingerprint tests easily and without limitation on the way packets are built: http://www.gomor.org/cgi-bin/index.pl?mode=view;page=net_sinfp . This one really lacks pod :-)

And what about this module. Did you write it as a proof of concept or was it conceived as a module from its beginning ??

This is not a PoC. It was built as a module, because I integrate OS fingerprinting in other projects I work on. So, it is truly a module you can use to do OS fingerprinting in your programs. And the signature database is not empty ;-) . The sinfp.pl file that ships with the module is the standalone program that one can compare to nmap -O. But there are more features than active OS fingerprinting, there is also passive fingerprinting, and it fingerprints over IPv4 and IPv6. This is the first program doing OS fingerprinting for IPv6 stacks. I encourage the reader to read more about SinFP on the previously given link. For this module, I also developed DBIx::SQLite::Simple, to easily access database tables and elements, by mapping table entries to objects: http://www.gomor.org/cgi-bin/index.pl?mode=view;page=dbix_sqlite_simple

Could you compare the Perl community in France with other countries ??

I can't. I'm not involved at all in Perl communities. As a general principle, I dislike communities. We can have a philosophy interview to describe my feeling about that.

OK, I was going to ask about the Security Community, but instead I'll ask: Could you compare the Security movement in France with the ones in other countries ??

My thought is that the French touch in the security field is growing greater and greater. Only a few years ago, there were nearly no frenchies talking about security at world conferences. And now, in France, we have our own security conference that is getting better and better each year. I name it: SSTIC (www.sstic.org). This conference is mainly organized by a french security magazine named MISC (www.miscmag.com). I also wrote two articles on OS fingerprinting in this magazine.

And what do you think were the factors that pushed France towards this new status ??

There is always an offset between the USA and the old continent. And now, we have filled the gap with the USA. New students are more interested in security, and major worms have raised awareness about security to upper management in top companies. So, there are more and more security jobs in France, and more and more brilliant french people on the scene. But that's a personal opinion, of course.

Another thing, when I started to learn about security, nearly 7 years or so ago, there was not as much documentation on the Internet as there is today. So, it is easier today to learn about many fields of the security arena.

Could we say that competition raised the quality, don't you think ??

Well, I think competition is always a good thing. I will take a personal example. Before I began research in OS fingerprinting, the best tool (in the general public opinion) was nmap -O. So, I needed to be better than nmap.

Now, I let other people judge if I had some success or not.

I think that there has been a public exposure of security from 6 or 7 years ago to this time, and that helped to spread the word, and make it something that you can't avoid speaking of.

Well, not in France. Maybe in other countries, but not here. In France, if you want to find easily a job in security, you nearly have to go to Paris. In other cities, you need to be very lucky.

And speaking about security, what is your opinion regarding the vulnerability disclosure that Lynn made at the Black Hat convention ?? (the one that generated the ciscogate) ??

I like this question. From what I have read, his announcement was nothing new. FX from phenoelit already spoke about developing IOS shellcodes. The major problem in Lynn's affair was that he works in America, and especially for ISS. Too bad for him. Cisco and ISS are two firms based in the USA. Liberty in the USA is becoming closer and closer to that of a dictatorial country. What he did, for this nation, was not politically correct at all.

Well, you know, the full disclosure idea generates some problems, mainly when these are about money, profit, public exposure and stuff like that :-)

Yes. I do not speak about full disclosure. I just say my personal way of acting is via responsible disclosure. I found some small vulnerabilities in the BEA WebLogic product while doing a pentest for my current client, and worked with BEA to solve them. Ok, it takes some time for the vendor to patch the product, but hey, I already worked for a software company before, and I know what it is about.

Sure. The extreme points are never well positioned (they have radical positions). I think that the truth is in the middle, between these extreme points, and in acting responsibly.

Yes. And it requires some maturity to be able to see the grey area.

Always, and mainly taking the responsibility that, depending on what you do, you can affect millions of people's daily life. For good or not.

Exactly. Always be able to evaluate consequences of our acts.

And which are your next-to-do projects ??

A true vulnerability database. Only targeting pentesters.

Can you give me more details, it looks juicy !!

I currently have implemented the database. There is no description of the vulnerability. I keep only information about vulnerabilities that is useful. For example, a memory exhaustion vulnerability is not quite useful. But a vulnerability that is (or was) exploited massively is. The type of the consequence of exploitation is a major piece of information. A stack-based buffer overflow in a product is useful information. Usually, in vulnerability databases (VDB), this information is masked in the description field.

I also add the requirements for exploitation, for example valid credentials, or in the case of the latest MS05-039 vulnerability that a null session is required. My VDB could (will) be usable in automated VA tools.

So, the DB API is implemented, and I started to fill the database with data. I currently have 56 major vulnerabilities, with links to exploit codes and all major cross references.

Going back to Net::Packet (where all of this chat began): What advice would you give to a beginner in network application programming who wants to use Net::Packet ??

To read Richard W. Stevens' book: TCP/IP Illustrated volume I. And maybe volume II too, but I personally never read it. And also, read all O'Reilly books about Perl programming. I'm not here to answer questions about Perl (when I answer questions about my CPAN modules).

And a piece of advice of your own (apart from reading books) ?? ;-)

Read, always read. Never stop reading.

How can anyone collaborate with Net::Packet or any of the projects you are carrying on ??

Give me some packet captures of new layer 2, 3 or 4 protocols. Wait for me to implement them, and test my implementations (whether they work or not).

And speaking of CPAN (in the previous question), any favorite CPAN module ?

Maybe LWP::* , or DBI::* and DBD::*

What do you consider most useful of these modules ??

Hide some low level tasks I do not want to learn about.

And which uses of your work surprised you ??

A man from NASA ;-) I don't know which project he is working on, but I like to know Net::Packet is used at NASA :-)

It looks like Net::Packet traveled to ISS !!

Hehe ;-) maybe. But I don't think so.

Do you have any experience (funny or not so) that you had while making Net::Packet and that you want to share with us ??

The so called portable code from one OS to another. There is no such thing as portable code before you write the portable functions.

Well, I think that when you write low level code and want to make it portable, even a portable language is not enough. You have some extra work to do for those bits that haven't been thought to fit in the language.

Yes.

OK. Finally, anything else that you want to tell us and I haven't asked you ??

Well, I think we have spoken about the major ideas.