Showing posts with label BT. Show all posts

Monday, June 28, 2010

Bug and Fix in isp.py in BT4

While trying to learn more about BT and its many tools, I discovered a small bug in one of them.
This led to trying to find a fix for it. I suppose that I was successful.

The tool in question is isp.py, located in /pentest/misc/isp/.
Upon trying to run the default command one will get the following:
------------------code------------------------------
root@bt:/pentest/misc/isp# python isp.py
Traceback (most recent call last):
File "isp.py", line 10, in
conf.verb = 0
NameError: name 'conf' is not defined
root@bt:/pentest/misc/isp
------------------code------------------------------

So to fix it, open isp.py in a text editor and locate the following line near the top:
from scapy import *
Change it to:
from scapy.all import *
Then save and exit.

Now try running again.

------------------code------------------------------
root@bt:/pentest/misc/isp# python isp.py
WARNING: No route found for IPv6 destination :: (no default route?)
isp.py: "I Spoof Packets with my ISP", by Sebastien Raveau
Usage: isp.py [alternate DNS server on the Internet]

WARNING: this gives false-positives when run behind some NAT
routers! If anybody has an idea of how to prevent that, please
leave a comment under the blog post explaing how this tool works:
http://blog.sebastien.raveau.name/2009_02_01_archive.html

Failed to reach DNS server at resolver1.opendns.com
Try again or try isp.py
------------------code------------------------------


There you have it.
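The NameError comes from how scapy 2.x is packaged: the package's top level no longer re-exports names such as conf, which live in scapy.all. The following is an added example, not code from the post or from scapy; it reproduces the mechanism with a throwaway package named fakescapy (constructed in a temporary directory) and shows the original import statement failing and the corrected one working.

```python
"""Why `from scapy import *` leaves `conf` undefined while `from scapy.all import *` works.

Added illustration: builds a constructed package `fakescapy` whose top-level
__init__ is empty and whose `all` submodule defines `conf`, mirroring the
scapy 2.x layout that produced the traceback in the post.
"""
import importlib
import os
import sys
import tempfile
import textwrap


def build_fake_package(root):
    """Create fakescapy/__init__.py (empty) and fakescapy/all.py (defines conf)."""
    pkg = os.path.join(root, "fakescapy")
    os.makedirs(pkg, exist_ok=True)
    with open(os.path.join(pkg, "__init__.py"), "w") as fh:
        fh.write("# empty on purpose: nothing is re-exported at package level\n")
    with open(os.path.join(pkg, "all.py"), "w") as fh:
        fh.write(textwrap.dedent("""\
            class _Conf:
                verb = 1
            conf = _Conf()   # the object a tool like isp.py touches on line 10
        """))
    importlib.invalidate_caches()  # make the freshly written files importable
    return pkg


def run_script(root, import_line):
    """Execute the first lines of an isp.py-like script with the given import.

    Returns ('ok', verb) when conf.verb could be set, or ('NameError', message)
    when the import did not bind `conf`, which is the failure shown in the post.
    """
    script = import_line + "\nconf.verb = 0\nresult = conf.verb\n"
    namespace = {}
    saved_path = list(sys.path)
    sys.path.insert(0, root)
    try:
        # Drop any cached copy so each run performs the import from scratch.
        for name in [n for n in sys.modules if n.startswith("fakescapy")]:
            del sys.modules[name]
        exec(compile(script, "isp_like.py", "exec"), namespace)
        return ("ok", namespace["result"])
    except NameError as exc:
        return ("NameError", str(exc))
    finally:
        sys.path[:] = saved_path


def demo():
    """Run the broken and the fixed import against the constructed package."""
    root = tempfile.mkdtemp()
    build_fake_package(root)
    broken = run_script(root, "from fakescapy import *")
    fixed = run_script(root, "from fakescapy.all import *")
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    print("from fakescapy import *     ->", broken)
    print("from fakescapy.all import * ->", fixed)
```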

Monday, January 18, 2010

Google Chromium in BT4

This is a small guide to adding the Google browser Chromium to Back Track 4.

Note: Following this guide may break your system and no one will take responsibility for it but you.
OK the first thing you need to do is add the PPA's to your apt sources list.
-------------------------CODE-----------------------------
root@dorkbox:~# nano /etc/apt/sources.list
-------------------------CODE-----------------------------
Add the following to the list
-------------------------CODE-----------------------------
# Chromium browser PPA
deb http://ppa.launchpad.net/chromium-daily/ppa/ubuntu intrepid main
deb-src http://ppa.launchpad.net/chromium-daily/ppa/ubuntu intrepid main
-------------------------CODE-----------------------------
Save and exit.
Next get the key
-------------------------CODE-----------------------------
root@dorkbox:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys FBEF0D696DE1C72BA5A835FE5A9BF3BB4E5E17B5
-------------------------CODE-----------------------------
Note the above should be one line.
Next update apt
-------------------------CODE-----------------------------
root@dorkbox:~# apt-get update
-------------------------CODE-----------------------------
Last apt-get the browser.
-------------------------CODE-----------------------------
root@dorkbox:~# apt-get install chromium-browser
-------------------------CODE-----------------------------
Three other packages should get pulled as well.
chromium-browser chromium-browser-inspector chromium-codecs-ffmpeg

Monday, January 11, 2010

Back Track 4 Final is out.

That's right Back | track 4 Final is now out.
With a new release comes a new website with a new forum, and a new IRC channel as well: irc.freenode.net, channel #backtrack-linux.

Enjoy

Saturday, January 2, 2010

Using apt-Cacher

I was doing a bit of research and came across this today.

"Apt-Cacher is a method by which you can centrally cache and share packages already stored within your network. It also allows the option of caching any downloaded packages in the future. This allows me to download a package once and transparently share it with an unlimited number of machines within my network. This way I only use my Lanwidth (LAN-bandwidth), and not my limited WAN connection."
Setup would be:
---------------code---------------------------------------------
# aptitude install apt-cacher
To have auto startup
---------------code---------------------------------------------
# sed -i.orig 's/AUTOSTART=0/AUTOSTART=1/' /etc/default/apt-cacher
# /etc/init.d/apt-cacher restart
---------------code---------------------------------------------
Configure the ACL for access (the default allows access from any IP); it is located in /etc/apt-cacher/apt-cacher.conf.
Restrict it to the hosts or subnet that should use the cache rather than leaving it open to anything that can reach the port.
To import the packages in your box to the cache
---------------code---------------------------------------------
# /usr/share/apt-cacher/apt-cacher-import.pl -s /var/cache/apt/archives/
---------------code---------------------------------------------
To point other machines on the network at the cache, edit /etc/apt/apt.conf on each of them so that the proxy line carries the cache server's IP address (in place of localhost.localdomain) and the port apt-cacher listens on:
---------------code---------------------------------------------
Acquire::http::Proxy "http://localhost.localdomain:port";
---------------code---------------------------------------------

Friday, January 1, 2010

Installing gnome-do in BT4

If you have not heard of gnome-do, it is basically a launcher. But it can do a lot more.
Warning: Adding repos or PPAs that are outside of the control of Remote-Exploit may cause problems, and as such I (and the remote-exploit team) am not responsible. I may be able to help, but then again I may not. Gnome-do is very new and as such not all of the issues (bugs) have been worked out.

Ok, to install Gnome-do you will need to add the PPAs to your repo list using your favorite text editor.
---------------code---------------------------------------------
root@dorkbox:# nano /etc/apt/sources.list
---------------code---------------------------------------------
Add the following two lines.
---------------code---------------------------------------------
deb http://ppa.launchpad.net/do-core/ppa/ubuntu intrepid main
deb-src http://ppa.launchpad.net/do-core/ppa/ubuntu intrepid main
---------------code---------------------------------------------
The key should be added to your keyring as well.
---------------code---------------------------------------------
root@dorkbox:# gpg --no-default-keyring --keyring /tmp/gnome-do.keyring --keyserver keyserver.ubuntu.com --recv-keys A5D19FDCAA6ABB440CD3464628A8205077558DD0
root@dorkbox:# gpg --no-default-keyring --keyring /tmp/gnome-do.keyring --export --armor A5D19FDCAA6ABB440CD3464628A8205077558DD0 | apt-key add -
root@dorkbox:# rm /tmp/gnome-do.keyring
---------------code---------------------------------------------
Then
---------------code---------------------------------------------
root@dorkbox:# apt-get install gnome-do
---------------code---------------------------------------------
Gnome-do will add some packages that it needs in order to run. We will also need to add a compositing manager; we will come back to this later. Next add gnome-terminal, which is used to take advantage of any application that runs from a terminal (i.e. the Back Track tools).
So to get it:
---------------code---------------------------------------------
root@dorkbox:# apt-get install gnome-terminal
---------------code---------------------------------------------
Once apt finishes we need to set gnome-terminal as the default terminal emulator (do not worry, you can change this later if you need to). To change it:
---------------code---------------------------------------------
root@dorkbox:# update-alternatives --config x-terminal-emulator
---------------code---------------------------------------------
You will then see the following.
---------------code---------------------------------------------
Selection Alternative
-----------------------------------------------
1 /usr/bin/xterm
2 /usr/bin/uxterm
3 /usr/bin/koi8rxterm
4 /usr/bin/lxterm
*+ 5 /usr/bin/gnome-terminal.wrapper
6 /usr/bin/konsole
7 /usr/bin/xfce4-terminal.wrapper

Press enter to keep the default[*], or type selection number:
---------------code---------------------------------------------
Before you type a number make note of your default in case you need to change back later on. Ok, you can find gnome-do in the menu under Utilities. An easy way to work with it is to pull it to the desktop or panel to make a shortcut.
Now click on it and it should open a window on the desktop; in the upper right hand corner there should be a little drop down arrow. Click it to bring up the preferences dialog. Under plugins look for gnome-terminal, check it, then refresh and close the dialog.
You can mess with the other preferences on your own. Ok, now that you have everything set up, click on the purple gnome-do icon or use the "super key" plus the space bar (the super key may also be a Windows key). This should bring up the basic gnome-do screen. From there you can start typing commands or the names of applications. Try typing msfconsole. It should give you options after a few letters. If you find run, then tab over to the other side of the screen and hit enter. It should start msfconsole running.
If you tab to the second half of the screen you can use the up and down arrow keys to cycle through the other options. There should be a copy to clipboard option as well as a few others. If a command does not work then re-type it and look for the "run in terminal" command. Another feature of Gnome-do is Docky. Docky is basically a front-end for Gnome-do that lets you create a launcher panel on your desktop. Using Docky you can drag and drop items onto the panel, or drag them off the panel to delete them.
There is a lot you can do with both Gnome-do and Docky; I will leave it up to you to explore. If you don't have a compositing manager then you will need one to take advantage of all the cool features (if you run the "classic" mode of Gnome-do you won't need one). The easiest way to do this would be to add xcompmgr. There are other managers, but xcompmgr is light on resources in the background. To set it up use aptitude to grab it.
---------------code---------------------------------------------
root@dorkbox:# aptitude install xcompmgr
---------------code---------------------------------------------
Of course this will also pull other dependencies along. You can then start compositing manually via the xcompmgr command. With basic compositing enabled you should now be able to use the enhanced features of Gnome-Do, including the Mini Interface, Docky, Glass Interface and Nouveau. So now that you have everything needed, start xcompmgr using the command above, then open the preferences for gnome-do again, and this time go to the appearance tab and select docky. Now you should see the launcher panel at the bottom. If it does not show up then you may need to change the appearance themes a couple of times. Now go into your menu, find a few tools that you would want to add to docky and drag them over. Some of the icons may show up as an "X"; I have not found a fix for this yet.


That's it. Again, remember that gnome-do is new software and as such things may not work right. But with a little fun you can now launch your applications in a new way.
I encourage everyone who tries this to add their tips and tricks to this thread.

Change the Default Terminal Emulator

Changing the default terminal emulator (or tty) is something that is easy to do, but most people never need to. One reason you may need to change the terminal is that some programs may not work with your system's default.
So in order to do this on Debian based systems, open a shell and use the update-alternatives command.
root@dorkbox:# update-alternatives --config x-terminal-emulator
This will return the following:
There are 7 alternatives which provide `x-terminal-emulator'.

Selection Alternative
-----------------------------------------------
1 /usr/bin/xterm
2 /usr/bin/uxterm
3 /usr/bin/koi8rxterm
4 /usr/bin/lxterm
*+ 5 /usr/bin/gnome-terminal.wrapper
6 /usr/bin/konsole
7 /usr/bin/xfce4-terminal.wrapper

Press enter to keep the default[*], or type selection number:
So as you can see the * represents the current default terminal, and entering a number from the list above will change to the one you want.
Make a note of your current one so that you can change back if you later need to.

Well that's it. Not hard to do.

Wednesday, December 16, 2009

Using NeXpose in Back Track 4

So here is Using NeXpose in Back Track 4. In this video, I will setup a simple scan of a Windows server. After the scan I briefly show the results that are produced.
If you haven't seen the install video, then it is here on the blog so take a look at it too.
I hope you enjoy it.

The Links.
Blip.tv
Vimeo
Youtube


And of course embedded here:

Sunday, December 13, 2009

Installing NeXpose in Back Track 4

Small video on installing NeXpose from Rapid7 into Back Track 4.
I thought about making a text with picture tutorial but after taking the needed screen shots, I thought it would be just as easy to record the screen.

Blip.tv Link
Vimeo Link
Youtube Link

Of course you can also watch it here.


Sunday, November 15, 2009

Up and Running with OpenVAS in Back Track 4 part 2

As promised here is part two of Up and Running with OpenVAS in Back Track 4. This time we will update the NVT (network vulnerability tests) database.
Then we will setup a scan against a generic vanilla install of windows server 2008.
I hope you enjoy and find it useful.
The video can be found on blip.tv here
You can also get it at Vimeo here.
You can also find it at the Remote-Exploits (Back Track) Forums here.

Tuesday, November 3, 2009

Up and running with OpenVAS in BT4

Just as the title says this is a small video on getting OpenVAS setup and running.
A brief walk through on adding a user to the system, creating a certificate for the user, starting the server and client, setting up a task with scope and running the task, within Back | Track 4.
The video is available here on blip.tv
And here on vimeo
Enjoy!
You can also watch it below.

Up and Running with OpenVAS in Back Track 4 from archangel.amael on Vimeo.


In the next video I will walk through updating the OpenVAS server and running a task in the dork-lab network.

Friday, June 19, 2009

Monday, June 1, 2009

Using APT-GET Quick Reference

Using apt-get
This is a small quick reference post on using apt-get in BT.
There is a ton of info about it throughout the internet. I merely wanted to post the basics for those that may be too lazy, or unwilling, to look elsewhere.
So first and foremost:
There are three basic installers in BT4: apt-get, the basic command line package management system; aptitude, a curses based front end for apt-get; and synaptic, which is a GUI version. Other than that there really are no major differences.
Now let's look at some of the commands that are available to us.
First
Code:

# man apt-get

The manual page: read it.
Code:

# apt-cache pkgnames

Gives us the names of all the installed packages we have on the system.
The list is not really organized, so add a pipe and sort to the end (apt-cache pkgnames | sort) and it will be alphabetized.
Code:

# apt-cache search programname

Add the name of a program that you want to search for. The command will show software packages matching the expression you entered. One problem with apt is that it really needs the exact name of a package for better results.
Code:

# apt-get install packagename

Pretty simple, since all the work is now done for you.
There is a caveat to this method of package installation: you can't pass any configuration options to the program. To remove a package, just the opposite should be done.
Code:

# apt-get remove packagname

This will remove the package but may not remove all configuration files. To do that, run instead:
Code:

# apt-get remove --purge packagename

Next updating software.
First:
Code:

# apt-get update

This updates the list of currently installed software; this is the same list that we saw earlier. Next, actually updating said list.
Code:

# apt-get upgrade

Now, the thing about this command is that it will upgrade to the most recent version of all packages on the system. This may or may not always be the best way of doing business. Some packages may not work as well as the older ones. Use with care. Use -s before upgrade to simulate, i.e. to see which software would be updated. A better way is to use dist-upgrade.
Code:

# apt-get dist-upgrade

This will upgrade all packages with conflict resolution, discarding less important packages in favour of more important ones. There are many other commands, but the above should help get you started working with apt. Hope it helps.
Credits: This tutorial was created with help from the Debian APT How-To which can be found here: Debian -- Debian Documentation Project
And the man page

Tuesday, May 26, 2009

BackTrack 4 Pre Final

There is a new blog for Back-Track 4 located at Offensive-Security
The pre-final will be available for those who are subscribed to informer.
If you don't know what it is check it out. Basically Johnny Long uses the platform to help needy children in Africa. Even if you don't care about BT the work he does is worth the donation.

Tuesday, May 5, 2009

Update to latest Firefox

There have been some problems getting the default firefox to update on bt4.
The reason this seems not to work is that the normal install routine for firefox is to save the firefox script to /opt.
When using the firefox updater it looks for the script in /opt and as such it can not find it.
One needs to remember that normal *nix boxes are set up for several users to be able to access applications and have their own settings saved into a "home" directory. Since BT is designed for one user, "root", things are a bit different.
Firefox in bt is saved under /usr/bin/firefox as a symbolic link to /usr/lib/firefox.
So if you want to make your firefox install a bit more like a "normal" distro you can follow along.
First download the latest firefox from here.


Next grab a shell and back up your bookmarks and settings:
Code:

root@dorkbox:~# cp -R ~/.mozilla ~/.mozilla.backup

Now move to the directory containing your new FF:
Code:

root@dorkbox:~# cd /opt

Then
Code:

root@dorkbox:/opt# tar -jxvf firefox-3.0.10.tar.bz2

Next
Code:

root@dorkbox:/opt# rm firefox-3.0.10.tar.bz2

Then
Code:

root@dorkbox:/opt# nano /usr/bin/firefox

Find the part that has the following:
LIBDIR=/usr/lib/firefox-3.0.5
and change it to
LIBDIR=/usr/lib/firefox-3.0.10
save and exit.
Then move to /usr/bin/ and rename firefox-3.0 to firefox-3.0.old. Then rm the old firefox script in the same directory.
(FYI NOTE: the script is called "firefox".)
Copy the new firefox script from firefox-3.0.10 to /usr/bin.
Then nano /usr/bin/firefox and find the line that looks like the following (it might have been a little different):
moz_libdir=/usr/local/lib/firefox-3.0.5
Change it to
moz_libdir=/usr/lib/firefox-3.0.10
Save and exit.

Now you should be able to enjoy your pr0n from within BT as always.
It should start from a shell, and the panel icon as well as the menu icon.

NOTE: There may be an easier way or better way to do this but it works for me.

Sunday, April 19, 2009

Using the watch command in linux

A small tutorial for using watch to monitor things in Linux.
First and foremost get a shell.
root@dorkbox:~# watch --help
This gives us some basic help on using watch; of course there is also the man page.
root@dorkbox:~# man watch
OK, so for now let's not worry about any usage flags but instead focus on using the command. We can use the command for many things, but let's look at using it to monitor memory usage. To find out about memory usage you can use the following command.
root@dorkbox:~# cat /proc/meminfo

This will return something like the following.
MemTotal: 623008 kB
MemFree: 35336 kB
Buffers: 85560 kB
Cached: 137220 kB
SwapCached: 24480 kB

Notice that this is the truncated output.

So now let's take the two commands and combine them to continuously show our memory usage.

root@dorkbox:~# watch cat /proc/meminfo

Which will give us the following:
Every 2.0s: cat /proc/meminfo Sun Apr 19 01:20:01 2009

MemTotal: 623008 kB
MemFree: 46396 kB
Buffers: 82636 kB
Cached: 131044 kB
SwapCached: 24480 kB

Again the output is truncated.


As you see the output will be updated every 2.0 seconds.

We will look at more later on.
Enjoy

SMART disk monitoring How-To

A small tutorial for getting S.M.A.R.T. disk monitoring.
You can monitor the health and temperature of your hard disks.
Note this will only work if your disks support the S.M.A.R.T. feature.
Code:

root@dorkbox:~# apt-get install smartmontools
root@dorkbox:~# apt-get install hddtemp

When hddtemp runs it will pop up a window about running the daemon at startup; it recommends not to do so, but you can choose either way.
If you want to reconfigure this later, just run dpkg-reconfigure hddtemp.

Code:

root@dorkbox:~# apt-get install sensors-applet

You can add a panel applet with this.

There is a front end for smartmontools, GSmartControl; to install it use the package available here:

Then use
Code:

root@dorkbox:~# dpkg -i gsmartcontrol_0.8.4+nmu1_i386.deb

to install it.
There is also an AMD64 package if needed.
Once it finishes running, dpkg will complain about needing some missing libraries; just run
Code:

root@dorkbox:~# apt-get -f install

and it will install them as well.

To run the app
go to: K menu> System> GSMartControl

There may be an easier way to do this; it was just the easiest that I found at the moment. Hit back if you need some help or have problems.
Thank you

Monday, April 6, 2009

UFW Howto in BT4

This is a small howto for UFW, the uncomplicated firewall, for BT4.
The majority of this info comes from the man page.
There are other tutorials on the net for using this.
There is also a GUI; we will talk about it a bit later.

First and foremost, if you have something to add please do so.
ufw is a front end for iptables.
So in order for us to start ufw, go to the command line:
Code:
root@bt:~# ufw

Usage: ufw COMMAND
Commands:
enable enables the firewall
disable disables the firewall
default ARG set default policy to ALLOW or DENY
logging ARG set logging to ON or OFF
allow|deny RULE allow or deny RULE
delete allow|deny RULE delete the allow/deny RULE
status show firewall status
version display version information
Application profile commands:
app list list application profiles
app info PROFILE show information on PROFILE
app update PROFILE update PROFILE
app default ARG set profile policy to ALLOW, DENY or SKIP

root@bt:~#

So let's look at some of the usage flags.
enable/disable are self explanatory.
Code:
# ufw enable

we get back
Code:
root@bt:~# ufw enable
Firewall started and enabled on system startup
root@bt:~#

Of course we would then have to reboot. When you do, it will show up as enabled in the boot sequence. If it checks out you get the [OK].
Now let's look at default and ALLOW/DENY.
allow will, as it states, allow all traffic by default, which right now means that our firewall really does nothing. deny will stop all incoming and forwarded packets, but it will not stop outgoing packets. So at the minimum this is better than nothing.
Here is what it looks like:
Code:
root@bt:~# ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)
root@bt:~#

The same reminder is given every time. We will look at rules in a bit; first let's look at logging, which you can either turn on or off.
Code:
#ufw logging on
logging enabled

The logs are stored in /var/log/messages, /var/log/kern.log and /var/log/syslog; there is not a separate log for ufw as of yet.
You can gather information from them by using grep:
Code:
#grep ufw /var/log/syslog
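
Since ufw has no log of its own and its entries land in syslog with a [UFW BLOCK] or [UFW ALLOW] prefix followed by the kernel's key=value fields, a few lines of Python go further than grep. This is an added example, not code from the post or from ufw; it runs over constructed sample log lines (host name, MACs and addresses are made up), counts blocked packets per source and flags sources whose blocked SYNs hit several distinct ports.

```python
"""Summarise ufw BLOCK entries from syslog (added example, not from the post)."""
import re
from collections import Counter, defaultdict

# Constructed sample of syslog lines, the kind `grep ufw /var/log/syslog`
# returns once logging is on. Hosts, MACs and addresses are made up.
SAMPLE_SYSLOG = """\
Apr  6 10:01:02 bt kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.100 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  6 10:01:02 bt kernel: [ 1234.567912] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.100 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  6 10:01:03 bt kernel: [ 1234.568001] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.100 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44323 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  6 10:02:10 bt kernel: [ 1301.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Apr  6 10:02:11 bt sshd[2211]: Accepted publickey for root from 192.168.1.1 port 50022 ssh2
Apr  6 10:03:00 bt kernel: [ 1350.000000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50023 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# "[UFW BLOCK]" / "[UFW ALLOW]" / "[UFW AUDIT]" is the log prefix ufw sets;
# everything after it is the netfilter key=value dump.
UFW_RE = re.compile(r"\[UFW (?P<action>\w+)\]\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_ufw_line(line):
    """Return a dict for a ufw log line, or None if the line is not a ufw event."""
    m = UFW_RE.search(line)
    if not m:
        return None
    fields = m.group("fields")
    kv = dict(KV_RE.findall(fields))
    tokens = set(fields.split())  # bare flags such as SYN, ACK or DF carry no '='
    return {
        "action": m.group("action"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None,
        "syn": "SYN" in tokens,
    }


def summarize_blocks(log_text, port_threshold=3):
    """Count blocked packets per source and flag sources probing many ports.

    Returns (blocked_per_src, flagged): flagged lists sources whose blocked TCP
    SYNs reached at least port_threshold distinct destination ports, a rough
    indicator of a port sweep worth a second look in the full log.
    """
    per_src = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_ufw_line(line)
        if ev is None or ev["action"] != "BLOCK":
            continue
        per_src[ev["src"]] += 1
        if ev["proto"] == "TCP" and ev["syn"] and ev["dpt"] is not None:
            ports_by_src[ev["src"]].add(ev["dpt"])
    flagged = sorted(s for s, ports in ports_by_src.items() if len(ports) >= port_threshold)
    return dict(per_src), flagged


if __name__ == "__main__":
    per_src, flagged = summarize_blocks(SAMPLE_SYSLOG)
    for src, count in sorted(per_src.items(), key=lambda kv: -kv[1]):
        print(f"{src:16} blocked {count} packet(s)")
    print("possible port sweep from:", ", ".join(flagged) or "none")
```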

Now let's look at the rules. There are again two options, allow and deny.
So here is where it can get a bit more complicated. This is how we add certain ports and protocols.
Code:
# ufw allow 80
rule updated

So now port 80 (http) is open. Close it again with
Code:
# ufw deny 80

With just the port it will allow or deny traffic for both TCP and UDP.

We can also specify the protocol, like the following: 80/tcp
We can also delete a rule and it will revert to whatever the default policy was at the beginning. More complicated rules can be made as well. For instance, to allow (or, with deny in place of allow, to blacklist) a particular IP address we supply the address to the rule:
Code:
# ufw allow from 192.168.1.100

You can also specify certain ports with certain IPs like so:
Code:
#ufw allow from 192.168.1.1 to any port 22

This will allow 192.168.1.1 to access port 22 over both TCP and UDP.
If you want to allow only TCP, append it to the end of the port: 22/tcp
You can also use a netmask. Next let's look at services. You can set services that can be found in
Code:
#cat /etc/services

For instance we want to allow telnet then we simply give
Code:
# ufw allow telnet

That simple.
One caveat though is that the service must be installed on the host.
Probably the best usage flag in ufw is --dry-run, which will not make any real changes but only shows what would occur with the new rule in place.
So for example
Code:
#ufw --dry-run deny ssh

If the rule will not work or the syntax is wrong it will spit back an error.
Also, when adding rules the first match wins, according to the man page.
So make your specific rules first, then the general ones.

There is more to the rules, as well as support for applications themselves.

The next thing we can look at is adding the GUI interface, if needed.
The link is here; this download is a ".deb" package, and you can install it using
Code:
#dpkg -i gufw_0.0.7c-all.deb

There are more things that can be done and if anyone needs help with it make a post here about it.

Friday, June 27, 2008

There have been some new tools released over the past few days and I would like to put up some basic info on some of them. Here are a few new or newer voip testing tools.

VoIPER0.06
VoIPER is a VoIP security testing toolkit incorporating several VoIP fuzzers and auxiliary tools to assist the auditor. It can currently generate over 200,000 SIP tests, and H.323/IAX modules are in development.

SipBomber0.8
SipBomber is a SIP protocol testing tool for Linux, originally developed by Metalink in 2003 for internal use and released later as a GPL open source product.


Sip Rogue
You can find more info about Sip Rogue in the Book Hacking VoIP Exposed.


These tools can be found in the newest version of Back|Track.

Monday, May 26, 2008

Multipart PortScanning Tutorial Part 7

Multipart PortScanning Tutorial Part 7

In this edition we will be looking at the results of some Xmas Tree scans.

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP addresses, MAC addresses, etc. have been munged!

[b]OK so first things first. If you are not up to speed, here are the other tutorials I have done on nmap.[/b]
[url="http://forums.remote-exploit.org/showthread.php?t=11001"]Part1[/url]
[URL="http://forums.remote-exploit.org/showthread.php?t=11003"]Part2[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11010"]Part3[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11025"]Part4[/URL]
[url="http://forums.remote-exploit.org/showthread.php?t=11216"]Part5[/url]
[url="http://forums.remote-exploit.org/showthread.php?t=14195"]Part6[/url]

OK so let's look at what an Xmas Tree scan is.
[quote]Xmas scan (-sX)

Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
[b]From the nmap online documentation. [/b] [/quote]

So what does this mean?
Well for starters we know about the three-way handshake with TCP/IP. So what we are doing is sending packets out that have the "FIN", "PSH" and "URG" flags set.
So let's look at these flags. The first one, "FIN", tells the target that we are finished with our connection. Normally it would send back an "ACK" packet.
The second is the "PSH" or push flag. TCP designates data being sent to an application by using the "PSH" flag. To ensure that data sent from a node has been received, TCP uses an "ACK" flag that specifies which "PSH" packets have been received. "ACK"s are sent in response to "PSH" datagrams in two different scenarios:
1. When data has been received by a node.
2. When the "ACK" delay has been reached.
The third flag is the "URG" flag. The "URG" flag is used to tell a node that information needing immediate attention is present within a packet.
A "URG" also tells a receiving node that the sender requests all buffered data to be passed to the application. Normally TCP holds data in a memory buffer until enough is collected then it is passed to the application needing said data. With the "URG" flag TCP sends the data immediately. Ok so now might be a good idea to take a break!

Now that we know what the packets mean let's take a look at why this can be important to the pen-tester.

First, when we do an Xmas tree scan and the target sends us a "RST" or reset packet, then we know that the target port is closed. But if the target port is open then there will be silence. This is the same thing as when doing a "FIN" scan. All of this takes place due to RFC 793, Transmission Control Protocol.
During an Xmas tree scan nmap categorizes the response as either closed or open|filtered. The open|filtered result is combined because firewalls often drop these packets: a missing response may be due to an open port or to a filtered network connection, and there is no way to tell the two apart. Different implementations of the TCP/IP stack will handle these scans in different ways. Windows, for example, will reply with a "RST" regardless of the status of the port. If an open|filtered port is picked up then the node is not Windows based. Special attention must be given when the results show all ports as closed, as this may not be true.
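To make the flag bits and the RFC 793 decision rule above concrete, here is an added example (not code from the tutorial or from nmap) that encodes the FIN/PSH/URG combination, models the reply a closed or open port sends, and maps it to the closed versus open|filtered states nmap reports, including a stack that answers RST for every port as the text describes for Windows. The port list used at the bottom is a constructed stand-in for the print server discussed later in the post.

```python
"""TCP flag bits behind an Xmas scan and the RFC 793 response rule nmap relies on."""

# Bit positions of the TCP flags byte (RFC 793 flags plus the later ECE/CWR bits).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def encode_flags(names):
    """Combine flag names into the flags byte, e.g. ('FIN', 'PSH', 'URG') -> 0x29."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.upper()]
    return value


def decode_flags(value):
    """Return the set of flag names that are set in a flags byte."""
    return {name for name, bit in TCP_FLAGS.items() if value & bit}


def is_xmas(value):
    """True for exactly the combination nmap -sX sends: FIN, PSH and URG and nothing else."""
    return value == encode_flags(("FIN", "PSH", "URG"))


def rfc793_reply(flags, port_open, always_rst=False):
    """Model what a target sends back to a probe that carries no SYN, ACK or RST.

    RFC 793: a closed port answers with RST; an open port silently drops the segment.
    always_rst models stacks that answer RST regardless of port state (the
    tutorial's Windows case). Returns 'RST' or None for no reply.
    """
    if flags & (TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"] | TCP_FLAGS["RST"]):
        raise ValueError("model only covers probes without SYN/ACK/RST, such as -sX or -sF")
    if always_rst or not port_open:
        return "RST"
    return None


def nmap_state(reply):
    """Map the reply (or silence) to the state nmap reports for -sX."""
    return "closed" if reply == "RST" else "open|filtered"


def scan_model(ports_open, always_rst=False):
    """Run the Xmas decision for {port: is_open} and return nmap's state per port."""
    probe = encode_flags(("FIN", "PSH", "URG"))
    return {port: nmap_state(rfc793_reply(probe, is_open, always_rst))
            for port, is_open in ports_open.items()}


if __name__ == "__main__":
    # Constructed target resembling the print server in the post: 515 and 631 open, 23 closed.
    target = {23: False, 515: True, 631: True}
    print("probe flags byte:", hex(encode_flags(("FIN", "PSH", "URG"))))
    print("RFC 793 stack:       ", scan_model(target))
    print("RST-for-everything:  ", scan_model(target, always_rst=True))
```

The second line of output is the all-closed picture the first scan in the post shows, produced even though two ports are open.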
Ok so now if you are still with me let's take a look at some scans.
First in the default mode with a look at the flags.
[code]
#nmap -sX -v -v 192.168.1.5
[/code]
-sX xmas tree scan
-v verbosity
[b] And our results. [/b]
[code]

Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-01 13:30 EDT
Initiating ARP Ping Scan at 13:30
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 13:30, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:30
Completed Parallel DNS resolution of 1 host. at 13:30, 0.05s elapsed
Initiating XMAS Scan at 13:30
Scanning 192.168.1.5 [1715 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 21 out of 70 dropped probes since last increase.
Completed XMAS Scan at 13:30, 16.56s elapsed (1715 total ports)
Host 192.168.1.5 appears to be up ... good.
All 1715 scanned ports on 192.168.1.5 are closed
MAC Address: 00:12:34:56:AA:FF (Cisco-Linksys)
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 17.024 seconds
Raw packets sent: 1821 (72.842KB) | Rcvd: 1718 (79.024KB)
[/code]
As you can see we really didn't learn much about our target. The only thing that we learned is that the ports all appear to be closed.
But this is not really the case. I know that there are open ports because the target is actually a print server.

[b]This time lets look more in depth at our target.[/b]
[code]
#nmap -sV -v -v -F -sX -O 192.168.1.5
[/code]
-sV service version
-O Operating system
-F Only scan ports listed on services.

[b] Now the relevant results[/b]
[code] Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: storage-misc|printer
Running: Hotway embedded, IBM embedded, Packard Bell embedded
OS details: Hotway HDC-U2LA NAS device, IBM 6400 Printer (software version 7.0.9.6), Packard Bell NetStore 3500
OS Fingerprint:
Purposely removed [/code]
This time we can see that nmap returned a print server. The device type is still incorrect. This can mean the difference between gaining access to the network and being shut out.
Print servers like this one usually have TCP ports 515 and 631 open, and often one or two more such as HTTP or telnet.

So we see that even though the two scans are not 100% accurate, we did gain some valuable information about our target. Again, a lot of devices will not respond to this type of scanning, but some will. Using the Xmas tree scan we can also help mask our intentions from an IDS. But remember that most system administrators worth their salt will ensure that their IDS picks up this type of scan. There are ways around this as well.
Try playing with this type of scan and see what kind of results you get.

Drop a line if this has helped or hindered you.

Sunday, May 25, 2008

Multipart PortScanning Tutorial Part 6

Because there has been some interest I will try to do a couple more tutorials on [URL="http://nmap.org/"]nmap[/URL]. I am using the latest version available.

[B]In this edition we will be looking at the results of some "ACK" Scans[/B].

Disclaimer: This information is for educational purposes only and not to commit a crime! If you do something that causes you to hose your box, don't cry to me. All IP addresses, MAC addresses, etc. have been munged!
[B]OK so first things first. If you are not up to speed, here are the other tutorials I have done on nmap.[/B]
[url="http://forums.remote-exploit.org/showthread.php?t=11001"]Part1[/url]
[URL="http://forums.remote-exploit.org/showthread.php?t=11003"]Part2[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11010"]Part3[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11025"]Part4[/URL]
[url="http://forums.remote-exploit.org/showthread.php?t=11216"]Part5[/url]

[B]Next let's talk a minute about what an "ACK" scan is.[/B]
[quote]-sA (TCP ACK scan)
This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 1, 2, 3, 9, 10, or 13), are labeled filtered.
[URL="http://nmap.org/docs.html"]From the nmap online documentation[/URL]. [/quote]

So what does this mean to us? First, when dealing with TCP/IP we all know how connections work: when a connection is established or data is transferred one would normally see an ACK, or acknowledgment, meaning that the connection was made and a transfer of some sort took place. So when we scan for hosts by sending out ACK packets, what we are doing is telling the target machine that we have "received the transmission". But since this is our first real communication with said target, it will not know how to respond, and this in turn will generate RST, or reset, packets. Now if we look above we see that nmap labels these ports as unfiltered, and in turn they are reachable. This second part is really the only part we care about. By sending out ACK packets we can determine whether a host is alive and possibly not set off IDS alarms. Now there is a caveat to this: if there are a lot of ACK packets hitting a target, then an IDS will most likely see this and of course set off the alarm.
There are several ways we can mitigate this with nmap, which I will show more of in a later tutorial.
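As an added example (not part of the original tutorial, and not nmap's own code), here is the detection side of both the Xmas scan shown earlier and the ACK scan just described: a small pure-Python detector over constructed packet records that flags a source sending FIN/PSH/URG probes, or bare ACKs with no preceding SYN, to many distinct ports. The packet records, addresses and threshold are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # the "lit up" combination nmap -sX sends


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture timestamp (seconds)
    src: str
    dst: str
    dport: int
    flags: int


def detect_scans(packets, port_threshold=20):
    """Return sorted (kind, src, distinct_ports) alerts for Xmas and bare-ACK sweeps.
    A lone ACK is only suspicious when that source never started a handshake
    (sent a SYN) to the same destination. No time window is used, so a slow
    -T paranoid sweep still accumulates toward the threshold."""
    seen_syn = set()                       # (src, dst) pairs with a real handshake
    probes = {"xmas": defaultdict(set), "ack": defaultdict(set)}
    for p in sorted(packets, key=lambda p: p.ts):
        if (p.flags & SYN) and not (p.flags & ACK):
            seen_syn.add((p.src, p.dst))
        elif (p.flags & XMAS) == XMAS and not (p.flags & (SYN | ACK | RST)):
            probes["xmas"][p.src].add((p.dst, p.dport))
        elif p.flags == ACK and (p.src, p.dst) not in seen_syn:
            probes["ack"][p.src].add((p.dst, p.dport))
    return sorted((kind, src, len(targets))
                  for kind, by_src in probes.items()
                  for src, targets in by_src.items()
                  if len(targets) >= port_threshold)


def sample_packets():
    """Constructed traffic: one scanner, one legitimate print job, one noisy host."""
    scanner, printer, client = "192.168.1.66", "192.168.1.5", "192.168.1.10"
    pkts = [Pkt(t, scanner, printer, 1 + t, XMAS) for t in range(25)]          # -sX sweep
    pkts += [Pkt(100 + t, scanner, printer, 500 + t, ACK) for t in range(30)]  # -sA sweep
    pkts.append(Pkt(50, client, printer, 631, SYN))                            # real handshake
    pkts += [Pkt(51 + t, client, printer, 631, ACK) for t in range(40)]        # data ACKs
    pkts += [Pkt(200 + t, "192.168.1.77", printer, 9100 + t, ACK) for t in range(3)]
    return pkts


if __name__ == "__main__":
    for kind, src, n in detect_scans(sample_packets()):
        print(f"{kind} scan from {src}: {n} distinct ports probed")
```

Because the counter has no time window, a -T Paranoid sweep spaced minutes apart still trips it once enough distinct ports have been probed, at the cost of remembering every source for the life of the capture.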
[b]So our first default scan should look something like this.[/b]
[code]#nmap -v -v -sA 192.168.1.5 [/code]
Now I included the -v -v for verbosity level two just to get all of the information out of this basic scan that we can.
[b]Now lets look at the results. [/b]
[code]
Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-00 12:26 EDT
Initiating ARP Ping Scan at 12:26
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 12:26, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:26
Completed Parallel DNS resolution of 1 host. at 12:26, 0.05s elapsed
Initiating ACK Scan at 12:26
Scanning 192.168.1.5 [1715 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 40 out of 133 dropped probes since last increase.
Completed ACK Scan at 12:26, 15.39s elapsed (1715 total ports)
Host 192.168.1.5 appears to be up ... good.
All 1715 scanned ports on 192.168.1.5 are unfiltered
MAC Address: 00:12:34:45:AA:FF (Cisco-Linksys)
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.828 seconds
Raw packets sent: 1836 (73.442KB) | Rcvd: 1716 (78.932KB)[/code]

Now the only thing that we learned is that the target is there, which we should already have known before we started scanning it. Blindly scanning a target is how we set off alarms!
OK, now let's look at it again, only this time we will be trying to find out some info on the OS and what services are running.
But remember we do not want to trip the alarm, so we are going to be a little sneaky with our throttling. Note this may or may not hide us; that is not the real point here.
[code]
#nmap -sV -v -v -F -T Paranoid -sA -O -PN 192.168.1.5
[/code]
This time we have several flags set.
-sV for service versions.
-v -v again verbosity level 2
-F to only scan the ports listed on the service version scan. No sense scanning all possible ports as this could trigger alarms.
-T Paranoid again to help mask what we are doing.
-sA is for the ACK scan itself.
-O for OS detection
-PN so that we do not ping the target before scanning. Again to mask what we are doing from the target itself.
[b]And of course the output[/b]
[code]
Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-00 13:04 EDT
Initiating ARP Ping Scan at 13:04
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 13:04, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:04
Completed Parallel DNS resolution of 1 host. at 13:04, 0.05s elapsed
Initiating ACK Scan at 13:04
Scanning 192.168.1.5 [1276 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 45 out of 150 dropped probes since last increase.
Completed ACK Scan at 13:04, 11.45s elapsed (1276 total ports)
Initiating Service scan at 13:04
Initiating OS detection (try #1) against 192.168.1.5
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.1.5 appears to be up ... good.
All 1276 scanned ports on 192.168.1.5 are unfiltered
MAC Address: 00:12:34:45:AA:FF(Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: storage-misc|printer
Running: Hotway embedded, IBM embedded, Packard Bell embedded
OS details: Hotway HDC-U2LA NAS device, IBM 6400 Printer (software version 7.0.9.6), Packard Bell NetStore 3500
OS Fingerprint:
Purposely Removed
Network Distance: 1 hop
Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.866 seconds
Raw packets sent: 1343 (55.504KB) | Rcvd: 1283 (59.160KB) [/code]

So this time we picked up a bit more detail. I will say that what was reported by the scan's OS details is incorrect, but the device type is correct. Also note that the MAC address is listed as Cisco-Linksys. This, along with the device type, is the most relevant info we have gained. In order to actually penetrate the target we need more information, which I will leave up to you to learn about.

So again we have covered using an ACK scan with nmap. There are more options, reasons, and ways of using this type of scan; I have shown you only the basics.
When I get the chance I will be showing more options for IDS spoofing and evasion techniques. I have purposely left this info out of this tutorial!

If this has helped or hindered you say something. :)