Who is still enjoying the freedom? :)
Good, it seems like my lessons didn’t work yet :)
Just kidding. I want you always to be safe, you heard that?
We dived into the scanning phase by learning nmap scan techniques, and today we’ll see how these scans can be detected using display filters in Wireshark, and what the countermeasures are.
For this article I created a lab with 2 PCs; 1 XP machine and 1 BackTrack 3 beta machine.
I also ran Wireshark for 1 hour and 10 minutes of capturing traffic; this traffic included web browsing and nmap scans.

As you can see, Wireshark captured 213633 packets in 4354 seconds. On a real production network these numbers are very humble; the real numbers will be scary. You have to try it yourself.
So imagine with me that you put Wireshark on your network, which consists of 50 PCs all connected to the Internet, all of them online all of the time, and your network has been scanned by a bad guy. How can you check that using Wireshark (assuming you don’t have an Intrusion Detection System installed and assuming you don’t know what type of scan the bad guy used)?
Before we start, there are just 2 things I want to clarify:
1- Each protocol has a number assigned to it; these numbers are assigned by an organization called IANA (Internet Assigned Numbers Authority). IANA is responsible for the global coordination of the DNS root, IP addressing, and other Internet protocol resources.
For example ICMP is assigned the decimal number 1, TCP is assigned 6 and UDP is assigned 17, while 4 is IPv4 encapsulation (IP-in-IP), and so on. These are the values you compare against the ip.proto field in Wireshark.
For the whole list of Assigned Internet Protocol Numbers, please visit the IANA website http://www.iana.org/assignments/protocol-numbers
2- Remember, in the Whois article we talked about the TCP flags, and that there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR
These flags have decimal numbers as well assigned to them:
FIN = 1
SYN = 2
RST = 4
PSH = 8
ACK = 16
URG = 32
ECE = 64
CWR = 128
So for example, if we want the SYN/ACK flag decimal value, we add 2 (which is the decimal value of the SYN flag) to 16 (which is the decimal value of the ACK flag), so the result would be 18.
What about the XMAS scan? From the article “Scanning using Nmap - Part 1” we learned that the XMAS scan sets the FIN, PSH and URG flags, so if we add 1 + 8 + 32, then the decimal values of the flags is 41.
Don’t worry about these numbers; we will understand them as soon as we start analyzing the traffic.
TCP Connect Scan (Plain Vanilla)
“TCP Connect Scan” or “Plain Vanilla” attempts to complete the whole 3-Way handshake with each target host.
The attacker sends a SYN to the target. If the target’s port is open it responds with a SYN/ACK, the attacker sends the last ACK to complete the handshake, and then tears the connection down with a RST. If the port is closed, the target answers the SYN with a RST/ACK instead.
Threshold:
It is very normal to see a lot of TCP 3-Way handshakes in your network’s traffic, but if this kind of traffic is explosive and the number of handshakes per second is extremely high, then you have to investigate it and check the IP responsible.
You are the only one who can specify this threshold, because you are the only one who knows your network’s traffic.
Keep Wireshark running for a whole working day; this will give you an average idea about the traffic on your network. I say average because one day the network users might be busy working :) so the traffic gets lower, or the opposite.
Filter:
The filter we are going to apply to check if a TCP Connect Scan occurred on our network is:
ip.proto == 6 and tcp.flags == 18
We chose 6 for ip.proto because this is the Assigned Internet Protocol Number for TCP, and 18 for tcp.flags because 18 is the decimal value of SYN and ACK set together. (The ip.proto test is redundant, since only TCP packets carry a tcp.flags field, but it makes the intent explicit.) Keep in mind that this filter shows the SYN/ACK replies of open ports, which you will also see during a SYN scan; what makes it a connect scan is the ACK the attacker sends back to complete the handshake before the RST.
TCP Connect Scan on Wireshark:
Because my lab is small compared to a real network, the filter is not so obvious, but as you can see the target (192.168.2.64) sends responses back within 1 second to the attacker (192.168.2.68), telling him which ports are open.
TCP SYN Scan (Half Open)
TCP SYN scan is a little bit stealthier than the previous scan, because it uses a different technique. The attacker sends a SYN to the target; if the target’s port is open and it responds with a SYN/ACK, the attacker immediately tears the connection down with a RST instead of completing the handshake, so no full connection is ever established (and nothing is logged by the application).
Threshold:
As we know, a SYN scan starts like the 3-Way handshake, but instead of completing the handshake it terminates the connection with a RST flag. So this kind of traffic might appear to be normal, but you have to look at the number of half-open connections: if the SYN packets from one host greatly outnumber the SYN/ACK packets it receives, and the rest of its SYNs are answered with RST/ACK, then there is something wrong.
Filter:
The filter we are going to apply to check if a TCP SYN Scan occurred on our network is:
ip.proto == 6 and tcp.flags == 2
We chose 6 for ip.proto because this is the Assigned Internet Protocol Number for TCP, and 2 for tcp.flags because 2 is the decimal value of the SYN flag on its own; a SYN/ACK (18) does not match. The same filter can be written with the per-flag fields, tcp.flags.syn == 1 and tcp.flags.ack == 0, which is easier to read when you come back to it later.
TCP SYN Scan on Wireshark:
The attacker here is 192.168.2.64, and he is sending the target 192.168.2.68 a lot of SYN packets in a very short time; this for sure indicates a SYN Scan.
Let’s compare the number of SYN flagged packets to the SYN/ACK flagged ones.

Wow, did you see that? When I applied the SYN flag filter, Wireshark displayed 63018 packets.
While when I applied the SYN/ACK flag filter, Wireshark displayed 542 packets. There is a huge difference between both numbers, this difference indicates the huge amount of Half Open connections.
TCP FIN Scan
The FIN Scan breaks the rule of TCP connection establishment because it sends an unexpected packet at the start of the connection, which is the FIN flag.
Threshold:
FIN flags are part of any communication between 2 hosts, because the communication has to end at some moment, but if you see an explosive number of FIN flagged packets without a previously established connection, then take care of that. Note that a normal close is a FIN/ACK (decimal 17), because the ACK bit is always set once a connection is established, while nmap’s FIN scan sends a bare FIN (decimal 1); the exact-match filter below already leaves out most legitimate FINs for that reason.
Filter:
The filter we are going to apply to check if a TCP FIN Scan occurred on our network is:
ip.proto == 6 and tcp.flags == 1
We chose 6 for ip.proto because this is the Assigned Internet Protocol Number for TCP, and 1 for tcp.flags because 1 represents the decimal value of the FIN flag on its own.
TCP FIN Scan on Wireshark:
The attacker here is 192.168.2.64, and he is sending the target 192.168.2.68 a lot of FIN packets in a very short time; this for sure indicates a FIN Scan.
TCP XMAS Scan
The XMAS Scan breaks the rule of TCP connection establishment because it sends an unexpected packet at the start of the connection, by setting the FIN, PSH and URG flags.
Threshold:
XMAS packets should never be seen on your network, so if you see a single XMAS flagged packet, then someone is scanning your network.
Filter:
The filter we are going to apply to check if a TCP XMAS Scan occurred on our network is:
ip.proto == 6 and tcp.flags == 41
We chose 6 for the ip.proto because this is the Assigned Internet Protocol Number for the TCP protocol, and we chose 41 for the tcp.flags because 41 represents the decimal value of the (FIN + PSH + URG flags).
TCP XMAS Scan on Wireshark:
As we said, you should never ever see an XMAS packet on your network for any reason, and as you can see in the picture the attacker 192.168.2.64 is doing an XMAS Scan against 192.168.2.68.
TCP NULL Scan
The NULL Scan breaks the rule of TCP connection establishment because it sends an unexpected packet at the start of the connection, with no flags set at all.
Threshold:
NULL packets should never be seen on your network, so if you see a single NULL flagged packet, then someone is scanning your network.
Filter:
The filter we are going to apply to check if a TCP NULL Scan occurred on our network is:
ip.proto == 6 and tcp.flags == 0
We chose 6 for the ip.proto because this is the Assigned Internet Protocol Number for the TCP protocol, and we chose 0 for the tcp.flags because 0 means that all flags are removed.
TCP NULL Scan on Wireshark:
As we said, you should never ever see a NULL packet on your network for any reason, and as you can see in the picture the attacker 192.168.2.64 is doing a NULL Scan against 192.168.2.68.
TCP ACK Scan
The idea behind the TCP ACK scan is very simple and very smart; I will give you an analogy to get how it is working.
We don’t know each other, right?
Imagine I met you once in the street, and suddenly I went to you and said “hey man, where have you been all of this time? Not even a single mail, shame on you?” :)
What will you think? You will say “This man knows me for sure, but probably I don’t remember him”, and then you will start answering me “Oh, I’m fine, and sorry for not sending you mails but I was very busy the last few weeks. I got a baby and…” and you will start talking friendly.
TCP ACK Scan works almost the same way: it sends a bare ACK to the target’s ports, as if a connection already existed, and the target answers as if it had started a connection with this computer before. That answer is a RST for every unfiltered port, open or closed, so the ACK scan does not tell the attacker which ports are open; it tells him which ports a firewall lets through (unfiltered) and which ones it silently drops (filtered). This is why nmap uses it to map firewall rules.
Threshold:
As we know, ACK is the last packet of the 3-Way handshake, and every acknowledgement of received data is a bare ACK as well, so seeing ACK packets on the network is normal. What is not normal is one source sending ACKs to many different ports on a host with no connection behind them, and the target answering each one with a RST (tcp.flags == 4); if you see that in extremely high numbers, an ACK scan is occurring.
Filter:
The filter we are going to apply to check if a TCP ACK Scan occurred on our network is:
ip.proto == 6 and tcp.flags == 16
We chose 6 for the ip.proto because this is the Assigned Internet Protocol Number for the TCP protocol, and we chose 16 for the tcp.flags because 16 represents the decimal value of the ACK flag.
TCP ACK Scan on Wireshark:
The attacker here is 192.168.2.64, and he is sending the target 192.168.2.68 a lot of ACK packets in a very short time; this for sure indicates an ACK Scan.
UDP Scan
Because UDP is simpler than TCP (no 3-Way handshake, no flags, no sequence numbers), the UDP scan is very simple as well.
The attacker sends a UDP packet to each port on the target. There can be 4 responses: an ICMP Port Unreachable (type 3, code 3), which indicates a closed port; no response, which means the port is either open or filtered by a firewall; a different ICMP unreachable error, which means filtered; or a UDP response, which means the port is open.
Threshold:
UDP traffic itself is normal (DNS, for example), but a UDP datagram with no payload at all is not something a real application sends. A burst of them from one host to many different ports, answered by a burst of ICMP Port Unreachable messages, means something bad.
Filter:
The filter we are going to apply to check if a UDP Scan occurred on our network is:
ip.proto == 17 and ip.len == 28
We chose 17 for ip.proto because this is the Assigned Internet Protocol Number for UDP, and an IP Total Length (the length, in bytes, of the entire IP packet, header and data) of 28 because the IP header is 20 bytes and the UDP header is 8 bytes, so 20+8=28: a UDP datagram carrying no data at all.
Do not simply change the equal sign to “greater than or equal”: every UDP packet has ip.len >= 28, so that filter would show you all of your UDP traffic. Nmap does send protocol-specific payloads to a handful of well-known UDP ports, so a few of its probes will be longer than 28 bytes; you catch those from the other side, with the target’s replies: icmp.type == 3 and icmp.code == 3 (Destination Unreachable, Port Unreachable).
UDP Scan on Wireshark:

The attacker here is 192.168.2.64, and he is sending the target 192.168.2.68 a lot of UDP packets in a very short time; this for sure indicates a UDP Scan.
And the target 192.168.2.68 kept responding with the ICMP message “Destination Unreachable – Port Unreachable”, which indicates a closed port.
Now that we have learned how to detect a scan, we have to know how we can defend against or avoid these kinds of attacks.
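To make the filters above concrete, here is an added example (mine, not code from the original article) that applies the same rules to packet records in Python: the flag values from the table above, the SYN versus SYN/ACK comparison that separates SYN and connect scans from normal traffic, bare FIN and ACK probes with no connection behind them, XMAS and NULL packets, and empty UDP datagrams. It runs over a constructed list of packets rather than a capture; the record fields, the threshold of 20 probes and the 4:1 SYN-to-SYN/ACK ratio are assumptions chosen for the illustration.

```python
"""Port-scan triage over packet records, mirroring the article's Wireshark filters.

Added example, not code from the original article. Instead of a live capture it
takes a list of packet records; the record fields, the thresholds and the sample
traffic in build_sample() are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

TCP, UDP = 6, 17                                   # IANA protocol numbers (ip.proto)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128   # tcp.flags bits
SYN_ACK = SYN | ACK                                # 18
XMAS = FIN | PSH | URG                             # 41
NULL = 0
EMPTY_UDP_LEN = 20 + 8                             # ip.len of a UDP datagram with no data


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    flags: int = 0        # TCP flags byte (0 for non-TCP)
    ip_len: int = 40      # ip.len, total IP length in bytes


def detect_scans(packets, threshold=20, ratio=4.0):
    """Return {src_ip: findings}. A small per-flow handshake state machine lets us
    tell bare FIN/ACK probes from the FINs and ACKs of real connections, and
    "SYN/ACK then RST" (half-open) from "SYN/ACK then ACK" (full connect)."""
    counts = defaultdict(Counter)   # src ip -> event counters
    flows = {}                      # (client, server, sport, dport) -> state
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport)      # flow as sent by the client
        rkey = (p.dst, p.src, p.dport, p.sport)     # same flow seen from the server
        if p.proto == UDP:
            if p.ip_len == EMPTY_UDP_LEN:           # ip.proto == 17 and ip.len == 28
                counts[p.src]["empty_udp"] += 1
            continue
        if p.proto != TCP:
            continue
        if p.flags == SYN:                          # tcp.flags == 2
            counts[p.src]["syn"] += 1
            flows[key] = "syn"
        elif p.flags == SYN_ACK:                    # tcp.flags == 18, sent by the target
            counts[p.dst]["synack"] += 1            # credited to the host that receives it
            if flows.get(rkey) == "syn":
                flows[rkey] = "synack"
        elif p.flags == ACK:                        # tcp.flags == 16
            if flows.get(key) == "synack":
                flows[key] = "established"          # third step of the handshake
                counts[p.src]["completed"] += 1
            elif key not in flows and rkey not in flows:
                counts[p.src]["orphan_ack"] += 1    # ACK with no connection behind it
        elif p.flags == FIN:                        # tcp.flags == 1 (a real close is FIN/ACK)
            if key not in flows and rkey not in flows:
                counts[p.src]["orphan_fin"] += 1
        elif p.flags == XMAS:                       # tcp.flags == 41
            counts[p.src]["xmas"] += 1
        elif p.flags == NULL:                       # tcp.flags == 0
            counts[p.src]["null"] += 1
        elif p.flags & RST and flows.get(key) == "synack":
            flows[key] = "aborted"                  # RST instead of the final ACK
            counts[p.src]["half_open"] += 1

    findings = {}
    for src, c in counts.items():
        f = {}
        if c["syn"] >= threshold and c["syn"] > ratio * c["synack"]:
            f["tcp_scan"] = "half-open" if c["half_open"] >= c["completed"] else "connect"
        if c["orphan_fin"] >= threshold:
            f["fin_scan"] = c["orphan_fin"]
        if c["xmas"]:                 # a single XMAS or NULL packet is already a finding
            f["xmas_scan"] = c["xmas"]
        if c["null"]:
            f["null_scan"] = c["null"]
        if c["orphan_ack"] >= threshold:
            f["ack_scan"] = c["orphan_ack"]
        if c["empty_udp"] >= threshold:
            f["udp_scan"] = c["empty_udp"]
        if f:
            findings[src] = f
    return findings


def build_sample():
    """Constructed traffic: 192.168.2.64 SYN-scans 50 ports on 192.168.2.68 (3 open),
    sends one XMAS probe and 30 empty UDP datagrams; 192.168.2.10 is a normal client."""
    a, t, c = "192.168.2.64", "192.168.2.68", "192.168.2.10"
    pkts = []
    for port in range(1, 51):
        pkts.append(Pkt(a, t, TCP, 40000 + port, port, SYN))
        if port in (22, 25, 80):
            pkts.append(Pkt(t, a, TCP, port, 40000 + port, SYN_ACK))
            pkts.append(Pkt(a, t, TCP, 40000 + port, port, RST))      # half-open teardown
        else:
            pkts.append(Pkt(t, a, TCP, port, 40000 + port, RST | ACK))  # closed port
    pkts.append(Pkt(a, t, TCP, 41000, 80, XMAS))
    pkts += [Pkt(a, t, UDP, 50000, port, ip_len=EMPTY_UDP_LEN) for port in range(1, 31)]
    pkts += [Pkt(c, t, TCP, 51000, 80, SYN), Pkt(t, c, TCP, 80, 51000, SYN_ACK),
             Pkt(c, t, TCP, 51000, 80, ACK), Pkt(c, t, TCP, 51000, 80, PSH | ACK, 500),
             Pkt(c, t, TCP, 51000, 80, FIN | ACK)]
    return pkts


if __name__ == "__main__":
    for src, found in detect_scans(build_sample()).items():
        print(src, found)
```

To run it against a real capture, export the same fields from the command-line companion of Wireshark (tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -e tcp.flags -e ip.len) and build one Pkt per line; tshark prints tcp.flags in hex, so convert it with int(value, 16). Tuning the threshold and the ratio to your own traffic is the “you are the only one who knows your network” part of the article.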
Port Scanning Countermeasures:
1- The first and most obvious countermeasure is to close all of the unwanted ports. Most administrators (whether sysadmins or netadmins) install with the default settings, because it’s the easiest: why should I bother finding the open ports? How do I close them? What if closing a port causes me problems with the big boss because something suddenly stopped? And a lot of other excuses.
First, we have to detect the open ports, and to do that:
For Windows users, I like to use Fport (from Foundstone, now part of McAfee) and TCPView (from Sysinternals, now part of Microsoft); the built-in netstat -ano also lists every listening port together with the PID that owns it.
For Linux users, I like the command line lsof “List Open Files” (lsof -i -P -n shows only the network sockets); netstat -tulpn gives the same picture with the PIDs.
After finding the unwanted ports, now it’s time to close the process which is using this port (if the process or service not needed).
On Windows, you can use Pskill (ex Sysinternals, Microsoft recently), the command line kill or taskkill, or use “Services” management console from the “Administrative Tools” in the “Control Panel”
On Linux, you can use the kill command with the specified PID (Process ID); this is exactly like the Windows taskkill command. Either way, the service comes back at the next restart.
If you want to close the port permanently, use the “Services” management console on Windows. On Linux, for a service started by xinetd, edit /etc/xinetd.d/[service], set the line disable = yes, and reload xinetd; for a standalone service use chkconfig [service] off (or your distribution’s equivalent) so it is not started at boot.
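As an added example (mine, not part of the original article) of this first step on Linux, the script below finds listening TCP ports the way lsof and netstat do, by reading /proc/net/tcp and mapping each socket’s inode to a PID through /proc/<pid>/fd, and then shows how to set disable = yes in an xinetd service file. The /proc/net/tcp table and the telnet service file inside it are constructed samples, and the function names are my own.

```python
"""List listening TCP ports with their owning process from /proc, and switch
off an xinetd service by editing its config text.

Added example, not code from the original article. The /proc/net/tcp table and
the xinetd service file below are constructed samples; function names are mine.
"""
import glob
import os

LISTEN = "0A"   # value of the 'st' column for a TCP socket in LISTEN state

# Constructed sample in /proc/net/tcp format: sshd on *:22, cupsd on 127.0.0.1:631,
# and one ESTABLISHED client connection (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 4002A8C0:B3C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def parse_listen_sockets(table_text):
    """Return [(port, inode)] for every LISTEN row of a /proc/net/tcp-format table.
    Addresses are hex 'addr:port'; the inode is what links a socket to a process."""
    found = []
    for line in table_text.splitlines()[1:]:            # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != LISTEN:
            continue
        port = int(cols[1].rsplit(":", 1)[1], 16)
        found.append((port, int(cols[9])))
    return found


def inode_to_pid(inode):
    """Scan /proc/<pid>/fd for the socket inode (root is needed to see other users' processes)."""
    target = f"socket:[{inode}]"
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                return int(fd.split("/")[2])
        except OSError:
            continue
    return None


def listening_ports():
    """{port: (pid, process name)} for the live system; Linux only, {} elsewhere."""
    result = {}
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                table = fh.read()
        except OSError:
            continue
        for port, inode in parse_listen_sockets(table):
            pid = inode_to_pid(inode)
            name = None
            if pid is not None:
                try:
                    with open(f"/proc/{pid}/comm") as fh:
                        name = fh.read().strip()
                except OSError:
                    pass
            result.setdefault(port, (pid, name))
    return result


# Constructed sample of an /etc/xinetd.d/<service> file with the service enabled.
SAMPLE_XINETD = """\
service telnet
{
\tflags\t\t= REUSE
\tsocket_type\t= stream
\twait\t\t= no
\tuser\t\t= root
\tserver\t\t= /usr/sbin/in.telnetd
\tdisable\t\t= no
}
"""


def disable_xinetd_service(config_text):
    """Return the config with 'disable = yes' set, adding the line before the closing
    brace if it is missing. Write the result back and reload xinetd to apply it."""
    out, done = [], False
    for line in config_text.splitlines():
        if line.strip().startswith("disable"):
            out.append("\tdisable\t\t= yes")
            done = True
        elif line.strip() == "}" and not done:
            out.extend(["\tdisable\t\t= yes", line])
            done = True
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(parse_listen_sockets(SAMPLE_PROC_NET_TCP))   # [(22, 12345), (631, 12346)]
    for port, (pid, name) in sorted(listening_ports().items()):
        print(f"tcp/{port}\tpid={pid}\t{name}")
    print(disable_xinetd_service(SAMPLE_XINETD))
```

Running it as root gives the same port-to-process mapping as lsof -i or netstat -tulpn; as a normal user the PID column stays empty for sockets owned by other users, which is exactly why the article says you need root for this job.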

2- The second way that will help you defend yourself is to attack yourself before the hacker does. What I mean here is to try using the scanning tools yourself against your network, this way you will be able to see in reality how your network is reacting towards attacks.
BUT, 2 things you have to notice before doing that:
The first is to make sure that you have an approval for doing that, your boss might not be as kind as my boss :)
The second thing to notice, is that scanning tools are creating extra traffic on your network, because they are sending and receiving packets, this will eat from your traffic bandwidth, thus slowing down your network performance. So for that, just monitor your network performance while you are scanning.
3- Use stateful packet filters and proxy devices
Normally, there are 3 types of filtering devices: static (stateless) packet filters, stateful packet filters, and proxies.
Static packet filters (such as access lists on Cisco routers) block traffic using simple per-packet rules, such as filtering by IP address or port, without remembering anything about earlier packets.
Stateful filters (such as the Cisco PIX firewall and Checkpoint firewall) and proxies keep a record of earlier packets. For example, if I send you an ACK flagged packet, the stateful device checks its table of already-open connections; if the ACK doesn’t belong to an existing connection, the packet is dropped, which is exactly what defeats the ACK scan we saw above.
I hope that you are still enjoying our long journey in Penetration Testing.
Till next article
Take care.
NMAP Detection and Countermeasures
Posted by Hayman Ezzeldin
Labels: 4- Scanning, Labs
Installing VMware Server on Linux
For the Linux lovers – whom I belong to :)
It’s our turn today to learn the steps for installing VMware Server on a Linux OS
Note: I’m going to copy parts from my previous article “Installing VMware Server on Windows”; it’s the parts that should be common
Because we don’t want to be sent to jail, or lose our jobs – because you might get the idea of testing your knowledge against live networks, right? :) And because we want to practice our hacking techniques, so we have to start with creating a VIRTUAL lab :)
First we’ll create a virtual machine using VMware Server, which is free software that can be downloaded from here http://www.vmware.com/download/server/
A virtual machine is a simulated computer that runs on a real physical computer but acts as if it is a separate computer, so you can have your PC or laptop that has one of the Linux distributions installed and at the same time you can run various Operating systems without the need to format or dual boot.
Here for example, my computer is running Windows, but I was able by using VMware to create a Virtual Machine that has various operating systems installed like Apple, Solaris, and Linux…
Almost any operating system can be installed
In this lab we will learn how to install VMware server on a Linux Fedora Core 8, which is the latest version at the moment of typing :)
Prerequisites:
But before we start downloading and installing VMware, there are some prerequisites needed:
1- Development Libraries
2- Development Tools
3- Kernel-Devel
4- Xinetd
1- The 4 packages needed can be installed in one step which is through the “Add/Remove Software”, but I will do it in more steps using the “Add/Remove Software” and the “Terminal” (for the Terminals lovers) :)
Go to “Applications”, and then from the menu choose the “Add/Remove Software”
2- To install these packages you need to have the ROOT privilege (it’s like ADMINISTRATOR for Windows users)
So, if you are logged as a normal user, you will be prompted to enter a “root” password, but if you are logged already as a “root” then you will go directly to the “Package Manager”
3- In the “Package Manager”, from the “Browse” tab, highlight “Development” and choose from the listed packages:
a- Development Libraries
b- Development Tools
These development packages are required because we’ll need to compile a few pieces of the VMware Server package.
Click “Apply” to complete installing the packages.
4- To install the Kernel-Devel and the Xinetd, we need to open a Terminal and type the following commands
a- su (This su command is required if you are logged in as a normal user and not a root, and you will be prompted afterwards to enter the “root” password)
b- yum install kernel-devel (“yum” is an automatic updater and package installer, and it stands for “Yellowdog Updater Modified”)
Kernel-devel is required because it includes the kernel headers that match your running kernel, which are needed to compile a few pieces of the VMware Server package (the kernel modules).
c- yum install xinetd (“xinetd” is the eXtended Internet service Daemon, and it’s needed to be able to deal with running network services)
Now we are ready for starting the VMware server installation process.
1- On the Download page of VMware Server, click the “Download Now” button, this will take you to the “End User License Agreement” or EULA.
EULA is very important to read because it gives you a general idea about the software you are about to download or install, it also includes your rights and your responsibilities; it tells what you are allowed to do with this piece of software and what you are not allowed to do.
And I’m sorry, but if you want to download or install VMware Server on your machine, then you have to accept the EULA (Take it or leave it)
2- At the bottom of the EULA page, you will see 2 buttons; “Yes” and “No”, to be taken to the download links you have to click the “Yes” button
3- We can see 2 binaries for the Linux OS; “.tar.gz” and “.rpm”
TAR stands for “Tape Archive”, GZ stands for “GNU Zip”, while RPM stands for “RPM Package Manager” (originally “Red Hat Package Manager”)
The “.rpm” is a package for RPM-based distributions (Red Hat, Fedora, SUSE…) that the package manager installs and keeps track of, while the “.tar.gz” is just a compressed archive of the installer files. Windows users can think of the rpm as a setup exe and the tar.gz as a zip file (it’s not exactly like that, but it’s the closest to make it clear for Windows users)
I’m going to choose the “.tar.gz”, because this is compatible with all Linux distros and Unix OS
4- You will be prompted for the download location, save the file wherever you like.
5- Write the commands as follow:
a- su
b- tar xvfz ‘xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx’ (Where the multi X line represents the path of the “.tar.gz” file)
tar is the command used to create or extract archives
The x option is to “extract”
The v option is to verbose; to output the name of each file extracted
The f option is to specify the name of the file
The z option is used when you are extracting gzip files
c- ls (this command is just to list the contents of a directory, and I just typed it to check the name of the extracted folder)
d- cd vmware-server-distrib (cd stands for “Change Directory”)
e- ls
f- ./vmware-install.pl (this is the command that will start the VMware Server installation)
The installer will ask a lot of questions; choose the defaults always by hitting the “Enter” button.
Because at this moment, VMware Server is not ready for the latest Linux Kernel (the kernel I’m doing my lab is 2.6.1-42.fc8), you might get this error when it comes to the part of building the vmmon module:
“Unable to build the vmmon module”
Now, we need to solve this problem by installing a patch file.
7- The patch file is called vmware-any-any-updatexxx, where xxx is 115 at the moment. This file can be downloaded from http://knihovny.cvut.cz/ftp/pub/vmware/vmware-any-any-update115.tar.gz
The command used is:
wget http://knihovny.cvut.cz/ftp/pub/vmware/vmware-any-any-update115.tar.gz
Note that this is a third-party patch that you are about to run as root, so only fetch it from a mirror you trust.
8- We’ll use the tar command to extract the compressed file
tar xvfz vmware-any-any-update115.tar.gz
9- Change directory to vmware-any-any-update115 and run the runme.pl file
a- cd vmware-any-any-update115
b- ./runme.pl
The patch will start updating the non compatible VMware modules.
Then it will start the process of completing the VMware Server installation which failed before. You will get a lot of questions; all you have to do is accept the defaults by hitting the “Enter” button
Now we are done successfully :) and VMware is installed successfully as well.
To start your VMware console, go to “Applications”, “Other”, and from the submenu select “VMware Server Console”
And to start creating your first virtual machine, all you have to do is to read another article :)
The article is “Creating your first virtual machine”
I hope I made the steps in an easy way that everyone can follow, and please if you have any recommendations or comments don’t hesitate to contact me.
Also don’t forget to update us all if anything is changed :)
Till next article,
Take care.
Labels: Labs
Creating the first virtual machine
By installing VMware, we are finished with the first step. Our second step is to create our first virtual machine in our lab. The choice of the operating system depends on you and the way you want to design your lab, and the steps to create a virtual machine are the same for every operating system.
For our blog’s lab, this will vary according to the attack we are practicing. For example, in the Scanning using Nmap - Part 2, we discussed a scanning technique called “Idle Scan”, in this scan we were in need for 3 machines; Attacker, Target, and a Zombie
You can choose to have the 3 machines with Windows OS or Linux or whatever operating system you feel comfortable with; you can even make a mix of operating systems; 1 Windows, 1 Linux, 1 Live CD…
It’s all your choice.
Now, to the steps of creating our first machine in our lab.
After installing VMware on your computer, you should see the “VMware Server Console” icon on your desktop.
1- Double click this icon to start your “VMware Server Console”
2- The first screen asks you if you want to use the VMware Console that is installed locally, or do you have another console that is installed on another computer and you would like to use it remotely?
Because this is our first and the only VMware Server Console that we will need and use, then we will keep the default choice “Local host” radio button, and click “OK”
3- This is the main window which you will see all the time when you are dealing with your virtual machines.
For creating any new machines, we have to click the “New Virtual machine” link, this will lead you to the “New Virtual machine Wizard”
4- Click “Next >”
5- Now we are going to configure the virtual machine we want to create, there are 2 options here; “Typical” and “Custom”
With “Typical” configuration, you are going to create a machine with the default components (such as a Floppy Disk, Hard Disk, Network Card, 1 Processor…), while with “Custom” configuration you create your machine with additional devices and settings according to your needs (such as the number of processors required, the size of memory, the type of hard disk, IDE or SCSI…)
By the way, all of these settings can be changed later. For example if you created a machine using the “Typical” configuration, you still can change the number of processors, the amount of memory, and the type of hard disk… Everything.
So don’t worry about your choice here.
For our first machine, we will choose the “Typical” radio button, and click “Next >”
6- In the “Select a Guest Operating System” windows, you will be able to choose the operating system that you will install on your virtual machine.
For every operating system vendor you will see a list of the supported virtual machines. For example, in the Linux vendor, you will see Redhat, SuSe, Novell, Mandrake (Mandriva), TurboLinux, Ubuntu, and Others.
Let’s say you are a Gentoo Linux fan, does this mean that you can’t install Gentoo as a virtual machine?
Definitely you can; you can install almost any operating system. For example, Apple Mac is not mentioned here, but you can still choose the “Other” radio button and start the installation (with a few tricks); OpenBSD is not mentioned here either, but again it can be installed with a few tricks.
VMware is always updating the list of supported operating systems, and it is rare that you want to install an operating system and find it unsupported by VMware.
I chose “Windows XP Professional” as the first OS, you choose the virtual machine operating system you prefer and click “Next >”
7- Give a name and a location for your virtual machine, this name will be the folder name of your machine that includes all of the files and settings.
8- Choose the type of the Network you need:
Use bridged networking: If you use bridged networking, the virtual machine is a full participant in the network. It has access to other machines on the network and can be contacted by other machines on the network as if it were a physical computer on the network.
Use network address translation (NAT): If you use NAT, your virtual machine does not have its own IP address on the external network. Instead, a separate private network is set up on the host computer. Your virtual machine gets an address on that network from the VMware virtual DHCP server. The VMware NAT device passes network data between one or more virtual machines and the external network. It identifies incoming data packets intended for each virtual machine and sends them to the correct destination.
Use host-only networking: If you use host-only networking, your virtual machine and the host virtual adapter are connected to a private Ethernet network. Addresses on this network are provided by the VMware DHCP server.
These settings can be changed later as well according to your needs.
For our Lab we’ll select “Use host-only networking”, because you might be connected at the moment to an operational network, and I don’t want you to mess up with this network.
Click “Next >”
9- What is the size of the hard disk of the virtual machine you are creating now? This depends on 2 things:
a- The size of your real hard disk, because it doesn’t make sense if your hard disk is 10GB and you are creating a virtual hard disk with size 8GB
b- What is the virtual machine going to be used for? What are the applications that will be installed on this machine?
For example, if you are just installing a Windows OS, this will be about 2GB maximum, while it might reach 8GB if you are installing Linux, it all depends on the OS and the applications installed.
Decide the size yourself and click “Finish”
10- Here we can see the first empty virtual machine, I say empty because we didn’t install the operating system yet :)
Let’s examine the settings we configured first, and then I will leave you alone with your virtual machine :)
To view or edit the virtual machine settings, click the “Edit virtual machine settings” link
11- Now if you want you can change the memory size, the CD drive, number of processors, add or remove hardware components…

12- If you feel that everything is fine with the settings, then let’s start our OS installation process.
Click “Ok” to go back to the main window “VMware Server Console”.
If you are going to install your operating system from a CD, then put the CD in the CD drive and make sure that you choose the right CD drive in the virtual machine settings
If you are installing from an ISO image, then choose the “Use ISO image” radio button, and click the “Browse…” button to direct it to the ISO file. Click “OK” to go back to the “VMware Server Console”
13- Click the “Start this virtual machine” link to start installing your OS on your first virtual machine
You can follow the same steps before in installing any OS you need.
Have fun :)
Till next article
Take care
Labels: Labs
Installing VMware Server on Windows
Because we don’t want to be sent to jail, or lose our jobs – because you might get the idea of testing your knowledge against live networks, right? :) And because we want to practice our hacking techniques, so we have to start with creating a VIRTUAL lab :)
First we’ll create a virtual machine using VMware Server, which is free software that can be downloaded from here http://www.vmware.com/download/server/
A virtual machine is a simulated computer that runs on a real physical computer but acts as if it is a separate computer, so you can have your PC or laptop that has Windows operating system installed by default and at the same time you can run various Operating systems without the need to format or dual boot.
Here for example, my computer is running Windows, but I was able by using VMware to create a Virtual Machine that has various operating systems installed like Apple, Solaris, and Linux…
Almost any operating system can be installed
So let’s go ahead and install VMware Server (Free)
1- Download VMware Server from the VMware web site http://www.vmware.com/download/server/
2- You will be prompted for the download location, save the file wherever you like.
3- Double click the exe file downloaded to start the installation process. First, the VMware splash screen appears, then the installation wizard screens.
4- Here starts the installation wizard, telling you the software you are installing, and a warning that this software is owned by the company created it and that it’s copyrighted.
Click “Next >”
5- This is the End User License Agreement or EULA for abbreviation, the EULA is very important to read because it gives you a general idea about the software you are about to install, it also includes your rights and your responsibilities; it tells what you are allowed to do with this piece of software and what you are not allowed to do.
And I’m sorry, but if you want to install VMware Server on your machine, then you have to accept the EULA (Take it or leave it)
So if you want to install the software, select “I accept the terms in the license agreement” radio button and click “Next >”

6- These are the components that are included in the package:
VMware Server: This is the core of the software, without it you don’t have functionality.
VMware Management Interface: This is a web based management tool that allows you to connect to, manage and monitor your hosts from a web browser, this is very beneficial if you would like to manage your hosts remotely (IIS is required to be installed)
VMware VmCOM & VmPerl Scripting APIs: VMware Server includes two scripting modules; these scripting modules can be used for task automation (such as starting, stopping, suspending or resetting a virtual machine) and for configuring properties (such as the amount of memory dedicated to each machine, the number of processors…)
VmCOM is an interface for programming languages such as Visual Basic, Visual C++, VBScript, and because it’s Microsoft related so it can only be installed on a Windows operating system.
VmPerl on the other side uses Perl as a programming language, thus it can be installed on Windows and Linux.
If you care for programming or scripting, you will enjoy this link http://www.vmware.com/support/pubs/sdk_pubs.html
VMware Diskmount Utility: With the VMware DiskMount utility, a VMware virtual disk file can be mounted as a Windows drive letter for read/write access to the files it contains.
7- Usually, when you put a CD in your CD drive, Windows runs it automatically (autorun). This gets in the way when you work with virtual machines a lot, because a CD or ISO image you attach to a virtual machine will be picked up by the physical computer as well.
So it is better to disable it.
And there is another point here: security-wise it's better to disable autorun. You know why?
Because if you get an autorun CD, the autorun file can start a virus or a Trojan on your machine the moment the CD is loaded, without you clicking anything.
For more information http://antivirus.about.com/od/securitytips/ht/autorun.htm
If you would like to disable autorun, check the “Yes disable autorun” checkbox, and then click “Next >”
8- To start the process of installing the files, click “Install”


9- Type in your name and the name of your organization; these 2 fields can be filled with any data you like.
To get the serial number, you have to register first. On the VMware Server page http://www.vmware.com/download/server/ there is a link that says “register for your free serial number(s)”; click it and follow the steps there. The serial numbers you request are emailed to you immediately.
After filling in all of the information required, click “Enter >”
By now, we have finished installing VMware; the next step for you is to start creating your virtual machines, and installing any operating system you would like to have.
Till next article
Take care
Posted by
Hayman Ezzeldin
1 comments
Labels: Labs
Labs Introduction
Ed Macauley is a basketball player, I don’t know him because of basketball, I know him because of a quote he said once, and I would like to share it with you.
Ed Macauley said “When you are not practicing, remember, someone somewhere is practicing, and when you meet him he will win”
This quote touched me immediately, because we learn new things every day in life; we know a lot of values that we should all apply, but we don’t practice them, we don’t apply them to life, and so we never get to see this knowledge come true.
One of the Blog friends caught my attention when he talked about practicing and applying what we are learning here, and because of that I will add updated labs all the time for all of us to practice.
We will build a FREE virtual lab with FREE software and tools. I will start today with a step by step installation process for Windows users, followed by Linux users; the Linux part is shorter only because as Linux users we can use a Live CD that has almost everything we need, called BackTrack. After that, it will depend on our needs.
So let's do it.
Scanning using Nmap - Part 2
Hi guys,
How were your first scanning attacks? :)
I hope you all enjoyed getting your hands dirty.
Today we are going to complete what we started in the last article, where we began the steps of "Scanning and Enumeration": our first step was to find the live hosts on our target's network, and then we started the second step, port scanning.
Our main tool was Nmap, and because this tool is so full of features, one article is not nearly enough to cover even the basics of Nmap. That's why we are here again to complete what we started.
TCP ACK Scan:
The idea behind the TCP ACK scan is very simple and very smart; here is an analogy for how it works.
We don’t know each other, right?
Imagine I met you once in the street, and suddenly I came up to you and said “hey man, where have you been all this time? Not even a single mail, shame on you!” :)
What would you think? You would say “This man knows me for sure, but probably I don’t remember him”, and then you would start answering me “Oh, I’m fine, and sorry for not sending you mails but I was very busy the last few weeks. I got a baby and…” and you would talk in a friendly way.
The TCP ACK scan works almost the same way: it sends an ACK to the target’s ports, as if acknowledging data from a connection that was set up earlier.
The difference from the analogy is that a TCP stack is not fooled. Whether the port is open or closed, the target looks for an existing connection, finds none, and answers with a RST (this is what RFC 793 requires). So a RST does not tell us whether the port is open; it only tells us that our packet reached the host.
If instead nothing comes back, or an ICMP unreachable error comes back, a packet filtering device dropped the probe before it reached the port.
That is why this scan type is only used to check packet filtering, and why nmap reports each port as “filtered” or “unfiltered”.
Filtered indicates that a packet filtering device (maybe a firewall) filters this type of packet, while unfiltered indicates that there is no packet filtering in the way and that the port might be open or closed.
So the purpose of this scan is not to find open ports on our target but to audit the rules of packet filtering.

The command used is
nmap -sA 192.168.2.31
IDLE Scan:
What was the main disadvantage of all the previous scans?
Whenever they are detected, they lead back to us, because our IP address is logged, right?
So how can we avoid that? The IDLE scan is the ingenious solution to this problem.
The IDLE scan uses another machine (the zombie) as the apparent attacker: every packet sent to the target carries the zombie’s IP address as its source, so the target never sees ours.
* First, I choose a machine that will be the scapegoat or pivot point for our attack. This machine has to be idle, meaning no traffic of its own, because every packet it sends on its own changes the counter we are about to rely on.
Note – Every IP packet on the Internet has a "fragment identification" number or IPID. Many operating systems simply increment this number for every packet they send, so probing for this number tells an attacker how many packets the host has sent since the last probe.
* I send the zombie a SYN/ACK. The zombie sees that there is no connection established between itself and my machine, so it answers with a RST (and this RST carries the zombie’s current IPID).
* I send a forged (spoofed) SYN from my computer to the target’s port; to the target it appears to come from the zombie.
* Please concentrate here. If the port on the target is closed, the target sends the zombie a RST. The zombie ignores an unsolicited RST and sends nothing further, so its IPID stays as it is.
If the port on the target is open, the target sends the zombie a SYN/ACK.
The zombie finds that there is no connection with the target, so it sends the target a RST (and because the zombie is idle, its IPID is now the previous IPID plus 1).
* Now it’s my turn again. I send the zombie another SYN/ACK; the zombie again finds no connection with my machine and answers with a RST.
If the IPID in this RST has increased by 1 (the RST itself), the zombie sent nothing to the target, so the scanned port is closed or filtered (the two cases look the same from here, which is why nmap reports them as closed|filtered).
If the IPID in this RST has increased by 2, the zombie sent 1 packet to the target, which indicates an open port.
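The steps above, as an added example (my own code, not code from the original article): a small offline simulation of the attacker, the zombie and the target in Python, where the only thing the attacker reads is the IPID in the zombie's RST replies. Hosts, ports and IPID values are constructed, and the `background` parameter models a zombie that is not really idle, which is the case the first step warns about.

```python
"""Idle scan (nmap -sI) simulated offline.  Added example: three tiny models of
attacker, zombie and target; the attacker never sees the target's replies and
only reads the IPID of the zombie's RST packets.  All hosts, ports and IPID
values are constructed for the example."""


class Zombie:
    """Host whose IP stack increments the IPID by one for every packet it sends.
    `background` is how many packets it sends on its own between our probes
    (0 means a truly idle zombie)."""

    def __init__(self, start_ipid=1000, background=0):
        self.ipid = start_ipid
        self.background = background

    def _send(self):
        self.ipid += 1
        return self.ipid

    def receive(self, segment):
        # No connection exists, so a SYN/ACK is answered with RST (RFC 793);
        # an unsolicited RST is silently ignored and costs no packet.
        if segment == 'SYN/ACK':
            return ('RST', self._send())
        return None

    def pass_time(self):
        for _ in range(self.background):
            self._send()


class Target:
    def __init__(self, open_ports=(), filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port):
        if port in self.filtered_ports:
            return None                       # dropped by a packet filter, no reply at all
        return 'SYN/ACK' if port in self.open_ports else 'RST'


def probe_ipid(zombie):
    """Send the zombie a SYN/ACK and read the IPID of the RST it answers with."""
    return zombie.receive('SYN/ACK')[1]


def idle_scan_port(zombie, target, port):
    before = probe_ipid(zombie)
    zombie.pass_time()
    # SYN spoofed with the zombie's source address: whatever the target answers
    # goes to the zombie, never to the attacker.
    reply = target.receive_syn(port)
    if reply is not None:
        zombie.receive(reply)                 # SYN/ACK -> zombie sends a RST (+1); RST -> ignored
    zombie.pass_time()
    after = probe_ipid(zombie)
    delta = after - before
    if delta == 1:
        return 'closed|filtered'              # zombie sent nothing in between
    if delta == 2:
        return 'open'                         # zombie sent exactly one RST to the target
    return 'unreliable'                       # zombie is not idle: its own traffic hides the signal


def idle_scan(zombie, target, ports):
    return {port: idle_scan_port(zombie, target, port) for port in ports}


if __name__ == '__main__':
    lab = Target(open_ports={22, 80}, filtered_ports={25})
    print('idle zombie:', idle_scan(Zombie(), lab, [22, 23, 25, 80]))
    print('busy zombie:', idle_scan(Zombie(background=2), lab, [22, 23]))
```

Run it and compare the two lines: with an idle zombie the IPID grows by 2 for an open port and by 1 otherwise, and a closed port and a filtered port are indistinguishable, which is why nmap prints closed|filtered for this scan type; with a zombie that has any traffic of its own, the result is meaningless.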
Let’s analyze the nmap command and the output on Wireshark
But before we start, I want you to notice the MAC Address for the machines I’m using
The Attacker’s IP is 192.168.2.47 – 00:0C:29:B0:BC:EF (Backtrack OS)
The Zombie’s IP is 192.168.2.45 – 00:0C:29:68:5A:DD (Windows OS)
The Target’s IP is 192.168.2.31 – 00:0C:29:C6:21:DC (OpenSuSe OS)



The command used is:
nmap -sI 192.168.2.45 192.168.2.31
Here we notice that there is not a single packet showing “My Computer” talking to “My Target”; all the communication appears to be between 192.168.2.45 (the zombie) and 192.168.2.31 (the target).
Note – this is only true for the scan itself. By default nmap first checks that the target is up with a ping sent from your real address; add -P0 (called -Pn in later nmap versions) to skip that, or the very first packets of the capture will give you away.
Let’s analyze one of these packets, to see what the truth is.
Aha, though the connection appeared to be from the zombie to the target, the MAC address shows the truth: the source MAC address is 00:0C:29:B0:BC:EF (the MAC address of My Computer).
Note – this giveaway exists only because all three machines are on the same LAN segment. A spoofed packet that crosses a router gets the router’s MAC address as its source at every hop, so a target on another network sees nothing but the zombie’s IP.
I liked this one :)
UDP Scan:
Let’s not forget other protocols as well :)
UDP is simpler than TCP: no 3-way handshake, no flags, no sequence numbers, so the UDP scan is very simple too.
The attacker sends a UDP packet to each port on the target. There can be 3 kinds of response: an ICMP Port Unreachable (which indicates a closed port), no response (the port is either open or filtered by a firewall, so nmap prints open|filtered), or a UDP response (the port is open; only services that answer an empty or unknown datagram produce this).
Let’s see what we can get from Nmap:
The command used is
nmap -sU 192.168.2.45
Note – if your target is Linux, be aware that your scan may take 18 hours or more. When nmap gets no response to a UDP probe it cannot tell open from filtered, so it waits for its timeout and retransmits the probe in case it was lost. On top of that, Linux rate limits ICMP Destination Unreachable messages to about one per second, and nmap slows down to match that rate: at one port per second, the 65,535 ports of a single machine take about 18 hours.

From “Wireshark”, we can see that the attacker is sending UDP packets to different random ports on our target (the cyan blue lines), and the target responds with an ICMP Destination Port Unreachable if the port is closed (the black lines).
Note – to confirm that the open|filtered ports did not respond, add a filter to Wireshark such as udp.port==123 (as in our case here). This shows only the NTP packets, and you will see no response from that port (which means open or filtered).

Version Scanning:
Do you think it would make any difference to your attack if your target’s web server is Apache 2.2.8 or Apache 2.0.0?
Sure there is a difference, a great difference. Apache 2.2.8 was the latest release at the time of writing and carries fixes for the bugs and vulnerabilities found in earlier versions, while a server still running 2.0.0 still has every flaw that was found and published between 2.0.0 and 2.2.8, and an attacker can look them up by version number.
So it means a lot for an attacker to know what software versions the target is running, and this is where version scanning comes in.

First of all, the Nmap installation folder contains a file called “nmap-service-probes”. If you open it with WordPad (on Windows) or KWrite (on Linux) you will see a list of probes to send and, for each probe, the expected responses of many software services, written as regular expressions that also extract the product name and version. If a service is not listed there, nmap cannot tell you its version; it only reports the port as open.
Version detection is combined with a port scan (TCP SYN scan, TCP FIN scan…); if no scan type is given on the command line, nmap uses its default, which is a SYN scan when run as root and a connect scan otherwise.
When the attacker uses version detection, nmap first runs the port scan to collect the open ports, then connects to each open port and sends probes, trying to identify the service listening there. Which probes are sent and what the answers look like depends on the service on that port.
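To show how that file is used, here is an added example (my own code, not nmap's): a minimal parser for match and softmatch lines written in the syntax of nmap-service-probes, applied to banners of the kind nmap reads after the handshake. The rule lines and the banners are constructed for the example; nmap's real file has thousands of rules and also defines the probes to send, which this example leaves out.

```python
import re

# Constructed rules in the syntax of nmap's nmap-service-probes file (illustrative,
# not copied from nmap):
#   match <service> m<delim>regex<delim>[flags] [p/product/ v/version/ i/info/ ...]
# $1, $2 ... in the version fields refer to capture groups of the regex.
PROBE_LINES = r"""
Probe TCP NULL q||
ports 21,22,25,80
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ftp m|^220.*ProFTPD (\S+) Server| p/ProFTPD/ v/$1/
softmatch http m|^HTTP/1\.[01] \d\d\d|
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+)|s p/Apache httpd/ v/$1/
"""

MATCH_RE = re.compile(r'^(match|softmatch)\s+(\S+)\s+m(\W)(.*?)\3([a-z]*)\s*(.*)$')
FIELD_RE = re.compile(r'([pvihod])(\W)(.*?)\2')
FLAGS = {'i': re.IGNORECASE, 's': re.DOTALL}


def parse_probe_file(text):
    """Keep only match/softmatch lines.  Probe, ports and rarity lines tell nmap
    what to send and when, which no longer matters once we hold the banner."""
    rules = []
    for line in text.splitlines():
        m = MATCH_RE.match(line.strip())
        if not m:
            continue
        kind, service, _delim, pattern, flags, fields = m.groups()
        flag_bits = 0
        for f in flags:
            flag_bits |= FLAGS.get(f, 0)
        rules.append({
            'soft': kind == 'softmatch',
            'service': service,
            'regex': re.compile(pattern, flag_bits),
            'fields': {key: value for key, _d, value in FIELD_RE.findall(fields)},
        })
    return rules


def _expand(template, hit):
    """Replace $1, $2 ... with the corresponding regex capture groups."""
    return re.sub(r'\$(\d+)', lambda g: hit.group(int(g.group(1))) or '', template)


def identify(banner, rules):
    """First hard match wins; a softmatch only pins down the service name
    when no full match follows."""
    soft_service = None
    for rule in rules:
        hit = rule['regex'].search(banner)
        if hit is None:
            continue
        if rule['soft']:
            soft_service = rule['service']
            continue
        result = {'service': rule['service']}
        for key, name in (('p', 'product'), ('v', 'version'), ('i', 'info')):
            if key in rule['fields']:
                result[name] = _expand(rule['fields'][key], hit)
        return result
    return {'service': soft_service} if soft_service else None


RULES = parse_probe_file(PROBE_LINES)

if __name__ == '__main__':
    # Constructed banners: the first bytes a service sends (or answers) after the handshake
    for banner in ('SSH-2.0-OpenSSH_4.6\r\n',
                   '220 ProFTPD 1.3.1 Server (Debian) [192.0.2.7]\r\n',
                   'HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Unix)\r\n\r\n',
                   'HTTP/1.0 404 Not Found\r\nServer: nginx\r\n\r\n',
                   'hello\r\n'):
        print(repr(banner[:40]), '->', identify(banner, RULES))
```

The point to notice is the last two banners: a server that only softmatches is reported as http with no version, and a service nobody wrote a rule for is not identified at all, which is exactly the limitation described above.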
Let’s see what we can get from Nmap:
The command used is
nmap -sV 192.168.2.31



From “Wireshark”, we can see that the attacker sends a SYN to different random ports on our target (the grey lines), and the target responds with a RST if the port is closed (the red lines).
If the port is open, the attacker completes the 3-way handshake and then starts exchanging some traffic to gather more information about the service running on that port.
In our example, nmap connects to port 22 and simply reads the banner line the SSH server sends first, in clear text before any key exchange (it contains the string OpenSSH_4.6); matching that banner against nmap-service-probes identifies the service as OpenSSH version 4.6. No encryption is negotiated for this.
Guys, what I covered in these 2 articles is only a few of the great options of Nmap; I can’t mention them all or I would end up with a book :).
What I recommend at this moment is to go through the nmap manual page (man nmap on a Unix/Linux machine) and start applying what you read immediately.
I’m sure we are not finished with Nmap and its great capabilities, but all will come in time.
Till next article,
Take care.
Scanning using Nmap - Part 1
A thief wants to rob a bank; he has been watching the bank for a week now, taking notes about when the employees come, when they leave, when there is big cash in the bank and when that cash is gone, and he decides to rob the bank on day X.
What do you think is missing here?
The thief gathered his information from the outside, but he missed the inside part. He didn’t note where the entrances and exits are, where the guards are located, where the monitoring cameras are and how to disable or evade them; he didn’t see where the cash is, what kind of vault they have, how he will escape, what plan B is…
Wow, this guy missed so many things, and this is what hackers try to avoid. This is what we call “Scanning and Enumeration”.
In “Scanning and Enumeration” we gather more information, but this time by partially delving into our target and grabbing the information that will help us prepare our attack.
From the previous phase, we were able to gather general information about our target, this time we will scan our system to find out:
1- Live systems
2- Open ports
3- Services running
4- Operating systems used
5- Vulnerabilities
Any “Penetration Testing” scanning starts with identifying the live systems and drawing the network topology of your target; our mission here is to find hosts, routers, firewalls…
Both can be achieved with methods like “Tracerouting”, which we discussed in a previous article, and “Ping Sweeping”, a technique where you send an ICMP Echo Request to many hosts to find which of them are alive.
Some of the tools that can do “Ping Sweeping” are Nmap, Hping3, netenum, Fping…
Let’s see what we can get from Nmap:
As we have seen, the command used was
nmap -sP 207.x.x.0/24
Or
nmap -sP 207.x.x.1-255
Both commands do almost the same thing: the first uses CIDR (Classless Inter-Domain Routing) notation, which also covers the .0 address, while in the second we typed the range we want by hand. (In later nmap versions -sP was renamed -sn; both mean “ping scan, no port scan”.)
Let’s see the result in the Protocol Analyzer “Wireshark”
At the end of the Nmap command, you will see the result of the Ping Sweeping
The good things about “Ping Sweeping” are:
* You will be able to detect all the live hosts (if ICMP Echo Requests are allowed)
* You can run the ICMP scanning in parallel, which means you can scan many hosts at the same time. This is very helpful when you are scanning an entire network.
The bad things about “Ping Sweeping” are:
* This technique is detectable, either by an IDS or by awake administrators :), because of the huge number of ICMP Echo Requests against so many machines in a short time.
Would you like to know how to avoid that?
Search for “Nmap Timing Options” and enjoy reading :)
* If ICMP Echo Requests are blocked at the perimeter, then you are stuck, because ping sweeping with ICMP won’t work.
Note – In this case, we use a TCP ping sweep to scan our target’s network. We send an ACK to the targets, and the live ones should respond with a RST.
For example with Nmap, the command will be:
nmap -sP -PT 207.x.x.0/24
Or
nmap -sP -PT80 207.x.x.0/24 (where 80 is a port number allowed through the firewall; the port does not have to be open on the scanned machines, since any reachable host answers an unexpected ACK with a RST whether the port is open or closed)
Note – a stateful firewall drops an ACK that belongs to no connection it has seen, so this trick only beats stateless filters. In later nmap versions -PT became -PA. The alternative, -PS, sends a SYN instead; a SYN to a port the firewall allows (such as 80) gets through a stateful firewall too, because it looks like a new connection.
Now after we were able to see the live hosts on the target network, let’s see which of these systems have open doors for our entry, and what services might be running on these systems.
I will tell you the types of scans, and with each scan I will describe how it is accomplished and what’s going on behind the scenes.
But before that, I would like to remind you about TCP connections.
We said before that every TCP connection is established with a 3-way handshake: SYN, SYN/ACK and finally ACK. And we said that TCP is a transport protocol responsible for transferring data from one system to another; it divides the data into segments and labels them with sequence numbers so they can be put back in the right order on delivery.
“My Computer” sends a packet with an Initial Sequence Number or ISN (let’s call it A) and the SYN flag set to 1.
“My Target” responds with a packet that has both the SYN and ACK flags set to 1. The acknowledgment number is A plus 1, and the packet carries My Target’s own ISN for its direction (let’s call it B).
“My Computer” completes the 3-way handshake by sending an ACK whose acknowledgment number is B plus 1.
From then on, the sequence numbers of whatever “My Computer” sends to “My Target” continue from A+1, while whatever “My Target” sends to “My Computer” continues from B+1.
Now to the scan types :)
TCP Connect Scan (Plain Vanilla):
“TCP Connect Scan” or “Plain Vanilla” attempts to complete the whole 3-way handshake with each target port.
The attacker sends a SYN to the target; if the port is open and answers with a SYN/ACK, the attacker sends the final ACK, so the connection is fully established, and then tears it down with a RST.
As we said before, this scan is easy to detect: it generates a huge amount of traffic against all the ports of our target, and because each connection to an open port is completed, the service listening there sees it and can log it (an SSH or web server will show the connection in its own log).
Let’s see what we can get from Nmap:
The command used is
nmap -sT 192.168.2.31

From “Wireshark”, we can see that the attacker sends a SYN to different random ports on our target (the yellow lines), and the target responds with a RST if the port is closed (the red lines), while it responds with a SYN/ACK if the port is open (the green line).
TCP SYN Scan (Half Open):
TCP SYN scan is a little bit stealthier than the previous scan, because it uses a different technique.
The attacker sends a SYN to the target; if the port is open and answers with a SYN/ACK, the attacker immediately tears the connection down with a RST instead of sending the final ACK.
The good things about the TCP SYN scan are:
* It never establishes a connection (the RST goes out before the handshake completes), so the service listening on the port never sees it and does not log it
Note – Though the application on the target doesn’t log these scans, the operating system, the perimeter devices and any IDS can still see and report them, so be aware of that
* Speed, because it sends fewer packets than the previous scan.
Let’s see what we can get from Nmap:
The command used is
nmap -sS 192.168.2.31

From “Wireshark”, we can see that the attacker sends a SYN to different random ports on our target (the yellow lines), and the target responds with a RST if the port is closed (the red lines), while it responds with a SYN/ACK if the port is open (the green line).
Notice the red line directly after the green line: the attacker sends an immediate RST after the target’s SYN/ACK.
TCP FIN, XMAS, NULL Scans (Stealth):
I decided to gather these 3 scans together because they really work in the same manner: they break the rules of TCP connection establishment.
We have seen that a normal TCP connection starts with a SYN and then goes further, whether you complete the handshake (TCP Connect Scan) or abort it (TCP SYN Scan).
These 3 scans (FIN, XMAS, NULL) act in a totally different manner; they send an unexpected packet at the start of the connection.
The FIN scan starts with a packet that has only the FIN flag set, the XMAS scan starts with a packet that has the FIN, PSH and URG flags set (lit up like a Christmas tree), while the NULL scan starts with a packet that has all the flags set to 0.
But why? Because a port expects a SYN to open a connection, and RFC 793 says what to do with anything else. A closed port must answer any segment that is not itself a RST with a RST. An open port that receives a segment without SYN, RST or ACK, which is what all three probes are, must drop it silently, because it cannot belong to any existing connection. So a RST means closed, and silence means open (or filtered).
Note – One important thing you have to know here: these scans are not going to work if your target is Windows based.
Remember, in the last article our homework was to read RFC 793. The RFC says that when a port is closed a RST is sent back, and no response is sent when the port is open.
Unfortunately, Microsoft doesn’t follow this RFC :) and whenever a Windows machine receives any of these probes, the response is always a RST, open port or not. That’s why these scans show every port as closed on Windows systems (nmap’s documentation lists many Cisco devices, BSDI and IBM OS/400 as behaving the same way).
Let’s start with the TCP FIN Scan:

The command used is
nmap -sF 192.168.2.31
Notice that the result says open|filtered. Do you know why?
The reason is that no reply is ambiguous: RFC 793 says an open port silently drops the packet, but a firewall (a stateful one, for example) that drops this kind of packet without sending anything back also produces no reply. So the port might be open, or it might be filtered by the firewall.
From “Wireshark”, we can see that the attacker sends a FIN to different random ports on our target (the white lines), and the target responds with a RST if the port is closed (the red lines), while it sends no response if the port is open or filtered (by a firewall).
Note – to confirm that the open|filtered ports did not respond, add a filter to Wireshark such as tcp.port==22 (as in our case here). This shows only the SSH packets, and you will see no response from the port (which means open or filtered).
Now, let’s examine the XMAS Scan

The command used is
nmap -sX 192.168.2.31
Notice that the result again says open|filtered; I’m sure you know why :)
From “Wireshark”, we can see that the attacker sends a packet with the FIN, PSH and URG flags set to different random ports on our target (the white lines), and the target responds with a RST if the port is closed (the red lines), while it sends no response if the port is open or filtered (by a firewall).
The same Wireshark filter as before (tcp.port==22) shows that port 22 never answered, so it is open or filtered.
Now let’s examine the NULL Scan

The command used is
nmap -sN 192.168.2.31
From “Wireshark”, we can see that the attacker sends a packet with no flags set (can you see the 2 empty brackets []?) to different random ports on our target (the white lines), and the target responds with a RST if the port is closed (the red lines), while it sends no response if the port is open or filtered (by a firewall).
Again, the filter tcp.port==22 shows that the open|filtered port never answered.
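For all of the TCP scan types above (connect, SYN, FIN, XMAS, NULL), plus the ACK and UDP scans from Part 2, here is an added example (my own code, not from the original article) that models what a target answers to each probe and how nmap turns that answer into the state it prints, once for a stack that follows RFC 793 and once for a Windows-style stack. The flag values are the ones from the introduction; the scan names, port states and replies are constructed for the example.

```python
# Added example: how a target's TCP/IP stack answers each nmap probe type and how
# nmap maps the answer to the port state it prints.  'rfc793' models Linux/BSD as
# described in the article; 'windows' answers every unexpected segment with RST.

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32      # flag bit values from the intro

PROBES = {                    # flags in the first packet of each scan type
    'connect': SYN,           # -sT
    'syn': SYN,               # -sS
    'ack': ACK,               # -sA
    'fin': FIN,               # -sF
    'xmas': FIN | PSH | URG,  # -sX
    'null': 0,                # -sN
}

FLAG_NAMES = (('FIN', FIN), ('SYN', SYN), ('RST', RST), ('PSH', PSH), ('ACK', ACK), ('URG', URG))


def flag_names(bits):
    """Render flags the way Wireshark's packet list shows them: '[FIN PSH URG]', '[]'."""
    return '[' + ' '.join(name for name, bit in FLAG_NAMES if bits & bit) + ']'


def target_reply(probe, state, stack='rfc793'):
    """Flags of the segment the target sends back, or None when nothing comes back.

    state is 'open', 'closed' or 'filtered' (dropped by a packet filter in front of the port).
    RFC 793: a segment with ACK but no SYN gets a RST from any port, open or closed;
    a SYN gets SYN/ACK (open) or RST/ACK (closed); anything else (FIN, XMAS, NULL)
    gets RST/ACK from a closed port and is silently dropped by an open port.
    stack='windows' ignores that last rule and sends RST from open ports as well.
    """
    if state == 'filtered':
        return None
    rst = RST if probe & ACK else RST | ACK   # a RST answering an ACK segment carries no ACK flag
    if probe & ACK and not probe & SYN:
        return rst
    if probe & SYN:
        return SYN | ACK if state == 'open' else rst
    if state == 'closed' or stack == 'windows':
        return rst
    return None


def nmap_state(scan, reply):
    """Port state nmap prints for a TCP scan type given the reply (None = no reply)."""
    if scan == 'ack':
        return 'filtered' if reply is None else 'unfiltered'
    if scan in ('syn', 'connect'):
        if reply is None:
            return 'filtered'
        return 'open' if reply & SYN else 'closed'
    return 'open|filtered' if reply is None else 'closed'   # fin / xmas / null


def udp_state(reply):
    """Port state for -sU.  reply is None, ('udp', payload) or ('icmp', type, code)."""
    if reply is None:
        return 'open|filtered'
    if reply[0] == 'udp':
        return 'open'
    icmp_type, code = reply[1], reply[2]
    if (icmp_type, code) == (3, 3):                    # port unreachable
        return 'closed'
    if icmp_type == 3 and code in (1, 2, 9, 10, 13):   # other unreachables, e.g. admin prohibited
        return 'filtered'
    return 'open|filtered'


def scan_matrix(stack='rfc793'):
    """What nmap reports for every TCP scan type against an open, closed and filtered port."""
    return {(scan, state): nmap_state(scan, target_reply(probe, state, stack))
            for scan, probe in PROBES.items()
            for state in ('open', 'closed', 'filtered')}


if __name__ == '__main__':
    for stack in ('rfc793', 'windows'):
        print(stack)
        for (scan, state), seen in sorted(scan_matrix(stack).items()):
            print(f'  {scan:8} {flag_names(PROBES[scan]):16} port {state:9} -> {seen}')
```

Run the script and compare the two tables: the FIN, XMAS and NULL rows differ only for open ports, where the RFC 793 stack is silent (open|filtered) and the Windows stack answers RST (reported as closed), which is exactly why those three scans cannot find open ports on Windows, while the SYN, connect and ACK rows are the same on both.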
Now I'm tired and need a break :)
Don't worry, our talking about Nmap is not finished. But you have to wait till Part 2 :)
Take care guys.
