Thursday, December 31, 2009

Tools-Visual Lookout

Visual Lookout provides high level views as well as detailed and historical views that provide traffic information in real-time or on a historical basis.

In addition, the user can request a "connections" window for any server, which provides a real-time view of all the active network connections, showing:

    * who is connected,
    * what service is being used,
    * whether the connection is inbound or outbound, and
    * how many connections are active and how long they have been connected.

Traffic is an important measure when identifying possible hacker attacks or even Denial of Service (DoS) attacks. A change in traffic patterns from normal values is an important first clue to possible unwanted visitors. Visual Lookout can display any of the important traffic metrics as a graph, from both a real-time and a historical perspective, and can capture connection activity for any server or computer system it is monitoring. The search feature locates connection activity by inbound or outbound port or by IP address/domain name, and can replay the history period of interest as though the session were happening in real time.

Tool: SmartWhois

SmartWhois is a network information utility that allows the user to find all the available information about an IP address, hostname, or domain, including country, state or province, city, name of the network provider, and administrator and technical support contact information.

Unlike standard Whois utilities, SmartWhois can find information about a computer located in any part of the world, intelligently querying the right database and delivering all the related records in a short time. The program can retrieve information from more than 20 servers all over the world. SmartWhois can also save the obtained information to an archive file. This is particularly useful in tracking incidents and in incident handling. It allows users to load this archive the next time the program is launched and add more information to it, so the list is updated on a regular basis. This feature allows building and maintaining a user-defined database of IP addresses and host names. Alternatively, users can load a list of IP addresses from a text file and have SmartWhois process the whole list. SmartWhois is capable of performing both IP address/hostname and domain name queries. SmartWhois is available for download at www.tamos.com, and TamoSoft, Inc. also hosts a tools interface at http://all-nettools.com/tools1.htm

---

Wednesday, December 30, 2009

Tool: VisualRoute Trace

VisualRoute is a graphical tool that determines where and how traffic is flowing on the route between the desired destination and the user trying to access it, by providing a geographical map of the route and the performance on each portion of that route.

VisualRoute delivers the functionality of key Internet "ping," "whois," and "traceroute" tools in a visually integrated package. In addition, VisualRoute has the ability to identify the geographical location of routers, servers, and other IP devices. This is valuable information for identifying the source of network intrusions and Internet abusers. It helps in establishing the identity of the originating network and the web software that a server is running, in detecting routing loops, and in identifying hosts that have the ICMP TTL bug.

VisualRoute's traceroute provides three types of data: an overall analysis, a data table, and a geographical view of the routing. The analysis is a brief description of the number of hops, the areas where problems occurred, and the type of web server software running at the destination site. The data table lists information for each hop, including the IP address, node name, geographical location and the major Internet backbone where each server resides.

The World map gives a graphical representation of the actual path of an Internet connection. Users can zoom in/out and move the map around to position it as desired. A mouse click on a server or network name opens a pop-up window with the whois information including name, telephone and email address, providing instant contact information for problem reporting.

The screenshot above shows a traceroute done to www.google.com. VisualRoute can be downloaded at http://www.visualware.com/download

Tool: NeoTrace (Now McAfee Visual Trace)

NeoTrace is a diagnostic and investigative tool. It traces the network path across the Internet from the host system to a target system anywhere on the Internet. Automatic retrieval of data includes registration details for the owner of each computer on the route (address, phone, email address) and the network each node IP is registered to. Easy-to-read views of the data include a world map showing the locations of nodes along the route, a graph showing the relative response time of each node along the path, and a configurable list of node data.

In the screenshot shown above, we have done a traceroute for www.google.com. Version 3.20 had a node view, map view and list view. Note that the DNS entries have been retrieved for the various nodes, and the map view allows the user to see relatively easily whether a particular system is geographically based where it claims to be.

There are two aspects to traceroute: depth and breadth. There are two basic methods for searching graphs, breadth-first and depth-first. A breadth-first search branches out, examining all nodes within a certain hop distance and slowly increasing that distance until the destination is discovered. A depth-first search follows one path until it is exhausted, then backs up and slowly recalculates all the permutations of the preceding paths. Traceroute generates a UDP message to an unused port and sends it repeatedly with an increasing TTL value. The search ends when a port unreachable message is received.

There are many ICMP error messages that can be generated. One of these is ICMP port unreachable (since ports exist in TCP or UDP). However, the port unreachable message must be distinguished from similar messages generated by different applications, such as a packet filtering device.

Traceroute

Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live.

Traceroute reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs.

As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, the router sends back a "TTL exceeded" message (using ICMP) to the originator.

Routers with DNS entries reveal their names, network affiliation and geographic location.

The best way to find the route to the target systems is to use the traceroute utility provided with most operating systems. The traceroute utility details the path IP packets travel between two systems. It can trace the number of routers the packets travel through, the time taken in transit between two routers, and, if the routers have DNS entries, the names of the routers and their network affiliation and geographic location.

Let us see how traceroute works. Traceroute sends out a packet destined for the specified destination, with the TTL field set to 1. The first router in the path receives the packet and decrements the TTL value by 1; if the resulting TTL value is 0, it discards the packet and sends a message back to the originating host to inform it that the packet has been discarded. Traceroute records the IP address and DNS name (if available) of that router, then sends out another packet with a TTL value of 2. This packet makes it through the first router, then times out at the next router in the path. This second router also sends an error message back to the originating host. Traceroute continues in this way, recording the IP address and name of each router, until a packet finally reaches the target host or until it decides that the host is unreachable. In the process, traceroute records the round-trip time of each packet to each router.
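The TTL mechanism just described, modelled as an added example (not code from the original post): a constructed chain of router hops stands in for the network, so no packets are sent, and the Hop, Reply, send_probe and traceroute names are assumptions for this illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Hop:
    ip: str
    name: Optional[str] = None   # DNS name, if the router has a PTR record
    silent: bool = False         # drops probes without answering (filtered hop)


@dataclass
class Reply:
    kind: str            # "ttl_exceeded", "port_unreachable" or "timeout"
    src: Optional[str]
    rtt_ms: float


def send_probe(path, ttl, rtt_per_hop_ms=10.0):
    """Model one UDP probe to an unused port, sent with the given TTL.

    Every router on `path` decrements the TTL; the router that takes it to 0
    discards the probe and answers with ICMP "TTL exceeded". The last entry
    of `path` is the target host: it does not forward, so it answers with
    ICMP "port unreachable" instead, which tells traceroute it has arrived.
    """
    for index, hop in enumerate(path, start=1):
        if index == len(path):
            return Reply("port_unreachable", hop.ip, index * 2 * rtt_per_hop_ms)
        ttl -= 1
        if ttl == 0:
            if hop.silent:
                return Reply("timeout", None, 0.0)
            return Reply("ttl_exceeded", hop.ip, index * 2 * rtt_per_hop_ms)
    return Reply("timeout", None, 0.0)


def traceroute(path, max_hops=30, probes_per_hop=3):
    """Return (rows, reached): one row per TTL value, stopping once the
    target answers or max_hops is exhausted (target unreachable)."""
    rows = []
    for ttl in range(1, max_hops + 1):
        rtts, src, reached = [], None, False
        for _ in range(probes_per_hop):
            reply = send_probe(path, ttl)
            if reply.kind != "timeout":
                src = reply.src
                rtts.append(reply.rtt_ms)
            if reply.kind == "port_unreachable":
                reached = True
        rows.append({"hop": ttl, "ip": src, "rtts": rtts})
        if reached:
            return rows, True
    return rows, False


def format_rows(rows, names):
    """Render rows in tracert style; '*' marks probes that got no reply."""
    lines = []
    for row in rows:
        rtts = "  ".join(f"{r:.0f} ms" for r in row["rtts"]) or "*  *  *"
        label = row["ip"] or "Request timed out."
        if row["ip"] and names.get(row["ip"]):
            label = f"{names[row['ip']]} [{row['ip']}]"
        lines.append(f"{row['hop']:3d}  {rtts}  {label}")
    return lines


# Constructed path: three routers (the second one filters ICMP) and the target.
SAMPLE_PATH = [
    Hop("192.0.2.1"),
    Hop("198.51.100.1", "core-rtr.example.net", silent=True),
    Hop("203.0.113.1", "edge-rtr.example.net"),
    Hop("203.0.113.80", "www.example.net"),
]

if __name__ == "__main__":
    rows, reached = traceroute(SAMPLE_PATH)
    names = {h.ip: h.name for h in SAMPLE_PATH if h.name}
    print("\n".join(format_rows(rows, names)))
    print("Trace complete." if reached else "Target unreachable.")
```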

Let us see what a tracert 216.239.36.10 command at the Windows command prompt results in.

C:\>tracert 216.239.36.10

Tracing route to ns3.google.com [216.239.36.10] over a maximum of 30 hops:

  1  2171 ms  1405 ms  1530 ms  194.170.2.57
  2  2685 ms  1280 ms   655 ms  dxb-emix-ra.ge6303.emix.ae [195.229.31.99]
  3  1622 ms  2377 ms  2061 ms  eqixva-google-gige.google.com [206.223.115.21]
  4  2498 ms   968 ms   593 ms  216.239.48.193
  5  1108 ms  1683 ms  2062 ms  ns3.google.com [216.239.36.10]

Trace complete.

While this is what a simple traceroute might produce, there are web interfaces through which a more detailed traceroute can be run and more information obtained. One such interface is available at http://www.opus1.com

traceroute to 216.239.36.10 (216.239.36.10), 30 hops max, 40 byte packets

 1  manny.Firewall.Opus1.COM (192.245.12.95) [AS22772/AS3908/AS6373/AS5650] [email protected]  4.883 ms
 2  Opus-GW (207.182.35.49) [AS22772/AS6373] [email protected]  14.648 ms
 3  66.62.80.165 (66.62.80.165) [AS6983] root@[email protected] addr.arpa  18.554 ms
 4  laxl-core-02.tamerica.net (66.62.5.194) [AS6983] root@in-[email protected]  47.849 ms
 5  216.239.48.94 (216.239.48.94) [AS15169] [email protected]  108.391 ms

Saturday, December 26, 2009

Tool-ARIN

ARIN allows searches of its whois database to locate information on networks, autonomous system numbers (ASNs), network-related handles and other related points of contact (POCs).

ARIN whois allows querying the IP address to help find information on the strategy used for subnet addressing.

The ARIN page also has a set of additional tools and links to other sites such as RWhois.net. ARIN would be a good starting point for information gathering as the information retrieved is more elaborate than a standard Whois lookup.

The purpose of discussing information gathering - and footprinting in particular - is that this is the information that both the hacker and the systems administrator can gather in a non-intrusive manner. All the approaches discussed so far are completely passive (with the exception of traceroute, as it can be detected) and undetectable by the target organization. The information gathered during this phase will be used continuously throughout the penetration test.

Footprinting an organization helps its systems administrator learn what information about the organization lies outside it and the potential threat that information poses. The administrator can then take preventive measures so that it is not used as a means of exploitation, and increase user awareness regarding the use of information assets.

Up to date domain contact information is important not only for addressing administration issues but can also be used by security personnel on other networks to warn of pending attacks or active compromises. By not revealing essential information, more harm can be done.

OrgName: Google Inc.
OrgID: GOGL
Address: 2400 E. Bayshore Parkway
City: Mountain View
StateProv: CA
Postal Code: 94043
Country: US

Net Range: 216.239.32.0 - 216.239.63.255
CIDR: 216.239.32.0/19
Net Name: GOOGLE
Net Handle: NET-216-239-32-0-1
Parent: NET-216-0-0-0-0
Net Type: Direct Allocation
Name Server: NS1.GOOGLE.COM
Name Server: NS2.GOOGLE.COM
Name Server: NS3.GOOGLE.COM
Name Server: NS4.GOOGLE.COM
Comment:
Reg Date: 2000-11-22
Updated: 2001-05-11

Tech Handle: ZG39-ARIN
Tech Name: Google Inc.
Tech Phone: +1-650-318-0200
Tech Email:

Attack Methods 
From the Nslookup query, an attacker can find name servers, mail exchange servers and also what class they belong to. The mail exchange servers can be further resolved into IP addresses. He can then enumerate the network further by doing a reverse IP lookup.

In this case, we look up 216.239.33.25, which is the IP of smtp1.google.com. The query gives the following result:

25.33.239.216.in-addr.arpa    PTR    smtp1.google.com
33.239.216.in-addr.arpa       NS     ns1.google.com
33.239.216.in-addr.arpa       NS     ns2.google.com
33.239.216.in-addr.arpa       NS     ns3.google.com
33.239.216.in-addr.arpa       NS     ns4.google.com
ns1.google.com                A      216.239.32.10
ns2.google.com                A      216.239.34.10
ns3.google.com                A      216.239.36.10
ns4.google.com                A      216.239.38.10

Note that the reverse lookup is answered through the in-addr.arpa domain. Further, we also retrieve more information on the name servers.

Anonymizers- Make your web surfing anonymous

Anonymizers are services that help make your own web surfing anonymous.

    * The first anonymizer developed was Anonymizer.com, created in 1997 by Lance Cottrell.
    * An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet, thereby ensuring the privacy of the user.
    * Many anonymizer sites create an anonymized URL by appending the name of the site the user wishes to access to their own URL, e.g.:

      http://anon.free.anonymizer.com/http://www.yahoo.com/

      After the user anonymizes a web access with an anonymizer prefix, every subsequent link selected is also automatically accessed anonymously. Most anonymizers can anonymize at least the web (http:), file transfer protocol (ftp:), and gopher (gopher:) Internet services.
    * However, anonymizers have the following limitations:
          o HTTPS. Secure protocols like "https:" cannot be properly anonymized, since the browser needs to access the site directly to properly maintain the secure encryption.
          o Plugins. If an accessed site invokes a third-party plugin, there is no guarantee that it will not establish independent direct connections from the user's computer to a remote site.
          o Logs. All anonymizer sites claim that they don't keep a log of requests. Some sites, such as the Anonymizer, keep a log of the addresses accessed, but don't keep a log of the connection between accessed addresses and users logged in.
          o Java. Any Java application that is accessed through an anonymizer will not be able to bypass the Java security wall.
          o ActiveX. ActiveX applications have almost unlimited access to the user's computer system.
          o JavaScript. The JavaScript scripting language is disabled with URL-based anonymizers.
    * Some anonymizer sites are:
          o Anonymizer.com
          o Anonymize.net
          o @nonymouse.com
          o Iprive.com
          o MagusNet Public Proxy
          o MuteMail.com
          o PublicProxyServers.com
          o Rewebber.de
          o SilentSurf.com
          o Surfola.com
          o Ultimate-anonymity.com

What is a Proxy?

A proxy is a network computer that serves as an intermediary for connections to other computers. Proxies are usually used for the following purposes:

    * As a firewall, a proxy protects the local network from outside access.
    * As an IP address multiplexer, a proxy allows a number of computers to connect to the Internet when only one IP address is available.
    * Proxy servers can be used (to some extent) for anonymous web surfing.
    * Specialized proxy servers can filter out unwanted content, such as ads or 'unsuitable' material.
    * Proxy servers can afford some protection against hacking attacks.

The program WinGate is often used as a proxy. Quite a number of such proxies are open to easy access. Anonymous proxies hide the real IP address (and sometimes other information) from the websites that the user visits. There are two sorts: ones that can be used in the same way as the non-anonymous proxies above, and web-based anonymizers.

Using a non-anonymous proxy:

HTTP_X_FORWARDED_FOR = 62.64.175.55, 194.72.9.37

This shows the IP address of the user (first number) and possibly the IP address of the proxy server used (second).

Using an anonymous proxy:

HTTP_X_FORWARDED_FOR = 66.51.107.3

This now only shows the IP address of the proxy.
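How a web server should read that header, as an added example that is not part of the original post: it classifies a request into the direct, non-anonymous-proxy and anonymous-proxy cases above, and treats X-Forwarded-For as a claim rather than a fact unless the connecting peer is a proxy we run ourselves (the TRUSTED_PROXIES set and all addresses below are constructed).

```python
import ipaddress

# Constructed assumption: the only proxy whose X-Forwarded-For we treat as
# authoritative is one we operate ourselves. Any client can add this header.
TRUSTED_PROXIES = {"10.0.0.5"}


def parse_forwarded_for(value):
    """Split an X-Forwarded-For value (client first, then each proxy that
    appended itself) into validated IP addresses; junk entries are dropped
    rather than trusted."""
    chain = []
    for raw in (value or "").split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            chain.append(str(ipaddress.ip_address(raw)))
        except ValueError:
            continue
    return chain


def classify_request(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Decide what a server can conclude about the visitor.

    remote_addr is the peer address of the TCP connection (always
    authoritative). headers is a dict holding either the HTTP header name
    or the CGI variable HTTP_X_FORWARDED_FOR used in the text above.
    """
    raw = headers.get("X-Forwarded-For") or headers.get("HTTP_X_FORWARDED_FOR")
    chain = parse_forwarded_for(raw)
    result = {
        "peer": remote_addr,              # who actually connected to us
        "effective_client": remote_addr,  # address safe to base decisions on
        "claimed_client": None,           # what the header says, unverified
        "proxy": "none or fully anonymous",
    }
    if not chain:
        # No header at all: a direct client, or a proxy that strips it.
        return result
    # Entries equal to the connecting peer are the proxy naming itself.
    others = [ip for ip in chain if ip != remote_addr]
    if not others:
        # Only the proxy's own address is listed: the anonymous-proxy case.
        result["proxy"] = "anonymous"
        return result
    # A non-anonymous proxy: the header exposes the original client.
    result["proxy"] = "non-anonymous"
    result["claimed_client"] = others[0]
    if remote_addr in trusted:
        # Header written by our own proxy: safe to act on.
        result["effective_client"] = others[0]
    return result
```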

Friday, December 25, 2009

Cheops-Network management tool-equivalent of a Swiss-army knife

Cheops (KEE-ops) is a network management tool for mapping and monitoring the network. It has host/network discovery functionality as well as OS detection of hosts.

Cheops is an open source network user interface. It is designed to be the network equivalent of a Swiss-army knife, unifying your network utilities. Cheops does for the network what a file manager does for the file system.

Cheops can optionally determine the OS of hosts on the network, selecting appropriate icons for them. Cheops can show the routes taken to access areas of the network. This feature is designed for larger networks, with routers, subnets, etc. This mapping not only makes the hierarchy clearer, but can show unusual routing issues.

DOWNLOAD @ http://cheops-ng.sourceforge.net/index.php

Cheops includes a generalized TCP port scanner to see what ports on the network are in use. It can be used to retrieve version information for certain services, to be sure any given host is up-to-date with the latest revision of its services.


Cheops includes a simple integrated SNMP browser, including write capability, using the UCD SNMP library. Cheops also supports a plug-in interface, which includes support for SNMP plug-ins, similar in concept to those of HP Openview.

Cheops can monitor critical servers and immediately notify the responsible person through its event log, standard e-mail, and soon via paging, when things go wrong. The network administrator can know exactly which system is up or down, and just when problems occur. Right-clicking on a host quickly shows a list of common services it supports, with rapid, easy access to them. The co-developer has given Cheops a makeover, and it is now called Cheops-ng (new generation).

Passive Fingerprinting

    * Passive fingerprinting is also based on the differing implementations of the stack and the various ways an OS responds.
    * However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host and studies them for telltale signs that can reveal the OS.
    * Passive fingerprinting is less accurate than active fingerprinting.

Like active fingerprinting, passive fingerprinting is based on the differing implementations of the stack and the various ways an OS responds. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host and studies them for telltale signs that can reveal the OS.

Note: The four areas typically examined to determine the operating system are:

    * TTL - the Time To Live the operating system sets on outbound packets.
    * Window Size - the TCP window size the operating system sets.
    * DF - whether the operating system sets the Don't Fragment bit.
    * TOS - whether the operating system sets the Type of Service, and if so, to what value.


Passive fingerprinting need not be fully accurate nor does it have to be limited to these four signatures. However, by looking at several signatures and combining the information, the accuracy can be improved upon. The following is the analysis of a sniffed packet dissected by Lance Spitzner in his paper on passive fingerprinting (http://www.honeynet.org/papers/finger/)

04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78


Based on the four criteria, the following is identified:

TTL: 45

Window Size: 0x7D78 (or 32120 in decimal)

DF: The Don't Fragment bit is set

TOS: 0x0

This information is then compared to a database of signatures. Considering the TTL used by the remote host, it is seen from the sniffer trace that the TTL is set at 45. This indicates that it went through 19 hops to get to the target, so the original TTL must have been set at 64. Based on this TTL, it appears that the packet was sent from a Linux or FreeBSD box, (however, more system signatures need to be added to the database). This TTL is confirmed by doing a traceroute to the remote host.

The next step is to compare the Window size. The Window Size is another effective tool, specifically what Window Size is used and how often the size changes. In the above signature, it is set at 0x7D78, a default Window Size commonly used by Linux. Also, Linux, FreeBSD, and Solaris tend to maintain the same Window Size throughout a session. However, Cisco routers and Microsoft Windows/NT Window Sizes are constantly changing. The Window Size is more accurate if measured after the initial three-way handshake (due to TCP slow start).

Most systems use the DF bit set, so this is of limited value. However, this does make it easier to identify the few systems that do not use the DF flag (such as SCO or OpenBSD). TOS is also of limited value. This seems to be more session-based than operating-system-based. In other words, it's not so much the operating system that determines the TOS, but the protocol used. Therefore, based on the information above, specifically TTL and Window size, one can compare the results to the database of signatures and with a degree of confidence determine the OS (in this case, Linux kernel 2.2.x).
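The same analysis, as an added example that is not part of the original post: it parses the sniffer record shown above, estimates the initial TTL and hop count, and matches TTL, window size and DF against a small signature table. The SIGNATURES list is constructed for illustration (only the Linux entry comes from the text), and the function names are assumptions.

```python
import re

# (os, initial TTL, window, DF set). The Linux entry is the one the text
# derives; the others are constructed, illustrative values, not a real
# signature database.
SIGNATURES = [
    ("Linux kernel 2.2.x", 64, 0x7D78, True),
    ("FreeBSD 4.x (constructed)", 64, 0x4000, True),
    ("Windows NT/2000 (constructed)", 128, 0x2000, True),
    ("OpenBSD 2.x (constructed)", 64, 0x4000, False),
]

# Matches the Snort-style header lines used in the dissection above.
HEADER_RE = re.compile(
    r"TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:\d+(?P<df>\s+DF)?"
    r".*?Win:\s*(?P<win>0x[0-9A-Fa-f]+)",
    re.S,
)


def parse_packet(text):
    """Extract TTL, TOS, DF and window size from one sniffer record."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no TCP header fields found")
    return {
        "ttl": int(m["ttl"]),
        "tos": int(m["tos"], 16),
        "df": m["df"] is not None,
        "win": int(m["win"], 16),
    }


def initial_ttl(observed):
    """The smallest common starting TTL (32, 64, 128, 255) at or above the
    observed value; the difference is the hop count the packet travelled."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    raise ValueError(f"TTL {observed} is not a valid IP TTL")


def fingerprint(packet):
    """Match the packet's signals against SIGNATURES. TOS is parsed but not
    matched: the text notes it depends on the session more than the OS."""
    start = initial_ttl(packet["ttl"])
    candidates = [
        name for name, ttl, win, df in SIGNATURES
        if ttl == start and win == packet["win"] and df == packet["df"]
    ]
    return {"initial_ttl": start, "hops": start - packet["ttl"],
            "candidates": candidates}


def window_is_stable(packets):
    """Linux, FreeBSD and Solaris keep the window constant through a
    session, while Windows and Cisco vary it; feed this packets captured
    after the three-way handshake, as the text recommends."""
    return len({p["win"] for p in packets}) == 1


# The packet dissected above.
SAMPLE = """04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78"""

if __name__ == "__main__":
    pkt = parse_packet(SAMPLE)
    print(pkt)
    print(fingerprint(pkt))
```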

Threat: Passive fingerprinting can be used for several other purposes. It can be used by crackers as 'stealthy' fingerprinting. For example, to determine the operating system of a 'potential victim', such as a web server, one only needs to request a webpage from the server and then analyze the sniffer traces. This bypasses the need for an active tool that can be detected by various IDS systems. Also, passive fingerprinting may be used to identify remote proxy firewalls. Since proxy firewalls rebuild connections for clients, it may be possible to identify them based on the signatures we have discussed. Organizations can use passive fingerprinting to identify 'rogue' systems on their network, that is, systems that are not authorized on the network.

Active Stack Fingerprinting: This technique is called OS fingerprinting


    * Fingerprinting is done to determine the remote OS
    * Allows attacker to leave smaller footprint and have greater chance to succeed
    * Based on the fact that various OS vendors implement the TCP stack differently
    * Specially crafted packets sent to remote OS and response is noted. This is compared with a database to determine the OS

Concept: The term OS fingerprinting covers any method used to determine what operating system is running on a remote computer. OS fingerprinting is an essential part of network reconnaissance, because an attacker has a greater probability of succeeding if he can formulate his attack strategy around operating-system-specific vulnerabilities.

Note: Remote OS fingerprinting is carried out by noting the way the remote system responds to specifically crafted TCP packets. These methods range from examining the default TCP window size in a packet, to measuring the amount of data in ICMP packets, and even gauging TCP initial sequence numbers. As with port scanning, there are several methods to successfully fingerprint an OS. Querying the services running on a target machine is often the simplest means of OS fingerprinting.

Note: Active stack fingerprinting is based on the principle that an operating system's IP stack has its own unique way of responding to specially crafted TCP packets. This arises from the different interpretations vendors follow when implementing the TCP/IP stack on a particular OS. In active fingerprinting, a variety of malformed packets are sent to the remote host, and the responses are compared to a database.

For instance, in Nmap, OS fingerprinting is done through eight tests. Each of these tests is described below.

The first test is named T1 for test 1. In this test a TCP packet with the SYN, and ECN-Echo flags enabled is sent to an open TCP port.

The second test is named T2 for test 2. It involves sending a TCP packet with no flags enabled to an open TCP port. This type of packet is known as a NULL packet.

The third test is named T3 for test 3. It involves sending a TCP packet with the URG, PSH, SYN, and FIN flags enabled to an open TCP port.

The fourth test is named T4 for test 4. It involves sending a TCP packet with the ACK flag enabled to an open TCP port.

The fifth test is named T5 for test 5. It involves sending a TCP packet with the SYN flag enabled to a closed TCP port.

The sixth test is named T6 for test 6. It involves sending a TCP packet with the ACK flag enabled to a closed TCP port.

The seventh test is named T7 for test 7. It involves sending a TCP packet with the URG, PSH, and FIN flags enabled to a closed TCP port.

The eighth test is named PU for port unreachable test. It involves sending a UDP packet to a closed UDP port. The objective is to extract an ICMP port unreachable message back from the target machine.

But this is not all. The last test that Nmap performs is named TSeq for TCP sequenceability test. The test tries to determine the sequence generation patterns of the TCP initial sequence numbers also known as TCP ISN sampling, the IP identification numbers also known as IPID sampling, and the TCP timestamp numbers. The test is performed by sending six TCP packets with the SYN flag enabled to an open TCP port.

Tool: NetScanTools Pro

NetScanTools consists of many independent network functions joined together in a single tabbed window. Most functions are designed to run in separate threads so several tabs can be used simultaneously. This program operates best on the newer Windows platforms.

NetScanTools Pro has a scanner tab, Port Prober, which will be discussed here. Port Probe (a port scanner) is an essential tool in determining the services or daemons running on a target machine. This prober is multithreaded and configurable, and it allows running four different types of probing patterns. The user can build lists of target IP addresses and lists of ports to probe, specifying timeouts and the protocol to connect with. Additionally, any data that is received from the target port upon connection is saved for viewing. The results are presented in a tree view and are color-coded with different types of images for easy location of information at a glance.

The types of port connections supported are:

TCP Full Connect. This mode makes a full connection to the target's TCP ports and can save any data or banners returned from the target. This mode is the most accurate for determining TCP services, but it is also easily recognized by Intrusion Detection Systems (IDS).

UDP ICMP Port Unreachable Connect. This mode sends a short UDP packet to the target's UDP ports and looks for an ICMP Port Unreachable message in return. The absence of that message indicates either the port is used, or the target does not return the ICMP message which can lead to false positives. It can save any data or banners returned from the target. This mode is also easily recognized by IDS.

TCP Full/UDP ICMP Combined. This mode combines the previous two modes into one operation.

TCP SYN Half Open. (Windows XP/2000 only) This mode sends out a SYN packet to the target port and listens for the appropriate response. Open ports respond with a SYN|ACK and closed ports respond with ACK|RST or RST. This mode is less likely to be noted by IDS, but since the connection is never fully completed, it cannot gather data or banner information. However, the attacker has full control over TTL, Source Port, MTU, Sequence number, and Window parameters in the SYN packet.

TCP Other. (Windows XP/2000 only) This mode sends out a TCP packet with any combination of the SYN, FIN, ACK, RST, PSH, URG flags set to the target port and listens for the response. Again, the attacker can have full control over TTL, Source Port, MTU, Sequence number, and Window parameters in the custom TCP packet. The Analyze feature helps with analyzing the response based on the flag settings chosen. Each operating system responds differently to these special combinations. The tool includes presets for XMAS, NULL, FIN and ACK flag settings.
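Detection logic for these probe patterns, as an added example that is not part of the original post and not from Nmap or NetScanTools: it names the TCP flag combinations used by Nmap's T1, T2, T3 and T7 tests and by the XMAS, NULL and FIN presets above, and alerts when one source sends several different ones to the same host within a short window. The packet log and the field names (ts, src, dst, flags) are constructed.

```python
from collections import defaultdict

# TCP flag sets that do not occur in a well-behaved session. T1-T3 and T7
# are the first-generation Nmap tests described above (ECN-Echo is the ECE
# bit); XMAS, NULL and FIN are the NetScanTools presets. Plain SYN (T5) and
# plain ACK (T4, T6) are ordinary traffic and are deliberately left out.
PROBE_SIGNATURES = {
    frozenset({"SYN", "ECE"}): "T1 SYN+ECN-Echo",
    frozenset(): "T2 NULL",
    frozenset({"URG", "PSH", "SYN", "FIN"}): "T3 URG+PSH+SYN+FIN",
    frozenset({"URG", "PSH", "FIN"}): "T7 / XMAS",
    frozenset({"FIN"}): "FIN scan",
}


def classify_flags(flags):
    """Name of the probe a flag combination corresponds to, or None."""
    return PROBE_SIGNATURES.get(frozenset(flags))


def detect_fingerprinting(packets, min_distinct=3, window_s=10.0):
    """Raise one alert per (src, dst) pair that sends at least
    `min_distinct` different probe types within `window_s` seconds.

    packets: iterable of dicts with keys ts (seconds), src, dst and flags
    (a set of TCP flag names). Packets are processed in timestamp order.
    """
    recent = defaultdict(list)   # (src, dst) -> [(ts, probe name)]
    alerted, alerts = set(), []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        name = classify_flags(pkt["flags"])
        if name is None:
            continue
        key = (pkt["src"], pkt["dst"])
        # Slide the window: keep only probes close enough to this one.
        events = [e for e in recent[key] if pkt["ts"] - e[0] <= window_s]
        events.append((pkt["ts"], name))
        recent[key] = events
        distinct = sorted({n for _, n in events})
        if len(distinct) >= min_distinct and key not in alerted:
            alerted.add(key)
            alerts.append({"src": pkt["src"], "dst": pkt["dst"],
                           "first_ts": events[0][0], "probes": distinct})
    return alerts


# Constructed packet log. 192.0.2.10 runs an OS-detection sequence against
# one host; 192.0.2.11 is a normal HTTP client; 192.0.2.12 sends probes too
# slowly to fall inside one window.
SAMPLE_PACKETS = [
    {"ts": 0.0, "src": "192.0.2.10", "dst": "198.51.100.20", "flags": {"SYN"}},
    {"ts": 1.0, "src": "192.0.2.10", "dst": "198.51.100.20", "flags": set()},
    {"ts": 2.0, "src": "192.0.2.10", "dst": "198.51.100.20", "flags": {"URG", "PSH", "SYN", "FIN"}},
    {"ts": 3.0, "src": "192.0.2.10", "dst": "198.51.100.20", "flags": {"ACK"}},
    {"ts": 4.0, "src": "192.0.2.10", "dst": "198.51.100.20", "flags": {"URG", "PSH", "FIN"}},
    {"ts": 5.0, "src": "192.0.2.10", "dst": "198.51.100.20", "flags": {"SYN", "ECE"}},
    {"ts": 0.5, "src": "192.0.2.11", "dst": "198.51.100.20", "flags": {"SYN"}},
    {"ts": 0.6, "src": "192.0.2.11", "dst": "198.51.100.20", "flags": {"ACK"}},
    {"ts": 0.7, "src": "192.0.2.11", "dst": "198.51.100.20", "flags": {"PSH", "ACK"}},
    {"ts": 0.9, "src": "192.0.2.11", "dst": "198.51.100.20", "flags": {"FIN", "ACK"}},
    {"ts": 0.0, "src": "192.0.2.12", "dst": "198.51.100.20", "flags": set()},
    {"ts": 50.0, "src": "192.0.2.12", "dst": "198.51.100.20", "flags": {"FIN"}},
    {"ts": 51.0, "src": "192.0.2.12", "dst": "198.51.100.20", "flags": {"URG", "PSH", "FIN"}},
]

if __name__ == "__main__":
    for alert in detect_fingerprinting(SAMPLE_PACKETS):
        print(f"{alert['src']} -> {alert['dst']}: {', '.join(alert['probes'])}")
```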

The four types of probe patterns are:

Sequential Probe. This method scans a linear set of ports as defined by the start/end port numbers over a linear set of IP addresses as defined by the IP address range settings.

Probe Port List. This mode probes only the ports listed in the Port List. This mode probes either a single host or a range of IP addresses based on the selection made in the Probe Single Host/Probe IP Range radio button group. It probes each host sequentially, that is the first, then the second etc., using the list of port numbers shown in the Port List.

Sequential Port Probe Using the Target List. This mode probes every port using the Starting through ending port range on every computer in the target list.

Probe a List of Ports on a List of Targets. This mode is the stealthiest and uses the least CPU time and bandwidth, because scanning is restricted to only the target ports on the target machines.

The tool also includes Ping before probe. This option allows the attacker to skip (automatically or by user response to a message) hosts that do not respond to pings. He can control the number of threads used to probe the host and the delay between launching each thread. He can also vary the amount of time to wait for a response to a probe of the port and the amount of time to wait after a connection for a banner to be sent.

Ethical Hacker and Scanning Tools

Can an ethical hacker simulate the scanning techniques to ensure the security of the network? The first and foremost armor is knowledge itself. The results of a scanner can be misleading if the ethical hacker does not have a good knowledge of common vulnerabilities, commonly affected hosts, and patterns indicating misuse.

Apart from this, performing an exhaustive scan against all the systems in a large enterprise is usually not feasible due to network constraints, the stability of the backbone and scanned systems, and the dynamic nature of network deployments (wireless, DHCP, etc.). Therefore, scanning alone does not make a security check complete.

Tool: ipEye, IPSecScan

ipEye is a command-line driven port scanner written by Arne Vidstrom. It is a lightweight, powerful tool bearing similarities to the command shell tools seen on UNIX. However, this port scanner is restricted to the Windows platform (2000 and XP). Another drawback of this tool is that the hacker needs to know the specific IP before he can initiate a scan.

The basic usage for ipEye is:

ipEye <target IP> <scantype> -p <from port> <to port> [optional parameters]

The scantype parameter can take the values -syn (SYN scan), -fin (FIN scan), -null (Null scan) and -xmas (Xmas scan).

However, the FIN, Null and Xmas scans don't work against Windows systems; of these scan types, only the SYN scan is valid when scanning a Windows system. Given a valid IP address, ipEye scans the requested ports and reports one of the following results for each port:

"Closed" indicates that there is a computer on the other end, but there is no service that listens at the port.

"Reject" indicates the presence of a firewall or packet filtering device (sending a reset back) protecting the port.

"Drop" indicates the presence of a firewall or packet filtering device that drops packets directed to port, or it indicates that the particular system is not alive on the target network.

"Open" indicates that there is a service listening at the port.



                                                    

Note in the above scan we see ports 135 and 139 as open.

 

       
Let us see the same scan done with IPSecScan. IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.



In the scan above we have specified a range of IP addresses from 192.168.2.1 to 192.168.2.118. Note that the scan returns "Disabled" for some IPs, such as 192.168.2.1. This indicates that the system either doesn't support IPSec, has IPSec disabled, or is configured not to reveal that it has IPSec enabled.


IPsec is short for IP Security. It is a set of protocols developed by the IETF to support the secure exchange of packets at the IP layer.

IPsec = AH + ESP + IPcomp + IKE

Authentication Header (AH) provides an authenticity guarantee for packets by attaching a strong cryptographic checksum to each packet. If a packet is received with AH and the checksum verification succeeds, it indicates that the packet originated from the expected peer (it was not generated by an impersonator) and that it was not modified in transit. Unlike other protocols, AH covers the whole packet, from the IP header to the end of the packet.

Encapsulating Security Payload (ESP) provides a confidentiality guarantee for packets by encrypting them with encryption algorithms. If a packet is received with ESP and is successfully decrypted, it indicates that the packet was not wiretapped in the middle, provided that the sender and the receiver share a secret key and no other party knows the key.

ESP provides an encryption service for packets. However, encryption tends to have a negative impact on compression on the wire (such as PPP compression). IP Compression (IPcomp) provides a way to compress a packet before it is encrypted by ESP.

As discussed above, AH and ESP need a shared secret key between peers. For communication between distant locations, there must be a way to negotiate keys in secrecy. Internet Key Exchange (IKE) makes this possible.

IPsec has been deployed widely to implement Virtual Private Networks (VPNs). IPsec supports two encryption modes: Transport and Tunnel.

Transport mode encrypts only the data portion (payload) of each packet but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.

For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates.

Note: the security of the IPsec protocols depends on the secrecy of the secret keys. If the secret keys are compromised, the IPsec protocols can no longer be secure.

Reference for readers: old IPsec suite - RFC 1825; new IPsec suite - RFC 2401.
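To make concrete what "AH covers the whole packet, from the IP header to the end" means in practice, here is an added example (my own code, not from the original post and not from any IPsec implementation) that builds an IPv4 packet carrying an Authentication Header, computes the HMAC-SHA1-96 integrity check value (ICV) the way the AH specification (RFC 2402, later RFC 4302) prescribes, with the mutable IP header fields (TOS, flags/fragment offset, TTL, header checksum) zeroed before hashing, and then verifies it. The key, addresses and payload are constructed, and build_ah_packet / verify_ah_packet are this example's own function names.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51          # IP protocol number for AH
ICV_LEN = 12           # HMAC-SHA1-96: 160-bit MAC truncated to 96 bits
AH_FIXED_LEN = 12      # next header, payload len, reserved, SPI, sequence number
KEY = b"constructed-demo-key-do-not-reuse"   # the peers' shared secret (constructed)


def build_ipv4_header(src, dst, total_len, proto, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options. The header checksum is left at zero;
    a real stack fills it in, and AH treats it as mutable in any case."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000                      # DF flag set, fragment offset 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag,
                       ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def zero_mutable_ipv4(hdr):
    """AH authenticates the IP header too, but the fields that routers
    legitimately change in transit are zeroed before the MAC is computed."""
    h = bytearray(hdr)
    h[1] = 0                   # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"       # flags + fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """MAC over the whole packet with the ICV field itself set to zero."""
    covered = zero_mutable_ipv4(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, next_header, payload, spi=0x1000, seq=1, ttl=64):
    """Transport-mode AH: IP header | AH | original upper-layer payload."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip_hdr = build_ipv4_header(src, dst, 20 + ah_len + len(payload), AH_PROTO, ttl)
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 4302 section 2.2)
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_packet(key, pkt):
    """Recompute the ICV with the shared key and compare in constant time."""
    ip_hdr, rest = pkt[:20], pkt[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTO:
        return False
    ah_fixed = rest[:AH_FIXED_LEN]
    icv = rest[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
    payload = rest[AH_FIXED_LEN + ICV_LEN:]
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah_fixed, payload), icv)


def demo():
    """Returns verdicts for (genuine, payload tampered, TTL decremented, wrong key)."""
    pkt = build_ah_packet(KEY, "192.168.2.1", "192.168.2.10", 17, b"constructed UDP payload")
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                     # one payload bit flipped in transit
    routed = bytearray(pkt)
    routed[8] -= 1                           # a hop decremented TTL: still verifies
    return (verify_ah_packet(KEY, pkt),
            verify_ah_packet(KEY, bytes(tampered)),
            verify_ah_packet(KEY, bytes(routed)),
            verify_ah_packet(b"some-other-key", pkt))


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The last verdict is the note above in code form: without the shared key the receiver cannot distinguish a genuine packet from a forged one, and anyone who obtains the key can produce packets that verify.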


What is Nslookup?

    * Nslookup is a program to query Internet domain name servers. It displays information that can be used to diagnose Domain Name System (DNS) infrastructure.
    * It helps find additional IP addresses if the authoritative DNS server is known from whois.
    * The MX record reveals the IP of the mail server.
    * Both Unix and Windows come with an Nslookup client.
    * Third-party clients are also available, e.g. Sam Spade.

Nslookup employs the domain name delegation method when used on the local domain. For instance, typing 'hr.targetcompany.com' will query for that particular name and, if it is not found, will go one level up to find 'targetcompany.com'. To query a host name outside the domain, a fully qualified domain name (FQDN) must be typed.

The attacker can use the dig and host commands to obtain more information on UNIX systems.
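The MX lookup mentioned above is, on the wire, a small binary DNS message. The following is an added example (my own code, not nslookup's and not from the original post) that builds a DNS MX query for targetcompany.com and parses a constructed response carrying two MX answers plus an additional A record, including the name compression pointers that make such responses hard to read by hand. The host names, addresses and transaction ID are constructed for the example.

```python
import struct

QTYPE_A, QTYPE_MX = 1, 15
QCLASS_IN = 1


def encode_name(name):
    """'mail.targetcompany.com' -> b'\\x04mail\\x0dtargetcompany\\x03com\\x00'"""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query with the Recursion Desired bit set and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg, offset):
    """Read a possibly compressed name; returns (name, offset after the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # the name occupies 2 bytes here
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_rr(msg, offset):
    """Parse one resource record starting at offset."""
    name, offset = decode_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlen]
    if rtype == QTYPE_MX:
        preference = struct.unpack("!H", rdata[:2])[0]
        exchange, _ = decode_name(msg, offset + 2)     # may point back into the message
        data = (preference, exchange)
    elif rtype == QTYPE_A:
        data = ".".join(str(b) for b in rdata)
    else:
        data = rdata
    return {"name": name, "type": rtype, "ttl": ttl, "data": data}, offset + rdlen


def parse_response(msg):
    """Split a DNS reply into its answer, authority and additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    result = {"txid": txid, "rcode": flags & 0xF}
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            rr, offset = parse_rr(msg, offset)
            records.append(rr)
        result[section] = records
    return result


def constructed_response():
    """A hand-built reply to build_query('targetcompany.com', QTYPE_MX):
    two MX answers and one additional A record, using compression pointers."""
    question = encode_name("targetcompany.com") + struct.pack("!HH", QTYPE_MX, QCLASS_IN)
    owner = b"\xC0\x0C"                                # pointer to the question name at offset 12
    mx1 = struct.pack("!H", 10) + b"\x04mail" + owner  # mail.targetcompany.com
    mx2 = struct.pack("!H", 20) + b"\x05mail2" + owner
    answers = (owner + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, 3600, len(mx1)) + mx1 +
               owner + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, 3600, len(mx2)) + mx2)
    # the "mail" label of the first answer sits at offset 12 + 23 + 12 + 2 = 49 (0x31)
    a_rec = b"\xC0\x31" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4) + bytes([192, 168, 2, 25])
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
    return header + question + answers + a_rec


def mail_servers(msg):
    """MX exchanges ordered by preference (lowest first), as nslookup lists them."""
    mx = [rr["data"] for rr in parse_response(msg)["answers"] if rr["type"] == QTYPE_MX]
    return [host for _, host in sorted(mx)]
```

The additional section is where a helpful server returns the A record of the mail exchanger, which is why a single MX query often yields the mail server's IP address directly.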


What is ITIL and Disciplines of ITILv2 and ITSM and IT Service management

ISO/IEC 20000: the standard against which 'Service Management' capabilities are audited and certified.
ITIL: provides the body of knowledge for achieving the above standard.
ITIL: a public framework that describes best practice in ITSM.

What is ITIL

    * ITIL is the collection of best practices of IT service management
    * It can be implemented in any IT organization
    * ITIL focuses on the management of IT services
    * In the IT life cycle, 70-80 % of time & cost is spent on the operational phase
    * ITIL does not dictate to any organization what it "should" do
    * It provides a series of options & disciplines which can be implemented by each organization as per its needs & requirements
    * ITIL does not require completely new ways of thinking & acting; it provides a structured context for existing methods & activities to increase the quality of services


Disciplines of ITILv2

    * Service support
    * Service delivery
    * Security management
    * ICT infrastructure management [ICT - Information & communication technology]
    * Application management
    * Planning to implement service management
    * The business perspective
    * Software asset management
    * ITIL small-scale implementation


ITSM - IT Service management
The focus of ITSM is the strategic business value generated by IT.

Two main disciplines

Service support
Service delivery


11 practices of ITSM
 
Service support

   1. Incident management
   2. Problem management
   3. Configuration management
   4. Change management
   5. Release management
   6. Service desk


Service delivery

   1. Service level management
   2. Capacity management
   3. Service continuity management
   4. Availability management
   5. Financial management for IT services

---

Benefits of ITIL

Reduced cost by improving processes
Improved IT services in terms of quality
Improved customer satisfaction
Documented processes & procedures
Improved productivity by focusing on the required areas
Improved use of staff skills & experience



Benefits of ITIL to customer & user

Become more customer-focused instead of more technology-focused
Services are described in customer language rather than in technical language
Quality, availability, reliability & cost of services are managed better
More focus on corporate objectives rather than on technology
Improved communication between IT & the business customer by specifying a SPOC (single point of contact)



Problems

Can take a long time to implement
Results come very slowly
Lack of commitment can hamper the process
Lack of training

Thursday, December 24, 2009

What is ITIL - A brief introduction

§ ITIL is the collection of best practices of IT service management
§ It can be implemented in any IT organization
§ ITIL focuses on the management of IT services
§ In the IT lifecycle, 70-80 % of time & cost is spent on the operational phase
§ ITIL does not dictate to any organization what it "should" do
§ It provides a series of options & disciplines which can be implemented by each organization as per its needs & requirements
§ ITIL does not require completely new ways of thinking & acting; it provides a structured context for existing methods & activities to increase the quality of services

§ Service Delivery - Setting up agreements & monitoring targets

§ Service Support - Delivers services as specified in the agreements

Tuesday, December 22, 2009

Footprinting - Attack Methods

Attack Methods

The attacker may choose to source the information from:

* A web page (save it offline, e.g. using an offline browser such as Teleport Pro)
* Yahoo or other directories (Tifny is a comprehensive search tool for USENET newsgroups)
* Multiple search engines (All-in-One, Dogpile); groups.google.com is a great resource for searching large numbers of newsgroup archives without having to use a tool
* Advanced search (e.g. AltaVista)
* Searches on publicly traded companies (e.g. EDGAR)
* Dumpster diving (to retrieve documents that have been carelessly disposed of)
* Physical access (false ID, temporary/contract employees, unauthorized access, etc.)

There are four RIRs, each maintaining a whois database holding details of IP address registrations in their regions. The RIR whois databases are:

* ARIN (North America and sub-Saharan Africa)
* APNIC (Asia Pacific region)
* LACNIC (Southern and Central America and Caribbean)
* RIPE NCC (Europe and northern Africa)

Tools

There are tools available to aid a whois lookup. Some of them are Sam Spade (downloadable from www.samspade.org), SmartWhois (downloadable from www.tamos.com), Netscan (downloadable from www.netscantools.com) and GTWhois (Windows XP compatible, www.geektools.com), etc.






Sunday, December 20, 2009

What is Footprinting?

Defining Footprinting

    * Footprinting is the blueprinting of the security profile of an organization, undertaken in a methodical manner.
    * Footprinting is one of the three pre-attack phases. The others are scanning and enumeration.
    * Footprinting results in a unique organization profile with respect to the networks (Internet / Intranet / Extranet / Wireless) and systems involved.

There is no single methodology for footprinting, as a hacker can choose several routes to trace the information. Footprinting therefore needs to be carried out precisely and in an organized manner. The information unveiled at various network levels can include details of domain names, network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, access control mechanisms and related lists, phone numbers, contact addresses, authentication mechanisms and system enumeration.

The information gathering activity can be broadly divided into seven phases:

          o The attacker would first unearth initial information (such as the domain name),
          o locate the network range of the target system (using tools such as Nslookup, whois, etc.),
          o ascertain the active machines (for instance by pinging the machines),
          o discover open ports or access points (using tools such as port scanners),
          o detect operating systems (for instance by querying with telnet),
          o uncover services on ports, and
          o ultimately map the network.

This not only speeds up the real attack process, but also helps the attacker prepare better for covering his tracks and thereby leave a smaller or minimal footprint.

Initial Information commonly includes:
          o Domain name lookup
          o Locations
          o Contacts (telephone / mail)

Information Sources:
          o Open source
          o Whois
          o Nslookup

Hacking Tool:
          o Sam Spade

Open source footprinting is the easiest and safest way to go about finding information about a company: information that is available to the public, such as phone numbers, addresses, etc. Performing whois requests and searching through DNS tables are other forms of open source footprinting. Most of this information is fairly easy to get, and within legal limits. One easy way to check for sensitive information is to check the HTML source code of the website for links, comments, meta tags, etc.

Saturday, December 19, 2009

What do Ethical Hackers do?

    * "If you know the enemy and know yourself, you need not fear the result of a hundred battles." - Sun Tzu, Art of War
    * Ethical hackers try to answer:
          o What can the intruder see on the target system? (Reconnaissance and Scanning phases of hacking)
          o What can an intruder do with that information? (Gaining Access and Maintaining Access phases)
          o Does anyone at the target notice the intruder's attempts or success? (Reconnaissance and Covering Tracks phases)
    * If hired by an organization, an ethical hacker asks the organization what it is trying to protect, against whom, and what resources it is willing to expend in order to gain protection.

Hacktivism

    * Refers to 'hacking with / for a cause'.
    * Comprises hackers with a social or political agenda.
    * Aims at sending across a message through their hacking activity and gaining visibility for their cause and themselves.
    * Common targets include government agencies, MNCs, or any other entity perceived as 'bad' or 'wrong' by these groups / individuals.
    * It remains a fact, however, that gaining unauthorized access is a crime, no matter what the intent.


Hacker Classes - Black hats, White Hats, Gray Hats,

Continuing to my old post who-are-hackers.html

Hacker Classes

    * Black hats
          o Individuals with extraordinary computing skills, resorting to malicious or destructive activities. Also known as 'Crackers'.
    * White Hats
          o Individuals professing hacker skills and using them for defensive purposes. Also known as 'Security Analysts'.
    * Gray Hats
          o Individuals who work both offensively and defensively at various times.
    * Ethical Hacker Classes
          o Former Black Hats
                + Reformed crackers
                + First-hand experience
                + Lesser credibility perceived
          o White Hats
                + Independent security consultants (maybe groups as well)
                + Claim to be knowledgeable about black hat activities
          o Consulting Firms
                + Part of ICT firms
                + Good credentials

Hacking Phase 5 - Covering Tracks

Phase 5 - Covering Tracks

    * Covering Tracks refers to the activities undertaken by the hacker to extend his misuse of the system without being detected.
    * Reasons include the need for a prolonged stay, continued use of resources, removing evidence of hacking, avoiding legal action, etc.
    * Examples include steganography, tunneling, altering log files, etc.
    * Hackers can remain undetected for long periods or use this phase to start a fresh reconnaissance of a related target system.

Hacking Phase 4 - Maintaining Access

Phase 4 - Maintaining Access

    * Maintaining Access refers to the phase when the hacker tries to retain his 'ownership' of the system.
    * The hacker has exploited a vulnerability and can tamper with and compromise the system.
    * Sometimes, hackers harden the system against other hackers as well (to own the system) by securing their exclusive access with backdoors, rootkits, Trojans and Trojan horse backdoors.
    * Hackers can upload, download or manipulate data / applications / configurations on the 'owned' system.

Hacking Phase 3 - Gaining Access - The hacker exploits the system

Phase 3 - Gaining Access

    * Gaining Access refers to the true attack phase. The hacker exploits the system.
    * The exploit can occur over a LAN, locally, over the Internet, offline, as a deception or as theft. Examples include stack-based buffer overflows, denial of service, session hijacking, password filtering, etc.
    * Influencing factors include the architecture and configuration of the target system, the skill level of the perpetrator and the initial level of access obtained.
    * Business Risk - 'Highest' - The hacker can gain access at the operating system level, application level or network level.

Thursday, December 17, 2009

Hacking Phase 2 - Scanning

Phase 2 - Scanning

    * Scanning refers to the pre-attack phase when the hacker scans the network with the specific information gathered during reconnaissance.
    * Business Risk - 'High' - Hackers have to get a single point of entry to launch an attack, and this could be the point of exploit when a vulnerability of the system is detected.
    * Scanning can include the use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, etc.

Wednesday, December 16, 2009

Hacking Phase 1 - Reconnaissance

    * Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack. It involves network scanning, either external or internal, without authorization.
    * Business Risk - To see if someone is watching and responding. Could be a future point of return when noted for ease of entry for an attack, once more is known on a broad scale about the target.
    * Passive reconnaissance involves monitoring network data for patterns and clues.
          o Examples include sniffing, information gathering, etc.
    * Active reconnaissance involves probing the network to detect
          o accessible hosts
          o open ports
          o location of routers
          o details of operating systems and services

Essential Terminology

    * Threat - An action or event that might prejudice security. A threat is a potential violation of security.
    * Vulnerability - The existence of a weakness, design or implementation error that can lead to an unexpected, undesirable event compromising the security of the system.
    * Target of Evaluation - An IT system, product, or component that is identified/subjected as requiring security evaluation.
    * Attack - An assault on system security that derives from an intelligent threat. An attack is any action that attempts to violate or violates security.
    * Exploit - A defined way to breach the security of an IT system through a vulnerability.



THIS IS THE FIRST POST IN LEARN HACKING

YOUR ETHICAL HACKING COURSE STARTS NOW

Can Hacking Be Ethical?

    * The noun 'hacker' refers to a person who enjoys learning the details of computer systems and stretching their capabilities.
    * The verb 'hacking' describes the rapid development of new programs or the reverse engineering of already existing software to make the code better and more efficient.
    * The term 'cracker' refers to a person who uses his hacking skills for offensive purposes.
    * The term 'ethical hacker' refers to security professionals who apply their hacking skills for defensive purposes.

Now it's all up to you how you want to take it.


WITH THIS POST YOUR INTRODUCTION TO HACKING IS FINISHED. NOW YOU WILL START LEARNING HACKING FULLY FOR FREE. IF YOU WANT TO BECOME A GOOD HACKER, LEARN WITH COMPLETE CONCENTRATION, SO YOU NEVER GET BORED LEARNING ETHICAL HACKING ONLINE.