VirtualBox Guest Additions | SuSE Install

10 Jul

VirtualBox (now Sun xVM) Guest Additions are a set of drivers and utilities, shipped as part of VirtualBox, that are installed inside a guest machine to improve its performance and its integration with the rest of the product.

If you are running openSUSE as a guest OS and want to install the VirtualBox Guest Additions, follow the procedure below.

Install GNU C Compiler, Make and Kernel Source

The VirtualBox Guest Additions require the GNU C compiler, the make utility and the kernel-source package, so install them if they are not already present.

Switch user to Root and install the packages

user@opensuse:~> su -

password:

opensuse:~# yast2 --install gcc gcc-c++ make kernel-source

This installs the GNU C, C++ compilers, Kernel-Source package and the make utility.

Now, from the host, open the guest's VirtualBox Devices menu and click “Install Guest Additions…”. This mounts a virtual CD volume on the openSUSE guest under

/media/cdrom/VBOXADDITIONS_<version>

here it is:

/media/cdrom/VBOXADDITIONS_1.6.2_31466

Change directory to that location and run the install script:

opensuse:~# cd /media/cdrom/VBOXADDITIONS_1.6.2_31466/

opensuse:~# ./VBoxLinuxAdditions.run all

This should install the VirtualBox Guest Additions. Now restart the openSUSE guest OS for the additions to take effect. The Guest Additions improve guest performance and user experience including display settings etc.


NMAP 2 XML | Generate NMAP Reports

12 Jun

I was looking for a technique outside of Metasploit’s db_nmap command, which stores NMAP results in a database for later analysis, that enables me to generate some kind of reporting on scanned hosts.

Enter NMAP’s -oX switch. Coupled with the default style sheet at http://insecure.org/nmap/data/nmap.xsl, it produces an XML report that a browser renders as HTML:

nmap -A -oX scanreport.xml --stylesheet http://insecure.org/nmap/data/nmap.xsl www.example.com

 

  • xsltproc is the first external tool. It applies an XSLT stylesheet to the NMAP results as follows: xsltproc nmap-output.xml -o nmap-output.html
  • Saxon, a similar XSLT processor. You can try it as follows: java -jar saxon9.jar -s:nmap-output.xml -o:nmap-output.html
  • xalan-java, an XSLT processor for transforming XML documents into HTML, text, or other XML document types. You can try it as follows: java -jar xalan.jar -IN nmap-output.xml -OUT nmap-output.html
  • PowerShellScript. This script converts an XML file into a .NET object with properties. Perfect if you need to write software that takes the NMAP XML output format as input, for example if you are building your own report software or an NMAP wrapper.
  • NMAP-XML Flat File converts the NMAP XML file format into an HTML or Excel table. It’s written in Java and is pretty “download ‘n run”: java XMLNMAPReader nmap-output.xml > OutputFile.[html/xls]
  • PBNJ. It does much more than parse NMAP XML, but for this post the point is that it can save an NMAP XML file into a database.
  • NMAP2DB is a great tool for populating SQLite databases with NMAP results.
  • Ruby Nmap Parser Library. A great library for Rubyists providing a Ruby interface to Nmap’s scan data. It can run Nmap and parse its XML output directly from the scan, parse a file containing the XML data from a separate scan, parse a String of XML data from a scan, or parse XML data from an object via its read() method.

10 NMAP Examples

12 Jun

Using NMAP for a current project, I wanted to identify more than just basic scan techniques. Here are 10 examples of NMAP in action:

Get info about remote host ports and OS detection
nmap -sS -P0 -sV -O <target>

Where <target> may be a single IP, a hostname or a subnet

-sS TCP SYN scanning (also known as half-open, or stealth scanning)

-P0 option allows you to switch off ICMP Pings

-sV option enables version detection

-O flag attempts to identify the remote operating system

Other options:

-A option enables both OS fingerprinting and version detection

-v use -v twice for more verbosity.

nmap -sS -P0 -A -v <target>

Get list of servers with a specific port open

nmap -sT -p 80 -oG - 192.168.1.* | grep open

Change the -p argument for the port number. See “man nmap” for different ways to specify address ranges.

Find all active IP addresses in a network
nmap -sP 192.168.0.*

There are several other options. This one is plain and simple.

Another option is:

nmap -sP 192.168.0.0/24

for specific subnets.

Ping a range of IP addresses
nmap -sP 192.168.1.100-254

nmap accepts a wide variety of addressing notation, multiple targets/ranges, etc.

Find unused IPs on a given subnet
nmap -T4 -sP 192.168.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp

Very useful when you require a free ip on a target network.

Scan for the Conficker virus on your LAN etc.
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.0.1-254

Replace 192.168.0.1-256 with the IPs you want to check. The --script= option is very useful if you start to toy with the multitude of NMAP vulnerability scripts out there.

Scan Network for Rogue APs.
nmap -A -p1-85,113,443,8080-8100 -T4 --min-hostgroup 50 --max-rtt-timeout 2000 --initial-rtt-timeout 300 --max-retries 3 --host-timeout 20m --max-scan-delay 1000 -oA wapscan 10.0.0.0/8

I’ve used this scan to successfully find many rogue APs on a very, very large network.

Use a decoy while scanning ports to avoid getting caught by the sys admin
sudo nmap -sS 192.168.0.10 -D 192.168.0.2

Scan for open ports on the target device/computer (192.168.0.10) while setting up a decoy address (192.168.0.2). This will show the decoy IP address instead of your IP in the target's security logs. The decoy address needs to be alive. Check the target's security log at /var/log/secure to make sure it worked.

List of reverse DNS records for a subnet
nmap -R -sL 209.85.229.99/27 | awk '{if($3=="not")print"("$2") no PTR";else print$3" is "$2}' | grep '('

This command uses nmap to perform reverse DNS lookups on a subnet. It produces a list of IP addresses with the corresponding PTR record for a given subnet. You can enter the subnet in CIDR notation (i.e. /24 for a Class C). You could add “--dns-servers x.x.x.x” after the “-sL” if you need the lookups to be performed on a specific DNS server. On some installations nmap needs sudo I believe. Also I hope awk is standard on most distros.

How Many Linux And Windows Devices Are On Your Network?
sudo nmap -F -O 192.168.0.1-255 | grep "Running: " > /tmp/os; echo "$(cat /tmp/os | grep Linux | wc -l) Linux device(s)"; echo "$(cat /tmp/os | grep Windows | wc -l) Window(s) devices"

Hope you have fun, and remember don’t practice these techniques on machines or networks that are not yours.

How to install mod_security | Apache2 | Ubuntu 11.10

3 Apr
What is mod_security?
Mod_security is a filter for requests and responses sent to and from an Apache web server. It is the “snort” of web applications. Check out their official website for more details: modsecurity.org.

As an example, let's say “super haxor” starts up their kiddie “Auto Haxs 4000” script and begins to pummel your web server with every known vulnerability for every known web application, perhaps even vulnerabilities that are not known to the public. As mod_security parses each request to your web server, it matches super haxor’s requests against patterns that indicate attempts at SQL injection, command injection, XSS attacks, etc., and it displays a generic error message. The attack attempts from super haxor never touch your web application.

In another scenario, Paul and Larry are doing a penetration test on your web server. They find a page that produces a 404 error, hoping to get the details of the operating system and web server in order to gather information about the box. As the response is returned to Paul and Larry, mod_security matches the server information in the response and changes it to a generic, administrator defined message.

mod_security adds another layer of protection to your web server and frees up your time usually spent surfing apache logs.

How do I install mod_security?

This guide covers installing mod_security on Ubuntu 11.10 for Apache 2. In this example, we are going to install from source.

Use the Source

Download the latest mod_security tarball from the mod_security site (modsecurity downloads). You only need the current modsecurity-apache archive.

Now get the necessary packages for compiling mod_security on Ubuntu with this command:

$ sudo apt-get install automake g++ apache2-threaded-dev dpkg-dev libxml2 libxml2-dev

Now compile and install mod_security with the following commands:

$ cd <modsecurity download directory>/apache2
$ ./configure
$ make
$ sudo make install

Apache Conf Files

Now that the mod_security binary is installed in your Apache 2 modules folder, we have to make a few configuration files so that Apache knows to use the module.

Create a file called /etc/apache2/mods-available/security2.load with the following contents:

LoadFile /usr/lib/libxml2.so 
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so 
<IfModule !mod_security2.c> 
error_mod_security2_is_not_loaded 
</IfModule>
<IfModule mod_security2.c>
Include /etc/apache2/modsecurity_crs/*.conf 
</IfModule> 

Next create a /etc/apache2/modsecurity_crs directory and move all of the Core Rules into it. Be aware that some of the optional rules explained later on may require some of the .data files in addition to the .conf files.

$ sudo mkdir /etc/apache2/modsecurity_crs
$ sudo cp -R <mod_security download directory>/rules/*.conf /etc/apache2/modsecurity_crs/

You should now take a look at the rule files to make sure the settings are as you like them. For the most part I only modified lines in the modsecurity_crs_10_config.conf file. This file allows you to enable different portions of the engine. I enabled the directives to scan all XML content. In particular you will want to look at the paths where mod_security stores its log files. I changed all of the log directories to the following:

SecUploadDir /var/log/modsecurity/SecUploadDir 
SecAuditLog /var/log/modsecurity/SecAuditLog/modsec_audit.log 
SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir 
SecDebugLog /var/log/modsecurity/SecDebugLog/modsec_debug.log 
SecDataDir /var/log/modsecurity/SecDataDir 
SecTmpDir /var/log/modsecurity/SecTmpDir 

After the settings were made I created the directories and set proper permissions with the following commands:

$ sudo mkdir /var/log/modsecurity
$ sudo mkdir /var/log/modsecurity/SecDataDir
$ sudo mkdir /var/log/modsecurity/SecTmpDir
$ sudo mkdir /var/log/modsecurity/SecUploadDir
$ sudo mkdir /var/log/modsecurity/SecAuditLog
$ sudo mkdir /var/log/modsecurity/SecAuditLogStorageDir
$ sudo mkdir /var/log/modsecurity/SecDebugLog
$ sudo chown -R www-data:www-data /var/log/modsecurity
$ sudo chmod -R a-rwx /var/log/modsecurity/
$ sudo chmod -R u+rwx /var/log/modsecurity/

There are also some other rule sets in the modsecurity-apache_2.1.5/rules/optional_rules/ directory. You may want to take a look at them and place them into your /etc/apache2/modsecurity_crs/ if desired.

Enable and Test

You should now have everything in place to run Apache 2 with mod_security. It is time to enable the module and restart apache.

$ sudo a2enmod security2
$ sudo /etc/init.d/apache2 reload

Hopefully Apache 2 restarts fine with no errors. Once Apache 2 has restarted, go ahead and test your web application with mod_security enabled. If you find that your web application is now working improperly, you can debug the mod_security rule that is blocking it by taking a look at the audit log and using the fabulous web application debugging tool Firebug.
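When a legitimate page starts returning 403 after the Core Rules are enabled, the question is which rule fired. The following added example (my own code, not part of the original post or of mod_security) parses the serial audit log that SecAuditLog points at: each transaction is delimited by --<id>-<letter>-- markers, section A carries the timestamp and addresses, B the request, F the response status line and H the Message: lines with the [id "..."] and [msg "..."] tags of the rules that matched. SAMPLE_AUDIT_LOG is a constructed excerpt; the rule id 999123, the file path, the addresses and the unique ids in it are made up.

```python
"""Summarise a mod_security serial audit log: which rule blocked which request.

Added example, not part of the original post or of mod_security. SAMPLE_AUDIT_LOG
is a constructed excerpt in the serial audit-log layout (sections A, B, F, H, Z
between --<id>-<letter>-- markers); its rule id, paths, addresses and unique ids
are made up.
"""
import re
from collections import Counter, defaultdict

SAMPLE_AUDIT_LOG = """--8a7b6c5d-A--
[10/Apr/2012:22:15:03 +0000] T4TZB38AAQEAAGvXA1EAAAAA 203.0.113.9 51234 198.51.100.4 80
--8a7b6c5d-B--
GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1
Host: www.example.test
User-Agent: constructed-sample

--8a7b6c5d-F--
HTTP/1.1 403 Forbidden
Content-Length: 294

--8a7b6c5d-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:or)" at ARGS:id. [file "/etc/apache2/modsecurity_crs/sample_sqli.conf"] [line "42"] [id "999123"] [msg "SQL Injection Attack (sample rule)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Producer: ModSecurity for Apache/2.1.5 (http://www.modsecurity.org/)
Server: Apache
--8a7b6c5d-Z--

--1f2e3d4c-A--
[10/Apr/2012:22:15:09 +0000] T4TZCX8AAQEAAGvXA1IAAAAB 192.0.2.77 40001 198.51.100.4 80
--1f2e3d4c-B--
GET /about.html HTTP/1.1
Host: www.example.test

--1f2e3d4c-F--
HTTP/1.1 200 OK
Content-Length: 1024

--1f2e3d4c-H--
Producer: ModSecurity for Apache/2.1.5 (http://www.modsecurity.org/)
Server: Apache
--1f2e3d4c-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Section A: [timestamp] unique_id source_ip source_port dest_ip dest_port
A_LINE_RE = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
# [key "value"] tags that mod_security appends to each Message: line
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_audit_log(text):
    """Split the serial log into {transaction_id: {section_letter: [lines]}}."""
    transactions = defaultdict(lambda: defaultdict(list))
    current = None
    for line in text.splitlines():
        marker = SECTION_RE.match(line)
        if marker:
            tx_id, letter = marker.groups()
            current = None if letter == "Z" else (tx_id, letter)  # Z closes the transaction
            continue
        if current is not None:
            transactions[current[0]][current[1]].append(line)
    return transactions


def summarize(transactions):
    """One record per transaction: client, request line, status code, matched rules."""
    records = []
    for tx_id, sections in transactions.items():
        header = A_LINE_RE.match(sections["A"][0]) if sections.get("A") else None
        request_line = sections["B"][0] if sections.get("B") else ""
        status_line = sections["F"][0] if sections.get("F") else ""
        rules = []
        for line in sections.get("H", []):
            if line.startswith("Message:"):
                tags = dict(TAG_RE.findall(line))
                rules.append((tags.get("id", "?"), tags.get("msg", ""), tags.get("severity", "")))
        records.append({
            "tx_id": tx_id,
            "client": header.group(3) if header else "",
            "request": request_line,
            "status": int(status_line.split()[1]) if status_line else None,
            "rules": rules,
        })
    return records


def blocked_rule_counts(records):
    """How often each rule id intercepted a request; the first place to look when a
    legitimate page is blocked after enabling the Core Rules."""
    counts = Counter()
    for record in records:
        if record["status"] == 403:
            for rule_id, _msg, _severity in record["rules"]:
                counts[rule_id] += 1
    return counts


if __name__ == "__main__":
    for record in summarize(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(record["client"], record["status"], record["request"],
              [rule_id for rule_id, _, _ in record["rules"]])
```

Run it against the real file with summarize(parse_audit_log(open(path).read())); blocked_rule_counts gives the rule ids to tune first. Only the serial (single-file) layout is handled; with SecAuditLogType Concurrent each transaction is written to its own file under SecAuditLogStorageDir.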

Lastly

You may also need to enable mod_unique_id, as my error.log for Apache was throwing out this requirement. This can be done by:

$ sudo a2enmod unique_id
$ sudo /etc/init.d/apache2 reload

Conclusion

If you are deploying an Apache 2 server that is going to be running any sort of web application, I highly recommend that you take a look at mod_security. The hour you spend installing it could save you from a lawsuit or embarrassing explanations to your customers.

Setup L2TP/IPSec VPN | Ubuntu

23 Mar
Configure L2TP/IPSec VPN on Ubuntu

I need a working L2TP/IPSec VPN for my MacBook and iPhone. I used to have PPTP since it is easy to configure. However, by nature, VPNs without security are prone to “sniffing”. The extra security of IPSec is nice to have. You need several components in order to run L2TP/IPSec.

IPSec

IPSec encrypts your IP packets to provide encryption and authentication, so no one can decrypt or forge data between your Mac/iPhone and your server. openswan is the preferred daemon to run IPSec. Install it on your Ubuntu server:

$ sudo aptitude install openswan 

There are several ways to handle encryption for IPSec. I use Pre-Shared Key since it is easy to tweak. Change /etc/ipsec.conf to this:

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.SERVER.IP.ADDRESS
    leftnexthop=YOUR.SERVER.EXTERNAL.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any


and change /etc/ipsec.secrets to

YOUR.SERVER.IP.ADDRESS %any: PSK "YourSharedSecret" 

Remember to change YOUR.SERVER.IP.ADDRESS and YourSharedSecret accordingly. Run the following commands, as root, so that openswan stops complaining (the loop disables ICMP redirects on every interface):

for each in /proc/sys/net/ipv4/conf/* 
do 
 echo 0 > $each/accept_redirects 
 echo 0 > $each/send_redirects 
done 

Check if IPSec is correctly setup

$ sudo ipsec verify 

Don’t worry about the disabled Opportunistic Encryption Support. Just make sure other checks are passed OK. Then restart openswan by running

$ sudo /etc/init.d/ipsec restart 

Now you can add a L2TP/IPSec connection on your OS X and see if IPSec is working. Use whatever account and password. We are not there yet. The only thing you need to make sure is that you connect to the right server with the right shared secret as specified in /etc/ipsec.secrets on your server. Monitor /var/log/system.log on your OS X by running

$ tail -f /var/log/system.log 

while OS X is trying to connect to your server via L2TP/IPSec. It will fail eventually because we haven’t configured L2TP yet, but if you see a line in the system log saying something like

Apr 30 18:12:48 bender pppd[1507]: IPSec connection established 

IPSec is good to go.

L2TP

L2TP provides a tunnel to send data. It does not provide encryption and authentication though, which is why we need to use it together with IPSec. Interestingly, both Apple and Microsoft tend to refer to L2TP as the secure VPN technology but totally ignore the fact that the security is provided by IPSec. The commonly used L2TP daemon is xl2tpd, from the same guys behind openswan. Install it by running

sudo aptitude install xl2tpd 

Change /etc/xl2tpd/xl2tpd.conf to

[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

ip range is the set of internal IP addresses that will be allocated to connected clients. Make sure it does not overlap with your existing IP addresses, and does not conflict with the ones on the client’s network. Since most home routers use the 172.16.X.X and 192.168.X.X ranges, you might want to avoid those. local ip is the internal IP for the L2TP server. Make sure it is NOT in the ip range allocated to clients.
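The two constraints just stated (local ip outside the client pool, and the pool clear of any network already in use) are easy to get wrong when editing by hand. As an added example, not from the original post or from xl2tpd, the following Python reads the [lns default] section out of an xl2tpd.conf text with configparser and checks both; SAMPLE_CONF is the configuration shown above, and the networks passed to check_addressing are constructed stand-ins for your own LAN prefixes.

```python
"""Check the xl2tpd addressing rules above: local ip outside the client pool, and
the pool clear of networks already in use.

Added example, not from the original post or from xl2tpd. SAMPLE_CONF is the
configuration shown above; the networks handed to check_addressing are constructed
stand-ins for your own LAN prefixes.
"""
import configparser
import ipaddress

SAMPLE_CONF = """[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
"""


def parse_lns(conf_text):
    """Return (first_ip, last_ip, local_ip) from the [lns default] section."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    lns = parser["lns default"]
    first, last = (ipaddress.ip_address(part.strip()) for part in lns["ip range"].split("-"))
    return first, last, ipaddress.ip_address(lns["local ip"].strip())


def check_addressing(conf_text, in_use_networks):
    """Return a list of problems; an empty list means the addressing is consistent."""
    first, last, local_ip = parse_lns(conf_text)
    problems = []
    if first > last:
        problems.append("ip range start %s is after its end %s" % (first, last))
        return problems
    if first <= local_ip <= last:
        problems.append("local ip %s lies inside the client pool" % local_ip)
    # Express the pool as CIDR blocks so it can be compared with existing networks.
    pool = list(ipaddress.summarize_address_range(first, last))
    for network in in_use_networks:
        network = ipaddress.ip_network(network, strict=False)
        if local_ip in network or any(block.overlaps(network) for block in pool):
            problems.append("pool or local ip collides with network in use: %s" % network)
    return problems


if __name__ == "__main__":
    # Constructed example LANs: a typical home router range and the 172.16/12 block.
    print(check_addressing(SAMPLE_CONF, ["192.168.0.0/24", "172.16.0.0/12"]))
    print(check_addressing(SAMPLE_CONF, ["10.1.2.0/24"]))
```

Feed it the text of your real /etc/xl2tpd/xl2tpd.conf plus the prefixes of the server's LAN and of the client networks you expect to connect from; any non-empty result means the pool has to move.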

PPP

I also run a PPTP service using PPP, so I would like to use the same daemon to handle user management. Install ppp by running

$ sudo aptitude install ppp 

if you do not have it. Create this file /etc/ppp/options.xl2tpd with the following content

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Note I am using Google Public DNS in the ms-dns field. If you want to use other DNS servers, change the IP addresses accordingly. Add a test user in /etc/ppp/chap-secrets to try out if L2TP works.

# user   server  password      ip
test     l2tpd   testpassword  *

Now restart xl2tpd by running

$ sudo /etc/init.d/xl2tpd restart 

In addition, if you use iptables for firewalling, make sure it forwards packets so you can browse the Internet after connecting to the VPN. Run the following commands (they need root):

$ sudo iptables --table nat --append POSTROUTING --jump MASQUERADE
$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

Almost Done

Update the L2TP/IPSec VPN connection on your OS X with the test user account and try to connect. If it can connect and authenticate successfully, congrats! You are done. Now go enjoy the better security. However, if you are running Ubuntu 9.10 you will probably have to work a little bit more. openswan 2.6.22 in Ubuntu 9.10 does not play well with xl2tpd (though the older openswan 2.4.x in Debian 5 and Ubuntu 8.04 should be fine): you can connect via IPSec, but it never talks L2TP. You need to upgrade to openswan 2.6.24. As of now there is no ready-made .deb package for you to upgrade. Time to get your hands dirty compiling from source code!

There are known issues in setting up an L2TP/IPSec VPN on a Debian Lenny server. It has openswan 2.4.12. Turns out that version has a bug too, which prevents clients with a changing IP address from connecting with a shared secret. So the best bet right now is to compile openswan 2.6.24 from source.

Compiling Openswan from Source

SSH into your server and choose a temporary directory to do the following

$ sudo aptitude install libgmp3-dev gawk flex bison 
$ wget http://www.openswan.org/download/openswan-2.6.24.tar.gz 
$ tar xf openswan-2.6.24.tar.gz 
$ cd openswan-2.6.24 
$ make programs 
$ sudo make install 

The process might take a while so please be patient. You need a decent Linux kernel (2.6.6+) for this to work. Read openswan-2.6.24/README if you are using Linux kernel 2.4.x or do not want to use Netkey. You do not need the packaged openswan installed by aptitude anymore. Remove it (but keep all config files) by running

$ sudo aptitude remove openswan 

Then restart the openswan installed from source

$ sudo /etc/init.d/ipsec restart 

Try connecting from OS X. It should work now.

One More Thing

For some reason openswan does not start correctly after reboot, so I put the following lines in my /etc/rc.local

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
 echo 0 > $each/accept_redirects
 echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart

Troubleshooting

On the server side you can monitor /var/log/auth.log and see what is going on with the connection. On OS X you can monitor /var/log/system.log. These two should give you enough information to determine which part is malfunctioning in case of failure. Openswan’s mailing list is a good place to go if you cannot figure out what is wrong.

-Do not forget to port forward Port 500,4500 TCP/UDP to your L2TP VPN Server.
-Do not forget to edit your IPTABLES if you have a firewall enabled, e.g.:
> -A INPUT -p 50 -j ACCEPT
> -A INPUT -p udp -d 12.34.56.78 --dport 500 -j ACCEPT
> -A INPUT -p udp -d 12.34.56.78 --dport 4500 -j ACCEPT

nmap scan via TOR | hidemyip

9 Mar
Description

This tutorial shows how to configure the tools to do an Nmap portscan through the Tor network. This technique can be used as part of a pentest, but it can also be used by attackers. Be careful about the type of nmap scans you do, as some options send packets directly from your IP. You can add an entry to iptables to drop all outbound traffic to the destination for a particular scan. See further on for a how-to.

Pre-requisites

First ensure you have installed necessary tools:

Configuration

In the following example, we do an Nmap portscan with tortunnel via proxychains. The reason we need tortunnel is that it makes the scan faster. By default, Tor uses a minimum of 3 hops; with tortunnel we connect directly to a final exit node, which makes the scan much faster.

First install tor and configure it and install proxychains:

$ sudo apt-get install tor tor-geoipdb proxychains
$ sudo service tor status
tor is running
$ sudo vi /etc/tor/torrc
# add the line below to allow the local IP range to use the tor proxy
SocksPolicy accept 10.1.1.0/24

Also install tortunnel:

$ sudo apt-get install libboost-system1.40-dev libssl-dev
$ cd /data/src/
$ wget http://www.thoughtcrime.org/software/tortunnel/tortunnel-0.2.tar.gz
$ tar xvzf tortunnel-0.2.tar.gz
$ cd tortunnel-0.2/
$ ./configure
$ make
$ sudo make install

Then configure proxychains to work with tortunnel. Edit the configuration file:

$ sudo vim /etc/proxychains.conf

And modify it as follows:

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4         127.0.0.1 9050
socks5 127.0.0.1 9050

Find an exit node and start torproxy

We then have to find an exit node that is stable, fast and valid. Most Tor exit nodes do not support nmap scanning. You could use this:

$ curl http://128.31.0.34:9031/tor/status/all | grep --before-context=1 'Exit Fast Running V2Dir Valid' | awk '{ print $7 }' | sed '/^$/d'

to return a list of exit nodes that support nmap scanning.

Then start torproxy with the exit node you found, using the -n switch, and bind it to local port 9900:

$ torproxy -n 178.73.***.** -p 9900
torproxy 0.3 by Moxie Marlinspike.
Retrieving directory listing...
Connecting to exit node: 178.73.*.*:9001
SSL Connection to node complete.  Setting up circuit.
Connected to Exit Node.  SOCKS proxy ready on 9900.

Start scan

Warning -> Beware of the parameters you use for the scan, since some of them will disclose your IP address. More information below.

For our scan, we use Nmap with following arguments:

  • -Pn: to skip host discovery (its ICMP probes are not proxied and would disclose our IP address)
  • -sT: full Connect() scan to ensure that all packets use the Tor network.

To ensure that our IP address won’t be disclosed to the target, you can add following rule to your firewall:

$ sudo iptables -A OUTPUT --dest <target> -j DROP

Now, run Nmap as follows:

$ proxychains nmap -Pn -sT -p 80,443,21,22,23 80.14.163.161
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-02-09 22:40 CET
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:23-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:22-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:443-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:80-<><>-OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:21-<--timeout
Nmap scan report for LMontsouris-156-25-20-161.w80-14.abo.wanadoo.fr (80.14.163.161)
Host is up (13s latency).
PORT    STATE  SERVICE
21/tcp  closed ftp
22/tcp  closed ssh
23/tcp  closed telnet
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 60.86 seconds

Nmap results and tcpdump traces

Nmap results – without tor

$ nmap -Pn -sT 74.50.**.***

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-02-11 05:21 CET
Nmap scan report for 74.50.**.***
Host is up (0.16s latency).
Not shown: 992 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
10000/tcp open     snet-sensor-mgmt
20000/tcp open     dnp

Nmap done: 1 IP address (1 host up) scanned in 23.38 seconds

tcpdump traces – without tor
Our IP address is disclosed, as shown on the following extract:

$ tcpdump -nS -c 10 -r scan-without-tor.cap "host 80.14.163.161"
reading from file scan-without-tor.cap, link-type EN10MB (Ethernet)
05:21:58.052164 IP 80.14.163.161.51027 > 74.50.**.***.21: Flags [S], seq 3307142116, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.052249 IP 74.50.**.***.21 > 80.14.163.161.51027: Flags [R.], seq 0, ack 3307142117, win 0, length 0
05:21:58.053041 IP 80.14.163.161.46436 > 74.50.**.***.3389: Flags [S], seq 3300984040, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.053058 IP 74.50.**.***.3389 > 80.14.163.161.46436: Flags [R.], seq 0, ack 3300984041, win 0, length 0
05:21:58.054538 IP 80.14.163.161.46034 > 74.50.**.***.80: Flags [S], seq 3299162143, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.054567 IP 74.50.**.***.80 > 80.14.163.161.46034: Flags [S.], seq 2576119236, ack 3299162144, win 5792, options [mss 1460,sackOK,TS val 2639903416 ecr 148568,nop,wscale 5], length 0
05:21:58.055538 IP 80.14.163.161.60357 > 74.50.**.***.8080: Flags [S], seq 3303516262, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.055552 IP 74.50.**.***.8080 > 80.14.163.161.60357: Flags [R.], seq 0, ack 3303516263, win 0, length 0
05:21:58.057287 IP 80.14.163.161.43407 > 74.50.**.***.22: Flags [S], seq 3301543264, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.057303 IP 74.50.**.***.22 > 80.14.163.161.43407: Flags [S.], seq 2572644408, ack 3301543265, win 5792, options [mss 1460,sackOK,TS val 2639903416 ecr 148568,nop,wscale 5], length 0
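The extract above is also what the target's administrator sees: one source address sending bare SYNs to one port after another. The following added example (not from the original post, Nmap or tcpdump) turns that observation into detection logic over tcpdump -n text: it parses each TCP line, collects the distinct destination ports each source probed with a SYN that carried no ACK, and reports the sources above a threshold. SAMPLE_LINES are the packets from the capture above, with the masked target address kept as printed; the min_ports threshold is an assumption of this example, not a tcpdump or Nmap setting.

```python
"""Flag port-scan behaviour in tcpdump -n output: the defender's view of the trace above.

Added example, not from the original post, Nmap or tcpdump. SAMPLE_LINES are the
packets shown in the capture above (target address masked as printed there); the
min_ports threshold is an assumption of this example.
"""
import re
from collections import defaultdict

# "host.port > host.port: Flags [..]" is the shape tcpdump -n uses for TCP segments.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

SAMPLE_LINES = """reading from file scan-without-tor.cap, link-type EN10MB (Ethernet)
05:21:58.052164 IP 80.14.163.161.51027 > 74.50.**.***.21: Flags [S], seq 3307142116, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.052249 IP 74.50.**.***.21 > 80.14.163.161.51027: Flags [R.], seq 0, ack 3307142117, win 0, length 0
05:21:58.053041 IP 80.14.163.161.46436 > 74.50.**.***.3389: Flags [S], seq 3300984040, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.053058 IP 74.50.**.***.3389 > 80.14.163.161.46436: Flags [R.], seq 0, ack 3300984041, win 0, length 0
05:21:58.054538 IP 80.14.163.161.46034 > 74.50.**.***.80: Flags [S], seq 3299162143, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.054567 IP 74.50.**.***.80 > 80.14.163.161.46034: Flags [S.], seq 2576119236, ack 3299162144, win 5792, options [mss 1460,sackOK,TS val 2639903416 ecr 148568,nop,wscale 5], length 0
05:21:58.055538 IP 80.14.163.161.60357 > 74.50.**.***.8080: Flags [S], seq 3303516262, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.055552 IP 74.50.**.***.8080 > 80.14.163.161.60357: Flags [R.], seq 0, ack 3303516263, win 0, length 0
05:21:58.057287 IP 80.14.163.161.43407 > 74.50.**.***.22: Flags [S], seq 3301543264, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.057303 IP 74.50.**.***.22 > 80.14.163.161.43407: Flags [S.], seq 2572644408, ack 3301543265, win 5792, options [mss 1460,sackOK,TS val 2639903416 ecr 148568,nop,wscale 5], length 0
""".splitlines()


def parse_line(line):
    """Return the fields of one TCP line, or None for headers and non-TCP lines."""
    match = TCPDUMP_RE.match(line)
    if match is None:
        return None
    pkt = match.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt


def syn_ports_by_source(lines):
    """Map each source IP to the distinct destination ports it sent a bare SYN to.
    'S' alone is a new connection attempt; 'S.' and 'R.' are the target's replies."""
    ports = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None and pkt["flags"] == "S":
            ports[pkt["src"]].add(pkt["dport"])
    return dict(ports)


def suspected_scanners(lines, min_ports=5):
    """Sources that probed at least min_ports distinct ports (threshold is an assumption)."""
    return sorted(src for src, probed in syn_ports_by_source(lines).items()
                  if len(probed) >= min_ports)


if __name__ == "__main__":
    for src, probed in syn_ports_by_source(SAMPLE_LINES).items():
        print(src, sorted(probed))
    print("suspected scanners:", suspected_scanners(SAMPLE_LINES))
```

A real detector would bound the count by a time window and keep an allow-list for hosts that are expected to scan; here the whole extract is treated as one window.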

Nmap results – with tor

$ proxychains nmap -Pn -sT 74.50.**.***
(...TRUNCATED...)
Nmap scan report for 74.50.**.***
Host is up (0.35s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
10000/tcp open  snet-sensor-mgmt
20000/tcp open  dnp

Nmap done: 1 IP address (1 host up) scanned in 420.35 seconds

tcpdump traces – with tor
Our IP address is not disclosed, as shown on the following extract:

$ tcpdump -nS -c 10 -r scan-with-tor.cap "host 80.14.163.161"
reading from file scan-with-tor.cap, link-type EN10MB (Ethernet)

Conclusions

The results of the scans show that Tor makes it possible to run an Nmap portscan without disclosing our IP address. Nevertheless, there are some limitations:

  • Our scan must use the full Connect() handshake
  • It is much slower than a normal scan (420 seconds with Tor against 23 seconds without Tor), even though we only used one exit node.
  • The anonymity of the second scan remains relative. Since we only use one node, that node could disclose our identity.

Shoutout to http://www.aldeid.com/ for this post

The Command Line Challenge

7 Mar

When I started using Linux I avoided the command line as much as possible. Then I started realizing that the command line is in fact very useful. Then I started digging into what you can actually do on the command line and I never stopped learning ever since. But I had a problem. I found it difficult to learn commands when you actually have GUI applications that replace them. It’s hard to get into the environment and become proficient if you only do some tasks on the command line. Back then you had to use it for some things, but distros like Ubuntu have the unofficial goal of preventing the user from going to the command line. I knew that if I really wanted to master the art of the command line I would have to make it my only environment. So I created the Command Line Challenge.

The idea is simple: Use only the command line for a period of time. If you think of this like a game, the levels would be:

  • Easy: 1 day.
  • Medium: 1 week.
  • Hard: 1 month.
  • Ultimate Geek: 6 months.

I started with the easy level just to realize it’s possible to do it for at least one week. In order to have a working command line environment for everyday use, you may have to install the following software.

Browsers

I used both lynx and elinks. lynx has more options and is more powerful in general, but elinks has a better rendering and looks. elinks is not able to log into Facebook (a feature rather than a bug maybe?)

Text Editing.

Vim. That’s pretty much everything you need. Actually if you use emacs with lots of plugins to do a lot of stuff you’re probably ready to take the challenge. I recommend Vim because I use it every day. If by using only a text editor you’re able to learn to develop without an IDE you get bonus points.

Email.

If you’re not using mutt right now then you’re missing a lot. mutt is fast, highly configurable and runs on our command line. There’s a mutt challenge too; that challenge is about whether mutt is able to do everything that you can do in Gmail, but that’s a topic for another post. I find mutt even more powerful. Here’s a guide to keep mutt synchronized with your Gmail account.

Music

Frankly, I’m surprised that there are plenty of options to listen to music on the console. I guess sysadmins love music too. My favorite choice is cmus. It has vim-like key bindings so it just feels natural if you’re used to mutt or vim. There are plenty of other options like moc or mp3blaster, but if you live the vimian way of life like me, stick with cmus. You can also use mpd, a nice daemon that plays music, especially useful if you want a music streaming solution. You can control it via vimpc.

Chat

Laughing in front of a black screen because somebody told you a joke makes the people around you think you’re some kind of psycho, but chatting is well supported in our powerful consoles. You can use irssi to chat in IRC channels, but that’s not all: you can download bitlbee to tunnel different IM protocols to IRC, so you can have all your conversations centralized in an IRC way. If you don’t like that approach you can use finch, an ncurses version of the popular pidgin.

Pictures.

Yes. You can see pictures on the command line without a graphical interface. How? Directly from caca labs, comes libcaca! A graphics library that outputs text instead of pixels, so that it can work on older video cards or text terminals. Be sure to check in your distribution because in Arch the package is called libcaca but all the binaries you need to see pictures (cacaview) come in that package too.

Videos.

Videos are just pictures passing by really fast, so videos are also possible. For that you’ll need the fantastic mplayer or vlc. You need to tell mplayer to use the caca video output driver, like this:

mplayer -vo caca video

With vlc you can use the nvlc to use vlc in a nice ncurses interface. What’s the quality of these videos? Well you can’t ask much, but for anime or cartoons the videos are actually fairly good.

File manager.

Just because you’re on the command line, that doesn’t have to stop you from using a file manager. Lots of people use midnight commander even in a graphical environment. I prefer to use a more vim-friendly approach. I like ranger because I already know all the key bindings that I need. I like it so much it’s my default file manager (shame on you nautilus).

Tmux

Tmux is a terminal multiplexer. What does that mean? In simple terms it is like a window manager for your terminal. You can have tabs, split windows and a nice status bar among other things. My life is not the same after I met tmux. There’s an excellent tutorial and a book about how you can improve your productivity with tmux.

These are just options so you can dive into the command line directly without it being a terribly painful experience. The true art of the command line is to learn bash, how to write scripts to avoid repetition and, more importantly, to understand that in UNIX a word is worth more than one hundred clicks. Have a cheatsheet with you with all the basic commands and remember that man is your friend.

I recommend you go and have a look at Matt Might’s blog. He posted some really interesting articles about what you can do with a UNIX command line. I especially recommend this one.

So, challenge accepted?

Update: Also, if you use Twitter I recommend bti and tyrs. If you think you need to learn the basics before diving in I recommend linuxcommandline.org; I believe there’s a new book about it.