i love rpms…

[image: notiprego.png]

network testing with nmap

I have been involved in a penetration test lately. I find this kind of activity very creative and fun, although it's anything but easy.

Whenever I do such a thing, I have the following impressions:

  • I am practicing an exorcism: I never know what the next thing I'll find will be, nor how the assets (which are, by all means, my 'enemies' in this context) will answer
  • I always feel like I am learning new tools, technologies and tricks
  • I always run into one terrible problem: presenting the results. I mean, going to someone and telling him "hey, these are your dork-ities". Unfortunately, you have to say that to whoever is paying you!

This time I learned how to use a powerful mix of tools:

  • nmap
  • amap
  • xsltproc

Together they help with the basic pentest tasks, port scanning and banner grabbing, in a very elegant way.

First thing: scan the host with nmap. In this example, we'll work with a host in my internal network, whose IP is 192.168.2.100. First, we would like to understand which ports are open on this host. As anticipated, nmap is the solution. Run a command such as:

nmap -T Insane  -vvv  -p0-65335 -PB -sS -oA TCP-nmap-full \
-PN -n 192.168.2.100  --packet-trace

Just to translate the options:

  • -T Insane: I am not trying to evade an Intrusion Detection/Prevention System, nor do I care about the traffic on my network, so I can run this probe at a fast pace without worries.
  • -vvv: verbosity level. Very very verbose :)
  • -p0-65335: ports to scan. Note that this range stops 200 ports short of the maximum, 65535; the "Raw packets sent: 65336" line below confirms that exactly 65336 ports were probed.
  • -sS: TCP SYN scan. The most basic version; we don't need much more.
  • -PN: skips host discovery, i.e. no ping before scanning, as I know the host is up and running.
  • --packet-trace: not functional for the probe; it just lets you see what happens by displaying the packet flow.
  • -oA: lets us define the base filename for the output, which is written in all three formats. We are going to use the .xml one for our purposes.
  • -n: prevents nmap from doing DNS resolution.

Some 94 seconds later, nmap gives us back this output:

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 93.994 seconds
Raw packets sent: 65336 (2.875MB) | Rcvd: 130675 (5.488MB)

This is not yet what we are aiming for, but it does show that one packet was sent per port (65336 raw packets for 65336 ports).

The interesting part of the output, on the other hand, was:

PORT    STATE SERVICE
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Now we know which TCP ports are open on this machine. It's not over yet: we want the same report for the UDP protocol. The idea behind building nmap commands was given above, so we'll leave that exercise to the reader.

Another aspect worth exploring is OS and service discovery. We'll do it with nmap, once again:

nmap -T Insane  -sV -vvv  -p80-445 -O --packet-trace -oA \
OSServs -PN 192.168.2.100

(here, -O asks for operating system detection, and -sV probes the services' versions).

The output of these commands is not only on my terminal, as I dumped everything to files:

gbiondo@Gaia:~/gbiondo.org$ ls
OSServs.gnmap  report-nmap-full.gnmap  UDP-nmap-full.gnmap
OSServs.nmap   report-nmap-full.nmap   UDP-nmap-full.nmap
OSServs.xml    report-nmap-full.xml    UDP-nmap-full.xml

We are going to use the .xml files and convert them into nifty HTML pages. Here I read some interesting hints; chiefly, the XML output needs a reachable stylesheet in order to be rendered as an HTML file. The link given above explains properly how to change the files. Here we'll just report the changes:

substitute

<?xml-stylesheet href="/usr/share/nmap/nmap.xsl" type="text/xsl"?>

with

<?xml-stylesheet href="http://nmap.org/data/nmap.xsl" type="text/xsl"?>

in all XML files.

A simple

xsltproc report-nmap-full.xml > report-nmap-full.html
xsltproc OSServs.xml > OSServs.html

will translate the original files into HTML, according to the stylesheet defined above. Keep in mind that pointing the href at nmap.org means xsltproc fetches the stylesheet over the network at conversion time, so the machine doing the conversion needs outbound access (nmap's --webxml option writes that remote href for you, saving the manual edit). Stylesheets can also be customized; thus, if you need to run this kind of network mapping often, or if you work in the IT security industry, you may want to customize the stylesheets with your company's look and feel.
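As an added example (not from the original post), here is a Python script that automates the two steps above: it rewrites the xml-stylesheet href and pulls the open ports out of the XML, so the same report can feed a spreadsheet or a ticket instead of only an HTML page. The XML is a constructed, trimmed sample mirroring the scan above (ports 80, 139 and 445 open, plus one closed port to show filtering); the product and version attributes are what -sV fills in and are constructed to match the Apache banner seen later.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed nmap .xml report for the host scanned above
# (real files carry many more attributes; only what we parse is kept).
NMAP_XML = """<?xml version="1.0"?>
<?xml-stylesheet href="/usr/share/nmap/nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p80-445 192.168.2.100">
<host><status state="up"/><address addr="192.168.2.100" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="2.2.8"/></port>
<port protocol="tcp" portid="139"><state state="open"/>
<service name="netbios-ssn"/></port>
<port protocol="tcp" portid="443"><state state="closed"/>
<service name="https"/></port>
<port protocol="tcp" portid="445"><state state="open"/>
<service name="microsoft-ds"/></port>
</ports></host></nmaprun>
"""

LOCAL_XSL = "/usr/share/nmap/nmap.xsl"
REMOTE_XSL = "http://nmap.org/data/nmap.xsl"

def fix_stylesheet(xml_text, href=REMOTE_XSL):
    """Rewrite the xml-stylesheet href, automating the manual edit above."""
    return re.sub(r'(<\?xml-stylesheet\s+href=")[^"]*(")',
                  lambda m: m.group(1) + href + m.group(2), xml_text, count=1)

def open_ports(xml_text):
    """Return (port, proto, service, product, version) for each open port."""
    root = ET.fromstring(xml_text)
    found = []
    for port in root.iter("port"):
        if port.find("state").get("state") != "open":
            continue          # closed/filtered ports are not findings
        svc = port.find("service")
        attrs = svc.attrib if svc is not None else {}
        found.append((int(port.get("portid")), port.get("protocol"),
                      attrs.get("name", ""), attrs.get("product", ""),
                      attrs.get("version", "")))
    return found

if __name__ == "__main__":
    print(fix_stylesheet(NMAP_XML).splitlines()[1])   # the rewritten PI
    for entry in open_ports(NMAP_XML):
        print("%d/%s %s %s %s" % entry)
```

The rewritten text can be written back over the .xml file before running xsltproc; open_ports() works on the original or the rewritten text alike.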

Here’s a sample of the output:

[screenshot: nmap-screenshot.png]

I also promised some banner grabbing detail. I am going to use amap, which is a wonderful banner grabber from THC (The Hacker's Choice). You can get more information here; it is a site I strongly suggest visiting.

We want to grab banners on 192.168.2.100, on TCP ports 80, 139 and 445. First, let's update amap's signatures:

amap -W

Basically, this command connects to THC's database and downloads the banner signatures, just like an antivirus does with virus signatures.

The most basic usage of amap is amap <target> <ports>. Let’s try it.

amap 192.168.2.100 80
amap v5.2 finished at 2009-05-31 10:28:33
root@Gaia:/home/gbiondo/gbiondo.org# amap 192.168.2.100 80
amap v5.2 (www.thc.org/thc-amap) started at 2009-05-31 10:28:50 - MAPPING mode

Protocol on 192.168.2.100:80/tcp matches http
Protocol on 192.168.2.100:80/tcp matches http-apache-2
Protocol on 192.168.2.100:80/tcp matches webmin

Unidentified ports: none.
root@Gaia:/home/gbiondo/gbiondo.org# amap 192.168.2.100 139
amap v5.2 (www.thc.org/thc-amap) started at 2009-05-31 10:29:48 - MAPPING mode

Protocol on 192.168.2.100:139/tcp matches netbios-session

Unidentified ports: none.
root@Gaia:/home/gbiondo/gbiondo.org# amap 192.168.2.100 445
amap v5.2 (www.thc.org/thc-amap) started at 2009-05-31 10:30:01 - MAPPING mode

Protocol on 192.168.2.100:445/tcp matches netbios-session

Unidentified ports: none.

This is amap's default mode (the -A switch): it works by sending triggers and analyzing the responses.

This is good for a pentester, but it doesn't supply any evidence. A better result, in terms of evidence, can be achieved with a pure banner grab (-B) or a hex dump (-d), with a command like:

amap -A -d -o output.amap 192.168.2.100 80

The output is very descriptive. Unfortunately, WordPress doesn't allow me to upload a text file, so I'll paste a sample of the output below:

amap v5.2 (www.thc.org/thc-amap) started at 2009-05-31 10:35:32 - MAPPING mode
Protocol on 192.168.2.100:80/tcp matches http
Identified response from 192.168.2.100:80/tcp (by trigger http):
0000:  4854 5450 2f31 2e31 2032 3030 204f 4b0d    [ HTTP/1.1 200 OK. ]
0010:  0a44 6174 653a 2053 756e 2c20 3331 204d    [ .Date: Sun, 31 M ]
0020:  6179 2032 3030 3920 3038 3a33 353a 3332    [ ay 2009 08:35:32 ]
0030:  2047 4d54 0d0a 5365 7276 6572 3a20 4170    [  GMT..Server: Ap ]
0040:  6163 6865 2f32 2e32 2e38 2028 5562 756e    [ ache/2.2.8 (Ubun ]
0050:  7475 2920 5048 502f 352e 322e 342d 3275    [ tu) PHP/5.2.4-2u ]
0060:  6275 6e74 7535 2e36 2077 6974 6820 5375    [ buntu5.6 with Su ]
0070:  686f 7369 6e2d 5061 7463 680d 0a4c 6173    [ hosin-Patch..Las ]
0080:  742d 4d6f 6469 6669 6564 3a20 5375 6e2c    [ t-Modified: Sun, ]
0090:  2032 3120 5365 7020 3230 3038 2030 393a    [  21 Sep 2008 09: ]
00a0:  3034 3a34 3920 474d 540d 0a45 5461 673a    [ 04:49 GMT..ETag: ]
00b0:  2022 3938 3964 632d 3264 2d34 3537 3634    [  "989dc-2d-45764 ]
00c0:  3361 3062 3265 3430 220d 0a41 6363 6570    [ 3a0b2e40"..Accep ]
00d0:  742d 5261 6e67 6573 3a20 6279 7465 730d    [ t-Ranges: bytes. ]
00e0:  0a43 6f6e 7465 6e74 2d4c 656e 6774 683a    [ .Content-Length: ]
00f0:  2034 350d 0a43 6f6e 6e65 6374 696f 6e3a    [  45..Connection: ]
0100:  2063 6c6f 7365 0d0a 436f 6e74 656e 742d    [  close..Content- ]
0110:  5479 7065 3a20 7465 7874 2f68 746d 6c0d    [ Type: text/html. ]
0120:  0a0d 0a3c 6874 6d6c 3e3c 626f 6479 3e3c    [ ...<html><body>< ]
0130:  6831 3e49 7420 776f 726b 7321 3c2f 6831    [ h1>It works!</h1 ]
0140:  3e3c 2f62 6f64 793e 3c2f 6874 6d6c 3e0a    [ ></body></html>. ]
Protocol on 192.168.2.100:80/tcp matches http-apache-2

Good job, isn't it? It's the Apache default page (which tells me my machine was very poorly configured, but let it pass). Note that the Server header gives away the exact Apache and PHP versions: that is precisely the kind of evidence a report should quote.
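The hex dump is the evidence, so here is an added Python example (not part of the original post) that turns those amap -d lines back into the raw HTTP response and extracts the Server header and the product/version pairs it discloses, so the report can cite exact versions. The input is the first eight lines of the dump above embedded as a constant; a dump cut mid-header, as this one is, is handled by dropping the incomplete fragment.

```python
import re

# Constructed input: the first eight hex-dump lines of the amap -d run above.
AMAP_DUMP = """\
0000:  4854 5450 2f31 2e31 2032 3030 204f 4b0d    [ HTTP/1.1 200 OK. ]
0010:  0a44 6174 653a 2053 756e 2c20 3331 204d    [ .Date: Sun, 31 M ]
0020:  6179 2032 3030 3920 3038 3a33 353a 3332    [ ay 2009 08:35:32 ]
0030:  2047 4d54 0d0a 5365 7276 6572 3a20 4170    [  GMT..Server: Ap ]
0040:  6163 6865 2f32 2e32 2e38 2028 5562 756e    [ ache/2.2.8 (Ubun ]
0050:  7475 2920 5048 502f 352e 322e 342d 3275    [ tu) PHP/5.2.4-2u ]
0060:  6275 6e74 7535 2e36 2077 6974 6820 5375    [ buntu5.6 with Su ]
0070:  686f 7369 6e2d 5061 7463 680d 0a4c 6173    [ hosin-Patch..Las ]
"""

HEX_LINE = re.compile(r"^[0-9a-fA-F]{4}:\s+([0-9a-fA-F ]+?)\s+\[")
PRODUCT = re.compile(r"([A-Za-z][\w-]*)/([\w.-]+)")

def dump_to_bytes(dump):
    """Rebuild the raw response from the hex columns (the ASCII column is
    lossy: non-printable bytes are shown as '.')."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)

def parse_http_banner(raw):
    """Split an HTTP response into status line, complete headers and body.
    Without a blank line the dump is truncated, so the last fragment goes."""
    text = raw.decode("latin-1")
    head, sep, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not sep:
        lines = lines[:-1]          # fragment without CRLF: incomplete header
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}

def software_versions(server_header):
    """(product, version) pairs from a Server header, ready for an inventory."""
    return PRODUCT.findall(server_header)

if __name__ == "__main__":
    banner = parse_http_banner(dump_to_bytes(AMAP_DUMP))
    print(banner["status"], software_versions(banner["headers"]["Server"]))
```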

Finally: these tools are very flexible and lend themselves well to scripting. Here I gave only the basics; should you want to discuss some aspect, feel free to drop a comment below.

How to survive FB

From a friend’s note:

If you’re a person who likes to control what’s on their network, get Adblock Plus (FOSS) for your browser and use the following filters as a minimum precaution:

http*://static.ak.fbcdn.net/rsrc.php/*/*/*/*/*/css/feed/socialads.css
http*://static.ak.fbcdn.net/images/icons/ads*
http*://www.facebook.com/ac.php?i=*
http*://www.facebook.com/swf/SoundPlayer.swf
http*://creative.ak.facebook.com/ads*/*
http*://static.ak.fbcdn.net/images/ads_feedback/*
http*://*.channel26.facebook.com/*
http*://www.facebook.com/ads/*
http*://ads.*.facebook.com/*

Facebook loves to generate network traffic as well. If you have Firefox, type about:config in the address bar and change/add the following:

accessibility.blockautorefresh true
noscript.forbidMetaRefresh true

eat your own dog food

I never thought I would need to apply all the skills I have built over these years in IT forensics to a real case in which I was involved, but…

… but so it seems. To keep things very short, I am the victim of a stalker, a former girlfriend who has been ruining my life since 2006. Let me say fuckin' hell, and excuse my French.

I never wanted to report anyone, but this thing has somehow gone too far: this person is constantly calling and menacing me, invading my privacy, calling me over three hundred times in a night, eavesdropping on my communications, invading my spaces, even my cyberspaces. Even stalking this website.

Now, fortunately this person left tons of proof and evidence, such as SMS, emails and so on. This evidence has to be gathered and classified (hmmpfff, what nasty stuff). I will report on these pages how I did the whole thing.

'Til then… I'd say "take care", but unfortunately the only one who needs to take care is, without any doubt, myself.

Announcement

Next Sunday (2009-02-22), I am going to hold an open bootcamp course on:

  • wifi and wardriving
  • port scanning with nmap

If you’re interested, please, feel free to drop a comment and/or send me an email.

update

I am currently about to close a project within DHL/DGF that has involved me from the very beginning. Nothing too complex, but it's a lot of fun and I am happy :) I have been working with one of the best project managers I have ever been in touch with.



I finished a review of the contents of a book on Capacity Planning for an ITIL committee. It was good fun. I will receive another version (for acceptance) somewhere between March and April. It's an interesting thing: though I may not agree totally with the author, I should admit it is quite aligned with my style.



Traveling: all this travelling has really fulfilled me. I have met wonderful people from all over old Europe, and, you know what? It feels nice to feel European. Hard to explain, but moving from a Latin culture to a Teutonic one, then meeting several people from all over, enriches you in the long run. I am happy I left Milan, and I am happy I met all the people I met. Even the jerks :)

Fate…

Now that I have resigned from DHL, I have been involved in a DHL Global project as a security policy developer.

Instead of regretting leaving, I want to see it like this: I have had enough satisfaction in that role. Probably I have used all my skills, and I need to build more to reach new goals.

I should look back more often…

jan 2009 hot/not

HOTs

  1. Quit smoking
  2. Autonomy - www.autonomy.com
  3. Blackballer - www.killermobile.com
  4. Resigned from DHL, joined Trust In People
  5. Jan/Feb hakin9 issue

NOTs

  1. Cold turkey crises from nicotine
  2. Leaving DHL
  3. Shit happening in Gaza
  4. Facebook
  5. Tortuga, by V. Evangelisti

Mobile Freedom

Like most people, I have more than one phone. Generally speaking, I tend to switch off my work phone during weekends, my private phone during working hours, and so on. Unfortunately, I need a third phone for other kinds of business (i.e. my freelance activities).

For several reasons, it sometimes happens that someone has more than one of your numbers; this, along with the fact that many people don't respect others, leads to the need to "switch people off" while keeping the phone switched on.

Even worse: I hate it when someone calls me hiding their number. I tend not to answer, as I find that very rude.

I have asked myself several times how come mobile phone vendors didn't include a filtering feature in the firmware. At the beginning, I used to assign a mute ringtone to "switchable-off" people. It didn't work against SMS, though. After being brought to the edge of a nervous breakdown, yesterday I discovered this software, which really helps! Basically, it blocks every communication attempt from a chosen contact, or from people you don't have in your contact list.

I now have a Nokia N96, and Blackballer integrates quite directly with the phone. The installation is a very straightforward process, and the customization/setup is fairly easy. You can choose either a contact or a group of contacts and 'switch them off' very easily.

Now I can enjoy my phone, blocking unwanted calls. Brilliant….

First 2009 “serious” post

So, I haven't been writing here for quite a while. I tried to save some time to do it, but I have been way too busy lately.

I am reviewing a book for the ITSM library about Capacity Planning. It's been a pleasant surprise to be involved in such a project; I didn't expect something like that to happen. Anyway, that's it. I should deliver this thing by the 12th of February, so a very generous deadline. It's good fun.

My work at DHL is business as usual. I have been transitioned to an internal organization called DGF, whose projects have a broader scope (chiefly, it's a matter of designing worldwide solutions). I spent a couple of days in Prague lately. "I came, I solved, I went": it's kind of a nice feeling, I like being the deus ex machina. I am going back there in two or three weeks' time.

Other ongoing activities: I am trying to write some notes on Fault Trees and Markov Models. I hate the fact that I have almost no time to do this; days are way too short. Especially when people pop up and steal your precious time for the sake of talking about the same old stuff… should I consider hermitage??

Hope to write here more often…