Nmap For The Network Engineer: Part 2

Host Discovery with Nmap

Nmap has a number of great options for host discovery. The big thing to remember is that Nmap will always attempt to discover live hosts before port scanning and will only port scan the hosts it detects. If all you want is a simple network sweep you have to use the -sn argument to disable port scanning, even if you specify other discovery methods; without -sn Nmap will discover targets using whatever method you specified and then port scan them on top of that. Conversely, the -Pn argument skips discovery entirely: Nmap will scan every target even if it does not respond to any of the host discovery probes. Beyond that, when run with root privileges Nmap will always use ARP as its default method for discovering hosts on the same Ethernet subnet, even if you specify other -P options (add --send-ip or --disable-arp-ping if you really do not want that). The default for hosts on remote subnets is a combination of probes, to increase the odds of successful discovery: an ICMP echo request, an ICMP timestamp request, a TCP SYN to port 443 and a TCP ACK to port 80. One last thing: if Nmap is called without root / system privileges it cannot send raw packets, so for remote hosts it falls back to attempting a full TCP three-way handshake (connect()) against ports 80 and 443.

Here is a miniature cheat sheet I drew up specifically for host discovery. I will eventually draw up something similar for all the major scanning options and combine them into a single cheat sheet but for now enjoy this one.

Below I included some sample outputs, the associated tcpdump, and a short description of each argument.

The -sn argument (the old -sP) tells Nmap to disable port scanning, so you get only a host discovery sweep. When -sn is used without any other -P options it sends the same default discovery probes described above (ICMP echo request, ICMP timestamp request, TCP SYN to 443 and TCP ACK to 80, or just ARP requests on the local subnet) and stops there.

The -PS[portlist] argument tests whether a host is alive using a TCP SYN packet. If you add a port list (no space, e.g. -PS22,80,443 or -PS1-1024) Nmap sends a SYN to each of those ports; otherwise it defaults to port 80. Either a SYN/ACK or a RST reply marks the host as up.

Using -PA[portlist] sends a TCP ACK for host discovery. Again, adding a port list tells Nmap which ports to ACK; if omitted it defaults to 80. A live host answers an unexpected ACK with a RST, and since stateless packet filters often let ACKs through where SYNs are dropped, combining -PS and -PA raises your odds of getting past a firewall.

Using -PE results only in a standard ICMP echo request, the classic ping.

The -PP argument sends ICMP timestamp requests, which some hosts answer even where echo requests are filtered.

With -PM Nmap sends ICMP address mask requests.

When using -PR Nmap will only use ARP requests. On a local Ethernet segment this is what Nmap does by default anyway, and it is both faster and more reliable there than IP-based probes because every host must answer ARP in order to communicate at all.

The -PO[protocol list] option gives some interesting choices. It sends raw IP packets with the given protocol numbers (by default 1, 2 and 4, i.e. ICMP, IGMP and IP-in-IP) and treats either a reply using that protocol or an ICMP protocol unreachable as proof the host is alive. Wikipedia has a pretty good list of the IP protocol numbers (http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers)
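As an added example (not code from the original post), the following Python script assembles a discovery-only command line from the options above and parses Nmap's grepable output (-oG) into a list of live hosts. The sample output embedded in it is constructed for the example; run_discovery() is the only function that actually invokes nmap, and it needs root for the raw SYN/ACK/ICMP probes.

```python
"""Build an Nmap host-discovery command line and parse its -oG output.

Added example, not from the original post. SAMPLE_OUTPUT is constructed;
only run_discovery() touches the network (it shells out to nmap).
"""
import re
import shlex
import subprocess


def discovery_argv(targets, syn_ports="22,80,443", ack_ports="80",
                   icmp=True, protocols=None):
    """argv for a discovery-only sweep (-sn: no port scan).

    Each probe type is independent: a host is reported Up if any of them
    gets a reply, so combining several raises the odds against a firewall.
    Raw SYN/ACK/ICMP/IP-protocol probes require root.
    """
    argv = ["nmap", "-sn"]
    if syn_ports:
        argv.append(f"-PS{syn_ports}")      # TCP SYN ping, no space before list
    if ack_ports:
        argv.append(f"-PA{ack_ports}")      # TCP ACK ping
    if icmp:
        argv += ["-PE", "-PP"]              # ICMP echo + timestamp
    if protocols:
        argv.append("-PO" + ",".join(str(p) for p in protocols))  # IP protocol ping
    argv += ["-oG", "-"]                    # grepable output on stdout
    argv += list(targets)
    return argv


# One grepable line per host: "Host: <ip> (<name>)<TAB>Status: <Up|Down>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_grepable(text):
    """Return [(ip, hostname, status), ...]; hostname is '' without rDNS."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2), m.group(3)))
    return hosts


def live_hosts(text):
    return [ip for ip, _, status in parse_grepable(text) if status == "Up"]


def run_discovery(targets, **options):
    """Actually run nmap (needs root for raw probes) and return live IPs."""
    argv = discovery_argv(targets, **options)
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return live_hosts(proc.stdout)


# Constructed sample of what `nmap -sn ... -oG -` prints for a /29.
SAMPLE_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sn -PS22,80,443 -PA80 -PE -PP -oG - 192.168.1.0/29
Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.3 ()\tStatus: Up
Host: 192.168.1.5 (printer.lan)\tStatus: Up
# Nmap done at Mon Jan  1 12:00:03 2024 -- 8 IP addresses (3 hosts up) scanned in 3.07 seconds
"""

if __name__ == "__main__":
    print(shlex.join(discovery_argv(["192.168.1.0/29"])))
    print(live_hosts(SAMPLE_OUTPUT))
```

Because every -P option adds an independent probe, the argv builder simply appends them; swap the port lists for the services your environment actually runs, since a SYN to a port a host listens on is the single most reliable probe when ICMP is blocked.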


Annoying P2V problem

Just fixed an annoying problem with a P2V of a Windows 7 laptop. VMware Converter would throw the error "FAILED: Unable to find the system volume, reconfiguration is not possible" during the reconfiguration phase and bomb out at 98% completion. If you tried to boot the VM anyway you would get a BSOD with STOP error 0x7B (INACCESSIBLE_BOOT_DEVICE).

After a bit of Google-Fu I found the following steps repaired the VM to the point where the Converter could properly run the reconfiguration on it.

1. Boot the VM from a Windows 7 ISO and select the "Repair your computer" option
2. Open a command prompt and run the following commands (first confirm the drive letter of the Windows volume from the recovery prompt, e.g. with dir or diskpart; the recovery environment does not always map it to C:)
     bootrec.exe /fixmbr
     bootsect.exe /nt60 all /force
     attrib -h -s C:\boot\BCD
     del C:\boot\BCD
     bootrec.exe /rebuildbcd
3. Shut down the VM
4. Open the VM in the Converter and reconfigure the machine
5. The VM should now boot properly


Nmap For The Network Engineer: Part 1

Over the years Nmap has evolved from a simple port scanner into a Swiss Army knife of network scanning, with a number of tools built in including traceroute, port scanning, ping sweeps, OS fingerprinting and version scanning. Beyond that there is the Nmap Scripting Engine, which has incredible flexibility but is beyond the scope of what I am covering; maybe something for a future post.

Let's start with traceroute. Nmap's implementation of traceroute is very different from any other traceroute out there. When you start a traceroute to a remote host Nmap begins with a high TTL, its guess at the number of hops to the host, and adjusts that guess up or down based on the replies until it has the exact distance. Once that number is known Nmap decrements the TTL one hop at a time, until it gets down to the first hop or hits a router it has already discovered in an earlier trace. In short, Nmap works backwards. For a single host the distance-finding step costs a few extra probes compared to a normal trace, but in larger environments with multiple subnets and network branches it becomes substantially more efficient than traditional traceroute, since Nmap never repeats a trace over known hops. Two other differences worth knowing: Nmap's traceroute runs after the port scan, not before it, and it reuses the probe type (protocol and port) that actually got a response during the scan, so it gets through filters that drop the UDP or ICMP probes a classic traceroute relies on. It needs raw packets, so it does not work with connect scans (-sT).

Here is a little diagram outlining what it looks like visually.
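To make the "backwards with a cache" idea concrete, here is a small simulation I added; it is not Nmap's code and sends no packets. The topology, the set of targets and the starting TTL guess are constructed for the example, and real Nmap also has to cope with timeouts, silent hops and parallelism, which are left out. It counts the probes a classic forward traceroute and the backwards approach each need to trace several hosts that sit behind shared routers.

```python
"""Simulation of Nmap-style backwards traceroute with a shared hop cache.

Added illustration, not Nmap's code: no packets are sent. PATHS, the
targets and the initial TTL guess are constructed for the example.
"""

GW = "192.168.1.1"

# Constructed topology: for each target, the routers between us and it in
# order, with the target itself as the last element (list index = TTL - 1).
PATHS = {
    "10.2.0.10": [GW, "10.0.0.1", "10.1.0.1", "10.2.0.1", "10.2.0.10"],
    "10.2.0.11": [GW, "10.0.0.1", "10.1.0.1", "10.2.0.1", "10.2.0.11"],
    "10.2.0.12": [GW, "10.0.0.1", "10.1.0.1", "10.2.0.1", "10.2.0.12"],
    "10.3.0.10": [GW, "10.0.0.1", "10.1.0.1", "10.3.0.1", "10.3.0.10"],
    "10.3.0.11": [GW, "10.0.0.1", "10.1.0.1", "10.3.0.1", "10.3.0.11"],
    "10.9.0.10": [GW, "10.0.0.1", "10.9.0.1", "10.9.0.10"],
}


class Wire:
    """Stand-in for the network: probe() returns whichever node answers a
    packet sent with the given TTL, and counts every probe sent."""

    def __init__(self, paths):
        self.paths = paths
        self.probes = 0

    def probe(self, target, ttl):
        self.probes += 1
        path = self.paths[target]
        # The TTL expires at hop number `ttl` (ICMP time exceeded from that
        # router); if the TTL outlives the path, the target itself replies.
        return path[min(ttl, len(path)) - 1]


def forward_traceroute(wire, target):
    """Classic traceroute: TTL 1, 2, 3, ... until the target answers."""
    path, ttl = [], 1
    while True:
        hop = wire.probe(target, ttl)
        path.append(hop)
        if hop == target:
            return path
        ttl += 1


def backwards_traceroute(wire, target, cache, guess):
    """Nmap-style trace. `cache` maps a router to the full path from us to
    that router and is shared between targets; a trace stops as soon as it
    reaches a router that is already in it."""
    # Step 1: turn the guessed distance into the exact one.
    ttl = max(guess, 1)
    if wire.probe(target, ttl) == target:
        while ttl > 1 and wire.probe(target, ttl - 1) == target:
            ttl -= 1            # guess was too high
    else:
        ttl += 1
        while wire.probe(target, ttl) != target:
            ttl += 1            # guess was too low
    distance = ttl

    # Step 2: walk the TTL down; stop at TTL 1 or at a known router.
    discovered = {}             # ttl -> router first seen in this trace
    prefix = []                 # path below the cached hit, from the cache
    for t in range(distance - 1, 0, -1):
        hop = wire.probe(target, t)
        if hop in cache:
            prefix = cache[hop]
            break
        discovered[t] = hop

    path = prefix + [discovered[t] for t in sorted(discovered)] + [target]
    for t, hop in discovered.items():
        cache[hop] = path[:t]   # remember the way to every new router
    return path


def probe_counts(paths, guess):
    """Probes needed to trace every target in `paths`, both ways."""
    fwd = Wire(paths)
    for target in paths:
        assert forward_traceroute(fwd, target) == paths[target]
    back, cache = Wire(paths), {}
    for target in paths:
        assert backwards_traceroute(back, target, cache, guess) == paths[target]
    return {"forward": fwd.probes, "backwards": back.probes}


if __name__ == "__main__":
    print(probe_counts(PATHS, guess=4))
```

On this constructed topology the forward method needs 29 probes for the six hosts and the backwards method 23: the first host costs more (6 against 5) because of the distance search, but every further host on an already traced branch costs only the distance check plus one probe that lands on a cached router.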

I'll cover the other major functions and release a cheat sheet for common and most used switches when I get the time to write one up.


Wireless SSID Cloaking

Is wireless SSID cloaking good for security? Short answer, no. Cloaking doesn't provide any real measure of security and in some circumstances could actually negatively impact security.

Long answer. Cloaking the SSID only stops the access point from putting the name in its beacons and in probe responses to broadcast probes; it does nothing about the clients. The SSID must still be sent, in the clear, in the management frames clients use to find and join the network: probe requests and (re)association requests. Management frames are never encrypted (WEP/WPA/WPA2 encrypt only the payload of data frames, and 802.11w protects deauthentication, disassociation and some action frames, not probe or association requests), so anyone running a sniffer in monitor mode sees the SSID the moment a client probes for or associates with the "hidden" network, regardless of the cloaking setting. An attacker does not even have to wait for that: a forged deauthentication makes the client reconnect, and the SSID shows up in its association request. Ordinary data frames, on the other hand, do not carry the SSID at all, only the BSSID (the AP's MAC address); the leak is in the management traffic, and no encryption setting covers it.

This gets even dicier because in some circumstances SSID cloaking can actually be a security risk. When a profile is configured to connect to a non-broadcasting network ("Connect even if the network is not broadcasting"), Windows first cycles through the preferred network list looking for any broadcasting networks, and if none are found it sends out directed probe requests containing the SSID of the cloaked network, wherever the laptop happens to be. If an attacker is sniffing wireless they can see the SSID in those probes and then use a tool like Karma / Karmetasploit to impersonate the network and go phishing for computers set up to auto-connect.
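To show where the SSID actually travels, here is a minimal 802.11 frame parser I added (example code, not from the original post). It builds a few frames itself, constructed for the example: a beacon from an AP with cloaking turned on, a probe request and an association request from a client, and an encrypted data frame. On a real capture you would feed it the 802.11 frames from a monitor-mode pcap with the radiotap header stripped.

```python
"""Minimal 802.11 parser: which frames carry the SSID in the clear.

Added example, not from the original post. The frames at the bottom are
constructed for the example.
"""
import struct

# Management subtypes whose body carries an SSID element, mapped to the size
# of the fixed fields that precede the tagged elements.
MGMT_FIXED = {
    0: 4,    # association request: capability(2) + listen interval(2)
    2: 10,   # reassociation request: as above + current AP address(6)
    4: 0,    # probe request: tagged elements only
    5: 12,   # probe response: timestamp(8) + interval(2) + capability(2)
    8: 12,   # beacon: same fixed fields as probe response
}
SUBTYPE_NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req",
                 5: "probe-resp", 8: "beacon"}
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def element(tag, data):
    """One tagged element: ID, length, value."""
    return bytes([tag, len(data)]) + data


def frame(ftype, subtype, addr1, addr2, addr3, body=b"", flags=0):
    """Build a bare 802.11 frame: 24-byte MAC header + body."""
    fc0 = (subtype << 4) | (ftype << 2)          # protocol version 0
    header = bytes([fc0, flags]) + struct.pack("<H", 0)          # FC, duration
    header += mac(addr1) + mac(addr2) + mac(addr3) + struct.pack("<H", 0)  # seq ctrl
    return header + body


def parse_frame(raw):
    """Type/subtype, transmitter, BSSID and the SSID if the frame has one.

    ssid is None when the frame has no SSID element at all (every data and
    control frame) and "" when an AP sends a cloaked, zero-length SSID."""
    fc0 = raw[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    info = {
        "type": TYPE_NAMES.get(ftype, "reserved"),
        "subtype": SUBTYPE_NAMES.get(subtype) if ftype == 0 else subtype,
        "addr2": fmt_mac(raw[10:16]),    # transmitter address
        "addr3": fmt_mac(raw[16:22]),    # BSSID in most management frames
        "ssid": None,
    }
    if ftype != 0 or subtype not in MGMT_FIXED:
        return info                      # no SSID element in this frame type
    body = raw[24 + MGMT_FIXED[subtype]:]
    i = 0
    while i + 2 <= len(body):            # walk the tagged elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if tag == 0:                     # element ID 0 = SSID
            info["ssid"] = value.rstrip(b"\x00").decode("utf-8", "replace")
            break
        i += 2 + length
    return info


def disclosed_ssids(frames):
    """Every non-empty SSID that appears in the clear in `frames`."""
    return {p["ssid"] for p in map(parse_frame, frames) if p["ssid"]}


# Constructed traffic: an AP with SSID cloaking on, and one client.
AP, CLIENT, BCAST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
RATES = element(1, b"\x82\x84\x8b\x96")                  # supported rates

HIDDEN_BEACON = frame(0, 8, BCAST, AP, AP, bytes(12) + element(0, b"") + RATES)
PROBE_REQ = frame(0, 4, BCAST, CLIENT, BCAST, element(0, b"CorpWiFi") + RATES)
ASSOC_REQ = frame(0, 0, AP, CLIENT, AP, bytes(4) + element(0, b"CorpWiFi") + RATES)
# Encrypted data frame (flags: to-DS + protected); payload is opaque.
DATA_FRAME = frame(2, 0, AP, CLIENT, AP, bytes(8) + b"\xde\xad\xbe\xef", flags=0x41)

if __name__ == "__main__":
    for f in (HIDDEN_BEACON, PROBE_REQ, ASSOC_REQ, DATA_FRAME):
        print(parse_frame(f))
    print(disclosed_ssids([HIDDEN_BEACON, DATA_FRAME]))
    print(disclosed_ssids([HIDDEN_BEACON, PROBE_REQ, ASSOC_REQ, DATA_FRAME]))
```

The beacon alone gives away nothing but the BSSID, and the data frame has no SSID field to parse; the name appears the moment the client's probe request or association request is on the air, which is exactly the traffic cloaking cannot suppress.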


A little bit about warning banners

I had a good talk today over warning banners and what should go into them so I thought I would share a bit about what was discussed.

Why have a warning banner? The big reason is to limit the presumption of privacy. Without one, an intruder could argue that they never knew gaining access to the system was wrong because nothing told them it was off limits. Even worse, they could go after the IT and security staff for monitoring or recording their actions without consent. With a proper warning banner you protect yourself by expressly stating that such access is prohibited, that use of the system is monitored, and that evidence of criminal activity will be reported.

Now that we know why warning banners are needed, the question is what should go into one. First, and most importantly, you absolutely need to state that any use of the resource being accessed may be monitored and recorded. This is the holy grail of warning banner content and trumps any other single item you could stuff into one. Next, state that access is limited strictly to authorized personnel and authorized activity, and that any unauthorized attempt to access, use or modify the resource is prohibited. There should also be a clause stating that unauthorized use may result in criminal or civil penalties, and that if monitoring reveals evidence of criminal activity the company may provide that information to law enforcement.

Now I am not a lawyer, nor do I pretend to be one. If you write a warning banner, have legal counsel approve it (in writing) to make sure the wording is solid and accurate. This is extra important if you are deploying it in countries outside your own, because some have very explicit laws regarding privacy and what you are and aren't allowed to monitor.


Easy high level security tips and questions

Over the last few years I have had to deal with a lot of smaller businesses and the general lack of security has been horrifying. Every single small business I have been to has, without exception, failed at some of the most basic things. In light of this I have started to cobble together an easy-to-read, high-level security review/questionnaire that even non-technical people can understand, with the hope of mitigating some of the easy things and putting them on the right path.

High-Level Security Checklist

Overview – Approach environments asking these questions
- Confidentiality
    - Who has access to what information or resources?
- Integrity
    - Has any information been changed, and who changed it?
- Availability
    - Are your information and resources readily accessible when needed?
- How often are backups run?
- Do you have offsite storage for backups?
    - Keeping tapes in a car is not secure
    - Keeping them in a home is not really secure
    - Store them in a place that can be locked up and is out of harm's way!
- Do you run test restores?
- In the event recovery is needed, how quickly can the off-site backups be obtained?
- If they are stored with an individual, can that person be reached at any time?
- What type of backup medium is being used?
    - Tape
        - How often are tapes replaced?
        - The cost of proper upkeep can add up
    - Cloud
        - What is the provider's privacy policy?
        - What is the provider's liability for lost data?

Patches and Software Updates
- Are Windows updates configured?
- Are you looking for Java updates?
    - Can Java be updated?
        - Some web applications can be an issue if they depend on an old version
    - Is it using automatic updates?
        - Again, be careful if you have sensitive web applications
- Are you looking for Adobe updates?
    - Adobe products are among the most notorious for frequently patched security holes
- Are you updating your web browsers?
- Other third-party applications
    - Third-party application updates are often the hardest type of patching to stay current on

Least Privilege
- Do people run as admin on local computers?
    - Not making users local administrators and leaving UAC turned on limits the damage malware can do
- File sharing permissions
    - Are there unused file shares on servers and desktops?
- Do your administrators use domain administrator accounts for day-to-day work, or ordinary user accounts?
    - Using a domain admin account for general-purpose work is a huge risk and makes it easy to compromise the whole environment
- Use different passwords for different purposes
    - People tend to use the same password for everything
- Are passwords written down or stored in a secure format?
    - It is not uncommon to find passwords written on sticky notes in plain sight on or around a user's desk
    - If they are stored, is it in a place other people can easily access?
        - Physically written down in a desk drawer?
        - In a text file on the computer?
    - Many applications store passwords insecurely
        - Web browsers with saved passwords are notorious
- Do users share passwords or use shared accounts?
    - This should be kept to an absolute minimum
    - When looking at audit trails, how can you tell which user made a change?
- Complexity requirements
    - How long do passwords last before needing to be changed?
        - Too long between changes is bad
        - If changes are required too often, users tend to write passwords down and store them insecurely
    - How long are your passwords?
        - The absolute minimum should be 8 characters
        - Long passphrases are recommended
        - Length matters more than traditional complexity
    - Do you require specific character sets?
        - Less important than length
        - Most password crackers try the common letter-to-symbol replacements (a to @, s to $, i to 1 or !) on every dictionary word anyway
    - Are your passwords based on dictionary words?
        - Easily tested with password auditing
        - Dictionary words with numbers appended and/or character substitution are not effective

- Important, but it's not a silver bullet
- It is not about total prevention but about reducing your attack surface to a manageable level
- Are you up to date on your subscriptions and definitions?
- Do you have appropriate rules for traffic / email / content filtering?
    - Are you blocking inbound traffic?
    - Are you blocking outbound traffic?
- Are you blocking inbound traffic from regions you don't do business in? (If you don't do business outside the US, block traffic from China, for example)
- Are you using a VPN solution for remote access?
- Are you using WPA/WPA2 with AES?
    - WEP is NOT secure and is very easily cracked
    - TKIP has known flaws and is not recommended
- MAC address filtering doesn't help
- SSID cloaking gives a false sense of security, can be a risk in itself, and is not recommended
- Do you have data that requires disk encryption?
    - PGP / TrueCrypt
- Do you need email encryption?

Data Removal
- How do you decommission old computers?
- Do you erase data before getting rid of a computer?
    - Just deleting files in Windows is not enough; the data stays on the disk and can easily be recovered
    - A secure erase with third-party tools is recommended

Disaster Recovery
- Do you have a disaster recovery plan?
    - Does it cover data loss?
    - Does it cover equipment loss?
        - Is there spare equipment available if needed?
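The password items in the checklist (length over character sets, and dictionary words with substitutions or trailing digits being ineffective) can be checked mechanically. The following small audit is an added example, not part of the original checklist: it applies the same mangling rules a cracker's rule set uses, so a password that is "dictionary word plus symbols plus a year" is flagged just as it would fall to John the Ripper or hashcat. The wordlist and the sample passwords are constructed for the example; a real audit uses a large wordlist against the real password hashes.

```python
"""Tiny password audit applying cracker-style mangling rules.

Added example, not from the original checklist. WORDLIST and the sample
passwords are constructed for the example.
"""
import re

# Reverse map of the letter-to-symbol substitutions every rule set tries.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Constructed miniature wordlist (real ones hold millions of entries).
WORDLIST = {"password", "summer", "winter", "welcome", "company",
            "letmein", "dragon", "monkey", "football"}

MIN_LENGTH = 8


def candidate_stems(password):
    """Base strings a cracker would compare with the wordlist: lowercased,
    with appended digits/symbols stripped (Summer2013!), with leading
    symbols stripped as well (!!dragon42), and with leet substitutions
    undone (P@ssw0rd, Dr4g0n)."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(UNLEET)}
    for s in list(forms):
        forms.add(re.sub(r"[\d\W_]+$", "", s))             # strip suffix
        forms.add(re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s))   # strip both ends
    forms |= {s.translate(UNLEET) for s in list(forms)}    # un-leet the stripped forms too
    return {s for s in forms if s}


def is_dictionary_derived(password, wordlist=WORDLIST):
    """True if any mangled form of the password is a plain wordlist entry."""
    return any(stem in wordlist for stem in candidate_stems(password))


def audit(password, wordlist=WORDLIST, min_length=MIN_LENGTH):
    """Findings for one password; an empty list means it passed these checks."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if is_dictionary_derived(password, wordlist):
        findings.append("dictionary word with substitutions and/or digits")
    return findings


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Summer2013!", "Dr4g0n", "monkey",
               "correct horse battery staple"):
        print(f"{pw!r}: {audit(pw) or 'ok'}")
```

"P@ssw0rd1" satisfies a typical upper/lower/digit/symbol policy and still fails, while the four-word passphrase passes without containing a single symbol; that is the whole argument for length over character-set rules.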

Web GUI for IOU

Been a while since my last post. Lots of changes going on, new job, new place, and more so time has really been constrained. On a side note can't wait till Defcon 20. See you in Las Vegas!

I recently ran across an interesting page about a web GUI for running IOU. I haven't had a chance to check it out yet but it seemed pretty cool.