About me Security Paintball


Welcome to the security section...

This is a very nice screenshot from the Matrix movie. However it tells us a lot about the methodology a hacker is using to exploit a specific target. Of course this is a movie, normally pure crap if you see how these guys are hacking in movies like "Hackers". But here you basically see two phases of an attack attempt. Phase 1 Information Gathering - Phase 2 exploiting the target with typical tools that we see and use in the area of IT security. There can be even more phases like "erasing logfiles" and "leave a backdoor". However to start here we beginn with Phase 1. If you want to go deeper into IT security you should typically not use an operating system like Windows (especially because with the newest service pack Microsoft removed the ability of "raw packets" from WindowsXP). Go for a linux system, a UNIX system, BSD derivates or a special security distribution on a small bootable device (e.g. Memorystick or a CD/DVD). This also helps you to understand how those systems are built up and how do they work. If you do not increase your knowledge you will never be able to go over the level of a so called script kiddie. By the way, start to build up your own Web-Servers, Email-Servers and learn what you have to keep in mind to secure them. However I will also submit some tools and hints for Windows as well. Regarding the information I provide here I assume you have at least basic network knowledge and that the OSI model is common to you.

Information Gathering

In this phase you try to identify the target environment. It can be a single host or it can be a range of IP-adresses. Use tools and URLs like http://www.samspade.org to acquire more specific information about a target using public available databases like DeNiC (in Germany) and RIPE.

In addition to that investigate in tools like "whois" and "dig". Dig is a special tool to enumerate DNS Servers. The enumeration of DNS servers is very helpful to identify interestings targets and to clarify if the DNS server is a security risk as well. Sometimes when you quering a DNS server you'll probably be able to perform a zone transfer. The result of such a transfer is very helpful to choose valuable targets.

Scanning & Network enumeration

After the targets are once identified the next phase is to see what kind of services are "offered" to the customer. It is a litle bid like "knocking on the door" and see what happens. Basically you have to differ between port scanning and vulnerability scanning. First of all we start with port scanning:

What is port scanning ? It is similar to a thief going through your neighborhood and checking every door and window on each house to see which ones are open and which ones are locked. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite which is used universally to communicate on the Internet. There are 65535 TCP and UDP ports in theory on each IP stack instance. The ports below 1024 are normally named as "well known" ports or reserved ports. In this range we often find very common services like HTTP (TCP port 80) SMTP (TCP port 25) and others. This is a small extraction of well known ports and the related services:

0 to 1023

1024 to 49151

Unregistered Ports

These are ports that may be in common use, but that are not formally registered with IANA. Where the use conflicts with a registered use, the notation CONFLICT is used.

Port scanning software, in its most basic state, simply sends out a request to connect to the target computer on each port sequentially and makes a note of which ports responded or seem open to more in-depth probing.

If the port scan is being done with malicious intent, the intruder would generally prefer to go undetected. Network security applications can be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. By setting different TCP flags or sending different types of TCP packets the port scan can generate different results or locate open ports in different ways. One of the best tools to perform port scanning and network enumeration is Nmap.

Nmap is free port scanning software distributed by Insecure.Org and designed to detect open ports on a target computer , determine which services are running on those ports, and infer which operating system the computer is running (this is also known as fingerprinting ). It has become one of the de-facto tools in any network administrator's toolbox, and is used for penetration testing and general computer security.

Like most tools used in computer security , Nmap is useful to both system administrators and crackers (or script kiddies ). System administrators can use it to test for possible unauthorized servers in the workplace, whereas crackers use it to "scope out" a potential target. Nmap is often confused with a host vulnerability assessment tool such as Nessus . Nmap is stealthy, built to evade intrusion detection systems , and less likely to interfere with the normal operation of the networks or computers being scanned. You can download it here.

Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.

As I am too lazy to write my own Nmap-HOWTO you will find a very good overview right here. Please have a special look at the chapter of "idle scanning".

More content to come soon...