Saturday, April 18, 2015

Why Open Source in a Company?

Suppose you're about to start a new company and you want to make open-source software the driving force behind every technology decision. Beyond it being an admirable and good cause, what are the key points you need to fully understand before implementing this strategy?

The question may seem loaded. In truth, every business is different, and the driving technology that helps a business succeed varies. Even so, there are a few universals that hold true across the playing field, and those universals apply to open source and closed source alike. So when you're thinking of starting up a company (or migrating an existing one), what do you have to consider when doing so with open-source software?
Let's try a few options.

1. Save money using open source

This debate needs to finally (and officially) be put to rest. Study after study has been done, some of them sponsored by interested parties, but the truth is that both initial and ongoing costs will be lower if you choose open source. Many of the older studies pointed to one particular concern that is, for the most part, no longer relevant: the cost of training users. Here's the thing: 90% of what people do now is done inside a web browser. Let's be honest, most end users today could get by with a Chromebook and still be able to do their jobs. Nobody needs to be trained on how to use a web browser. Moreover, if your users must be trained on how to use web-based software, the platform won't make any difference.
When you add to this the huge expense you'll save on your company's backbone (server platforms and software), the savings really start adding up. And on the server side, you will be using open source anyway; you can't escape it now. So when you know that choosing CentOS or openSUSE as your server platform could save you a significant amount of money in licensing fees, why would you choose any other route? Ask any administrator who has worked with Linux servers, and you'll find those servers require far less maintenance than the competing solutions.

2. Nothing is new

Consider this: enterprise-level companies are already depending on open source. They aren't just dabbling in various and sundry open-source projects; they depend on an array of open-source software to keep them functional. We're talking big data, and it doesn't get any bigger than that. A lot of startups who consider the open-source route assume they are an island, adrift on an ocean. That couldn't be more wrong. Everything you are considering has been done, and done with great success. Consider companies like Google, Amazon, Facebook, and Twitter, all of which place the foundation of their business on open-source software. If they can do it, you can do it. And when you're unsure how to proceed, you only need to follow their examples. Keep up with Google's open-source blog or Facebook's open-source projects.

3. Headaches will lessen

When working inside a proprietary ecosystem, one of the biggest issues that will drain your budget and your productivity is system cleaning. With enough end users, the IT department can quickly become overwhelmed with malware and virus cleanup requests. When you use open-source platforms (such as Linux), this won't be the case. Although there are plenty who will argue against the use of Linux on the desktop, imagine how your bottom line would feel if productivity was only occasionally halted by malware and viruses. I'm not saying that productivity will never be put on pause, but you'll see an enormous decrease in how often it stops. Your IT department can then concentrate on what's really important, such as servers, networks, and security.

4. Your Choice, Your Selection

When you're working with proprietary systems, you work how you're told to work. If you use Windows or OS X, you use their interfaces and adhere to what they dictate. On the contrary, if you work with open source, you work your way. If you don't like the way something acts or looks, you change it. If you don't like the default user interface that ships with Ubuntu Linux, use a different flavor. When it comes to customization and open source, there are no constraints. This is your business, and you should be able to make the technology conform to your needs, not the other way around. With open source, you get that.

5. Very Few Hurdles to Overcome.

It won't be 100% smooth sailing (but nothing is in the world of business). If you have end users who don't work out of a web browser, you may run into file incompatibilities. Say, for instance, you have customers who send you Word or Excel documents that depend on advanced features. You may find that LibreOffice or Google Docs won't "translate" those features with 100% accuracy. When that happens, what do you do? You may need to pay for an Office 365 license for that particular user. Alternatively, what happens if you have a particular piece of proprietary software your business depends on?
Here's the thing: you don't have to dive into open-source waters and never surface. There's nothing wrong with mixing environments. If you can't work with a particular piece of software, then you make an exception. The good thing about open-source software is that it plays well with exceptions. You drop a Windows machine into your network, and nothing will explode or rat you out to the open-source police. The good news is that an overwhelming majority of end users don't take advantage of the advanced features within Microsoft Office that tend to break compatibility with open-source solutions.

6. Can easily Try Before You “BUY”

With every conceivable piece of open-source software, you can try before you invest either time or money into a single piece of software. Even the operating system itself! You can download an ISO image of a Linux distribution and run it without making any changes to your system (called a Live CD or USB). You could download nearly every Linux distribution available, try them all out, and make your decision based on that process, all without having to install a single platform. Also, with most open-source web-based solutions (such as HRM, CRM, and CMS tools), there are demos to try or even virtual images you can start up in VirtualBox (again, without having to install said tools). A great place to find virtual machines to test is Turnkey Linux. Turnkey lets you easily test systems such as GitLab, LAMP stack, SugarCRM, ownCloud, OrangeHRM, and much more.
I anticipate that within the next five years there will be a great many more small to medium-sized companies opting for open-source solutions on both servers and desktops. The landscape is nothing like it was five years ago. Open source is no longer just a testing ground or playground for developers or an environment for the computer "l33t." Open source is a viable alternative for the modern age. If you're thinking of starting a company on an open foundation or migrating your existing company over to open-source software, consider these thoughts and move forward with your plan.

Wednesday, July 31, 2013

Happy 40th B'Day to Ethernet

We take for granted how computers in the workplace are all connected together. Sharing files with coworkers, sending documents to a network printer, and accessing data from a networked server are all routine procedures thanks to the invention of Ethernet technology. On Ethernet’s 40th anniversary, the IEEE History Center shares excerpts from the oral history interview it conducted with Ethernet’s co-inventor Robert Metcalfe in February 2004.
The technology’s genesis dates to 1973, when Xerox PARC, in Palo Alto, Calif., built the Alto personal computer. Robert Metcalfe—who was working there at the time and finishing his Ph.D. dissertation for Harvard—was assigned to design a network for the machine as well as a card that could be plugged into it to enable communication with the Advanced Research Projects Agency Network (ARPANET), the world's first operational packet-switching network and the precursor to the Internet. Xerox PARC was also building a laser printer that could print 500 dots per inch at a speed of one page per minute. The hope was to use it as a central printer for all of Xerox PARC’s personal computers. Hundreds of computers had to be connected.
“If you do the math on that printer,” Metcalfe explained in his interview with the IEEE History Center, “that was a lot of bits per second…500 times 500, times 8.5, times 11, per minute…that’s a big number. RS-232 was then the standard for interconnecting terminals, and it frequently ran below 19.2 kilobits per second. It was not even close to what was needed.”
To keep the printer busy, the PARC network had to run in megabits, not kilobits, per second. On 22 May 1973, Metcalfe distributed a memo describing the high-speed local network he had in mind. He called it the EtherNet, which was soon rewritten as Ethernet. In June, Metcalfe teamed with David Boggs, another PARC employee and an experienced amateur radio operator, to build the network. The similarities between amateur radio—where multiple transmitters use the same frequency and have developed an etiquette for not interfering with each other—and a network of computer terminals communicating over the same wires, made Boggs’s experience particularly valuable.
WHAT MADE IT WORK
Ethernet was not the first attempt to build what would come to be called a local-area network, or LAN. (The acronym LAN would not even come into use for about eight years.) Metcalfe was influenced by the ALOHAnet, which relied on radio to connect computer users in the Hawaiian Islands—it was the first public demonstration of a wireless packet data network. Norm Abramson, professor of electrical engineering and computer science at the University of Hawaii and the director of ALOHAnet, wrote a paper evaluating it. After Metcalfe read Abramson’s paper, he rethought ALOHAnet’s traffic model, which assumed that if two packets of information collided, the users would keep typing and resending packets in the absence of an acknowledgment having been received. The assumption was that if two terminals sent packets at the same time and they interfered with each other, they would each try again but not at the same time.
Metcalfe believed, however, that users who did not receive an acknowledgment were more likely to stop typing and would wait before transmitting again. Thus the packet traffic would decrease, resulting in fewer collisions. With fewer collisions, more of the data would be able to get through. This is the same principle as a traffic jam on a highway: There may be a lot of cars on the road, but no one is getting anywhere. When there are fewer cars on the highway, they are moving, and more of them reach their destinations. With Ethernet, as with any network, the idea is to fill the communication channel with the most traffic that can still move efficiently.
For Ethernet networks, Metcalfe designed a “back-off algorithm” to control the retry time and thus the traffic volume. When the network saw light traffic, it would randomize the retry time over a short interval. But as the traffic load increased, the terminals would take more time before resending. A collision would be evidence that a channel was busier than anticipated, and so the retry time would be lengthened. This insight made Ethernet hugely more efficient. Fewer people were typing, and so a higher percentage of data packets were able to get through. Collision detection made Ethernet different and made it fast.
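The back-off rule described above was later formalized in IEEE 802.3 as truncated binary exponential backoff: after the n-th collision a station waits a random number of slot times drawn from 0 to 2^min(n,10) - 1, and a frame is discarded after 16 failed attempts. The simulation below is an added illustration, not code from the article or from PARC; the one-frame-per-station model, the station counts and the random seed are my assumptions, and the 51.2 µs slot time (512 bit times at 10 Mb/s) is only used to express slots as time.

```python
import random

ATTEMPT_LIMIT = 16      # IEEE 802.3 attemptLimit: give up after 16 failed transmissions
BACKOFF_CEILING = 10    # IEEE 802.3 backoffLimit: the window stops doubling after 10 collisions
SLOT_TIME_US = 51.2     # 512 bit times at 10 Mb/s (assumed here only to convert slots to time)


def backoff_window(attempt):
    """Number of candidate slots after the given collision count (1-based).

    The window doubles with every collision (2, 4, 8, ...) and is capped at
    2**10 = 1024 slots, so a busy channel makes stations wait longer on average.
    """
    if attempt < 1:
        raise ValueError("attempt counts collisions and starts at 1")
    return 2 ** min(attempt, BACKOFF_CEILING)


def choose_backoff(attempt, rng):
    """Slots to wait before the next retry, or RuntimeError if the frame must be dropped."""
    if attempt > ATTEMPT_LIMIT:
        raise RuntimeError("excessive collisions: frame dropped after %d attempts" % ATTEMPT_LIMIT)
    return rng.randrange(backoff_window(attempt))


def simulate_csma_cd(n_stations, seed=1):
    """Toy CSMA/CD model: every station holds one frame and all start ready.

    Each loop iteration is one slot. Exactly one ready station means success;
    several ready stations mean a detected collision, after which each one
    draws a fresh, larger backoff. Returns counters showing how contention resolves.
    """
    rng = random.Random(seed)
    pending = {s: {"wait": 0, "attempts": 0} for s in range(n_stations)}
    stats = {"delivered": 0, "collisions": 0, "dropped": 0, "slots": 0, "max_attempts": 0}
    while pending:
        stats["slots"] += 1
        ready = [s for s, st in pending.items() if st["wait"] == 0]
        for st in pending.values():
            if st["wait"] > 0:
                st["wait"] -= 1          # stations sitting this slot out count it down
        if len(ready) == 1:
            stats["delivered"] += 1
            del pending[ready[0]]
        elif len(ready) > 1:
            stats["collisions"] += 1
            for s in ready:
                st = pending[s]
                st["attempts"] += 1
                stats["max_attempts"] = max(stats["max_attempts"], st["attempts"])
                try:
                    st["wait"] = choose_backoff(st["attempts"], rng)
                except RuntimeError:
                    stats["dropped"] += 1
                    del pending[s]
    stats["busy_time_us"] = stats["slots"] * SLOT_TIME_US
    return stats


if __name__ == "__main__":
    for n in (2, 5, 20):
        print(n, "stations:", simulate_csma_cd(n))
```

Running it for 2, 5 and 20 stations shows the effect Metcalfe described: collisions cluster in the first few slots while the windows are small, then the doubling spreads the retries out and every frame gets through without any station reaching the attempt limit.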
Metcalfe and his colleagues chose coaxial cable for Ethernet’s physical pathways because they wanted to be able to add or subtract nodes without bringing the network down. They also wanted to be able to insert nodes without cutting wires. David Liddle, who worked down the hall from Metcalfe and Boggs, pointed out something called a cable television tap. This allows tapping into a coaxial cable without cutting it. Ethernet was designed to be media-independent, however. By using the word ether in its name, the PARC people alluded to the possibility that Ethernet could be based on coaxial, twisted-pair or optical fiber wiring and, eventually, on Wi-Fi. Another important operating principle for Ethernet was that it would be vastly distributed; there would be no central control.
“In 1973, the Internet [which at that time was basically the ARPANET] on a good day ran at 50 kb/s,” Metcalfe reflected in his oral history. “Ethernet ran at 2.94 megabits per second.” Over the years, people urged Metcalfe to round the number up to 3. He always resisted, as a matter of emphasis: If one rounds 2.94 Mb to 3 Mb, the rounding error is more than 50 kb/s. “Ethernet’s round-off error was bigger than Internet,” said Metcalfe. “That’s how fast Ethernet was running.”
Xerox filed for a patent application for Ethernet on 31 March 1975, listing Robert Metcalfe, David Boggs, Chuck Thacker, and Butler Lampson as its inventors. U.S. Patent No. 4063220, “Multipoint data communication system (with collision detection),” was issued on 13 December 1977.
For his work on Ethernet, Metcalfe was awarded the 1988 IEEE Alexander Graham Bell Medal and was the recipient of the 1996 IEEE Medal of Honor, IEEE’s highest award.
Learn more about the technologies that IEEE 802.3 “Standard for Ethernet” has helped enable by visiting the IEEE Standards Association website. It includes a video of a conversation with Metcalfe, an “Ask Me Anything” session with him on Reddit, and a list of IEEE 802.3 Ethernet milestones.

Wednesday, April 4, 2012

How to Find the IP Address of an E-Mail Sender


Option A: Gmail may include the IP Address

Gmail doesn’t include the IP address of the sender when the sender is using Gmail’s web interface to send email. However, if he or she is using a desktop client (like Microsoft Outlook) or a mobile device to send that email, the IP address is often included in the outgoing message.

Open the message in Gmail, click on More –> Show Original and search for the line “Received: from”. It may contain the IP address of the sender, which you can map to a physical location with the help of Wolfram Alpha.

Option B: Find the Sender’s Time Zone

When the IP address is not available, you can determine the sender’s very approximate location from the time zone of the originating computer. Go to your Gmail Labs page and enable the “Sender Time Zone” feature.

Now open any message in Gmail and click on the down arrow that says “Show details”. The message will display the current time in the sender’s time zone, as shown in the following screenshot.



Next, you can use a time zone map to determine the countries where the current time is the same as the time displayed in the Gmail message. Obviously this is not the most foolproof method, as two different countries can be in the same time zone, but when the IP address is not available in Gmail, this is the closest you can get.

On a related note, the time zone of your outgoing Gmail messages is determined from your computer’s time zone. If you would like your Gmail messages to show a different time zone, just go to your computer’s date and time settings and change the time zone.
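The “Received: from” search in Option A can be automated, and doing so also shows its main limitation: the earliest hop often records a LAN address or the sender's mail relay rather than the sender. The script below is an added example, not part of the original post; the message is constructed (the 203.0.113.0/24 addresses are documentation addresses standing in for public ones, mx.example.com stands in for the receiving provider), and the helper names are my own.

```python
import email
import ipaddress
import re

# Constructed sample: the sender's desktop client on a LAN (192.168.1.23) handed the
# mail to its provider's relay (203.0.113.10), which delivered it to mx.example.com.
SAMPLE_MESSAGE = """\
Received: from mail-relay.example.net (mail-relay.example.net. [203.0.113.10])
        by mx.example.com with ESMTPS id k7si12345
        for <alice@example.com>; Tue, 3 Apr 2012 10:15:02 -0700 (PDT)
Received: from [192.168.1.23] (unknown [192.168.1.23])
        by mail-relay.example.net (Postfix) with ESMTPA id 4F2A1C0
        for <alice@example.com>; Tue, 3 Apr 2012 10:14:58 -0700 (PDT)
From: Bob <bob@example.net>
To: alice@example.com
Subject: constructed sample
Date: Tue, 3 Apr 2012 10:14:55 -0700

Hello Alice.
"""

# Ranges that never identify an Internet location: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]

IP_IN_BRACKETS = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
FROM_HOST = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(raw_message):
    """Received hops in chronological order (earliest relay first).

    MTAs prepend their Received header, so the top header is the most recent
    hop; reversing get_all() restores the path the mail actually took.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())          # unfold continuation lines
        host = FROM_HOST.match(flat)
        ip = None
        for candidate in IP_IN_BRACKETS.findall(flat):
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue                          # bracketed text that is not an address
            ip = candidate
            break
        hops.append({"from": host.group(1) if host else None, "ip": ip, "raw": flat})
    return hops


def originating_ip(raw_message):
    """Address in the earliest hop: what the post's "Received: from" search finds."""
    for hop in received_hops(raw_message):
        if hop["ip"]:
            return hop["ip"]
    return None


def first_external_ip(raw_message):
    """Earliest address that is not private or loopback, so it can be geolocated;
    it may belong to the sender's relay rather than to the sender's machine."""
    for hop in received_hops(raw_message):
        if hop["ip"] and not is_internal(hop["ip"]):
            return hop["ip"]
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        tag = "(internal)" if hop["ip"] and is_internal(hop["ip"]) else ""
        print(hop["from"], hop["ip"], tag)
    print("originating:", originating_ip(SAMPLE_MESSAGE))
    print("first external:", first_external_ip(SAMPLE_MESSAGE))
```

Only the Received lines added by your own provider's servers (the ones at the top) are trustworthy; everything below them was written by machines on the sender's side and can be omitted or forged, which is why a result like the 192.168.1.23 above should be read as “the sender was behind a relay”, not as a location.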

Sunday, January 22, 2012

Connecting to Remote Desktop

The best solution is a remote desktop connection, in which the technician can freely use the customer’s computer without having to make an appointment. Techinline Remote Desktop allows this, and the novelty of the product is that everything is done entirely through the browser.

How does it work?

After you log in, the website automatically prompts you to download the required components.
Getting remote access is simple and similar to what we do with other such software. You obtain a Client ID after logging in and hand this unique ID over to whoever you want to give access to.
The person on the other side enters the same ID from his computer after receiving it.
Thereafter, the customer accepts the request for technical assistance and the computer is accessed remotely. There are various access permissions, such as with or without keyboard and mouse control.

What I liked most about it

  • Connecting right from the browser: no software needs to be installed, and access is made from the browser itself.
  • Keeps a complete log of the session.
  • Drag-and-drop file sharing: transfer files directly during the active session without uploading them to a server and then downloading them.
  • Secure: while sharing our machine we worry about the security part, but Techinline offers SSL, two-factor authentication and code-signing certificates. Strong 128-bit encryption makes it almost impossible to steal information.
  • Cross-browser compatible: no matter which web browser you or the person on the other side uses, install the Techinline add-on and you are ready to roll.
Overall, a new player in remote desktop with a different approach. Rookies will be happy to use it without getting confused, and home users can use it hassle-free.

Sunday, June 19, 2011

How to install the BCM4311 wireless card on Fedora 14


[root@nilesh ~]# yum install b43-fwcutter

Loaded plugins: langpacks, presto, refresh-packagekit
Adding en_US to language list
Setting up Install Process
Package b43-fwcutter-013-2.fc14.i686 already installed and latest version
Nothing to do

[root@nilesh ~]# cd /tmp/


[root@nilesh tmp]# wget http://downloads.openwrt.org/sources/broadcom-wl-4.150.10.5.tar.bz2

Command not found.
Install package 'wget' to provide command 'wget'? [N/y] [root@nilesh tmp]# y
Command not found.

[root@nilesh tmp]# yum install wget

Loaded plugins: langpacks, presto, refresh-packagekit
Adding en_US to language list
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package wget.i686 0:1.12-2.fc13 set to be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package         Arch            Version                Repository         Size
================================================================================
Installing:
wget            i686            1.12-2.fc13            fedora            480 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 480 k
Installed size: 1.8 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 480 k
wget-1.12-2.fc13.i686.rpm                                | 480 kB     00:03    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing     : wget-1.12-2.fc13.i686                                    1/1

Installed:
wget.i686 0:1.12-2.fc13                                                      

Complete!

[root@nilesh tmp]# wget http://downloads.openwrt.org/sources/broadcom-wl-4.150.10.5.tar.bz2

--2011-05-03 08:18:57--  http://downloads.openwrt.org/sources/broadcom-wl-4.150.10.5.tar.bz2
Resolving downloads.openwrt.org... 78.24.191.177
Connecting to downloads.openwrt.org|78.24.191.177|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3888794 (3.7M) [text/plain]
Saving to: “broadcom-wl-4.150.10.5.tar.bz2”

100%[======================================>] 3,888,794    128K/s   in 30s    

2011-05-03 08:19:28 (125 KB/s) - “broadcom-wl-4.150.10.5.tar.bz2” saved [3888794/3888794]

[root@nilesh tmp]# cp broadcom-wl-4.150.10.5.tar.bz2 /lib/firmware/


[root@nilesh tmp]# cd /lib/firmware/



[root@nilesh firmware]# tar -jxf broadcom-wl-4.150.10.5.tar.bz2


[root@nilesh firmware]# cd broadcom-wl-4.150.10.5


[root@nilesh broadcom-wl-4.150.10.5]# cd driver/


[root@nilesh driver]# ls

config         wl_ap_mimo.o  wl_apsta_micro.o  wl_apsta.o      wl_sta_mimo.o
wl_ap_micro.o  wl_ap.o       wl_apsta_mimo.o   wl_sta_micro.o  wl_sta.o

[root@nilesh driver]# b43-fwcutter -w /lib/firmware/ wl_apsta_mimo.o

This file is recognised as:
ID         :  FW13
filename   :  wl_apsta_mimo.o
version    :  410.2160
MD5        :  cb8d70972b885b1f8883b943c0261a3c
Extracting b43/pcm5.fw
Extracting b43/ucode15.fw
Extracting b43/ucode14.fw
Extracting b43/ucode13.fw
Extracting b43/ucode11.fw
Extracting b43/ucode9.fw
Extracting b43/ucode5.fw
Extracting b43/lp0bsinitvals15.fw
Extracting b43/lp0initvals15.fw
Extracting b43/lp0bsinitvals14.fw
Extracting b43/lp0initvals14.fw
Extracting b43/a0g1bsinitvals13.fw
Extracting b43/a0g1initvals13.fw
Extracting b43/b0g0bsinitvals13.fw
Extracting b43/b0g0initvals13.fw
Extracting b43/lp0bsinitvals13.fw
Extracting b43/lp0initvals13.fw
Extracting b43/n0absinitvals11.fw
Extracting b43/n0bsinitvals11.fw
Extracting b43/n0initvals11.fw
Extracting b43/a0g1bsinitvals9.fw
Extracting b43/a0g0bsinitvals9.fw
Extracting b43/a0g1initvals9.fw
Extracting b43/a0g0initvals9.fw
Extracting b43/b0g0bsinitvals9.fw
Extracting b43/b0g0initvals9.fw
Extracting b43/a0g1bsinitvals5.fw
Extracting b43/a0g0bsinitvals5.fw
Extracting b43/a0g1initvals5.fw
Extracting b43/a0g0initvals5.fw
Extracting b43/b0g0bsinitvals5.fw
Extracting b43/b0g0initvals5.fw
[root@nilesh driver]#

I got some SELinux warnings, so I disabled it and ran the command again.


[root@nilesh driver]# b43-fwcutter -w /lib/firmware/ wl_apsta_mimo.o

This file is recognised as:
ID         :  FW13
filename   :  wl_apsta_mimo.o
version    :  410.2160
MD5        :  cb8d70972b885b1f8883b943c0261a3c
Extracting b43/pcm5.fw
Extracting b43/ucode15.fw
Extracting b43/ucode14.fw
Extracting b43/ucode13.fw
Extracting b43/ucode11.fw
Extracting b43/ucode9.fw
Extracting b43/ucode5.fw
Extracting b43/lp0bsinitvals15.fw
Extracting b43/lp0initvals15.fw
Extracting b43/lp0bsinitvals14.fw
Extracting b43/lp0initvals14.fw
Extracting b43/a0g1bsinitvals13.fw
Extracting b43/a0g1initvals13.fw
Extracting b43/b0g0bsinitvals13.fw
Extracting b43/b0g0initvals13.fw
Extracting b43/lp0bsinitvals13.fw
Extracting b43/lp0initvals13.fw
Extracting b43/n0absinitvals11.fw
Extracting b43/n0bsinitvals11.fw
Extracting b43/n0initvals11.fw
Extracting b43/a0g1bsinitvals9.fw
Extracting b43/a0g0bsinitvals9.fw
Extracting b43/a0g1initvals9.fw
Extracting b43/a0g0initvals9.fw
Extracting b43/b0g0bsinitvals9.fw
Extracting b43/b0g0initvals9.fw
Extracting b43/a0g1bsinitvals5.fw
Extracting b43/a0g0bsinitvals5.fw
Extracting b43/a0g1initvals5.fw
Extracting b43/a0g0initvals5.fw
Extracting b43/b0g0bsinitvals5.fw
Extracting b43/b0g0initvals5.fw
[root@nilesh driver]#
Now just try to establish a connection with your wireless card and check whether it works.
Please always check your logs whenever you do some setup.
In my case:

#tail -f /var/log/messages

May  2 22:29:09 nilesh kernel: [   27.735949] b43-phy0 ERROR: Firmware file "b43/ucode13.fw" not found
May  2 22:29:09 nilesh kernel: [   27.735961] b43-phy0 ERROR: Firmware file "b43-open/ucode13.fw" not found
May  2 22:29:09 nilesh kernel: [   27.735969] b43-phy0 ERROR: You must go to http://wireless.kernel.org/en/users/Drivers/b43#devicefirmware and download the correct firmware for this driver version. Please carefully read all instructions on this website.
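Pairing the two outputs above gives a post-install check: does the set of files b43-fwcutter wrote cover what the kernel complained about, and does the driver object carry the hash the tool printed? The script below is an added example, not part of the original post; the fwcutter output and the /var/log/messages lines are abridged copies of the ones shown above, the helper names are mine, and the expected MD5 is taken from the fwcutter output (compare it against the hash listed on the b43 firmware page when you run this for real).

```python
import hashlib
import re

# Abridged copy of the b43-fwcutter output in the post (sample input).
FWCUTTER_OUTPUT = """\
This file is recognised as:
ID         :  FW13
filename   :  wl_apsta_mimo.o
version    :  410.2160
MD5        :  cb8d70972b885b1f8883b943c0261a3c
Extracting b43/pcm5.fw
Extracting b43/ucode15.fw
Extracting b43/ucode13.fw
Extracting b43/b0g0initvals13.fw
Extracting b43/b0g0bsinitvals13.fw
"""

# The /var/log/messages lines from the post (sample input).
KERNEL_LOG = """\
May  2 22:29:09 nilesh kernel: [   27.735949] b43-phy0 ERROR: Firmware file "b43/ucode13.fw" not found
May  2 22:29:09 nilesh kernel: [   27.735961] b43-phy0 ERROR: Firmware file "b43-open/ucode13.fw" not found
May  2 22:29:09 nilesh kernel: [   27.735969] b43-phy0 ERROR: You must go to http://wireless.kernel.org/en/users/Drivers/b43#devicefirmware and download the correct firmware for this driver version. Please carefully read all instructions on this website.
"""

EXPECTED_OBJECT_MD5 = "cb8d70972b885b1f8883b943c0261a3c"   # as printed by b43-fwcutter above

META_LINE = re.compile(r"^(\w+)\s*:\s+(.*)$")
EXTRACT_LINE = re.compile(r"^Extracting\s+(\S+)")
MISSING_FW = re.compile(r'Firmware file "([^"]+)" not found')


def parse_fwcutter(text):
    """Split b43-fwcutter output into its metadata block and the extracted paths."""
    meta, extracted = {}, []
    for line in text.splitlines():
        m = EXTRACT_LINE.match(line)
        if m:
            extracted.append(m.group(1))
            continue
        m = META_LINE.match(line)
        if m:
            meta[m.group(1)] = m.group(2).strip()
    return meta, extracted


def missing_firmware(log_text):
    """Firmware paths the b43 driver reported as not found, in log order."""
    return MISSING_FW.findall(log_text)


def firmware_gaps(requested, extracted):
    """Requested files that no extracted file satisfies.

    The driver tries b43/<name> and then b43-open/<name>, so a request is
    satisfied as soon as either directory provides that base name.
    """
    have = {path.split("/")[-1] for path in extracted}
    return sorted({p.split("/")[-1] for p in requested} - have)


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_file(path):
    """Recompute the driver object's MD5 to compare with what fwcutter reported."""
    with open(path, "rb") as fh:
        return md5_bytes(fh.read())


def object_matches(meta, expected_md5=EXPECTED_OBJECT_MD5):
    """True when fwcutter's reported MD5 equals the expected driver-object hash."""
    return meta.get("MD5", "").lower() == expected_md5.lower()


if __name__ == "__main__":
    meta, extracted = parse_fwcutter(FWCUTTER_OUTPUT)
    print("object", meta.get("filename"), "version", meta.get("version"),
          "hash ok" if object_matches(meta) else "HASH MISMATCH")
    gaps = firmware_gaps(missing_firmware(KERNEL_LOG), extracted)
    print("still missing after extraction:", gaps or "nothing")
```

If the SELinux warning concerns the labels of the files newly written under /lib/firmware, `restorecon -R /lib/firmware/b43` reapplies the policy's labels, which resolves that class of warning while leaving enforcement on.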

Saturday, May 14, 2011

Hping Examples


1. Testing ICMP: In this example hping3 will behave like a normal ping utility, sending ICMP echo requests and receiving ICMP echo replies.
hping3 -1 0daysecurity.com
2. Traceroute using ICMP: This example is similar to well-known utilities like tracert (Windows) or traceroute (Linux), which send ICMP packets while increasing the TTL value by 1 each time.
hping3 --traceroute -V -1 0daysecurity.com
3. Checking a port: Here hping3 will send a SYN packet to a specified port (80 in our example). We can also control the local port from which the scan will start (5050).
hping3 -V -S -p 80 -s 5050 0daysecurity.com
4. Traceroute to a specific port: A nice feature of hping3 is that you can do a traceroute to a specified port and watch where your packet is blocked. It is done simply by adding --traceroute to the previous command.
hping3 --traceroute -V -S -p 80 -s 5050 0daysecurity.com
5. Other types of ICMP: This example sends an ICMP address mask request (type 17).
hping3 -c 1 -V -1 -C 17 0daysecurity.com
6. Other types of port scanning: The first type we will try is the FIN scan. In a TCP connection the FIN flag is used to start the connection-closing routine. If we do not receive a reply, that means the port is open. Normally firewalls send an RST+ACK packet back to signal that the port is closed.
hping3 -c 1 -V -p 80 -s 5050 -F 0daysecurity.com
7. ACK scan: This scan can be used to see if a host is alive (when ping is blocked, for example). This should send an RST response back if the port is open.
hping3 -c 1 -V -p 80 -s 5050 -A 0daysecurity.com
8. Xmas scan: This scan sets the sequence number to zero and sets the URG + PSH + FIN flags in the packet. If the target device's TCP port is closed, the target sends a TCP RST packet in reply. If the port is open, the target discards the TCP Xmas scan packet, sending no reply.
hping3 -c 1 -V -p 80 -s 5050 -M 0 -UPF 0daysecurity.com
9. Null scan: This scan sets the sequence number to zero and has no flags set in the packet. If the target device's TCP port is closed, the target sends a TCP RST packet in reply. If the port is open, the target discards the TCP Null scan packet, sending no reply. (hping3 sets no TCP flags unless told to, so no flag option is needed; the -Y option would set the unused 0x80 flag instead.)
hping3 -c 1 -V -p 80 -s 5050 -M 0 0daysecurity.com
10. Smurf Attack: This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.
hping3 -1 --flood -a VICTIM_IP BROADCAST_ADDRESS
11. DoS LAND attack:
hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 --flood --rand-source VICTIM_IP
  • --flood: send packets as fast as possible; don't show replies.
  • --rand-source: random source address mode (see the man page).
  • -V --verbose: verbose mode
  • -c --count: packet count
  • -d --data: data size
  • -S --syn: set SYN flag
  • -w --win: window size (default 64)
  • -p --destport [+][+]: destination port (default 0); Ctrl+Z increments/decrements it
  • -s --baseport: base source port (default random)
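Seen from the defender's side, the FIN, Xmas and Null probes in items 6, 8 and 9 are easy to recognize: those flag combinations never occur in a legitimate TCP exchange. The script below is an added example, not part of the original post or of hping3; it classifies tcpdump-style `Flags [...]` lines and counts per-source anomalies. The log lines are constructed (documentation addresses), and the tcpdump line format, the helper names and the alert threshold are my assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style lines. The first source sends the SYN, FIN, Xmas and
# Null probes described above; the second is an ordinary SSH handshake.
SAMPLE_LINES = """\
10:01:02.100 IP 203.0.113.7.5050 > 198.51.100.20.80: Flags [S], seq 100, win 64, length 0
10:01:02.200 IP 203.0.113.7.5050 > 198.51.100.20.80: Flags [F], seq 0, win 64, length 0
10:01:02.300 IP 203.0.113.7.5050 > 198.51.100.20.80: Flags [FPU], seq 0, win 64, length 0
10:01:02.400 IP 203.0.113.7.5050 > 198.51.100.20.80: Flags [none], seq 0, win 64, length 0
10:01:03.000 IP 198.51.100.5.43122 > 198.51.100.20.22: Flags [S], seq 55, win 29200, length 0
10:01:03.010 IP 198.51.100.20.22 > 198.51.100.5.43122: Flags [S.], seq 9, ack 56, win 28960, length 0
10:01:03.020 IP 198.51.100.5.43122 > 198.51.100.20.22: Flags [.], ack 1, win 229, length 0
""".splitlines()

LINE_RE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\]")

# tcpdump flag letters: S=SYN F=FIN P=PSH R=RST U=URG .=ACK; "none" means no flags.
INVALID_COMBINATIONS = {
    frozenset(): "null-scan",        # no flags at all
    frozenset("F"): "fin-scan",      # FIN without ACK never happens in a real session
    frozenset("FPU"): "xmas-scan",   # FIN+PSH+URG, "lit up like a Christmas tree"
}


def parse_line(line):
    """Extract endpoints and flags from one tcpdump line, or None if it is not TCP."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, flags = m.groups()
    src_ip, src_port = src.rsplit(".", 1)    # tcpdump joins host and port with a dot
    dst_ip, dst_port = dst.rsplit(".", 1)
    return {"src": src_ip, "sport": int(src_port), "dst": dst_ip,
            "dport": int(dst_port), "flags": flags}


def classify(flags):
    """Name the probe type for a tcpdump flag string; 'normal' if the combination
    can occur in a legitimate exchange, 'syn' for a bare connection attempt."""
    flagset = frozenset() if flags == "none" else frozenset(flags)
    if flagset in INVALID_COMBINATIONS:
        return INVALID_COMBINATIONS[flagset]
    if flagset == frozenset("S"):
        return "syn"
    return "normal"


def scan_report(lines):
    """Per-source counts of each classification."""
    report = defaultdict(Counter)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            report[pkt["src"]][classify(pkt["flags"])] += 1
    return report


def suspicious_sources(lines, threshold=2):
    """Sources that sent at least `threshold` packets with impossible flag sets."""
    anomalous = set(INVALID_COMBINATIONS.values())
    hits = []
    for src, counts in scan_report(lines).items():
        if sum(n for kind, n in counts.items() if kind in anomalous) >= threshold:
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    for src, counts in scan_report(SAMPLE_LINES).items():
        print(src, dict(counts))
    print("suspicious:", suspicious_sources(SAMPLE_LINES))
```

A bare SYN is deliberately not counted as an anomaly, since every connection starts with one; SYN scans are caught by rate or by the number of distinct ports per source, not by the flags alone.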

Annex A: hping3 help

usage: hping3 host [options]
-h --help show this help
-v --version show version
-c --count packet count
-i --interval wait (uX for X microseconds, for example -i u1000)
--fast alias for -i u10000 (10 packets for second)
--faster alias for -i u1000 (100 packets for second)
--flood sent packets as fast as possible. Don't show replies.
-n --numeric numeric output
-q --quiet quiet
-I --interface interface name (otherwise default routing interface)
-V --verbose verbose mode
-D --debug debugging info
-z --bind bind ctrl+z to ttl (default to dst port)
-Z --unbind unbind ctrl+z
--beep beep for every matching packet received
Mode
default mode TCP
-0 --rawip RAW IP mode
-1 --icmp ICMP mode
-2 --udp UDP mode
-8 --scan SCAN mode.
Example: hping --scan 1-30,70-90 -S www.target.host
-9 --listen listen mode
IP
-a --spoof spoof source address
--rand-dest random destionation address mode. see the man.
--rand-source random source address mode. see the man.
-t --ttl ttl (default 64)
-N --id id (default random)
-W --winid use win* id byte ordering
-r --rel relativize id field (to estimate host traffic)
-f --frag split packets in more frag. (may pass weak acl)
-x --morefrag set more fragments flag
-y --dontfrag set dont fragment flag
-g --fragoff set the fragment offset
-m --mtu set virtual mtu, implies --frag if packet size > mtu
-o --tos type of service (default 0x00), try --tos help
-G --rroute includes RECORD_ROUTE option and display the route buffer
--lsrr loose source routing and record route
--ssrr strict source routing and record route
-H --ipproto set the IP protocol field, only in RAW IP mode

ICMP
-C --icmptype icmp type (default echo request)
-K --icmpcode icmp code (default 0)
--force-icmp send all icmp types (default send only supported types)
--icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)
--icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
--icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
--icmp-help display help for others icmp options

UDP/TCP
-s --baseport base source port (default random)
-p --destport [+][+] destination port(default 0) ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum (try to) send packets with a bad IP checksum many systems will fix the IP checksum sending the packet so you'll get bad UDP/TCP checksum instead.
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
--tcpexitcode use last tcp->th_flags as exit code
--tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime

Common
-d --data data size (default is 0)
-E --file data from file
-e --sign add 'signature'
-j --dump dump packets in hex
-J --print dump printable characters
-B --safe enable 'safe' protocol
-u --end tell you when --file reached EOF and prevent rewind
-T --traceroute traceroute mode (implies --bind and --ttl 1)
--tr-stop Exit when receive the first not ICMP in traceroute mode
--tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
--tr-no-rtt Don't calculate/show RTT information in traceroute mode

ARS packet description (new, unstable)
--apd-send Send the packet described with APD (see docs/APD.txt)

Tuesday, April 26, 2011

Which ports is my Linux computer / Server listening to?

Introduction

Security is always a concern these days; it may be your house, your car, even yourself. We are all in danger, and so are our servers and computers.

Well, to protect your Linux computer you can take a lot of actions, and one of them is to know which ports your Linux machine is listening on; this way, if some of them are not needed, you can shut the service down.

Which ports is my Linux listening on?

We’ll use netstat to find out which ports our computer is listening on.

netstat -t --listening
The output could look like this:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:ipp *:* LISTEN
tcp 0 0 *:microsoft-ds *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:ipp *:* LISTEN
That is the example from my office computer; your output may differ, and if it is a public server, you should have a lot fewer ports open.
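The output above is easier to act on once it is split into what is bound to every interface and what only listens on loopback, and compared against the services you actually intend to expose. The script below is an added example, not part of the original post; its input is the netstat output shown above plus two constructed lines (a loopback-only mysql socket and an IPv6 ssh socket) that illustrate the distinction, and the allowlist and helper names are my own.

```python
# Listening sockets from the post's netstat -t --listening output, plus two
# constructed lines: a loopback-only service and an IPv6 wildcard socket.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:ipp *:* LISTEN
tcp 0 0 *:microsoft-ds *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:ipp *:* LISTEN
tcp 0 0 127.0.0.1:mysql *:* LISTEN
tcp6 0 0 :::ssh :::* LISTEN
"""

WILDCARDS = {"*", "0.0.0.0", "::"}       # bound to every interface
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_listeners(text):
    """One dict per LISTEN line: protocol, bound address and port or service name."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue                              # banner and header rows
        addr, port = fields[3].rsplit(":", 1)     # rsplit keeps IPv6 "::" intact
        listeners.append({"proto": fields[0], "addr": addr, "port": port})
    return listeners


def exposure(addr):
    """Where a socket can be reached from, judged by its bound address."""
    if addr in WILDCARDS:
        return "all-interfaces"
    if addr in LOOPBACK:
        return "loopback"
    return "specific"


def exposed_services(text, allowlist=frozenset()):
    """Services reachable on every interface that are not on the allowlist,
    deduplicated (netstat lists one socket per address family)."""
    names = {l["port"] for l in parse_listeners(text)
             if exposure(l["addr"]) == "all-interfaces"}
    return sorted(names - set(allowlist))


if __name__ == "__main__":
    for l in parse_listeners(NETSTAT_OUTPUT):
        print(l["proto"], l["addr"], l["port"], exposure(l["addr"]))
    print("review these:", exposed_services(NETSTAT_OUTPUT, allowlist={"ssh"}))
```

With `ssh` as the only intended service, the check lists x11, ipp, microsoft-ds and netbios-ssn for review while leaving the loopback-only mysql socket alone. On newer distributions `ss -tln` gives the same listing, and adding `-p` to either tool (as root) names the process holding each socket, which is what you need before shutting a service down.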

Find alive hosts in a network with ICMP nmap

Introduction

If you want to know which servers or hosts are alive and responding to ping in your local network, you can use nmap.

Using nmap to discover ‘alive’ machines on a Network

To use this command and get an effective response, the servers or hosts you are pinging need to respond to it; today a lot of hosts have a firewall by default and will not respond to pings, so be aware of that.

The command is:

nmap -sP 10.1.1.*

(-sP is the old name of the ping-scan option; current nmap calls it -sn and still accepts -sP. The target can also be written as 10.1.1.0/24.) This will have a response like this:

Nmap scan report for 10.1.1.1
Host is up (0.0060s latency).
Nmap scan report for 10.1.1.192
Host is up (0.0023s latency).
Nmap scan report for 10.1.1.193
Host is up (0.061s latency).
Nmap scan report for 10.1.1.198
Host is up (0.0046s latency).
Nmap scan report for 10.1.1.200
Host is up (0.0044s latency).
Nmap scan report for 10.1.1.254
Host is up (0.030s latency).
Nmap done: 256 IP addresses (6 hosts up) scanned in 2.94 seconds
Those are the machines that were on, on a holiday, at my office.

Thursday, April 7, 2011

BIRTH OF THE FAMOUS NAMES....!!!



GOOGLE 
The name started as a joke boasting about the amount of information the search engine would be able to search. It was originally named 'Googol', the word for the number written as 1 followed by 100 zeros. After the founders, Stanford graduate students Sergey Brin and Larry Page, presented their project to an angel investor, they received a cheque made out to 'Google'... thus the name.


HOTMAIL
Founder Jack Smith got the idea of accessing e-mail via the web from a computer anywhere in the world. When Sabeer Bhatia came up with the business plan for the mail service, he tried all kinds of names ending in 'mail' and finally settled for Hotmail, as it included the letters "html", the markup language used to write web pages. It was initially written as HoTMaiL, with selective uppercasing.


HEWLETT-PACKARD

Bill Hewlett and Dave Packard tossed a coin to decide whether the company they founded would be called Hewlett-Packard or Packard-Hewlett.


INTEL

Bob Noyce and Gordon Moore wanted to name their new company 'Moore Noyce', but that was already trademarked by a hotel chain, so they had to settle for an acronym of INTegrated ELectronics.


LOTUS (Notes)



Mitch Kapor got the name for his company from 'The Lotus Position' or 'Padmasana'. Kapor used to be a teacher of Transcendental Meditation under Maharishi Mahesh Yogi.


MICROSOFT

Coined by Bill Gates to represent a company devoted to MICROcomputer SOFTware. Originally christened Micro-Soft, the hyphen was removed later on.

MOTOROLA

Founder Paul Galvin came up with this name when his company started manufacturing radios for cars. The popular radio company at the time was called Victrola. 


ORACLE

Larry Ellison and Bob Oats were working on a consulting project for the CIA (Central Intelligence Agency). The code name for the project was Oracle (the CIA saw it as the system that would give answers to all questions, or something like that). The project was designed to make use of the newly written SQL from IBM. The project was eventually terminated, but Larry and Bob decided to finish what they had started and bring it to the world. They kept the name Oracle for the RDBMS engine, and later for the company.


SONY
It originated from the Latin word 'sonus', meaning sound, and 'sonny', American slang for a bright youngster.

SUN
Founded by four Stanford University buddies, SUN is the acronym for Stanford University Network. Andreas Bechtolsheim built a microcomputer; Vinod Khosla recruited him and Scott McNealy to manufacture computers based on it, and Bill Joy to develop a UNIX-based OS for the computer.

YAHOO! 
The word was invented by Jonathan Swift and used in his book 'Gulliver's Travels'. It represents a person who is repulsive in appearance and action and is barely human. Yahoo! Founders Jerry Yang and David Filo selected the name because they considered themselves yahoos. 

Wednesday, April 28, 2010

Stop brute force attacks with these iptables examples

First let's define with the help of Wikipedia what a dictionary attack is:

In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.

A dictionary attack uses a brute-force technique of successively trying all the words in an exhaustive list called a dictionary (from a pre-arranged list of values). In contrast with a normal brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words, for example a dictionary (hence the phrase dictionary attack) or a bible etc. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries, or simple, easily-predicted variations on words, such as appending a digit.

So, as you can see, there are two types of brute-force attack: those that use a dictionary and those that do not. The technique below protects against both, because it does not look at which passwords are tried, only at how many new connections a single IP opens in a given time.

This technique uses iptables to block a particular IP once it has passed a threshold of new connections within a given period of time.

I will show here, some basic IPtables rules to protect a web server from brute force attacks, but this example can be adapted to other scenarios.

   
Basic rules, only open port 80 (http) and 22 (ssh)

This is written as a script that may be run each time your server starts, or you can have the rules restored by the iptables service at boot, as I will show you later.

iptables -F                                            # flush the existing rules
iptables -A INPUT -i lo -p all -j ACCEPT               # anything on loopback
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to connections we already have
iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset   # new TCP packets without an MSS option (option 2); a genuine SYN carries one
iptables -A INPUT -p tcp --dport ssh -j ACCEPT         # port 22
iptables -A INPUT -p tcp --dport www -j ACCEPT         # port 80
iptables -P INPUT DROP                                 # everything else is dropped

This iptables script will close every port except ssh and www, but our server is still open to brute force attacks on ssh, so let's address that by adding two more rules that only permit a certain number of new connections to our server from a given IP.
Stop brute force attacks

Here is the example that will stop the brute force attacks.

iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT                   
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport www -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 \
--hitcount 2 -j DROP
iptables -P INPUT DROP

If we now run

sudo iptables -L

This is the output

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: UPDATE seconds: 600 hit_count: 2 name: DEFAULT side: source
           tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: DEFAULT side: source
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp option=!2 reject-with tcp-reset
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

The two rules inserted with -I do the trick (since -I puts a rule at the top of the chain, they appear first in the listing above, in reverse order of insertion). Here is a simple explanation of what they do:

This line:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

adds the source address of every new connection to the ssh port to a "recent" list (the list called DEFAULT in the listing), together with the time it was seen.

And this one:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 \
--hitcount 2 -j DROP

checks, before the packet reaches the --set rule, whether that address already has 2 or more entries from the last 600 seconds; if so the packet is dropped and the entry is refreshed. In effect two new SSH connections per 600 seconds are accepted from an address and the third is dropped, and because a dropped attempt also refreshes the list, an address that keeps retrying stays blocked until it has been quiet long enough for its entries to fall out of the window.

You can adjust those values to better fit your needs (and replace eth0 with your interface name; current distributions use names such as ens3 or enp0s3). Keep in mind that the rule counts new connections, not failed logins: an administrator who opens three sessions in ten minutes, or several users behind one NAT address, hit the limit too, and a distributed attack from many addresses is not slowed at all. Use it together with key-only authentication, not instead of it.

Make it automatic

The rules above live in the kernel only until the next reboot (iptables -L merely displays them). With the SysV init scripts of the time, if your distribution's iptables script supports it, you may run:

On Debian or Ubuntu:

sudo /etc/init.d/iptables save

On Arch Linux:

sudo /etc/rc.d/iptables save

and add iptables to the DAEMONS line of the /etc/rc.conf file.

On current systems those scripts are gone: on Debian/Ubuntu install the iptables-persistent package and save the rules with iptables-save | sudo tee /etc/iptables/rules.v4; on Arch save them with iptables-save | sudo tee /etc/iptables/iptables.rules and enable iptables.service with systemctl. In both cases the saved file is restored at boot.
Logging the connections

If you want to keep a log of the failed connections write something like this:

iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT                   
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport www -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 \
--hitcount 2 -j LOG
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 \
--hitcount 3 -j DROP
iptables -P INPUT DROP

Note that the LOG rule has a lower hitcount than the DROP rule, so an address crossing the lower threshold is logged first: with the values above the third new connection within 600 seconds is logged (and still accepted, since LOG does not stop rule processing and the drop threshold has not been reached), and the next one is dropped. The log entry written by the kernel looks like this:

Apr 26 20:44:44 arch kernel: IN=eth0 OUT= MAC=00:19:d1:ea:e6:3f:00:11:2f:8f:f8:f8:08:00 SRC=97.107.x.x DST=200.87.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=37839 DF PROTO=TCP SPT=50094 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
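To see exactly what the two -m recent rules do to a sequence of connection attempts, and to pull the source address and port out of LOG lines like the one above, here is a small simulation. It is an added example and not part of the original post. The RecentTable class models the xt_recent module's behaviour as documented in iptables-extensions(8): --set records a timestamp for the address; --update matches only an address already listed with at least --hitcount stamps inside the --seconds window and, on a match, records a fresh stamp as well (the assumption of this model is that the stamps already in the list are counted and the current packet is not, because it is only recorded by the --set rule further down). The attempt stream and its two source addresses are constructed; the log line is the one quoted above, addresses masked as in the post.

```python
"""Simulate what the post's `-m recent` rules do to a stream of new SSH connections, and
parse the kernel LOG line they produce."""
import re
from collections import deque

IP_PKT_LIST_TOT = 20          # stamps xt_recent keeps per address (module default)


class RecentTable:
    """Model of one xt_recent list (the 'DEFAULT' list the post's rules use).
    Assumption of this model: --update counts the stamps already recorded for the
    address (not the packet being examined) and records a new stamp only on a match."""

    def __init__(self):
        self.stamps = {}      # src -> deque of arrival times (seconds)

    def set(self, src, now):
        self.stamps.setdefault(src, deque(maxlen=IP_PKT_LIST_TOT)).append(now)

    def update(self, src, now, seconds, hitcount):
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits < hitcount:
            return False
        self.stamps[src].append(now)
        return True


# Rules as they sit in the chain after the `iptables -I` commands (last inserted ends up first).
# Only the rules a NEW SYN to port 22 can reach are modelled; reaching the end of the walk
# stands for the `--dport ssh -j ACCEPT` rule.
DROP_ONLY = [("update", 600, 2, "DROP"), ("set",)]
LOG_THEN_DROP = [("update", 600, 3, "DROP"), ("update", 600, 2, "LOG"), ("set",)]


def walk_chain(table, rules, src, now):
    """Return (verdict, logged) for one new connection. LOG is non-terminating."""
    logged = False
    for rule in rules:
        if rule[0] == "set":
            table.set(src, now)
        elif table.update(src, now, rule[1], rule[2]):
            if rule[3] == "DROP":
                return "DROP", logged
            logged = True
    return "ACCEPT", logged


def simulate(rules, attempts):
    """attempts: [(seconds_since_start, src_ip), ...] in time order."""
    table = RecentTable()
    return [(now, src) + walk_chain(table, rules, src, now) for now, src in attempts]


# Constructed attempt stream: one address hammering port 22, one well-behaved neighbour.
ATTEMPTS = [(0, "203.0.113.5"), (10, "203.0.113.5"), (15, "198.51.100.7"),
            (20, "203.0.113.5"), (30, "203.0.113.5"), (700, "203.0.113.5")]

# The post's kernel log line, addresses masked as in the post.
LOG_LINE = ("Apr 26 20:44:44 arch kernel: IN=eth0 OUT= MAC=00:19:d1:ea:e6:3f:00:11:2f:8f:f8:f8:08:00 "
            "SRC=97.107.x.x DST=200.87.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=37839 DF PROTO=TCP "
            "SPT=50094 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0")


def parse_kernel_log(line):
    """Pull the KEY=value pairs and the bare TCP flag words out of a netfilter LOG line."""
    kv = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    flags = {w for w in line.split() if w in ("SYN", "ACK", "FIN", "RST", "PSH", "URG")}
    return {"in": kv.get("IN"), "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
            "sport": int(kv["SPT"]) if "SPT" in kv else None,
            "dport": int(kv["DPT"]) if "DPT" in kv else None, "flags": flags}


if __name__ == "__main__":
    for name, rules in (("drop at 2", DROP_ONLY), ("log at 2, drop at 3", LOG_THEN_DROP)):
        print(name)
        for now, src, verdict, logged in simulate(rules, ATTEMPTS):
            print(f"  t={now:4d} {src:15} {verdict}{' (logged)' if logged else ''}")
    print(parse_kernel_log(LOG_LINE))
```

With the drop-only ruleset the first two connections from 203.0.113.5 are accepted, the third (t=20) and fourth (t=30) are dropped, and because dropped attempts also refresh the list the address only gets in again once fewer than two of its stamps fall inside the last 600 seconds (here, any attempt after t=620); a client that keeps retrying therefore stays blocked. With the log-then-drop ruleset the third attempt is logged and still accepted, and the fourth is dropped. The neighbour at 198.51.100.7 is never affected, since the list is kept per source address.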

Wednesday, April 7, 2010

Firewall Identification & Traceroute,Firewalking,Hpinging,ICMP,NMAPing


Introduction:
Application gateways (proxies) and packet-filtering gateways are the two basic types of firewall on the market. Application gateways inspect traffic at the application layer and are CPU-hungry, so on busy networks packet-filtering devices are preferred; vendors are now trying to combine both characteristics in one product.
Installing a firewall at a gateway is not a security panacea. Those who attended the BlackHat conference (www.blackhat.com) this July in Las Vegas will still remember the presentations on FW-1 penetration. Security vulnerabilities are discovered every year in just about every firewall on the market. The worst cases, however, are the misconfigured, unattended and unmaintained ones. Laziness? Who knows, but it helps attackers.
There are many tools out there to test the security of our applications; penetrating a network, however, is often held up by a firewall.
Like skilled attackers, we need methodologies for getting into systems during our pen-tests. I will basically try to cover the methods widely used in the wild. We need to understand the ACLs (access control lists) of a firewall or router, map what is behind it, find out what is allowed in, and so on.
Since one of our main aims is not to trigger intrusion detection systems, we do not want to use full-connect (3-way handshake) port scanning: it is noisy, and completing a handshake with every port on the firewall just to check it is easily spotted. Quiet techniques are preferred in pen-tests.
Moreover, we should know that most firewalls do not respond to ICMP echo requests (ping), as long as they were configured by an experienced firewall administrator.



==================================================
Firewall Identification & Traceroute:
Traceroute is a network debugging utility that attempts to map every router on the path to a destination host. It sends probes (UDP datagrams by default on Unix, or ICMP Echo Requests with -I) with the IP TTL (time to live) set to 1, then 2, then 3, and so on. Each router that decrements the TTL to zero discards the probe and returns an ICMP Time Exceeded message, which reveals that router's address and round-trip time. When a probe finally reaches the target, the UDP datagram is addressed to a high port that is almost certainly closed, so the target answers with ICMP Port Unreachable and traceroute knows it has arrived (with ICMP probes the target sends an Echo Reply instead). Windows systems use ICMP Echo Requests only: you cannot use the UDP method with Microsoft's traceroute implementation, "tracert".
Let's assume that a network is protected by an access-control device, a firewall of some sort, and that it denies everything in except DNS traffic. A regular traceroute will look as follows:
[willyhacker]#traceroute 10.10.0.10
traceroute to 10.10.0.10 (10.10.0.10), 30 hops max, 40 byte packets
1 10.10.0.2 (10.10.0.2) 0.540 ms 0.394 ms 0.397 ms
2 10.10.0.4 (10.10.0.4) 2.455 ms 2.479 ms 2.512 ms
3 10.10.0.6 (10.10.0.6) 4.812 ms 4.780 ms 4.747 ms
4 * * *
5 * * *
As you can see from the preceding example, we cannot go beyond 10.10.0.6, which most probably means there is a blocking device at hop 4. To understand this we have to dig a little deeper.
When traceroute is run with the default UDP option, it increments the destination port for every datagram it sends, starting at a base port (33434 by default, settable with -p). So we need an equation that gives the base port such that the first probe to reach the filtering device carries the port we want. The starting port number is
(Target port - (number of hops * number of probes)) - 1
where the number of hops is the count of hops that answered in front of the firewall (3 in the example above), and the number of probes per hop is 3 by default. This is the numbering of the classic BSD-derived traceroute, whose first probe goes to base+1: with 53 as the target port and 3 hops the base is (53 - 9) - 1 = 43, and the first probe sent with TTL 4 then carries port 53.
Knowing this, let's look at our traceroute again:
[willyhacker]#traceroute -p43 10.10.0.10
traceroute to 10.10.0.10 (10.10.0.10), 30 hops max, 40 byte packets
1 10.10.0.2 (10.10.0.2) 0.540 ms 0.394 ms 0.397 ms
2 10.10.0.4 (10.10.0.4) 2.455 ms 2.479 ms 2.512 ms
3 10.10.0.6 (10.10.0.6) 4.812 ms 4.780 ms 4.747 ms
4 10.10.0.8 (10.10.0.8) 4.972 ms 4.980 ms 6.361 ms
5 * * *
BOOM! We got through to the firewall, 10.10.0.8, and into the network behind it, which is most probably a DMZ. However, we could not get a reply from 10.10.0.10. The reason is simple: the probes that reached it were not aimed at UDP port 53. Traceroute kept incrementing the port number, so the hop-5 probes carried ports 56 to 58 and were stopped by the ACL on the firewall.
Don't worry, Mike Schiffman (the author of the famous firewalk) has a remedy for that: his modified traceroute 1.4a5 (grab it from www.packetfactory.net) adds a -S switch that keeps the destination port fixed. Current Linux traceroute offers the same thing with -U -p 53 (UDP to one fixed destination port).
[willyhacker]#traceroute -S -p53 10.10.0.10
traceroute to 10.10.0.10 (10.10.0.10), 30 hops max, 40 byte packets
1 10.10.0.2 (10.10.0.2) 0.540 ms 0.394 ms 0.397 ms
2 10.10.0.4 (10.10.0.4) 2.455 ms 2.479 ms 2.512 ms
3 10.10.0.6 (10.10.0.6) 4.812 ms 4.780 ms 4.747 ms
4 10.10.0.8 (10.10.0.8) 4.972 ms 4.980 ms 6.361 ms
5 10.10.0.10 (10.10.0.10) 6.1022 ms 5.660 ms 8.531 ms
Boom, there we go. So now we know the IP address of the firewall, one entry of its ACL (UDP port 53 allowed in; TCP 53 remains to be checked) and a box behind it. This juicy information helps further penet ration in our tests.
To find other permitted ports we can repeat the exercise with other port numbers; with a home-grown script it can be done systematically.
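The port arithmetic above is easy to get wrong by one, so here it is worked through as code; this is an added example rather than part of the original article. It assumes the classic BSD traceroute numbering (first probe at base+1, which is what the formula above encodes) and exposes that offset as a parameter, because current Linux traceroute sends its first probe to the base port itself; the hop count and port values are the article's.

```python
"""Which destination port each traceroute probe carries, and the port base that makes the
first probe arriving at a filtering device carry a wanted port."""

DEFAULT_BASE = 33434            # traceroute's default UDP destination port base


def probe_port(base, hop, probe, nprobes=3, first_offset=1):
    """Destination port of probe number `probe` (1-based) sent with TTL `hop`.
    first_offset=1 models classic LBL/BSD traceroute, which increments its sequence
    counter before each send so the very first probe goes to base+1 (the article's
    formula assumes this); first_offset=0 models a traceroute whose first probe uses the
    base itself, as current Linux traceroute does. Check your own copy with tcpdump."""
    return base + (hop - 1) * nprobes + (probe - 1) + first_offset


def base_for_port(target_port, hops_before_filter, nprobes=3, first_offset=1):
    """Port base so the first probe that reaches the filtering device (sitting at hop
    hops_before_filter + 1) carries target_port. With first_offset=1 this is the
    article's (target_port - hops * probes) - 1."""
    return target_port - hops_before_filter * nprobes - first_offset


def port_table(base, max_hop, nprobes=3, first_offset=1):
    """{hop: [ports of its probes]} for hops 1..max_hop."""
    return {hop: [probe_port(base, hop, p, nprobes, first_offset) for p in range(1, nprobes + 1)]
            for hop in range(1, max_hop + 1)}


def hops_hitting(base, target_port, max_hop, nprobes=3, first_offset=1):
    """(hop, probe) pairs that carry target_port. With an incrementing port exactly one
    probe does, which is why the hop behind the firewall stays silent and a fixed-port
    traceroute (Schiffman's -S, or -U -p on current Linux traceroute) is needed."""
    return [(hop, i + 1) for hop, ports in port_table(base, max_hop, nprobes, first_offset).items()
            for i, port in enumerate(ports) if port == target_port]


if __name__ == "__main__":
    base = base_for_port(53, hops_before_filter=3)        # the article's -p43
    print("base port:", base)
    for hop, ports in port_table(base, 6).items():
        print(f"hop {hop}: {ports}")
    print("probes carrying port 53:", hops_hitting(base, 53, 6))
```

With base 43 the table shows hop 4 probed on ports 53, 54 and 55 and hop 5 on 56, 57 and 58, which is exactly why the firewall answered at hop 4 and nothing came back from hop 5; hops_hitting confirms that only one probe in the whole run carries port 53.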
============================================================
Firewalking:
Firewalk is another utility written by Mike Schiffman, also found at www.packetfactory.net. The aim of this handy little tool is to find which ports a filtering device (firewall) lets through. It does so by aiming probes at a live host behind the firewall without ever reaching that host, and thereby discovers which services are permitted, i.e. which ports are open on the firewall.
A second potential advantage of firewalk is mapping the unknown network behind the filtering device. By sending packets towards every host behind the firewall, an attacker can build an accurate topology of the network behind it.
The firewalk scan works by sending TCP or UDP packets with an IP TTL set to expire exactly one hop past the firewall (it first "ramps up" the hop count to learn how far away the gateway is). If the filtering device allows the traffic through, the next hop decrements the TTL to zero and elicits an ICMP TTL Exceeded in Transit back to the attacker. If the filtering device blocks the traffic, nothing comes back, which means the port is filtered at the firewall.

[willyhacker]#firewalk -n -P135-140 -pTCP 10.10.0.5 10.10.0.20
Firewalking through 10.10.0.5 (towards 10.10.0.20) with a maximum of 25 hops.
Ramping up hopcounts to binding host...
probe: 1 TTL: 1 port 33434: [10.10.0.4]
probe: 2 TTL: 2 port 33434: [10.10.0.6]
probe: 3 TTL: 3 port 33434: [10.10.0.8]
probe: 4 TTL: 4 port 33434: [10.10.0.10]
probe: 5 TTL: 5 port 33434: Bound scan: 5 hops [10.10.0.10]
port 135: open
port 136: *
port 137: open
port 138: *
port 139: open
port 140: *
However, what we see in our tests is that some firewalls recognise that the packet will expire when it gets to the target host before they apply their ACL rules, and elicit an ICMP TTL Expired packet back to the attacker; this leads to false positives.
To learn more about firewalk, check the following URL: www.es2.net/research/firewalk

==================================================
Hpinging:
This tool is basically a TCP ping utility with some additional functionality. You may grab it from www.kyuzz.org/antirez. It lets the user set many fields of the TCP packet, which may let it pass through filtering devices that would block a plain ping, and it reports the packets it gets back. With the -p switch we can set a fixed destination port, as in the traceroute case, and pass through the firewall; we can even fragment the packets (-f). But it is basically a TCP ping-sweeping utility.
[willyhacker]# hping 10.10.0.10 -S -p 53 -f
60 bytes from 10.10.0.10. flags=SA seq=0 ttl=124 id=17051 win=0 time 45.3
60 bytes from 10.10.0.10. flags=SA seq=1 ttl=124 id=19551 win=0 time 134.9
As you can see, whenever a port is open (TCP 53/DNS here) we receive packets back with the SYN/ACK flags set; a closed but reachable port would answer with RST/ACK, and a port the firewall filters answers with nothing at all.
Moreover, some filtering devices cannot handle fragmented packets and let them in, so fragmentation can help us map the network behind the filtering device.
==================================================
Stateless Firewalls & Source Port Scanning:
This method applies to filtering devices that do not keep track of connection state; namely, it will not work against stateful filtering devices. The idea: think of a device that never remembers whether a connection began on the inside or the outside. Boom! I see your eyes sparkle. Right: FTP, or, yes, DNS. Any others? Several. Such a device has to let packets with source port 20 (FTP's default DATA port) or source port 53 in from anywhere, so if we send our probes with source port 20 we can check the system behind the firewall and map the network behind it.
For this we will use nmap; we will discover its other features later in this paper. The -g switch of nmap sets the source port.
[willyhacker]# nmap -sS -P0 -g 20 -p 139 10.10.0.10
As you can see, we use the SYN scan (-sS) without pinging (-P0, spelled -Pn in current nmap) the target system; both -sS and -g need root.
If it turns out that the port is open, this has two significant meanings: first, the probed system is alive behind the firewall, which is good for network mapping; second, the firewall's ACL does not block TCP port 139, which is a good starting point for attacking Windows-based systems.
The authors of Hacking Exposed also mention this method in their second edition, and they have a very handy tool for exploiting it to get into a system, fpipe, which you may grab from www.foundstone.com. This utility is a port redirector with which you can set the source port to 20.

============================================================
ICMP Enumerating with icmpenum:
Ping is perhaps the best-known ICMP packet: ICMP ECHO REQUEST (type 8), answered by ICMP ECHO REPLY (type 0). Therefore most firewall admins block incoming pings, but they often do not care about the other ICMP types, which can be handy for gathering juicy information about the target.
To use the other ICMP types, our favourite tool is icmpenum from Simple Nomad. You may grab it from his personal site, www.nmrc.org.
Instead of ICMP ECHO packets we can send ICMP TIMESTAMP REQUEST (type 13) and ICMP INFORMATION REQUEST (type 15) packets to the system. Furthermore, it supports spoofing and promiscuous listening for the replies. Icmpenum is great for enumerating networks that block ICMP Echo but have failed to block Timestamp or Information requests, or for upstream sniffing of trusted addresses.
[willyhacker]#icmpenum -I 2 -v 10.10.0.0
10.10.0.2 is up
10.10.0.4 is up
10.10.0.6 is up
10.10.0.8 is up
10.10.0.10 is up
In the preceding example we have enumerated all live hosts in the 10.10.0.0 network by sending ICMP TIMESTAMP requests.
As mentioned earlier, it can spoof packets with the -s switch and listen in promiscuous mode with the -p option.
[willyhacker]#icmpenum -I 3 -s 10.10.0.50 -p -v 10.10.0.10
In this example we have spoofed the source address 10.10.0.50 with the -s switch, listened in promiscuous mode with -p (the replies go to the spoofed address, so we have to sniff them off the wire) and used ICMP INFO packets (-I 3).
To summarise, this tool lets us determine live hosts behind filtering devices with the help of the ICMP types ECHO, INFO and TIMESTAMP REQUEST. In many pen-tests I deploy this handy little utility to check for live hosts behind the firewall, and it works most of the time.
==================================================
Playing with the ICMP Packages:
Ofir Arkin has released a whitepaper about the hazards of ICMP and its use for operating-system guessing and filtering-device testing. I strongly suggest you take a look at his study. This part of our paper depends heavily on his findings. I have tested his findings in a laboratory and used some of the ideas in my pen-tests; I found them especially handy for network topology mapping and ACL discovery. You can find his detailed document at www.blackhat.com; he gave a talk this year at BlackHat Europe.
We can use various methods to elicit an ICMP error message from a probed host and so discover its existence. Some of them are:
• Mangling the IP header
o Header Length field
o IP Options field
• Using non-valid field values in the IP header
o Using valid field values in the IP header
• Abusing fragmentation
• The UDP scan host-detection method
With the first method we send datagrams with bad IP headers, which generate an ICMP Parameter Problem error from the probed machine back to the source address of the probing datagram. The second method uses non-valid field values in the IP header to force the probed machine to generate an ICMP Destination Unreachable error message back to the attacker's machine. The third method uses fragmentation to trigger an ICMP Fragment Reassembly Time Exceeded error message from the probed machine. The last method uses a UDP scan to elicit ICMP Port Unreachable error messages from closed UDP ports on the probed hosts. In each case the error message quotes the header of the datagram that triggered it, so we can tell which probe, and which hop, it belongs to.
The tool we will use to play with these ICMP packets is called ISIC, written by Mike Frantzen. You can grab it from
ISIC lets the user specify how often the packets will be fragmented, carry IP options, TCP options and so on.
In the next example I sent 20 IP packets from a Linux machine to a Microsoft Windows NT Workstation 4 SP4 machine. The datagrams were not fragmented, nor were bad IP version numbers sent. The only odd thing in the IP headers was a random IP header length, which produced ICMP Parameter Problem Code 2 error messages, as I anticipated.
[root@stan packetshaping]# ./isic -s 192.168.5.5 -d 192.168.5.15 -p 20
-F 0 -V 0 -I 100
Compiled against Libnet 1.0
Installing Signal Handlers.
Seeding with 2015
No Maximum traffic limiter
Bad IP Version = 0% Odd IP Header Length = 100%
Frag'd Pcnt = 0%
Wrote 20 packets in 0.03s @ 637.94 pkts/s
tcpdump trace:
12:11:05.843480 eth0 > kenny.sys-security.com > cartman.sys-security.
com: ip-proto-110 226 [tos 0xe6,ECT] (ttl 110, id 119,
optlen=24[|ip])
12:11:05.843961 eth0 P cartman.sys-security.com > kenny.sys-security.
com: icmp: parameter problem - octet 21 Offending pkt:
kenny.sys-security.com > cartman.sys-security.com: ip-proto-110 226
[tos 0xe6,ECT] (ttl 110, id 119, optlen=24[|ip]) (ttl 128, id 37776)
If we probe the entire IP range of the targeted network with all combinations of protocols and ports, the replies draw us the network's topology map and let us determine the access list (ACL) a filtering device is enforcing (if one is present and it does not block outgoing ICMP Parameter Problem error messages).
Moreover, if you want to play with low-level raw TCP/IP packets in order to test your systems, firewalls and filtering devices, I suggest using CASL (Custom Auditing and Scripting Language). CyberCop from NAI (www.nai.com) has a unique feature that lets us craft low-level packets in a GUI. We can script any packets we like and run them against firewalls or whatever system we want. By combining this tool with the findings of Ofir Arkin, we can get an idea of what is happening on the victim's side, determine the ACL and map the network topology. By the way, don't forget to run your sniffer of choice on your attacking box to review the packets elicited from the target.


==================================================
NMAPing: (network mapping)
I must mention nmap, which you can get from www.insecure.org/nmap; it is such a wonderful tool that you cannot do without it. It has many switches that ease our job from many perspectives. Until recently this tool was mainly a UNIX tool; however, the folks at eEye (www.eeye.com) have released an NT version that performs the same functions as the UNIX version.
Although it is basically a port scanner, its features let us do some quiet port probing. Yet I should mention that there is intrusion detection software out there capable of catching nmap scans.
As I mentioned, most firewalls do not respond to ICMP echo requests (ping), so we use the -P0 switch (-Pn in current versions), which disables the ping before the scan. The -sS switch performs a TCP SYN (half-open) scan, and so on. To get all the features of nmap, type
[wilyhacker]# nmap -h
on your box.
A "filtered" port in nmap means one of two things happened to the probe:
No reply at all came back, neither SYN/ACK nor RST.
An ICMP type 3 (Destination Unreachable) error came back (codes 1, 2, 3, 9, 10 or 13).
Nmap combines these conditions and reports the port as "filtered". To tell them apart, nmap examines the ICMP packets sent back to the attacking box: an ICMP error quotes the header of the probe it refers to, so it carries all the data needed to understand what is happening.
An "unfiltered" port is reported only by the ACK scan (-sA), when an RST comes back: either our packets are passing through the filtering device and the target itself answers, or the firewall is answering on the target's behalf with a spoofed RST. In a SYN scan (-sS) a port that answers RST is reported as "closed". In both cases the answer is still useful: it shows that the filtering device passes traffic to that port.
Anyway, I don't want to get into the details of nmap, as there are many papers out there explaining them; as should be clear by now, it is handy for mapping networks behind firewalls and for discovering filtering-device ACLs.
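Everything in this paper ultimately depends on reading ICMP error messages correctly: traceroute and firewalk look for Time Exceeded, a UDP traceroute ends on Port Unreachable, ISIC's mangled headers provoke Parameter Problem, and nmap's "filtered" verdict rests on Destination Unreachable codes. The code below is an added example, not from the paper or from any of the tools named: it builds four such replies from constructed packets using the paper's 10.10.0.0/24 lab addresses, verifies the checksum, pulls the quoted probe (protocol, addresses, ports, TTL) out of each, and classifies what the reply says about the path. The address constants and the state names are my own.

```python
"""Decode the ICMP error messages that traceroute, firewalk, isic and nmap all read, and
recover which probe each one refers to. Sample replies are constructed inline."""
import socket
import struct

# Constructed addresses in the paper's 10.10.0.0/24 lab.
PROBER, FIREWALL, TARGET = "10.10.0.1", "10.10.0.8", "10.10.0.10"
# ICMP type 3 codes that a SYN scan reports as "filtered" rather than "closed".
NMAP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def inet_checksum(data):
    """RFC 1071 checksum; a message whose checksum field is already correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, ttl):
    """Plain 20-byte IPv4 header, as the original probe's header is quoted back in the error."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_error(type_, code, quoted, rest=0):
    """type, code, checksum, 4 'rest' octets (the pointer sits in the first one for type 12),
    then the quoted IP header plus the first 8 octets of the offending datagram (RFC 792)."""
    msg = struct.pack("!BBHI", type_, code, 0, rest) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def decode_icmp_error(icmp, reporter):
    """What an ICMP error sent by `reporter` tells us about the probe it quotes."""
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    type_, code, _, rest = struct.unpack("!BBHI", icmp[:8])
    quoted = icmp[8:]
    vihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", quoted[:20])
    l4 = quoted[(vihl & 0x0F) * 4:][:8]        # transport header: TCP and UDP both begin with the ports
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    if type_ == 11:                 # Time Exceeded: the reporter is a live hop and the probe got past
        state = "hop_alive"         # every filter in front of it (traceroute's and firewalk's signal)
    elif type_ == 3 and code == 3 and proto == 17:
        state = "target_port_closed"      # UDP traceroute reached the target; the port is closed
    elif type_ == 3 and code in NMAP_FILTERED_CODES:
        state = "filtered"          # nmap's verdict; the reporter is usually the filtering device
    elif type_ == 12:
        state = "param_problem"     # header mangled (isic) but parsed far enough to reply: host alive
    else:
        state = "other"
    return {"reporter": reporter, "type": type_, "code": code, "state": state,
            "proto": PROTO_NAMES.get(proto, str(proto)), "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "ttl": ttl, "sport": sport, "dport": dport,
            "pointer": rest >> 24 if type_ == 12 else None}


def sample_replies():
    """Four constructed replies: the firewall passing UDP/53, the target closing a high UDP
    port, the firewall refusing TCP/139, and a Parameter Problem (code 2, bad length) with
    the pointer at octet 21 like the one in the paper's tcpdump trace."""
    udp53 = ipv4_header(PROBER, TARGET, 17, 1) + struct.pack("!HHHH", 40000, 53, 8, 0)
    udp_high = ipv4_header(PROBER, TARGET, 17, 1) + struct.pack("!HHHH", 40001, 33435, 8, 0)
    tcp139 = ipv4_header(PROBER, TARGET, 6, 64) + struct.pack("!HHI", 40002, 139, 0)
    odd_hdr = ipv4_header(PROBER, TARGET, 110, 110) + bytes(8)
    return [(FIREWALL, icmp_error(11, 0, udp53)),
            (TARGET, icmp_error(3, 3, udp_high)),
            (FIREWALL, icmp_error(3, 13, tcp139)),
            (TARGET, icmp_error(12, 2, odd_hdr, rest=21 << 24))]


def decode_all():
    return [decode_icmp_error(pkt, who) for who, pkt in sample_replies()]


if __name__ == "__main__":
    for r in decode_all():
        print(f"{r['reporter']:>11} type {r['type']}/{r['code']} -> {r['state']:20} "
              f"{r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} pointer={r['pointer']}")
```

The key point is the quoted header: since RFC 792 requires every ICMP error to carry the original IP header plus the first 8 octets of its payload, each reply can be matched to the probe (and therefore to the hop and port) that caused it even when many probes are in flight, which is what lets a sniffer on the attacking box reconstruct an ACL from a run of traceroute, firewalk or nmap.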
============================================================
Conclusion:
The aim of this paper was to give some idea of firewall penetration testing and of mapping the network topology behind firewalls. We have touched on many different sorts of firewall-scanning tools, and there are many more in the wild.
These methods are deployed in pen-tests to discover what is behind the filtering device and to figure out its ACL. To do a successful pen-test we need to know what is happening behind the closed doors: who is watching the door, what is he or she checking, and so on. Harvesting a wealth of information is the main step of a successful attack, and to gather this information we have to get through firewalls.
Watch your servers at wild
Mab-