Darknet - The Darkside » unix

stealth techniques – syn

backbone — Fri, 08 Jun 2007 19:13:37 +0000

Or half-open scanning technique is the first of three to come series about stealth scanning… The other two are Xmas/Fin/Null and idle/zombie scan techniques…

Intro
This is a series of three to come articles about stealth scanning, everything that I am going to present is hping oriented so if you want to learn this techniques you’d better get a copy of hping.
This method is invoked when you add nmap the -sS parameter… so let’s start…

3 Way Handshake
If you didn’t know a tcp connection is based on a method called the three way handshake, that goes like this:

[host] syn flagged packet ———> [destination] receives packet
[destination] syn-ack flagged packet ———> [host] receives packet
[host] ack flagged packet ———> [destination] receives packet [connection established]

This is the methodology of a TCP connection, just upon a successful execution of this section a real connection is done… You probably can see a weak point in this method, can’t you. For every sent packet the host (and destination) waits a period of time for the next packet. If you can send really fast spoofed syn packets you can DoS a target in no time, this is the oldest DoSing method ever known to man (and women) =)

SYNner
Firstly let’s see what happens if we hit a closed port, try out the following command (and result after it):

C:\\>hping -p 81 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter -
Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0
data bytes

len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=0
win=0 rtt=70.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=1
win=0 rtt=20.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=2
win=0 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=3
win=0 rtt=40.0 ms

As you can see on an unsuccessful port scan we get a Reset-Acknowledge , which tels us, as already mentioned, that we hit a closed port…
Now for the moment we all were waiting for:

C:\\>hping -p 80 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter -
Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0
data bytes

len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0
win=5840 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0
win=5840 rtt=0.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=1
win=5840 rtt=50.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0
win=5840 rtt=0.0 ms

As you can see we hit an open port… If you weren’t attentive till now a syn-ack flag means an open port, half-way connected…

Epilogue
Nowadays this method isn’t as stealthy as it was years ago, because now firewalls most often drop unwanted packets or sees them as pre-DoS syn packets…

More info about TCP :: www.rhyshaden.com
(first useful link that I have found with google)

Next >> Xmas/Fin/Null

Installing Nessus on Debian-based OSs like Ubuntu

Tiago Faria — Tue, 14 Nov 2006 13:17:02 +0000

With this simple tutorial I will explain how to install Nessus client (nessus) and Nessus Daemon (nessusd) and properly register it, so you don’t end up with the limitations of a non-registered version of the vulnerability scanner.

Installing:

I personally use apt-, however, you may choose any other package manager.

apt-get install nessus nessusd -y

This will install the nessus client and server, and the -y is used to answer YES to the confirmation of apt-get.

We have now installed both the client and the server. Let’s proceed to the addition of a user:

nessus-adduser

Display:

gouki@8104:~$ sudo nessus-adduser Using /var/tmp as a temporary file holder

Add a new nessusd user ----------------------


Login : darknet

Authentication (pass/cert) [pass] :

Login password :

Login password (again) :
User rules

----------

nessusd has a rules system which allows you to restrict the hosts

that darknet has the right to test. For instance, you may want

him to be able to scan his own host only.
Please see the nessus-adduser(8) man page for the rules syntax
Enter the rules for this user, and hit ctrl-D once you are done :

(the user can have an empty rules set)
Login             : darknet

Password          : ***********

DN                :

Rules             :
Is that ok ? (y/n) [y] y

user added.
About this display:
When asked about Authentication (pass/cert) [pass] : just press enter, as we will not use any.

When asked about rules for the specific user, press CTRL+D, as we will not enter any rules for the user.
Starting the Daemon:
By default, nessusd has not started. To manully force him to, you will need to do the following:
sudo /etc/init.d/nessusd start
Registering Nessus:
Nessus will work without being registered, however, it will have limitations. Unnecessary limitations, since it is easily registered.
Nessus Registration page - Go here and start the proccess.
After you have entered your e-mail address, the instructions on how to register will not work on Debian-based OSs.
On the eMail from the Nessus team, you will be instructed to this path: /opt/nessus/bin/nessus-fetch, however, the path should be replaced by /usr/bin, making the complete registration command: sudo /usr/bin/nessus-fetch --register XXXX-XXXX-XXXX-XXXX-XXXX
You should now have a complete and working installation of Nessus. Enjoy and remember, automatic scanners are not 1337! =)
TIP: Before starting to use Nessus, update the plugins by doing the following:

sudo nessus-update-plugins



OSSEC HIDS – Open Source Host-based Intrusion System
Darknet — Mon, 15 May 2006 03:27:39 +0000

OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response.
It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Solaris and Windows.
This is the first version offering native support for Windows (XP/2000/2003). It includes as well a new set of log analysis rules for sendmail, web logs (Apache and IIS), IDSs and Windows authentication events.
The correlation rules for squid, mail logs, firewall events and authentication systems have been improved, now detecting scans, worms and internal attacks.
The active-responses were also refined, with support to IPFW (FreeBSD) added.
The installation process was re-organized, now including simpler configuration options and

translation on 6 different languages (English, Portuguese, German, Turkish, Polish and Italian).
You can download the Unix and Windows versions here.
Read more Here.

The full changelog is here.
       



Free Prep Material for LPI Linux Certification (LPI 201 and 202)
Darknet — Sat, 25 Feb 2006 10:50:04 +0000

Here’s a series of well written IBM Linux tutorials to help you learn Linux fundamentals and prepare for system administrator certification. The LPI prep tutorials help you prepare for the topics in LPI exam 201 and the topics in LPI exam 202.
You can find more about the certification at the Linux Professional Institute.
I’ve been meaning to take LPI 201 for quite sometime actually, it looks like a pretty solid foundation to Linux and I know most of it allready, so I should be able to do it without too much problem.
You can find the material at IBM:
Linux Professional Institute Exam Prep
The eight tutorials below help you prepare for the eight topics in LPI exam 201. Exam 201 is the first of two LPI intermediate-level system administrator exams. Both exam 201 and exam 202 are required for intermediate-level certification, or LPIC-2.
You do have to sign up, or just use Bugmenot, the bugmenot extension for Firefox is very useful ;)

To any budding hackers, yes it is recommended you have strong Linux skills.