Archive | October, 2014

Port Knocking with Knockd and Knock for National Cyber League (NCL)

From Wikipedia: “In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s).”[1]

Install the Knockd Service and Client

sudo apt-get install knockd

A challenge may include using the knock client and the default knockd sequence to open one or more new ports. It is recommended that you scan the client with nmap -sV -p- -T5 [ipaddress]. This will show the currently open port(s) and service/version information. Try the knockd default sequence: knock -v [ipaddress] 7000 8000 9000.

There will be no immediate indication that a port has opened after knocking, as you will have to re-scan and compare to find the new open port. More than likely there is a time limit on how long the new port will stay open and available for access.

PROTIP: You may have to use “wget” to extract the flag. The command wget --no-check-certificate https://webaddress:port might extract the page hosted on the open port.
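Seen from the server side, the default sequence above is something to look for in your own knockd.conf. The following is an added example, not code from the original post or from the knockd project: it parses a constructed sample config and lists the sections that still use the stock sequence. The sample config, the function names and the reverse "close" sequence are assumptions.

```python
DEFAULT_SEQUENCES = {
    ("7000", "8000", "9000"),  # default sequence quoted in the post
    ("9000", "8000", "7000"),  # its reverse (assumed stock "close" sequence)
}

# Constructed sample config, not taken from a real host.
SAMPLE_CONF = """\
[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
    sequence    = 9000:tcp, 8000:tcp, 7000:tcp
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[openHTTPS]
    sequence    = 41822,17003:udp,55310
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 443 -j ACCEPT
"""

def parse_knockd_conf(text):
    """Return {section: {option: value}} for knockd.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def default_sequence_sections(text):
    """List the sections whose knock sequence is a well-known default."""
    flagged = []
    for name, opts in parse_knockd_conf(text).items():
        # Drop optional ":tcp"/":udp" suffixes and spaces before comparing.
        ports = tuple(p.strip().split(":")[0]
                      for p in opts.get("sequence", "").split(",") if p.strip())
        if ports in DEFAULT_SEQUENCES:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(default_sequence_sections(SAMPLE_CONF))
```

Any section this reports should get a site-specific sequence before the service is exposed.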

KnockdEfault Evaluator v1.1 – knock-knock

The two tools in this package are knockdefault.py and knockd_on-off.py. The first of these is a scanner to identify default configs and the latter is a utility to interact with identified vulnerable services.[2]

root@kali:~# git clone https://github.com/hack1thu7ch/knock-knock.git
root@kali:~# cd knock-knock/
root@kali:~# ./setup.sh
root@kali:~# ./knockdefault.py

 

Web Citations:
[1] http://en.wikipedia.org/wiki/Port_knocking
[2] http://www.shortbus.ninja/default-knockd-cloaking-configurations/

The Migration to Moon, Mars and Beyond

Earth is the cradle of humanity, but one cannot remain in the cradle forever — Russian physicist and rocketry pioneer Konstantin Tsiolkovsky


Scanning for Single Critical Vulnerabilities

Where I work, we have a decent sized IP space and scanning can be problematic. Within our IP space, we can have ~20 Million IPs available. Traditional scanning using NMAP, while effective, can take a long time even with aggressive scan settings. By leveraging new scanning technologies like Masscan (hxxps://github.com/robertdavidgraham/masscan), this scanning can be done in minutes. With moderate settings (I don’t want to crash firewalls), it takes about 15 min per port.

While this example is specific to Heartbleed, I use this technique for any of the exploit-of-the-day. By using a fast port scanner to reduce the number of hosts to only the systems running the service in question, you can dramatically speed up your scan time. Additionally, within the first couple of days of an exploit, you may be using a custom script to scan rather than a plugin from an enterprise solution.

Another use case is a vulnerability found during incident response. If I determine a specific vulnerability was used to compromise a server, I then use this technique to determine other possible compromised systems. If they were not compromised, then we have them patch.  — Tom Webb

Masscan

Installing the utility is easy:

git clone https://github.com/robertdavidgraham/masscan

cd masscan/

make; make install

Masscan uses a similar command line to nmap.

masscan -p 443,448,456,563,614,636,989,990,992,993,994,995,8080,10000 10.0.0.0/8 -oG 10-scan-443 --max-rate 10000
  • -p ports to scan
  • 10.0.0.0/8 network to scan
  • -oG output in grepable format
  • 10-scan-443 is the filename created by the scan
  • --max-rate sets the speed of the scan

Once Masscan has quickly identified targets for deeper inspection, you can use your more specific tool to determine if the system is vulnerable. In this example, it's an nmap plugin.

NMAP

cd /tmp

svn co https://svn.nmap.org/nmap

cd nmap

./configure;make;make install

To get the input file in the correct format, use the following command to get just a file with a single IP per line.

grep -v '#' 10-scan-443 |awk '{print $2}' >/tmp/nmap

To run nmap, make sure you have the right ports specified, the specific script you need and specify the correct input file.

nmap -p 443,448,456,563,614,636,989,990,992,993,994,995,8080,10000 --script=ssl-heartbleed.nse -iL /tmp/nmap -oA /tmp/ssl-vul-test
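The hand-off from Masscan to nmap described above can also be done with a small parser. This is an added example, not part of the original diary entry: it de-duplicates hosts that answered on several ports, finds the IP by its "Host:" label rather than by column position, and narrows the nmap port list to ports actually seen open. The sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of masscan -oG output; the fourth line carries an extra
# leading field to show why the parser keys on the "Host:" label, not column 2.
SAMPLE = (
    "# Masscan scan (constructed sample)\n"
    "Host: 10.0.0.5 ()\tPorts: 443/open/tcp////\n"
    "Host: 10.0.0.5 ()\tPorts: 8080/open/tcp////\n"
    "Timestamp: 1413936000\tHost: 10.0.0.17 ()\tPorts: 993/open/tcp////\n"
    "Host: 10.0.0.9 ()\tPorts: 443/open/tcp////\n"
    "Host: not-an-ip ()\tPorts: 443/open/tcp////\n"
)

HOST_RE = re.compile(r"Host:\s+(\S+)")
PORT_RE = re.compile(r"(\d+)/open/tcp")

def parse_masscan_grepable(text):
    """Map each responding IP to the set of TCP ports masscan saw open."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        match = None if line.startswith("#") else HOST_RE.search(line)
        ports = {int(p) for p in PORT_RE.findall(line)}
        if not match or not ports:
            continue
        try:
            hosts[ip_address(match.group(1))] |= ports
        except ValueError:
            continue  # skip anything that is not a literal IP address
    return dict(hosts)

def nmap_inputs(hosts):
    """Return (sorted unique targets, port list) for nmap -iL and -p."""
    targets = sorted(hosts, key=lambda ip: (ip.version, int(ip)))
    ports = sorted(set().union(*hosts.values()))
    return [str(ip) for ip in targets], ",".join(str(p) for p in ports)

if __name__ == "__main__":
    targets, ports = nmap_inputs(parse_masscan_grepable(SAMPLE))
    print("\n".join(targets))  # one IP per line, as the -iL file expects
    print("-p", ports)
```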

 

SOURCE: https://isc.sans.edu/diary/Scanning+for+Single+Critical+Vulnerabilities/18881


Create an Idea Index

Professional blogger and avid reader Maria Popova uses the Idea Index, which eliminates the guesswork of referring back to important passages of a book. Study Hacks Blog explains how the method works:

Around thirty-one minutes into the interview, Popova explains how she takes notes on books:

  • As she reads, she creates an index at the front of the book that lists its most interesting ideas.
  • Every time she encounters a passage relevant to one of these ideas she adds the page to the relevant line in the index. If it's a new idea, she creates a new line for it.
  • As she reads more, the index grows.

Here’s what’s great about this idea index method: When you pick up a book read long ago, you can quickly recall what it has to offer by glancing at the index. Then, if you want to grab some quotes about one of these ideas, the index tells you exactly where to look (no more reading every annotation!).

SOURCE: http://fourhourworkweek.com/2014/10/21/brain-pickings/


Look Closely! by Rich Shelton

F-18 Blue Angel zooming through the Golden Gate bridge