
GCIA Exam

Hi all,

It has been such a long time since my last post. I have been very busy. Last week I took the GCIA exam and passed it. I thought I could share my experience. So far I have taken 3 exams from GIAC. Those are GCFA, GCIH and GCIA. GIAC certifications are very valuable certifications and it is always a plus to have them on your resume. Personally, I value those certifications in the interviews I conduct.

The GCIA exam was the hardest GIAC exam I have had so far. If you want to pass this exam, make sure you know the following:

  • Snort (yes, lots of questions about Snort, and they are very detailed.)
  • A very deep level of understanding of TCP/IP
    • How to calculate the IP header
    • How to calculate the TCP header
    • How to calculate the data in a packet
    • Interpreting hex quickly
  • SIEM tools
  • ICMP, UDP, TCP, IPv6
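As a worked illustration of the header-math skills listed above (added here; not part of the original post), this Python snippet dissects a constructed IPv4/TCP hex dump: it derives the IP header length from the IHL field, the TCP header length from the data offset, the payload length from the difference, and verifies the IP header checksum.

```python
# Constructed IPv4/TCP packet as a hex dump (not a real capture): 20-byte IP header,
# 24-byte TCP header (data offset 6, SYN flag, one MSS option) and 5 bytes of payload.
PACKET_HEX = (
    "4500 0031 0001 0000 4006 f972 c0a8 0001 c0a8 0002"   # IPv4 header
    "04d2 0050 0000 0001 0000 0000 6002 ffff 0000 0000"   # TCP header (fixed part)
    "0204 05b4"                                           # TCP option: MSS 1460
    "6865 6c6c 6f"                                        # payload "hello"
)

def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when a header's checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:                    # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dissect(hex_dump: str) -> dict:
    """Pull the lengths and fields a GCIA-style hex question asks for out of a packet dump."""
    pkt = bytes.fromhex(hex_dump.replace(" ", ""))
    version = pkt[0] >> 4
    ihl = (pkt[0] & 0x0F) * 4             # IHL is counted in 32-bit words
    total_len = int.from_bytes(pkt[2:4], "big")
    proto = pkt[9]
    if version != 4 or proto != 6:
        raise ValueError("example only handles IPv4 carrying TCP")
    tcp = pkt[ihl:total_len]
    tcp_hdr_len = (tcp[12] >> 4) * 4      # data offset, also in 32-bit words
    flags = tcp[13]
    payload_len = total_len - ihl - tcp_hdr_len
    return {
        "ip_header_len": ihl,
        "ip_checksum_ok": ip_checksum(pkt[:ihl]) == 0,
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "src_port": int.from_bytes(tcp[0:2], "big"),
        "dst_port": int.from_bytes(tcp[2:4], "big"),
        "tcp_header_len": tcp_hdr_len,
        "syn": bool(flags & 0x02),
        "ack": bool(flags & 0x10),
        "payload_len": payload_len,
        "payload": tcp[tcp_hdr_len:tcp_hdr_len + payload_len],
    }
```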

I didn't have time to study, but my experience in network forensics helped a lot in answering the questions in the test. Here are some strategic test tips:

  • You can skip 5 questions. If you want to go back and answer those questions, you have to answer all 5; you cannot skip any other questions unless you answer those questions. My suggestion: do not use the skip question option too quickly. I did that because I didn't know that…
  • Watch your progress every 15 questions. GIAC tells you what percentage of questions you answered correctly every 15 questions. Don't stress out if you score very low; some questions are hard, some are very easy, so you will have chances to increase your score later.
  • If you don't know the answer to a question, try to eliminate the wrong answers in the multiple choices.
  • You have 240 minutes, which is more than enough, relax… If you think it is not enough for you to solve 150 questions, do not take this test. It is not for you.
  • The test is not easy; study the material, or if you have experience, use that. Some questions are directly related to the GIAC material (testing your memory, not really your knowledge, i.e. some unpopular command line options in Snort), so knowing the study materials will do better than trusting your experience on some questions. In the real world you have Google, Yahoo, Bing or man pages for command line options. I am not good at memorizing and don't really think it is very important. If you know how to get information, then you're good in the real world. You don't need to overload your memory with them. However, in the test it is a different story.

How To Protect Yourself From Frauds

The cyber world is a dangerous place. Governments and private industries become more and more aware of this danger every single day. What about citizen Joe and citizen Anna? Are they aware of the cyber threats? Do they know how cyber threats can take all of the hard-earned money they put into their bank accounts? Or that somebody thousands of miles away from them can impersonate them and make their friends send money to that person? There is a great variety of frauds in the cyber world. Most of them have been around for more than ten years. Most of them use techniques similar to those that old, traditional fraudsters use in the physical world.

There are a number of sites that have very good information about fraud prevention. One of them is this site. Just watch the videos on the site and you will get an idea of how those frauds can waste people's time and make their lives miserable. Just watch the video below. We will cover frauds in detail later.


CEH Module 5: Scanning (NMAP)

Today I would like to write about CEH module 5, which is Scanning. The last module covered on this blog was Footprinting, which can be found here. If you want to see all the modules written about CEH, you can click the "Certified Ethical Hacker" section in the right sidebar.

Even though I will talk about some general scanning techniques, my focus will be on the practical knowledge of nmap that is heavily tested on the CEH exam. I will not go deep into nmap (you can do lots of cool stuff with it); my focus is its general usage for the CEH exam.

NMAP

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

You need to know some basic options, scan types, and the IP address and port formats in nmap.

OPTIONS

-sT: connect scan
-sS: SYN scan (half open)
-sF: FIN scan
-sO: raw scan
-sX: XMAS scan
-sP: ping scan
-sU: UDP scan
-O: OS detection

Connect scan: the full 3-way handshake is performed, which is why this option is slow and leaves lots of footprints on the target system.
SYN scan: only SYN packets are sent to the targets. If the port is open we receive SYN+ACK; otherwise we receive RST, which indicates the port is closed…
Ping scan: also known as a ping sweep. Basically, nmap pings all the given machines and determines the live hosts.
UDP scan: if you want to see UDP ports, you need to run a UDP scan.

IP addresses

192.168.0.1-255
scanme.nmap.org/24
192.168.0.1/26

Port

-p23,25,80
-p1-1000

Examples

nmap -sS scanme.nmap.org/24 -p1-65535
nmap -sT -O 192.168.0.1-25 -p23
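As an added example (written for this page, not code from the original post or from the nmap project), this Python snippet expands the dotted-decimal target and port formats shown above into the concrete hosts and ports a scan would cover, and maps a SYN-scan reply to the port state described earlier. Hostname targets such as scanme.nmap.org/24 would need DNS resolution first and are deliberately not handled.

```python
import ipaddress
from itertools import product

def expand_ports(spec: str) -> list:
    """Expand an nmap -p spec such as '23,25,80' or '1-1000' into a sorted port list."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def expand_targets(spec: str) -> list:
    """Expand a dotted-decimal nmap target ('192.168.0.1-255' or '192.168.0.1/26')
    into host strings. Hostnames are not resolved by this example."""
    if "/" in spec:
        # CIDR: nmap walks the whole block, network and broadcast addresses included
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal target: {spec!r}")
    ranges = []
    for octet in octets:                  # each octet may be a single value or lo-hi
        lo, _, hi = octet.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {octet!r}")
        ranges.append(range(lo, hi + 1))
    return [".".join(map(str, combo)) for combo in product(*ranges)]

def syn_scan_state(reply_flags) -> str:
    """Port state a SYN scan infers from the reply's TCP flags (None means no reply)."""
    if reply_flags is None:
        return "filtered"        # no answer at all: something dropped the probe
    if "S" in reply_flags and "A" in reply_flags:
        return "open"            # SYN+ACK: a listener accepted the half-open connection
    if "R" in reply_flags:
        return "closed"          # RST: nothing listening on that port
    return "unknown"
```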

TCPview: Simple and Useful Tool

Netstat is a great utility to check network connections. It gives the local and remote addresses (with the port numbers, and the protocol name if it is a well-known protocol) and the state of the connections.

Sometimes we need more information than netstat provides. For example, what if we need the actual name of the process that listens on a specific port netstat tells us about?

We can use TCPview. TCPView is a Windows program that shows us detailed listings of all TCP and UDP endpoints on our system, including the local and remote addresses and the state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows.

Let's download TCPview from here.

If, like me, you prefer the command line, you can use tcpvcon, which comes with TCPview. They do the same job.

Say we want to know the process number and the process path, and end the process which listens on a specific port.

Start TCPview and highlight the process. Right click and then click 'Process Properties'.

When we think our Windows machine is compromised, we can use TCPview to check the network connections and the corresponding process names. Then we can use Wireshark to listen to those connections to gather more information.

One last thing: TCPview updates the connection table every second, but we can change this from 'View'.

A Powerful Vulnerability Scanner: Nessus- Part II

In my last blog post, I wrote about Nessus licenses and the installation process. Today, I would like to write about the usage of Nessus.

Updating Plug-ins

After you register and activate the Nessus server, it will start to download and then update the plugins. Plug-ins are a kind of virus signature: they test for common vulnerabilities on a machine. Nessus plugins are written in the Nessus Attack Scripting Language (NASL). [It might be a good idea to have articles on how to write NASL too.]

nessus_Download

Updating plug-ins (for the first time) can take up to 20 minutes, so be patient.

Client Configuration

Start Nessus Client from Start->Applications->Tenable->Nessus Client.

Click the '+' sign on the left. This brings up the 'Target Window', where we set which targets we want to scan.

nessus_client

We have 4 options we can use to scan the network. The first one is a single host. You can use the hostname or the IP address (example.com or 123.4.5.67).

The second option is an IP range. Basically, we provide a valid IP range such as 192.168.0.1-192.168.0.254.

We can also scan a subnet by providing its network address and subnet mask (Network Address: 192.168.0.0; Subnet mask: 255.255.255.0).

Finally, we can provide the host names or IPs we want to scan in a text file. This is useful if you already have the list of machines you want to scan and don't want to scan the whole network.

Choose whatever option you like and then click 'Save'.

Connecting to the Nessus Server

We will use the 'connection manager' to connect to the Nessus server.

First, click the Connect button at the lower left. It brings up the connection manager.

Nessus_ConnectionManager

As you see, by default we can connect to localhost. (Since I have the Nessus server running on the local machine, I will use this option.) If our server is on a different machine than the local one, click the plus sign at the bottom left.

You can name the new connection and choose the authentication method you want. You can simply use password-based authentication or SSL-based authentication.

After you set up the connection, click 'Save'. You should see a 'New Certificate Window' if you are connecting to the server for the first time. Click 'Yes' and log in to the server.

Nessus_Certificate

Policies

Now we need to add a new policy. Click the plus sign on the right and save this policy as Default Policy. This way you will always have the default policy in the policy section. Let's create a more specific policy. We will scan a Linux server (CentOS) that has Apache and MySQL on it.

Plugin Selection

To create a new specific policy for our example, click the plus sign again and then hit the 'Plugin Selection' tab. The server we are scanning is CentOS Linux, so we don't need the Local Security Checks plug-ins for Windows, Fedora, Red Hat, Ubuntu and Debian. Uncheck all of these (of course, you uncheck the ones that don't match your OS). The same goes for IIS Webserver. Now click the Policy tab and save this policy as Linux_CentOS Policy.

Important Note: The "Denial of Service" family contains some plugins (all DoS plugins are enabled by default) that could cause outages on a corporate network if the "Safe Checks" option (also enabled by default; it is under the Options tab) is not enabled, but the family also contains some useful checks that will not cause any harm. The "Denial of Service" family can be used in conjunction with "Safe Checks" to ensure that potentially dangerous plug-ins are not run. However, it is recommended that the "Denial of Service" family not be used on a production network.

Let's start scanning by clicking the 'Scan now' button at the bottom.

Reports

After the scan completes, you can see the results under the 'Report' section.

Nessus_Report

Nessus found one medium and 8 low risks. Usually you can ignore the low risks, and in some cases you can ignore the medium risk as well. An orange color on a port number (in our example, port 80) means the highest risk on that port is medium. Red means the highest risk is a 'high risk' (!) and black means it is a 'low risk'.

Nessus gives important information about possible vulnerabilities. You will see Synopsis, Description, Solution, Risk Factor and Plugin Output in the report.

Nessus_Report2

We can sort the output by vulnerabilities, hosts, ports, or IPs (one host can have more than one IP, right!) by using the 'View Template' button at the lower right.

We can export the report as HTML, which is useful. We can also get CVE output and create an Excel file if that is something you want. (I prefer creating Excel files using the CSV templates in Nessus; it makes my report more customizable.)

Conclusion

In this blog post, we learned how to configure a Nessus client and connect it to a Nessus server, how to scan networks, and how to read Nessus reports. In the next blog post(s), we will look into more details about scan progress and user management in Nessus.

Southern Illinois University Innovative Systems Conference (SIUIS4)

I attended SIUIS4 this Saturday. The organizer was the Southern Illinois University Innovative Systems group, a student-run interdisciplinary effort aimed at helping students at SIUC and around the area. The event, titled "SIUIS4," included a premier professional networking event featuring more than 20 speakers as well as technical presentations, panel discussions, paper symposiums, competitions and workshops, among other items. The conference is still taking its baby steps. However, there were some good talks and discussions. In particular, I liked the discussion about IPv6. It was an informative and interesting one. I will have a blog post about IPv6 soon.