Tag Archives: how to

Effective Security Project Management

After running several projects I observe very interesting things about the management of the security projects.

Stakeholders usually have very limited focus. For example if there is a project about network security, they don’t think how to implement some part of the projects into  say an application security project.

Moreover stakeholders usually have lack of long term thinking. You should never spend all of your money to achieve a single thing unless it is so critical. In other words you have to be very effective, efficient and smart. If you are doing a project to reduce abuse in your internal computing resources, don’t try to save the day. Try to save the weeks, months, and years. This is not hard to do.

When you design your project, assume that you are playing with lego. With lego you can build home, and you can break down the home and build a car with the same lego pieces. Your projects should be the same. Moreovoer there will be some “plugins”. This means if you want to achieve X, dont just build X. Do this

Build A, B and C and make them to work together to get X as a result of those three plugins.


Moreover the functionality of A, B and C shouldn’t so similar to each other. Make them somewhat diverse by thinking your only condition is that the total    result should be X.

Then next time when you are working for a different project, say project Y, think about using at least one plugin you have here i.e.


This makes you use your resources in a smart way and you have a long term thinking.

Always think smart since this will make your projects better and powerful…


PCI Vulnerability Scans – Part II: PCI and Wireless

In my  previous PCI blog post we discussed risk level of vulnerabilities for PCI. In this blog post I will go over wireless requirements and how to detect rogue APs.

11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.

11.1.a Verify that the entity has a documented process to detect and identify wireless access points on a quarterly basis.

11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

_ WLAN cards inserted into system components

_ Portable wireless devices connected to system components

(e.g., by USB, etc.)

_ Wireless devices attached to a network port or network device

11.1.c Verify that the documented process to identify unauthorized wireless access points is performed at least quarterly for all system components and facilities.

11.1.d If automated monitoring is utilized (e.g., wireless IDS/IPS, NAC), verify the configuration will generate alerts to personnel.

11.1.e Verify the organizationʼs incident response plan (Requirement 12.9) includes a response in the event unauthorized wireless devices are detected.

PCI wants you to detect rogue access points. However there is a flaw here. PCI doesn’t require you to monitor your network for rogue access points. It just want you detect them quarterly…

Well, what if attacker deploy an AP after you run your quarterly scan? You will be vulnerable lots of networking attack for a 3 more months and you will think you’re secure since you have PCI certification… This is another example of why you should not think you are secure just because you have a certification…

Anyway, let’s return our subject. So we need to determine rogue AP quarterly. Himm. Let’s see. We can do this by scanning all wireless APs and comparing the BSSIDs (mac address) of the APs that have same SSID with our APs. If we see any AP that has our SSID but not in our asset, that AP is a rogue AP.

A. Windows

Go to Start, type powershell, on the blue screen of power shell run these two following commands:

Netsh wlan show networks mode=bssid -> To get all BSSIDs

Netsh wlan show networks mode=ssid-> To get all SSIDs


KisMAC is a free, open source wireless stumbling and security tool for Mac OS

You can download it at http://kismac-ng.org/

After you run the KisMAC, click Start Scan in the bottom right corner.

C. Linux

Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring

mode, and can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic (devices and drivers permitting).

Linux users can download Kismet at http://www.kismetwireless.net

Note: Please read the full manual, but for the quick starters, here is the bare minimal instruction to operate Kismet:

• Download Kismet from http://www.kismetwireless.net/download.shtml

• Run “./configure”. Pay attention to the output! If Kismet cannot find all the  headers and libraries it needs, major functionality may be missing. Most notably, compiling Kismet yourself will require the development packages and headers, usually called foo-dev or foo-devel.

• Make sure that all the functionality you need was enabled properly in configure. Almost all users will need pcap and libnl support for proper operation.

• Compile Kismet with “make”.

• Install Kismet with either “make install” or “make suidinstall”.

Note: you must read the “suid” installation and security” section of the Readme or your system may be insecure.

• If you have installed Kismet as suid-root, add your user to the “kismet” group

• Run “kismet”. If you did not install Kismet with suid-root support, you need to start it as root in nearly all situations. This is not recommended as it is

less secure than privsep mode, where packet processing is segregated  from admin rights.

• When prompted to start the Kismet server, choose “Yes”.

• When prompted to add a capture interface, add your wireless interface. In nearly all cases, Kismet will autodetect the device type and supported

channels. If it does not, you will have to manually define the capture type   (as explained later in this README).

• Logs will be stored in the directory created when you started using Kismet, unless it changed via the “logprefix” config file or “–log-prefix” startup option.

• READ THE REST OF THIS README. Kismet has a lot of features and a lot of configuration options. To get the most out of it, you must read all of

the documentation.


With these tools you can get all SSIDs and BSSIDs on your area (It is good idea to capture packets in different areas of your buildings so that you have better chance to detect any existed rogue APs.


Update: I have received couple of e-mail about PCI scope on wireless. Here is what PCI says about it:

If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, “line-busting”), or if a wireless
local area network (WLAN) is connected to, or part of, the cardholder data environment (for example, not clearly separated by a firewall), the PCI
DSS requirements and testing procedures for wireless environments apply and must be performed (for example, Requirements 1.2.3, 2.1.1, and
4.1.1). Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk. Consider
deploying wireless technology only for non-sensitive data transmission.”

I believe it is pretty straight forward.  If there is no separation of wired/wireless networks with a firewall on your cardholder data environment you cannot think wireless network is out of your scope…

Reset Your Windows Password

We have lots of password to remember : workstation, servers, banks, forums, mails etc… This makes forgetting passwords easier. Today I would like to mention how to remove reset admin password on windows.

I am going to use chntpw. chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on your WinNT or Win2000 system, by modifying the crypted password in the registry’s SAM file. You do not need to know the old password to set a new one. It works offline (i.e., you have to shutdown your computer and boot off a linux floppy disk).

1. Insert Backtrack’s DVD on your windows computer and boot from CD (usually you can hit f2, f12 in order to see boot order, then you can force computer to boot from CD/DVD).

2. Mount your windows partition:

2.1. Run fdisk -l to determine where is your windows partition.
My windows partition is /dev/sda1

2.2 Create empty folder to mount windows partition.
mkdir /mnt/windows

2.3mount /dev/sda1 /mnt/windows

3. Go into chntpw directory
cd /pentest/passwords/chntpw

4. Run chntpw against your SAM

./chntpw -i /mnt/windows//WINDOWS/system32/config/SAM
5. Type the username you want to reset password, enter, then press 1, enter.

6. After made the changes,  you need to exit from the main chntpw menu and press “Y” to write the changes or “N”to ignore the changes.


Hiding Data: Slack Space on Linux

I am going to cover slack space in various operating systems. the first post would be about the slack space in Linux.

What is Slack Space?

Before going to explain slack space, one should know what blocks (on Linux) and clusters mean (on Windows).  Blocks are specific sized containers used by file system to store data. Blocks can also be defined as the smallest pieces of data that a file system can use to store information. Files can consist of a single or multiple blocks/clusters in order to fulfill the size requirements of the file. When data is stored in these blocks two mutually exclusive conditions can occur; The block is completely full, or the block is partially full. If the block is completely full then the most optimal situation for the file system has occurred. If the block is only partially full then the area between the end of the file the end of the container is referred to as slack space. Linux write nulls on slack space. This means to find data in slack space on Linux systems are rare. However, it is not impossible.

Today, I am going to show how to hide data on slack spaces using a tool called bmap.


Bmap ,a data hiding tool, can utilize slack space in blocks to hide data.

It can  perform lots of functions interesting to the computer forensics community and the computer security community. However, in this article we will focus on its data hiding capability.

Installing Bmap

Click this link and save the tar.gz file on your Linux desktop.tar xvzf bmap-1.0.17.tar.gz

After untaring the file, we now can go inside of the directory and compile the program.
cd bmap-1.0.17

Optional: I placed bmap into /sbin so don’t need to go into the bmap directory each time I want to run the program.
ln -s yourBmapFilePath /sbin/bmap

Hiding Data on Slack Space

In the following example we will hide some text into slack space. Let’s see what options we have with bmap:
bmap --help
bmap:1.0.17 (12/25/10) newt@scyld.com
Usage: bmap [OPTION]... []
use block-list knowledge to perform special operations on files
--doc VALUE
where VALUE is one of:
version display version and exit
help display options and exit
man generate man page and exit
sgml generate SGML invocation info
--mode VALUE
where VALUE is one of:
map list sector numbers
carve extract a copy from the raw device
slack display data in slack space
putslack place data into slack
wipeslack wipe slack
checkslack test for slack (returns 0 if file has slack)
slackbytes print number of slack bytes available
wipe wipe the file from the raw device
frag display fragmentation information for the file
checkfrag test for fragmentation (returns 0 if file is fragmented)
--outfile write output to ...
--label useless bogus option
--name useless bogus option
--verbose be verbose
--log-thresh logging threshold ...
--target operate on ...

The option I am going to use –mode option with slack, putslack, wipe, map VALUEs. I have created a text file named Ismail.txt. Let’s see what sectors this file uses.
bmap --mode map ismail.txt

As you can see from the output of bmap, ismail.txt uses 8 sectors starting from 3113400. This corresponds a block in Linux. This text file is too small to use all of these sector in the block.

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096

The file only uses 8 bytes (1 sector is 512 bytes, so it is in the first sector). All of 7 sectors and 504 bytes of the first sector are empty (Linux write null on the slack space, so all they have 0s.)

We can use this slack space to hide data.

echo "I'm hiding this and you cannot easily see it" | bmap --mode putslack ismail.txt
stuffing block 389175
file size was: 8
slack size: 4088
block size: 4096

Now check what we have in slack space:

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096
I'm hiding this and you cannot easily see it

(This command also gives the block number of the file, 389175)

We can now wipe the data we put on slack space.
bmap --mode wipe ismail.txt

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096


Slack space can be used for hiding data. Even though advanced forensics tools reveal the hidden information in slack space, most system owners will not check all slack space since this is so time consuming activity. Bmap is one of the tool that helps attackers to hide information into slack space on Linux systems. As security engineers, we need to be careful when we analyze a compromised Linux systems and check slack space as well.

How to make iPad Secure?

The iPad has been a very popular new device sold by Apple. But the iPad isn’t really enterprise ready, in terms of manageability and security. IT organizations are buckling under pressure to support the iPad, even though the iPad wouldn’t have passed last year’s enterprise security requirements. If you use this device you may be concerned about the iPad security. Here is some information you might be interested in.

Although Apple has an enviable reputation for producing secure computers, there has been many concerns expressed with the security and safety in devices like the iPad. This device uses a standard called iOS 4.

A recent report indicated that a Russian software was developed which can enable people to gain access to password protected iOS data backups.

Even more disturbing is the fact the iOS keeps virtually a complete log of everything a user types of the keyboard. This includes credit card information, account numbers, etc.

In addition these types of mobile devices require frequent updates which increase the risk of security breaches even more so.

It was reported by a French research firm called VUPEN Security that there are two major flaws which leaves iOS vulnerable. One is a memory corruption error which occurs when is processes a pdf file. And the other is an iOS kernel error.

This means that an app could get low level access to the operating system. Apple has tried to prevent this through the use of private API’s. However this has had questionable benefit.

How to Secure IPad?

AT&T has confirmed that the e-mail addresses of over 100,000 iPad 3G owners using its 3G network have been exposed. According to the carrier, it first learned of the issue on June 7 and resolved it on June 8.

Admittedly, AT&T’s security breach isn’t all that groundbreaking. If only e-mail addresses were stolen, it’s not the end of the world, since that wouldn’t be enough to use to steal more private information.

But that doesn’t mean it’s the end of the story. The iPad is just like any other computer, complete with the potential to access sensitive information. Realizing that, it’s incumbent upon iPad owners to engage in practices and use software that will make it easier for them to keep their private data secure.

Unfortunately, no product is safe from the crosshairs of malicious hackers. Try as consumers might to use products that will keep them secure, all it takes is one mistake or a network flaw beyond their control to wreak havoc on their personal lives. Let’s take a look at some things that iPad owners can do to keep their data private and secure.

1. Keep syncing

It might sound rather simplistic, but users should keep syncing their iPads with their computers as often as possible. The reason why is twofold. For one, the desktop computer acts as a removable storage device for the data on the tablet. Secondly, Windows machines or Mac OS X computers have better security controls than the iPad. If data is extremely important and consumers want to keep it away from prying eyes, having it in a more secure environment is always preferable.

2. Use security apps

The iPad runs iPhone OS. In other words, all the security tools that are available in Apple’s App Store that are designed for the iPhone will also work with Apple’s tablet. In some cases, the security tools aren’t all that useful, so exercising some vigilance before downloading certain applications is a good idea. But there are other apps that monitor network connections, keep passwords safe and much more. Although it’s easy to only browse iPad apps, some iPhone security apps will come in quite handy.

3. Work on trusted WiFi networks

Any iPad owner should be positive that the WiFi network he or she is on is trusted and safe. In far too many cases, WiFi connections on unprotected networks just aren’t as safe as they should be. And although it’s more difficult for folks to access information on an iPad than on, say, a Windows PC, sending sensitive information over that network can be dangerous, to say the least. Once again, the iPad is little more than a newly designed computer. Owners must always keep that in mind.

4. Stay off 3G wherever possible

Although AT&T’s 3G network has enjoyed relative security thus far, iPad owners should keep their tablets off the network as much as possible. When connecting over 3G, users are at the mercy of the network. They don’t necessarily know that it’s secure at all times, and they need to rely on the quality of AT&T’s service. But when surfing the Web on a WPA (Wi-Fi Protected Access)-protected router in their homes or organization, they have more control over security settings and what can be done to keep data secure. Little changes like that can go a long way in keeping iPad data safe and secure.

5. Remember Windows rules apply

iPads may not be running Windows, but some of the lessons learned in the PC ecosystem still apply in the iPad world. For instance, surfing to unknown, untrusted sites is never a good idea. Users should also refrain from opening attachments sent by people they don’t know. Unfortunately, these simple rules just aren’t followed by many iPad owners because they believe they’re safe. As AT&T’s network snafu has shown, there is no one who is absolutely safe from danger. Maintaining vigilance when using the iPad is the most important component of keeping it secure.

6. Physical security matters too

Physical security doesn’t always get the kind of play that network security does, but it’s arguably more important. If users really want to keep their sensitive information private, they need to be more careful with the iPad. They shouldn’t leave it on the table at a Starbucks when they pick up their drink at the counter. They also shouldn’t leave it lying around in plain view in the office for anyone to pick up. Those who want to steal sensitive information would rather have the device in hand than connect to it from other parts of the world.

7. Trust is a dangerous thing

Trust can wreak havoc on a person’s life when it comes to computer security. There’s little debating that there are few, if any, Websites that should be absolutely trusted. Not even e-mails from friends can be trusted, especially if they include unexpected attachments. In too many cases, Web users believe that simply because they have been to a site each and every day for the past three years, they will remain safe on that site. That’s a faulty belief. With some simple phishing scams or spoofing, all kinds of trouble can erupt. Don’t trust anything—even when using the iPad.

8. Passwords mean everything

Passwords are extremely important. With strong passwords, users can have a little more peace of mind if an iPad is stolen and is in the hands of a malicious hacker. Too often, folks use the same passwords for all their different online identities. The password someone uses to log in to Gmail is the same password he uses for online banking. The password he inputs to tweet with friends is the same as the code he uses when he needs to pay down his credit card balance. That’s not a good thing. As soon as attackers have one password, they will try it everywhere else. At the same time, the difficulty of breaking a password must always be kept in mind. iPad owners can’t use “1234″ for a password. They should be using alphanumeric passwords that have capital letters and symbols. It might sound like a pain to type in such passwords every time, but owners will be happy they did so if the iPad is stolen.

9. Lock it down

The iPad comes with password protection. And anyone who wants to keep data safe should lock it down with a strong password. In the iPad’s settings menu, owners can opt to turn on the device’s passcode lock. Once this has been done, every time the screen is turned on, users will be required to input a password to access the iPad’s home page. Again, it’s a pain for those who don’t want to have to input a passcode each time. But when it comes to security and the safety of private data, it’s arguably one of the best things a user can do.







CEH Exam Module 3: Footprinting

We covered the first module. I skipped the second one since you can read that Law section in your study book or any other place. I may have a post about it later.

Foot printing is one of the most important step in hacking. You need to know what your targets are capable of. Do they have IDS? Do they have firewall? What are the firewall rules? Who is their system admin? What is his e-mail address? …

There are lots of sites that you can gather info. My favorites are google, archive.com, PiPl.

Foot Printing Tools

For your CEH exam you need to know bunch of foot printing tools. I cannot mention all of them here, but I will tell the most important ones.

Google: Google and hacking tool? Yes, google can be used as a hacking tool. However, you need to know how to make effective searches.

I.) Phrase search (“”): By putting double quotes around a set of words, you are telling Google to consider the exact words in that exact order without any change. This is useful if you need exact strings in your search.

II.) Search within a specific website (site:): Google allows you to specify that your search results must come from a given website. For example, the query nessus site:nytimes.com will return pages about nessus but only from nytimes.com. This can be very useful if you already know what site can give best info about your target.

III.) Terms you want to exclude (-)
Attaching a minus sign immediately before a word indicates that you do not want pages that contain this word to appear in your results. The minus sign should appear immediately before the word and should be preceded with a space. For example, in the query anti-virus software, the minus sign is used as a hyphen and will not be interpreted as an exclusion symbol; whereas the query anti-virus -software will search for the words ‘anti-virus’ but exclude references to software.

IV) Fill in the blanks (*): The *, or wildcard, is a little-known feature that can be very powerful. If you include * within a query, it tells Google to try to treat the star as a placeholder for any unknown term(s) and then find the best matches. For example, the search Google *  will give you results about many of Google’s products. Note that the * operator works only on whole words, not parts of words.

Whois: Whois important tools that can list very important information about the websites such as e-mail addresses, contact names, phones, expiration date of the websites. On your linux machine you can run whois domainName and get details of the domain. You can also use whois.com

Whatismyipaddress.com: This is a website that give details of a given IP.

Traceroute: With traceroute you can get some information about the network. Traceroute list the routers between you and the target. This can be really useful information if you lunch a networking attack against the router.

Nslookup/host/dig : All of these tools do same job: List ip addresses for a given domain name. It basically query.

For example, if you want to learn IP address of google.com, type

C:\Users\ismail nslookup google.com
Non-authoritative answer:
Name:    google.com

Dig has more capacity besides giving you IP address of a domain (that can be done by pinging the server right? ).

There is a good article at slicehost website that cover some details of dig.

robot.txt: The Robot Exclusion Standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a website which is otherwise publicly viewable. Robots are often used by search engines to categorize and archive web sites, or by webmasters to proofread source code. The standard is unrelated to, but can be used in conjunction with, Sitemaps, a robot inclusion standard for websites.

As an ethical hacker, you can check if the webserver has a robot.txt file by looking www.example.com/robot.txt Some system admins think disallowing search engines searching directories may have sensitive information is a security measure that prevent others see these directories in search results. HOWEVER, by listing your sensitive directories in robot.txt will just make hackers to focus on these directories and worse thing you already saying where to attack…

I would not recommend using robot.txt. Instead secure these important directories by encrypting, or using access control methods.

As an ethical hacker always check robot.txt because there are lots system admins who does not know security very well.


Foot printing is an important phase of hacking. In this phase, the goal is get as much as information about the target. This information will be critical part of the attack vectors that be used in the next phases.

There are much more tools than what I covered here. You need to know them for the CEH exam. I will also cover more in later.

Tip: Study active and passive foot printing, know the difference.

Networking Setup on Debian Based Systems

Setting up network on linux machine can be a little challenging if you want to do static ip address.

First you need to be familiar with networking files and commands in linux.

Briefly ifconfig is the command you will use oftenly.

ifconfig will list network interfaces with their IP, and broadcast, netmask.
To see your gateway use route -n

Where is your dns servers?
Well check /etc/resolv.conf

If you want to use dhcp (which is by default on all Debian based systems) you should not touch any of these.

However what if you need to use static configuration?

Then lets take a look at our interfaces file /etc/network/interfaces

Typical static logical device configuration

# The primary network interface
auto eth1
iface eth1 inet static
# The secondary network interface
auto eth0
iface eth0 inet dhcp

Here eth1 was configured to use a static IP:
netmask, network, broadcast and gateway ips are also defined here as well as dns-nameservers.

auto means interface will automatically be up after boot.
as you see eth0 use dhcp configuration.

If you want to just change the gateway i then

ifconfig eth1 down
route add default gw 192.1o.119.254
ifconfig eth1 up

For more info you can check this document: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch03_:_Linux_Networking#How_to_Change_Your_Default_Gateway

Certified Ethical Hacker Exam

I have to blog my CEH experience otherwise I will not do it in the future. I promised myself that I will blog about CCNA exam and gave some tips about it and I wouldn’t. This time I will keep my promise to myself: time to write about CEH.

I passed CEH exam this Monday. According to EC Council (the organization who prepares CEH) The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

Security guys who want to take a certification exam but cannot decide between CEH and Security+, I will recommend CEH because it covers similiar topics with Sec+ and it also helps you test your skills in security tools such as snort, hping2, nmap, etc.

I have to tell you that I find the exam a little unprofessional. There was a question that asking to interpret the output above but there was nothing at above! I called the Testing Center Staff and let her to note this and send it to the EC-Council. I also saw some typos. You prepare a world wide exam and make this type of mistakes? It just shows how much Ec-Council cares about the exam.

Anyway, let’s return the our topic.

There are two ways to take the exam: Self Study and Training.

If you have enough experience in the security field or took some computer security courses in the college, I would say Training would be waste of money. Instead spend your money to build a test enviroment. Lots of tools are covered in the CEH are free. You may not even need to buy another computer since you can use virtual machines. If you have Windows then use VMWare player. If you have mac or linux use Virtual box. All of them are free.

You have to fill out this form in order to be able to have self study option:


For more info about the exam, visit https://www.eccouncil.org/certification/certified_ethical_hacker.aspx

You will see lots of subjects if you check CEH exam in its offical website.  I will try to cover most of them in this blog rest of the year.

First Module: Introduction to Ethical Hacking

# What does a Malicious Hacker do?

* Phase1-Reconnaissaance

o Reconnaissance Types

* Phase2-Scanning

* Phase3-Gaining Access

* Phase4-Maintaining Access

* Phase5-Covering Tracks

Phase1: Reconnaissance (Footprinting)

There are two types of footprinting: Passive and Active.

Whois, traceroutes, google, dumster diving are examples of passive footprinting.

Ping, traceroute, nslookup, dig, host are example of active footprinting.

After finding enough information about the target, next step would be scanning target hosts.

Phase2: Scanning

In this phase attacker wants to collect as much as information possible. He uses scanners like nmap, hping, nessus, etc.

The main goal in this phase is learning networking enviroment of the victim.

Phase3: Gaining Access

After having enough information about his target, attacker wants to have a control on the victim’s machine. In this phase he needs to understand what he has from previous phases. For example if he see port 135-139 and 445 are open, there would be a chance to connect the machine by openning a null session.

Phase 4: Maintaining Access

Hackers usually want to keep their access with their victims. In order to do this, they plant rootkits, trojans, open backdoors.

Phase 5: Covering Tracks

I think this is the hardest part for a hacker because modern operating systems and applications logs everything login failure, succesfull access, IPs, times….

This is actually a good thing for “ethical hackers” because we want to track intruders in case of an attack. Of course there are some ways to cover your tracks as much as possible but what I am saying none of these methods can gurantee you that you cover all of your tracks.

This module is just for some general background information. We will have much more fun with next modules (well not the next one but after the next- next one is about the laws.)

A Powerful Vulnerability Scanner: Nessus- Part II

In my last blog post, I mentioned about Nessus licenses and installation processes. Today, I would like to write about usage of Nessus.

Updating Plug-ins

After you register and activate the nessus server, it will start to download and then update the plugins. Plug-ins are kind of virus signatures.  Plug-ins test the common vulnerabilities on a machine. Nessus plugins are written on Nessus Attack Scripting Language (NASL). [It might be a good idea to have articles for how to write NASL too.]


Updating plug-ins (for the first time) can take up to 20 minutes so be patient.

Client Configuration

Start Nessus Client  from Start->Applications->Tenable->Nessus Client.

Click the ‘+’ sign at the left. This will bring ‘Target Window’ where we can set which targets we want to scan.


We have 4 options that we can use the scan the network. The first one is single host. You can use the hostname or the IP address. (example.com or

Second option is IP range. Basically, we can provide a valid ip range such as

We can also scan a subnet by providing its network and subnet address. (Network Address:; Subnet mask:

We can provide host names or IP we want to scan in a text file. This is beneficial if you already have the list of the machines you want to scan and don’t want to scan all the network.

Choose what ever option you like and then click ‘Save’.

Connecting to the Nessus Server

We will use ‘connection manager’ to connect to the Nessus server.

First, click the Connect button at the lower left side. It should bring connection manager.


As you see, by default we can connect the localhost. (since I have running nessus server on the local machine I will use this option.) If we have our server on a different machine than local machine, then click plus sign at the bottom left side.

You can name the new connection and choose the authentication method you want. You can simply use password based authentication or SSL based authentication.

After you set up the connection, click ‘Save’. You should see a ‘New Certificate Window’ if you are connecting to the server first time. Click ‘Yes’ and login to the server.



Now, we need to add a new policy. Click the plus sign at the right side and save this policy as Default Policy. In this way, you will always have the default policy in the policy section.  Let’s create a more specific policy. We will scan a Linux server (CentOS) which has Apache and MySQL on it.

Plugin Selection

To create a new specific policy for our example, click the plus sign again and then hit ‘Plugin Selection’ tab. The server we are scanning is a CentOS Linux. So we don’t need to have Local Security Checks Plug-ins for Windows, Fedora, Redhat, Ubuntu and Debian. Uncheck all of these (Of course you will uncheck the ones except your OS). Same thing goes with IIS Webserver. Now, click Policy tab and save this Policy as Linux_CentOS Policy.

Important Note: The “Denial of Service” family contains some plugins (all of DoS plugins are enabled by default) that could cause outages on a corporate network if the “Safe Checks” option (Safe Check is also enabled by default-it is under the Options tab) is not enabled, but does contain some useful checks that will not cause any harm. The “Denial of Service” family can be used in conjunction with “Safe Checks” to ensure that any potentially dangerous plug-ins are not run. However, it is recommended that the “Denial of Service” family not be used on a production network.

Let’s start scanning by clicking ‘Scan now’ button at the below.


After scan completes, you can see the result under the ‘Report’ section.


Nessus found one medium and 8 low risks. Usually, you can ignore the low risk and you can ignore the medium risk for some cases.Orange color on a port number (in our example, it is port 80 ) means the highest risk is medium. Red means highest risk is a ‘high risk’ (!) and black means it is a ‘low risk’.

Nessus gives the important information about possible vulnerabilities. You will see Synopsis, Description, Solution, Risk Factor and Plugin Output on the report.


We can sort the output based on Vulnerabilities, hosts, ports, IPs (one host can have more than one IP, right!) by using ‘View Template’ button on the lower right side.

We can export the report as html which is useful. We can also get CVE output and create an excel file if it is some thing you want. ( I prefer creating excel files using csv templates on Nessus, it makes my report more customizable)


In this blog post, we learned how to configure a Nessus client and connect it to a Nessus server,  how to scan networks, and how to read Nessus reports. In the next blog post(s), we look into more details about scanning progress and user management on Nessus.