01.24.08
Posted in IT at 9:43 pm by Tyler Reguly
It doesn't exist... the title is nothing more than wishful thinking... but think about it... it makes perfect sense.
There's a Facebook for BlackBerry app... this is to get the "younger crowd" using the BlackBerry Pearl (and potentially the Curve), but the BlackBerry was initially designed with business in mind, so why does a LinkedIn app not yet exist for the BlackBerry?
Even if it gave access to nothing but your contact list... I think it would be seen by many as highly useful.
Thoughts?
01.14.08
Posted in IT, Reviews, Security, Software, Tools at 11:33 pm by Tyler Reguly
The other day I posted raw data comparing nmap, PortBunny and Unicornscan... I thought today I'd provide some of my thoughts on what the data shows us.
In the end I scanned 5 hosts running a variety of operating systems and I think I gave a fairly decent small scale spread and one initial comment I'd like to make is on the scanning of the HP LaserJet 4MV... While not all scanners found all the ports, they were all able to scan it... which I found fairly impressive... especially considering I've crashed it numerous times in the past playing with advanced options in port scanners and packet creation programs.
Now for the analysis... Was there a winner? At first I didn't think so... but once I created the graph it became fairly evident that there was. Before I declare the winner... let's take a look at what we saw.
Unicornscan
I was fairly impressed with unicornscan the first time it ran... at least from a speed standpoint. That is, until I ran nmap and PortBunny. While unicornscan (on a standard scan, default ports) was able to provide consistent speeds... it was clear that on systems with fewer open ports... there was a huge disadvantage in the design of unicornscan... the consistent speeds were still occurring. If we look at my shell box for example (Ubuntu 6.06 PPC on an old 350MHz iMac), we see that unicornscan took what appears to be a respectable 9.2 seconds. However, nmap took only 1.5 seconds and PortBunny was less than a second at 0.7 seconds.
The full port scan also didn't bode well for unicornscan. On two hosts, the printer and the gateway, it failed to find any open ports... These are both slower systems (the older printer, and a soekris 486 for the gateway) so perhaps they couldn't keep up with the speed of the scan... or perhaps unicornscan was scanning too fast even for itself.
In the end, after seeing the results of nmap and PortBunny I was rather unimpressed with unicornscan.
nmap
I was quite impressed with nmap. During the default scan it tied PortBunny with the lowest number of missed ports (of course this is due primarily to the various scanners' default port lists) and on a full port scan, it was the only scanner to find all open ports. In addition to having the lowest missed-port rate... it boasted the fastest times... coming in 17.5 minutes faster than PortBunny on a full port scan, and 16 seconds faster on a default scan.
Additionally when I provided nmap with the '-T5 --max-retries 0' options, it blew PortBunny out of the water... it missed two additional ports over PortBunny on one of the 5 hosts, however the time difference was 5.3 seconds to 74 seconds... nmap was 68.7 seconds faster.
PortBunny
Given all the hype surrounding PortBunny and the fact that it is a "Linux Kernel-Based Port Scanner" (which is supposed to work to its benefit), I was expecting great things... instead I was seriously disappointed. There wasn't a single scan where PortBunny fully outperformed nmap... You have to set nmap to a ridiculous scan speed (scanning "almost too fast") in order for PortBunny to even manage to find more ports than nmap, and then it takes ~15 times longer to find those 2 extra ports... Without those "almost too fast" options, nmap still performs faster than PortBunny and with more accuracy.
There was one host where PortBunny was able to outperform nmap, however that was with nmap doing a default scan... when timing options were adjusted, once again PortBunny failed to beat nmap.
Decision
When I started this challenge, I wasn't sure what the outcome would be... the only prediction I had was that unicornscan would be defeated by both PortBunny and nmap. This proved to be true... Between nmap and PortBunny, due to the hype around PortBunny and the claims that I had seen... I really wasn't sure. I expected it to be a close battle between the two... at most a TKO... but in the end it was a straight-up KO and in reality PortBunny was never really a contender.
Winner: nmap
01.13.08
Posted in IT, Reviews, Security, Software, Tools at 11:33 pm by Tyler Reguly
There's been quite a bit of mention lately of PortBunny, the new port scanner from Recurity Labs. The scanner is Linux kernel-based and provides a TCP SYN Scan. I figured that I'd put the scanner to the test against nmap and Unicornscan.
Here's the rundown of the setup used:
Software + Version:
Scanning Host:
OS: Ubuntu 7.10
Kernel: 2.6.22-14-generic
Processor: Intel Pentium M 2.13GHz
RAM: 1GB
Install Process:
- Obtain archive
- Extract archive
- ./configure *No custom config options used for any of the software*
- make
- make install
Tested via Python:
Test Script (Note: I can't get my lines to tab properly, so tab over the four lines following def test):
import time, os

def test(prog):
    # Record wall-clock time around one scanner command run through the shell
    startTime = time.time()
    os.system(prog)
    endTime = time.time()
    print('Execution Time: %f' % (endTime - startTime))
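As an added example (not the author's script), here is a slightly more robust version of the same timing harness: it captures each scanner's output instead of letting it scroll past, parses nmap-style "PORT STATE SERVICE" lines, and scores each scanner's missed ports against the union of everything any scanner found, which is the metric the follow-up post uses. The sample output and the PYTHON constant are constructed/assumed for the demonstration.

```python
import re
import subprocess
import sys
import time

PYTHON = sys.executable  # used only to run a harmless stand-in command in tests

# Constructed stand-in for scanner output in nmap's "PORT STATE SERVICE"
# layout; this is not real data from the blog post's scans.
SAMPLE_OUTPUT = """\
Interesting ports on shell (192.0.2.10):
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)")


def time_command(argv):
    """Run one command; return (exit status, wall-clock seconds, stdout).
    Like the post's script this measures end-to-end time, but keeps the output."""
    start = time.time()
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, time.time() - start, proc.stdout


def open_ports(output):
    """Set of (port, proto) tuples reported as open in PORT STATE SERVICE lines."""
    found = set()
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found.add((int(m.group(1)), m.group(2)))
    return found


def run_trial(argv):
    """Time one run and parse what it reported (one scanner, one target)."""
    rc, seconds, out = time_command(argv)
    return {"rc": rc, "seconds": seconds, "open": open_ports(out)}


def missed_ports(results):
    """results maps scanner name -> set of open ports it found on one target.
    Each scanner is scored against the union of everything any scanner found,
    which is the 'missed ports' metric used in the comparison."""
    union = set().union(*results.values())
    return {name: sorted(union - ports) for name, ports in results.items()}
```

Feed `run_trial` the same argv for each scanner against each target and collect the "open" sets into `missed_ports` to get both numbers the comparison is built on.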
Targets:
- vista - Vista Home Premium
- shell - Ubuntu 6.06.1 LTS (2.6.15-28-powerpc)
- minibox - OS X 10.4.11
- printer - HP LaserJet 4MV
- gateway - m0n0wall 1.231
Scan Notes:
- PortBunny requires an IP Address, it won't run against hostnames.
- PortBunny doesn't sort the results list.
- Unicornscan missed all ports on printer and gateway when scanning ports 1 - 65535.
- PortBunny missed a port on printer when scanning ports 1 - 65535.
- nmap missed 2 ports on printer when scanning with -T5 --max-retries 0.
Results:

Raw Data, including ports found, after the jump.
01.10.08
Posted in IT, Security, Vulnerabilities at 12:51 pm by Tyler Reguly
By now many people will have seen this, it appeared on Slashdot and Halvar posted it to his blog, but for those that haven't... this is a pretty cool flash to watch. MS08-001 Disassembly.
Posted in IT, Security, Tools at 12:40 pm by Tyler Reguly
This is actually pretty cool... It's a new tool (Web-based) that came across the Web Application Security Consortium mailing list. Let's take a look at the tool in action first, example with ComputerDefense.org.
Showing records 1 - 13 out of 13 for www.computerdefense.org (82.165.158.149).
- capri-beauty.com
- computerdefense.org
- hometownssm.com
- hometowntoronto.com
- htregz.com
- korahgrads.com
- numerophobe.com
- pythongod.com
- reguly.org
- securitybloggers.net
- spammailbag.com
- themoviegeeks.net
- topsykrett.com
Those are indeed the domains I own, that reside on the same IP as ComputerDefense.org. Currently the database is restricted to .com, .net and .org but it's still fairly impressive. A method of determining vhosts is a great asset to penetration testers and security researchers.
The tool is available from a group called CRUSH. It requires that you validate you aren't a bot via a text / colour based CAPTCHA, however after the first time, you are good to make subsequent requests.
I'm going to have fun playing with this tool, taking a look at certain companies / websites and seeing what other domains they host on the same server...
01.07.08
Posted in IT, Security at 12:25 am by Tyler Reguly
First off... I wasn't dead... I took some holidays around Christmas and went up north to visit the family... Two weeks and I spent less than an hour in total touching a computer... it was great.
Anyways, I'm back and I looked at my Bloglines, well over 2000 articles to read... I skimmed a few but basically just ignored them all (in IT/IS, news really does change that quickly)...
One blog post that did catch my attention was Kurt Wismer's post over at Anti-Virus Rants.
Background: In 2005, two eEye researchers presented BootRoot, a PoC boot sector-based NDIS backdoor. Much of this PoC code is now being seen in an 'in-the-wild' attack.
So Kurt dislikes the fact that the eEye team released a PoC... apparently it is irresponsible and fundamentally wrong. I have to say I fully disagree with Kurt. The PoC has been modified, which means the individual knew what they were doing to some extent and simply reused code... on top of this, the research was published over 2 years ago... in 2 years, someone should have been able to develop a defense against this... instead people chose to ignore it.
I have to ask you this Kurt... How do you feel about the following:
All of the above either release proof of concepts, or discuss them... Are you against all of these as well? Should we boycott OWASP because they have PoC demos of various web-based attacks? Should we ignore the legit uses of Metasploit because of the malicious users?
Take a look at the talks given at BlackHat 2005. A large number of them contain information that, at the time, could give attackers the upper hand... So why pick on eEye, two years after the fact... just because someone decided to reuse some code from their PoC?