Archive for the ‘Tools’ Category

Playing with Python – nmap XML port frequency

Two Python libraries have caught my attention lately: the first is lxml and the second is matplotlib. Ideally I wanted to write something short, just to get a feel for the basics of them. The goal was figuring out what I could do quickly so that I could play around with arguments and output, yet still have an actual result. I also wanted a nicely formatted, useful XML file to parse. I ended up going with nmap's XML output. I also decided that I would plot the frequency of ports in the file.

Is this useful... perhaps? I could see a sys admin wanting a count of specific open ports on the network or a pen tester wanting to know the most common ports on a target network.

The Python script is extremely basic and is called via nmap_port_frequency.py <XML Input> <png Output>. The result is a PNG bar chart of how often each port was seen; the chart in the original post was the output from scanning three hosts.
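An added example of the parse-and-count half of such a script (this is not the post's nmap_port_frequency.py, which the page does not reproduce): it uses the standard library's ElementTree instead of lxml so it runs without extra packages, counts each port once per host, and only imports matplotlib when a PNG is actually requested. The XML is a constructed three-host sample in nmap's -oX layout, trimmed to the elements the counter reads.

```python
"""Count how many hosts in an nmap -oX file have each port open, optionally plotting it.
Added example, not the post's script; SAMPLE_XML is constructed."""
import sys
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML layout: three hosts, only the elements used below.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
    </ports></host>
</nmaprun>"""


def port_frequency(root, states=("open",)):
    """Counter of 'proto/port' -> number of hosts where that port was in one of `states`."""
    counts = Counter()
    for host in root.iter("host"):
        seen = set()  # a port counts once per host even if it appears twice in the file
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") not in states:
                continue
            seen.add(f"{port.get('protocol')}/{port.get('portid')}")
        counts.update(seen)
    return counts


def frequency_from_string(xml_text, states=("open",)):
    return port_frequency(ET.fromstring(xml_text), states)


def frequency_from_file(path, states=("open",)):
    return port_frequency(ET.parse(path).getroot(), states)


def plot_frequency(counts, png_path, top=20):
    """Bar chart of the most common ports; matplotlib is only needed here."""
    import matplotlib
    matplotlib.use("Agg")  # headless backend, no display required
    import matplotlib.pyplot as plt
    items = counts.most_common(top)
    labels = [key for key, _ in items]
    values = [n for _, n in items]
    fig, ax = plt.subplots(figsize=(max(6, len(items) * 0.5), 4))
    ax.bar(range(len(items)), values)
    ax.set_xticks(range(len(items)))
    ax.set_xticklabels(labels, rotation=90)
    ax.set_ylabel("hosts with port open")
    fig.tight_layout()
    fig.savefig(png_path)
    plt.close(fig)


def main(argv):
    if len(argv) != 3:
        sys.exit(f"usage: {argv[0]} <XML Input> <png Output>")
    counts = frequency_from_file(argv[1])
    for key, n in counts.most_common():
        print(f"{key:<12}{n}")
    plot_frequency(counts, argv[2])


if __name__ == "__main__":
    main(sys.argv)
```

nmap's XML carries no namespace, so plain tag names work in iter(). For UDP you will usually want states=("open", "open|filtered"), since nmap cannot tell the two apart without a response. One caveat for scan files you did not produce yourself: ElementTree is not hardened against hostile XML, so parse third-party scan output with defusedxml or with the same care as any other untrusted input.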

Categories: IT, Python, Security, Tools

The Power of hexdump

One of my favourite new commands has become hexdump. From time to time I go through my nepenthes hexdump folder to take a look at what I've recently seen.

These hexdumps on their own are fairly useless:

treguly@ns:/home/nepenthes/hexdumps$ cat ffa6fd1e9b143a4bd5ac705a570e3b21.bin
D CKFDENECFDEFFCFGAAAAAAAAAAAAAAAA EGFCEPEOFECACACACACACACACACACAAA
ÿSMBrSÈÿþbPC NETWORK PROGRAM 1.0LANMAN1.0Windows for Workgroups 3.1aLM1.2X002LANMAN2.1NT LM 0.12

However, when you make use of hexdump it becomes much more readable.

treguly@ns:/home/nepenthes/hexdumps$ hexdump -C ffa6fd1e9b143a4bd5ac705a570e3b21.bin
00000000  81 00 00 44 20 43 4b 46  44 45 4e 45 43 46 44 45  |...D CKFDENECFDE|
00000010  46 46 43 46 47 41 41 41  41 41 41 41 41 41 41 41  |FFCFGAAAAAAAAAAA|
00000020  41 41 41 41 41 00 20 45  47 46 43 45 50 45 4f 46  |AAAAA. EGFCEPEOF|
00000030  45 43 41 43 41 43 41 43  41 43 41 43 41 43 41 43  |ECACACACACACACAC|
00000040  41 43 41 43 41 41 41 00  00 00 00 85 ff 53 4d 42  |ACACAAA......SMB|
00000050  72 00 00 00 00 18 53 c8  00 00 00 00 00 00 00 00  |r.....S.........|
00000060  00 00 00 00 00 00 ff fe  00 00 00 00 00 62 00 02  |.............b..|
00000070  50 43 20 4e 45 54 57 4f  52 4b 20 50 52 4f 47 52  |PC NETWORK PROGR|
00000080  41 4d 20 31 2e 30 00 02  4c 41 4e 4d 41 4e 31 2e  |AM 1.0..LANMAN1.|
00000090  30 00 02 57 69 6e 64 6f  77 73 20 66 6f 72 20 57  |0..Windows for W|
000000a0  6f 72 6b 67 72 6f 75 70  73 20 33 2e 31 61 00 02  |orkgroups 3.1a..|
000000b0  4c 4d 31 2e 32 58 30 30  32 00 02 4c 41 4e 4d 41  |LM1.2X002..LANMA|
000000c0  4e 32 2e 31 00 02 4e 54  20 4c 4d 20 30 2e 31 32  |N2.1..NT LM 0.12|
000000d0  00                                                |.|
000000d1

Of course, you could always pipe any output you have into hexdump. I have to say that I only really like it with the -C option, otherwise I haven't found a use for it yet.
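What the readable dump actually buys you is the ability to decode the bytes. As an added example (not from the post), the following transcribes the capture above and parses it: read as a NetBIOS session request (type 0x81) followed by a session message (type 0x00) carrying an SMB_COM_NEGOTIATE (command 0x72). That identification is the editor's reading of the bytes; the post itself only shows the dump. The hexdump_c function reproduces the -C layout so the two can be compared line for line.

```python
"""Decode the nepenthes capture shown above (added example, not from the post)."""
import struct

# Transcribed from the hexdump -C output above: 0xd1 (209) bytes.
CAPTURE = bytes.fromhex(
    "81 00 00 44 20 43 4b 46 44 45 4e 45 43 46 44 45 "
    "46 46 43 46 47 41 41 41 41 41 41 41 41 41 41 41 "
    "41 41 41 41 41 00 20 45 47 46 43 45 50 45 4f 46 "
    "45 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 "
    "41 43 41 43 41 41 41 00 00 00 00 85 ff 53 4d 42 "
    "72 00 00 00 00 18 53 c8 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 ff fe 00 00 00 00 00 62 00 02 "
    "50 43 20 4e 45 54 57 4f 52 4b 20 50 52 4f 47 52 "
    "41 4d 20 31 2e 30 00 02 4c 41 4e 4d 41 4e 31 2e "
    "30 00 02 57 69 6e 64 6f 77 73 20 66 6f 72 20 57 "
    "6f 72 6b 67 72 6f 75 70 73 20 33 2e 31 61 00 02 "
    "4c 4d 31 2e 32 58 30 30 32 00 02 4c 41 4e 4d 41 "
    "4e 32 2e 31 00 02 4e 54 20 4c 4d 20 30 2e 31 32 "
    "00"
)


def hexdump_c(data):
    """Reproduce `hexdump -C` output (minus its '*' folding of repeated lines)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = ("".join(f"{b:02x} " for b in chunk[:8]) + " "
                   + "".join(f"{b:02x} " for b in chunk[8:]))
        text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<49} |{text}|")
    lines.append(f"{len(data):08x}")  # hexdump ends with the total length as an offset
    return lines


def decode_netbios_name(encoded):
    """RFC 1001 first-level decoding: each byte travels as two nibbles, each + 'A'.
    Returns (name, suffix); the 16th byte is the NetBIOS name suffix, not a character."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def parse_negotiate_dialects(smb):
    """Dialect strings from an SMB_COM_NEGOTIATE request (each 0x02 + NUL-terminated)."""
    word_count = smb[32]                       # WordCount follows the 32-byte header
    bc_off = 33 + 2 * word_count
    byte_count = struct.unpack("<H", smb[bc_off:bc_off + 2])[0]
    buf = smb[bc_off + 2:bc_off + 2 + byte_count]
    dialects, i = [], 0
    while i < len(buf):
        if buf[i] != 0x02:
            raise ValueError(f"unexpected buffer format {buf[i]:#x} at offset {i}")
        end = buf.index(0, i + 1)
        dialects.append(buf[i + 1:end].decode("ascii"))
        i = end + 1
    return dialects


def parse_capture(data):
    """Walk the NetBIOS session-service messages and pull out the interesting fields."""
    out, i = {}, 0
    while i < len(data):
        mtype, flags = data[i], data[i + 1]
        length = struct.unpack(">H", data[i + 2:i + 4])[0] | ((flags & 1) << 16)
        body = data[i + 4:i + 4 + length]
        if mtype == 0x81:
            # session request: called name, then calling name, each 0x20 + 32 bytes + 0x00
            out["called"], out["called_suffix"] = decode_netbios_name(body[1:33])
            out["calling"], out["calling_suffix"] = decode_netbios_name(body[35:67])
        elif mtype == 0x00 and body[:4] == b"\xffSMB":
            out["smb_command"] = body[4]
            if body[4] == 0x72:                # SMB_COM_NEGOTIATE
                out["dialects"] = parse_negotiate_dialects(body)
        i += 4 + length
    return out


if __name__ == "__main__":
    print("\n".join(hexdump_c(CAPTURE)))
    print(parse_capture(CAPTURE))
```

The called name decodes to *SMBSERV with a 0x00 suffix, which is not the well-known generic name *SMBSERVER that clients normally send, and the dialect list ending in NT LM 0.12 is what an SMB1 client advertises in its NEGOTIATE request. Both are the kind of detail a hexdump makes visible and cat does not.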

Categories: IT, Tools

IP Resolution with nmap

A question came to the nmap-dev mailing list regarding resolving IP addresses in bulk. Doug replied with a command to do just that. I decided that it was handy to keep around but I wanted to clean it up a little, so I turned it into this:

nmap -sL $1 2>/dev/null |
perl -ne 'print unless /^Host [\d.]+ /' |
grep 'not scanned' |
cut -d ' ' -f 2,3 |
sed -e 's/\(.*\) (\(.*\))/\2 resolves to \1/'

Which leads to output similar to this:

198.133.219.10 resolves to fed.cisco.com
198.133.219.11 resolves to asp-web-sj-1.cisco.com
198.133.219.12 resolves to asp-web-sj-2.cisco.com
198.133.219.13 resolves to fedtst.cisco.com
198.133.219.14 resolves to www.netimpactstudy.com
198.133.219.15 resolves to deployx-sj.cisco.com
198.133.219.16 resolves to contact-sj1.cisco.com
198.133.219.17 resolves to scc-sj-1.cisco.com
198.133.219.18 resolves to scc-sj-2.cisco.com
198.133.219.19 resolves to scc-sj-3.cisco.com
198.133.219.20 resolves to jmckerna-test.cisco.com
198.133.219.21 resolves to events.cisco.com
198.133.219.22 resolves to bam-prod-1.cisco.com
198.133.219.23 resolves to redirect.cisco.com
198.133.219.25 resolves to www.cisco.com
198.133.219.26 resolves to partners.cisco.com
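The same extraction in Python, as an added example (not the post's pipeline): it accepts the "Host name (ip) not scanned" lines the pipeline above was written for and also the "Nmap scan report for name (ip)" lines that newer nmap releases print for -sL. The sample output is constructed from the addresses above. Keep in mind that a PTR record is published by whoever controls the reverse zone for that address, so a resolved name is a hint about a host, not proof of what it is.

```python
"""Turn nmap -sL output into 'ip resolves to name' lines (added example)."""
import re
import sys

# Both shapes require the parenthesised address; a line with only a bare address
# means nmap found no PTR record, and such lines are skipped on purpose.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
OLD_LINE = re.compile(rf"^Host (?P<name>\S+) \((?P<ip>{IPV4})\) not scanned")
NEW_LINE = re.compile(rf"^Nmap scan report for (?P<name>\S+) \((?P<ip>{IPV4})\)")

# Constructed sample: three lines in the old format, two in the current one.
SAMPLE_OUTPUT = """\
Host 198.133.219.9 not scanned
Host fed.cisco.com (198.133.219.10) not scanned
Host asp-web-sj-1.cisco.com (198.133.219.11) not scanned
Nmap scan report for www.cisco.com (198.133.219.25)
Nmap scan report for 198.133.219.24
"""


def resolutions(text):
    """Yield (ip, name) for every list-scan line that carries a resolved name."""
    for line in text.splitlines():
        m = OLD_LINE.match(line) or NEW_LINE.match(line)
        if m:
            yield m.group("ip"), m.group("name")


def format_resolutions(text):
    return [f"{ip} resolves to {name}" for ip, name in resolutions(text)]


if __name__ == "__main__":
    # Usage: nmap -sL 198.133.219.0/27 2>/dev/null | python nmap_resolve.py
    print("\n".join(format_resolutions(sys.stdin.read())))
```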

Categories: IT, Tools

Go Software! KiTTY and Komodo Edit

Odd Title... but it's 3:30am.

The first thing I wanted to mention was KiTTY ( via /dev/random). It's a fork of PuTTY, which is nice given PuTTY is on a rather slow development cycle, and new features are almost non-existent. Some of the features include folders within the saved sessions box (although, not implemented as "friendly" as they could be), transparency (this didn't work for me), login scripts (also didn't work for me) and integrated scp support. The features list is actually quite a bit longer than that, feel free to read it on the KiTTY website. As mentioned, a number of the features didn't work for me. I'm going to give it a try on a second computer before I rule it out, but I wanted to mention it now. A second bad experience would most likely lead to me never using it or mentioning it here, and it may work wonderfully for others.

The second thing I wanted to mention is that Komodo Edit 5.0 (the free version of Komodo IDE) is now available. Some of the biggest things are limited to Komodo IDE unfortunately, such as source code checkout capabilities and the ability to "beautify" your code. It does provide some UI clean-up and an update to Firefox 3.0 in the Edit version though.

One of the problems that I had was that my favourite plugin, Sourcetree ended up attached to the left pane instead of the right pane, which is very unnatural to me. It took me a couple of hours, but I dove into plugins for the first time, opening the jar file and pulling out the javascript. After I tracked down the name of the two panes online (not easily documented), I was able to modify the code and re-archive it. If anyone wants a step by step, or just my modified file, let me know.

Categories: IT, Tools

NoScript Force SSL

I've always commented that I'm not a big fan of NoScript... I find browsing "modern" websites to be almost impossible with the plugin installed. For this reason, I don't know how popular it is with "the masses". That being said, I use it because a hindrance is better than a gaping security hole.

However, I've now found what I feel to be the best feature in NoScript: the ability to force HTTPS. Sites like LinkedIn have always had issues providing adequate HTTPS support. There are other sites that are HTTPS only, yet don't redirect HTTP to HTTPS. I've always found these issues to be frustrating. NoScript has solved these problems.

I've inserted a number of common websites I visit into the force HTTPS dialog and now, even if they have flaky HTTPS support that pushes you to HTTP on every request, I'm always using HTTPS. If I type in an address manually to a site that's configured only for HTTPS, NoScript forces the connection over to HTTPS and I no longer curse and go to the address bar to add the 's'.

This is an amazing feature and has greatly increased the value of NoScript in my eyes. Given that this isn't the core focus of the plugin, it's probably the single greatest addition that could have occurred.

Update

Marcin just pointed out that LinkedIn public profiles don't exist over HTTPS (treguly (http) works, treguly (https) doesn't)

To resolve this, simply add www.linkedin.com/in/ to the "never force https connections" portion of NoScript.

Categories: IT, Security, Tools

Why I Changed Feed Aggregators

For the longest time I've been using Bloglines to read RSS feeds. I've used standalone readers in the past (NewsFox and Viigo) but I've found that there's no way to sync them (I read feeds on 3-4 computers, as well as my phone) and that was a real problem for me. Bloglines is very clean and fast. It's easy to use and works well when I'm on my phone. However, more and more I've been noticing it "down for maintenance", and I've noticed others use Google Reader, so I decided to give it a go.

I exported my feeds from Bloglines and imported them into Google Reader. I noticed right away that the layout was familiar (since it was similar to GMail), however I would prefer if I could have subscriptions at the top of the left pane, with Home, Trends, etc. below them. As I browsed, I noticed that there were a few other annoyances. One of the things I enjoy about Bloglines is that if I don't want to read a certain feed, I can simply click on it as I work my way through new feeds. With Google Reader, if you don't visit the article, it isn't actually marked as read. While technically more accurate, it's not what I'm accustomed to, and unfortunately there isn't a setting to change this. The other annoying issue was related to Google Reader on my Blackberry... instead of being able to browse based on subscription, the items from the feeds are grouped together and displayed chronologically. This is horrid design compared to Bloglines' mobile solution, however I'm finding I can live with the pain in order to have the standard Google Reader UI.

The thing that finally won me over to Google Reader is shortcut keys. I love keyboard shortcuts. The less often I have to use the mouse, the better and Google Reader is great for that. g + u and then you can type the name of the feed you want to read. Even better though is for when I'm browsing my feeds. I can use Shift+n (down) or Shift+p (up) to scroll through my subscription list, Shift+o will open that subscription and then n (down) or p (up) will let me scroll through items in that feed, using enter to open/close the items. It is extraordinarily handy and I highly recommend it to anyone that hasn't tried it yet.

CDVT 0.1 Released

Greetings All,

First... I'm definitely not dead... that first month of marriage kept me busier than I'm used to being, but I definitely plan on posting more.

This post is actually rather exciting for me. If you read back through my blog, my initial posts (and the reason I registered a domain) were because I wanted an easy way to keep track of new versions of software. I happened to register this domain, so I wanted to call it the Computer Defense Version Tracker (CDVT). My plan was to develop a file scheme, where software authors could place a small cdvt file in their root and I would fetch and parse the file, creating an updated list of versions of software. A number of authors were on board with the idea, but it never built much steam.

Having progressed my development skills quite a bit in the past two and a half years (or at least I like to think I have), I realized I could write a simple screen scraper to do the work. So here's the "new and improved" CDVT, which I'm currently calling version 0.1. The download consists of two files, cdvt.py and cdvt.xml. The XML file contains references to each piece of software that is being checked. The Python script does the work. You can provide a couple of inputs when you run the file, and if you provide incorrect input, you'll get this error:

htregz@securitysentience:~/cdvt$ python cdvt.py
CDVT 0.1 by Tyler Reguly (ht@computerdefense.org)
Error: Output Type not provided
Usage:  cdvt.py <output type> <output interface>
        output type:            csv or text
        output interface:       stdout or file

This should be fairly straightforward: you can generate CSV or plain text and either print to the screen or write to a file. The next version will parse proper arguments and allow you to specify a filename. Right now the filename will be either versions.csv or versions.txt (depending on the output type).

Output from the text mode looks like this:

htregz@securitysentience:~/cdvt$ python cdvt.py text stdout
2.4 Kernel:                     2.4.36.6
2.6 Kernel:                     2.6.25.7
Aircrack-ng:                    1.0-rc1
Cain & Abel:                    4.9.14
ettercap:                       NG-0.7.3
Kismet:                         Kismet-2008-05-R1
Metasploit Release:             3.1 Release
Metasploit SVN Revision:        5533
NetStumbler:                    Version Info Not Available
Nikto:                          2.02
nmap:                           4.65
Notepad++:                      4.9.2
Pass the Hash:                  1.3
PsTools:                        2.44
PuTTy:                          0.60
Snort:                          2.8.2.1
TCPDump:                        3.9.8
VMWare Server:                  1.0.6
VMWare Workstation:             6.0.4
Wireshark:                      1.0.0

Since I do perform screen scraping, it isn't the fastest process in the world, but it isn't overly slow either. When you see the message 'Version Info Not Available', that means that the page that's scraped wasn't available or the regex couldn't match. In the above case, the NetStumbler download page is currently returning a 404 error.
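An added example of how a tracker built this way fits together (this is not the cdvt.py from the post, and the config layout is an assumption, since the post does not show cdvt.xml): a config lists each product with the page to scrape and a regex whose first group captures the version; a fetch failure or a non-matching regex both produce the "Version Info Not Available" marker described above. The pages under example.invalid are constructed stand-ins for the real download sites, and NetStumbler deliberately has none, playing the part of the 404.

```python
"""Minimal screen-scraping version tracker in the spirit of CDVT (added example)."""
import csv
import io
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

NOT_AVAILABLE = "Version Info Not Available"

# Assumed config layout (the post's cdvt.xml is not shown): one <app> per product.
SAMPLE_CONFIG = r"""<cdvt>
  <app name="nmap" url="http://example.invalid/nmap" regex="nmap-([0-9.]+)\.tar\.bz2"/>
  <app name="Wireshark" url="http://example.invalid/wireshark" regex="Wireshark ([0-9.]+) released"/>
  <app name="NetStumbler" url="http://example.invalid/netstumbler" regex="NetStumbler ([0-9.]+)"/>
</cdvt>"""

# Constructed pages standing in for the real download sites.
FAKE_PAGES = {
    "http://example.invalid/nmap": '<a href="nmap-4.65.tar.bz2">Download Nmap 4.65</a>',
    "http://example.invalid/wireshark": "<h1>Wireshark 1.0.0 released</h1>",
}


def fetch_live(url, timeout=15):
    """Fetch a page over the network; used by main(), not by the offline demo."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def fetch_fake(url):
    """Offline fetcher: unknown URLs raise, as a 404 would (HTTPError is an OSError)."""
    if url not in FAKE_PAGES:
        raise OSError("HTTP Error 404: Not Found")
    return FAKE_PAGES[url]


def load_apps(xml_text):
    root = ET.fromstring(xml_text)
    return [(a.get("name"), a.get("url"), a.get("regex")) for a in root.iter("app")]


def check_versions(apps, fetch=fetch_live):
    """Return [(name, version or NOT_AVAILABLE)] in config order."""
    rows = []
    for name, url, pattern in apps:
        try:
            match = re.search(pattern, fetch(url))
            version = match.group(1) if match else NOT_AVAILABLE
        except OSError:  # unreachable host, 404, timeout
            version = NOT_AVAILABLE
        rows.append((name, version))
    return rows


def render(rows, output_type):
    if output_type == "csv":
        buf = io.StringIO()
        csv.writer(buf).writerows(rows)
        return buf.getvalue()
    # text: name padded to 32 columns, matching the layout shown above
    return "".join(f"{name + ':':<32}{version}\n" for name, version in rows)


USAGE = """Usage:  cdvt.py <output type> <output interface>
        output type:            csv or text
        output interface:       stdout or file"""


def main(argv):
    if len(argv) != 3 or argv[1] not in ("csv", "text") or argv[2] not in ("stdout", "file"):
        sys.exit(USAGE)
    with open("cdvt.xml", encoding="utf-8") as f:  # assumed: config next to the script
        rows = check_versions(load_apps(f.read()))
    text = render(rows, argv[1])
    if argv[2] == "stdout":
        sys.stdout.write(text)
    else:
        ext = "csv" if argv[1] == "csv" else "txt"
        with open(f"versions.{ext}", "w", encoding="utf-8") as out:
            out.write(text)


if __name__ == "__main__":
    main(sys.argv)
```

Two things worth keeping in mind with this design: the regexes run over HTML you do not control, so keep them simple (a pattern with nested quantifiers can be made to backtrack for a very long time by a hostile page), and a scraped version string is only ever a prompt to go and check, never an input to an automated install.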

I would love feedback, suggestions of apps to add and anything else. Feel free to email me or leave a comment.

Download

Installing W3AF on Windows XP

This morning I talked about W3AF beta6 being available. Only now did I finally get time to install it... I wanted to test drive the UI, and it ended up being quite the task to get it installed. Part way through I realized that this would be a somewhat time-consuming process and started documenting everything I had to do. I figured that others will most likely want to play with the UI on Windows XP, so I'm going to share my documentation:

Installing w3af with UI on Windows XP with Python 2.5

Download pygoogle
Extract pygoogle
From your extracted directory run 'python setup.py install'

Download fpconst
Extract fpconst
From your extracted directory run 'python setup.py install'

Download SOAPpy
Extract SOAPpy
Edit <extractdir>\SOAPpy\Client.py; move the from __future__ import line to line 1
Edit <extractdir>\SOAPpy\Types.py; move the from __future__ import line to line 1
Edit <extractdir>\SOAPpy\Server.py; move the from __future__ import line to line 1
From your extracted directory run 'python setup.py install'

Download gtk+ runtime
File: gtk2-runtime-2.12.1-2007-10-28-ash.exe
Install

Update gtk+ runtime
File: glib-2.16.2.zip
Extract Files
Copy files from \bin over gtk2-runtime install (default: C:\Program Files\GTK2-Runtime\lib)

Install pyGTK files
PyGTK 2.12.1-2
PyGobject 2.14.1-1
PyCairo 1.4.12-2

Download pyOpenSSL
Current Version: 0.7
Install

Download OpenSSL
Current Version: 0.9.8g Light
Install

Download w3af
Extract to directory
Browse to the w3af folder, create a shortcut to file w3af.
Modify shortcut target -- path\to\python25 path\to\w3af -g
Double Click shortcut
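The three SOAPpy edits above exist because Python only accepts a from __future__ import before any other statement; a module that has one after a regular import is rejected at compile time with a SyntaxError. The following script, an added example that is not part of w3af or SOAPpy, does those edits mechanically: it hoists every future-import line to the top, keeping a shebang or coding comment ahead of it because those are only honoured on the first two lines. compiles() checks the result against the grammar of whatever interpreter runs it, so on Python 3 it will reject Python 2 syntax for unrelated reasons; it is there to show the rule, not to validate old SOAPpy files.

```python
"""Move 'from __future__ import' lines to the top of a module (added example)."""
import re
import sys

FUTURE_LINE = re.compile(r"^\s*from __future__ import\b")
# A shebang or coding declaration only works on line 1 or 2; keep those in front.
HEADER_LINE = re.compile(r"^#!|^#.*coding[:=]")


def hoist_future_imports(source):
    """Return the module text with all future imports placed first (after any header)."""
    lines = source.splitlines(keepends=True)
    futures = [l if l.endswith("\n") else l + "\n" for l in lines if FUTURE_LINE.match(l)]
    rest = [l for l in lines if not FUTURE_LINE.match(l)]
    head = []
    while rest and len(head) < 2 and HEADER_LINE.match(rest[0]):
        head.append(rest.pop(0))
    return "".join(head + futures + rest)


def compiles(source):
    """True if the running interpreter accepts the module (a grammar check only)."""
    try:
        compile(source, "<module>", "exec")
        return True
    except SyntaxError:
        return False


if __name__ == "__main__":
    # Usage: python hoist_future.py SOAPpy\Client.py SOAPpy\Types.py SOAPpy\Server.py
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as f:
            src = f.read()
        with open(path, "w", encoding="utf-8") as f:
            f.write(hoist_future_imports(src))
```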

Categories: IT, Tools

Komodo Edit Now Open Source

I just discovered this today when Komodo Edit said it had an update available... the release notes led me to OpenKomodo and I eventually stumbled across an ActiveState press release.

ActiveState today announced an updated, open-sourced release of Komodo Edit, the popular and free editor for dynamic languages including Perl, PHP, Python, Ruby, and Tcl, plus support for browser-side code including JavaScript, CSS, HTML, and XML.

Komodo Edit, based on the award-winning Komodo IDE, offers sophisticated support for all major scripting languages, including in-depth autocomplete and calltips, multi-language file support, syntax coloring and syntax checking, Vi emulation, and Emacs key bindings. Komodo Edit is built on the Mozilla code base, and is now licensed under the same terms as Firefox: Mozilla Public License (MPL), GNU General Public License (GPL), and GNU Lesser Public License (LGPL).

This is an amazing product, and this is huge news. The plugin system is also great and there are already a few cool plugins available.

Categories: IT, Tools

Update on Port Scanner Challenge

The other day I posted the Port Scanner Challenge, and a follow-up article declaring a winner.

This lead to a couple of things...

First, Robert E. Lee (who is associated with UnicornScan) started a blog to perform his own independent tests. I encourage everyone to look at the results... but I remind everyone that Robert is tied to UnicornScan and therefore you may have to take some of the results with a grain of salt.

Second, Fabian, of Recurity Labs (authors of PortBunny), contacted me regarding the results I had seen, specifically the Vista results. They had reproduced the results in their lab, and ended up releasing an update to PortBunny. The updated version showed significant improvements. On the Vista host, with default settings, PortBunny scan times were reduced from ~18.3 seconds to ~1.2 seconds, and on a full port scan (1-65535), scan times were reduced from ~642.5 seconds to ~30 seconds. The updated version of PortBunny can be downloaded here.

Additionally, Fabian included an explanation of how packet retransmission works with PortBunny, which I found rather interesting:

PortBunny sends so-called packet-batches which consist of a couple of probes (usually 9) and a trigger-packet. If a trigger-drop is detected either because a timeout-clock is hit or due to the fact that 3 later trigger-responses have been received, all probes which did not get responses are retransmitted. This is done to acknowledge that, when firing at this rate, the trigger dropped, so it's possible that any other packet of the batch may have dropped as well.

However, retransmission is not done straight away: that wouldn't be too wise because the response may just be a couple of milliseconds away.

Instead, we just add the port to the back of the list of ports to scan. As a result, we can wait the maximum amount of time for the response to still reach us before we resend.

We only assume that a port is filtered if no response is received for the probe but the trigger-response for the batch the probe was in was received.

Now, we do this until all ports have results and then we check whether the total amount of filtered ports is smaller than 30% of the total number of ports. If this is so, we perform two rounds of rescanning of the filtered ports.

Lastly, Fabian also included some of the more interesting changes in this updated version of PortBunny:

(1) The Python-UI contained a bug which drastically decreased performance on gigabit-ethernet: to query the device-file, a Python FileObject was used and its read-method was called without specifying a buffer-size. In fast networks (such as gigabit-ethernet) this led to the situation where a huge amount of results was delivered to userspace in a single read. The information was then parsed using a regular expression which, due to the size of the buffer, took way longer to complete than the actual scan ;)

(2) The development-version now discards bad triggers as soon as better ones are found. This means that ICMP or UDP-triggers as well as TCP-SYN-triggers which produce TCP-SYN-ACK responses are discarded as soon as a single closed port is found (in which case we can use this port for triggering). This increases performance on the one hand (when ICMP-traffic is limited, which is quite frequently the case for destination-unreachable messages) and accuracy on the other hand, because triggers are preferred by the scanner which are handled just like the probes, so rate-limitations on TCP-SYNs are detected correctly.

(3) Scans were too "bursty" for many setups which included burst-limitations. Especially when the round-trip-time was small, the target would feel like it was processing an (almost) never ending burst of data. We've made some changes to reduce the "burstiness" as you can see in the Vista example.

(4) TCP-Reno was taken a little too literally: Reno says that the initial congestion threshold should be close to infinity so that the sender can find the limitations of the network quickly (and "muscle" itself into the connection). NMAP chooses 50 as an initial congestion threshold, PortBunny chose 80000. While 80000 was closer to infinity than 50, it doesn't seem like a good choice in many environments when using Reno for port-scanning because the accuracy of the start-phase of the scan is reduced drastically. NMAP was totally right to choose a lower number so we've changed that as well.

(5) We've included a new trigger: the TCP-ACK trigger. This works in many situations where we had to use fallback-triggers such as the UDP-trigger in the past.
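The batching, trigger and retransmission rules Fabian describes in the first quoted explanation, as a small simulation. This is an added example and not PortBunny's code: the target, the port list and the dropped packets are constructed, and the loss of a trigger reply is known to the scanner at once, where the real scanner infers it from a timeout or from three later trigger responses arriving first. The scenario is built so that each rule is exercised: a lost trigger causes a re-queue instead of a false "filtered", a lost probe reply in a batch whose trigger did come back is wrongly marked filtered and then recovered by the rescan rounds, and a genuinely filtered port stays filtered through all of them.

```python
"""Toy model of PortBunny-style batches, triggers and retransmission (added example)."""
from collections import Counter, deque

BATCH_PROBES = 9                 # "a couple of probes (usually 9)" plus one trigger
RESCAN_ROUNDS = 2                # two extra rounds over the filtered ports ...
RESCAN_IF_FILTERED_BELOW = 0.30  # ... but only if fewer than 30% came back filtered
MAX_ATTEMPTS = 10                # safety bound for the toy model, not part of the description


class ToyTarget:
    """Constructed host plus network path. Open ports answer 'open' (SYN-ACK), closed
    ports 'closed' (RST), filtered ports never answer. dropped_triggers holds batch
    numbers whose trigger reply is lost; dropped_probes holds (port, attempt) pairs
    whose probe reply is lost."""

    def __init__(self, open_ports, filtered_ports, dropped_triggers=(), dropped_probes=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)
        self.dropped_triggers = set(dropped_triggers)
        self.dropped_probes = set(dropped_probes)

    def probe(self, port, attempt):
        if port in self.filtered_ports or (port, attempt) in self.dropped_probes:
            return None
        return "open" if port in self.open_ports else "closed"

    def trigger(self, batch_no):
        # the trigger goes to a known closed port, so a reply is an RST
        return None if batch_no in self.dropped_triggers else "closed"


def scan_round(ports, target, state):
    """One pass over `ports` in batches; returns {port: 'open'|'closed'|'filtered'}."""
    queue = deque(ports)
    results = {}
    while queue:
        state["batch_no"] += 1
        batch = [queue.popleft() for _ in range(min(BATCH_PROBES, len(queue)))]
        trigger_answered = target.trigger(state["batch_no"]) is not None
        for port in batch:
            state["attempts"][port] += 1
            reply = target.probe(port, state["attempts"][port])
            if reply is not None:
                results[port] = reply
            elif trigger_answered or state["attempts"][port] >= MAX_ATTEMPTS:
                results[port] = "filtered"   # trigger reply arrived, probe reply did not
            else:
                queue.append(port)           # trigger lost too: resend later, from the back
    return results


def portbunny_style_scan(ports, target):
    """Full scan: one round, then up to two rescans of the filtered ports if < 30%."""
    state = {"batch_no": 0, "attempts": Counter()}
    results = scan_round(ports, target, state)
    filtered = [p for p in ports if results[p] == "filtered"]
    if filtered and len(filtered) < RESCAN_IF_FILTERED_BELOW * len(ports):
        for _ in range(RESCAN_ROUNDS):
            results.update(scan_round(filtered, target, state))
            filtered = [p for p in filtered if results[p] == "filtered"]
            if not filtered:
                break
    return results, state["attempts"], state["batch_no"]


PORTS = [21, 22, 23, 53, 80, 110, 111, 135, 139,        # first batch
         25, 143, 443, 445, 993, 995, 1433, 3306, 3389,  # second batch
         5900, 8080]                                      # third batch, plus re-queued ports


def demo():
    """Scenario: batch 1's trigger reply is lost, as is the first probe reply for 22 and 25."""
    target = ToyTarget(open_ports={22, 80, 443}, filtered_ports={8080},
                       dropped_triggers={1}, dropped_probes={(22, 1), (25, 1)})
    return portbunny_style_scan(PORTS, target)


if __name__ == "__main__":
    results, attempts, batches = demo()
    for port in PORTS:
        print(f"{port:>5} {results[port]:<9} attempts={attempts[port]}")
    print("batches sent:", batches)
```

Port 22 sits in the batch whose trigger was lost, so its missing reply is treated as possible loss and it is re-queued rather than marked filtered; port 25 sits in a batch whose trigger came back, so it is marked filtered on the first pass and only corrected by the rescan rounds, which is exactly why that 30% check exists.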

Categories: IT, Security, Tools