01.14.08
Posted in IT, Reviews, Security, Software, Tools at 11:33 pm by Tyler Reguly
The other day I posted raw data comparing nmap, PortBunny and Unicornscan... I thought today I'd provide some of my thoughts on what the data shows us.
In the end I scanned 5 hosts running a variety of operating systems and I think I gave a fairly decent small scale spread and one initial comment I'd like to make is on the scanning of the HP LaserJet 4MV... While not all scanners found all the ports, they were all able to scan it... which I found fairly impressive... especially considering I've crashed it numerous times in the past playing with advanced options in port scanners and packet creation programs.
Now for the analysis... Was there a winner? At first I didn't think so... but once I created the graph it became fairly evident that there was. Before I declare the winner... let's take a look at what we saw.
Unicornscan
I was fairly impressed with unicornscan the first time it ran... at least from a speed standpoint. That is until I ran nmap and PortBunny. While unicornscan (on a standard scan, default ports) was able to provide consistent speeds... it was clear that on systems with fewer open ports... there was a huge disadvantage in the design of unicornscan... The consistent speeds were still occurring. If we look at my shell box for example (Ubuntu 6.06 PPC on an old 350MHz iMac), we see that unicornscan took what appears to be a respectable 9.2 seconds. However, nmap took only 1.5 seconds and PortBunny was less than a second at 0.7 seconds.
The full port scan also didn't bode well for unicornscan. On two hosts, the printer and the gateway, it failed to find any open ports... These are both slower systems (the older printer, and a soekris 486 for the gateway) so perhaps they couldn't keep up with the speed of the scan... or perhaps unicornscan was scanning too fast even for itself.
In the end, after seeing the results of nmap and PortBunny I was rather unimpressed with unicornscan.
nmap
I was quite impressed with nmap. During the default scan it tied PortBunny with the lowest number of missed ports (of course this is due primarily to the various scanners' default port lists) and on a full port scan, it was the only scanner to find all open ports. In addition to having the lowest missed-port rate... it boasted the fastest times... coming in 17.5 minutes faster than PortBunny on a full port scan, and 16 seconds faster on a default scan.
Additionally when I provided nmap with the '-T5 --max-retries 0' options, it blew PortBunny out of the water... it missed two additional ports over PortBunny on one of the 5 hosts, however the time difference was 5.3 seconds to 74 seconds... nmap was 68.7 seconds faster.
PortBunny
Given all the hype surrounding PortBunny and the fact that it is a "Linux Kernel-Based Port Scanner" (which is supposed to work to its benefit), I was expecting great things... instead I was seriously disappointed. There wasn't a single scan where PortBunny fully outperformed nmap... You have to set nmap to get ridiculous scan speed (scanning "almost too fast") in order for PortBunny to even manage to find more ports than nmap and then it takes ~15 times longer to find those 2 extra ports... Without those "almost too fast" options, nmap still performs faster than PortBunny and with more accuracy.
There was one host where PortBunny was able to outperform nmap, however that was with nmap doing a default scan... when timing options were adjusted, once again PortBunny failed to beat nmap.
Decision
When I started this challenge, I wasn't sure what the outcome would be... the only prediction I had was that unicornscan would be defeated by both PortBunny and nmap. This proved to be true... Between nmap and PortBunny, due to the hype around PortBunny and the claims that I had seen... I really wasn't sure. I expected it to be a close battle between the two... at most a TKO... but in the end it was a straight-up KO and in reality PortBunny was never really a contender.
Winner: nmap
01.13.08
Posted in IT, Reviews, Security, Software, Tools at 11:33 pm by Tyler Reguly
There's been quite a bit of mention lately of PortBunny, the new port scanner from Recurity Labs. The scanner is Linux kernel-based and provides a TCP SYN Scan. I figured that I'd put the scanner to the test against nmap and Unicornscan.
Here's the rundown of the setup used:
Software + Version:
Scanning Host:
OS: Ubuntu 7.10
Kernel: 2.6.22-14-generic
Processor: Intel Pentium M 2.13GHz
RAM: 1GB
Install Process:
- Obtain archive
- Extract archive
- ./configure *No custom config options used for any of the software*
- make
- make install
Tested via Python:
Test Script (Note: I can't get my lines to tab properly, so tab over the four lines following def test):
import time, os

def test(prog):
    # run the scanner command line and report how long it took
    startTime = time.time()
    os.system(prog)
    endTime = time.time()
    print('Execution Time: %f' % (endTime - startTime))
Targets:
- vista - Vista Home Premium
- shell - Ubuntu 6.06.1 LTS (2.6.15-28-powerpc)
- minibox - OS X 10.4.11
- printer - HP LaserJet 4MV
- gateway - m0n0wall 1.231
Scan Notes:
- PortBunny requires an IP Address, it won't run against hostnames.
- PortBunny doesn't sort the results list.
- Unicornscan missed all ports on printer and gateway when scanning ports 1 - 65535.
- PortBunny missed a port on printer when scanning ports 1 - 65535.
- nmap missed 2 ports on printer when scanning with -T5 --max-retries 0.
Results:

Raw Data, including ports found, after the jump.
11.23.07
Posted in Conferences / Training Sessions, IT, Reviews, Security at 11:27 pm by Tyler Reguly
SecTor Day #2
Speakers: Ryan Poppa and Jay Graver
Presentation (pdf)
Download Audio (with Slide Deck) (wmv)
This was the final talk that I attended prior to the wrap up. I already knew what to expect for the most part, since Ryan and Jay are colleagues at nCircle.
The hour long presentation started with 30 minutes of background presented by Jay. The discussion itself focused around network fingerprinting (detecting versions of operating systems and listening services over a network) and, more specifically, HTTP server fingerprinting. The background included a comparison of currently available tools: nmap, amap and httprint. Jay looked at the results of these tools against modern servers... first while displaying their standard banners and then using obfuscated banners. When faced with obfuscated banners the tools didn't fare so well.
The second half of the presentation, presented by Ryan, included what was really the "meat" of the presentation... the discussion of a new tool, httpfp [link coming as soon as the tool is released], which uses a new approach to fingerprinting. Ryan pointed out numerous aspects of an HTTP server response that can be used to determine the type of software that the server is running, even if banner obfuscation is being used. Some of the included identification points were:
- Case of the Content-Length header (Content-Length/Content-length/content-length)
- The existence of Public or Allow headers
- The order of the options presented in the Public/Allow header
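To make those identification points concrete, here is an added example (my own illustration, not code from the httpfp tool or the talk) that pulls the banner-independent traits out of a raw HTTP response and scores them against a small hypothetical signature table; both constructed responses carry the same obfuscated Server banner, so only header case, Public/Allow presence and Allow ordering separate them. It is the kind of check you can run against your own server to see what it still reveals once the banner is hidden.

```python
SAMPLE_A = (  # constructed response; banner deliberately obfuscated
    "HTTP/1.1 200 OK\r\n"
    "Server: Obfuscated/1.0\r\n"
    "Date: Fri, 23 Nov 2007 12:00:00 GMT\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_B = (  # constructed response from a different, hypothetical server family
    "HTTP/1.1 200 OK\r\n"
    "Server: Obfuscated/1.0\r\n"
    "Date: Fri, 23 Nov 2007 12:00:00 GMT\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Content-length: 0\r\n\r\n"
)

# Hypothetical signature table keyed on banner-independent traits only.
SIGNATURES = {
    "family-A": {"content_length_case": "Content-Length", "has_public": True,
                 "allow_order": ("OPTIONS", "TRACE", "GET", "HEAD", "POST")},
    "family-B": {"content_length_case": "Content-length", "has_public": False,
                 "allow_order": ("GET", "HEAD", "POST", "OPTIONS")},
}

def parse_headers(raw):
    """Return the response headers as an ordered list of (name, value), case preserved."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def fingerprint_features(raw):
    """Collect the traits the talk called out: header-name case, presence of
    Public/Allow, the order of methods in Allow, plus overall header order."""
    headers = parse_headers(raw)
    feats = {"server_banner": None, "content_length_case": None,
             "has_public": False, "has_allow": False, "allow_order": None,
             "header_order": tuple(n.lower() for n, _ in headers)}
    for name, value in headers:
        low = name.lower()
        if low == "server":
            feats["server_banner"] = value
        elif low == "content-length":
            feats["content_length_case"] = name    # exact spelling the server used
        elif low == "public":
            feats["has_public"] = True
        elif low == "allow":
            feats["has_allow"] = True
            feats["allow_order"] = tuple(m.strip() for m in value.split(","))
    return feats

def match(feats):
    """Score each signature by the number of agreeing traits; return (family, score)."""
    best, best_score = None, 0
    for family, sig in SIGNATURES.items():
        score = sum(1 for k, v in sig.items() if feats.get(k) == v)
        if score > best_score:
            best, best_score = family, score
    return best, best_score

if __name__ == "__main__":
    for raw in (SAMPLE_A, SAMPLE_B):
        f = fingerprint_features(raw)
        print(f["server_banner"], "->", match(f))
```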
The concept is definitely cool and I'm really looking forward to see what advancements and improvements will be made in the future. It was also a great way to round-up the conference.
Posted in Conferences / Training Sessions, IT, Reviews, Security at 9:53 pm by Tyler Reguly
SecTor Day #2
Speaker: Johnny Long
Download Audio (wmv)
This was my first time seeing Johnny talk and he definitely lived up to the stories I've heard. This wasn't a technical talk by any means, but it was highly entertaining and hilarious.
Before Johnny started his talk, he took advantage of the platform to fill in the attendees on IHackCharities.org. The basis of the organization is fairly simple... they match hackers/IT professionals who are unemployed with charities that are seeking IT-related help... e.g. a charity that needs a web page built for them. In exchange for the few hours of work that the hacker donates, they get references from leading industry professionals who have verified their work. I actually see this as being quite useful and was excited to hear about it. I have to contact Johnny still as he mentioned unemployed professionals, but I'm wondering if the employed can volunteer as well. It's a way that everyone can give back, even if it's just a little bit. This is something that the SecTor organizers should have picked up on and presented to the entire con, as it's definitely a worthwhile cause.
Back to the presentation... Johnny took several popular hacker related movies and demonstrated why scenes were either 'leet' or 'lame'. The movies included Hackers, The Matrix, Swordfish, and Code Hunters... although there were plenty of others. The presentation was a lot of fun, however it might have been more fitting as a keynote so that everyone could have enjoyed it.
Valid uses of security in movies were pointed out, as were the completely wacko ideas. There were typos identified and examples of Hollywood using yet to be discovered technologies.
The hour flew by and could have most likely been extended, as everyone was drawn into the talk, which included audience participation.
Posted in Conferences / Training Sessions, IT, Reviews, Security at 11:55 am by Tyler Reguly
SecTor Day #2
Speaker: Dan Kaminsky
Presentation (ppt)
Audio (wmv)
This was the first talk I attended on day 2. Dan demonstrated DNS Rebinding attacks and how they can be dangerous to internal networks. The talk was filled with technical data and live demos.
While the demo had been setup in advance it was nice to see how quickly and efficiently the attack could be pulled off if you were prepared.
One interesting event occurred when another speaker (who had presented on DNSSEC) argued that DNSSEC is the solution to this problem. Kaminsky was able to make short work of the individual and put him in his place... even though he attempted to persist with his argument.
There are solutions to some forms of DNS rebinding, but unfortunately they could take years to implement, even if they were adopted.
The first would be to rewrite DNS servers to not allow RFC 1912 addresses from external sources.
Another would be to rewrite DNS to operate with its own version of the three way handshake. The server receives an IP after resolving the domain name and rather than pass it to the host, it performs a reverse resolution on the IP, ignoring any mappings that occur in its cache. Sure this increases the load on servers, but I'm fairly certain they'd be able to handle it... A problem that can occur here is with virtual hosts, and unfortunately they are becoming more and more common. The problem here is that you need all virtual hosts to be returned when an IP is resolved, and that doesn't seem likely.
Right now, the most effective step you can take is to have firewall rules on the border of your network to either drop DNS responses with internal IPs or to rewrite them on the fly. This doesn't, however, stop an attack from rebinding to a different external IP.
For more information on DNS Rebinding, there's a great paper available from a team at Stanford CS on the subject.
Posted in Conferences / Training Sessions, IT, Reviews, Security at 10:11 am by Tyler Reguly
SecTor Keynote
Speaker: Steve Riley
Presentation (ppt)
Full Title: Defending Layer 8: How to Recognize and Combat Social Engineering
This talk was interesting, funny and informative... a great way to start the second day.
Steve took the 7 layer OSI model and turned it into a 9 layer model. He added layer 0 to the bottom, physical... but not physical like layer 1... He differentiated by referring to layer 1 as 'cyberspace' and layer 0 as 'meatspace'. Layer 0 is your physical location, your physical security... the building itself where your systems are located. The other added layer was layer 8, a layer that is traditionally added to the OSI model and referred to as the 'human layer'.
To demonstrate layer 0 problems, Steve told a story involving the movement of a data center. The company had moved their data center down to street level, and put it on display behind a glass window facing the street. This included server names and IP addresses, dial-in numbers for modems, etc... It turned out some thieves noticed the display and they drove a truck through the window, grabbing the first computer they came across. The computer ended up being the company's domain controller. An hour later they were lucky enough to get the computer back, however instead of performing forensics... they immediately plugged it back into the network.
Steve's talk was full of stories like that one... little, funny, to the point stories that kept you interested and enhanced the overall presentation. I believe that the SecTor organizers are putting video, or at very least audio, online with the presentations... for all of the keynotes so far that will make a huge difference for those intending to go through the slide decks (which I will link to as soon as I see them posted).
Steve continued on with his discussion on social engineering and offered 10 tips for anyone interested in trying out social engineering. The list included:
- Be Professional.
- Be Calm.
- Know your mark.
- Do not fool a superior scammer.
- Plan your escape from your scam.
- Be a woman.
- Use watermarks.
- Make business cards and fake names.
- Manipulate the less fortunate, the unaware, and the stupid.
- Use a team if you have to.
Each of these steps included details and descriptions... or at very least amusing commentary.
Steve also outlined 8 types of Social Engineering 'exploits', each with an example:
- Diffusion of Responsibility - 'The VP says you won't bear any responsibility'
- Chance for ingratiation - 'Look at what you might get out of this'
- Trust Relationships - 'He's a good guy, I think I can trust him'
- Moral Duty - 'You must help me! Aren't you so mad about it?'
- Guilt - 'What, you don't want to help me?'
- Identification - 'You and I are really two of a kind, huh?'
- Desire to be helpful - 'Would you help me here, please?'
- Cooperation - 'Let's work together. We can do so much!'
Following this, along with additional stories, were steps on discovering data on your target, ways to pull off an attack, and ways to defend against an attack. It was definitely a great explanation of social engineering. I think that a lot of people walked away with a lot of useful information.
11.22.07
Posted in Conferences / Training Sessions, IT, Reviews, Security at 11:21 pm by Tyler Reguly
SecTor Day #1
Speakers: Rohit Sethi and Nish Bhalla
Presentation (pdf)
Audio (wmv)
Tool Website
Full Title: Exploit-Me Series -- Free Firefox Application Penetration Testing Suite Launch
I was really curious to see this one, although I heard the other talks were interesting. My main reason was that I wanted to see how this plugin was different from others, such as my favourite tool: Tamper Data. In the end, the tool is much more like WhiteAcid's XSS Assistant.
The tool, which will be available on Nov 26 from SecurityCompass.com, allows you to assign static variables to certain form fields and then XSS the rest of them... testing for a variety of types of XSS, and allowing you to insert your own. They provided video demonstrations of the tool, which will be released under the GPL, and I can't wait to get my hands on it to play with.
The first half of the talk, leading up to the tool release took a look at problems with current testing tools, which are primarily proxy based (such as Tamper Data). It also explained CSRF, XSS and SQL Injection. The second half was demos of both tools, XSS-Me and SQL Inject Me... as well as a brief discussion of limitations/future improvements and other planned tools.
I'm very excited to see what happens to these tools, especially once they hit the hands of web app geeks everywhere. I was also genuinely impressed by the mention that SecurityCompass (the company at which both Nish and Rohit work) would be staffing someone to develop the Exploit-Me series of plugins.
Posted in Conferences / Training Sessions, IT, Reviews, Security at 10:56 pm by Tyler Reguly
SecTor Day #1
Speaker: Mike Shema
Presentation (pdf)
Audio (wmv)
Webapp worms and browser insecurity... exactly what I wanted to hear about. It was actually quite a tough call because at the same time as this talk, Joanna Rutkowska was speaking on 'Security Challenges in Virtualized Environments'. In the end, my interest in web security won out over my interest in VM security.
Mike is a rather bright guy in the web space with several books to his credit... his talk however left me a little on the disappointed side. That being said, I'm not sure that it's Mike's fault... I think that my expectations were a little high. I'm guessing that the presentation was a great overview for those without a background / interest in webapp security... for those that have always wanted to learn more, but weren't sure where to start. The talk did a great job of getting that across.
Essentially Mike did an overview of web security over the last 2-3 years, where it's been and where it could go. I picked up a few pieces of historic trivia and I'm pretty sure that the majority of the audience was rather pleased by the end.
Mike touched on research from individuals like Jeremiah Grossman, RSnake and pdp. I found the presentation to be like the sports on the 11 o'clock news. If you've come home and missed the games themselves, then it's a great way to inform yourself of what has happened and be prepared for tomorrow, but if you saw the games then you don't really find the update all that interesting. Which is why I think for a lot of people, Mike's talk was quite useful... a lot of people don't follow web app security on a day to day basis.
I had actually wanted to chat with Mike and find out more on his thoughts but unfortunately the jam-packed schedule prevented any post-talk chatting, and I never did track him down during the CheckPoint Reception... so Mike if you're reading this, fire me off an email.
Posted in Conferences / Training Sessions, IT, Reviews, Security at 10:33 pm by Tyler Reguly
SecTor Keynote
Speaker: Ira Winkler
Presentation (ppt)
It's lunch time, the food is great and the first day is on its way to being half over. Although I've never seen him talk before, I've heard the hype about Ira Winkler... a great speaker with an interesting background, I was really looking forward to this keynote... and it didn't disappoint.
Ira was full of stories... with his PowerPoint acting as more of a map. The story of an email saying, "Hello, I've finally gotten a company to agree to let me perform a pentest against their systems... what do I do now?" was good for a laugh but it also demonstrated a point... If you have to ask, you probably shouldn't be doing it... it also demonstrated a previous point about people 'not knowing how much they don't know'.
Another story looked at martial arts... That it's important to master the basics. Ira discussed how a white belt and a black belt both know the same moves, because there are only so many ways that you can punch, kick and block. It's the years of application, practice and theory that make it appear as though black belts know so much more than white belts. The same is true in computers and Ira pointed out that there are only two ways to hack a computer:
- Take advantage of configuration problems
- Take advantage of problems built into software
It boils down to being that basic, beyond that you are just honing your skill and your method.
One point that had to be left out because of time limitations, but whose accompanying story I would have liked to hear, was the 'Wizard of Oz' approach. In the story, everyone seeks out the great and almighty wizard, each for their own reason. What they find out when they find the wizard is that they all had everything they needed. Dorothy had the shoes, Lion had courage, Tinman had a heart and Scarecrow had a brain... they didn't know what they were looking for, so how could they know that they already had it.
The talk was captivating and a lot of fun... it was great to hear the stories... I definitely recommend looking through the slide deck... it loses a lot without the talk itself (although I believe the SecTor page will have the talk posted in the future [I'll link to it when it's posted]) but for now you can read through the slide deck from a past conference.
Posted in Conferences / Training Sessions, IT, Reviews, Security at 9:59 pm by Tyler Reguly
SecTor Day #1
Speaker: Rares Stefan
Presentation (ppt)
Audio (wmv)
This was the first talk that I attended. Based on what I saw, it was the smallest of the three rooms, however I can't be sure as every talk I attended was in the same room. I rather enjoyed the intimate nature of the setting... a small, yet packed, room made for a great presentation environment (at least it did on the attendee side).
The subject was TCP/IP Perversion and the presenter was Rares Stefan, the Chief Security Architect at Third Brigade. The talk centered around inline drivers that could be placed low enough in the stack that they could modify data being sent without the OS taking notice. The idea was focused around malware, but the demonstration slides made use of what I believe is internal Third Brigade software for testing/development (Note to any Third Brigade employees that read this: I'd love a chance to play with the software).
So here's an example of what was presented. You (192.168.1.100) fire up Wireshark and start sniffing, then you request a web page (Google.ca: 64.233.161.104):
Source: 192.168.1.100
Destination: 64.233.161.104
GET / HTTP/1.1
Host: www.google.ca
Connection: close
In Wireshark you see the request as you should, however the sniffer on the hub you are connected to sees the following request.
Source: 192.168.1.100
Destination: 82.165.158.149
POST / HTTP/1.1
Host: www.computerdefense.org
Connection: close
Data that has been inserted.
Your sniffer, and therefore any HIPS/HIDS that you have, will not have noticed this change. To any device further down the network (IDS/IPS/Proxy) this is a completely valid request. The network device hasn't seen the original message and your computer hasn't seen the modified message.
This was demonstrated/discussed using Pre-Vista Windows Operating Systems but that doesn't preclude Vista from the possibility of the same issues.
As I said in my SecTor Overview post, I had expected presentations that were quite a bit more technical. This presentation was actually great in that category... while the technical details weren't necessarily communicated, you could see what was happening in the debug window of the software used and the actions taking place in those images were quite interesting to watch.
The concept of malware that could do this is frightening. If I remember correctly, it was mentioned that presently there isn't any malware taking these sort of actions, but that doesn't mean that we won't see it in the future.
The talk ended up being a great way to start off Day #1, and struck me as a topic that I would love to delve deeper into.