Archive for the ‘Tools’ Category

Port Scanner Challenge: And the Winner is?

January 14th, 2008 7 comments

The other day I posted raw data comparing nmap, PortBunny and Unicornscan... I thought today I'd provide some of my thoughts on what the data shows us.

In the end I scanned 5 hosts running a variety of operating systems and I think I gave a fairly decent small scale spread and one initial comment I'd like to make is on the scanning of the HP LaserJet 4MV... While not all scanners found all the ports, they were all able to scan it... which I found fairly impressive... especially considering I've crashed it numerous times in the past playing with advanced options in port scanners and packet creation programs.

Now for the analysis... Was there a winner? At first I didn't think so... but once I created the graph it became fairly evident that there was. Before I declare the winner... let's take a look at what we saw.

Unicornscan

I was fairly impressed with unicornscan the first time I ran it... at least from a speed standpoint. That is, until I ran nmap and PortBunny. While unicornscan (on a standard scan, default ports) was able to provide consistent speeds... it was clear that on systems with fewer open ports there was a huge disadvantage in the design of unicornscan... the consistent speeds were still occurring. If we look at my shell box for example (Ubuntu 6.06 PPC on an old 350 MHz iMac), we see that unicornscan took what appears to be a respectable 9.2 seconds. However, nmap took only 1.5 seconds and PortBunny was less than a second at 0.7 seconds.

The full port scan also didn't bode well for unicornscan. On two hosts, the printer and the gateway, it failed to find any open ports... These are both slower systems (the older printer, and a soekris 486 for the gateway) so perhaps they couldn't keep up with the speed of the scan... or perhaps unicornscan was scanning too fast even for itself.

In the end, after seeing the results of nmap and PortBunny I was rather unimpressed with unicornscan.

nmap

I was quite impressed with nmap. During the default scan it tied PortBunny for the lowest number of missed ports (of course this is due primarily to the scanners' differing default port lists) and on a full port scan, it was the only scanner to find all open ports. In addition to having the lowest missed-port rate... it boasted the fastest times... coming in 17.5 minutes faster than PortBunny on a full port scan, and 16 seconds faster on a default scan.

Additionally, when I provided nmap with the '-T5 --max-retries 0' options, it blew PortBunny out of the water... it missed two more ports than PortBunny on one of the 5 hosts, however the time difference was 5.3 seconds to 74 seconds... nmap was 68.7 seconds faster.

PortBunny

Given all the hype surrounding PortBunny and the fact that it is a "Linux Kernel-Based Port Scanner" (which is supposed to work to its benefit), I was expecting great things... instead I was seriously disappointed. There wasn't a single scan where PortBunny fully outperformed nmap... You have to set nmap to a ridiculous scan speed (scanning "almost too fast") in order for PortBunny to even manage to find more ports than nmap, and then it takes ~15 times longer to find those 2 extra ports... Without those "almost too fast" options, nmap still performs faster than PortBunny and with more accuracy.

There was one host where PortBunny was able to outperform nmap, however that was with nmap doing a default scan... when timing options were adjusted, once again PortBunny failed to beat nmap.

Decision

When I started this challenge, I wasn't sure what the outcome would be... the only prediction I had was that unicornscan would be defeated by both PortBunny and nmap. This proved to be true... Between nmap and PortBunny, due to the hype around PortBunny and the claims that I had seen... I really wasn't sure. I expected it to be a close battle between the two... at most a TKO... but in the end it was a straight-up KO and in reality PortBunny was never really a contender.

Winner: nmap


Port Scanner Challenge: nmap, Unicornscan, PortBunny

January 13th, 2008 3 comments

There's been quite a bit of mention lately of PortBunny, the new port scanner from Recurity Labs. The scanner is Linux kernel-based and provides a TCP SYN Scan. I figured that I'd put the scanner to the test against nmap and Unicornscan.

Here's the rundown of the setup used:

Software + Version:

Scanning Host:
OS: Ubuntu 7.10
Kernel: 2.6.22-14-generic
Processor: Intel Pentium M 2.13 GHz
RAM: 1GB

Install Process:

  1. Obtain archive
  2. Extract archive
  3. ./configure *No custom config options used for any of the software*
  4. make
  5. make install

Tested via Python:
Test Script:

    import time, os

    def test(prog):
        # Run the scanner command line and report wall-clock execution time
        startTime = time.time()
        os.system(prog)
        endTime = time.time()
        print('Execution Time: %f' % (endTime - startTime))

Targets:

  • vista - Vista Home Premium
  • shell - Ubuntu 6.06.1 LTS (2.6.15-28-powerpc)
  • minibox - OS X 10.4.11
  • printer - HP LaserJet 4MV
  • gateway - m0n0wall 1.231

Scan Notes:

  • PortBunny requires an IP Address, it won't run against hostnames.
  • PortBunny doesn't sort the results list.
  • Unicornscan missed all ports on printer and gateway when scanning ports 1 - 65535.
  • PortBunny missed a port on printer when scanning ports 1 - 65535.
  • nmap missed 2 ports on printer when scanning with -T5 --max-retries 0.
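A sturdier version of the timing harness above, added here as an example and not the post's own script: it times a scanner with subprocess instead of os.system, extracts open ports from nmap's grepable output (-oG) and scores each scanner by the ports it missed relative to the union of what all scanners found, which is how the misses in the Scan Notes are counted. The sample output and the 192.0.2.10 address are constructed; unicornscan and PortBunny print different formats and would need their own parsers.

```python
import re
import subprocess
import time

# Constructed sample of nmap grepable output (-oG -); not a real scan result.
SAMPLE_NMAP_GREPABLE = (
    "# Nmap scan initiated as: nmap -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///\tIgnored State: closed (65532)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 1.50 seconds\n"
)

OPEN_TCP = re.compile(r"(\d+)/open/tcp")


def parse_nmap_grepable(text):
    """Set of open TCP ports reported in nmap -oG output (closed/filtered ignored)."""
    return {int(p) for p in OPEN_TCP.findall(text)}


def timed_run(argv):
    """Run one scanner command and return (elapsed seconds, stdout).
    perf_counter and subprocess.run replace time.time/os.system so the shell
    is not part of the measurement and the output can be captured for parsing."""
    start = time.perf_counter()
    proc = subprocess.run(argv, capture_output=True, text=True)
    return time.perf_counter() - start, proc.stdout


def missed_ports(results):
    """results maps scanner name -> set of ports it found. Each scanner is scored
    against the union of everything any scanner found, which is how the
    'missed a port' notes above are counted; the result is sorted per scanner."""
    union = set().union(*results.values())
    return {name: sorted(union - found) for name, found in results.items()}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample instead of a live scan.
    found = parse_nmap_grepable(SAMPLE_NMAP_GREPABLE)
    print("nmap open ports:", sorted(found))
    print("misses:", missed_ports({"nmap": found, "other scanner": {22, 80}}))
```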

Results:

Port Scanner Comparison

Raw Data, including ports found, after the jump.



rIP – Reverse IP Tool

January 10th, 2008 No comments

This is actually pretty cool... It's a new tool (Web-based) that came across the Web Application Security Consortium mailing list. Let's take a look at the tool in action first, example with ComputerDefense.org.

Showing records 1 - 13 out of 13 for www.computerdefense.org (82.165.158.149).

capri-beauty.com computerdefense.org
hometownssm.com hometowntoronto.com
htregz.com korahgrads.com
numerophobe.com pythongod.com
reguly.org securitybloggers.net
spammailbag.com themoviegeeks.net
topsykrett.com

Those are indeed the domains I own, that reside on the same IP as ComputerDefense.org. Currently the database is restricted to .com, .net and .org but it's still fairly impressive. A method of determining vhosts is a great asset to penetration testers and security researchers.

The tool is available from a group called CRUSH. It requires that you validate you aren't a bot via a text / colour based CAPTCHA, however after the first time, you are good to make subsequent requests.

I'm going to have fun playing with this tool, taking a look at certain companies / websites and seeing what other domains they host on the same server...


NetCat and LF vs CRLF

November 18th, 2007 5 comments

I was attempting to grab a web page via netcat the other day, and my GET / HTTP/1.0<enter><enter> appeared to simply hang. I mentioned this to a colleague who pointed out that netcat only sends line-feed (LF / 0x0A), not carriage-return line-feed (CRLF / 0x0D0A). I did some playing around and it turns out that you can simulate CRLF while using *nix by sending the following Ctrl+V<enter><enter>. Ctrl+V<enter> is translated into CR and then <enter> alone sends the expected LF.

This unfortunately doesn't work in Windows, so I'll pose a question to my readers. Does anyone know of a way to simulate CRLF using netcat in Windows?
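The bytes behind the symptom, as an added example rather than anything from the original post: a server that insists on CRLF line endings never sees the end of the header block in an LF-only request and keeps waiting, which is the hang described above. The functions below classify each terminator in a captured request and rewrite bare LF to CRLF, so the request can be built from explicit bytes instead of relying on what a terminal happens to send.

```python
# What netcat sends for "GET / HTTP/1.0<enter><enter>" on *nix (bare LF),
# next to what HTTP specifies (CRLF). Both are constructed here, not captured.
REQUEST_LF_ONLY = b"GET / HTTP/1.0\n\n"
REQUEST_CRLF = b"GET / HTTP/1.0\r\n\r\n"


def headers_complete(buf, strict=True):
    """True once the request's header block is terminated.
    A strict server waits for CRLF CRLF; a lenient one also accepts LF LF,
    which is why the LF-only request hangs on some servers and not others."""
    if b"\r\n\r\n" in buf:
        return True
    return (not strict) and b"\n\n" in buf


def line_endings(buf):
    """Classify every line terminator in buf as 'CRLF' or 'LF'."""
    return ["CRLF" if line.endswith(b"\r") else "LF"
            for line in buf.split(b"\n")[:-1]]


def to_crlf(buf):
    """Rewrite bare LF terminators to CRLF without doubling existing CRs."""
    return buf.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


if __name__ == "__main__":
    for name, req in (("LF only", REQUEST_LF_ONLY), ("CRLF", REQUEST_CRLF)):
        print(name, req, line_endings(req),
              "strict server sees end of headers:", headers_complete(req))
```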


New IDA Pro Freeware

November 3rd, 2007 No comments

Previously, I've written about IDA Pro freeware, which at the time was IDA Pro 4.3. It seems that the folks at DataRescue have decided to release a new version. IDA Pro 4.9 is now available as freeware and as they point out, it lacks the functionality of IDA Pro 5.x but it's still a fairly recent version to work with. Anyone interested can grab it from the DataRescue IDA Pro Freeware page. It'll go quite nicely with the new Reverse Engineering Code with IDA Pro book that was recently released by Syngress. Unfortunately, it won't be available in Canada until mid-November (at least via Chapters.ca) and that was who I had ordered it with, so I'll be waiting a little bit still. Either way, happy reversing with IDA Pro 4.9 Freeware.


Interesting Issue with Silc

October 5th, 2007 3 comments

I decided to buy a hosted VPS the other day and I'm still in the process of setting everything up and ironing out the kinks. I finally got around to installing some software, which included silc. For those of you that don't know, silc is like encrypted IRC.

So when you get a VPS they give you root access and it's up to you to configure / lock down the system however you want. So the first thing I did was create a user account. I created the account htregz (some of you may remember it's what I originally posted under here, and it's a name I generally use)... I set up silc (which involves providing a passphrase so that a keypair can be generated). It worked without a hitch and I connected to a few of the silc networks I occasionally visit. However, I decided that I'd use ht instead of htregz, so I created a new account, removed the htregz account and connected as ht. Again I went to run silc, so that I could provide a passphrase... however this time errors were generated. I tried a couple of things but nothing was successful, so I removed the ht account and recreated the htregz account. Again with the htregz login I was able to get silc up and running without a hitch. At this point I was intrigued so I created a dummy account with a two-letter username (te for test). The te account was created exactly the same as the htregz account.

[root@XXX /]# useradd -G wheel -m -s /bin/bash htregz
[root@XXX /]# passwd htregz
Changing password for user htregz.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@XXX /]# useradd -G wheel -m -s /bin/bash te
[root@XXX /]# passwd te
Changing password for user te.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@XXX /]#

I logged in as te and once again, I couldn't get silc up and running... the error message was:

[te@XXX ~]$ silc
Could not create public key identifier: Success
Could not create public key identifier: Success
Wrong permissions in your private key file `/home/te/.silc/private_key.prv'!
Trying to change them ... Failed to change permissions for private key file!
Permissions for your private key file must be 0600.

Apparently silc cannot successfully handle two-character usernames.

For those that are wondering about my version of silc, it is:

SILC Client 1.1.2 (Irssi base: 0.8.11+ - SILC base: SILC 1.1.2) (20070704 20070704)


VMware Releases Open VM Tools

September 12th, 2007 No comments

Chalk one up for VMware... One of the (minor) problems with VMware is that getting VMware Tools installed reliably in a VM can be a bit of a pain... some *nix distributions just don't play nice. VMware has responded to this problem by releasing an open source version of VMware Tools called Open VM Tools.

Functionality includes:

* File transfer between a host and guest
* Improved memory management and network performance under virtualization
* General mechanisms and protocols for communication between host and guests and from guest to guest


Random sites… ya gotta love them.

August 5th, 2007 4 comments

So I was surfing the net today, and a "sponsor site" on one of the random pages I landed on was BananaSecurity.com. I had to check it out with a name like that, so I browsed on over. They advertise interesting software... essentially it's screen saver biometrics using a web cam. When your face is recognized, the BananaSecurity screensaver unlocks your computer. Now in their "Notice" link they refer to themselves as BS, which leads me to "trust" the product. The concept seems interesting, but is it really there?

So... has anyone been to BananaSecurity.com before? and better yet has anyone tried out the software? I'm looking for thoughts and opinions...


Grisoft Releases Free Anti-Rootkit Software

April 10th, 2007 No comments

I, for one, have always been impressed with Grisoft's products. Their free AVG Anti-Virus is on par with any paid offerings from their competitors and, in many cases, it's better. It's also much less of a resource hog. So I was actually quite excited when I saw a press release today (yesterday now I suppose) from Grisoft stating that they were offering Anti-Rootkit software. While I haven't tried the software myself, I'd encourage everyone to give it a try and see how it works. Feel free to share your feedback as well.

Press Release Snip:

"Rootkits are computer code that attempt to hide their actions and processes, making the job of detecting the code and the harmful processes very difficult," explains Larry Bridwell, Global Security Strategist of GRISOFT. "AVG Anti-Rootkit is developed to detect and destroy rootkits effectively, without bothering users with false alarms."

Note: I said "yesterday now" because I typed this at 12:35 on the 11th, but apparently the server time is off because this showed up as 11:35 on the 10th.


“Hex Dump Port Forwarding Network Proxy Server”

April 10th, 2007 No comments

I know, it's a mouthful and a little repetitive but I didn't name it. One of the RSS feeds that I subscribe to is the ASPN Python Cookbook. The recipe (source as text here) that was listed today was quite cool and useful. It's a small proxy server that dumps the hex output of the traffic that passes through it. It relies on the Twisted network libraries and may be a little rough around the edges, but it looks quite interesting. It's like combining simpleproxy and tcpdump, without the ability to generate nice pcap files to load into Wireshark.

Sample Output:

you@oslo $ hexproxy.py 8080:www.google.com:80

2007-02-18 17:47:11,217 INFO listening on 8080 -> www.google.com:80
2007-02-18 17:47:11,217 INFO ready (Ctrl+C to stop)
2007-02-18 17:47:18,265 INFO client 11389528 opened connection -> server www.google.com:80
2007-02-18 17:47:18,312 INFO client 11389528 -> server www.google.com:80 (401 bytes)
-> 0000   47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A    GET / HTTP/1.1..
-> 0010   48 6F 73 74 3A 20 6F 73 6C 6F 3A 38 30 38 30 0D    Host: oslo:8080.
-> 0020   0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A    .User-Agent: Moz
-> 0030   69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77    illa/5.0 (Window
-> 0040   73 3B 20 55 3B 20 57 69 6E 64 6F 77 73 20 4E 54    s; U; Windows NT
-> 0050   20 35 2E 30 3B 20 65 6E 2D 55 53 3B 20 72 76 3A     5.0; en-US; rv:
-> 0060   31 2E 38 2E 31 2E 31 29 20 47 65 63 6B 6F 2F 32    1.8.1.1) Gecko/2
-> 0070   30 30 36 31 32 30 34 20 46 69 72 65 66 6F 78 2F    0061204 Firefox/
-> 0080   32 2E 30 2E 30 2E 31 0D 0A 41 63 63 65 70 74 3A    2.0.0.1..Accept:
-> 0090   20 74 65 78 74 2F 78 6D 6C 2C 61 70 70 6C 69 63     text/xml,applic
-> 00A0   61 74 69 6F 6E 2F 78 6D 6C 2C 61 70 70 6C 69 63    ation/xml,applic
-> 00B0   61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C    ation/xhtml+xml,
-> 00C0   74 65 78 74 2F 68 74 6D 6C 3B 71 3D 30 2E 39 2C    text/html;q=0.9,
-> 00D0   74 65 78 74 2F 70 6C 61 69 6E 3B 71 3D 30 2E 38    text/plain;q=0.8
-> 00E0   2C 69 6D 61 67 65 2F 70 6E 67 2C 2A 2F 2A 3B 71    ,image/png,*/*;q
-> 00F0   3D 30 2E 35 0D 0A 41 63 63 65 70 74 2D 4C 61 6E    =0.5..Accept-Lan
-> 0100   67 75 61 67 65 3A 20 65 6E 2D 75 73 2C 65 6E 3B    guage: en-us,en;
-> 0110   71 3D 30 2E 35 0D 0A 41 63 63 65 70 74 2D 45 6E    q=0.5..Accept-En
-> 0120   63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 64 65 66    coding: gzip,def
-> 0130   6C 61 74 65 0D 0A 41 63 63 65 70 74 2D 43 68 61    late..Accept-Cha
-> 0140   72 73 65 74 3A 20 49 53 4F 2D 38 38 35 39 2D 31    rset: ISO-8859-1
-> 0150   2C 75 74 66 2D 38 3B 71 3D 30 2E 37 2C 2A 3B 71    ,utf-8;q=0.7,*;q
-> 0160   3D 30 2E 37 0D 0A 4B 65 65 70 2D 41 6C 69 76 65    =0.7..Keep-Alive
-> 0170   3A 20 33 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F    : 300..Connectio
-> 0180   6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D    n: keep-alive...
-> 0190   0A                                                 .

2007-02-18 17:47:18,453 INFO client 192.168.1.12:1722 <- server www.google.com:80 (1357 bytes)
<- 0000   48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D    HTTP/1.1 200 OK.
<- 0010   0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20    .Cache-Control:
<- 0020   70 72 69 76 61 74 65 0D 0A 43 6F 6E 74 65 6E 74    private..Content
<- 0030   2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C    -Type: text/html
<- 0040   0D 0A 53 65 74 2D 43 6F 6F 6B 69 65 3A 20 50 52    ..Set-Cookie: PR
...
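A small re-implementation of the idea, added here as an example and not the cookbook recipe itself: hexdump() reproduces the row format shown above, and the surrounding asyncio code (used instead of Twisted) forwards a TCP connection to the target and logs each chunk in both directions. The listenport:host:port argument form follows the sample run above.

```python
import asyncio
import logging
import sys

log = logging.getLogger("hexproxy")

def hexdump(data, direction="->", width=16):
    """Format bytes like the recipe's output above:
    '<dir> <offset>   <16 hex bytes>    <printable ASCII, dots elsewhere>'."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02X" % b for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%s %04X   %s    %s" % (direction, off, hexpart, text))
    return "\n".join(rows)

async def pump(reader, writer, direction, label):
    """Copy one direction of the connection, dumping every chunk as it passes."""
    try:
        while True:
            data = await reader.read(4096)
            if not data:
                break
            log.info("%s (%d bytes)\n%s", label, len(data), hexdump(data, direction))
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_reader, client_writer, host, port):
    """Accept a client, connect to the real server, pump both directions."""
    server_reader, server_writer = await asyncio.open_connection(host, port)
    log.info("client opened connection -> server %s:%d", host, port)
    await asyncio.gather(
        pump(client_reader, server_writer, "->", "client -> server"),
        pump(server_reader, client_writer, "<-", "client <- server"))

async def serve(listen_port, host, port):
    server = await asyncio.start_server(
        lambda r, w: handle(r, w, host, port), "127.0.0.1", listen_port)
    log.info("listening on %d -> %s:%d", listen_port, host, port)
    await server.serve_forever()

if __name__ == "__main__":
    # Same argument form as the recipe: hexproxy.py 8080:www.example.com:80
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    lport, thost, tport = sys.argv[1].split(":")
    asyncio.run(serve(int(lport), thost, int(tport)))
```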

			