Softpanorama


Semi-forgotten Port Scanning News ;-)

Syverson, Paul F., Gene Tsudik, Michael G. Reed and Carl E. Landwehr, "Towards an Analysis of Onion Routing Security," Workshop on Design Issues in Anonymity and Unobservability Berkeley, CA, July 2000. PostScript, PDF

This paper presents a security analysis of Onion Routing, an application independent infrastructure for traffic-analysis-resistant and anonymous Internet connections. It also includes an overview of the current system design, definitions of security goals and new adversary models.

Syverson, Paul F., Michael G. Reed, and David M. Goldschlag, "Onion Routing Access Configurations," DISCEX 2000: Proceedings of the DARPA Information Survivability Conference and Exposition, Volume I Hilton Head, SC, IEEE CS Press, January 2000, pp. 34--40. PostScript, PDF

Onion Routing is an infrastructure for private communication over a public network. It provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. Thus it hides not only the data being sent, but who is talking to whom. Onion Routing's anonymous connections are bidirectional and near real-time, and can be used anywhere a socket connection can be used. Proxy aware applications, such as web browsing and e-mail, require no modification to use Onion Routing, and do so through a series of proxies. Other applications, such as remote login, can also use the system without modification. Access to an onion routing network can be configured in a variety of ways depending on the needs, policies, and facilities of those connecting. This paper describes some of these access configurations and also provides a basic overview of Onion Routing and comparisons with related work.

MAINNERVE - FFT - alternative TCP-based traceroute

About: FFT is an alternative traceroute program for displaying the route packets take to an IP network host. Unlike Van Jacobson's traceroute, which is available on almost every platform today, FFT uses TCP probes in order to elicit ICMP TIME_EXCEEDED or TCP RST responses. As a result, FFT often executes much faster and sees behind some configurations of packet-filter-based firewalls.

Changes: Manual or automatic network device selection, status suppression, and better looks when automated through a Web form. FFT is now truly a traceroute replacement.

Neohapsis Archives - NTBugtraq - Re W2K DNS port usage changes - From [email protected]

Subject: W2K DNS port usage changes
From: Russ ([email protected])
Date: Tue Mar 21 2000 - 15:03:28 EST

Problem:

Windows 2000 Server or Advanced Server DNS Service uses dynamic UDP ports (above 1023) for all standard query messages.

For a W2K DNS server which is facing the Internet (acting as primary for zones, or performing root server lookups for client requests) being protected (at least in part) by router Access Control Lists (ACLs), it must now permit unrestricted UDP inbound access to any high UDP port on the W2K DNS box in order for it to work.

Note, this is a change from NT 4.0 DNS server which always performed all such lookups using UDP 53 as a source port (thereby allowing router ACLs to restrict access to port UDP 53 on the DNS server.)

I have not checked to see if this is, or isn't, in line with current DNS RFCs. What it means, however, is that a UDP port scan can be performed on any W2K box with a DNS configured as above (which is being protected, at least in part, by router ACLs) as long as the source port of the scan is UDP 53. Since RPC is still in use on W2K, numerous services may be listening on high UDP ports which you wouldn't want interrogated.

I would be interested to hear about other DNS servers and whether they use dynamic source ports for such queries.

Status:

Microsoft had implemented a registry key that would permit you to restrict the source port on the DNS server to a single port. The "SendPort" key was intended to serve this functionality, however, it doesn't work...;-[  Microsoft are researching a fix (presumably fixing whatever is broken in the "SendPort" functionality).

Meanwhile, might be wise to ensure that your Internet-facing DNS server isn't running Windows 2000.
Cheers,
Russ - NTBugtraq Editor
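The filtering problem Russ describes can be made concrete with a small model. The example below is an added illustration, not part of the NTBugtraq post: it compares the only stateless router ACL that lets a dynamic-source-port resolver work ("permit UDP from source port 53 to any high port"), the narrow ACL that a fixed source port 53 (what NT 4.0 did and what "SendPort" was meant to restore) would allow, and a stateful filter that admits a datagram only when it mirrors a query the server actually sent. The addresses, port numbers and packets are constructed for the demonstration, and the class and function names are this example's own.

```python
# Added example (not from the NTBugtraq post): stateless vs stateful filtering
# of UDP replies to a DNS server that uses dynamic source ports.
from dataclasses import dataclass

DNS_SERVER = "192.0.2.10"   # constructed address of the Internet-facing DNS server


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def stateless_acl_allows(pkt: UdpPacket) -> bool:
    """Rule a router ACL needs when the resolver queries from random high ports:
    permit any UDP datagram from source port 53 to any port above 1023.
    It cannot distinguish a genuine reply from an unsolicited probe that simply
    sets its source port to 53."""
    return pkt.dst_ip == DNS_SERVER and pkt.dst_port > 1023 and pkt.src_port == 53


def fixed_port_acl_allows(pkt: UdpPacket) -> bool:
    """Rule that suffices when the server always queries from source port 53
    (NT 4.0 behaviour, or a working SendPort setting): replies can only arrive
    at UDP 53, so every other port stays closed to the outside."""
    return pkt.dst_ip == DNS_SERVER and pkt.dst_port == 53 and pkt.src_port == 53


class StatefulUdpFilter:
    """Admits an inbound datagram only if it answers an outbound query recorded
    earlier; one reply is consumed per query, so replays are dropped too."""

    def __init__(self) -> None:
        self._pending: set = set()

    def outbound(self, pkt: UdpPacket) -> None:
        # Store the mirrored 4-tuple the reply must carry.
        self._pending.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))

    def inbound_allowed(self, pkt: UdpPacket) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self._pending:
            self._pending.discard(key)
            return True
        return False


def demo() -> dict:
    """Run one legitimate query/reply pair and one unsolicited source-port-53
    datagram through all three policies. Returns a dict of verdicts."""
    filt = StatefulUdpFilter()
    # Constructed traffic: our server asks 198.51.100.1 from ephemeral port 2049 ...
    query = UdpPacket(DNS_SERVER, 2049, "198.51.100.1", 53)
    filt.outbound(query)
    # ... and the genuine reply comes back to that port.
    reply = UdpPacket("198.51.100.1", 53, DNS_SERVER, 2049)
    # An unsolicited datagram aimed at some other high port, source port 53.
    unsolicited = UdpPacket("203.0.113.5", 53, DNS_SERVER, 1434)
    return {
        "reply_stateless": stateless_acl_allows(reply),
        "reply_stateful": filt.inbound_allowed(reply),
        "reply_replayed_stateful": filt.inbound_allowed(reply),
        "unsolicited_stateless": stateless_acl_allows(unsolicited),
        "unsolicited_fixed_port": fixed_port_acl_allows(unsolicited),
        "unsolicited_stateful": filt.inbound_allowed(unsolicited),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'ALLOW' if verdict else 'DROP'}")
```

The stateless rule passes both the reply and the unsolicited datagram, which is exactly the exposure of high UDP ports the post describes; the fixed-port rule drops the unsolicited one because nothing but UDP 53 is reachable; the stateful filter passes only the reply it has a record for and drops the replay as well. Note that `fixed_port_acl_allows` is only safe if the server really does send from port 53, which is the part the post reports as broken on W2K.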

Strategic Scanning and Assessments of Remote Hosts (SSARH) -- a pretty basic guide to remote scanning.

This paper is being written for security administrators in hopes that they will be able to notice security flaws in their networks and systems. Be it known that this paper is NOT a hacking text and we will not go into the topic of compromise, but this will show our target audience how to begin a strategic attack on a remote host. We will cover basic assessment techniques involving open ports, RPC Services, open mount points, and various ways to 'gain' information on your target before the actual attempt at compromise.

[Jan 6, 2001] Network Computing Feature: Security Vulnerability Assessment Scanners, January 8, 2001, by Jeff Forristal and Greg Shipley (Network Computing)

Some of us were a bit skeptical of the open-source Nessus project's thoroughness until it discovered the greatest number of vulnerabilities. That's a hard fact to argue with, and we are now eating our words. Nessus identified every hole that we set up, with the exception of some Sendmail 8.7.1 buffer overflow (HP-UX) and the problems with our wu-ftpd 2.4.2 (academic) Beta 18 (Linux) deployment. Make no mistake, these are not small holes; either of them could be used to compromise your environment. However, Nessus Security Scanner still got the highest overall score simply because it did more things right than the other products.

Nessus Security Scanner's architecture is a little different from the other scanners we tested, as it uses a client/server model. This allows a central server to do all the scanning while results are monitored and reviewed on distributed administrative clients. The scanning engine is Unix-based, while the administrative consoles can be run under Windows or Unix X Windows. Nessus Security Scanner supports command-line interaction as well. During our testing, however, we ran both the console and the engine on a single machine running Linux. Another difference is that not only is Nessus Security Scanner open source, but the architecture for creating vulnerability checks is quite open as well. Nessus uses a scripting language called NASL (Nessus Attack Scripting Language), which lets mere mortals actually create vulnerability configuration checks. While creating checks in NASL is not a piece of cake, it's not rocket science either.

On the reporting front, Nessus Security Scanner tends to fall a little short, and the GUI could be a little better organized. For example, all found vulnerabilities in the GUI are indexed by port and system, which is a real pain in the butt when you're delegating remediation efforts.

Once we discovered how to export information to an HTML report, however, we found that the data was a lot easier to work with than when it was in the GUI.

One thing we particularly like is Nessus Security Scanner's "honesty" when it guesses about vulnerabilities and possibly presents inaccurate data. For example, if the product made an assumption about a particular service that might not be entirely accurate, it warned us of this assumption. This is much appreciated, especially after wading through pages and pages of false positives generated by products like CyberCop Scanner. If the people contributing to the Nessus project beef up the reporting mechanism with regard to product fixes and add some more vulnerability checks, Nessus Security Scanner could easily surpass its commercial competitors--products such as CyberCop Scanner and Internet Scanner--in more than just finding vulnerabilities.

Found 15 out of 17 vulnerabilities -- Nessus Security Scanner, www.nessus.org.

Scanning for Systems on Subnets. By Sandra Henry-Stocker

In this issue, we're going to build a script that describes a subnet -- including the network address, subnet mask, and all available IP addresses. Next week, we will follow up on this by examining how this information can then be used, along with some other tools, to collect information about each of the systems. In short, we will be providing some rudimentary discovery tools used to verify a network's configuration or to build a basic network map.

The shownet script requests that the user provide a network address in the form 10.11.12.0/28 where 10.11.12.0 represents the network address (or the address of one particular host in the subnet) and the 28 signifies the number of bits devoted to the network portion of the address. In this particular example, the host portion of the address uses 4 bits (32 - 28). Hence, each subnet comprises 16 different addresses -- two reserved for the network and broadcast addresses and 14 available for host addresses.

Although written to work with class C and smaller networks, the script could be modified for networks of arbitrary size. On the other hand, the idea of generating more than 16 million IP addresses is less than appealing, and situations that define subnets with more than 256 hosts are undoubtedly much rarer than subnets smaller than 256 hosts.


------------------------------ cut here --------------------------------
#!/usr/bin/perl -w
# gen_addrs: generate IP addresses based on network and netmask
print STDOUT "Please enter a network address? ";
$addr = <STDIN>;
chomp($addr);
if ($addr =~ /\//) {
    ($net,$mask) = split /\//, $addr;
} else {
    print "You must enter network address in 1.2.3.4/24 format\n";
    exit;
}
# separate bytes in address
($b1,$b2,$b3,$b4) = split /\./, $net;
# determine how many bits used for host addresses and subnet ranges
$bits = 32 - $mask;            # number of host bits
$bytes = int($mask / 8);       # whole bytes in the network portion
$numhosts = 2 ** $bits - 2;    # minus the network and broadcast addresses
$netaddr = "";
if ($bytes < 3) {
    print "sorry -- this script does not handle larger than class C networks\n";
    exit;
}
$incr = 2 ** $bits;            # size of one subnet within the last byte
# find network address: the highest subnet boundary not above $b4
for ($net = 0; $net <= 252; $net = $net + $incr) {
    if ($b4 >= $net) {
        $host = $net;
    }
}
$network = $b1 . "." . $b2 . "." . $b3 . ".";
$netaddr = $network . $host;
$bc = $host + $numhosts + 1;
$bcast = $b1 . "." . $b2 . "." . $b3 . "." . $bc;
# the address list is written to a file named after the network address
open (ADDRS, ">$netaddr") or die "cannot write $netaddr: $!\n";
print ADDRS ": netaddress: $netaddr\n";
print ADDRS ": bcast: $bcast\n";
print ADDRS ": numhosts: $numhosts\n";
print ADDRS ": ===========================\n";
for ($n = 1; $n <= $numhosts; $n++) {
    ++$host;
    $nextaddr = $network . $host;
    print ADDRS "$nextaddr\n";
}
++$host;
print "Your output is in $netaddr\n";
close (ADDRS);
------------------------------ cut here --------------------------------

First, our script determines the starting point -- the network address. If the least significant byte of the address fed to the script is not a 0 or a power of 2, then it is assumed to be the address of a particular host in the network. Based on this value and the subnet's size, the script determines the network address. Next, the script prints the network address, subnet mask, and the number of hosts before deriving and printing the address for each of the hosts.


boson% ./shownet
Please enter a network address? 1.2.3.4/28
Your output is in 1.2.3.0
boson% more 1.2.3.0
: netaddress: 1.2.3.0
: bcast: 1.2.3.15
: numhosts: 14
: ===========================
1.2.3.1
1.2.3.2
1.2.3.3
1.2.3.4
1.2.3.5
1.2.3.6
1.2.3.7
1.2.3.8
1.2.3.9
1.2.3.10
1.2.3.11
1.2.3.12
1.2.3.13
1.2.3.14
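The column notes that the script could be modified for networks of arbitrary size. The following is an added example, not Sandra Henry-Stocker's script: it performs the same network/broadcast/host-count computation with bit masks, so the network address falls out of a single AND instead of a loop over subnet boundaries, any prefix length from /0 to /32 is accepted, and the host addresses are produced by a generator rather than a list (a /8 would otherwise mean 16 million entries in memory). It also handles the /31 and /32 cases, which have no reserved network and broadcast addresses, and cross-checks its results against Python's `ipaddress` module. All function names are this example's own.

```python
# Added example (not the column's Perl script): subnet description with bit
# masks for any prefix length, plus a lazy host-address generator.
import ipaddress
import sys
from typing import Iterator


def ip_to_int(addr: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe_subnet(cidr: str) -> dict:
    """Return network, netmask, broadcast, prefix and usable host count for a.b.c.d/n.

    As with the Perl script, any host address inside the subnet may be given;
    masking off the host bits yields the network address directly.
    """
    addr, _, prefix_s = cidr.partition("/")
    if not prefix_s:
        raise ValueError("expected address in 1.2.3.4/24 format")
    prefix = int(prefix_s)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    net = ip_to_int(addr) & mask
    bcast = net | (~mask & 0xFFFFFFFF)
    # /31 (RFC 3021 point-to-point links) and /32 have no separate
    # network/broadcast addresses, so nothing is subtracted for them.
    numhosts = 2 ** host_bits - 2 if host_bits >= 2 else 2 ** host_bits
    return {
        "network": int_to_ip(net),
        "netmask": int_to_ip(mask),
        "broadcast": int_to_ip(bcast),
        "prefix": prefix,
        "numhosts": numhosts,
    }


def host_addresses(cidr: str) -> Iterator[str]:
    """Yield the usable host addresses one at a time, in ascending order."""
    info = describe_subnet(cidr)
    net, bcast = ip_to_int(info["network"]), ip_to_int(info["broadcast"])
    first, last = (net, bcast) if info["prefix"] >= 31 else (net + 1, bcast - 1)
    for n in range(first, last + 1):
        yield int_to_ip(n)


def matches_stdlib(cidr: str) -> bool:
    """Cross-check the hand-rolled arithmetic against ipaddress.ip_network."""
    ours = describe_subnet(cidr)
    ref = ipaddress.ip_network(cidr, strict=False)
    return (ours["network"] == str(ref.network_address)
            and ours["broadcast"] == str(ref.broadcast_address)
            and ours["netmask"] == str(ref.netmask))


if __name__ == "__main__":
    # Same report layout as the column's script, printed to stdout.
    target = sys.argv[1] if len(sys.argv) > 1 else "1.2.3.4/28"
    info = describe_subnet(target)
    print(f": netaddress: {info['network']}")
    print(f": bcast: {info['broadcast']}")
    print(f": numhosts: {info['numhosts']}")
    print(": ===========================")
    for host in host_addresses(target):
        print(host)
```

Run with `python3 gen_addrs.py 1.2.3.4/28` to reproduce the 1.2.3.0 report shown above; with `10.11.12.0/28` it prints the 14-host range the column's text describes.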

Dsniff 2.3 Dsniff is a suite of sniffing tools for penetration testing. http://www.monkey.org/~dugsong/dsniff. See also SecurityPortal - The End of SSL and SSH -- the usual pretty superficial analysis from Kurt Seifried -- the paper that switch manufacturers would be happy to sponsor :-)

Changes: add VRRP parsing to Dsniff, from Eric Jackson. Require pcap filter argument for tcpkill, tcpnice. Add Microsoft PPTP MS-CHAP (v1, v2) parsing to dsniff, based on anger.c by Aleph One. Fix pcAnywhere 7, 9.x parsing in dsniff. Add -t trigger[,...] flag to dsniff, to specify individual triggers on the command line. Convert most everything to use the new interface.

New programs: dnsspoof, msgsnarf, sshmitm, webmitm.

Fix inverted regex matching in *snarf programs. Consistent arpspoof, macof, tcpnice, tcpkill output. Rename arpredirect to arpspoof (maintain consistent *sniff, *snarf, *spoof, *spy nomenclature). Consistent pcap filter argument to dsniff, *snarf programs. Add trigger for Checkpoint Firewall-1 Session Authentication Agent (261/TCP), as suggested by Joe Segreti.

Add SMTP parsing to dsniff, as requested by Denis Ducamp. Add rexec and RPC ypserv parsing to dsniff, as requested by Oliver Friedrichs. Add HTTP proxy auth parsing back to dsniff, it got lost in the shuffle, reported by Denis Ducamp. Add NNTPv2 and other AUTHINFO extensions to dsniff.

CiscoAuditingTool g0ne <g0ne at shell.scrypt.net> - May 23rd 2000, 22:30 EST

Cisco Auditing Tool is a Perl script which scans cisco routers for common vulnerabilities. It checks for default passwords, easily guessable community names, and the IOS history bug. Includes support for plugins and scanning multiple hosts.

LinuxPR: Insecure.Org announces immediate, free availability of Nmap Security Scanner 2.50 [May 1, 2000]

strobe version 1.03

Strobe is a security/network tool that locates and describes all listening TCP ports on a (remote) host or on many hosts, in a manner that maximizes bandwidth utilization and minimizes process resources.
Location of original:
ftp://suburbia.apana.org.au/pub

Shadow Scan Home pages -- Interesting scanner [Russian]. Shadow Advantis Administrator Tools - Ping (SSPing), Port Scanner, IP Scanner, Site Info (intended for fast identification of services running on the host), Network Port Scanner, Tracert, Telnet, Nslookup, Finger, Echo, Time, UDP test, File Info, Compare File, Netstat, SysInfo, Crypt, Crc File, DBF view/edit, DiskInfo, NTprocess, Keyboard test, DNS info. Shadow Hack and Crack - WinNuke, Mail Bomber, POP3, HTTP, SOCKS, FTP Crack (password determination by brute-force search), Unix password Crack, Finger over SendMail, Buffer Overflow, Smb Password Check, CRK Files. Also ShadowPortGuard - code for detecting connections on a certain port - has some interesting possibilities.




Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March 12, 2019