<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>binpoint.com &#187; How To</title>
	<atom:link href="http://binpoint.com/category/how-to/feed/" rel="self" type="application/rss+xml" />
	<link>http://binpoint.com</link>
	<description>A Security Blog (Stirred with Geek Life)</description>
	<lastBuildDate>Wed, 09 Jun 2010 02:02:18 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Network Scanning with nmap</title>
		<link>http://binpoint.com/2010/04/network-scanning-with-nmap/</link>
		<comments>http://binpoint.com/2010/04/network-scanning-with-nmap/#comments</comments>
		<pubDate>Thu, 29 Apr 2010 05:50:17 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[How To]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Unix]]></category>
		<category><![CDATA[nmap]]></category>
		<category><![CDATA[pentesting]]></category>
		<category><![CDATA[scanning]]></category>

		<guid isPermaLink="false">http://binpoint.com/?p=653</guid>
		<description><![CDATA[Shopping List Before we start, make sure you have the following ingredients ready to go: Fyodor’s nmap – The true king of network scanners OpenVAS – The glamor queen of vulnerability assessors Start Here The first thing you need to determine is if you will be performing a black box test or a glass box [...]


]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-full wp-image-707" title="nmap_pic1" src="http://binpoint.com/wp-content/uploads/2010/04/nmap_pic1.png" alt="" width="367" height="212" /></p>
<p><strong>Shopping List</strong><br />
Before we start, make sure you have the following ingredients ready to go:</p>
<ul>
<li>Fyodor’s <a href="http://nmap.org/">nmap</a> – The true king of network scanners</li>
<li><a href="http://www.openvas.org/">OpenVAS</a> – The glamor queen of vulnerability assessors</li>
</ul>
<p><strong>Start Here</strong><br />
The first thing you need to determine is if you will be performing a black box test or a glass box (often referred to as crystal box) test. I will only quickly go over the differences here.</p>
<p><strong>The Fairest Box of All</strong><br />
Black box testing is the &#8220;simplest&#8221; as you are only provided the IP addresses in scope of the assessment. That’s it. You are not told how many Windows systems to expect, how many firewalls may be in your way, or even whether an IPS may shut down your scan if you are too aggressive with your timing options (we’ll touch on that later in this article). It is difficult to accurately predict how long this may take as the composition of every network is different. An extreme example: if you are scanning through ocean floor fiber, it could take quite some time when each packet suffers 250 ms+ latency.</p>
<p>Glass box testing is typically much quicker to perform because your client provides architectural details of how the network is bolted together. It’s best to ask for network diagrams plus a real live human being to help you decipher them. (I mean seriously, how many UML network diagrams have you seen?) This matters because the diagrams may use abbreviations unknown to you, may not align closely with reality, and any labels scribbled on by hand are subject to the lost art that is penmanship. Err, graphmanship.</p>
<p><strong>Scope Up!</strong><br />
Once the transparency of your target environment is agreed upon, you will need to define which portions of the target organization’s network are within scope for the assessment.</p>
<p>Ask for hosts which must NOT be scanned because they will fall over (seize up) due to poor IP/TCP stack implementations or other programming bugs. Place these into “exclude.list”.</p>
<p>Place the authorized IP address ranges and domains you were provided into “inscope.list”.</p>
<p><strong>Just a Minor Technicality</strong><br />
Ok, we are now ready to dominate the world with our awesomeness! Or at the very least impress your client with a thorough report&#8230;</p>
<p>If you are scanning a class B-sized network (10.10.X.X, a /16) or smaller, you will likely want to choose <strong>-T4</strong> for your speed setting. If you are attempting to map the Internet, stop now. <a href="http://insecure.org/presentations/BHDC08/bhdc08-slides-fyodor.pdf">Fyodor has beaten you to it</a> <img src='http://binpoint.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p><strong>The Need For Speed</strong><br />
The <strong>-n</strong> switch will disable DNS lookups, reducing overall start-to-finish time as you no longer need to wait for all those UDP DNS requests / responses to file in.</p>
<p>How fast nmap chucks packets onto the network is controlled with:<br />
<strong>-T</strong>, <strong>--scan-delay</strong> and <strong>--min-hostgroup</strong><br />
<strong>-T5</strong> is balls to the wall and <strong>-T0</strong> means you never want it to finish&#8230;</p>
<p>A safe choice is <strong>-T3</strong> (the default) but again you will likely want to use <strong>-T4</strong> to save time.</p>
<p><strong>Top Heavy Servers</strong><br />
Scanning every in-scope IP address against all 65,535 ports just to gather an inventory of live hosts could last longer than your contract engagement. You may need to pick 20 to 30 ports. In a perfect scenario, at least one of these ports will be open on every server that you need to find. Use <strong>-p</strong> to specify destination ports; a good starting list is the following UDP (<strong>U:</strong>) and TCP (<strong>T:</strong>) ports:<br />
<strong>-p U:53,111,137,T:21-25,80,135,139,443,445,3389,8080</strong></p>
<p>If your client has no idea what services they expect to find on their network, you now have permission to cry like a baby because they will have problems with your report regardless of what you find. T-T<br />
All seriousness aside, thanks to Fyodor’s Internet mapping project I mentioned earlier, you can simply substitute the hand-picked list with Fyodor’s results by adding:<br />
<strong>--top-ports 30</strong> (where 30 is the number of ports you want to scan)</p>
<p><strong>I Know That Look&#8230;<br />
</strong>nmap is more than just a simple inventory scanner. It can also guess what the target operating system and its network-accessible service names and versions are. It does this by looking at distinguishing features of a packet or connection (such as what the starting TTL value is, or how it responds to an unsolicited RST packet sent to a closed port). This technique is referred to as fingerprinting. If nmap is unsure about a target host, it will guess (and tell you as much), and if it is completely baffled it will politely ask you to submit a fingerprint to add to the nmap database along with what you determine the target to be (by other means).</p>
<p><strong>-sV</strong> will attempt to match the name and version of each open network service that is discovered<br />
<strong>-O</strong> will attempt to match the operating system of target boxen</p>
<p><strong>New Implants</strong><br />
nmap has received some really neat upgrades since version 4.something, such as the ability to run Lua scripts during the scan process. An example:<br />
<strong>--script smb-os-discovery</strong></p>
<p>Make sure you are using the latest scripts by running:<br />
<strong>nmap --script-updatedb</strong></p>
<p><strong>Putting it all Together</strong></p>
<p>Thus far, we have compiled the following nmap command:</p>
<pre>nmap -iL inscope.list --excludefile exclude.list -v -sS -n --reason -T4 --script smb-os-discovery -sV -O --top-ports 30</pre>
<p>Sweep 1: I highly recommend swapping out <strong>-sS</strong> with <strong>-sL</strong> before you run your final scan. Why? A list of hosts to be scanned is a great piece of information to include in your report to PROVE that you only touched systems that you were expressly authorized to touch. Yes, this is just feeding back information they originally provided you&#8230; Hey, this is why consultants get paid the big bucks, right?</p>
<p>Sweep 2: swap out <strong>-sS</strong> with <strong>-sP</strong> to ping scan, finding which hosts you are able to receive ICMP echo replies from. Consider sending this list to your client immediately to verify that you are in the ballpark prior to the &#8220;real&#8221; scan. Obviously, this can be skipped if a networking device (such as a router or firewall) is dropping all your ICMP echo request probes.</p>
<p>Sweep 3: <strong>-sS</strong> for the win! This is your traditional half open SYN scan. Nmap will send out a TCP SYN packet to each IP address and port combination as you specified to determine if it returns a SYN+ACK packet, indicating an open port. If it doesn&#8217;t hear back from the target, it&#8217;s assumed to be closed. (Yes, this is where the increased timing option pays off.)</p>
<p><strong>Wrapping Up</strong></p>
<p>If you are running up against an IPS blocking your aggressive scans by sending you RSTs or dropping your packets silently, try setting <strong>-f</strong> to fragment (split up) your packets to a smaller portion of their maximum transmission unit (MTU) or size. This may just be enough to fool (or crash) that pesky IPS into letting them all pass on their merry way for total target box domination. Make sure you have permission to try this from the client first&#8230;</p>
<p>This was intended to be a pick-up-and-go article and not dig too deep into how network scanning works nor the intricacies of nmap. If you want WAY more info than I&#8217;ve provided here, I highly recommend buying <a href="http://www.amazon.com/gp/product/0979958717?ie=UTF8&amp;tag=binpoint-20&amp;linkCode=as2&amp;camp=1789&amp;creative=390957&amp;creativeASIN=0979958717">Fyodor&#8217;s nmap book</a>. If you can&#8217;t spare a few bucks, it&#8217;s also <a href="http://nmap.org/book/nse.html">available online for free</a>.</p>
<p><em>Stay tuned for Part 2, which covers <a href="http://www.openvas.org/">OpenVAS</a>.</em></p>


]]></content:encoded>
			<wfw:commentRss>http://binpoint.com/2010/04/network-scanning-with-nmap/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Selecting Anti-Virus Software for Home</title>
		<link>http://binpoint.com/2009/09/selecting-anti-virus-software-for-home/</link>
		<comments>http://binpoint.com/2009/09/selecting-anti-virus-software-for-home/#comments</comments>
		<pubDate>Mon, 14 Sep 2009 16:38:05 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[How To]]></category>
		<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://binpoint.com/?p=444</guid>
		<description><![CDATA[&#8220;I purchased X Anti-Virus for my Home PC last year and unimpressed, let it expire. Which anti-virus product should I purchase now?&#8221; I get asked this question a lot. I provide below how I typically answer it, hoping that someone out there will find it useful as a template for your responses to similar questions to [...]


]]></description>
			<content:encoded><![CDATA[<p><em>&#8220;I purchased X Anti-Virus for my Home PC last year and unimpressed, let it expire. Which anti-virus product should I purchase now?&#8221;</em></p>
<p>I get asked this question a lot. I provide below how I typically answer it, hoping that someone out there will find it useful as a template for your responses to similar questions to which you must respond.</p>
<p><strong>BEGIN EMAIL REPLY:</strong></p>
<p>Hi So and So,</p>
<p>First of all, great question.</p>
<p>While I typically recommend that home users select security software products from well-known commercial vendors, most of these are large companies that structure their pricing model to force you to repurchase their new version every year instead of simply renewing your subscription. As a consolation prize, you get any new features added each year.</p>
<p>Your customer service experience (or lack thereof) is sadly typical for large software companies; the best way to avoid outsourced call-center style support is to choose a boutique software company whose customer base is not large enough to make outsourcing customer support viable. If customer support isn&#8217;t something you plan to use and commercial security software feels too expensive, there are a number of companies that release free home-use-only versions of their software.</p>
<p>Finally, as far as how to select a new anti-virus solution, I unfortunately put a lot of trust into tech review websites such as <a title="CNET" href="http://www.cnet.com" target="_blank">CNET</a>. When selecting products, user reviews for software as complicated as anti-virus typically provide little insight into how good it really is, as experiences vary from person to person. With a tech journal, you at least know they sampled many products. The downside is they only get to it every year or two, so the ratings may be based on last year&#8217;s version.</p>
<p>That said, here’s a <a href="http://www.cnet.com/topic-reviews/antivirus.html?tag=lia;lcol" target="_blank">link to CNET&#8217;s Anti-Virus review page</a> as a starting point.</p>
<p>Here is a <a href="http://download.cnet.com/windows/antivirus-software/?tag=mncol%3Bsort&amp;rpp=10&amp;sort=editorsRating+asc" target="_blank">link to CNET&#8217;s top rated Anti-Virus software</a> which includes free home-use products.</p>
<p>Hope that helps! Happy hunting.</p>
<p>Regards,<br />
Tom</p>


]]></content:encoded>
			<wfw:commentRss>http://binpoint.com/2009/09/selecting-anti-virus-software-for-home/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Complete Unix Cron Job Crib Sheet</title>
		<link>http://binpoint.com/2009/03/complete-unix-cron-job-crib-sheet/</link>
		<comments>http://binpoint.com/2009/03/complete-unix-cron-job-crib-sheet/#comments</comments>
		<pubDate>Tue, 03 Mar 2009 03:30:19 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[FreeBSD]]></category>
		<category><![CDATA[How To]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[OS X]]></category>
		<category><![CDATA[Scripts]]></category>
		<category><![CDATA[crib sheet]]></category>
		<category><![CDATA[cron]]></category>
		<category><![CDATA[cron job]]></category>
		<category><![CDATA[crontab]]></category>
		<category><![CDATA[easy]]></category>

		<guid isPermaLink="false">http://binpoint.com/?p=276</guid>
		<description><![CDATA[Do you only use unix once in a blue moon, need to setup crontab and can&#8217;t quite remember the order? (Without peeking at the image on the left) Try out this handy cron job crib sheet which you can paste directly into your crontab as a reference each time you make a scheduled job change. [...]


]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-277 alignleft" title="cron" src="http://binpoint.com/wp-content/uploads/2009/03/cron.png" alt="cron" width="320" height="98" />Do you only use unix once in a blue moon, need to set up a crontab and can&#8217;t quite remember the field order? (Without peeking at the image on the left.)<br />
Try out this handy cron job crib sheet, which you can paste directly into your crontab as a reference each time you make a scheduled job change.</p>
<p>Cron is a unix program that is used to automatically run commands or scripts at predetermined times. Common uses include running nightly backups, log searching or other system-resource-intensive tasks when everyone is at home sleeping. Each unix user has their own crontab list. If you are new to scheduling tasks in Sun Solaris, Red Hat Enterprise Linux, Fedora, Ubuntu, Debian, OS X, FreeBSD or any other flavor of unix, the following quick cron guide should help.</p>
<p>To check what is currently scheduled for execution for one user, open a terminal and type:</p>
<pre>crontab -l -u &lt;username&gt;</pre>
<p>Any task that requires root privileges will need to be put in the root user&#8217;s crontab. Let&#8217;s add a simple backup scheduled task as an example. To open the cron file as the root user with your default text editor, type:</p>
<pre>sudo crontab -e</pre>
<p>At the top of the crontab file (or if it is empty) paste in the following:</p>
<pre># +- - - - - - minute [0-59]   | Special Entries: @reboot, @yearly, @monthly,
# | +- - - - - hour [0-23]     |                  @weekly, @midnight, @hourly
# | | +- - - - monthday [1-31]  ---------------------------------------------
# | | | +- - - month [1-12, jan,feb,mar,apr,may,jun,jul,aug,sep,oct,nov,dec]
# | | | | +- - weekday [0-7, sun,mon,tue,wed,thu,fri,sat,sun]  (0 and 7 are both Sunday)
# * * * * * /full/path/to/command args &gt;&gt; ~/command.log</pre>
<p>This crib sheet will serve as a crontab syntax reference every time you list or edit the crontab but won&#8217;t be interpreted by cron, since each line starts with a pound sign (<em>#</em>) character indicating a comment line. The first five columns allow you to define the minutes, hours, days of the month, months, and weekdays that you want your job to run. The sixth column is the command or script to execute at the appointed time or times.</p>
<p>Here&#8217;s an example crontab line that runs the backup.sh script every twenty minutes on April 13th, 14th and 15th:</p>
<pre>0,20,40 * 13-15 4 * /home/tom/scripts/backup.sh &gt;&gt; /var/log/backups.log</pre>
<p>The last part may look new if you are unfamiliar with shell redirection. The double greater-than sign will append the output of backup.sh to a file called backups.log located in the /var/log/ directory. While you can chain together many unix commands directly in the crontab file, I recommend using a separate file (i.e. a script in your scripts directory) to perform more complicated tasks.</p>
<p>Here&#8217;s another cron job example that searches for files in anyone&#8217;s home directory modified in the last 24 hours and puts a report in your home directory. Two crontab gotchas apply here: cron turns any unescaped percent sign in the command into a newline, so the <em>%</em> characters in the date format must be written as <em>\%</em>, and a crontab entry must fit on a single line because crontab has no backslash line continuation:</p>
<pre>0 1 * * * /usr/bin/find /home -mtime -1 -type f -exec ls -lh {} \; &gt; /home/tom/new_files_report_`date +\%Y-\%m-\%d`.txt</pre>
<p>Hope that helps! Comments welcome.</p>


]]></content:encoded>
			<wfw:commentRss>http://binpoint.com/2009/03/complete-unix-cron-job-crib-sheet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
