Reconnaissance, Scanning

April 20, 2010

Footprinting Tools

What information can you gather without informing the target that you are gathering information? What information can others gather about you?

Scanning Tools

  • nslookup with ls -d example.tld to simulate a zone transfer
  • to enumerate DNS information
  • Chaosmap is an information gathering tool and dns / whois / web server scanner written in Python. It can be used to lookup DNS names with a dictionary with or without using a salt.
  • sl, SuperScan windows utilities for ping sweeps, port scanning
  • Fping for ping sweeps
  • Fing is a tool for network discovery and scanning
  • nc, portqry for port scanning
  • nmap for ping sweeps, port scanning, OS mapping and more. nmap (“Network Mapper”) is a free and open source utility for network exploration and security auditing. [video] Fyodor – Advanced Network Reconnaissance with Nmap ShmooCon 2006, Nmap 5 cheatsheet [pdf]. PaulDotCom Episode 207 and PaulDotCom Episode 242, too. A stealth inventory, which requires nmap 5.51 or later:

    nmap -P0 --script=broadcast

    What’s That Web Server?

  • Frustrate port scanners using portspoof.

    The portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports. It is meant to be a lightweight, fast, portable and secure addition to any firewall system or security infrastructure.
    The general goal of the program is to make the port scanning software (Nmap/Unicornscan/etc.) process slow and its output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task.

  • amap (THC-amap) for application mapping (banner grabbing, penetration test) [video]
  • p0f is an advanced passive OS/network fingerprinting utility. [video]
  • Firewalk for port scanning
  • Hping is a command-line oriented TCP/IP packet assembler/analyzer (ICMP TCP UDP). [video]
  • Gobbler for spoofed source OS mapping, port scanning and Dynamic Host Configuration Protocol (DHCP)
  • Dsniff is a collection of tools for network auditing and penetration testing. [video]
  • SSLdump is an SSLv3/TLS network protocol analyzer. [video]
  • Tcpreplay is a suite of BSD licensed tools written by Aaron Turner for UNIX (and Win32 under Cygwin) operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices. [video]
  • Metoscan is a tiny tool for scanning the HTTP methods supported by a web server. [video]
  • DNSmap is a passive DNS network mapper and subdomains bruteforcer. [video]
  • SING is a tool that sends ICMP packets fully customized from command line. [video]
  • SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools:
    • svmap – this is a sip scanner. Lists SIP devices found on an IP range
    • svwar – identifies active extensions on a PBX
    • svcrack – an online password cracker for SIP PBX
    • svreport – manages sessions and exports reports to various formats
    • svcrash – attempts to stop unauthorized svwar and svcrack scans
  • IP Phone Scanning Made Easy (ISME) scans a VoIP environment, adapts to enterprise VoIP, and exploits the possibilities of being connected directly to an IP Phone VLAN. It seeks to get the phone’s configuration file directly from a TFTP server, enable SIP/SIPS (TCP/UDP), communicate with an embedded Web server and Web server banner, identify the vendor by MAC address, and identify potential default login/password combinations which should be changed.
  • DHCPdump parses DHCP packets from tcpdump. [video]
  • TCPdump is a common packet analyzer that runs under the command line. [video]
  • Yersinia for reconnaissance of layer 2 protocols:
    • Spanning Tree Protocol (STP)
    • Cisco Discovery Protocol (CDP)
    • Dynamic Trunking Protocol (DTP)
    • Dynamic Host Configuration Protocol (DHCP)
    • Hot Standby Router Protocol (HSRP)
    • IEEE 802.1Q
    • IEEE 802.1X
    • Inter-Switch Link Protocol (ISL)
    • VLAN Trunking Protocol (VTP)

    Yersinia is included on your BackTrack CD. See usage tips from Jimmie Ray Purser Yersinia: Coolest Layer 2 Hacking Tool

  • CHScanner is an ARP, IPv4 and IPv6 network scanner with 31 scan methods: it scans for open ports, protocols, NetBIOS information and Windows shares, SNMP information, and WMI (WBEM) information. CHScanner can turn on a remote Windows host (using Wake-On-LAN) or shut it down or reboot it. CHScanner has an automatic (scriptable) working mode, a hunt mode, a passive mode, and the normal scanning mode.
  • SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS and SNMP scanner with a modern interface and many advanced features. It is intended for both system administrators and general users interested in computer security. The program pings computers, scans for listening TCP/UDP ports and displays which types of resources are shared on the network (including system and hidden).
  • Arp-scan fingerprint with ARP scans
  • ike-scan fingerprint VPN devices, learn IPSec (along with Steve Friedl’s Tech Tips An Illustrated Guide to IPsec)
  • WS_Ping ProPack
  • Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.

Using ICMP with a time-to-live (TTL) of 1: if the packet reaches a device and the TTL drops to zero, that device sends a response (ICMP Time Exceeded), so you learn that something is there.

Port Assignments

  • IANA Port Numbers: the Well Known Ports (0 through 1023), the Registered Ports (1024 through 49151), and the Dynamic and/or Private Ports (49152 through 65535).
  • Neohapsis Ports List: consolidated list of standard and exploited ports.
  • SANS Trojan Ports: port numbers of well-known Trojans.
  • ISS Exploit Ports

Banner Grabbing

What does the server or application say it is?

  • Generic form: telnet 80
  • What PHP version is running? That “page not found” response indicates PHP is used.
  • Telnet: telnet host port
  • nc: nc -v host port
  • FTP: ftp host
  • Web: nc -v host 80
  • sl: sl -b host(s)
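The banner-grabbing step above is what an outsider sees; the same check run against your own hosts tells you what your servers volunteer (version strings, “X-Powered-By”) that you may not want advertised. The following is an added Python example, not code from the original post: it opens a TCP connection the way “nc -v host port” does, sends an HTTP HEAD probe, and parses the response headers. Because it must run offline, it starts a throwaway local server that returns a constructed banner; the server name, PHP version and port are all made up for the demonstration.

```python
import socket
import socketserver
import threading

# Constructed response for the local stand-in server (not captured from any real host).
FAKE_HTTP_RESPONSE = (
    b"HTTP/1.0 404 Not Found\r\n"
    b"Server: Apache/2.2.3 (CentOS)\r\n"
    b"X-Powered-By: PHP/5.1.6\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Page not found</body></html>"
)


def grab_banner(host, port, probe=b"", timeout=3.0, max_bytes=4096):
    """Connect, optionally send a probe, and return whatever the service
    volunteers (its banner) as bytes; the equivalent of 'nc -v host port'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        chunks, total = [], 0
        while total < max_bytes:
            try:
                data = s.recv(1024)
            except socket.timeout:
                break
            if not data:  # peer closed the connection
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks)


def parse_http_headers(banner):
    """Return {lower-cased header name: value} from an HTTP response banner."""
    head, _, _ = banner.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def identify_web_server(host, port):
    """Send a HEAD request and return (Server, X-Powered-By) exactly as advertised."""
    probe = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode()
    headers = parse_http_headers(grab_banner(host, port, probe=probe))
    return headers.get("server"), headers.get("x-powered-by")


class _FakeHTTPHandler(socketserver.BaseRequestHandler):
    """Answers any request with the constructed banner, then closes."""

    def handle(self):
        self.request.recv(1024)
        self.request.sendall(FAKE_HTTP_RESPONSE)


def start_fake_server():
    """Start the stand-in server on an ephemeral localhost port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeHTTPHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_server()
    print(identify_web_server("127.0.0.1", port))  # what the server says it is
    srv.shutdown()
    srv.server_close()
```

Point the same two functions at a real host and port of your own and compare the result with what your change records say should be there; a mismatch is either an unpatched service or an inventory gap.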

OS Mapping

  • NMAP: nmap -O host(s)
  • NMAP: nmap -O -p port host(s)



DNS Client Settings

December 16, 2009

DNS settings are typically ignored. Management of DNS settings is deferred to the Internet Service Provider (ISP).

Windows Vista IPv4 Configuration tab


  1. Malware can replace the DNS settings with its own settings. (One example: Trojan:Win32/Alureon.CO) When malware has made this change, a client who connects to a legitimate web site (such as their bank) tells the malware DNS server who they do business with (bank with). The malware DNS server collects information about web sites the client uses. At any time, the malware DNS server can substitute an IP address of their own choosing. There should be a certificate error when the victim connects, but certificate errors can be ignored. A prompt for user ID and password would collect the user ID and password. To allay suspicion, give the victim an “access denied” message. The bad actor now has working credentials.
  2. DNS settings are typically ignored. When the payload is DNS settings, the payload is ignored. Anti-virus software would not detect an “infection” since these are configuration settings, not a file. This is one of the many reasons you should not rely upon “cleaning” a system to make it trustworthy. See Can You Clean a Virus?
    In a corporate environment, an inventory system which gathers DNS settings (such as Microsoft’s SCCM) can be used to reveal this payload. See Finding the DNS Hijacking Victims.
  3. DNS implementation can have security vulnerabilities; search US-CERT. A DNS service must be managed. In a corporate environment, internal server names should not become known externally, so internal DNS servers are required.
  4. DNS lookup history is an important intrusion detection mechanism. Review lookup requests to discover if malicious sites are being accessed.
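Point 2 above says the way to reveal a DNS-settings payload is an inventory that gathers each client’s resolver list and compares it with what the organization expects. The following is an added Python example, not code from the original post or from SCCM: it parses the “DNS Servers” fields of “ipconfig /all” output, one adapter at a time (continuation lines carry the extra servers), and reports every resolver not on an allowlist. The ipconfig text is constructed, and the allowlist (two internal resolvers plus Google Public DNS, which the post mentions) is a hypothetical corporate policy.

```python
import ipaddress
import re

# Constructed excerpt in the layout of 'ipconfig /all' (Vista/7); not from a real host.
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION-01

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   IPv4 Address. . . . . . . . . . . : 10.20.30.40(Preferred)
   DHCP Server . . . . . . . . . . . : 10.20.30.1
   DNS Servers . . . . . . . . . . . : 10.20.30.5
                                       10.20.30.6

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Contoso Wireless-N Adapter
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   DNS Servers . . . . . . . . . . . : 203.0.113.9
                                       8.8.8.8
"""

# Hypothetical allowlist: the internal resolvers plus Google Public DNS.
APPROVED_DNS = {"10.20.30.5", "10.20.30.6", "8.8.8.8", "8.8.4.4"}

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")          # "Ethernet adapter X:"
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")   # first resolver on the field line
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")                  # extra resolvers, indented, no label


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [resolver, ...]} from 'ipconfig /all' output."""
    result, adapter, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            result[adapter] = []
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            result[adapter].append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line) if in_dns else None
        if m:
            result[adapter].append(m.group(1))
        else:
            in_dns = False  # any other line ends the DNS Servers block
    return result


def find_unapproved_dns(ipconfig_text, approved=APPROVED_DNS):
    """Return [(adapter, resolver)] for every configured resolver not on the allowlist.
    Anything that is not even a valid IP address is reported as well."""
    findings = []
    for adapter, servers in parse_dns_servers(ipconfig_text).items():
        for srv in servers:
            try:
                ip = ipaddress.ip_address(srv)
            except ValueError:
                findings.append((adapter, srv))
                continue
            if str(ip) not in approved:
                findings.append((adapter, srv))
    return findings


if __name__ == "__main__":
    for adapter, srv in find_unapproved_dns(SAMPLE_IPCONFIG):
        print(f"unexpected resolver {srv} on {adapter}")
```

Because Windows keeps DNS settings per adapter (the post notes this below), the check must be run over every adapter, which is why the wired adapter passes here while the wireless one is flagged.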

At home, you want a vendor who pays careful attention to keeping the DNS service maintained and who you trust. You are not required to use the DNS servers your ISP maintains; there are other options. Configure your clients to use more managed, more secure DNS servers.

If you are using your router to provide IP and DNS addresses on your home network, consider providing more secure DNS servers.

Google Public DNS

Windows assigns DNS settings for each network adapter. If you switch from a wireless connection to a wired connection, you may be using different DNS settings.

Some hotels assume that you do not specify DNS settings. Their DHCP solution delivers DNS servers that you are required to use. That is, specifying DNS settings breaks some hotel Internet usage.

The ESET SysInspector utility reveals the DNS settings you are currently using.

Information Gathering

October 29, 2009

You don’t go directly to the web site. You start by reviewing the publicly available information. You decide upon a goal.

The Passive Information Gathering whitepaper by Gunter Ollmann, Professional Services Director at Next Generation Security Software, Ltd., is good orientation. There may be useful information already leaked. It may not be reliable information, but there’s a good chance you can save yourself a lot of time without touching the web site.

Retain the information for future reference.

The Sam Spade utilities look up DNS and domain information. Frequently under revision, but one stable source is

Use Maltego and Pipl to learn published information scattered across the Internet. Maltego uses nslookup, SecretSniff, Robtex. Pipl uses a different set of sources.

Collect and document information about the company’s Internet presence. This would include:

  • Internet Service Registration – The global registration and maintenance of IP address information
  • Domain Name System – Local and global registration and maintenance of host naming
  • Search Engines – The specialist retrieval of distributed material relating to an organization or their employees
  • Email Systems – The information contained within each email delivery process
  • Naming Conventions – The way an organization encodes or categorizes the services their online hosts provide and the email address conventions (which often reflect userid conventions).
  • Website Analysis – The information intentionally and unintentionally made public, that may pose a risk to security

hpHosts consolidates a lot of information about web sites. vURL can be used to review the company’s web pages through proxies.

AS Numbers Query (

Retain the information for future reference.

What have others found? See Un1c0rn.

Does NTP report the hosts which have queried NTP? It could be used for further network enumeration.

– Border Gateway Protocol (BGP) Queries
– About BGP:
AS numbers are used to identify the autonomous systems that a route has already passed through, which prevents routing advertisement loops, and to determine the origin of routes. Folks often use AS-PATHs in their route selection policy to, for example, use a particular transit provider that is known to have good connectivity to AOL, or not use someone who may have poor connectivity to them.
A good way to understand things in the real world is to use Looking Glasses run by ISPs. For example, go to or and do a BGP query with another provider’s IP as the argument. You will see the possible paths to that IP, and the AS numbers (networks) it has to go through in order to reach it. (find target’s AS number) (query BGP via web)

1. Reconnaissance
2. Scanning & enumeration
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

nmap (the most utilized penetration testing tool)

Metasploit framework Metasploit: A Penetration Tester’s Guide

Don’t Pick the Lock, Steal the Key – Password Auditing with Metasploit

Armitage – A GUI for Metasploit

Maligno is an open source penetration testing tool written in python, that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded with Base64 prior to transmission.

SinFP3 is an operating system fingerprinting tool

Pushpin will identify every tweet, flicker pic and Youtube video within an area of a specific Geo address.  Example Usage:

python ./ -c 42.3534688,-71.0611556 --all

For latitude and longitude, see


eEye Retina

Core Impact

netcat: an asynchronous port scanner (a load balancer can shape traffic and slow down scans; that is, has IPS functions)

For more specialized penetration testing tools, see

BackBox is a Linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments.

And also consider this version of the steps for penetration testing with 10 (instead of 5) steps:

Find open directories with Google by searching for ” Name Last modified Size Description”:

Web Browser Forensics

October 7, 2009

What question were you trying to answer? Could it be:

  • Where did this malicious software come from?
  • What web sites has this person been visiting?

What access do you have? Could it be:

  • A single machine, and I have local access
  • Multiple machines, and I have remote access

Don’t forget that you may wish to search unallocated disk space for deleted web cache information. See Digital Forensics Links.

Is this actually a Forensics examination (where you care about preserving evidence) or is this an Incident Response root cause examination, where discovery (and not legally admissible evidence) is the goal?

The answers affect the tool you choose and how you use it. For example, in a “concerned parent” scenario there is a single Windows machine using Internet Explorer, for which you have local access, and you want to learn the web sites visited. Use Mandiant Web Historian and inspect the C:\Users\<userid>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat file. (A firewall log of successful web connections would be of more help.)

On the other hand, consider a large environment that investigates web-based malware alerts. Here the questions are: where was the threat encountered and what else arrived from that site or around that time. As part of the alert, you have the machine name and user id and the name of the malicious file.

An appropriate tool to collect web browser history and evidence would be CacheGrab and its companion interpreter CacheBack.

CacheGrab® is our standalone cache and history recovery tool that can be used on any logically mounted volume or virtual file system, including disks mounted using Physical Disk Emulation. CacheGrab does not require any purchase or licensing and may be used freely. Users should note that this version of the program only searches logical volumes at this time, and the ability to search physical disks and unallocated space will be available with the release of CacheGrab® Version 2, sometime in early 2010.

Note the features of CacheBack:

  • Multiple browser support. Rebuild cached web pages and examine Internet histories for Internet Explorer (ver. 5-8), Firefox (ver. 2-3), Opera (ver. 9-10), Safari (ver. 3-4), and Google Chrome (ver. 1-4).
  • View cached web pages and pictures in a single consolidated thumbnail gallery making it easy to zero in on artifacts of interest.
  • Comb through complex histories and large cache repositories using the powerful multi-tabbed, multi-functional WYSIWYG interface.
  • Combine the built-in Query Manager window, Quick Queries and compound query filtering options to drill down efficiently on large datasets.
  • Produce visually compelling, rich HTML reports of rebuilt web pages and picture evidence with valuable metadata.
  • Publish reports to any destination folder or removable media keeping the evidence intact and portable.
  • Display timestamps in any selected time zone and choose to observe daylight savings for any region. Completely system independent.
  • Powerful Link Analysis to identify matches between history URLs and hyperlinks found in web pages (e.g., which links might have been clicked or visited).
  • Multiple tabbed views of the same evidence (Browser, Text, Hex, Picture, Audit and Links).

These features may be more than you need.

If you only need to be concerned about Internet Explorer, then grab copies of the Index.dat files, saving them with names that make them distinguishable later. Use Pasco ( to make tab-separated text files from the dat files.

A batch file to make this task easier:

@echo off
REM Usage: <this script> <machine name or IP address> <userid>
REM Copies the IE cache and history index.dat files for one user from the
REM remote administrative share and converts both with pasco. The history
REM index.dat carries the system and hidden attributes; they are cleared on
REM the file being copied and restored afterwards.
if (%2)==() goto ERR_SYNTAX
copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" "%1_%2_cache_index.dat"
attrib -s -h "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat" "%1_%2_history_index.dat"
attrib +s +h "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
pasco "%1_%2_cache_index.dat" > "%1_%2_cache_index.txt"
pasco "%1_%2_history_index.dat" > "%1_%2_history_index.txt"
goto :EOF
:ERR_SYNTAX
echo Error - requires two parameters, machine name (or IP address) and userid

When loading the tab-separated text file into Excel, some columns won’t line up. Close enough for my purposes, though.

Note that this problem in Excel is because some of the original fields in the index.dat file contain tabs; using pasco to create a tab-separated text file when some fields contain tabs is problematic. If you wish to be consistent, fields rarely contain pipe characters; creating a pipe character-separated text file will produce a more consistently formatted Excel spreadsheet.

The questions again were: Where was the threat encountered and what else arrived from that site (or around that time).

Search the resulting text file for the detected malicious file. This turns up a lot of undetected malware. A malicious site rarely sticks to only one threat. A site typically hangs on to the older, already detected threats when breaking in a new, undetected threat. Get a sample of the new, undetected threat and submit it to vendors. You will also turn up a pattern of sites and ASNs. Report sites, blacklist sites, and the count of detected threats goes down.
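The two paragraphs above describe the real work: the pasco output has a trailing field that can itself contain tabs, and the investigation is a search for the detected file followed by a look at everything else from that site or around that time. The following is an added Python example, not code from the original post or from pasco: it parses pasco-style records by splitting on at most six tabs so the HTTP HEADERS column stays whole, re-emits them pipe-separated as the post suggests, and answers the two questions. The records, hostnames, file names and the timestamp format are constructed; the column order follows pasco’s header line, but treat the exact time format as an assumption and adjust it to what your pasco build prints.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed records in the column layout of pasco's tab-separated output.
# The second record's HTTP HEADERS field deliberately contains a tab, which is
# what shifts columns in a spreadsheet.
SAMPLE_PASCO = (
    "TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\tDIRECTORY\tHTTP HEADERS\n"
    "URL\thttp://www.example-news.invalid/index.html\t03/10/2009 14:01:50\t03/10/2009 14:01:50\tindex[1].htm\tA1B2C3D4\tHTTP/1.1 200 OK\tContent-Type: text/html\n"
    "URL\thttp://ads.bad-example.invalid/show.php?id=77\t03/10/2009 14:02:05\t03/10/2009 14:02:05\tshow[1].htm\tA1B2C3D4\tHTTP/1.1 200 OK\n"
    "URL\thttp://ads.bad-example.invalid/load.php\t03/10/2009 14:02:11\t03/10/2009 14:02:11\tsetup[1].exe\tE5F6A7B8\tHTTP/1.1 200 OK\tContent-Type: application/octet-stream\n"
    "URL\thttp://ads.bad-example.invalid/old.php\t03/10/2009 14:02:14\t03/10/2009 14:02:14\tupdate[1].exe\tE5F6A7B8\tHTTP/1.1 200 OK\n"
    "URL\thttp://www.example-news.invalid/style.css\t03/10/2009 14:02:20\t03/10/2009 14:02:20\tstyle[1].css\tA1B2C3D4\tHTTP/1.1 200 OK\n"
    "URL\thttp://www.unrelated.invalid/\t03/10/2009 16:45:00\t03/10/2009 16:45:00\tindex[2].htm\tA1B2C3D4\tHTTP/1.1 200 OK\n"
)

FIELDS = ["type", "url", "modified", "accessed", "filename", "directory", "headers"]
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumed; match it to your pasco output


def parse_pasco(text):
    """Parse pasco output into dicts. Splitting on at most len(FIELDS)-1 tabs keeps
    tabs inside the last (HTTP HEADERS) field instead of shifting the columns."""
    records = []
    for line in text.splitlines()[1:]:  # skip the header line
        if not line.strip():
            continue
        parts = line.split("\t", len(FIELDS) - 1)
        parts += [""] * (len(FIELDS) - len(parts))  # pad short records
        rec = dict(zip(FIELDS, parts))
        rec["accessed_dt"] = datetime.strptime(rec["accessed"], TIME_FMT)
        rec["host"] = urlsplit(rec["url"]).hostname or ""
        records.append(rec)
    return records


def to_pipe_separated(text):
    """Re-emit the records pipe-separated so every row has the same column count."""
    lines = ["|".join(FIELDS)]
    for rec in parse_pasco(text):
        lines.append("|".join(rec[f].replace("|", "/") for f in FIELDS))
    return "\n".join(lines)


def investigate(text, detected_filename, window=timedelta(minutes=5)):
    """Where was the threat encountered, and what else arrived from that site or
    within +/- window of it? Returns (source host, list of related records)."""
    records = parse_pasco(text)
    hits = [r for r in records if r["filename"] == detected_filename]
    if not hits:
        return None, []
    hit = hits[0]
    related = [
        r for r in records
        if r is not hit and (
            r["host"] == hit["host"]
            or abs(r["accessed_dt"] - hit["accessed_dt"]) <= window
        )
    ]
    return hit["host"], related


if __name__ == "__main__":
    host, related = investigate(SAMPLE_PASCO, "setup[1].exe")
    print("encountered at:", host)
    for r in related:
        print(r["accessed"], r["url"], r["filename"])
```

In the constructed data the detected file came from the advertising host; the related records surface a second executable from the same host (the older, already-known threat the post describes) and the news site that served the advertisement, which is the referring site to report.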


Where to find browser history

  • Internet Explorer: C:\Documents and Settings\<windows login>\Local Settings\History\History.IE5
  • Internet Explorer: C:\Documents and Settings\<windows login>\Local Settings\Temporary Internet Files
  • Mozilla: C:\Documents and Settings\<windows login>\Application Data\Mozilla\Profiles\default\bsczxlvc.slt\Cache\572222B7d01
  • Netscape: history.dat
  • Firefox: C:\Documents and Settings\<windows login>\Application Data\Mozilla\Firefox\Profiles\ygeipybb.default
  • Safari: history.plist
  • Opera: global.dat

Check query history

  • Google toolbar: C:\Documents and Settings\[userid]\Application Data\Google\Local Search History

Where to find passwords

  • Firefox: C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\vyzux15h.default\signons.sqlite

Where to find chat logs

  • Trillian: C:\Program Files\Trillian\users\default\logs
  • MSN Messenger post version 7.0: C:\Documents and Settings\\My Documents\My Received Files\\History
  • AOL Messenger: C:\program files\users\default\log\AIM\Query
  • Yahoo Messenger 6.0: C:\Program Files\Yahoo!\Messenger\Profiles\\Archive\Messages
  • mIRC: C:\program files\mirc\logs
  • GAIM: *nix: ~/.gaim/logs; Windows: \Documents and Settings\user\Application Data\.gaim\logs. Look for the screenname under the protocol directory.
  • Miranda Messenger: C:\Program Files\Miranda IM\Logs
  • Exodus 0.9.x: C:\Documents and Settings\\My Documents\Exodus-Logs\<user>_<server>.html
  • iChat: /Users//Documents/iChats

Tim Mugherini presents NTFS MFT Timelines and Malware Analysis

October 2009 is National Cyber Security Awareness Month

October 1, 2009

From InfraGard:

October 2009 is National Cyber Security Awareness Month (NSCAM), which the FBI endorses and participates in. The NSCAM event has been held every October since 2001, as a national awareness campaign to encourage everyone to protect their computers and our nation’s critical cyber infrastructure.

Cyber security requires vigilance 365 days per year. However, the Department of Homeland Security, the FBI, the National Cyber Security Alliance, and the Multi-State Information Sharing and Analysis Center coordinate to shed a brighter light in October on what home users, schools, businesses and governments need to do in order to protect their computers, children, and data.

Ultimately, our cyber infrastructure is only as strong as the weakest link. No individual, business, or government entity is solely responsible for cyber security. Everyone has a role and everyone needs to share the responsibility to secure their part of cyber space and the networks they use. The steps we take may differ based on what we do online and our responsibilities. However, everyone needs to understand how their individual actions have a collective impact on cyber security.

Please read the Awareness Month Fact Sheet, Awareness Month What Home Users Can Do Tip Sheet, and the Awareness Month CSAVE Fact Sheet.

You can read more by visiting STAYSAFEONLINE.ORG.


John “Chris” Dowd
Unit Chief
Public/Private Alliance Unit
Strategic Outreach and Initiative Section
Cyber Division

Can You Trust That Web Site? (URL Shortener edition)

September 24, 2009

Regarding URL shorteners such as, and (Google’s URL shortener services),, and, services designed to redirect to a different, typically longer, URL.

  • They are nearly mandatory when posting a URL via Twitter (or other microblogging site).
  • They can get your email dropped by a SPAM filter, since URL redirection (URL forwarding, URL obfuscation) is how malicious sites get past SPAM filters.
  • A URL shortener service takes links out of your control; many of the free URL shortener services have already shut down.

You want to know if you can trust that web site, and a meaningless link doesn’t help. Note that you should always treat any link you may see in an email or web page as meaningless; there is no reason to trust that what the link connects to matches the text displayed.

For all URLs, there are two facets:

  1. the text they display and
  2. the resource they actually locate.

There is no requirement that they match. Should ISC SANS be clicked? Should be clicked? Displayed text was always untrustworthy, and link shortening services make that obvious.

Whether you can trust the resource they actually locate is a difficult problem. URL shortening services introduce an extra layer of obfuscation which makes that problem more difficult. Techniques which rely upon an organization’s reputation (such as Web Of Trust) are ineffective when confronted with a shortened URL that obfuscates the organization. This leads to a desire for de-obfuscation approaches, such as Redirect Detective or the (currently unavailable)

There are problems with relying upon an organization’s reputation to determine if a resource is trustworthy. Problems such as PHP code insertion add untrustworthy code to a trustworthy organization. These problems exist independent of URL shortening services, and are neither more nor less obvious through the use of URL shortening services.

URL shortening services introduce new problems in terms of reliability and stability. There is a trust that the shortened URL will consistently refer to the same resource, that the reference cannot be hijacked, and that the service provider will remain in business (see These problems are not within the control of the person using the URL shortening service.

In conclusion, shortened URLs:

  1. make the text they display neither more trustworthy nor less trustworthy,
  2. make the resource they actually locate neither more nor less trustworthy, and
  3. introduce availability issues which are outside your control.

Use URL shortening services only if necessary.

Instead of HpHosts as your first step (my advice from Can You Trust That Web Site?), go to vURL. vURL reveals and expands the redirected web site. You can learn what the obfuscated URL will lead you to (and examine the code) without directly connecting to the web site. Then learn if the revealed web site is trustworthy at HpHosts.
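The two facets of a link, the text it displays and the resource it actually locates, can be checked mechanically before anyone clicks, and a shortened URL can be flagged for expansion through a service such as vURL rather than followed. The following is an added Python example, not code from the original post or from any of the services it names: it pulls every anchor out of an HTML fragment and labels it “consistent” (the displayed text names the same host the href points to), “mismatch” (the text names a different host), “shortener” (the href host is a known shortener, so the destination is opaque until expanded) or “opaque” (descriptive text that says nothing about the destination). The HTML fragment is constructed and the shortener host list is a small hypothetical allowlist to extend for your own environment.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical list of shortener hosts to treat as opaque until expanded.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}

# Constructed HTML fragment of the kind found in a suspicious email (not a real message).
SAMPLE_HTML = """
<p>Read the diary at <a href="https://isc.sans.edu/">ISC SANS</a>.</p>
<p>Log in at <a href="http://203.0.113.77/login">https://www.examplebank.invalid/</a> to confirm.</p>
<p>Short link: <a href="http://bit.ly/abc123">http://bit.ly/abc123</a></p>
<p>Plain: <a href="https://www.example.org/page">www.example.org/page</a></p>
"""

# Does the displayed text itself look like a URL or hostname? Capture the host part.
HOST_RE = re.compile(
    r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?:[/:].*)?$"
)


class _LinkCollector(HTMLParser):
    """Collects (href, displayed text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def classify_link(href, text):
    """Return 'shortener', 'mismatch', 'consistent' or 'opaque' for one anchor."""
    href_host = (urlsplit(href).hostname or "").lower()
    if href_host in SHORTENER_HOSTS:
        return "shortener"
    m = HOST_RE.match(text.strip())
    if not m:
        return "opaque"  # the text tells you nothing about the destination
    text_host = m.group(1).lower()
    return "consistent" if text_host == href_host else "mismatch"


def audit_links(html):
    """Return [(href, text, verdict)] for every anchor in the fragment."""
    return [(href, text, classify_link(href, text)) for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE_HTML):
        print(f"{verdict:10} {text!r} -> {href}")
```

A “mismatch” verdict is the case the post warns about (a bank URL as the text, an unrelated address as the destination); “shortener” is the one to expand through vURL before deciding anything; and “consistent” still says nothing about whether the host itself is trustworthy, which remains the HpHosts question.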

Lessons from the Heartland Data Breach

September 14, 2009

View “Lessons from the Heartland Data Breach” on Vimeo to hear from Robert O. Carr, the particular victim. Read his testimony before the United States Senate Committee on Homeland Security and Government Affairs. An apparently secure (even audited, pen tested and forensically examined) organization was breached. You can be PCI DSS compliant, and pay the penalties of an information breach.

My take-aways from the Heartland breach: Note that a SQL injection vulnerability was discovered, then remediated. Too late, as it turns out; the damage was done. Previously undetected malware was running on the system. Even though an intrusion was suspected, this malware escaped the detection of auditors, pen testers and (for a long time) forensic examiners. In the end, forensic examiners found the vital clue that revealed that a security breach had occurred, was occurring, and the intrusion response procedure needed to be invoked.

Why so long? Undetected malware is not the sort of problem auditors would look for. Pen testers would fail since the system had been hardened after the breach. A more efficient approach to a forensic examination would have been to have a set of hash values of known good files, and compute the hash values of current files. Inspect the files that do not match the “known good” list. See Simple Malware Discovery Measures for additional approaches.
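The known-good hash approach above is cheap to implement. The following is an added Python example, not code from the original post: it hashes every file under a directory tree, and compares the current tree with a baseline taken while the system was trusted. It reports by path (modified, new, missing) and also by digest alone, which catches a file that simply does not appear anywhere in the known-good set regardless of where it sits. The demo builds a throwaway tree in a temporary directory, baselines it, tampers with it and compares; the file names and contents are constructed.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Digest one file in 64 KiB chunks so large binaries do not load into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Return {relative path (with '/' separators): digest} for every regular file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = hash_file(full)
    return digests


def compare_to_baseline(baseline, current):
    """Files an examiner should inspect, grouped by how they differ from the baseline.
    'not_in_known_good' ignores paths and asks only whether the content was ever trusted."""
    known = set(baseline.values())
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
        "not_in_known_good": sorted(p for p, d in current.items() if d not in known),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed tree, tamper with it, and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app", b"original binary\n")
        _write(root, "etc/config", b"setting=1\n")
        _write(root, "lib/helper.dll", b"helper\n")
        baseline = hash_tree(root)  # taken while the system is trusted

        _write(root, "bin/app", b"original binary\n#patched\n")  # modified in place
        _write(root, "lib/sneaky.dll", b"unexpected\n")          # dropped by an intruder
        os.remove(os.path.join(root, "etc", "config"))            # removed
        _write(root, "lib/copy.dll", b"helper\n")                 # known content, new path

        return compare_to_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline must be produced and stored off the examined system (hashes of a compromised host taken after the fact prove nothing), and “not_in_known_good” is the list the post recommends inspecting first: in the demo it contains the tampered binary and the dropped file, but not the copied helper whose content was already trusted.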

The Hannaford Brothers breach is also attributed to undetected malware.

My theory is that malware never (perhaps rarely) travels alone. Previously undetected malware is always (perhaps usually) accompanied by detected malware. Reliance upon anti-virus software to detect all malware is false confidence. Investigation of detected malware yields information you want to use, and that information may be about previously undetected malware or about where malware is coming from. Was there detected malware that accompanied the undetected malware in the Heartland breach example?

I do agree that encryption of data is an additional defense, an additional preventative measure. There is also a need for readily available detective measures; reliable mechanisms to confirm or deny an incident quickly.

See also: Online Trust Alliance (OTA) 2011 Data Breach & Loss Incident Readiness Guide