To check the active zones:

[root@rh7 ~]# firewall-cmd --get-active-zones
public
  interfaces: enp1s0f0

To get available service names:

[root@rh7 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

If the service you want to enable listed with the command above, you don’t have to write explicit port number, to allow a service permanently:

[root@rh7 ~]# firewall-cmd --zone=public --add-service=https --permanent
success

If the desired service is not available such as POP3 use the following command:

[root@rh7 ~]# firewall-cmd --zone=public --add-port=110/tcp --permanent
success

When you finish adding/removing rules, apply them with the command:

[root@rh7 ~]# firewall-cmd --reload
success

To check the services enabled on the zone public:

[root@rh7 ~]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: enp1s0f0
  sources: 
  services: dhcpv6-client http https imaps pop3s smtp ssh
  ports: 7071/tcp 110/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

The post CentOS 7 Firewall Sheet appeared first on VeriTeknik.

Finally we have found a solution to stop DNS Amplification Attacks using pfsense with snort.

The below codes are extracted from raw IP data, as a sample, you may check what we had done for ripe.net query:

0x0000: 4500 0042 6142 4000 7911 e7c3 9a23 a00b E..BaB@.y....#..
0x0010: 5e67 200f 0035 0035 002e 0000 03b8 0100 ^g...5.5........
0x0020: 0001 0000 0000 0001 0472 6970 6503 6e65 .........ripe.ne
0x0030: 7400 00ff 0001 0000 2910 0000 0080 0000 t.......).......
0x0040: 0000 ..

Use the code below to stop DNS Amplification attacks, you can paste the code to snort interface Advanced configuration pass through section:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS ripe.net UDP"; content:"|01 04 72 69 70 65 03 6e 65 74 00|";classtype:attempted-dos;sid:4000003;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS isc.org UDP"; content:"|01 03 69 73 63 03 6f 72 67|";classtype:attempted-dos;sid:4000003;)

The code is tested to have minimal overhead.

Please post your comment if you need additional DNS Amplification Attack rules.

The post Snort rules for isc.org and ripe.net DNS Amplification Attacks appeared first on VeriTeknik.

First of all, there are a couple of ways to edit the iptables infrastructure. One way is to use the /sbin/iptables binary file to append each line, or you can directly edit the /etc/sysconfig/iptables file.

There is basically no difference between the two methods, adding “THIS LINE” to the /etc/sysconfig/iptables file is the same thing by running the “/sbin/iptables THIS LINE” command. Just keep in mind that rules in iptables are respective, which means each rule is done in a chain order, the third line is only executed after the second line.

By default, when you install a CentOS system, the iptables will only allow connections to the 22nd port which is for obvious reasons : not to block your ssh connections. But if you change the ssh server port, or run httpd service, mail service or any other service, the default iptables rules will all incoming and outgoing connections.

The default settings a pretty much like this.

# Firewall configuration written by system-config-firewall
 # Manual customization of this file is not recommended.
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT

Let’s say you install apache (or equivalent) on your server, then iptables will keep blocking 80 and 443 ports. To make them available, we have to add them to the ACCEPT chain before the REJECTION.

-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
 -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Let’s say you want to block out a specific IP address, for any port, then you can add such line,

-A INPUT -s 192.168.16.29 -j DROP

If you’d like to log the access attempts of this IP address, before the DROP line you can add,

-A INPUT -s 192.168.16.29 -m limit --limit 2/min -j LOG --log-prefix "STAY AWAY! "

This line will log any attempt from the IP address 192.168.16.29 but will limit the logs. It will log any similar connection type as only two lines per minute, this way your log file won’t fill out the whole hdd. Also the “STAY AWAY!” will be on the log line, so that you can easily grep the relevant line from the log file. Don’t confuse this as a message, the line “STAY AWAY!” will NOT be sent to the blocked IP or anything, it will just be logged.

At the end our iptables file will be like this

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.16.29 -m limit --limit 2/min -j LOG --log-prefix "STAY AWAY! "
-A INPUT -s 192.168.16.29 -j DROP
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The post Firewall Settings With IpTables on CentOS and RedHat appeared first on VeriTeknik.

To enable it, go to Start > Administrative Tools >  Windows Firewall With Advanced Security

Now go to Inbound Rules on the left pane of the new window, and find the File and Printer Sharing (Echo Request – ICMPv4-In) from the rules. Enable it by right clicking. Now, your server will respond back to ping requests from IPv4 packets. You can also enable this for IPv6 from the rule right below it.

The post Can’t Get Ping Responses from MS Windows Servers appeared first on VeriTeknik.

Actually there are a lot of ways you can accomplish this especially with bash, but using the /dev/urandom file seems to be the most clever one.

The /dev/urandom device doesn’t only generate read-friendly characters, so it’s best to filter out the ones we’d like. The best tool for that would be tr.

$ cat /dev/urandom | tr -dc [:alnum:] | head -c 10

This will generate a password from 10 alphanumeric characters.

It will not include some characters though, such as . ! – _ which are useful for passwords. So this line would be a little more “secure”.

$ cat /dev/urandom | tr -cd “[:alnum:]\.\-_\!” | head -c 10

To generate a password in Python, using the string and random module would be a clever touch. Let’s try something like this,

>>> import string, random
 >>> def passgen(length) :
 ... keys = list(string.ascii_letters + string.digits)
 ... return "".join(random.choice(keys) for i in range(length)

With this definition of the passgen function, we can generate alphanumeric passwords with whatever length we want. If you’d like to include all characters available, try the one below:

>>> import string, random
 >>> def passgen(length) :
 ... keys = list(string.ascii_letters + string.digits + ".,;:-_()@\"\\[]?!'^+*$%&/=~`<>|")
 ... return "".join(random.choice(keys) for i in range(length)

A sample output :

>>> passgen(16)
 'pP!3p"(-uxdIqpAK'

You can find some methods of password generation using MD5 algorithms. For example for password generation in MySQL some people prefer this method;

>SELECT SUBSTRING(MD5(RAND()) FROM 1 FOR 5)

But this will generate very very weak passwords, no uppercase characters and a lot of characters missing, not even to mention the non-alpha numeric characters. Also you’ll have a limit for maximum character number since the MD5 algorithm has a limit for it. So it’s best to stay away from the md5 approach for password generation. Some people also use it for bash password generation too (which is wrong! due to same reasons)

The post Password Generation in UNIX appeared first on VeriTeknik.

To understand the background of scanning, we should know some basic thing about the “three-way handshake” that occurs during a network connection. The three-way handshake is another way of describing the SYN/ACK method. When a computer sends a “Hello” signal to a target machine, it actually sends a SYN packet. After receiving this packet, if the target is listening, it will normally respond with a SYN/ACK packet. When the first computer receives this SYN/ACK packet, it will respond back to the target machine with an ACK packet. This way, the three-way handshake is accomplished.

The SYN/ACK handshake is analogously described by talking on the phone (back on the old days when there weren’t caller id’s!). When we dial some number, we basically send a SYN signal, when the target answers the phone saying “Hello?”, it actually is a SYN/ACK packet, meaning “I’m listening?”, after that when we introduce ourselves as in “Hi, I’m calling from VeriTeknik”, then we’re sending the last ACK packet.

Now since we understand what SYN, SYN/ACK and ACK means, we can start digging around with nmap and see what it uses these information for.
By the way, for what it’s worth, SYN stands for synchronize and ACK stands for acknowledge.

The TCP Scan

Like we’ve discussed earlier in our target specification post, nmap executes a TCP scan with the -sT option. A TCP scan is accomplished with the full three-way handshake, meaning that when we ask nmap to execute a TCP scan on a port on some target, it will send a SYN, wait for the SYN/ACK and send back the ACK, after these, it will tell us that the port is open (or closed). Since we’re going all the way through with the three-way handshake in this method, even though it seems the most reliable one on standard targets (not behind firewall etc.) it has the slightest possibility to flood the target.

Here’s is the basic command to perform one.

$ nmap -sT 10.20.30.40

The SYN Scan

This is the most popular scan type of nmap. In fact, it is also the default option on nmap, meaning if you don’t specify any scan type, nmap will use the default SYN scan method.

The SYN scan is popular because it is faster. This comes from the fact that it doesn’t complete the three-way handshake. It only goes through the two steps of the handshake, first sending the SYN packet, waiting for a SYN/ACK packet, after this, instead of sending an ACK packet, it sends an RST (reset) packet, which tells the target to disregard any previous packets and close the connection between the two machines. The advantage of this is that the RST packet is much smaller than the ACK packet. Even though it may sound like one tiny packet won’t change much, when you add up hundreds (or thousands) of ports on multiple hosts, tiny packets do matter! Also, sending less information to the target always means less possibility to flood it.

$ nmap -sS 10.20.30.40
$ nmap 10.20.30.40

The UDP Scan

Overlooking the UDP scanning technique is a common rookie mistake. Even though most services use the TCP ports today, UDP ports are still essential and cause security vulnerabilities. Also, UDP ports are as useful as TCP ports for getting information on the system.

Note that both TCP and SYN scanning use the TCP method of connection. There are basically two methods for computers to communicate, either the TCP (Transmission Control Protocol) or the UDP (User Datagram Protocol). TCP ensures that the packets sent from one computer to another arrive at the receiver intact and in the order they were sent. But, UDP has no such mechanism, it just sends the data and we never know whether it arrived to the target or not. There are many advantages and disadvantages between the two technologies including speed, reliability, error checking etc. The important thing is to know which one to use under your case.

Comparing the UDP scan to our analogous example of the phone call, it is often described with a mailing system. It is like when we write a mail (not an e-mail, the regular ones!), put a stamp on it, no return address and put it in the mailbox. Maybe sometime the post officer will pick it up, deliver it to the address. You’ll never know if the mail reached its destination or not, and the receiver might not know the origin.

$ nmap -sU 10.20.30.40

Don’t forget that even though people tend to think that services run on TCP ports, a lot of them still stick with the UDP ones, such as DNS, DHCP, SNMP, or TFTP.

The Xmas Scan

This scan method is based on the technical descriptions on the RFC 793 (page 65) of TCP. If the target operating system is bound to the RFC, then when dealing with TCP connections it should obey the following two rules.

* If a closed port receives a packet that doesn’t have a SYN, ACK or RST flag, the port should respond with an RST packet of its own.
* If an open port receieves a packet that doesn’t have a SYN, ACK or RST flag, the packet should be ignored.

So, according to these rules, if a send a packet that doesn’t contain any one of SYN, ACK and RST, and if the relevant port does not answer back, that port should be open. So when we tell Nmap to perform a Xmas scan on a target, it simply sends FIN, PSH and URG packet flags on. The name Xmas comes from the fact that it has so many flags set to “on” as if it lights like a Christmas tree!

The problem with this scan type is that we assume the target operating system fully complies with the RFC standard of the TCP. Linux and Unix operating systems do, but Microsoft operating systems don’t. Ironically this makes Linux systems vulnerable to this scan type.

$ nmap -sX -p- -PN 10.20.30.40

Null Scan

This type of scanning is almost the same with the Xmas scanning method. Instead of switching some of the flags “on”, with the Null scan, Nmap switches everything “off”. This way, the closed ports will respond with a RST flag. (if the operating system complies with the RFC standards)

These type of scans are important when scanning a system behind firewalls. Some firewalls block communication establishment by filtering SYN packets. Since our scanning packets with the Xmas and Null scans don’t have a SYN packet, the firewall won’t filter it. Well, bear in mind that since we don’t have a SYN packet, it is not possible to establish a connection, but the point is scanning for ports, and that is possible without a SYN packet!

$ nmap -sN -p- -PN 10.20.30.40

FIN Scan

This is also almost the same with Xmas and Null scans, this time, nmap only sends the packet with the FIN flag “on”.

$ nmap -sF -p- -PN 10.20.30.40

ACK Scan

This scan type does not directly look for open ports. Instead it tests whether our ACK packets reach the ports or not. By default, it only has the ACK flag set. An unfiltered (ex. no firewall) system would return with RST packets when an ACK packet reaches it, regardless of the port state being open or closed. If a port doesn’t respond, or it responds with ICMP error messages, nmap will label it as filtered, if the port responds with an RST packet, it will be labeled as “reachable”. Detecting if reachable ports are open or not, is not checked by this scan. This type of scan is very useful to check the security of a target.

$ nmap -sA -p- -PN 10.20.30.40

Window Scan

This one is similar to the ACK scan, but categorizes the port filtered or unfiltered depending on the value the returning package’s RST flag is. On some systems open ports have a positive window size, but the closed ports have a window size equal to zero. So when a port replies RST, instead of labeling it as unfiltered (like it does in ACK scan), nmap will read the TCP Window value of the RST package. If the value is zero, the port is filtered, if it has a positive value, it is labeled as unfiltered. This type of scan does not work on most of the systems. In fact, if most of the ports you scan from 1000 ports are open, and only a few are closed, it is possible that the values are incorrect, the few closed ones might be the open ports and the open labeled ones might be the closed ones.
So, things can get the other-way around, use the feedback with caution!

$ nmap -sW -p- -PN 10.20.30.40

Additional Options for Detailed Information

Lastly, there are a few options to remember that can give us great detail about the target system.

Version detection : The -sV switch tries to determine what version of a service is running on a detected open port. This is great when scanning either UDP ports or unusual ports. If you find an unusual port number to be open, a version scan might tell you whether it is an SSH service running or an HTTP.

Operating System detection : The -O switch is for determining the operating system of the target. This does not 100% work but it does give some clues. It also tries to determine the kernel version, if it fails to get the kernel version, it sometimes reports possibilities in percentages.

Another option for Operating System and Version detection is the -A switch. This does not provide as much detail as the -O option but is still useful.

The Speed : You can choose the speed of each scan with the -T switch. The timing switch ranges on a numeric scale from 0 to 5, with 0 being the slowest scan.

It is important to know the backgrounds of a scan when executing it. Otherwise the results would seem meaningless to the scanner. Go ahead and try scanning your own systems. Don’t forget that if you have multiple servers, nmap also has a nice way of dealing with target specification.

The post Nmap : Scanning Methods appeared first on VeriTeknik.

There are several methods to scan ports. One of them is the “TCP” scanning method. With this method, nmap will try to establish a TCP connection with each of the port to be scanned on the target. If we don’t specify any ports, nmap will scan these. This speeds up the process a lot! Below, you’ll find an example of TCP scan on every port on the target machine.

$ nmap -sT -p- -PN 10.20.30.40

When we break down the arguments, things will get clearer.

-sT : The -s there indicates what method to use to scan, so the following T says its a TCP scan.
-p- : With this we tell nmap to scan every port on the target. Normally, nmap has a predefined list of 1000 ports that are widely used. To scan only the default 1000 ports, just don’t use this flag. Alternately you can tell which specific range of ports to scan. For example to scan the ports 21,23 and 25, we specify it as -p21,23,25 or to scan every port between 21 and 25, -p21-25. If we want to scan everything between 21 and 25 plus the 80’th port, it goes like this : -p21-25,80
-PN : This options tells nmap to skip the host discovery, which means it’ll assume that every target we specify are online. Use this if you’re only sure that the host is online, when we specify a lot of targets, and a lot of ports on these targets, host discovery will come in as a handy time saver.

Target specification in a clever way is very important if you’re willing to scan multiple targets. Below, we’ll talk about how detailed we can specify targets on nmap.

The simplest way for telling nmap to scan 2 targets,

$ nmap -sT -p21-25,80,8080 10.20.30.40-60 192.168.16.4 192.168.16.5

The above will do the same thing with the notation below,

$ nmap -sT -p21-25,80,8080 10.20.30.40-60 192.168.16.4,5

Nmap can also understand various notations at the same time when specifying target addresses. For example we can specify a network with it’s CIDR notation, and use partial definitions on different subnet blocks. Take a look at this example :

$ nmap -sT -p- -PN 192.168.1.0/16 10.20.30,31.40

Note that you cannot use the comma notation and the CIDR notation at the same time. So target specification such as 192.168.1,2.0/16 is NOT allowed.

You can also specify IPv6 using the -6 options. Below we’re scanning for the website my-ip6.com

$ nmap -sT -p21-25,80 -6 2a00:7300:1::4

Also note that with the IPv6 scanning, nmap does NOT support CIDR notation.

Needless to, we can also specify the target with its domain name.

$ nmap -sT -p- -PN plugged.in

Nmap can also get the targets from a text file if you can’t specify them in a sequential order. Just type your targets’ IP addresses line by line on a file and run it like this:

$ nmap -sT -p- -PN -iL my_targets_text_file

When you specify a range of addresses, it sometimes is crutial to NOT SCAN some members of that network. For this, nmap allows you to exclude addresses. This time we specify multiple “excluded targets” as comma separated, and as usual, it supports all the syntax supported for target specification. (hostnames, CIDR, netblocks, octet ranges, etc.)

$ nmap -sT -p- -PN 192.168.1.0/16 –exclude 192.168.16.30,192.168.1.10-15

Here’s a problem with this syntax of nmap, since the excluded targets are specified with commas, we can’t use commas to define subnets within the exclusion. For example we can specify targets such as 192.168.1,2.1 but this is not allowed within the exclusion since nmap will use the comma as a target exclusion delimiter.

The good thing is, just like specifying your targets in a text file, you can also specify you exclusion list too!

$ nmap -sT -p- -PN 192.168.1.0/16 –excludefile my_exclusion_text_file

And the last but not least, nmap has an option to scan random addresses. This is built specifically for research (and fun!) yet you should always use this option at your own risk, since some networks might detect you as a possible break-in attempt for scanning their system. It is also a good idea to you exclusion lists with this option.

$ nmap -sT -p80 -PN -iR 5

The number 5 above means that nmap will be scanning 5 addresses. So it will generate 5 random IP addresses. To generate infinate numbers of addresses, use the -iR option with the value 0.

Let’s end this post with a quoat from the man page of nmap,

“If you find yourself really bored one rainy afternoon, try the command nmap -sS -PS80 -iR 0 -p 80 to locate random web servers for browsing.”

The post Nmap : Target Specification in Detail appeared first on VeriTeknik.

no fixup protocol smtp 25

and save with the “wr mem” command

The post Cisco PIX & ASA Host name in greeting fix appeared first on VeriTeknik.