Friday, July 27, 2007

Adding a service or script to startup on Linux

This small FAQ explains how to make Linux start a certain service or self-made program at boot time.

Step 1:
Edit /etc/rc.local

This script holds your personal initialization commands; it runs after all the other init scripts have finished.

Example:

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

/usr/local/apache/bin/apachectl startssl
echo Starting Apache ...

service sendmail start
echo Starting Sendmail

I hope this is useful; it is simple, but not everybody knows it, right?

Installing an SSL Aware APACHE server

These basic instructions for installing an SSL-enabled Apache server on Linux are not for the faint of heart (hehehe). I say that because you basically need common sense, and preferably some Unix experience, to avoid mistakes during the installation. I have done dozens of installations like this, and in some cases new, unknown issues appear from time to time. Overall, though, these are the normal steps to follow to compile Apache from scratch.

Good luck

=====================================
Installing an ssl aware apache server by unixhelper
=====================================

[Step1]
Download openssl (www.openssl.org) and modssl (www.modssl.org). You will also need the latest 1.3.X apache server from www.apache.org.

[Step2]
Build and make openssl

Create a folder named after the openssl package you downloaded, decompress the openssl package into that folder, and cd into it (common sense).

$ cd openssl-0.9.7x (x being the version of the openssl package you downloaded, of course)
$ ./config (the openssl source package should already be decompressed into this folder, of course)
$ make
$ make install
$ cd ..

[Step3]
Now we create a modssl folder, decompress the source package into it, cd into it and run the configure command below (use common sense):

$ cd mod_ssl-2.8.16-1.3.29

$ ./configure --with-apache=../apache_1.3.X --with-ssl=../openssl-0.9.7X --prefix=/usr/local/apache

Now go into the apache folder (which should already have the apache source package decompressed into it):

$ cd ..
$ cd apache_1.3.X

[Step4]

$ export CFLAGS=-DEAPI SSL_BASE=/openssl_package_folder_path/openssl-0.9.7x (export the variables, otherwise the ./configure on the next line will not see them)

$ ./configure --prefix=/usr/local/apache --enable-module=ssl=../openssl-0.9.7x --enable-module=all --enable-shared=max

$ make
$ make certificate
$ make install

Create the self-signed certificate (the make certificate step above) and then start Apache with: /usr/local/apache/bin/apachectl startssl

People, please understand this WILL NOT work if you don't use common sense in changing the paths and file names properly; that's why I said these instructions are for medium/advanced users. Thank me later.

Adding Linux Swap Space

Adding Swap Space
Sometimes it is necessary to add more swap space after installation. For example, you may upgrade the amount of RAM in your system from 64 MB to 128 MB, but there is only 128 MB of swap space. It might be advantageous to increase the amount of swap space to 256 MB if you perform memory-intense operations or run applications that require a large amount of memory.

You have two options: add a swap partition or add a swap file. It is recommended that you add a swap partition, but sometimes that is not easy if you do not have any free space available.

To add a swap partition (assuming /dev/hdb2 is the swap partition you want to add):

The hard drive can not be in use (partitions can not be mounted, and swap space can not be enabled). The easiest way to achieve this is to boot your system in rescue mode. Refer to Chapter 8 for instructions on booting into rescue mode. When prompted to mount the filesystem, select Skip.

Alternately, if the drive does not contain any partitions in use, you can unmount them and turn off all the swap space on the hard drive with the swapoff command.

Create the swap partition using parted or fdisk. Using parted is easier than fdisk; thus, only parted will be explained. To create a swap partition with parted:

At a shell prompt as root, type the command parted /dev/hdb, where /dev/hdb is the device name for the hard drive with free space.

At the (parted) prompt, type print to view the existing partitions and the amount of free space. The start and end values are in megabytes. Determine how much free space is on the hard drive and how much you want to allocate for a new swap partition.

At the (parted) prompt, type mkpartfs part-type linux-swap start end, where part-type is one of primary, extended, or logical, start is the starting point of the partition, and end is the end point of the partition.

Warning
Changes take place immediately; be careful when you type.

Exit parted by typing quit.

Now that you have the swap partition, use the command mkswap to set up the swap partition. At a shell prompt as root, type the following:

mkswap /dev/hdb2

To enable the swap partition immediately, type the following command:

swapon /dev/hdb2

To enable it at boot time, edit /etc/fstab to include:

/dev/hdb2 swap swap defaults 0 0

The next time the system boots, it will enable the new swap partition.

After adding the new swap partition and enabling it, make sure it is enabled by viewing the output of the command cat /proc/swaps or free.

To add a swap file:

Determine the size of the new swap file in megabytes and multiply by 1024 to get the number of 1024-byte blocks. For example, a 64 MB swap file needs 65536 blocks.

At a shell prompt as root, type the following command with count equal to the desired number of blocks:

dd if=/dev/zero of=/swapfile bs=1024 count=65536

Set up the swap file with the command:

mkswap /swapfile

To enable the swap file immediately but not automatically at boot time:

swapon /swapfile

To enable it at boot time, edit /etc/fstab to include:

/swapfile swap swap defaults 0 0

The next time the system boots, it will enable the new swap file.

After adding the new swap file and enabling it, make sure it is enabled by viewing the output of the command cat /proc/swaps or free.
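The swap-file procedure above as one script, added here as an example rather than taken from the original text. It adds the checks the text leaves out: it refuses to overwrite an existing file, makes the file mode 0600 before mkswap (swapped-out memory can contain passwords and keys, and mkswap warns about wider permissions), and verifies the result by reading /proc/swaps instead of trusting that each command succeeded. The /proc/swaps contents used by the self-check are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original text: add a swap file with the
# checks a careful administrator wants around dd / mkswap / swapon.

# swap_count_for_mb SIZE_MB
# dd block count for a swap file of SIZE_MB megabytes with bs=1024.
swap_count_for_mb() {
    echo $(( $1 * 1024 ))
}

# fstab_line PATH
# The /etc/fstab entry that enables PATH at boot.
fstab_line() {
    printf '%s swap swap defaults 0 0\n' "$1"
}

# swap_is_active PATH [SWAPS_FILE]
# Return 0 if PATH is listed in /proc/swaps (or in SWAPS_FILE, for testing).
# The first column of every line after the header is the swap device or file.
swap_is_active() {
    awk -v p="$1" 'NR > 1 && $1 == p { found = 1 }
                   END { exit found ? 0 : 1 }' "${2:-/proc/swaps}"
}

# add_swapfile PATH SIZE_MB   (must run as root)
add_swapfile() {
    path="$1"
    size_mb="$2"
    if [ "$(id -u)" -ne 0 ]; then
        echo "add_swapfile must run as root" >&2
        return 1
    fi
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing $path" >&2
        return 1
    fi
    dd if=/dev/zero of="$path" bs=1024 count="$(swap_count_for_mb "$size_mb")"
    # Root-only access before the file ever holds swapped-out memory.
    chmod 600 "$path"
    mkswap "$path"
    swapon "$path"
    if swap_is_active "$path"; then
        echo "$path is active now; add this line to /etc/fstab to keep it at boot:"
        fstab_line "$path"
    else
        echo "$path did not show up in /proc/swaps" >&2
        return 1
    fi
}

# Constructed /proc/swaps contents for the self-check below; the real file
# has the same column layout.
SAMPLE_SWAPS=$(mktemp)
trap 'rm -f "$SAMPLE_SWAPS"' EXIT
cat > "$SAMPLE_SWAPS" <<'EOF'
Filename                                Type            Size    Used    Priority
/dev/hdb2                               partition       131068  0       -1
/swapfile                               file            65532   0       -2
EOF

if [ "$#" -eq 2 ]; then
    add_swapfile "$1" "$2"
else
    echo "usage: $0 /path/to/swapfile SIZE_MB (as root)"
    echo "self-check against constructed /proc/swaps data:"
    for dev in /dev/hdb2 /swapfile /dev/hdb3; do
        if swap_is_active "$dev" "$SAMPLE_SWAPS"; then
            echo "$dev: active"
        else
            echo "$dev: not active"
        fi
    done
fi
```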

Kill Child Process

Now this is a useful and simple command. Have you ever been in a situation where you are programming socket daemons, or any process at all, that could spawn several uncontrolled children?

Obviously killing the whole shell would fix the problem, but that is quite savage. Let's say you have several PHP children running in the background and you want to kill them without killing PHP.

The following command will do the job: kill -9 $(pidof php)

Notice: the "-9" option (SIGKILL) is the most severe kill signal available; it cannot be caught or ignored, so the process gets no chance to clean up after itself.
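The following script is an added example, not from the original post. It does what the title describes: it targets the children of one parent process rather than every process that happens to be named php, and sends SIGTERM before escalating to SIGKILL, so a daemon can close its sockets and remove its lock files first. It is Linux-specific because it reads parent/child relations from /proc/<pid>/status.

```shell
#!/bin/sh
# Added example, not part of the original post: kill the children of one
# parent process, politely first, forcefully only for the survivors.

# list_children PARENT_PID
# Print the PIDs whose parent is PARENT_PID, one per line. Zombies (already
# dead, not yet reaped) are skipped: there is nothing left to kill.
list_children() {
    parent="$1"
    for status in /proc/[0-9]*/status; do
        # /proc/<pid>/status has "PPid:<TAB>1234" and "State:<TAB>S (sleeping)"
        ppid=$(awk '/^PPid:/ { p = $2 } /^State:/ { s = $2 }
                    END { if (s != "Z") print p }' "$status" 2>/dev/null) || continue
        if [ "$ppid" = "$parent" ]; then
            pid=${status#/proc/}
            echo "${pid%/status}"
        fi
    done
}

# kill_children PARENT_PID [GRACE_SECONDS]
# SIGTERM first so each child can shut down cleanly; children still alive
# after GRACE_SECONDS (default 5) get SIGKILL, the signal "kill -9" sends,
# which cannot be caught or ignored.
kill_children() {
    parent="$1"
    grace="${2:-5}"
    children=$(list_children "$parent")
    [ -n "$children" ] || return 0
    for c in $children; do
        kill -TERM "$c" 2>/dev/null || true
    done
    waited=0
    while [ "$waited" -lt "$grace" ]; do
        [ -n "$(list_children "$parent")" ] || return 0
        sleep 1
        waited=$((waited + 1))
    done
    for c in $(list_children "$parent"); do
        echo "child $c ignored SIGTERM, sending SIGKILL" >&2
        kill -KILL "$c" 2>/dev/null || true
    done
}

# Stand-alone usage: killchildren.sh PARENT_PID [GRACE_SECONDS]
if [ "$#" -ge 1 ]; then
    kill_children "$1" "${2:-5}"
fi
```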

Using awk to analyze logs

AWK is a neat tool that comes with most *nix environments. In this small article I show you how to use awk to analyze a log file such as an Apache access_log, or even a sendmail log. This is really useful for analyzing big log files and, in some cases, for finding someone hammering your server with huge amounts of traffic (a DoS attack).

What is AWK?

awk Command

Definition: awk is a powerful Unix command. It allows the user to manipulate files that are structured as columns of data and strings.

Once you understand the basics of awk you will find that it is surprisingly useful. You can use it to automate things in ways you have never thought about. It can be used for data processing and for automating the application of Unix commands. It also has many spreadsheet-type functionalities.

There are two ways to run awk. A simple awk command can be run from the command line. More complex tasks should be written as awk programs ("scripts") to a file. Examples of each are provided below.

Example: % awk 'pattern {action}' input-file > output-file

meaning: take each line of the input file; if the line contains the pattern apply the action to the line and write the resulting line to the output-file.

If the pattern is omitted, the action is applied to all lines:

% awk '{action}' input-file > output-file

By default, awk works on files that have columns of numbers or strings separated by white space (tabs or spaces), but the -F option can be used if the columns are separated by another character. awk refers to the first column as $1, the second column as $2, etc. The whole line is referred to as $0.

Back to my example

Let's say we want to find how many times a specific IP address has hit your web server.

In this example we assume your Apache access_log is located in /usr/local/apache/logs.

The command that prints the client IP address (the first column) of every request would be:

awk '{print $1}' /usr/local/apache/logs/access_log

This small command is really powerful, give it a try!
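The following is an added example, not code from the original post. It carries the access_log analysis described above through to the end: the pattern/action form counts hits per client address, counts the hits from one specific address, and flags addresses that request far more than the rest (the "someone hammering your server" case), using the status column to show how many of those requests failed. The log lines are constructed sample data in Apache common log format.

```shell
#!/bin/sh
# Added example, not part of the original post: awk over an Apache access_log.
# In common log format $1 is the client IP and $9 is the HTTP status code.

# hits_per_ip LOGFILE
# Print "count ip" for every client address, busiest first.
hits_per_ip() {
    awk '{ hits[$1]++ }
         END { for (ip in hits) print hits[ip], ip }' "$1" | sort -rn
}

# hits_for_ip LOGFILE IP
# Count the requests from one specific address: the pattern selects lines
# whose first column equals IP, the action increments a counter.
hits_for_ip() {
    awk -v ip="$2" '$1 == ip { n++ } END { print n + 0 }' "$1"
}

# flag_hammering LOGFILE THRESHOLD
# Print the addresses with more than THRESHOLD requests, together with how
# many of their requests got a 4xx/5xx status. Many requests plus a high
# error ratio from one source usually means a scanner or a client stuck in
# a retry loop rather than normal browsing.
flag_hammering() {
    awk -v limit="$2" '
        { hits[$1]++; if ($9 >= 400) errors[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] > limit)
                    printf "%s %d requests, %d errors\n", ip, hits[ip], errors[ip] + 0
        }' "$1" | sort -k2,2 -rn
}

# Constructed sample log: three addresses, one of them requesting far more
# than the others and collecting 404s along the way.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [27/Jul/2007:10:00:01 -0700] "GET /index.html HTTP/1.1" 200 512
198.51.100.2 - - [27/Jul/2007:10:00:02 -0700] "GET /about.html HTTP/1.1" 200 1024
203.0.113.7 - - [27/Jul/2007:10:00:02 -0700] "GET /old/page1.html HTTP/1.1" 404 210
203.0.113.7 - - [27/Jul/2007:10:00:03 -0700] "GET /old/page2.html HTTP/1.1" 404 210
192.0.2.9 - - [27/Jul/2007:10:00:03 -0700] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [27/Jul/2007:10:00:04 -0700] "GET /index.html HTTP/1.1" 200 512
198.51.100.2 - - [27/Jul/2007:10:00:05 -0700] "GET /contact.html HTTP/1.1" 200 890
203.0.113.7 - - [27/Jul/2007:10:00:05 -0700] "GET /old/page3.html HTTP/1.1" 404 210
EOF

echo "Requests per client IP:"
hits_per_ip "$SAMPLE_LOG"
echo "Requests from 203.0.113.7: $(hits_for_ip "$SAMPLE_LOG" 203.0.113.7)"
echo "Addresses with more than 3 requests:"
flag_hammering "$SAMPLE_LOG" 3
```

Point the three functions at /usr/local/apache/logs/access_log instead of the sample file to run them on a real log; they only read the file.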

Thursday, July 26, 2007

Using NMAP TOOL

Fumbling toward a hacker's-eye view of your network

Ready to see your network the way an attacker sees it?

This short series is for the network administrator who has a grasp of networking, but knows less about security. You might be the Natalie in Natalie's Graphic Design, or the all-in-one IT department / PC help desk / Webmaster. Maybe you haven't used command line tools before. But if your network has more than nine devices, you can no longer hold your network in your head. You need a way to quickly and reliably find out:

* How many computers do I have on my network, and what are their IP addresses?

* What network services (distinguished by open ports) does each computer offer?

* What operating system (OS) runs on each computer?

Answering these questions is known as enumeration, or mapping your network. Enumeration is the first thing a savvy attacker does when trying to take over your network -- so you might as well beat 'em to the punch. Enumerating your network helps you identify and close unnecessary services, improving your security. It also tells you what kinds of OS and applications you're running, so that you can keep up with the proper security patches.

Enter the port scanner, a special network-mapping tool that quickly and easily answers all three of these questions for you. Port scanners come in many flavors and prices, but in essence, a scanner sends an avalanche of packets to an IP address (or IP addresses) in order to learn which IPs are active, what ports each IP listens on, and (in some cases) what OS each IP uses. Then the scanner reports the results to you.

Nmap, short for Network Mapper, is one of the most popular and powerful port scanners on the market. Fyodor, a well-respected white hat hacker, originally created Nmap. Since its inception, many security experts have built upon Fyodor's open source tool, making it one of the most powerful and advanced port scanners around.

So how much does all this technology and power cost you? Nothing. All you need is the courage to download and install it... and a little bit of know-how, which we intend to provide in this three-part series.

Ready to get your hands dirty, and find out what's really happening on your network? Read on!

Getting and Installing Nmap

Procuring nmap is easier than saying "procuring." Just go to Fyodor's Nmap web site and look for a link labeled Download, which is near both the top and the bottom of the page. Grab the latest copy of the Nmap Windows installer. When we published this article, it was http://download.insecure.org/nmap/dist/nmap-4.20-setup.exe.

Once you've downloaded the Nmap Windows installer, you should have a file called Nmap-4.20-setup.exe in whatever directory you downloaded the file to. Double-click on this file to begin installing it. After running the installer, Nmap's End-User's License Agreement (EULA) window pops up. Read this agreement. If you choose to accept it, click I Accept. (If you don't accept the agreement, you can't use Nmap.)

After you accept its EULA, Nmap's installer presents you with a Components window. Here you can choose which parts of Nmap to install. Since you pretty much need all its components -- and the installer enables them all by default -- simply click Next to continue.

Now the installer will ask you where you want to install Nmap. We suggest you let it install into its default directory (c:\Program Files\nmap). Just click Install.

Finally, the Nmap installer begins to install Nmap onto your computer. However, during this installation process it also has to install WinPcap, a little utility that helps Nmap do its job. When this happens, you'll see a window appear for the WinPcap Installer. Click Next. Again you'll have to read a EULA. If you choose to accept it, click I Agree. After you agree to its EULA, WinPcap installs itself. When it finishes installing, click the Finish button in the WinPcap Installer window. Finally, click Close in the Nmap Setup Window to complete your Nmap installation.

Opening the Nmap Command Line

Nmap is a command line utility. This is where you experience hackery goodness, because instead of mouse-clicking on icons like a mainstream office worker, you type commands like the few, the proud, the l33t old-sk00l coders. Here's how.

First, open the command prompt on your Windows computer. Click Start => Run. In the dialog box labeled Open, type cmd. Press Enter. Voila! Meet the command line, left over from the days when Windows was based on the antique Disk Operating System (DOS).

You should see something blinking, in front of some odd characters like these:

C:\>

The letter refers to various drives (real and virtual) on your system. If you see any letter of the alphabet other than C, type C: and press Enter.

If you followed the installation defaults, you just installed Nmap into your c:\Program Files\nmap directory. To run Nmap, you must first navigate to that directory. So, type cd\program files\nmap and press Enter. When you use the command line, syntax is always critical. Note the backwards slash, and the space between "program" and "files."

You are now poised to unleash Nmap's power on your network. Which we will do tomorrow, in Part 2. ##

Part 2

In Part 1 of this series, we introduced you to network scanners in general, and an excellent free one in particular, Nmap. You also learned how to obtain and install Nmap. Here in Part 2, you'll use Nmap to find out how many devices are active on your network. In Part 3, tomorrow, you'll try your first network scan, and we'll explain how to interpret the results.

This series assumes you have mastered basic concepts of networking, but do not have a lot of experience managing network security. To understand what follows, you should have a working grasp of IP addresses, subnet masks, and slash notation.

Getting Oriented on Your Own Network

If you're going to scan your whole network at once -- and you are! -- you need to know your network IP address, a single address that represents your entire network.

You can learn your network IP address easily using the command line. If you don't have your DOS prompt open, access it now (and if you don't know how to, refer to the last paragraphs of Part 1). At the blinking prompt, type ipconfig and press Enter. Your results will differ from ours in the details, but will look generally like this:

C:\Program Files\Nmap>ipconfig
Windows IP Configuration
Ethernet adapter Wireless Network Connection 3:
Connection-specific DNS Suffix . :


IP Address. . . . . . . . . . . . : 192.168.111.34
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.39.14

C:\Program Files\Nmap>

If you or your predecessor originally designed your network using the most common subnet masks such as 255.255.255.0 (in slash notation, /24), 255.255.0.0 (/16), or 255.0.0.0 (/8), it's easy to figure out your network's IP address, since it will always end in zero. For instance, based on the sample IPCONFIG above, you know our test computer has a 192.168.111.34 address and a 255.255.255.0 or /24 subnet mask. That subnet mask indicates that the first three octets of an address designate the network. We also just mentioned that the most common subnets, such as /24, always end in a zero for the network address. So the network address of our sample computer is 192.168.111.0/24.

However, when you subdivide networks into smaller pieces using less common subnet masks, it's more difficult to find your network address without knowing how subnet masking works on a binary level. The network address won't always end in zero, so then you have to calculate it. Don't worry, though; we have a trick that will tell you your network IP address without any calculation at all.

Using the command prompt, the ROUTE command actually lists every network route on your computer. It's intended to help you figure out how your computer reaches other networks, but that's not how you'll use it today. Besides having routes to other networks, your computer also has a route to your own local network. Your computer creates this route using your local network IP address. So, we'll use the ROUTE command to display the routes to your local network, and in that way, see your network IP address.

In the command prompt, type:

route print 192*

If appropriate, replace the "192" with the first octet of your own computer's IP address (which you learned from your IPCONFIG results). Then press Enter. Your results should resemble Figure 1 (showing your own IP addresses, of course):

Much of the ROUTE command's output lists information about your network card that we don't care about right now. In our sample output, we've displayed the line of interest in orange text. The first IP address in our output shows our network IP address: 192.168.111.0 with the subnet mask 255.255.255.0 (or 192.168.111.0/24). Similarly, your network IP address should be the first IP address you see in your output.

Presto! You now have the address you need in order to scan your entire network. So let's get back to Nmap.

How nmap counts your networked devices

We're helping you get acquainted with Nmap, but you hardly need us if you're willing to experiment a little and read a lot. To access Nmap's help file, at the command prompt just type nmap and press Enter. That's one convenient way to learn about Nmap's options.

Though nmap is a port scanner, you can use it to do many things. For starters, we'll use the ping command to automate the task of counting how many computers are currently active on your network. In the command prompt, type

nmap -sP 192.168.111.0/24

(Of course, replace our sample network's IP address with your network IP address.) You should see a result similar to this:

C:\Program Files\Nmap>nmap -sP 192.168.111.0/24
Starting Nmap 4.20 (http://www.insecure.org/nmap )
at 2007-05-08 12:18 Pacific Standard Time

Host 192.168.111.1 appears to be up.
MAC Address: 00:01:02:55:73:C3 (3com)

Host 192.168.111.3 appears to be up.
MAC Address: 00:10:5A:27:5C:44 (3com)

Host 192.168.111.254 appears to be up.
MAC Address: 00:90:7F:2E:1D:FB (WatchGuard Technologies)

Host frodolinux.hogwarts.lsstest.dyndns.org (192.168.111.16) appears to be up.
MAC Address: 00:04:76:22:C6:65 (3 Com)

Host 192.168.111.34 appears to be up.

Host 192.168.111.126 appears to be up.
MAC Address: 00:10:4B:0E:E6:E6 (3com)

Nmap finished: 256 IP addresses (6 hosts up)
scanned in 5.797 seconds

When you ran that command, Nmap pinged every IP address in the range of the network IP address you supplied. Nmap lists information for the IPs that responded to this request. So the list of IP addresses in our sample result show networked devices that currently respond to ping requests. In this example, Nmap found the following six IPs active on our test network:

192.168.111.1
192.168.111.3
192.168.111.254
192.168.111.16
192.168.111.34
192.168.111.126

As you might guess, this is not the most accurate count possible. If you divide some segments of your network using an internal firewall, the firewall might hide any devices behind it. And devices on your network that are powered off when you scan won't respond. But the results are still useful. Repeat the command over time to learn what "normal" is on your network. If a daily scan typically returns 18 to 22 authorized devices, and one day it finds 35, you know it's time to investigate. (Maybe one of the engineers added a rogue wireless access point and now the neighboring businesses are piggybacking onto your WiFi Internet access.)
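The "learn what normal is" advice above becomes much more useful when the comparison is done by a script rather than by memory. The following added example (not from the original article) turns saved nmap -sP output into a plain host inventory and diffs it against a baseline, so a new device shows up as a named address rather than as a count that looks a little high. It assumes you redirected the scan output to a file (as the article shows with > filename.txt) and processes it in a Unix shell; the scan output and baseline below are constructed sample data in the Nmap 4.20 format shown above, and no scan is performed.

```shell
#!/bin/sh
# Added example, not part of the original article: host inventory from saved
# "nmap -sP" output, compared against a baseline of known devices.

# up_hosts SCAN_OUTPUT_FILE
# Print the IP address of every host Nmap reported as up, in address order.
# Handles both "Host 192.168.111.1 appears to be up." and the hostname form
# "Host name.example.org (192.168.111.16) appears to be up.".
up_hosts() {
    awk '/appears to be up/ && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
             print substr($0, RSTART, RLENGTH)
         }' "$1" | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# compare_inventory BASELINE_FILE CURRENT_FILE
# Both files hold one IP per line. Prints "NEW ip" for hosts that are up now
# but absent from the baseline, and "MISSING ip" for baseline hosts that did
# not answer. comm needs both inputs in plain byte order, hence the re-sort
# under LC_ALL=C.
compare_inventory() {
    base_sorted=$(mktemp)
    cur_sorted=$(mktemp)
    LC_ALL=C sort "$1" > "$base_sorted"
    LC_ALL=C sort "$2" > "$cur_sorted"
    LC_ALL=C comm -13 "$base_sorted" "$cur_sorted" | sed 's/^/NEW /'
    LC_ALL=C comm -23 "$base_sorted" "$cur_sorted" | sed 's/^/MISSING /'
    rm -f "$base_sorted" "$cur_sorted"
}

# Constructed scan output in the format of the article's sample run.
SCAN_OUTPUT=$(mktemp)
cat > "$SCAN_OUTPUT" <<'EOF'
Starting Nmap 4.20 ( http://www.insecure.org/nmap ) at 2007-05-09 12:18 Pacific Standard Time

Host 192.168.111.1 appears to be up.
MAC Address: 00:01:02:55:73:C3 (3com)

Host frodolinux.hogwarts.lsstest.dyndns.org (192.168.111.16) appears to be up.
MAC Address: 00:04:76:22:C6:65 (3 Com)

Host 192.168.111.34 appears to be up.

Host 192.168.111.200 appears to be up.

Nmap finished: 256 IP addresses (4 hosts up) scanned in 5.797 seconds
EOF

# Constructed baseline: the devices that answered on earlier days.
BASELINE=$(mktemp)
printf '%s\n' 192.168.111.1 192.168.111.16 192.168.111.34 192.168.111.126 > "$BASELINE"

CURRENT=$(mktemp)
trap 'rm -f "$SCAN_OUTPUT" "$BASELINE" "$CURRENT"' EXIT
up_hosts "$SCAN_OUTPUT" > "$CURRENT"

echo "Hosts up in this scan:"
cat "$CURRENT"
echo "Changes against the baseline:"
compare_inventory "$BASELINE" "$CURRENT"
# Once a NEW host has been identified and approved, make it part of normal:
#   cp "$CURRENT" "$BASELINE"
```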

If you have many active IPs on your network, your Nmap ping results quickly scroll off the command prompt window. Here are two methods to run the same command, managing the output in different ways. You can use these methods when running any command line application:


To pause output before it scrolls off screen, pipe it through more:
Example: Nmap -sP 192.168.111.0/24 | more
(Press your spacebar or the Enter key to continue output)

To capture output to a text file, redirect it to a file name:
Example: Nmap -sP 192.168.111.0/24 > filename.txt
(Change "filename" to any name you like)

Using Nmap to automate your pings, rather than manually pinging hundreds of addresses yourself, is cool. You now know how many devices respond on your network. But that's not even Nmap's primary purpose! You want to use it to port scan your network. So let's do it -- in Part 3, tomorrow. ##

Part 3

Recap: Part 1 introduced port scanners in general, and Nmap in particular. You learned where to get Nmap for free, and you installed it. In Part 2, you learned your network IP address and used Nmap to count the active devices on your network. Now, in the series' conclusion, you're ready to port scan your network and interpret the results.

Nmap has many powerful options. However, you probably don't have time to learn all of Nmap's features right now. So we'll just show you a single big ol' Nmap command, with some options switched on, that should provide almost all you want to know about your local network. Think of this command as "Nmap's greatest hits."


Here it is:
Nmap -P0 -sS -sV -O 192.168.111.0/24 > output.txt

As usual, when you try this command, replace our sample network's IP address with your own network IP. You can also change "output.txt" to any filename you like. You're naming the file where Nmap will record the output from this scan.

What does each parameter in the command do? Briefly:

-P0. This switch tells Nmap not to ping a host before scanning it. As we alluded to when we described ping in Part 2, in some exceptional cases a computer that is active won't respond to ping (for example, when guarded by a firewall). Smart little Nmap can still find these stealth computers without relying on ping.

-sS. This switch tells Nmap to perform a SYN-based port scan. SYN is short for "synchronize," the first packet sent when one computer tries to connect to another using TCP. A SYN-based port scan is the most common method, among many possible methods.

-sV. This switch tells Nmap to attempt to find the service and version information of the ports it finds open. For instance, if Nmap learns port 80 is open, it tries to discern which web server runs on that port, as well as what version. Think of these as very educated guesses. Nmap is not always right.

-O. This switch tells Nmap to guess what operating system is running on any computer it scans. This, too, is a very informed estimate, not necessarily rock-solid truth.

We assume that as your company's network administrator, you have senior management's permission to perform analytical operations on your network. If not, this type of Nmap scan can be interpreted as a hostile or provocative action, so go no farther without authorization. But if you are authorized, we encourage you to try this command now.

Type the command above in your command prompt (carefully...remember, syntax matters!) and press Enter. Depending on the size of your network, and speed of your computer, this command could complete in a minute, an hour, or longer.

When the command completes, you see a new command prompt. But you won't see any obvious results. That's because you redirected the results to a text file called output.txt (or whatever you renamed it). To see Nmap's results, open output.txt in a text editor. If you followed the default install in Part 1, you'll find output.txt in c:\program files\nmap.


Interpreting the Results of Your Scan

You just scanned your whole network, so your results could be lengthy, depending on how many active hosts are on your network. Rather than describing the entire result at once, let's take it a chunk at a time.

If you click this link for Figure 2, you'll see a sample representing results from the Nmap scan you just performed. This excerpt contains Nmap's results for one host on our sample network. Once you understand how to read this one excerpt, you'll be able to read the rest of Nmap's results. So click the link and follow along with our commentary.

The first line of this excerpt tells you that the following result correlates to the IP address, 192.168.39.1.

The second line of this excerpt says that Nmap scanned 1,659 of that host's ports during the scan. Yes, you're right: 1,659 is fewer than a host's potential 65,535 ports. To save time, by default Nmap scans only the common, well-known ports. You can force Nmap to scan all 65,535 ports if you like. However, scans that large take an extremely long time. And really, scanning the well-known ports usually tells you all you need to know about that host.

The third line of this excerpt lists four column headings: PORT, STATE, SERVICE, and VERSION. Here's what each heading means:

The PORT column represents the ports (and protocols) Nmap found on the sample host, 192.168.39.1.

The STATE column tells you whether each port is open or in some other intermediary state of open (stealth). You will never see closed ports in Nmap's results. Nmap doesn't display the port if it's closed.

The SERVICE column tells you the well-known network service that usually resides on that port. It displays the service either by formal protocol name, or listed in a sort of technical short hand. You will recognize some of these services, such as HTTP, SMTP, and FTP, from your network experience. With over a thousand possible services, you won't recognize them all. But you have a few options to help you learn what a service is. First, in Nmap's c:\program files\nmap directory, you can open a file named nmap-services in any text editor to read all the services Nmap recognizes. This list contains a longer description of most of the services that appear in the service column. If you still don't recognize a service by either its short-hand or longer description, look both up using Google. You typically find a hundred sites that explain what that service does.

The VERSION column tells you what specific program the host you scanned uses to control the service in question. It also attempts to tell you that program's version.

Now that you know what each heading is, you should be able to interpret much of what follows. A new line appears under these four headings for each open port on a scanned host.

Let's practice interpreting a few random lines from our sample excerpt. First:
25/tcp open smtp Microsoft ESMTP 5.0.2195.6713

This line tells you that the host Nmap scanned has port 25 open. Port 25 is the SMTP, or email, service port. Nmap thinks the host is probably running Microsoft's ESMTP Mail Server, version 5.0.2195.6713.

Second example:
80/tcp open http Microsoft IIS webserver 5.0

In this line, we learn that port 80, the HTTP or web service port, is open on the scanned host. According to Nmap's best guess, this port is probably running Microsoft's IIS version 5.0 Web server. This is not really rocket science, huh?

After all the lines that follow the PORT, STATE, SERVICE, VERSION columnar format, you eventually come to lines that no longer follow this format. You'll see a line that tells you the MAC address of the host that was scanned. In our example, the host uses a 3COM network card.

The next line tells you the type of device you most likely scanned. So far, we've referred to the IP we scanned as a "host" because we don't know if it's a computer, a printer, a specialized network device, or what -- until now, that is. The "Device Type" line tells you what device Nmap thinks it's found. Our example says "general purpose," which typically indicates a computer.

Finally, the remaining lines tell you what operating system Nmap thinks is running on this computer. Nmap thinks this computer runs either Windows ME, 2000, or XP.

And that is enough to get you started. You now can interpret Nmap's port scan results. Sure, if you have a large network, you may have hundreds of excerpts like this. But you interpret them all the same way. Lather, rinse, repeat.

Are you now a port scanning expert? Well, hardly. Our hope is that this small amount of interaction with Nmap has torn away any intimidating mystique that command line tools might have held for you. We hope it has whetted your appetite to learn more.

Scan on a regular, recurring basis until you have a feel for what's normal on your network. Read up on results that puzzle you. Then you've dramatically increased your likelihood of spotting interlopers -- and it didn't take a penny out of your department's budget. ##

Sunday, July 22, 2007

How to use a tape drive in Linux?

Sometimes remembering how to access your tape drive in Linux isn't that easy. Follow this basic guide, which has almost all the necessary commands you might run against your tape drive.

As I said, this is a very basic guide with most, if not all, of the commands you will probably run against your tape drive in a Linux environment. Enjoy.

Check if tapedrive is online:
mt -f /dev/st0 status

Erase tapedrive:
mt -f /dev/st0 erase

Copy some content to a tapedrive:
tar cvf /dev/st0 /content_path/content.archive

List files on a tape:
tar tvf /dev/st0

Restore from the tape:
tar xvf /dev/st0

Restore a specific archive:
tar xvf /dev/st0 /folder/archive.dmp

As I always say, I hope this was useful.