I've just finished a short greasemonkey userscript (get the userscript here) which fixes the display of pages at the excellent, free, online TCP/IP guide at www.tcpipguide.com/free/. The TCP/IP Guide is displayed on html pages which rely heavily on html table elements for their layout and the table cell containing the main content for a page is missing a "valign" attribute and so defaults to a value of "middle" when rendered by the browser. This is annoying because there's an area of white space above the main content which is most pronounced when the browser window is very wide - see an example at this page.

Greasemonkey is a cool add-on for the Firefox browser which allows you to modify and extend html pages with short snippets of JavaScript, giving you some control over how those pages are displayed, or letting you alter and extend their functionality.

This particular userscript sets the "valign" attribute of the cell in question with a value of "top" - a very simple thing to do, but it took me bloody ages to get it right. If it doesn't work for you, please leave me a comment and let me know.

Get the userscript at http://jahboite.co.uk/files/js/the_tcpip_guide_fix.user.js.

PicaVue

True to my word I've begun work on a gallery application to show my Picasa Web Album here at jah's world. I've decided to build it with Google Web Toolkit (GWT) to create an entirely client-side javascript gallery which uses the Picasa Web Albums Data API to fetch a json feed of my photos and display them in all their splendour.

So far, I haven't got very far, but I have created a new open source project at Google Code: PicaVue and committed some code to the svn repository. The aim is to have an albums index view with a thumbnail for each album and from there you can elect to view an album as a gallery of thumbnails or as a slide show. It will be simple to deploy to any website and hopefully easy to style to your liking. We'll see.

This will be my first real foray into GWT land and it shows - the source is seriously spaghettified, but I'm getting the hang of it and it will eventually be a beautiful thing!

If you'd like to contribute, you are more than welcome. If you want it now, you might like to take a look at PWI which I perhaps should have examined before I started coding (and not just two minutes ago).

Nmap 5.00 is the latest and greatest version of what is arguably the most useful network utility ever created and it's now available, for all major computer operating systems, from the download page at nmap.org. Nmap is Free and Open Source Software.

The previous stable release of Nmap was version 4.76 way back in September 2008 and much has happened since then - this version of Nmap is packed with new features and numerous improvements.
You can read the official details of this release at http://nmap.org/5/.

So what is Nmap exactly? How about a little introduction:

Nmap Port Scanning

Nmap, the port scanner, is able to discover services running on a networked host by utilising a variety of scanning techniques and probes in order to help you gather important information about the function of the host and the state of the network.

Try this command against scanme.nmap.org (a host provided, as the name suggests, for testing your favourite port scanner):

# nmap scanme.nmap.org

Nmap's abilities make it easy to troubleshoot problems on the network, enforce network policies, test firewall rules and much more. Nmap is a must-have tool for Network Professionals, System Administrators, Security Professionals and just about anyone who uses a computer in a networked environment and who wants to know more about their network environment or just networking in general.

Read more about Nmap Port Scanning techniques at
http://nmap.org/book/man-port-scanning-techniques.html.

Host Discovery

Nmap excels at finding hosts on the network: your network; someone else's network or even the entire Internet. Nmap is able to send a great variety of probes for many network protocols in order to elicit responses from hosts, thus revealing their presence.

Try running a command such as one of the following to find hosts on your local network:

# nmap -sP --reason 10.0.0.0/16
# nmap -sP --reason 192.168.1.0/24

The following will generate 1024 random IP addresses and report any hosts it finds out there on the Internet:

# nmap -sP --reason -iR 1024

Read more about Nmap and Host Discovery at
http://nmap.org/book/man-host-discovery.html.

Nmap Version Detection

Discovering that port 80 is open on a host means that it's a fairly safe bet that the service available via that port is a web server of some kind - port 80 is the standard port for the HTTP protocol. Nmap can tell you exactly which kind of web server, down to the product name and its version number.

Try this command against port 80 of scanme.nmap.org:

# nmap -sV -p80 scanme.nmap.org

Version detection has been a part of the Nmap arsenal for several years and is one of its greatest strengths. The Nmap database of service detection probes and probe responses allows Nmap to identify thousands of services even when those services are running on non-standard ports. No longer is it a good idea to hide services by binding them to non-standard ports (e.g. hiding telnet on some high numbered port such as 50000 instead of its standard port 23) and assuming that the service won't be found. Nmap will quickly reveal the service's true identity!

Read more about Nmap Version Detection at
http://nmap.org/book/man-version-detection.html

Nmap Operating System Detection

Another great feature of Nmap is its ability to detect small differences in the way a host speaks over the network in order to identify the Operating System (OS) running on the host. Under ideal conditions Nmap is able to accurately detect more than 2000 different OS versions, from Apple iPhones to ZyXEL ZyWALL routers, including standard ones such as Ubuntu or Windows Vista and obscure ones running on devices such as Oscilloscopes and Toasters (OK, not really toasters - not yet anyway...).

Try this command against scanme.nmap.org to discover what Operating System it runs:

# nmap -sV -O scanme.nmap.org

Read more about Nmap Operating System Detection at
http://nmap.org/book/man-os-detection.html.

Nmap Scripting Engine

The Nmap Scripting Engine (NSE) allows its users to write custom scripts in the Lua scripting language to perform any kind of networking task imaginable. NSE provides access to Nmap's networking APIs and makes it very easy to send and receive data across the network. Nmap ships with over 50 scripts which complement and extend the discovery of information about a host - tasks such as detecting open proxy services, detecting open mail relays, looking-up Autonomous System Numbers and WHOIS information, detecting and exploiting vulnerabilities and many more.

Try the following command against the web service at scanme.nmap.org to discover the Title of the default web page:

# nmap -p80 --script html-title scanme.nmap.org

There are also more than 30 NSE libraries to allow script-writers to easily implement all sorts of common networking tasks such as sending HTTP requests and parsing the responses, performing DNS queries, and talking the SMB protocol to Microsoft Windows machines, to name but a few.
The Lua language is easily mastered and its use within NSE is well documented making it very simple to start writing NSE scripts.

Read more about the Nmap Scripting Engine at
http://nmap.org/book/man-nse.html.

Nmap and Accompanying Tools

Nmap has become a suite of tools for Network discovery, exploration and management and, as well as the main Nmap executable, Nmap 5.0 now comes with the Zenmap GUI, Ndiff and Ncat:

Nmap and the Zenmap Graphical User Interface

Zenmap is a cross-platform graphical user interface for Nmap with several really cool tricks up its sleeves. The killer features of Zenmap include a graphical view of the network Topology and its ability to Aggregate the results of multiple scans into a single place.
Using the results of Nmap traceroute output (option: --traceroute) Zenmap draws an actual map of the network which includes the routers between you and the target host. Result Aggregation allows you to perform multiple scans and Zenmap extends the map to include any new hosts discovered. Information about any host is available for viewing right there on the map, making it a great way to build up a picture of hosts on the network. The map is displayed as a series of concentric circles each representing a 'hop' with your host at the centre, but the map can be redrawn with any host at the centre allowing you to view the network from different perspectives. The map can even be exported as an image for viewing outside of the Zenmap interface.

For people new to Nmap, the Profile Editor is a fantastic way to learn about and experiment with the huge array of Nmap options. The Profile Editor explains each of the options and presents them in an easy to use interface which allows you to select options by ticking boxes, selecting items in drop-downs and so on. Zenmap profiles are a great way to save Nmap commands which you use regularly and Zenmap ships with several ready-made profiles to get you started.

Command line junkies need not use the Zenmap Profile Editor at all - commands can be typed directly into the Zenmap Interface and using Nmap this way is just as quick as from the command line with all of the added benefits that Aggregation and Topology bring. Zenmap also produces both the normal output associated with a command terminal as well as Nmap XML output which means you don't have to worry about specifying Nmap output options - Zenmap allows you to simply save the output to a file once a scan is finished and you can even save multiple scans to a single directory in a couple of mouse clicks.

Zenmap has other features too such as: maintaining a database of recent scans so that you can search them to find specific hosts or services you're interested in; enabling comparisons between the results of two scans to quickly see the differences in the output; and novel ways to display information about scanned hosts.

Read more about Zenmap at
http://nmap.org/book/zenmap.html and marvel at just how useful it is.

Ndiff and Nmap Output comparisons

Nmap can produce its output in XML format and a common desire is to compare the output of two scans of the same host or network taken at different times. Ndiff is a separate command line tool, shipped alongside Nmap, which allows you to quickly see the differences between the outputs of two scans in much the same way as Unix diff does. Ndiff is Nmap aware and excels at showing you changes in available hosts on the network and changes in port states of a host - making it really useful for keeping abreast of changes on the network. Zenmap leverages Ndiff for its scan comparison functionality.

Read more about Ndiff at
http://nmap.org/ndiff/.

Ncat - Netcat for the 21st Century

Ncat is a modern re-implementation of Netcat and is fundamentally a tool for reading from and writing to the network. Ncat has a nearly limitless number of uses like acting as a simple TCP, UDP or SSL client to a variety of network services, providing network functionality to non-networked applications, acting as a server to which clients can connect and cool things like becoming a proxy server, a chat client/server and the brokering of connections between clients. It features security measures such as access control lists for client connections and proxy authentication.

Like the rest of the Nmap toolset, Ncat runs on all major operating systems and has no trouble communicating with an Ncat running on a different operating system.

Read more about Ncat at
http://nmap.org/ncat/.

Nmap Network Scanning - Fyodor's Nmap book

Nmap's author Fyodor has also authored Nmap Network Scanning - the "Official Nmap Project Guide to Network Discovery and Security Scanning". The book is a 468 page treasure trove of information about how to effectively harness the power of Nmap in the real world including a 42 page reference of all Nmap options. The book is available for purchase and several of its chapters are available in the free online-edition at
http://nmap.org/book/toc.html

This has been a short introduction to Nmap 5.00 and its associated tools which I hope you've found useful. If you want to know more about Nmap, you will find everything you need to know at http://nmap.org/.

Happy Nmapping!

Today I wanted to enable mod_userdir for apache2 on Debian 5.0 (Lenny).
Here's what I did:
# sudo cp /etc/apache2/mods-available/userdir* /etc/apache2/mods-enabled/
# sudo /etc/init.d/apache2 restart
That was easy! The userdir.conf was already set up to disable this feature for user root and to serve files from /home/*/public_html, so to test that it works I did:
# mkdir ~/public_html
# echo yay! > ~/public_html/index.html
and then typed http://mysite.com/~jah/ into my web browser to check that the index file was served. yay!
UPDATE 2009-04-01:
Nmap 4.85BETA6 has been released. A few tweaks have been made to the smb-check-vulns.nse script which can be used to detect hosts compromised with the Conficker malware. The output from the script is improved and makes the status of the scanned host clearer. If you've already tried the script and seen this result:
Conficker: ERROR: SMB: Failed to receive bytes: TIMEOUT
then try the updated script which increases the timeout period from 5 seconds to 20.

The newest beta of the network exploration and auditing tool Nmap 4.85BETA5 is now available for download at nmap.org/download.
Among the changes, which you can read about in the CHANGELOG, is an especially handy tool which can detect machines compromised with the Conficker (aka Downadup aka Kido) worm.
The smb-check-vulns.nse script has been updated by its author Ron Bowes to include specially crafted RPC messages and detection of the giveaway response returned by a machine compromised with Conficker.

The script may be run like so:

nmap -PN -p139,445 -n -v --script smb-check-vulns --script-args safe=1 <targets>
which might result in:
Interesting ports on cleanhost1.com (192.168.0.1):
PORT    STATE SERVICE      REASON
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on compromised2.com (192.168.0.2):
PORT    STATE SERVICE      REASON
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

The MS08-067 and regsvc DoS checks are not performed when "--script-args safe=1" is specified on the command line, which is why you will see "NOT RUN" next to those host script result entries. The MS08-067 check can determine whether or not the KB958644 Microsoft patch for the vulnerability exploited by Conficker has been applied. There's a very good chance that this check will crash the server service of a vulnerable machine, which is why it is suggested that the "safe" argument is specified to prevent the crash. If you want to perform the check, omit "--script-args safe=1" from the command.

If you have a large number of hosts in your organisation you may be interested in some great advice posted to the nmap-developers mailing list on tuning the nmap parameters to speed the process up, as well as a handy perl script for parsing nmap xml output files to extract the conficker results.
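As an added example (not Ndiff's code, nor the perl script from the mailing list), the following Python parses Nmap XML output (written with -oX) to do both jobs described on this page: pull out each host's Conficker verdict from the smb-check-vulns results, and list Ndiff-style changes in hosts and port states between two scans, as in the Ndiff section of the Nmap 5 introduction above. The two scans are constructed samples that follow Nmap's XML element layout; the script output mirrors the normal-format results shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX layout (not real scan data).
SCAN_OLD = """<nmaprun><host><address addr="192.168.0.1" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="139"><state state="open"/></port>
<port protocol="tcp" portid="445"><state state="open"/></port></ports>
<hostscript><script id="smb-check-vulns" output="&#10;MS08-067: NOT RUN&#10;Conficker: Likely CLEAN"/></hostscript></host>
<host><address addr="192.168.0.2" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="139"><state state="open"/></port>
<port protocol="tcp" portid="445"><state state="open"/></port></ports>
<hostscript><script id="smb-check-vulns" output="&#10;MS08-067: NOT RUN&#10;Conficker: Likely INFECTED"/></hostscript></host>
</nmaprun>"""

# A later scan run without the script: .2 is gone, .3 is new, and 139 on .1 is now filtered.
SCAN_NEW = """<nmaprun><host><address addr="192.168.0.1" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="139"><state state="filtered"/></port>
<port protocol="tcp" portid="445"><state state="open"/></port></ports></host>
<host><address addr="192.168.0.3" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/></port></ports></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {ip: {"ports": {"445/tcp": state, ...}, "scripts": {id: output}}}."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {"%s/%s" % (p.get("portid"), p.get("protocol")): p.find("state").get("state")
                 for p in host.iter("port")}
        # iter("script") also collects port scripts; smb-check-vulns is a host script
        scripts = {s.get("id"): s.get("output") for s in host.iter("script")}
        hosts[addr] = {"ports": ports, "scripts": scripts}
    return hosts

def conficker_status(hosts):
    """Map each host to the 'Conficker:' verdict in its smb-check-vulns output, if present."""
    status = {}
    for addr, info in hosts.items():
        for line in info["scripts"].get("smb-check-vulns", "").splitlines():
            if line.strip().startswith("Conficker:"):
                status[addr] = line.split(":", 1)[1].strip()
    return status

def diff_scans(old, new):
    """Ndiff-style change list of (host, port, old_state, new_state) tuples."""
    changes = []
    for addr in sorted(set(old) | set(new)):
        if addr not in old or addr not in new:  # host appeared or vanished
            changes.append((addr, "host", "up" if addr in old else None,
                            "up" if addr in new else None))
            continue
        op, np = old[addr]["ports"], new[addr]["ports"]
        for port in sorted(set(op) | set(np)):
            if op.get(port) != np.get(port):
                changes.append((addr, port, op.get(port), np.get(port)))
    return changes
```

To use it on real output, read the file saved with -oX into a string and pass it to parse_nmap_xml; hosts reported as "Likely INFECTED" are the ones to pull off the network first.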

The background to this update to smb-check-vulns.nse may be interesting to anyone curious about or involved in defending against Conficker.

Researchers at the Rheinische Friedrich-Wilhelms-Universität Institute of Computer Science, Felix Leder and Tillmann Werner (members of the Honeynet Project), discovered that Conficker, which patches the MS08-067 vulnerability of its host, responds with uncommon error codes when sent specific RPC messages. These responses are entirely different from those that may be elicited from a normal patched or unpatched host, thus making remote detection of compromised hosts a possibility.

Remote detection of Conficker is a real boon for system administrators who can now scan their entire organisation and determine whether there are compromised hosts on its networks without having to visit each machine or trawl through and decipher stacks of logs generated by network security monitoring tools.

Leder and Tillmann have posted details of their research into Conficker and methods/tools to detect and contain compromised hosts and there is a more detailed analysis available from them in a paper entitled "Containing Conficker - To Tame a Malware".

Several scanning tools are being or have already been updated to take advantage of this ability to remotely detect Conficker, as noted in a blog post by Dan Kaminsky, though it's worth noting that Nmap is free and will almost certainly get the job done quicker!
