Thoughts From The Fringe Of The Web

Complete rewrite of nmap (version 3.70)

2004-09-06T11:54:00.000+05:30

Rush to your friendly neightbourhood insecure.org and pick up a copy of the new nmap 3.70. As fyodor himself puts it:
"This release includes dozens of major changes, and all users are advised to update. "

nmap is now much faster and supports parallel scanning of hosts ! This allows you to distribute a scan better, and is lighter on the target systems as well. There is also a fix for using it on systems with Windows SP2 (which broke raw sockets).

From whatever testing I've done with the new version, it seems really good. The increase in speed is really awesome. This has all happened because the main port scanning engine has been rewritten from scratch.

Go ahead and download

The New Job.....

2004-08-05T02:09:00.000+05:30

Well, about that work related scenario.. I'm now working for MIEL e-Security Pvt Ltd. I'm working as a penetration-tester (what they call 'Attack & Penetration').

The blog updates have slowed down temporarily as I've been over-burdened with a whole lot of stuff. However here's the good news. The portknocking code will be up very shortly, as will another tool I've written to discover systems with common hostnames.. very useful when you don't get an AXFR from a DNS server. Pops up some interesting results ;)

I'm back in action at firewall.cx again, so get in touch with me there.

If any of the guys from the training in Mauritius are reading this, drop me a private message there and we can discuss some of the training topics etc.

Back From The Dead

2004-05-18T00:38:00.000+05:30

Yes I know its been awhile.. I've been busy appearing on the front page of newspapers (ok so only one newspaper.. the Mid-Day). The article covered the work I'm doing at the Mumbai Police Cyber Lab (the website is incomplete) and was rather spiced up IMHO. Anyway, scans of that will come up later once I figure out how to make myself look like less of a hardened criminal in the photograph.

So the Cisco IOS 12.3 source has been stolen. Coming after Microsoft's great Win2k source expose, this is giving the term 'open source' a new meaning ;). Still you've gotta feel for Cisco, they make the best damn hardware bar none (the fact that I'm a proud card carrying member of the CCNA family does not make me biased !).

Watched an incredible biography on Beethoven on the History Channel this evening. If you're a musician you'll really understand how he must have driven himself crazy after going deaf. Anyway, in deference to genius I've traded in the progressive rock for the Moonlight Sonata and Tchaikovsky's violin concertos (Kyung-Wha Chung on violin).

My port knocking implementation is almost complete. You'll be able to grab it here the second I finish commenting the code for you hackers. Then you admins / crackers can enjoy the goodness of backdoor shell access that is undetectable to portscans !

More on an interesting work related scenario soon..

Firewall.cx ties up with Searchnetworking.com, a new Nmap, Winamp plugins and prog rock !

2004-02-28T22:01:00.000+05:30

Good news everyone, firewall.cx has tied up with Searchnetworking. Searchnetworking is one of the heavyweight networking sites in the techtarget group. It gets a tremendous amount of traffic everyday and under the new deal, Searchnetworking gets to use firewall.cx's exclusive articles and other content. This way searchnetworking benefits from getting really quality original articles and we get a load more traffic. I suggest you check out searchnetworking and sign-up there, there is a whole lot of really top-notch information on that site.. and now if you browse through their administrator academy you'll see a few of our firewall.cx articles up their already.

In other news, Nmap 3.50 has been officially released. The improvements include a remote OS identification database that has doubled since its last incarnation as well as cosmetic changes to how the output is displayed. It is also supposedly faster. So go grab the Rolls-Royce of portscanners !

I've also added a neat little thing called Blogamp to the bottom left of the page (in the sidebar below the virus information). This niftly little thing shows you the last five songs I've been playing in Winamp (and yes I own the CDs). Thanks Chris for letting me host it at firewall.cx :)

As you can see I've just discovered the incredible progressive-rock band called Shadow Gallery. If you like prog rock, you owe it to yourself to check this band out.

Vulnerability Database Added

2004-02-15T02:09:00.000+05:30

I've just added the search code to the ICAT CVE Vulnerability Database. This useful tool lets you search for vulnerabilities in any software by keyword or vendor. Its completely up-to-date and provides further information on any vulnerabilities it finds.

Atom enabled news feeds !

2004-01-28T02:03:00.000+05:30

In addition to the RSS news feed we already have from InstantRSS, I've now added Bloggers own Atom news feeds. Not all newsreaders currently aggregate Atom content, but you have both options. Here is a list of newsreaders that will handle the Atom feeds.

Here is the feed (or you can access it from the sidebar)
Atom Site Feed

Antivirus engines triggering on IE URL spoofing vulnerability while we wait for Microsoft to issue a patch

2004-01-28T01:45:00.000+05:30

I received word from Cheetah, a firewall.cx member that the IE URL spoofing vulnerability demonstrated on this blog (a few posts below this) is now being recognised by some anti virus scanners as a 'URL spoofing exploit'. This is a good thing, since we're still waiting for Microsoft to issue a patch for the exploit. I have moved the actual demonstration link to a separate page so that anti virus products don't run around telling you that TFTFOTW is trying to do something evil. Rest assured that there is no malicious content on this site. It just goes to show that trust is a hard asset to win, and an even harder one to hold on to these days.

Once again, thanks to Cheetah for bringing this to my attention.

Security predictions for 2004

2004-01-05T16:20:00.000+05:30

Well after you've read the post below this for IT predictions, you can have a look at some security predictions for 2004. I had also predicted the growth of personal firewalls in the enterprise, lets see how that comes about by the end of this year.

Security Predictions for 2004

The last paragraph really stands out. It makes three very pointed observations about how the IT industry and users have been dealing with security for the longest time, and why that has to change.

IT predictions for 2004, and Wi-Fi Security

2004-01-04T00:13:00.000+05:30

I pulled these two gems off Slashdot.
The first are IT predictions for 2004, including the future of Microsoft and Linux, not to mention Sun, SCO, and Apple. Very worthwhile reading considering the guy who wrote this last year got 11 out of 15 predictions spot on. I'm not in total agreement with all his predictions, but what the heck, we'll know next year round won't we.
It Predictions for 2004

The second is a little Risk Assessment analysis of Wi-Fi networks. Don't expect too much technical detail, but some very good general risk identification ideas.
Risk Management of Wireless Networks

Happy new year all.

Introduction to security article

2003-12-23T04:09:00.000+05:30

The Introduction to Security article that I've been working on for everyones favourite networking site, firewall.cx, has been published.
Go have a look at it here :
An Introduction To Network Security

You can leave your comments here.. using the new comments system, or preferably in the firewall.cx forums, where you'll usually find me skulking.

Many thanks to Chris and Tfs for putting up with my incessantly mailing it to them for proofreading.

Acer Ferrari Laptop

2003-12-16T16:32:00.000+05:30

You have to have a look at the Acer Ferrari 3000 Notebook. Its a top performance laptop officially licensed from Ferrari. While I'm more of a Porsche person myself, this notebood just looks so sexy.. wait till you check out its specs,
Athlon XP 2500 , 60GB HDD, 512MB DDR SDRAM, DVD writer, ATI Radeon Mobility 9200 powering the 15 inch screen ! Start drooling

Acer Ferrari 3000 Notebook

Mozilla Firebird 0.7 beats IE

2003-12-15T17:02:00.000+05:30

I've just been testing out Mozilla Firebird after hearing all the wonderful things people say about it. This is the final word -- it really whips IE's ass ! The browser is quick to load, fully customisable and extendable via extensions that can do anything from adding Opera's mouse gestures to having an RSS reader in the sidebar !

The browser supports multiple windows as well as a tabbed interface and has some really neat keyboard shortcuts. The look is very clean and minimalistic (no unnecessary toolbars and buttons) however this does not mean it's dumbed down, its just very good UI design. The whole thing is skinnable as well ! Then you add all the usual jazz like built in google search and nifty full screen modes and you're ready to go !

Rendering wise, this baby is fast! I would say its equivalent in speed to Opera, but it renders pages much better than Opera. The HTML and CSS support are as per international standards (unlike Microsoft which chooses to ignore tags as it pleases). In fact I find this blog looking much more like I intended it to look under Firebird than under IE ! That said, its now my default browser :).

Oh yeah, did I mention it loads really quickly ? Hehe..

IE URL hiding vulnerability

2003-12-13T03:42:00.000+05:30

I caught this on the security lists. There is a new vulnerability in Internet Explorer that allows an attacker to make any page appear to come from a URL of his choosing. The address bar will display whatever URL he wants, and even if you hover over the link, you won't see the location you're actually being sent to. This has a lot of relevance given how scammers may use it to mislead people into believing they're at e-bay or paypal. The actual exploit involves inserting a null character before the @ sign commonly used to denote a login and password combination when accessing a website or ftp server.

To see a demonstration of the vulnerability, click the link below.

Demonstration of the IE URL spoofing vulnerability

Notice that even when you just hover over the link, it appears to be linked to www.google.com, the only way one might notice this attack is by viewing the source (or happening to notice that you're not making a TCP/IP connection to www.google.com). Both of which are fairly unlikely to happen. As of now there is no word on a patch.. so much for a patchless December from Microsoft !

Site update

2003-12-11T02:36:00.000+05:30

Well I've also added the nifty little security news, security alerts scrollers courtesy SecurityUnit to the sidebar, as well as virus alerts courtesy VirusPortal. Also don't forget about the new Feeds ! I'm planning to work on them over the next week so that they have proper headlines. However this will have to do for now !

I've also added titles to each blog entry, and a link in the byline so you can link directly to a particular post. Now hows that for a days work eh ?

XML Feed Added

2003-12-10T17:09:00.000+05:30

I've just added RSS newsfeeds of the site, you can access these using the little orange XML icon at the top of the page. Shove this link into your favourite RSS aggregator. I recommend Amphetadesk or FeedReader.

I'm very grateful to Ben from thelocust.org for providing instantRSS for free. Thats how we're giving you the XML feeds. I recommend you visit his website

Go grab that newsfeed !!

System monitors and desktop art...

2003-12-07T13:57:00.000+05:30

I just found a windows port of GkrellM, the incredible little stack of system monitors.

For those who haven't used this beauty before, it is a fully skinnable and customisable stack of monitors which can be extended with lots of plugins.. the plugins do everything from scrolling your choice of news headlines, checking mail, controlling winamp etc etc.

This is a must have !! Go get it
GkrellM Linux/BSD/Solaris/MacOS
GkrellM Windows port

Here are some screenshots of my desktop, click for full size images. GkrellM is the little stack of monitors on the right. As you can see I'm using it to monitor CPU/Disks/Memory, check my mail, control winamp and scroll security headlines and Google news. Oh yeah don't miss Flynn from Doom who shows you how messed your system in true Doom style !!

Yes I know my desktop looks too cool to be Windows XP, but that will be dealt with in another post ;)

portscanners 'r us

2003-11-19T12:41:00.000+05:30

This post will be appreciated by those of you who use Windows.

I've been on the lookout for a good portscanner for those times when I'm using Windows (Nmap doesn't work well off my PPP connection from home using WinPcap). I'd often heard of Foundstone's SuperScan being a very worthy windows scanner and so I checked it out. I must say I'm very impressed and wouldn't recommend any other scanner for the Windows OS. It has all the usual jazz you expect and some more. Some of the features :

Host discovery using multiple methods
Windows NetBIOS enumeration
UDP scanning
SYN stealth (half-connect) scanning
Banner grabbing
Built in tools such as zone transfer, whois, traceroute, bulk resolve, http requests
HTML report generation

I've been going through a whole lot of foundstones free tools and they really do have some interesting stuff, I suggest you check it out. Here's a direct link for SuperScan.

I'll also be adding a whole lot of Ebooks on a range of topics like security, programming and system administration. For all those of you who wanted to learn a programming language or linux or SQL, these will help you out. Its always good to have a book that covers material from the basics up.

Oh yeah you can now get fired for blogging at work ! Isn't this a funny one !

Bad perl coding 101

2003-11-12T03:24:00.000+05:30

For some reason a lot of people ask me how to find what webserver is running on a machine. To help you work this out and show you some pathetic coding along the way, I dug out an old perl script I'd written when I first started learning perl. Hey the code is far from beautiful.. but it works. If its some use to you, download it -
Webserver identifier script

Though I don't understand why you just dont nc www.fu.fu 80 ? Anyway some people like doing things the complicated way.

If you use windows, you can get perl from Activestate.com. Its free, and will run any perl script you find on the net.

Blah lame post ;)

New documents for old !!

2003-11-04T17:40:00.000+05:30

I'm in a generous mood so I'm handing out a couple of treats. So for taking the time to visit Thoughts From The Fringe Of The Web you're gonna get yourself a tutorial on database hacking (SQL injection). Its not the worlds newest topic, but 9/10 sites that I've visited with SQL backends and login pages are vulnerable. Best of all you can test this stuff using just your browser. Remember you're supposed to use this information to check your own intranet / website security ;)
SQL Injection

And as a little bonus, heres a default password list, no this is not a list of common passwords like a dictionary wordlist, this is a list of vendors and products, with their associated default logins and passwords. Most of the time nobody bothers changing the default password. Someone should do a survey on how many Cisco routers are sitting pretty on the net with the default password 'cisco'. Anway grep the list for all the products you own and make sure you've changed your default passwords.
Default Password List

Credit to Eric Knight for maintaining the default password list.

2003-11-01T02:28:00.000+05:30

Found a pretty decent site today. A nice selection of texts and tutorials, a few that I have in the library, but quite a few that I haven't seen before. Also has some good original material. Give it a look
http://angelx.cjb.net

Firewall.cx has added some really neat flash games (check out Max Arcade from the side menu) :) kudos to Chris and the gang for constantly keeping the site among the top, its a real pleasure to be part of the team.
Also check out two of my posts at firewall.cx in the Security / Firewalls forum... one is a pretty basic introduction to security and the other details my pen-testing methodology (yes my kung-fu is better than yours !)

I'm doing my CCNA recertification on the 5th of the month.. will let people know whether they made it harder.. lets hope not !

2003-10-27T18:56:00.000+05:30

MS03-43 is the vulnerability in Windows' Messaging Service. This service is not to be confused with windows messenger which is totally different. However, this service is enabled by default in all versions of windows since Windows 98. If you're foolish enough to have not turned this off yet, I suggest you do.. why ? Because proof of concept code and an exploit are out in the wild. I'm posting the POC code for you to have a look at

Proof Of Concept MS03-43

If you want to know how you can safely disable the service :

1. Click Start
2. Click Run type 'services.msc'
3. Double click the 'Messenger' service
4. Stop the service
5. Change startup type to 'disabled'.

More news later.

2003-10-23T03:12:00.000+05:30

Just finished reading Stealing The Network: How To Own The Box. For those of you who haven't heard, its a book which concocts 10 fictitious hacking stories.. ranging from corporate espionage, to revenge.. and then showcases the hack with pretty good technical detail. Its been under a bit of controversy due to the usual ethics question. Frankly, though the book was really entertaining, there weren't any spectacularly new hacks.. I suppose that was part of the point -- to depict the genius involved in the strategy, rather than the tactics. All in all I'd give it a 7/10.

The rest of the day was spent prowling a certain small ISP here and sending a detailed list of issues to the admin, god knows if it'll be acted on. Wonderful security included the default enable password on the border router, as well as full dns zone transfers available for the taking.

Yknow when it comes to security, theres one bit of advice that nobody really gives and from my experience is the most important -- whatever shade of hat you wear -- its about being patient. Take things slowly.. whether you're scanning from the outside of the firewall, or dealing with an incident at your workplace -- take your time.....

2003-10-21T03:31:00.000+05:30

Ive added a new link to the sidebar, its a site called djeaux.com and it provides aggregated news feeds from lots of different security news sources including bugtraq and full disclosure. The feeds are provided in RSS for an RSS reader as well as HTML for regular browsing. Very nice !

I'm still busy uploading parts of my library, actually thats the easy part, the hard part is renaming all the files and classifying the material. If I really have the time I'll try and give it all some uniform formatting -- don't count on that though.

All the material represents texts, tutorials or whitepapers that I have hand-picked because they represent original thought, interesting concepts, or just hard to find information. Consider it something like the good reading list

Here's a couple of teaser papers :
Advanced Host Discovery with Nmap
Probing Firewalls
HTTP Tunnels through proxies
Hardening the TCP Stack

All work is the copyright of the respective authors. If you want credit, or have a really good paper, let me know at sahir (at) firewall (dot) cx.

2003-10-16T12:32:00.000+05:30

So the newest version of Nmap supports version scanning. In other words, not just will it tell you that port 80 is open, it will tell you that port 80 is running IIS/4.0... it'll even do this if the webserver is using a different port altogether. How does it do this ? Heres all you wanted to know about Nmap Version Scanning.

2003-10-16T12:03:00.000+05:30

Here we go again. Four new vulnerabilities from the worlds most popular O/s maker. Vulnerable systems include Win2k and XP.
Check it out
Oh and you might want it from the horse's mouth:
Microsoft Security Bulletin October 03

I'm busy uploading parts of my security and networking library. All the material in that library is hand picked and I'm quite proud of it. Of course you'll be able to access it all from here when I post a link.

2003-10-09T15:42:00.000+05:30

Just read a groundbreaking paper which was posted to bugtraq entitled 'Juggling With Packets'. It describes, both in theory and in practice, how to use the latency or delay in network communications to store vast amounts of data (around 2gb from a 28.8kbps modem alone !) 'on the wire'! In other words, you have your data in an intermediate state in the network.. not on your disk.. never accessible to anyone except you. They describe many practical examples, including storing data in an email that will bounce back to you. I really can't explain the subject over here, but this one's worth a read if you wanna see some of the foundation shattering thoughts that can come out of bugtraq. It would be incredible to see an implementation of this !
Juggling With Packets

Other stuff - I wrote a simple script for work that allows you to start simultaneous downloads on multiple machines and log the start and end time. I am modifying it to work in a master - slave fashion, so you can just issue a command on one system and get all the others to start downloading. Ill probably put up a link when its done so you can adapt it to any similar situations you might have.

2003-10-06T10:14:00.000+05:30

Just started helping out at Chris Partsenidis' stellar networking site firewall.cx as forum moderator. If you're looking for original content on networking and network security topics, this is the place to go ! I know a lot of people who study for certifications using the material on the site. Make sure you check out the forums as theres a lot of good information there too. I've added a link to the sidebar.

2003-09-15T00:39:00.000+05:30

My long weekend is over :( spent Thursday helping change the firewall topology at work, Check Point NG FP3 is pretty impressive from the little I've seen so far. As promised earlier here is the paper I wrote on the need for personal firewalls.

I've been doing some research on buffer overflows, something I've never really dealt with since I stopped coding years ago (and am only just getting back into it). I found a couple of wonderfully written articles. Ultimately Aleph Ones Smashing The Stack For Fun & Profit from Phrack issue 49 is the definitive paper.

For those of you who are just starting out on assembly or buffer overflows, here are a couple of beginner tutorials :
Buffer Overflow Tutorial
A Beginners Tutorial

Enjoy yourself, and remember, its only fun until someone loses an eye..

2003-09-10T19:53:00.000+05:30

Finally fixed that damn style sheet error that was irritating me ! I read today that Kevin Mitnick has written a book on social engineering called "The Art Of Deception". I feel pretty bad for the guy, he went to jail on top of his game, spent time in solitary confinement, got released, and is now (imho) pretty lost. When he went to jail the net as we know it didn't exist. Someone even had to show him how to surf !

Got some good new music by two of my favourite bands :
Queensryche and Dream Theater.
I'm listening to Queensryche's Promised Land right now (thanks Ra, Mim ;)

2003-09-08T01:38:00.000+05:30

Right, spent the last 45 minutes updating the look of the page. Its been a while since I put my HTML skills (!) to good use, I like how it turned out. Started writing a paper entitled "A Case For Personal Firewalls", will put up a link to it when I'm done. Also had a long discussion on religious fundamentalism (I'm a die-hard atheist). Excited about getting Red Hat 9.0 and installing it on my virtual machines powered by VMware the most kick ass virtualisation software going ! Check it out.

2003-09-07T01:44:00.000+05:30

Ok, I'm sitting at Uttam's putting back a few beers. Tomorrow is Sunday so chances are that we wont be getting up anytime early . They're planning to involve me in a big project at work from Monday onwards.. lets see how that goes. Oh yeah check out Uttam's co's website - Flakey, Mellow & Grounded.

Flakey website - Nice flash

2003-08-31T19:37:00.000+05:30

Just thought I'd drop in a few interesting security related links :

www.securityfocus.com - The new home of bugtraq and a very good general security site
neworder.box.sk - Site with slightly more underground viewership, lots of $cript kiddie$
ftp.technotronic.com - Perhaps the largest tools archive online ?

2003-08-31T19:28:00.000+05:30

And so it begins .....