$2,000 FREE on your first deposit*Please note: this bonus offer is for members of the VIP player's club only and it's free to joinJust a click to Join!
Exclusive VIPSpecial offer

🔥 AEP - Vodia PBX forum

Join port wireshark source blackjack join
  • 100% safe and secure
  • Licensed and certified online casino
  • Players welcome!
  • 97% payout rates and higher
  • Exclusive member's-only bonus

Source port blackjack wireshark

Sign-up for real money play!Open Account and Start Playing for Real

Free play here on endless game variations of the Wheel of Fortune slots

  • Fortune CookieFortune Cookie
  • Wheel of CashWheel of Cash
  • Wheel Of Fortune Triple Extreme SpinWheel Of Fortune Triple Extreme Spin
  • Wheel of Fortune HollywoodWheel of Fortune Hollywood
  • Wheel of WealthWheel of Wealth
  • Spectacular wheel of wealthSpectacular wheel of wealth

Play slots for real money

  1. Make depositDeposit money using any of your preferred deposit methods.
  2. Start playingClaim your free deposit bonus cash and start winning today!
  3. Open accountComplete easy registration at a secure online casino website.
Register with the Casino

VIP Players Club

Join the VIP club to access members-only benefits.Join the club to receive:
  • Slot tournaments
  • Loyalty rewards
  • Exclusive bonuses
  • Monthly drawings
  • Unlimited free play
Join the Club!

Please also send a Wireshark trace for the incoming RADIUS... UDP Source port: blackjack Destination port:radius[Malformed Packet] Click to Play!

User Ports are assigned by IANA using the "IETF Review" process, the "IESG.... blackjack 1025 tcp network blackjack blackjack 1025 udp network blackjack cap.... [Kouichi_Takeda_2] Protocol-2 davsrcs 9802 tcp WebDAV Source TLS/SSL ... Click to Play!

UDP port 1025(Blackjack) From: blackjack service port 1025 blackjack pizza jobs.. 1025/udp network blackjack A proper packet-sniffer like Wireshark/Ethereal or a. Video play Open Source The whole is greater than the sum of its parts ... Click to Play!

So I throw down wireshark, and here is basically what I am seeing.. Source port: blackjack (1025) Destination port: sgi-storman (1178) Click to Play!

Event ID: 5000, Event Source: .NET Runtime 2.0 Err - General - TekRADIUS

Project developed using VisPro/Rexx, source code included.... A FreeRDP port for OS/2, eComStation and ArcaOS..... This pack contains Blackjack 1.0, Caribbean Poker 1.0, Caribbean Stud Poker 1.3a and Multi..... Wireshark 2.2.17
Hello all, Can anyone tell me how to stop wireshark giving the port numbers for TCP packets popular names like "ddi-tcp" and "blackjack" etc, ...
Txt file” button to upload the file to the gaia. Wireshark Pipe - Launches Wireshark with a pipe connected to the traffic. Source port is 49654, while the destination.


14.04 - Serial Port Debugging on Ubuntu - Ask Ubuntu Source port blackjack wireshark

Wireshark uses it to resolve port numbers into human readable # service names,... Experiment 2 blackjack 1025/tcp/udp # network blackjack cap 1026/tcp/udp.... Transfer Protocol-2 davsrcs 9802/tcp/udp # WebDAV Source TLS/SSL sapv1 ...
One paring of destination and source ports that were labeled in an. Examining the network traffic in Wireshark, in particular the Blackjack entries, clearly details ...
User Ports are assigned by IANA using the "IETF Review" process, the "IESG.... blackjack 1025 tcp network blackjack blackjack 1025 udp network blackjack cap.... [Kouichi_Takeda_2] Protocol-2 davsrcs 9802 tcp WebDAV Source TLS/SSL ...

AEP - Vodia PBX forum

source port blackjack wireshark
1, tcpmux, TCP Port Service Multiplexer... 1025, blackjack, network blackjack.... 3064, distrib-net-proxy, stupid closed source distributed.net project proxy port.
I posted my source code for easier reference.. Serial.begin(38400); // opens serial port, sets data rate to 38400 bps. I've tried running the code, monitor through wireshark, the arduino keeps sending "blackjack port 1025" to ...

source port blackjack wireshark FLUID -- Florida Unemploym...
In the Name box type in Cl-Web App Test.
In Scan Targets type in the IP address that is of interest to you, in our case 95.
Let the scan run this may take a while.
In the left-hand column LC on Download Report, and for the format as shown below choose Detailed RTF Report by finding : Download Report Download Format nessus v1 Detailed HTML Report by finding Executive HTML Report by host Detailed RTF Report by finding Once again we see the warning about the website's security certificate.
As before, just continue to the website and Nessus will format the report.
You will then elect to save the report to whatever directory you so desire, giving it whatever name works best for you; then LC Open and see the Nessus report.
Here is what Nessus is showing us when running the Web App test: Web Server Directory Enumeration Synopsis It is possible to enumerate directories on the web server.
List of Hosts 95.
List of Hosts 95.
List of Hosts 95.
List of Hosts 95.
List of Hosts 95.
List of Hosts 95.
Description Security patches may have been 'backported' to the remote SSH server without changing its version number.
List of Hosts 95.
List of Hosts 95.
List of Hosts 95.
List of Hosts 95.
List of Hosts 95.
List of Hosts 95.
Description The remote host answers to an ICMP timestamp request.
This allows an attackerto know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.
List of Hosts 95.
The difference between the local and remote clocks 13 14422 seconds.
The above item is interesting since it disagrees with an earlier time stamp state- ment from our earlier Web App test.
We will iron out this discrepancy later.
List of Hosts 95.
It supports: publickey, keyboard-interactive.
Description The credentials provided for the scan did not allow us to log into the remote host or the remote operating system is not supported.
List of Hosts 95.
This may cause problems for some dedicated services BGP.
Well now, isn't that interesting?
Sequence prediction might be our way in.
Let's keep that in the back of our mind for potential use later.
List of Hosts 95.
It is suggested that you change the number of pages to mirror in the 'Options' section of the client.
We will plan to change the number of pages to mirror and run this part of the test again later on in this book.
It therefore is potentially affected by a weakness in the cURL extension that can allow SSL spoofing and man-in-the-middle attacks.
The above and below items show us more potential pathways to a successful compromise of our target.
List of Hosts 95.
List of Hosts 95.
Databases should not be reachable from Internet, according to PCI DSS.
Description The remote host is running a database server that is reachable from the Internet.
This violates PCI DSS, section 1.
List of Hosts 95.
MySQL User-Defined Functions Multiple Vulnerabilities Synopsis The remote database server is potentially affected by multipleVulnerabilities List of Hosts 95.
List of Hosts 95.
List of Hosts 95 141.
List of Hosts 95.
List of Hosts 95.
Such versions are affected by multiple denial of service vulnerabilities: - A denial of service vulnerability exists in the gss-serv.
A remote attacker may be able to trigger this vulnerability if gssapi-with-mic is enabled to create a denial of service condition via a large value in a certain length field.
List of Hosts 95.
Such versions of OpenSSH allow forwarding TCP connections.
If the OpenSSH server is configured to allow anonymous connections e.
AnonCVS , remote, unauthenticated users could use the host as a proxy.
PHP lp2long Function String Validation Weakness Synopsis The remote web server uses a version of PHP that does not properlyWalidate user strings.
List of Hosts 95.
IB Installed version: 5.
Based on all that Nessus has shown us thus far, we have quite a bit to work with when it comes to being able to compromise the target system.
But we have other tools to learn in this stage of the game, so let's take a look at them.
In summary, we have learned with a high confidence level but not 100% the following from Nessus about 95.
We will iron out this discrepancy later.
Since this is also an educational process, let's continue our research on the target using some other tools and techniques.
We've already "touched" the target, and I'd rather lay off directly touching the target right now and see if we can uncover some additional information about the target through some indirect means.
Chapter 3 Indirect Target Information Acquisition ITIA In this section we focus on discovering more about our target without actually "touching" the target.
In this manner we learn all we can about the target covertly without alerting those who may be watching the target a security team or whoever.
Let's begin with a tool called Metagoofil.
Metagoofil is used to gather metadata from files.
It automatically searches for the files, retrieves the documents, and per- forms its metadata analysis.
The tool is developed by Edge-Security.
To observe an example and learn how to use this tool, type.
Or in some versions just type metagoof il.
They think that they are not noticed � that they can act maliciously without being detected.
You might ask, how can you be sure they are not just innocent bystanders that were infiltrated by someone else?
I suppose my reply would be, "keep your com- puter systems appropriately secured"; besides that, we aren't attacking them � just learning more about them and giving them some "nice" free advertising.
Let's first use a tool called whois to determine just who they are and where they are located.
Soldat Stefan Velicu, nr.
Notice that the responses from IANA etc.
This is done to make specific searches more difficult some companies are hoping you'll miss them via this method of hiding.
For example, below you will see that sometimes you have to use Country instead of country NetName instead of netname, Address instead of address, and so on.
Soldat Stefan Velicu, nr.
Kennedy 7327 Steinsel Luxembourg +352 20.
Kennedy 7327 Steinsel Luxembourg +352 20.
I I Please contact abuse as5577.
Box 93054 109 OBB AMSTERDAM Netherlands www.
NL LSW1-RIPE LSW1-RIPE ASSIGNED PA OCOM-MNT RIPE Filtered person : address address address phone : fax-no : abuse-mailbox : nic-hdl : mnt - by : source : RIP Mean P.
Box 93054 109 OBB AMSTERDAM Netherlands +31 20 3162880 +31 20 3162890 abuseoleaseweb.
Box 93054 address: 1090BB AMSTERDAM address : Netherlands 118.
To update this object, please contact APNIC hostmasters and include your organisation' s account name in the subject line.
To update this object, please contact APNIC hostmasters and include your organisation's account name in the subject line.
Moscow 119034 Russia 172.
For the rest of these I'm not going to put in the entire whois information � just a small portion.
You get the idea here, I'm sure.
They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.
Comment : Comment: These addresses can be used by anyone without any need to coordinate with I ANA or an Internet registry.
The traffic from these addresses does not come from ICANN or IANA.
We are not the source of activity you may see on logs or in e-mail records.
They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.
Comment : Comment: These addresses can be used by anyone without any need to coordinate with I ANA or an Internet registry.
The traffic from these addresses does not come from ICANN or IANA.
We are not the source of activity you may see on logs or in e-mail records.
They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.
Comment : Comment: These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry.
The traffic from these addresses does not come from ICANN or IANA.
MX-CRSC10-LACNIC GAL 2 Luis Vielma Ordones Av.
Naciones Unidas, 5526, Col.
Vallarta Universidad 45110 - Guadalajara - JL Hidalgo, 2074, Col.
Ladron de Guevara 44650 - Guadalajara - Ja 201.
You can search by hostname, IP address, and location.
For example, you can narrow your search results by operating system, port available, or city or country.
GOOGI E HACKING-1DATA3ASE Welcome to the google hacking database We call them 'googledorks': Inept or foolish people as revealed by Google.
Whatever you call these fools, you've found the center of the Google Hacking Universe!
Sensitive Directories 2013-08-08 intitle:lndex.
WebMail Powered by Winmail...
WebMail I Powered by Winmail Server - Login www cdt-gz.
Password Automatically login at next time.
MM d' 6MMMMb MM...
Not Found - Arab Zone I Hacker Ps information Attack Service add-attack.
Still, google finding usernames on a web site..
Web Server Detection 72 These links demonstrate Google's awesome ability lo profile web servers Vulnerable Files 60 HUNDREDS of vulnerable files that Google can find on websites...
Vulnerable Servers 74 These searches reveal servers with specific vulnerabilities.
Files containing passwords 165 PASSWORDS, for the LOVE OF GOD!!!
Pages containing login portals 271 These are login pages for vanous services.
Consider them the front door of a website s more sensitive functions.
J Various Online Devices 228 This category contains things like primers, video cameras, and all sorts of cdoI things found on the web with Google.
Advisories and Vulnerabilities 1970 These searches locate vulnerable servers.
These searches are often generated from various secunty advisory posts, and in many cases are product or version-specific.
To see that route: dig +trace.
This might show us several subdomains within the target domain:.
It seeks to find all the IP addresses and hostnames used by a target.
Potentially it could contain such words for example as www, ire, mail, wwwl, ns, and so on.
Dnsmap Used to brute-force subdomains from a target domain.
You can either use the built- in word list that comes with this tool or provide a list of your own.
Keep in mind that it may take a while for this tool to finish running.
Note that IP stands for IP address, and this will be used throughout the book.
This means we are going to be in contact with the contact system, and the more noise we make on the target system, the higher the probability that someone will discover our presence.
So if you are concerned about someone detecting and responding to your presence on a target, then be as quiet as you possibly can.
You'll have to use your own judgment as to just how noisy you can be, depending on the circumstances of your particu- lar engagement.
We get nothing back.
Could the system have been taken offline?
We get nothing back.
Could the system have been taken offline?
V - Prints live hosts on the IP.
Looking at the file I see that there are 64 systems available, none of which are our original target.
Looking at the file I see that there are 85 systems available, including our original second target, 64.
Looking at the file I see that there are 65 systems available, including the IP address in our traceroute that came just before our original tar- get, 193.
You can also put values in a hosts file and have it read from that file.
So what do we do?
We check to see what other tools tell us.
This will bring us all the closer to the truth.
It is allocated to EuroTransit GmbH.
Remember that it is not good to have too many web- sites located in the same web server because if a website gets infected by malware, it can easily affect the online reputation of the IP address and also of all the other websites.
This is the system that sits right in front of target 1 Tl in the traceroute we performed earlier.
Store data on different box.
Have an in-demand skill the masses do not have.
Must put your entire target domain in a text file.
Text file must have each domain on a separate line.
Can do much more.
The WayBack Machine is a means to access old "no longer there" websites.
Technology Description Popular sites using this Perl iff Perl is a high-level, general-purpose, interpreted, dynamic programming language www.
Technology Description Popular sites using this technology IBM HTTP No description www-946.
Technology Description Popular sites using this Client Pull No description www.
This is the system that sits right in front of target 1 Tl in the traceroute we performed earlier.
As you will see, Nmap can tell us many things � or at the very least, put us in a better position than we were.
As we go through Nmap you will see that I repeat some explanations of switches and param- eters at various intervals.
I do that for two reasons.
One is so that you don't have to search around for the explanation again.
And the other is to help instill it better in your memory.
First, we will put a table in place that we can use for reference: Nmap Switch Type of Packet Sent Response if Open Response if Closed Notes -sT Operating system OS -based connect Connection made Connection refused or time-out Basic nonprivileged scan type.
Not stealthy since it completes the three-way handshake logged.
Can cause a denial of service DoS older systems.
Executes both service scan -sV and OS fingerprint -O.
Use as "-b user:pass servenftpport".
Can also use banner grab mTormaiion.
Reports which targets are up.
TCP ACK implies that you have a TCP packet with the ACK flag set.
Here is a quick synopsis of those parameters and how to use them.
EXAMPLES : nmap -v -A scaniw.
Nmap -T5 -O -sTV -vv -p- -PN 95.
Earlier no pings were returned, but Nmap discovers the following.
We will have to drop our recon work on this system.
X, Sony Ericsson embedded, iPXE 1.
Sony Ericsson U8i Uiuaz nobile phone, iP XE 1.
Nmap also performs Address Resolution Protocol ARP discovery by default against targets on the local Ethernet network.
Nmap uses the ARP scan -PR by default on the local Ethernet network.
ARP scans are disabled by using the -send-ip option.
We will update the table as we progress through our other Nmap commands.
IP Port State Service MAC 192.
UPnP is intended primarily for residential networks without enterprise class devices.
ICSLAP: This has to do with how you have Windows Media Player set up per- taining to it connecting to online stores.
Netbios-ssn: Involved in Windows file sharing.
Windows file sharing will use ports 137 through 139 and port 445.
TCP NetBIOS connections are made over this port, usually with Windows machines, but also with any other sys- tems running Samba SMB.
These TCP connections form NetBIOS sessions to support connection-oriented file-sharing activities.
Microsoft-ds: Microsoft Directory Services.
This port replaces the notorious Windows NetBIOS trio ports 137-139 , for all versions of Windows after NT, as the preferred port for carrying Windows file-sharing and numerous other services.
The protocol is used for establishing and controlling media sessions between endpoints.
Clients of media servers issue VCR-like commands, such as play and pause, to facilitate real-time control of playback of media files from the server.
Normal use of port 10243: Port 10243 TCP is used by WMC Windows Media Connect to actually stream the media to the PC.
Basically, there is a web server on this port.
The digital media receiver DMR uses UPnP on port 2869 to get a list of the music, video, or photos that are available.
When it is ready to play music, for example, it gets the URL of the song from UPnP and then requests it.
The port in that URL is port 10243.
The web server then streams the music to the DMR on that port.
Ports 49152�49158: Per about.
Services typically grab one or more random free ports in this range when they need to perform multithreaded socket communications.
Ok, let's move on to some more Nmap commands and see what we can learn about those four systems.
That's a zero, not the capital letter O.
If you know that an intrusion detection system IDS sits between you and the tar- get, and you want to be as stealthy as possible, us -TO or paranoid to keep your probes as silent as possible.
TO sends a probe every 5 minutes, and upping it to T5 sends a probe every 5 milliseconds meaning you are going to be very noisy, you are in a hurry, and you don't care if you are noticed.
By default meaning you leave off the -T option , Nmap scans with the normal template -T3.
For IDS evasion you can use either -TO or -Tl, Tl being just a little faster, but of course just a little less quieter than TO � which one you use will depend on your situation as far as stealth and if being a little less quiet is OK.
This time frame would not work for a limited penetration testing PT engagement, but malicious state-sponsored entities and organized crime figures will take the time to do this if they consider it necessary.
You can use TO for PT engagements PTEs , but you need to vastly cut back on which ports you want to scan.
T4 puts the scanner into aggressive mode.
T5 is also called insane mode, which is the very fastest that Nmap can run.
The slower speeds lower the impact on the network and systems and again are used for IDS evasion.
The faster tem- plates, though, are used on very fast networks, and although they are very fast, they may be less accurate.
It attempts to complete the three-way handshake and has little chance of flooding the target, which might lead to a system crash on the target which we don't want.
If a user does not have root or admin privileges, Nmap will perform a TCP connect scan by default -sT.
It is more likely to be logged since it does attempt to complete the three-way handshake as mentioned earlier, but you may be able to detect additional open ports by using it indicative that the target is running a host-based fire- wall that can interfere with SYN scan results.
Use whenever possible since it provides ver- sion of service information.
By default, version scanning -sV also executes all NSE scripts in the version category.
Notice that I've combined -sV and -sT into -sTV, which is legal in Nmap.
The more v's you use, the more infor- mation you obtain relative to an explanation of what Nmap is doing.
If you want to just run Nmap and don't care about reading an explanation of what it is doing right now, then leave off the v's.
I like to know, so I use the v's, usually three of them.
Nothing new was found on the four systems using the above parameters, but for our fifth system something was found: For 192.
Let's see if it figures out the correct operat- ing system later.
There is little chance of a denial of service DoS or system crash occurring.
It is somewhat stealthy since the three-way handshake is not completed.
This option is also known as half-open or SYN stealth.
With this option Nmap sends a SYN packet and then waits for a response.
If there is no response or an ICMP unreachable error message response, the port is considered to be filtered.
Well, we have learned something new this time.
Here is what we have: For 192.
I know it to be a Windows XP SP3 system, so Nmap guessed correctly.
I know Nmap to be cor- rect here about the running operating system.
This is indeed a Windows 98 SE system.
In case you don't know what SE stands for, it means "second edition.
Nmap -A -vvv -p- -PN -iL IPlist.
It performs default port scanning of ports 1-1024 and those listed in the nmap-services file.
Each IP address in the text file is on a line by itself.
This can be used with any Nmap options.
This will break the packets into a maximum of 8 bytes after the IP header.
It can be used twice for 16 bytes, which will break the packets into a maximum of 16 bytes after the IP header.
This will sometimes break up distinguishing char- acteristics across packets and evade pattern matching detection techniques.
The change we find here is for 192.
Notice the additional port of 49157 instead of 49158.
If the target responds with a RST packet it is active.
Many of the Nmap host discovery options can be combined to scan through firewalls and evade intrusion detec- tion systems.
Specifying -PA will send a single TCP ACK packet, which may pass certain stateful firewall configura- tions that would block a bare SYN packet to a closed port.
If the machine only has an IPv6 address, add the NV ap -6 flag to scan that.
If the machine only has an IPv6 address, add the Nr ap ~6 flag to scan that.
Nmap scan report fop 192.
There are various ways to keep track of your results, and using tables is one way.
There are other ways, such as software that does this for you, Excel spreadsheets, and more.
What follows is many more ways to use Nmap.
Also remember that updates to Nmap occur, and sometimes com- mands that worked at one time no longer do, or they require some new alteration.
Keep that in mind as you work your way through these.
This will be slower due to numerous retries since UDP is a connectionless protocol.
It sends an empty UDP header to the target port.
The target responds with an ICMP port unreachable error if the port is closed.
Other ICMP errors indicate that the port is blocked by a packet filter.
UDP services on open ports will respond with a UDP packet, but some UDP services will not send a response.
Christmas tree scan -sX sets the PSH, FIN, and URG flags PUF.
It might bypass firewalls.
Henceforth I'm not going to keep stating "nothing new" if there is nothing new.
If there is something new from Nmap, I'll place it under the appro- priate Nmap command.
It does not set any flag bits in the TCP header.
The MTU for Ethernet is 1500 bytes.
However, sometimes controls don't have this feature enabled for performance and routing reasons.
It sets the FIN and ACK flags in the port scan packet.
This scan takes quite a while over an hour.
Notice that we can use the -p port option to specify specific ports that we wish to scan.
This allows you to solicit a variety of responses from targets as well as evade IDSs.
To set the URG and PSH flags: -scanflags URGPSH.
By default Nmap uses the SYN scan for result interpretation.
Nmap -n -sP 192.
Nmap -sP -oG Results IP.
If you are scanning through a firewall: - The TCP SYN ping -PS creates a packet with the SYN flag set and sends it to specified ports on the target.
By default Nmap uses port 80, but you can specify a single port or multiple ports.
Both responses, though, indicate that a device is active and responding.
If no response is received, either the target is not active or the responses are being blocked by a firewall.
This option is passive since it does not send any packets to the targets, but it does perform DNS name lookups for each host.
SYN scans are stealthy.
This will take quite a while, as mentioned earlier.
Again, this will take quite a while.
You can use Nmap to scan for a variety of items on a network just by scanning common ports.
Here is a partial listing: Item to Scan For Port Type Port Number SQL server 1 Lr -1 AT} 1 4.
Based on your knowledge of Nmap, hide yourself while performing a scan.
If you want to scan your own DMZ to look for rogue hosts but you don't want to scan your known DNS, web, and mail servers, you can use the following.
Note that Nmap supports target specification from an input file and excluded targets from an exclude file.
The targets must be space, tab, or new line delimited.
Nmap -sO IP The TCP Window scan -sW sends a packet with only the ACK flag set, but also analyzes the TCP Window field in the RST response to determine if the port is open or closed.
Some systems will use a positive window size if the port is open and a zero window size if the port is closed.
The zombie host masks your IP address.
Nmap randomizes the order of ports scanned.
You can scan them sequentially by using the -r option.
To speed up slow scans, scan hosts in parallel, scan just the most popular ports, and perform scanning behind the firewall.
The probes and response matches are located in the nmap-os-db file.
Nmap -O IP Uses Nmap's default SYN scan for port detection, but other port detection tech- niques can be chosen.
Version detection uses a variety of probes located in the nmap-services- probes file.
If Nmap was compiled with OpenSSL support, it can attempt to discover lis- tening services behind SSL encryption.
OpenSSL support is not available on the Windows version of Nmap.
To enable version detection, use Nmap -sV IP.
To enable all ports for version detection, use the -allports option.
Probe intensity falls between 0 and 9, with 9 being the most intense and 7 being the default.
The -version-intensity option allows you to control this.
Higher-intensity scans take longer, but you are more likely to have services and versions correctly detected.
The -version-light option performs quickly, but has less reliable ver- sion detection.
The -version-all option is equal to a version intensity level of 9.
Get detailed information during version detection with the mighty -version-trace option.
Specify a customized service probe file instead of the default nmap-service- probes file by using the -versiondb option.
The -A option enables version detection, OS detection, script scanning, and traceroute.
Remember our friends from Chapter 3?
Below is a list to refresh your memory.
The Nmap results for the IPs scanned below are located on the BT5R3 box in the PTbookNaughty directory.
The Nmap commands used are: Nmap -A -Pn -oA IP Nmap -sS -sU -T4 -A -Pn -oA IP However, I'm going to now use Zenmap, which is the graphical front end of Nmap.
This provided me with three output files each time I ran Nmap, one of those being an xml file.
The xml results file is the file I will open using Zenmap.
The point here is not to explain Zenmap in detail other books do that or you can explore it on your own � it comes as part of Nmap when you download it , but to show you some of its capabilities graphically when working with xml files.
That's why it's important to try a variety of Nmap commands on a particular target.
What one may miss, another may pick up.
Knowing what to use comes with experience.
All 1000 scanned ports on 118.
Nmap done at Sat Oct 5 12:20:59 2013-1 IP address 1 host up scanned in 231.
Results are placed in the PT bookNaughty direc- tory on the BT5R3 system.
Do some more UDP service discovery on our "friends": Nmap -sU -p- -oA MaliciousFriends-UDP -iL MaliciousFriendsIPs.
Note that I used nano to create the above txt file with a list of IPs of our friends.
What communications protocols are being used?
Nmap -sO -oA MFcommProto -iL MaliciousFriendsIPs.
Not shown: 254 open filtered protocols PROTOCOL STATE SERVICE 1 open icmp 17 open udp Nmap scan report for 91.
Not shown: 254 open filtered protocols PROTOCOL STATE SERVICE 1 open icmp 17 open udp Nmap scan report for web.
Not shown: 254 open filtered protocols PROTOCOL STATE SERVICE 1 open icmp 17 open udp Nmap scan report for 146.
Not shown: 255 open filtered protocols PROTOCOL STATE SERVICE 1 open icmp Nmap scan report for 177.
Not shown: 254 open filtered protocols PROTOCOL STATE SERVICE 1 open icmp 17 open udp Nmap scan report for 2 01 - 167 - 123 - 176 -cable.
Not shown: 255 open filtered protocols PROTOCOL STATE SERVICE 1 open icmp Nmap scan report for 2 08-69-108-103.
Not shown: 253 open filtered protocols PROTOCOL STATE SERVICE 1 open icmp 6 open tcp 17 open udp Nmap scan report for 210.
Not shown: 254 open filtered protocols PROTOCOL STATE SERVICE 1 open icmp 17 open udp Nmap done at Sat Oct 5 21:56:55 2013- 16 IP addresses 10 hosts up scanned in 1321.
Nmap -sA -oA BehindFirewall?
A response of "open" or "closed" from the target tells us the target is not behind a firewall.
We know the target sits behind a firewall if it does not respond or we receive an ICMP-related error message.
Last boot Not available IPv4: 83246.
Nmap � script http-enum -p80 -oA FilesOflnterest?
Now let's see if we can brute-force some passwords from our friends' web servers: Nmap -p80 � script http-brute -script-args http-brute.
Now in the image below note that I've selected Services instead of Hosts as I did above.
Scan lo Target: Command: nmap -p80 -iL MaliciousFriendsIPs.
Last boot Not available IPv4: 177.
Detect web application firewalls and intrusion prevention systems: Nmap -p80 � script http-waf-detect -oA DetectWebAppFWandlPS -iL MaliciousFriendsIPs.
Detect potential cross-site tracing XST vulnerabilities: Nmap -p80 � script http- methods,http-trace � script-args http-methods.
Nmap scan report for 146.
Are any of their web servers vulnerable to the Slowloris DoS attack?
Nmap -p80 � script http-slowloris � max-parallelism 320 -oA WebServVul2SloworisDoS -iL MaliciousFriendsIPs.
Are any mySQL servers?
You've got a lot of experimenting to do.
Remember: Practice, practice, and more practice.
Chapter 6 MATLAB, SimuLink, and R Three tools that work great together during a penetration test engagement are MATLAB, SimuLink, and R.
You can download and experiment with MATLAB and SimuLink for 30 days free at MathWorks.
R is both open source and free.
How can these three tools be of immense use to us during a penetration test?
Let's take a high-level overview of what each tool is good for, and then how to use them as a team in conjunction with the C programming language MATLAB was designed to work with C, and they fit together like a hand in a glove.
Keep in mind that it takes a while to get a good handle on these tools, but once you do, you'll be in love with them.
OK, first let's do an overview of MATLAB.
What is it good for?
How can it help us?
As I stated earlier, but it bears repeating here, mathematics is very impor- tant.
Don't just think about software tools.
Remember that the software you see on the monitor is just for your human eyes and mind to be able to somewhat interpret what's happening or going to happen.
Don't get lost in the software.
The software may be your "gateway," but it's not your be all and end all.
The only thing going down that Ethernet cable or other type of cable or wireless coming out of or into your computer system is electrical signals, and all of those electrical signals can be formulized mathematically.
The closer to the real source you can get as to what is really happening, the better off you are when it comes to really understanding and responding to what's going on.
Also keep in mind that you can write C programs that interface directly with MATLAB.
Then move on to SimuLink and follow the same procedure as I just mentioned for MATLAB.
Both products have fantastic graphics capabilities, so I'll provide a few examples of that right here.
Note that all of the graphical images below have to do with penetrating computer networks in some fashion.
If you rec- ognize them, great; if you don't, then that's another book unto itself and I suggest you pick up one of the beginner's books on MATLAB and SimuLink to get started.
Think about this: Instead of trial and error or wondering if "attack x" will work, and if it does or does not, what effect it will have on the system, we can first simulate our attacks in software until we have it down pat as to what tools and techniques will work best on our target � then we launch our attack in the real world.
This technique is far stealthier and can gain you much more in a one-fell-swoop attack.
That's part of the picture, but where does R come in to play?
Let's allow the r-project.
R can be considered as a different implementation of S.
There are some impor- tant differences, but much code written for S runs unaltered under R.
R provides a wide variety of statistical linear and nonlinear model- ling, classical statistical tests, time-series analysis, classification, cluster- ing,.
The S language is often the vehicle of choice for research in statistical methodology, and R provides an Open Source route to participation in that activity.
One of Rs strengths is the ease with which well-designed publication- quality plots can be produced, including mathematical symbols and formulae where needed.
Great care has been taken over the defaults for the minor design choices in graphics, but the user retains full control.
It compiles and runs on a wide variety of UNIX platforms and similar systems including FreeBSD and Linux , Windows and MacOS.
We will be using the Windows version here, so to start R just double-click DC the R icon.
RData in your current working director.
Note that x is a vector.
V: Provides you with help.
Note the use of back ticks.
If you want to know which libraries and data frames are attached in the work- space use search.
R does record all of the commands you type.
Rhistory in your current working directory CWD.
Simulates 15 values from a distribution with a mean of 1 and a standard deviation of 0.
If you type only the function name without the parentheses, you will see the actual code that built the function.
Orange contains information pertaining to the growth of orange trees.{/INSERTKEYS} {INSERTKEYS}Yannakogeorgos and Adam B.
Lowther ISBN 978-1-4665-9201-8 Conducting Network Penetration and Espionage in a Global Environment Bruce Middleton ISBN 978-1-4822-0647-0 Core Software Security: Security at the Source James Ransome and Anmol Misra ISBN 978-1-4665-6095-6 Data Governance: Creating Value from Information Assets Neera Bhansali ISBN 978-1-4398-7913-9 Developing and Securing the Cloud Bhavani Thuraisingham ISBN 978-1-4398-6291-9 Effective Surveillance for Homeland Security: Balancing Technology and Social Issues Francesco Flammini, Roberto Setola, and Giorgio Franceschetti ISBN 978-1-4398-8324-2 Enterprise Architecture and Information Assurance: Developing a Secure Foundation James A.
Scholz ISBN 978-1-4398-4159-4 Information Security Fundamentals, Second Edition Thomas R.
Peltier ISBN 978-1-4398-1062-0 Intrusion Detection in Wireless Ad-Hoc Networks Nabendu Chaki and Rituparna Chakiv ISBN 978-1-4665-1565-9 Intrusion Detection Networks: A Key to Collaborative Security Carol Fung and Raouf Boutaba ISBN 978-1-4665-6412-1 Iris Biometric Model for Secured Network Access Franjieh El Khoury ISBN 978-1-4665-0213-0 Managing Risk and Security in Outsourcing IT Services: Onshore, Offshore and the Cloud Frank Siepmann ISBN 978-1-4398-7909-2 PCI Compliance: The Definitive Guide Abhay Bhargav ISBN 978-1-4398-8740-0 Responsive Security: Be Ready to Be Secure Meng-Chow Kang ISBN 978-1-4665-8430-3 Security and Privacy in Smart Grids Yang Xiao ISBN 978-1-4398-7783-8 Security for Service Oriented Architectures Walter Williams ISBN 978-1-4665-8402-0 Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity J.
Stapleton ISBN 978-1-4665-9214-8 The Complete Book of Data Anonymization: From Planning to Implementation Balaji Raghunathan ISBN 978-1-4398-7730-2 The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture Kerry Ann Anderson ISBN 978-1-4822-2007-0 The State of the Art in Intrusion Prevention and Detection Al-Sakib Khan Pathan ISBN 978-1-4822-0351-6 Trade Secret Theft, Industrial Espionage, and the China Threat Carl Roper ISBN 978-1-4398-9938-0 AUERBACH PUBLICATIONS www.
The MathWorks does not warrant the accu- racy of the text or exercises in this book.
This book's use or discussion of MATLAB� software or related products does not constitute endorsement or sponsorship by The MathWorks of a particular pedagogical approach or particular use of the MATLAB� software.
Government works Version Date: 20140206 International Standard Book Number-13: 978-1-4822-0648-7 eBook - PDF This book contains information obtained from authentic and highly regarded sources.
Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use.
The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained.
If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.
Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, micro- filming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.
CCC , 222 Rosewood Drive, Danvers, MA 01923, 978-750- 8400.
CCC is a not-for-profit organization that provides licenses and registration for a variety of users.
For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identi- fication and explanation without intent to infringe.
During the Vietnam War, one of my duty stations was on an island in the China Sea.
I was part of a signal intelligence group, intercepting and decoding wartime communications traffic.
We did our best to decode and analyze the information we intercepted, but there were many times when we required the help of a high-end at that time mainframe computer system.
Did we have a com- munications network in place to just upload the data to the mainframe, let it do the processing, and then download it back to us?
We had to take the large magnetic tapes, give them to the pilots on the SR-71 Blackbird, and fly them to the United States for processing on the mainframe computer system.
Once the results were obtained, we would receive a telephone call informing us of any critical information that was found.
It's hard to believe now that 40 years ago that's the way things were done.
Now we have data networks in place that allow us to transmit information to and from virtually any location on Earth and even in outer space to a degree in a timely and efficient manner.
But what did this tremendous enhancement in communications technology bring us?
Another place for criminal activity to take place.
Who are these criminals in cyberspace?
You could start with organized crime, such as the Mafia and others.
What is their major focus here?
Financial activity, of course.
They have found a new way to "mismanage" the finan- cial resources among other things of others.
We also have foreign espionage activi- ties making good use of our enhanced communications systems.
They routinely break into government, military, and commercial computer networked systems and steal trade secrets, new designs, new formulas, and so on.
Even the data on your home computer are not safe.
If you bring your work home or handle your finances on your computer system, both your personal data and your employer's data could easily be at risk.
I could go on, but I'm sure you get the picture.
Why is it like this?
Why can't we make these communications systems fully secure?
Banks and homes and businesses have been in existence as far back as we can remember.
Despite all the security precautions put in place for banks, homes, aircraft, and businesses, we haven't been able to fully secure them.
Almost nothing in the physical world is really secure.
If someone wants to focus on and target something, more than likely he or she will obtain what he or she wants if he or she has the time, patience, and other sufficient resources behind him or her.
We shouldn't expect it to be any different in cyberspace.
Just like in the physical world, where we have to be constantly alert and on guard against attacks on our government, military, corporations, and homes, in cyberspace we have to be even more alert.
Because now people can come into your homes, your businesses, and your secured government and military bases without being physi- cally seen.
They can wreak havoc, change your formulas, change your designs, alter your financial data, and obtain copies of documents � all without you ever know- ing they were there.
Where does this bring us?
This brings us to the fact that we need to keep doing the same things we have been doing for many years in the realm of physical secu- rity.
Do not let your guard down.
But it also means that we must continue to enhance our security in the cyber realm.
Many excellent products hardware and software have been developed to protect our data communications systems.
These products must be further enhanced.
Numerous new and enhanced laws over the past 35 years have provided law enforcement with more teeth to take a bite out of cybercrime and cyber espionage.
What is also needed are those who know how to test the security of computer networks via an art termed "penetration testing.
That is what this book is about � testing the security of computer networks � coupled with discussions pertaining to ongoing global cyber espionage via the same tools used for testing the security of computer networks globally.
Bruce Middleton, CISSP, CEH, PMP, BSEET, MBA University of Houston Alumni Go Cougars!
Bruce Security Refuge, com MATLAB and Simulink are registered trademarks of The MathWorks, Inc.
For product information, please contact: The MathWorks, Inc.
Since that time he has worked with various government, military, and commercial enti- ties such as NASA Space Station Freedom communications systems design team , CIA, DISA Defense Information Systems Agency , The White House, NAVSEA Naval Sea Systems Command , and Boeing ground station-to-aircraft commu- nications systems.
While employed at various Fortune 500 companies, Bruce has held positions in engineering, management, and executive management CIO.
Middleton has been the keynote speaker at select national and international industry events and a trusted advisor in both the government and commercial sec- tors.
He has written multiple books, e-books, and magazine articles in the fields of communications security, cybercrime, and computer network penetration.
It contains the background you need in order to properly utilize and understand the rest of this book.
Also, keep in mind that although there are many things in here that a beginner can use, this is not being written as a beginner's book for penetration testing.
A number of items throughout the book assume that the user has the experience to recognize what is going on, how to modify something to work for your environment, and so on.
So don't expect to see everything step-by-step, and don't expect to see explanations for everything I do.
There are other books on the market that beginners can use for steps and explanations.
At times it may seem to you that certain items are out of order, or what the heck is he talking about here, or really?
Stay with me anyway.
Read through the book in order the first time, start to finish; after another read or two things will fall all the more into place.
I've lived or worked in a number of countries while serving in the military, working for the intelligence community IC , and just as a tourist, and I've learned something from all of them, both cultur- ally and technically.
Do not just jump in and begin using tools trying to hack into a system somewhere.
That's what impatient losers do it's also done by those who have already had the recon work done for them by someone else.
You need to spend as much time as necessary learning all you can about your target without your target knowing that you are researching them.
Also remember � and this applies to those whose assignment includes seeking to bypass the network defense team � that when doing recon, no matter which tool and which site you are visiting to learn informa- tion, you must keep your MAC address, IP address, and physical location a secret.
That means either disguising each of those in some way, shape, or form, or using a totally different computer system and more than one geographical location for your endeavors.
You could also be part of a team in which each of you agrees on who will do what from dispersed geographical locations.
Never discuss your plans via any type of electronic means if you are up against a tough adversary � only together, in person, in whispers and never travel to meet each other in a way that can track all of you as to being together at any one time.
Patience and perseverance are your biggest allies.
Keep all this in mind during other steps of the pen test process where it makes sense to do so.
Impatience and poor planning will be your downfall.
Using operating systems that were in existence prior to 1999 is fine, and if you must use email communications, there are a few anonymous ones out there, but the best route to keep your commu- nications private is to use the email application that came with Unix prior to 1999 in conjunction with a compromised or unsecured message transfer agent MTA.
I recommend against encrypting your email communications because that just calls attention to you and raises a red flag.
Instead, in your in-person meetings agree on common words or sentences used in everyday life that mean something special to your group and use those.
Also, remember that the hardware you are using can be vulnerable to detection due to some extra electronics now embedded in laptops and desktops.
Either build your own system from scratch or use laptops or desktops built prior to 1999.
And one last thing � again, depending on just how private your penetration test needs to be � if you are up against a tough adversary, then before doing any pen testing, wipe not just format, but wipe your hard drive and reinstall your operating system from scratch.
Do not update your operating system with any service packs, antivirus software, etc.
As soon as you do that, make a list of any and all services running on your computer and absolutely know what each one is for.
You want to keep those services as stripped down as possible and check them hourly to be sure you recognize each and every one.
And don't just rely on the names of the services.
Know their MD5 checksum, file size, or whatever it is that allows you to know that you have not been fooled into loading a Trojaned service.
The recom- mendations I've just mentioned depend on just how much you value your privacy and how powerful your adversary is.
I keep my focus on three areas: cyberforensics, reverse engineering, and penetra- tion testing.
My training in reverse engineering came from Sandia Labs out in New Mexico � the instructor was working on his doctorate, and he was outstanding.
These three all play very closely together.
For example, in the past I've done work for agencies within the federal government to develop penetration testing tool sets that "hide" themselves and what they do from standard forensic tools on the commercial market today.
I've also worked with penetration testing PT tool developers by performing forensics examinations on their practice targets, letting them know what I found, and going back and forth like that until either no trace or a very minimal trace of the tool and its activities are found.
This allows our cyber soldiers and oth- ers within the U.
Someone may wonder, Why does a hacker need an MBA?
It's because years back I was frustrated in a number of meetings because I was given business reasons that I did not understand as to why we could or could not do something.
I didn't understand the lingo, nor did I understand the financials, risk management, and so on.
So I moved forward on an MBA.
It took me 3 years to acquire it, but it has been one of the best educational investments I have ever made.
I highly recommend this education.
Now when I believe something needs to be done, I can explain the situation to the business personnel who control the budget- ary spending in a way that makes business sense to them.
I have been working with computers for nearly 45 years.
I'm one of those guys who could easily just go back to the 1950s and 1960s and live in that world.
I remember the red boxes and the blue boxes and so on.
I inadvertently found myself on my first computer in 1970, using punched cards and setting toggle switches just to boot the computer that was taller than me; I couldn't get my arms around it and I could never have picked it up.
I was in high school and I thought the class was on electronics, but instead it turned out to be a data processing class for those who wanted to begin learning how to work in a bank that was moving toward automated data processing ADP.
I found that data processing didn't interest me, but the classes did whet my appetite to learn more about how computers worked.
In 1972 I joined the Army during the Vietnam conflict.
I was in the mindset of wanting to be an Army Ranger, but when my recruiter saw my test scores he decided to turn me in a different direction.
He told me that if I instead went for a certain other military occupational specialty MOS I would receive a "top secret" clearance.
To a 17-year-old that sounded really impressive, so I said yes.
So during my time in the military I worked under the auspices of NSA focused on the communications systems analysis of foreign entities using NSA mainframe computer systems.
Eventually in the mid-1980s ASA was folded into U.
Army Intelligence and Security Command INSCOM.
During the 1988-1990 time frame I was one of those chosen by NASA to be on the communications system design team for the Space Station Freedom project being run out of Huntsville, Alabama, at NASA's Marshall Space Flight Center.
Many people don't realize just what a high-tech area Huntsville, is.
It's one of the most high-tech cities in our nation and in the world.
In the late 1990s I began working at times in the bowels of the Pentagon.
This was far from normal, so I began thinking, Wow, what did I say that upset them?
I actually started heavily perspiring and sweat began running down my face.
Then I learned that a plane had flown into the World Trade Center twin towers, and that's what they were checking out.
The full impact was not yet known, so they came back into the room and let me finish my spiel.
I was now going to be late for my next appoint- ment because they had delayed part of our meeting by walking out.
I was now on my way to my next appointment � the Pentagon.
I'm so glad that I was late that day; otherwise, I would have been there when the plane struck the building.
Now of course I'm not going to spend time delving into decades of computer security work on both the offensive and defensive sides of the fence, but my work has spanned the government, military, and commercial realms and includes pen- etration testing of military networks, insurance companies, the White House, Air Force One, utilities, manufacturing facilities, CIA headquarters, Defense Information Systems Agency DISA , NASA, foreign entities, and other financial organizations � with a nearly 100% success rate.
Of course, if the purpose of a particular penetration test was to find vulner- abilities in our own systems, I usually then sat with the system administrators and others to ensure they knew how I compromised their systems and how to enhance their security so that it became more and more difficult to break in to their respec- tive systems.
Around 13 years ago I thought it would be a good idea to become a private detective.
Through research I learned that every state had different regulations and laws regarding this profession.
I was living and working in northern Virginia in the Washington, D.
I attended the classes, passed the exam, and became a registered PI.
This enhanced my social network, and I came into contact with experts in various areas that I knew at times would be useful.
That was the good part of becoming a PI.
For me the cons outweighed the pros, so I'm no longer a PI, but I still maintain the network contacts I made � and those are important to me.
I spent 2009-2011 working overseas in the Middle East.
So what have I been doing since late 2011 upon my return from the Middle East?
Still performing pen- etration testing on computer networks of course, but I've also been involved in what are termed supply chain operations concerns.
In the late 1990s American compa- nies began slowly but surely moving some or all of their manufacturing operations to China and elsewhere in the desire for enhanced profitability.
Dell was one of those companies.
What wasn't foreseen at the time was that China would even- tually become so technically adept that it could surreptitiously secretly slightly alter computer motherboard chip designs and embedded software in order to put malicious backdoors into some of the computers it manufactured and distributed to other countries, such as the United States.
So without having to use any real hacking techniques, China had its "automatic in" manufactured into the products we are talking about more than just computers here.
For years now some gov- ernments have required certain hardware or software be built in to the computer for tracking purposes � it just depends on the brand you buy and where it's com- ing from.
Another company of interest is Freescale a Motorola spinoff , whose embedded products microprocessors, etc.
But their chips are manufactured in China, and much of the software is written in Romania, Russia, and India.
American companies are using these Freescale products without thinking about inadequate security due to supply chain concerns.
Some of these companies are seeking to move their products into our military and intelligence community.
Using what I just said as a background, what I've been asked to do and have been doing since late 2011 is perform penetration testing on the embedded sys- tems themselves before they are allowed onto the premises of whoever ordered the systems.
So I'll take a computer motherboard or some other type of board with embedded electronics and seek to compromise it in conjunction with a search for malicious hardware or software.
But we really need to look at bringing our manufacturing of electronics chips and systems back into the United States for our own security.
I'm also engaged to test network security defense teams and physical security defense teams.
Depending on what the agreed-upon plan is, I might begin a hack that makes near zero noise and slowly raises the intensity over time until the net- work security defense team is able to specifically state where I am in the network and what I'm doing.
Then I work with the team to enhance their capabilities.
I'm elsewhere in the network, very slowly but surely acquiring the golden goose, whatever that may be.
And if there are webcams I've gained access to, I can actually watch the team working away from my remote loca- tion.
As I move through this chapter, I'm going to work from both sides of the fence.
I'll discuss what you need to do if you are someone who wants to become a certi- fied ethical hacker CEH or someone who wants to learn to perform penetration testing against your own network in order to enhance its security, and I'll discuss malicious hackers themselves.
So what type of individual makes the best hacker?
Those I know that are tops in this field are very detail oriented; they will find the missing comma in a 100-page document.
At the same time, though, you have to be able to step way back and see the big picture.
Plan to be a lifelong learner.
You have to love to learn new things.
You also need a physical security mentality, and you need to pursue security aggressively.
You may also need to be confrontational.
And why is there a cable running from his laptop to the rear of the ATM?
Don't be afraid to confront.
Your company should have guidelines for this.
That people will notice but do nothing.
Be someone who does something, who is proactive in the security realm.
It does help to be somewhat paranoid.
It helps to have a naturally suspicious nature.
You need to be meticulous, patient, and methodical.
But also ready at a moment's notice to deviate from a plan based on new information garnered.
Be research oriented and really think things through.
Don't just react � really think.
I can't emphasize that enough.
Imagination is more important than knowledge.
I sit and visualize the packets traveling over the network, encountering various devices, how those packets will be handled at each device, what could possibly go wrong, how someone could intercept those packets, and so on.
If you focus your thoughts on what you think should be happening, then there is a good chance you'll miss out on what's really happening.
It's very important to keep an open, imaginative mind.
If you decide you want to be a CEH, then you need to work with your person- ality.
You have to decide whether to be a generalist or a specialist expertise in one to three items.
If you decide to be a generalist, then you must build a network of experts and be a very quick learner on the fly.
Over the past 40+ years I've seen quite a bit, so I know something about many things, which makes me a generalist.
I think in the world as it is today, most people are better off being an expert in one or two things and backing that up with a solid network of other experts.
Still, though, generalists who understand the entire system to some degree are also needed, and it's best if you have one in your network.
Nowadays a generalist is harder to find.
Know them and use them to be successful.
Don't try to be something or work in a way that's not you.
He travels globally for any work involving forensics analy- sis of or penetration of Apple computers.
He is the expert � the go-to guy.
Putting classified tools aside here, I begin my penetration testing engagements with the use of standard commercial tools.
However, as I move forward, depend- ing on the targets and goals, I move to the use of my own personal tool set.
Because I want absolute control over what the tool is doing, and I want to know that I really know what the tool is doing.
I don't have that same comfort level with commercial tools I buy off the shelf.
Unless I take the time to thoroughly analyze them and I don't have that kind of time for the most part , I really don't know what else that commercial tool is doing on the backend, under the covers.
For example, for tool development I don't use languages such as C.
I don't use object-oriented programming; it's just too much overhead.
It takes me 20 lines just to say hello � a little exaggeration perhaps, but there is just too much going on "under the covers" for me to feel comfortable.
Languages like this just make me feel bloated.
What do I use?
My favorites are Python, PERL, Assembly, Bash shell, Ruby, and C.
I want absolute control over my programs, and I want to know exactly what they are doing at all times � and these languages give me that control with mini- mal overhead.
I also make use of Window's PowerShell at times.
If someone forced me to choose one and only one language for pen testing software development, it would be Python.
My operating system of choice?
A stripped-down version of some flavor of Unix, especially when it's warfare of some type.
As I stated before, I spent 2009-2011 working overseas in the Middle East.
At various times when I was engaged in real-time cyber warfare I could just feel the opponent's frustration when they tried useless attacks one after the other because my system was so stripped down.
It was fixed to do exactly what I needed it to do and nothing more.
When I had the opportunity, I also Wiresharked all incoming traffic for analysis later.
You can keep yourself high on the learning curve doing things like that.
I also Wiresharked the entire 2012 Superbowl since it was being broadcast over the Internet and millions were tied in via very specific ports globally.
I made the assumption that various entities would perform some malicious activities.
Sure enough, analysis of the pcap file had shown that my assumptions were correct.
Another nice tool to use is BusyBox, but keep in mind that there are some enti- ties that like to add a little bit of malicious flavor to certain items within BusyBox.
This is a multicall binary that combines many common Unix utilities into a sin- gle executable.
Its nickname is the Swiss Army Knife of embedded Linux.
The utilities are far smaller with minimal options.
It can be difficult to hack into a BusyBox setup.
As long as I'm hyping on the software, I might as well elaborate more on some- thing I mentioned to a degree earlier in this chapter.
Our government in the United States and governments in various other countries too has required, under the auspices of security against terrorism, various additions to the computer hardware you are using for electronic tracking purposes.
If you feel this is important to you, then pick up older laptops at garage sales, Craigslist, flea markets, foreign countries using older technology, and so on.
The same applies to the software you are using.
This also applies to other operating systems such as Linux, antivirus soft- ware, and other similar items.
If privacy is important, then do not use the "latest and the greatest" � this applies to routers and other items too � and keep your systems off the Internet except when they must be.
Use air gap security, meaning you keep your Ethernet cables unplugged except when you have to have them plugged in, and you keep your devices unplugged laptops, desktops, switches, routers, etc.
And I hate to break it to you, but I'm also talking about your cabled televisions, radios, and various other devices.
If you have some of the newer and coming down the pike refrigerators, stoves, and other appliances, these NANs can put them on the Internet and they can be hacked.
Newer cars are in the same boat, with on-board electronic devices that can be hacked via the Internet, mobile phones and laptops, and so on.
And last but not least, your mobile phones are at the same risk level.
There are various things you can do to protect yourself against snooping, but I can't go into all of that here.
One of the best things to do is to let the snoops think that you don't know what they are doing, but at the same time, when they tunnel into you, you automatically tunnel back into them without their knowing about it.
I teach classes on these things, and I also build custom laptops for those who have privacy concerns; it just depends on what you feel you need to do.
I also advise avoiding the use of wireless networks for anything you are doing if you are concerned about privacy.
If you really want to use one, go ahead, but only have it on when you need it; otherwise, unplug it from the back of the unit.
Keep in mind that some items have built-in batteries that keep certain electronics running even if you unplug them from the wall.
In those cases remove the battery or batteries.
If you can't easily remove the battery, then put the device in a Faraday bag and test that bag � some are more dependable than others.
If privacy invasion is not an issue for you, then don't worry about it and proceed as you always have.
MATLAB� and SimuLink MathSoft.
Don't just think about software tools.
Remember that the software you see on the monitor is just for your human eyes and mind to be able to somewhat interpret what's happening or going to happen.
Don't get lost in the software.
The software may be your gateway, but it's not your be all and end all.
The only thing going down that Ethernet cable or other type of cable or wireless , coming out of or into your computer system, is electrical signals, and all of those electrical signals can be formulized mathematically.
The closer to the real source you can get, the better off you are when it comes to really understanding what's going on.
For example, electron microscopes are used to examine hard drives for hidden data, and they have the top math- ematicians in all the world.
MATLAB and SimuLink are just the tools to help you do that.
SimuLink can be used to simulate the actions occurring in any type of communications network, and it can be used in conjunction with MATLAB to look at your network commu- nications from a mathematical perspective.
Also keep in mind that you can write C programs that interface directly with these tools.
Interestingly, I'm finding that older tools from the 1980s and 1990s are now once again working on newer systems.
It's like some computer designers are so focused on protecting themselves from current high-profile threats that they've forgotten all about older attack vectors.
In fact, their protection solutions are the very thing that's opening the doors for older "forgotten" tools to successfully attack the newer systems.
And other times, just a slight variation on the old tool works wonders.
Statistics also comes into play in the information security arena.
An excellent tool for statistical analysis on the fly is R.
I use it more for determining the best tool or approach to use in a given situation.
I usually use it in an automated fashion, built in to one of the various scripts I've built and used over the years.
If you want to be a high-end penetration tester, then you should be able to write quick and dirty programs on the fly in your language of choice, such as Python.
So many programmers nowadays depend on looking at someone else's code, and then looking at a programmer's reference manual for that language, and subsequently modifying the code to do whatever it is they now want it to do.
But you shouldn't stop there.
Whether you are involved on the offensive or defensive side of informa- tion security, you should be able to write short programs on the fly on an as-needed basis.
Most of the programs I need to write on the fly are 100 lines or less.
Remember: Don't fall into the trap of using only commercially available auto- mated tools.
They are a good place to start, and they will serve you well both offen- sively and defensively from a "normal hacker encounter" perspective.
But you are up against much more than that.
For some adversaries they are just a minor annoyance.
Who are your adversaries?
There was a time when hackers consisted mainly of curious individuals seeking to learn or seeking to make a name for themselves among their peers.
That is no longer true and hasn't been for a while.
Nowadays your adversaries could be state-sponsored entities from Russia, China, India, or elsewhere.
They could be making their living by working for organized crime net- works.
They may have come across one of the websites out there that lists exactly what they are looking for from company X, and it's even stated how much money they will pay for each individual item.
Your adversary could also be just the type of individual we first discussed � just curious and trying to learn and looking to make a name for himself or herself among his or her peers.
I once was part of a team that was investigating a security breach at an Air Force facility.
During the interview process one of the network administrators talked about seeing a mouse pointer move by itself on one of his systems.
He thought that the system just had a malfunction, rebooted it, and left for the day.
What he really had was a hacker on his system who eventually com- promised other systems, using the one as a jump-off point to other local systems.
Again, have a security mindset.
Obviously this network administrator did not.
If he would have had a security mindset, his response to seeing the moving mouse would have been quite different and would have saved a lot of time, money, and trouble.
Your mindset determines how you think about and how you react to some event in your network environment.
As stated earlier, some utility companies are now using computer networks all the way to your house and linking them to what they call smart meters.
I'll touch on this once more here, but in essence this subject could easily be a book all by itself.
You and your neighbors are in what they call a neighborhood area network NAN.
More and more your power, television, refrigerator, and stove are being tied to these networks.
Hackers could shut off your power or turn off your refrigera- tor or television from any country in the world that has sufficient Internet access.
What if they turn on your stove and you are not home?
What if they access your thermostat and shoot the temperature up to 90 degrees during wintertime and you've left the house for a week?
Who is responsible for the electric or gas bill if this happens?
Several years ago there was a teenage boy just playing around and he didn't know he was in a hospital.
He shut power off on a section of the hospital, the backup failed, and a patient died due to machine failure.
One company that is manufacturing and pushing this technology is ZigBee.
Go ahead and Google it.
Recommended Defensive Measures I know it's more of a burden from a financial, administrative, and training FAT perspective, but I do recommend that you have a variety of equipment on your net- work, like I have done.
Once they see one of your firewalls, they make the assumption that all your firewalls are of this type and proceed accord- ingly.
If they are correct, then their job is all the easier to accomplish.
If they begin to run into two or three different types of routers, firewalls, desktop computers, operating systems, web browsers, and so on, then this frustrates them, confuses any manual or automated attacks they launch, and they just go looking for easier targets and greener pastures.
That's good for you and bad for someone else.
And here is another recommendation that you may not want to hear, but if you want to take another major step forward in securing your network and I'm talk- ing about both your home computers and the ones where you work , then use only cabled networks � no wireless.
If you don't do that, then for some systems the wireless capabil- ity can be remotely activated even if you have disabled it via software on the computer itself.
The same goes for mobile phones.
And for those cables, be sure to label them in a way you understand so that you can walk into a wiring closet and know exactly where each and every cable should be.
Don't have a rat's nest wiring closet � that only invites trouble.
Here are some more recommendations that are not administratively friendly, but from a security perspective are very helpful both at your home and in your work environment.
Remember, someone, somewhere, is running hacking tools at all hours every day, some manually and some in an automated fashion.
You can do the following to all the more enhance your security.
Again, don't get lost in the "automation jungle" and think that you are not technically savvy just because you choose to do some things manually.
It can both save you money and increase the security of various systems.
Every system you use does not have to be on your net- work.
If it's a highly critical system that would seriously impact your business if compromised, then take it off the network and let it be a stand-alone system in a secured room.
Additionally, you get the benefit of more exercise.
Standing up and walking around once in a while is better for your health than sitting all day.
So what if you have to leave your desk, go to another secured room, sit down at the stand-alone system, and get your work done in a secure fashion?
It's like having a moat around the castle, but in this case the moat is the air gap you create.
No, because you are wasting fuel, putting wear and tear on the engine belts, and someone might steal it.
No, because you are concerned that someone might come in and steal from you.
We only "see" what our software allows us to see, for exam- ple, like using Wireshark to watch network traffic.
If there is a pro- tocol running on the wire that Wireshark is not programmed to see, then you won't see it and you'll think it's not even there.
I'm sure some will not like the security suggestions I've made, but I'm recommend- ing these things for your own good.
Nowadays security is not a luxury; it's a necessity.
Be part of the solution, not part of the problem.
Also, being privacy oriented does help you to have a mindset that helps you to behave in a more secure manner.
When your HR department is posting new jobs on the Internet, such as on Monster or on your own website, they need to be careful about what they put in those adver- tisements.
Yes, on the one hand, the individuals seeking a new position need to know to some degree what you are looking for.
On the other hand, when hackers choose a company or companies to focus on, they use the job postings to learn what systems you have in house, be it operating systems, types of routers, types of firewalls, and so on.
At other times a new exploit has come out against system X, and they want to find some companies with that system, so they just run a keyword search on Monster for instance to find out all companies using system X and then move forward on their attacks.
You need to minimize or generalize as much as possible the type of computer network technology you are using.
If you receive a resume of interest, then you can always provide additional details via a phone call.
At various sites throughout the Internet universe put information about your network systems that is not true.
Obviously on some sites critical to your business you want the right information out there, but there are a number of sites hackers like to visit in order to find out more about your systems.
Misinformation there can pay you a bonus security-wise.
Hackers will use that information thinking it is legit.
This approach costs you little but frustrates the automated attacks hackers launch in an effort to research what network compo- nents you have so they can launch the appropriate attacks.
This will frustrate many and cause them to move on to other targets of opportunity.
Google News Groups Millions of people use them, and just like Vegas, what you put there stays there.
If you are a network admin and you go out asking for help about hardware X or software Y, then keep in mind that malicious individuals also see that informa- tion.
This may be a quick and easy approach to problem solving, but since it's all very public, you are telling a vast number of people globally details about your own network or about embedded systems you are working on � details that may compromise the security of your network or the device you are intending to manu- facture.
One or more individuals within your corporation should spend time per- forming some automated searches pertaining to what may be out there about you and your personnel.
Then get it cleaned up if need be.
Google news groups are one place that you could lay out some misinformation.
But when a hacker sees that, he or she will think that you may well have those systems in house and begin preparing to move against your network based on that incorrect information.
That's the kind of misinformation I'm referring to.
Be careful what you put on your corporate website.
And remember that just because you make a change and republish, that information that you sought to change or eliminate is still out there available to others globally via the Wayback Machine, a site that has archived websites for nearly 20 years.
Do you have Voice over Internet Protocol VOIP phones in your lobby?
Be sure they are properly locked down and secured including locking the phone cable to the phone so it is difficult to move the cable from the phone to a laptop.
I know they are nice to have both administratively and financially, but I don't recommend them from a security viewpoint.
Many a time when I'm engaged to do either physi- cal security walk-throughs or penetration testing of a network, it's been the VOIP phones in the lobby that have been my gateway to some part of the corporate net- work.
Someone sitting at the VOIP phone in the lobby is essentially ignored.
Again, someone sitting at the VOIP lobby phone is just ignored.
When you are out at a restaurant or cafe, be aware of your surroundings and who is listening to your conversations.
Don't broadcast corporate plans, network information, phone numbers of individuals or departments, and so on.
In cities across the world including the United States, of course hacker meet- ings occur on a weekly or monthly basis.
Find out where they are meeting many times it's at a coffeehouse or mall and sit close by or join the group.
Listen to what they say.
It could be something pertinent to your organization.
Another thing you have to watch out for is unexpected software built in to the operating systems or applications that you purchase and install yourself, whether it be on computer systems or your mobile phones.
You should read with care those long boring licensing agreements that almost no one reads.
Some of them have one or two sentences that specifically state that you agree to "something extra" in the software.
They get by with this because they know most buyers of the software don't read the agreements, so if something went to court, they feel protected.
And it's not just the software you install that you have to watch out for.
There could be other low-level software built in to the motherboard electronics and elsewhere doing things that you just don't know or expect.
Keep in mind that a "secure" virtual private network VPN tunnel is in effect a two-way street.
You can get yourself an unwelcome visitor when your adversary is backed by major billion dollar organizations and other resources.
If you need to keep a system up and running on the network for some reason but you don't need to keep its data on the system, then don't.
Keep the data on an external drive when you need access to it, and then disconnect that drive when you don't need it and place it in a secure location.
We operate this way at my office.
Keep backups offline and not touchable by the network until you actually need them.
Then take what you need from a secured area, load a copy of the backup to keep your offline backup pure and malware free , and then destroy that backup copy wipe, magnet to keep your backups malware free.
If there is an electronic keypad only, then someone with appropriate knowledge could bypass it without your being aware of it.
Adding an additional physical key lock helps to further enhance security.
If it's a small facility, then they can grab your systems pretty quickly.
If it's a medium to large facility and they are successful, then most likely they have had some insider assistance.
Keep that in mind.
Laptops should be physically cabled to desks with either a key lock preferred or a combination lock so they can't just walk off.
Desktop and server covers should be hardware locked so that no one can just open up a system, remove the hard drive, and walk out with it or copy it and bring it back without your knowledge.
Keep all keys and combinations properly secured.
If you are not using an Ethernet jack or phone line, then turn it off so it can't be utilized by anyone just walking into the room.
Don't let vendors come in to your facility with their laptops and just jack into your network in a conference room.
You have no idea what's running on their laptops.
I've encountered vendors in the past who are running scanners in the background while jacked into the network of the client they are visiting.
If it works for you, make each Ethernet jack only respond to particular medium access control MAC addresses and then reject anything else.
Have keyed lockers outside conference rooms to hold cell phones if you are concerned about others such as visitors recording the meeting on their cell phone or leaving a phone line open so someone else can listen in.
I built my first computer from scratch somewhere in the 1985-to-1987 time frame.
It was built around a Zilog Z80 microprocessor.
I remember that time well because the new Air Force One was sitting on the flight line at Boeing flight test in the Seattle area at the time undergoing various tests.
When I say "from scratch," I mean from scratch.
I smile when I hear many people nowadays say they build their own computers.
What they really mean is they bought a case, a motherboard, a power supply, some memory, hard drives, etc.
To me, from scratch means you design and build your own motherboard and write your own bare-bones operating system that does exactly what you need and no more.
I build these once in a while for customers who need them, so if you need one let me know, but I can tell you it takes time and it's not cheap.
Nowadays bugs and cameras are so small that they are very easily hidden from sight.
Do you know how cameras work?
Do you know the physics behind the cam- era?
If not, but you are interested, then do your research.
Cameras don't have to see you if you don't want them to.
They only work due to certain scientific principles, and if you want to take the time to protect yourself from being seen, then you can do so.
If you have a concern about whether or not your conference rooms or other areas have been bugged, then I recommend you hire an expert who sweeps rooms for such items.
But be sure that whomever you hire really knows what he or she is doing i.
Some companies and countries are known for setting up hotel rooms and even commercial aircraft seats with these little tidbits.
If you find yourself wondering how a competitor obtained certain information or data, then it's time to sweep those rooms, think about what you may have said or done in a hotel room or commercial flight, or if they have hacked into your network unknown to you.
I've seen all of this in the past.
Think twice about holding meetings over video telecoms if the subject you're discussing is going to air critical business information.
Security can be a problem with these systems, and they are definitely hackable.
If you want to be sure no one can hack into your cell phone, then you have to both turn it off and take out the battery.
Otherwise, it can be remotely accessed.
Unless you really feel like you need it at night when you go to bed, turn off your cell and take out the battery.
Doing so prevents automated phone hacking tools from leaving you a present during that time frame.
If you want to be sure you are not being tracked via your cell phone when travel- ing, then purchase a Faraday bag and drop it in there.
These bags let no communi- cations into or out of the phone.
Some are better than others, so test them by calling your phone when it's in the bag.
It shouldn't audibly ring, take messages, etc.
Typical PT Process The upfront research about the target is key to a successful penetration test.
I'll learn all I can about you from various sites on the Internet, such as Google, finan- cial news reports, your job postings Monster, for instance , which Google Groups you use and what you said, your own corporate website, and numerous other sites on the Internet.
Even though various social networks, Google, and other search engines are monitored by law enforcement and intelligence agencies globally, top- of-the-line hackers can do all this anonymously and without your knowledge.
Next, I start hanging around restaurants, cafes, the sidewalk outside your facil- ity, and organizations your company is involved with, and I'll listen in on conversa- tions to see what information I can pick up that might assist me.
I'll try to find out phone numbers within your company that I can call and use.
I want to find out just how security savvy personnel are, so I'll hit them up with various questions to see what I can learn � just how much will your people give out?
A good annual or semiannual security briefing to all your employees can be invalu- able, warning them as to what to watch out for.
I'll find out all I can about you via Domain Name System DNS records, email addresses I find on the Internet, your IP address range, and so on.
So for all public DNS records, be sure to minimize the information you put out there.
Next, I'll actually touch your system.
How quietly or severely I scan a system depends on whether or not I care if I am noticed.
I'll have a list of potential vulnerabilities.
Note that in this step for the most part I do not manually type every com- mand.
I have a large number of commands already typed into a text file and cat- egorized and prioritized.
As I move through the assignment, I just copy and paste commands.
Doing it this way greatly minimizes fumbling a command due to typ- ing errors and fat fingering.
It also keeps you from forgetting command parameters, and it keeps you from making mistakes during an engagement.
Now I exploit the system and do what was agreed upon for the assignment.
Note that in this step again, for the most part I do not manually type every command.
I have a large number of commands already typed into a text file and categorized and prioritized.
As I move through the assignment I just copy and paste commands.
As I stated earlier, doing it this way greatly minimizes fumbling a command due to typing errors and fat fingering.
It also keeps you from forgetting command parameters, and it keeps you from making mistakes during an engagement.
Next, I meet with management, system administrators, and the security team to discuss how I compromised the system and what needs to be done to shore up the security of the system s.
After each penetration test wipe your hard drive, shut down the system, and then bring it back up and lay a pristine image onto the hard drive.
This both helps to protect your system you never know what might have snuck in during a penetra- tion test � be on the safe side and ensures that you don't accidentally infect a new client that's next on your schedule.
Principles of Communications Satellites, Gary D.
Gordon and Walter L.
Highly recommended and mathematically intensive � calculus based.
Many of your potential adversaries are reaching your network via satel- lites, and understanding this technology can be the difference between being on the winning end and being on the losing end of an attack on your network.
The more you understand the communications technology you are tied to, the better you can shore up your network defenses.
Safari Books Online SBO , corporate license: a.
Enables you to search thousands of technical books online on the fly.
I can travel globally without reference material as long as I have efficient Internet access to SBO.
There is also Safari Books Online Mobile.
I can search books on the fly right from my phone and I can also download PDF versions of the books right to my phone or computer.
Hakin 9 magazine: Comes out every 2 months.
I try and read each issue cover to cover; it let's me know what others are thinking.
For the mathematically inclined.
Does a great job in a step-by-step fashion of explaining in detail the math- ematics behind modern communications systems.
Knowledge of this type is a must if you desire to be on the upper cusp of the penetration testing field.
An excellent blend of skills if you desire to be a successful penetration tester on the high end is the addition of cyberforensics and reverse engineering.
I have personally taken and taught these classes in the past and recommend the vendor InfoSec Institute InfosecInstitute.
Before taking these classes, you should pick five books on penetration testing and read through them at least once, and preferably two or three times and practice with the authors as they lead you through various exercises.
Additionally, if you take these classes, don't be one of the lazy ones.
You are in class all day from 8:00 a.
But if you do that, then you are missing a key part of the class.
Around 7:00 in the evening the optional portion of the classes begins, and usually maybe a third of the class shows up.
From approximately 7:00 to 10:00 and later are the evening live hacking contest exercises.
That's where you can really put into practice what you've been learning from experts in the field � a great learn- ing experience.
Also, don't take the classes online � take them in class, live with real people.
The network you develop, along with what you hear people saying while in the class, is well worth the live class effort.
You get out of something what you put into it � you come back with a number of tools that you now own and can use on your own network.
Certified Information Systems Security Professional CISSP prep if you don't already have this certification b.
Ten-day penetration testing class c.
Certified Penetration Tester CPT class d.
Certified Ethical Hacker CEH class e.
Advanced ethical hacking f.
Web app pen testing g.
Cyber Crime Investigator's Field Guide, 2nd edition, Bruce Middleton: a.
The tools could be considered out of date now since they are over 10 years old, but they all still work just fine; they are more manually intensive � and sometimes that's just what you need.
Understanding Internet Protocols, J.
Mark Pullen: Includes actual exercises and software you develop along the way to enhance your knowledge in this area.
Don't feel overwhelmed by all of these suggestions.
Just start somewhere and week by week learn more and do more.
Put together a plan and follow it.
What should you keep up with?
Do I keep up with all the latest attacks, viruses, new software, and so on?
These can change daily.
You only have so many hours in the day, and you have to spend them wisely.
If you spend significant time just keeping up with the latest and greatest that comes out on a daily or weekly basis, then you won't have time for what really matters in the long run.
What does really matter?
If you are on the defensive side of the house seeking to protect your network from malicious hackers, then you need to spend plenty of time becoming intimately familiar with your own network.
You need to get to know it like you know a good friend.
For example, bank tellers and others who spend their day dealing with currency on a regular basis at major banks and this has been true for decades have to be on the alert for counterfeit monies every day they work, year in and year out.
So what does the bank do � spend the tellers' time on a regular basis learning about all the different counterfeit bills in circulation, how to spot them, their nuances, techniques to produce them, and so on?
Instead, the bank trains them to know the real thing so well that anything counterfeit just sticks out like a sore thumb to them.
This has a direct application to you and your network.
You should be so intimately familiar with your own network that if someone is or has while you were sleeping attempting to break into your network, you recognize that something is not right and you begin your investigation and either stop or mitigate the malicious activity in progress.
On the offensive side this also has application.
Just like the bank tellers have become currency experts, you need to be an expert in two, maybe three, things at the most.
For example, perhaps you choose to be an expert in both Python and BackTrack.
For everything else you need to develop a network of experts � people who also know one or two things extremely well.
It's the "you scratch my back and I'll scratch yours" scenario.
When you need help, you contact them, and when they need your expertise, they contact you.
Having a network like this is very important.
No one can know everything.
There is just too much out there.
What I do spend time reading each week, though, from an update perspective, are the SANS Risk and NewsBites emails.
If you have not signed up for those, then I strongly recommend that you do so.
As you read these, if you see something that is directly applicable to you and your network, then Google is your friend and you can do some research.
I also attend the SANS webcasts that are pertinent to me.
I suggest you attend those also.
Just go to SANS.
Subsequently some corporations and government agencies are required by law to abide by those programs.
When the paperwork is all done for the year, corporations let out a sigh of relief and management on down feel they have done their duty and once again feel like their systems are properly protected.
They will sit in a room making jokes and holding a thick pile of papers in front of a computer and say, "Well, it's protected now.
We might as well give up.
No sense in even trying.
As such, they develop products, learn new techniques, know what our negotiators are going to say before they ever even meet with them, and the list goes on.
If we spent the time and money on actually defending our systems and train- ing our personnel instead of wasting our time, money, and other resources with paperwork that mostly goes unread unless an auditor wants to review it, then we would be so much further ahead in the security of our networks and our nation as a whole.
Our available resources are strained all because someone wants an audit trail due to legal ramifications, to be in compliance.
We need to make some serious changes in how we go about spending our time and dollars when it comes to secur- ing our network infrastructures.
Technology changes happen far too quickly, and it takes far too much time and paperwork to perform these annual audits and other types � by the time you complete all the annual compliance reports and various other types of reports that are either legally required or desired, things have already changed so much that you just remain behind the curve year after year.
I'm not saying all paperwork is a waste of time and resources; I'm just saying that overall we need to rethink how we want to most credibly use our limited resources when it comes to properly securing our computer networks.
Let's step back in time for a minute � back to the 1950s, 1960s, 1970s, 1980s, and early 1990s, when we didn't have the network security problems to the degree we now have.
Every year our security has grown more and more toward the downside.
This is not good.
On the extreme side, we could say and if you and your organization can do this, all the more power to you : - Our network only remains connected to the outside world from 6:00 a.
I'm not talking about a com- puter software shutdown here.
I'm talking about an internal offline elec- tronic power switching unit like we used before the advent of computers.
If you let a computer do this work, then you are just wasting your time.
The more complex we have made it over the past 20 years, the more insecure it has become.
Or we could continue running our networks as we are now with a few major differences.
Do what cyber warfare soldiers do � run all your systems stripped down to only the necessary services that you absolutely must have to do business.
It's like building a house with 20 extra external doors that you don't need � more places for a malicious individual to enter your house without your knowing about it.
Start with your most critical systems and work your way down the chain to get this done.
Then when you know your model for each category of system you utilize, let your vendors know when you place an order what you want that system to be like when you receive it � or you can just make all of your own images and lay them on the various systems when you receive them before putting them on your network.
And how about really caring about your organization's network?
At one time corporations were like families, and for the most part no one left until their 30 years were up.
They took care of each other and watched out for the welfare of each other and the business as a whole.
What kind of business can you have when the CEO is replaced by the board every 3 years, when VPs and directors of business strategy just come and go, when technical personnel come and go every few years?
We need to change back to the model where people are in the business for the long haul.
How can you really become intimately familiar with your corporate network if you are changing to another one every few years?
Remember the joke about the guy with the hammer who knew just where to strike the machine to make it work again?
They paid him the big bucks because he had worked with that organization for 20 years and knew exactly where to strike the machine to fix the problem.
They paid him because he knew exactly which machine to strike, where to strike it, and how hard to strike it to make it work again.
Training Management becomes afraid of providing the proper training to network security engineers because they figure they will just leave the company and use the skills for a competitor.
If they knew everyone was in it for the long haul of 20 or 30 years, they would feel much differently about it.
Minimal Paperwork We need to significantly reduce the paperwork mill and focus instead on really get- ting the job done, really securing the network, really knowing the network.
Misinformation is also your friend when it comes to protecting your privacy.
I'm a huge privacy advocate and place individual rights to privacy above security.
If you only have out there what is true and real about yourself then anyone who has no business in doing so can find out about you � and you may not want them to.
Your close friends, employer, and the government already have the correct information about you taxes you file annually or quarterly and so on , but you don't want others learning about you from any country in the world.
So throw out that misinformation everywhere you can, in my opinion.
With your friends and complete strangers, trade cell phones, credit cards, electronic highway toll col- lectors, vehicles, grocery store reward cards, etc.
Remember, the focus here in this paragraph is on ensuring your privacy and placing that privacy above security.
So if you place security above privacy, then no, you might not do this.
But if you are a big privacy advocate and place individual privacy above security, then you would do some or all of these things, whatever you feel comfortable with.
If you don't know how to wipe your phone so forensic tools won't work on it, then toss your phone every month or so � or trade phones with friends on a regular basis your choice as to how you want to handle things like this.
And if cameras are a concern to you at times I don't have the time or space in this book to elaborate on this , do some research and learn how cameras actually work.
You can be invisible to cameras if you understand how they actually work and take the appropriate steps.
Make use of but be sure to test them before depending on them � some are better than others Faraday bags or similar type products.
If you want to travel globally without others knowing where you are going, learn about techniques for doing so, such as walking up to freighters at the last minute and hitching a ride as a worker.
The work may be long and hard on the ship, but you get a "free" and anonymous ride.
There is also the Green Turtle to get you from here to there anonymously.
A new clock, radio, television, DVD player, computer, or appliance?
All of these items easily contain micro-cameras, micro-microphones, or micro-detectors of all sorts.
Better think carefully about this.
Remember too that your cell phone cameras and microphone can be used against you and taken over by someone else remotely to spy on you � so can the electronics in your vehicle.
Newer vehicles can be taken over and controlled or stopped by others remotely; get rid of the electronics, shield it, or purchase an older vehicle.
And now, with this information under our belts, let's move on to the next chapter.
Chapter 2 Attack from Christmas Island How many of you out there have heard of Christmas Island?
Have they launched a similar attack in the past and it occurred without my noticing it?
Let's begin with the first one from Christmas Island.
What is my initial goal here?
My logs show that the attack came from a computer system on Christmas Island, but did it originate there?
So my initial goal is to take a look at the log files on 95.
Will the log files indicate that the attack actually originated from this system on Christmas Island, or will the log files show assuming they have not been altered or deleted that this computer was only a vulnerable way station used by another computer system on Christmas Island, or from another country?
First, we need to play private detective and do some up-front investigation and analysis a key part of penetrating computer systems.
Let's begin by using a tool called Nessus www.
Your scanner is registered and can download new plugins from Tenable.
Clear registration file Update plugins O Perform a daily plugin update If this option is set, your Nessus server will update its plugins every 24 hours.
Stop Nessus Server Start Nessus Server Left-click LC Update plugins and allow Nessus to update itself so you have the latest and greatest.
Next, LC Start Nessus Server, letting it go through its start- up process.
Now do a CTRL-ALT-DEL; LC Processes and you'll see the nessusd.
H Offensive Seoxfty TraUng...
The security certificate presented by this website �vas not issued by a trusted certificate authority.
The security certificate presented by this website was issued fo r a different website's address.
Security certificate proolems may indicate an attempt to fool you or intercept any data you send :c the server.
We recommend that you close this webpage and do not continue to this website.
More information LC Continue to this website, and up comes: 1 ,i "A Usemame 1 Login f EW Sign in with your username and password if you have not set up a username and password return to the Nessus Server Manager then LC Manage Users and follow the prompts , and then LC Log In.


170 171 172 173 174

One paring of destination and source ports that were labeled in an. Examining the network traffic in Wireshark, in particular the Blackjack entries, clearly details ...


23.12.2019 in 17:27 Malarisar:

I am sorry, that has interfered... This situation is familiar To me. Is ready to help.

19.12.2019 in 14:31 Kajijin:

It was registered at a forum to tell to you thanks for the help in this question, can, I too can help you something?

21.12.2019 in 21:13 Shaktizragore:


20.12.2019 in 11:46 Kigarr:

I thank for the information. I did not know it.

20.12.2019 in 12:33 Nijora:

You are not right. I am assured. I can prove it. Write to me in PM, we will communicate.

22.12.2019 in 17:58 Arashibar:

You are not right. Let's discuss. Write to me in PM, we will communicate.

20.12.2019 in 00:54 Shakazshura:

I consider, that you are not right. I can prove it. Write to me in PM.

21.12.2019 in 06:12 Tojazuru:

Willingly I accept. In my opinion, it is an interesting question, I will take part in discussion. I know, that together we can come to a right answer.

17.12.2019 in 16:14 Yor:

To think only!

17.12.2019 in 18:42 Voodoojind:

I am sorry, that I interfere, but, in my opinion, there is other way of the decision of a question.

20.12.2019 in 11:03 Daigore:

Logically, I agree

Total 11 comments.