Friday, 13 July 2012


The default command terminal or shell (command line) in most Linux distros is BASH (Bourne Again SHell). In Bash, remember that it is simple to correct an error in typing a command using “CTRL-u”. Performing this action will abandon the entire line resulting in the removal of any input from the buffer (and hence evidence such as the BASH history file). Unlike Windows, Linux operating systems are case-sensitive. In Linux it matters what the case you use.

Linux allows commands to be put into “sleep”, killed, sent into the background, and many more options. Some of these are discussed in table 1. This includes a list of keys that can be used in a shell and are listed with their effect.

In addition, there are a number of other simple techniques for controlling execution in a Linux terminal shell. These include sending output to the foreground (fg), background (bg or &), redirecting it (> or >>) or piping it to another command (|).

Key Sequence



Line feed. “CTRL-J reset CTRL-J” can act as a reset command on some systems.


Remove the current line from the command buffer (and do not log it).


Stop (and restart) a process. This sequence may suspend a command (i.e. pause it). CTRL-s stops the system from sending any further data to the screen until a CTRL-q is pressed.


CTRL-s and CTRL-q control the flow of output to the terminal. CTRL-q resumes a terminal following the CTRL-s key.


Use CTRL-Z to stop a job. The command “bg” (background) can be used to put the program into the background (type "bg" on the command line).


Interrupt a program. This is used to “break” a program execution. This signal allows the program to clean up before exiting.


This is an end-of-input response. Some commands (such as mail) require this. Use with caution as this may log you out of some shells.


Kills a program (without cleaning up).


Clears the screen. This is the same as the command "clear".


Abandon the current command line and return to the prompt.


TAB is used to auto-complete the names of directories and files. Hit Tab for the shell to expand a name of a file such that the system expands it to a unique name that matches what you've typed so far. If there are multiple items that match what you've typed (i.e., there is nothing unique yet), you can hit Tab again to show the names of all files or directories in your current working directory that match what you've typed so far.


This is a history search on recent commands


Use the "HOME" key to go to the start of a command line and the "END" key to jump to the end.

Table 1 BASH shortcuts

Monday, 9 July 2012

Port Scanning Fundamentals

To understand port scanning we have to understand the protocols in use. Most network services use either TCP or UDP which are delivered end-to-end over IP. TCP is connection oriented, which means that it keeps track of sessions, and ensures reliability of order and delivery, by using retransmission and packet ordering before sending them up the stack to the application.

UDP however is connectionless. This means that there is no attempt made to retransmit or reorder the packets that are received. Any lost UDP packet has to be handled at the application layer. Less effort, but no checking. It is smaller, faster and the replay of packets is left to the application.

Scanning TCP Ports

TCP uses source a source port, destination port, sequence numbers, and control bits to ensure reliable session management. The control bits in particular are extremely important for tracking state. They are:

  • SYN – Synchronize number used during session establishment
  • ACK – Acknowledgement number used to acknowledge earlier packets were received
  • RST – used to reset a connection because of errors or other interruptions
  • FIN – Used to gracefully tear down a session
  • PSH – Push, flush data through the TCP layer immediately
  • URG – The Urgent Pointer, data should be handled quickly

Two newer control bits were added as defined in RFC3168 to deal with network congestion:

  • CWR – Congestion Window Reduced, controls the queue of outstanding packets
  • ECE – Explicit Congestion Notification Echo indicates the connection is experiencing congestion.

TCP Three-Way Handshake

It’s important to know how TCP sessions are established to understand all of the different methods of scanning TCP ports. TCP sessions are established using the three-way handshake:

  1. System A initiates a connection to system B by sending a TCP packet to a destination port with the SYN control bit set with an initial sequence number (ISNA).
  1. System B responds (provided that the port is listening) with a packet with both the SYN and ACK bits set and an initial sequence number (ISN-B) as well as an acknowledgement number of ISNA+1.
  1. System A completes the three-way handshake by responding with a packet that has the ACK bit set, a sequence number of ISNA+1, and an acknowledgement number of ISNB+1.

At this point the session is now established. All packets going from A to B will have increasing sequence numbers starting at ISNA+1 and incrementing by 1 for every byte of data in the payload. All responses back from B will have sequence numbers starting at ISNB+1 and incrementing by 1 for every byte of data sent in the payload back to A.

Now that we understand the basics of TCP connections and session management, we can now discuss scanning. RFC793 states that if a service is listening on a TCP port and a packet is sent to it with the SYN bit set, the response will be a packet with its SYN and ACK bits set. This response allows us to determine if a port is open or closed. There are four possible responses using this method of sending a SYN packet to scan for open ports (commonly called a SYN scan or TCP half-open scan):

  • Response 1: SYN-ACK – Port is open and listening.
  • Response 2: RST-ACK – The port is closed.
  • Response 3: ICMP Port Unreachable – The port is blocked by a router ACL or a firewall which sends the ICMP port unreachable message. Nmap will mark this port as “filtered”.
  • Response 4: No Response – The port is blocked by either a router ACL or firewall, which is silently dropping the request. It’s also possible that the port is not listening and the port is not listening on the target host and is configured to be silently dropped. Nmap will mark this port as “filtered” as well.

Penetration testers will typically find many more closed ports than open ports. Large scale port scanning will typically go much faster if the scanner receives Reset or ICMP Port Unreachable packets instead of no response. When a scanner gets no response, it slows the scan down because the scanner typically has to wait for a timeout in order to move on to the next port, which adds significant time in a large scale port scan.

Scanning UDP Ports

Because UDP is a connectionless protocol, there are fewer options for scanning. This is because there are no control bits that can be varied to discern open and closed ports, which makes UDP port scanning much less reliable and are often slower to perform.

There are three possible responses in a UDP scan:

Response 1: UDP Packet response – Port is open. If a UDP packet is sent in response to the UDP request packet, the port is open.

Response 2: ICMP Port Unreachable (Type 3, Code 3) – Port is closed. Some versions of UNIX and Linux rat limit the number of Port Unreachable messages, which will make the scan unreliable and/or slower to complete. Nmap will list this response as closed. It’s possible that other ICMP unreachable errors will be sent (Type 3, Codes 1,2,9,10,13). Nmap will mark the port as “filtered” for these responses.

Response 3: No Response – Port is “open/filtered”. This is common in UDP scanning and can be the result of the following:

CCA - cause consequence analysis

RISO labs (Riso National Laboratory: 307-312) developed CCA (Cause consequence analysis) which is essentially a fault tree based approach. It is commonly used for analysis of security and safety problems. CCA and fault trees can be easily applied to almost any technology or system (Keong, 2004).

The tree based approach involves the following steps:

  1. Identify an event
  2. Determine the underlying causes of the event.
  3. For each underlying cause identify the causes or initiating events.
  4. Repeat until the underlying cause becomes uncontrollable

The  CCA process is repeated until the final underlying cause is beyond the organisation’s control (whether through cost or other factors). 

Thus the process ends when there is no value in continuing to decompose the problem further.

Sample Managerial assessment interview questionnaire

One of the most critical components of any information security program is the people. Humans are what makes or breaks security. This means having an effective awareness program. Like all things, this is something that needs to be assessed.

The following are a few questions that may be asked in order to assess an awareness program.

  1. Is a current information security awareness program in place to ensure all individuals who use information technology resources or have access to these resources are aware of their security responsibilities and how to fulfill them?
  2. Is the program approved by senior management?
  3. Does the process specify timeframes and re-training requirements?
  4. Is it fully documented?
  5. Are new employees trained within 30 days of being hired?
  6. Do all employees sign that they have understood and accept the training and organizational policies?
  7. How often is refresher training provided?
  8. Does your staff know what's expected of them in their role regarding security for the organization, and your division?
  9. When did you last attend a security workshop for staff provided by the Security Division?
  10. Is our contract is included in security awareness sessions?
  11. What areas do the awareness training cover (e.g. password practices, use of anti-malware)?

Sunday, 8 July 2012

Scapy Part 1

Scapy Packet Manipulation

SCAPY is a very powerful packet crafting, manipulation and analysis tool. Scapy is a set of Python modules that allows the user to create scapy enabled python script or run scapy in “interactive” mode. Once you are in interactive mode scapy provides you with several functions that get more details about SCAPY’s capabilities. The ls() command can be used to get more information about scapy’s supported protocols. If you run the ls() command without anything in the parenthesis scapy will give a list of all of SCAPY’s protocols. Putting one of these protocols inside the parenthesis will list the fields associate with that protocol. Scapy also supports the LSC() command which will give a list of scapy functions. You can get more information about the functions that are available by passing the name of the function you want more information on to the help() function. For example, help(fuzz) will give you more information on the fuzz() function.

Crafting packets with SCAPY

Perhaps SCAPY’s most common use is to craft packets. Packets can be created by calling the methods associated with the specific protocol and passing the fields in that protocol as parameters to the protocol function. For example:

>>>newpacket=TCP(src=””, dst = “”, dport=80)”

  • Note: the “” need to be the correct ones … Urgh

This will create a packet containing a TCP packet from the source IP address of and a destination of IP address and port 80. Since they have not been explicitly defined, the IP and Ether (Ethernet) layers will be populated by the defaults associated with these protocols. You can explicitly define each layer in the protocol stack and add protocols together with the “/” character. The new layers can be the results of other scapy objects or other methods. For example, we can combine our existing “newpacket” variable with another layer like this:


Or we can explicitly define each layer using scapy protocol methods:

>>>Newudppacket=IP(dst=””)/UDP(dport=1000)/”THIS IS MY UDP PAYLOAD”

This will create a “Newudppacket” object containing a UDP packet to a destination IP address of and a destination port of 1000 with a payload of “THIS IS MY UDP PAYLOAD”. Here is another example:

>>>NewTCPPacket=Ether(src="ff:ff:ff:ff:ff:ff")/IP(dst=””)/TCP(dport=80)/"GET / HTTP/1.0\r\n\r\n"

This will create a “NewTCPPacket” object containing a TCP packet to the destination host of “” port 80 with a payload of “GET /HTTP/1.0\r\n\r\n”. This packet could be transmitted to a webserver to request the defalult page or after the TCP handshake has been completed.

Command Injection

In addition to cross-site scripting attacks, there is also command injection.

This attack leverages the same attack vector as XSS, but uses it to send operating system commands along with user input in an attempt to get the system to run them. These commands typically run with the same privileges as the web server, which is why running the web server as root on a Unix/Linux system or with SYSTEM privileges on a Windows system is very risky. Running the web server with limited privileges does not fully mitigate command injection vulnerabilities.

When testing for command injection, ping is a very useful command to use for many reasons:

  • Most operating systems have it by default
  • Runs with limited privileges
  • Many networks allow outbound ICMP Echo
  • Unlikely to damage the system
  • Will most likely not be noticed
  • The command is relatively short: “ping [ip address]” which helps if the buffer is limited
  • Verifies outbound connectivity back to the attacker
  • Validates command execution if the attacker cannot see the output of the commands

With respect to the last point above, the application involved may not print out the results of the commands in its response to the command injection. By injecting the ping command and using the attacker system’s IP address as its target, the attacker can verify that the command has been executed by watching for inbound ICMP echo requests to the system. This is called ‘Blind Injection’.

The ping command does have a drawback. On a Unix/Linux system the command “ping [ip address]” will ping continuously until it is killed or the system reboots. This can leave many processes running on the target system. Using the “-c [N]” command line option will limit the number of pings sent. Windows by default sends 3 pings and exits, but can be instructed to send any number of pings using “-n [N]”.

The “killall ping” command may also work, but caution must be used. On Linux, “killall” will kill processes based on name.

NOTE: on a Solaris system it will kill all processes and force a reboot of the system.