Monday, January 29, 2007

A Beginners Guide To Wireless Security

By Blake Wiedman
Wireless hacking, or war driving, is possible because of the inherent flaws in the 802.11 protocol. The 802.11b protocol will receive any signal that is within its broadcast range. This means that any network card within the 18 to 30 foot radius of a wireless access point will, in theory, be able to access the network that the access point serves. Currently there are a number of different methods of preventing access to a wireless network.

One is through using wireless encryption protocol, or WEP; as we will show in this article, this form of security is not the only answer. Wireless encryption protocol encrypts the packets that the network sends out, so if a person does not have the specific WEP key, then in theory they will be unable to access the data. Unfortunately, through enough analysis of air traffic, the key can be guessed by certain software products.

Another method is to use a RADIUS server, which acts like a domain controller for a wireless network. A combination of both of these security measures provides the tightest form of security.

The question you may be asking yourself is, "why would someone want to do this?" The first and most innocent reason is simply to gain free Internet access. The second is to use your network as a jumping-off point to commit other computer crimes. Their identity will then be hidden behind your network, escaping prosecution.

Following are the tools that most computer criminals are using:

airsnort
Kismet
scanchan
arpping
Computer criminals will use these tools to break the encryption on your network and gain access to the network and its bandwidth. Here is where you can find copies of these tools.

airsnort: http://airsnort.shmoo.com/
Kismet: http://www.kismetwireless.net/
scanchan: http://team.vantronix.net/reyk/prism2/
arpping: http://busybox.net/cgi-bin/cvsweb/udhcp/?sortby=file#dirlist
Now technically, you could try war driving at this moment. But you must remember that the distance a wireless LAN is capable of broadcasting is relatively short: approximately 18 feet to 30 feet with a normal consumer-grade product.

So, to increase the effectiveness of our audit policy, we will add an additional antenna to our wireless LAN card. Not every card on the market is ready to have an external antenna attached, so some cards will require a bit of soldering and other modifications. To save yourself the trouble, try purchasing a card that has the capability of attaching an external antenna. Here are some additional resources for finding cards that fit this bill.

Go to: Seatlewireless.net

Now that you have one of these cards, you'll be able to purchase something called a "pigtail". This will allow you to connect the small, usually proprietary connector on the card to an actual external antenna.

You may have heard the Internet rumors about building an antenna from a Pringles can. But that is not the best way to do it. A Pringles can was never meant to be an antenna, and the amount of metal it actually contains is not the best way to focus the wireless LAN frequency onto the antenna receptor. If you want the most effective method, just purchase an antenna from a local store. You can find this type of antenna at your local electronics store, usually a specialty store like RadioShack (not the best place to look, but the most common); the best bet would actually be a ham radio shop, but these are a rarity in some areas.

Now the question I usually get is, "can I use my car's antenna?" The answer to that one is no: antennas are designed to capture the frequency of the signal they are designed for. For example, radio waves are long waves, which is why a radio antenna is a long, thin design. Wireless LAN waves are very tight and fast, so the antenna has to be thin and long. This also means that the wireless LAN antenna is a directional antenna, so you have to face the antenna toward the source.

Now let's begin tracking down rogue signals.

The first thing to do in any type of security audit is to take a look at the area that you're trying to secure. Is your area low to the ground? Or is it in a skyscraper or other type of tall building? You need to take this into consideration because of the differences in the support structure of the building. Obviously, a skyscraper is going to have more steel in its support structure than a low building. Also, depending on what floor you're on, the actual range of your wireless LAN may not even reach the ground levels. If you're on a low-lying structure, you will have more of an area to cover.

Let's start with a low-lying area wireless LAN audit first. Get your gear and hop into the car. An additional piece of equipment would be a DC power inverter, which will let you run your laptop off the car battery. First, drive the pattern of traffic that is frequently followed at different times of day. This will establish the most common points that a criminal would use to access the network, so it is usually the first place that I would try to pick up the signal from your wireless LAN.

Once you have the laptop up and running, start NetStumbler and crank up the sound card. As you drive around you'll notice that NetStumbler will beep when it runs into a wireless LAN signal. The first thing you should take notice of is whether the wireless LAN signal is WEP encrypted. This will show up as a lock icon in NetStumbler, and it means that the wireless connection is not exactly open. If it shows up without a lock, this means that the wireless LAN is completely open; a person could merely configure their wireless LAN card for DHCP and connect to the network. Now, some wireless LANs are not set up for DHCP. In this case, people would have to configure their card to use an unused IP. All that is needed to do that is a little bit of guesswork, which is a lot easier than you would think, especially since most networks use the normal private 192.168 network address scheme.

If the connection does have WEP enabled, then you can use AirSnort to collect WEP data; after about 1 GB of collected data, the software program would be able to break the encryption algorithm.

They would then take the resulting key and configure it to be used by their network card, which will allow them to access the encrypted network traffic.

Now criminals use a multitude of methods to prevent administrators from noticing them on the network. One way is to set up a firewall on the laptop that blocks all incoming ports to their machine. This prevents their machine from showing up on a network scan, especially if the scan uses ping to determine whether there is a computer answering at that IP address. Most good scanning software can scan a network without using ping; this merely causes the scan to take an extreme amount of time. But a good network administrator should always supplement their normal scanning routine with a non-ping-based solution and

I hope all of this information helped you out. I am in no way an experienced columnist, so please excuse the inevitable bad grammar and run-on sentences. If you have any questions, feel free to contact me.

Blake Wiedman

admin@governmentsecurity.org


Microsoft Database Security

By www.microsoft.com

One of the most common scenarios for a distributed application involves reading and writing data on a remote database. The dilemma that arises is how to do so securely while maintaining application scalability. Where you choose to manage security in your application will greatly impact, either negatively or positively, the scalability of your application.

Achieving scalability through database connection pooling means giving up having the database manage security, because connection pooling requires the connection string to be identical for every pooled connection. Therefore, you must manage security elsewhere. If you must track database operations on a per-user basis, consider adding a parameter for user identity to each operation and manually logging user actions in the database.

Following the advice above, another issue is how to store the database connection string, which typically contains security credentials, so multiple users can access it without compromising security. Most sample applications demonstrate storing the connection string in the Web.config or global.asax files. However, because these files are plain text files that have limited security, it is not the best location for storing this information. Should an intruder compromise your Web server's security, these files would be easily accessible. Here are just a few alternatives:

If using the Web.config file, store the connection string encrypted and then decrypt the connection string in your application code when needed.
Build a COM+ application using the ServicedComponent Class and store the connection string in the construct string for that component.
When storing sensitive information in the constructor string, you should verify the following:

Only the appropriate users/groups belong to the Reader role of the System Package. However, you must carefully manage COM+ to prevent it from being unable to read its own configuration.
You have controlled and audited access to the %windows%\Registration folder, where the COM+ configuration database (RegDB) stores its files.
For more information, see ServicedComponent Class.

Use integrated security to make a trusted connection with SQL Server. This makes it possible for you to use a connection string that eliminates the need for storing a password in the connection string, such as: "Data Source=mySqlServer;Integrated Security=SSPI;Initial Catalog=myDB"
There are some drawbacks to using integrated security, most of which you can overcome. Because integrated security requires a Windows account, it defeats connection pooling if you impersonate each authenticated principal using an individual Windows account. However, if you instead impersonate a limited number of Windows accounts, with each account representing a particular role, you can overcome this drawback. Each Windows account must be a domain account with IIS and SQL Server in the same or trusted domains. Alternatively, you can create identical (including passwords) Windows accounts on each machine.

After a typical installation, the default security authentication mode is Windows Authentication for SQL Server 2000, which is different from SQL Server 7.0. In SQL Server 7.0, the default authentication mode is Mixed (Windows Authentication Mode and SQL Server Authentication). Windows Authentication is a better security method because of the additional security features it provides, such as secure validation and encryption of passwords, password expiration and auditing. For more information, see Authentication Modes.

If you configure SQL Server to use Windows Authentication, you could create one Windows account for read-only operations and another Windows account for read/write operations. You then map each Windows account to a SQL Server login and establish the desired permissions. Using application logic, you then determine which Windows account to impersonate when performing database operations. In SQL Server, you can add any Windows user account as a member of a fixed database role. Each member gains the permissions applied to the fixed database role. For more information, see Managing Permissions.

For SQL Server 7.0, integrated security does not work with SQL Server's TCP/IP network library, but uses the named pipes network library instead.

As an added security measure, the ConnectionString property of the SqlConnection object does not persist or return the full connection string by default. To do so, you must set Persist Security Info to true. For more information, see SqlConnection.ConnectionString Property and SqlConnection Class.
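As an added example (not Microsoft's code), the following C# data-access class combines three points from this page: a trusted connection string with no password to protect, an explicit user-identity parameter so per-user activity can still be logged through a pooled connection, and a check of the Persist Security Info default. The server, database and stored procedure names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not Microsoft's code). Assumes a SQL Server "mySqlServer" with a
// database "myDB" and a hypothetical stored procedure
// dbo.UpdateOrderStatus(@OrderId int, @Status nvarchar(20), @AppUser nvarchar(128))
// that records @AppUser in an audit table alongside the change.
public static class OrderDataAccess
{
    // Trusted connection: no password to store in Web.config or to leak from it,
    // and because every request uses this identical string, ADO.NET can serve
    // all of them from a single connection pool.
    private const string TrustedConnectionString =
        "Data Source=mySqlServer;Integrated Security=SSPI;Initial Catalog=myDB";

    // The database only ever sees the pooled (role) account, so the authenticated
    // application user is passed explicitly and logged by the stored procedure.
    public static int UpdateOrderStatus(int orderId, string status, string appUser)
    {
        using (SqlConnection conn = new SqlConnection(TrustedConnectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.UpdateOrderStatus", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@OrderId", SqlDbType.Int).Value = orderId;
            cmd.Parameters.Add("@Status", SqlDbType.NVarChar, 20).Value = status;
            cmd.Parameters.Add("@AppUser", SqlDbType.NVarChar, 128).Value = appUser;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Demonstrates the Persist Security Info default: once a connection that used
    // SQL Server authentication has been opened, ConnectionString no longer returns
    // the password unless the string carried Persist Security Info=true.
    public static bool PasswordIsStrippedAfterOpen(string sqlAuthConnectionString)
    {
        using (SqlConnection conn = new SqlConnection(sqlAuthConnectionString))
        {
            conn.Open();
            return conn.ConnectionString.IndexOf("Password=",
                StringComparison.OrdinalIgnoreCase) < 0;
        }
    }
}
```

PasswordIsStrippedAfterOpen returns true for a string such as "Data Source=mySqlServer;User ID=appuser;Password=...;Initial Catalog=myDB", which is why code that needs the full string later must opt in with Persist Security Info=true rather than rely on re-reading the property.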

See Also
Security Model

Step-by-Step Guide to Using the Security Configuration Tool Set

By www.microsoft.com

ON THIS PAGE
Introduction
Viewing and Modifying Local Security Policy
Working with security templates
Performing a Security analysis
Configuring System Security
Command-line configuration and analysis
Pre-defined security templates
Introduction
This step-by-step guide describes how to view, configure, and analyze local security policy and local security settings using various components of the Security Configuration Tool Set included with the Windows® 2000 operating system.
The Security Configuration Tool Set allows you to configure the following security areas:

Area                Configurable Items
Account Policies    Password, lockout, and Kerberos settings.
Local Policies      Audit, user rights, and security options.
Event Log           Settings for system, application, security and directory service logs.
Restricted Groups   Policy regarding group membership.
System Services     Startup modes and access control for system services.
Registry            Access control for registry keys.
File System         Access control for folders and files.


Administrators can use the following components of the Security Configuration Tool Set to configure some or all of the security areas described above:

Security Templates snap-in. The Security Templates snap-in is a stand-alone Microsoft Management Console (MMC) snap-in that allows the creation of a text-based template file that contains security settings for all security areas.
Security Configuration and Analysis snap-in. The Security Configuration and Analysis snap-in is a stand-alone MMC snap-in that can configure or analyze Windows 2000 operating system security. Its operation is based on the contents of a security template that was created using the Security Templates snap-in.
Secedit.exe. Secedit.exe is a command-line version of the Security Configuration and Analysis snap-in. It allows security configuration and analysis to be performed without a graphical user interface (GUI).
Security Settings extension to Group Policy. The Security Configuration Tool Set also includes an extension snap-in to the Group Policy editor to configure local security policies as well as security policies for domains or organizational units (OUs). Local security policies only include the Account Policy and Local Policy security areas described above. Security policies defined for domains or OUs can include all security areas.
This step-by-step guide describes how to use the snap-ins, command-line tool, and Security Settings extension to view, configure, and analyze local security policy and local security settings.

Requirements and Prerequisites
This guide assumes that you have run the procedures in the two-part "Step by Step Guide to A Common Infrastructure for Windows 2000 Server Deployment." The common infrastructure documents specify a particular hardware and software configuration. If you are not using the common infrastructure, you need to make the appropriate changes to this document. The most current information about hardware requirements and compatibility for servers, clients, and peripherals is available at the Product Compatibility Web site.


Viewing and Modifying Local Security Policy
Local security policy is exposed through the Security Settings extension to Group Policy. Local security policy includes the Account Policy and Local Policy areas only. The Account Policy area contains password and lockout information. The Local Policy area contains audit, user rights, and security options information.

To view local security policy:


Log on to a Windows 2000-based computer as a user with administrative privileges. In our example, we log on as Administrator to the server named HQ-RES-SRV-01.
To open the Group Policy console, click Start, click Run and type Gpedit.msc. Click OK.
Click the + next to Computer Configuration, then Windows Settings, then Security Settings, and then Local Policies to expand these folders.
Click the Security Options folder under Local Policies. Your window should be similar to the one shown below in Figure 1.


Figure 1. Security Options

For each security setting, notice that the Security Settings extension displays the local policy and an effective policy. Local Policy describes policy settings as they are defined on the local computer. Effective policy describes the combined local, domain, and organizational unit policies for each setting. This distinction is made because local policy settings can be overwritten by domain or OU policy settings. The order of precedence for policies is from lowest to highest:

Local Policy
Domain Policy
OU Policy
Local Policy has the least precedence and the OU that directly contains the computer has the highest precedence. The effective policy column displays the security policy in effect based on these precedence rules.

Modifying local security policy
To modify a local security policy setting, double-click the security item of interest and revise the policy. For example, to change the minimum password age defined by the local password policy:

Click the + next to Account Policies in the left pane (under Security Settings) to expand it.
Click Password Policy.
Double-click Minimum Password Age in the right pane.
Set a Minimum Password Age of 1 day, and click OK.
When you OK the policy change, policy propagation is triggered, which causes an effective policy to be computed (based on any overriding domain or OU policies) and applied to the system. Status regarding this policy propagation is available in the application event log.

Right-click Security Settings (in the left pane), and then click Reload.
Reloading the local policy updates the effective policy in the user interface. Depending on domain or OU password policies that are in effect, the effective policy may or may not have changed on your computer.

Close the Group Policy console.


Working with security templates
The Security Templates snap-in allows you to create a text-based template file that can contain security settings for all of the security areas supported by the Security Configuration Tool Set. You can then use these template files to configure or analyze system security using other tools.

You can import a template file into the Security Settings extension to configure local, domain, or OU security policy.
You can use the Security Configuration and Analysis snap-in to configure or analyze system security based on a text-based security template.
You can use the Secedit.exe command-line tool directly or in conjunction with other management tools such as Microsoft Systems Management Server or Task Scheduler to deploy a security template or trigger a security analysis.
To load the Security Templates snap-in:

Click Start, click Run, and then type MMC /s into the text box and click OK. (Note: there is a space between the C and the /s).
Click Console (under Console1 in the upper right of the window), click Add\Remove Snap-in, and click Add.
From the list of available Standalone Snap-ins, select Security Templates, as shown in Figure 2 below.


Figure 2. Adding the Security Templates snap-in


Click Add, then click Close.
Click OK.
Click the + next to Security Templates in the left pane to expand it.
Click the + next to C:\WINNT\security\templates to expand it. (Note: if you installed Windows 2000 in a different drive and/or directory, that path will display instead of C:\WINNT.)
Windows 2000 ships with several predefined security templates. Please see the section, Predefined Security Templates, in this paper for more information.

Modifying a Security Template
You can create your own security template by right-clicking the default templates folder (C:\WINNT\security\templates) under Security Templates and selecting New Template. (Note: If you installed Windows 2000 in a different drive and/or directory, that path will display instead of C:\WINNT.) However, in this guide you are going to modify the predefined secure workstation or server template (Securews.inf) that is included with Windows 2000.

To view the settings defined by Securews.inf:

In the left pane, scroll down and then Click the + next to Securews to expand it. Notice in Figure 3 below that (unlike the local security policy covered in the previous two sections) all security areas are configurable when you define a security template.


Figure 3. Reviewing settings defined by Securews.inf


Browse the Account Policies and Local Policies defined by Securews by expanding those folders, selecting the different areas and viewing the Stored Template settings in the right pane.
Displaying a Custom Logon Message
You can modify the Securews to display a custom message to all users who log on.

Click the Security Options node under Local Policies.
In the right pane, scroll down and then double-click Message Text for Users Attempting to log on.
Type a message that will be displayed to all users when they log on, and click OK.
Creating a Restricted Group Policy
A Restricted Group Policy allows you to define who should and should not belong to a specific group. When a template (or policy) that defines a restricted group is applied to a system, the Security Configuration Tool Set adds members to the group and removes members from the group to ensure that the actual group membership coincides with the settings defined in the template (or policy). In this procedure, you will define a restricted group policy for the Local Administrators group in addition to the restricted group policy that is already defined for the local Power Users group in Securews.inf.

To create the restricted group policy:

In the left pane, right-click Restricted Groups, and select Add Group.
Type NewAdmins as the group name and click OK. The local Administrators group is added as a restricted group in the right pane of the Security Templates snap-in.
Double-click Administrators in the right pane.
You can now define who should be a member of the Administrators group and specify other groups that the Administrators group can be a member of.

Click Add and then click Browse. The Select Users or Groups dialog appears as shown in Figure 4 below.
Select the Administrator user in the Select Users or Groups dialog. Click Add.


Figure 4: Select Administrator


Click OK, and then click OK twice more.
This restricted group policy states that only the local administrator user can belong to the Administrators local group when the Securews template is used to configure a Windows 2000 system. During configuration, the tool set removes all other users that belong to the Administrators group at the time of configuration. Similarly, if (at the time of configuration) the Administrator user does not belong to the Administrators group, the Security Configuration Tool Set adds the Administrator user to the Administrators group.

If the Members list is empty: if no users are specified as members of a defined restricted group (the top box is empty), the Security Configuration Tool Set removes all current members of that group when the template is used to configure a system.
If the Member of list is empty: if no groups are specified for a restricted group to belong to (the bottom box is empty), no action is taken to adjust membership in other groups.
Configuring Permissions for a File System Directory
You can use Securews to configure permissions for file system directories as well.

Right-click File System in the left pane, and click Add File.
Click the %systemroot%\repair directory as shown in Figure 5 below. Click OK.


Figure 5. Configuring file system permissions — selecting the repair directory

The Access Control List (ACL) Editor shown in Figure 6 below appears. This allows you to specify permissions for the %systemroot%\repair directory in the Securews.inf template.


Figure 6. Using the ACL Editor to specify permissions


Select the Everyone group in the top pane and click the Remove button.
Click the Add button and select the Administrators group. Click Add and click OK.
Click the Full Control checkbox in the bottom pane to give the Administrators group full control permissions.
Clear the Allow inheritable permissions from parent to propagate to this object checkbox.
Click OK to accept the Administrator-only permissions defined for the directory.


Figure 7: Template Security Policy Setting


Select the Replace existing permission on all subfolders and file with inheritable permissions button and click OK.
Inheriting, Overwriting, and Ignoring Policy Changes
After you define permissions for a file system or registry object, the Security Configuration Tool Set asks you how the object's children should be configured.

If you select Propagate inheritable permissions to all subfolders and files, normal Windows 2000 ACL inheritance procedures are in effect. Specifically, any inherited permissions on child objects are adjusted according to the new permissions defined for this parent. Any explicit access control entry (ACE) defined for a child object remains unchanged.

If you select Replace existing permission on all subfolders and files with inheritable permissions, all explicit ACEs for all child objects (which are not otherwise listed in the template) are removed, and all child objects are set to inherit the inheritable permissions defined for this parent.

To prevent a child object from being overwritten by a parent, the child object can be added to the template and ignored. If a child object is added to the template and ignored, then that child's inheritance mode and that child's explicit ACEs remain untouched. Choosing the option: Do not allow permissions on this file or folder to be replaced for an object in a template makes sense only if an ancestor of that object is configured to overwrite children. If no ancestor exists in the template, ignoring an object has no impact. If an ancestor exists but is configured such that children inherit, then ignoring a child has no impact.

In this example, the ACL configuration for the %systemroot%\repair directory in the Securews.inf template is defined as follows:

Administrators have full control on the %systemroot%\repair directory. By default, these full control permissions apply to this folder, subfolders, and files. You specified this when you defined the Administrator permissions in the ACL Editor.
Note: The degree to which an ACE is inheritable is specified in the Advanced tab of the ACL Editor under the Apply to column. This walkthrough did not examine the Advanced tab when defining the permissions for Administrator.

The %systemroot%\repair directory does not inherit any permissions from its parent. You specified this when you cleared the Allow inheritable permissions from parent to propagate to this object checkbox in the ACL Editor.
All ACLs on all subfolders and files of the repair directory are configured such that they inherit the inheritable Administrators full control permission from this parent, regardless of their current configuration. You specified this when you selected the Replace existing permission on all subfolders and files with inheritable permissions mode of operation.
To save your customized Securews.inf file:

Right-click Securews.inf, click Save As, and type Mysecurews and click Save.
Exit the Security Templates snap-in console by clicking the Close button in the upper right corner.
Click Yes to save the console settings.
Save the console as Security Templates. This allows you to start the Security Templates snap-in without having to add it to a console in the future.
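As an added example (not part of the Microsoft guide), here is what the settings built in this walkthrough look like when saved as a security template (.inf) file of the kind the Security Templates snap-in writes; the logon message text is a constructed sample, and the Administrators group is identified by its well-known SID.

```ini
; Added example, not from the Microsoft guide: the Securews customizations from
; this walkthrough expressed as a security template. The message text is a
; constructed sample.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Account Policies -> Password Policy: Minimum Password Age of 1 day
[System Access]
MinimumPasswordAge = 1

; Local Policies -> Security Options -> Message text for users attempting to log on
; (stored as a registry value; the leading "1," marks a REG_SZ string)
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,"Authorized users only. Activity is monitored."

; Restricted Groups: only the Administrator user may belong to the local
; Administrators group (well-known SID S-1-5-32-544). The empty Memberof line
; means no action is taken on this group's membership in other groups.
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator

; File System: %SystemRoot%\repair with Administrators (BA) Full Control (FA),
; inheritable to subfolders and files (OICI), inheritance from the parent blocked
; (the P flag), and mode 2 = replace existing permissions on all subfolders and
; files with inheritable permissions.
[File Security]
"%SystemRoot%\repair",2,"D:PAR(A;OICI;FA;;;BA)"
```

The command-line counterpart of importing this template into a database and running Analyze Computer Now is secedit /analyze /db Mysecurews.sdb /cfg Mysecurews.inf /log %windir%\security\logs\Mysecurews.log, which writes the same mismatch report to the log file instead of the snap-in.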


Performing a Security analysis
You can analyze current system settings against a baseline template at anytime. Performing an analysis is useful for several different reasons:

To identify security holes that may exist in a current configuration.
To identify changes that a potential security policy may impart to a system, before actually deploying the security policy.
To identify deviations from a policy that is currently imposed on a system.
During this part of the guide, you will analyze the current system settings against the custom security template you created in the previous section. If you assume that the custom security template defines a more secure configuration, this analysis should identify security holes that may exist in the current system configuration, and can also identify changes that will take place if this template is used to configure the system.

To load the Security Configuration and Analysis MMC snap-in:

On the Start menu, click Run and type: MMC /s
From the Console menu, select Add\Remove Snap-in, and click Add.
Select Security Configuration and Analysis.
Click Add and then click Close. Click OK.
Creating a Database
All configurations and analyses are database-driven. Therefore, you must get the baseline analysis template into a database prior to performing the analysis operation.

To create the database

Click Security Configuration and Analysis in the left pane.
Right-click Security Configuration and Analysis in the left pane.
Click Open Database.
Type Mysecurews.sdb as the name of the database.
Click Open.
Select Mysecure.inf as the security template to import into the database.
Click Open.
Notice that the name of the database is now exposed in the result pane and that there are several more options on the context menu for Security Configuration and Analysis.

To perform the analysis

Right-click Security Configuration and Analysis, and then select Analyze Computer Now, from the context menu shown in Figure 8 below.


Figure 8. Analyze Computer option


Specify the log file for the analysis operation as follows: (note: you can find this also by clicking the browse button instead of typing it in)
%windir%\security\logs\Mysecurews.log
where %windir% is the drive and path to your Windows directory; for example:
C:\WINNT\security\logs\Mysecure.log

Click Open and then click OK. A progress dialog like the one shown in Figure 9 below displays as the analysis proceeds.


Figure 9. Analyzing System Security Progress Report


Reviewing the Analysis Results
After the analysis has completed, the security areas are available under the Security Configuration and Analysis node.

To review the results

From the Security Configuration and Analysis node, click View.
Select the Description Bar to expose the database you are currently working with.
Expand Security Configuration and Analysis in the left pane, and then expand Local Policies, and then click Security Options as shown in Figure 10 below.


Figure 10. New Security Settings


In the right pane, both database and actual system settings are displayed for each object. Discrepancies are highlighted with a red flag. Consistencies are highlighted with a green check mark. If there is no flag or check mark, the security setting is not specified in the database (that is, the security setting was not configured in the template that was imported).

You can double-click any setting in the result pane to investigate discrepancies further and modify database settings if desired.

For example:

Expand the File System node in the left pane.
Expand the %windir% directory (for example, C:\WINNT).
Right-click the Repair directory.
Note that files contained in the repair directory are also highlighted as being OK or mismatched. When a template specifies a container object in overwrite mode (which was the case when we configured the repair directory) all children of that object are analyzed for compliance. Child objects that do not inherit from the parent are flagged as mismatched because overwrite implies that all children (not otherwise specified in the template) should inherit from the parent. Child objects that are inheriting from the parent (and contain no explicit ACEs of their own) are flagged as matches even if they are currently inheriting a different DACL than the one specified by the parent in the template. In this latter case, the relevant mismatch was flagged on the parent itself.

Select Security. You can view the analyzed permissions, the database permissions, or both.
Click View Security then click OK. (Note that you cannot modify the actual system settings while viewing analysis results.)
Drag the Last Analyzed Security dialog out of the way, and click Edit Security in the previous window. Line up the windows side by side as shown:


Figure 11. Compare Repair ACL

You can see the discretionary access control list (DACL) defined in the database (that was imported from the Mysecure template) and the actual DACL at the time the analysis was performed. Because the DACLs differ, the repair directory is highlighted as a mismatch.
Close these three windows.
Modifying Baseline Analysis Settings
After you review the analysis results, you may decide to update the baseline database that was used to perform the analysis. This may be desirable if you have changed your mind about the relevancy or the security specification that was originally defined for an object. For example:

If you consider an object to be security relevant, then you would check the Define this policy in the database checkbox when viewing the detailed analysis results. If this box is unchecked, the object is removed from the configuration and receives its inheritance from the parent object, as defined.
If you want to base future configurations or analyses on a different security specification, then you can click the Edit Security settings control to modify the security definition currently stored in the database.
In the example above, you already clicked the Edit Security control in step 6. If desired, you can modify the ACL currently defined for the repair directory in the database. Future analyses or configurations using this database would then be based on the newly defined ACL. Such modifications can be saved to a template by selecting Export Template from the context menu of the Security Configuration and Analysis node.


Configuring System Security
Thus far, you have created a customized security template (Mysecure.inf) and analyzed the current system settings against this template. If you are comfortable with the security changes indicated by this template (as noted by the mismatches flagged in the analysis), you can now configure the system with these new security settings.

To configure the system with the new settings:

Right-click the Security Configuration and Analysis node.
Select Configure System Now.
Specify the following as the path to the log file:
%windir%\security\logs\Mysecure.log
where %windir% is the drive and path to your Windows directory (for example, C:\WINNT).
Click OK. A progress dialog displays to indicate the security areas being configured. When the configuration has completed, your system is configured with the settings specified in Mysecure.inf.
Click the Close button in the upper right corner of the Security Configuration and Analysis MMC snap-in.
Click Yes to save the console settings.
Specify SCA as the file name, and save the file.
This allows you to start the Security Configuration and Analysis snap-in without having to add it to a console in the future. Note that both the Security Templates snap-in and the Security Configuration and Analysis snap-in can be added to the same console if desired.

Viewing the Updated Local Security Policy
Changes made to local policy settings are automatically trapped by the Security Configuration Tool Set and stored in the local policy database. You can view these settings as you did in the first phase of this guide.

To view the policy

On the Start menu, click Run and then type Gpedit.msc and click OK.
Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Account Policies.
Click Password Policy, as shown in Figure 12 below.

Note You must be an administrator to view local policy. If you are not logged on as an administrator user, then you may no longer have administrator permissions. This is because of the restricted Group Policy you just applied to the system.


Figure 12. Password Policy

You see that the local minimum password age (originally set to 1 during the Modifying Local Security Policy phase of this guide) is now set to 2 in accord with the Mysecure.inf specification.

Similarly, the message text has been updated:
In the left pane, expand Local Policies, and click Security Options, as shown in Figure 13 below.


Figure 13. Viewing security options


Viewing Updated File System Security Settings
Because file system settings are not local policies, you can verify the configuration of the repair directory through Windows Explorer.

To view file system security settings:

On the Start menu, point to Programs, then point to Accessories, and click Windows Explorer.
Unless it is already displayed, click the View menu, point to Explorer Bar, and select Folders.
Expand %windir% (where %windir% is the drive and path of your Windows directory; for example, C:\WINNT).
Click the Repair directory, right-click it, and select Properties.
Click the Security tab. Figure 14 below shows these two windows lined up:


Figure 14. Viewing file system security settings


Click the Close button in the upper right corner of the Group Policy window.
Now that the customized security settings specified in Mysecure.inf have been applied to the system, you can monitor any deviations from this security policy by periodically performing a system analysis against the database.


Command-line configuration and analysis
The configuration and analysis operations available from the Security Configuration and Analysis user interface can also be performed using the Secedit.exe command-line tool. Command-line operation allows security configuration and analysis to be performed in conjunction with other administrative tools, such as Microsoft Systems Management Server or the Task Scheduler built into Windows 2000. Secedit.exe also provides some capabilities that are not available in the graphical user interface.

Viewing Secedit.exe Help
The online Help provided with Secedit.exe describes the syntax for using the command.

To view the help text

On the Start menu, click Run and then type CMD. Click OK.
Type Secedit and press Enter to see online Help for this command.
The command provides five high-level operations:

Analyze
Configure
Export
RefreshPolicy
Validate
Analyze and Configure correspond to the same tasks available using the Security Configuration and Analysis snap-in.

Export dumps database configuration information into a template (.inf) file. This feature is also available in the snap-in through the Security Configuration and Analysis context menu after a database has been opened.

RefreshPolicy allows you to trigger a group policy propagation event which, by default, occurs whenever the machine boots, every 60-90 minutes thereafter, and when local security policy is modified using the Security Settings extension to Group Policy (as described in this guide). When a policy propagation event is triggered, pending policy changes are enforced by the corresponding Group Policy extensions (in this case, the Security Settings extension). To cause a refresh in policy regardless of whether there has been a change or not, you can use the /Enforce switch in conjunction with /RefreshPolicy.

Validate verifies the syntax of a template created using the Security Templates snap-in.

As described previously in this guide, all configurations and analyses are database driven. Therefore, Secedit.exe supports parameters for specifying a database (/db) as well as a configuration file (/cfg) to be imported into the database prior to performing the configuration. By default, the configuration file is appended to the database. To overwrite existing configuration information in the database, use the /overwrite switch. As with the snap-in, you can specify a log file (/log); however, Secedit.exe also allows detailed (/verbose) log information to be recorded. Also note that while the snap-in always configures all security areas, Secedit.exe allows you to specify areas (/areas) to be configured. Security areas not specified with the /areas switch are ignored even if the database contains security settings for those areas.

Configuring Security with Secedit.exe
The following example reapplies only the file system configuration specified by Mysecure.inf.

To configure file system security with Secedit.exe

Change to the %windir%\security\database directory (where %windir% is the drive and path to your Windows directory). For example, at the command prompt type:

cd %windir%\security\database


Type the following:

secedit /configure /db mysecure.sdb /areas FILESTORE /log %windir%\security\logs\Mysecure.log /verbose

where %windir% is the drive and path to your Windows directory (for example, C:\WINNT).
Note: since the database already existed and contained configuration information previously imported from Mysecure.inf, you did not need to specify the /cfg parameter. Note also that paths for /db, /cfg, and /log must be absolute unless the file is in the current directory.

Type:

%windir%\security\logs\Mysecure.log

Notice that the previous configurations (performed from the snap-in) configured all security areas, while the last configuration processed only the file system security area.

Performing Security Analysis with Secedit.exe
Your system is currently configured according to the customized settings defined in Mysecure.inf. You will now violate this policy, and then perform a command-line analysis to locate the violation.

To violate the policy and then locate the violation:

Recall that Mysecure.inf specifies a restricted Group Policy for the Administrators group such that only the administrator user should belong to the Administrators group. Violate that policy by adding Everyone to the administrators group. Type the following at the Command prompt, and press Enter:

Net LocalGroup Administrators Everyone /Add


Perform the analysis using Mysecure.sdb as the baseline configuration. Type the following command at the Command prompt:

secedit /analyze /db Mysecure.sdb /Log Monitor.log /verbose


If you have access to the Grep tool, you can parse the log file to locate mismatches. Type the following at the Command prompt:

grep Mismatch Monitor.Log


Notice that the administrators group is flagged. Mismatches on registry values are occurring because these particular registry values are configured on the system, but not configured in the database. The snap-in tool does not flag these types of mismatches.
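The periodic analysis described above, as an added example that is not part of the original guide: a Python wrapper that builds the secedit /analyze command with absolute /db and /log paths (as the note above requires), reads the log, and returns the Mismatch lines the way the grep step does. The database and log paths are assumptions, and the sample log lines are constructed rather than captured from secedit.

```python
"""Baseline check against Mysecure.sdb with secedit, added example (not from the guide).
Runs 'secedit /analyze' and returns the mismatch lines from the verbose log."""
import os
import subprocess
from typing import List

# Assumed locations: the database created earlier in the guide and a log beside it.
DEFAULT_DB = r"C:\WINNT\security\database\Mysecure.sdb"
DEFAULT_LOG = r"C:\WINNT\security\logs\Monitor.log"


def secedit_analyze_command(db: str, log: str, verbose: bool = True) -> List[str]:
    """Build the command line used in the guide.  secedit needs absolute paths for
    /db and /log unless the file sits in the current directory, so make them absolute."""
    cmd = ["secedit", "/analyze", "/db", os.path.abspath(db), "/log", os.path.abspath(log)]
    if verbose:
        cmd.append("/verbose")
    return cmd


def decode_log(raw: bytes) -> str:
    """Decode the log bytes.  A log starting with a UTF-16 byte order mark is decoded
    as UTF-16; anything else is treated as single-byte text (no byte can fail)."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def find_mismatches(log_text: str) -> List[str]:
    """Return every log line containing 'Mismatch', as 'grep Mismatch Monitor.log' would."""
    return [line.strip() for line in log_text.splitlines() if "Mismatch" in line]


def run_baseline_check(db: str = DEFAULT_DB, log: str = DEFAULT_LOG) -> List[str]:
    """Run the analysis and return the mismatch lines; an empty list means the
    system still matches the database."""
    subprocess.run(secedit_analyze_command(db, log), check=True)
    with open(log, "rb") as handle:
        return find_mismatches(decode_log(handle.read()))


# Constructed sample in the spirit of the verbose log (not captured from secedit);
# it lets find_mismatches be exercised without running secedit.
SAMPLE_LOG = "\n".join([
    "-------Analysis Group Membership...",
    "Mismatch - Administrators.",
    "-------Analysis Registry Values...",
    "Mismatch - MACHINE\\Software\\Example\\ExampleValue.",
    "-------Analysis completed successfully.",
])

if __name__ == "__main__":
    for entry in find_mismatches(SAMPLE_LOG):
        print(entry)
```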


Pre-defined security templates
Windows 2000 Default Security Templates
Windows 2000 default security settings are applied only to Windows 2000-based systems that have been clean-installed on an NTFS partition. When computers are upgraded from Windows NT 4.0 or earlier, security is not modified. When Windows 2000 is installed on a FAT file system, security cannot be applied.

The following basic security templates are provided to secure upgraded NTFS computers in the same fashion as clean-installed NTFS computers:

Basicwk.inf for computers running Windows 2000 Professional.
Basicsv.inf for computers running Windows 2000 Server.
Basicdc.inf for domain controllers running Windows 2000 Server.
These security templates specify default Windows 2000 security settings for all security areas with the exception of User Rights and Groups.

Incremental Security Templates
Windows 2000 also ships with the following incremental security templates. These security templates were constructed based on the assumption that they would be applied to Windows 2000 computers that are configured with the new Windows 2000 default security settings. In other words, these templates incrementally modify the default security settings. They do not include the default security settings plus the modifications.

You should apply these incremental templates to Windows 2000 systems that have been clean-installed onto an NTFS partition. For NTFS computers that have been upgraded from Windows NT 4.0 or earlier, apply the corresponding basic template (as described above) before you apply any of the incremental security templates. Windows 2000 systems that are installed on FAT file systems cannot be secured.

Compatws.inf for workstations or servers. If you do not want your users to run as power users, the compatible configuration opens the default permissions for the Users group so that legacy applications are more likely to run correctly. Office 97 should run successfully when you are logged on as a User to a Windows 2000 machine that has had the compatible security template applied over the default settings. Note that this is not considered a secure environment.
Securews.inf for workstations or servers, and Securedc.inf for domain controllers provide a secure configuration. The secure configuration provides increased security for areas of the operating system not covered by permissions. This includes increased security settings for Account Policy, Auditing, and some well-known security relevant registry keys. Access control lists are not modified by the secure configurations because the secure configurations assume that default Windows 2000 security settings are in effect.
Hisecws.inf for workstations and servers, and Hisecdc.inf for domain controllers provide a highly secure configuration. The high security configuration is provided for Windows 2000 computers that operate in native Windows 2000 environments only. In this configuration, all network communications must be digitally signed and encrypted at a level that can only be provided by Windows 2000. Thus, communications between a Windows 2000 highly secure computer and a downlevel Windows client cannot be performed.
Security Levels
The following table describes the relative levels of security that can be associated with the operating system based on the templates that have been applied as well as the type of user accessing the system:

Templates Applied                   User Level
Default                             Power User
Default + Compatible                User
Default                             User
Default + Secure                    User
Default + Secure + High Secure      User


Thus, logging on as a Power User on a system where Windows 2000 was clean-installed on an NTFS system is less secure than logging into that same system as a User.


Important Notes
The example company, organization, products, people, and events depicted in this step-by-step guide are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.

This common infrastructure is designed for use on a private network. The fictitious company name and DNS name used in the common infrastructure are not registered for use on the Internet. Please do not use this name on a public network or Internet.

The Active Directory® service structure for this common infrastructure is designed to show how Microsoft Windows 2000 Change and Configuration Management works and functions with the Active Directory. It was not designed as a model for configuring an Active Directory for any organization–for such information see the Active Directory documentation.

Sunday, January 28, 2007

IRC Security FAQ

IRC FAQ Undergroundworld.de.vu the Secure-Net Search Lab
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =>
Resource: http://www.undergroundworld.de.vu
Contact: ugw-mail@gmx.de
IRC: irc.box.sk, port 6667, Channel #exploiters
Writer:
Dead Beat, The Destroyer

Introduction:
Welcome to the IRC FAQ of UGW (http://www.undergroundworld.de.vu). We have tried
to make this FAQ as complete as we can, but will something ever be complete? Well, not
with the increasing technical possibilities we have, but that's something else.... We would like
to show the newbie how to start connecting and where to IRC from, what servers there are
and why to use them, anonymous chatting and more stuff from securing to attacking - we
want to show you what possibilities you have and which you don't... We want to write things
as easy as possible so that everybody understands this! That's why we have divided the tutorial
into 4 parts: Newbie, Average, Advanced and Geek. We have done this so that everybody
has something to enjoy! So read on and have phun!
Dead Beat

IRC (Newbie)
- What is that?
- Why should I use that?
- Clients?
- Where can I get a client?/The first connect

Ports (Newbie/Average)
- Which Ports does IRC use?
- How can I find this out?
- Identd?
- DCC?

Commands (Average)
- Where do I find help?
- What are OPs?
- What is "@" and "+"
- How can I register my nickname?
- How do I register a Channel?
- Modes?
- How to set modes?
- How to kick and ban people?
- How to invite
- How to use colors
- Shorties ;)
- How to see all channels!
- What's this privmsg?
- dcc?
- ctcp?
- Grats!

Attacks on IRC?(Average/Advanced)
- Flooding?
- Getting the IP
- How to get info and how to use it?
- How to take over a Chan
- How to get OP's

Solving Problems of attacks from IRC (Advanced)
- Anonymous?!
- Why to be anonymous?
- How to be anonymous?
- How to connect if I don't have a client?
- Telnet ok, but how?
- How to get back your Chan
- How do I prevent users finding out info through CTCP?

Specials (Geeks)
- Spoofing Techniques
- Using IRC as Portwatcher
- Port watch with Ident
(Attacks)
- Faked Dcc requests


IRC:

What is that?
~~~~~~~~~
IRC stands for Internet Relay Chat. It is a widely spread system to -chat- (who would have guessed that?).
It is built as follows. Let us suppose User 1 wants to chat with User 2:

                          Server
                         /      \
            connects with        connected to
                 /                      \
           PC User 1                  PC User 2

This is the way it works. You send your text to the server, which displays it to the channel or privmsg window
(I will explain privmsg later). So without the server you will not be able to chat, of course. You connect to
a server that relays your messages with a so called client. Read on to know what that is.


Why should I use that?
~~~~~~~~~~~~~~~
Since it is a widely spread system many people use it, so if you don't want to sit alone with somebody in a stupid
Love Chat, come to an IRC server and you will be able to chat whenever you would like to ;)! Another reason is
that you have many more commands to use: you can send files, find IPs of servers, ping (with spoofed IP) and more.


Clients?
~~~~~
Yes, these so called clients are the communication base between you and the server. If you send a command the client
sends it to the server in a form that the server can read. The second comfortable thing is that you have a GUI (Graphical
User Interface): you don't have to type your fingers to death, you can use a mouse in this nicely built window application.


Where can I get a client?/The first connect!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At first you will have to go to http://www.mirc.com. Download and install the latest version of mIRC (at this time v5.91
is up-to-date). When starting mIRC a little window called "About mIRC" appears, and if you don't want to see it every
time you start mIRC, just deactivate the little checkbox at the bottom left corner! After clicking on the X you will see the
"mIRC Options" window, which contains the main settings of mIRC. You can always reach this dialog by clicking on the
icon with the folder and the hammer or going to "File/Options...".
The first thing you should do is to type your desired nickname in the "Nickname" field and an alternative (if the first one is
already used) in the "Alternative" field. The "Full Name" and "E-Mail Address" fields are not so important and can be filled
with some crap. The next important settings are on the "Connect/Identd" page: on most IRC servers and networks you
have to enable the Identd server (first checkbox) to get connected. But because you don't need it after you have connected,
you should also check the last checkbox ("Enable only when connecting"). If you want to see when somebody requests an ident,
you can enable the "Shows Identd requests" option. The text you type in the "User ID" field will be shown before your
hostname when somebody does a whois on you (then he also sees the text from the "Full Name" field mentioned earlier).
In the "System" field you can write what you want, but the port has to be "113"!

2. Connecting to a server
Now you have basically set up your mIRC client and you should learn how to connect to a server and join a chan. As an
example let me explain how you can connect to irc.box.sk and join our chan #Exploiters:
- Go to the "Connect" page in the "mIRC Options"
- Click on "Add"
- Name this server however you think is best in the "Description" field (e.g. "box.sk" or "the best irc server")
- Put "irc.box.sk" in the "IRC Server" field
- The "Port" field should be "6667"
- "Group" and "Password" should be left blank
- Click on "Add"
- Push the big "Connect to IRC Server" button

Now a popup window named "mIRC Channels Folder" appears and you could enter "#Exploiters" in the text field at the top
and press the "Join" button, but this is pretty lame ;-) and will get really annoying after a short time! So you just disable the
"Pop up folder on connect" option and click "Close", and the next time this window won't appear.

You see the "Status" window now (which we will discuss later on). You just have to type "/J Exploiters" (of course without
the quotes) in the bottom line (the input line). For whom it is of interest: /J is basically a shortcut for /JOIN, and you can omit
the # in the chan name. Under normal conditions you should be in our chan now and can chat with us (most of the
day there are at least a few people in the chan) by typing something in the input box of the chan window.


Ports

Which Ports does IRC use?
~~~~~~~~~~~~~~~~~~~
It uses the port range 6666-6669. The normal and standard port is 6667, so you would be well advised to check
that one first. Another port IRC uses is 113 for the ident requests. (btw: perhaps you wonder why we talk about irc and mirc;
well, quite easy: irc is the chat and mirc is the standard Windows client ;).


How can I find them?
~~~~~~~~~~~~~~~
Well, when you find the address of a server on a site they will usually give you the port too, if they aren't totally funny or stupid. If
not, portscan ;)) Well, this will take you far more time than just trying manually, so just try the port range I gave you above.


Identd?
~~~~~
This is a service that should just give out some info about the user and his system! I don't want to go into the Identd protocol
too much! But if you are interested check (http://www.faqs.org). So Identd "sits" on port 113 normally. You can of course
reconfigure that and change it.


DCC?
~~~~
DCC stands for Direct Client Connections. You find more about DCC further down this text! But what to say about ports? Normally
your client waits for DCC connections on 1024; you can also change that or run the DCC through a firewall!


Commands

- Where do I find help?
If you want general help on IRC you can just type /help (you don't have to be connected!) or click Help; there you
will find a lot of topics you can read about.


What are OPs?
~~~~~~~~~~
OP stands for Operator. This means if you see somebody in the chan with a @ he is channel operator and has nearly all rights.
He is able to kick, ban, voice, devoice you and more! There is only one person above him, called the "Founder"; he has
operator status too. You can check the founder of a chan like this: "/chanserv list set founder". The OPs are divided into access
levels. Whenever you enter a chan, "chanserv" (a service that organizes all the channels and channel commands) will check which
access level you have. If you are not listed in the access list you will just get no mode at all. To check the access list of a
channel type this: "/chanserv access #channelname list". You will not be able to see this list for every channel, since you can
deactivate that command.


What is "@" and "+"
~~~~~~~~~~~~~~~
@ is a sign that the person has operator status, so if you see the name @Dead_Beat it means that Dead_Beat has operator
status. If you see a name like "+etsh911" this means "etsh911" has a voice. Well, you will read in a sec that you can moderate a chan;
this means that only ops (@) and people with voice (+) have the permission to talk in the chan. Normally channels are not moderated,
so the option "+" isn't actually important, but it shows that the person has perhaps been on the chan a long time or knows much. It's just a
sign of some kind of respect or friendship or whatever; it is just better than nothing ;). If you see a name like "TheDestroyer"
with no "@" and no "+" this means that the access level of "TheDestroyer" is not defined in the access list.


How can I register my nickname?
~~~~~~~~~~~~~~~~~~~~~~~~~~
When you enter an IRC server you will have to give yourself a nickname. By default this will be something like gUeSt975Ba or shit;
this shows that you have no idea about IRC and will decrease the respect of people! Believe me, it is not good to do this ;-) so
change your nickname before entering any chan. You can do this with: /nick wished_name. So if you wanted to call yourself
Peter_Hugle you would use this syntax: "/nick Peter_Hugle" ok?! good..


How do I register a Channel?
~~~~~~~~~~~~~~~~~~~~
As I mentioned before, "chanserv" is the service for all channels! So if you want to register a channel you would have to use the
following command: "/chanserv register #channelname password". This is really easy and done quickly, but don't forget to ask an
IRC oper if you are allowed to register your own channel. To do this just enter the most visited channel and ask if somebody
knows the nickname of any IRC-Oper in this channel. (To drop the registration just use "/chanserv #channame drop")


Modes?
~~~~~~
Modes set some "adjectives" on a channel, like the one I talked about already: "+m". All modes are specified with a +/-:
"+" = set the mode, "-" = unset the mode. So, like I said, m = moderated; to set the mode moderated type: "/mode #channel +m",
but to unset use "/mode #channel -m". Quite easy!! But don't forget, only ops can set modes! Other modes are:
b(ban)
p(private)
s(secret)
i(invite only)


How to set modes?
~~~~~~~~~~~~~~
Hmm sorry, but I told you above ;))


How to kick and ban people?
~~~~~~~~~~~~~~~~~~~~
As I said, you have to be op to do this: Kick = "/kick #channel nickname" and Ban = "/mode +b #channel nickname"


How to invite
~~~~~~~~~
"/invite #channel nickname"


How to use colors
~~~~~~~~~~~~~
Well, this is quite easy: just use Ctrl+K, yes press these two buttons at the same time, and a menu will appear to show you
all the colors. They are:
0=white
1=black
2=blue
3=green
4=red
5=brown
6=purple
7=orange
... check the rest with the menu ;)


Shorties ;)
~~~~~~~
Nope, this hasn't got anything to do with the length of something ;) well, actually it has! It is about the length of a word!
To make life easier, ppl (people) in chat use shorties ;) so they won't have to write so much, which saves time; this is the only
reason ;) so if you want to know some, here they are ;):
ppl = people
btw = by the way
brb = be right back
bbl = be back later
omg = oh my god (which is lame and will not be tolerated in our chan!)
h/p/c/a = Hacking, Phreaking, Cracking/Coding, Anarchy
stfu = shut the fuck up
cycle = please leave the channel and join it again! (this is for changing the access level, remember it? If you get voice and
they want to test it, you will have to rejoin; this means that you leave the channel and rejoin it so chanserv will check your
access level.)
oic = ohh I see
ic = I see (hehe what did you think???)
cu = see you
u = you


How to see all channels!
~~~~~~~~~~~~~~~~
"/list" Will show you a list with channels!


What's this privmsg?
~~~~~~~~~~~~~~
Privmsg is a way to speak to somebody privately so that not everybody is able to read it! By simply double clicking someone's
name you will be able to privmsg him! The other command is: "/privmsg #nick : message". As soon as he responds a window
will appear.

Dcc?
~~~~
DCC stands for Direct Client Connections. It allows you to connect to a client directly; this is good for sending a program
or chatting directly. As you should know, to have a direct connection you need an IP to send the info to! So it is possible to get
the IP of someone connecting to you via DCC! First, if he wants to connect he !must! ask, so you will get a box appearing which
informs you that someone wants to chat/send something via DCC. In the status window, which is the first window in the window bar
(first one on the left side), you will see his IP! And the other way round: if you only request to chat/send via DCC to somebody, he will
see your IP, and if you chat to somebody you can find the IP via netstat. This is a program that shows open connections. If you
type "netstat -a" it will show all open connections; the one that says "established" to an IP other than the IRC server you are on will be the
user you are chatting to! Pinging it will give you the IP!


Ctcp?
~~~~~
CTCP stands for Client-to-Client Protocol. It is useful to collect all sorts of information like userinfo, finger, time and ping from the remote
machine. This works the following way:
typing "/ctcp nickname ping" will send a ping to the user and tell you the time that the ping took; "/ctcp nickname
userinfo" will give you some user information, "/ctcp nickname finger" will give you email and such, and "/ctcp nickname time" will
give you the time on the remote machine! If you want to prevent others from getting this information please read the Solution section!
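The CTCP and DCC mechanics described in the last two sections, as an added example that is not code from the FAQ: a small Python handler that pulls CTCP requests out of PRIVMSG lines, answers only PING, stays silent on FINGER, USERINFO and TIME (the queries the text says give away your info), and decodes the IP and port a DCC offer carries. The nick, host and sample lines are constructed, and the reply policy is an assumption, not mIRC's behaviour.

```python
"""CTCP and DCC handling for an IRC client, added example (not from the FAQ).
Shows which CTCP queries disclose information and what a DCC offer carries."""
import re
import socket
import struct
from typing import Optional, Tuple

CTCP_DELIM = "\x01"  # CTCP requests are PRIVMSG text wrapped in 0x01 bytes

# Matches ':nick!user@host PRIVMSG target :text' (the user@host part is optional).
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)(?:!\S+)? PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


def parse_privmsg(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (sender nick, target, text) for a PRIVMSG line, else None."""
    match = PRIVMSG_RE.match(line.rstrip("\r\n"))
    if match is None:
        return None
    return match.group("nick"), match.group("target"), match.group("text")


def ctcp_query(text: str) -> Optional[Tuple[str, str]]:
    """Return (COMMAND, argument) if the message text is a CTCP request."""
    if len(text) >= 2 and text[0] == CTCP_DELIM and text[-1] == CTCP_DELIM:
        command, _, argument = text[1:-1].partition(" ")
        return command.upper(), argument
    return None


def ctcp_reply(line: str) -> Optional[str]:
    """Decide how to answer one inbound line.  Returns the raw line to send (CTCP
    replies go out as NOTICE) or None to stay silent.  Only PING is answered: it
    just echoes the sender's token.  FINGER, USERINFO and TIME get no reply because
    they would hand out e-mail, user text and time zone to anyone who asks."""
    parsed = parse_privmsg(line)
    if parsed is None:
        return None
    nick, _target, text = parsed
    query = ctcp_query(text)
    if query is None:
        return None
    command, argument = query
    if command == "PING":
        return f"NOTICE {nick} :{CTCP_DELIM}PING {argument}{CTCP_DELIM}"
    return None


def dcc_offer_address(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) carried by a DCC CHAT or DCC SEND offer.  The offer
    itself contains the sender's IPv4 address as a 32-bit integer, which is why
    the DCC partner sees your IP."""
    parsed = parse_privmsg(line)
    if parsed is None:
        return None
    query = ctcp_query(parsed[2])
    if query is None or query[0] != "DCC":
        return None
    fields = query[1].split()
    # "CHAT chat <ip> <port>" or "SEND <file> <ip> <port> [size]"
    if len(fields) < 4 or not fields[2].isdigit() or not fields[3].isdigit():
        return None
    ip_int, port = int(fields[2]), int(fields[3])
    if ip_int > 0xFFFFFFFF or port > 0xFFFF:
        return None
    return socket.inet_ntoa(struct.pack("!I", ip_int)), port


# Constructed sample lines (nick, host and token are made up).
SAMPLE_PING = f":peer!user@host.example PRIVMSG me :{CTCP_DELIM}PING 1234567{CTCP_DELIM}"
SAMPLE_FINGER = f":peer!user@host.example PRIVMSG me :{CTCP_DELIM}FINGER{CTCP_DELIM}"
SAMPLE_DCC = f":peer!user@host.example PRIVMSG me :{CTCP_DELIM}DCC CHAT chat 3232235777 1024{CTCP_DELIM}"

if __name__ == "__main__":
    print(ctcp_reply(SAMPLE_PING))        # NOTICE peer :\x01PING 1234567\x01
    print(ctcp_reply(SAMPLE_FINGER))      # None: nothing disclosed
    print(dcc_offer_address(SAMPLE_DCC))  # ('192.168.1.1', 1024)
```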


Congratulations!
~~~~~~~~~
You have made the Newbie stage and will now enter the world of an Average user; life will get more interesting now ;) (btw. nope,
you are no hacker yet! Well, did I say you would be after reading this??? hmm, don't remember, so hehe you will have to read more
tutorials ;)



Attacks on IRC?

Flooding?
~~~~~~~
Flooding is a way to bug a user or even disconnect him from the IRC network. You can find many scripts to do this! The "best" way
to flood is to flood a channel, like by letting random nicknames connect to the network. We don't like to tell you any address since it is
fucking lame to flood a chan with many ppl that didn't even do anything! But I know if you want to flood somebody you can find flooders.


Getting the IP
~~~~~~~~~
Well, it is very hard to get the IP from a user that is intelligent and knows what he is doing, since you can only do this with "/dns nickname",
but many servers that are good deactivate this command! So you can't find the IP that way, and another thing is that you will know how
to "spoof" your IP after reading this text, and so on /dns you will get the wrong IP! The other way is the DCC way, but same thing! You can
use a proxy and so your real IP stays hidden! And normally DCC is only used very seldom and normal people will not allow you to DCC them!
OK, just to let you know, the DCC way is easy, so it works like this:
You DCC (chat/send) somebody and while doing this open command.com and do a "netstat -a", which will show you all active connections
including the one to the victim! This works because DCC is Direct Connect and won't include any servers in the communication. i.e.:
C:\Windows>netstat -a

Active Connections

  Proto  Local Address          Remote Address                Status
  TCP    your_computer:1024     syrios.btinternet.com:1024    Established
  TCP    your_computer:XXXX     irc.box.sk:*                  Established

This would tell you that syrios.btinternet.com is the name of the DCC partner. Ping him like this:
"ping syrios.btinternet.com:1024" and you would have the IP


How to get Infos and how to use them?
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The one way is the normal way to use "/whois nickname" it will give you infos like:
nickname the connection country realname can be faked by just simply entering this in "File->Options"
Channels he is on
nickname is nickname@BOX-26473.proxy.back.edu.de * Why do you ask?
nickname on @#exploiters @#rat @#redsky @#lecture @#newchan #void +#pl3bs_cl4n @#Code @#asm @#c++
nickname using irc.box.sk Box Network IRCD
nickname is a registered and identified nick
nickname has been idle 1min 3secs, signed on Wed Jul 11 14:23:30
nickname End of /WHOIS list.

This user shouldn't be fucked with since he is op in 8 chans, which means he knows much! And if he isn't op he is voice so...
You now know which chans he is on and if he knows what he is up to! You already know how to get the IP so I won't say
this here again! Now we want to show how to use the info from ctcp!
/ctcp nickname ping ---> will just show you if he can be flooded/nuked/oob'ed easily, since his bandwidth can be seen: somebody
with a ping time of 2 seconds will have a really good bandwidth and will be hard to nuke! If I were you I would check it against other
times, ping many people to get an idea about how much time is normal...
/ctcp nickname finger ---> Some users will give you their real mail, which isn't too intelligent in a network of idiots! Someone could
fake mails and send them to a friend if he spies on you and sees who your friends are, and he could mail bomb you and more...
/ctcp nickname time ---> will show you the time; if the time is right you can find out which time zone he is in and so the country
he is in!


How to take over a Chan?
~~~~~~~~~~~~~~~~~~
This is hard; there are some ways but they are damn hard! If it is a non registered chan wait till everybody is out, because the first person
entering a chan is the op! My suggestion is to go to a chan with lamers: if "Master" is op in the chan of "hackkkkers" and "Looser"
is op too, you should change your nick to Master (/nick Master) after he left and come in the chan; perhaps he will make you op,
otherwise tell him that you are at your friend's house and you want op NOW, but since you don't come from your IP at home chanserv
won't give you it, so he shall be quick! (This is of course pure shit but.... who cares ;) But be quick: after one minute (standard, sometimes longer/
shorter) it will change to _Master-, which will show that you are not identified, which means you don't have the password for your username,
which means you aren't the user ;))! After having OP, quickly set the chan to invite only and kick ban everybody!! Ban the founder and
akick everybody! This will be really shit for the founder if he doesn't know much about this shit, otherwise he could easily get back the
chan!


How to get OP's
~~~~~~~~~~~~
Didn't I just tell you?



Solving Problems of attacks from IRC

Anonymous?!
~~~~~~~~~~
Well the term is used for users of the internet that are anonymous, which means you can't really get any information about them, they are
anonymous! ;)


Why to be anonymous?
~~~~~~~~~~~~~~~~~
Well, to not give an easy target to lamers who want to flood you, you should try to hide every piece of information! As you saw above
it is easy to get your IP and all the other stuff, so you should, if you don't want to be flooded or shit ;)

How to be anonymous?
~~~~~~~~~~~~~~~~~
Well this isn't as easy as you might think! You will have to be careful what you say and should hide all the info you don't need to give
away! Without being paranoid, except if you are doing things which others say are illegal, such as taking info that should be free anyway! In
that case I would recommend being paranoid! ;)
You will first have to stop the dcc sends and chats from people you don't know. NEVER EVER accept a dcc send from somebody you
don't know! Think a second: why should somebody that doesn't know you send you a nice program? That would be stupid! It will be a virus
or trojan, so never ever ;).... I mean I don't mind, just if you are new to this you shouldn't! Second you should stop these silly ctcp requests ;)!
Why not spoof the response?! Yeah that's no problem, just some scripts ;)
__________________________________
Begin:
; each event answers the request with a fake reply, then "halt" stops mIRC's built-in reply
; commands on one line must be separated with | ; the .notice just tells you who asked
ctcp *:FINGER:*:{
  .notice $me Received CTCP FINGER from $nick $+ / $+ $site
  ctcpreply $nick FINGER Hello! My name is response I shall tell you something about hmm dunno do you?... | halt
}

ctcp *:PING:*:{
  .notice $me Received PING from $nick $+ / $+ $site
  ctcpreply $nick PING 123456789secs | halt
}

ctcp *:VERSION:*:{
  .notice $me Received VERSION request from $nick $+ / $+ $site
  ctcpreply $nick VERSION hmm QNXHADEW Version 1.0.1.0.1.0.1.0... | halt
}
End
____________________________________
Now just copy everything between Begin and End (important: not "Begin" and "End", only the scripts between), and after copying them
put them into your Remote scripts collection! Don't worry, this is easy: just press Alt+R while you are in mIRC, so start mIRC, press Alt+R and
a window will appear called "mIRC Editor". Paste what you have just copied and you are fine ;) you won't have any ctcp requests anymore!
Next please enter: "/ctcp userinfo set nothing" so now nothing will appear in the userinfo too!
The next thing you should do is to use a proxy! This is quite easy!
Go to a site with lists of proxies like www.multiproxy.org or www.cyberarmy.com/lists/proxy! Now search for proxies and open mIRC;
at startup mIRC will always open a window in which you can enter specific options! To use a proxy go to the "Local Info" field and enter
the proxy where you should enter "Local Host". Leave the "IP Address" field blank but make sure you enable the option below called "IP Address";
leave the rest as it is on the "Local Info" page! Now click on "Firewall" and enable the options "Use Firewall" and "Initiate DCC's through Firewall".
This is important because otherwise people will see your IP through DCC! Enable the option "Proxy" and enter a proxy in the "Hostname" field
and change the Port to the one the proxy is for; you will see that on the site, mostly 80 or 8080 (I only check for 3128 because they work nearly
ALWAYS ;). Now try to connect; if it doesn't work, with an error like "unable to connect Firewall", you will have to try others (this will take a
bit, like about 10 firewall tests, but it is worth the work ;). Should it say unable to connect to "localhost" you will have to change the proxy in
"Local Info", but this is rare!


How to connect if I don't have a client?
~~~~~~~~~~~~~~~~~~~~~~~~~~
You should do it with Telnet, but I tell you this stinks!


Telnet ok, but how?
~~~~~~~~~~~~~~
Start telnet and then click on "Connect", choose an irc server as Hostname, enter 6667 (or the irc port) in the next box and last use vt100 as
terminal type! Connect; when connected type "nick nickname" and press enter, now type "user asd asd asd asd" and enter again! You are now
connected! Joining a channel works like this: "join #channel" and writing in a channel like this: "privmsg #channel : your text here" and to chat
private to somebody type:


How to get back your Chan
~~~~~~~~~~~~~~~~~~~
This depends on how it was fucked up! Following you will see a list with commands to bring back your chan:
If you are Banned:
/chanserv unban #channel
Invite only:
/chanserv invite nickname #channel


How do I prevent users finding out info through ctcp?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Check the topic: "How to be anonymous"


Spoofing Techniques
~~~~~~~~~~~~~~
You can spoof your IP, ctcp replies and many other things. But we will start with the one I told you about. It is the easiest of the spoofing
techniques, the proxy technique, which is mentioned in the section Advanced->How to stay Anonymous. You should understand that. If
you want to spoof your IP in a DCC but use the Direct Client Connection, which means you want to really chat, you will have to activate
the option Firewall->"Initiate DCC's through Firewall", which would hide your IP (which means it would give the IP of the proxy). Another
way to spoof your way for DCC is explained in "Specials->Faked Dcc requests" further down this text. You can also spoof your IP by connecting
through a shell with telnet, for example. Or by using a BNC, which I won't explain here since there are 1000's of tuts out there!

Portwatch with Identd
~~~~~~~~~~~~~~~
Once I wondered about this "Identd request watcher": you know, when you are connected a longer time to irc you get a notice about a
server requesting an Identd. Well, I first thought to fake it but then I said: "Hey, I can change the Identd port, which would show me requests
to other ports". So I changed the Identd port to "79", the finger port, which is actually only used by someone trying to do something he shouldn't.
And really I didn't have to wait too long, I saw a first connection request with IP. So for the people that say hey, this next point is far too complicated
for me, just use this function as a port listener.

Using IRC as Portwatcher
~~~~~~~~~~~~~~~~~~
As I told you above I had this idea with Identd, and further, about a day later I thought hey, why don't I write a socket script that listens to ports
I specify. And so I did. Started up socket programming.... and this is what came out. Just copy and paste the following script to your Remote
script, which you can find the following way. Start mIRC and press "Alt+R" or choose "Tools->Remote..." and paste the following script:

on *:CONNECT:{ socklisten finger 79 }
on *:SOCKLISTEN:finger:{
  ; accept the incoming connection under a temporary name, report who it came from, then drop it
  sockaccept nbactive
  privmsg $me Connection attempt from $sock(nbactive).ip on $sock(nbactive).port to port: $sock(finger).port via $sock(nbactive).type at $time $+ . <-- Socket-Script: Dead Beat. Closing...
  sockclose nbactive
}

To change the watched port just change the "79" to the port you would like to watch.
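The same port-watcher idea in Python, as an added example and not the tutorial's mIRC script: it listens on a port, records the remote address, remote port and time of every inbound connection, and hangs up without sending a byte back. It binds to loopback by default and the loopback_demo self-test uses an ephemeral port, since port 79 needs privileges on Unix hosts; host="0.0.0.0" would watch every interface.

```python
import socket
import threading
from datetime import datetime, timezone

def format_attempt(remote_ip, remote_port, local_port, stamp):
    """One log line per inbound connection, like the mIRC notice in the text."""
    return f"{stamp} connection attempt from {remote_ip}:{remote_port} to port {local_port}"

def watch_port(port, max_connections, host="127.0.0.1", ready=None):
    """Listen on host:port, record each inbound connection, close it at once.

    Nothing is ever sent back, so whoever connects learns nothing about this
    host (no banner, no service). Returns the log lines after max_connections.
    Binding port 79 (anything below 1024) needs privileges on Unix hosts;
    host="0.0.0.0" watches every interface instead of loopback only.
    """
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(8)
        local_port = srv.getsockname()[1]        # real port when port=0 was requested
        if ready is not None:                    # tell a waiting caller where we listen
            ready["port"] = local_port
            ready["event"].set()
        for _ in range(max_connections):
            conn, (remote_ip, remote_port) = srv.accept()
            stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
            records.append(format_attempt(remote_ip, remote_port, local_port, stamp))
            conn.close()                         # hang up: no reply, no fingerprint
    return records

def loopback_demo(attempts=2):
    """Constructed self-test: run the watcher on an ephemeral loopback port and
    poke it `attempts` times from this same process, so every recorded remote
    address is 127.0.0.1. Returns the watcher's log lines."""
    ready = {"event": threading.Event(), "port": None}
    result = {}

    def run():
        result["records"] = watch_port(0, attempts, ready=ready)

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    if not ready["event"].wait(timeout=5):
        raise RuntimeError("watcher did not start")
    for _ in range(attempts):
        with socket.create_connection(("127.0.0.1", ready["port"]), timeout=5):
            pass                                 # connect and hang up, like a port probe
    worker.join(timeout=10)
    return result.get("records", [])

if __name__ == "__main__":
    for line in loopback_demo():
        print(line)
```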


Attacks

Faked Dcc requests
~~~~~~~~~~~~~
Well this is an easy technique you can use for many tricks, but I changed this trick into an attack. Anyway, this is how it works:
When you try to request a dcc chat/send connection you will first tell the irc-server to do this for you and to forward your hostname/IP,
which means it's very extremely easy to fake DCC requests! But don't forget, after him accepting he could easily find out your real IP through
the netstat technique, and since you faked the dcc request it shouldn't work (it=the connection). So now the attack. Let us presume you don't
like the nick "I_am_kewl", so you find out his IP with the tricks explained above. Then next you connect to the irc server and change your
nick and ident as well as your Email so nobody would know it's you! Best you use a proxy too! And disable the function "Initiate DCC's through
Firewall" in the Firewall option. And clear your "Local Host" field in the options of "Local Info", activate the option "IP Address" beneath
"On Connect always get:" and activate the "Lookup method:" "Normal". Next type the IP of your victim - in this case the IP of "I_am_kewl" -
in the "IP Address:" field beneath "Local Host:". Next connect and let's say you call yourself "hee_man" and you know that the user of nick "admin"
is able to DoS somebody, in knowledge and bandwidth, so you chat to him with your real nick and tell him some guy is trying to dcc flood you.
Next you (in this case your faked dcc nick "hee_man") start many dcc send and chat requests! Then he will ask you (the real nick) if this guy
flooding you is called "hee_man"; you of course say "yeah! that's him" with your real nick. Then tell him that you would like to DoS him but you can't
since you are on a 56K modem and you don't have any code or time to do such a thing. Then he will say hey, I'll do it. And since he will flood the
faked IP of your "hee_man", which is the IP of "I_am_kewl", he will flood "I_am_kewl" and DoS him, perhaps so he'd be dead ;) This is a long
trick and hard, and it's unlikely that this will all happen like in this example, but I just wanted to show you the trick in connection with a nice example.

Anyway, I hope you like the tutorial; should you have any questions on one of these topics, don't ask me via mail, just catch me on irc. If you have
any ideas that I should add, mail me. Should you be searching for any more cool tutorials check:
http://ugw.advknowledge.net/ or http://www.undergroundworld.de.vu/.
That's it, thank you for your time

Scanning Networks

By: Krishna

Scanning helps one to know what services are running on a machine. This will show the open ports on which services are listening for connections.

First we will determine whether the target machine is alive or not. This can be done by sending an ICMP echo request packet to the server. The server would respond with an ICMP echo reply, showing that it's alive. Doing this on a range of hosts or IP addresses is known as a ping sweep. Of the many methods used, we will look at ICMP ping and echo port ping.

ICMP ping

Your machine will send an ICMP echo request (type 8) to the target machine and it will respond with an ICMP echo reply (type 0) if it is alive. You can use the Unix ping command to do this:


[root@ns2 root]# ping -c 3 66.218.71.86
PING 66.218.71.86 (66.218.71.86) from 203.41.193.140 : 56(84) bytes of data.
64 bytes from 66.218.71.86: icmp_seq=1 ttl=51 time=207 ms
From 203.41.193.137: icmp_seq=2 Redirect Host(New nexthop: 202.5.165.81)
64 bytes from 66.218.71.86: icmp_seq=2 ttl=51 time=204 ms
64 bytes from 66.218.71.86: icmp_seq=3 ttl=51 time=203 ms

--- 66.218.71.86 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2019ms
rtt min/avg/max/mdev = 203.938/205.171/207.287/1.503 ms
[root@ns2 root]#

At the end it will give you a summary showing the number of packets sent and received and the percentage of packet loss.

Echo port ping

This makes use of the echo service running on the target machine, which listens on port 7. Whatever you send to it will be echoed back to you. So if you see that it echoed back what you sent, you can be sure that the target machine is alive.

Two interesting tools on Linux are Fping and Nmap.

Fping

Fping sends multiple ICMP echo request packets simultaneously and processes the replies as they arrive. This makes ping sweeps faster. Fping can be fed a single IP address or a file containing a list of IP addresses.

[root@Krishna]# fping -a -g 203.122.1.0 203.122.1.80
203.122.1.9
203.122.1.26
203.122.1.37
203.122.1.47
203.122.1.54
203.122.1.42
203.122.1.68
203.122.1.80
[root@Krishna]#

Type fping -h for a full listing of available options.

Nmap

Nmap is a powerful tool that can do a lot more than ping sweeps.
To use nmap for ping sweeping, use the -sP argument.
[root@ns2 root]# nmap -sP 203.122.58.0/24

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (203.122.58.1) appears to be up.
Host (203.122.58.2) appears to be up.
Host (203.122.58.5) appears to be up.
Host (203.122.58.6) appears to be up.
Host (203.122.58.9) appears to be up.
Host (203.122.58.10) appears to be up.
Host (203.122.58.13) appears to be up.
Host (203.122.58.14) appears to be up.
caught SIGINT signal, cleaning up
[root@ns2 root]#

If ICMP is blocked on the firewall of the target machine, additional techniques can be used to determine whether systems are alive.
Nmap provides an advanced option called TCP ping scan. It is initiated with the argument -PT followed by a port number such as port 80, since packets to this port are allowed by many firewalls and border routers through to the systems in their demilitarized zone (DMZ).

[root@ns2 root]# nmap -sP -PT80 203.122.58.0/24

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (203.122.58.1) appears to be up.
Host (203.122.58.2) appears to be up.
Host (203.122.58.5) appears to be up.
Host (203.122.58.6) appears to be up.
Host (203.122.58.9) appears to be up.
Host (203.122.58.10) appears to be up.
Host (203.122.58.13) appears to be up.
Host (203.122.58.14) appears to be up.
caught SIGINT signal, cleaning up
[root@ns2 root]#

Icmpenum

This tool is from Simple Nomad (http://www.nmrc.org/project/misc/icmpenum-1.1.1.tgz).
Even if the border router or firewall blocks ICMP echo packets, whether a system is alive can be determined by looking for a different ICMP type, like ICMP timestamp request and ICMP info request.
[krishna]# icmpenum -i2 -c 192.168.1.0

In the above example, we enumerated the entire 192.168.1.0 class C network using an ICMP timestamp request. Icmpenum can send spoofed packets to avoid detection. Use the s argument to send spoofed packets and passively listen for responses with the p switch.

Icmpquery

Icmpquery can be found at http://packetstormsecurity.com/UNIX/scanners/icmpquery.c
Ping sweeps make use of ICMP echo packets, but there are many more types of ICMP packets which can be used to gather valuable information about the system. For example you can request the time on a system by sending an ICMP type 13 message (TIMESTAMP), and you can request the netmask of a particular device with an ICMP type 17 message (ADDRESS MASK REQUEST).
To query a router's time, you can run the command:
[root@ns2 files]# ./icmpquery -t 213.206.75.252
213.206.75.252 : Sun Jun 8 16:46:30 2003
[root@ns2 files]#

and to query a router's netmask, use

[Krishna]# icmpquery -m 213.206.75.252

Windows tools:

To do ping sweeps in Windows, try the freeware Pinger from Rhino9 (http://nmrc.org/snt).
Some other tools for Windows are:
Ping Sweep from Solarwinds (http://www.solarwinds.net)
WS_Ping ProPack (http://www.ipswitch.com)
NetScan Tools (http://www.nwpsw.com)

Port Scanning:

Port scanning is the process of connecting to TCP and UDP ports on the target system to determine what services are running or in a listening state. Identifying listening ports is essential to determine the type of operating system and application in use on the system.

Types of port scanning:
1. TCP connect scan: This type of scan connects to the target port and completes a full three-way handshake (SYN, SYN/ACK and ACK).
2. TCP SYN scan: This is also called half-open scanning because it does not complete the three-way handshake. Instead a SYN packet is sent; if a SYN/ACK packet comes back, the target port is in a listening state, and if an RST/ACK packet is received, the port is not listening.
3. TCP FIN scan: This technique sends a FIN packet to the target port; based on RFC 793 the target system should send back an RST for all closed ports.
4. TCP Xmas Tree scan: This technique sends a packet with FIN, URG and PUSH set to the target port; based on RFC 793 the target system should send back an RST for all closed ports.
5. TCP Null scan: This technique turns off all flags; based on RFC 793, the target system should send back an RST for all closed ports.
6. TCP ACK scan: This technique is used to map out firewall rulesets. It can help determine whether the firewall is a simple packet filter allowing only established connections or a stateful firewall performing advanced packet filtering.
7. TCP Window scan: This type of scan can detect both filtered and non-filtered ports on some systems, due to an anomaly in the way the TCP window size is reported.
8. TCP RPC scan: This technique is specific to UNIX systems and is used to detect and identify Remote Procedure Call (RPC) ports and their associated program and version number.
9. UDP scan: This technique sends a UDP packet to the target port. If the target port responds with an "ICMP port unreachable" message, the port is closed; if not, the port is open. This is a slow process since UDP is a connectionless protocol, and the accuracy of this technique depends on many factors related to utilization of network and system resources.
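As an added example (not part of Krishna's text), here is a detector that runs over constructed connection records and flags the scan types listed above from the defender's side: the RFC 793 probe packets (Null, Xmas, FIN), a half-open SYN scan (SYN then RST from the source with no ACK ever sent), a vertical port scan, and a ping sweep. The log format, the thresholds and the addresses are all assumptions made up for this example.

```python
from collections import defaultdict

# Constructed example: connection records in a simplified, made-up firewall log format
#   <seconds> <src> <dst> <proto> <dport> <tcp-flags>
# Flags use nmap-style letters (S A F P U R); '-' means no flags set. Addresses are
# RFC 5737 documentation ranges, not real hosts.

def build_sample_log():
    """Constructed sample: one SYN scan, three RFC 793 probes, one sweep, one real client."""
    lines, t = [], 0.0
    for port in (21, 22, 23, 25, 80, 110):        # half-open scan: SYN, then RST, never an ACK
        lines.append(f"{t:.1f} 198.51.100.7 192.0.2.10 TCP {port} S")
        lines.append(f"{t + 0.1:.1f} 198.51.100.7 192.0.2.10 TCP {port} R")
        t += 0.2
    lines += [
        "5.0 198.51.100.9 192.0.2.10 TCP 80 FPU",  # Xmas tree probe
        "5.1 198.51.100.9 192.0.2.10 TCP 443 -",   # Null probe
        "5.2 198.51.100.9 192.0.2.10 TCP 25 F",    # FIN probe
    ]
    for host in range(1, 5):                        # ICMP echo ping sweep across four hosts
        lines.append(f"6.{host} 203.0.113.4 192.0.2.{host} ICMP 0 -")
    lines += [
        "9.0 192.0.2.50 192.0.2.10 TCP 80 S",      # ordinary client: full handshake
        "9.1 192.0.2.50 192.0.2.10 TCP 80 A",
        "9.2 192.0.2.50 192.0.2.10 TCP 80 PA",
    ]
    return "\n".join(lines)

def parse_line(line):
    t, src, dst, proto, dport, flags = line.split()
    return {"t": float(t), "src": src, "dst": dst, "proto": proto, "dport": int(dport),
            "flags": frozenset() if flags == "-" else frozenset(flags)}

def flag_signature(flags):
    """Flag sets no real client sends on a fresh connection: the RFC 793 probes above."""
    return {frozenset(): "NULL", frozenset("FPU"): "Xmas", frozenset("F"): "FIN"}.get(flags)

def detect_scans(log_text, port_threshold=5, host_threshold=4):
    """Return sorted alert strings for the scan patterns described in the text."""
    alerts = set()
    ports = defaultdict(set)   # (src, dst)        -> distinct TCP ports probed
    hosts = defaultdict(set)   # src               -> distinct destination hosts touched
    flows = defaultdict(set)   # (src, dst, dport) -> union of TCP flags the source sent
    for line in log_text.splitlines():
        if not line.strip():
            continue
        p = parse_line(line)
        hosts[p["src"]].add(p["dst"])            # ICMP and TCP both count towards a sweep
        if p["proto"] != "TCP":
            continue
        ports[(p["src"], p["dst"])].add(p["dport"])
        flows[(p["src"], p["dst"], p["dport"])] |= p["flags"]
        sig = flag_signature(p["flags"])
        if sig:
            alerts.add(f"{sig} scan probe from {p['src']} to {p['dst']}:{p['dport']}")
    # Vertical scan: one source touching many ports on one host.
    for (src, dst), probed in ports.items():
        if len(probed) >= port_threshold:
            alerts.add(f"port scan: {src} probed {len(probed)} ports on {dst}")
    # Sweep: one source touching many hosts (ICMP echo or TCP ping alike).
    for src, targets in hosts.items():
        if len(targets) >= host_threshold:
            alerts.add(f"sweep: {src} touched {len(targets)} hosts")
    # Half-open (SYN) scan: SYN and RST from the source, but it never sent an ACK.
    half_open = defaultdict(int)
    for (src, dst, _port), sent in flows.items():
        if "S" in sent and "R" in sent and "A" not in sent:
            half_open[(src, dst)] += 1
    for (src, dst), n in half_open.items():
        alerts.add(f"half-open (SYN) scan: {src} -> {dst}, {n} ports reset without ACK")
    return sorted(alerts)
```

Run detect_scans(build_sample_log()) to see the six alerts the sample produces; the ordinary client on port 80 produces none.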

We will now discuss some of the more popular and time-proven port scanners.

Strobe

Download it from
ftp://ftp.rpmfind.net/linux/redhat/7.1/en/powertools/i386/RedHat/RPMS/strobe-1.04-8.i386.rpm

It is one of the fastest and most reliable TCP scanners, and it can also grab the banner of a particular port. Strobe is a TCP-only scanner and does not provide UDP scanning capability; since it completes full TCP connections, it can be easily detected by the target machine.

[root@ns2 files]# strobe 213.206.75.252
strobe 1.04 (c) 1995-1997 Julian Assange ( proff@suburbia.net).
213.206.75.252 21 ftp File Transfer [Control] [96,JBP]
-> 220-FTP server ready.\r\n
-> 220 Only anonymous FTP is allowed here\r\n
213.206.75.252 80 http www www-http World Wide Web HTTP
www World Wide Web HTTP [TXL]
[root@ns2 files]#


For a UDP port scanner try udp_scan from SATAN (Security Administrator Tool for Analyzing Networks).

Netcat

This is known as the Swiss army knife of the security toolkit. It provides both TCP and UDP scanning capabilities. The -v and -vv options provide verbose output, the -z option is used for port scanning, and the -w2 option provides a timeout value for each connection. By default nc uses TCP ports; the -u option is used to specify UDP scanning.

[root@ns2 files]# nc -v -z -w2 203.122.61.154 1-140
ns2.spectra.com [203.122.61.154] 111 (sunrpc) open
ns2.spectra.com [203.122.61.154] 80 (http) open
ns2.spectra.com [203.122.61.154] 53 (domain) open
ns2.spectra.com [203.122.61.154] 23 (telnet) : No route to host
[root@ns2 files]#

[root@ns2 files]# nc -u -v -z -w2 203.122.61.154 1-140
ns2.spectranet.com [203.122.61.154] 132 (?) open
ns2.spectranet.com [203.122.61.154] 131 (?) open
ns2.spectranet.com [203.122.61.154] 130 (?) open
ns2.spectranet.com [203.122.61.154] 129 (?) open
ns2.spectranet.com [203.122.61.154] 128 (?) open
ns2.spectranet.com [203.122.61.154] 127 (?) open
ns2.spectranet.com [203.122.61.154] 126 (?) open
punt!
[root@ns2 files]#

Network Mapper (nmap)

Nmap from http://www.insecure.org/nmap is an all-in-one tool. To see the full list of options use

[root@ns2 files]# nmap -h

[root@ns2 files]# nmap -sP 192.168.0.172

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host ns2.krishna.com (192.168.0.172) appears to be up.
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
[root@ns2 files]#


Nmap allows you to enter ranges in CIDR (Classless Inter-Domain Routing) block notation. -oN will save the output in a human-readable format and -oM saves it in a tab-delimited file.
[root@ns2 files]# nmap -sF 203.122.58.0/24 -oN outfile

Windows based port scanners

NetScanTools Pro 2000 http://www.nwpsw.com
SuperScan http://www.foundstone.com/rdlabs/termsofuse.php?filename=superscan.exe
WinScan: http://www.prosolve.com
IpEye http://www.ntsecurity.com
NetCat http://www.atstake.com/research/tools/nc11nt.zip
WUPS http://www.ntsecurity.nu
Fscan http://www.foundstone.com/rdlabs/termsofuse.php?filename=fscan.exe

Krishna
http://www.KrisinDigitalAge.com