Tuesday, October 30, 2007

Port Scanning

The purpose of this blog entry is to give the reader an introduction to port scanning, some examples of tools used to perform port scanning and some examples of where port scanning may be useful.

What is Port Scanning?

Port scanning is where a port or a range of ports is scanned to find out if they are open or closed and what service or program is listening on each port.

I should also point out that port scanning can cause devices to crash or may have other unintentional effects. A service may hang or become unresponsive, or a printer may print out garbage. So always get permission, be aware of the effects if scanning production systems and know your tools.

Why Port Scan?

A good port scanner such as nmap will often be able to identify whether a port is open, closed or filtered by a firewall and, if open, details of the program listening on that port. This information is very useful to both a systems administrator and an attacker. From a system administration point of view you may want to test firewall rules. Or, if you were to discover an unauthorised program such as a trojan on your network that is listening on a port, you may want to see if other hosts are also affected. Also, when hardening hosts, a port scan of that host is very useful to look for open ports.

From an attacker's point of view, he may want to discover what programs or services are on a host to identify its role or to see if these programs are vulnerable to a known exploit.

What is a Port?

Often the analogy used to describe a port is that of a window in a house. Think of your computer as a house and each window or door as a port. Now, the port can either be open or closed: if it's closed nothing can get in through that port; if it's open, it will have a program listening that will accept connections through the port. There are 2 types of port, TCP and UDP, and there are 65536 (0-65535) ports of each type.

Port scanning is akin to rattling the windows and doors to see if any of them are open.

Common Ports

Certain programs and services have standard ports they listen on, such as web servers listening on TCP port 80. This is so your browser knows where to go by default when browsing to a web page with HTTP. DNS knows to listen on UDP port 53 and Telnet knows to use TCP port 23. The ports in the range 0-1024 are reserved for use by the computer for standard programs such as FTP, Telnet, DNS, SNMP, SMTP etc., and ports above this range, known as ephemeral ports, can then be set up with other services such as MSRDP on port 3389 or MSSQL on 1334. It is useful to note that almost any service can be set up to listen on almost any port, and in almost all cases the port that a packet is destined for (destination port) is not the port it will go out on (source port).

The link below provides details of known port assignments:


Knowledge of the standard port assignments is very useful when port scanning as it will help you to recognise the ports you are interested in and avoid scanning an entire range, which may trigger an IDS or IPS. However, it should be noted that in some situations it may be necessary to scan the entire range because, as I said, most services can be set to listen on non-standard ports.


Tools may vary depending on the platform you are using. There are many good port scanners out there but the one I prefer is Nmap by Fyodor. Nmap should work under both Windows and Linux, however I find it screws up my network card under Windows so I will often use sl from Foundstone or, if I require a GUI, I'll use SuperScan4. Netcat can also be used to port scan if you get in a pinch but has limitations. There are plenty of other scanners out there but in this blog entry I'll stick mostly with Nmap. I'll briefly cover the syntax of ScanLine and Netcat also.


Nmap is a network exploration tool and port scanner. It was created by Fyodor and can be downloaded from www.insecure.org free of charge. I have always had issues with the Win32 port of Nmap so I have only used it from Linux. Nmap is available for most Linux distributions.

One thing to be aware of when using Nmap is that it will ping the target before it scans to see if it is up. If the target is blocking ICMP the scan may fail. This initial ping can be prevented by using the -P0 switch, which will then allow Nmap to continue the port scan.

When specifying a target the following syntax can be used:

nmap target option

The target is the host or network to be scanned and the options are the list of ports and type of scan. target can be entered as a hostname (www.yahoo.com), the IP address (, or CIDR addressing ( Nmap can also be told to use an input file for target specification. There are additional methods of target specification listed in the Nmap man pages.

Options can select the scan type (SYN scan, ACK scan, list scan etc.), turn off certain functions such as DNS resolution or ping, set the output format such as XML or text file, enable OS or version detection, set up scanning through an FTP server or another host, or select the ports to be scanned. Ports can be entered as a list (-p 21,23,80) or as a range (-p 1-1024,3389,5000) or by port type for UDP or TCP (-p U:161,53 T:80,443).

The following are some basic examples of Nmap scans.

1. Ping Scan (ping sweep)

nmap -sP

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:23 GMT
Host appears to be up.
MAC Address: 00:0C:F1:5E:0B:05 (Intel)
Host appears to be up.
MAC Address: 00:30:C1:21:0B:9C (Hewlett-packard)
Host appears to be up.
MAC Address: 00:E0:81:6C:94:53 (Tyan Computer)
Host appears to be up.
MAC Address: 00:60:B0:20:D0:C0 (Hewlett-packard CO.)
Host appears to be up.
MAC Address: 00:00:84:AE:70:BF (Ricoh Company)
Nmap finished: 256 IP addresses (5 hosts up) scanned in 5.398 seconds

This scan was used to quickly identify hosts that are up on a particular range of IP addresses.

2. Basic Host Scan


Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:13 GMT
Interesting ports on
(The 1666 ports scanned but not shown below are in state: closed)
open ftp
open telnet
open http
open http-mgmt
open https
open printer
open ipp
9100/tcp open
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)

This scan performs a TCP connect scan of a selected host. This scan would likely be picked up by an IDS. The basic scan would scan all ports numbered 1024 and below, plus certain high numbered ports listed in the nmap-services file. This file can be customised for your own environment. To perform a fast scan use the -F switch. This will just scan ports listed in the nmap-services file. Nmap will also automatically randomise the ports to be scanned; this can be disabled with the -r switch.

3. Version Scan

nmap -sV -p 23

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:14 GMT
Interesting ports on
23/tcp open
telnet HP JetDirect printer telnetd (No password)
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Service Info: Device: printer
Nmap finished: 1 IP address (1 host up) scanned in 2.059 seconds

This scan picked a particular port and attempted to enumerate the service listening on that port.

4. OS Scan

nmap -O -p 23,81

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:16 GMT
Interesting ports on
23/tcp open
81/tcp closed hosts2-ns
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Device type: print server
Running: HP embedded
OS details: HP printer w/JetDirect card
Uptime 74.890 days (since Wed Aug 15 16:55:33 2007)
Nmap finished: 1 IP address (1 host up) scanned in 2.579 seconds

This scan performed an OS scan on the host and correctly identified it as a HP Printer.

5. SYN Scan (Half-Open Scan)

nmap -sS -p 23,80

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:17 GMT
Interesting ports on
23/tcp open
80/tcp open
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 0.440 seconds

This scan performed a half-open scan (-sS) on ports 23 & 80. Half-open means that a full TCP connect scan was not completed. A SYN packet was sent from Nmap followed by a RST packet if a SYN/ACK was received (indicating an open port). If a RST packet was received by Nmap the port will be listed as closed. You must have root permissions to perform a SYN scan otherwise the scan will drop down to a full TCP Connect scan. SYN scans are relatively stealthy and are very fast for the reasons already mentioned. If Nmap receives no response or if an ICMP unreachable is received by Nmap the port is marked as filtered.

6. Stealthy Scan

nmap -sS -p 23,80 -T 1

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:22 GMT
Interesting ports on
23/tcp open
80/tcp open
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 45.422 seconds

This scan performs a half-open scan but the packets are sent at a very slow rate (-T 1). This is to avoid detection by an IDS. Note the time that Nmap took to scan compared to the previous examples.
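Seen from the monitoring side, the two scans above (half-open, and half-open with slow timing) look like this. The following is an added example, not part of the original post: it classifies each SYN by the reply it received, as described for the SYN scan, and shows why a per-window SYN counter misses the slow scan while counting unfinished handshakes per source does not. The packet records, addresses, thresholds and function names are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample capture: (time_s, src, dst, sport, dport, tcp_flags).
# Flags: S=SYN, A=ACK, R=RST. Addresses are RFC 5737 documentation ranges.
PACKETS = [
    # A normal client completes the three-way handshake to port 80.
    (0.0, "192.0.2.10", "198.51.100.5", 40000, 80, "S"),
    (0.1, "198.51.100.5", "192.0.2.10", 80, 40000, "SA"),
    (0.2, "192.0.2.10", "198.51.100.5", 40000, 80, "A"),
    # A slow half-open scan: one probe every 15 s, RST after each SYN/ACK.
    (1.0, "192.0.2.66", "198.51.100.5", 50001, 23, "S"),
    (1.1, "198.51.100.5", "192.0.2.66", 23, 50001, "SA"),
    (1.2, "192.0.2.66", "198.51.100.5", 50001, 23, "R"),
    (16.0, "192.0.2.66", "198.51.100.5", 50002, 80, "S"),
    (16.1, "198.51.100.5", "192.0.2.66", 80, 50002, "SA"),
    (16.2, "192.0.2.66", "198.51.100.5", 50002, 80, "R"),
    (31.0, "192.0.2.66", "198.51.100.5", 50003, 81, "S"),
    (31.1, "198.51.100.5", "192.0.2.66", 81, 50003, "RA"),  # closed port
    (46.0, "192.0.2.66", "198.51.100.5", 50004, 443, "S"),  # no reply at all
]


def classify_flows(packets):
    """Return {(client, server, sport, dport): outcome} for every SYN seen."""
    flows = {}
    for _ts, src, dst, sport, dport, flags in sorted(packets):
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags == "S":
            # Bare SYN: a new attempt. It stays "filtered" unless a reply arrives.
            flows[fwd] = "filtered"
        elif rev in flows:
            # Packet travelling from the server back to the client.
            if flags == "SA":
                flows[rev] = "synack"        # port open, handshake pending
            elif "R" in flags and flows[rev] == "filtered":
                flows[rev] = "closed"        # RST straight back: port closed
        elif fwd in flows and flows[fwd] == "synack":
            # Client follow-up: a RST here is the half-open signature.
            flows[fwd] = "half_open" if "R" in flags else "completed"
    return flows


def find_scanners(packets, min_ports=3):
    """Sources that probed >= min_ports ports without finishing a handshake."""
    per_src = defaultdict(lambda: defaultdict(set))
    for (client, server, _sport, dport), outcome in classify_flows(packets).items():
        if outcome != "completed":
            per_src[client][outcome].add((server, dport))
    report = {}
    for src, outcomes in per_src.items():
        if sum(len(v) for v in outcomes.values()) >= min_ports:
            report[src] = {k: sorted(p for _, p in v) for k, v in outcomes.items()}
    return report


def rate_based_alert(packets, window_s, min_syns):
    """Naive threshold: sources sending >= min_syns SYNs within window_s seconds."""
    times = defaultdict(list)
    for ts, src, _dst, _sport, _dport, flags in sorted(packets):
        if flags == "S":
            times[src].append(ts)
    hits = set()
    for src, ts_list in times.items():
        for i, start in enumerate(ts_list):
            if sum(1 for t in ts_list[i:] if t - start <= window_s) >= min_syns:
                hits.add(src)
    return hits


if __name__ == "__main__":
    print("5 s window, 3 SYNs:", rate_based_alert(PACKETS, 5, 3))
    print("handshake state   :", find_scanners(PACKETS))
```

The state-based count has no time window, so slowing the scan down only delays the alert; the cost is that flow state has to be kept for as long as you want to correlate.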

7. Idle Scan (Zombie Scan)

nmap -p 23 -T 2 -sI -P0

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:29 GMT
Idlescan using zombie (; Class: Incremental
Interesting ports on
23/tcp open
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 7.650 seconds

In this example Nmap has used another host (-sI to perform the scan on behalf of the attacker. The way this works is Nmap sends a packet to the Zombie to check the IP ID and then sends its scan to Target but spoofs the IP of the Zombie ( Nmap then checks the IP ID of the Zombie to see how much it has increased by. This tells Nmap whether the port was open or closed due to the response (ACK or RST) sent from the real target to the zombie. It has also prevented nmap from pinging the host (-P0) at the beginning of the scan.

Useful Nmap Options

-sT: Full TCP connect scan.

-sS: SYN scan. Stealthier than a TCP connect scan.

-sF: FIN scan. Stealthy. A RST indicates the port is closed.

-sR: Scans RPC services and attempts to identify listening programs.

-sI: Idle scan.

-b: Bounces the scan off an FTP server.

-sX: Xmas tree scan. All flags are set. A RST indicates a port is closed, no response may mean the port is open.

-sU: Scan for status of UDP ports.

-sL: Performs a list scan. Will attempt to perform a reverse lookup of hosts.

-sP: Ping scan, not a scan as such but can be used initially to locate alive hosts.

-O: OS Fingerprinting.

-sV: Identifies the service and version in some cases.

-A: Both version and OS fingerprinting.

-T 1: Timing is slow (1). Can be increased to 2, 3, 4 or 5 (5 being the fastest)

-sA: TCP ACK scan. This may get through certain packet filtering devices.

-iL : Input from list of hosts/networks

-sP: Ping Scan - go no further than determining if host is online

-n/-R: Never do DNS resolution/Always resolve [default: sometimes]

-p : Only scan specified ports

Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080

-r: Scan ports consecutively - don't randomize

-D: : Cloak a scan with decoys

-S: : Spoof source address

-e: : Use specified interface

-g/--source-port : Use given port number


-oN/-oX/-oS/-oG : Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.

-oA: : Output in the three major formats at once

-v: Increase verbosity level (use twice for more effect)


ScanLine (sl)

ScanLine does not have anywhere near the same amount of functionality as a tool such as Nmap, but it can be used to quickly identify if a port is open or a host is up. To perform a basic scan with ScanLine (sl) use the following syntax:


This will ping the host and perform a basic scan of known ports. Below is the result.

ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
Scan of 1 IP started at Thu Oct 25 21:51:36 2007
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
TCP ports: 21 80 1723
UDP ports:

We can see from the result that it has found open TCP ports 21, 80 and 1723.

As some devices are configured to drop ICMP, sl may assume the host is not up if it gets no response and quit. To prevent this use the -p option. The -t or -u option can also be specified followed by port numbers to address only certain ports. Below is an example of this.

sl -vpbt 80

ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
Adding IP
Banner grabbing enabled.
No pinging before scanning.
Scan of 1 IP started at Thu Oct 25 22:01:16 2007
Scanning 1 IP...
Responds with ICMP unreachable: No
TCP ports: 80
TCP 80:
[HTTP/1.0 401 Unauthorized Access Denied]
Scan finished at Thu Oct 25 22:01:16 2007
1 IP and 1 port scanned in 0 hours 0 mins 0.05 secs

Above you can see that I have discovered a web server listening on port 80.

You can also specify a range of ports or addresses to sl such as:

sl -pt 21,23,80-250

The output of a scan can also be written to a file using the -o switch followed by a filename.

For additional info on the other switches available use sl /?


Netcat can do pretty much anything, from acting as a proxy, transferring files or serving as a chat client or a backdoor to, yes, port scanning. Now, it's not fast and it's not pretty but it'll do it. The syntax is below.

nc -vv -z -n -w1 23 80 34

And the output is:

(UNKNOWN) [] 23 (?): connection refused
(UNKNOWN) [] 80 (?) open
sent 0, rcvd 0: NOTSOCK

So I can see that I have open ports 23 and 80.


Tuesday, October 23, 2007

Forensics - Disk Imaging

For one reason or another you may want to make a copy of a hard disk. I will describe methods to create a bit-for-bit copy of a hard disk either to a local device or over a network.

The thing to remember throughout the examples listed below is that Linux thinks of everything as a file. So the file it sees as hda in the /dev directory is actually the hard disk.

The following software will be used in the examples listed below.

  • A bootable live Linux distro that does not auto-mount drives, such as Helix
  • dd
  • nc
  • split
  • md5sum
  • cat

dd, nc, md5sum, cat and split are available on Linux and Windows.

Regarding hardware you will require the following.

  • 2 x Computers (if creating a copy across a network)
  • USB thumb drive
  • USB hard drive (If creating the image to a USB hard drive)

Example 1 – A Copy Across A Network

To make a copy across a network you will need 2 computers, the target computer, Computer01, and the computer you will be copying to, Computer02.

  1. Insert the Linux boot disk into Computer01 and boot the system into Linux.
  2. Insert the USB thumb drive; if this doesn't automatically mount it will require mounting. In my examples below I will assume it is /dev/sdb1 and has been mounted as /media/USB.
  3. Locate the disk you want to copy in the /dev directory. In my examples the hard disk will be called hda; yours may be something similar.
  4. Using the command md5sum /dev/hda >/media/USB/diskimage_md5hash.txt create an MD5 hash of the drive on the mounted USB drive so you can test this against the copied file to verify the integrity.
  5. On Computer02 make sure you have enough disk space to accommodate a file the size of the disk you are going to copy and, using netcat (nc), run the command:

nc -L -p 6677 >c:\diskimage.img

What you have done here is to set up netcat (nc) to listen persistently (-L) on port 6677 (-p 6677) and send the output to a file on C:\ of Computer02 (>c:\diskimage.img).

  6. From Computer01 run the following command:

dd if=/dev/hda | nc 6677

This command assumes that the IP address of Computer02 is By running this command you will be copying the input file /dev/hda (if=/dev/hda) from Computer01 to C:\diskimage.img on Computer02 using netcat (nc).

  7. Finally, after the copy has finished you can run md5sum on Computer02 against the C:\diskimage.img file on Computer02 and compare this to the md5sum taken earlier to verify the copies are identical.

Example 2 – A Local Copy to a USB Storage Device

In this example you will need only the Target PC and a USB storage device large enough to hold the image.

  1. Insert the Linux boot disk into the computer and boot the system into Linux.
  2. Connect the USB storage device; if this doesn't automatically mount it will require mounting. In my examples below I will assume it is /dev/sdb1 and has been mounted as /media/USB.
  3. Locate the disk you want to copy in the /dev directory. In my examples the hard disk will be called hda; yours may be something similar.
  4. Using the command md5sum /dev/hda >/media/USB/diskimage_md5hash.txt create an MD5 hash of the drive on the mounted USB device so you can test this against the copied file to verify the integrity.
  5. Run the following command:

dd if=/dev/hda of=/media/USB/diskimage.img

This will copy the disk as a file onto the USB storage device as diskimage.img.

  6. Create another md5 hash of the image on the storage device and compare to the original to verify the integrity of the copy.

The result of both of the examples above is a forensically sound image of the hard disk.

Advanced Usage of dd for Imaging

Whilst using the methods above you may come across issues. For example, the PC may not be able to read some of the sectors of the drive you are copying, the file may need splitting to fit onto CDs, or the image may need splitting to fit on a device that is FAT32 and requires files to be smaller than 2GB.

Copying an image from a disk with bad sectors

When imaging a drive that is starting to have some bad sectors the command below can be used.

dd if=/dev/hda of=/media/USB/diskimage.img conv=noerror,sync

This will allow dd to proceed past read errors, and pad the destination with 0's where there were errors on the source drive (so your size and offsets will match). If you do this, you may want to consider redirecting standard-error out to a file, so you have a record of where your errors were.

Splitting images

This can be done using a couple of different methods.

The easiest method is by using the split program. The syntax for the command if you required a 4GB image to fit on CDs would be:

dd if=/dev/hda | split -b 620m - /USB/sda/x

This will run the input file (/dev/hda) through split and create several files of 620MB (-b 620m) in the directory /USB/sda/. The files will usually be called x** (* denotes a wildcard in this example).

These files can be reformed into an image file using the cat command.

cat /USB/sda/x* > bigimage.img

Then create a hash of the file using md5sum and compare to the original hash value.

md5sum bigimage.img

Alternatively, if split is not available you can use dd by itself, using the skip, bs (block size) and count switches to prevent it from reading from the beginning of the file.

dd if=/dev/hda of=/media/USB/image1.img bs=1M count=620

dd if=/dev/hda of=/media/USB/image2.img bs=1M count=620 skip=620

dd if=/dev/hda of=/media/USB/image3.img bs=1M count=620 skip=1240

dd if=/dev/hda of=/media/USB/image4.img bs=1M count=620 skip=1860

dd if=/dev/hda of=/media/USB/image5.img bs=1M count=620 skip=2480

etc., until the end of the input file.

What is happening here is you are telling dd to work in 1MB blocks (bs=1M), to only copy 620MB at a time (count=620) and, for every image after the first, to skip the blocks already copied (skip=620, skip=1240 etc.). skip counts whole blocks from the start of the input, so each value must be an exact multiple of count or a block is lost between images and the final hash will not match. This creates several images that can then be copied to CDs. Once on the target system and in the same directory (I will assume the directory is /home/me) they can be put back together into a single image using the command below.

cat /home/me/image* > bigimage.img

Md5sum can be run against this image and compared to the original md5 hash to verify the integrity.
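The bad-sector and splitting steps above can be combined into one pass. The following is an added example, not from the original post: it copies a source block by block, pads any unreadable block with zeroes and records its index (the effect of conv=noerror,sync plus the error log suggested above), writes fixed-size segments, and computes the MD5 while copying so the reassembled segments can be checked against it. The function names, the small block size and the in-memory "disk" with a simulated bad block are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile


def acquire(read_block, total_blocks, out_dir, blocks_per_segment, block_size):
    """Copy total_blocks blocks into numbered segment files.

    read_block(i) returns block i, or raises OSError for an unreadable block.
    Returns (md5 of the image as written, segment paths, bad block indexes).
    """
    md5 = hashlib.md5()
    segments, bad_blocks = [], []
    # Each segment starts at a multiple of blocks_per_segment (dd's skip=).
    for first in range(0, total_blocks, blocks_per_segment):
        # Zero-padded numbers keep `cat image*` in the right order: a shell
        # glob sorts names as text, so image10.img would sort before image2.img.
        path = os.path.join(out_dir, f"image{len(segments) + 1:03d}.img")
        segments.append(path)
        with open(path, "wb") as out:
            last = min(first + blocks_per_segment, total_blocks)
            for i in range(first, last):
                try:
                    data = read_block(i)
                except OSError:
                    data = b""
                    bad_blocks.append(i)
                # Pad failed or short reads to a full block so offsets in the
                # image still match offsets on the source.
                data = data.ljust(block_size, b"\0")
                md5.update(data)
                out.write(data)
    return md5.hexdigest(), segments, bad_blocks


def reassembled_md5(segments, chunk=1 << 20):
    """MD5 of the segments read back in order (cat image* | md5sum)."""
    md5 = hashlib.md5()
    for path in segments:
        with open(path, "rb") as f:
            for data in iter(lambda: f.read(chunk), b""):
                md5.update(data)
    return md5.hexdigest()


def demo():
    """Image a constructed 10-block 'disk' whose block 7 cannot be read."""
    block_size, total_blocks = 512, 10
    disk = bytes((i * 7) % 256 for i in range(block_size * total_blocks))

    def read_block(i):
        if i == 7:
            raise OSError("simulated unreadable sector")
        return disk[i * block_size:(i + 1) * block_size]

    # What the image should contain: the source with block 7 zero-filled.
    expected = disk[:7 * block_size] + b"\0" * block_size + disk[8 * block_size:]
    with tempfile.TemporaryDirectory() as out_dir:
        image_md5, segments, bad = acquire(
            read_block, total_blocks, out_dir, 4, block_size)
        return {
            "image_md5": image_md5,
            "reassembled_md5": reassembled_md5(segments),
            "expected_md5": hashlib.md5(expected).hexdigest(),
            "source_md5": hashlib.md5(disk).hexdigest(),
            "segments": [os.path.basename(p) for p in segments],
            "bad_blocks": bad,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

When a block is padded, the image hash no longer equals a hash taken directly from the source device, so the list of bad blocks is what explains the difference in your notes.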

Dd To a Zipped Image

You can pipe dd through gzip to save on some disk space.

dd if=/dev/hda | gzip -f > /media/USB/compressed_image.img.gz

Using Split & Gzip Together

To help cope with size limits both gzip and split can be used together. This has the benefit of splitting the image and zipping it up also to save space and requires less work. Below is the syntax used to perform this and an explanation of the command.

dd if=/dev/hda | gzip -c | split -b 2000m - /media/USB/image.img.gz

  1. dd is used to take an image of the harddrive.
  2. This is passed to gzip (-c is to stdout)
  3. The compressed image is then piped to the split tool (split then creates the files image.img.gzaa, image.img.gzab, etc )

To restore the multi-file backup, run the command below:

cat /media/USB/image.img.gz* | gzip -dc | dd of=/dev/hda

  1. cat sends the contents of the zipped and split image files to stdout in order.
  2. Results are piped through gzip and decompressed.
  3. And are then written to the hard drive with dd.

Creating empty disk images

To create an empty disk image, get the data from /dev/zero. To create a 10MB image or file:

dd if=/dev/zero of=image bs=1M count=10

or

dd of=image bs=1M count=0 seek=10

In the second example nothing is written, not even zeroes, we just seek 10MB into the file and close it. The result is a sparse file that is implicitly full of 10MB of zeroes, but that takes no disk space. ls -la will show 10MB, both du and df will show 0. When the file is written to, Linux will allocate disk space for the data. ls will continue to show 10MB, but du will gradually approach 10MB.


Whilst researching the use of dd another tool was brought to my attention which is called dcfldd. This tool is like dd in many ways and uses similar syntax but is also able to produce hashes on the fly and can provide status of copying files amongst other useful features. It's available on both Linux and Windows.

Thanks to the guys at BinRev for ideas whilst creating this entry.

Friday, October 19, 2007

Information Disclosure From Email Headers

I've spent the week looking at email headers and figuring out just how much information can be gleaned from them. To solicit an email from the target a bounce email could be sent; that's where an email is sent to a known bad address on the target domain in order to receive an NDR. Depending on the system in question the headers of an NDR will contain some useful juicy info; it depends on how much the admin has locked down the system, as it is possible to exclude the network topology. Or you can send to a known good address and hope for a reply. It is also possible to forge parts of the email header; I'll cover that in a separate post.

Below is a standard header from an email sent out from Microsoft regarding Security Bulletins. First let's look at the header before we dissect it.

Microsoft Mail Internet Headers Version 2.0
Received: from mail83.messagelabs.com ([]) by InternalMailServer.adomain.co.uk with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 29 Aug 2007 21:34:25 +0100
X-VirusChecked: Checked
X-Env-Sender: Microsoft@newsletters.microsoft.com
X-Msg-Ref: server-10.tower-83.messagelabs.com!1188419662!42820977!1
X-StarScan-Version:; banners=-,-,adomain.co.uk
X-Originating-IP: []
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG,
Received: (qmail 12350 invoked from network); 29 Aug 2007 20:34:22 -0000
Received: from delivery2.pens.microsoft.com (HELO delivery2.pens.microsoft.com) (
by server-10.tower-83.messagelabs.com with SMTP; 29 Aug 2007 20:34:22 -0000
Received: from TK2MSFTDDSQ16 ([]) by delivery2.pens.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 29 Aug 2007 13:34:21 -0700
Thread-Topic: Microsoft Security Bulletin Minor Revisions
thread-index: Acfqe/rmKWoBBju4SVuJfVqKEPkgrg==
Reply-To: "Microsoft" <20_82825_tzyyvxkag0ov6+9tfqfqkq@newsletters.microsoft.com>
From: "Microsoft"
Subject: Microsoft Security Bulletin Minor Revisions
Date: Wed, 29 Aug 2007 13:34:21 -0700
Message-ID: <5d9601c7ea7b$fae90480$17f9257a@phx.gbl>
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
Return-Path: Microsoft@newsletters.microsoft.com
X-OriginalArrivalTime: 29 Aug 2007 20:34:21.0513 (UTC) FILETIME=[FAEE0B90:01C7EA7B]

Firstly, headers are often read from the bottom up. This way you can identify the path the message took to get to the destination.

1. Thread-Topic: Microsoft Security Bulletin Minor Revisions
2. thread-index: Acfqe/rmKWoBBju4SVuJfVqKEPkgrg==
3. Reply-To: "Microsoft" <20_82825_tzyyvxkag0ov6+9tfqfqkq@newsletters.microsoft.com>
4. From: "Microsoft"
5. To:
6. Subject: Microsoft Security Bulletin Minor Revisions
7. Date: Wed, 29 Aug 2007 13:34:21 -0700
8. Message-ID: <5d9601c7ea7b$fae90480$17f9257a@phx.gbl>
9. MIME-Version: 1.0
10. Content-Type: text/plain;
11. charset="iso-8859-1"
12. Content-Transfer-Encoding: 7bit
13. X-Mailer: Microsoft CDO for Windows 2000
14. Content-Class: urn:content-classes:message
15. Importance: normal
16. Priority: normal
17. X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
18. Return-Path: Microsoft@newsletters.microsoft.com
19. X-OriginalArrivalTime: 29 Aug 2007 20:34:21.0513 (UTC) FILETIME=[FAEE0B90:01C7EA7B]

I will pick out the interesting information that may be of use to an inquisitive person or an attacker.

Line 18 displays the email address of the sender.
Line 17 displays details of the software used to create the message.
Line 13 details software that the message passed through, in this case CDO for Windows 2000. It's important to note that CDOSYS.dll has had vulnerabilities that allow remote code execution. Also, it may indicate that this server is running Windows 2000.
Line 8 details the Message-ID. This ID is unique to the message and can be used to track the message with the Message Tracking service.
Lines 7, 6, 5, 4, 3 detail the time the message was sent, the subject, where the reply will go to and who the email was to. Also note that we have picked up a possible username (Microsoft) and sub-domain (newsletters.microsoft.com) here.

The next part of the header gives us some interesting information.

Received: from TK2MSFTDDSQ16 ([]) by delivery2.pens.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 29 Aug 2007 13:34:21 -0700

This information seems to tell us that an internal mail server at Microsoft (TK2MSFTDDSQ16 ([])) sends to what is probably a mail gateway (delivery2.pens.microsoft.com) with the IP Address of running Microsoft SMTPSVC(6.0.3790.1830) which after some googling around appears to be Microsoft 2003 Advanced Edition SP 2. A useful site for finding information on a particular file and version (in this case SMTPSVC.dll) is www.fileproperties.com. I'm looking for other sites and methods to validate this also.

By Googling the internal server name TK2MSFTDDSQ16 and then amending it slightly to TK2MSFTDDSQ17 & TK2MSFTDDSQ18 you are able to discover other internal servers and IP addresses from headers sent to other people.

The next part of the header gives us some interesting information also.

1. X-VirusChecked: Checked
2. X-Env-Sender: Microsoft@newsletters.microsoft.com
3. X-Msg-Ref: server-10.tower-83.messagelabs.com!1188419662!42820977!1
4. X-StarScan-Version:; banners=-,-,adomain.co.uk
5. X-Originating-IP: []
6. X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG,
7. Received: (qmail 12350 invoked from network); 29 Aug 2007 20:34:22 -0000
8. Received: from delivery2.pens.microsoft.com (HELO delivery2.pens.microsoft.com) (
by server-10.tower-83.messagelabs.com with SMTP; 29 Aug 2007 20:34:22 -0000

Line 8 shows that delivery2.pens.microsoft.com sent the message to server-10.tower-83.messagelabs.com. This is not the target network, which is indicative of the use of a filtering service (MessageLabs, evident from the next lines also). We also see here from the time stamp that the filtering service and the sender are in a different time zone. Also, if encryption was in use we would expect to see ESMTP used as opposed to SMTP.
Line 7 shows that MessageLabs is using qmail, a popular SMTP server. According to Secunia, qmail has unpatched remote code execution vulnerabilities.
Line 6 displays the spam filter settings and how the sent message rated against those filter settings.
Line 4 details the scanning software in use and the version number (StarScan-Version:
Line 1 tells us that the message was checked for viruses also by MessageLabs.

And lastly the headers tell us about the recipient's network.

1. Microsoft Mail Internet Headers Version 2.0
2. Received: from mail3.messagelabs.com ([]) by InternalMailServer.adomain.co.uk with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 29 Aug 2007 21:34:25 +0100

Line 2 tells us that the MessageLabs external server (mail83.messagelabs.com ([])) sent the message to InternalMailServer.adomain.co.uk (internal server name), which is running SMTPSVC(6.0.3790.3959), which is used in Exchange 2003.
What's also very useful to note here is that the AD domain name for this domain is adomain.co.uk, which is the root of the entire network that the sender must authenticate to in order to gain access to network resources.

From this I would assume the following mail routing environment.

Sender -> Internal Mail Server -> Mail Gateway -> -> Filtering Service for Recipient ->Recipient Mail Server -> Recipient

So to recap we have found the following:

  • Network topologies and geographic information
  • Mail client software in use
  • Server versions and Service pack levels
  • SMTP server versions
  • Encryption levels
  • Mail Filtering settings
  • Software in use in the mail route
  • Internal server names and IP Addressing schemes
  • External server names and IP Addresses
  • Root domain name
  • Subdomains
  • Possible usernames
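To check what your own organisation's mail gives away, the same bottom-up reading can be scripted. The following is an added example, not part of the original post: it walks the Received lines from the sample above oldest first and lists the host names and software banners they disclose. The sample is copied from the headers shown earlier with continuation lines re-indented (the IP addresses are blank on the page and stay blank here); the function names and the own_domains parameter are hypothetical.

```python
import re
from email import message_from_string

# Header lines copied from the sample above; blanks where the page has blanks.
RAW = """\
Received: from mail83.messagelabs.com ([]) by InternalMailServer.adomain.co.uk with Microsoft SMTPSVC(6.0.3790.3959);
    Wed, 29 Aug 2007 21:34:25 +0100
Received: (qmail 12350 invoked from network); 29 Aug 2007 20:34:22 -0000
Received: from delivery2.pens.microsoft.com (HELO delivery2.pens.microsoft.com) (
    by server-10.tower-83.messagelabs.com with SMTP; 29 Aug 2007 20:34:22 -0000
Received: from TK2MSFTDDSQ16 ([]) by delivery2.pens.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
    Wed, 29 Aug 2007 13:34:21 -0700
X-Mailer: Microsoft CDO for Windows 2000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826

(body omitted)
"""

# "from <host> ... by <host> [with <protocol or software>];"
HOP_RE = re.compile(
    r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>[^\s;]+)"
    r"(?:\s+with\s+(?P<via>[^;]+))?"
)


def received_path(raw):
    """Return the relay hops oldest first (headers are read bottom up)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # undo header folding
        m = HOP_RE.search(text)
        if m:
            via = m["via"].strip() if m["via"] else None
            hops.append({"from": m["frm"], "by": m["by"], "via": via})
        else:
            # Local hand-off lines such as qmail's have no from/by pair.
            hops.append({"from": None, "by": None, "via": text.split(";")[0]})
    return hops


def disclosures(raw, own_domains=()):
    """List (category, value) pairs an outside reader learns from the headers."""
    suffixes = tuple("." + d.lower() for d in own_domains)
    findings = []
    for hop in received_path(raw):
        for host in (hop["from"], hop["by"]):
            # Single-label names and names under our own domain are internal.
            if host and ("." not in host or host.lower().endswith(suffixes)):
                findings.append(("internal host name", host))
        via = hop["via"] or ""
        if re.search(r"\d+\.\d+", via):         # a dotted version number
            findings.append(("server software", via))
        elif "qmail" in via.lower():
            findings.append(("server software", "qmail"))
    msg = message_from_string(raw)
    for name in ("X-Mailer", "X-MimeOLE"):
        if msg[name]:
            findings.append(("mail software", f"{name}: {msg[name]}"))
    return findings


if __name__ == "__main__":
    for hop in received_path(RAW):
        print(hop)
    for category, value in disclosures(RAW, own_domains=("adomain.co.uk",)):
        print(f"{category:20} {value}")
```

Run it against a message your own gateway has relayed, with own_domains set to your domains, and use the result to decide which Received details and X- headers to strip or rewrite at the edge.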

Other parts of a header to look out for which can provide useful info are:

The X-WSS-ID is an acronym for Windows Server System ID:
X-WSS-ID: 657782L8189979-01-01

Indicates the sender sent this message from Windows 2003 server.

Received: from by mgw01.youmail.com over TLS secured channel with ESMTP (SMTP Relay);

We can see here that the email was encrypted by the TLS protocol and was relayed through a secure channel. Whereabouts in the header this appears will identify at which point the mail was encrypted.

It's also useful to note that "X-" headers are non-standard, they are only provided for information. Although often violated any non-standard informative header should be given a name starting with "X-".

I am aware that there are parts of the header that may also provide useful information so any comments would be welcomed.

Tuesday, October 16, 2007

Anonymous Reconnaissance

I have renamed this entry from Passive Reconnaissance to Anonymous Reconnaissance.

Passive Reconnaissance is the act of gathering intelligence without sending any packets to the target, whereas Anonymous Reconnaissance is the act of gathering intelligence without sending any packets to the target from your IP. I break reconnaissance down into 2 phases, Intelligence Gathering and Footprinting.

Whilst mapping your target you will also research and map any other relevant IP addresses such as business partners, subsidiaries, sister companies and divisions. All must be considered relevant as these companies may have trusts set up that provide easier access to your target or they may provide a service such as DNS, web hosting, e-commerce or email to your target which could also be targeted as part of an attack.

Intelligence Gathering

When researching a target you need to gather intelligence. The more intelligence the better as this information may tell you what systems the target has, what the target is running on those systems, and what versions of software the target has. Using this information the attack can be precise and professional. All this information can be gained without sending any packets to the target from your IP. There are many tools that can be installed on Windows or Linux PCs to perform these tasks; here I will demonstrate how to gain this information using only tools available on web sites. The benefit is the attack will not be linked directly to you. One point to bear in mind when using these web based tools is your IP may well be sent to the target from the website hosting the tool such as www.serversniff.net, so use these tools through an anonymous proxy (or chain of proxies) or TOR.

There is a huge amount of resources available to use on the web; these can provide you with the following:

• IP Ranges
• Operating Systems
• Software in Use
• Employee Names
• Organisational Structures
• Business Partners

This information is invaluable for targeted technical attacks and for social engineering. After all, why spend days hacking a website or a firewall when the chances are you can make a few phone calls and persuade a user to give you his or her password within an hour? But to do this you need to do your homework first, and that’s where Intelligence Gathering comes in: the more knowledgeable you are about your target, the more believable you will be.

www.google.com – Just about everything
www.msn.com – Shared hosting
www.paterva.com – People & organisation searches
www.dnsstuff.com – A host of web based DNS tools
www.serversniff.net – Metadata discovery, Tracerouting, IP tools, sub-domains etc…
www.windowspms.com – Whois tools and port scanner
www.publicwebproxies.com – Proxy lists
www.archive.org – The way back machine
www.netcraft.com – Website tools.

Okay so you have a target. The first thing that is required is to view the website (if available) to learn as much about the target as possible. The outcome of this should hopefully be names, addresses, telephone numbers, email addresses, business partners, organisational structures, sub-domains, IP addresses, business relationships. All of this information is useful for the later stages of an attack. Search the source of the web pages to look for details such as names, email addresses, comments etc… To prevent your IP showing in the website logs the following measures can be taken.

• Search the Google cached pages
• Use the Way Back Machine at www.archive.org
• Use an anonymous proxy or TOR
• Use www.serversniff.net

If you are to use Google cached pages (look at the link at the bottom of a Google search) be aware that if there are images on the page these will be retrieved from the site and not from Google’s cache. To prevent this you can modify the settings in the options on your browser so it doesn’t pull back anything but text.

The Way Back Machine has its advantages and disadvantages. On the downside the pages may be slightly dated; on the plus side you may get data (job ads, acquisitions etc..) that the target removed.

Anonymous proxies can be chained together or you could just use TOR for great anonymity. Check out www.publicwebproxies.com for a list of proxies.

One thing to bear in mind is that many companies do not host their own website, so picking up address ranges from around the IP of the website may not be that useful.

www.netcraft.com is a useful site. It will often tell you how long a server has been up, what OS it is and what type of webserver it is.

Using Google you can start to search for email addresses, usernames, employee names etc… It’s useful to search newsgroups on Google (use the groups directive and the author directive); maybe the techies have made postings regarding software in use, questions on servers or firewall configurations. You can focus your search on just the target by using the site directive (site:bbc.co.uk).

Another great reconnaissance tool is www.paterva.com, it will trawl the web and find postings, phone numbers, email addresses and much more.

Virtual Hosting

Virtual Hosting is where many Websites share the same IP Address (and web server) and is sometimes an indicator of a business relationship. You can discover this using the IP directive (ip:target_ip_address) on MSN or you can use the Hostname on IP function on www.serversniff.net

# Name
# 1 cgi.bbc.co.uk
# 2 ftp.bbc.co.uk
# 3 www0.bbc.co.uk
# 4 www0.mh.bbc.co.uk

www.serversniff.net can perform a range of tasks. If you find any documents published on the website, this site can pull out the metadata and possibly reveal software in use and usernames. As well as this it has features that can analyse web pages for comments; see the Comments-on-Page function.

Some useful search filters for Google are:

site:bbc.co.uk filetype:pdf pdf
This query will just return PDFs from the target website (assuming the target was the BBC)

site:bbc.co.uk filetype:xls
This query would return Excel spreadsheets posted to the web for the BBC

The www.serversniff.net File-Search function will also perform similarly to the Google searches mentioned above.

If the URL for one of the returned spreadsheets is then run through the File Info tool on www.serversniff.net you get the following interesting information.

FileType(guessed) = Microsoft Office Document
last saved by - KingsJ31
creation date - 2005-05-30T18:00:09Z
creator - Harry Blundun
date - 2005-06-29T15:59:50Z
generator - Microsoft Excel
CreateDate = 2005:05:30 18:00:09
LastSavedBy = KingsJ31
AppVersion = 10 (107b)
FileSize = 30 kB
Author = Harry Blundun
Company = fathom partners
AuthorEmail = jonathan.kingsbury@bbc.co.uk
EmailSubject = updated supplier questionaire sheet
AuthorEmailDisplayName = Jonathan Kingsbury
ModifyDate = 2005:06:29 15:59:50
Software = Microsoft Excel
TitleOfParts = Supplier describes competencies

Now we’re getting somewhere: usernames, email addresses, software versions etc… All without sending a single packet to the target from your IP.
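The same fields can be checked on your own documents before they are published. The following is an added example, not part of the original post: it audits the newer OOXML formats (.xlsx, .docx), which store these properties in docProps/core.xml and docProps/app.xml, and does not cover the legacy .xls format shown above. The function names, the allow-list policy and the sample values are assumptions made for the illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Property elements that identify people, accounts, software or the organisation.
CORE_FIELDS = {"creator", "lastModifiedBy", "created", "modified"}
APP_FIELDS = {"Application", "AppVersion", "Company", "Manager"}
PARTS = (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS))


def audit_ooxml(data):
    """Return {field: value} for identifying metadata inside an OOXML file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part, wanted in PARTS:
            if part not in names:      # both property parts are optional
                continue
            for el in ET.fromstring(zf.read(part)):
                field = el.tag.rsplit("}", 1)[-1]   # drop the XML namespace
                value = (el.text or "").strip()
                if field in wanted and value:
                    found[field] = value
    return found


def release_blockers(found, allowed=("Application",)):
    """Fields that must be cleared before the file is published.

    The allow-list is a hypothetical policy: only the application name may stay.
    """
    return sorted(f for f in found if f not in allowed)


def make_sample():
    """Constructed .xlsx-style package holding only the two property parts."""
    core = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/'
        '2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
        "<dc:creator>Example Author</dc:creator>"
        "<cp:lastModifiedBy>ExampleU01</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    app = (
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/'
        '2006/extended-properties"><Application>Microsoft Excel</Application>'
        "<Company>Example Ltd</Company><Manager></Manager></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_ooxml(make_sample())
    for field in release_blockers(report):
        print(f"clear before publishing: {field} = {report[field]}")
```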


Footprinting

The objective of footprinting is to mine as many valid hostnames for the target as possible and link them with IP addresses.

Whois Searches

To effectively footprint the target you must discover the IP addresses in use and map them to hostnames. A good starting point is to perform whois lookups with the Regional Internet Registries for your target.

An excellent couple of sites for this are www.whois.sc, www.domaindossier.com and of course the most excellent www.serversniff.net.
All sites will provide you with the whois information for your target. The whois information may provide names, addresses, email addresses, telephone numbers and netblock ranges.

Whois Record
Domain name:
British Broadcasting Corporation
Registrant type:
UK Limited Company, (Company number: 000057)
Registrant's address:
Research & Development
Kingswood Warren
KT20 6NP
British Broadcasting Corporation [Tag = BBC]
Relevant dates:
Registered on: before Aug-1996
Renewal date: 13-Dec-2008
Last updated: 25-Sep-2007
Registration status:
Registered until renewal date.
Name servers:

A whois lookup should be performed on each domain name that is linked to the target; as different domains have been registered, the target may have disclosed different information in error. Bear in mind that it is not uncommon to find out-of-date information in these whois queries, so verify the information with the other tools listed.

DNS Bruteforce
Another great feature on www.serversniff.net is its DNS Bruteforce. This feature can be used to look for predictable hostnames and provide the associated IP addresses. The SubDomains feature on www.serversniff.net is a useful tool that will locate other hosts under the bbc.co.uk domain name for the target. The example below (sorry BBC) displays some of the more interesting information that is returned from www.serverSniff.net on SubDomains search:

Host IP Title
bogons.bbc.co.uk BBC
cgi.bbc.co.uk BBC - Error 403 - Forbidden.
chivers.ww.thdo.bbc.co.uk Directory Listing Denied
creativearchive.bbc.co.uk Creative Archive
db.bbc.co.uk BBC - homepage
extdev.bbc.co.uk ……………
ftp.bbc.co.uk ……………
gateway.bbc.co.uk gateway.bbc.co.uk ……………
mail.bbc.co.uk ……………
mx.bbc.co.uk ……………
ns.bbc.co.uk …………….
ssl.bbc.co.uk BBC - homepage..
virtual0.mh.bbc.co.uk BBC ……...
webmail.bbc.co.uk …………….
www.monitor.bbc.co.uk BBC Monitoring

Top Level Domains (TLD)
The TLD Domains tool on this site can be used for finding other registered domains that may be hosted in other countries. The benefit of this is you may have different software versions in use, different policies and different firewall rules etc… this provides you with a bigger target.


And many more…………………….

Another system that is of use here is to try to find where address ranges allocated to the target start and finish. Often the whois query on an address will highlight the netblock assigned to the ISP. By using the Reverse DNS Lookup feature on www.DNStuff.com you can specify a CIDR (i.e. and it will scan the class C: range. This will often display router names that sit on the last IP of an allocated range. To reduce the packets sent to a domain you can send individual queries to IP addresses throughout the suspected range. Eventually this will narrow down the range until you identify just the set of addresses you are interested in.

If, when performing these reverse lookups, you find a domain name that is not your target’s in the middle of the range, this is often a good indicator of a business relationship and the new domain should be added to your list of domains to footprint.

www.dnsstuff.com can also be used to look at other records that your target may have that may point a bit closer to home, such as MX records that point to mailservers. But be aware that some companies who use mail filtering services may route their mail to the filtering company’s mail servers. If you are unsure whether this is happening there are a couple of things you can do. You could Google the address that the MX record points to, or you could send an email bounce from a web-based email address and examine the headers. But the bounce attack falls outside of the scope of this document as it is no longer passive reconnaissance. However, in the example above in the subdomains section it seems quite obvious where the mail servers are.

DNS stuff can also be used for Tracerouting to the target IPs. So if the admins on that site have left ICMP enabled on the firewall and routers you can begin to map the network. www.serversniff.net also has a UDP and TCP Traceroute which will often work when ICMP is blocked.

Zone Transfers
Okay, these days it’s a real longshot but it’s worth a try, because if they haven’t been locked down it’s like striking gold, so go along to http://www.digitalpoint.com/tools/zone-transfer and give it a try.

So after you have done all this work and you have verified the information with forward and reverse lookups until you’re happy that you have a nice list of IP addresses to hostnames you can begin planning for the next phase of the attack, scanning and enumeration.

There are some excellent papers on footprinting. Breaking Into Computer Networks From The Internet is one of them.
Thanks to the guys at binrev who have contributed ideas to this topic

Arp Poisoning

One of the myths surrounding a switched environment is that it prevents packet sniffing. Well it really doesn’t. Anyone can put their network card into promiscuous mode and grab packets off the wire, and if you really need to sniff the traffic it is still entirely possible using Arp Spoofing. All you really need is a tool such as Ettercap.

Firstly, let’s cover a few basics.

What is ARP?
ARP is the Address Resolution Protocol. It is used to translate IP addresses to MAC addresses (physical addresses). ARP basically works by a computer sending a query out to its broadcast domain asking who has a certain IP address. When the host with that IP address receives such a packet it replies with its MAC address, and the requesting computer logs the response in its ARP cache. The ARP cache can be viewed by typing arp -a from the command-line, which gives output similar to that below:

Interface: --- 0x5
  Internet Address      Physical Address      Type
                        00-0b-cd-ef-2c-ff     dynamic
                        00-0e-7f-ef-b5-8d     dynamic

What is ARP Spoofing?
ARP Spoofing works by an attacker PC sending out fake ARP responses to victim PCs stating that it is someone else; each victim PC then updates its ARP cache and directs traffic to the attacker. Upon receiving the traffic the attacker will log, read, or adjust the packets and then forward them on to the destination.
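Because the spoof shows up as a change in the victim's ARP cache, two saved copies of the arp -a output are enough to spot it. The following is an added example, not part of the original post: it assumes the Windows arp -a layout shown earlier, the function names are hypothetical, and the snapshots are constructed using documentation addresses from 192.0.2.0/24.

```python
import re

# One row of Windows `arp -a` output: IP address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+",
    re.IGNORECASE,
)

# Constructed snapshots of one host's cache (not captured from a real network).
BEFORE = """\
Interface: 192.0.2.10 --- 0x5
  Internet Address      Physical Address      Type
  192.0.2.1             00-0b-cd-ef-2c-ff     dynamic
  192.0.2.50            00-0e-7f-ef-b5-8d     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Same host later: the gateway 192.0.2.1 now resolves to the MAC of 192.0.2.50.
AFTER = BEFORE.replace("00-0b-cd-ef-2c-ff", "00-0e-7f-ef-b5-8d")


def parse_arp(text):
    """Return {ip: mac} for the unicast entries in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # interface and header lines
        ip, mac = m.group(1), m.group(2).lower()
        # Broadcast and multicast MACs have the low bit of the first octet
        # set; many IPs legitimately share them, so they are not evidence.
        if int(mac[:2], 16) & 1:
            continue
        table[ip] = mac
    return table


def shared_macs(table):
    """MACs claimed by more than one IP address: {mac: [ips]}."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(before, after):
    """IPs whose MAC differs between two snapshots: {ip: (old_mac, new_mac)}."""
    return {ip: (before[ip], mac) for ip, mac in after.items()
            if ip in before and before[ip] != mac}


if __name__ == "__main__":
    old, new = parse_arp(BEFORE), parse_arp(AFTER)
    for mac, ips in shared_macs(new).items():
        print(f"{mac} answers for {', '.join(ips)}")
    for ip, (was, now) in changed_bindings(old, new).items():
        print(f"{ip} moved from {was} to {now}")
```

Neither finding is proof on its own: a router with several addresses shares one MAC, and a gateway failover changes a binding. Treat a hit as a lead to check against the switch's port and MAC tables.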

My favourite tool for ARP spoofing is Ettercap, which can be used under Windows or Linux. Ettercap provides a GUI which can be launched from the command-line using ettercap -G, or it can be run from the command-line entirely. I’ll cover the command-line usage as the GUI is very intuitive and simple to use. The switches I list below are for my Linux box but Windows switches will probably be the same.

Basic Sniffing
To watch traffic passing by on the network use:

ettercap -Tzq -i eth0

This will put ettercap into text mode, it will not arp scan the network and will be quiet. Only interesting traffic will be displayed as it passes and it will listen on interface eth0.

To sniff traffic between 2 hosts the attacker can run the following command from his Linux box:

ettercap -i eth0 -T -M arp /victim_ip_A/ /victim_ip_B/

The -i switch is telling ettercap to use a specific interface, in this case eth0, the -T switch is telling ettercap to use the Text interface and the -M switch is telling ettercap to use Man-in-the-Middle mode (MITM). The rest is self-explanatory.

Multiple hosts can be sniffed say between a gateway and the targets by using a command such as:

ettercap -i eth0 -T -M arp / / /

If traffic to a certain port, in this case Telnet, is to be captured the command would look like:

ettercap -i eth0 -T -M arp / / /

To sniff traffic between all hosts on the network:

ettercap -T -M arp // //

BEWARE – depending on the size of the network, this may cause dropped packets and performance issues.
There are many other switches available to use; they can be viewed by checking out the man page for Ettercap (man ettercap) or by viewing the help file (ettercap --help).

Ettercap is capable of:
• sniffing HTTPS
• Injecting traffic
• OS fingerprinting

Logging The Output
To log the output of Ettercap you can use the following:

-L This will log both the packet detail (filename.ecp) and the info (filename.eci)

-l This will log only info (filename.eci)

-w Write output to a pcap file (viewable with Wireshark)

The syntax to log the output would be:

ettercap -T -L filename -qM arp /ip_address_A/ /ip_address_B/

Other useful options
-P Use plugin (to view plugins, run ettercap -TQ and press p to view the plugin menu)
-c Compress the output (gzip)

Viewing The Output
The output from Ettercap can be viewed using Etterlog, Wireshark or sent to the screen (toggle screen output on and off using the space bar)

Fun With Ettercap
So we have seen here how Ettercap can be used to perform MITM attacks and capture traffic between 2 hosts. Obviously this traffic can be parsed for juicy info. You could run Dsniff on the same PC and LAN card to run the traffic through that. You could run Driftnet to view any pictures that are passing the interface, or you could use one of the many plugins to send the visited URLs to your browser, to find promiscuous NICs or to perform many other useful activities.

For more info take a look at the links below:


Forensics - Volatile Data

Volatile Data is information that changes frequently and is often lost upon powering down the PC. Volatile data will include information about running processes, network connections, clipboard contents and data in memory. This information may be critical to the discovery of the cause of an incident.
  1. Introduction

  2. Preparing A Toolkit

  3. Responding To An Incident

  4. Removing Data From The PC

1. Introduction

In my work environment, when an incident occurs it's quite likely that upon discovery the first response will be to protect the network. Following that, the aim is to understand the incident, to perform a Root Cause Analysis (RCA) to discover the cause, and to implement safeguards to prevent further incidents of the same kind. Even though in most organisations legal action is not common, it is beneficial to preserve as much evidence as possible, as until the incident is understood legal action cannot be ruled out.

The following blog entry describes the steps I perform to protect the network, whilst gathering the volatile data to help perform the RCA whilst preserving the data for further forensics if necessary. The guide below assumes that you have administrative control over the victim PC, network connectivity to a PC for the collection of data, network connectivity to a remote share or access to remote storage such as a USB device.

2. Preparing A Toolkit

To prevent any programs writing to the PC, the following tools should be copied to a form of read-only media such as a CD-ROM or run from a read-only network share. Copying data to a compromised PC may overwrite data on the victim PC and compromise any legal proceedings if they were to occur.

Command, Netstat, Psloglist, Netcat, Pslist, Netusers, Net (user, session), Pulist, ListDLLs, Handle, Tlist, Tasklist, PS, IPConfig, NBTStat, Fport, Openports, DOSKEY, GPList, Time, Date, Route

Many of the tools above collect similar information. However, they often have subtle differences and may provide information that the others lack. What is important is that tools come from good sources, so in the case of tools such as Command, Netstat and other Windows native tools this means taken from a fresh install of Windows. This is to prevent using tools that may be infected or that may have been altered. A disk with these tools on should always be kept safe and MD5Sums should be calculated and saved along with the tools. Just as important is familiarity with the tools. Become an expert at using them and learn their nuances. The switches used with commands, such as time /t, are essential when piping commands to a listener.

To make the process of collecting volatile data easier it is useful to create a batch file to run the tools. Once the switches have been correctly identified and are entered into the batch file the command will be executed the same way each time, this will help save time and has the additional benefit of making the logging task slightly easier too.

3. Responding To An Incident

Firstly, the incident must be discovered. This may be through log monitoring, traffic analysis, alerts or just by stumbling across something that shouldn't be there such as a program, process or registry entry.

Once the incident has been discovered, usually the first reaction is to pull the plug to protect the network. Although this does have the desired effect of isolating the PC from the network, it also destroys critical volatile data. If the PC remains on and connected to the network this important data can be taken from the PC for further analysis. Also the system in question may be a critical business system that cannot be taken down without monetary loss.

4. Removing Data from the PC

After assembling the toolkit and testing the tools/batch files in a test environment you are ready to respond to an incident.

Data on the PC needs to be removed without altering the state of the PC as much as possible, as until the incident is understood it will not be known if any authorities are notified. This is done by using tools and scripts that can be run from the command-line and piped out to a netcat listener. This gets the volatile data off the PC so it can be disconnected from the network and powered down if necessary. If a listener is not available then every effort should be made to save the captured data on either a network share or some other form of removable media such as an attached USB drive, but be aware that connecting a USB device will write an entry to the registry so the make, model and serial no must be included in the log.

Log File

It is important that a log is kept of every action taken on the victim PC including the following:

  • Time
  • Tools Used (& versions)
  • Commands Used
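The saved MD5 sums and the action log can be tied together: a tool is only logged as used if its file still matches the manifest saved with the toolkit. The following is an added example, not part of the original post, intended for preparing and checking the toolkit on the analysis workstation; the function names, the tab-separated log layout and the mapping of the built-in date and time commands to cmd.exe are assumptions.

```python
import hashlib
import os
from datetime import datetime, timezone

BUILTINS = {"date", "time"}   # shell built-ins: logged against the shell binary


def md5_file(path):
    """MD5 of a file, read in chunks so large tools do not fill memory."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(tool_dir):
    """Map each tool file name (lower-cased) to its MD5, to save with the toolkit."""
    manifest = {}
    for name in sorted(os.listdir(tool_dir)):
        path = os.path.join(tool_dir, name)
        if os.path.isfile(path):
            manifest[name.lower()] = md5_file(path)
    return manifest


def verify_toolkit(tool_dir, manifest):
    """Compare the toolkit on disk with the saved manifest; return the problems."""
    current = build_manifest(tool_dir)
    problems = []
    for name, digest in manifest.items():
        if name not in current:
            problems.append(("missing", name))
        elif current[name] != digest:
            problems.append(("modified", name))
    problems += [("unexpected", name) for name in current if name not in manifest]
    return sorted(problems)


def log_action(log, manifest, command, shell="cmd.exe", now=None):
    """Append one entry (UTC time, tool, tool MD5, command) to the action log."""
    word = command.split()[0].lower()
    if word in BUILTINS:
        tool = shell
    else:
        tool = word if word in manifest else word + ".exe"
    if tool not in manifest:
        raise ValueError(f"{word}: not in the verified toolkit")
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    entry = f"{stamp}\t{tool}\t{manifest[tool]}\t{command}"
    log.append(entry)
    return entry


if __name__ == "__main__":
    import sys
    tool_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, digest in build_manifest(tool_dir).items():
        print(f"{digest}  {name}")
```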

Setting up a listener

To capture the data across a network connection a netcat listener can be set up on a remote PC using the following command:

C:\>nc -L -p 4455 > victimPC_date.log

This will capture any data sent to port 4455 and log it to a file called victimPC_date.log.

From The Victim PC

Log onto the victim PC and run the commands or the prepared batch file from your toolkit and pipe the results out to the netcat listener, the USB device or the network share.

Below are examples of the commands that can be run.

Running each of the commands individually would look something like below:

date /t | nc -w 1 IP_ADDRESS_OF_LISTENER 4455

time /t | nc -w 1 IP_ADDRESS_OF_LISTENER 4455

netstat -anovb | nc -w 1 IP_ADDRESS_OF_LISTENER 4455

fport | nc -w 1 IP_ADDRESS_OF_LISTENER 4455

........That's quite a lot of work, if you get the picture. If you were to create a batch file with entries such as the following, you could just pipe the batch file out to the listener or to a log file on a share or USB.

The batch file could contain the following:

date /t

time /t

ipconfig /all

netstat -anovb

net session

net user

.................and many more from the toolkit can be added. One thing to note is to make sure none of the commands require user input to continue. For example, time if used without the /t switch will hang, as will date. This reiterates the point of becoming familiar with the tools and testing them before an incident.

Supposing the batch file is called Volatile.bat you could execute the following command:

volatile.bat | nc -w 2 IP_ADDRESS_OF_LISTENER 4455

Or if F: is the USB or network share:

volatile.bat > F:\Victim_PC_Name.log

You then have the enviable task of going through the logs to find the cause of the incident. Once the data has been lifted from the PC it can be disconnected from the network by disconnecting the network cable if necessary.

If you require further information on the collection of volatile data or any aspects of forensics then the following books are excellent resources.

  • Windows Forensics and Incident Recovery from Harlan Carvey.
  • Incident Response by Kevin Mandia & Chris Prosise

A computer crime and forensics podcast can be found by googling CyberSpeak.