Thursday, March 28, 2013

Port Scan versus Port Sweep

If you're new to network security, you've no doubt heard the terms "port scan" and "port sweep" but may not be sure what the difference is.
A port scan is a scan of one host for one or more ports. For example, someone may scan a server for any of the privileged ports (server ports). Privileged ports are traditionally ports 1-1023 and are called that because under Linux you must have root privileges to bind a process to one of these ports. These days there a number of services that break this model, as the need for more ports has lead to services using high (also known as ephemeral) ports, 1024 and above. Ephemeral ports, also know as client side ports, are mostly used by the client as the source port to initiate a connection to the server on and are chosen by the operating system. The entire port range is 0-65535, though port 0 technically isn't supposed to be used.
A port sweep on the other hand is a scan of multiple hosts for one port. Scanning all the addresses in a 24 bit address space (what used to be called a class C netblock) for port 80 would be an example of a port sweep. In doing reconnaissance, an attacker (or a security admin testing his own systems) may sweep an address space for common open ports, then go back and do a port scan of each system that had an open port to see what all of the offered services are.
Nmap is the most well known of all port scanners and is under constant development and improvement by it's author, who goes by the screen name of Fyodor. His real name is Gordon Lyon (it's not a secret) and you can find nmap at his site, as well as at
Nmap has a large list of parameters and does more than just basic port scanning. It can do OS fingerprinting (trying to determine the operating system of a host by the way it responds to certain network stimuli) and has hundreds of scripts that it's scripting engine uses to do all sorts of discovery.
There is a Windows version of nmap, but if you're serious about getting started in network security you should really have at least one Linux box to do your testing and learning on. Most of the good NetSec tools were written natively for Linux and many of them have no Windows counterpart. (There are a few good Windows tools that don't run on Linux, but not nearly as many as the other way).
So read up on the documents and get started. Just make sure you ONLY scan devices you either own or have permission to scan. If you're scanning at work it's a really good idea to get that permission in writing, from someone who has the authority to grant it.

Friday, March 22, 2013

Tool Kit Essentials

Every intrusion analyst has to have a toolkit. It's not just the essential Linux programs you need to install on each machine you do analysis from, but it entails all those web sites you use to check sites, to help you deobfuscate malicious code, research exploits and the like, not to mention some of the good Windows-only tools you might be using (like NetWitness Investigator or Malzilla). I used to keep a flat file of all the tools I needed, but it quickly gets out of date. How do you determine what should be on that list?

I've received a flurry of emails lately from recruiters for IDS related posts they need to fill. As I was reading one, it struck me: If I took this job and needed to get up and running doing intrusion analysis on Day One, what would I need to make that happen? I realized that scenario defines what should be in my essential toolkit. Not those rarely used apps or sites that that duplicate things I can cmd line from the packet boxes, but what I HAVE to have.

So rather than create another list, I've decided I need (yet another) flash drive to keep with me at all times (at least when I'm working) that has current copies of essential tools, Windows and Linux, exported bookmarks, copies of notes I've taken and such so that I'm fairly comfortable that I could walk in the door of a new job and within a couple of hours be ready to start looking at alerts.

If you have a better method, please share. I don't have any plans to change jobs, but keeping this info close by and updated is also a way to keep up with version checking and making sure I always have the latest improvements in my tools.

Tuesday, March 12, 2013

Pen Test Sites

I'm a blue team guy, but occasionally I across some cool red team website or tip. Here's one, thanks to a post by Ed Skoudis. A student of his shared this excellent mind map of pen test practice sites for vulnerable apps and systems. You can find the site here.

Tuesday, March 5, 2013

DerbyCon 3.0

DerbyCon tickets go on sale April 1st. The con will be at the Hyatt Regency Louisville once again, and will run September 27-29th. Training will be September 25-26th and runs $1,000.00. General admission tickets to the conference only is $150.00, same as last year. Full info at the web site, Hope to see you there!

Blog Archive