Open Source

Open Source Security Systems
2/2/2023 Dr. Vivek Kapoor 1

Open-source software (OSS)
• It is a computer software that is available in source code form: the source code and
certain other rights normally reserved for copyright holders are provided under a
software license that permits users to study, change, improve and at times also to
distribute the software.
• Open source software is very often developed in a public, collaborative manner.
• Open-source software is the most prominent example of open-source development
and often compared to (technically defined) user-generated content or (legally
defined) open content movements.
• A report by the Standish Group states that adoption of open-source software models
has resulted in savings of about $60 billion per year to consumers.
• Software developers may want to publish their software with an open source license,
so that anybody may also develop the same software or understand its internal
functioning.
• Open source software generally allows anyone to create modifications of the
software, port it to new operating systems and processor architectures, share it with
others or, in some cases, market it.

History
• The free software movement was launched in 1983. In 1998, a group of individuals
advocated that the term free software should be replaced by open source software
(OSS) as an expression which is less ambiguous and more comfortable for the
corporate world.
• The Open Source Initiative (OSI) was formed in February 1998 by Raymond and
Perens.
• With about 20 years of evidence from case histories of closed and open development
already provided by the Internet, the OSI continued to present the 'open source' case
to commercial businesses.
• There are a number of commonly recognized barriers to the adoption of open source
software by enterprises. These barriers include the perception that open source
licenses are viral, lack of formal support and training, the velocity of change, and a
lack of a long term roadmap.
• A commonly employed business strategy of commercial open-source software firms
is the dual-license Strategy.

Development philosophy
• Users should be treated as co-developers so they should have access to the source
code of the software.
• The first version of the software should be released as early as possible so as to
increase one's chances of finding co-developers early.
• Code changes should be integrated (merged into a shared code base) as often as
possible so as to avoid the overhead of fixing a large number of bugs at the end of
the project life cycle.
• There should be a buggier version with more features and a more stable version with
fewer features. The buggy version (also called the development version) is for users
who want the immediate use of the latest features, and are willing to accept the risk
of using code that is not yet thoroughly tested. The users can then act as co-
developers, reporting bugs and providing bug fixes.
• The general structure of the software should be modular allowing for parallel
development on independent components.
• Dynamic decision making structure.

Licensing
• A license defines the rights and obligations that a licensor grants to a licensee.
• Open Source licenses grant licensees the right to copy, modify and redistribute
source code (or content). These licenses may also impose obligations (e.g.,
modifications to the code that are distributed must be made available in source code
form, an author attribution must be placed in a program/ documentation using that
Open Source, etc.).
• Unlike proprietary off-the-shelf software, which comes with restrictive copyright
licenses, open-source software can be given away for no charge. This means that its
creators cannot require each user to pay a license fee to fund development.

Advantages/Disadvantages
• Since open source software is open, defects and security flaws are more easily
found. Closed-source advocates argue that this makes it easier for a malicious
person to discover security flaws.
• Further, that there is no incentive for an open-source product to be patched.
• Further, if the patch is that significant to the user, having the source code, the user
can technically patch the problem themselves.
• These arguments are hard to prove. However, research indicates that the open-
source software - Linux - has a lower percentage of bugs than some commercial
software.

Open Source Security Tools
• Wireshark- Wireshark (known as Ethereal until a trademark dispute in Summer 2006)
is a fantastic open source multi-platform network protocol analyzer. It allows you to
examine data from a live network or from a capture file on disk. You can interactively
browse the capture data, delving down into just the level of packet detail you need.
Wireshark has several powerful features, including a rich display filter language and
the ability to view the reconstructed stream of a TCP session. It also supports
hundreds of protocols and media types.
• IPTables- It is a Linux based packet filtering firewall. Iptables interfaces to the Linux
netfilter module to perform filtering of network packets. This can be to deny/allow
traffic filter or perform Network Address Translation (NAT). With careful configuration
iptables can be a very cost effective, powerful and flexible firewall or gateway
solution.
• Nmap- Nmap ("Network Mapper") is a free and open source (license) utility for
network exploration or security auditing. Many systems and network administrators
also find it useful for tasks such as network inventory, managing service upgrade
schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel
ways to determine what hosts are available on the network, what services
(application name and version) those hosts are offering, what operating systems (and
OS versions) they are running, what type of packet filters/firewalls are in use, and
dozens of other characteristics. It was designed to rapidly scan large networks, but
works fine against single hosts.
• Snort- This network intrusion detection and prevention system excels at traffic
analysis and packet logging on IP networks. Snort detects thousands of worms,
vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a
flexible rule-based language to describe traffic that it should collect or pass, and a
modular detection engine.
• John the Ripper- John the Ripper is a fast password cracker for UNIX/Linux and Mac
OS X.. Its primary purpose is to detect weak Unix passwords, though it supports
hashes for many other platforms as well. There is an official free version, a
community-enhanced version (with many contributed patches but not as much quality
assurance), and an inexpensive pro version.
• Nikto- Nikto is an Open Source (GPL) web server scanner which performs
comprehensive tests against web servers for multiple items, including over 6400
potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers,
and version specific problems on over 270 servers.
• Hping- This handy little utility assembles and sends custom ICMP, UDP, or TCP
packets and then displays any replies. It was inspired by the ping command, but
offers far more control over the probes sent. It also has a handy traceroute mode and
supports IP fragmentation. It probe hosts behind a firewall that blocks attempts using
the standard utilities. This often allows you to map out firewall rule sets.

• Sysinternals- Sysinternals provides many small windows utilities that are quite useful
for low-level windows hacking. Some are free of cost and/or include source code,
while others are proprietary. Survey respondents were most enamored with:
ProcessExplorer for keeping an eye on the files and directories open by any process
(like lsof on UNIX).
PsTools for managing (executing, suspending, killing, detailing) local and remote
processes.
Autoruns for discovering what executables are set to run during system boot up or
login.
RootkitRevealer for detecting registry and file system API discrepancies that may
indicate the presence of a user-mode or kernel-mode rootkit.
TCPView, for viewing TCP and UDP traffic endpoints used by each process (like
Netstat on UNIX).

• Scapy- Scapy is a powerful interactive packet manipulation tool, packet generator,
network scanner, network discovery tool, and packet sniffer. Note that Scapy is a very
low-level tool—you interact with it using the Python programming language. It
provides classes to interactively create packets or sets of packets, manipulate them,
send them over the wire, sniff other packets from the wire, match answers and
replies, and more.
• THC Hydra- When you need to brute force crack a remote authentication service,
Hydra is often the tool of choice. It can perform rapid dictionary attacks against more
then 30 protocols, including telnet, ftp, http, https, smb, several databases, and much
more.
• TrueCrypt- TrueCrypt is an excellent open source disk encryption system for
Windows, Mac, and Linux systems. Users can encrypt entire filesystems, which are
then on-the-fly encrypted/decrypted as needed without user intervention beyond
initially entering their passphrase.
• Dsniff- This popular and well-engineered suite by Dug Song includes many tools:
dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a
network for interesting data (passwords, e-mail, files, etc.).

• Ophcrack- Ophcrack is a free rainbow-table based cracker for Windows passwords
(though the tool itself runs on Linux, Windows, and Mac).
• Netfilter- Netfilter is a powerful packet filter implemented in the standard Linux kernel.
The userspace iptables tool is used for configuration. It now supports packet filtering
(stateless or stateful), all kinds of network address and port translation (NAT/NAPT).
• PGP- PGP is the famous encryption system originally written by Phil Zimmerman
which helps secure your data from eavesdroppers and other risks. GnuPG is a very
well-regarded open source implementation of the PGP standard (the actual
executable is named gpg). While the excellent PGP is always free, PGP is now
owned by Symantec and costs a lot of money.
• Skipfish- skipfish is an active web application security reconnaissance tool. It
prepares an interactive sitemap for the targeted site by carrying out a recursive crawl
and dictionary-based probes. The resulting map is then annotated with the output
from a number of active (but hopefully non-disruptive) security checks. The final
report generated by the tool is meant to serve as a foundation for professional web
application security assessments.

• Firefox- Firefox is a web browser, a descendant of Mozilla. It emerged as a serious
competitor to Internet Explorer, with improved security as one of its features. While
Firefox no longer has a stellar security record, security professionals still appreciate it
for its wide selection of security-related add-ons, including Tamper Data, Firebug, and
NoScript.
• OpenVPN- OpenVPN is an open-source SSL VPN package which can accommodate
a wide range of configurations, including remote access, site-to-site VPNs, WiFi
security, and enterprise-scale remote access solutions with load balancing, failover,
and fine-grained access-controls. It supports flexible client authentication methods
based on certificates, smart cards, allows user or group-specific access control
policies using firewall rules applied to the VPN virtual interface. OpenVPN uses
OpenSSL as its primary cryptographic library.
• L0phtCrack- L0phtCrack attempts to crack Windows passwords from hashes which it
can obtain (given proper access) from stand-alone Windows workstations, networked
servers, primary domain controllers, or Active Directory. In some cases it can sniff the
hashes off the wire. It also has numerous methods of generating password guesses
(dictionary, brute force, etc).

• Firebug- Firebug is an add-on for Firefox that provides access to browser internals. It
features live editing of HTML and CSS, a DOM viewer, and a JavaScript debugger.
Web application security testers appreciate the ability to see what's happening behind
the scenes of the browser.
• KeePass- KeePass is a password manager. It stores many passwords which are
unlocked by one master password. The idea is to only have to remember one high-
quality password, and still be able to use unique passwords for various accounts. It
has a feature to automatically fill in passwords in web forms.
• Google- While it is far more than a security tool, Google's massive database is a gold
mine for security researchers and penetration testers. You can use it to dig up
information about a target company by using directives such as “site:target-
domain.com” and find employee names, sensitive information that they wrongly
thought was hidden, vulnerable software installations, and more.

IPTables
• What is iptables?
Iptables is in short a Linux based packet filtering firewall. Iptables interfaces to the
Linux netfilter module to perform filtering of network packets. This can be to
deny/allow traffic filter or perform Network Address Translation (NAT). With careful
configuration iptables can be a very cost effective, powerful and flexible firewall or
gateway solution. Iptables is available from http://www.netfilter.org/ or via your Linux
distribution.
• Introduction
A basic rule of thumb is that you want to block all inbound traffic and then specify
which traffic you want to receive. Depending on levels of security needed this policy
could also be applied to outgoing traffic. With iptables you first set rules to allow traffic
you want to get through the firewall then set a rule to deny all traffic.

IPTables
• Rules, Chains, and Tables

Iptables rules are grouped into chains. A chain is a set of rules used to determine
what to do with a packet. These chains are grouped into tables. Iptables has three
built in tables filter, NAT, mangle. More tables can be added through iptables
extensions.
• Filter Table
The filter table is used to allow and block traffic, and contains three chains INPUT,
OUTPUT, FORWARD. The input chain is used to filter packets destined for the local
system. The output chain is used to filter packets created by the local system. The
forward chain is used for packets passing through the system, mainly used for
gateways/routers.
• NAT Table
The NAT table is used to setup the rules to rewrite packets allowing NAT to happen.
This table also has 3 chains, PREROUTING, POSTROUTING, and OUTPUT. The
prerouting chain is where packets come to prior to being parsed by the local routing
table. The postrouting chain is where packets are sent after going through the local
routing table.

IPTables
• Basic Uses
The most common use of iptables is to simply block and allow traffic.
• Common Options and Switches
-A -- adds a rule at the end of the chain
-I -- inserts the rule at the given rule number. If no rule number is given the rule is
inserted at the head of the chain.
-p -- protocol of the rule
--dport the destination port to check on the rule
-i -- interface on which the packet was received.
-j -- what to do if the rule matches
-s -- source IP address of packet
-d -- destination IP address of packet

IPTables
• Allow Traffic
Iptables allows you to allow traffic based on a number of different conditions such as
Ethernet adapter, IP Address, port, and protocol.
Allow incoming TCP traffic on port 22 (ssh) for adapter eth0

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
Allow incoming TCP traffic on port 80 (HTTP) for the IP range 192.168.0.1 --
192.168.0.254.
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT

IPTables
• Block Traffic
Iptables can block traffic on the same conditions that traffic can be allowed.
Blocks inbound TCP traffic port 22 (ssh)

iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
Blocks inbound TCP traffic on port 80 (HTTP) from the IP 192.168.1.100

iptables -A INPUT -s 192.168.1.100 -p tcp -m tcp --dport 80 -j DROP

IPTables
• Examples
Drop all inbound telnet traffic
iptables -I INPUT -p tcp --dport 23 -j DROP
Drop all outbound web traffic
iptables -I OUTPUT -p tcp --dport 80 -j DROP
Drop all outbound traffic to 192.168.0.1

iptables -I OUTPUT -p tcp --dest 192.168.0.1 -j DROP
Allow all inbound web traffic

iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Allow inbound HTTPS traffic from 10.2.2.4

iptables -I INPUT -s 10.2.2.4 -p tcp -m tcp --dport 443 -j DROP
Deny outbound traffic to 192.2.4.0-192.2.4.255

iptables -I OUTPUT -d 192.2.4.6.0/24 -j DROP
Wireshark (Ethereal)
• When you run the Wireshark program, the Wireshark graphical user interface shown
in Figure 1 will de displayed. Initially, no data will be displayed in the various windows.

The Wireshark interface has five major components:
• The command menus are standard pulldown menus located at the top of the
window. Of interest to us now are the File and Capture menus. The File menu allows
you to save captured packet data or open a file containing previously captured packet
data, and exit the Wireshark application. The Capture menu allows you to begin
packet capture.
• The packet-listing window displays a one-line summary for each packet captured,
including the packet number (assigned by Wireshark; this is not a packet number
contained in any protocol’s header), the time at which the packet was captured, the
packet’s source and destination addresses, the protocol type, and protocol-specific
information contained in the packet. The packet listing can be sorted according to any
of these categories by clicking on a column name. The protocol type field lists the
highest level protocol that sent or received this packet, i.e., the protocol that is the
source or ultimate sink for this packet.

• The packet-header details window provides details about the packet selected
(highlighted) in the packet listing window. (To select a packet in the packet listing
window, place the cursor over the packet’s one-line summary in the packet listing
window and click with the left mouse button.). These details include information about
the Ethernet frame (assuming the packet was sent/receiverd over an Ethernet
interface) and IP datagram that contains this packet. The amount of Ethernet and IP-
layer detail displayed can be expanded or minimized by clicking on the plus-or-minus
boxes to the left of the Ethernet frame or IP datagram line in the packet details
window. If the packet has been carried over TCP or UDP, TCP or UDP details will also
be displayed, which can similarly be expanded or minimized. Finally, details about the
highest level protocol that sent or received this packet are also provided.
• The packet-contents window displays the entire contents of the captured frame, in
both ASCII and hexadecimal format.

• Towards the top of the Wireshark graphical user interface, is the packet display filter
field, into which a protocol name or other information can be entered in order to filter
the information displayed in the packet-listing window (and hence the packet-header
and packet-contents windows). In the example below, we’ll use the packet-display
filter field to have Wireshark hide (not display) packets except those that correspond
to HTTP messages.

Taking Wireshark for a Test Run
• The best way to learn about any new piece of software is to try it out! We’ll assume
that your computer is connected to the Internet via a wired Ethernet interface. Do the
following
1. Start up your favorite web browser, which will display your selected homepage.
2. Start up the Wireshark software. You will initially see a window similar to that shown in
Figure 2, except that no packet data will be displayed in the packetlisting,packet-
header, or packet-contents window, since Wireshark has not yet begun capturing
packets.
3. To begin packet capture, select the Capture pull down menu and select Options. This
will cause the “Wireshark: Capture Options” window to be displayed, as shown in
Figure 3.


4. You can use most of the default values in this window, but uncheck “Hide capture info
dialog” under Display Options. The network interfaces (i.e., the physical connections)
that your computer has to the network will be shown in the Interface pull down menu
at the top of the Capture Options window. In case your computer has more than one
active network interface (e.g., if you have both a wireless and a wired Ethernet
connection), you will need to select an interface that is being used to send and
receive packets (mostly likely the wired interface). After selecting the network
interface (or using the default interface chosen by Wireshark), click Start. Packet
capture will now begin - all packets being sent/received from/by your computer are
now being captured by Wireshark!
5. Once you begin packet capture, a packet capture summary window will appear, as
shown in Figure 4. This window summarizes the number of packets of various types
that are being captured, and (importantly!) contains the Stop button that will allow you
to stop packet capture. Don’t stop packet capture yet.


6. While Wireshark is running, enter the URL: http://gaia.cs.umass.edu/wireshark-
labs/INTRO-wireshark-file1.html
and have that page displayed in your browser. In order to display this page, your
browser will contact the HTTP server at gaia.cs.umass.edu and exchange HTTP
messages with the server in order to download this page, as discussed in previous
section of the text. The Ethernet frames containing these HTTP messages will be
captured by Wireshark.
7. After your browser has displayed the INTRO-wireshark-file1.html page, stop Wireshark
packet capture by selecting stop in the Wireshark capture window. This will cause the
Wireshark capture window to disappear and the main Wireshark window to display all
packets captured since you began packet capture. The main Wireshark window
should now look similar to Figure 2. You now have live packet data that contains all
protocol messages exchanged between your computer and other network entities!
The HTTP message exchanges with the gaia.cs.umass.edu web server should
appear somewhere in the listing of packets captured. But there will be many other
types of packets displayed as well (see, e.g., the many different protocol types shown
in the Protocol column in Figure 2). Even though the only action you took was to
download a web page, there were evidently many other protocols running on your
computer that are unseen by the user. We’ll learn much more about these protocols
as we progress through the text! For
2/2/2023 now, Kapoor
Dr. Vivek you should just be aware that there is often
28
much more going on than “meet’s the eye”!
8. Type in “http” (without the quotes, and in lower case – all protocol names are in lower
case in Wireshark) into the display filter specification window at the top of the main
Wireshark window. Then select Apply (to the right of where you entered “http”). This
will cause only HTTP message to be displayed in the packet-listing window.
9. Select the first http message shown in the packet-listing window. This should be the
HTTP GET message that was sent from your computer to the gaia.cs.umass.edu
HTTP server. When you select the HTTP GET message, the Ethernet frame, IP
datagram, TCP segment, and HTTP message header information will be displayed in
the packet-header window3. By clicking plusand- minus boxes to the left side of the
packet details window, minimize the amount of Frame, Ethernet, Internet Protocol,
and Transmission Control Protocol information displayed. Maximize the amount
information displayed about the HTTP protocol. Your Wireshark display should now
look roughly as shown in Figure 5. (Note, in particular, the minimized amount of
protocol information for all protocols except HTTP, and the maximized amount of
protocol information for HTTP in the packet-header window).


10. Exit Wireshark
Congratulations! You’ve now completed the first lab.

Nmap

Nmap
• Nmap is a free, open-source port scanner available for both UNIX and Windows. It
has an optional graphical front-end, NmapFE, and supports a wide variety of scan
types, each one with different benefits and drawbacks.
• The article assumes you have Nmap installed (or that you know how to install it.
Instructions are available on the Nmap website, http://www.insecure.org/
map/install/inst-source.html ), and that you have the required privileges to run the
scans detailed (many scans require root or Administrator privileges).

Nmap (Basic Scan Types [-sT, -sS])
• TCP connect() Scan [-sT]
These scans are so called because UNIX sockets programming uses a system call
named connect() to begin a TCP connection to a remote site. If connect() succeeds,
a connection was made. If it fails, the connection could not be made (the remote
system is offline, the port is closed, or some other error occurred along the way). This
allows a basic type of port scan, which attempts to connect to every port in turn, and
notes whether or not the connection succeeded. Once the scan is completed, ports to
which a connection could be established are listed as open, the rest are said to be
closed. This method of scanning is very effective, and provides a clear picture of the
ports you can and cannot access. If a connect() scan lists a port as open, you can
definitely connect to it - that is what the scanning computer just did! There is,
however, a major drawback to this kind of scan; it is very easy to detect on the
system being scanned. If a firewall or intrusion detection system is running on the
victim, attempts to connect() to every port on the system will almost always trigger a
warning. Indeed, with modern firewalls, an attempt to connect to a single port which
has been blocked or has not been specifically ”opened” will usually result in the
connection attempt being logged. Additionally, most servers will log connections and
their source IP, so it would be easy to detect the source of a TCP connect() scan. For
this reason, the TCP Stealth Scan was developed.
• SYN Stealth Scan [-sS]
• I’ll begin this section with an overview of the TCP connection process. Those familiar
with TCP/IP can skip the first few paragraphs. When a TCP connection is made
between two systems, a process known as a ”three way handshake” occurs. This
involves the exchange of three packets, and synchronizes the systems with each
other. The system initiating the connection sends a packet to the system it wants to
connect to. TCP packets have a header section with a flags field. Flags tell the
receiving end something about the type of packet, and thus what the correct
response is. Here, I will talk about only four of the possible flags. These are SYN
(Synchronies),
• ACK (Acknowledge), FIN (Finished) and RST (Reset). SYN packets include a TCP
sequence number, which lets the remote system know what sequence numbers to
expect in subsequent communication. ACK acknowledges receipt of a packet or set
of packets, FIN is sent when a communication is finished, requesting that the
connection be closed, and RST is sent when the connection is to be reset (closed
immediately). To initiate a TCP connection, the initiating system sends a SYN packet
to the destination, which will respond with a SYN of its own, and an ACK,
acknowledging the receipt of the first packet (these are combined into a single
SYN/ACK packet). The first system then sends an ACK packet to acknowledge
receipt of the SYN/ACK, and data transfer can then begin.
• SYN or Stealth scanning makes use of this procedure by sending a SYN packet and
looking at the response. If SYN/ACK is sent back, the port is open and the remote
end is trying to open a TCP connection. The scanner then sends an RST to tear down
the connection before it can be established fully; often preventing the connection
attempt appearing in application logs. If the port is closed, an RST will be sent. If it is
filtered, the SYN packet will have been dropped and no response will be sent. In this
way, Nmap can detect three port states - open, closed and filtered. Filtered ports may
require further probing since they could be subject to firewall rules which render them
open to some IPs or conditions, and closed to others.
• Modern firewalls and Intrusion Detection Systems can detect SYN scans, but in
combination with other features of Nmap, it is possible to create a virtually
undetectable SYN scan by altering timing and other options (explained later).

Nmap
• With the multitude of modern firewalls and IDS’ now looking out for SYN scans, these
three scan types may be useful to varying degrees. Each scan type refers to the flags
set in the TCP header. The idea behind these type of scans (FIN, Null and Xmas Tree
Scans) is that a closed port should respond with an RST upon receiving packets,
whereas an open port should just drop them (it’s listening for packets with SYN set).
This way, you never make even part of a connection, and never send a SYN packet;
which is what most IDS’ look out for.

Nmap
• The sample below shows a SYN scan and a FIN scan, performed against a
Linux system. The results are, predictably, the same, but the FIN scan is
less likely to show up in a logging system.
1 [chaos]# nmap -sS 127.0.0.1
2
3 Starting Nmap 4.01 at 2006-07-06 17:23 BST
4 Interesting ports on chaos (127.0.0.1):
5 (The 1668 ports scanned but not shown below are in state:
6 closed)
7 PORT STATE SERVICE
8 21/tcp open ftp
6
9 22/tcp open ssh
10 631/tcp open ipp
11 6000/tcp open X11
12
13 Nmap finished: 1 IP address (1 host up) scanned in 0.207
14 seconds

Nmap
15 [chaos]# nmap -sF 127.0.0.1
16
18 Interesting ports on chaos (127.0.0.1):
20 closed)
21 PORT STATE SERVICE
22 21/tcp open|filtered ftp
23 22/tcp open|filtered ssh
24 631/tcp open|filtered ipp
25 6000/tcp open|filtered X11
26
27 Nmap finished: 1 IP address (1 host up) scanned in 1.284
28 seconds

Nmap
• Other possible scans provided by Nmap is:
1. Ping Scan [-sP]-- This scan type lists the hosts within the specified range that
responded to a ping. It allows you to detect which computers are online, rather
than which ports are open. Four methods exist within Nmap for ping sweeping.
The first method sends an ICMP ECHO REQUEST (ping request) packet to the
destination system. If an ICMP ECHO REPLY is received, the system is up, and
ICMP packets are not blocked. If there is no response to the ICMP ping, Nmap will
try a ”TCP Ping”, to determine whether ICMP is blocked, or if the host is really not
online.
2. UDP Scan [-sU]-- Scanning for open UDP ports is done with the -sU option. With
this scan type, Nmap sends 0-byte UDP packets to each target port on the victim.
Receipt of an ICMP Port Unreachable message signifies the port is closed,
otherwise it is assumed open.
3. IP Protocol Scans [-sO]-- The IP Protocol Scans attempt to determine the IP
protocols supported on a target. Nmap sends a raw IP packet without any
additional protocol header to each protocol on the target machine. Receipt of an
ICMP Protocol Unreachable message tells us the protocol is not in use, otherwise
it is assumed open.
Nmap
• Results of an -sO on my Linux workstation are included below.
1 [chaos]# nmap -sO 127.0.0.1
2
4 Interesting protocols on chaos(127.0.0.1):
5 (The 251 protocols scanned but not shown below are
6 in state: closed)
7 PROTOCOL STATE SERVICE
8 1 open icmp
9 2 open|filtered igmp
10 6 open tcp
11 17 open udp
12 255 open|filtered unknown
13
14 Nmap finished: 1 IP address (1 host up) scanned in
15 1.259 seconds
Nmap
• Idle Scanning [-sI]
• Version Detection [-sV]
• ACK Scan [-sA]
• Window Scan, RPC Scan, List Scan [-sW, -sR, -sL]

Typical Scanning Session
• First, we’ll sweep the network with a simple Ping scan to determine which hosts
• are online.
1 [chaos]# nmap -sP 10.0.0.0/24
2
3 Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at
4 2006-07-14 14:19 BST
5 Host 10.0.0.1 appears to be up.
6 MAC Address: 00:09:5B:29:FD:96 (Netgear)
8 MAC Address: 00:0F:B5:96:38:5D (Netgear)
11 MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
12 Nmap finished: 256 IP addresses (4 hosts up) scanned in 5.399 seconds

• We’ll scan 10.0.0.1 using a SYN scan [-sS] and -A to enable OS fingerprinting
• and version detection.
1 [chaos]# nmap -sS -A 10.0.0.1
2
3 Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at
4 2006-07-14 14:23 BST
5 Insufficient responses for TCP sequencing (0),
6 OS detection may be less accurate
7 Interesting ports on 10.0.0.1:
9 closed)
10 PORT STATE SERVICE VERSION
11 80/tcp open tcpwrapped
12 MAC Address: 00:09:5B:29:FD:96 (Netgear)
13 Device type: WAP
14 Running: Compaq embedded, Netgear embedded
15 OS details: WAP: Compaq iPAQ Connection Point or
16 Netgear MR814
17
2/2/2023
18 Nmap finished: 1 IP address (1Dr.host
Vivekup)
Kapoor
scanned in 44
19 3.533 seconds
• The only open port is 80/tcp - in this case, the web admin interface for the router. OS
fingerprinting guessed it was a Netgear Wireless Access Point - in fact this is a
Netgear (wired) ADSL router. As it said, though, there were insufficient responses for
TCP sequencing to accurately detect the OS.

Privacy Tools to Stay Secure
• Tor Browser: It is designed to enable anonymous internet browsing. Fire Fox based
browser is simplest and quirkiest way to start using it. It can also block IP addresses
from specific countries.
• CyberGhost VPN: It is a virtual private network app that re routes your internet traffic
to hide your location and identity. Free version runs more slowly than paid for
premium service.
• Ghostery: Our surfing habits is being tracked by dozens of websites keen to sell their
products. That’s where Ghostry comes in. It is available for all browsers. You can
simply install it and let it get on with its job. So if you’d rather not share every click
with marketers, it’s must have.
• KeyScrambler: It is a tiny app (Under 1.5 MB) designed to encrypt every letter you
type into your web Browser to prevent it being intercepted by key logging software.
• AntiSpy for: It helps you disable advertising IDs, Smart Screen filtering, whether apps
can access your camera and so on.
• GnuPG: It is a open source higher version of PGP (Pretty Good Privancy) tool for
encrypting files and emails. It enables you to encrypt and digitall sign data and
documents with technology that is effectively unbreakable.

Privacy Tools to Stay Secure
• Tails: Privacy software. It leaves no trace of you in internet.
• Wise Folder Hider: Free privacy software: It hides things on your PC. It hides work
files from your kids, boss etc. It scrambles file as well as hides them.

.
THANK YOU
vkapoor@ietdavv.edu.in
vkapoor13@yahoo.com
09424566004 (M)

Open Source

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Open Source

Uploaded by

Copyright:

Available Formats

Open Source Security Systems

2/2/2023 Dr. Vivek Kapoor 1

2/2/2023 Dr. Vivek Kapoor 2

2/2/2023 Dr. Vivek Kapoor 3

2/2/2023 Dr. Vivek Kapoor 4

2/2/2023 Dr. Vivek Kapoor 5

2/2/2023 Dr. Vivek Kapoor 6

2/2/2023 Dr. Vivek Kapoor 8

2/2/2023 Dr. Vivek Kapoor 9

2/2/2023 Dr. Vivek Kapoor 10

2/2/2023 Dr. Vivek Kapoor 11

2/2/2023 Dr. Vivek Kapoor 12

2/2/2023 Dr. Vivek Kapoor 13

2/2/2023 Dr. Vivek Kapoor 14

• Rules, Chains, and Tables

2/2/2023 Dr. Vivek Kapoor 15

2/2/2023 Dr. Vivek Kapoor 16

Allow incoming TCP traffic on port 22 (ssh) for adapter eth0

2/2/2023 Dr. Vivek Kapoor 17

Blocks inbound TCP traffic port 22 (ssh)

Blocks inbound TCP traffic on port 80 (HTTP) from the IP 192.168.1.100

2/2/2023 Dr. Vivek Kapoor 18

Drop all outbound traffic to 192.168.0.1

Allow all inbound web traffic

Allow inbound HTTPS traffic from 10.2.2.4

Deny outbound traffic to 192.2.4.0-192.2.4.255

2/2/2023 Dr. Vivek Kapoor 20

2/2/2023 Dr. Vivek Kapoor 21

2/2/2023 Dr. Vivek Kapoor 22

2/2/2023 Dr. Vivek Kapoor 23

2/2/2023 Dr. Vivek Kapoor 24

2/2/2023 Dr. Vivek Kapoor 25

2/2/2023 Dr. Vivek Kapoor 26

2/2/2023 Dr. Vivek Kapoor 27

2/2/2023 Dr. Vivek Kapoor 29

2/2/2023 Dr. Vivek Kapoor 30

2/2/2023 Dr. Vivek Kapoor 31

2/2/2023 Dr. Vivek Kapoor 32

2/2/2023 Dr. Vivek Kapoor 33

2/2/2023 Dr. Vivek Kapoor 36

2/2/2023 Dr. Vivek Kapoor 37

2/2/2023 Dr. Vivek Kapoor 38

2/2/2023 Dr. Vivek Kapoor 39

2/2/2023 Dr. Vivek Kapoor 42

2/2/2023 Dr. Vivek Kapoor 43

2/2/2023 Dr. Vivek Kapoor 45

2/2/2023 Dr. Vivek Kapoor 46

2/2/2023 Dr. Vivek Kapoor 47

2/2/2023 Dr. Vivek Kapoor 48

You might also like