Open Source Security Systems

05/13/22 Dr. Vivek Kapoor 1


Open-source software (OSS)
• Computer software that is distributed in source code form: the source code, and certain other
rights normally reserved for copyright holders, are provided under a software license that
permits users to study, change and improve the software, and usually to redistribute it as well.
• Open source software is very often developed in a public, collaborative manner.
• Open-source software is the most prominent example of open-source development and is
often compared to (technically defined) user-generated content or (legally defined) open
content movements.
• A report by the Standish Group states that adoption of open-source software models has
resulted in savings of about $60 billion per year to consumers.
• Software developers may publish their software under an open source license so that
anybody may build on the same software or understand its internal functioning.
• Open source software generally allows anyone to create modifications of the software, port
it to new operating systems and processor architectures, share it with others or, in some
cases, market it.

History
• The free software movement was launched in 1983. In 1998, a group of individuals advocated
that the term free software be replaced by open source software (OSS), an expression that is
less ambiguous and more comfortable for the corporate world.
• The Open Source Initiative (OSI) was formed in February 1998 by Eric S. Raymond and
Bruce Perens.
• With about 20 years of evidence from case histories of closed and open development
already provided by the Internet, the OSI continued to present the 'open source' case to
commercial businesses.
• There are a number of commonly recognized barriers to the adoption of open source
software by enterprises: the perception that open source licenses are viral, lack of formal
support and training, the velocity of change, and the lack of a long-term roadmap.
• A commonly employed business strategy of commercial open-source software firms is the
dual-license strategy: the same code is offered under a copyleft license for free use and under
a commercial license for customers who cannot or will not accept the copyleft terms.

Development philosophy
• Users should be treated as co-developers, so they should have access to the source code of
the software.
• The first version of the software should be released as early as possible, to increase the
chances of finding co-developers early.
• Code changes should be integrated (merged into a shared code base) as often as possible, to
avoid the overhead of fixing a large number of bugs at the end of the project life cycle.
• There should be a buggier version with more features and a more stable version with fewer
features. The buggy version (also called the development version) is for users who want
immediate use of the latest features and are willing to accept the risk of running code that is
not yet thoroughly tested. Those users then act as co-developers, reporting bugs and
providing bug fixes.
• The general structure of the software should be modular, allowing parallel development on
independent components.
• The project should have a dynamic decision-making structure rather than one fixed in
advance.

Licensing
• A license defines the rights and obligations that a licensor grants to a licensee.
• Open source licenses grant licensees the right to copy, modify and redistribute source code
(or content). These licenses may also impose obligations (e.g., modifications to the code that
are distributed must be made available in source code form, or an author attribution must be
placed in a program/documentation that uses the open source code).
• Unlike proprietary off-the-shelf software, which comes with restrictive copyright licenses,
open-source software can be given away for no charge. This means that its creators cannot
require each user to pay a license fee to fund development.

Advantages/Disadvantages
• Because the source is open, defects and security flaws are more easily found. Closed-source
advocates argue that this also makes it easier for a malicious person to discover security
flaws.
• They further argue that there is no commercial incentive for an open-source product to be
patched.
• The counter-argument is that if a patch matters enough to a user, having the source code
means the user can technically patch the problem themselves (or pay someone to), rather
than waiting on a vendor.
• These arguments are hard to prove either way. However, research indicates that the
open-source Linux kernel has a lower defect density than some commercial software.

Open Source Security Tools
• Wireshark- Wireshark (known as Ethereal until a trademark dispute in Summer 2006)
is a fantastic open source multi-platform network protocol analyzer. It allows you to
examine data from a live network or from a capture file on disk. You can interactively
browse the capture data, delving down into just the level of packet detail you need.
Wireshark has several powerful features, including a rich display filter language and
the ability to view the reconstructed stream of a TCP session. It also supports
hundreds of protocols and media types.
• IPTables- It is a Linux based packet filtering firewall. Iptables interfaces to the Linux
netfilter module to perform filtering of network packets. This can be to deny/allow
traffic filter or perform Network Address Translation (NAT). With careful configuration
iptables can be a very cost effective, powerful and flexible firewall or gateway
solution.
• Nmap- Nmap ("Network Mapper") is a free and open source (license) utility for
network exploration or security auditing. Many systems and network administrators
also find it useful for tasks such as network inventory, managing service upgrade
schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel
ways to determine what hosts are available on the network, what services
(application name and version) those hosts are offering, what operating systems (and
OS versions) they are running, what type of packet filters/firewalls are in use, and
dozens of other characteristics. It was designed to rapidly scan large networks, but
works fine against single hosts.
• Snort- This network intrusion detection and prevention system excels at traffic
analysis and packet logging on IP networks. Snort detects thousands of worms,
vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a
flexible rule-based language to describe traffic that it should collect or pass, and a
modular detection engine.
• John the Ripper- John the Ripper is a fast password cracker for UNIX/Linux and Mac
OS X. Its primary purpose is to detect weak Unix passwords, though it supports hashes for
many other platforms as well. There is an official free version, a community-enhanced version
(the "jumbo" build, with many contributed patches but not as much quality assurance), and
an inexpensive pro version.
• Nikto- Nikto is an Open Source (GPL) web server scanner which performs
comprehensive tests against web servers for multiple items, including over 6400
potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers,
and version specific problems on over 270 servers.
• Hping- This handy little utility assembles and sends custom ICMP, UDP, or TCP packets
and then displays any replies. It was inspired by the ping command, but offers far more
control over the probes sent. It also has a handy traceroute mode and supports IP
fragmentation. It can probe hosts behind a firewall that blocks attempts made with the
standard utilities, which often allows you to map out firewall rule sets.

• Sysinternals- Sysinternals (now part of Microsoft) provides many small Windows utilities that
are quite useful for low-level Windows work. All are free of cost, but since Microsoft's 2006
acquisition they ship as binaries only, so they are not open source in the sense of the rest of
this list. Survey respondents were most enamored with:
ProcessExplorer for keeping an eye on the files and directories open by any process
(like lsof on UNIX).
PsTools for managing (executing, suspending, killing, detailing) local and remote
processes.
Autoruns for discovering what executables are set to run during system boot up or
login.
RootkitRevealer for detecting registry and file system API discrepancies that may
indicate the presence of a user-mode or kernel-mode rootkit.
TCPView, for viewing TCP and UDP traffic endpoints used by each process (like
Netstat on UNIX).

• Scapy- Scapy is a powerful interactive packet manipulation tool, packet generator,
network scanner, network discovery tool, and packet sniffer. Note that Scapy is a very
low-level tool—you interact with it using the Python programming language. It
provides classes to interactively create packets or sets of packets, manipulate them,
send them over the wire, sniff other packets from the wire, match answers and
replies, and more.
• THC Hydra- When you need to brute force a remote authentication service, Hydra is often
the tool of choice. It can perform rapid dictionary attacks against more than 30 protocols,
including telnet, ftp, http, https, smb, several databases, and much more.
• TrueCrypt- TrueCrypt was a widely used open source disk encryption system for Windows,
Mac, and Linux systems. Users can encrypt entire filesystems, which are then
encrypted/decrypted on the fly without user intervention beyond initially entering their
passphrase. Its developers abandoned the project in 2014 with a warning that it was no
longer maintained; VeraCrypt is the maintained fork that current deployments should use.
• Dsniff- This popular and well-engineered suite by Dug Song includes many tools:
dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a
network for interesting data (passwords, e-mail, files, etc.).

• Ophcrack- Ophcrack is a free rainbow-table based cracker for Windows passwords
(though the tool itself runs on Linux, Windows, and Mac).
• Netfilter- Netfilter is a powerful packet filter implemented in the standard Linux kernel.
The userspace iptables tool is used for configuration. It now supports packet filtering
(stateless or stateful), all kinds of network address and port translation (NAT/NAPT).
• PGP- PGP is the famous encryption system originally written by Phil Zimmermann which
helps secure your data from eavesdroppers and other risks. GnuPG is a very well-regarded
open source implementation of the OpenPGP standard (the actual executable is named gpg).
While GnuPG is always free, the PGP product line itself is commercial (sold to Symantec,
whose enterprise security business now belongs to Broadcom) and costs a lot of money.
• Skipfish- skipfish is an active web application security reconnaissance tool. It
prepares an interactive sitemap for the targeted site by carrying out a recursive crawl
and dictionary-based probes. The resulting map is then annotated with the output
from a number of active (but hopefully non-disruptive) security checks. The final
report generated by the tool is meant to serve as a foundation for professional web
application security assessments.

• Firefox- Firefox is a web browser descended from the Mozilla suite. It emerged as a serious
competitor to Internet Explorer, with improved security as one of its features. While Firefox
no longer has a stellar security record, security professionals still appreciate it for its wide
selection of security-related add-ons, including Tamper Data, Firebug, and NoScript (Firebug
has since been retired in favour of the browser's built-in Developer Tools).
• OpenVPN- OpenVPN is an open-source SSL/TLS VPN package which can accommodate a
wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and
enterprise-scale remote access solutions with load balancing, failover, and fine-grained
access controls. It supports flexible client authentication methods based on certificates and
smart cards, and allows user- or group-specific access control policies using firewall rules
applied to the VPN virtual interface. OpenVPN uses OpenSSL as its primary cryptographic
library.
• L0phtCrack- L0phtCrack attempts to crack Windows passwords from hashes which it
can obtain (given proper access) from stand-alone Windows workstations, networked
servers, primary domain controllers, or Active Directory. In some cases it can sniff the
hashes off the wire. It also has numerous methods of generating password guesses
(dictionary, brute force, etc).

• Firebug- Firebug was an add-on for Firefox that provided access to browser internals. It
featured live editing of HTML and CSS, a DOM viewer, and a JavaScript debugger. Web
application security testers appreciate the ability to see what's happening behind the scenes
of the browser; the same capabilities now live in Firefox's built-in Developer Tools.
• KeePass- KeePass is a password manager. It stores many passwords which are
unlocked by one master password. The idea is to only have to remember one high-
quality password, and still be able to use unique passwords for various accounts. It
has a feature to automatically fill in passwords in web forms.
• Google- While it is far more than a security tool, Google's massive index is a gold mine for
security researchers and penetration testers. You can use it to dig up information about a
target company with search operators such as "site:target-domain.com" and find employee
names, sensitive information that they wrongly thought was hidden, vulnerable software
installations, and more.

IPTables

• What is iptables?
Iptables is, in short, a Linux based packet filtering firewall. Iptables is the userspace front-end
to the Linux netfilter framework, which performs the filtering of network packets in the
kernel. This can be used to deny/allow traffic or to perform Network Address Translation
(NAT). With careful configuration iptables can be a very cost effective, powerful and flexible
firewall or gateway solution. Iptables is available from http://www.netfilter.org/ or via your
Linux distribution.
• Introduction
A basic rule of thumb is that you want to block all inbound traffic and then specify which
traffic you want to receive. Depending on the level of security needed this policy can also be
applied to outgoing traffic. With iptables you first add rules to allow the traffic you want to
get through the firewall and then set a rule to deny all traffic. Order matters: the rules in a
chain are evaluated top to bottom and the first match wins, so the catch-all DROP must come
after every ACCEPT (appended last with -A, or set as the chain's default policy with
-P INPUT DROP). When configuring a remote machine, allow packets belonging to
established connections before the catch-all DROP, or the SSH session you are typing in will
be cut off.

• Rules, Chains, and Tables
Iptables rules are grouped into chains. A chain is an ordered list of rules used to determine
what to do with a packet. These chains are grouped into tables. Iptables has three main
built-in tables, filter, nat and mangle (newer kernels also provide raw and security). More
matches and targets can be added through iptables extensions.
• Filter Table
The filter table is used to allow and block traffic, and contains three chains: INPUT,
OUTPUT, FORWARD. The INPUT chain filters packets destined for the local system. The
OUTPUT chain filters packets created by the local system. The FORWARD chain is for
packets passing through the system, mainly used on gateways/routers.
• NAT Table
The nat table holds the rules that rewrite packet addresses so that NAT can happen. This
table also has three chains: PREROUTING, POSTROUTING, and OUTPUT. PREROUTING
sees packets before the local routing decision, so it is where destination NAT (DNAT, e.g.
port forwarding) is done. POSTROUTING sees packets after the routing decision, so it is
where source NAT (SNAT, or MASQUERADE for a shared uplink) is done. OUTPUT handles
DNAT for packets generated locally.

• Basic Uses
The most common use of iptables is to simply block and allow traffic.
• Common Options and Switches
-A -- appends a rule at the end of the chain
-I -- inserts the rule at the given rule number. If no rule number is given the rule is
inserted at the head of the chain, so later -I rules take precedence over earlier ones.
-P -- sets the default policy of a built-in chain (what happens to packets no rule matched)
-p -- protocol of the rule (tcp, udp, icmp, ...)
--dport -- the destination port to check (requires -p tcp or -p udp)
-i -- interface on which the packet was received
-j -- what to do if the rule matches (ACCEPT, DROP, REJECT, LOG, ...)
-s -- source IP address or network of the packet
-d -- destination IP address or network of the packet

• Allow Traffic
Iptables allows you to allow traffic based on a number of different conditions such as
Ethernet adapter, IP Address, port, and protocol.

Allow incoming TCP traffic on port 22 (ssh) for adapter eth0


iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

Allow incoming TCP traffic on port 80 (HTTP) from the 192.168.0.0/24 network
(192.168.0.0 -- 192.168.0.255).
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT

• Block Traffic
Iptables can block traffic on the same conditions that traffic can be allowed.

Blocks inbound TCP traffic port 22 (ssh)


iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP

Blocks inbound TCP traffic on port 80 (HTTP) from the IP 192.168.1.100


iptables -A INPUT -s 192.168.1.100 -p tcp -m tcp --dport 80 -j DROP

• Examples
These examples use -I, so each rule goes to the head of its chain and takes precedence over
the rules already there.
Drop all inbound telnet traffic
iptables -I INPUT -p tcp --dport 23 -j DROP
Drop all outbound web traffic
iptables -I OUTPUT -p tcp --dport 80 -j DROP
Drop all outbound traffic to 192.168.0.1 (no -p, so every protocol is matched)
iptables -I OUTPUT -d 192.168.0.1 -j DROP
Allow all inbound web traffic
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Allow inbound HTTPS traffic from 10.2.2.4
iptables -I INPUT -s 10.2.2.4 -p tcp -m tcp --dport 443 -j ACCEPT
Deny outbound traffic to 192.2.4.0-192.2.4.255 (CIDR notation 192.2.4.0/24)
iptables -I OUTPUT -d 192.2.4.0/24 -j DROP
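The following script, added here as an example rather than taken from the slides or from the netfilter project, turns the rule of thumb above into a reviewable default-deny INPUT ruleset: it builds every iptables command as an argv list in the order they must run, prints them for review by default, and only executes them when run with --apply. The interface name eth0 and the 192.168.0.0/24 network are the values used in the slides; the conntrack, limit and LOG modules are standard iptables extensions.

```python
"""Build a default-deny iptables INPUT policy, dry-run by default."""
import subprocess
import sys


def build_input_rules(ssh_iface="eth0", http_src="192.168.0.0/24", allow_http=True):
    """Return the iptables commands, as argv lists, in the order they must run.

    Order matters: rules appended with -A are evaluated top to bottom and the
    first match wins, so the catch-all DROP policy is set last, after every
    ACCEPT. (eth0 and 192.168.0.0/24 are the example values from the slides.)
    """
    rules = [
        # Make re-runs idempotent: open the chain, then empty it. For the
        # instant these two commands take the host accepts everything, which
        # is still safer than DROP-then-flush, which would cut off the SSH
        # session applying the rules.
        ["iptables", "-P", "INPUT", "ACCEPT"],
        ["iptables", "-F", "INPUT"],
        # Loopback is needed by local services (resolvers, databases, ...).
        ["iptables", "-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
        # Replies to connections this host initiated, plus related traffic
        # such as ICMP errors and FTP data channels (conntrack module).
        ["iptables", "-A", "INPUT", "-m", "conntrack", "--ctstate",
         "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        # Packets that claim to belong to a connection conntrack never saw.
        ["iptables", "-A", "INPUT", "-m", "conntrack", "--ctstate", "INVALID",
         "-j", "DROP"],
        # The explicit allow from the slides: SSH on one interface only.
        ["iptables", "-A", "INPUT", "-i", ssh_iface, "-p", "tcp", "--dport", "22",
         "-j", "ACCEPT"],
    ]
    if allow_http:
        # HTTP, but only from the local network.
        rules.append(["iptables", "-A", "INPUT", "-s", http_src, "-p", "tcp",
                      "--dport", "80", "-j", "ACCEPT"])
    # Log a rate-limited sample of what is about to be refused, so the DROP
    # policy can be debugged from the kernel log, then refuse everything else.
    rules.append(["iptables", "-A", "INPUT", "-m", "limit", "--limit", "5/min",
                  "-j", "LOG", "--log-prefix", "iptables-drop:"])
    rules.append(["iptables", "-P", "INPUT", "DROP"])
    return rules


def render(rules):
    """One shell line per command, for review before anything is applied."""
    return "\n".join(" ".join(argv) for argv in rules)


def apply_rules(rules, runner=subprocess.run):
    """Execute the commands in order; check=True stops at the first failure."""
    for argv in rules:
        runner(argv, check=True)


if __name__ == "__main__":
    ruleset = build_input_rules()
    if "--apply" in sys.argv:
        apply_rules(ruleset)      # needs root (CAP_NET_ADMIN)
    else:
        print(render(ruleset))    # dry run: read the rules before applying
```

Run it without arguments on any machine to see the exact commands; run it with --apply as root on the firewall host. Keeping the ESTABLISHED,RELATED rule ahead of the service rules is what lets a remote administrator apply this without losing the session, and setting the DROP policy last is what makes the chain safe to rebuild.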
Wireshark (Ethereal)
• When you run the Wireshark program, the Wireshark graphical user interface shown in Figure
1 will be displayed. Initially, no data will be displayed in the various windows.

The Wireshark interface has five major components:
• The command menus are standard pulldown menus located at the top of the window. Of
interest to us now are the File and Capture menus. The File menu allows you to save captured
packet data or open a file containing previously captured packet data, and exit the Wireshark
application. The Capture menu allows you to begin packet capture.
• The packet-listing window displays a one-line summary for each packet captured, including
the packet number (assigned by Wireshark; this is not a packet number contained in any
protocol’s header), the time at which the packet was captured, the packet’s source and
destination addresses, the protocol type, and protocol-specific information contained in the
packet. The packet listing can be sorted according to any of these categories by clicking on a
column name. The protocol type field lists the highest level protocol that sent or received this
packet, i.e., the protocol that is the source or ultimate sink for this packet.

• The packet-header details window provides details about the packet selected (highlighted) in
the packet listing window. (To select a packet in the packet listing window, place the cursor
over the packet’s one-line summary in the packet listing window and click with the left mouse
button.) These details include information about the Ethernet frame (assuming the packet was
sent/received over an Ethernet interface) and IP datagram that contains this packet. The
amount of Ethernet and IP-layer detail displayed can be expanded or minimized by clicking on
the plus-or-minus boxes to the left of the Ethernet frame or IP datagram line in the packet
details window. If the packet has been carried over TCP or UDP, TCP or UDP details will also
be displayed, which can similarly be expanded or minimized. Finally, details about the highest
level protocol that sent or received this packet are also provided.
• The packet-contents window displays the entire contents of the captured frame, in both
ASCII and hexadecimal format.

• Towards the top of the Wireshark graphical user interface, is the packet display filter field,
into which a protocol name or other information can be entered in order to filter the
information displayed in the packet-listing window (and hence the packet-header and packet-
contents windows). In the example below, we’ll use the packet-display filter field to have
Wireshark hide (not display) packets except those that correspond to HTTP messages.
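To make the layering concrete, here is an added example (not part of the original lab material) that builds two Ethernet frames from constructed data, decodes them into the same Frame / Ethernet / IP / TCP / HTTP layers the packet-header window shows, verifies the IPv4 header checksum the way Wireshark does, and applies a minimal "http" display filter of the kind used in the lab. MAC and IP addresses are made up; the GET line matches the URL used in the lab.

```python
"""Decode a constructed Ethernet/IPv4/TCP/HTTP frame into the layers the
packet-header window shows, and apply a minimal display filter."""
import socket
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ip_checksum(header):
    """RFC 1071 one's-complement sum. Over a header whose checksum field is
    already filled in, a correct header yields 0 (this is how it is verified)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Assemble Ethernet + IPv4 + TCP (+ payload). Constructed data only; the
    TCP checksum is left at 0, which Wireshark would flag but we do not check."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in checksum
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")  # EtherType IPv4
    return eth + ip + tcp


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def decode_frame(frame):
    """Return the layers outermost first, like the packet-details pane."""
    layers = {"Frame": {"length": len(frame)}}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["Ethernet"] = {"dst": _mac(frame[:6]), "src": _mac(frame[6:12]),
                          "type": "0x%04x" % ethertype}
    if ethertype != 0x0800:
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    layers["IP"] = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
                    "proto": proto, "checksum_ok": ip_checksum(ip[:ihl]) == 0}
    if proto != 6:
        return layers
    tcp = ip[ihl:total_len]
    sport, dport, seq, _, offset, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    layers["TCP"] = {"sport": sport, "dport": dport, "seq": seq,
                     "flags": [name for bit, name in TCP_FLAGS if flags & bit]}
    payload = tcp[(offset >> 4) * 4:]
    if payload and 80 in (sport, dport):   # Wireshark picks the HTTP dissector by port
        layers["HTTP"] = {"request_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace")}
    return layers


def highest_protocol(layers):
    """What the Protocol column shows: the innermost layer that was dissected."""
    return list(layers)[-1]


def display_filter(frames, proto):
    """Minimal 'http' / 'tcp' / 'ip' display filter: keep frames containing that layer."""
    return [f for f in frames if proto.upper() in decode_frame(f)]


def sample_frames():
    """Two constructed frames: the lab's HTTP GET, and a bare SYN to port 22."""
    get = (b"GET /wireshark-labs/INTRO-wireshark-file1.html HTTP/1.1\r\n"
           b"Host: gaia.cs.umass.edu\r\n\r\n")
    client, gateway = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # made-up MACs
    return [
        build_frame(client, gateway, "192.168.0.10", "203.0.113.7", 51234, 80, 0x18, get),
        build_frame(client, gateway, "192.168.0.10", "192.168.0.1", 51235, 22, 0x02),
    ]


if __name__ == "__main__":
    for frame in display_filter(sample_frames(), "http"):
        for layer, fields in decode_frame(frame).items():
            print(layer, fields)
```

The order of the keys in the decoded dictionary is the order of the rows in the packet-header window, and the last key is what the Protocol column reports, which is why the SYN frame shows up as TCP while the GET shows up as HTTP even though both are TCP segments.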

Taking Wireshark for a Test Run
• The best way to learn about any new piece of software is to try it out! We’ll assume that your
computer is connected to the Internet via a wired Ethernet interface. Do the following
1. Start up your favorite web browser, which will display your selected homepage.
2. Start up the Wireshark software. You will initially see a window similar to that shown in Figure
2, except that no packet data will be displayed in the packet-listing, packet-header, or packet-
contents window, since Wireshark has not yet begun capturing packets.
3. To begin packet capture, select the Capture pull down menu and select Options. This will cause
the “Wireshark: Capture Options” window to be displayed, as shown in Figure 3.

4. You can use most of the default values in this window, but uncheck “Hide capture info dialog”
under Display Options. The network interfaces (i.e., the physical connections) that your
computer has to the network will be shown in the Interface pull down menu at the top of the
Capture Options window. In case your computer has more than one active network interface
(e.g., if you have both a wireless and a wired Ethernet connection), you will need to select an
interface that is being used to send and receive packets (most likely the wired interface).
After selecting the network interface (or using the default interface chosen by Wireshark),
click Start. Packet capture will now begin - all packets being sent/received from/by your
computer are now being captured by Wireshark!
5. Once you begin packet capture, a packet capture summary window will appear, as shown in
Figure 4. This window summarizes the number of packets of various types that are being
captured, and (importantly!) contains the Stop button that will allow you to stop packet
capture. Don’t stop packet capture yet.

6. While Wireshark is running, enter the URL http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-file1.html
and have that page displayed in your browser. In order to display this page, your browser will
contact the HTTP server at gaia.cs.umass.edu and exchange HTTP messages with the server in
order to download this page, as discussed in previous section of the text. The Ethernet frames
containing these HTTP messages will be captured by Wireshark.
7. After your browser has displayed the INTRO-wireshark-file1.html page, stop Wireshark packet
capture by selecting stop in the Wireshark capture window. This will cause the Wireshark
capture window to disappear and the main Wireshark window to display all packets captured
since you began packet capture. The main Wireshark window should now look similar to
Figure 2. You now have live packet data that contains all protocol messages exchanged
between your computer and other network entities! The HTTP message exchanges with the
gaia.cs.umass.edu web server should appear somewhere in the listing of packets captured. But
there will be many other types of packets displayed as well (see, e.g., the many different
protocol types shown in the Protocol column in Figure 2). Even though the only action you
took was to download a web page, there were evidently many other protocols running on your
computer that are unseen by the user. We’ll learn much more about these protocols as we
progress through the text! For now, you should just be aware that there is often much more
going on than "meets the eye"!
8. Type in "http" (without the quotes, and in lower case; all protocol names are in lower case in
Wireshark) into the display filter specification window at the top of the main Wireshark
window. Then select Apply (to the right of where you entered "http"). This will cause only
HTTP messages to be displayed in the packet-listing window.
9. Select the first http message shown in the packet-listing window. This should be the HTTP GET
message that was sent from your computer to the gaia.cs.umass.edu HTTP server. When you
select the HTTP GET message, the Ethernet frame, IP datagram, TCP segment, and HTTP
message header information will be displayed in the packet-header window. By clicking the
plus-and-minus boxes to the left side of the packet details window, minimize the amount of
Frame, Ethernet, Internet Protocol, and Transmission Control Protocol information displayed.
Maximize the amount of information displayed about the HTTP protocol. Your Wireshark
display should now look roughly as shown in Figure 5. (Note, in particular, the minimized
amount of protocol information for all protocols except HTTP, and the maximized amount of
protocol information for HTTP in the packet-header window.)

10. Exit Wireshark
Congratulations! You’ve now completed the first lab.

Nmap
• Nmap is a free, open-source port scanner available for both UNIX and Windows. It has an
optional graphical front-end (NmapFE at the time of writing, since replaced by Zenmap), and
supports a wide variety of scan types, each one with different benefits and drawbacks.
• The article assumes you have Nmap installed (or that you know how to install it; instructions
are available on the Nmap website, http://www.insecure.org/nmap/install/inst-source.html),
and that you have the required privileges to run the scans detailed (many scans, including the
SYN scan, require root or Administrator privileges because they send raw packets).

Nmap (Basic Scan Types [-sT, -sS])
• TCP connect() Scan [-sT]
These scans are so called because UNIX sockets programming uses a system call named
connect() to begin a TCP connection to a remote site. If connect() succeeds, a connection was
made. If it fails, the connection could not be made (the remote system is offline, the port is
closed, or some other error occurred along the way). This allows a basic type of port scan,
which attempts to connect to every port in turn and notes whether or not the connection
succeeded. Once the scan is completed, ports to which a connection could be established are
listed as open; the rest are said to be closed. This method of scanning is very effective, and
provides a clear picture of the ports you can and cannot access. If a connect() scan lists a port
as open, you can definitely connect to it - that is what the scanning computer just did! It also
needs no special privileges, which is why Nmap falls back to it when not run as root. There
is, however, a major drawback to this kind of scan: it is very easy to detect on the system
being scanned. If a firewall or intrusion detection system is running on the target, attempts to
connect() to every port on the system will almost always trigger a warning. Indeed, with
modern firewalls, an attempt to connect to a single port which has been blocked or has not
been specifically "opened" will usually result in the connection attempt being logged.
Additionally, because the handshake completes, the application listening on an open port sees
a real connection, and most servers log it together with its source IP, so it is easy to trace the
source of a TCP connect() scan. For this reason, the TCP Stealth Scan was developed.

• SYN Stealth Scan [-sS]
• I'll begin this section with an overview of the TCP connection process. Those familiar with
TCP/IP can skip the first few paragraphs. When a TCP connection is made between two
systems, a process known as a "three way handshake" occurs. This involves the exchange of
three packets, and synchronizes the systems with each other. The system initiating the
connection sends a packet to the system it wants to connect to. TCP packets have a header
section with a flags field. Flags tell the receiving end something about the type of packet, and
thus what the correct response is. Here, I will talk about only four of the possible flags. These
are SYN (Synchronize), ACK (Acknowledge), FIN (Finished) and RST (Reset). SYN packets
include a TCP sequence number, which lets the remote system know what sequence numbers
to expect in subsequent communication. ACK acknowledges receipt of a packet or set of
packets, FIN is sent when a communication is finished, requesting that the connection be
closed, and RST is sent when the connection is to be reset (closed immediately). To initiate a
TCP connection, the initiating system sends a SYN packet to the destination, which will
respond with a SYN of its own, and an ACK, acknowledging the receipt of the first packet
(these are combined into a single SYN/ACK packet). The first system then sends an ACK
packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.

• SYN or Stealth scanning makes use of this procedure by sending a SYN packet and looking at
the response. If SYN/ACK is sent back, the port is open and the remote end is trying to open a
TCP connection. The scanner then sends an RST to tear down the connection before it can be
established fully; often preventing the connection attempt appearing in application logs. If the
port is closed, an RST will be sent. If it is filtered, the SYN packet will have been dropped and
no response will be sent. In this way, Nmap can detect three port states - open, closed and
filtered. Filtered ports may require further probing since they could be subject to firewall rules
which render them open to some IPs or conditions, and closed to others.
• Modern firewalls and Intrusion Detection Systems can detect SYN scans, but in combination
with other features of Nmap (timing templates, decoys, fragmentation and other options
explained later) the scan can be made much harder to spot. Note that the half-open connection
is invisible to the application on the target, but not to its kernel or to a packet-level sensor: a
burst of SYNs to many ports from one source, most of them answered with RST, is exactly what
IDS port-scan signatures key on.

• With the multitude of modern firewalls and IDSs now looking out for SYN scans, these three
scan types, FIN [-sF], Null [-sN] and Xmas Tree [-sX], may be useful to varying degrees. Each
scan type refers to the flags set in the TCP header: FIN only, no flags at all, or FIN, PSH and
URG together ("lit up like a Christmas tree"). The idea behind these scans is that, per RFC 793,
a closed port should respond with an RST upon receiving such packets, whereas an open port
should just drop them (it is listening for packets with SYN set). This way, you never make even
part of a connection, and never send a SYN packet, which is what most IDSs look out for. The
caveat is that silence is ambiguous (an open port and a firewall that drops the probe look
identical, hence Nmap's open|filtered state), and many stacks, Windows in particular, ignore
the RFC and send RST for every port, so against those targets every port looks closed.

• The sample below shows a SYN scan and a FIN scan, performed against a Linux system. The
same four ports surface in both, but the FIN scan can only report them as open|filtered, since a
dropped probe and an open port both produce silence. The FIN scan is less likely to show up in
a logging system.
[chaos]# nmap -sS 127.0.0.1

Starting Nmap 4.01 at 2006-07-06 17:23 BST
Interesting ports on chaos (127.0.0.1):
(The 1668 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
631/tcp  open  ipp
6000/tcp open  X11

Nmap finished: 1 IP address (1 host up) scanned in 0.207 seconds

[chaos]# nmap -sF 127.0.0.1

Starting Nmap 4.01 at 2006-07-06 17:23 BST
Interesting ports on chaos (127.0.0.1):
(The 1668 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
631/tcp  open|filtered ipp
6000/tcp open|filtered X11

Nmap finished: 1 IP address (1 host up) scanned in 1.284 seconds
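As an added example (not from the article or from Nmap itself), the script below runs a real connect() scan against a throw-away loopback listener, so the three outcomes the text describes can be seen without root: open, closed (the kernel answers the SYN with RST, which the socket API reports as connection refused) and filtered (timeout). The listener records every accepted peer, which is the server-side log entry a connect() scan cannot avoid. Two small helpers encode how Nmap turns SYN-scan and FIN-scan responses into port states, including the open|filtered ambiguity visible in the output above. The port numbers are whatever the OS hands out; nothing here sends raw packets.

```python
"""A TCP connect() scan (what nmap -sT does) against a loopback listener,
plus the response-to-state logic Nmap uses for SYN and FIN probes."""
import socket
import threading
import time


def start_listener():
    """Loopback service standing in for a real server. It records every
    accepted peer: that record is the server-side log a connect() scan
    cannot avoid, because the handshake completes and accept() returns."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    seen = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:             # listener was closed
                return
            seen.append(peer)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, seen


def connect_scan(host, ports, timeout=0.5):
    """Full three-way handshake per port, one socket at a time."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            states[port] = "open"           # SYN/ACK came back, handshake done
        except ConnectionRefusedError:
            states[port] = "closed"         # kernel answered the SYN with RST
        except socket.timeout:
            states[port] = "filtered"       # no answer: something dropped the SYN
        finally:
            s.close()
    return states


def syn_scan_state(response_flags):
    """nmap -sS: SYN/ACK -> open, RST -> closed, silence -> filtered.
    response_flags is a set of flag names, or None when nothing came back."""
    if response_flags is None:
        return "filtered"
    if {"SYN", "ACK"} <= response_flags:
        return "open"
    if "RST" in response_flags:
        return "closed"
    return "filtered"


def fin_scan_state(response_flags):
    """nmap -sF/-sN/-sX: RST -> closed. Silence is either an RFC 793 open
    port ignoring the probe or a firewall dropping it, so only open|filtered."""
    if response_flags is not None and "RST" in response_flags:
        return "closed"
    return "open|filtered"


def demo():
    """Scan one open and one closed loopback port; return the states and how
    many connections the listener logged."""
    srv, seen = start_listener()
    open_port = srv.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                           # nothing listens there now
    states = connect_scan("127.0.0.1", [open_port, closed_port])
    deadline = time.time() + 2              # let the accept() thread catch up
    while not seen and time.time() < deadline:
        time.sleep(0.01)
    srv.close()
    return states, open_port, closed_port, len(seen)


if __name__ == "__main__":
    states, open_port, closed_port, logged = demo()
    for port in (open_port, closed_port):
        print("%d/tcp %s" % (port, states[port]))
    print("listener logged %d connection(s)" % logged)
```

The logged count is the whole point of the stealth-scan discussion: a SYN scan sends the same first packet but answers the SYN/ACK with RST, so the kernel never hands the connection to accept() and the application never sees it.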

• Other possible scans provided by Nmap are:
1. Ping Scan [-sP] -- This scan type lists the hosts within the specified range that responded
to a ping. It allows you to detect which computers are online, rather than which ports are
open. Four methods exist within Nmap for ping sweeping. The first method sends an ICMP
ECHO REQUEST (ping request) packet to the destination system. If an ICMP ECHO
REPLY is received, the system is up, and ICMP packets are not blocked. If there is no
response to the ICMP ping, Nmap will try a "TCP Ping" to determine whether ICMP is
blocked, or if the host is really not online.
2. UDP Scan [-sU] -- Scanning for open UDP ports is done with the -sU option. With this
scan type, Nmap sends 0-byte UDP packets to each target port on the victim. Receipt of an
ICMP Port Unreachable message signifies the port is closed; otherwise it is assumed open.
3. IP Protocol Scans [-sO] -- The IP Protocol Scans attempt to determine the IP protocols
supported on a target. Nmap sends a raw IP packet without any additional protocol header
to each protocol on the target machine. Receipt of an ICMP Protocol Unreachable message
tells us the protocol is not in use; otherwise it is assumed open.
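As an added example (not from the slides), the response-to-state rules from the three items above and from the earlier FIN/Null/Xmas discussion, written out as code. `infer_state` maps what one probe got back to the state Nmap reports, and a toy stack model reproduces why the SYN and FIN listings on the previous pages agree on which ports are interesting while the FIN scan can only say open|filtered (silence is either an open port or a dropped packet; modern Nmap labels no-response UDP and protocol probes the same way, as the -sO listing that follows shows). Responses are symbolic strings and nothing is sent on the wire; `rst_on_unexpected` is my own name for a stack that answers every stray probe with RST.

```python
# Added example (not from the slides): the response-to-state rules behind the
# scan types described above, plus a toy stack model that reproduces why the
# SYN and FIN listings agree on which ports matter while the FIN scan can only
# report "open|filtered". Responses are symbolic strings; nothing is sent.
from typing import Dict, Iterable, Set

# ICMP errors that mean "something in the path refused the probe", which Nmap
# reports as filtered rather than closed.
FILTERED_ICMP = {"ICMP admin prohibited", "ICMP host unreachable", "ICMP net unreachable"}


def infer_state(scan: str, response: str) -> str:
    """Translate what one probe got back ("none" for silence) into a state."""
    if scan == "SYN":
        if response == "SYN/ACK":
            return "open"
        return "closed" if response == "RST" else "filtered"
    if scan in ("FIN", "NULL", "XMAS"):
        # A closed port answers RST; an open port drops the probe (RFC 793), so
        # silence means "open, or a firewall dropped it": open|filtered.
        if response == "RST":
            return "closed"
        return "filtered" if response in FILTERED_ICMP else "open|filtered"
    if scan == "UDP":
        if response == "UDP":
            return "open"
        if response == "ICMP port unreachable":
            return "closed"
        return "filtered" if response in FILTERED_ICMP else "open|filtered"
    if scan == "PROTO":
        if response == "ICMP protocol unreachable":
            return "closed"
        if response in FILTERED_ICMP:
            return "filtered"
        return "open|filtered" if response == "none" else "open"
    raise ValueError(f"unknown scan type {scan!r}")


def stack_response(scan: str, port: int, open_ports: Set[int],
                   rst_on_unexpected: bool = False) -> str:
    """Toy TCP stack: what a host with `open_ports` sends back to one probe.

    rst_on_unexpected (assumed name) models stacks that answer any probe to an
    open port with RST instead of dropping it; against those, FIN/Null/Xmas
    scans report every port closed and learn nothing.
    """
    if scan == "SYN":
        return "SYN/ACK" if port in open_ports else "RST"
    if port in open_ports and not rst_on_unexpected:
        return "none"  # RFC-compliant: an open port silently drops a stray FIN
    return "RST"


def run_scan(scan: str, ports: Iterable[int], open_ports: Set[int],
             **stack_opts: bool) -> Dict[int, str]:
    """Probe each port against the toy stack and return Nmap-style states."""
    return {p: infer_state(scan, stack_response(scan, p, open_ports, **stack_opts))
            for p in ports}


if __name__ == "__main__":
    ports = [21, 22, 80, 631, 6000]
    listening = {21, 22, 631, 6000}  # the services from the -sS listing
    for scan in ("SYN", "FIN"):
        print(scan, run_scan(scan, ports, listening))
```

The model makes the logging trade-off concrete: the FIN scan never completes a handshake, but it also never learns "open" for certain, and against a stack that sends RST for everything it learns nothing at all.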



Nmap
• Results of an -sO on my Linux workstation are included below.
[chaos]# nmap -sO 127.0.0.1

Starting Nmap 4.01 at 2006-07-14 12:56 BST
Interesting protocols on chaos (127.0.0.1):
(The 251 protocols scanned but not shown below are in state: closed)
PROTOCOL STATE SERVICE
1 open icmp
2 open|filtered igmp
6 open tcp
17 open udp
255 open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 1.259 seconds

Nmap
• Idle Scanning [-sI]
• Version Detection [-sV]
• ACK Scan [-sA]
• Window Scan, RPC Scan, List Scan [-sW, -sR, -sL]



Typical Scanning Session
• First, we’ll sweep the network with a simple Ping scan to determine which hosts
are online.
[chaos]# nmap -sP 10.0.0.0/24

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:19 BST
Host 10.0.0.1 appears to be up.
MAC Address: 00:09:5B:29:FD:96 (Netgear)
Host 10.0.0.2 appears to be up.
MAC Address: 00:0F:B5:96:38:5D (Netgear)
Host 10.0.0.4 appears to be up.
Host 10.0.0.5 appears to be up.
MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
Nmap finished: 256 IP addresses (4 hosts up) scanned in 5.399 seconds



Typical Scanning Session
• We’ll scan 10.0.0.1 using a SYN scan [-sS] and -A to enable OS fingerprinting
and version detection.
[chaos]# nmap -sS -A 10.0.0.1

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:23 BST
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on 10.0.0.1:
(The 1671 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
MAC Address: 00:09:5B:29:FD:96 (Netgear)
Device type: WAP
Running: Compaq embedded, Netgear embedded
OS details: WAP: Compaq iPAQ Connection Point or Netgear MR814

Nmap finished: 1 IP address (1 host up) scanned in 3.533 seconds

Typical Scanning Session
• The only open port is 80/tcp - in this case, the web admin interface for the router. OS
fingerprinting guessed it was a Netgear Wireless Access Point - in fact this is a Netgear
(wired) ADSL router. As it said, though, there were insufficient responses for TCP sequencing
to accurately detect the OS.
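To make a session like this one auditable, here is an added example (not from the slides): a parser for the Nmap 4.x normal-output format shown in the listings, covering host-up lines, MAC lines, the port and protocol tables, the "not shown" summary and the closing line, so results can be checked or diffed against an expected baseline instead of read by eye. The sample inputs are the ping sweep, the -sS -A run and the earlier -sF listing from these slides, retyped without the slide line wrapping; the regex names and the report layout are my own.

```python
# Added example (not from the slides): parse Nmap 4.x "normal" output of the
# kind shown in the listings into a structured report. Sample texts are the
# slides' own listings, retyped here without the slide line wrapping.
import re
from typing import List, Optional

HOST_UP = re.compile(r"^Host (\S+) appears to be up\.$")
MAC_LINE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.+)\)$")
# "Interesting ports on chaos (127.0.0.1):" or "Interesting ports on 10.0.0.1:"
SECTION = re.compile(r"^Interesting (?:ports|protocols) on (?:\S*?\s*\(([\d.]+)\)|([\d.]+)):$")
STATES = r"(open|closed|filtered|open\|filtered)"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+" + STATES + r"\s+(\S+)(?:\s+(.+))?$")
PROTO_LINE = re.compile(r"^(\d+)\s+" + STATES + r"\s+(\S+)$")
NOT_SHOWN = re.compile(r"^\(The (\d+) (ports|protocols) scanned but not shown below are in state: (\S+)\)$")
FINISHED = re.compile(r"^Nmap finished: (\d+) IP address(?:es)? \((\d+) hosts? up\) scanned in ([\d.]+) seconds$")


def _new_host() -> dict:
    return {"mac": None, "vendor": None, "ports": [], "protocols": [], "not_shown": None}


def parse_nmap(text: str) -> dict:
    """Return {"hosts": {ip: {...}}, "summary": {...}} for one Nmap run."""
    report: dict = {"hosts": {}, "summary": None}
    current: Optional[dict] = None  # host the following lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_UP.match(line):
            current = report["hosts"].setdefault(m.group(1), _new_host())
        elif m := SECTION.match(line):
            current = report["hosts"].setdefault(m.group(1) or m.group(2), _new_host())
        elif (m := MAC_LINE.match(line)) and current is not None:
            current["mac"], current["vendor"] = m.group(1), m.group(2)
        elif (m := PORT_LINE.match(line)) and current is not None:
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4),
                                     "version": m.group(5)})
        elif (m := PROTO_LINE.match(line)) and current is not None:
            current["protocols"].append({"number": int(m.group(1)),
                                         "state": m.group(2), "name": m.group(3)})
        elif (m := NOT_SHOWN.match(line)) and current is not None:
            current["not_shown"] = {"count": int(m.group(1)), "kind": m.group(2),
                                    "state": m.group(3)}
        elif m := FINISHED.match(line):
            report["summary"] = {"addresses": int(m.group(1)),
                                 "hosts_up": int(m.group(2)),
                                 "seconds": float(m.group(3))}
    return report


def ports_in_state(report: dict, ip: str, state: str) -> List[int]:
    """Port numbers of `ip` that Nmap reported in `state`, e.g. "open|filtered"."""
    host = report["hosts"].get(ip, _new_host())
    return sorted(p["port"] for p in host["ports"] if p["state"] == state)


# The slides' listings, retyped without the slide line wrapping.
PING_SWEEP = """[chaos]# nmap -sP 10.0.0.0/24

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:19 BST
Host 10.0.0.1 appears to be up.
MAC Address: 00:09:5B:29:FD:96 (Netgear)
Host 10.0.0.2 appears to be up.
MAC Address: 00:0F:B5:96:38:5D (Netgear)
Host 10.0.0.4 appears to be up.
Host 10.0.0.5 appears to be up.
MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
Nmap finished: 256 IP addresses (4 hosts up) scanned in 5.399 seconds
"""

SYN_A = """[chaos]# nmap -sS -A 10.0.0.1

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:23 BST
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on 10.0.0.1:
(The 1671 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
MAC Address: 00:09:5B:29:FD:96 (Netgear)
Device type: WAP
Running: Compaq embedded, Netgear embedded
OS details: WAP: Compaq iPAQ Connection Point or Netgear MR814

Nmap finished: 1 IP address (1 host up) scanned in 3.533 seconds
"""

FIN_SCAN = """[chaos]# nmap -sF 127.0.0.1

Starting Nmap 4.01 at 2006-07-06 17:23 BST
Interesting ports on chaos (127.0.0.1):
(The 1668 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
631/tcp open|filtered ipp
6000/tcp open|filtered X11

Nmap finished: 1 IP address (1 host up) scanned in 1.284 seconds
"""

if __name__ == "__main__":
    sweep = parse_nmap(PING_SWEEP)
    print(sorted(sweep["hosts"]), sweep["summary"])
    print(ports_in_state(parse_nmap(SYN_A), "10.0.0.1", "open"))
```

Keeping the parsed result (rather than the raw text) is what lets a later run be compared host by host: a new open port, a changed MAC vendor or a host that stops answering the sweep all show up as a dictionary difference.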



Privacy Tools to Stay Secure
• Tor Browser: It is designed to enable anonymous internet browsing. The Firefox-based
browser is the simplest and quickest way to start using it. It can also block IP addresses
from specific countries.
• CyberGhost VPN: It is a virtual private network app that reroutes your internet traffic
to hide your location and identity. The free version runs more slowly than the paid-for
premium service.
• Ghostery: Our surfing habits are being tracked by dozens of websites keen to sell their
products. That’s where Ghostery comes in. It is available for all browsers. You can
simply install it and let it get on with its job. So if you’d rather not share every click
with marketers, it’s a must have.
• KeyScrambler: It is a tiny app (under 1.5 MB) designed to encrypt every letter you
type into your web browser to prevent it being intercepted by key-logging software.
• AntiSpy for: It helps you disable advertising IDs, SmartScreen filtering, whether apps
can access your camera and so on.
• GnuPG: It is an open source version of PGP (Pretty Good Privacy), a tool for
encrypting files and emails. It enables you to encrypt and digitally sign data and
documents with technology that is effectively unbreakable.



Privacy Tools to Stay Secure
• Tails: Privacy software. It leaves no trace of you on the internet.
• Wise Folder Hider: Free privacy software that hides things on your PC, such as work
files, from your kids, boss etc. It scrambles files as well as hiding them.




THANK YOU
vkapoor@ietdavv.edu.in
vkapoor13@yahoo.com
09424566004 (M)
