Friday, February 26, 2010

How to manage your password information with chage

The chage command changes the number of days between password changes and the date of the last password change; the system uses this information to decide when a user must change their password. It edits the password-aging fields of /etc/shadow, so it has to be run as root (a normal user may only run chage -l on their own account).

chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user

Examples:

1. How to set the minimum and maximum number of days between password changes for a user named john (john must wait at least 3 days after a change before changing his password again, and must change it at least every 30 days):

chage -m 3 -M 30 john

2. How to lock a user's account 1 day after his password has expired without being changed (the account then has to be unlocked by an administrator):

chage -I 1 john

3. How to set an account expiration date for the user and warn him 3 days before his password expires (-W applies to password expiry, not to the account expiration date set with -E):

chage -E 2010-03-20 -W 3 john

4. How to list user information

chage -l kate
Last password change : Mar 02, 2010
Password expires : Jun 30, 2010
Password inactive : Jul 01, 2010
Account expires : Jul 02, 2010
Minimum number of days between password change : 4
Maximum number of days between password change : 120
Number of days of warning before password expires : 7

5. How to clear the password-inactive and account-expiration settings (-1 means never):

chage -E -1  -I -1 kate

chage -l kate

Last password change : Mar 02, 2010
Password expires : Jun 30, 2010
Password inactive : never
Account expires : never
Minimum number of days between password change : 4
Maximum number of days between password change : 120
Number of days of warning before password expires : 7

Note: only chage can set an account expiration date (-E); passwd cannot. passwd can still set the other aging fields (-n, -x, -w, -i) and can force an immediate password change with passwd -e.
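To audit password aging across all accounts instead of one user at a time, the following script (added here as an example, not part of the original post) applies the same rules chage enforces to /etc/shadow-format records. The records are constructed sample data; "today" is supplied as the day count 14663 (2010-02-23), which is how chage and /etc/shadow express dates. It assumes a POSIX sh with awk and, for the date helper, GNU date.

```shell
#!/bin/sh
# Constructed /etc/shadow-style records (sample data, not from a real system).
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# Day numbers count from 1970-01-01; 14663 is 2010-02-23.
SAMPLE_SHADOW='root:$6$salt$hash:14600:0:99999:7:::
john:$6$salt$hash:14640:3:30:7:1::
bob:$6$salt$hash:14600:0:30:7:5::
kate:$6$salt$hash:14580:4:120:7::14792:
old:$6$salt$hash:14000:0:90:7::14500:
svc:*:14000:0:99999:7:::
guest:!!:14600:0:99999:7:::'

# audit_shadow TODAY  (reads shadow records on stdin, prints one finding per line)
audit_shadow() {
    awk -F: -v today="$1" '
    {
        name = $1; hash = $2; last = $3; max = $5; inact = $7; expire = $8
        # Locked (* or !...) accounts cannot log in with a password, so aging does not apply.
        if (hash == "*" || hash ~ /^!/) { print name ": password locked"; next }
        # 99999 (or an empty field) is what "never expires" looks like in /etc/shadow.
        if (max == "" || max >= 99999) { print name ": no password aging (max " max ")"; next }
        if (last + max < today) {
            print name ": password expired " (today - last - max) " days ago"
            # chage -I: the account is locked once the inactivity period after expiry has passed.
            if (inact != "" && last + max + inact < today)
                print name ": account inactive (password unchanged " inact " days after expiry)"
        }
        # chage -E: a hard account expiration date, independent of the password.
        if (expire != "" && expire < today) print name ": account expired on day " expire
    }'
}

# Convert YYYY-MM-DD to the day count used by chage and /etc/shadow (assumes GNU date).
days_since_epoch() { echo $(( $(date -u -d "$1" +%s) / 86400 )); }
```

Against a live system run it as root: audit_shadow "$(days_since_epoch "$(date -u +%F)")" </etc/shadow. Accounts reported with no aging are the ones to fix with chage -M; locked accounts (hash * or starting with !) are skipped because password aging cannot apply to them.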

Tuesday, February 23, 2010

How to use nmap security scanner

Nmap ("Network Mapper") is used to discover hosts and services on a network, building a "map" of it. Like other port scanners, it finds listening services even when they do not announce themselves through a service-discovery protocol, and it can often determine further details about the remote hosts: operating system, device type, uptime, the software behind a service and its exact version, the presence of some firewall techniques and, on a local area network, even the vendor of the remote network card.

Nmap features include:

- Host Discovery: identifying computers on a network, for example listing the computers which respond to pings, or which have a particular port open
- Port Scanning: enumerating the open ports on one or more target computers
- Version Detection: interrogating network services listening on remote computers to determine the application name and version number
- OS Detection: remotely determining the operating system and some hardware characteristics of network devices

Typical uses of Nmap:

- Auditing the security of a computer, by identifying the network connections which can be made to it
- Identifying open ports on a target computer in preparation for auditing
- Network inventory, network mapping, maintenance, and asset management
- Auditing the security of a network, by identifying unexpected new servers



Nmap options (this summary is the nmap -h output of an older Nmap 4.x release; later versions renamed -sP to -sn and -P0 to -Pn and dropped -O1/-O2, so check nmap -h on your own version):
TARGET SPECIFICATION:
 Can pass hostnames, IP addresses, networks, etc.
 Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
 -iL <inputfilename>: Input from list of hosts/networks
 -iR <num hosts>: Choose random targets
 --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
 --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
 -sL: List Scan - simply list targets to scan
 -sP: Ping Scan - go no further than determining if host is online
 -P0: Treat all hosts as online -- skip host discovery
 -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
 -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
 -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
 --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
 --system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
 -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
 -sU: UDP Scan
 -sN/sF/sX: TCP Null, FIN, and Xmas scans
 --scanflags <flags>: Customize TCP scan flags
 -sI <zombie host[:probeport]>: Idlescan
 -sO: IP protocol scan
 -b <ftp relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
 -p <port ranges>: Only scan specified ports
 Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
 -F: Fast - Scan only the ports listed in the nmap-services file
 -r: Scan ports consecutively - don't randomize
SERVICE/VERSION DETECTION:
 -sV: Probe open ports to determine service/version info
 --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
 --version-light: Limit to most likely probes (intensity 2)
 --version-all: Try every single probe (intensity 9)
 --version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
 -O: Enable OS detection (try 2nd generation w/fallback to 1st)
 -O2: Only use the new OS detection system (no fallback)
 -O1: Only use the old (1st generation) OS detection system
 --osscan-limit: Limit OS detection to promising targets
 --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
 Options which take <time> are in milliseconds, unless you append 's'
 (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
 -T[0-5]: Set timing template (higher is faster)
 --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
 --min-parallelism/max-parallelism <numprobes>: Probe parallelization
 --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
 probe round trip time.
 --max-retries <tries>: Caps number of port scan probe retransmissions.
 --host-timeout <time>: Give up on target after this long
 --scan-delay/--max-scan-delay <time>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
 -f; --mtu <val>: fragment packets (optionally w/given MTU)
 -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
 -S <IP_Address>: Spoof source address
 -e <iface>: Use specified interface
 -g/--source-port <portnum>: Use given port number
 --data-length <num>: Append random data to sent packets
 --ip-options <options>: Send packets with specified ip options
 --ttl <val>: Set IP time-to-live field
 --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
 --badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
 -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
 and Grepable format, respectively, to the given filename.
 -oA <basename>: Output in the three major formats at once
 -v: Increase verbosity level (use twice for more effect)
 -d[level]: Set or increase debugging level (Up to 9 is meaningful)
 --open: Only show open (or possibly open) ports
 --packet-trace: Show all packets sent and received
 --iflist: Print host interfaces and routes (for debugging)
 --log-errors: Log errors/warnings to the normal-format output file
 --append-output: Append to rather than clobber specified output files
 --resume <filename>: Resume an aborted scan
 --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
 --webxml: Reference stylesheet from Insecure.Org for more portable XML
 --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
 -6: Enable IPv6 scanning
 -A: Enables OS detection and Version detection
 --datadir <dirname>: Specify custom Nmap data file location
 --send-eth/--send-ip: Send using raw ethernet frames or IP packets
 --privileged: Assume that the user is fully privileged
 --unprivileged: Assume the user lacks raw socket privileges
 -V: Print version number
 -h: Print this help summary page.

How to use NMAP

1.How to scan your network to see which hosts are up:

nmap -sP 192.168.1.0/24

This probes all 256 addresses of 192.168.1.0/24 and reports which hosts answered. On a directly attached Ethernet segment Nmap uses ARP requests for this, which is why it can also show each host's MAC address and card vendor:
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:05 EET
Host 192.168.1.12 is up (0.0010s latency).
MAC Address: 00:25:9C:27:E5:01 (Cisco-Linksys)
Host 192.168.1.50 is up (0.00021s latency).
MAC Address: 00:24:8C:5D:EC:6C (Asustek Computer)
Host 192.168.1.51 is up.
Host 192.168.1.53 is up (0.0013s latency).
MAC Address: 08:00:27:C1:3B:9D (Cadmus Computer Systems)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.88 seconds



2. Now we scan 192.168.1.12 using a SYN scan (-sS, which needs root privileges because it sends raw packets) and -A to enable OS fingerprinting and version detection. The results are also saved in a file named nmap.log (-oN).


nmap -sS -A -oN nmap.log 192.168.1.12

Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:12 EET
Interesting ports on 192.168.1.12:
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Linksys WRT54GL wireless-G router http config
|_ html-title: 401 Unauthorized
|  http-auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = WRT54GL
5431/tcp open  http    Belkin/Linksys wireless router http config (Linux 2.4; UPnP 1.0; BRCM400 1.0)
MAC Address: 00:25:9C:27:E5:01 (Cisco-Linksys)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
Network Distance: 1 hop
Service Info: Devices: WAP, router

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

3. How to scan a host for open ports, service versions, OS and IP ID sequence generation, skipping host discovery (-P0, later renamed -Pn) and with verbose output (-v):

nmap -sS -P0 -A -v 192.168.1.53


Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-23 19:38 EET
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 19:38
Scanning 192.168.1.53 [1 port]
Completed ARP Ping Scan at 19:38, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:38
Completed Parallel DNS resolution of 1 host. at 19:38, 0.05s elapsed
Initiating SYN Stealth Scan at 19:38
Scanning 192.168.1.53 [1000 ports]
Discovered open port 22/tcp on 192.168.1.53
Completed SYN Stealth Scan at 19:38, 1.41s elapsed (1000 total ports)
Initiating Service scan at 19:38
Scanning 1 service on 192.168.1.53
Completed Service scan at 19:38, 0.05s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.1.53
Retrying OS detection (try #2) against 192.168.1.53
Retrying OS detection (try #3) against 192.168.1.53
Retrying OS detection (try #4) against 192.168.1.53
Retrying OS detection (try #5) against 192.168.1.53
NSE: Script scanning 192.168.1.53.
NSE: Starting runlevel 1 scan
Initiating NSE at 19:38
Completed NSE at 19:38, 0.24s elapsed
NSE: Script Scanning completed.
Host 192.168.1.53 is up (0.00085s latency).
Interesting ports on 192.168.1.53:
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (protocol 2.0)
|  ssh-hostkey: 1024 51:08:cd:ba:ad:5a:4d:87:20:5b:41:ee:f2:34:80:e5 (DSA)
|_ 2048 a2:7c:9e:22:7e:9c:3f:2e:7d:46:d6:1a:29:f1:c2:c8 (RSA)
MAC Address: 08:00:27:C1:3B:9D (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=2/23%OT=22%CT=1%CU=41757%PV=Y%DS=1%G=Y%M=080027%TM=4B8412B
OS:0%P=x86_64-redhat-linux-gnu)SEQ(SP=C5%GCD=1%ISR=C0%TI=Z%CI=Z%II=I%TS=8)S
OS:EQ(SP=C6%GCD=1%ISR=BF%TI=Z%CI=Z%II=I%TS=8)SEQ(SP=C6%GCD=1%ISR=C0%TI=Z%CI
OS:=Z%II=I%TS=8)SEQ(SP=C5%GCD=1%ISR=BF%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M5B4ST11N
OS:W5%O2=M5B4ST11NW5%O3=M5B4NNT11NW5%O4=M5B4ST11NW5%O5=M5B4ST11NW5%O6=M5B4S
OS:T11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=Y%DF=Y%T=4
OS:0%W=16D0%O=M5B4NNSNW5%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(
OS:R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW5%RD=0%Q=)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.004 days (since Tue Feb 23 19:33:04 2010)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=197 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
           Raw packets sent: 1103 (52.340KB) | Rcvd: 1076 (46.596KB)
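The "unexpected new servers" use of Nmap listed above is easiest to automate from its grepable output (-oG). The script below, added as an example and not part of the original post, extracts every open port from two grepable scans of the same subnet and prints what appeared or disappeared between them. The two scan results are constructed sample data written in the -oG format (tab-separated Host:/Ports: fields); it needs only sh, awk, sort and comm.

```shell
#!/bin/sh
# Constructed -oG output of two scans of the same subnet (sample data, not real captures).
# Real files come from e.g.: nmap -sS -oG baseline.gnmap 192.168.1.0/24
baseline_scan() {
    printf '%s\n' '# Nmap 5.00 scan initiated Tue Feb 23 19:05:00 2010 as: nmap -sS -oG - 192.168.1.0/24'
    printf 'Host: 192.168.1.12 ()\tPorts: 80/open/tcp//http///, 5431/open/tcp//http///\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.53 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\n'
    printf '%s\n' '# Nmap done at Tue Feb 23 19:06:00 2010 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds'
}
current_scan() {
    printf '%s\n' '# Nmap 5.00 scan initiated Wed Feb 24 19:05:00 2010 as: nmap -sS -oG - 192.168.1.0/24'
    printf 'Host: 192.168.1.12 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)\n'
    printf 'Host: 192.168.1.53 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.77 ()\tPorts: 21/open/tcp//ftp///, 23/filtered/tcp//telnet///\tIgnored State: closed (998)\n'
    printf '%s\n' '# Nmap done at Wed Feb 24 19:06:00 2010 -- 256 IP addresses (3 hosts up) scanned in 60.00 seconds'
}

# open_ports: read grepable output on stdin, print "host port/proto" for every open port, sorted.
open_ports() {
    awk -F '\t' '
    /^Host:/ {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            # Each entry is port/state/proto/owner/service/rpc/version/ separated by ", "
            n = split(substr($i, 8), entries, ", ")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                if (f[2] == "open") print host, f[1] "/" f[3]
            }
        }
    }' | LC_ALL=C sort
}

# new_services BASELINE CURRENT: open services in CURRENT that were not open in BASELINE.
new_services() {
    b=$(mktemp); c=$(mktemp)
    open_ports <"$1" >"$b"; open_ports <"$2" >"$c"
    LC_ALL=C comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# gone_services BASELINE CURRENT: services open in BASELINE that no longer answer.
gone_services() {
    b=$(mktemp); c=$(mktemp)
    open_ports <"$1" >"$b"; open_ports <"$2" >"$c"
    LC_ALL=C comm -23 "$b" "$c"
    rm -f "$b" "$c"
}
```

Only ports in state open are counted, so the filtered telnet port on the new host is not reported; a scheduled scan with -oG plus new_services yesterday.gnmap today.gnmap is enough to be told about a new host or a newly opened port on an existing one.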

Thursday, February 18, 2010

How to manage services in Fedora

1. Open a shell and log in as root.
2. The service command

service --status-all (shows the status of every service)
service sshd restart (you can use start, stop, restart, reload)

3. The chkconfig command. Run with no parameters it shows all services and whether they start in each runlevel. You can also turn a service on or off in the runlevels you choose; without --level the change applies to runlevels 2, 3, 4 and 5. It takes effect at the next boot, so use service sshd start if you want the daemon running now.

chkconfig
chkconfig --level 5 sshd on (this starts the ssh server at boot in runlevel 5, Fedora's default graphical runlevel)

4. The ntsysv command opens a menu where you can tick which services should start at boot in your default runlevel.
ntsysv

On Fedora 15 and later, services are managed by systemd and its systemctl command; service and chkconfig remain as compatibility wrappers and forward requests for native units to systemctl.

Friday, February 12, 2010

How to use GnuPG/GPG to encrypt and sign your files

GNU Privacy Guard (GnuPG or GPG) is a free software alternative to the PGP suite of cryptographic software. GnuPG encrypts messages using asymmetric key pairs generated individually by GnuPG users. The resulting public keys can be exchanged with other users in a variety of ways, such as Internet key servers. They must always be exchanged carefully to prevent identity spoofing by corrupting the correspondence between a public key and its owner's identity. It is also possible to add a cryptographic digital signature to a message, so that the message's integrity and sender can be verified, provided the key-to-owner correspondence relied upon has not been corrupted.

This tutorial is for linux users.
1.Open a shell and type :

gpg --gen-key

This will produce a menu asking you what type of algorithm you want.


Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)

Your selection?

Option 1 (the default) generates an RSA primary key for signing with an RSA subkey for encryption. Option 2 uses DSA (Digital Signature Algorithm), which can only sign, for the primary key and Elgamal, which GnuPG uses for encryption, for the subkey. Options 3 and 4 produce a key that can sign but cannot receive encrypted messages. The default is fine. Note that older GnuPG releases limited DSA keys to 1024 bits (asking for a longer "DSA and Elgamal" key only enlarged the Elgamal part); current releases with DSA2 allow longer DSA keys, and RSA has no such limit.

Next, you choose the length of your key.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits



Larger keys take longer to generate and need more random bytes, which can drain the kernel's entropy pool on an idle machine. For this example key, I'll leave it at the default of 2048 bits.
Note: the entropy pool feeds the random number generator of most operating systems. Keys generated from predictable numbers can be recovered far more easily, so the pool has to be fed with genuinely unpredictable data. Linux (and other systems such as OpenBSD) collect it from the timing of hardware events: keystrokes, mouse movement, disk and network interrupts.
Please specify how long the key should be valid.
        0 = key does not expire
       d = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 16 Feb 2011 04:58:53 PM EET
Is this correct? (y/N) y

If you don't think you'll use your key much but want it to stay usable at any time, you can set it not to expire. If you are careful about security, set your key to expire after a period (1 to 3 years depending on key usage): an expiry date limits the damage if you ever lose both the key and its revocation certificate. You can extend the expiry date later with the expire command in gpg --edit-key, and you can retire a key early by publishing a revocation certificate (step 2).
Whichever expiry setting you choose, GnuPG asks you to confirm it, for example:

Key does not expire at all
Is this correct (y/n)?

Next you enter your user ID for the key.

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:

"John Lock (just beleve) <john_lock@yahoo.com>"
Real name:
Email address:
Comment:

If you entered the data as follows:

Real name:       John Lock
Email address: john_lock@yahoo.com
Comment:       just beleve
You selected this USER-ID:    "John Lock (just beleve) <john_lock@yahoo.com>"

GnuPG then lets you change any field (N, C or E), accept the user ID and go on to generate the key (O), or quit (Q).

Next comes your passphrase. It is very, very important that you choose a strong one you can remember. If you set none, anyone who can copy your secret keyring (such as the local sysadmin on a shared system) can impersonate you; if your system is cracked, the passphrase on your key ring might be the only thing stopping the cracker from impersonating you. The caveat is that if you forget your passphrase, you will not be able to use your own keys.
After this, GnuPG will generate your keys. You should see a message like this:

We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.

You will see some characters scroll by. If GnuPG can't get enough random characters, you'll see a message like this:

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need NN more bytes)

Don't panic! Just run some programs, type some random characters in the shell, etc. If you have installed egd (the entropy gathering daemon), playing some music into the microphone helps as well. Once GnuPG is done, you should see this message:

public and secret key created and signed.

Congratulations. You now have a pair of keys. One is private, and one is public. Think of them as a birth certificate, library card, and drivers' licence rolled into one.

2.Generate a revocation certificate

After your key pair is created you should immediately generate a revocation certificate for the primary public key using the option --gen-revoke. If you forget your passphrase or if your private key is compromised or lost, this revocation certificate can be published to notify others that the public key should no longer be used. A revoked public key can still be used to verify signatures you made in the past, but it cannot be used to encrypt future messages to you. It also does not affect your ability to decrypt messages sent to you in the past if you still have access to the private key. Keep the certificate somewhere safe and offline: anyone who obtains it can revoke your key.

gpg --output revoke.asc --gen-revoke key_id (the user id works here as well)

Example: 
gpg --output revoke.asc --gen-revoke 915E0CF3
 
3. Exchange keys with your friends

To communicate with others you must exchange public keys. To list the keys on your public keyring use the command-line option --list-keys. The number 915E0CF3 in the example below is your public key's short key ID, the last 32 bits of its fingerprint. Short key IDs are easy to collide, so use the full fingerprint whenever you identify a key to another person.

gpg  --list-keys


pub  2048R/915E0CF3  2010-02-16 [expires: 2011-02-16]
uid  John Lock (just beleve)
sub   2048R/597A4582  2010-02-16 [expires: 2011-02-16]

Now export the key in ASCII-armored format (better if you e-mail the key or publish it on the web):

gpg --output johnlock.asc --armor --export key_id


Now give this file (johnlock.asc, in your home folder) to your friend. If you send it by e-mail, phone your friend and read out the key's fingerprint so it can be compared with the fingerprint of the received file; if they match, the key really is yours. To see the fingerprint of a key:

gpg --edit-key john_lock (you can also use the key id: gpg --edit-key 915E0CF3)
Command> fpr (this lists the key's fingerprint)

4. Importing a friend's public key

Let's presume that your friend gave you his public key in a file named jack.asc.pub.

gpg --import jack.asc.pub

After checking the fingerprint with the owner, you may sign the key to validate it. Since key verification is a weak point in public-key cryptography, be extremely careful and always check a key's fingerprint with the owner before signing the key (the fpr command from step 3 shows the fingerprint of the imported key).

gpg --edit-key jack_shepard (or key_id)

Command> sign


Once signed, check the key to list the signatures on it and see the one you have added. Every user ID on the key will have one or more self-signatures as well as a signature for each user that has validated the key.

Command> check

Then set an owner-trust level for your friend's key, which tells GnuPG how far you trust him to validate other people's keys:

Command> trust

After that save and exit.

Command> save

Note: it is good practice, after signing and trusting someone else's public key, to export that key and send it back to its owner so he can import your signature. Others do the same for you, and that is how your own public key gains credibility: by collecting signatures from people who have verified it.



5. Encrypt/decrypt documents


a. Encrypt a document
To encrypt a document for someone else, use the public key you imported in the previous step; to encrypt a document for yourself, use your own public key.
Note: a document encrypted to someone else's public key can only be decrypted with that person's private key, so if you also want to read it yourself later, add your own key as a second --recipient.

gpg --output doc_name.gpg --encrypt --armor --recipient key_id doc_name

b. Decrypt a document

gpg --output doc_name --decrypt doc_name.gpg

6. Symmetric encryption

If you do not need to send the document to anyone and it is your own private document, you can use symmetric encryption:

gpg --output doc_name.gpg --armor --symmetric doc_name
Enter passphrase: (choose a new passphrase here; do not reuse the one protecting your private key)

To decrypt, type:
gpg --output doc_name --decrypt doc_name.gpg
Enter passphrase:

7. Making and verifying signatures

A digital signature certifies and time-stamps a document. If the document is subsequently modified in any way, verification of the signature will fail. A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper resistant. The GnuPG source distribution, for example, is signed so that users can verify that the source code has not been modified since it was packaged.
Creating and verifying signatures uses the public/private key pair in an operation different from encryption and decryption. A signature is created using the private key of the signer and verified using the corresponding public key.
How to create a signature file:

gpg --output doc_name.sig --sign doc_name

The document is compressed before being signed, and the output is in binary format (add --armor if you want an ASCII-armored file instead).
Given a signed document, you can either check the signature or check the signature and recover the original document. To check the signature use the --verify option. To verify the signature and extract the document use the --decrypt option: the signed document is the input and the recovered document is the output.
To verify the signature, type:

gpg --verify doc_name.sig

To recover the document, type:

gpg --output doc_name --decrypt doc_name.sig

A common use of digital signatures is to sign Usenet postings or e-mail messages. In such situations it is undesirable to compress the document while signing it. The option --clearsign wraps the document in an ASCII-armored signature but otherwise does not modify it.

gpg --clearsign doc_name (this creates a signed document named doc_name.asc)

Detached signatures

A signed document has limited usefulness. Other users must recover the original document from the signed version, and even with clearsigned documents, the signed document must be edited to recover the original. Therefore there is a third method for signing a document that creates a detached signature, a separate file. A detached signature is created with the --detach-sign option (short form -b):

gpg --output doc_name.sig --detach-sign doc_name

Both the document and the detached signature are needed to verify the signature. The --verify option checks it:
gpg --verify doc_name.sig doc_name
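The whole procedure of steps 1, 3, 4, 5 and 7 run unattended, as an example added to this post (it is not GnuPG's own code). It builds two throwaway keyrings, "John Lock" and "Jack Shepard", in temporary directories so your real ~/.gnupg is untouched, exchanges John's public key, has Jack compare the fingerprint before signing it, encrypts a note to John, and verifies a detached signature on both the original note and a tampered copy. The names, e-mail addresses and note text are made up; it assumes GnuPG 2.1 or later in PATH (for %no-protection and --quick-sign-key), and the keys carry no passphrase only because they are deleted at the end.

```shell
#!/bin/sh
# Unattended GnuPG walk-through with two throwaway keyrings (example code, not GnuPG's).
# Assumes gpg 2.1+ in PATH. Nothing here touches ~/.gnupg.
set -e

# gpg wrapper: act on one throwaway home directory without ever prompting.
g() { home=$1; shift; gpg --homedir "$home" --batch --quiet "$@"; }

# gen_key HOME NAME EMAIL: the batch equivalent of "gpg --gen-key" (RSA sign key plus RSA
# encryption subkey, valid one year). No passphrase because the key is thrown away afterwards.
gen_key() {
    g "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
%commit
EOF
}

# fingerprint HOME EMAIL: 40-hex-digit fingerprint of the primary key (the value you read out
# to the other person), taken from the machine-readable --with-colons listing.
fingerprint() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# demo: runs the whole exchange and prints one "key: value" line per result.
demo() {
    command -v gpg >/dev/null 2>&1 || { echo "skipped: gpg not installed"; return 0; }
    work=$(mktemp -d); john="$work/john"; jack="$work/jack"
    mkdir -m 700 "$john" "$jack"

    gen_key "$john" "John Lock" john_lock@example.com      # step 1, John's side
    gen_key "$jack" "Jack Shepard" jack_shepard@example.com # Jack needs a key of his own to sign with

    # Step 3: John exports his public key, armored, and hands the file to Jack.
    g "$john" --armor --export john_lock@example.com >"$work/johnlock.asc"
    g "$jack" --import "$work/johnlock.asc"

    # Step 4: Jack compares the imported key's fingerprint with the one John gave him
    # out of band (here: read straight from John's keyring) and only then signs it.
    expected=$(fingerprint "$john" john_lock@example.com)
    imported=$(fingerprint "$jack" john_lock@example.com)
    [ "$expected" = "$imported" ] || { echo "fingerprint mismatch, refusing to sign"; return 1; }
    g "$jack" --quick-sign-key "$imported"
    echo "fingerprint_verified: yes"

    # Step 5: Jack encrypts to John's public key; only John's secret key can open it.
    # (Without the signature above, batch-mode gpg refuses to encrypt to an unvalidated key.)
    printf 'meet at dawn\n' >"$work/note.txt"
    g "$jack" --armor --recipient john_lock@example.com --output "$work/note.asc" --encrypt "$work/note.txt"
    g "$john" --output "$work/note.out" --decrypt "$work/note.asc"
    echo "decrypted: $(cat "$work/note.out")"

    # Step 7: John makes a detached signature; Jack verifies it against the original and a
    # tampered copy. gpg --verify exits non-zero on a bad signature, which is what scripts check.
    g "$john" --output "$work/note.sig" --detach-sign "$work/note.txt"
    if g "$jack" --verify "$work/note.sig" "$work/note.txt" 2>/dev/null; then echo "original_verified: yes"; fi
    printf 'meet at noon\n' >"$work/note.tampered"
    if g "$jack" --verify "$work/note.sig" "$work/note.tampered" 2>/dev/null; then
        echo "tamper_detected: no"
    else
        echo "tamper_detected: yes"
    fi

    for h in "$john" "$jack"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"
}
```

The fingerprint comparison is the step that matters: with a real correspondent both sides run gpg --fingerprint and compare the 40 hex digits by phone or in person, which is what the fingerprint function extracts. GnuPG 2.1 and later also write a revocation certificate for every new key into openpgp-revocs.d under the home directory, so step 2 is done for you there; the file is deliberately not importable until you remove the leading colon it carries, as its header explains.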

8. Publishing and fetching keys with a key server

Send your public key to a key server:

gpg --keyserver keyserver.ubuntu.com --send-keys key_id

Fetch someone's key from a key server:

gpg --keyserver keyserver.ubuntu.com --recv-keys key_id

Anyone can upload a key under any name, so a key fetched this way is unverified until you have checked its fingerprint with the owner, exactly as in step 4.


9. Key management and examples

gpg --edit-key key_id     Presents a menu which enables you to do all key-related tasks:

sign     Make a signature on the key of the given user. If the key is not yet signed by the default user (or the users given with -u), the program displays the information of the key again together with its fingerprint and asks whether it should be signed. This question is repeated for all users specified with -u.
lsign     Same as sign but the signature is marked as non-exportable and will therefore never be used by others. This may be used to make keys valid only in the local environment.
nrsign     Same as sign but the signature is marked as non-revocable and can therefore never be revoked.
nrlsign     Combines the functionality of nrsign and lsign to make a signature that is both non-revocable and non-exportable.
revsig     Revoke a signature. For every signature which has been generated by one of the secret keys, GnuPG asks whether a revocation certificate should be generated.
trust     Change the owner trust value. This updates the trust-db immediately and no save is required.
disable / enable     Disable or enable an entire key. A disabled key can not normally be used for encryption.
adduid     Create an alternate user id.
addphoto     Create a photographic user id. This will prompt for a JPEG file that will be embedded into the user ID. Note that a very large JPEG will make for a very large key.
deluid     Delete a user id.
delsig      Delete a signature.
revuid       Revoke a user id.
addkey       Add a subkey to this key.
delkey     Remove a subkey.
addrevoker [sensitive]     Add a designated revoker. This takes one optional argument: "sensitive". If a designated revoker is marked as sensitive, it will not be exported by default (see export-options).
revkey     Revoke a subkey.
expire     Change the key expiration time. If a subkey is selected, the expiration time of this subkey will be changed. With no selection, the key expiration of the primary key is changed.
passwd     Change the passphrase of the secret key.
primary     Flag the current user id as the primary one, removes the primary user id flag from all other user ids and sets the timestamp of all affected self-signatures one second ahead. Note that setting a photo user ID as primary makes it primary over other photo user IDs, and setting a regular user ID as primary makes it primary over other regular user IDs.
uid n     Toggle selection of user id with index n. Use 0 to deselect all.
key n     Toggle selection of subkey with index n. Use 0 to deselect all.
check     Check all selected user ids.
showphoto     Display the selected photographic user id.
pref     List preferences from the selected user ID. This shows the actual preferences, without including any implied preferences.
showpref     More verbose preferences listing for the selected user ID. This shows the preferences in effect by including the implied preferences of 3DES (cipher), SHA-1 (digest), and Uncompressed (compression) if they are not already included in the preference list.
setpref string     Set the list of user ID preferences to string, this should be a string similar to the one printed by "pref". Using an empty string will set the default preference string, using "none" will set the preferences to nil. Use "gpg -v --version" to get a list of available algorithms. This command just initializes an internal list and does not change anything unless another command (such as "updpref") which changes the self-signatures is used.
updpref     Change the preferences of all user IDs (or just of the selected ones to the current list of preferences. The timestamp of all affected self-signatures will be advanced by one second. Note that while you can change the preferences on an attribute user ID (aka "photo ID"), GnuPG does not select keys via attribute user IDs so these preferences will not be used by GnuPG.
toggle     Toggle between public and secret key listing.
save     Save all changes to the key rings and quit.
quit     Quit the program without updating the key rings.
    The listing shows you the key with its secondary keys and all user ids. Selected keys or user ids are indicated by an asterisk. The trust value is displayed with the primary key: the first is the assigned owner trust and the second is the calculated trust value. Letters are used for the values:
-     No ownertrust assigned / not yet calculated.
e     Trust calculation has failed; probably due to an expired key.
q     Not enough information for calculation.
n     Never trust this key.
m     Marginally trusted.
f     Fully trusted.
u     Ultimately trusted.

gpg --delete-key  key_id  (deletes a public key you don't need)


For more information see the online man page:
http://www.squarebox.co.uk/cgi-squarebox/manServer/gpg.1

For windows users there is gpg4win if they want to use gnupg.

Thursday, February 11, 2010

What is md5sum

md5sum is a program that calculates and verifies 128-bit MD5 hashes, as described in RFC 1321. The MD5 hash (or checksum) works as a compact digital fingerprint of a file: two files that differ by accident will practically never share an MD5 hash (although, as with every hash function, infinitely many files map to any given hash value).
Because almost any change to a file changes its MD5 hash, the hash is commonly used to verify the integrity of a file (that it has not changed through a transfer error, disk error, meddling, etc.). Two caveats: MD5 is broken against deliberate attack, since collisions (two different files with the same MD5 hash) can be constructed, so where a distributor also offers SHA-256 sums, prefer those; and a hash proves something only if it came from a source you trust, so a checksum file sitting next to the download on the same server protects you against corruption but not against a replaced file (a GnuPG signature does). The md5sum program is installed by default on most Unix, Linux and Unix-like systems; BSD variants (including Mac OS X) have a similar utility called md5. Versions for Windows exist (see the list below).

Example
1. If you download, for example, ubuntu-9.10-desktop-i386.iso and want to verify the integrity of the file, open a shell and type:

md5sum ubuntu-9.10-desktop-i386.iso

The output will be:
8790491bfa9d00f283ed9dd2d77b3906  ubuntu-9.10-desktop-i386.iso

Now go to the UbuntuHashes page, find the MD5 hash for your image and compare it with your result. If they match, the file is intact. Some sites, such as snort.org, provide the hash in a file for download. To check the file you just downloaded, download the .md5 file as well and let md5sum read it with -c:

md5sum -c snort-2.8.5.3.tar.gz.md5

md5sum recomputes the hash of each file named in the .md5 file and prints OK or FAILED; its exit status is non-zero on any mismatch, which is what a script should test.

For Windows you can use:
Jacksum - Jacksum is a free and platform independent software for computing and verifying checksums, CRCs and message digests
Fsum - a command line utility to check the md5hash.
HashCheck - is another utility to check the md5hash from explorer.
MD5Summer - is another standalone utility utility to check the md5hash.
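A small script that checks a download against its checksum file and acts on the exit status, rather than relying on someone reading the OK/FAILED line, as an added example (not part of the original post). It takes a checksum list in the md5sum or sha256sum format shown above, picks out the line for the file, tells the two formats apart by digest length and runs the matching tool with -c. It assumes GNU coreutils (md5sum, sha256sum) and a POSIX sh; the tarball and checksum files used when testing it are created on the spot as sample data.

```shell
#!/bin/sh
# verify_download FILE SUMFILE: verify FILE against a checksum list (example code for this post).
# Returns md5sum's/sha256sum's exit status: 0 when the digest matches, 1 on mismatch,
# 2 when the list has no usable entry for the file.
verify_download() {
    file=$1; sums=$2
    name=$(basename "$file")
    # Lines look like "<hex digest>  <filename>"; keep the one for our file (lists may cover many).
    line=$(grep " $name\$" "$sums" | head -n 1)
    [ -n "$line" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    digest=${line%% *}
    # Digest length identifies the algorithm: 32 hex chars for MD5, 64 for SHA-256.
    case ${#digest} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "unrecognised digest length ${#digest} in $sums" >&2; return 2 ;;
    esac
    # Run in the file's directory so the relative name on the checksum line resolves;
    # "-c -" reads the single line from stdin, --quiet prints only failures.
    printf '%s\n' "$line" | (cd "$(dirname "$file")" && "$tool" -c --quiet -)
}
```

Use it as verify_download snort-2.8.5.3.tar.gz snort-2.8.5.3.tar.gz.md5 || exit 1 in a download script. The check only says that the file matches the list; whether the list itself can be trusted depends on where it came from, which is why a signature on the file or the list (see the GnuPG post above) is the stronger check.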

What is TCPDUMP and how to use it

TCPDUMP is a packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It has a version for Windows too, named WinDump.

What is it good for?


Tcpdump is frequently used to debug applications that generate or receive network traffic. It can also be used for debugging the network setup itself, by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem.
It is also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer. A user with the necessary privileges on a system acting as a router or gateway through which unencrypted traffic such as TELNET or HTTP passes can use tcpdump to view login IDs, passwords, the URLs and content of websites being viewed, or any other unencrypted information.

Examples:

I. To see on which network interfaces tcpdump can capture packets, type:

sudo tcpdump -D

Output of the above command:
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo

II. How to capture packets from an interface:

sudo tcpdump -i eth0

If you want the packets saved in a file for later analysis, write them with -w (the file is raw pcap, not text):

sudo tcpdump -i eth0 -w tcpdumpfile.log

III. How to see the data on screen in human-readable form while also keeping a copy (-l line-buffers the output, so tee receives each line as soon as it is printed instead of in 4 KB chunks):

sudo tcpdump -l | tee dat

IV. Print packets arriving at ubuntubox1 (192.168.2.3) or departing from it, using the host name or the IP:

sudo tcpdump host ubuntubox1
              or like this:
sudo tcpdump host 192.168.2.3

V. To print traffic between ubuntumaster and either ubuntubox1 or ubuntubox2 (the parentheses belong to tcpdump, so quote the whole expression, or escape them as \( and \), to keep the shell from interpreting them):

sudo tcpdump 'host ubuntumaster and (ubuntubox1 or ubuntubox2)'

VI. To print all IP packets between ubuntubox1 and any host except ubuntumaster:

sudo tcpdump ip host ubuntubox1 and not ubuntumaster

VII. How to capture packets sent to or received from port 22 (either direction) into a file:

sudo tcpdump port 22 -w tcpdump.log

VIII. How to print traffic showing the IPs of the sender and receiver instead of resolved names (-n skips host name lookups, -nn also skips port name lookups, -S prints absolute rather than relative TCP sequence numbers):
sudo tcpdump -nS
sudo tcpdump -nnvvS (to see a good amount of traffic, with verbosity and no name resolution)


IX. How to print traffic from only a source or only a destination, ignoring the other side of the conversation:

sudo tcpdump src 192.168.2.4
sudo tcpdump dst 192.168.2.5

X. How to capture traffic from an entire network, by name or by address/prefix:

sudo tcpdump net mynetworkdomain.com
             or like this:
sudo tcpdump net 192.168.2.0/24


XI. How to print a specific number of packets of a specific protocol (the protocol keywords are lowercase: tcp, udp, icmp, arp, ip):

sudo tcpdump -c 20 tcp

XII. How to filter traffic on both the source port and the destination port (both conditions must hold, so this prints only packets whose source and destination port are both 22; to catch SSH in either direction use "port 22" as in example VII):

sudo tcpdump src port 22 and dst port 22

Note: you can combine primitives into expressions with and, or and not, and group them with parentheses.

If you save the output to a file with the -w option it is stored as raw pcap and is not human readable. Read it back with tcpdump itself (any filter expression also works on a saved file), or open it in Wireshark:

tcpdump -nn -r tcpdump.log
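The captures above, wrapped into a small script as an added example that is not part of the original post: a filter builder that takes care of the quoting, a capture to pcap with -w, a replay with -r, and a per-source packet count over tcpdump's text output. The interface, host names and the sample capture lines in the usage are constructed assumptions.

```bash
#!/bin/sh
# Added example (not from the original post): tcpdump wrappers plus a small
# report over its text output. Names and sample lines are constructed.
set -u

# Build a BPF filter for "traffic between HOST and PEER1 or PEER2 on PORT,
# excluding EXCLUDED". The parentheses live inside the string, so the caller
# quotes the whole expression once instead of escaping \( and \) for the shell.
build_filter() {    # host peer1 peer2 port excluded
    printf 'host %s and (host %s or host %s) and port %s and not host %s' \
        "$1" "$2" "$3" "$4" "$5"
}

# Capture COUNT packets on IFACE matching FILTER into OUTFILE (raw pcap).
# -nn: no host/port name lookups (faster, and no DNS traffic of your own);
# -s 0: whole packets rather than a truncated snapshot.
capture() {         # iface count outfile filter
    sudo tcpdump -nn -s 0 -i "$1" -c "$2" -w "$3" "$4"
}

# Read a pcap back as text. The same filter syntax works on a saved file,
# so you can capture broadly once and slice it later.
replay() {          # infile [filter]
    tcpdump -nn -tttt -r "$1" ${2:+"$2"}
}

# Packets per source address, from tcpdump -nn text on stdin (with or
# without -tttt timestamps). Lines look like:
#   2010-02-24 10:01:02.123456 IP 192.168.2.3.51234 > 192.168.2.55.22: Flags [S], ...
# The port is the last dotted component of the address and is stripped off.
top_talkers() {
    awk '{
            for (i = 1; i < NF - 1; i++)
                if ($i == "IP" && $(i + 2) == ">") {
                    src = $(i + 1); sub(/\.[0-9]+$/, "", src)
                    n[src]++
                    break
                }
         }
         END { for (h in n) printf "%d %s\n", n[h], h }' | sort -rn
}

# Usage (assumed names; needs root and a real interface, so not run here):
#   f=$(build_filter ubuntubox1 ubuntumaster ubuntubox2 22 192.168.2.99)
#   capture eth0 200 ssh.pcap "$f"
#   replay ssh.pcap | top_talkers
```

Capturing with -w and reading back with -r is the habit worth keeping: the pcap is the evidence, the text is a view of it, and a filter you got wrong on the first pass costs nothing to rerun against the file.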

Wednesday, February 10, 2010

Open SSH basic security

For ssh to be reasonably secure, any competent network admin will tell you to do at least the following.
Open a shell and type:
sudo nano /etc/ssh/sshd_config (this is the openssh-server configuration file)
1. Find the line Port 22 and change the port number, for example to Port 2232 (any free port works; sshd runs as root, so it is not restricted to numbers above 1024). This only hides you from the laziest scanners and is no substitute for the next two settings. From now on you must give the port when you connect:
ssh -p 2232 cata@ubuntubox1
2. Find the line PermitRootLogin yes and change it to no. Nobody can then log in over ssh as root; log in as a normal user and use sudo.
3. Use key-based (passwordless) authentication, described in the following post, and once your key works set PasswordAuthentication no in sshd_config so that password guessing becomes impossible. Check the file with sudo sshd -t before you restart with sudo service ssh restart, and keep your current session open until you have confirmed that a fresh login works.
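The three edits above applied by a script instead of by hand, as an added example that is not part of the original post. Editing sshd_config with sed is a classic way to end up with two conflicting Port lines (sshd takes the first one), so the function replaces an existing directive, commented out or not, and only appends when none exists; the port number 2232 and the file names are assumptions.

```bash
#!/bin/sh
# Added example (not from the original post): set sshd_config directives
# idempotently, then read them back. Port 2232 and paths are assumptions.
set -u

# Set KEY to VALUE in FILE: rewrite the first existing directive (even if it
# is commented out, as Ubuntu's defaults are), otherwise append it. Running it
# twice yields the same file. Note it touches the first occurrence, so keep
# any "Match" blocks below the global settings, as sshd_config(5) requires.
set_sshd_option() {    # file key value
    file=$1 key=$2 value=$3
    if grep -Eqi "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        awk -v k="$key" -v v="$value" '
            BEGIN { done = 0 }
            {
                line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)
                split(line, f, /[ \t]+/)
                if (!done && tolower(f[1]) == tolower(k)) { print k " " v; done = 1 }
                else print
            }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Effective value of KEY in FILE: the first uncommented match, which is also
# the one sshd uses when a directive appears more than once.
get_sshd_option() {    # file key
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The three changes from the post, plus making sure key logins stay enabled.
harden_sshd_config() { # file
    set_sshd_option "$1" Port 2232
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# Usage on a real host (not run here): keep a backup, let sshd parse the new
# file before restarting so a typo cannot lock you out, then restart.
#   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   sudo sh -c '. ./sshd-harden.sh; harden_sshd_config /etc/ssh/sshd_config'
#   sudo sshd -t && sudo service ssh restart
```

Only run harden_sshd_config after your public key is installed and tested (next post): with PasswordAuthentication no and no working key you have locked yourself out of every account except the console.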

How to configure password-less authentication with Open SSH

 In my experience as a network admin it is not a good idea to let users log in with their machine credentials, so I will show you how to log in over ssh using public key and private key authentication.
Note: I presume that you have already installed the openssh-server package.
1. Open a shell and type
ssh-keygen (this is the ssh utility for key-based authentication. It generates a private key, id_rsa, which never leaves your machine, and a public key, id_rsa.pub, which you hand to the servers. Choose a passphrase: it encrypts the private key on disk, so a copied key file is useless without it.)

Generating public/private rsa key pair.
Enter file in which to save the key (/home/cata/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
7a:df:3b:ac:6f:72:24:44:31:9d:c1:61:bb:59:9f:61 cata@krishnamurti2
The key's randomart image is:
+--[ RSA 2048]----+
|          o+++   |
|          .o+.   |
|         .  . .E |
|          .  +..o|
|        S.  o  ..|
|       .  . .    |
|      . .  +     |
|       . ...=    |
|          o*+o   |
+-----------------+



2. Let's presume you want to log in without a password to the PC named xubuntu (192.168.2.55).

ssh-copy-id -i ~/.ssh/id_rsa.pub cata@192.168.2.55 - this copies your public key (id_rsa.pub) to the remote system and appends it to /home/cata/.ssh/authorized_keys there, creating the directory and file if needed. You are asked for your password one last time.

3. Nothing needs to be restarted on the remote host: sshd reads authorized_keys at every login, so the key is usable immediately. (Restart the server only if you edited sshd_config: sudo service ssh restart.)

4. Now from your shell type:

ssh 192.168.2.55 (and you will be logged in without a password; if you set a passphrase on the key you are asked for that instead, unless an agent already holds the key)

5. If you want to test that everything is ok, type:

ssh-add -l (this lists the keys currently loaded in your ssh-agent)
If no keys are listed, load your key into the agent manually (it asks for the passphrase once per session):
ssh-add
If you want to remove a key from the agent:
ssh-add -d ~/.ssh/id_rsa (one key) or ssh-add -D (removes all keys)
Recommendation
Change your private key's passphrase at least once a year. To change the passphrase without generating a new key, type:
ssh-keygen -p
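What ssh-copy-id does on the remote side, written out as an added example that is not part of the original post, so that the result can be checked and audited: the key is appended to ~/.ssh/authorized_keys exactly once, and the directory and file get the permissions sshd insists on (with the default StrictModes yes, sshd silently ignores an authorized_keys file that is group- or world-writable, which is the most common reason a freshly copied key "does not work"). The home directory and key lines in the usage are constructed placeholders, not real keys.

```bash
#!/bin/sh
# Added example (not from the original post): install and audit public keys
# the way ssh-copy-id does. Paths and key material are constructed.
set -u

# Install PUBKEY_LINE (one line of an id_*.pub file) for the account whose
# home directory is HOME_DIR. Idempotent: re-running never duplicates a key,
# even if the trailing comment differs.
install_authorized_key() {   # home_dir pubkey_line
    ssh_dir="$1/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    # match on key type + base64 blob only; the comment is just a label
    blob=$(printf '%s\n' "$2" | awk '{print $1, $2}')
    if ! awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth"; then
        printf '%s\n' "$2" >> "$auth"
    fi
}

# Number of keys that can log in to the account: worth checking on every
# server now and then, since each line is a password-less way in.
count_authorized_keys() {    # home_dir
    auth="$1/.ssh/authorized_keys"
    [ -f "$auth" ] || { echo 0; return; }
    grep -cE '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$auth"
}

# True if the permissions are what sshd's StrictModes expects.
authorized_keys_perms_ok() { # home_dir
    d="$1/.ssh"
    [ -n "$(find "$d" -maxdepth 0 -type d -perm 700)" ] &&
    [ -n "$(find "$d/authorized_keys" -maxdepth 0 -type f -perm 600)" ]
}

# Usage on the remote host (constructed key; run as the target user):
#   install_authorized_key "$HOME" "$(cat id_rsa.pub)"
#   count_authorized_keys "$HOME"; authorized_keys_perms_ok "$HOME" && echo perms ok
```

When a key login fails with no obvious reason, run authorized_keys_perms_ok on the target account and look in /var/log/auth.log before touching sshd_config; the permissions check catches most of these cases.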

How to copy files with SCP

1.Copy a file to another host: 

scp sourcefile user@host:/directory/TargetFile

2.Copying file from host:  

scp user@host:/directory/sourcefile TargetFile

Note that if the remote host uses a port other than the default of 22, you can specify it with -P (capital P: in scp the lowercase -p means "preserve modification times", unlike ssh where -p is the port).
For example, copying a file from host:

scp -P 2222 user@host:/directory/SourceFile TargetFile

Friday, February 5, 2010

Virtual Box How to change screen resolution in a Ubuntu 9.10 guest system

Two days ago I installed an Ubuntu 9.10 virtual machine. The installation went great except for the video driver. I have a Sapphire ATI HD 4850 with 512 MB DDR3 and a Samsung SyncMaster T240HD monitor with a maximum resolution of 1920x1200, and yet the maximum screen resolution in the guest was 800x600.
So after some reading of the VirtualBox manual I found the answer.

You must install the Guest Additions in the Ubuntu guest machine and create an xorg.conf file.

Step 1 - Start the virtual machine and mount the VBoxGuestAdditions.iso
 If you can't find it on the Devices menu you will have to locate the image and mount it yourself. On a Windows host it is in your VirtualBox installation folder (mine is d:\VirtualBox\); on a Linux host it is in /usr/share/virtualbox/.




Step 2 - install the Guest Additions drivers
Open a shell and type:

cd /media/cdrom0/
ls -ltr
On a 32-bit guest you must install VBoxLinuxAdditions-x86.run (on a 64-bit guest the file is VBoxLinuxAdditions-amd64.run), like this:
sudo sh VBoxLinuxAdditions-x86.run
After the install completes, reboot the system.
Step 3 - create an xorg.conf file
Open a shell and type:
sudo gedit /etc/X11/xorg.conf
Now copy the lines below into the xorg.conf file you just created and save it. The Device name used in the Screen section must match the Identifier of the Device section, and the Monitor it refers to must be declared, otherwise X falls back to its defaults or refuses to start.

Section "Device"
   Identifier   "Configured Video Device"
   Driver       "vboxvideo"
EndSection

Section "Monitor"
   Identifier   "Generic Monitor"
EndSection

Section "Screen"
   Identifier    "Default Screen"
   Device        "Configured Video Device"
   Monitor       "Generic Monitor"
   DefaultDepth  24
   SubSection "Display"
     Depth    24
     Modes    "1920x1200"
   EndSubSection
EndSection



Under Modes put your own monitor resolution. Log out and back in, and after that you will be able to change the screen resolution using System-->Preferences-->Display.


Thursday, February 4, 2010

Xinetd the super server

Xinetd performs the same function as inetd: it starts programs that provide Internet services. Instead of having such servers started at system initialization time, and be dormant until a connection request arrives, xinetd is the only daemon process started and it listens on all service ports for the services listed in its configuration file. When a request comes in, xinetd starts the appropriate server. Because of the way it operates, xinetd (as well as inetd) is also referred to as a super-server.The only reason for the existence of a super-server was to conserve system resources by avoiding to fork a lot of processes which might be dormant for most of their lifetime. While fulfilling this function, xinetd takes advantage of the idea of a super-server to provide features such as access control and logging. Furthermore, xinetd is not limited to services listed in /etc/services. Therefore, anybody can use xinetd to start special-purpose servers.

CONTROLLING XINETD
SIGHUP causes a hard reconfiguration, which means that xinetd re-reads the configuration file and terminates the servers for services that are no longer available. Access control is performed again on running servers by checking the remote location, access times and server instances. If the number of server instances is lowered, some arbitrarily picked servers will be killed to satisfy the limit; this will happen after any servers are terminated because of failing the remote location or access time checks. Also, if the INTERCEPT flag was clear and is set, any running servers for that service will be terminated; the purpose of this is to ensure that after a hard reconfiguration there will be no running servers that can accept packets from addresses that do not meet the access control criteria. SIGQUIT causes program termination. SIGTERM terminates all running servers before terminating xinetd. SIGUSR1 causes an internal state dump (the default dump file is /var/run/xinetd.dump; to change the filename, edit config.h and recompile). SIGABRT causes an internal consistency check to verify that the data structures used by the program have not been corrupted. When the check is completed xinetd will generate a message that says if the check was successful or not.
xinetd.conf is the configuration file that determines the services provided by xinetd. Any line whose first non-white-space character is a ’#’ is considered a comment line. Empty lines are ignored.You can find it in /etc/xinetd.conf. The file contains entries of the form: service { ... ... }
The necessary attributes for a service in xinetd.conf are:

socket_type
user (non-internal services only)
server (non-internal services only)
wait
protocol (RPC and unlisted services only)
rpc_version (RPC services only)
rpc_number (unlisted RPC services only)
port (unlisted non-RPC services only)

EXAMPLE

# Sample configuration file for xinetd

defaults
{
    log_type        = FILE /var/log/servicelog
    log_on_success  = PID
    log_on_failure  = HOST
    only_from       = 128.138.193.0 128.138.204.0
    only_from       = 128.138.252.1
    instances       = 10
    disabled        = rstatd
}

service ftp
{
    socket_type     = stream
    wait            = no
    nice            = 10
    user            = root
    server          = /usr/etc/in.ftpd
    server_args     = -l
    instances       = 4
    log_on_success  += DURATION HOST USERID
    access_times    = 2:00-9:00 12:00-24:00
}
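A second service entry, added here as an example that is not part of the original post or of the xinetd man page, showing the access-control and rate-limiting attributes that make xinetd more than a process launcher. The addresses, the interface address and the telnet server path are assumptions for a small LAN.

```conf
# Added example: a telnet entry locked down with xinetd's own controls.
service telnet
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    # who may connect: the LAN, minus one host. When a client matches
    # both lists the more specific entry decides, so 192.168.2.10 is refused
    only_from       = 192.168.2.0/24
    no_access       = 192.168.2.10
    # throttling: at most 5 servers at once, 2 per client address, and
    # no more than 10 new connections per second (then pause 30 seconds)
    instances       = 5
    per_source      = 2
    cps             = 10 30
    # listen on the LAN-facing address only, not on every interface
    bind            = 192.168.2.1
    # record the remote user (via identd) on failed attempts as well
    log_on_failure  += USERID
}
```

After editing, send xinetd a SIGHUP (sudo kill -HUP $(pidof xinetd) or sudo service xinetd reload) and watch /var/log/servicelog, or whatever log_type names, for a refused connection from the no_access host to confirm the rule is live.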

For more details see http://manpages.ubuntu.com/manpages/lucid/en/man5/xinetd.conf.5.html

How to run a software with *.sh or *.run extension

Open a shell, go to the folder where the installer is, and then type:

1. sudo sh soft_name.sh
or like this (this form needs the execute bit: chmod +x soft_name.sh first)
2. sudo ./soft_name.sh

For software with a *.run extension it is done the same way. Both forms run the installer as root, so only do this with a file whose checksum you have verified (see the md5sum post above) and whose origin you trust; leave out sudo if the installer only writes inside your home directory.

Wednesday, February 3, 2010

TCP Wrappers

If you want good security you must build layered security. TCP Wrappers is like a basic firewall that protects your network services at the application level: the daemon (or the super-server that starts it) checks the client's address against two files before the service ever answers.

A basic setup, before you add a packet filter such as iptables in front of it, looks like this:
xinetd --> TCP Wrappers --> network service (layered security)
To create the TCP Wrappers rules, edit these two files:


hosts.allow and hosts.deny


These two files, located in your /etc/ folder, allow you to limit or permit connections from specific hosts or ips. Using these two files you could setup a whitelisting basic firewall or blacklist.

Here is the format:

daemon_list : client_list [ : shell command]



daemon_list - is a list of one or more daemon process names (argv[0] values) or server port numbers or wildcards.
client_list - is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.
shell command is optional
List elements should be separated by blanks and/or commas.


Wildcards


Here is the list of wildcards supported by tcp wrappers:


ALL The universal wildcard, always matches. 
LOCAL Matches any host whose name does not contain a dot character.
UNKNOWN Matches any user whose name is unknown, and matches any host whose name or address are unknown. 
KNOWN Matches any user whose name is known, and matches any host whose name and address are known.  
PARANOID Matches any host whose name does not match its address.

Shell commands


I never used these but you can open a shell and type man hosts.allow to find out more


Example of editing rules for TCP Wrappers:

Open the hosts.allow file in your favorite editor (comments must be on their own line starting with #; anything after a rule on the same line is parsed as part of the rule):

sudo nano /etc/hosts.allow

# every service from the 127.0. range (a trailing dot means "this prefix")
ALL : 127.0.
# telnet from one specific IP, plus the 192.168.0. range, minus one exception
in.telnetd : 192.168.0.2 192.168.0. EXCEPT 192.168.0.10

Then the deny file:

sudo nano /etc/hosts.deny

# deny every service to every host that was not allowed above
ALL : ALL

hosts.allow is consulted first and the first matching rule wins; only if nothing matches is hosts.deny consulted, and if nothing matches there either, the connection is accepted. The deny-all line is therefore what turns the setup into a whitelist. The daemon name must be the process name the service runs as, which for the telnet server on Ubuntu is in.telnetd (the same name the tcpdmatch test below uses).
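A fuller whitelist for a small LAN, as an added example that is not part of the original post: network/mask notation, a domain suffix, and a logged refusal using the optional shell-command field described above. The addresses, the domain and the log path are assumptions; the sshd rules only take effect if sshd was built with libwrap (check it with ldd as shown later on this page), and the spawn keyword needs tcp_wrappers built with the hosts_options extension, which Ubuntu's package is.

```conf
# /etc/hosts.allow -- consulted first; the first matching rule wins
# (added example; addresses and names are assumptions)

# ssh from the LAN except one host, and from any host in example.com
sshd : 192.168.2.0/255.255.255.0 EXCEPT 192.168.2.10
sshd : .example.com
# telnet from a single management box only
in.telnetd : 192.168.2.2
# everything from the local machine itself
ALL : 127.0.0.1

# /etc/hosts.deny -- consulted only if nothing in hosts.allow matched.
# Refuse and log who was refused (%d = daemon, %c = client info).
ALL : ALL : spawn /bin/echo "`date` refused %d from %c" >> /var/log/tcpwrappers.log
```

The refusal log is useful beyond debugging: a burst of refused sshd entries from one address is the same signal a firewall log would give you, and this file exists on hosts that have no firewall yet.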


How to test if tcpwrappers is working:

1. Open a shell and type:
tcpdchk -v (tcpdchk examines your tcp wrapper configuration and reports all potential and real problems it can find. It examines the tcpd access control files (by default /etc/hosts.allow and /etc/hosts.deny) and compares the entries in these files against the entries in the inetd (xinetd) network configuration file.)
2. Open a shell and type:
tcpdmatch in.telnetd 192.168.0.2 (tcpdmatch predicts how the tcp wrapper would handle a specific request for a service. It examines the tcpd access control tables (default /etc/hosts.allow and /etc/hosts.deny) and prints its conclusion; for maximal accuracy it extracts additional information from your inetd (xinetd) network configuration file. When tcpdmatch finds a match in the access control tables it identifies the matched rule and displays any optional shell commands or options in a pretty-printed format, which makes it easy to spot discrepancies between what you want and what the program understands.) Run it once for a host that should be allowed and once for one that should be refused, e.g. tcpdmatch in.telnetd 192.168.0.10, and check that the verdicts are the ones you intended.

How to check if a service is compatible with tcpwrappers:

1. Not all services honour TCP Wrappers: the rules only apply to a daemon that is linked against libwrap, or that is started by a super-server which is. To check a service, open a shell and type:

ldd /usr/sbin/in.telnetd | grep libwrap (this example tests the telnet server)

If the output mentions libwrap.so, the daemon consults hosts.allow and hosts.deny itself, so any restrictions there apply to it. If nothing is printed, the daemon ignores the files when started on its own; it is still covered when started through xinetd or tcpd, because those are normally built with libwrap (check them with ldd the same way) and perform the check before handing over the connection. A packet filter rule, unlike a wrapper, applies regardless of how the daemon was built, which is why the two belong together.