Monthly Archive for September, 2009

Nmap 5.00

For years, I have used the Nmap port scanning tool. The biggest update since 1997 is out in the form of Nmap 5.0.

As part of a penetration test, Nmap is one of the first tools I use to try to enumerate a network and see what it’s running as well as which ports might be open (or closed).

The new release is supposed to be faster than prior versions. So far, my testing confirms this.

Aside from speed, there are new tools like Ncat that make Nmap 5 a major release.

According to the Nmap 5.0 release announcement:

“The new Ncat tool aims to be your Swiss Army Knife for data transfer, redirection, and debugging.”

In addition, extensibility is a big part of the release. For example, the Nmap Scripting Engine (NSE) adds quite a bit to Nmap in terms of flexibility and programmability.

NSE is all about automating network scanning tasks with scripts. According to the release announcement:

“Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. All existing scripts have been improved, and 32 new ones added. New scripts include a whole bunch of MSRPC/NetBIOS attacks, queries, and vulnerability probes; open proxy detection; whois and AS number lookup queries; brute force attack scripts against the SNMP and POP3 protocols; and many more.”

One of the first steps of any network security assessment is scanning to identify available and exposed network resources. I have no doubts that Nmap 5 will continue to be a valuable tool for network administrators, security nerds, and penetration testers alike.

OSSEC Upgrade 2.2

For those not in the know, OSSEC is an absolutely wonderful tool for monitoring the security of servers and systems. It includes automated responses, email alerting, and a fairly robust set of baseline rules. In addition, rules can be custom written, like this set I did for TitanFTP.

Version 2.2 has been released recently. I suppose it is time to do the OSSEC upgrade. The 2.1 and 2.2 releases include a number of needed enhancements as follows:

1. Centralized configuration management
2. Remote agent restart
3. Real-time integrity checking
4. New log rules
5. WordPress monitoring

I am mainly interested in items 1 through 3. I’ve had some issues with the integrity scan affecting performance during production hours, so hopefully these changes will assist with that.

After installing the new version, I wanted to check out the impact that the integrity checks had on performance. I set up a test server and a test Windows client.

From the Linux-based OSSEC server:

root@prd-001-hids:/var/ossec/bin# ./agent_control

OSSEC HIDS agent_control: Control remote agents.
Available options:
-h          This help message.
-l          List available (active or not) agents.
-lc         List active agents.
-i <id>     Extracts information from an agent.
-R <id>     Restarts agent.
-r -a       Runs the integrity/rootkit checking on all agents now.
-r -u <id>  Runs the integrity/rootkit checking on one agent now.

-b <ip>     Blocks the specified ip address.
-f <ar>     Used with -b, specifies which response to run.
-L          List available active responses.
-s          Changes the output to CSV (comma delimited).
root@prd-001-hids:/var/ossec/bin# ./agent_control -r -a

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on all agents.root@prd-001-hids:/var/ossec/bin#

I noted on the OSSEC client that there was a bit of a hit on performance during integrity scanning; however, it does not seem to be as bad as in previous versions.
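As an added example (not the post's own configuration), here is what the centralized configuration from item 1 looks like when used to keep the integrity-check load out of production hours: a server-side /var/ossec/etc/shared/agent.conf that limits real-time checking to a few sensitive paths and pushes the full syscheck scan to a fixed off-hours time. The directory paths, the TitanFTP install location and the 10pm/Saturday schedule are assumed values chosen for illustration.

```xml
<!-- Added example, not the post's configuration. This file lives on the
     OSSEC manager at /var/ossec/etc/shared/agent.conf and is pushed to every
     agent; an agent applies it on its next restart, which agent_control -R <id>
     can trigger from the server. Paths and times below are assumed. -->

<!-- Windows agents: one full scan per day, at a fixed time, not on a timer
     that can fire in the middle of the business day. -->
<agent_config os="Windows">
  <syscheck>
    <frequency>86400</frequency>
    <scan_time>10pm</scan_time>

    <!-- Real-time watching only where a change matters most. A real-time
         watch over all of C:\ is what drives the daytime load. -->
    <directories realtime="yes" check_all="yes">%WINDIR%/system32/drivers/etc</directories>
    <directories realtime="yes" check_all="yes">C:\Program Files\TitanFTP</directories>

    <!-- Everything else is covered by the nightly scan only. -->
    <directories check_all="yes">%WINDIR%/system32</directories>
    <directories check_all="yes">C:\Program Files</directories>

    <!-- Log directories change constantly and would only produce noise. -->
    <ignore>C:\Program Files\TitanFTP\logs</ignore>
  </syscheck>
</agent_config>

<!-- Linux agents: same idea, full scan on Saturday night only. -->
<agent_config os="Linux">
  <syscheck>
    <frequency>604800</frequency>
    <scan_day>saturday</scan_day>
    <scan_time>10pm</scan_time>
    <directories realtime="yes" check_all="yes">/etc,/usr/sbin</directories>
    <directories check_all="yes">/bin,/usr/bin,/sbin</directories>
  </syscheck>
</agent_config>
```

After the agents restart, a run of ./agent_control -r -a as shown above forces the full scan on demand, which is the quickest way to compare the load of the scheduled scan against the real-time watches.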