Beginner’s guide: OSSIM Part 2

Hope all of you are keeping well, and thank you for the overwhelming support you have been giving me. Today we’ll deal with everything from basic OSSIM configuration to integrating different types of assets. Before we jump into all of that, I hope you are all ready with the installation; if not, please visit my previous post, Beginner’s guide: OSSIM (Open Source Security Information Management) part 1, which is the first part. Make sure your OSSIM has an active internet connection. As you all know, the AlienVault platform has five modules: asset discovery, vulnerability assessment, threat detection, behavioural monitoring and security intelligence. In simple words, we add assets first, and then we configure those assets under each module of AlienVault in turn. If you’re ready with everything mentioned in part 1, we can now move forward with the configuration. Here we’re considering only OSSIM, not USM.

Nmapping your network

A short tutorial for using Nmap

I hear a lot of questions like “how do we scope assets?” or “how do I manage my asset inventory?”. Well, the answer is Nmap. Nmap is a quite handy tool that lets you map IP addresses to assets, create an asset inventory, or even run a small vulnerability scan. Here we’ll talk about how to run an Nmap full scan, an Nmap all-port scan and an Nmap specific-port scan.

For all the newbies out there, I’m starting from scratch. As you all know, Nmap means Network Mapper. It is a small tool which every pentester and network/system administrator must know. Most of my friends complain that Nmap is so vast that they don’t know how to set, or why to set, certain options before starting a scan. To understand how Nmap works properly, you need to know how a system behaves on a network. I’m not planning to go into core basics, but we’ll touch on whatever is essential.

-sT (TCP connect scan)

TCP connect scan is the default TCP scan type when a SYN scan is not available (for example when you are not running Nmap with raw packet privileges). Nmap asks the host operating system (the operating system on which Nmap is installed) to establish a connection with the target machine on the given port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, FTP and SSH clients and most other network applications use to establish a connection. It is part of the socket programming interface known as the Berkeley Sockets API. Nmap uses this same API to obtain status information about each port from each connection attempt. Because the handshake is completed, the target application actually accepts the connection, so connect scans tend to show up in the target’s application logs.

-sS (TCP SYN scan)

SYN scan is the most popular scan option, for good reason. It can scan thousands of ports per second on a fast network that is not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy, since it never completes a TCP connection. SYN scan works against any compliant TCP stack rather than depending on the specifics of a particular platform, and it allows clear, reliable differentiation between the open, closed and filtered states. It needs raw packet privileges, so run it as root.
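To make the difference between the two scan types concrete, here is a small added example (my own illustration, not code from the original post or from the Nmap project). It models, in plain Python, how a SYN probe’s reply is mapped onto Nmap’s open/closed/filtered states and how a connect scan, unlike a SYN scan, leaves a completed connection behind on the target. The target is a constructed in-memory stub; no packets are sent.

```python
"""Added example: a toy model of Nmap's TCP connect scan vs. SYN scan.

StubTarget is a constructed stand-in for a remote host (not a real socket):
it answers a SYN the way a real TCP stack would, and it records which ports
ever saw a completed three-way handshake, which is what the target's
application (and its logs) would see.
"""
from dataclasses import dataclass, field


@dataclass
class StubTarget:
    listening: set                       # ports with a service bound to them
    firewalled: set                      # ports where a firewall silently drops probes
    accept_log: list = field(default_factory=list)   # ports whose handshake completed

    def reply_to_syn(self, port):
        """What the target sends back to a single SYN probe."""
        if port in self.firewalled:
            return None                  # dropped: the scanner sees no reply at all
        if port in self.listening:
            return "SYN/ACK"             # a service answered
        return "RST"                     # nothing listening, stack refuses

    def complete_handshake(self, port):
        """Called only when the scanner sends the final ACK (connect scan)."""
        self.accept_log.append(port)


def classify(reply):
    """Map the reply to a SYN probe onto Nmap's three basic port states."""
    if reply == "SYN/ACK":
        return "open"
    if reply == "RST":
        return "closed"
    return "filtered"                    # no reply (or ICMP unreachable): something in the way


def syn_scan(target, port):
    """Half-open scan (-sS): SYN, read the reply, tear down with RST.
    Returns (state, list of segments the scanner sent)."""
    sent = ["SYN"]
    reply = target.reply_to_syn(port)
    if reply == "SYN/ACK":
        sent.append("RST")               # never completes the handshake
    return classify(reply), sent


def connect_scan(target, port):
    """connect() scan (-sT): the OS finishes the handshake, then closes normally."""
    sent = ["SYN"]
    reply = target.reply_to_syn(port)
    if reply == "SYN/ACK":
        target.complete_handshake(port)  # the application sees an accepted connection
        sent += ["ACK", "FIN"]           # full handshake, then an orderly close
    return classify(reply), sent


def scan_ports(target, ports, method=syn_scan):
    """Run one scan method over a list of ports; returns {port: state}."""
    return {p: method(target, p)[0] for p in ports}


if __name__ == "__main__":
    # Constructed lab host: SSH and HTTP up, MySQL hidden behind a firewall.
    host = StubTarget(listening={22, 80}, firewalled={3306})
    print("SYN scan:    ", scan_ports(host, [22, 23, 80, 3306]))
    print("connect scan:", scan_ports(host, [22, 23, 80, 3306], connect_scan))
    print("ports whose handshake the target application saw:", host.accept_log)
```

The last line is the point for a defender: after the SYN scan the stub’s `accept_log` is still empty, while after the connect scan it holds every open port, which is why connect scans are visible in service logs and SYN scans are usually only visible to a firewall or IDS watching the wire.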

How to install Nmap

If you don’t have Nmap installed yet:
For Windows, install the packet capture driver (pcap) first and download Nmap from the official site.

Linux users simply run the command

# yum install nmap                   (for Red Hat based systems)

$ sudo apt-get install nmap          (for Debian based systems)

An Nmap command typically has three parts: scan type, options and target. It is not mandatory to supply the scan type and the options; in short, those two parts are optional.

To do a simple scan (what I call an Nmap full scan), simply call Nmap and supply the target’s hostname, domain name or IP address:

root@attacker#nmap example.com

root@attacker#nmap 192.168.1.1


Now the answer to one of the challenging questions admins ask: “how do I create an asset inventory?”

root@attacker#nmap  -sP 192.168.1.0/24


This command skips port detection and only tries to find out which machines are alive (a ping sweep; -sP is the older name for what newer Nmap versions call -sn). Or else you can try

root@attacker#nmap -sS -oN /root/Desktop/asset.txt 192.168.1.0/24

-sS stands for SYN (stealth) scan
-oN stands for normal output, followed by the file to save it to
192.168.1.0/24 is my network address in CIDR notation

This is a much deeper scan and gives more accurate results.

If you are looking for all machines running a particular service, such as databases or other web services, you can use an Nmap specific-port scan

root@attacker#nmap -sS -p22 --open -oN /root/Desktop/service.txt 192.168.1.0/24

This will list all machines in my network with SSH (port 22) open.
If you only need to scan a few machines, simply add their IP addresses as shown below

root@attacker#nmap -sS -oN /root/Desktop/maptxt 192.168.1.1 192.168.1.2 192.168.1.2


But if the IP addresses are consecutive, simply give the range as shown below

root@attacker#nmap -sS -oN /root/Desktop/maptxt 192.168.1.1-125

Pentesters can also use the -sV and -sC options for service version fingerprinting and a basic script scan, which is something like a lightweight vulnerability scan.
If you already have an asset list and you want Nmap to scan only those IP addresses, then

root@attacker#nmap  -iL assetlist.txt
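The asset inventory scan, the “which machines have port 22 open” filter and the -iL target list above all come together once you can parse what Nmap wrote to disk. The following is an added example of mine (not from the original post or the Nmap project) that does exactly that. It reads Nmap’s XML report rather than the -oN text, because the XML is stable and easy to parse; -oX is a real Nmap option, so the assumed command is `nmap -sS -oX scan.xml 192.168.1.0/24`. The SAMPLE_XML in the block is constructed by hand to look like Nmap output and is not a real scan.

```python
"""Added example: build an asset inventory from an Nmap XML report (-oX).

SAMPLE_XML is a constructed, hand-written stand-in for real Nmap output.
The functions turn it into (a) an inventory CSV you could load into OSSIM's
asset list, (b) a "hosts with service X" answer like -p22 --open, and
(c) a one-IP-per-line file that nmap -iL can read for the next scan.
"""
import csv
import io
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX - 192.168.1.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:01" addrtype="mac"/>
    <hostnames><hostname name="gw.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """One dict per host that was up: ip, mac, hostname and its open ports."""
    root = ET.fromstring(xml_text)
    assets = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                                   # down hosts are not assets
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if ip is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                name = svc.get("name", "") if svc is not None else ""
                open_ports.append((int(port.get("portid")), port.get("protocol"), name))
        assets.append({"ip": ip, "mac": mac or "", "hostname": hostname,
                       "open_ports": sorted(open_ports)})
    return assets


def hosts_with_service(assets, port, proto="tcp"):
    """Same question as `nmap -p22 --open`, answered from the parsed report."""
    return [a["ip"] for a in assets
            if any(p == port and pr == proto for p, pr, _ in a["open_ports"])]


def to_csv(assets):
    """Inventory as CSV text: ip, hostname, mac, open ports."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "hostname", "mac", "open_ports"])
    for a in assets:
        ports = " ".join(f"{p}/{pr}" for p, pr, _ in a["open_ports"])
        writer.writerow([a["ip"], a["hostname"], a["mac"], ports])
    return buf.getvalue()


def to_target_list(assets):
    """One IP per line, the format `nmap -iL` expects, so the inventory drives the next scan."""
    return "\n".join(a["ip"] for a in assets) + "\n"


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    print(to_csv(inventory))
    print("hosts with SSH open:", hosts_with_service(inventory, 22))
    print(to_target_list(inventory), end="")
```

Keeping the inventory in this parsed form also makes drift visible: diffing the CSV from two scans a week apart shows new hosts and newly opened ports, which is the kind of change you want your SIEM to know about.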

Below I’m pasting a set of Nmap commands which will be handy for various uses.

Nmap Cheat Sheet


Scan a system for OS, service versions, default scripts and traceroute (aggressive scan)
root@attacker#nmap -A 192.168.1.1

OS detection / OS fingerprinting
root@attacker#nmap -O 192.168.1.1

Nmap firewall detection (ACK scan: tells filtered ports from unfiltered ones)
root@attacker#nmap -sA 192.168.1.1

Nmap all port scan
root@attacker#nmap -p 1-65535 192.168.1.1

Nmap fast scan (only the 100 most common ports)
root@attacker#nmap -F 192.168.1.1

Nmap scan by defining protocols
root@attacker#nmap -p T:22 192.168.1.1
for a TCP port

root@attacker#nmap -sU -p U:22 192.168.1.1
for a UDP port

Nmap scanning if ICMP is blocked or disabled (host discovery with TCP probes instead of ping)
root@attacker#nmap -PS22 192.168.1.1
Uses a SYN packet to port 22 for host discovery (note there is no space between -PS and the port number)
root@attacker#nmap -PA22 192.168.1.1
Uses an ACK packet
root@attacker#nmap -Pn -p 22 192.168.1.1
Skips host discovery altogether and treats the host as up