yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Scan of the week (page 2 of 2)

Darknet can’t lie – most of the attacks, scans and other interesting things indeed come from behind the Great Firewall of China.

October 12, 2010 / /

Working for ISP entitles me to various perks, one of them is unlimited connection to the Internet with wealth of unallocated yet IP addresses. So to use it somehow I set up a little Darknet (details what it means can be found here Darknet Project ) Most malware comes from Chinaand gather some statistics. First the volume of unsolicited and malicious traffic is staggering . Mostly it is traffic to Windows sharing – port 445 , then brute force – port 22, then strange ports used by new malware in the wild .Second, the interesting information pretty much stops here – as nothing listens on my side of the Darknet I don’t get more insight. As comes from this I am working on the next stage of the Darknet – HoneyNet. Once done, I’ll post here the findings.
To give you a glimpse of the Ips and ports involved in probes here is the non-sanitized sorted list of the alien IPs , destination ports, protocols and number of packets seen.This is the day’s worth statistics Bad guys and gals IPs
To get this list from Tcpdump capture I used one-liner: [root@darkstar]# tshark -n -r honey_bunny.cap42 | awk ' $3~/[0-9]+\./ {print $3,$6,$9}' | sort -n -k1,1 | uniq -c > Darknet_probing_IPs.txt

You need no MX record to get mails

October 7, 2010 / / 2 Comments

That one is funny. One client of ours that is actually themselves provide ISP services
in a far-far-away land asked to add PTR record for their mail server . But that was dull,
the interesting part was that their domain had absolutely NO MX record ! Only A record for the mail server host . I had always thought if there is no MX record for the destination domain sending mail server should bail out and I was wrong. A SMTP RFC 5321 actually states that if there no MX record exists for the domain the sender should try delivering the mail to A record of the domain RFC 5321 section 5 . Be aware though that MX record should be completely absent, so say if MX record does exist but points to a not responding server is a different case – in such case sender should fail the delivery.
The funny thing about that is that they have been working without MX record for about 2 years and have had no problems with receiving the mails, just amazing how  RFC-compliant mail servers in the wild are.

Skynet got blacklisted – Google mail servers entered RBL of Sorbs.net

October 5, 2010 / / 3 Comments

When yesterday my client sent me the headers of blocked by eSafe (Aladdin) mails I was quite surprised – the message said ” Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 574 574 MAIL REFUSED – IP (74.125.82.172) is in RBL black list recent.spam.dnsbl.sorbs.net (state 18). ” What? Google servers got blacklisted ? No way .
I also expected Sorbs.net to be wiped out from the Earth rather quickly for such act of aggression against Skynet , also known as Google.com but nothing actually happened. So just for the fun of it I checked another IP of theirs – 74.125.82.48, also blocked. In short the class-C 74.125.82.0 got listed (screenshot follows). From
practical point of view – make sure if your device is using www.Sorbs.net to put this pool in exclusion list, as I did in the eSafe of the client.

Few questions you will most probably hear on your next job interview.

September 25, 2010 / / 1 Comment

Lately, for whatever reason it may be, many of my friends/colleagues/acquaintances switched the jobs and mostly because they wanted to. And hearing their accounts of job search I catch myself that while offered positions and employers differ there are ever returning themes/questions that arise on the job interviews pretty much universally.
So here I bring compendium of these questions planning to update it as I hear new stories.

Tell us about something at your current job that you did and it made you proud of yourself …
Bring us an example or few of initiatives you took at the current/previous job …

This probably tests that you actually have had some initiatives worth mentioning or in other words – Did you do something productive that didn’t come from your manager request directly?

What was the highest sign of appreciation you earned on the current/previous job and what was the cause ? …

They mean beyond the pay check that you got every month , or in other words – Did someone notice that you actually quit the job ?

Usage/Case studies .

This is rather a metacategory and will include slightly different subject depending on the sought title. I will bring united cases for the 2 titles – in enterprise networking and security.
Networking.

We are the internet enabled and reliant company. What are the key factors in designing network topology and connectivity and how you suggest to implement them ?

Key words here: Redundancy, reliability of connection, cost saving in managing the lines utilization.
How do you implement this:
Redundancy in Internet connectivity (different ISPs and infrastructure types with possible hot failover, routing advertisements of your IPs if you have them [BGP]).
Redundancy in network equipment (HSRP and VRRP for standby routers/Etherchannel for Cisco switches/ ) .Proprietary clustering implementations by some vendors (3COM,HP, Checkpoint firewalls – you think you can escape it ?).
Line utilization management – maximize bits for bucks ratio using traffic management or load balancing solutions like F5 Big-IP with Link Controller module for accessing the internet or if some webservers are hosted at the company premises then also using Local/Global Traffic Manager modules. On a cheaper side Radware load balancers like Linkproof for Internet access , Appdirector for webservers will do the job.
Implementing DRP procedure – remote hosting of database backups.
Security.

We are the Internet connected and publicly traded company that should safeguard against external and internal threats, what key factors in fulfilling this requirement would you list ? What would be actual implementation ?

Key factors:

  • Security in depth.
  • Accountability for security-related events in the company.
  • Ability to comply with external audit/standards requirements.
  • Data Leak/Lost Protection/Prevention (everyone says it differently anyway).
  • Ability to sustain determined and targeted external attacks.

How would you implement this ?
Perimeter security with Checkpoint firewall(s), possible with clustering for reliability.
Central log and events correlation and management system (ArcSight).
If there are web servers to be protected then Web Application Firewall – say Imperva.
For DLP – Websense, Symantec / maybe EMC Documentum as part of the more comprehensive task. Also endpoints data encryption – Symantec.
Antivirus ofcourse by default – Symantec or McAfee
To thwart and detect dedicated and highly skilled attacks IPS will be appropriate. Say
http://www.mcafee.com/us/enterprise/products/network_intrusion_prevention/index.html or Tipping Point .
Regarding compliance usually people didn’t mean to exam you on every point of PCI requirement , but at least awareness of such standards is expected.
That is all I could remember from the stories told so far. As I hear new ones I will update this post.
Cheers.

List of valid domain names for load testing DNS

August 14, 2010 / /

I am currently running a bunch of tests on DNS resolver software called Unbound to see what it is worth and for that needed a list of valid domain names in different but controllable TLDs. The only resource to download such list I could find was 3 million records file from Nominum Sample query data file for use with resperf . Only that it contains all kinds of record types : A, PTR, AAAA and I want list of domain names where I can modify query type but also that it will be of a specific TLD sample.
Say all domains in .ASIA only TLD . To compile such list I took a word list , added to each word specific extensions and then run against some DNS server. Then I filtered the answers to include only existing resolvable domains that return at least 1 answer to query ANY. So far I did it for extensions : .ASIA .COM .CA .BIZ .EDU .EU .FR .INFO .MIL .NET .ORG .RU and it brought 831903 valid domains.
You can download the final list of those domains here : Domain list 831903 domains

Scan of the week – scan by country scan by continent

March 22, 2010 / /
Gooood morning everyone . Today I launch yet another weekly column “Scan of the week” and this will be all about scanning the Net. Tools will be many but they will not be the point, my wanting here is to show interesting/funny/unusual/useful things you can see on the Internet by going out there and exploring.
Dis+claimer – all this stuff I bring to your attention is for educational purposes only, and what may be fine and ok here and for me can easily get you somewhere else in trouble so use your discretion here .
Happy scanning.

“…Don’t know much about geography” as the song goes was ok in 1958 but can be embarrassing in our times of globalization. So let’s fill the gap using the NMAP . Say you
are investigating the issue of negative attitude towards foreigners in Russia , and as part of the research
you just have to see active members of the movement(s) in question voicing their opinions. Only that many
times access to such forums or messageboards is limited by their admins to Russian IPs only. So to get there you need a free open Russian proxy. So let’s see how to find one.

Round 1-Gimme the addresses. IP geolocation databases as it is known in the Net , or simply GeoIP databases are compilation of IP ranges per their assigned country. Take it with a bit of salt as accuracy is the issue here. The one of the most known and used free GeoIP source is Maxmind.com free database that is updated once per month (good enough for this).
The Maxmind database comes as binary proprietary format file you can work with using 3rd party tools or as CSV file I will be using here. Download it as Geolite country , unzip and you have GeoIpCountryCSV.csv . Format of the records in it goes like this –

"1.0.0.0","1.0.0.255","16777216","16777471","AP","Asia/Pacific Region"
"1.1.1.0","1.1.1.255","16843008","16843263","AU","Australia"
"1.2.3.0","1.2.3.255","16909056","16909311","AU","Australia"
"1.50.0.0","1.50.3.255","20054016","20055039","AP","Asia/Pacific Region"

The purpose here is to :

  1. Find all IP ranges that belong to the country of interest
  2. Reformat found IP ranges into the presentation suitable for the NMAP
awk -F, '/RU/ { gsub(/"/,"",$0); print $1 "-" $2} ' GeoIPCountryWhois.csv > IPs.data
head IPs.data
62.5.128.0-62.5.255.255
62.12.80.0-62.12.81.255
62.16.32.0-62.16.66.255

– After I found all Russian IPs reformat it to the NMAP eatable form

awk -F\. '{split($4,aaa,"-"); print $1"-"aaa[2]"."$2"-"$5 "." $3"-"$6"."aaa[1]"-"$7}' IPs.data > scan.me
 head scan.me
62-62.5-5.128-255.0-255
62-62.12-12.80-81.0-255
62-62.16-16.32-66.0-255
62-62.16-16.68-127.0-255
62-62.32-32.64-95.0-255

Round 2 – find me some proxy Here I will use LUA script from NSE repository of the nmap called http-open-proxy

nmap -n -PN -oN proxy-check.grep --script=http-open-proxy -iL scan.me -p 8080,3128

That completes this opening article of the Scan of the week united with Awk weekly . Hope you found it educational enough and see you next time.

Newer posts

© 2016 yurisk.info

Theme by Anders NorenUp ↑