December 29, 2008

Security Book Review: "Nmap Network Scanning"

"Nmap Network Scanning"
Author: Gordon "Fyodor" Lyon
Publisher: Nmap Project
Publication date: January 1, 2009
ISBN-10: 0979958717
ISBN-13: 978-0979958717

Summary: The Art of Network Mapping and Scanning Masterpiece.

Score: 5+/5

I could summarize this book review by saying this is THE nmap reference book, which in itself would be an obvious conclusion I already expected before reading a single page, just by looking at the author's name. Fyodor is the creator of nmap, a tool he has carefully fed and taken care of during all these years, and knowing him a little from the Honeynet Project, I couldn't expect less.

"Nmap Network Scanning" is a masterpiece that teaches the reader the Art of Network Mapping and Scanning, and definitely one of the best books I've read in years. Honestly, there are only a few minor things regarding network scanning you cannot accomplish with a single tool, the current nmap version. The book takes full advantage of it.

The official nmap reference guide is simply included as chapter 15, while the rest of the book steers the reader through the nifty art of network mapping and scanning. It dissects the network scanning phases and techniques, describing the different options and tool arguments available through practical examples and real-world usage tips, here and there, that will improve all your scanning techniques. This is a never-ending book that took Fyodor 5 years to write, and it clearly spreads his experience testing and analyzing networks. This is especially true in the "Solution" sections at the end of some chapters, where real-world scenarios are efficiently solved.

Additionally, the book clearly pinpoints the limitations of the multiple platforms (e.g. Windows vs Linux) and scenarios (e.g. privileged vs non-privileged user) nmap can run on. Besides that, it summarizes most nmap internals without requiring you to dive deep into the source code, which is a challenge in itself. All this information is complemented with some real challenges you face as a penetration tester today, such as the limitations on spoofing Internet traffic from a legitimate ISP, a topic I've been researching recently.

The most advanced and technical chapters are chapters 7 and 8, detailing the inner workings of the nmap service, application, and OS fingerprinting modules, and chapter 9, providing the NSE knowledge required to read and develop your own nmap scripts.

This is the type of book I recommend you read in front of your computer, practicing simultaneously. Open a terminal, enable your network connection, and run the latest nmap version as you read through the book, testing the different options and examples. You can use multiple target virtual machines to experiment with, or if not available, the site (use with caution). One thing is sure: you will have a lot of fun!

I have been using nmap since 1999, and found the book fits a broader audience, from the novice reader (please, do not get overwhelmed initially by all the available nmap options and scan types), who can learn the principles of the scanning techniques used (the packet flow diagrams in the port scanning chapter are especially helpful), up to the advanced professional, explaining what's behind the scenes of every technique and nmap argument, at the OS and network traffic level. The book applies to most security professionals, from security administrators that need to manage and secure their environments, to penetration testers interested in taking their skills to a new level.

This is the kind of book that feeds your creativity and research motivation. Fyodor, once again, promotes throughout the book the open-source philosophy, the need to share and contribute to the community, in this case in the form of OS and service fingerprints, NSE scripts, or just reporting nmap bugs.

Some minor things I would have liked to see mentioned for an extra finishing touch, offering my tiny contribution for a future version, are:
  • A statistical analysis of the most common ICMP types currently allowed in the field, similar to the study for TCP and UDP ports Fyodor did. In my experience, for example, I find ICMP timestamp requests allowed much more frequently than ICMP netmask requests today.
  • Extend the analysis of port knocking with the Single Packet Authorization (SPA) concept.
  • Finally, I would have loved to see specific sections for the new nmap-related tools, such as ndiff (the command line version), or ncat.
Respectfully, once I finished reading the book I felt like Raul "Fyodor" Siles..., and you will too! :)

Fyodor was generous enough to release an extensive portion of the book for free on the official nmap book website. Take a look at it and you won't hesitate to get your own full copy.

UPDATE: Amazon review.


December 28, 2008

NMAP Trivia: Mastering Network Mapping and Scanning

Recently the official (and highly recommended) NMAP book, "NMAP Network Scanning" by Fyodor, was published. I will post its review here in the next few days. Meanwhile, I thought it would be very productive to challenge you with an NMAP Trivia. The main goal is to provide some entertainment during the holiday season and the early days of 2009, and at the same time, force you to practice and play with the latest stable nmap version, v4.76, trying to increase your technical knowledge, skills, and mastery of the traditional and current features of such an important security tool.
  1. What are the default target ports used by the current nmap version (4.76)? How can you change the target ports list? What (nmap) options can be used to speed up scans by reducing the number of target ports and still check (potentially) the most relevant ones? How can you force nmap to check all target ports?
  2. How can you force nmap to scan a specific list of 200 target ports, only relevant to you?
  3. What is the default port used by nmap for UDP ping discovery (-PU)? Why? If you don't know it off the top of your head ;), how can you easily identify this port without using other tools (such as a sniffer) or inspecting nmap's source code?
  4. When nmap is run, sometimes it is difficult to know what is going on behind the scenes. What two (nmap) options allow you to gather detailed but not overwhelming information about nmap's port scanning operations? What other extra (nmap) options are available for ultra detailed information?
  5. What are the preferred (nmap) options to run a stealthy TCP port scan? In particular, try to avoid detection by someone running a sniffer near the person running nmap, and focus on the extra actions performed by the tool (assuming the packets required to complete the port scan itself are not detected).
  6. Why is port number 49152 relevant to nmap?
  7. What is the only nmap TCP scan type that classifies the target ports as "unfiltered"? Why? What additional nmap scan type can be used to discern if those ports (previously identified as "unfiltered") are in an open or closed state?
  8. When (and in what nmap version) was the default state for a non-responsive UDP port changed in nmap (from "open" to "open|filtered")? Why?
  9. What is the default scan type used by nmap when none is specified, as in "nmap -T4"? Is this always the default scan method? If not, what other scan method does nmap default to, under what conditions, and why?
  10. What nmap features (can make or) make use of nmap's raw packet capabilities? What nmap features rely on the OS TCP/IP stack instead?
  11. Nmap's performance has been sometimes criticized versus other network scanners. What (nmap) options can you use to convert nmap into a faster, stateless scanner for high performance but less accurate results?
  12. What relevant nmap feature does not allow an attacker to use the decoy functionality (-D) and might reveal his real IP address?
  13. What are the (nmap) options you can use to identify all the steps followed by nmap to fingerprint and identify the Web server version running on
  14. As an attacker, what port number would you select to hide a listening service backdoor trying to avoid an accurate detection by nmap's default aggressive fingerprinting tests? Would it be TCP or UDP? Why? What additional (nmap) options do you need to specify as a defender to fingerprint the hidden service backdoor?
  15. What is the language used to write NSE scripts, and what two other famous open-source security tools/projects currently use the same language?
  16. What Linux/Windows command can you use to identify the list of NSE scripts that belong to the "discovery" category and will execute when this set of scripts is selected with the "--script discovery" nmap option?
  17. How can you know the specific arguments accepted by a specific NSE script, such as those accepted by the whois.nse script?

Send your answers to using "NMAP Trivia" as the subject by January 15. The winner will get a copy of one of the latest technical security books I get access to.

NOTE: This challenge has been published on the Internet Storm Center (ISC) diary too.
NOTE: The image above belongs to the 2008 campaign against fire in Madrid, Spain.


December 14, 2008

Security Book Review: "Voice over IP Security"

"Voice over IP Security"
Author: Patrick Park
Publisher: Cisco Press
Publication date: September, 2008
ISBN-10: 1587054698
ISBN-13: 978-1587054693

Summary: General VoIP security overview. Best chapters: SBCs and LI.

Score: 4/5

The book provides a good general overview of VoIP security, covering multiple topics involved in securing a VoIP infrastructure, from network devices to VoIP servers, plus secure VoIP protocols. In my opinion, the best chapters are chapter 8 and chapters 10 & 11, Session Border Controllers (SBCs) and Lawful Interception (LI), respectively; it is difficult to find books covering these topics even today, although these are two of the major areas regarding VoIP security nowadays.

SBCs are the VoIP security element by design and therefore a key device in any VoIP infrastructure. The book covers SBC types, access and peering, expected SBC functionality and capabilities (such as DoS protection, translation and NAT features, LI, high availability and load balancing, etc.) and offers a brief introduction to their architecture design concepts.

Lawful Interception (LI) by law enforcement (LE), or LI by LE :), is one of the main VoIP research topics today, especially when strong security features are added, such as signaling and media encryption, that make the interception tasks difficult. The last two chapters cover the fundamentals of LI on VoIP networks (following the Cisco model, as there are three other standards), describing the different elements, functions, and interfaces involved. It is a theoretical chapter followed by some practical advice to implement LI, very detailed and Cisco-based.

The book starts with an introductory overview of VoIP, its benefits and drawbacks, and some security concerns. Then it provides another VoIP threat taxonomy, a good generic overview that lacks some VoIP threats and complements (or simply provides another perspective to) the IETF draft and VOIPSA VoIP threat taxonomies. Unfortunately, I have not found yet a classification that consolidates all the different VoIP threats from (IMHO) the right perspective.

Chapter 3 offers an interesting summarized analysis of the main VoIP protocols, how they work, and their main security requirements and features. It covers H.323, SIP, and MGCP; I especially liked the SIP section, with descriptive message captures and flow diagrams. Chapter 5 complements the VoIP protocols with the main network devices in a VoIP environment, their role, and key security requirements. Although chapter 7 extends the security analysis of VoIP protocols, covering authentication and signaling and media encryption, it does not cover the latest key exchange solutions, such as DTLS, ZRTP or MIKEYv2, as it is focused mainly on S/MIME.

All these chapters provide a lightweight analysis of VoIP security, not going very much in-depth into any of the topics covered. The book is a good overview reference for the VoIP security novice reader, I guess intended for network and system administrators, law enforcement, or security pros new to VoIP.

VoIP threats, including some attack types and tools, are analyzed on chapter 6. This chapter covers in detail a few VoIP attacks, providing simulation, examples and command line options for widely available attack tools. It allows the reader to see some real attacks in action, although it only shows the tip of the iceberg regarding all the tools and attacks that are possible; please, do not get the feeling that this is all you can do.

Chapter 4 covers cryptography, and in my opinion, it doesn't fit in the book; although crypto is a key aspect of protecting VoIP infrastructures, the novice reader can get this info from other sources.

As the book is from Cisco Press, chapter 9 focuses on specific Cisco features and syntax, especially in the practical sections that provide configuration details for firewalls, access devices, and the Unified Communications Manager (& Express), formerly CallManager. The info is useful to get an overview of the implementation steps, but does not apply to you if you are using equipment from other vendors.

Overall, it is a generic reference book to start getting involved in the VoIP security world, and acquire a general understanding of the main VoIP security threats, target network elements, VoIP protocols, and security solutions. Once again, the SBC and LI sections are my favorites.

UPDATE: Amazon review.

NOTE: I will not publish my reviews on Bookpool anymore due to their hard-to-use interface and review rules.


December 13, 2008

To Blue, or not to Blue: That is the Question

I spent part of last year and this year researching Bluetooth security, and recently I have been promoting the need to focus on securing Bluetooth technologies at a personal and enterprise level. I've presented about it in several private and public events all over the world, such as Meitsec 2008, II Jornadas CCN-CERT, or SANS London 2008.

An event-independent English version of the presentation (requested by multiple attendees) is available here!

The most critical aspect is that Bluetooth devices are being extensively used to exchange private and sensitive information in the form of data and voice, and the control is mainly in the hands of end users. If you do not enable an enterprise (or even personal) security program for these devices and communication channels at the same level you do for the rest of your infrastructure, you will be dealing with Bluetooth-related security incidents soon, especially in targeted attacks. Start by adding Bluetooth detection capabilities, and integrate this technology into your penetration tests and incident handling procedures.

Although it has been tough traveling around with two laptops, plus the USRP, multiple omni and directional antennas, cables, several Bluetooth dongles, plus the victim cellphones and headsets... just to run the demo, it has been a well worth experience! The demonstration focuses on showing the audience the Bluetooth activity around, discovering the undiscoverable (Bluetooth hidden devices), and injecting and eavesdropping audio from a headset. The initial threat was published by Spill and Bittau, then popularized by Josh Wright, and in my opinion it is not getting enough attention. A demo is well worth a thousand words! ;)

Something that caught my attention in one of the events was the little impact the presentation and demo had on part of the audience, as it seems it didn't increase their awareness and paranoia level about the current threats. It is in our hands (as end users and organizations) to improve the security capabilities we demand from the Bluetooth vendors. Most of the time, I see the audience changing the Bluetooth settings on their phones and PDAs as I move through the material ;)

This time, the security recommendations are not based on expensive or complex solutions, such as the latest and greatest Bluetooth IDS/IPS that costs more than 100K €. You simply need to follow common sense practices and precautions to get a reasonable level of protection (check the last part of the presentation), and understand the major threats and weaknesses, especially on Bluetooth devices with limited capabilities, such as car kits, headsets, keyboards and mice, etc.

Enjoy it and... Happy Blue Christmas!
Raul Siles