The main goal of this project is to observe attacks on ESET Smart Security 6’s firewall, to discover the ability to detect various attacks coming from the same LAN, and find out thresholds of triggering warning/detection relevant to those attacks.
Analysis of ESET Smart Security 6 personal firewall’s thresholds and detection of various network attacks
Analysis of ESET Smart Security 6
personal firewall’s thresholds and
detection of various network attacks
Andrej Šimko
359952
andrej.simko@mail.muni.cz
08.05.2013
Project on Advanced Topics in IT Security
1. Introduction
The main goal of this project is to observe attacks on ESET Smart Security 6's firewall, to discover its ability to detect various attacks coming from the same LAN, and to find out the thresholds at which it triggers a warning or detection for those attacks.
2. Testing environment
To simulate the firewall's reaction in a real-life scenario, two notebooks were used: the attacker, with no antivirus or firewall present, and the victim, running Windows 7 64-bit with ESET Smart Security 6 turned on. Both were connected by cable (or wirelessly) to an intermediate device, a router, which had been reset to factory default settings. The victim's IPv4 address is 192.168.0.101, the attacker's is 192.168.0.100, and the router's is 192.168.0.1.
3. About ESET Smart Security 6
ESET Smart Security 6.0.316.0 is the newest version of the commercial internet security suite from the company ESET for end-user devices such as computers and laptops. It gives the end station comprehensive protection, since it integrates antivirus, firewall, Intrusion Detection System, Host Intrusion Prevention System, antispam, parental control, and other means of protection. It has received multiple awards throughout the world [1].
4. Port scanning
Port scanning is a technique for discovering open ports on a host computer or any other network device. If there are open ports, an attacker might be able to use them to mount some kind of attack. On the other hand, port scanning is widely used by network administrators to find out whether a computer's ports are secured well enough. One of the best widely available tools specializing in different scan types and options is Nmap, which was used to launch port scanning attacks on ESET Smart Security 6's firewall and thus test its reactions, capabilities, and scan-detection thresholds. The Nmap manual page, with many examples and explanations, can be found at [4].
4.1. TCP SYN = “-sS”
This default port scanning variant in Nmap is very quick and stealthy, since it never completes the TCP connection. It is not platform-specific, so it works on any platform. It differentiates between open (the reply to the SYN packet is SYN/ACK or SYN), closed (RST is received) and filtered (no response is received, or an ICMP unreachable error is received) port states.
4.2. TCP Connect() = “-sT”
This technique is used when the user does not have the privileges to send raw packets: Nmap asks the operating system to establish an entire TCP connection with the port on the destination machine. It is a much slower variant than the TCP SYN scan and requires more packets. With this technique, the target machine is more likely to log the connection.
4.3. TCP NULL, FIN, XMAS = “-sN”, “-sF”, “-sX”
These scans are based on a loophole in the TCP RFC to differentiate between open and closed ports. If a system is compliant with the RFC text, a closed port is indicated by returning RST for any packet that does not contain the SYN, RST or ACK bits. If no response is received, the port is designated open|filtered. If an ICMP unreachable error is received, the port is marked as filtered. However, not all operating systems follow RFC 793 to the letter, resulting in all ports being labeled as closed. Such systems include those from Microsoft and Cisco, which respond with RST no matter whether the port is open or closed. This scan should, however, work on most UNIX-based systems.
4.4. TCP ACK = “-sA”
This variant is slightly different from all the others, because it does not determine whether ports are open or closed, but rather whether they are filtered or unfiltered. This is done by sending packets with only the ACK bit set. Unfiltered ports respond with an RST packet no matter whether they are open or closed. Ports that send an ICMP unreachable error or do not reply at all are marked as filtered.
4.5. TCP Window = “-sW”
The Window scan is exactly the same as the TCP ACK scan, but thanks to implementation details of some systems it is also able to differentiate between open and closed ports. It does so by examining whether the TCP window size in the RST reply is zero or a positive number, because some systems respond with a zero window size if the port is closed and a positive number if the port is open. However, this type of scan is not trustworthy, because only a minority of systems behave this way.
4.6. TCP Maimon = “-sM”
Named after its discoverer, the Maimon scan behaves like the NULL, FIN or XMAS scan. The only difference is that the probe has the FIN/ACK bits set. According to the TCP RFC, an RST packet should be generated in response to such a probe, no matter whether the port is open or closed. However, some systems simply drop the packet if the port is open.
4.7. UDP = “-sU”
UDP scanning is much slower than scanning TCP, because probe responses may be lost and many systems (mainly Linux ones) rate-limit the generation of ICMP destination unreachable messages to one per second. For the most common ports Nmap sends a protocol-specific payload; for other ports the payload is left empty. If a specific ICMP port unreachable error is received, the port is labeled as closed. If other ICMP unreachable errors are received, the port is marked as filtered. If a UDP response is generated, the port is designated as open. If no response is received, the port is classified as open|filtered.
4.8. SCTP INIT = “-sY”
SCTP is a newer protocol that is an alternative to TCP/UDP. SCTP INIT is the SCTP equivalent of TCP SYN, because it does not establish the entire connection. It differentiates between open, closed and filtered ports.
4.9. SCTP COOKIE ECHO = “-sZ”
A more advanced variant of SCTP scanning that is even stealthier than SCTP INIT. The disadvantage is the inability to distinguish between open and filtered ports.
4.10. Service/version detection = “-sV”
Nmap is also able to tell what kind of service protocol runs on a selected port (Telnet, SSH, FTP, …), the application name (Apache httpd, Solaris telnetd…), version number, hostname, type of device (router, printer…) and OS family (Windows, Linux…).
5. Port scanning and ESET Smart Security 6
I used the default scanning options (“nmap -[technique] 192.168.0.101”, where “[technique]” was chosen from {-sS, -sT, -sN, -sF, -sX, -sA, -sW, -sM, -sU, -sY, -sZ, -sV}) to discover which scanning techniques are detectable by ESET Smart Security 6. I found out that ESET Smart Security 6 is able to successfully detect the following Nmap methods: TCP SYN, TCP Connect(), UDP, and service/version detection. It however completely lacks the ability to detect the following scanning methods: TCP ACK, TCP Window, TCP Maimon, TCP Null, TCP FIN, TCP XMAS, SCTP INIT, SCTP COOKIE-ECHO. Nmap’s default number of scanned ports is 1000; only SCTP scans use fewer (52) ports, and all of them were scanned.
Next, I tried to observe how many ports can be scanned with each of the detected methods without the scan being detected. I found out that if anyone scans only 8 ports, ESET Smart Security 6 won’t detect it at all (but scanning 9 ports will be detected!). An example is “nmap -p 190-197 192.168.0.101”. I also discovered that scanning ports in non-random consecutive order (e.g. in ascending order, like 190, 191, 192, 193, 194) as opposed to scanning them in random order (like 194, 190, 192, 193, 191) has no effect on detection of the scan. Another setting that has no effect on the detection ability is scanning the top ports, so I would recommend everyone use “--top-ports” in any command, since it gives a higher probability of finding open ports.
There is also a way to scan all ports with the techniques that are detectable by ESET Smart Security 6. One can have either “--max-rate 1” or “--scan-delay 1” set. Both options limit scanning to 1 port per second, and neither is detected at all by this firewall. When “--scan-delay” is set to 0.9, or “--max-rate” to 1.1, the scans are detected, so setting either of them to 1 is the right choice.
Another method of successfully evading scan detection is to use fragmentation. When the MTU is set to 8 or 16, both TCP SYN and service/version detection can be used without limiting the number of scans per second. One can achieve this with the command “nmap -f --mtu 16 -technique 192.168.0.101”, where “-technique” can be {-sS, -sV} and “--mtu” can be {8, 16}. Setting the maximum transfer unit higher than 16 causes successful detection of the port scan. However, TCP Connect() and UDP are detected no matter the fragmentation.
The UDP scan has many unique properties that I discovered while testing it. It seems that it does not have specific default threshold values set, but rather some adaptive kind. I tried to approximate the “--max-rate” parameter with a value as high as possible, and observed the following: when set directly to anything higher than 6, the scan is detected immediately. However, when it is set to 6, then 11, and then incremented by 5 again and again, it is detected only when set to 51. After one successful detection, it is again impossible to do an undetected scan unless the value is set to 6 or lower and the process is started again. I tried incrementing by other values than 5, and the highest possible increment was 9. While incrementing by 9, successful detection happened at 60. The exact command I used was “nmap -n --top-ports 100 --max-rate 6 -sU 192.168.0.101”. On the other hand, “--scan-delay” set to 0.05 works perfectly and is undetectable, while when set to 0.04 it is detected.
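The findings above (8 probed ports pass, 9 are flagged, and 1 port per second is never flagged) describe a counting threshold without a long memory. The following detector is an added illustration of how such a threshold can be implemented with a sliding window, and why window length decides whether a slow scan is seen; it is my own code, not ESET's, and the log format, the 5-second default window and the sample addresses are assumptions.

```python
"""Sliding-window port-scan detector (added illustration, not ESET's code).

Input is a constructed probe log with one line per inbound probe:
    t=<seconds> src=<ip> dport=<port>
The threshold mirrors the page's observation that 8 probed ports went
unnoticed while 9 were flagged: alert once a source has touched more
than `max_ports` distinct ports within `window_s` seconds (window length
is an assumed value, not a documented ESET setting).
"""
from collections import defaultdict, deque


def parse_line(line):
    """Parse 't=0.1 src=10.0.0.5 dport=22' into (0.1, '10.0.0.5', 22)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return float(fields["t"]), fields["src"], int(fields["dport"])


class PortScanDetector:
    def __init__(self, max_ports=8, window_s=5.0):
        self.max_ports = max_ports
        self.window_s = window_s
        self._probes = defaultdict(deque)   # src -> deque of (t, port)
        self._alerted = set()

    def observe(self, t, src, dport):
        """Record one probe; return True the first time `src` crosses the threshold."""
        q = self._probes[src]
        q.append((t, dport))
        # Forget probes that fell out of the window.
        while q and t - q[0][0] > self.window_s:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) > self.max_ports and src not in self._alerted:
            self._alerted.add(src)
            return True
        return False


def first_alert_times(log, max_ports=8, window_s=5.0):
    """Return {src: time of first alert, or None} for every source in the log."""
    det = PortScanDetector(max_ports, window_s)
    result = {}
    for line in log.strip().splitlines():
        t, src, dport = parse_line(line)
        result.setdefault(src, None)
        if det.observe(t, src, dport):
            result[src] = t
    return result


# Constructed sample: a fast 9-port scan, a fast 8-port scan, and a
# 1-port-per-second scan of 12 ports (the rate the page found undetected).
SAMPLE_LOG = "\n".join(
    [f"t={0.1 * i:.1f} src=192.0.2.10 dport={190 + i}" for i in range(9)]
    + [f"t={0.1 * i:.1f} src=192.0.2.11 dport={190 + i}" for i in range(8)]
    + [f"t={i}.0 src=192.0.2.12 dport={190 + i}" for i in range(12)]
)

if __name__ == "__main__":
    print(first_alert_times(SAMPLE_LOG))                 # slow scan evades the 5 s window
    print(first_alert_times(SAMPLE_LOG, window_s=30.0))  # a longer window catches it
```

With the short window the slow scan never holds more than 6 distinct ports at once, so a detector that forgets quickly cannot see it; widening the window to 30 seconds flags it at the ninth port.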
6. ARP Spoofing
Using Cain & Abel, I was able to mount an ARP spoofing/poisoning attack. Since it has a nice GUI environment, I could see that Cain & Abel was unable to launch a successful ARP spoofing attack against the given IP address (no matter the settings in Cain & Abel) when ESET Smart Security 6 was turned on. It was successfully detected as “Detected ARP cache poisoning attack” and countered by not allowing traffic to go through the attacker. When, however, the firewall was turned off and then turned on while the attack was in progress, old and new connections were successfully routed through the attacker. Yes, they were detected, but not countered. I haven’t found any way of making the ARP spoofing attack undetected.
7. Denial of Service
A DOS attack is an attempt to make devices or an entire network unavailable to legitimate users. There exists dedicated DOS attack software created to launch attacks on web servers based on their URL. An example of such software is BamBam [2]. Other programs I found have the capability to launch a DOS attack on a computer (also) by typing its IP address, like Low Orbit Ion Cannon [3].
7.1. Flooding with Low Orbit Ion Cannon
This tool can be used to target web servers based on their URL, or any computer based on its IP. The user also has the capability to set attack options like timeout, HTTP subsite or TCP/UDP message=payload, attacked port, method (TCP, UDP or HTTP), number of threads (how many users it emulates), the ability to wait for a reply, and the speed of attacking. I tried all 3 methods, and since there is no web server running on my victim’s computer, the HTTP attack didn’t do anything. The TCP attack also did nothing to my network. On the other hand, the UDP attack, firing up to 50 000 packets per second, caused about 38% network utilization. I think this number would be even higher if my attacker’s netbook were better equipped (since its CPU was used to 100%). ESET Smart Security 6 was unable to detect any of these attacks done by LOIC. When I tried to attack from the victim to the attacker (simply because of the better equipped hardware), I was able to utilize the network to 45% and the CPU of the computer I attacked to about 80%. With the option “wait for reply” checked, the network was utilized to 73% and the CPU to 90%. So using this tool, one can attack a network without detection by ESET Smart Security 6.
7.2. Flooding with Hping3
Using the tool Hping3 (manual pages can be found at [5]), I was also able to test other flooding attacks. While testing an ICMP flood with the “--flood” option (which means sending packets as fast as possible, but also ignoring incoming replies), network utilization of the 100Mb/s network connection on the victim’s computer was rather strange (see picture) and it didn’t matter whether the firewall was on or off. Of course, ESET Smart Security 6 successfully detected that an attack was in progress (“Detected ICMP Flooding attack”). I noticed that when not using the “--flood” option, “hping3 --icmp 192.168.0.101” receives successful responses from the victim. I tried to find the threshold, and when using a waiting interval between sent packets (“-i u24650”) there was 0% packet loss and it was not detected (although, with network utilization of only 0.03%, it is hardly a DOS type of attack). Anything lower than this bound was detected by the firewall, and it started to drop some packets. For example, when using u24000, the attack was detected along with 2% packet loss. The detection threshold is set to 201 packets. If 202 packets are sent to the victim, ESET Smart Security 6 detects an attack in progress. These 201 undetected packets can be sent 1 microsecond apart from each other (with the “-i u1” option). Another way around detection is using “--rand-source”, which isn’t detected at all, nor is any message logged in the firewall’s logs. Yet another successful way of avoiding detection was setting the data size to some high number (for example “-d 22304”), which also utilized over 98.4% of the network (constantly, not in peaks like shown in the picture), and this time without any detection.
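Two of the observations above fit one explanation: detection fires at the 202nd ICMP packet from a host, yet a flood whose packets carry random source addresses is never noticed, which is what a counter keyed only by source would do. The following added example (my own code, not ESET's) shows a sliding-window packet counter and compares keying it by source with keying it by destination; the 1-second window, the sample addresses and the packet timings are constructed assumptions.

```python
"""ICMP flood counter: per-source versus per-destination keying.

Added illustration, not ESET's code. The threshold of 201 packets comes
from the page; the 1 s window and the sample traffic are assumed.
"""
from collections import defaultdict, deque

THRESHOLD = 201      # packets tolerated inside the window before alerting
WINDOW_S = 1.0       # sliding window length (assumed value)


class FloodCounter:
    """Sliding-window packet counter keyed by an arbitrary string."""

    def __init__(self, threshold=THRESHOLD, window_s=WINDOW_S):
        self.threshold, self.window_s = threshold, window_s
        self._times = defaultdict(deque)   # key -> timestamps inside the window

    def hit(self, key, t):
        """Record one packet for `key` at time `t`; True if the window overflows."""
        q = self._times[key]
        q.append(t)
        while q and t - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.threshold


def detect(packets, key):
    """Return the index of the first packet that triggers an alert, or None.

    packets: iterable of (t, src, dst) tuples; key: "src" or "dst".
    """
    counter = FloodCounter()
    for i, (t, src, dst) in enumerate(packets):
        if counter.hit(src if key == "src" else dst, t):
            return i
    return None


# Constructed samples aimed at one victim address.
VICTIM = "192.0.2.101"
# 300 packets 1 ms apart from a single host.
SINGLE_SOURCE = [(i * 0.001, "192.0.2.50", VICTIM) for i in range(300)]
# Same burst, but every packet claims a different (rotating) source.
RANDOM_SOURCE = [(i * 0.001, f"198.51.100.{i % 250}", VICTIM) for i in range(300)]
# 300 packets spaced 24.65 ms apart, the interval the page found undetected.
SPACED = [(i * 0.02465, "192.0.2.50", VICTIM) for i in range(300)]

if __name__ == "__main__":
    print("single source, by src:", detect(SINGLE_SOURCE, "src"))   # 201
    print("random source, by src:", detect(RANDOM_SOURCE, "src"))   # None
    print("random source, by dst:", detect(RANDOM_SOURCE, "dst"))   # 201
    print("spaced, by dst:", detect(SPACED, "dst"))                 # None
```

Keying the counter by destination makes the spoofed-source burst visible at the same 202nd packet, while the slow stream stays below the threshold under either keying because fewer than 201 packets ever share a 1-second window.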
When trying to flood the victim with a UDP flood (“hping3 --udp --flood 192.168.0.101”), the victim’s network adapter was utilized to a continuous 71.5% and one of the 8 CPUs to about 50%. This attack, however, was not detected by ESET Smart Security 6, but there were hundreds of warning messages in the logs saying “Detected unexpected data in protocol”, so this attack can be noticed. These warning messages can also be countered by adding “--destport 80” or another port (I also tried port 89), which makes this attack really undetectable and successful. As with ICMP flooding, one can add more data bytes to utilize more of the network, but for some reason it also lowers the usage of 1 CPU from 50% to about 1%.
Almost the same results were observed when trying “--rawip”, which creates TCP packets. If, however, the data value was not set (left at the default setting), there were hundreds of warning messages in the logs saying “Incorrect TCP packet length”. This of course was easy to cope with by again setting the data parameter to some value. Maximum network utilization was again somewhere around 98.4% when using big data packets, but there was no need to set the destination port - TCP packets don’t generate the “Detected unexpected data in protocol” warning message in the logs.
7.3. IPv6 ICMP router advertisement
Using this attack, anyone can disable an entire network of Windows-based devices from 1 device that generates only a few packets per second. The main idea of this attack lies in the behavior of IPv6. In IPv4, when the host/client told the router/DHCP server “I need an IP”, it obtained one. IPv6 works in a different way: when a host connects to the network, the router is the one who says “I’m your router, join my network” and the host only replies “ok, I will”. Thus, every client on the LAN creates an address and joins the network. To use this attack, I used 3 commands in Backtrack: “cd /usr/local/bin”, then “./fake_router6 eth0 def:c0::/64” to advertise the attacker’s PC as an IPv6 router, then I waited a few seconds so that the victim’s PC would notice the new router, and then finally started flooding with “flood_router6 eth0”. Although this type of flood utilized the network only to about 0.5%, it rendered my Intel i7 with 8 logical CPUs and 8 GB of RAM almost completely frozen within seconds (which is remarkable, since the attacker’s netbook is only a single-core 1.7GHz Athlon) - I wasn’t even able to move my mouse. ESET Smart Security 6 did not detect this DOS attack, which I find rather strange, since the attacker was firing thousands of packets per second (although it only takes about 5 packets per second to drive the CPU to 100%). After issuing the command “ipconfig | more” on the victim’s computer, there were of course many IPv6 addresses. What a good firewall should be able to do against this attack is to block rogue Router Advertisements. This could again be attacked if the traffic had the source IP address of the legitimate router, but it would still be better than nothing. Or at least, detecting multiple IPv6 router advertisement packets and dropping some of them would be a huge improvement. I sent an email to ESET asking whether there is a possibility to detect/protect against this attack and got a reply within 24 hours, but they haven’t answered any of my questions.
7.4. 2 ARP spoofing attacks at once
Another type of DOS attack, this time attacking the network connection itself, was done by setting up ARP spoofing twice with the IP addresses of victim and router swapped. This was done in Backtrack, by first setting the attacker’s machine to forwarding mode: “echo 1 > /proc/sys/net/ipv4/ip_forward”. Then an iptables rule to intercept HTTP requests was set up (with the command “iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000”). Convincing the network to send its traffic to my machine was done with “arpspoof -i eth0 -t 192.168.0.101 192.168.0.1”. The second arpspoof, which ended in Denial of Service, was “arpspoof -i eth0 -t 192.168.0.1 192.168.0.101”. This attack was detected as “Detected ARP cache poisoning attack” and also “Identical IP addresses detected in network”. The network seemed unused (0-0.01% utilization), but when trying to connect to the internet, Google Chrome returned “Error 105 (net::ERR_NAME_NOT_RESOLVED): Unable to resolve the server's DNS address”. The internet connection was thus entirely disabled. The conclusion is that ESET Smart Security 6 can effectively handle one ARP spoofing, but not multiple spoofings that result in DOS.
7.5. deAuthentication attack
Yet another DOS attack that isn’t detected by ESET Smart Security 6 is sending deauthentication packets when the victim is connected via wireless. In Backtrack, I issued “airmon-ng start wlan0”, then “airodump-ng mon0” to discover the access point’s (my router’s) BSSID/MAC address. When this was done, I simply started flooding deauthentication packets either to the entire network, to disconnect all computers on it (“aireplay-ng -0 0 -a [BSSID of router] mon0”), or to just a selected computer (“-c [MAC of victim]” was added). Neither of these attacks was noticed by ESET Smart Security 6. The only way of noticing it was the inability of Windows to connect to the wireless LAN. This attack can also be done with the “mdk3” command: “mdk3 mon0 d -b blacklist -c 11”, where “blacklist” is a file with the BSSID of the station (“echo [target BSSID] > blacklist”) and “11” is the channel, which is easily found in the output of “iwlist wlan0 scan”. I also asked ESET about detecting this type of attack - they first tried to convince me that this attack would be detected as ARP spoofing, since they were pretty sure that ARP spoofing is needed to perform this type of attack, but after another email exchange they told me there is no way in ESET Smart Security 6 to detect this type of attack.
8. Relevant settings in ESET Smart Security 6
All relevant settings are located in Advanced Setup/Network/Personal Firewall/IDS and advanced options. The user can turn the detection of various attacks on or off separately (ARP Poisoning, DNS Poisoning, TCP Port Scanning, UDP Port Scanning), with the option to “Block unsafe address after detection”. This is a useful option for end users, and it is enabled by default. The duration of this blocking timer after successfully detecting an attack is set to exactly 10 minutes, without any way of changing it.
However, ESET Smart Security 6 lacks any option to set timers for the various detections. I didn’t find that something like this would be possible. Another disadvantage from my point of view is that in the Log files for the personal firewall there isn’t any information about the precise type of attack (e.g. when the attack is Port Scanning, it displays only TCP or UDP as protocol, but no information about which flags were used in the packet, or whether the connection was successfully established or only a TCP SYN packet was sent by the attacker). The only things logged, and always recorded, are: Time (without milliseconds), Event, Source, Target and Protocol, where both source and target addresses are in IP_address:port form (when the protocol is TCP or UDP; otherwise only IP addresses are shown). One can filter the log by record type (Diagnostic, Informative, Warnings, Errors, Critical), where all attacks I did were designated as Critical. Some Warning messages were also logged (Incorrect TCP packet length, Suspicious IP packet fragment, Detected unexpected data in protocol). When I turned on the setting “Log all blocked connections”, which is disabled by default, I was able to observe packets being blocked during port scanning. There were 2 types of logged messages indicating that something was blocked, but both were only Informative. The first one appeared with the default setting of blocking an unsafe address after detection: “Address temporarily blocked by active defense (IDS)”. The second one appeared when this setting was turned off: “Packet blocked by active defense (IDS)”.
The last thing I’m missing is some dialogue or information for the user about what can be/is being done while an attack is detected. I observed that detecting an ARP poisoning attack successfully prevents the attacker from routing communication through himself, but there is no information about it. If I were a user and saw this warning that I’m being attacked, I would appreciate some information that there is nothing to be afraid of, since this attack is successfully countered. Or after detecting port scanning, just add some information that the attacker is temporarily blocked (if this setting is in effect). Also, there could be a simple button “find out more about this type of attack” pointing to ESET’s knowledge base, so the user can directly find relevant information about that particular type of attack and whether he should be afraid of something or not.
9. Email to ESET tech support
After these findings, I tried writing an email to ESET, asking them about detection of/possible protection against the IPv6 router advertisement attack, detection of deauthentication packets, and the possibility of setting detection thresholds for other attack types. I got a reply within 24 hours, but it was really inaccurate. They tried to tell me that all the attacks I asked about are detected within the “IDS and advanced options” settings, and that since the deauthentication attack first needs successful ARP poisoning to be done, it is detected when the ARP poisoning attack is attempted. Another inaccuracy they told me was that TCP flooding is also detectable. After another email exchange with ESET they admitted that the deauthentication attack isn’t detectable by their firewall, but didn’t answer any of my other questions, so I stopped trying to communicate with them.
10. Conclusion
There exist multiple easily doable attacks using widely available (free) software from the Internet. Many of them are undetectable on systems with ESET Smart Security 6 with default settings. The only truly unsuccessful attack that I observed and could not successfully do was the ARP poisoning attack - it was always detected and countered, so packets weren’t routed through the attacker. Other attacks were successfully done by changing the parameters of the attacks. Among the attacks that can be made undetectable are port scanning and different kinds of Denial of Service attacks (TCP/UDP/ICMP flooding, the IPv6 router advertisement attack, and the deauthentication attack). I haven’t tried any other attacks, nor any other firewall from the same or a different company, but I think ESET should make this personal firewall better by including more information about attacks and adding more types of attacks that can be detected.
11. Resources
[1] http://www.eset.com/home/whyeset/awards/
[2] http://www.anonoperations.com/bambam
[3] http://sourceforge.net/projects/loic/
[4] http://nmap.org/book/man-port-scanning-techniques.html
[5] http://linux.die.net/man/8/hping3
[6] http://samsclass.info/ipv6/proj/flood-router6a.htm
[7] http://ashwinsaxena.com/blog/technology/deauth-attack-disconnect-computers/
[8] http://kb.eset.com/esetkb/index?page=content&id=SOLN2906&viewlocale=en_US&actp=SEARCH