TCP Three-Way Handshake

Figure 1 illustrates how it works. Computer A sends a SYN asking computer B to establish a connection on port 80, if the port is open, then B acknowledges the SYN and send SYN in return as well. Third and final step is when A acknowledges that it also received the SYN from B.

If port 80 is closed, B will respond with RST.

Before proceeding to the following illustration, refresh your mind with the following list of TCP Communication Flags:

• Synchronize (SYN): Initiates connection between hosts.
• Acknowledgment (ACK): Establish connection between hosts.
• Push (PSH): System accepting requests and forwarding buffered data.
• Urgent (URG): Instructs data contained in packets to be processed ASAP.
• Finish (FIN): Communicates to the remote system of no more retransmissions.
• Reset (RST): Reset a connection.

TCP Three-Way Handshake

Port scanning is used to check which ports are open by sending and receiving packets directly between two computers. In SYN Stealth (Also known as Half Open Scan) for example Computer A sends SYN to B, If the port is Computer B is open, the reply will be: SYN+ACK based on the Three-Way Handshake rules. Otherwise, if B respond with a RST, then the port is closed or not listening.
SYN Stealth and other types of scaning expose the scanners IP to the targeted computer. To overcome that, Idle scan is used.

How Idle Scan works

Every IP packet on the internet has a fragment identification numer (IP ID), which is usually incremented by one by the operating system for every packet transmission. Hence, if we record the IP ID of a computer, we can compute the number of packets it sent after certain time.

Now, assume that Computer A wants to scan Computer B, while Computer C is being used as a Zombie.

• A will first ask to communicate with C, from C’s response, A knows that C’s IP ID is: 1445.
• A sends SYN to one of B’s ports asking for a connection using C’s IP address.
• B respond to the relevant IP address, that is C with a SYN+ACK if the port is open, else if the port is closed, then it will send back a RST or nothing at all.
• A ask to communicate with C one more time to read its IP ID again.
• If the IP ID is 1447 (increased by two since the last transmission) then the port is open assuming that B responded with a SYN/ACK back to C, hence C had to reply with a RST packet using IP ID = 1446.
• Else If the IP ID is 1446, (increased by one since the last transmission) then the port is close, assuming that B simply responded with a RST or nothing at all, hence C did not have to communicate back.

You must have noticed that, to collect reliable data, it is important that computer C does not communicate with any other devices while running the scan, otherwise, its IP ID will increase dramatically anyway. This is why, the zombie device should be chosen carefully to be Idle, hence the name of the scan.

Also, as you must have noticed, the scan was performed by sending packets with spoofed IP to the target computer. Hence the spoofed IP is blamed for the scan, not yours!

In practice, the following Nmap command is an example of how to perform Idle scans:

nmap -PN -p20-25 -sI 192.168.1.152 192.168.0.131

-sI: is used to run Idle Scan.
-PN: is necessary for stealth, otherwise packets would be sent to the target from your real addres.
-p20-25: scan ports 20, 21, 23, 24 and 25.
192.168.1.152: Zombie IP.
192.168.0.131: Target IP.

At the end, here is a reminder that you should not scan any computer/network without permission. There are many known cases where using Nmap unethically caused serious legal issues.

Three designs for Iraq’s flag (click on the images to enlarge) followed by few banners to support my favourite list in the elections “337” leaded by our current PM Nouri al-Maliki.

If you supoort 337 feel free to use the following banners as a signature in forums/online communities.

Dimensions: 400x70

Dimensions: 400x70

Dimensions: 400x70

Dimensions: 400x150

Dimensions: 400x70

Dimensions: 400x150

Connect the cables. Once done, you should first enable Internet Connection Sharing on your Windows machine. To do that, right-click your Internet connection and select “Properties“. Then click the “Advanced” tab. Now simply put a tick on the following option:

“Allow other network users to connect through this computer’s Internet connection”

This should give your Network card the following static IP address: 192.168.0.1. This address will represent the gateway address for the other computers in your LAN to connect to the Internet.

Now, move to your Linux box and use the following command to give it an IP address and a Subnet Mask:

ifconfig eth0 192.168.0.131 netmask 255.255.255.0

The following command is then used to set the default gateway

route add -net default gw 192.168.0.1

Finally, you will need to update your Linux DNS servers file. Get the two DNS servers IPs by typing
“Ipconfig /all” In the command prompt of your Windows machine, and then add them to “/etc/resolv.conf” in your Linux using your favorite editor. For instance, to open the file with nano use the following command:

sudo nano /etc/resolv.conf

That’s all, try to test the connection between the two computers by pinging their IP addresses and then test your DNS configuration with any of the following commands from your Linux box:

host google.com
 
nslookup google.com
 
ping google.com

You first need to download BackTrack’s VMWare Image for the final available release from the following link:

http://www.backtrack-linux.org/downloads/

At the time of writing this post the final release is BackTrack 4 so the download gave me the following zip file:

bt4-final-vm.zip

Now we should do the following:

1. First unzip the file. The result is a folder called: BackTrack4-Final
   

2. Move BackTrack4-Final and its contents to the Virtual Machines folder created for you by VMware when you first installed it. Under Windows 7 it is located at:
   C:\Users\{Your User Name}\Documents\Virtual Machines
   

3. Run VMware Workstation
   

4. From the menu bar, select File –> Open and navigate to the BackTrack4-Final folder. Inside the folder you should find: BackTrack4-Final.vmx. Open it.
   

5. Now that the image is loaded into your VMware Desktop, click: Power on this virtual machine.
   

6. Most likely, you will get the following dialog:

   “This virtual machine may have been moved or copied.

   In order to configure certain management and networking features, VMware Workstation needs to know if you moved this virtual machine or if you copied it.”

   Choose I copied it and proceed.
   

7. If everything goes well, and it should, BackTrack will ask you to log in. The username will be root and the password is toor.
   

8. Once logged in as a root, type startx to run the graphical interface.
   

9. The internet/network is not connected by default in BackTrack, to start it run the Konsole and enter the start-network command.
   

10. If that did not work, open Wicd manager (K menu –> Internet –> Wicd manager) and click Connect. The status bar should show something like:

    Connected to wired network (IP: xxx.xxx.xxx.xxx)

If you get that, it means you connected BackTrack to the network successfully! Well done

At the end, make sure you have the latest kernel sources by running the following commands:

apt-get update
 
apt-get install linux-source
 
cd /usr/src
 
tar jxpf linux-source-{version}.tar.bz2
 
ln -s linux-source-{version} linux
 
cd linux
 
zcat /proc/config.gz > .config
 
make scripts
 
make prepare

VisualRoute

Traceroute is a famous program to draw the route taken by packets from your computer to any destination you chose. It uses UDP or ICMP echo packets with TTL value of one, then continuously increase it until it reaches the destination, this way it can get time exceeded responses from every hop in the pathway.

There is also TCP Traceroute programs which can be useful to bypass some firewalls filtering.

Similar techniques like Dig, Host for UNIX-like systems and PathPing for Windows may also be used to achieve similar results, but all these are command based. Although, using the Terminal is great pleasure, but it is always nice when these locations are illustrated on a real world map in addition to different forms of diagrams. To get such results, I suggest two tools I have used: NeoTrace Pro and VisualRoute.

This post is about www robots (also called: web spiders/crawlers/worms/indexers) such as google bot, so what are they?

These applications browse the World Wide Web based on a primary list of URLs, then they use links from on the web pages they visit to reach other pages so the process can continue. This is how search engines find their way to your website.

To stop search bots from indexing some folders and files on your domain, a robots.txt file is used.

robots.txt contain rules to follow by this kind of bots, they are referred to as the Robot Exclusion Standard. The structure of the file is very simple as follow:

User-agent: *
Disallow: /private/
Disallow: /code/

User-agent: Googlebot-Image
Disallow: /images/haider.jpg

First line is used to determine the specific bot you want your rules to apply to. The disallow rule, specify which file or folder to you want to keep away from search bots. In my example I am excluding two folders from all bots and an image from Googlebot-image only.

The robots.txt file should be uploaded to the root folder, but note that this does not cover subfolders, so every subfolder should have its own copy.

However, be warned that bots are also used by malicious people to spread viruses, run DDoS attacks or to collect emails and other kind of information. These bots does not respect robots.txt rules, in other words, robots.txt does not guarantee privacy. In addition, the file is accessible by any web browser, so if you specify your important folders manually, it might be used by some people to locate your important folders and files. This will be then a security breach and to overcome it imply the disallow rule on folders rather than individual files and also try to name them smartly.

Another possible way to control bots is by using special metadata tags as part of your HTML files, the following tag for example, implies that the bot should not index the page.

<META NAME="ROBOTS" CONTENT="NOINDEX">

Another tag is:

<META NAME="ROBOTS" CONTENT="NOFOLLOW">

And by using it, you stop bots from parsing the links on your page.

Introduction

Are you looking for a safe way to encrypt your files and messages? What if there is a method that can do all that and more and yet it is FREE to use? If you are interested, keep reading to know about encrypting and exchanging files safely with GPG and PGP.

GPG is an acronym for Gnu Privacy Guard. It was developed as a free and open source alternative to PGP, a famous commercial encryption product. Both GPG and PGP can encrypt and decrypt data on your system, in addition they can be used to authenticate emails and files you exchange with other people, this means that if Bob is sending files and emails to Alice, she can check if the data has been altered in the way by any third party and if the sender is Bob for sure and no one else. Furthermore, with these applications, Bob can also make sure that only Alice will be able to decrypt and read/view the data he is sending.

Before proceeding with how this works in practice, let me first start with a small formal introduction to the protocol these programs use, that is OpenPGP (RFC 4880).

OpenGPG

OpenPGP is the most used email encryption standard now a day. It uses public-keys in combination with symmetric cryptography and hash-function to provide security solutions for electronic communications and data storage. Any OpenPGP software should support data confidentiality, integrity and authentication.

So OpenGPG is the standard or the protocol, while PGP and GPG are the applications you can use.

The software

It is best now to get your own copy of the software. GPG is free, if you are using Windows, you can get GPG4win from: http://www.gpg4win.org.

For Mac and Unix/Linux systems, download the copy that is best for you from: here

Usually GPG is installed by default in most Linux distributions. In Ubuntu for example, you can start working on it directly using your command line, but to save yourself time and make your life easier, add the suitable frontend for Gnome: Seahorse, by running the following commands:

sudo apt-get install seahorse

And also install its plug-ins

sudo apt-get install seahorse-plugins

If you are a KDE user then you should get KGpg instead of Seahorse.

On the other hand, you can also use PGP. It is commercial, but the good news is that: if you decide to use their trial version without entering the license key, it works as a freeware version. It does not give you the full functionality of a commercial license of course, however, what you get is convenient enough (I personally use it). You can download the trial version and try it yourself from here

How it works

Now, that you installed a software (I assume), you should have a small program responsible for key management, that will usually be GPA if you got GPG4win, KGpg for KDE Linux or else, Seahorse if you are using Gnome. A Key Manager is used to create, delete, import, export and backup keys in addition to some few other management tasks. So what are these keys used for?

When you create a key, the software generates two, a private key for your own use and a relevant public key that can be sent to all other people to communicate securely with you.

What you really need to understand is that:

• All data encrypted with your public key, can only be decrypted with your private key. This is how GPG provide confidentiality i.e. data can only be read by the person who is meant to read it. So, if Bob wants to send a confidential file to Alice, he encrypts the file with her public key and sends it. Do you see how important it is to keep your private key secure? That is why the software makes you protect it with a passphrase.

• All data you encrypt with your private key can be decrypted using the public key: this implies that if Alice is able to decrypt data using Bob’s public key, she knows for sure that he was the one who encrypted it, no one else.

Digital Signatures

But why should Bob encrypt the whole file if all he needs is to prove authenticity to Alice? What if he is sending the file to many people and only Alice needs to authenticate it?

For this reason, we have digital signatures: Bob can simply sign the file with his private key instead of encrypting it.

Signing files can be done using Kleopatra if you installed GPG4win, otherwise simply right-click any file and the popup menu you get should have a new option to let you sign and/or encrypt the file.

Signing a file results in a digital signature, which contains a message digest (can be produced using a hash function such as MD5 algorithm) of the original file encrypted with Bob’s private key. The message digest maintains data integrity, because any change happens to the file changes its digest as well. While the fact that it has been encrypted with Bob’s private key proves him as the original sender. Interestingly, this can also be used as a method of non-repudiation, which implies that it prevents the sender from claiming that he or she did not actually send the information!

Now if Bob’s public key can decrypt and read the signature, Alice knows he is the sender, and then she uses the content (the message digest hash) to compare with a new calculated hash of the file she received. If they match, then the file has not been altered. Meanwhile, other people who might have received the file and does not have Bob’s public key, can simply use the file (because it is not encrypted) and ignore the digital signature.

Of course all of this is done easily by the software, no much manual work for you other than understanding how the software works.

Key Servers and Public Key Distribution

Exchanging public keys can be easy with a friend you already know, but what if you don’t have a direct contact with the person? How can you make sure the key you get isn’t fake? What if someone else made it up?

As a solution, Key Servers host public keys for everyone and provide you with solutions to work around this problem. PGP Global Directory for example verify the email address attached to every key before listing them online, hence, if you recognize the email address, you could trust the public key attached belongs to the owner of the email address.

Another one is SKS OpenPGP Keyserver. It shows you how many users trusted a certain public key and signed it as valid. In principle, if you see that many users signed a key, you might have a reason to think it actually belongs to its owner. This method is called “web of trust” and it helps to authenticate keys. So, it is best that you sign the keys you personally trust and ask the people who know you to sign your key as well to show it as valid. Make sure you don’t forget publishing any public key you sign to the key servers.

There are many key servers and many of them are linked together, so once you send your public key to one of them manually or by using your software, consequently, they will update each other with your information.

Digital Certificates

When someone signs a public key as valid, this operation results in what we call: a digital certificate. So, a digital certificate consists of a public key, identity information (owner’s name, email etc) and a digital signature by a third party to verify that the identity information belongs to the public keys. The third party can be a person, group, organization etc.

Conclusion

An interesting idea if you have some private data that you share with somebody is to encrypt it twice with both of your public keys. That way, neither of you can make use of it alone!

In Windows: MD5summer can be used to perform the task.

While in Linux: The famous md5sum utility is usually used.

The following examples shows how md5sum can be used from the command line.

To compute the MD5 sum of an ISO file for example use:

md5sum filename.iso

The result will be something like:

f8c7451b0de5a1e5f7a68fb3d15f4064 filename.zip

Note that the wild card can be used too, so if you are in a folder containing many files, you can compute the hashes to all files using:

md5sum *

or

md5sum h*.exe

Some applications/distributions provide a file with all MD5 hashes of the released files. Ubuntu for example provide a file called MD5SUMS and it looks like this from inside:

836440698456aa2936a4347b5485fdd6 *ubuntu-9.10-alternate-amd64.iso
3faa345d298deec3854e0e02410973dc *ubuntu-9.10-alternate-i386.iso
dc51c1d7e3e173dcab4e0b9ad2be2bbf *ubuntu-9.10-desktop-amd64.iso
d91659de6e945dbb96eb8970b2b4590a *ubuntu-9.10-desktop-armel+dove.img
297875d2a7531824a0fb08f241d33e85 *ubuntu-9.10-desktop-armel+imx51.img
8790491bfa9d00f283ed9dd2d77b3906 *ubuntu-9.10-desktop-i386.iso
ed6e77587b87fe0d92a2f21855869f00 *ubuntu-9.10-netbook-remix-i386.iso
14707e8847b9c9ba2dd1869fb5086e4f *ubuntu-9.10-server-amd64.iso
55618ad5f180692f9dac20cbff352634 *ubuntu-9.10-server-i386.iso
37a04db193b1a342f961f59aea2fada8 *wubi.exe

Now assume you downloaded: ubuntu-9.10-alternate-i386.iso
You can verify it’s hash against that list with the following command:

md5sum ubuntu-9.10-alternate-i386.iso -c MD5SUMS

If the comparison results in a single match then your file is alright.

To cultivate the result, use the following to show the positive match only:

md5sum ubuntu-9.10-alternate-i386.iso -c MD5SUMS | grep -v "FAILED$"

grep -v “FAILED$” is used to ignore the failed comparisons in the results, hence, if we change it to grep -v “OK$” we can get the failed comparisons only. this is useful when you run md5sum to verify many files against a list and need to check if there are any bad files.