Sunday, July 1, 2012
The Wreckage: A Thriller by Michael Robotham
My rating: 0 of 5 stars
Michael Robotham is one of my favorite authors. These books engage you from the beginning and I find it difficult to put them down. The Wreckage is no different, filled with action and a complex story line. A late twist brings everything into focus.
With all that said, I found The Wreckage to lack the suspense of some of the earlier novels. This is still a great book and very enjoyable. I love it and can't wait for Say You're Sorry to hit US shelves!
Posted by marshalgraham at 12:47 PM
Friday, May 25, 2012
The Story
This all started when I got a text message from my wife earlier today. This is the image she sent me:
The Initial Review
Once at home, I looked more closely at this incident. First, I opened MSE (Microsoft Security Essentials) to review the logs and found that nothing had been detected in any previous scan (edit: MSE actually calls this History). This starts to confirm the suspicion of a fake antivirus popup.
The next step was to take the cache files from my daughter's profile and put them in a virtual machine. Since she uses Firefox, this is easy to do. If you are interested, explanations of the Firefox cache directories are here.
A quick peek at the history reveals this is definitely fake antivirus related.
Firefox Cache Tools
I start the cache exploration by typing about:cache into the URL bar. This gives you the screen below, which is not very useful.
Conclusion
I suspect the popup came from the website visited immediately before it in the browsing history, possibly via an advertisement. If that is true, it appears the problem has been remedied. I did look for some contact information on that website, but I did not locate any. I would have preferred to report this information, but I was unable to.
Firefox is a great browser. These cache tools are great for troubleshooting and fun to explore with as well. I am certain Firefox includes many more tools that I don't know about. Hopefully you found something useful in this post. Thanks for reading!
Thursday, May 24, 2012
It turns out, getting Nmap 6 to run on BackTrack 5 R2 is actually quite simple. Follow the steps below and prepare to bask in the newness of Nmap 6.
First, you need to get rid of the included Nmap which is version 5.61. Simply run this command:
apt-get -y autoremove nmap
This command should only take a few seconds to complete. Next, grab the Nmap 6 source using this command:
The source tarball is about 22 MB so it should (hopefully) download pretty quickly. After you have the source, you need to extract it. You can do that with this command:
tar zxvf nmap-6.00.tgz
Finally, these commands will compile and install Nmap 6. If you are unfamiliar with Linux, these are standard commands for installing software from source code.
Depending on your hardware, these commands may need a few minutes to complete. To check that Nmap is installed, run:
Nmap version 6.00 ( http://nmap.org )
Compiled with: nmap-liblua-5.1.3 nmap-libpcre-7.6 libpcap-1.0.0 nmap-libdnet-1.12 ipv6
Compiled without: openssl
Now, Nmap 6 is installed. Check out the announcement here, http://nmap.org/6. You may also want to check out my previous post on Nmap NSE scripts, http://www.marshalgraham.com/2012/05/getting-started-with-nse-nmap-scripting.html.
One thing to note regarding this installation method: during the first step, the BackTrack-maintained Nmap package is removed, so apt-get will no longer be able to update Nmap. When a new Nmap version is released, you will need to repeat this procedure to upgrade to the current version.
Note also the "Compiled without: openssl" line in the version output above. Nmap's build only enables OpenSSL support if the OpenSSL development headers are present when it is configured, and without it the NSE scripts that depend on OpenSSL (ssl-cert, for example) will refuse to run. On BackTrack, installing the libssl-dev package before compiling takes care of this.
Edit: If you want to restore the BackTrack-maintained Nmap, you can. Go back to the nmap-6.00 directory and run make uninstall. Next run apt-get -y install nmap to reinstall the packaged version of Nmap. Do not skip the make uninstall step: the source build lives under /usr/local/bin, which comes before /usr/bin on the default PATH, so it would otherwise keep shadowing the packaged binary.
Wednesday, May 23, 2012
After talking with some friends last week, I realized that the Nmap Scripting Engine (NSE) is an unappreciated and underutilized Nmap component. That is unfortunate, since NSE has easily become my favorite Nmap feature. According to the Nmap 6 release notes, the number of available NSE scripts is nearly 350! This seems like a good time for a long overdue blog post. This post talks about using the built-in Nmap 5 scripts. It's intended to introduce NSE and assumes at least some Nmap exposure.
If you are using BackTrack 5, the NSE scripts are located in /usr/local/share/nmap/scripts/. Each file ends with a .nse extension and is plain text. The scripts cover a variety of areas including vulnerabilities, information gathering, and exploitation. If you are uncertain of what a script does, simply open it in a text editor: each script starts with a description block that states what it does, which script arguments it accepts, and which categories it belongs to. (Nmap 6 also adds a --script-help option, e.g. nmap --script-help smb-enum-shares, that prints the same information.)
I'll walk you through a few examples of using NSE scripts. The first will show running the smb-enum-shares.nse script. This script connects to a Windows or Samba file server and enumerates the shares. Unauthenticated enumeration depends on the target allowing anonymous or guest sessions; where it does not, pass credentials with --script-args=smbusername=<user>,smbpassword=<pass>. The syntax is:
nmap -Pn --script=smb-enum-shares 192.168.1.136
You will obviously need to replace 192.168.1.136 with the IP address of your file server. Here is the output:
You can see there are four shares: ADMIN$, C$, IPC$, and "Documents and Settings". Another simple script is http-headers, which does exactly what it says: it retrieves the HTTP headers. Here is the syntax:
nmap -Pn -p80 --script=http-headers slashdot.org
Again, replace "slashdot.org" with the server you wish to retrieve the HTTP headers from. And here is the output:
Those are some pretty simple examples. Here is a little more complex one using smb-check-vulns.
nmap -Pn -p445 --script=smb-check-vulns 192.168.1.136
While this command may not appear more complex than the previous examples, the checks performed are more powerful. Its checks include whether the host is vulnerable to MS08-067 and whether it is infected with Conficker. Here is the output:
You can try running the unsafe checks with the command below. I have had limited luck with this, usually resulting in an SMB server crash (not good in a production environment!).
nmap -Pn -p445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.136
The previous commands all demonstrated running a single NSE script. Another method of invoking scripts is to use NSE script categories. This link lists all of the available categories, http://nmap.org/book/nse-usage.html#nse-categories. One of my favorites is the broadcast category. Most of these scripts only listen for, or send a single probe to, the local broadcast and multicast addresses, so the category is generally safe to run on a production network. It is not purely passive, though: targets-ipv6-multicast-slaac, for instance, sends an ICMPv6 router advertisement to provoke hosts into address configuration. Review the script list before running it, or restrict the run to scripts that also carry the safe category with --script "broadcast and safe". The syntax is very similar to the previous examples:
nmap -Pn --script=broadcast
Notice how this example does not specify a target host. These scripts find hosts and services that advertise themselves to the network broadcast address. The output format looks a little different than the previous examples. Each script name will be listed followed by the script output. Warning: these scripts can output a significant amount of data! Here is some sample output:
This scan produced output from these scripts: broadcast-wpad-discover, targets-ipv6-multicast-slaac (are you sure you aren't running IPv6?), broadcast-ping, and broadcast-netbios-master-browser. Broadcast-wpad-discover only returned that it could not discover a WPAD DNS or DHCP entry.
To get an idea of what broadcast checks are performed, check the broadcast scripts in /usr/local/share/nmap/scripts/ (ls /usr/local/share/nmap/scripts/broadcast*). Here's a sampling of things I have discovered using the broadcast category: Dropbox clients, shared iTunes libraries, TiVo beacons, mDNS/Avahi/Bonjour services, MS SQL servers, UPnP-capable hosts, NetBIOS hosts, and proxy servers (via WPAD discovery). The TiVo actually discloses the TiVo Service Number (sort of like a serial number). It seems like each time I run this script, I find a new service. While writing this article, I learned from the broadcast-upnp-info script that the Roku runs an embedded web server on TCP port 8060! However, I think the real power of the broadcast scripts is the ability to enumerate network hosts and services in virtual silence, never requiring a direct connection to the discovered host or service.
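Once you run more than one script, or run the broadcast category across a network, reading results off the screen stops scaling. The script below is an added example (not code from this post or from the Nmap project) showing the practical way to consume NSE results: have nmap write XML with -oX - and parse the three places script output lands. Pre-rule scripts such as the broadcast-* family end up in <prescript>, a host-rule script such as smb-enum-shares in <hostscript>, and a port-rule script such as http-headers under its <port>. SAMPLE_XML is a constructed document in that shape, with abbreviated, approximated script output rather than captured results; run_nse assumes nmap is on PATH and that you are authorized to scan the targets you hand it.

```python
"""Pull NSE script results out of Nmap XML output (-oX).

Added example, not code from the original post. SAMPLE_XML is a constructed
document in the shape nmap writes for the scans discussed in the post; the
script outputs are abbreviated approximations, not captured nmap output.
"""
import subprocess
import xml.etree.ElementTree as ET

SAMPLE_XML = """\
<nmaprun scanner="nmap" version="6.00" args="nmap -Pn --script=broadcast,smb-enum-shares,http-headers -oX - 192.168.1.136">
  <prescript>
    <script id="broadcast-ping" output="&#10;  IP: 192.168.1.1  MAC: 00:11:22:33:44:55&#10;  IP: 192.168.1.136  MAC: 66:77:88:99:aa:bb"/>
    <script id="broadcast-wpad-discover" output="Could not find WPAD file via DNS or DHCP"/>
  </prescript>
  <host>
    <address addr="192.168.1.136" addrtype="ipv4"/>
    <address addr="66:77:88:99:AA:BB" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/><service name="http"/>
        <script id="http-headers" output="&#10;  Server: Apache/2.2.14&#10;  X-Frame-Options: SAMEORIGIN&#10;  Content-Type: text/html&#10;  &#10;  (Request type: HEAD)"/>
      </port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-enum-shares" output="&#10;  ADMIN$&#10;    Anonymous access: &lt;none&gt;&#10;  C$&#10;    Anonymous access: &lt;none&gt;&#10;  IPC$&#10;    Anonymous access: READ&#10;  Documents and Settings&#10;    Anonymous access: READ"/>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_nse_results(xml_text):
    """Return one dict per <script> element: scope, host, port, script id, raw output."""
    root = ET.fromstring(xml_text)
    results = []

    def add(scope, host, port, elem):
        results.append({"scope": scope, "host": host, "port": port,
                        "script": elem.get("id"), "output": elem.get("output", "")})

    for s in root.iterfind("./prescript/script"):       # prerule scripts (broadcast-*)
        add("prescan", None, None, s)
    for host in root.iterfind("host"):
        addr = None
        for a in host.iterfind("address"):              # ignore the MAC address entry
            if a.get("addrtype") in ("ipv4", "ipv6"):
                addr = a.get("addr")
        for port in host.iterfind("./ports/port"):      # portrule scripts (http-headers)
            portid = "%s/%s" % (port.get("portid"), port.get("protocol"))
            for s in port.iterfind("script"):
                add("port", addr, portid, s)
        for s in host.iterfind("./hostscript/script"):  # hostrule scripts (smb-*)
            add("host", addr, None, s)
    for s in root.iterfind("./postscript/script"):      # postrule scripts
        add("postscan", None, None, s)
    return results


def smb_shares(output):
    """Share names from smb-enum-shares output: the lines at the shallowest indent.
    Deeper lines are per-share details (access levels, comments), not shares."""
    lines = [l for l in output.splitlines() if l.strip()]
    if not lines:
        return []
    indent = lambda l: len(l) - len(l.lstrip(" "))
    top = min(indent(l) for l in lines)
    return [l.strip() for l in lines if indent(l) == top]


def http_headers(output):
    """http-headers output as a dict; skips the trailing '(Request type: ...)' note."""
    headers = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("(") or ": " not in line:
            continue
        name, value = line.split(": ", 1)
        headers[name] = value
    return headers


def find(results, script, host=None):
    """All outputs for a script id, optionally restricted to one host address."""
    return [r["output"] for r in results
            if r["script"] == script and (host is None or r["host"] == host)]


def run_nse(targets, scripts, extra_args=()):
    """Run nmap with the given scripts and parse its XML straight from stdout.
    Assumes nmap is on PATH; raw-socket scripts (broadcast-*) need root."""
    cmd = (["nmap", "-Pn", "--script=" + ",".join(scripts), "-oX", "-"]
           + list(extra_args) + list(targets))
    return parse_nse_results(subprocess.check_output(cmd).decode("utf-8", "replace"))


if __name__ == "__main__":
    res = parse_nse_results(SAMPLE_XML)
    for r in res:
        where = r["host"] or r["scope"]
        if r["port"]:
            where += ":" + r["port"]
        print("%-20s %-26s %s" % (where, r["script"], r["output"].strip().splitlines()[0]))
    print("shares:", smb_shares(find(res, "smb-enum-shares", "192.168.1.136")[0]))
    print("headers:", http_headers(find(res, "http-headers", "192.168.1.136")[0]))
```

Replace SAMPLE_XML with the output of a real run (run_nse(["192.168.1.136"], ["smb-enum-shares", "http-headers"], ["-p80,445"]) or a saved -oX file) and the same functions apply; XML is the only Nmap output format that keeps script results tied to the host and port they came from, which is what you need before feeding them into a ticket or a diff against the previous scan.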
Sunday, January 29, 2012
It's Not All about Me: The Top Ten Techniques for Building Quick Rapport with Anyone by Robin Dreeke
My rating: 5 of 5 stars
This is one of my favorite books and I'm certain that I will read it again and again. It offers some great advice for quickly building relationships. The material is presented in a concise and easy to understand format. Even the most shy or introverted individual can benefit from this book.
If you have problems starting conversations or have ever felt you have trouble finding the right words, this book will help.
Posted by marshalgraham at 8:10 PM
Saturday, January 7, 2012
Freedom (TM) by Daniel Suarez
My rating: 4 of 5 stars
Freedom is a little too much science fiction for me. It is a good book, but the idea that large swaths of the population would be willing to supplant modern governments with what amounts to a real-life MMORPG is too far-fetched for my tastes. I give it four stars because it is well written and has enough action and suspense to overcome the plot shortcomings.
Posted by marshalgraham at 8:45 PM