Friday, May 25, 2012

Fake Antivirus and Firefox Cache Tools

Firefox has some pretty nifty features. One of those is the ability to view the cache contents without any extra tools. This post covers an incident with a fake antivirus popup and how I used the built in Firefox tools to confirm my suspicions.

The Story

This all started when I got a text message from my wife earlier today. This is the image she sent me:
The story goes, our daughter was using the computer and this appeared on the screen. My initial thought was this is a fake antivirus popup. However, we do have Microsoft Security Essentials (MSE) on that computer and the screen shot is convincing. Following the old saying of "you are better safe than sorry"; I told her to shut down the computer and I would look at it when I got home.

The Initial Review

Once at home, I looked more closely at this incident. First, I opened MSE to review the logs and found that nothing was detected in any previous scans (edit: MSE actually calls this History). This starts to confirm the suspicion of a fake antivirus popup.

The next step was to take the cache files from my daughter's profile and put them in a virtual machine. Since she uses Firefox, this is easy to do. If you are interested, explanations of the Firefox cache directories are here.

A quick peek at the history reveals this is definitely fake antivirus related.
The entries for and "Viruses were found on your computer!" are dead giveaways. At this point you could stop but I will take a few more minutes to show you some of the Firefox cache exploration tools.

Firefox Cache Tools

I start the cache exploration by typing about:cache into the URL bar. This gives you the screen below which is not very useful.
Clicking on "List Cache Entries" starts to look more interesting.
This page can be searched by pressing Ctrl+F. I searched for "".
The fifth entry refers to a PNG image file. Clicking on that link takes us to another page, specific to the alert.PNG cache entry.
This page is filled with information. It includes HTTP server response headers and a full packet capture of the PNG image. In the center of the page is a line marked "file on disk". This gives the location on the disk where the cached image is located. I navigated to that location, copied the file to a temporary directory, and renamed it with a PNG extension.
Opening this file removes any remaining doubt about the fake antivirus popup. This recovered image perfectly matches the text message I received earlier today!


I suspect the popup came from the website directly prior in the browsing history, possibly from an advertisement. If that is true, it appears the problem has been remedied. I did look for some contact information on that website, but I did not locate any. I would have preferred to report this information, but I was unable to.

Firefox is a great browser. These cache tools are great for troubleshooting and fun to explore with as well. I am certain Firefox includes many more tools that I don't know about. Hopefully you found something useful in this post. Thanks for reading!

Thursday, May 24, 2012

Installing Nmap 6 on BackTrack 5 R2

It turns out, getting Nmap 6 to run on BackTrack 5 R2 is actually quite simple. Follow the steps below and prepare to bask in the newness of Nmap 6.

Linux Security Cookbook by Barrett, Daniel J./ Silverman, Richard E./ (Google Affiliate Ad)

First, you need to get rid of the included Nmap which is version 5.61. Simply run this command:
apt-get -y autoremove nmap

This command should only take a few seconds to complete. Next, grab the Nmap 6 source using this command:

The source tarball is about 22 MB so it should (hopefully) download pretty quickly. After you have the source, you need to extract it. You can do that with this command:
tar zxvf nmap-6.00.tgz

Finally, these commands will compile and install Nmap 6. If you are unfamiliar with Linux, these are standard commands for installing software from source code.
cd nmap-6.00
make install

Depending on your hardware, these commands make need a few minutes to complete. To check that Nmap is installed, run:
nmap -V
This command should report version information similar to this:
Nmap version 6.00 ( )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.1.3 nmap-libpcre-7.6 libpcap-1.0.0 nmap-libdnet-1.12 ipv6
Compiled without: openssl

Now, Nmap 6 is installed. Check out the announcement here, You may also want to check out my previous post on Nmap NSE scripts,

One thing to note regarding this installation method. During the first step, the BackTrack maintained Nmap package is removed. This means that apt-get will no longer be able to update Nmap. When a new Nmap version is released, you will need to repeat this procedure to upgrade to the current version.

Happy Nmaping!

Edit: If you want to restore the BackTrack maintained Nmap, you can. Go back to the nmap-6.00 directory and run make uninstall. Next run apt-get -y install nmap to reinstall the packaged version of Nmap.

Wednesday, May 23, 2012

Getting Started With NSE, The Nmap Scripting Engine

After talking with some friends last week, I realized that the Nmap Scripting Engine (NSE) is an unappreciated and underutilized Nmap component. That is unfortunate, since NSE has easily become my favorite Nmap feature. According to the Nmap 6 release notes, the number of available NSE scripts is nearly 350! This seems like a good time for a long overdue blog post. This post talks about using the built in Nmap 5 scripts. It's intended to introduce NSE and assumes at least some Nmap exposure.
If you are using Backtrack 5, the NSE scripts are located in /usr/local/share/nmap/scripts/. Each file ends with a .nse extension and is plain text. The scripts cover a variety of areas including vulnerabilities, information gathering, and exploitation. If you are uncertain of what a script does, simply open it in a text editor.

I'll walk you through a few examples of using NSE scripts. The first will show running the smb-enum-shares.nse script. This script connects to a Windows or Samba file server and enumerates the shares. The syntax is:
nmap -Pn --script=smb-enum-shares

You will obviously need to replace with the IP address of your file server. Here is the output:

You can see there are four shares: ADMIN$, C$, IPC$, and "Documents and Settings". Another simple script is http-headers which does exactly what it says, retrieves HTTP headers. Here is the syntax:
nmap -Pn -p80 --script=http-headers

Again, replace "" with the server you wish to retrieve the HTTP headers from. And here is the output:

Those are some pretty simple examples. Here is a little more complex one using smb-check-vulns.
nmap -Pn -p445 --script=smb-check-vulns

While this command may not appear more complex than the previous examples, the checks performed are more powerful. This command checks for the MS08-067 vulnerability and if the host is infected with Conficker. Here is the output:

You can try running the unsafe checks with the command below. I have had limited luck with this, usually resulting in an SMB server crash (not good in a production environment!).
nmap -Pn -p445 --script=smb-check-vulns --script-args=unsafe=1

The previous commands all demonstrated running a single NSE script. Another method of invoking scripts is to use NSE script categories. This link lists all of the available categories, One of my favorites is the broadcast category. This is a very safe category that can be run on a production network with virtually no concerns. The syntax is very similar to the previous examples:
nmap -Pn --script=broadcast

Notice how this example does not specify a target host. These scripts find hosts and services that advertise themselves to the network broadcast address. The output format looks a little different than the previous examples. Each script name will be listed followed by the script output. Warning: these scripts can output a significant amount of data! Here is some sample output:

This scan produced output from these scripts: broadcast-wpad-discover, targets-ipv6-multicast-slaac (are you sure you aren't running IPv6?), broadcast-ping, and broadcast-netbios-master-browser. Broadcast-wpad-discover only returned that it could not discover a WPAD DNS or DHCP entry.

To get an idea of what broadcast checks are performed, check the broadcast scripts in /usr/local/share/nmap/scripts/ (ls /usr/local/share/nmap/scripts/broadcast*). Here's a sampling of things I have discovered using the broadcast category: Dropbox clients, shared iTunes libraries, TiVo beacons, mDNS/Avahi/Bonjour services, MS SQL servers, UPnP capable hosts, Netbios hosts, and proxy servers (via WPAD discovery). The TiVo actually discloses the TiVo Service Number (sort of like a serial number). It seems like each time I run this script, I find a new service. While writing this article, I learned from the broadcast-upnp-info script that the Roku runs an embedded web server on TCP port 8060! However, I think the real power of the broadcast scripts is the ability to enumerate network hosts and services in virtual silence, never requiring a direction connection to the discovered host or service.

I hope you enjoyed this intro to NSE scripts. Thanks for reading!