On Tue, Jan 02, 2001 at 08:11:56AM +0100,
Bernd Eckenfels ([EMAIL PROTECTED])
wrote:
> On Tue, Jan 02, 2001 at 04:43:47PM +1100, David Shoon-Yew Ng wrote:
> > Dear all,
> >     Can someone direct me as to a free-software that does vulnerability tests
> > for networks with firewalls configured?
> 
> nessus or nmap are the default tools here. Have a look on
> http://www.freefire.org in the tools section, for some more.

Hi, nessus, tripwire, ippl, netcat, nmap, scandetd and logcheck are, for me, some
good tools.

I tried nessusd -D -p 27374 and I've recorded a lot of scans on it.
I think that somewhere on the web there are some machines that are not owned and try to
put viruses or trojans on this odd port. You can say to me: No!! don't put nessusd
on port 27374 because it reboots my w2k :'( and I say to you: How does nessusd work?
It's a session in it for a dump. I've had a look at the FAQ in /usr/doc/ but it's a
little bit ... how do you say ... guru's config.


tripwire is only now installed on my machine...
The integrity of the data is not sure because many things have happened since 1998
on it. This one makes an image of md5sums from files and can check it with a long
passphrase. Install it on a new machine.

ippl is enough for all tcp/udp logins, scandetd says just:

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
/var/log/messages
=-=-=-=-=-=-=-=-=
Jan  2 02:08:27 bermude scandetd: www connection attempt from xx.xx.xx.xx

where xx is the IP

netcat (or nc)
nc -z -u -v -w2 steack.haché.net 53 can make a udp connect, just to see if
steack.haché.net is alive ... it's a very old tool which is described in a big
red/black book (in French now)

nmap is the best.

[root@depht /root]# nmap -sS 10.0.0.10 -p80 -P0

Starting nmap V. 2.30BETA17 by [EMAIL PROTECTED] ( www.insecure.org/nmap/ )
Interesting ports on proxie (10.0.0.10):
Port       State       Service
80/tcp     open        http                    


makes this:

Jan  2 19:17:46 www connection attempt from [EMAIL PROTECTED]
[10.0.0.13] (10.0.0.13:35047->10.0.0.10:80)

and with a spoofed address, it can be like this:

[root@depht /root]# nmap -sS 10.0.0.10 -D 10.0.0.15,ME -p80 -P0

Jan  2 19:17:46 www connection attempt from [EMAIL PROTECTED]
[10.0.0.13] (10.0.0.13:35047->10.0.0.10:80)
Jan  2 19:18:01 ICMP message type echo reply from provider [xx.xx.xx.xx]
(xx.xx.xx.xx->213.228.18.253)
Jan  2 19:20:01 last message repeated 15 time(s)
Jan  2 19:20:26 ICMP message type destination unreachable - bad host from
proxie [10.0.0.10] (10.0.0.10->10.0.0.10)
Jan  2 19:20:29 ICMP message type destination unreachable - bad host from
proxie [10.0.0.10] (10.0.0.10->10.0.0.10)
Jan  2 19:20:29 last message repeated 1 time(s)
Jan  2 19:20:29 www connection attempt from [EMAIL PROTECTED]
(10.0.0.15:38722->10.0.0.10:80)
Jan  2 19:20:29 www connection attempt from [EMAIL PROTECTED]
[10.0.0.13] (10.0.0.13:38722->10.0.0.10:80)
Jan  2 19:20:33 ICMP message type destination unreachable - bad host from
proxie [10.0.0.10] (10.0.0.10->10.0.0.10)

yerk!! what a big war in the zone. Be sure that I never play with this
tool. You must swear it and hold the right hand up too. Because now it's in
your hands

because it makes this:
tcp        0      0 proxie:www              10.0.0.15:38722         SYN_RECV    

for 20 minutes, because 10.0.0.15 doesn't exist. With a maximum of 10 connections, it
can be a nuclear war.

logcheck.sh is a tool to spam the root box. Be careful, set up an alias so that
a normal user is granted to see those spams in the mailbox without connecting as root
for this. And you have administrative logs directly in the mailbox; a little look
at ~/.fetchmailrc and you can read it at work from other machines you are
administrating.

gilles.
PS: sorry for the picture; last day, it was "happy new year" in figlet.
-- 
Save a plant,
eat a vegetarian!
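The decoy-scan excerpt above shows the real source (10.0.0.13) and the decoy (10.0.0.15) hitting proxie:80 in the same second with the same source port 38722. The following detector, an added example and not code from gilles's mail or from ippl/scandetd, reads constructed log lines in that format and flags exactly that pattern; it assumes a scan that sends each probe from every decoy with one shared source port, which is what the log shows.

```python
import re
from collections import defaultdict

# Constructed sample in the ippl/scandetd style shown above (not real log data).
# Lines 2 and 3 reproduce the decoy pattern: two sources, one second, one source port.
SAMPLE_LOG = """\
Jan  2 19:17:46 www connection attempt from user@10.0.0.13 [10.0.0.13] (10.0.0.13:35047->10.0.0.10:80)
Jan  2 19:20:29 www connection attempt from user@10.0.0.15 (10.0.0.15:38722->10.0.0.10:80)
Jan  2 19:20:29 www connection attempt from user@10.0.0.13 [10.0.0.13] (10.0.0.13:38722->10.0.0.10:80)
Jan  2 19:21:10 ssh connection attempt from user@10.0.0.20 [10.0.0.20] (10.0.0.20:40001->10.0.0.10:22)
"""

# Timestamp, service name, then the (src:sport->dst:dport) tuple at the end of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<svc>\S+) connection attempt from .*?"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)$"
)


def parse_attempts(text):
    """Yield one dict per parsable 'connection attempt' line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_decoy_groups(text):
    """Group attempts by (timestamp, target ip, target port, source port) and return
    only the groups that contain more than one distinct source address.  Several
    sources sharing one ephemeral source port against one target in the same second
    is the footprint a decoy scan leaves in these logs; a lone host reusing a port
    across different seconds is not flagged."""
    groups = defaultdict(set)
    for a in parse_attempts(text):
        groups[(a["ts"], a["dst"], a["dport"], a["sport"])].add(a["src"])
    return {key: sorted(srcs) for key, srcs in groups.items() if len(srcs) > 1}


def attempts_per_source(text):
    """Count logged attempts per source address, the usual first triage view."""
    counts = defaultdict(int)
    for a in parse_attempts(text):
        counts[a["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, sources in find_decoy_groups(SAMPLE_LOG).items():
        print("possible decoy scan at %s on %s:%s from %s" % (key[0], key[1], key[2], sources))
```

Only the addresses that actually answer with a SYN/ACK-driven handshake are the real scanner; the detector cannot tell which of the grouped sources is the decoy, it only shows that the group as a whole cannot be taken at face value.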
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
