A Programmer explores the IT Security field; offering packets of useful information he picks up along the way.

Archive for the ‘Uncategorized’

301 Redirects Explained

June 18, 2008 By: Ron Category: SEO, Uncategorized No Comments →

Wrote a guest post about “301 redirects” on my buddy Shimon Sandler’s blog. Shimon is very well known in the SEO community and his blog has 1000+ subscribers. It is a great resource.

Thanks, Shimon, for giving me the opportunity to share a post with your readers.

Living in the present

August 31, 2007 By: admin Category: Uncategorized No Comments →

I read a nice post on “Securitycatalyst.com” that made me stop and think. We really need to appreciate the here and now. Sometimes I’ll look at my kids; they understand what it means to live life in the present moment. There is so much going on in our heads, so many thoughts. Do you ever stop to reboot? Clean out the cache? I like to sit quietly sometimes and just follow my breath; if a thought comes in I let it pass gently. This little meditation can be very relaxing. I’m a firm believer that this type of practice on a daily basis is especially essential in today’s high-tech world. As security folk, we also have to appreciate what we have. There are so many things to be grateful for. Let’s stop, think and thank on this long Labor Day weekend. Thank you Security Catalyst for the nice post.

Netstat command

July 24, 2007 By: admin Category: Uncategorized No Comments →

The netstat command is a very handy command available on all OSes. When invoked, netstat shows the network connections made by your computer, the ports used, and the status of these connections. It will also show you which services may be open and waiting for connections. This knowledge can help in ascertaining whether your system is vulnerable to attack.

To understand this we need a quick and dirty definition of ports. A port is a “logical connection place” on your computer where a network connection is made. As I’m writing this blog in my browser, my computer has established a TCP/IP connection to Google’s machine at port 80. Simplistically, ports are like windows into your computer that can be closed or opened; knowing which windows are OK to be open and which should be closed can make your system more secure.

OK. Let’s see the connection to Google that is established so I can write this blog. In the command prompt I typed ‘netstat’.

As you can see, the last line shows a TCP connection: first the local address, showing the outbound port; next the foreign address, where you see Google’s host information followed by a colon and the port, shown as http or 80; and last the state of this connection, which in my case is ESTABLISHED. If the connection is established, the line represents a socket, that is, an endpoint for communication between two machines.

 

There can be different states for each connection, or potential connection if it’s listening.

ESTABLISHED - connection has been made; the TCP three-way handshake has taken place.
LISTENING - port on your computer is listening for incoming traffic.
TIME_WAIT - occurs at the end of an established connection; before the connection is torn down it waits for any packets that didn’t make it across. This is done so as not to confuse things if a new connection gets established.
SYN_RECEIVED - unlikely to see this, since it happens so quickly; it’s part of the three-way handshake that happens when a connection is being set up.
SYN_SENT - unlikely to see this too, as it’s part of the three-way handshake when a connection is being set up.

It is important to note that if you see a line in netstat showing LISTENING, it means that you have a port on your computer waiting for incoming traffic. Don’t get all freaked out: “does that mean someone can hack into my computer and take control of it?” No, it does not. Most people today have routers that sit between their computers and the Internet. If someone wanted to make a connection to, say, some port that I found was in a listening state, they would not be able to. The router acts as a firewall for all inbound traffic (also called ingress filtering; I hope to discuss this further in a new post). So, if you have a port in a listening state, try to find out what application/process is using this port and then try to google the “exe” file. Now you will know if this process should, in fact, be listening for incoming requests or if it’s a Trojan.

 

Netstat can be passed a bunch of different parameters depending on what you’re looking to do.

Here is a really great feature: ‘netstat -b’ will show you the actual process that is using a connection. Back to me writing this blog. The process that made the connection would be my browser, and you see below that iexplore.exe shows underneath the connection line. So, if you see a connection that you’re not sure about, you can use the -b parameter to see the process behind it. If you see an .exe file that you haven’t heard of, just search for it on Google to see if it’s something safe. Perhaps it’s malware on your computer; if that’s the case, back up important files and reinstall your operating system.

 

It’s important to remember that when you issue the netstat command it gives you a snapshot of what is happening right then. You can pass an interval so that it keeps running. There is a really great, free program that is worth checking out called TCPView. This is a Windows GUI version of netstat and it updates in real time. And just in case you need it to figure out why your mom’s Internet connection is slow, netstat is always available on all OSes; just fire it up; there is no need to install anything.
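
The check described in this post (find the LISTENING ports, then look at the process that owns each one) can be scripted. The Python below is an added example, not part of the original post: it parses a constructed sample of ‘netstat -ab’-style output and lists listeners whose process is not on an expected list. The sample lines, the process name updater32.exe and the expected list are assumptions made for illustration.

```python
import re

# Constructed sample in the style of Windows `netstat -ab` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
 [mDNSResponder.exe]
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
 [updater32.exe]
  TCP    192.168.1.5:1217       203.0.113.10:80        ESTABLISHED
 [iexplore.exe]
"""

# The state column is optional because UDP lines carry no state.
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
PROC = re.compile(r"^\s*\[(.+?)\]\s*$")

def parse_netstat_b(text):
    """Pair each connection line with the first [process] line that follows it."""
    rows, current = [], None
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            proto, addr, port, foreign, state = m.groups()
            current = {"proto": proto, "local": addr, "port": int(port),
                       "foreign": foreign, "state": state, "process": None}
            rows.append(current)
            continue
        p = PROC.match(line)
        if p and current is not None and current["process"] is None:
            current["process"] = p.group(1)
    return rows

def listeners_to_review(rows, expected):
    """Return (port, process, scope) for LISTENING sockets not owned by an expected process."""
    out = []
    for r in rows:
        if r["state"] != "LISTENING" or (r["process"] or "").lower() in expected:
            continue
        # A listener bound only to loopback cannot be reached from other machines.
        scope = "local-only" if r["local"] in ("127.0.0.1", "[::1]") else "network"
        out.append((r["port"], r["process"], scope))
    return out

if __name__ == "__main__":
    print(listeners_to_review(parse_netstat_b(SAMPLE), {"svchost.exe"}))
```

The scope field separates listeners bound to 127.0.0.1 from those bound to 0.0.0.0, since only the latter accept connections from the network.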

Nmap Reconnaissance

July 09, 2007 By: admin Category: Uncategorized No Comments →

Nmap is a free, popular port scanning security tool, used by good and bad hackers alike.
For someone breaking into a network, this tool is used to gather as much information about the network as possible; mapping it out or, as it’s called, fingerprinting the target. On the other side, the good guys use NMAP internally to determine if there are any unauthorized services running on their network. This tool kind of levels the playing field, so to speak.

I downloaded the free tool at home and was playing around with it on my internal network. As a caveat, only scan your own hosts, or networks that have given you permission to scan. Unauthorized scanning of a host with the intent of breaking into it may be unlawful; one should keep this in mind when using this tool.

There are two ways of scanning using NMAP; regular TCP connect scanning and stealth scanning.
Without going into the geeky details of TCP/IP, stealth scanning attempts to determine if a port is open on the target system by soliciting a SYN/ACK and not completing the 3-way handshake, thereby going in under the radar. However, even this type of scanning is now being logged by modern firewalls and IDS (Intrusion Detection Systems).

The TCP connect mode actually completes the 3-way handshake. The downside for a hacker would be that most servers log connections, including the source IP address, and the IDS may be tripped; these are things a hacker would like to avoid while fingerprinting a network.

Here are some basic NMAP commands to get started.

TCP connect() scanning:
# nmap -sT 192.168.1.2

SYN/stealth scanning:
# nmap -sS 192.168.1.2
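
From the defender’s side, the two scan types leave different traces on open ports: a connect scan finishes the handshake with an ACK, while a SYN scan answers the SYN/ACK with a RST. The Python below is an added example, not part of the original post, that labels sources in a constructed packet summary accordingly; the packet records, the documentation-range addresses and the min_ports threshold are assumptions for illustration.

```python
from collections import defaultdict

# Constructed packet summaries seen at a monitored host: (source, dest_port, direction, flags).
# "in" = from the remote source to us, "out" = our reply. S=SYN, A=ACK, R=RST.
PACKETS = [
    ("198.51.100.7", 22, "in", "S"), ("198.51.100.7", 22, "out", "SA"),
    ("198.51.100.7", 22, "in", "R"),
    ("198.51.100.7", 80, "in", "S"), ("198.51.100.7", 80, "out", "SA"),
    ("198.51.100.7", 80, "in", "R"),
    ("198.51.100.7", 443, "in", "S"), ("198.51.100.7", 443, "out", "RA"),
    ("203.0.113.9", 22, "in", "S"), ("203.0.113.9", 22, "out", "SA"),
    ("203.0.113.9", 22, "in", "A"),
    ("203.0.113.9", 80, "in", "S"), ("203.0.113.9", 80, "out", "SA"),
    ("203.0.113.9", 80, "in", "A"),
    ("203.0.113.9", 443, "in", "S"), ("203.0.113.9", 443, "out", "RA"),
    ("192.0.2.50", 80, "in", "S"), ("192.0.2.50", 80, "out", "SA"),
    ("192.0.2.50", 80, "in", "A"),
]

def classify_sources(packets, min_ports=3):
    """Label each source by how its probes to open ports ended."""
    seen = defaultdict(lambda: defaultdict(list))   # src -> port -> [(direction, flags)]
    for src, port, direction, flags in packets:
        seen[src][port].append((direction, flags))
    verdicts = {}
    for src, ports in seen.items():
        half_open = completed = 0
        for events in ports.values():
            if ("out", "SA") not in events:
                continue            # closed port: both scan types look the same here
            if ("in", "A") in events:
                completed += 1      # handshake finished, so the server can log the connection
            elif ("in", "R") in events:
                half_open += 1      # SYN, SYN/ACK, RST: the service never sees a connection
        if len(ports) < min_ports:  # too few distinct ports to call it a scan (assumed threshold)
            verdicts[src] = "normal"
        elif half_open > completed:
            verdicts[src] = "syn-scan"
        else:
            verdicts[src] = "connect-scan"
    return verdicts

if __name__ == "__main__":
    print(classify_sources(PACKETS))
```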



Defend I.T.: Security by Example

June 30, 2007 By: admin Category: Uncategorized No Comments →

I wanted to share my first infosec book review on Amazon, which I wrote back in August of ‘06.

“Defend I.T.: Security by Example” is one of my first reads on IT security. I am currently a programmer, looking to get into the information security field.

This book has successfully turned my interest in IT security into intrigue. Each chapter is a different real life case study, with techniques used and lessons learned. Coming from a technical background, I appreciated the technical depth that the authors delve into. From the get go in Chapter 1, the authors present a tutorial on the popular scanning tool called NMAP which is fascinating. The network diagrams throughout the book were very helpful in explaining to the reader the difficult concepts such as Distributed Denial-of-Service attack and Ingress and Egress filtering.

“Defend I.T.: Security by Example” introduced me to many new concepts including IDS, INGRESS, EGRESS, DMZ, SSO, ZOMBIE, FIREWALL’s, VPN’s, PKI, and DOS attacks, just to name a few. Overall, this book is very informative and well-written.

I highly recommend this book as a great addition to your IT Security library.

My First Posting

June 27, 2007 By: admin Category: Uncategorized 2 Comments →

Wow this is exciting !!!! I recently got my Google Reader all set up with a bunch of different feeds from bloggers and news etc. On a whim I decided to start my own blog. I feel like writing in a blog can help my writing skills and help me express my thoughts and ideas, and at the same time provide others with information that I hope will be informative. I’m totally intrigued by the information security world and hope to some day work in the field. To be proactive I started studying for the CISSP. I hope to share some of the things I learned that I find interesting. Please post your comments.