Hi, I'm in the process of locking down my pf OpenBSD 3.6 router. Just wanting to know of the recommendations for scanners I can use to see what's open and up for grabs or what can be exploited. Preferably an OpenBSD targeted solution would be good. I've run ShieldsUp from my Windows workstations (behind the router) but does that scan the Windows box or the router?

Sh4d03

--
If you require more assistance or if my suggestion works please E-mail me at sh4d03 [at] TPG [dot] com [dot] au. Additionally, if you are able to provide assistance to me and wish to E-mail me directly please also feel free to contact me in this manner. Please ensure you include "Newsgroup_sh4d03" in the subject line. Please pay attention to the capitalisation. Emails sent to the above address which do NOT contain "Newsgroup_sh4d03" in the subject line will fail to reach me.

Thanks, Sh4d03
| |||
sh4d03 <sh4d03@TPG.com.au> writes:

> I've run ShieldsUp from my Windows workstations (behind the router)
> but does that scan the Windows box or the router?

That depends entirely on your setup. Possibly a bit of both. If your pf box does NAT, I'm not convinced ShieldsUp is able to tell the difference between your OpenBSD box and machines behind it.

Unless your setup is simply "pass all", at least some packets will never make it past the router. In general, connections which are let through a pf filtering via a pass rule will pass end to end.

ShieldsUp is good for a few laughs, though - I just ran the various tests from my laptop. According to Gibson, I failed. Three highly dangerous things, we are led to believe:

* SSH answers

* SMTP answers (as in:

<<< 220 delilah.datadok.no ESMTP spamd IP-based SPAM blocker; Tue Jan 11 09:34:55 2005
>>> HELO www.abuse.net
<<< 250 Hello, spam sender. Pleased to be wasting your time.)

* ping answers

Then of course there's the sermon at https://grc.com/x/ne.dll?bh0bkyd2 which warns about the grave and immediate danger of reverse DNS.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
| |||
So can you advise me of any 'good' scanners for a pf router? I'm running NAT. The ShieldsUP said that my ftp was open and ssh was closed and all others were stealth. I realise there is Nmap... is that the best option?

Sh4d03

Peter N. M. Hansteen wrote:
> sh4d03 <sh4d03@TPG.com.au> writes:
>
>>I've run ShieldsUp from my Windows workstations (behind the router)
>>but does that scan the Windows box or the router?
>
> That depends entirely on your setup. Possibly a bit of both. If your pf
> box does NAT, I'm not convinced ShieldsUp is able to tell the difference
> between your OpenBSD box and machines behind it.
>
> Unless your setup is simply "pass all", at least some packets will never
> make it past the router. In general, connections which are let through a
> pf filtering via a pass rule will pass end to end.
>
> ShieldsUp is good for a few laughs, though - I just ran the various
> tests from my laptop. According to Gibson, I failed. Three highly
> dangerous things, we are led to believe:
>
> * SSH answers
>
> * SMTP answers (as in:
>
> <<< 220 delilah.datadok.no ESMTP spamd IP-based SPAM blocker; Tue Jan 11 09:34:55 2005
> >>> HELO www.abuse.net
> <<< 250 Hello, spam sender. Pleased to be wasting your time.)
>
> * ping answers
>
> Then of course there's the sermon at https://grc.com/x/ne.dll?bh0bkyd2
> which warns about the grave and immediate danger of reverse DNS.
>

--
If you require more assistance or if my suggestion works please E-mail me at sh4d03 [at] TPG [dot] com [dot] au. Additionally, if you are able to provide assistance to me and wish to E-mail me directly please also feel free to contact me in this manner. Please ensure you include "Newsgroup_sh4d03" in the subject line. Please pay attention to the capitalisation. Emails sent to the above address which do NOT contain "Newsgroup_sh4d03" in the subject line will fail to reach me.

Thanks, Sh4d03
| |||
sh4d03 <sh4d03@TPG.com.au> writes:

> So can you advise me of any 'good' scanners for a pf router? I'm
> running NAT. The ShieldsUP said that my ftp was open and ssh was
> closed and all others were stealth. I realise there is Nmap... is that
> the best option?

nmap is quite popular and very flexible. See if you can make it do what you need.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
| |||
On Tue, 11 Jan 2005 20:36:43 +1100, sh4d03 <sh4d03@TPG.com.au> wrote:

>So can you advise me of any 'good' scanners for a pf router? I'm running
>NAT. The ShieldsUP said that my ftp was open and ssh was closed and all
>others were stealth. I realise there is Nmap... is that the best option?
>

Ignore anything that publicity seeking gobshite Gibson asserts and scan yourself using the web based front end to nmap on

www.unixcircle.com

I recommend being a good Internet citizen and setting

~ # grep block-policy /etc/pf.conf
set block-policy return

This will ensure that the nmap scan won't timeout before completion and will politely tell the world at large to go forth and multiply.

greg

--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
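Added example, not part of any post in this thread: a POSIX shell helper for reading an outside nmap scan of the router saved in grepable (-oG) form. It lists ports by state and flags open ports missing from an allowlist. The sample scan is constructed, 192.0.2.1 is a documentation address, and the function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the thread. SAMPLE_SCAN is constructed nmap
# grepable (-oG) output; 192.0.2.1 is a documentation address. The states
# mirror the ShieldsUp result quoted above: ftp open, ssh closed, rest silent.
TAB=$(printf '\t')
SAMPLE_SCAN="Host: 192.0.2.1 ()${TAB}Status: Up
Host: 192.0.2.1 ()${TAB}Ports: 21/open/tcp//ftp///, 22/closed/tcp//ssh///, 25/filtered/tcp//smtp///, 80/filtered/tcp//http///${TAB}Ignored State: filtered (1659)"

# ports_in_state STATE: read -oG text on stdin and print the TCP ports in
# that state, space-separated. Entries look like port/state/proto/owner/service/...
ports_in_state() {
    awk -v want="$1" '
        /Ports: / {
            sub(/^.*Ports: /, "")   # drop the "Host: ..." prefix
            sub(/\t.*$/, "")        # drop the trailing "Ignored State" field
            n = split($0, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == want && f[3] == "tcp")
                    out = out (out == "" ? "" : " ") f[1]
            }
        }
        END { print out }'
}

# unexpected_open "ALLOWED PORTS": print open ports that are not on the
# allowlist of services the router is meant to expose.
unexpected_open() {
    allowed=" $1 "
    result=""
    for p in $(ports_in_state open); do
        case "$allowed" in
            *" $p "*) ;;
            *) result="${result:+$result }$p" ;;
        esac
    done
    printf '%s\n' "$result"
}

# classify: one line per state. "filtered" (ShieldsUp calls it "stealth")
# typically means no answer came back, as with block-policy drop; "closed"
# means a TCP RST came back, either from "set block-policy return" or from
# a passed port with nothing listening behind it.
classify() {
    scan=$(cat)
    for state in open closed filtered; do
        printf '%s: %s\n' "$state" "$(printf '%s\n' "$scan" | ports_in_state "$state")"
    done
}

printf '%s\n' "$SAMPLE_SCAN" | classify
```

With a real scan of your own router's external address, pipe the saved -oG file into classify or unexpected_open in place of SAMPLE_SCAN.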
| |||
In comp.unix.bsd.openbsd.misc, sh4d03 dared to utter,

> I realise there is Nmap... is that the best option?

If you keep your ear to the ground and know enough about recent (and not so recent) announced vulnerabilities, have a little bit of understanding about banner retrieval (preferably even some understanding of the ASCII commands your services speak), then nmap and telnet (or netcat) are really your best friends.

nmap's an excellent port scanner with a lot of different ways and means of scanning. netcat can retrieve all the banners you want, as well as send regular ascii commands via both tcp and udp.

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
| |||
sh4d03 <sh4d03@TPG.com.au> wrote in news:41e385d1$1@dnews.tpgi.com.au:

> Hi, I'm in the processes of locking down my pf OpenBSD 3.6 router. Just
> wanting to know of the recommendations for scanners I can use to see
> what's open and up for grabs or what can be exploited. Preferably an
> OpenBSD targeted solution would be good. I've run ShieldsUp from my
> Windows workstations (behind the router) but does that scan the Windows
> box or the router?

Download the latest version of Knoppix and use it to run Nessus from both inside and outside your network. I haven't used anything that is as thorough in checking for potential exploits. If you simply want a port scan, use nmap.

Note that Nessus uses both a server and a client. You need to go to:

K -> System -> Security -> Nessus Security Tool

to start the server. After about a minute (it needs to generate a certificate), it will launch the client. Log in as knoppix/knoppix and start scanning to your heart's content.

The menu entry at:

K -> System -> Nessus

is simply the client, which you can use to connect to an already running Nessus server.

Another tip: If your router is an old box with limited disk space, make sure that the logging rules in pf aren't too verbose.
| |||
Greg Hennessy wrote:

> Ignore anything that publicity seeking gobshite Gibson asserts and scan
> yourself using the web based front end to nmap on
>
> www.unixcircle.com

got a bad security certificate warning from this site
| ||||
On Tue, 11 Jan 2005 20:16:16 -0500, prodigal1 <prodig@l.com> wrote:

>> Ignore anything that publicity seeking gobshite Gibson asserts and scan
>> yourself using the web based front end to nmap on
>>
>> www.unixcircle.com
>
>got a bad security certificate warning from this site

So ? Did you actually check the certificate to see why ?

greg

--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone