Friday, February 22, 2013

Conducting an Nmap Scan and Exporting The Findings As An XML Report


Nmap is a multifaceted tool for network reconnaissance.  Whether the user is a white hat, grey hat or black hat, Nmap is considered an essential tool.  Nmap.org's official website describes the application as "a free and open source utility for network discovery and security auditing."  The website also explains that "Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics."  If you are interested in more official information on Nmap, visit their website here.

This tutorial demonstrates how to conduct a moderately advanced Nmap scan.  Once the scan completes, the findings will be exported to an XML report for review.  Let's get started.
 

1.  Start Metasploitable as a virtual machine.  Metasploitable will be the target host.  If you are unfamiliar with Metasploitable, a basic configuration guide can be found here.


I first logged into Metasploitable and found its local IP address by running ifconfig.  The IP address of Metasploitable is 10.0.0.21.  Knowing the target address up front spares a wild goose chase across the local area network.


2.  Start a Backtrack virtual machine and log in.  Backtrack will be the host conducting the Nmap scan.  Nmap runs on many operating systems, but this tutorial is based on Backtrack (Linux), where you are logged in as root.  That matters: the SYN scan and OS detection used below need raw-socket (root) privileges.

3.  Click the small black square towards the top of the screen in Backtrack.  This will open a new terminal.

 
4.  When the console opens, type nmap and hit enter.  Run with no target, Nmap prints its usage, options and arguments.  The official guide explaining these options can be found here.


5.  Let's do a quick Nmap scan by typing: nmap 10.0.0.21 (Metasploitable).  Hit enter.  With no options, Nmap scans the 1,000 most common TCP ports on the target; run as root (the case on Backtrack) it uses a SYN scan, and as an unprivileged user it falls back to a TCP connect scan.  Congratulations.  If you are new, you've conducted your first network scan.


The default scan revealed many open ports and services.  On a business server this would be a serious problem, because every exposed service broadens the attack surface available to an intruder.  Whenever possible, disable any non-essential services.


6.  Now that we've observed a basic port scan, let's conduct something a little more customized.  Run the following command:

nmap -O -sS -p 1-65535 -T3 -oX /root/Desktop/scan_report.xml --stylesheet=nmap.xsl 10.0.0.21

Now that the command has been issued, let's break down what it did.

[nmap] The Nmap application itself.
[-O] OS detection.  Nmap fingerprints the target's TCP/IP stack and makes its best guess at the operating system in use.  Requires root.
[-sS] SYN scan.  This "half-open" method sends a SYN and judges the port from the reply (SYN/ACK means open, RST means closed) without completing the handshake.  Also requires root; without it Nmap falls back to a connect scan (-sT).
[-p 1-65535] Scan all 65,535 TCP ports instead of the default 1,000 most common ones (-p- is shorthand for the same range).
[-T3] Timing template.  -T3 ("normal") is Nmap's default, so it changes nothing here; on a fragile network use -T2 ("polite") or lower to slow the scan down.
[-oX /root/Desktop/scan_report.xml] Write the findings as an XML report to the given file.
[--stylesheet=nmap.xsl] Embed an xml-stylesheet reference to nmap.xsl so a web browser can render the XML as HTML.  Because the path is relative, the XSL file must sit in the same directory as the report.
[10.0.0.21] Metasploitable / target host.

Note that this command does not include service/version detection.  Add -sV if you want the "application name and version" column of the report populated rather than just the well-known service name for each port.



7.  Because the stylesheet reference is relative, nmap.xsl must be in the same directory as the newly created scan_report.xml on the desktop.  To copy it there run:  cp /usr/local/share/nmap/nmap.xsl /root/Desktop/nmap.xsl   (If your Nmap came from a distribution package the file may instead live under /usr/share/nmap/; find / -name nmap.xsl will locate it.)


8.  With nmap.xsl on the desktop, simply double-click scan_report.xml.  It should open in your web browser with the stylesheet applied.  Some browsers refuse to apply XSL transforms to local files; if that happens and xsltproc is installed, convert the report to a standalone HTML page with xsltproc nmap.xsl scan_report.xml > scan_report.html and open that instead.  Below are screenshots of the report.


Scan_report.xml continued...
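Opening the XML in a browser is fine for one host, but the real value of -oX is that the report is machine-readable.  The following is an added example (not code from the original post or from the Nmap project) that parses an Nmap XML report with Python's standard library, lists the open ports and best OS match per host, and flags legacy cleartext services that a hardening pass should disable.  SAMPLE_XML is a constructed fragment shaped like the output of the scan above with -sV added (so product/version fields are present); the host, ports and versions in it are illustrative, not real scan results.

```python
"""Parse an Nmap XML (-oX) report and summarise what it found.

Added example; not code from the original post or from the Nmap project.
SAMPLE_XML is a constructed fragment shaped like the output of the scan
above with -sV added (so service product/version fields are present);
the host, ports and versions are illustrative, not real scan results.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<?xml-stylesheet href="nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -O -sS -sV -p 1-65535 -oX scan_report.xml 10.0.0.21" version="6.01">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.21" addrtype="ipv4"/>
    <address addr="08:00:27:AA:BB:CC" addrtype="mac"/>
    <ports>
      <extraports state="closed" count="65530"/>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="2.3.4" conf="10"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="4.7p1" conf="10"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet" conf="3"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.2.8" conf="10"/></port>
      <port protocol="tcp" portid="8180"><state state="filtered" reason="no-response"/><service name="unknown" conf="3"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/></os>
  </host>
  <runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# Cleartext-login or legacy protocols that rarely belong on a production
# server and are the first candidates for "disable non-essential services".
LEGACY_SERVICES = {"ftp", "telnet", "rsh", "rlogin", "rexec", "tftp", "finger"}


def parse_report(xml_text):
    """Return one dict per host that was up: address, ports, best OS match."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts Nmap could not reach
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            product = ""
            if svc is not None:  # product/version only present when -sV was used
                product = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
        match = host.find("os/osmatch")  # first (highest accuracy) match from -O
        hosts.append({
            "addr": addr,
            "ports": ports,
            "os": match.get("name") if match is not None else None,
            "os_accuracy": int(match.get("accuracy")) if match is not None else None,
        })
    return hosts


def open_ports(host):
    """Only ports Nmap confirmed open; 'filtered' means a firewall dropped the probe."""
    return [p for p in host["ports"] if p["state"] == "open"]


def attack_surface(host):
    """Count open ports and flag legacy/cleartext services that should be disabled."""
    opened = open_ports(host)
    flagged = sorted({p["service"] for p in opened if p["service"] in LEGACY_SERVICES})
    return {"open_count": len(opened), "flagged_services": flagged}


def format_report(hosts):
    """Plain-text summary, one block per host."""
    lines = []
    for h in hosts:
        os_text = f"{h['os']} ({h['os_accuracy']}%)" if h["os"] else "unknown"
        lines.append(f"Host {h['addr']}  OS: {os_text}")
        for p in open_ports(h):
            lines.append(f"  {p['port']:>5}/{p['proto']}  {p['service']:<10} {p['product']}")
        s = attack_surface(h)
        flagged = ", ".join(s["flagged_services"]) or "none"
        lines.append(f"  {s['open_count']} open ports; legacy services to disable: {flagged}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python nmap_report.py /root/Desktop/scan_report.xml  (defaults to SAMPLE_XML)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(format_report(parse_report(text)))
```

Point the script at the real /root/Desktop/scan_report.xml produced in step 6 and it prints the same information the browser view shows, but in a form you can diff against last month's scan or feed into a ticketing system.  Note that only ports in state "open" are counted toward the attack surface; a "filtered" result (as for 8180 in the sample) means a packet filter dropped the probe, which is exactly the effect of the firewall tuning recommended in the final thoughts.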




Final Thoughts:


Nmap is a very important tool that is used by both security professionals and malicious attackers.
To reduce what an Nmap scan can learn about an asset, disable all non-essential services.  Doing this limits the attack surface and "hardens" the target against malicious attackers.  Another layer of defence against network reconnaissance is a finely tuned firewall: ports whose probes the firewall silently drops show up as "filtered" rather than "open", and service and OS fingerprinting have far less to work with.

I'm done with this blog post...  It was more daunting than I previously thought.  If you have any questions, please feel free to ask in the comment section below.

Wednesday, February 20, 2013

Tips on Passing the CISSP Examination

If I had to summarize the Certified Information Systems Security Professional exam in one word, I would use the word "challenging".  The CISSP can be described as the most coveted certification in the computer security industry.  Prior to taking the exam, I researched what many people had to say about it.  After hearing many contrasting stories, I decided to share my thoughts, insights and opinions on the CISSP examination.

What materials did you use?


Official (ISC)2 Guide to the CISSP -

The Official Guide to the CISSP was my primary source when it came to study materials.  I recommend this book on the sole fact that it officially covers every question on the exam.  This book is very comprehensive but also very dry.  If I had to study for this test over again, I would first check out the Shon Harris All-In-One Exam Guide.  I heard the reading in the All-In-One Exam Guide is a little lighter.


CCCure.org
CCCure.org is an online quiz engine tailored for tests like the CISSP and the Certified Ethical Hacker.  Although the website layout appears to be a bit dated, the quiz engine works like a charm.  The CCCure.org quiz engine has a database full of questions and provides statistics on how well you did in certain areas.  I found this to be the most beneficial!  There is a free limited version of the quiz engine, but I highly recommend the paid version.


What strategies did you use to study?

Study, Study, Study - 

This goes without saying.  Unfortunately there are no short-cuts when it comes to studying.  As long as you have good study material, you should set aside at least one hour a night for 3-5 months.  Schedule yourself an ample amount of time before the exam.  It is important to not study too feverishly or else you will burn yourself out on the abundant amount of facts you will be trying to memorize.  It is also important to take a night off once in a while to drink a beer (if in fact that is what you are into).

Utilize What You Are Studying -
It is very beneficial if you have an IT job that allows you to apply your newfound knowledge.  Try to apply what you studied to your daily job routine.  For example, if you are studying access control, what access control mechanisms do you interact with on a daily basis?  Can these access controls be improved or refined?

What are some good tactics when taking the test?


Use the Process of Elimination -
And use it well!  I felt that many of the questions on the CISSP exam were very vague.  I felt that I used the process of elimination on roughly 80% of the exam.

Be Comfortable with the 10 Domains - 
I feel that if you can categorize an uncertain question into one of the 10 domains, you may have better insight when choosing an uncertain answer.  Just for reference, the 10 domains to know are:
  • Access Control
  • Telecommunications and Network Security
  • Information Security Governance and Risk Management
  • Software Development Security
  • Cryptography
  • Security Architecture and Design
  • Operations Security
  • Business Continuity and Disaster Recovery Planning
  • Legal, Regulations, Investigations and Compliance
  • Physical (Environmental) Security
For a more verbose list, click here.

Flag the Questions you Feel Doubtful On -
Now that the CISSP is computerized, it is quick and easy to flag a question for review.  I unfortunately flagged the first 100 questions or so.  Don't do this. It didn't help me.  Only flag the questions you feel very uncertain about.  But by all means, if you have extra time at the end of your exam, skim and review every question possible.

Time Management - 
When taking the exam, you have 6 hours to answer 250 questions.  After the first 100 questions you feel a little brain dead.  Find a way to pace yourself.  Don't spend too much time on one single question.  Flag it and move on, you may have a better grasp on the answer the second time through. 

Pre-Exam Preparations - 
Make sure that you get a solid 7-8 hours of rest the night before.  If possible, try to warm your brain up with some practice questions before you start the test.  I didn't, but it might help you.  Eat food with fiber and complex carbohydrates.  I prefer oatmeal.  Also, many people say that you shouldn't use caffeine due to the crash, but I don't listen to that because...

I LOVE COFFEE!!!


Conclusion 

The test is challenging, but not impossible by any means.  Many people never feel prepared enough going into the exam, but then again I don't think you are supposed to.  The test is very broad and sometimes theoretical.  If you spend a hearty amount of time studying and take some interest in what you are learning, most likely you will be fine.

Monday, February 18, 2013

Setting Up Metasploitable on Virtual Box

What is Metasploitable?


Metasploitable is an intentionally vulnerable Linux virtual machine created by Rapid7 as an educational tool for information security consultants.  In summary, Metasploitable is a target operating system that is meant to be probed, scanned and exploited.  Using this operating system for anything legitimate would be insanity, and it should never be exposed to an untrusted network.

What is the purpose of this article?


This article is a step-by-step guide on how to download the virtual machine and install it in the Oracle VirtualBox Manager.  Let's get started.

1.  I found Metasploitable-2 by doing a Google search, which ultimately led me to SourceForge.  You can search the internet for it yourself or you can simply click this direct link to the SourceForge download page.



2.  Download and save Metasploitable-2 to an accessible directory.  I simply saved the file to my desktop.

3.  Once Metasploitable-2 has downloaded, unzip the file to your desktop or a directory you feel comfortable with.


4.  Once the file is unzipped, we must locate the directory to place the files in.  If you are using Windows 7, or another Windows variant, the files will typically go in the following directory:  C:\Users\[USERNAME HERE]\VirtualBox VMs\      ---    Note:  I removed my username for security reasons; replace [USERNAME HERE] with your own Windows account name.


5.  Within the VirtualBox VMs directory create a directory with a relevant name.  I simply labeled mine Metasploitable-2.  You can name it whatever you want.

6.  In the VirtualBox manager click New.  Click Next.


7.  Personalize the new virtual machine by naming it and selecting Linux as the operating system type.  I believe an incorrect selection in this window won't have any real impact.  After selecting your options, click Next.


8.  Select the amount of memory we want to allocate.  I left it at 256MB because Metasploitable is meant to simply sit there as a target and not do very much.


9.  Click Next, and this is the important part.  The setup will ask you if you want to create a new virtual disk image.  Select "Use existing hard disk".  Then click the folder with the green arrow on it.  This will allow you to browse for the unzipped files we downloaded.  Navigate to the C:\Users\[USERNAME HERE]\VirtualBox VMs\Metasploitable-2 folder (if you did in fact name it that) and select "Metasploitable.vmdk".

 

10.  Hit next, then hit create.

11.  There are a few settings that need to be configured before starting Metasploitable.  Right-click on the machine and click Settings.  Under Settings go to the Network tab.  Network Address Translation is not a good option for this scenario (a NAT'd guest can reach out, but other machines cannot reach its services without port-forwarding rules), so for simplicity's sake I change it to the Bridged Adapter setting.  This gives the VM an IP address from my LAN's DHCP server.  Be aware that bridging puts a deliberately vulnerable host on your real network; if your attacking VM also runs in VirtualBox, an Internal Network or Host-only Adapter on both VMs keeps the target reachable from the attacker while isolating it from everything else.


12.  Lastly, I had a problem where, when booting, Metasploitable-2 showed an error stating:

This kernel requires the following features not present on the CPU:
0:6

The feature it is asking for is PAE.  This problem was corrected by again opening the Settings window for the virtual machine, going to the System page, clicking the Processor tab and then ticking the "Enable PAE/NX" check box, which exposes the flag to the guest so the kernel will boot.


13.  You are done!  You are done after 13 boring steps!  You are now ready to test your offensive security skills!



Sunday, February 17, 2013

Hello World!

Hi Everyone,


Yes.  I've finally done it.  I've created a blog.  I've never been a fan of blogs for some reason.  I viewed them as being too simplistic, too easy.  I always believed that it was important that a person craft a website from scratch.  After wrestling with HTML and CSS nightmares, I have given in to Blogger.com.  I think I like it so far.

The purpose of this blog is for it to act as a living portfolio of my information security research.  Currently I am in between jobs and I would like to build a portfolio to show to potential employers.   Enjoy.  =)