
Thread: Hardening w/o firewall

  1. #31
    MrLinus (Just a Virtualized Geek)
    So far, nessus and nmap have failed to work under xp (with the correct winpcap). I got to get to class, maybe I can post the errors later.
    That's something I've heard a lot. Perhaps take a look at Retina (use the 14-day trial) or other Windows-specific vulnerability scanners. Or, if you have a spare box, fire it up in Linux. WebAttack (now called SnapFiles) has a nice selection of freeware scanners.

    And aren't you supposed to use Newt for Windows in regards to Nessus?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #32
    This sounds more like what HT was talking about... and Maestro's comment brought up something similar, but not what HT was speaking of...

    I think HT might have been confused; I was able to get to his screen not through the group policies, but through the control panel on my network connection (right-click, Properties).

    Now that I think of it, I might have been confused as to where it was. I attached a screenie.

    MsM...

    I used newt, and it doesn't work. I do have access to a linux box with all of these tools working... but I don't like it when stuff doesn't work on windows (easier to get stuff done on one box). All of those tools practically come by default with most distros, I wish windows would do the same. It all came with slack, by the way.


    As for stealth vs. closed:
    The problem with this is simple -- it is not possible to attack closed ports, and as a result it is unnecessary to hide them from scanners. This simple piece of information is the key to defending vs. mass-scanners - don't. They can't hurt you. And as far as directed attacks go, do you think that having your ports stealthed vs. closed is going to discourage a talented and determined attacker? Do you honestly think that they are going to say to themselves, "Well damn, the guy stealthed his ports...if he had only left them closed I would have tore him up..."
    That guy offers no credibility behind the quote, but I think he's right.
    http://www.dslreports.com/forum/rema...2338~mode=flat

    I'm starting to believe that a program that offers realtime monitoring of your ports (like what fport does, but in realtime) would be more effective (and less bloated) than a firewall, maybe. An ideal program of this nature would be an icon in the system tray that I can click on and see what's going on with my ports, and it would monitor the software (set access rules) trying to access the internet. Anything like this?

    Actually I think what I just said is what a firewall basically is....

  3. #33
    I apologize for being a post whore today....


    Retina absolutely rules. Thanks MsM, I'm in love... It detected all kinds of flaws with my box. I attached a screenie again.

    The problem is... it's telling me I am all up to date on windows update, but this is telling me I am missing patches...



    Edit/correction:

    Those are patches that are already in place, the red arrows... at least I think so.

  4. #34
    MrLinus (Just a Virtualized Geek)
    Keep in mind that sometimes patches != hotfixes. Do searches in the Knowledge Base to see if there are other files to install. Also, use some other scanners to double-check what Retina found. While eEye is good, no one is perfect.

  5. #35
    Senior Member
    Hey Hey,

    Originally posted here by Soda_Popinsky
    This sounds more like what HT was talking about... and Maestro's comment brought up something similar, but not what HT was speaking of...

    I think HT might have been confused; I was able to get to his screen not through the group policies, but through the control panel on my network connection (right-click, Properties).

    Now that I think of it, I might have been confused as to where it was. I attached a screenie.
    Soda: I was tired at the time and my thoughts ran, that's why I posted the second time.

    Soda: Connection Properties are separate... I guess I didn't separate them all that well. Look under View Network Connections --> Properties for your specific connection --> TCP/IP --> Advanced --> Options.
    You can do TCP or UDP port-based filtering or IP protocol-based filtering from that screen.

    The other option is IPSec, which is found under group policy (gpedit.msc) in the security section. I just ran them together quickly, hoping that you'd pick out the separation.

    As far as patches go, you should remember that MS Office patches have to be installed separately; they aren't included in the Windows Update site. You have to visit the MS Office site and run the online update that's located there.

    Another app that you may wish to check out is LANguard Network Security Scanner. It's not necessarily as advanced as Retina, but it'll give you a very decent scan. -- http://www.gfi.com/lannetscan/

    Peace,
    HT

  6. #36
    Maestr0 (Senior Member)
    "I'm starting to believe that a program that offers realtime monitoring of your ports, (like what fport does, but in realtime)"
    http://www.antionline.com/showthread...939#post734939

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  7. #37
    Senior Member
    I'm starting to believe that a program that offers realtime monitoring of your ports (like what fport does, but in realtime) would be more effective (and less bloated) than a firewall, maybe. An ideal program of this nature would be an icon in the system tray that I can click on and see what's going on with my ports, and it would monitor the software (set access rules) trying to access the internet. Anything like this?

    I had missed this until I saw Maestr0's post. I would highly recommend that you check out TCPView from Sysinternals. It does just about everything you want. Monitors connections in "real time" (there might be a few second delay for refreshes). It'll map it to an application, and allow you to kill any established connections...

    You can find it @ http://www.sysinternals.com/ntw2k/source/tcpview.shtml

    There's another program but its name has slipped my mind. I believe it's Telsa or something similar to that; if I find it I'll post a link.

    [Edit]
    I remembered the name, it's Tesseract. You can find it @ http://www.snapfiles.com/get/tesseract.html

    PS. AO needs a strike-out tag, then we could strike out old comments and post the new ones. People could follow the line of thought (old stuff would be kept for continuity). I'm going to wander over to the suggestions forum.
    [/Edit]

    Peace,

    HT

  8. #38
    Again, I'm very sorry for bringing up a controversial thread, but it's so interesting to me I feel I have to (also sorry for knocking this thread back to the top of the main page).

    http://www.antionline.com/showthread...289#post733045
    Don't believe me? Turn on your Windows machine and turn off your firewall. Now ask a friend to run a complete TCP and UDP port scan on you. Notice the stack of UDP goes further and further down the list. How could this happen, even though you are not running the services?

    Because windows REQUIRES THEM, but only needs them internally. Since they are still kept open to the public, they still cause you a threat.
    nmap my.ip.my.ip -sU
    Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-04-23 13:06 CDT
    Interesting ports on xxxxxxxxxx (xxx.xxx.xxx.xxx):
    (The 1476 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    123/udp open ntp
    1025/udp open blackjack

    Nmap run completed -- 1 IP address (1 host up) scanned in 2.957 seconds
    Then fport of those ports:
    FPort v2.0 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com

    Pid Process Port Proto Path
    4 System -> 445 TCP
    332 ccApp -> 1027 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    0 System -> 123 UDP
    4 System -> 445 UDP
    332 ccApp -> 1025 UDP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    0 System -> 1026 UDP
    Documentation has shown that stopping ccApp would cause my auto-protection to cease in NIS and NAV, so I'm not sure about closing that.
    0 System -> 123 UDP
    If I were to disable ccApp, that port UDP 123 would be left, and it's a system process. Any suggestions as to what that is? Every port listing has just said reserved.

    Anyways... regardless of whether I still need a firewall to protect that port or not (maybe a way to close it?), I picked up more stuff from this thread than maybe any other thread, so thanks a lot AO...
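As an added example (not code from any poster in this thread), a small Python script that parses the two listings quoted above, fport's process-to-port table and nmap's UDP scan, and joins them so every port the scanner reported open is tied to the local PID and binary that owns it, which is the question the post is really asking about UDP 123 and 1025. The embedded sample text is constructed from the post's own figures and assumes the fport v2.0 and nmap 3.48 layouts shown there.

```python
import re

# Constructed sample input in the two formats quoted in the post above (fport v2.0
# table and nmap 3.48 -sU output); the values mirror the post, not a live capture.
FPORT_OUTPUT = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Pid   Process          Port  Proto Path
4     System       ->  445   TCP
332   ccApp        ->  1027  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
0     System       ->  123   UDP
4     System       ->  445   UDP
332   ccApp        ->  1025  UDP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
0     System       ->  1026  UDP
"""
NMAP_OUTPUT = """(The 1476 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
123/udp  open  ntp
1025/udp open  blackjack
"""
# fport data row: pid, process, "->", port, proto, optional image path.
FPORT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")
# nmap port row: "<port>/<proto>  <state>  <service>".
NMAP_ROW = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_fport(text):
    """Map (port, proto) -> (pid, process, path) for every socket fport lists."""
    listeners = {}
    for m in filter(None, map(FPORT_ROW.match, text.splitlines())):
        pid, proc, port, proto, path = m.groups()
        listeners[(int(port), proto.lower())] = (int(pid), proc, path)
    return listeners

def parse_nmap(text):
    """Return [(port, proto, state, service)] for the ports nmap printed."""
    return [(int(p), pr, st, sv) for p, pr, st, sv in
            (m.groups() for m in filter(None, map(NMAP_ROW.match, text.splitlines())))]

def externally_reachable(fport_text, nmap_text):
    """Tie each port the scanner reported open to the local process that owns it."""
    listeners = parse_fport(fport_text)
    report = []
    for port, proto, state, service in parse_nmap(nmap_text):
        if state == "open":
            pid, proc, path = listeners.get((port, proto), (None, "unknown", ""))
            report.append({"port": port, "proto": proto, "service": service,
                           "pid": pid, "process": proc, "path": path})
    return report

def bound_but_not_seen(fport_text, nmap_text):
    """Sockets fport shows bound that the scan did not call open: closed, filtered or unscanned."""
    seen = {(p, pr) for p, pr, st, _ in parse_nmap(nmap_text) if st == "open"}
    return sorted(k for k in parse_fport(fport_text) if k not in seen)
```

Keep in mind that nmap of that vintage calls a UDP port "open" simply because no ICMP port-unreachable came back, so the join with fport is what tells you whether a process is actually bound there, and a port that is bound but absent from the scan (here 445 and 1026) is the kind of thing a host-based filter or a stopped service is hiding.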

  9. #39
    MrLinus (Just a Virtualized Geek)
    Again, I'm very sorry for bringing up a controversial thread, but it's so interesting to me I feel I have to (also sorry for knockin this thread back to the top of the main page).
    NEVER apologize for making people think and question things. If we didn't, no one would learn anything. And that is often what is needed the most in Security: for people to learn good habits, get rid of the bad and understand things better.

    Now in regards to the ccApp, the question is should it be allowed to run as a service/server? After doing some quick research I found out this about it:

    Process File: ccapp or ccapp.exe
    Process Name: Common Client CC App
    Description: Associated with Norton AntiVirus 2003, which runs auto-protect and email checking facilities. Without this service, both facilities cannot function correctly.
    So you may need a firewall in this case (hopefully something a little more than ZA)

  10. #40
    Junior Member
    You can use IPSec rules to allow ICMP internally and deny ICMP echo replies externally. This will still allow pinging inside the network itself.
    ASCII to ASCII, DoS to DoS
