February 2nd, 2005, 03:46 AM
I know I could post this at IDS forum, but I consider myself newbe in IDS and in Hacking in general so I will just post my questions here.
I need instruction (easy step by step) on installing either 'nmap' or 'snort' so that I can use it on a Windows GUI.
My personal attempt on looking for such information and trying to do it myself didnt work for the following reasons:
*most instruction I found on the web are outdated.
*Nmapwin is outdated
*Most of them consider the user as an advanced user, thus no step by step instruction.
While using Nmap on command prompt is fairly easy, I didnt have much luck with snort.
*What is the best Freeware IDS?
*What is the best Commercial IDS?
*Can IDS tell if a firewall is using spoofed (fake) open port? I have a friend from a differant country who has set up a box for me to play with. He says he has installed Cisco PIX firewall, which nmap found out , along with the filtered ports,instantly with the "-P0" option; but not without it. What could be the reason?
I am trying to find out if it's possible to break into a box that is firewalled, while I am sure it is possible, I am trying to learn it from ground up. I think setting up a proper IDS and getting the right information is important before I look for information for the next step.
Any help is appreciated.
ps, So many questions........... So much to learn!!
February 2nd, 2005, 05:37 AM
Yada! yada! yada! blah! blah! blaAAH!
but I consider myself newbe in IDS and in Hacking in general so I will just post my questions here.
spoofed or faked port? WTF!? You can host a service that has no actual purpose other than simply being there & you can do some redirection around the network. That? But uhhh... ummm... yeah... fine, ok, whatever. ****in' l33t h4x0r d00D.
February 2nd, 2005, 06:16 AM
Constantine you might want consider going to www.insecure.org and snort.org or winsnort.org and searching for install information. Installing Nmap is as easy as unzipping all the files (dont forget to add registry information for "nmap_performance.reg" and in snort you have to edit a file (i am sorry i do not remember the name) but if you just go to download page of Nmap a complete instruction of installation and download procedure is given. As far as Nmap only command line version (Nmap 3.75) is available.
As far as your question about free (opensource) IDS snort is the best and Commercial IDS goes i still like snort but these are my opinion. It's better you search for both FREE and Commercial type of IDS on internet and decide which is best for you.
Breaking into a box which is firewall is possible but depends on many thing's. Like using a vunrabilty or using a vunrabilty in configuration by the user. All this also requires you too learn about how a firewall works ans how TCP/IP protocols work.
If you reall want to beome a elite cracker or hacker you migh want to consider not scanning using any portscanner becasue if they dont know you are going to crack and/or break into their server or if they dont expect you they want be looking for you (but this is just me). remember that portscanning is not the only way to findout which OS the target is running and also there are lot of ways you can fool portscanner (like Nmap) in OS fingerprinting.
As far as setting up and running Snort you might want to but Snort 2.1 by syngress (www.syngress.com)
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
February 2nd, 2005, 06:59 AM
The insecure.org nmap for windows is garbage.
Use nMapNT instead: http://www.eeye.com/html/Research/Tools/nmapnt.html
Installation is very basic point and click and includes a gui.
February 2nd, 2005, 07:08 AM
I've seen you mention that a few times in the past catch...
The only problems I've run into is scanning localhost and an odd bug a long time ago. What's your reasoning for the opinion?
February 2nd, 2005, 07:28 AM
I'd never rely on the results of a network scan on local host anyhow.
I prefer nMapNT because it just plain works for everyone that I've suggested it to, as opposed to nMap Win which has no installer, no GUI, works poorly with XP SP2, it requires extra software, and frequently requires even more extra software.
People who ask this type of question typically want something simple that just works.
PS. Also, when I first formed the opinion, though this may no longer be applicable, nMapNT was faster.
February 2nd, 2005, 04:19 PM
I just downloaded nMapNT, and there isn't a binary with a GUI anywhere in the .zip. It looks like there might be source for nmapfe though.
There isn't an installation GUI, it's a zip file with a binary (at least it is in the link you provided). I remember nmap had problems with SP2 initially, but I think there was a release soon after with a fix.
Anyhow nmap for win is pretty slow, I'm giving nMapNT a chance today
February 2nd, 2005, 10:54 PM
It is possible, I've not used either in a good two years now, but at that time nMap Win was a terrible product that had development halted and nMapNT was a good workalike to nMap.
The nMapNT download page looks different, so perhaps it is no longer includes the simple point and click install GUI.
nMap Win seems to have had development restarted with the help of eeye people... maybe the two are more similar now. Still, when people suggest nMap Win to neophtes, they almost invariably come back with problems. Never seems to happen with nMapNT.
Please let me know how the speed of the two projects currently compare.
PS seems the XP SP2 fix is a work around, not a patch. Could be complicated for a non-advanced user.
February 2nd, 2005, 11:17 PM
For freeware IDS check out Snort and also Sguil, actually Sguil can be used with snort and presents a much better way to review alerts than that ACID thing. Thats your best bet for freeware.
As for commercial, I guess one big factor is how much you want to spend, you could buy a TippingPoint IPS sensor for $50k (basic model I believe) or look at Okena (no owned by Checkpoint) or one of the other 100 IDS that seem to be popping up. Oh, there is also sourcefire which is a commercial version of snort (not sure in the logic of that, but anyway).
So, whats you budget?
As for Nmap, -P0 is the no ping option, so if it you don`t specify that and scan something that won`t respond to a ping then the scan will fail. Which would be why you see ports when using -P0 but not when you don`t.
And sure, its possible to "break into" a box that has IDS or IPS,.
Quis custodiet ipsos custodes
February 3rd, 2005, 01:25 AM
Thanks everyone for your help!!
TheSpecialist : Thank you very much for your very informative post. If you have some time you might wanna right this : http://www.albion.com/netiquette/book/index.html
ByTeWrangler : Thanks for the informations! Nmap is actually easy in comand line.
Snort is confusing and it most likely requires extensive third party, even if it's free, software.
I haven't yet succesfully used it. My approach towards learning to break into a firewalled box is this:
* Look for services running. First find out how to do it. IDS is obviously the first choice. Look for the best possible IDS out there and learn hwo to use it inside out (I am at this stage now).
* When you have a list of services running (including OS), look for vulnerabilities of the specific version of the software running the services. Study the vulnerabilities, practice them on test mode and than apply them on real life examples.
It obviously is a long process, since I am learning from scratch. In this process I will learn things that are directly or indirectly related to it. For instance: TCP/IP protocols as you mentioned and probably some scripting languages too.
catch : I tried the nmapNT from the link you provided. It doesn't have a GUI. Work the same way nmap 3.75 works. However I tried the demo version of "eyee" IDS. It was horrible. Even when I uninstalled it left a service behind which loads up in the back ground everytime I start up my PC. Don't know how to remove that thing.
R0n1n : I am not willing to spend anything more than $50, even so it needs to be damn good. I don't know if there is anything like that out there. If not, I will settle for freewares.
Also I was referring to "firewall" when I asked if it's possible to break into a box that's firewalled. Not if it has IDS or IPS(? what's that ?)
Currently I am trying to install Snort under windows (prefreably with GUI).