Archive

Posts Tagged ‘Security’

Find all computers on a network – Using Nmap – free tool

September 6th, 2011 No comments

I’m a huge fan of a tool called nmap (nmap.org). It is a network tool that can do many things. The simplest is to determine whether a host is active. Any time I connect to any network I run a quick scan to see who my neighbors are on the network.

To do a network scan with nmap you only need one bit of information: your IP address. Below is a scan from my local network. A quick ipconfig showed that my local IP was 192.168.2.118; armed with that information I can tell that the network segment is 192.168.2.1/24.

To scan the network you only need to issue the command:

nmap -sP 192.168.2.1/24

Here is the result on my Windows machine.

The scan took 9.16 seconds. This is a pretty fast network scan. In 9 seconds I was able to determine I have 12 devices connected: a few iPhones, an iPad, a printer, and other machines.

I am always interested in performance and I wanted to see if my Linux machine would do the scan faster. (NOTE: the Windows machine is using an 802.11g network and the Linux machine is over the LAN bridge using Wireless G as well.)

On Linux the same nmap command ran in 5.4 seconds. In this simple test the Linux nmap process was a bit faster.

Overall it is always a great idea to see what and who is around you when on a network. I did not go into more detail, but you can always use nmap to do more investigation. I can cover that in a later article.

Happy scanning.
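
An added example, not part of the original post: once you know who is on your own network, the same ping scan can be compared against a list of devices you expect. The sketch assumes the scan was saved in nmap's grepable format (`-oG -`); the sample output, host names and the inventory are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of grepable ping-scan output (nmap -sP -oG - <target>);
# these hosts are made up for the example and are not from the post.
SAMPLE_SCAN = (
    "# Nmap scan initiated: nmap -sP -oG - 192.168.2.0/24\n"
    "Host: 192.168.2.1 (router.home.example)\tStatus: Up\n"
    "Host: 192.168.2.118 ()\tStatus: Up\n"
    "Host: 192.168.2.131 (printer.home.example)\tStatus: Up\n"
    "Host: 192.168.2.140 ()\tStatus: Up\n"
    "# Nmap done: 256 IP addresses (4 hosts up) scanned in 7.02 seconds\n"
)

# Hypothetical inventory of devices the owner expects to see.
KNOWN_DEVICES = {
    "192.168.2.1": "router",
    "192.168.2.118": "my laptop",
    "192.168.2.131": "printer",
}

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+Up\s*$")


def scan_target(ip, netmask):
    """Turn the address and mask shown by ipconfig into the CIDR block to scan."""
    return str(ipaddress.ip_interface(f"{ip}/{netmask}").network)


def parse_live_hosts(grepable_text):
    """Return {ip: reverse-DNS name or ''} for every host reported Up."""
    hosts = {}
    for line in grepable_text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            ip = str(ipaddress.ip_address(m.group(1)))  # rejects malformed addresses
            hosts[ip] = m.group(2)
    return hosts


def unexpected_hosts(live, known, cidr):
    """Live hosts that are missing from the inventory or outside the scanned block."""
    net = ipaddress.ip_network(cidr)
    odd = [ip for ip in live
           if ip not in known or ipaddress.ip_address(ip) not in net]
    return sorted(odd, key=ipaddress.ip_address)


if __name__ == "__main__":
    cidr = scan_target("192.168.2.118", "255.255.255.0")
    live = parse_live_hosts(SAMPLE_SCAN)
    print(f"scan target: {cidr}, {len(live)} hosts up")
    for ip in unexpected_hosts(live, KNOWN_DEVICES, cidr):
        print(f"not in inventory: {ip} {live[ip] or '(no name)'}")
```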

Secure your home network – Block sites – OpenDNS

July 2nd, 2011 No comments

I get all types of security questions from home users. How do I secure my wireless so people can’t use it? How can I make sure people can’t steal files on my computer? How can I keep the kids from going to sites they are not supposed to be on?

For the last one, how to secure and block sites, I recommend OpenDNS. Not only does OpenDNS allow you to speed up your surfing (more on that later), it also allows you to monitor, maintain, and block sites that are used from your network.
Use OpenDNS

To use OpenDNS you need to set your router’s DNS service to use OpenDNS. This is a fairly simple task if you know how to administer your home router. In most cases your router is a Netgear, Linksys, or D-Link device. OpenDNS has instructions for most versions. Once you add their Primary (208.67.222.222) and Secondary (208.67.220.220) IP addresses to your router you are almost done.

You then create an account at OpenDNS and set up your rules. I chose the moderate setting and then modified it to block adult content and removed Proxy / anonymous sites (since I use wifi-vpn.com).


customized Settings

With a simple DNS change on your router you can now block all types of sites and specific URLs. For example, if you wanted to block some specific port site or other URL (www.xxxsomething.com) you would add it to the OpenDNS block list. One of my colleagues at work has blocked Facebook when his kids did not meet the grades or rules.

Once you have set your rules / filters for OpenDNS you can monitor what is being done on your network. OpenDNS has great reporting to show you how much traffic you have done and what domains people go to. Here is a sample of what people have gone to on our family cottage wireless network.

Overall OpenDNS is a great tool for your home or business. It can block unwanted sites and also track usage and sites people should not go to.

Migrate FileZilla ftp info (Not Secure)

April 23rd, 2011 No comments

I use FileZilla as my main FTP client. It is a wonderful tool for FTP, FTPS, SCP (SFTP) and other transfer protocols. I am getting a new laptop and needed to transfer / back up my settings. I have a lot of sites stored and did not want to go looking for all the username and password information.

FileZilla allows you to back up your information and transfer it to a new system. To do this you need to:
1. Open FileZilla
2. File | Export
3. Select (export site manager entries and export settings)
4. Save the XML file to your hard drive.

This backup contains all your site manager information. It also stores your password in the clear. If you look at the XML file you can see the element has your passwords. This is not a safe thing, for those of us who are security conscious. I am no longer storing my passwords in FileZilla and will be prompted when using FTP or SFTP. As much as I like FileZilla, I’ve started looking for an alternative. One option I’ve read about is to use a password storage tool like “KeePass” with FileZilla. I will have to try this.

If anyone has suggestions please let me know.
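
An added example, not part of the original post: before copying an export to a new machine, it can be audited for stored passwords and a scrubbed copy written instead. The element names used here (`Server`, `Host`, `User`, `Pass`, `Name`, and the `encoding="base64"` attribute) are an assumption about the export layout, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed export for the example. The element names (Server, Host, User,
# Pass, Name) are an assumption about the export layout, not taken from the post.
SAMPLE_EXPORT = """\
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port>
      <User>alice</User><Pass>constructed-secret-1</Pass>
      <Name>Example FTP</Name>
    </Server>
    <Folder>Clients
      <Server>
        <Host>sftp.example.net</Host><Port>22</Port>
        <User>bob</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
        <Name>Client SFTP</Name>
      </Server>
    </Folder>
    <Server>
      <Host>files.example.org</Host><Port>21</Port>
      <User>carol</User>
      <Name>Prompt every time</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def _text(server, tag):
    node = server.find(tag)
    return (node.text or "").strip() if node is not None else ""


def audit_export(xml_text):
    """List entries that carry a stored password, without revealing it."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue
        # base64 is an encoding, not encryption: treat it as recoverable.
        how = "base64-encoded" if pw.get("encoding") == "base64" else "plaintext"
        findings.append({"site": _text(server, "Name"), "host": _text(server, "Host"),
                         "user": _text(server, "User"), "stored_as": how})
    return findings


def scrub_export(xml_text):
    """Return the export with every stored password element removed."""
    root = ET.fromstring(xml_text)
    for server in list(root.iter("Server")):  # list() so removal is safe
        for pw in server.findall("Pass"):
            server.remove(pw)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"{f['site']}: {f['user']}@{f['host']} password stored ({f['stored_as']})")
    print("entries with passwords after scrub:", len(audit_export(scrub_export(SAMPLE_EXPORT))))
```

Entries scrubbed this way prompt for the password on connect; the original export should still be treated as a credential file and deleted or stored encrypted.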

Public Wifi – Coffee Shop Security

April 22nd, 2011 1 comment

I went to a coffee shop today to do some work: update a few documents and get some random things done that I have been putting off. As always I log onto the coffee shop wireless and connect to my VPN (read other articles here and here).

After completing the items I had set out to do, I took some time to do some poking around on the wifi. Since wireless is basically you sharing a network with others, it is easy to see what people are doing. I used a simple nmap query to see who my neighbors are.

That scan showed me 5 active people and their IPs. It also let me know that the router had HTTP running. Since I already knew the PC names and what ports they had open (someone had a web server running), I decided to look at the wireless router. To my surprise it was running DD-WRT, my favorite router firmware. DD-WRT is a very powerful router firmware that can turn a basic wireless router into a great device.

However there are a few settings you need to understand when using DD-WRT. One in particular is to disable the default status page for unauthenticated users. This page shows a lot of information that you don’t want snooping people like me to see. Things like:

  • Public IP
  • Firmware version
  • Device Type and name
  • Connected users (IP address, mac address, dhcp lease)

Not only was this on, but I was also able to see the other computers on the network (without doing an nmap scan). So the PC of everyone who had connected in the last 2 hours was listed on this page. I decided to push up a pic. My PC is called TP2.

 

This is scary to me because someone took the time to use a great open source firmware but not the time to properly secure it. It is also interesting to see the number of Android devices that were using the wifi. I guess the same is true for iPhone devices.

I can’t stress this enough: when on public wifi use a VPN. If you don’t have one, head on over to wifi-vpn.com and subscribe or purchase.

The other item on the list is BT; that is the BackTrack VM that I started to do some network sniffing.

Free Icon set for Developers

January 8th, 2011 No comments

I am frequently creating Visio diagrams to use for software development or web applications. I typically use the built-in elements and icons. Recently I have found it difficult to find some items that I would like to have in my designs. The great team and group over at OSA (www.opensecurityarchitecture.org) have many tools to help both with designs and with elements in the designs.

If you are not familiar with OSA I would recommend looking at some of their patterns or their library to understand how this great group can be useful. They help visually display both IT standards and security standards.

Recently I have been using their Creative Commons released icon set to help in my designs: simple icons like padlocks, wifi signals, users, and servers. Not only are they good looking but they are very functional. It never hurts to have a design that is both elegant and useful.

Secure Browsing on Public WiFi connection

November 14th, 2010 No comments

I’ve posted before regarding browsing the web on a public wifi network like your local coffee shop or restaurant. I will repeat my message: this type of browsing is not secure, because you don’t know who else is on the same network you are using. It is not hard for someone to view your sessions or info. Take for example Firesheep: it allows anyone who uses Firefox to download a plug-in and see other wifi users’ Facebook sessions.

So what are you supposed to do? To begin with, you should secure your connection to the internet. Securing your connection can be done a few ways. Some of the more practical methods are SSH tunneling or a VPN connection. These allow you to use an unsecured wifi network and send your traffic to a known secure network somewhere else.

If you are unsure what a SSH tunnel or a VPN is, you may have more trouble securing your connection. For the novice I suggest using a Free or Paid VPN service if your work does not offer one.

Here are two free VPN connections that I am aware of:
1. OPENVPN.net – http://www.openvpn.net/ SSL/TLS based VPN that you need to install software to use (windows or linux)
2. MacroVPN – http://www.macrovpn.com/
3. USA IP – http://www.usaip.eu/en/free_vpn.php
4. Projectloki – http://www.projectloki.com/

Paid VPN connections
1. AlwaysVPN – http://alwaysvpn.com/
2. Wifi-vpn – http://www.wifi-vpn.com/
3. AccessVPN – http://www.accessvpn.com/
4. http://worldvpn.net/

I have not used any of these services but have seen them on a few top 5 lists. I use both SSH and VPN connections back to my home or my office to secure my connections.

I recommend using a PPTP client on your home router as a simple method to secure your connections. Read my article on how to set up a VPN on DDWRT.

FireSheep – Blacksheep – what is legal

November 8th, 2010 No comments

I love the new Firefox plug-in that allows you to view user sessions. It is a simple plug-in called Firesheep that uses WinPcap to capture packets and hijack web sessions. If you have not heard of this, head on over to Firesheep and read more.

What I find funny is the fact that people are all worked up about their security and the fact that others could see what they are doing. I am amazed that people somehow think that a wifi hotspot is secure. I’ve seen people do online banking at Starbucks, or a few online purchases at BigB’s. If you are not sure of who is giving you WiFi (public wifi does not count) then don’t do anything that you would not want the person next to you to see.

Firesheep is a good example of this: it no longer takes a “computer guy” to be able to sniff packets and basically snoop on your browsing. It is now a simple click and install and watch others’ Facebook info…

Here is a great article about the legality of using Firesheep (http://www.computerworld.com/s/article/9194159/Is_it_legal_to_use_Firesheep_at_Starbucks_).
I find this interesting; basically the argument would be that you are doing something illegal by use of wiretap. I would equate Firesheep to two people in a coffee shop talking. One person is next to you and the other is all the way across the room. The person next to you is yelling at the top of their lungs to communicate to the person on the other side of the room. He may be yelling his credit card number to be able to purchase a coffee drink, or maybe his username / password to his bank account to allow the other guy to enter it into the computer for him. The same is true when you share a wireless (wifi) network with your closest friends at a coffee shop: you are basically yelling your information over the wire (or wireless in this case).

If a person decides to listen, is that illegal? Aren’t you and that other person sharing the same space, communication? It’s not illegal to both communicate. When does it become illegal to listen?

If you are concerned about people snooping, use some type of security tunnel to your home network, use SSL everywhere, or set up a VPN. If you don’t know about these things and would like some help, give me a call or email. I can help you understand how to do this and also why to do this.

There is now a little Firefox plug-in for detecting Firesheep called BlackSheep (http://www.zscaler.com/blacksheep.html). Reminds me of the fuzz buster… then there was the radar detector detector…

Setup VPN on DDWRT

November 4th, 2010 No comments

I use DDWRT as my home router / firewall. It has some of the best features that can be found on a router. Visit DDWRT for more information.

I use the VPN when I am not in a trusted location. I have set up my iPhone, iPad, and computers to use this as my connection to the internet any time I am not at home. By having a secure connection I am comfortable using the web wherever I am. On a non-trusted connection, say a coffee shop wireless, traffic from your computer is sent encrypted from the PC over the VPN to your home router, then out to the internet.

To set up the VPN on DDWRT you need to log into the admin section. Select SERVICES | VPN. You need to enable PPTP, Broadcast support, and Force MPPE Encryption.

The Server IP is the internal IP of your router (192.168.2.1 is what I use).
The Client IP(s) are the dynamic IPs you want the connecting devices to use. I have set 192.168.2.200-220; this allows for 20 devices to connect and get IPs.
CHAP-Secrets: the usernames / passwords for each user. Note the “*” after both the username and password.
Unless you have a RADIUS server, keep that set to Disabled.

With DDWRT you can have a simple and easy VPN server set up at your home that allows you to connect securely back to your home or office. I often use my VPN to also remotely take over machines at my house. I have my iPad configured to use this setting whenever I am on a non-trusted connection.


Public WiFi is not SAFE.

July 10th, 2010 No comments

http://wwj.cbslocal.com/2010/07/08/dangers-of-free-public-wifi/

If this article is news to you, please take the time to learn how to be secure. If the idea of doing more work to be secure scares you then please take the time to do a few minor things. Understand that when using public wifi (anywhere you don’t know whose wi-fi network you are using) you should not do anything that you would not want the person sitting next to you to see. Example: don’t do banking, online purchases, or share any personal information.

The reason you would not do these activities is that you do not know who is listening or watching. It is relatively simple for a hacker to intercept (“man in the middle”) your information as you are using the wi-fi network. The interception happens because the wi-fi you are using is available to everyone around you.

If you do intend to use public wifi please use a VPN or some other method to secure your information.


iPad browser detect (User-Agent)

April 12th, 2010 1 comment

For many years developers have been using the User-Agent element of the browser to detect what web browser a person is using. This is very useful for designers when they are looking to make a very functional site in older browsers or add new technology (IE 6).

In my last post I looked at the port scan of an iPad. Today I decided to look at the header information.

I opened up Wireshark (packet sniffer) and watched the iPad traffic.

If you look at this information it has some interesting bits. It does identify the actual device ‘iPad’ in the user-agent string. A developer could read the string and look for the iPad or even iPhone user-agent to target these devices.

Here is a copy and paste from yoyo.org, used to read header info from the web for my iPad.

Host: pgl.yoyo.org
User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://www.google.com/search?q=view+browser+headers&ie=UTF-8&oe=UTF-8&hl=en&client=safari
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive

I think it is interesting that in the string it also has OS 3_2 like Mac OS X.

Here is the header information for my iPhone.
Host: pgl.yoyo.org
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7D11 Safari/528.16
Referer: http://www.google.com/m/search?oe=UTF-8&client=safari&hl=en&aq=0&oq=view%2520browser%2520head&aqi=g1-k18d1t0&fkt=3393&fsdt=14019&q=view+browser+headers
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
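
An added example, not part of the original post: reading the device and OS version out of the two User-Agent strings shown above. The header values are the ones captured in the post (the iPad request is trimmed to three lines); the function names are hypothetical.

```python
import re

# Headers as captured in the post (iPad request, trimmed to three lines).
IPAD_REQUEST = (
    "Host: pgl.yoyo.org\r\n"
    "User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) "
    "AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 "
    "Mobile/7B367 Safari/531.21.10\r\n"
    "Accept-Language: en-us\r\n"
)
IPHONE_UA = (
    "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; en-us) "
    "AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7D11 Safari/528.16"
)

# Device token right after "(" and the "CPU [iPhone ]OS 3_2 like Mac OS X" part.
APPLE_MOBILE = re.compile(
    r"\((?P<device>iPad|iPhone|iPod)\b[^)]*?\bCPU (?:iPhone )?OS "
    r"(?P<version>\d+(?:_\d+)*) like Mac OS X"
)


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_user_agent(ua):
    """Return (device, os_version_tuple) for Apple mobile UAs, else None.

    The header is supplied by the client and is trivially spoofed, so the
    result is a layout hint only, never an input to an access decision.
    """
    m = APPLE_MOBILE.search(ua or "")
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("_"))
    return m.group("device"), version


if __name__ == "__main__":
    ipad_ua = parse_headers(IPAD_REQUEST).get("user-agent")
    print(classify_user_agent(ipad_ua))
    print(classify_user_agent(IPHONE_UA))
    print(classify_user_agent("Mozilla/5.0 (Windows NT 6.1)"))
```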

iPad security (port scan)

April 12th, 2010 2 comments

Continuing my security theme, I decided to see what the iPad looks like on a network. Can you ping it, what does nmap say about it, does OS detection work, are there any open ports?

To test this I used both my iPhone (jimiz-phone) and iPad (jimizIP) connected to my wireless network.

The first thing I did was look up the MAC address. There are many ways to do this but I like to use www.coffer.com/mac_find/. It answers with Apple Inc:
7C-6D-62 (hex) Apple, Inc
1 Infinite Loop
Cupertino CA 95014
UNITED STATES

I then ran 3 different OS detection tools: Nmap, Zenmap, and xprobe2. NOTE: Zenmap is really just a GUI for nmap but it does clean up the OS detection. All three tools did a good job on calling out the OS as Mac.

Nmap: iPad (It detected the iPad as OS X 10.5.6)
Interesting ports on JimizIP.jimizhome.com:
PORT STATE SERVICE
62078/tcp open iphone-sync
MAC Address: 7C:6D:62:C7:FA:17
Running: Apple Mac OS X 10.5.X
OS details: Apple Mac OS X 10.5 - 10.5.6 (Leopard) (Darwin 9.0.0b5 - 9.6.0)

Nmap: iPhone (it detected the iPhone OS)
Interesting ports on Jimiz-Phone.jimizhome.com:
PORT STATE SERVICE
62078/tcp open iphone-sync
MAC Address: 00:26:B0:67:18:B3 (Unknown)
Running: Apple iPhone OS 2.X
OS details: Apple iPod touch audio player (iPhone OS 2.2)

Zenmap: (both iPad and iPhone) detected both devices as an iPod Touch iPhone OS 2.2 – Screen Capture

Xprobe2: iPad (OS x 10.4.1)
[+] Primary guess:
[+] Host JimizIP Running OS: "Apple Mac OS X 10.4.1" (Guess probability: 100%)
[+] Other guesses:
[+] Host JimizIP Running OS: "Apple Mac OS X 10.4.0" (Guess probability: 100%)
[+] Host JimizIP Running OS: "Apple Mac OS X 10.3.9" (Guess probability: 100%)

Xprobe2 iPhone (OS x 10.4.1)
[+] Primary guess:
[+] Host Jimiz-Phone Running OS: "Apple Mac OS X 10.4.1" (Guess probability: 100%)
[+] Other guesses:
[+] Host Jimiz-Phone Running OS: "Apple Mac OS X 10.4.0" (Guess probability: 100%)
[+] Host Jimiz-Phone Running OS: "Apple Mac OS X 10.3.9" (Guess probability: 100%)

Each OS detection package did a pretty good job in showing it is an Apple product. Nmap was able to identify the iPhone. I am guessing as the nmap OS database gets updated it will also detect the iPad.

One interesting item that did show up is that the port scan showed that port 62708 was open on both the iPhone and iPad. I did a little looking and it is the iphone-sync port.

Overall it looks like both devices are fairly secure over the wifi connection. It is always amazing to see what information your devices leak out (MAC address, open ports, OS detection, and user info).

Secure – Lock your iPad – lock screen

April 9th, 2010 2 comments

The iPad is like any other device: it has your data on it. No matter if you use it at home or out in a coffee shop, you need to make sure that your data is safe. The iPad, like the iPhone, allows you to lock the device from use with a 4 digit passcode.

To enable locking your screen you need to go to Settings | General | Passcode Lock.

Select Turn Passcode On.

You will then be asked to enter a passcode. You have to enter this twice.

You then have an option on Require Passcode (Immediately, After 1, 5, 15 min or 1, 4 hours). I use immediately.

It never hurts to add one more level of security. A passcode is a simple way to keep others out of your info / mail / information. I have set the auto-lock to 5 min on the iPad.

iPad VPN (configure and setup)

April 5th, 2010 27 comments

So far the iPad has been a great hit in our home. From remote access, browsing the web, email and movies. I have only good things to say about this device.

Inside the comfort of my own home I know my connection is safe. However, when I venture out to public wifi or a coffee shop, I cannot be as comfortable with the network security. When using my laptop at a public wifi I normally use SSH or a VPN to secure my connection. I will show you a quick how-to on using VPN on your iPad to get a secure connection when using a public hotspot.

To use a VPN client on your iPad you will need a VPN server somewhere. I use DDWRT as a VPN server at my home. It has a built-in PPTP VPN server. The iPad supports PPTP, IPSec, and L2TP.

Thankfully the iPad has a built-in VPN client. To access the settings for this you will need to go into Settings | General | Network.

Under your network settings you can find vpn connections. In this section you can turn on vpn, view the status of a connection, add a connection or edit a connection. We will be adding a connection:

Next you select “Add Vpn Connection”. Select PPTP, L2TP, or IPSec. For each type of vpn you have different options:
PPTP:

L2TP:

IPsec (cisco):

Once you have set up your VPN connection you only need to go back to the settings page (Network / VPN) to enable the VPN connection. You can then view the status and be connected and browsing through your VPN tunnel. In the image below I am connected to my home VPN and have an IP of 192.168.2.200.

Happy secure browsing. Remember to still take precautions when in a public location and using any type of secure sites.

If you are in need of a personal VPN provider, I recommend wifi-vpn.com.