Security :: Interpreting Zenmap Results: Network Distance And Traceroute Hop Values

Apr 18, 2011

I ran two scans in Zenmap: 1) Quick scan plus and 2) Quick Traceroute. Quick scan plus, under the Nmap Output tab, has a field called "Network Distance". The Quick Traceroute report under the same tab lists the HOP and RTT time. I was thinking that for a given server, the value for the Network Distance would be the same as the HOP field when initiating the scans from the same server, but they are not.


OpenSUSE :: Zenmap As Root In KDE (11.4) - "Cannot Execute Command Zenmap"

Apr 2, 2011

I have installed nmap/zenmap from rpms in 11.4. Zenmap as root runs fine from the CLI, but when launched from the KDE Kickoff Application Launcher I get a message back: Cannot execute command ' 'zenmap ". 'which zenmap' finds zenmap in /usr/bin, no problem.


Networking :: Zenmap Intense Scan Crashes Network

May 13, 2010

I just started messing with the networking tools in Linux, and I've discovered that when I run an intense scan in zenmap on 192.168.1.1-254, the network crashes. By network crash I mean - All clients on the network lose connectivity.


Software :: Script : Assign Values To Variables Using "awk" Results?

Nov 17, 2008

I want to write a script to find out the journal size of an ext3 file system. I have two commands (graciously provided by unSpawn):
Code:
The journal is located at inode:
tune2fs -l /dev/device | awk '/Journal inode/ {print $3}'

The size is:
debugfs -R "stat <inodenumber>" /dev/device 2>&1| awk '/Size: / {print $6}'|head -1
These commands work okay from the command line. I wanted to do something like code...


Ubuntu Security :: Difference In The Output Of A Port Scan Using Zenmap On The Same System With UFW Turned Off And Then With It Turned On

Feb 16, 2010

This is the difference in the output of a port scan using Zenmap on the same system with UFW turned off and then with it turned on. It is obvious that UFW works.


OpenSUSE Network :: Traceroute - Permission Denied For Root

Apr 8, 2011

As root I get the following result:

ngssuse:~ # traceroute -nI 10.200.123.45
Note: the -i and -I options were exchanged for compability with LBL traceroute
Use -I for ICMP, and -i <ifname> to specify the interface name
unable to create ICMP send socket: Permission denied

Is this a bug?


Security :: Change Of Umask Values In Fedora 11

Feb 4, 2010

Recently I was going through some chmod manipulations and found the umask value to be 0002 by default in the Fedora 11 distro. As far as I knew, the default value was 022. I don't know whether this is a kernel modification in this distro or my system is compromised (I doubt the latter option, but not confirmed).


Fedora Security :: Restore Default Boolean Values?

Jul 5, 2010

I think I've messed my SELinux boolean values. How to restore default boolean values?
Modified boolean values are stored in

Code:
/etc/selinux/targeted/modules/active/booleans.local
Can I just delete the file and reboot to get the defaults?


Security :: Question - GPG On Two Different Machines (different Results)?

Apr 23, 2010

I'm using gpg to encrypt and sign a file on a Linux machine. Using the same keys, the file is encrypted and signed on a Windows machine, and the file sizes are different.

I then encrypted and signed on another windows machine and again the file sizes are different. Does GPG use some random stuff from the machine during encryption?


Ubuntu Security :: Understanding ClamTK Scan Results

Apr 10, 2010

I've installed ClamTK on my Kubuntu 9.10 installation, since it's connected to a Windows 7 machine. When I ran a scan, it found 9 'viruses', but they are all within my home directory > Opera/mail/store and are either status Phishing.Heuristics.Email.SpoofedDomain OR HTML.Phishing.Bank-593. I recently synced my Hotmail into Opera, so I checked the corresponding dates in my Hotmail account and deleted the emails which I thought were related; however, after clearing down my Opera history, etc., re-booting my PC and re-scanning, the results are the same. How do I clear down these files?


Ubuntu Security :: Clamav Scan Results And Out Of Date?

May 29, 2011

I am a newbie in Ubuntu. I did clamscan on my Ubuntu /, and I got the result message as follows. It shows "486 errors". I am wondering if the result is OK or I need to do some action on it.

Known viruses: 968595
Engine version: 0.96.5
Scanned directories: 28067
Scanned files: 131696
Infected files: 0
Total errors: 486
Data scanned: 9020.40 MB
Data read: 17800.31 MB (ratio 0.51:1)
Time: 1349.479 sec (22 m 29 s)"

Also, my engine is 0.96.5. The latest version is 0.97. But "aptitude upgrade" cannot upgrade the engine to 0.97. I understand 0.97 is still in testing. I am wondering if I can just stay with 0.96.5 and wait for 0.97 to pass all tests. If so, does it cause any security issue?


Ubuntu Security :: Odd Port Scanning Results - 646 - Dropping Packets

Jun 6, 2010

I was testing the security of my Ubuntu 10.04 64bit install by running a port scan from [URL] and I came upon some odd results. It appears that basically all my ports are closed, but only Port 646 is dropping packets silently. Furthermore, Port 80 is open.


Security :: Netfilter Hook - Kernel Module - Skb_transport_header - Tcphdr Fields Wrong Values

Apr 1, 2010

We are trying to implement a firewall as kernel module through netfilter hooking (in C). In the following code we are allowing only TCP traffic. Source port number and destination port number are printed for every TCP packet. On execution, this code prints wrong port numbers. This is the first time we are using skb_transport_header function for accessing tcp headers.

We verified port numbers being printed by the firewall through NFS traffic. On the same machine where the firewall is running, we hosted an NFS server. An NFS client (from a different system) puts a file in the exported mount. The firewall is able to capture packets for this file transfer, but the port numbers printed are wrong. It prints '69' for source port number (whereas Ethereal capture shows it as 790) and prints '553231' for destination port (whereas for NFS version 4 it has to be 2049).

[Code]....


Security :: Honeynet Challenge Results: Forensic Analysis Of A Compromised Server

May 7, 2011

I just noticed the results of the Honeynet Project's Challenge 7: Forensic Analysis of a Compromised Server have finally been posted today. Just got done reading one of the submissions and it's pretty good if anyone is interested in how to analyze a Linux incident involving evidence from memory and the file system.


Ubuntu Servers :: Interpreting Mdadm RAID1 Status?

Feb 7, 2011

I have a RAID1 array, where mdadm states that one of the disks is "removed." Naturally, I assume one of the drives has failed. The mdadm --detail command tells me that the sda drive has failed. However, further inspection from the mdadm -E /dev/sdb1 command says that the sdb1 disk has been removed. I am a bit confused. Can someone clarify which drive has failed? Am I misreading the command outputs?

Code:
sudo fdisk -l
Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes

[Code]...


General :: Interpreting Output Of Memory Tools In RHEL 5.3?

Mar 15, 2010

I have been doing a lot of research on the web to piece together the components I need to understand what is probably a very simple thing. I've read up on buffers/cache vs. physical memory and using free -m and top and understanding that output, and reviewed Red Hat's article on virtual memory. I am hoping to get some assistance in putting it all together to understand what's happening in my situation because so far I have a lot of dangling factoids and no glue. I have also referenced the thread http://www.linuxquestions.org/questi...memory-309767/ but I didn't find my answer there.

My company is running a cluster of physical web servers (they are clones so running the same OS, with same RAM and applications installed). I'll be referring to a single system although the question applies to all because they're all showing similar output. The Multi Router Traffic Grapher is showing a steady swap usage for 3-4 months now. The average usage for today is 81%. There is, as far as I know, no performance hit because of it, but a developer noticed this and wanted to know what was going on, and I'm using this opportunity to learn. The system is Linux version 2.6.18-128.7.1.el5, running JBOSS, postgres, Apache, and Java. Here is the output from the memory commands I have used to try and understand what's going on.

Code:

top - 21:19:27 up 159 days, 7:43, 1 user, load average: 0.52, 0.61, 0.64
Tasks: 144 total, 1 running, 143 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2%us, 8.0%sy, 0.0%ni, 91.9%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st

[code]....

So my interpretation of this output tells me that my system has 4GB of RAM installed, 23MB of free "physical" RAM, and 1.35GB of RAM in cache (according to the second line of free -m, which represents free physical memory and useable mapped memory if I understand correctly). I have a 2GB swap partition, 1.5GB of which is currently being used, and according to the MRTG is the average that has been in use since January. So the swap size isn't decreasing. Java (JBOSS) is using the most physical RAM at 1.6GB.

My question is: if I have 1.35GB of RAM cached, why is my system using all of that swap space and not using any of the cached RAM? I thought I understood that Linux is supposed to either re-use unmodified pages in cache or send older pages to disk when more RAM was needed. It seems like my system is always sending pages to disk, which I guess would normally mean I just need more RAM but, to have close to the same swap size consistently seems like there must be more to it.


OpenSUSE Network :: Ssh To Server Results In Pausing On Client

Jan 22, 2011

I set up an ssh server that works fine when using the terminal, but trying to run programs like Firefox fails. It will open partially and then simply hang. Less complicated programs can open successfully and run fine, but cause my remote computer to pause every 5 seconds for about a second.


Ubuntu :: Installing Lots Of New Users At A Distance?

Apr 22, 2010

I want to install Ubuntu on many different new users' systems from a distance. I am looking for the simplest, cleanest way to pull this off. These systems will only boot Ubuntu... no dual boot systems. Plus, I need a way to accommodate different size hard drives such that the entire hard drive is used. There will be a novice computer user on site who can insert a CD or DVD for me and boot the machine.


Software :: Find The Distance To The Wireless Transmitter?

Apr 8, 2010

Currently one of my neighbours has his/her router transmitting open ( no encryption ) web access for anyone to enjoy. Unfortunately I do not believe he/she is aware others can use his/her internet or that the wireless feature is on at all. The reasons behind this are simple. The router is using its default SSID, and the access password and username are default. If I wanted to I could stuff up his/her router badly, but I am a nice person.

I need to locate his/her router. The only method I know of other than doorknocking is to locate it via three distance measurements from three different points. If I have 23 metres from point A for example, it could be 23 metres in any direction, creating a circle of possible positions. A second position and distance reading will allow me to narrow that down to exactly two positions, and a third distance reading will tell me exactly the spot the router is transmitting from.

I've drawn a diagram and attached it to explain what I plan to do. What I need to know how to do is get access to any information on the distance of the router from where my computer is. Even if each measurement is off by 1 or more metres, it should still be accurate enough to pinpoint a single house.


Security :: Using Open Source Network Security Tools On Large Network

Jul 5, 2010

How efficient and effective are these (Snort, Argus, OSSEC, etc.) for an organization having a 3500-PC network, connected through 700+ Cisco devices (Layer 2 and Layer 3), and scattered across 130 different sites (geographically)? What should be the combination of products, and what should be the architecture for an efficient forensics activity?


Programming :: Watch Not Interpreting Escape Codes In Bash Script

Jul 19, 2010

I need a script that can print some series of strings in colors based in the information of a file, for simplicity let's say it only does:

Code:
#!/bin/bash
printf "\e[1;31;32m%-10s\e[00m" "OK"

When you execute this in the command line it prints a bold green 'OK'. So far so good.

Now, I need to check the output of the script over time using the command watch. The problem then arises. watch seems to ignore the escape codes and just prints:

Code:
[1;31;32mOK [00m

Is there any way to fix this?

If not, how can I check inside the script if it is being executed from a command? (watch in this case) So I can print without color for those cases.


Ubuntu :: Get Root Access From Zenmap?

Jul 14, 2011

I've just installed Zenmap and was wondering could anybody show me how to get root access.


Software :: Zenmap Not Working In Fedora 14

Nov 17, 2010

I recently installed nmap-5.21 on my Fedora using the tar.gz file, and the installation was successful (with the typical dragon head at the end of configuration), after which I did make and make install and it showed installation successful. Now there is an icon for Zenmap and Zenmap as root under my Internet menu, but they don't work. When I tried to run the command /usr/local/share/zenmap/su-to-zenmap.sh %F the output is:

[root@blitz ~]# /usr/local/share/zenmap/su-to-zenmap.sh %F
python: /builddir/build/BUILD/Python-2.7/Objects/dictobject.c:759: PyDict_SetItem: Assertion `value' failed.
/usr/local/share/zenmap/su-to-zenmap.sh: line 50: 24779 Aborted (core dumped) $COMMAND
[root@blitz ~]#

I checked line 50, which has 'fi' at the end. I'm new to Linux and the only problem I face is installation of software.


Security :: Change Values Of Parameters For Iptables "recent" Match?

Dec 8, 2010

According to the man page, the "recent" match of iptables accepts certain parameters (e.g. "ip_list_tot"). I'd like to change the values of some of them.
All the solutions found on the web were about changing parameters for the module, but my kernel was compiled without module support (such that it can be used for installation booting as well).
How can I change the match parameters for my non-modular kernel?


OpenSUSE :: Install Chkrootkit / Rkhunter And Zenmap In 11.2 Kde

Jun 23, 2010

How to install chkrootkit, rkhunter and Zenmap in SUSE 11.2 KDE?


Red Hat / Fedora :: Remote Desktop Just Works When Connecting From Close Distance?

May 5, 2011

To be sure that the remote desktop was working, I tried from home, where I have both the laptop I want to connect to and the laptop from which I make the connection. It worked without any problem, but now I'm trying to connect from my workplace and it's not working anymore. Both are connected to the same VPN, so I don't know where the problem comes from.


Server :: Creating Users For Remote Access To A Red Hat FTP Server?

May 20, 2010

Hello,
Here is my problem: I have an FTP server running Red Hat. How do I create users (but not local users), that is, users who can access the remote FTP server from an FTP client (on another machine) with a username and password?
Please give me a detailed answer if possible.
Thank you very much.


Software :: Create Some Distance Between Sets Of Child Nodes In Freemind Maps?

May 21, 2011

What I'm trying to do is create some distance between sets of child nodes in my Freemind maps. See the attached png file to see what I'm getting at. Is there a way to do this, other than using clouds?


General :: Saving The Results Of The Time Command While Discarding The Results Of The Command Being Timed

Apr 6, 2010

I'm timing how long it takes to run a command foo. I'm looking to append the results from the time command to a file, and discard the results from the foo command. I tried the following, but it didn't do what I want:

$ time ./foo > /dev/null >> output_from_time_command.txt


Ubuntu :: Run A Traceroute On 11.04?

Aug 12, 2011

How do I run a traceroute on 11.04?

Copyrights 2005-15 www.BigResource.com, All rights reserved