Nping - port redirection detection.

Yesterday I got an email from insecure.org about the beta version (5.30) of nmap. For
those who use nmap, I recommend reading the changelog: they fixed and changed a few things and added new interesting scripts. Also, from now on Nping will be part of the nmap distribution (like ncat).

Nping is a "ping"-like tool but on steroids (something similar to hping2); it has a lot of powerful features that can expand host discovery techniques in many different ways. Like nmap's ping options with packet trace, Nping lets you check the response TTL values and more or less determine whether there is port redirection on a remote router (read my previous posts about finding port redirection with nmap).

Here is a simple example:
nping --tcp -flags syn -p3389,22,1723 -c 1 -H [x.x.x.x]
(where x.x.x.x is an IP address)

--tcp -flags syn TCP protocol, only the SYN flag will be set
-p ports to check
-c 1 reduces the number of packets sent to one round (for more information check the Nping man page)
-H show only the responses, not the sent packets

One of the differences I found between nmap and nping is that nping is a little bit slower (nmap ~0.4 sec / nping ~3 sec); currently I don't know why this is happening or how I (as a user) can speed it up. Maybe it's a parameter issue.

How to clear security eventlog with the SYSTEM account.

After you clear the security log, one log entry is created (Event ID 1120) with information about who did this (account name, domain name) and when.
If, for some reason, you want to hide that information, you can clear the security log (or other event logs) as the SYSTEM account. This account exists on every Windows operating system, so it is hard to guess who really cleared the log.
Let's do it.
First of all, you need two applications, psexec.exe and psloglist.exe; you can get them from sysinternals.com. Next, open a command prompt and change directory to where you downloaded these files. Type the following command:

psexec -accepteula -s -c psloglist.exe -accepteula -c system -n 1

psexec switches:
-s Run remote process in the System account.
-c Copy the specified program to the remote system for execution. (psloglist.exe in our case)

psloglist switches:
-c Clear the event log after displaying it
-n 1 Show only the most recent entry (you can omit this if you want to see all events)

-accepteula accepts the license agreement automatically (the first time you run a Sysinternals tool you have to accept the license; this switch avoids waiting for a user response)
The really cool thing about this trick is using it on a remote machine:

psexec \\[host] -u [user] -p [password] -accepteula -s -c psloglist.exe -accepteula -c security -n 1

Of course you must have suitable privileges to clear the security log (in most cases you have to be an administrator).

Nmap - port redirection detection.

A port redirection detection method (not perfect!), with an example:

nmap -sS -PN -n --max-parallelism 1 --packet-trace -p1723,3389 x.x.x.x
(where x.x.x.x is an IP address)

If the SYN/ACK TTLs for the two ports differ, it sometimes means that there is port redirection on a router. Also, by looking at TTL values you can identify the remote OS (e.g. a TTL close to 128 is probably MS Windows).
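The TTL comparison described in this post and in the Nping post above, as an added example that is not part of the blog: a small Python script that parses the RCVD lines of an nmap --packet-trace (or nping) run, groups the replying ports by TTL, and flags a target that answers from more than one TTL. It generalises the post a little by also counting RST/ACK replies from closed ports and by rounding each TTL up to the common initial values 64/128/255 to estimate OS family and hop distance. The trace lines are constructed, the IP addresses are placeholders, and the exact line format is an assumption modelled on nmap's trace output.

```python
import re
from collections import defaultdict

# One received TCP reply as printed by nmap --packet-trace / nping (assumed format):
#   RCVD (0.0512s) TCP 10.0.0.5:3389 > 192.168.1.10:54321 SA ttl=125 id=... iplen=44 ...
LINE_RE = re.compile(
    r"^RCVD \([\d.]+s\) TCP (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+) ttl=(?P<ttl>\d+)"
)

# Common initial TTLs of well-known IP stacks; the observed TTL is rounded up to the
# nearest one, and the difference is the approximate hop count.
INITIAL_TTLS = {
    64: "Linux/Unix (64)",
    128: "Windows (128)",
    255: "network device / Solaris (255)",
}

# Constructed trace: 1723 and 22 are answered by the router itself (TTL 251, i.e. 255
# minus 4 hops), while 3389 is forwarded to a Windows box behind it (TTL 125 = 128 - 3).
SAMPLE_TRACE = """\
SENT (0.0210s) TCP 192.168.1.10:54321 > 10.0.0.5:1723 S ttl=59 id=1001 iplen=44 seq=1 win=1024 <mss 1460>
RCVD (0.0512s) TCP 10.0.0.5:1723 > 192.168.1.10:54321 SA ttl=251 id=0 iplen=44 seq=2 win=4128 <mss 536>
SENT (0.0720s) TCP 192.168.1.10:54322 > 10.0.0.5:3389 S ttl=59 id=1002 iplen=44 seq=3 win=1024 <mss 1460>
RCVD (0.0910s) TCP 10.0.0.5:3389 > 192.168.1.10:54322 SA ttl=125 id=2048 iplen=44 seq=4 win=8192 <mss 1460>
SENT (0.1100s) TCP 192.168.1.10:54323 > 10.0.0.5:22 S ttl=59 id=1003 iplen=44 seq=5 win=1024 <mss 1460>
RCVD (0.1300s) TCP 10.0.0.5:22 > 192.168.1.10:54323 RA ttl=251 id=0 iplen=40 seq=0 win=0
"""


def parse_replies(trace_text):
    """Return {target_port: (flags, ttl)} for every received TCP reply in the trace.

    SENT lines and non-TCP lines are ignored; both SYN/ACK (open) and RST/ACK
    (closed) replies are kept because each one carries the answering host's TTL.
    """
    replies = {}
    for line in trace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            replies[int(m.group("sport"))] = (m.group("flags"), int(m.group("ttl")))
    return replies


def guess_initial_ttl(ttl):
    """Map an observed TTL to (initial_ttl, hops, label); unknown if above 255."""
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return initial, initial - ttl, INITIAL_TTLS[initial]
    return None, None, "unknown"


def group_by_ttl(replies):
    """Group target ports by the TTL of their reply: {ttl: [ports...]}."""
    groups = defaultdict(list)
    for port, (_flags, ttl) in replies.items():
        groups[ttl].append(port)
    return {ttl: sorted(ports) for ttl, ports in groups.items()}


def analyse(trace_text):
    """Return (suspicious, report_lines).

    suspicious is True when the replies come back with more than one TTL, the
    hint that different ports are answered by different hosts (port redirection).
    """
    replies = parse_replies(trace_text)
    groups = group_by_ttl(replies)
    report = []
    for ttl, ports in sorted(groups.items()):
        initial, hops, label = guess_initial_ttl(ttl)
        port_list = ", ".join(f"{p}/{replies[p][0]}" for p in ports)
        report.append(f"ttl={ttl:3d} ({label}, ~{hops} hops): {port_list}")
    return len(groups) > 1, report


if __name__ == "__main__":
    suspicious, report = analyse(SAMPLE_TRACE)
    print("\n".join(report))
    print("possible port redirection" if suspicious else "all replies share one TTL")
```

Run it as is to see the constructed trace split into a TTL 251 group (ports 22 and 1723) and a TTL 125 group (port 3389). Two TTL groups are only a hint, as the post says: asymmetric routing, a load balancer or a transparent proxy in front of one service can produce the same picture without any port forwarding, so confirm with other evidence before drawing conclusions.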

BTW, the shorter version of --max-parallelism is -M. Maybe I'm wrong, but -M is an undocumented shortcut; I found it when I used --max-parallelism with a value of 0, which caused the error "Argument to -M must be at least 1!". :)

Welcome!

Hello and welcome to my new playground. It's been a while since I've made something ambitious, like for example my previous blog (digitalinsane.com). For about two years I've been working in a small company as an ERP application developer. It's a fine job; however, I feel that I'm stuck. If someone asks me "Do you like your job?", the answer will be "I have to." Like every human being on the planet I need money to survive, and doing boring business things is currently the only way to survive, so I have to like my job. Anyway, I did a few cool things in JavaScript a couple of years ago and I thought I'd do this until I got completely bored of it, but my job has changed me. Now I'm focused on operating systems, networking, SQL servers, business intelligence applications, etc. As you can see, these things are not related to what I've been doing in the past, so I had to change my interests. Also, I needed to find something that makes all these things less boring and frees me from feeling stuck. So, I've become interested in computer security, pentesting, the bright and dark side; I've desired to be a ninja or Jedi (please stop laughing), and because of that I decided to create a new blog instead of continuing digitalinsane.com, which was mostly about JavaScript frameworks.

I hope you enjoy this one.