Tag Archives: security

Scan a subnet with Nmap

A simple Nmap invocation that is useful when you need to sweep an entire subnet for active hosts and find the IP (and MAC) addresses they use. I am not an Nmap expert; if you have a better method, let me know.

1. From a command line window issue the command below.

nmap -v -sn 192.168.1.0/24
  • -v  Verbose output
  • -sn  Ping scan only; disable port scanning

2. Nmap reports every address in the range and, for the hosts that answered, the latency and the MAC address with a vendor lookup. Note that the ARP ping used here only works when the scanning machine sits on the same Ethernet segment as the targets; for a remote subnet Nmap falls back to ICMP and TCP probes, which firewalls often drop, so "host down" there means "did not answer", not "nothing there".

# nmap -v -sn 192.168.1.0/24

Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-05 00:10 Mountain Standard Time
Initiating ARP Ping Scan at 00:10
Scanning 11 hosts [1 port/host]
Completed ARP Ping Scan at 00:10, 0.53s elapsed (11 total hosts)
Initiating Parallel DNS resolution of 11 hosts. at 00:10
Completed Parallel DNS resolution of 11 hosts. at 00:10, 16.50s elapsed
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
MAC Address: 00:90:7F:26:3E:13 (WatchGuard Technologies)
Nmap scan report for 192.168.1.2 [host down]
Nmap scan report for 192.168.1.10 [host down]
Initiating Parallel DNS resolution of 1 host. at 00:10
Completed Parallel DNS resolution of 1 host. at 00:11, 16.50s elapsed
Nmap scan report for 192.168.1.11
Host is up.
Initiating ARP Ping Scan at 00:11
Scanning 244 hosts [1 port/host]
Completed ARP Ping Scan at 00:11, 1.96s elapsed (244 total hosts)
Initiating Parallel DNS resolution of 244 hosts. at 00:11
Completed Parallel DNS resolution of 244 hosts. at 00:11, 16.50s elapsed
Nmap scan report for 192.168.1.12 [host down]
Nmap scan report for 192.168.1.17 [host down]
Nmap scan report for 192.168.1.18
Host is up (0.0019s latency).
MAC Address: 00:0C:29:97:30:0A (VMware)
Nmap scan report for 192.168.1.19 [host down]
Nmap scan report for 192.168.1.255 [host down]
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 256 IP addresses (3 hosts up) scanned in 52.16 seconds
           Raw packets sent: 509 (14.252KB) | Rcvd: 3 (84B)

Wipe Multiple Drives Simultaneously

This is one way to wipe (overwrite) multiple drives simultaneously. It uses a small tool called dcfldd, a forensics-oriented fork of dd that can write the same input to several outputs at once, and it is packaged for most distributions.

If you are an Ubuntu user you can install Dcfldd from the repositories:

# apt-get install dcfldd

CentOS and Scientific Linux users can install dcfldd from the RepoForge repository:

# yum install dcfldd

Dcfldd Wipe

The command below overwrites /dev/sdb and /dev/sdc with zeros, writing each 4M block to both devices at once. You can increase the block size if you want. Before running it, check with lsblk or fdisk -l that sdb and sdc really are the drives you mean and that nothing on them is mounted: dcfldd, like dd, will destroy whatever you point it at.

# dcfldd if=/dev/zero of=/dev/sdb of=/dev/sdc bs=4M

If the operation completes successfully you will get the message No space left on device, which here simply means the end of the drive(s) was reached and there is nothing left to overwrite.

5120 blocks (20480Mb) written.
dcfldd:: No space left on device

If you don't believe me, here is a screenshot (from nmon) showing the write activity on both sdb and sdc.

nmon

Conclusion

dcfldd is useful when you have to get rid of several drives at once, and as you saw the command is easy to remember. If you have any questions, leave a comment below and I will do my best to reply as soon as possible.

Home page: Dcfldd

Securely Erase A Drive With Shred

Tools like shred exist because we do not like the thought of our files ending up in the wrong hands, and if preventing that is within our reach, why not take the steps.

shred does its job by repeatedly overwriting the target with specific data patterns so that the data it held cannot be recovered by reading the medium.

As long as the system can see the drive, shred should have no trouble erasing its contents. Keep in mind that overwriting a whole drive takes a considerable amount of time.

The simplest form of shred would be:

shred /dev/sda2

This erases the second partition of /dev/sda using the default options.

But we are geeks and the defaults just won't do; if you like, you can use different parameters, as explained below.

shred -fzv /dev/sdb

-f = If necessary, change permissions to allow writing, then overwrite
-z = Add a final overwrite with zeros to hide the shredding; you don't want the drive to stand out
-v = Show progress

By default shred overwrites the target three times. If you think that is too much or too little, add -n N to change the number of passes. On a modern magnetic drive a single pass is generally considered sufficient. On an SSD or USB flash drive, however, wear levelling means that overwriting through the block device can leave old data in cells the controller has remapped, so prefer the drive's own secure-erase command (hdparm --security-erase for ATA drives, or blkdiscard) and treat shred as best effort there. The shred manual also warns that it cannot be relied on for individual files on journaling or copy-on-write filesystems; for a whole device, as here, that concern does not apply.

shred -fzv -n 1 /dev/sdb
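An added example, my own Python rather than code from shred or dcfldd, that puts the ideas of this post and the dcfldd post above into one piece of code: a write loop that feeds each chunk of pattern data to several targets in lockstep (dcfldd's multiple of=), N random passes followed by a zero pass (shred's -n and -z), a refusal to touch a device that /proc/mounts lists as mounted, and a read-back that verifies the result. The demo runs on temporary files; pointing wipe_targets at /dev/sdX requires root. The function names and the is_mounted check are assumptions of this example:

```python
import os
import tempfile
from typing import Callable, List, Sequence


def is_mounted(path: str) -> bool:
    """True if `path` is a block device listed as a mount source in /proc/mounts.

    Linux only; without /proc/mounts (or for a plain file) it returns False.
    Refusing to write to a mounted device is the check dd-style tools leave to you."""
    try:
        real = os.path.realpath(path)
        with open("/proc/mounts") as mounts:
            return any(line.split()[0] == real for line in mounts)
    except OSError:
        return False


def _device_size(handle) -> int:
    # st_size is 0 for block devices, so seek to the end instead of stat().
    handle.seek(0, os.SEEK_END)
    return handle.tell()


def wipe_targets(paths: Sequence[str], passes: int = 1, bs: int = 4 * 1024 * 1024,
                 final_zero: bool = True) -> List[int]:
    """Overwrite every target in lockstep, the way `dcfldd if=... of=a of=b` does:
    each chunk of pattern data is produced once and written to all targets.

    `passes` random passes correspond to shred -n; `final_zero` adds the -z
    zero pass, after which the target can be verified by reading it back.
    Targets may differ in size; writing to each one stops at its own end
    (dcfldd reports that as 'No space left on device').
    Returns the size of each target in bytes."""
    if not paths:
        raise ValueError("no targets given")
    if passes < 0 or (passes == 0 and not final_zero):
        raise ValueError("at least one pass is required")
    for p in paths:
        if is_mounted(p):
            raise RuntimeError(f"{p} is mounted; unmount it before wiping")

    patterns: List[Callable[[int], bytes]] = [os.urandom] * passes
    if final_zero:
        patterns.append(bytes)                 # bytes(n) is n zero bytes

    handles = [open(p, "r+b") for p in paths]  # r+b: never truncate a device
    try:
        sizes = [_device_size(h) for h in handles]
        total = max(sizes)
        for pattern in patterns:
            for h in handles:
                h.seek(0)
            offset = 0
            while offset < total:
                chunk = pattern(min(bs, total - offset))
                for h, size in zip(handles, sizes):
                    remaining = size - offset
                    if remaining > 0:
                        h.write(chunk[:remaining])
                offset += len(chunk)
            for h in handles:                  # push the pass out to the medium
                h.flush()
                os.fsync(h.fileno())
        return sizes
    finally:
        for h in handles:
            h.close()


def verify_zeroed(path: str, bs: int = 4 * 1024 * 1024) -> bool:
    """Read the target back and confirm every byte is zero (what a -z pass leaves)."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(bs)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def demo(sizes=(1024 * 1024 + 3, 600 * 1024)) -> dict:
    """Stand-in for real drives: two temp files of different sizes filled with
    random data, wiped with one random pass plus the zero pass, then verified."""
    paths = []
    for n in sizes:
        fd, p = tempfile.mkstemp()
        with os.fdopen(fd, "wb") as f:
            f.write(os.urandom(n))
        paths.append(p)
    try:
        before = [verify_zeroed(p) for p in paths]
        written = wipe_targets(paths, passes=1, bs=256 * 1024)
        after = [verify_zeroed(p) for p in paths]
        return {"zero_before": before, "written": written, "zero_after": after,
                "sizes_unchanged": [os.path.getsize(p) for p in paths] == list(sizes)}
    finally:
        for p in paths:
            os.unlink(p)


if __name__ == "__main__":
    print(demo())
```

The read-back is the part the command-line one-liners skip: a wipe that is not verified is a wipe you are taking on faith, and on flash media (see the caveat above) even a clean read-back only proves what the controller is willing to show you.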

shred will not save you from the XKCD five dollar wrench recovery method.

XKCD Five Dollar Wrench

Hash The Contents Of An Entire Drive With md5deep

Previously I wrote about hashing a directory with md5deep. Since then I have received a few comments asking how to do the same for an entire drive, which is why I decided to write this post.

The command to hash an entire drive with md5deep is as easy to understand and run as before.

Normally, if all you want is to hash a single directory, you would use the command below.

md5deep -rel E:\Encoder_Output > Encoder_Output.md5

The command for an entire drive is similar; instead of a directory path we just give the drive letter. Write the result file somewhere other than the drive being hashed, otherwise md5deep will pick up the half-written .md5 file as well.

md5deep -rel E: > E_Results.md5

Command Explanation

  • r = recurse into subdirectories
  • e = show an estimated time remaining for each file
  • l = print relative rather than absolute paths
  • E: = the drive to hash
  • > E_Results.md5 = the output file

Once you have the resulting hashes in a text file, see my second post on how to Compare Hashes With md5deep.

Windows 7 Network Share Trust

Windows 7 improved various aspects of security over previous versions of the Microsoft operating system. While improvements are usually welcome, some of the new security checks resulted in Windows no longer trusting my network share, despite it being on my LAN, which I already trust, rather than on the Internet, where I have no control.

While this is not the end of the world, it does make downloading multiple files from a network share annoying. This is what I have to put up with every time I download a file:

The Solution

Fortunately the fix is an easy one: add the IP address of the network share to the Local intranet zone.

Start by going to the Control Panel.

And click on Internet Options.

In the Internet Properties window select Local intranet.

Click on Sites.

Then click the Advanced button.

Enter the IP address of your NAS or file server and click Add.

Click on OK.

One last time click on OK.

From now on the share will no longer be treated as an untrusted source and the warning will not appear. If you add another share with a different IP address you will have to repeat these steps. Keep in mind that zone membership is per host and also relaxes Internet Explorer's checks for anything served from that address, so only add hosts you control.


Securely Erase A Drive With CCleaner

By now you probably know CCleaner and how it is commonly used to remove unwanted files, clean up the registry and perform other system tasks. Another great feature is the included Drive Wiper, which securely wipes drives.

Drive Wiper supports both hard drives and USB drives and can be told to wipe either Free Space only or the Entire Drive (all data will be erased).

Compared with other applications, CCleaner can have a drive wiped in a matter of minutes. You can choose from four sanitization methods: Simple Overwrite (1 pass), DoD 5220.22-M (3 passes), NSA (7 passes) and Gutmann (35 passes).

For this demonstration I will use a 512MB flash drive as the target. Always double-check that you are wiping the intended drive.

Let’s Start

Start CCleaner and, in the sidebar on the left, click Tools.

Click on the Drive Wiper button.

Here you select which part of the drive to erase: Free Space only or Entire Drive (all data will be erased). I want all the data on the drive gone, so I am going with Entire Drive.

You also have to choose the sanitization method, i.e. how the data will be overwritten: Simple Overwrite (1 pass), DoD 5220.22-M (3 passes), NSA (7 passes) or Gutmann (35 passes). More passes take longer; whether they are more secure depends on who you ask, and for current drives a single overwrite pass is generally considered enough (NIST SP 800-88 says as much). For my flash drive Simple Overwrite (1 pass) will do.

And click on Wipe, we are almost there.

Because humans cannot be trusted, you will be asked to type the following text exactly as shown and then click OK.

My 512MB flash drive took three minutes and twenty seconds; the larger the drive, the longer it takes to erase.

When the process is done you are taken back to the Drive Wiper menu.

With CCleaner's Drive Wiper, securely erasing a drive could not be easier. Users will appreciate the clean interface, free of unnecessary options that only take up space and confuse. It doesn't get any better for a freely available tool.

If you have any questions leave a comment below and I will try to respond as soon as possible.

Links:

CCleaner Home Page

Acronis Drive Cleanser – Securely Erase Hard Drives

There are certain tools every IT pro should have in their arsenal, and surprisingly, sometimes instead of recovering data we are required to destroy it, because you would not want an unintended party getting hold of a drive with your data on it. If you need to completely destroy all data on a drive, you should know about Acronis Drive Cleanser. It is a Windows application that lets you choose from a wide selection of national data destruction standards, depending on how thorough a job you want done.

A quick format only rewrites the filesystem structures, so the data previously held on the drive can still be recovered with standard data recovery tools.

The Interface

The user interface does not bother with unnecessary options that only take up space rather than providing functionality. The whole operation comes down to: pick the drive you want to erase, select a method, and proceed.

Data destruction standards and Algorithms

Among the supported National data destruction standards:

  • American: DoD 5220.22-M;
  • American: NAVSO P-5239-26 (RLL);
  • American: NAVSO P-5239-26 (MFM);
  • German: VSITR;
  • Russian: Russian Standard, GOST P50739-95.

Supported predefined algorithms, many of which you are probably already familiar with:

  • Peter Gutmann’s algorithm — data is destroyed with 35 passes
  • Bruce Schneier’s algorithm — data is destroyed with 7 passes

Acronis Media Builder

Acronis Media Builder creates a bootable, OS-independent version of Acronis Drive Cleanser for erasing drives in other systems. It can be saved as an ISO or written to a flash drive (23MB in total).

Conclusion

At $61 USD per license I consider Acronis Drive Cleanser 6.0 a good option when you need to erase all data from a drive. It is easy to use and, with the right options, a winning choice for securely erasing hard drives before repurposing them, selling them or handing them to an untrusted party.

Links

Acronis Drive Cleanser

Eraser – Secure data removal tool for Windows

Whether we like it or not, hard drives and USB flash drives contain more personal information than we would like. That is why it is essential to properly erase what they contain before disposing of them. We already know formatting is not the way to go; the only way to ensure permanent removal of data is to overwrite it.

Meet Eraser, a security tool for Windows that securely and permanently erases sensitive data from a drive by overwriting it with one of many available patterns. Eraser integrates seamlessly with Windows Explorer and includes a scheduler, Erase Schedule, where the user can set up tasks to erase certain files, unused disk space or the Recycle Bin.

Eraser is licensed under the GNU General Public License.

Windows Explorer Integration

After installation Eraser integrates with Windows Explorer: to erase a drive, right-click it, select Erase, and decide whether to Erase now or Erase on Restart. It can't get any easier than this.

Erase Schedule

You can also automate Eraser to erase certain files, unused disk space, a specified disk or the Recycle Bin on a schedule.

Erasure methods supported by Eraser

You can even choose your level of paranoia.

  1. Gutmann (35 passes)
  2. Gutmann Lite (10 passes)
  3. US DoD 5220.22-M (8-306./E, C & E) (7 passes)
  4. RCMP TSSIT OPS-II (7 passes)
  5. Schneier 7 pass (7 passes)
  6. German VSITR (7 passes)
  7. US DoD 5220.22-M (8-306./E) (3 passes)
  8. British HMG IS5 (Enhanced) (3 passes)
  9. US Air Force 5020 (3 passes)
  10. US Army AR380-19 (3 passes)
  11. Russian GOST P50739-95 (2 passes)
  12. British HMG IS5 (Baseline) (1 pass)
  13. Pseudorandom Data (1 pass)
  14. First/last 16KB Erasure

Why run the risk of having your erased data recovered by a stranger when a tool that erases it permanently is freely available?

Links

Eraser Home Page

Q&A: DMZ In Consumer Routers

My Linksys router has the option to set up a DMZ; is there anything I should know before making use of it?

Excerpt from Wikipedia

The purpose of a DMZ is to add an additional layer of security to an organization’s Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

A DMZ is commonly used to host Internet-facing services such as HTTP and FTP while isolating the exposed host from the Local Area Network. Although some consumer routers advertise a DMZ capability, what they call a DMZ is far from one.

WRT54GL

The use of the word DMZ is not accurate; it is not a DMZ at all. Enabling the DMZ feature on a Linksys device actually decreases the security of the LAN by opening a large hole. Consumer routers misuse the term for what is really one-to-one NAT (1:1 NAT): all inbound traffic from the WAN that is not otherwise forwarded is sent to one IP address inside the LAN. Unlike port forwarding, which forwards only the specific port you choose, the "DMZ host" receives every port, and nothing isolates it from the rest of the LAN. It sits on the same segment as your other machines, so if it is compromised the attacker is already inside.

Port forwarding is the safer option, since it limits the exposed attack surface to the ports you specify. If you really want a DMZ, consider a proper solution such as pfSense or the Cisco ASA series, which can put the exposed host on its own network segment with firewall rules between it and the LAN.

Using Hashdeep To Ensure Data Integrity

In a previous post I discussed the value of md5deep; now I am going to show you a companion tool, hashdeep. As expected, with hashdeep you can recurse entire directories, perform matching and audit against known hashes, which gives the administrator a way to check that files have not changed.

Official Hashdeep description

Computes multiple hashes, or message digests, for any number of files while optionally recursively digging through the directory structure. By default the program computes MD5 and SHA-256 hashes, equivalent to -c md5,sha256. Can also take a list of known hashes and display the filenames of input files whose hashes either do or do not match any of the known hashes. Can also use a list of known hashes to audit a set of FILES. Errors are reported to standard error. If no FILES are specified, reads from standard input.

hashdeep is the tool to use when you need to recurse entire directories; I have personally hashed directories as large as 300GB without any problems.

Recursive directory hashing

The most common use: hashdeep recurses a directory and the results are redirected to a text file (the extension is up to you). The -e parameter is optional.

hashdeep -e -r directory_name/ > output.txt
  • -r Recursive mode
  • -e Show estimated time remaining

Recursive drive hashing

Or, if you wish, you can hash an entire drive.

hashdeep -r G:
  • -r Recursive mode
  • G: Name of the drive

Perform an audit using a list of known hashes (simple form)

Once you have a list of known hashes you can audit a directory to see whether any changes were made.

hashdeep -r -a -k output.txt dir
  • -r Recursive mode
  • -a Audit mode
  • -k Load list of known hashes
  • output.txt File containing hashes
  • dir Name of the directory in question

For this example some files were changed, which resulted in a failed audit.

hashdeep: Audit failed

Perform an audit using a list of known hashes (advanced form)

This form gives detailed information about the audit. Note that a file edited in place shows up as one new file plus one known file not found, since its path is unchanged but its hash no longer matches; that is what the counts below show.

hashdeep -v -r -a -k output.txt dir
  • -v Verbose mode
  • -r Recursive mode
  • -a Audit mode
  • -k Load list of known hashes
  • output.txt File containing hashes
  • dir Name of the directory in question
hashdeep: Audit failed
          Files matched: 41
Files partially matched: 0
            Files moved: 0
        New files found: 1
  Known files not found: 1

Audit against a list of known hashes and display the hash and location of the files that failed to match

This form gives the name, location and hash of each file that failed the audit.

hashdeep -r -X -v -k output.txt dir
  • -r Recursive mode
  • -X Negative matching: display each file whose hash is not in the list of known hashes, together with its hash
  • -v Verbose mode
  • -k Load list of known hashes
  • output.txt File containing hashes
  • dir Name of the directory in question
%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename
## Invoked from: C:\Users\Luis\Desktop
## C:\> hashdeep -r -X -v -k output.txt dir
##
6,dcd989387b401ac29bf44755f31c0952,5a3edf2142ffde0b2d9803d845c795c24bfdd610d2b9d68408f5207d47e11b4a,C:\Users\Luis\Desktop\dir\New Text Document - Copy (10).txt
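Serving both this post and the md5deep post above, here is an added example in Python (my own code, not md5deep's or hashdeep's): recursive hashing with relative paths, a manifest written in the size,md5,sha256,filename layout that hashdeep prints above (it should be readable by hashdeep -k, though that is an assumption I have not verified), and an audit that classifies files as matched, moved, new or missing the way the hashdeep output above does. The pass/fail rule, the function names and the demo tree are assumptions of this example:

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Digest = Tuple[int, str, str]          # (size, md5, sha256): hashdeep's default set
HEADER = ["%%%% HASHDEEP-1.0", "%%%% size,md5,sha256,filename"]


def digest_file(path: Path, bs: int = 1 << 20) -> Digest:
    """One read of the file feeds both hashes, as hashdeep does."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bs), b""):
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha.hexdigest()


def hash_tree(root) -> Dict[str, Digest]:
    """Recursive hashing with relative paths (md5deep -rl / hashdeep -r on a
    directory or a whole drive). Symlinks are skipped so a link cannot pull in
    files from outside the tree being recorded."""
    root = Path(root)
    entries: Dict[str, Digest] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            entries[p.relative_to(root).as_posix()] = digest_file(p)
    return entries


def write_manifest(entries: Dict[str, Digest]) -> str:
    lines = list(HEADER)
    for name, (size, md5, sha) in sorted(entries.items()):
        lines.append(f"{size},{md5},{sha},{name}")
    return "\n".join(lines) + "\n"


def read_manifest(text: str) -> Dict[str, Digest]:
    entries: Dict[str, Digest] = {}
    for line in text.splitlines():
        if not line or line.startswith(("%%%%", "##")):   # header and comment lines
            continue
        size, md5, sha, name = line.split(",", 3)          # a filename may contain commas
        entries[name] = (int(size), md5, sha)
    return entries


def audit(known: Dict[str, Digest], current: Dict[str, Digest]) -> dict:
    """Audit a tree against a known list, in the spirit of `hashdeep -a -k`.

    matched: same path, same digest; moved: same digest under a new path;
    new: digest not in the known list (reported with its hash, like -X);
    missing: known entries never seen. A file edited in place therefore
    appears as one new file plus one known file not found, exactly the
    counts the failed audit above shows. The pass rule here (only exact
    matches pass) is a simplification assumed by this example."""
    by_digest: Dict[Digest, List[str]] = {}
    for name, d in known.items():
        by_digest.setdefault(d, []).append(name)
    matched, moved, new, seen = [], [], [], set()
    for name, d in sorted(current.items()):
        if known.get(name) == d:
            matched.append(name)
            seen.add(name)
            continue
        old = next((n for n in by_digest.get(d, []) if n not in seen), None)
        if old is not None:
            moved.append((old, name))
            seen.add(old)
        else:
            new.append((name, d))
    missing = sorted(set(known) - seen)
    return {"matched": matched, "moved": moved, "new": new, "missing": missing,
            "passed": not (moved or new or missing)}


def demo() -> Tuple[dict, dict]:
    """Build a small constructed tree, record it, then edit, add and move files
    and audit again. Returns (audit before changes, audit after changes)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "a.txt").write_bytes(b"alpha\n")
        (root / "sub" / "b.txt").write_bytes(b"bravo\n")
        (root / "c.txt").write_bytes(b"charlie\n")
        known = read_manifest(write_manifest(hash_tree(root)))  # round-trip the file format
        clean = audit(known, hash_tree(root))

        (root / "a.txt").write_bytes(b"alpha, edited\n")         # modified in place
        (root / "d.txt").write_bytes(b"delta\n")                  # new file
        (root / "c.txt").rename(root / "sub" / "c.txt")           # moved
        return clean, audit(known, hash_tree(root))


if __name__ == "__main__":
    clean, dirty = demo()
    print("clean audit passed:", clean["passed"])
    print("after changes:", {k: dirty[k] for k in ("matched", "moved", "missing")})
    for name, (size, md5, sha) in dirty["new"]:
        print(f"{size},{md5},{sha},{name}")
```

The point worth noticing is in audit(): since the known list is keyed by both path and digest, a rename and an edit produce different evidence (a moved entry versus a new-plus-missing pair), which is what lets you tell tampering from housekeeping when a 300GB audit fails.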