Blog de Javier Castañón – JavCastaPosts RSS Comments RSS


Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.


Only if I lied could I love you
Nothing of our lives could we share
Only could we try to get by on a sigh
Just because, just this once, I was there.

Bandas sonoras alternativas:

  • Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

  • Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

  • Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

  • Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

  • Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

Share

PowerShell Script – Envio de mensajes via ping
http://javcasta.com/?p=8194

@javcasta

Javier Castañón

Referencia:

icmp-msg-00

Al enviar un ping (icmp echo request) se puede indicar el tamaño del buffer.
Por ejemplo desde windows seria:

x:\> ping -n 1 -l <tamaño-en-bytes 0 a 65500> <destino>

icmp-msg-1

¿Pero que es lo que windows envía en los bytes del buffer?. Para verlo, envié una serie de
pings con buffer 8, 16, 32 y 256 bytes a un Ubuntu con tcpdump (un sniffer) escuchando el tráfico icmp.

usuario@maquina$ sudo tcpdump -A -v icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:26:58.111122 IP (tos 0×0, ttl 128, id 32720, offset 0, flags [none], proto ICMP (1), length 36)
192.168.222.2 > 192.168.222.9: ICMP echo request, id 256, seq 304, length 16
E..$……}…….. ..d:…0abcdefgh……….
15:27:23.074423 IP (tos 0×0, ttl 128, id 13, offset 0, flags [none], proto ICMP (1), length 44)
192.168.222.2 > 192.168.222.9: ICMP echo request, id 256, seq 305, length 24
…..f……. …….1abcdefghijklmnop..
15:27:31.375225 IP (tos 0×0, ttl 128, id 35, offset 0, flags [none], proto ICMP (1), length 60)
192.168.222.2 > 192.168.222.9: ICMP echo request, id 256, seq 306, length 40
E..<.#…..@……. ..K*…2abcdefghijklmnopqrstuvwabcdefghi

15:28:21.729381 IP (tos 0×0, ttl 128, id 162, offset 0, flags [none], proto ICMP (1), length 284) 192.168.222.2 > 192.168.222.9: ICMP echo request, id 256, seq 307, length 264
E……………… …….3abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqr
stuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvw
abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabc

icmp-msg-2

Para el buffer de 8 bytes, windows lo rellena con “abcdefgh”
Para el buffer de 16 bytes, windows lo rellena con “abcdefghijklmnop”
Y así sucesivamente, con lo que vemos que usa el alfabeto (hasta la w) para rellenar el buffer con datos.

Como el paquete icmp lo escucho vía sniffer (tarjeta de red en modo promiscuo) no hace falta que la maquina
receptora del ping tenga su firewall que aceptarlo o desecharlo, nos da igual.

Esto me sugerió, que se pueden enviar mensajes en el buffer del ping (icmp echo request) a otra máquina.
(Y para leerlo la maquina receptora tendrá que tenner un sniffer escuchando.)

En Windows, para insertar datos en el buffer del ping, esto se puede hacer con la clase de .Net:
 System.net.networkinformation.Ping y Pingreply

icmp-msg-3

Y se me ocurrio un script en PowerShell que implementa la clase System.net.networkinformation.Ping

para enviar mensajes insertado en el buffer.

######################################################
#  Envio de mensajes via icmp echo request (ping)    #
######################################################
# By Javier Castañon - http://jasvcasta.com/ - 2.013 #
######################################################

# ref http://msdn.microsoft.com/es-es/library/system.net.networkinformation.pingreply.aspx
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Net.NetworkInformation")
$ping = New-Object System.Net.NetworkInformation.Ping

$datos = "Hola Mundo.
 En un lugar de la Mancha de cuyo
 nombre no quiero acordarme. Vivia
 un tal hidalgo ..."

$buffer = [System.Text.Encoding]::ASCII.GetBytes($datos)

$destino = "192.168.2.9"

$pingreply = $ping.send($destino, 1000, $buffer)

if ($pingreply.Status -eq "Success") {
    Write-Host "resultado: OK"
} else { Write-Host "resultado: NO OK - " $pingreply.Status }

Write-Host "Direccion: " $pingreply.Address
Write-Host "Buffer: " $pingreply.Buffer
Write-Host "Buffer length: " $pingreply.Buffer.Length
Write-Host "ttl: "$pingreply.RoundtripTime

# para escuchar en receptor linux-Ubuntu: sudo tcpdump -A -v icmp

icmp-msg-0

La lectura vía sniffer del receptor

usuario@maquina$ sudo tcpdump -A -v icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:58:50.189119 IP (tos 0×0, ttl 128, id 4882, offset 0, flags [none], proto ICMP (1), length 131)
192.168.222.2 > 192.168.222.9: ICMP echo request, id 256, seq 308, length 111
E……….
……. …-…4Hola Mundo.
En un lugar de la Mancha de cuyo
nombre no quiero acordarme. Vivia
un tal hidalgo …

Y voila :-)

Share

Integrar firewall pfSense en VirtualBox con GNS3 http://t.co/58JbtJKBEN
@javcasta
Javier Castañón


Referencias:

pfSense-on-GNS3-0

GNS3 viene con una integración más que aceptable con VirtualBox.
Se puede integrar en una topología de red en GNS3 máquinas o hosts virtuales bajo VirtualBox (VirtualBox guest)
ya sean un windows (XP) un linux (Ubuntu 12.04) … o un freeBSD (pfSense).

Voy a integrar en GNS3 una máquina virtual (de VirtualBox) con pfSense 2.03-Release instalado con dos tarjetas de red, una en modo bridge con la nic ethernet del pc, y la otra con VirtualBox Host-Only Network

Lo primero es configurar los parámetros de VirtualBox Guest en GNS3.

pfSense-on-GNS3-1

Menú Edit > Preferences > VirtualBox > Pestaña: General Settings

Y ejecutar el test (este paso es importante).

pfSense-on-GNS3-2

 Una vez pasado el test vamos a la pestaña: VirtualBox Guest
donde parametrizamos:

Nombre identificador: pfSense

VM List: <elegimos en el desplegable la maquina virtual con pfSense> pfSense203

Nº de nics: según las que tenga la maquina virtual, suelen ser un mínimo de dos para un router/firewall

Desmarco “reverse first nic for virtualbox NAT …” (reservar la primera nic para virtualbox NAT)y tambien desmarco soporte de consola y que empiece en modo oculto la máquina virtual.Salvo la máquina virtual.

pfSense-on-GNS3-3

En el editor de topología de GNS3, añado un host “VirtualBox Guest” con la maquina virtual pfSense

pfSense-on-GNS3-4

Añado una nube y le configuro la nic ethernet de mi pc, para que esta topología tenga acceso a Inet.

pfSense-on-GNS3-5

Al host pfSense le cambio el simbolo de PC al de un router_firewall

pfSense-on-GNS3-6

Termino de construir la topología, añadiendo un host con una sola nic ( VirtualBox Host-Only Network ) que se conecte al pfSense (mwdiante switch). Y añado un router Cisco 2900, que se conecte a la WAN de pfSense mediante switch.

Es importante que entre una interfaz de un host, ya sea una nube o una maquina virtual, y otro dispositivo de capa 3 haya siempre en medio un switch (dispositivo de capa 2), para evitar errores en el GNS3 (si los conectas directamente presenta errores)

Inicio los dispositivos (Start all devices). Se abrirá la maquina virtual pfSense de VirtualBox.
Y abro una consola del router Cisco R1 que he añadido, para configurarle una ip a su interfaz fa0/0

R1# configure terminal
R1(configure) int fa0/0
R1(configure-if)# ip add 192.168.2.123 255.255.255.0
R1(configure-if)# no sh

pfSense-on-GNS3-7

Si hago un ping desde pfSense a R1 es exitoso. Pero si hago el ping desde R1 a pfSense no lo es.
Ya que la interfaz WAN del firewall pfSense necesita una regla permisiva para responder a R1

pfSense-on-GNS3-8

Así que defino una regla, vía navegador (http://ip-pfSense , http://192.168.56.2) que permita cualquier tráfico desde R1 a la interfaz WAN de pfSense

pfSense-on-GNS3-9

Antes de la regla, pfSense no respondia al ping, y tras aplicar la regla si responde.

Resumiendo. Un lujazo (y free) la integración VirtualBox y GNS3. Y si a esto le añades la posibilidad con Qemu de añadir firewalls Cisco ASA y PIX y routers Juniper, tan solo tendrás por límite en tus labs virtuales la RAM de tu PC

Y voila :-)

Share

Instalar Firewall Cisco ASA 8.4(2) y ASDM 6.4(7) en GNS3 0.8.3.1 http://t.co/KnBmqz7NAM
@javcasta
Javier Castañón


Referencias:

Descargas: ASA 8.4(2) y ASDM 6.4(7):

Cisco-ASA-ASDM-3

Plataforma: Windows 7 SP1 Ultimate

Lo primero es configurar en el GNS3 el emulador Quemu para el Cisco ASA:

Menu: Edit > Preferences > Quemu > ASA:

Y parametrizar: Usaré 1GB de RAM (con 512MB no arrancaba correctamente)

Identifier Name:  asa-842-1

RAM: 1024 MB

Number of NICs: 6

NIC Mode: e1000

Qemu options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

Initrd: H:\IOS\ASA\asa842-initrd.gz

Kernel: H:\IOS\ASA\asa842-vmlinuz

Kernel cmd line: -append ide_generic.probe_mask=0×01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

Cisco-ASA-1

Salvamos ( botón save ), aplicamos (apply) y OK.

Tras esto, en el editor de topología del GNS3 arastramos un Firewall ASA y construimos la topología que nos interese. Ojo, que la interfaz de gestión por donde accederemos al ASDM ( https://ip ) debe de ser la 0/0, en este caso la GigabitEthernet 0 (Gi0) (o la denominada e0 según la rotula GNS3)

Cisco-ASA-2

En mi caso conecto el ASA a un switch ethernet y este a una nube (cloud) que es la nic ethernet de mi PC

Cisco-ASA-3

Arrancamos los dispositivos y abrimos una consola del ASA (tarda unos minutos en ponerse operativo)

 done
Freeing initrd memory: 22953k freed
platform rtc_cmos: registered platform RTC device (no PNP device found)
highmem bounce pool size: 64 pages
HugeTLB registered 4 MB page size, pre-allocated 0 pages
bigphysarea: Allocated 16384 pages at 0xe0000000.
msgmni has been set to 668
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
pci 0000:00:00.0: Limiting direct PCI/PCI transfers
pci 0000:00:01.0: PIIX3: Enabling Passive Release
pci 0000:00:01.0: Activating ISA DMA hang workarounds
Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
loop: module loaded
pcnet32.c:v1.35 21.Apr.2008 [email protected]
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
Uniform Multi-Platform E-IDE driver
ide_generic: please use “probe_mask=0x3f” module parameter for probing all legacy ISA IDE ports
ide-gd driver 1.18
TCP cubic registered
NET: Registered protocol family 17
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
802.1Q VLAN Support v1.8 Ben Greear <[email protected]>
All bugs added by David S. Miller <[email protected]>
TIPC: Activated (version 1.6.4 compiled Jun 15 2011 17:18:15)
NET: Registered protocol family 30
TIPC: Started in single node mode
Using IPI Shortcut mode
Freeing unused kernel memory: 156k freed
Write protecting the kernel text: 1716k
Write protecting the kernel read-only data: 504k
Clocksource tsc unstable (delta = 194037368 ns)
Starting kernel event manager…
Loading hardware drivers…
Intel(R) PRO/1000 Network Driver – version 7.3.21-k3-NAPI
Copyright (c) 1999-2006 Intel Corporation.
e1000 0000:00:02.0: found PCI INT A -> IRQ 9
e1000: 0000:00:02.0: e1000_probe: (PCI:33MHz:32-bit) 00:ab:cd:92:52:00
e1000: eth0: e1000_probe: Intel(R) PRO/1000 Network Connection
e1000 0000:00:03.0: found PCI INT A -> IRQ 11
e1000: 0000:00:03.0: e1000_probe: (PCI:33MHz:32-bit) 00:00:ab:c1:32:01
e1000: eth1: e1000_probe: Intel(R) PRO/1000 Network Connection
e1000 0000:00:04.0: found PCI INT A -> IRQ 9
e1000: 0000:00:04.0: e1000_probe: (PCI:33MHz:32-bit) 00:00:ab:03:83:02
e1000: eth2: e1000_probe: Intel(R) PRO/1000 Network Connection
e100: Intel(R) PRO/100 Network Driver, 3.5.23-k6-NAPI
e100: Copyright(c) 1999-2006 Intel Corporation
!!! …..
loaded.
Initializing random number generator… done.
Starting network…
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
device eth0 entered promiscuous mode
e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
device eth1 entered promiscuous mode
e1000: eth2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
device eth2 entered promiscuous mode
!!! ………..
Initializing partition – done!
Clocksource tsc unstable (delta = 191070273 ns)
Initializing partition -  hda: hda1
done!
mkdosfs 2.11 (12 Mar 2005)

System tables written to disk
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 0 files, 0/65463 clusters
dosfsck(/dev/hda1) returned 0
FAT: “posix” option is obsolete, not supported now
TIPC: Started in network mode
TIPC: Own node address <1.1.1>, network identity 1234
TIPC: Enabled bearer <eth:tap0>, discovery domain <1.1.0>, priority 10
msrif: module license ‘Cisco Systems, Inc’ taints kernel.
msrif module loaded.
grep: /mnt/disk0/.private/startup-config: No such file or directory
Starting Likewise Service Manager
Processor memory 650117120, Reserved memory: 62914560
WARNING: LINA Monitor notification queue not created
No such file or directory
IMAGE ERROR: An error occurred when reading the controller type

Total NICs found: 6
secstore_buf_fill: Error reading secure store -  buffer 0xddfffb08, size 0×14
key_nv_init: read returned error 1, len 129
L4TM: Unknown ASA Model

INFO: Unable to read firewall mode from flash
       Writing default firewall mode (single) to flash
Verify the activation-key, it might take a while…
Failed to retrieve permanent activation key.
Running Permanent Activation Key: 0×00000000 0×00000000 0×00000000 0×00000000 0×00000000
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Cisco Adaptive Security Appliance Software Version 8.4(2)
_le_open: fd:4, name:eth0
—Device eth0 (fd: 4) opened succesful!
_le_open: fd:8, name:eth1
—Device eth1 (fd: 8) opened succesful!
_le_open: fd:9, name:eth2
—Device eth2 (fd: 9) opened succesful!
_le_open: fd:10, name:eth3
—Device eth3 (fd: 10) opened succesful!
_le_open: fd:11, name:eth4
—Device eth4 (fd: 11) opened succesful!
_le_open: fd:12, name:eth5
—Device eth5 (fd: 12) opened succesful!

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to [email protected]
  ******************************* Warning *******************************

Copyright (c) 1996-2011 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software – Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

config_fetcher: channel open failed
ERROR: MIGRATION – Could not get the startup configuration.
COREDUMP UPDATE: open message queue fail: No such file or directory/2

INFO: MIGRATION – Saving the startup errors to file ‘flash:upgrade_startup_errors_201306071139.log’
Type help or ‘?’ for a list of available commands.
ciscoasa>

Si todo ha ido bien nos debe aparecer el prompt ciscoasa>

Vamos a configurarlo

ciscoasa> enable
!!! cuando pregunte la pass pulsar enter (no se ha configurado todavia pass de enable)
Password:
ciscoasa# config terminal
ciscoasa(config)#

!!! Nos pregunta si deseamos enviar informes anónimos a Cisco, contesto No: N
***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: N

In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)#

!!! Configuro  una licencia
ciscoasa(config)# activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Failover is different.
   running permanent activation key: Restricted(R)
   new permanent activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
Proceed with update flash activation key? [confirm] Yes
The flash permanent activation key was updated with the requested key,
and will become active after the next reload.

!!! configuramos ip y nombre interfaz GigaBitEthernet e0
ciscoasa(config)# int GigabitEthernet0
ciscoasa(config-if)# ip add 192.168.2.55 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif asafirewall
INFO: Security level for "asafirewall" set to 0 by default.
ciscoasa(config-if)# exit
!!! habilitamos servidor http
ciscoasa(config)# http server enable
!!! especificamos quien se puede conectar al servidor http, en este caso todo el segmento 192.168.2.0/24
ciscoasa(config)# http 192.168.2.0 255.255.255.0 asafirewall
!!! creamos un usuario y su password "laclave", con máximo nivel de privilegios
ciscoasa(config)# username operador password laclave privilege 15
!!! compruebo que hay en la flash
ciscoasa(config)# dir

Directory of disk0:/

2      drwx  4096         11:38:54 Jun 07 2013  log
9      drwx  4096         11:39:00 Jun 07 2013  coredumpinfo
11     -rwx  196          11:39:00 Jun 07 2013  upgrade_startup_errors_201306071139.log

268136448 bytes total (268091392 bytes free)
!!! copiamos ASDM en la flash vía servidor web

Utilizo el servidor http de la utilidad MobaXterm v6.3

Cisco-ASA-4

!!! copiamos ASDM en la flash vía servidor web
ciscoasa(config)# copy http: flash:

Address or name of remote host []? 192.168.2.2

Source filename []? asdm-647.bin

Destination filename [asdm-647.bin]?

Accessing http://192.168.2.2/asdm-647.bin...!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing current ASDM file disk0:/asdm-647.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ciscoasa(config)# dir

Directory of disk0:/

2      drwx  4096         11:38:54 Jun 07 2013  log
9      drwx  4096         11:39:00 Jun 07 2013  coredumpinfo
11     -rwx  196          11:39:00 Jun 07 2013  upgrade_startup_errors_201306071139.log
15     -rwx  17902288     12:01:59 Jun 07 2013  asdm-647.bin

268136448 bytes total (250187776 bytes free)
ciscoasa(config)# end

!!! Copiamos la configuración en la de arranque
ciscoasa# copy run st

Source filename [running-config]?
Cryptochecksum: 4deb8e2f 565f074e 2683ab21 638e2d9e

2340 bytes copied in 0.950 secs

!!! Tambien valdria wr
ciscoasa# wr
Building configuration...
Cryptochecksum: 4deb8e2f 565f074e 2683ab21 638e2d9e

2340 bytes copied in 0.870 secs
[OK]

!! reiniciamos
ciscoasa# reload
Proceed with reload? [confirm] Yes


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system



***
*** --- SHUTDOWN NOW ---
REBOOT: open message queue fail: No such file or directory/2
REBOOT: enforce reboot...
restarting system
machine restart
...

Nos conectamos via navegador a https://192.168.2.55 y accedemos al configurador del ASDM

Cisco-ASA-ASDM-1

Y lanzo la guia o asistente de comienzo (Run startup wizard)

Cisco-ASA-ASDM-2

Cisco-ASA-ASDM-3

Y ya tenemos instalado un Cisco ASA con ASDM en GNS3

Y voila :-)

Share

Idle scan - Buscando zombies y escaneando objetivos vía zombie con NMAP http://t.co/WSFPaNE6rH
@javcasta
Javier Castañón


Referencias:

Idlescan

Un Zombie o “idle host“, es aquel que su IPID es incremental y por lo tanto predecible, por lo que es vulnerable a ser usado, entre otras cosas, como intermediario o bouncer para escaneos anonimos de otros objetivos.

Para buscar un zombie con Nmap:

nmap –script ipidseq.nse –script-args probeport=<PUERTO> <OBJETIVO-CANDIDATO-A-ZOMBIE>

Para escanear un objetivo vía Zombie:

nmap -sI <ZOMBIE:PUERTO> -Pn <OBJETIVO>

La opción -Pn previene respuestas icmp desde la verdadera IP (en realidad el idle scan es una técnica de spoofing)

Esta es toda la teoria que debemos saber, ahora la pongo en práctica:

Busco si un determinado host (www.EL-OBJETIVO.com) es un Zombie probando en el puerto 80

nmap -vv --script ipidseq.nse --script-args probeport=80 www.EL-OBJETIVO.com

Starting Nmap 6.25 ( http://nmap.org ) at 2013-05-29 10:03 UTC
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating Ping Scan at 10:03
Scanning www.EL-OBJETIVO.com (172.16.20.38) [4 ports]
sendto in send_ip_packet_sd: sendto(6, packet, 40, 0, 172.16.20.38, 16) => Operation not permitted
Offending packet: TCP 192.168.66.6:42327 > 172.16.20.38:80 A ttl=42 id=57190 iplen=10240  seq=0 win=1024
Completed Ping Scan at 10:03, 1.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:03
Completed Parallel DNS resolution of 1 host. at 10:03, 0.14s elapsed
Initiating SYN Stealth Scan at 10:03
Scanning www.EL-OBJETIVO.com (172.16.20.38) [1000 ports]
Discovered open port 443/tcp on 172.16.20.38
Discovered open port 80/tcp on 172.16.20.38
Discovered open port 1863/tcp on 172.16.20.38
Discovered open port 5190/tcp on 172.16.20.38
Completed SYN Stealth Scan at 10:04, 27.45s elapsed (1000 total ports)
NSE: Script scanning 172.16.20.38.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.56s elapsed
Nmap scan report for www.EL-OBJETIVO.com (172.16.20.38)
Host is up (0.088s latency).
Scanned at 2013-05-29 10:03:36 UTC for 29s
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
1863/tcp open  msnp
5190/tcp open  aol

Host script results:
|_ipidseq: Incremental!

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 29.52 seconds
           Raw packets sent: 4018 (176.772KB) | Rcvd: 72 (3.712KB)

nmap-looking-for-zombies-0

Que el resultado de la secuencia del ipid sea incremental ( _ipidseq: Incremental! ) indica que es un zombieo idle host

 La distro para router-firewall pfSense (basado en FreeBSD) tiene la opción: IP Random id generation

IP Random id generation: Insert a stronger id into IP header of packets passing through the filter.
Replaces the IP identification field of packets with random values to compensate for operating
systems that use predictable values. This option only applies to packets that are not fragmented
 after the optional packet reassembly.

Con esta opción hacemos precisamente que los valores de las secuencias del IP ID de pfSense sean aleatorias y no sean predecibles, evitando que se convierta en un zombie o idle host.

Si usas nmap desde pfSense, otra opción que conviene activar temporalmente en pfSense al usar nmap en escaneos tipo idle host, es desactivar el firewall (para que nmap sea efectivo), convirtiendo a pfSense en un simple router
(ojo, que tambien desactiva NAT, por lo que si la maquina esta en “produccion” no os lo aconsejo, dejariais a la red LAN sin salida a Inet y desprotegida)

Disable Firewall: Disable all packet filtering.

Note: This converts pfSense into a routing only platform!Note: This will also turn off NAT!

nmap-looking-for-zombies-1

Otro ejemplo, desde el host bajo pfSense (con el paquete Nmap instalado) voy a ver si un host dentro de mi LAN es un zombie., probando con el puerto 3389

nmap -vv --script ipidseq.nse --script-args probeport=3389 192.168.2.0/24

Obtengo 4 maquinas, donde una parece ser un zombie ( _ipidseq: Incremental! )

Nmap scan report for 192.168.2.2
Host is up (0.00029s latency).
Scanned at 2013-05-30 15:00:17 UTC for 10s
PORT     STATE    SERVICE
3389/tcp filtered ms-wbt-server


Host script results:
|_ipidseq: Unknown

Nmap scan report for 192.168.2.3
Host is up (-0.20s latency).
Scanned at 2013-05-30 15:00:17 UTC for 10s
PORT     STATE    SERVICE
3389/tcp filtered ms-wbt-server

Host script results:
|_ipidseq: Incremental!

Nmap scan report for 192.168.2.9
Host is up (-0.14s latency).
Scanned at 2013-05-30 15:00:17 UTC for 11s
PORT     STATE    SERVICE
3389/tcp filtered ms-wbt-server


Host script results:
|_ipidseq: Unknown

Initiating ARP Ping Scan at 15:00
Initiating SYN Stealth Scan at 15:00
Scanning pfsense.localdomain (192.168.2.254) [1 port]
Completed SYN Stealth Scan at 15:00, 2.00s elapsed (1 total ports)
NSE: Script scanning 192.168.2.254.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:00
Completed NSE at 15:00, 6.00s elapsed
Nmap scan report for pfsense.localdomain (192.168.2.254)
Host is up.
Scanned at 2013-05-30 15:00:28 UTC for 8s
PORT     STATE    SERVICE
3389/tcp filtered ms-wbt-server

Host script results:
|_ipidseq: Unknown

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read data files from: /usr/local/share/nmap
Nmap done: 256 IP addresses (4 hosts up) scanned in 19.27 seconds
           Raw packets sent: 543 (15.716KB) | Rcvd: 10 (356B)

La máquina 192.168.2.3 (Zombie) via puerto 3389 es un candidato a zombie y como la maquina 192.168.2.2 (Victima) resulta que me  filtra todos los escaneos desde pfSense, la voy a escanear el puerto 445 con intermediario el Zombie (192.168.2.3)

nmap -sI 192.168.2.3:3389 -Pn -p445 -r --packet-trace -v 192.168.2.2

Starting Nmap 6.25 ( http://nmap.org ) at 2013-05-30 15:03 UTC
Initiating ARP Ping Scan at 15:03
Scanning 192.168.2.2 [1 port]
SENT (0.0558s) ARP who-has 192.168.2.2 tell 192.168.2.254
RCVD (0.0562s) ARP reply 192.168.2.2 is-at 00:1F:E2:03:A7:BA
Completed ARP Ping Scan at 15:03, 0.20s elapsed (1 total hosts)
NSOCK (0.2570s) nsi_new (IOD #1)
NSOCK (0.2570s) UDP connection requested to 208.67.220.220:53 (IOD #1) EID 8
NSOCK (0.2570s) Read request from IOD #1 [208.67.220.220:53] (timeout: -1ms) EID 18
NSOCK (0.2570s) nsi_new (IOD #2)
NSOCK (0.2570s) UDP connection requested to 8.8.8.8:53 (IOD #2) EID 24
NSOCK (0.2570s) Read request from IOD #2 [8.8.8.8:53] (timeout: -1ms) EID 34
NSOCK (0.2570s) nsi_new (IOD #3)
NSOCK (0.2570s) UDP connection requested to 4.2.2.3:53 (IOD #3) EID 40
NSOCK (0.2570s) Read request from IOD #3 [4.2.2.3:53] (timeout: -1ms) EID 50
Initiating Parallel DNS resolution of 1 host. at 15:03
NSOCK (0.2570s) Write request for 44 bytes to IOD #1 EID 59 [208.67.220.220:53]: .w...........2.2.168.192.in-addr.arpa.....
NSOCK (0.2570s) Callback: CONNECT SUCCESS for EID 8 [208.67.220.220:53]
NSOCK (0.2570s) Callback: WRITE SUCCESS for EID 59 [208.67.220.220:53]
NSOCK (0.2570s) Callback: CONNECT SUCCESS for EID 24 [8.8.8.8:53]
NSOCK (0.2570s) Callback: CONNECT SUCCESS for EID 40 [4.2.2.3:53]
NSOCK (0.3630s) Callback: READ SUCCESS for EID 18 [208.67.220.220:53] (103 bytes)
NSOCK (0.3630s) Read request from IOD #1 [208.67.220.220:53] (timeout: -1ms) EID 66
NSOCK (2.7580s) Write request for 44 bytes to IOD #1 EID 75 [208.67.220.220:53]: .w...........2.2.168.192.in-addr.arpa.....
NSOCK (2.7580s) Callback: WRITE SUCCESS for EID 75 [208.67.220.220:53]
NSOCK (2.8630s) Callback: READ SUCCESS for EID 66 [208.67.220.220:53] (103 bytes)
NSOCK (2.8630s) Read request from IOD #1 [208.67.220.220:53] (timeout: -1ms) EID 82
NSOCK (5.7580s) Write request for 44 bytes to IOD #2 EID 91 [8.8.8.8:53]: .w...........2.2.168.192.in-addr.arpa.....
NSOCK (5.7580s) Callback: WRITE SUCCESS for EID 91 [8.8.8.8:53]
NSOCK (5.8640s) Callback: READ SUCCESS for EID 34 [8.8.8.8:53] (44 bytes): .w...........2.2.168.192.in-addr.arpa.....
NSOCK (5.8640s) Read request from IOD #2 [8.8.8.8:53] (timeout: -1ms) EID 98
NSOCK (5.8640s) nsi_delete (IOD #1)
NSOCK (5.8640s) msevent_cancel on event #82 (type READ)
NSOCK (5.8640s) nsi_delete (IOD #2)
NSOCK (5.8640s) msevent_cancel on event #98 (type READ)
NSOCK (5.8640s) nsi_delete (IOD #3)
NSOCK (5.8640s) msevent_cancel on event #50 (type READ)
Completed Parallel DNS resolution of 1 host. at 15:04, 5.61s elapsed
Initiating idle scan against 192.168.2.2 at 15:04
SENT (5.8644s) TCP 192.168.2.254:42115 > 192.168.2.3:3389 SA ttl=58 id=46658 iplen=44  seq=3020817895 win=1024 <mss 1460>
SENT (5.8976s) TCP 192.168.2.254:42116 > 192.168.2.3:3389 SA ttl=49 id=64470 iplen=44  seq=3020817896 win=1024 <mss 1460>
SENT (5.9306s) TCP 192.168.2.254:42117 > 192.168.2.3:3389 SA ttl=46 id=31599 iplen=44  seq=3020817897 win=1024 <mss 1460>
RCVD (5.8656s) TCP 192.168.2.3:3389 > 192.168.2.254:42115 R ttl=128 id=6409 iplen=40  seq=1656142168 win=0
SENT (5.9636s) TCP 192.168.2.254:42118 > 192.168.2.3:3389 SA ttl=53 id=38802 iplen=44  seq=3020817898 win=1024 <mss 1460>
SENT (5.9966s) TCP 192.168.2.254:42119 > 192.168.2.3:3389 SA ttl=55 id=16823 iplen=44  seq=3020817899 win=1024 <mss 1460>
RCVD (5.8982s) TCP 192.168.2.3:3389 > 192.168.2.254:42116 R ttl=128 id=6410 iplen=40  seq=1656142168 win=0
RCVD (5.9313s) TCP 192.168.2.3:3389 > 192.168.2.254:42117 R ttl=128 id=6411 iplen=40  seq=1656142168 win=0
SENT (6.0296s) TCP 192.168.2.254:42120 > 192.168.2.3:3389 SA ttl=41 id=51439 iplen=44  seq=3020817900 win=1024 <mss 1460>
RCVD (5.9645s) TCP 192.168.2.3:3389 > 192.168.2.254:42118 R ttl=128 id=6412 iplen=40  seq=1656142168 win=0
RCVD (5.9973s) TCP 192.168.2.3:3389 > 192.168.2.254:42119 R ttl=128 id=6413 iplen=40  seq=1656142168 win=0
Idle scan using zombie 192.168.2.3 (192.168.2.3:3389); Class: Incremental
SENT (15.0461s) TCP 192.168.2.2:42114 > 192.168.2.3:3389 SA ttl=49 id=16354 iplen=44  seq=3020817895 win=1024 <mss 1460>
SENT (15.0970s) TCP 192.168.2.2:42114 > 192.168.2.3:3389 SA ttl=55 id=2517 iplen=44  seq=3020817896 win=1024 <mss 1460>
SENT (15.1480s) TCP 192.168.2.2:42114 > 192.168.2.3:3389 SA ttl=40 id=50787 iplen=44  seq=3020817897 win=1024 <mss 1460>
SENT (15.1990s) TCP 192.168.2.2:42114 > 192.168.2.3:3389 SA ttl=59 id=21011 iplen=44  seq=3020817898 win=1024 <mss 1460>
SENT (15.5000s) TCP 192.168.2.254:42179 > 192.168.2.3:3389 SA ttl=54 id=5694 iplen=44  seq=2237308931 win=1024 <mss 1460>
RCVD (6.0305s) TCP 192.168.2.3:3389 > 192.168.2.254:42120 R ttl=128 id=6414 iplen=40  seq=1656142168 win=0
RCVD (15.5012s) TCP 192.168.2.3:3389 > 192.168.2.254:42179 R ttl=128 id=6419 iplen=40  seq=739701181 win=0
SENT (15.5013s) TCP 192.168.2.3:3389 > 192.168.2.2:445 S ttl=44 id=57295 iplen=44  seq=3198776353 win=1024 <mss 1460>
SENT (15.5520s) TCP 192.168.2.254:42209 > 192.168.2.3:3389 SA ttl=48 id=34759 iplen=44  seq=2237309431 win=1024 <mss 1460>
RCVD (15.5556s) TCP 192.168.2.3:3389 > 192.168.2.254:42209 R ttl=128 id=6421 iplen=40  seq=739701181 win=0
SENT (15.6529s) TCP 192.168.2.254:42306 > 192.168.2.3:3389 SA ttl=39 id=333 iplen=44  seq=2237309931 win=1024 <mss 1460>
RCVD (15.6564s) TCP 192.168.2.3:3389 > 192.168.2.254:42306 R ttl=128 id=6422 iplen=40  seq=739701181 win=0
SENT (15.7030s) TCP 192.168.2.3:3389 > 192.168.2.2:445 S ttl=41 id=40099 iplen=44  seq=3198776353 win=1024 <mss 1460>
SENT (15.7539s) TCP 192.168.2.254:42314 > 192.168.2.3:3389 SA ttl=42 id=25570 iplen=44  seq=2237310431 win=1024 <mss 1460>
RCVD (15.7546s) TCP 192.168.2.3:3389 > 192.168.2.254:42314 R ttl=128 id=6424 iplen=40  seq=739701181 win=0
SENT (15.8549s) TCP 192.168.2.254:42351 > 192.168.2.3:3389 SA ttl=45 id=17478 iplen=44  seq=2237310931 win=1024 <mss 1460>
RCVD (15.8555s) TCP 192.168.2.3:3389 > 192.168.2.254:42351 R ttl=128 id=6425 iplen=40  seq=739701181 win=0
Discovered open port 445/tcp on 192.168.2.2
Completed idle scan against 192.168.2.2 at 15:04, 10.04s elapsed (1 ports)
Nmap scan report for 192.168.2.2
Host is up (0.013s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:XX:XX:XX:XX:XX (Hon Hai Precision Ind. Co.)

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.92 seconds
           Raw packets sent: 18 (776B) | Rcvd: 12 (468B)

Y efectivamente, parece ser que .2 (Victima) confia en que .3 (Zombie) pueda establecer conexiones a su puerto tcp445 ( 445/tcp open  microsoft-ds )

Si hago el scan de los puertos mas comunes de la victima via zombie:

nmap -sI 192.168.2.3:3389 -Pn -r --packet-trace -v 192.168.2.2
.................
Nmap scan report for 192.168.2.2
Host is up (0.15s latency).
Not shown: 990 closed|filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1028/tcp open  unknown
1031/tcp open  iad2
1580/tcp open  tn-tl-r1
5357/tcp open  wsdapi
6000/tcp open  X11

De donde se infiere que a traves de 192.168.2.3 (que es un XP Pro con SP3 actualizado a día de hoy), 192.168.2.2 es camino abierto

:-)

Nota: . Por lo general todos los XP tienen una secuencia IPID incremental, por lo que son candidatos a Zombies.
Y las pruebas que he hecho con un Ubuntu 12.04, un W7 SP1 ultimate y un pfSense 2.03 indican que no tienen una secuencia incremental de IPID.

Y voila :-)

Share

FreeBSD/pfSense - tcsh script para escanear puerto en un rango de red vía NMAP http://t.co/BTezsZ6zlx
@javcasta
Javier Castañón


scanClassB-nmap-telnet

Un script ejecutado desde un router-firewall bajo pfSense 2.03-Release (FreeBSD 8.1-Release-p13).
Se trata de escanear con nmap un puerto determinado (tcp23) en un rango de red, en este caso un rango de clase B (/16)

¿Para que hacerlo desde el firewall?. Simple, para no tener que estar añadiendo o retocando
reglas de filtrado de la maquina del operador en el firewall. Normalmente no suele haber auto-restricciones
en un router-firewall para conectarse desde si mismo a un puerto en la WAN.
Esta claro que este script es una prueba de concepto sobre como recorrer un segmento de clase B para ejecutar una tarea. Ya que NMAP permite indicar en el objetivo no solo una IP, sino también redes (p.e: nmap -sV -sC -PN -p23 180.159.0.0/16) ¿Para que hacer un script, si NMAP ya lo hace por si mismo?.
La respuesta es simple: para aprender a hacer un shell script en tcsh bajo pfSense/FreeBSD :-)

En pfSense, se puede instalar el paquete NMAP (desde el menú System > Packages > ) en la versión 6.25

pfsense-nmap

El Script:

#!/bin/tcsh
# pfSernse 2.0.3-RELEASE
# FreeBSD 8.1-RELEASE-p13
#########################################################
# Scan con nmap de puerto tcp en rango de clase B (/16) #
###############################################################
# By Javier Castañon - JavCasta - http://javcasta.com - 2.013 #
###############################################################
# Personalizar rango de red y puerto
set red = "180.159"
set puerto = "23"
foreach i ( `jot 255` )
        foreach j ( `jot 255` )
                set ip = "${red}.${i}.${j}"
                set scan = `nmap -sV -sC -PN -p${puerto} ${ip} | grep "${puerto}/tcp"`
                echo "${ip} ${scan}" | grep "open"	
        end
end
#importante: poner nueva linea despues del end - important: put new line after end

Si lo ejecutas directamente (# ./tuscript.sh ), debes antes darle permisos de ejecución (#chmod +x tuscript.sh) o
simplemente llamarlo con tcsh ( #tcsh tuscript.sh )

Y voila :-)

Share

Nmap scripting Engine (NSE) - Analizar fichero con VitusTotal vía NMAP http://t.co/dkqaLR2Ed5
@javcasta
Javier Castañón


Referencias:

nmap-virustotal-1

NMAP no es solo un escanner de puertos e identificador de servicios y OS (Sistemas Operativos).
Posee una característica muy potente y versatil: NSE

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features.
 It allows users to write (and share) simple scripts (using the Lua programming language, )
 to automate a wide variety of networking tasks.

siteNMAPlogo

El motor de scripting de nmap (NSE) es una de las caracteristicas más potentes y flexibles de nmap.
Permite a los usuarios escribir (y compartir) guiones (scripts) simples (usando el lenguaje de programación LUA) para automatizar una amplia variedad de tareas de networking

Existen ya una serie de librerias o módulos en LUA (con extension .lua, alojadas en el directorio nselib de nmap) y una
gran variedad de scripts (con extension .nse, alojados en el directorio scripts de nmap).

Echando un vistazo a los scripts que vienen por defecto con la version 6.25 de Nmap, me encontré con uno llamado:

Que efectivamente hace lo 1º que se nos viene a la mente: Analizar un fichero en virtus total ya sea enviando su hash SHA1, SHA256 o MD5 o subiendo el fichero a VirusTotal.

La linea de comandos para usar el nse script http-virustotal de Nmap seria:

nmap –script http-virustotal –script-args=”apikey=’TU-APIKEY-DE-VIRUSTOTAL’,checksum=’LA-HASH-DEL-FICHERO-A-ANALIZAR’”

nota: La ApiKey de virustotal se obtiene registrandose en https://www.virustotal.com

Como bajo windows no hay un comando nativo para obtener la hash SHA1 o SHA256 o MD5 de un fichero.
Voy a implementar con C# y .Net 2.0 una pequeña utilidad de consola para obtener la hash MD5 de un fichero:

Bajarse: getMD5.exe
getMD5.cs

/*
 * Created by SharpDevelop.
 * User: JavCasta - http://javcasta.com/
 * Date: 26/05/2013
 */
using System;
using System.IO;
using System.Security.Cryptography;

namespace getMD5
{
	class Program
	{
		public static void Main(string[] args)
		{
			try {
				using (var hmd5 = MD5.Create())
				{
					using (var stream = File.OpenRead(args[0]))
    				{
        				string devolver = BitConverter.ToString(hmd5.ComputeHash(stream)).Replace("-","").ToLower();
        				stream.Close();
        				stream.Dispose();
        				Console.WriteLine(devolver);
    				}
				}
				
			} catch (Exception mye) {
				Console.WriteLine(mye.Message);
			}
			
		}
	}
}

Tras compilarlo copio el ejecutable (getMD5.exe) en el directorio de nmap (c:\nmap-6.25\)
Y creo un batch script que tenga como argumento un fichero y obtenga su hash MD5 con getMD5.exe y
via nmap (y el script http-virustotal.nse) consulte con VirusTotal:

nmapVirusTotal.cmd

@echo off
setlocal ENABLEDELAYEDEXPANSION
REM =======================================================
REM nmapVirusTotal.cmd - by JavCasta - http://javcasta.com/
REM =======================================================
REM uso: nmapVirusTotal.cmd <fichero>
REM =======================================================

color 17
mode con cols=135 lines=300

set apikey='38cfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'

if EXIST %tmp%\elmd5.tmp del %tmp%\elmd5.tmp
if NOT "%1" == "" (
	getMD5 %1 > %tmp%\elmd5.tmp
	for /F %%i in (%tmp%\elmd5.tmp)	do (
		set md5='%%i'
		nmap --script http-virustotal --script-args="apikey=%apikey%,checksum=!md5!"
	)
) ELSE (
	@echo Introduce un fichero.
)
endlocal

Lo pruebo, analizando el fichero C:\Windows\System32\svchost.exe de un W7 SP1 , que sé que da un positivo sobre 47 motores de antivirus (un falso positivo, o al menos eso esperamos los que usemos W7 :-) )
C:\nmap-6.25>nmapVirusTotal.cmd “C:\windows\System32\svchost.exe”

Starting Nmap 6.25 ( http://nmap.org ) at 2013-05-26 16:04 Hora de verano romance
Pre-scan script results:
| http-virustotal:
|   Permalink: https://www.virustotal.com/file/121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2/analysis/1369574636/
|   Scan date: 2013-05-26 13:23:56
|   Positives: 1
|   digests
|     SHA1: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
|     SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
|     MD5: 54a47f6b5e09a77e61649109c6a08866
|   Results
|     name                  result             date      version
|     Agnitum               -                  20130526  5.5.1.3
|     AhnLab-V3             -                  20130526  2013.05.27.00
|     AntiVir               -                  20130526  7.11.80.28
|     Antiy-AVL             -                  20130526  2.0.3.7
|     Avast                 -                  20130526  6.0.1289.0
|     AVG                   -                  20130526  10.0.0.1190
|     BitDefender           -                  20130526  7.2
|     ByteHero              -                  20130517  1.0.0.1
|     CAT-QuickHeal         -                  20130523  12.00
|     ClamAV                -                  20130523  0.97.3.0
|     Commtouch             -                  20130526  5.4.1.7
|     Comodo                -                  20130526  16321
|     DrWeb                 -                  20130526
|     Emsisoft              -                  20130526  3.0.0.575
|     eSafe                 Win32.TrojanHorse  20130523  7.0.17.0
|     ESET-NOD32            -                  20130526  8375
|     F-Prot                -                  20130526  4.7.1.166
|     F-Secure              -                  20130526  11.0.19020.35
|     Fortinet              -                  20130526  5.0.43.0
|     GData                 -                  20130526  22
|     Ikarus                -                  20130526  T3.1.4.0.0
|     Jiangmin              -                  20130526  16.0.100
|     K7AntiVirus           -                  20130524  9.168.8751
|     K7GW                  -                  20130524  12.7.0.12
|     Kaspersky             -                  20130526  9.0.0.837
|     Kingsoft              -                  20130506  2013.4.9.267
|     Malwarebytes          -                  20130526  1.75.0.1
|     McAfee                -                  20130526  5.400.0.1158
|     McAfee-GW-Edition     -                  20130526  2012.1
|     Microsoft             -                  20130526  1.9506
|     MicroWorld-eScan      -                  20130526  12.0.250.0
|     NANO-Antivirus        -                  20130526  0.24.0.52214
|     Norman                -                  20130525  7.01.04
|     nProtect              -                  20130525  2013-05-25.02
|     Panda                 -                  20130526  10.0.3.5
|     PCTools               -                  20130521  9.0.0.2
|     Rising                -                  20130524  24.63.03.04
|     Sophos                -                  20130522  4.89.0
|     SUPERAntiSpyware      -                  20130526  5.6.0.1008
|     Symantec              -                  20130526  20131.1.0.101
|     TheHacker             -                  20130524  None
|     TotalDefense          -                  20130524  37.0.10437
|     TrendMicro            -                  20130526  9.740.0.1012
|     TrendMicro-HouseCall  -                  20130526  9.700.0.1001
|     VBA32                 -                  20130525  3.12.22.1
|     VIPRE                 -                  20130526  18122
|_    ViRobot               -                  20130526  2011.4.7.4223
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 2.00 seconds

Y voila :-)

Share

Older Entries »