somebody is scanning alibaba.com.cn
somebody is scanning alibaba.com.cn, and my account is being hit with password reset attempts. i received the password reset email yesterday.
notes on doing some pentest on my isp
it is just some sunday hacking...
- first, i would like to use traceroute to find the gateway of my isp. you can simply traceroute some well-known portal, like www.yahoo.com.
#traceroute www.yahoo.com
traceroute: Warning: www.yahoo.com has multiple addresses; using 72.30.2.43
traceroute to any-fp.wa1.b.yahoo.com (72.30.2.43), 64 hops max, 40 byte packets
 1  192.168.8.1 (192.168.8.1)  1.602 ms  0.782 ms  0.712 ms
 2  [gateway_hostname] (XXX.XXX.XXX.254)  18.115 ms  50.441 ms  11.054 ms
- second, i am interested in how many hosts are available in this /24 subnet. i use nmap -sP -PN to find out; many hosts are actually up, but anyway, i go back to the gateway as my focus.
#nmap -sP XXX.XXX.XXX.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-13 17:32 HKT
Nmap scan report for [hostname] (XXX.XXX.XXX.3)
Host is up.
...
- the next thing i am going to do is some heavy probing of the gateway to see what is actually live on it. i try a TCP SYN scan against the gateway, and below is the result. it seems like all of the services are protected by some kind of firewall.
#nmap -sS [gateway_ip]
Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-14 13:37 HKT
Nmap scan report for [gateway_hostname] ([gateway_ip])
Host is up (0.053s latency).
Not shown: 988 closed ports
PORT      STATE    SERVICE
25/tcp    filtered smtp
80/tcp    filtered http
111/tcp   filtered rpcbind
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
515/tcp   filtered printer
593/tcp   filtered http-rpc-epmap
1068/tcp  filtered instl_bootc
5000/tcp  filtered upnp
6129/tcp  filtered unknown
10001/tcp filtered unknown
- without giving up, i start the next round with a udp scan, and see, it seems like there is something open for us: the snmp service on the host.
#nmap -sU [gateway_ip]
Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-14 14:44 HKT
Nmap scan report for [gateway_hostname] ([gateway_ip])
Host is up (0.017s latency).
Not shown: 986 closed ports
PORT     STATE         SERVICE
7/udp    open|filtered echo
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
135/udp  open|filtered msrpc
136/udp  open|filtered profile
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open          snmp
162/udp  open|filtered snmptrap
445/udp  open|filtered microsoft-ds
520/udp  open|filtered route
1434/udp open|filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 2111.55 seconds
- to get more of a feel for the host, i enable OS detection in the scan, but no luck with it.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device|router|switch|printer
Running (JUST GUESSING) : Apple Mac OS X 10.5.X (91%), Apple iPhone OS 1.X (90%), OpenBSD 4.X (89%), FreeBSD 7.X (88%), Cisco IOS 12.X (88%), Novell NetWare 6.X (87%), HP embedded (86%), Microsoft Windows 2000|98 (86%)
Aggressive OS guesses: Apple Mac OS X 10.5 (Leopard) (Darwin 9.2.2, x86) (91%), Apple Mac OS X 10.5.5 - 10.6.1 (Leopard - Snow Leopard) (Darwin 9.5.0 - 10.0.0) (91%), Apple iPod touch audio player (iPhone OS 1.1.2 - 1.1.4, Darwin 9.0.0d1) (90%), OpenBSD 4.1 (89%), OpenBSD 4.3 (89%), OpenBSD 4.5 (89%), FreeBSD 7.0-RC1 (88%), FreeBSD 7.0-STABLE (88%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (88%), OpenBSD 4.1 (x86) (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
didn't manage to continue on the snmp side, like looking into the community string; need to hang out with my wife...
disclaimer: this article does not encourage anyone to do anything illegal; those who read this article take on their own responsibilities and risks.
testing the udp awareness of nmap 5.21
for a typical network scanner, when it scans the udp services available on a host, it simply sends udp packets without knowing anything about the protocol spoken on each port. when the host receives such a packet, a few things can happen. if the host does not listen on that port, it replies with an ICMP port unreachable (type 3, code 3). if the host does listen on the port, the service may drop the packet, or not reply because it does not understand the contents. a firewall-protected port behaves the same way: no reply at all. since a silent port can be either open or filtered, the scanner can only report it as open|filtered.
nmap 5.21 adds protocol-specific udp payloads to the udp scan: instead of probing with an empty or meaningless packet, nmap actually talks the protocol expected on well-known ports, like dns or ntp, so a listening service has a reason to answer. below is a comparison of nmap 5.00 and 5.21 against the same opendns resolver.
# nmap -sU -p53 208.67.222.222
Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-07 15:39 HKT
Interesting ports on resolver1.opendns.com (208.67.222.222):
PORT STATE SERVICE
53/udp open|filtered domain
Nmap done: 1 IP address (1 host up) scanned in 2.33 seconds
# nmap -sU -p53 208.67.222.222
Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-07 15:54 HKT
Nmap scan report for resolver1.opendns.com (208.67.222.222)
Host is up (0.18s latency).
PORT STATE SERVICE
53/udp open domain
Nmap done: 1 IP address (1 host up) scanned in 0.64 seconds
from the returned results, you can see that nmap 5.00 reports port 53 as open|filtered while nmap 5.21 reports it as open. because the new version sends a real dns query, the resolver answers it, and a reply proves the port is open. the old probe got no answer, so nmap could not tell whether the port was open but silent or protected by a firewall. note also that the 5.21 scan finished in 0.64 seconds instead of 2.33 seconds: with an answer in hand it did not have to wait out the retransmission timeouts that a silent port forces on the scanner.
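to make the open / open|filtered / closed distinction concrete, here is a small protocol-aware udp probe for port 53. it is an added example, not code from the original post and not nmap's own code: it builds a genuine dns query, classifies the port from what comes back (a datagram, an ICMP port unreachable surfaced by the kernel as ECONNREFUSED, or silence), and runs against two constructed loopback listeners that stand in for a resolver and for a firewalled port so it works offline. the hostname, port and helper names are the example's own assumptions.

```python
"""Added example (not from the original post or from nmap): a tiny
protocol-aware UDP probe for port 53, showing why a real DNS query lets a
scanner say "open" where an empty datagram only earns "open|filtered".

Three outcomes exist for one UDP probe:
  - ICMP port unreachable (type 3, code 3) comes back: the port is closed.
    On a connected UDP socket the kernel reports this as ECONNREFUSED.
  - a datagram comes back: the port is open (a resolver answers a DNS query).
  - silence: a service that ignores the payload, or a firewall that dropped
    it. Both look identical to the scanner, hence open|filtered.
The listeners in demo() are constructed stand-ins so the example runs offline.
"""
import random
import socket
import struct
import threading


def build_dns_query(name: str, txid: int) -> bytes:
    """Minimal DNS A/IN query for `name`: 12-byte header, QNAME, QTYPE, QCLASS."""
    flags = 0x0100  # QR=0 (query), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def is_dns_reply(data: bytes, txid: int) -> bool:
    """True if `data` is a DNS response (QR=1) to the query with id `txid`."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)


def probe_udp(host: str, port: int, payload: bytes, timeout: float = 1.0):
    """Send one datagram and classify the port the way a UDP scanner does.
    Returns (state, reply_bytes_or_None)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))  # connected socket: ICMP errors surface on recv()
        sock.send(payload)
        return "open", sock.recv(4096)
    except ConnectionRefusedError:
        return "closed", None  # ICMP type 3 code 3 delivered by the kernel
    except socket.timeout:
        return "open|filtered", None  # no answer: open-but-silent or dropped
    finally:
        sock.close()


def scan_dns_port(host: str, port: int = 53, timeout: float = 1.0):
    """Probe with a genuine DNS query. Returns (state, answered_as_dns)."""
    txid = random.randrange(1, 0x10000)
    state, data = probe_udp(host, port, build_dns_query("example.com", txid), timeout)
    return state, state == "open" and is_dns_reply(data, txid)


def _constructed_listener(answer: bool) -> int:
    """Constructed stand-in bound on loopback. answer=True: reply like a
    resolver (echo the query with QR set). answer=False: swallow the datagram
    like a port behind a firewall. Returns the bound port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.settimeout(5.0)

    def serve():
        try:
            data, peer = sock.recvfrom(512)
            if answer and len(data) >= 12:
                # keep id and question, set QR=1 RD=1 RA=1 (0x8180)
                reply = data[:2] + struct.pack("!H", 0x8180) + data[4:]
                sock.sendto(reply, peer)
        except socket.timeout:
            pass
        finally:
            sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> dict:
    """Run the probe against the two constructed local listeners."""
    return {
        "resolver": scan_dns_port("127.0.0.1", _constructed_listener(answer=True), timeout=3.0),
        "silent": scan_dns_port("127.0.0.1", _constructed_listener(answer=False), timeout=0.5),
    }


if __name__ == "__main__":
    for name, (state, dns) in demo().items():
        print(f"{name}: {state}" + (" (answered our DNS query)" if dns else ""))
```

against a real resolver you would call scan_dns_port("208.67.222.222") instead of demo(); the "closed" branch only fires when the target host is allowed to send ICMP unreachables back, which is exactly the case that a firewall removes, and is why a silent port can never be promoted beyond open|filtered without a protocol-level answer.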
- reference - http://nmap.org/book/man-port-scanning-basics.html
- reference - http://www.rfc-editor.org/rfc/rfc792.txt
a recent phishing email i got – hey dudes, this is maggie tam!
recently, i got a phishing email which made me stop and think who this guy is, below is the content i got
hey guys, I haven't seen or talked to some of you for ages, but how are all of you doing??? hope you guys are having fun at casterton (for those still there) and have joy at whatever you do,
well I've changed my email:
old: abc@hotmail.com
NEW email: xyz@hotmail.com
well, I will try and add all of you again!!
if you want to send me emails feel free!
Love you all,
Magz!
a while after getting this email, i found this person trying to add me on msn. hm..., it seems like phishers are now going one step further by combining email and msn to approach the victim. if you have a certain level of curiosity and no doubt, you may add her and get phished in the end. good luck
battlenet warning on account theft
hm... when you read the new security portal provided by blizzard, to an internet security professional the advice there is very basic: the usual ways to defend your online assets from being phished or hacked.
understanding the aurora attack in ie
now that the exploit source code is out, i can reproduce the ie aurora exploit using metasploit and dump my peer's screen out; it is really terrible. (note: my testing platform is ie6 running on xp)
- metasploit user guide - http://www.metasploit.com/documents/users_guide.pdf
- blog articles - http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html
- news reference - http://blogs.zdnet.com/security/?p=5250&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29
- news reference - http://www.securityfocus.com/brief/1063
- news reference - http://www.securityfocus.com/brief/1060
- adobe blog - http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html
- microsoft security advisory - http://www.microsoft.com/technet/security/advisory/979352.mspx
- microsoft security center - http://www.microsoft.com/security/default.aspx
you are being identified easily on the web
the electronic frontier foundation has demonstrated how a browser can be identified on the web from information it hands over anyway, without cookies or login. it evaluates the http request headers (like the User-Agent and Accept headers) and uses javascript to read browser settings (like the plugins installed, the system fonts, the screen size and the time zone). none of these is unique on its own, but the combination is rare enough to identify the browser across visits. you can try out their test from here.
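the point of the eff test is that attributes which are each common become identifying once combined. the following is an added example, not the eff's code and not from the original post: it measures, in bits of surprisal (log2 of population size over how many visitors share a value), how much each attribute alone reveals and how much the combined fingerprint reveals. the attribute names, values and the 16-visitor population are constructed for the demo so that every single value is shared by half the visitors while every full fingerprint is unique.

```python
"""Added example (not the EFF's code or the original post's): why a browser
is identifiable from attributes that are each common on their own.
The population is constructed so that every single attribute value is shared
by half the visitors, yet the combination of all five is unique."""
import hashlib
import math
from collections import Counter

# Constructed attribute values, two alternatives each. A real fingerprint
# uses the raw User-Agent and Accept headers plus what JavaScript reports.
ATTRIBUTES = ("User-Agent", "Plugins", "Fonts", "Time zone", "Screen")
CHOICES = (
    ("Firefox 3.6 / Windows XP", "IE 8 / Windows 7"),
    ("Flash, Java", "Flash, Java, Silverlight"),
    ("Arial, Verdana, Tahoma", "Arial, Verdana, Tahoma, Calibri"),
    ("UTC+8", "UTC+0"),
    ("1280x800x24", "1024x768x24"),
)


def constructed_population():
    """16 visitors: the 5th attribute is the parity of the other four, so
    every value occurs in exactly 8 of 16 visitors and no two visitors match."""
    population = []
    for n in range(16):
        bits = [(n >> i) & 1 for i in range(4)]
        bits.append(sum(bits) % 2)
        population.append(tuple(CHOICES[i][b] for i, b in enumerate(bits)))
    return population


def fingerprint(visitor):
    """What a fingerprinting site stores: a hash over the joined attributes."""
    return hashlib.sha1("|".join(visitor).encode()).hexdigest()


def bits_of_identity(population, visitor):
    """Surprisal log2(N / count) for each attribute alone and for the combined
    fingerprint. log2(N) bits means the visitor is unique in the population."""
    population = list(population)
    if visitor not in population:
        population.append(visitor)
    n = len(population)
    report = {}
    for i, name in enumerate(ATTRIBUTES):
        count = sum(1 for v in population if v[i] == visitor[i])
        report[name] = math.log2(n / count)
    shared = Counter(fingerprint(v) for v in population)[fingerprint(visitor)]
    report["combined"] = math.log2(n / shared)
    report["unique"] = shared == 1
    return report


if __name__ == "__main__":
    pop = constructed_population()
    for name, value in bits_of_identity(pop, pop[5]).items():
        print(f"{name:>10}: {value}")
```

with this population each attribute gives exactly one bit, and the five together give four bits, which singles out one visitor in sixteen; the eff's real figures are higher because font lists and plugin lists take far more than two values.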