============|  Defeating Portsentry (Intrusion Detection system)
              y3dips <y3dips@gmail.com>


==================||Intro

Artikel ini dibuat dengan tujuan memberikan wawasan dan sedikit trik untuk
menghadapi "portsentry" yang sering digunakan untuk melengkapi "fitur"
sekuriti suatu mesin (PC/Server), kebetulan penulis merupakan pemakai
`program` ini pula (!portsentry) .Artikel ini juga secara tidak langsung
mengajak kita untuk tidak mengganggap bahwa "mengalahkan" adalah dengan
cara frontal/total , tetapi mengalahkan bisa berarti mengikuti desain atau
aturan ( design and rule)! dan mengambil keuntungan dari desain tersebut.

----| Background |----------------------------------------------------------

Dalam kegiatan "Footprinting" terhadap suatu mesin , maka kita mau atau tidak
mau harus melakukan "scanning" terhadap mesin, aktifitas scanning inilah
nantinya yang akan membantu kita dalam "mengorek" info lebih dalam tentang
mesin tersebut.Banyak sekali software yang bisa kita gunakan untuk lakukan
scanning disertai metode metode yang "dahsyat" dan fitur fitur yang keren.

Portsentry adalah program yang di gunakan untuk mendeteksi port scan
(scan thd port) pada interface jarigan sampai kepada mendeteksi sacan yang
dilakukan secara stealth (tanpa melakukan ping thd mesin, dll). Dan juga
Portsentry memiliki "alarm" yang dapat melakukan blocking terhadap mesin
yang melakukan scanning ke mesin kita (baik penambahan di hosts.deny, sampai
penambahan rule "REJECT" pada table routing)

==================||Get Rumble

Sekarang aku akan coba praktekkan secara langsung terhadap mesin yang telah
menggunakan portsentry , ini skenarionya :

target (portsentry running on it) : root@heaven (192.168.1.1)
attacker (with nmap and else)     : y3dips@hogwarts (192.168.1.9)

ok, lets go!

Sekarang portsentry belumlah berjalan sama sekali dan kita akan melakukan
scanning ke mesin "heaven"

<shell>
root@heaven:~ # ps -awx | grep portsentry
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
 7286 pts/1    S+     0:00 grep portsentry
</shell>

yupe, portsentry tidak/belum running di mesin heaven

---------------------------- [ Attacker Side ] --------------------------

----|The scanning begin[1st]

Sekarnag kita akan melakukan scanning terhadap mesin yang belum menjalankan
portsentry di "atasnya"

<shell>
y3dips@hogwarts:~$ sudo nmap 192.168.1.1

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-07-02 22:08 WIT
Interesting ports on 192.168.1.1:
(The 1660 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3128/tcp open  squid-http
MAC Address: 80:0A:E6:1E:F4:A8 (Unknown)

Nmap run completed -- 1 IP address (1 host up) scanned in 21.206 seconds
</shell>

yupe, scanning standar terhadap mesin , kita mendapatkan beberapa port
yang menjalankan service

Selanjutnya gunakan stealth scan (-sS) terhadap target (heaven)

<shell>
y3dips@hogwarts:~$ sudo nmap -sS -vv -P0 -sV 192.168.1.1

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-07-02 22:09 WIT
Initiating SYN Stealth Scan against 192.168.1.1 [1663 ports] at 22:10
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 3128/tcp on 192.168.1.1
The SYN Stealth Scan took 0.34s to scan 1663 total ports.
Initiating service scan against 3 services on 192.168.1.1 at 22:10
The service scan took 5.08s to scan 3 services on 1 host.
Host 192.168.1.1 appears to be up ... good.
Interesting ports on 192.168.1.1:
(The 1660 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 2.0)
80/tcp   open  http       Apache httpd 1.3.33 ((Debian GNU/Linux))
3128/tcp open  http-proxy Squid webproxy 2.5.STABLE8
MAC Address: 80:0A:E6:1E:F4:A8 (Unknown)

Nmap run completed -- 1 IP address (1 host up) scanned in 26.172 seconds
</shell>

karena kita gunakan options version juga maka informasi versi dari aplikasi
juga kita daptkan :)


----|Portsentry is Up

Sekarang yakinkan kalo portsentry telah "running" di mesin heaven

<shell>
root@heaven:~ # ps -awx | grep portsentry
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
 6805 ?        Ss     0:00 /usr/sbin/portsentry -tcp
 6809 ?        Ss     0:00 /usr/sbin/portsentry -udp
</shell>

Dan juga bisa melakukan checking ke log file

<shell>
root@heaven:~ # tail -f /var/log/syslog
Jul  3 10:16:21 localhost portsentry[7301]: adminalert: Going into listen mode on UDP port: 640
Jul  3 10:16:21 localhost portsentry[7301]: adminalert: Going into listen mode on UDP port: 700
Jul  3 10:16:21 localhost portsentry[7301]: adminalert: Going into listen mode on UDP port: 32770
Jul  3 10:16:21 localhost portsentry[7301]: adminalert: Going into listen mode on UDP port: 32771
Jul  3 10:16:21 localhost portsentry[7301]: adminalert: Going into listen mode on UDP port: 32772
Jul  3 10:16:21 localhost portsentry[7301]: adminalert: Going into listen mode on UDP port: 32773
Jul  3 10:16:21 localhost portsentry[7301]: adminalert: Going into listen mode on UDP port: 32774
Jul  3 10:16:21 localhost portsentry[7301]: adminalert: Going into listen mode on UDP port: 31337
Jul  3 10:16:21 localhost portsentry[7301]: adminalert: Going into listen mode on UDP port: 54321
Jul  3 10:16:21 localhost portsentry[7301]: adminalert: PortSentry is now active and listening.
</shell>

yupe portsentry telah berjalan sebagaimana mestinya, Ingat kali ini
konfigurasi portsentry kita buat untuk tidak lakukan blocking langsung
terhadap scanning dan tidak langsuung melakukan "kill route"


<++>/etc/portsentry/portsentry.conf

#######################
# Port Configurations #
#######################
# Use these for just bare-bones
TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,
          \32771,32772,32773,32774,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,
          \31337,54321"

ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"

# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"

##################
# Ignore Options #
##################
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="0"
BLOCK_TCP="0"

###################
# Dropping Routes:#
###################
# We do Nothing !!!!


<-->/etc/portsentry/portsentry.conf

Tujuan kita adalah untuk melihat "fake" daemon yang di hasilkan dan log yang
dicatat, ini cuma masalah "purpose" saja :) , agar riset kita sedikit "w0w"

---------------------------- [ Attacker Side ] --------------------------

----|The scanning begin[2nd]

<shell>
y3dips@hogwarts:~$ sudo nmap -sS -vv -P0 -sV 192.168.1.1

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-07-02 22:16 WIT
Initiating SYN Stealth Scan against 192.168.1.1 [1663 ports] at 22:16
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 540/tcp on 192.168.1.1
Discovered open port 32771/tcp on 192.168.1.1
Discovered open port 635/tcp on 192.168.1.1
Discovered open port 32772/tcp on 192.168.1.1
Discovered open port 15/tcp on 192.168.1.1
Discovered open port 32773/tcp on 192.168.1.1
Discovered open port 54320/tcp on 192.168.1.1
Discovered open port 11/tcp on 192.168.1.1
Discovered open port 2000/tcp on 192.168.1.1
Discovered open port 32774/tcp on 192.168.1.1
Discovered open port 12346/tcp on 192.168.1.1
Discovered open port 143/tcp on 192.168.1.1
Discovered open port 1080/tcp on 192.168.1.1
Discovered open port 12345/tcp on 192.168.1.1
Discovered open port 111/tcp on 192.168.1.1
Discovered open port 1524/tcp on 192.168.1.1
Discovered open port 3128/tcp on 192.168.1.1
Discovered open port 110/tcp on 192.168.1.1
Discovered open port 1/tcp on 192.168.1.1
The SYN Stealth Scan took 0.60s to scan 1663 total ports.
Initiating service scan against 21 services on 192.168.1.1 at 22:16
The service scan took 5.03s to scan 21 services on 1 host.
Host 192.168.1.1 appears to be up ... good.
Interesting ports on 192.168.1.1:
(The 1642 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE          VERSION
1/tcp     open  tcpmux?
11/tcp    open  systat?
15/tcp    open  netstat?
22/tcp    open  ssh              OpenSSH 3.9p1 (protocol 2.0)
80/tcp    open  http             Apache httpd 1.3.33 ((Debian GNU/Linux))
110/tcp   open  pop3?
111/tcp   open  rpcbind?
143/tcp   open  imap?
540/tcp   open  uucp?
635/tcp   open  unknown
1080/tcp  open  socks?
1524/tcp  open  ingreslock?
2000/tcp  open  callbook?
3128/tcp  open  http-proxy       Squid webproxy 2.5.STABLE8
12345/tcp open  NetBus?
12346/tcp open  NetBus?
32771/tcp open  sometimes-rpc5?
32772/tcp open  sometimes-rpc7?
32773/tcp open  sometimes-rpc9?
32774/tcp open  sometimes-rpc11?
54320/tcp open  bo2k?
MAC Address: 80:0A:E6:1E:F4:A8 (Unknown)

Nmap run completed -- 1 IP address (1 host up) scanned in 26.316 seconds
</shell>

Lihat , apa yang terjadi ? begitu banyak daemon yang dijalankan oleh
"heaven" padahal sesungguhnya hanya "3" buah (lihat diatas)
portsentry created "fake daemon/service" yang berjalan pada port port
yang kita tentukan pada file konfigurasi.

Dengan catatan blocking rule dan kill rule tidak kita aktifkan (if u admin,
u should dont do this!)

----|Logs Are Reliable

Setelah aksi kita tersebut , apakah yang akan di dapatkan oleh "heaven".
Mari kita lihat apakah aksi kita dalam men-scan "heaven" tidak terdeteksi
oleh portsentry ?, untukm itu mari lakukan sedikit investigasi terhadap
log file

<script>
root@heaven:~ # tail -f /var/log/syslog
Jul  3 10:18:09 localhost portsentry[7320]: adminalert: Going into listen mode on UDP port: 640
Jul  3 10:18:09 localhost portsentry[7320]: adminalert: Going into listen mode on UDP port: 700
Jul  3 10:18:09 localhost portsentry[7320]: adminalert: Going into listen mode on UDP port: 32770
Jul  3 10:18:09 localhost portsentry[7320]: adminalert: Going into listen mode on UDP port: 32771
Jul  3 10:18:09 localhost portsentry[7320]: adminalert: Going into listen mode on UDP port: 32772
Jul  3 10:18:09 localhost portsentry[7320]: adminalert: Going into listen mode on UDP port: 32773
Jul  3 10:18:09 localhost portsentry[7320]: adminalert: Going into listen mode on UDP port: 32774
Jul  3 10:18:09 localhost portsentry[7320]: adminalert: Going into listen mode on UDP port: 31337
Jul  3 10:18:09 localhost portsentry[7320]: adminalert: Going into listen mode on UDP port: 54321
Jul  3 10:18:09 localhost portsentry[7320]: adminalert: PortSentry is now active and listening.
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 1
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Ignoring TCP response per configuration file setting.
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 11
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 15
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 110
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 111
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 143
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 540
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 635
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 1080
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 1524
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 2000
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 12345
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 12346
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 32771
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 32772
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 32773
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 32774
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Connect from host: 192.168.1.9/192.168.1.9 to TCP port: 54320
Jul  3 10:18:47 localhost portsentry[7316]: attackalert: Host: 192.168.1.9 is already blocked. Ignoring
</script>

Any comment ? yupe "we are caught in the acts" oleh portsentry yang memberi
"alert" pada kita dengan salah satu caranya adalah via log file


----|Blocking your Wayz

Apakah hanya segitu saja kemampuan portsentry ? hum tentu saja tidak

Sekarang gunakan strict configuration pada portsentry

<++>/etc/portsentry/portsentry.conf

##################
# Ignore Options #
##################
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP="1"

###################
# Dropping Routes:#
###################

KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

<-->/etc/portsentry/portsentry.conf

Yupe , Sekarang kita di blok! semua hubungan dengan target di putus :(
kamu tidak percaya ?

cek di mesin heaven

<shell>
root@heaven:~ # cat /etc/hosts.deny
ALL: 192.168.1.9 : DENY
</shell>

IP y3dips@hogwarts termasuk hosts yang di deny !

<shell>
root@heaven:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.9     -               255.255.255.255 !H    0      -        0 -
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
</shell>

liat FLags !H terhadap ip 192.1681.9 (y3dips@hogwarts)
!H = REJECT HOST

coba kita lakukan ping (dengan catatan sebelumnya bisa melakukan ping dan
icmp_echo_ignore_all di "heaven di set 0)

<shell>
y3dips@hogwarts:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 192.168.1.9 icmp_seq=2 Destination Host Unreachable
From 192.168.1.9 icmp_seq=3 Destination Host Unreachable
From 192.168.1.9 icmp_seq=7 Destination Host Unreachable
From 192.168.1.9 icmp_seq=11 Destination Host Unreachable
</shell>

masih belum yakin dengan ping request ? , coba lakukan scanning ulang
mengunakan nmap !? yang terjadi nmap kamu akan hang

<shell>
y3dips@hogwarts:~$ sudo nmap -sS -vv -P0 -sV 192.168.1.1

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-07-02 22:26 WIT
Initiating SYN Stealth Scan against 192.168.1.1 [1663 ports] at 22:27
SYN Stealth Scan Timing: About 8.99% done; ETC: 22:32 (0:05:04 remaining)
</shell>

==================||Revenge are about to begin


----|Knowledge Are ROckz

Kalian tau kejadiannya kan ? kenapa ?  pernahkah terpikir untuk tidak
mem-break desain ! tapi mengikuti desain , liat lagi desain portsentry
cari kelemahannya dan salah satunya adalah , cobalah gunakan jalur resmi
dengan artian "cobalah" lakukan "hand-shaking" or "tcp-connection"
with usual wayz :D , sampai sini mengertikah ?

Jadi gampangnya adalah coba aja lakukan koneksi ke service tersebut
dengan tujuan seolah olah bener bener akan melakukan koneksi

berikut script yang sangat sederhana yang aku buat untuk Proof of concept,
kebetulan dalam hal ini menggunakan perl , kamu dapat membuatnya menggunakan
bahasa pemograman lainnya .Script ini melakukan keneksi ke service
yang running , selanjutnya mencetak banner yang di keluarkan oleh
applikasi (mungkin akan kesulitan jika banner telah dimodifikasi, but
dont worry hal ini sangat jarang) , dan kebetulan juga script ini untuk
grab banner ssh saja, untuk lainnya gunakan kreatifitas kamu; (walau
script ini bis adi gunakan , asalkan service tidak membutuhkan kiriman
teks , seperti HTTP)

yang terpenting konsepnya dah dapet kan ?

mari lihat scriptnya :

<++> echo12-009/remote_grab_ssh.pl
#!/usr/bin/perl -w
#http://www.geocities.com/y3d1ps/scrapt/ssh_grab.pl.txt

print "*Simple Remote SSH Grab Banner by y3dips*\n";

if(@ARGV==0)
#Help Options
       {
       print "Gunakan: perl $0 www.target.com/ip.address:ssh \n";
       }
else

#Processing
       {
       use IO::Socket;
       my$server = shift;
       my$love = IO::Socket::INET->new($server);
       my$garis = <$love>;
       print "Result = $garis";
       }

#y3dips(c)2005
<--> echo12-009/remote_grab_ssh.pl

---------------------------------\\

Baiklah, sekarang mari kita lakukan sedikit ujicoba terhadap "heaven"
yang telah menggunakan portsentry dengan script yang sederhana ini:

<shell>
y3dips@hogwarts:~$ ./remote_grab_ssh.pl 192.168.1.1:ssh
*Simple Remote SSH Grab Banner by y3dips*
Result = SSH-2.0-OpenSSH_3.9p1 Debian-1ubuntu2
</shell>

nah, berarti port 22 dari heaven menyala ? dan kita dapat info lebih
mengenai versi dari sshd yang digunakan yaitu :
"SSH-2.0-OpenSSH_3.9p1 Debian-1ubuntu2"

metode ini juga dapat digunakan untuk mendeteksi daemon palsu yang di
bangkitkan/diciptakan oleh portsentry (*lihat hasil scanning kita diatas)

--------------------------------------------------------

Untuk membuktikan bahwa kita tidak terdeteksi di portsentry maka dapat
kita lihat di log portsentry (dalam hal in tergabung di syslog
(coz im to lazy to make it defferent :P)

<shell>
root@heaven:~ # tail -f /var/log/syslog
Jul  3 11:07:59 localhost portsentry[8827]: adminalert: Going into listen mode on UDP port: 640
Jul  3 11:07:59 localhost portsentry[8827]: adminalert: Going into listen mode on UDP port: 700
Jul  3 11:07:59 localhost portsentry[8827]: adminalert: Going into listen mode on UDP port: 32770
Jul  3 11:07:59 localhost portsentry[8827]: adminalert: Going into listen mode on UDP port: 32771
Jul  3 11:07:59 localhost portsentry[8827]: adminalert: Going into listen mode on UDP port: 32772
Jul  3 11:07:59 localhost portsentry[8827]: adminalert: Going into listen mode on UDP port: 32773
Jul  3 11:07:59 localhost portsentry[8827]: adminalert: Going into listen mode on UDP port: 32774
Jul  3 11:07:59 localhost portsentry[8827]: adminalert: Going into listen mode on UDP port: 31337
Jul  3 11:07:59 localhost portsentry[8827]: adminalert: Going into listen mode on UDP port: 54321
Jul  3 11:07:59 localhost portsentry[8827]: adminalert: PortSentry is now active and listening.
</shell>

lihat ? aksi kita tidak terdata di log-kan ? *_^

---------------------------------------------------------

Untuk semakin meyakinkan kalau routing kita tidak di reject (diputus)
oleh "heaven" coba lakukan ping (kecuali icmp_echo_ignore_all di set 1)

<shell>
y3dips@hogwarts:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.321 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.276 ms

--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.276/0.298/0.321/0.028 ms
</shell>

yeah, we did it bro!

----|THC Amap Rulez!

Jika dan hanya jika kalian terlalu malas untuk mengcoding sendiri (bukan
gak bisa loh ? cuma terlalu males :P ), maka "THC" telah membuatkan satu
aplikasi yang akan menscan aplikasi yang running di port tertentu yang
bernama THC AMAP.prinsip kerjanya sama seperti skrip sederhana yang aku
buat, hanya "lebih sempurna" terutama untuk semua aplikasi.


*amap v4.7 (c) 2004 by van Hauser and DJ RevMoon <amap-dev@thc.org>
*www.thc.org


Sekarang mari kita lakukan hal yang sama ;

<shell>
y3dips@hogwarts:~$ amap 192.168.1.1 -B 22
amap v4.7 (www.thc.org) started at 2005-07-02 23:09:34 - BANNER GRAB mode

Banner on 192.168.1.1:22/tcp : SSH-2.0-OpenSSH_3.9p1 Debian-1ubuntu2\n

amap v4.7 finished at 2005-07-02 23:09:34
</shell>

yupe, kita mengetahui bahwa service yang running pada port 22 di "heaven"
adalah OpenSSH_3.9p1

==================||Closing Session

----|Penutup

Semoga artikel ini sedikit banyak membuka wawasan kita, in cuma salah satu
cara , adapaun intinya adalah jikalau kita memiliki keterbatasan b/w (misal
saat Capture the Flag dengan aturan pengurangan nilai untuk penggunaan b/w,
maka scanning model ini bisa kita gunakan.) dibandingkan dengan model scan
secara port apalagi menggunakan ping sweep.

Apakah percuma menggunakan portsentry ? Tidak , portsentry kamu masih berguna
"thats why im still using it ", kenapa ? <cobain aja sendiri:P>

----|Contact

[1] "personal site". http://y3dips.echo.or.id
[2] "web blog". http://y3d1ps.blogspot.com

Leave a critic , comment, suggestion message , shoutz, or blame to

mailto:y3dips<at>gmail<dot>com


----|Referensi

[1] Portsentry. http://sourceforge.net/projects/sentrytools/
[2] THC "amap". http://thc.org
[3] nmap scanner. http://insecure.org/nmap/
[4] SHH Grab Banner.http://www.geocities.com/y3d1ps/scrapt/ssh_grab.pl.txt
[5] "Portsentry Prive Doc". http://www.geocities.com/y3d1ps/fedorabox/my_portsentry/
[6] Google. http://google.com

----|Greetz

+ m0by the_day comex z3r0byt3 k-159 c-a-s-e s`to lirva32 anonymous
+ Jim.Geovedi Biatch-x sakitjiwa yudhax
+ newbie_hacker@yahoogroups.com
+ e-c-h-o @ Dalnet

----|EOF