the evil bit

The evil bit is an attempt to make securing remote systems easier by setting a flag in the IPv4 header that specifies whether or not the packet intends to harm the destination. Here are a few excerpts from RFC 3514, the document introducing the evil bit:

If the bit is set to 0, the packet has no evil intent. Hosts, network elements, etc., SHOULD assume that the packet is harmless, and SHOULD NOT take any defensive measures. (We note that this part of the spec is already implemented by many common desktop operating systems.)

If the bit is set to 1, the packet has evil intent. Secure systems SHOULD try to defend themselves against such packets. Insecure systems MAY choose to crash, be penetrated, etc.

Devices such as firewalls MUST drop all inbound packets that have the evil bit set. Packets with the evil bit off MUST NOT be dropped.
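As an added example (written for this post, not Nmap's code or anything from the RFC itself), here is the firewall rule from the excerpt above in Python. RFC 3514 places the evil bit in the high-order reserved bit of the IPv4 flags/fragment-offset word (mask 0x8000 of header bytes 6-7); the sample headers, addresses and checksums are constructed in the code.

```python
import ipaddress
import struct

EVIL_BIT = 0x8000  # RFC 3514: the high-order (reserved) bit of the flags/fragment-offset word
DROP, ACCEPT, MALFORMED = "DROP", "ACCEPT", "MALFORMED"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def rfc3514_verdict(packet: bytes) -> str:
    """Firewall rule from RFC 3514: MUST drop if the evil bit is set, MUST NOT
    drop otherwise. Headers that cannot be parsed or fail the checksum get their
    own verdict so a broken packet is never mistaken for a harmless one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return MALFORMED
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return MALFORMED
    if ipv4_checksum(packet[:ihl]) != 0:  # a valid header checksums to zero
        return MALFORMED
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    return DROP if flags_frag & EVIL_BIT else ACCEPT


def build_ipv4_header(evil: bool, src="192.0.2.1", dst="198.51.100.7") -> bytes:
    """Constructed sample header (documentation addresses, TCP, no payload)
    used only to exercise the filter; 'evil' sets the RFC 3514 bit."""
    flags_frag = 0x4000 | (EVIL_BIT if evil else 0)  # DF set, fragment offset 0
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0x1234, flags_frag, 64, 6, 0,  # checksum placeholder = 0
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    csum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


if __name__ == "__main__":
    for evil in (False, True):
        print(f"evil={evil}: {rfc3514_verdict(build_ipv4_header(evil))}")
```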

So, as you can clearly see, this will make internet security far easier. I have created a small patch in the experimental Nmap repository to make Nmap RFC 3514 compliant. It is unclear when this experimental patch will make it into the main Nmap distribution, as there has been some controversy in the past over the bit, Nmap users, and exactly how to implement it. Here are some quotes from http://seclists.org/nmap-hackers/2003/0009.html:

1) How should Nmap determine evil intent? Perhaps an --evil option
would be handy, or maybe a standard environmental variable should
be used (SCRIPT_KIDDIE=1?) so that all security programs run by the
hacker set the flag appropriately? Or maybe Nmap could ship with a
hardcoded list of UNIX usernames used by known malicious hackers?
Maybe shady options like “decoy scan” and Idle Stealth scan should
always set the bit.

NMAP should remain agnostic, and set the evil bit to .5, neither on nor off.
This should please the white, grey and black hats.

I think perhaps a default option configurable at compile time. For example
if I include Nmap in a rootkit I may not be able to control the username or
environmental variables properly, and would be potentially violating the RFC
which would be very rude towards the end system I am using.

One can imagine --evil will be very welcome among the novice
hackers early in their careers, as they take those first hesitant
steps towards evil hacking.

Cheers,
Michael

NMAP

Final exams, moving out of my apartment, and now actively working on Nmap related projects; this week has been pretty busy for me. But at least my Nmap projects are pretty interesting. I'm working on two major ones right now: --top-ports, and the OS fingerprint integration assistant.

--top-ports is pretty cool: normally Nmap scans check a vast range of ports, most of which aren't open 90% of the time. I will be checking which ports are most frequently open in the real world through empirical testing; this feature could potentially speed up many Nmap scans. There have already been a few third party internet portscans, the most interesting being ACK-RST; the difference from the ACK-RST survey is that I will feature far more hosts and I will be scanning the entire port range.

The second feature is something that you as an Nmap user will never get to use, see, or even notice; it is something for the core Nmap developers. Currently the OS fingerprinting database is edited almost manually, with only a few basic utilities to help out whichever poor soul gets stuck with the task. I will be writing a GUI utility to make the task far easier and quicker. As a plus for the end user, this means that the main developers will have more time for coding actual features, as they will be wasting less time editing text mode databases.

-Michael

Insecure.org

I managed to get a Google Summer of Code stipend this year working with the nmap crew. With regards to the people that I'm working with: WOW, some of them are pretty well known in their respective communities.

You can see all the Nmap abstracts here.

Introducing the 2008 Nmap/Google Summer of Code Team

The Nmap Project is pleased to announce that Google has agreed to
sponsor seven student developers to spend their Summer enhancing the
Nmap Security Scanner.  If you enjoy the new Zenmap GUI, 2nd
generation OS detection system, or the Nmap Scripting Engine, then you
are using features developed in a large part by previous Summer of
Code students.  While the last three years have been terrific
successes, as described at
http://seclists.org/nmap-dev/2007/q4/0024.html , we hope to accomplish
even more this year.  So we’re delighted to introduce the 2008 team:

Kemal Akman has already made a name for himself in the security world
under his handle Mixter (http://en.wikipedia.org/wiki/Mixter).  His
experience writing numerous security tools and exploits makes him a
perfect choice to create Ncat and Nping, new interpretations of the
venerable netcat and hping2 utilities.  Our versions will utilize
Nmap’s efficient networking libraries, be actively maintained, and
include all the features we have long wished were in the originals.
Much of the work on Ncat has already been completed by previous SoC
student Chris Gibson.  For more details on our plans, see the project
requirements document at http://nmap.org/SoC/Ncat.html .  Mixter is
finishing his 2nd year studying Bioinformatics at Ludwig-Maximilians
University in Munich, Germany.  He will be mentored by Nmap author
Fyodor.

Patrick Donnelly is a well-known expert in the Lua community, and also
has substantial experience with C and C++.  So he is a perfect choice
to improve the Nmap Scripting Engine [http://nmap.org/book/nse.html]
infrastructure.  Some ideas include adding a script documentation
system based on LuaDoc and improving the efficiency of the system.
Patrick is finishing his 3rd year as a Computer Engineering student at
the University of New Mexico in the USA.  His project mentor is
Fyodor.

Kris Katterjohn has long been one of the most prolific Nmap
developers.  He has authored hundreds of useful patches, and his name
appears in the Nmap changelog 82 times.  He was a successful Nmap SoC
student last summer, and we’re delighted to have him back again.  As a
feature creeper, Kris will handle a wide variety of tasks, from fixing
bugs to adding new features.  Kris is finishing his 2nd year studying
Computer Science at Northwest Mississippi Community College in the
USA.  He will be mentored by Fyodor.

Vladimir Mitrovic plans to spend the summer improving the Zenmap GUI.
In addition to improving the interface, Vladimir is interested in
adding network topology mapping to the system.  He has already written
code for this, and posted ideas at
http://seclists.org/nmap-dev/2008/q1/0409.html .  Vladimir
successfully completed SoC last year with the OpenMRS project.  When
we asked his previous mentor for a reference letter, it started with
“Vladimir is a star” and ended with “If you work with Vladimir, you
won’t be disappointed.”  He is finishing his fifth year studying
Computer Science at the University of Belgrade in Serbia.  Vladimir
will be mentored by David Fifield, who was himself an Nmap SoC student
last year.

Jurand Nogiec will also be working on features and enhancements for
Zenmap.  Our goal is to make Zenmap so powerful in browsing and
analyzing results that even Nmap experts will prefer it to the
command-line for some scans.  Of course the traditional command-line
version isn’t going away!  Jurand is finishing his second year
studying Computer Science at the University of Illinois at
Urbana-Champaign in the USA.  He will be mentored by David Fifield.

Michael Pattrick will be a feature creeper working on a wide variety
of important Nmap tasks.  One of his tasks will be improving the Nmap OS
fingerprint integration system as described at
http://bamsoftware.com/wiki/Nmap/OSIntegratorAssistantRequirements, as
he has already developed some great ideas for doing so.  Michael is
completing his 2nd year studying IT Security at the University of
Ontario IT in Canada.  His mentor is David Fifield.

Philip Pickering plans to focus on the Nmap Scripting Engine, with an
emphasis on writing valuable scripts and libraries.  He will also be
doing some infrastructure work, such as enhancing the NSE debugger so
it can be integrated with Nmap.  Philip is completing his 2nd year
studying Software & Information Engineering at the Vienna University
of Technology in Austria.  His mentor will be Diman Todorov, who
helped create the Nmap Scripting Engine as an Nmap SoC student in 2006.

In addition to these core Nmap projects, 5 students were sponsored to
work on the UMIT Nmap GUI.  UMIT was created by SoC student Adriano
Marques in 2005 and 2006 and forms the basis of Zenmap which is now
included with our Nmap packages and integrated into our repository.
However, Adriano has developed his own design goals for Umit, and is
carrying it forward as a separate project.  We wish him the best in
this endeavor and are excited to see what the Umit team comes up with.

Please join us in welcoming this new team of Nmap SoC students! Most
of the development will be done on the nmap-dev list, where everybody
is invited to participate in coding, suggesting ideas, testing,
etc. With a team like this, we can’t help but expect great things for
the Summer of 2008!

-Fyodor

Internet traffic generator owns EIGRP

Apparently my internet traffic generator kills EIGRP.

Internet traffic

I have written a layer 7 traffic generator and it boasts the following features:

  • ~90% line speed per protocol through a router.
  • ~99% line speed per protocol through switches.
  • Support for 8 protocols. (http, rtp, telnet, smtp, pop3, ftp, ssh, x11)
  • Concurrent protocol traffic generation.

Here's a screenshot of the effect it has on a computer.

After a bit of beta testing I plan on releasing it open source :)