IT Nov. 19 Assignment:

Ipfw:

Since I didn't have access to a Linux box, I had to improvise with my OS X machine. Darwin uses ipfw instead of iptables (this is what OS X's System Preferences firewall modifies), but it's pretty much the same thing with a slightly different interface. Setting up logging was difficult (or at least poorly explained). Here is the firewall as I have it set up now:

[localhost:~] root# ipfw show
02000 11590   714556 allow ip from any to any via lo*
02010     0        0 deny ip from 127.0.0.0/8 to any in
02020     0        0 deny ip from any to 127.0.0.0/8 in
02030     0        0 deny ip from 224.0.0.0/3 to any in
02040     0        0 deny tcp from any to 224.0.0.0/3 in
02050 51104  7654816 allow tcp from any to any out
02060 47099 19703665 allow tcp from any to any established
02070     0        0 allow tcp from any to any 548 in
02080     0        0 allow tcp from any to any 427 in
02090     0        0 allow tcp from any to any 22 in
02100     0        0 allow tcp from any to any 20-21 in
02105     0        0 deny tcp from any 21 to any in
02110     0        0 allow tcp from any 20 to any 1024-65535 in
02120     0        0 allow tcp from any to any 5297 in
02130     0        0 allow tcp from any to any 5298 in
02140    10      600 unreach host log tcp from any to any 80 in
12190     0        0 deny tcp from any to any
65535 72512 13367846 allow ip from any to any

Rule 02140 (unreach) is the equivalent of iptables' REJECT rule. By default, logged packets are put in the system.log file. Easy enough, right? Unfortunately they're only logged if the sysctl variable net.inet.ip.fw.verbose is set to true. Guess how long it took me to figure that out? Regardless, it now works, so if I point a browser from cs at my IP address...

Dec 5 14:29:09 localhost kernel: ipfw: 2140 Unreach TCP 10.1.2.19:51103 10.1.5.108:80 in via en0

Voilà. So that's nice. I'm still trying to understand dynamic rules, but once I get it I can do things like drop sketchy TCP packets, like those sent by nmap.

Host/nmap Exploration:

I decided to poke around www.ign.com's domain.
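Once net.inet.ip.fw.verbose is on, system.log fills up quickly, and the interesting question becomes who is tripping which rule. The script below is an added example (it is not code from the post): it parses ipfw log lines in the layout of the single entry shown above, counts hits per rule and source address, and flags sources that touched several distinct destination ports, which is what an nmap run against this rule set looks like. The regular expression is an assumption derived from that one line and only covers TCP and UDP entries; the sample log is constructed. One more sysctl worth knowing about on FreeBSD-derived ipfw is net.inet.ip.fw.verbose_limit, which caps how many times a single rule logs (0 means unlimited), so a rule that goes quiet after a while may simply have hit its limit.

```python
"""Summarise ipfw log entries from system.log (added example, not from the post)."""
import re
from collections import Counter, defaultdict

# Constructed sample log, patterned on the one ipfw line quoted in the post.
# Rule 2140 is the logged 'unreach' rule for port 80; rule 12190 is assumed
# here to have been given the 'log' keyword as well. The cron line shows
# what the parser ignores.
SAMPLE_LOG = """\
Dec  5 14:29:09 localhost kernel: ipfw: 2140 Unreach TCP 10.1.2.19:51103 10.1.5.108:80 in via en0
Dec  5 14:29:10 localhost kernel: ipfw: 2140 Unreach TCP 10.1.2.19:51104 10.1.5.108:80 in via en0
Dec  5 14:29:12 localhost kernel: ipfw: 2140 Unreach TCP 10.1.2.19:51105 10.1.5.108:80 in via en0
Dec  5 14:30:01 localhost kernel: ipfw: 12190 Deny TCP 10.1.2.44:40022 10.1.5.108:23 in via en0
Dec  5 14:30:05 localhost kernel: ipfw: 12190 Deny TCP 10.1.2.44:40023 10.1.5.108:25 in via en0
Dec  5 14:30:09 localhost kernel: ipfw: 12190 Deny TCP 10.1.2.44:40024 10.1.5.108:110 in via en0
Dec  5 14:31:30 localhost cron[231]: (root) CMD (/usr/sbin/periodic hourly)
"""

# Assumed layout: "<syslog ts> <host> kernel: ipfw: <rule> <Action> <PROTO>
# <src>:<sport> <dst>:<dport> <in|out> via <iface>". ICMP entries use a
# different layout and are deliberately not matched.
IPFW_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)\s*$"
)


def parse_ipfw_log(text):
    """Return one dict per ipfw TCP/UDP log line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IPFW_LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["rule"] = int(ev["rule"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def hits_by_rule_and_source(events):
    """Counter keyed by (rule, action, src): who is tripping which rule."""
    return Counter((e["rule"], e["action"], e["src"]) for e in events)


def scanning_sources(events, min_ports=3):
    """Sources whose inbound packets hit at least min_ports distinct destination
    ports: a crude port-scan indicator (one host retrying port 80 does not count)."""
    ports = defaultdict(set)
    for e in events:
        if e["dir"] == "in":
            ports[e["src"]].add(e["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    evs = parse_ipfw_log(SAMPLE_LOG)
    for (rule, action, src), n in hits_by_rule_and_source(evs).most_common():
        print(f"rule {rule:>5} {action:<8} from {src:<15} {n} packet(s)")
    print("possible scanners:", scanning_sources(evs))
```

To run it against the real file, replace SAMPLE_LOG with the contents of /var/log/system.log; lines that ipfw did not write, and ICMP entries, fall through the regular expression and are ignored rather than crashing the run.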
I figure these guys are paid to play video games, so I should make their lives a little more difficult. No printers as far as I can see, but I did find something rather interesting. Observe a default nmap scan (the -sS option) of IGN and closely related IP addresses (host reveals www.ign.com's IP address to be 216.35.123.113):

[localhost:/etc] root# nmap 216.35.123.121/28

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (216.35.123.113):
(The 1599 ports scanned but not shown below are in state: filtered)
Port       State       Service
80/tcp     open        http
443/tcp    closed      https

Interesting ports on (216.35.123.115):
(The 1599 ports scanned but not shown below are in state: filtered)
Port       State       Service
80/tcp     open        http
443/tcp    closed      https

Interesting ports on extsmtp1.snowball.com (216.35.123.116):
(The 1600 ports scanned but not shown below are in state: filtered)
Port       State       Service
443/tcp    open        https

Interesting ports on extsmtp2.snowball.com (216.35.123.117):
(The 1600 ports scanned but not shown below are in state: filtered)
Port       State       Service
443/tcp    open        https

Interesting ports on adserver.gameshark.com (216.35.123.118):
(The 1599 ports scanned but not shown below are in state: filtered)
Port       State       Service
80/tcp     open        http
443/tcp    closed      https

Interesting ports on o.download.theforce.net (216.35.123.119):
(The 1600 ports scanned but not shown below are in state: filtered)
Port       State       Service
443/tcp    closed      https

Interesting ports on (216.35.123.120):
(The 1599 ports scanned but not shown below are in state: filtered)
Port       State       Service
80/tcp     open        http
443/tcp    closed      https

Nmap run completed -- 16 IP addresses (7 hosts up) scanned in 1262 seconds

I find it amusing that they have an entire server dedicated to ads. Thank you, Capitalist America. Anyway, most stuff is getting filtered out... That's no fun. Let's try a "stealth" FIN scan. For brevity, I stuck the output in a separate file (~glein/nmap-ign.txt), but the result is rather interesting.
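Before reading a FIN-scan result it helps to model what each scan type actually sees through a packet filter. The model below is an added example, not code from the post; the target's port states and the filter policies are constructed to resemble the hosts above (80 open, 443 closed, everything else filtered). The rules it encodes are the standard ones: a closed port answers any probe with RST; an open port answers a SYN with SYN/ACK but, on a BSD-style stack following RFC 793, silently discards a lone FIN; a filter that drops unsolicited packets is silent too. nmap 3.00 reports a silent FIN probe as "open" (later releases say "open|filtered"), so a default-drop filter turns every filtered port into an "open" one under -sF, while -sS keeps calling them "filtered". A filter that answers with ICMP unreachable (the ipfw "unreach" action) is visible to both scans as "filtered".

```python
"""Model of SYN vs. FIN scanning through a packet filter (added example, not from the post)."""

# Constructed target: a web server with 80 open and everything else closed.
TARGET_PORTS = {22: "closed", 25: "closed", 80: "open", 443: "closed"}

# Constructed filter policies. "pass" lists ports whose unsolicited inbound
# packets reach the host; everything else gets the default action.
DROP_POLICY = {"pass": {80, 443}, "default": "drop"}      # silent, like the hosts above
REJECT_POLICY = {"pass": {80, 443}, "default": "reject"}  # ICMP unreachable, like ipfw 'unreach'
NO_FIREWALL = {"pass": set(TARGET_PORTS), "default": "drop"}


def filter_action(port, policy):
    """What the packet filter does with an unsolicited inbound segment to port."""
    return "pass" if port in policy["pass"] else policy["default"]


def host_reply(probe, port_state, action):
    """Reply to one probe segment ("SYN" or "FIN") once the filter has acted.

    Models a BSD-style stack (RFC 793): a closed port answers any segment
    with RST; an open port answers SYN with SYN/ACK and ignores a lone FIN.
    Returns "SYN/ACK", "RST", "ICMP-unreach", or None for silence.
    """
    if action == "drop":
        return None
    if action == "reject":
        return "ICMP-unreach"
    if port_state == "closed":
        return "RST"
    if probe == "SYN":
        return "SYN/ACK"
    return None


def nmap_verdict(probe, reply):
    """Per-port state as nmap 3.00 prints it. Later releases print
    'open|filtered' where this returns 'open' for a silent FIN probe."""
    if reply == "ICMP-unreach":
        return "filtered"
    if reply == "RST":
        return "closed"
    if probe == "SYN":
        return "open" if reply == "SYN/ACK" else "filtered"
    return "open"  # FIN scan: no answer is taken as open


def run_scan(probe, target_ports, policy):
    """Return {port: state} for one scan type against one target/filter pair."""
    return {
        port: nmap_verdict(probe, host_reply(probe, state, filter_action(port, policy)))
        for port, state in target_ports.items()
    }


if __name__ == "__main__":
    for name, policy in [("no firewall", NO_FIREWALL), ("drop", DROP_POLICY), ("reject", REJECT_POLICY)]:
        print(f"{name:>12}: SYN {run_scan('SYN', TARGET_PORTS, policy)}")
        print(f"{'':>12}  FIN {run_scan('FIN', TARGET_PORTS, policy)}")
```

Two caveats the model makes visible: a FIN scan can only ever distinguish "closed" from "not closed", so it says nothing about whether a port is reachable at all; and it assumes RFC 793 behaviour, whereas Windows and a few other stacks reset every lone FIN regardless of port state, which makes a FIN scan against them report everything closed.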
Apparently EVERYTHING is open on all of these hosts. So either they have no personal firewalls set up (which sounds ridiculous for such a company) or they have something faking out nmap. I haven't been able to find any information about such a method, but it seems both possible and very cool.

JavaScript, Cross-site Scripting, and SQL Injection, Oh My:

All that time hanging out at hackthissite.org is finally paying off. I tried Jim's JavaScript example at amazon.com, which sure enough showed off my cookie information. For security reasons, I'm not going to paste that info here. The info was sent unencrypted too, so it's probably not so good to do. I tried some simple SQL injection on several sites ("blah' OR 'r'='r" for both user and password). Didn't find any that worked. I also tried a little HTML escape code (<% `echo "hello?"` %> and the like). Either people are cracking down on these easy holes, or I just don't know where to look, but it was a little disappointing. Maybe next time.
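To see why the "blah' OR 'r'='r" string is supposed to work, and what a site that is not vulnerable to it does differently, here is the login query both ways against an in-memory SQLite table. This is an added example, not code from the post or from any of the sites tried; the users table and its one row are constructed. The vulnerable version pastes the form fields into the SQL text, so the quote in the payload closes the string literal and the rest becomes part of the WHERE clause; since AND binds tighter than OR, the trailing OR 'r'='r' makes the whole condition true and the first row comes back. The hardened version binds the same input as a parameter, so the database only ever sees it as a string value.

```python
"""The "blah' OR 'r'='r" login bypass against an in-memory SQLite table
(added example, not from the post)."""
import sqlite3


def make_db():
    """Constructed one-user table standing in for a site's login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    return conn


def login_vulnerable(user, pw):
    """Builds the query by string concatenation: attacker text becomes SQL.

    With the payload in both fields the statement sent to SQLite is
    SELECT username FROM users WHERE username = 'blah' OR 'r'='r'
        AND password = 'blah' OR 'r'='r'
    which is true for every row.
    """
    conn = make_db()
    sql = ("SELECT username FROM users WHERE username = '" + user
           + "' AND password = '" + pw + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(user, pw):
    """Same query with bound parameters: attacker text stays a string value."""
    conn = make_db()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (user, pw),
    ).fetchone()
    return row[0] if row else None


PAYLOAD = "blah' OR 'r'='r"       # the string the post tried for both fields
COMMENT_PAYLOAD = "' OR 1=1 --"    # variant that comments out the password check

if __name__ == "__main__":
    print("vulnerable, payload:  ", login_vulnerable(PAYLOAD, PAYLOAD))
    print("vulnerable, comment:  ", login_vulnerable(COMMENT_PAYLOAD, "x"))
    print("safe, payload:        ", login_safe(PAYLOAD, PAYLOAD))
    print("safe, real credentials:", login_safe("alice", "hunter2"))
```

The second payload is worth keeping in mind when the first one fails: it only needs the username field, and the trailing "--" turns the rest of the statement into a comment, so it survives sites that validate the password field but not the username.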