Archive for the ‘Education’ Category

Basic Port Scanning with Nmap

January 15th, 2013
This entry is part 1 of 1 in the series Penetration Testing Tutorials

As promised back in November, here is the first of my penetration testing tutorials. This tutorial will deal with the basics of Nmap, the popular port scanning security tool.

For this tutorial, you will need:

  • Nmap
  • A host (or hosts) that you own, or that you have permission to scan.

The host can be your computer (just use 127.0.0.1 as the IP address), or your home WiFi router (you can usually find the IP address of this in your network settings).

Performing your First Scan

The first thing we will do is run a default Nmap scan against an IP address. Enter the following command at your command prompt, or if you are using Zenmap (the graphical front-end to Nmap), put the command in the “Command” box.

nmap 192.168.1.1

Of course, replace 192.168.1.1 with the IP address you wish to scan (192.168.1.1 is the address of my home router). Then press enter. Nmap will start scanning the IP address you gave it, and should produce something like the following output:

(Image: Nmap Default Scan)

As you can see, Nmap has detected that the host is up, and that it has 6 ports open or filtered. The entire scan took 9.37 seconds. What did Nmap actually do though? To understand this better, re-run the scan but add the -vv flag to the command:

nmap -vv 192.168.1.1
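As an added example (not part of the original tutorial), here is a small Python parser for the plain-text report Nmap prints, turning the "host is up / N ports open or filtered / scanned in X seconds" summary into something you can check against the ports you expect a host to have listening. The embedded report is constructed to mirror the post's scan and is not real captured output.

```python
"""Added example, not from the original tutorial: parse Nmap's normal text
output into a structure you can check against what you expect to be listening.
The report below is constructed to mirror the post's scan (host up, 6 ports
open or filtered, 9.37 seconds); it is not real captured output."""
import re

SAMPLE_REPORT = """\
Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-15 20:02 GMT
Nmap scan report for 192.168.1.1
Host is up (0.0043s latency).
Not shown: 994 closed ports
PORT     STATE         SERVICE
23/tcp   filtered      telnet
53/tcp   open          domain
80/tcp   open          http
139/tcp  filtered      netbios-ssn
443/tcp  open          https
8080/tcp open|filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 9.37 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)", re.M)
DONE_LINE = re.compile(r"scanned in ([\d.]+) seconds")


def parse_report(text):
    """Return host, whether it was up, (port, proto, state, service) tuples, and scan time."""
    host, done = HOST_LINE.search(text), DONE_LINE.search(text)
    return {
        "host": host.group(1) if host else None,
        "up": "Host is up" in text,
        "ports": [(int(p), proto, state, svc)
                  for p, proto, state, svc in PORT_LINE.findall(text)],
        "seconds": float(done.group(1)) if done else None,
    }


def count_not_closed(report):
    """Ports reported as anything but closed: open, filtered, or open|filtered."""
    return sum(1 for _, _, state, _ in report["ports"] if state != "closed")


def unexpected_open_ports(report, expected):
    """Open ports missing from the allowlist you keep for the host; investigate these."""
    return sorted((port, proto) for port, proto, state, _ in report["ports"]
                  if state == "open" and (port, proto) not in expected)
```

Feed it the output of `nmap -oN scan.txt <host>` and compare `unexpected_open_ports` against the allowlist for that host; anything it returns is a service you did not know was listening.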

Deep Web, Dark Web, Darknet, and Dark Internet

August 4th, 2012

The terms Deep Web, Dark Web, Darknet, and Dark Internet are ones I see confused and misused on a regular basis on the Internet and in the media. This is my attempt to rectify this confusion and misuse by explaining what each of these terms means and when you should use them.

Deep Web

The Deep Web is quite simply any content on the Web which is not accessible to or indexed by standard search engine spiders. A search engine spider will typically crawl a website by visiting it and then visiting all the pages it links to, which includes pages local to the site and pages on other sites. Whilst this gives the search engine a pretty good view of the web, it misses out on a lot of other resources for various reasons:

  • Standard search engine spiders do not try to log into any websites, so any resources protected by a login are not accessible to it.
  • Content which explicitly denies access to search engine spiders (e.g. using a robots.txt file) is also left off the search engine index.
  • A web server may host a file or directory of files that isn’t linked to anywhere on the web. These files and directories would be missed by search engines as they would (most likely) be by humans too.
  • Content that is only generated in response to user input (e.g. search results) may also be effectively invisible to search engine spiders.
  • Some websites may require a special browser configuration to gain access.

You can think of the web as an ocean of content. Anything on the surface of this ocean is content that is being linked to openly. A search engine spider can only look at the content on the surface of the ocean, and any content in the deeper parts of the ocean (whether protected by a login, or just hidden from view) is inaccessible to it.

What it is important to remember is that the Deep Web has nothing necessarily to do with illegal activity, nor is it about being anonymous or hiding your identity. Most of us access the Deep Web on a regular basis, whenever we check web mail, or log in to a social networking site. If a search engine can’t see it, for whatever reason, it’s part of the Deep Web.

Dark Web

Conversely, the Dark Web does have numerous links to illegal activity and hiding one’s identity. It is a collection of websites that are only accessible over the Tor network, which hides your IP address and gives you complete anonymity. Not every website accessed over Tor is part of the Dark Web, since Tor allows you to browse anonymously on the regular web as well. However, the Tor network has a special pseudo-top-level domain suffix called “.onion” which is used to get to websites which host themselves over Tor, and are therefore only accessible via Tor.

Going to these websites without using a browser configured to use Tor is impossible, so the Dark Web is actually a subset of the Deep Web, and as such is not indexed by search engines. Whilst there are many websites on the Dark Web which do not promote illegal activity, there are plenty that do, including sites that sell drugs and weapons. A BBC report earlier this year highlighted the Dark Web quite well, and the hacktivist group Anonymous have attacked pedophilia-related websites on the Dark Web before.

Darknet

Wikipedia asserts that a darknet is a “private, distributed P2P filesharing network, where connections are either made only between trusted peers using non-standard protocols and ports or using onion routing.” Limiting the term to certain types of filesharing network is unhelpful in my opinion, and I see no reason a darknet cannot simply be any such network. This would make the onion routed part of the Tor network itself a darknet, and it is often called “The Darknet” (though there is more than one darknet, the onion routed part of the Tor network is still the most well known).

This too would make the Dark Web a part of the Darknet. However, it is important to point out that the Dark Web and the Darknet are not synonymous. Many other services can run on the Darknet, such as email, IRC, etc. The Dark Web is just one of these services, contributing a subset of traffic over the Darknet.

So a darknet (no capitalisation) is any network where connections are made only between trusted peers using non-standard protocols and ports or using onion routing. The Darknet (capitalised) is the onion routed part of the Tor network. This means that the Darknet is a darknet, in the same way as the Internet is an internet.

To make matters slightly more confusing, Project Meshnet used to be known as the “Darknet Plan”, though luckily the name was changed to more accurately reflect the nature of their project (and possibly to alleviate confusion).

Dark Internet

Finally, we end with a term which is completely unrelated to the three above, yet still manages to get confused with them. The Dark Internet refers to the unreachable network hosts on the Internet. They could be unreachable because a machine is turned off, or a network cable is damaged, or even because routing tables have become corrupted somewhere. Nobody, not even regular Internet users, can reach them. The Dark Internet is constantly changing; machines get taken offline, and some get put back online, but whilst they are offline, they are part of the Dark Internet.

New Targeted Malware: Flame

May 29th, 2012

Various organisations have revealed the existence of yet another piece of malware used for targeted attacks against a country’s infrastructure. Flame (also known as Flamer and sKyWIper), was discovered jointly by Kaspersky Lab, Iran’s MAHER Center, and CrySyS Lab of the Budapest University of Technology and Economics.

The most visible difference between Flame and earlier pieces of targeted malware like Stuxnet and Duqu is the size, expanding to 20 megabytes when fully installed (Stuxnet was only half a megabyte). CrySyS Lab, which discovered Duqu in 2011, have described Flame as “arguably… the most complex malware ever found.”

More information on Flame can be found below:

Identification of a New Targeted Cyber-Attack – Iran National CERT (MAHER)

The Flame: Questions and Answers – Kaspersky Lab

sKyWIper: A complex malware for targeted attacks [PDF] – CrySyS Lab

Meet ‘Flame’, The Massive Spy Malware Infiltrating Iranian Computers – Threat Level (Wired)

Flame malware – more details of targeted cyber attack in Middle East – Naked Security (Sophos)

Flame: Massive cyber-attack discovered, researchers say – BBC News

IBM Security Gaffes

May 14th, 2012

Part of my job involves reading through a lot of documentation, especially if it is security related. I don’t usually come across many mistakes or gaffes, but when I do, 99% of the time they were written by someone at IBM. The following quotes are all taken from IBM’s AIX V6 Advanced Security Features [PDF] redbook.

AES, as standardized by NIST, is not exactly in the form the Rijndael was originally submitted. It has a fixed block size of 128 bits, and has key sizes of 128, 192, and 512 bits.

Whilst a 512 bit key size for AES might be more secure, the standard doesn’t support it. The key sizes are actually 128, 192, and 256 bits. This is a simple mistake to make, so it is more forgivable than the others.

SHA256 is the Secured Hash Algorithm with a 256-bit key.

I’m not sure what the author of this statement was thinking of when writing it. The ‘256’ in SHA256 corresponds to the length of the output the hash generates (256 bits). It is possible that the author was confusing a cryptographic hash function like SHA256 with an HMAC, which does involve a key. However, even then the key size is not dictated by the hash function used in the HMAC. Indeed, any length of key can be used, the longer the better. Additionally, the ‘S’ in SHA stands for “Secure” not “Secured”, but that is just a small nitpick.

Typically the owner of the private key encrypts data with their private key, and the receiver or reader of the data decrypts with the public key.

This explanation of how public key cryptography works is completely backwards, quite literally. The public key can safely be known by anyone (hence the name), so it makes no sense to use it to decrypt data. The proper way to use public key cryptography is to encrypt using the public key, and decrypt using the private key. This means that anyone can send encrypted data, but only the private key owner can decrypt it. The other way around, there is practically no security gained by encrypting the data; you are no better off than sending it in plaintext.

The resulting ciphertext was, and still is, impossible to crack with a brute force attack.

This was found in a section discussing Triple DES, which whilst being far stronger than regular DES, is not “impossible” to crack with a brute-force attack. In fact, nothing is impossible to crack with a brute-force attack (apart from properly implemented one time pads), since brute-force attacks generate and test every possible key. Such an attack on Triple DES is unfeasible, since generating the keys and running the attack takes a very long time with current hardware.
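The corrections above, as an added example written for this post (not code from the post or from the IBM redbook): SHA256 takes no key and always yields a 256-bit digest, an HMAC over SHA256 accepts a key of any length, and public key encryption only hides data when the public key encrypts and the private key decrypts. The RSA below is textbook RSA on small constructed toy primes, there only to make the direction of the keys visible.

```python
"""Added example, not from the post or the redbook: the post's corrections
demonstrated with the standard library. SHA-256 has no key and its digest is
always 256 bits; an HMAC over SHA-256 accepts a key of any length; and
public-key encryption only hides data when the public key encrypts and the
private key decrypts. The RSA is textbook RSA on small constructed toy primes,
used only to make the key direction visible; it is not a secure construction."""
import hashlib
import hmac


def sha256_bit_length(data):
    """Digest length in bits: 256 for every input, and no key is involved."""
    return len(hashlib.sha256(data).digest()) * 8


def hmac_sha256_bits(key, data):
    """HMAC-SHA256 tag length in bits, whatever key length the caller supplies."""
    return len(hmac.new(key, data, hashlib.sha256).digest()) * 8


# Toy RSA key pair from two small primes (constructed values, not a real key).
P, Q = 61, 53
N = P * Q                    # modulus, shared by both keys
PHI = (P - 1) * (Q - 1)
E = 17                       # public exponent
D = pow(E, -1, PHI)          # private exponent: E * D == 1 (mod PHI)
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def rsa_apply(key, value):
    """Textbook RSA: raise value to the key's exponent modulo N (no padding)."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


def correct_direction(message):
    """Sender encrypts with the public key; only the private key recovers it."""
    ciphertext = rsa_apply(PUBLIC_KEY, message)
    return rsa_apply(PRIVATE_KEY, ciphertext)


def backwards_direction(message):
    """The redbook's description: 'encrypt' with the private key. Everyone has
    the public key, so an eavesdropper recovers the message with it."""
    ciphertext = rsa_apply(PRIVATE_KEY, message)
    return rsa_apply(PUBLIC_KEY, ciphertext)   # the eavesdropper's step
```

Both directions round-trip, which is exactly the problem: in `backwards_direction` the step that recovers the message needs only the public key, so the "ciphertext" hides nothing from anyone.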

A Simple Introduction to Public Key Cryptography

April 30th, 2012

I found this video today featuring Dr Yan Wong from the BBC. Whilst it is very short, the video does provide a nice simple introduction to some of the ideas behind public key cryptography, which secures most of e-commerce on the web. Definitely worth a watch if you don’t want to get into the messy details.

However, if you do want to get into the messy details of public key cryptography, I suggest perusing the Wikipedia article on the subject.