Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

AT&T Wireless Outage

Published: 2008-12-28
Last Updated: 2008-12-28 22:37:24 UTC
by Raul Siles (Version: 2)
1 comment(s)

(UTC, Sunday, December 28, 2008 at 22:32:00) We got various reports of another massive outage, in this case affecting the AT&T wireless network. The initial reports indicate it is affecting several US states: MI, OH, WI, IL, and IN. This is affecting Blackberry communications and other cell traffic (Thanks Steven and Greg for the early notice).

If you have any additional information about what is really going on (or if both are related incidents), please, let us know.

--
Raul Siles
www.raulsiles.com

Keywords: outage wireless
1 comment(s)

Level3 Outage: confirmed

Published: 2008-12-28
Last Updated: 2008-12-28 21:11:44 UTC
by Raul Siles (Version: 5)
0 comment(s)

An ISC reader wrote in to let us know about a current Level3 outage based on Internet Health Report (IHR). It seems the main issues are with its Detroit origin, although St. Louis seems to be affected too, probably as a consequence of the former one. In fact (although not necessarily directly related), Level3 main web page is not available: http://www.level3.com.

UPDATE 1: (UTC, Sunday, December 28, 2008 at 18:21:00) During the last few minutes we have confirmed the Level3 issues with several ISC readers. Thank you to all who wrote in to let us know and confirm it!

UPDATE 2: (UTC, Sunday, December 28, 2008 at 19:45:00) It seems everything is back to normal operations now, according to IHR.

UPDATE 3: (UTC, Sunday, December 28, 2008 at 21:08:00) John (Thanks!) let us know that while IHR may be reporting that things are back to normal in the Detroit area still there are offline data connections and even using cell phones you get the message that the "call cannot be completed at this time".

If you have any additional information about the real reason for this, please, let us know.

--
Raul Siles
www.raulsiles.com

0 comment(s)

NMAP Trivia: Mastering Network Mapping and Scanning

Published: 2008-12-28
Last Updated: 2008-12-28 09:35:25 UTC
by Raul Siles (Version: 1)
0 comment(s)

Recently the official (and highly recommended) NMAP book, "NMAP Network Scanning" by Fyodor, was published. I will post a review on my personal blog in the next few days (plus this challenge), but meanwhile, I thought it would be very productive to challenge you with a NMAP Trivia. The main goal is providing some entertainment during the holiday season and the early days of 2009, and at the same time, force you to practice and play with the latest stable nmap version, v4.76, trying to increase your technical knowledge, skills, and mastering of the traditional and current features of such an important security tool.

  1.  What are the default target ports used by the current nmap version (4.76)? How can you change the target ports list? What (nmap) options can be used to speed up scans by reducing the number of target ports and still check (potentially) the most relevant ones? How can you force nmap to check all target ports?
  2. How can you force nmap to scan a specific list of 200 target ports, only relevant to you?
  3. What is the default port used by nmap for UDP ping discovery (-PU)? Why? If you don't know it from the top of your head ;), how can you easily identify this port without using other tools (such as a sniffer) or inspecting nmap's source code?
  4. When nmap is run, sometimes it is difficult to know what is going on the backstage. What two (nmap) options allow you to gather detailed but not overwhelming information about nmap's port scanning operations? What other extra (nmap) options are available for ultra detailed information?
  5. What are the preferred (nmap) options to run a stealthy TCP port scan? Particularly, try to avoid detection from someone running a sniffer near the person running nmap and focus on the extra actions performed by the tool (assuming the packets required to complete the port scan are not detected)?
  6. Why port number 49152 is relevant to nmap?
  7. What is the only nmap TCP scan type that classifies the target ports as "unfiltered"? Why? What additional nmap scan type can be used to discern if those ports (previously identified as "unfiltered") are in an open or closed state?
  8. When (and it what nmap version) the default state for a non-responsive UDP port was changed on nmap (from "open" to "open|filtered")? Why?
  9. What is the default scan type used by nmap when none is specified, as in "nmap -T4 scanme.nmap.org"? Is this always the default scan method? If not, what other scan method does nmap default to, under what conditions, and why?
  10. What nmap features (can make or) make use of nmap's raw packet capabilities? What nmap features rely on the OS TCP/IP stack instead?
  11. Nmap's performance has been sometimes criticized versus other network scanners. What (nmap) options can you use to convert nmap into a faster, stateless scanner for high performance but less accurate results?
  12. What relevant nmap feature does not allow an attacker to use the decoy functionality (-D) and might reveal his real IP address?
  13. What are the (nmap) options you can use to identify all the steps followed by nmap to fingerprint and identify the Web server version running on scanme.nmap.org?
  14. As an attacker, what port number would you select to hide a listening service backdoor trying to avoid an accurate detection by nmap's default aggressive fingerprinting tests? Would it be TCP or UDP? Why? What additional (nmap) options do you need to specify as a defender to fingerprint the hidden service backdoor?
  15. What is the language used to write NSE scripts, and what two other famous open-source security tools/projects currently use the same language?
  16. What Linux/Windows command can you use to identify the list of NSE scripts that belong to the "discovery" category and will execute when this set of scripts is selected with the "--script discovery" nmap option?
  17. How can you know the specific arguments accepted by a specific NSE script, such as those accepted by the whois.nse script?

Send your answers through our contact page using "NMAP Trivia" as the subject by January, 15. If you have other interesting nmap trick and tips, please, send them too. I will publish the best answers and other nmap usage suggestions on my next shift around mid-end January 2009.

If you want to stay up to date about the major nmap news and events I strongly recommend you to subscribe to the nmap-hackers mailing list (low traffic, with less than 10 messages this year). You can do so at http://cgi.insecure.org/mailman/listinfo/nmap-hackers.

--
Raul Siles
www.raulsiles.com

Keywords: nmap
0 comment(s)
Diary Archives