Tuesday, Aug 23 2011

Automating Nmap analysis with PowerShell

Nmap is one of the best tools in a sysadmin's toolkit: it lets us quickly determine what computers and devices are on our network and what software and operating systems they are running.

In most environments, especially those with a large number of servers and workstations spread across many subnets, it's handy for system administrators to be able to find a free IP address easily.

There have been several times when security managers have asked for the following:

  • All servers/workstations that are up
  • Are the following services running: SSH, Telnet, FTP, HTTP, HTTPS, RDP, SMTP
  • Is there anonymous FTP?
  • Is there anonymous FTP uploads?

Nmap is obviously the tool for finding out this information, and if we can automate it we can easily generate reports for upper management.

Thankfully, the folks at SANS have already done most of the work for us. In the post PowerShell Script To Parse nmap XML Output they provide a script that reads Nmap's XML output and turns it into objects, so any PowerShell user can manipulate the results with the usual cmdlets (Format-Table, Format-List, Where-Object, Select-Object).

I developed a simple script to find IP addresses that were in use and provide a simple output that any system administrator or service desk operator could read. The script is simple, and does the following tasks for each subnet listed in an array:

  1. Make a user-friendly filename
  2. Run nmap to perform a number of ICMP and TCP scans to find servers that are up (I recommend TCP SYN scanning on top of ICMP ping to ensure you find firewall-protected servers and workstations)
  3. Parse the nmap results and write them to a file in a more readable format


The script looks like this:


nmap command breakdown:

-PS20,21,22,23,25,3389,80,443,8080 sends a TCP SYN ping to each of these ports; a host that answers on any of them (with SYN/ACK or RST) is treated as up, which catches machines whose firewall drops ICMP

-PE is an ICMP echo request (the usual ping)

-R always performs a reverse DNS lookup, even for hosts that appear to be down

--dns-servers names our DNS servers explicitly (in case the reverse lookup zones are spread across different DNS servers)

-p 20,21,22,23,25,3389,80,443,8080 port-scans the hosts found to be up on these ports, so the results can answer the service questions for the reports later on

-oX $nmapfile --no-stylesheet writes the results as XML to the filename without referencing an XML stylesheet

-A is the aggressive scan: OS detection, version detection, the default NSE scripts and traceroute. The default scripts include ftp-anon, which is what answers the anonymous FTP question above; expect -A to make the sweep considerably slower and noisier than a plain ping sweep

-v gives verbose output, which also lists the hosts that did not respond, which is what we want for reporting.

We end with the subnet we want to scan.
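Below is an added example of the whole loop, written for this page; it is not the post's own script nor the SANS parse-nmap.ps1 it builds on. Instead of the SANS parser it uses PowerShell's [xml] type directly, which is enough for the questions asked above: which hosts are up, which of the listed ports are open, whether ftp-anon reported anonymous FTP, and which addresses in the subnet are still free. The subnet list and DNS server addresses are made up, the free-address calculation assumes /24 subnets, and the XML is a constructed sample in the shape nmap -oX produces, used when nmap is not on the PATH so the script runs offline.

```powershell
# Added example written for this page; it is not the post's script nor SANS' parse-nmap.ps1.
# Assumptions: subnets are /24s, the subnet and DNS server addresses are made up, and when
# nmap is not on the PATH the constructed sample XML below is parsed so the script runs offline.

$subnets = @('192.168.1.0/24')                 # hypothetical subnets to sweep
$dns     = '192.168.1.5,192.168.1.6'           # hypothetical DNS servers holding the reverse zones
$ports   = '20,21,22,23,25,3389,80,443,8080'   # the port list from the post

# Constructed sample in the shape "nmap -A -v -oX" writes (down hosts are present because of -v)
$SampleXml = @'
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -v 192.168.1.0/24" version="5.51">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<hostnames><hostname name="fs01.example.local" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.1.20" addrtype="ipv4"/>
<hostnames/>
<ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port></ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.30" addrtype="ipv4"/>
</host>
</nmaprun>
'@

function Get-NmapHosts {
    # Turn every <host> element into an object with the fields the reports need
    param([xml]$Doc)
    foreach ($h in $Doc.nmaprun.host) {
        $ip   = ($h.address | Where-Object { $_.addrtype -eq 'ipv4' } | Select-Object -First 1).addr
        $name = $null
        if ($h.hostnames -and $h.hostnames.hostname) { $name = @($h.hostnames.hostname)[0].name }
        $open = @()
        $anonFtp = $false
        if ($h.ports -and $h.ports.port) {
            foreach ($p in @($h.ports.port)) {
                if ($p.state.state -ne 'open') { continue }
                $open += [int]$p.portid
                # -A runs the default NSE scripts, so ftp-anon's verdict is already in the XML
                foreach ($s in @($p.script)) {
                    if ($s -and $s.id -eq 'ftp-anon' -and $s.output -match 'Anonymous FTP login allowed') {
                        $anonFtp = $true
                    }
                }
            }
        }
        New-Object PSObject -Property @{
            IP = $ip; Hostname = $name; Status = $h.status.state; OpenPorts = $open; AnonFtp = $anonFtp
        }
    }
}

function Get-FreeAddresses {
    # Assumes a /24: any host address not reported "up" is treated as free
    param([string]$Subnet, [string[]]$UpIps)
    $prefix = (($Subnet -split '/')[0] -split '\.')[0..2] -join '.'
    1..254 | ForEach-Object { "$prefix.$_" } | Where-Object { $UpIps -notcontains $_ }
}

foreach ($subnet in $subnets) {
    # 1. user-friendly filename, e.g. nmap-192-168-1-0-24.xml
    $nmapfile = Join-Path $env:TEMP ('nmap-' + ($subnet -replace '[./]', '-') + '.xml')

    # 2. the sweep from the post; fall back to the sample when nmap is not installed
    if (Get-Command nmap -ErrorAction SilentlyContinue) {
        & nmap "-PS$ports" -PE -R --dns-servers $dns -p $ports -oX $nmapfile --no-stylesheet -A -v $subnet | Out-Null
        [xml]$doc = Get-Content -Path $nmapfile
    } else {
        [xml]$doc = $SampleXml
    }

    # 3. parse the XML and print something a service desk operator can read
    $scanned = Get-NmapHosts $doc
    $up = @($scanned | Where-Object { $_.Status -eq 'up' })
    "== $subnet : $($up.Count) host(s) up =="
    $up | Select-Object IP, Hostname, @{n='OpenPorts'; e={ $_.OpenPorts -join ',' }}, AnonFtp | Format-Table -AutoSize
    $free = Get-FreeAddresses $subnet ($up | ForEach-Object { $_.IP })
    "Free addresses in $subnet ($($free.Count)): $($free -join ' ')"
}
```

Because hosts that did not respond only appear in the XML when -v is given, the free-address list is derived from the "up" hosts alone rather than from the presence of "down" entries, so it gives the same answer whether or not the verbose flag is kept.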

Monday, Aug 22 2011

MailScanner on Centos

This is a simple guide to building an email gateway that performs anti-spam and anti-virus filtering before delivering email to its intended destination.

I also make use of a sendmail milter to verify that the recipients of email messages are valid, and drop the messages if the recipient is found to be invalid. Recipient filtering not only reduces the amount of work the gateway has to do (it performs no anti-spam analysis etc. on a message it has refused) but also reduces the load on the destination server(s) and protects them: mail for non-existent users is refused during the SMTP conversation instead of being accepted and bounced later, so the gateway does not generate backscatter.

The milter works by connecting to the destination server and testing whether it accepts the recipient address, before the rest of the message is accepted from the machine that is connected to the gateway. If you use Exchange as your destination server, make sure it rejects unknown recipients at RCPT TO time (recipient filtering) rather than accepting the message and generating an NDR afterwards; if it accepts every address, the callout will see every recipient as valid. When the recipient isn't valid, the milter returns a rejection for that recipient to the SMTP server attempting to deliver, so the sender is told the mailbox is invalid.


Installation Steps
  1. Install Centos
    Just follow normal install
  2. Install Updates
    yum update
  3. Install Webmin
    If you like to install and update Webmin via RPM, create the /etc/yum.repos.d/webmin.repo file containing:
    [Webmin]
    name=Webmin Distribution Neutral
    baseurl=http://download.webmin.com/download/yum
    enabled=1
  4. You should also fetch and install the Webmin GPG key with which the packages are signed (it is served over plain HTTP, so verify its fingerprint out of band before trusting it), with the command:
    rpm --import http://www.webmin.com/jcameron-key.asc
    You will now be able to install with the command :
    yum install webmin
    All dependencies should be resolved automatically.
  5. Install Mailscanner
    export MAILSCANNER_CREATE_TMPFS=1
    wget http://yum.fslupdate.com/fsl-beta/fsl-beta.repo -O /etc/yum.repos.d/fsl-beta.repo
    (the repo file is fetched over plain HTTP; check that it enables gpgcheck and that the signing key is one you trust before installing from it)
    yum -y groupinstall MailScannerGold
    export PERL5LIB=/opt/fsl/lib/perl5
    chkconfig MailScanner on
    yum update
  6. Configure Mailscanner
    vi /etc/MailScanner/MailScanner.conf
  7. Install Sender/Recipient verification sendmail milter
    yum install sendmail-devel
    yum install sendmail-cf
    yum install libmilter
    tar xzvf smf-sav-1.4.0.tar.gz
    cd smf-sav-1.4.0
    make
    make install
  8. Configure the address verification milter
  9. Configure Sendmail
    Do what ever forwarding and routing you need to configure.

    Add the following lines to sendmail.mc above the MAILER(smtp)dnl like
    INPUT_MAIL_FILTER(`smf-sav', `S=unix:/var/run/smfs/smf-sav.sock, T=S:30s;R:4m')dnl
  10. Configure the startup scripts to include the milter
    We need to modify the MailScanner init script at /etc/init.d/MailScanner so that the address verification daemon is started before sendmail and MailScanner, and stopped along with them:
    start)
        ...
        daemon /usr/local/sbin/smf-sav
        ...
    stop)
        if test "x`pidof smf-sav`" != x; then
            echo -n $"Stopping $prog: "
            killproc smf-sav
            echo
        fi
        ...


Sunday, Aug 21 2011

PowerShell RoboCopy Wrapper

So I find myself copying files from point A to point B on a regular basis, so much so that I find myself using robocopy in a Windows scheduled task. The problem with this approach is that there aren't many easy ways of working out whether it worked or, worse, whether something bad has happened!

I bashed out a script several years ago, and finally updated it to make use of the template that I posted up previously.

There are a few things to note with the script:

  • I always check if the source and destination exist, and report an error if they don't
  • My scripts always use the /MIR switch, and limit retries to 3
  • Robocopy return codes are a bit mask, not a simple status:
    0: completed successfully, but didn't copy any files
    1: completed successfully and copied files
    2 and 4: extra or mismatched files were seen (informational, still a success)
    8 or higher: some copies failed (16 means a fatal error)

The bulk of the code is below. Note that /MIR mirrors the source tree, so anything in the destination that is not in the source gets deleted; that is why the existence check on the source matters:

#robocopy task
$result = robocopy $source $destination /MIR /R:3

#robocopy's exit code is a bit mask, not a plain status:
#    0: no errors, but no copying done
#    1: one or more files were copied successfully
#    2 / 4: extra or mismatched files were seen (not an error)
#    8 and above: one or more copies failed, 16 means a fatal error
#so anything below 8 is a success and anything 8 or higher needs attention

#check there were no errors in the robocopy run
#(the original wrapped these tests in "if ($lastexitcode -gt 1)", which made
# the 0 and 1 branches unreachable; they are tested directly here)
if ($lastexitcode -eq 0)
{
    $messagebody = "Robocopy completed but no files copied! `n"
    foreach ($x in $result) {$messagebody = $messagebody + $x + "`n"}
    send-email $messagebody $false
} elseif ($lastexitcode -lt 8)
{
    #do nothing, it worked (1 = files copied; 2 and 4 are informational)
} else {
    $messagebody = "Robocopy returned error code $lastexitcode! `n"
    foreach ($x in $result) {$messagebody = $messagebody + $x + "`n"}
    send-email $messagebody $false
    exit 3
}

The entire script is in the samples section, here.
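As an added example written for this page (not the post's script or the template it is built on), here is the same idea packaged as a reusable wrapper: it validates both paths before anything runs, invokes the same robocopy /MIR /R:3, and decodes the exit-code bit mask into named flags so a scheduled task can tell "nothing to do" from "copies failed" without comparing magic numbers. The post's send-email helper is not shown on the page, so Write-Warning stands in for it, and the paths in the usage call are hypothetical.

```powershell
# Added example for this page; not the post's script. send-email from the post's template is
# not available here, so Write-Warning stands in for it. The paths in the usage call are made up.

function ConvertFrom-RobocopyExitCode {
    # robocopy ORs these bits together; anything 8 or above means something did not copy
    param([int]$Code)
    New-Object PSObject -Property @{
        Code       = $Code
        Copied     = [bool]($Code -band 1)    # one or more files copied
        Extras     = [bool]($Code -band 2)    # files in destination not in source (removed under /MIR)
        Mismatches = [bool]($Code -band 4)    # same name but not a file/directory match
        Failed     = [bool]($Code -band 8)    # copies that failed after the retries
        Fatal      = [bool]($Code -band 16)   # serious error, e.g. neither path usable
        Success    = ($Code -lt 8)
    }
}

function Invoke-RoboMirror {
    param(
        [Parameter(Mandatory=$true)][string]$Source,
        [Parameter(Mandatory=$true)][string]$Destination,
        [int]$Retries = 3
    )
    # 1. refuse to run if either side is missing: /MIR against a vanished or mistyped
    #    source would otherwise delete everything in the destination
    foreach ($path in $Source, $Destination) {
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            throw "Path does not exist or is not a directory: $path"
        }
    }
    # 2. run robocopy, keeping its output so a failure report can include it
    $log = & robocopy $Source $Destination /MIR "/R:$Retries" /NP
    $status = ConvertFrom-RobocopyExitCode $LASTEXITCODE
    $status | Add-Member -MemberType NoteProperty -Name Log -Value $log -PassThru
}

# Usage from the scheduled task (hypothetical paths; the throw above is what fires if they are absent)
try {
    $r = Invoke-RoboMirror -Source 'C:\data' -Destination 'D:\backup\data'
    if (-not $r.Success) {
        # send-email $messagebody $false in the post
        Write-Warning ("Robocopy failed with code {0}:`n{1}" -f $r.Code, ($r.Log -join "`n"))
        exit 3
    } elseif (-not $r.Copied) {
        Write-Warning "Robocopy completed but copied nothing"
    }
} catch {
    Write-Warning $_
    exit 3
}
```

Decoding the bits rather than comparing the whole code means a run that copied files and also removed extras (code 3) is still reported as a success, while a run that copied some files and failed others (code 9) is reported as a failure with the log attached.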

Friday, Aug 19 2011

Tech Ed Au

I will be at Tech Ed Australia on the 30th of September, see you all there.

Tomorrow I will be posting up on my new wifi project incorporating some cool new gadgets.

Saturday, Jul 30 2011

Snort Update

New documentation for the Snort build will be coming. The following updates are to be made:

  • Snorby working! (just having issues with PDF files)
  • More rule tweaks
  • More general tweaks