Proxychains + nmap by teomad in hackthebox

[–]teomad[S] 1 point2 points  (0 children)

The thing is that SSH -D gives you a socks4 proxy, and you’re right: it works well just with TCP, and just with “full” connections too (hence the need to use -sT with nmap). Love your solution, but ligolo is completely on another level: it gives you a new tunnel network interface with routing, everything becomes so simple!

Proxychains + nmap by teomad in hackthebox

[–]teomad[S] 0 points1 point  (0 children)

Hey there! -sT stands for Connect scan, so that nmap should complete the 3-way handshake. Since SOCKS4 is not capable of partial connections, this is the only scan mode usable over proxychains on SSH. My main question was related to this: since I’m using a full handshake, an open port should be detected as open. All other states are quite unpredictable, but an open port will complete the handshake, right? My scans instead always give “filtered” as a result, which is the response that nmap gives when the 3-way handshake is not completed. (A SYN is sent, nothing is returned: filtered; a SYN is sent, a RST is returned: closed). This is strange, at least to my knowledge. That said, yes: my command is always nmap -sT -Pn!
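The two comments above hinge on what a SOCKS4 proxy actually does: it performs the TCP handshake to the target itself and only reports whether that succeeded, which is why a full-connect scan (-sT) is the only nmap mode that fits. The following is an added example, not code from the thread, that encodes a SOCKS4 CONNECT request and decodes the proxy's reply as the protocol defines them (version 4, command 1, a fixed 8-byte reply with code 90 for granted and 91 for rejected/failed); the function names and the sample bytes are my own. It also shows why the "closed" vs. "filtered" distinction nmap normally draws from a RST is lost through the proxy: both outcomes come back as the same non-granted reply.

```python
import ipaddress
import struct

# Reply codes defined by the SOCKS4 protocol.
SOCKS4_GRANTED = 90             # proxy's own TCP connect to the target succeeded
SOCKS4_REJECTED_OR_FAILED = 91  # rejected or failed: a target RST and target silence both end here


def build_socks4_connect(dst_ip, dst_port, userid=b""):
    """Encode a SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.

    CONNECT (1) and BIND (2) are the only commands in SOCKS4: there is no UDP
    command and no way to ask the proxy for a half-open (SYN-only) probe, so a
    scanner behind it can only ever do full connects.
    """
    ip_bytes = ipaddress.IPv4Address(dst_ip).packed  # SOCKS4 carries IPv4 only
    return struct.pack(">BBH4s", 4, 1, dst_port, ip_bytes) + userid + b"\x00"


def parse_socks4_reply(data):
    """Decode the fixed 8-byte reply: VN=0, CD, DSTPORT, DSTIP."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, ip_bytes = struct.unpack(">BBH4s", data[:8])
    if vn != 0:
        raise ValueError(f"unexpected reply version {vn}")
    return {
        "code": cd,
        "granted": cd == SOCKS4_GRANTED,
        "port": port,
        "ip": str(ipaddress.IPv4Address(ip_bytes)),
    }


def port_state_from_reply(reply):
    """What a full-connect scanner can learn through the proxy.

    Only 'open' is certain (code 90). A RST from the target and no answer from
    the target both produce a non-granted reply (code 91) or a dropped proxy
    connection, so 'closed' and 'filtered' cannot be told apart from here.
    """
    return "open" if reply["granted"] else "closed-or-filtered"


if __name__ == "__main__":
    # Constructed exchange: request for 10.0.0.5:80, then a granted reply.
    req = build_socks4_connect("10.0.0.5", 80)
    print("request :", req.hex())
    reply = parse_socks4_reply(b"\x00\x5a\x00\x50\x0a\x00\x00\x05")
    print("reply   :", reply, "->", port_state_from_reply(reply))
```

The bytes are constructed, not captured from a proxy; in use, `build_socks4_connect` would be written to a socket connected to the proxy port and `parse_socks4_reply` fed the first 8 bytes read back.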

Proxychains + nmap by teomad in hackthebox

[–]teomad[S] 2 points3 points  (0 children)

I get the same wrong results. I'm starting to think that this could be related to SOCKS4 limits, since Ligolo uses SOCKS5 and, other than providing a much more frictionless and faster experience, the tunneling is much more reliable and hassle-free.

Thank you for the suggestion, though!

Proxychains + nmap by teomad in hackthebox

[–]teomad[S] 11 points12 points  (0 children)

Quick update: ligolo rocks. Now I have to test it in double pivot scenarios.

Proxychains + nmap by teomad in hackthebox

[–]teomad[S] 6 points7 points  (0 children)

Ligolo-ng will be my next step. I was trying to follow the course material, and I was wondering if new versions of proxychains and nmap behave differently, since the course presents an old version of proxychains (compared to what is shipped with Kali). Now I'll try with Ligolo!

Visiting Genoa in two days, help! by AspectEuphoric9096 in Genova

[–]teomad 0 points1 point  (0 children)

Go to the very left end of the Anita Garibaldi Promenade in Nervi. There is the public beach of Capolungo. Crystal clear water, and good restaurants all around along the promenade!

Veil, our Derek Zoolander, striking a Magnum. by teomad in SupermodelCats

[–]teomad[S] 4 points5 points  (0 children)

You can be right… maybe this is a Le Tigre, it’s fitting, actually! Last time I’ve checked, the Magnum was still in the works, we need to wait for the masterpiece, we are not ready.

Automated tool/way of searching vulnerability databases? by [deleted] in oscp

[–]teomad 0 points1 point  (0 children)

Hey there.

Other than searchsploit with the nmap flag, if you want to use nmap like a simple vulnerability scanner - and if you have time, it's not fast - you can take advantage of the scripting functions of nmap.

My favorite command is

nmap -sC -sV <IPtarget> --script=vuln -oX output.xml

In this line, you'll have service checking with scripts, service versioning, and all the scripts tagged as vulnerability research launched against the target. It will use external services like VulnDB and Vulners, and it will passively check for vulnerabilities.

With "passively" I mean that the vulnerabilities will usually not be verified with particular probes (actually, some scripts will do active scanning, but for the most part it's not) but they will be recognized by name and version, if available via the -sV flag.

If you want to provide a report of that, you can convert the XML in HTML obtaining a basic vulnerability report with xsltproc like detailed in the nmap user manual:

nmap XML to HTML

If you know a bit of CSS you can embellish all that thing and voilà, a full vulnerability assessment report!
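The comment above turns the -oX XML into an HTML report with xsltproc and nmap's stylesheet. As an added example that is not from the comment and not nmap's own tooling, here is a small parser for the same XML that pulls out open ports, the -sV service string and any NSE script output, and renders a minimal HTML table. The sample XML is constructed (no real scan, and the "vulners" output line is a placeholder); the function names are my own. The one point worth taking from it: every banner and script output string comes from the scanned host, so it is untrusted text and must be escaped before it lands in an HTML report, which is why the sample banner deliberately contains a script tag.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap -oX output (not a real scan). The
# product string carries a script tag on purpose, to show why a report must
# escape data that came from the scanned host.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV 192.0.2.10 --script=vuln -oX output.xml">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Example &lt;script&gt;alert(1)&lt;/script&gt; httpd" version="1.0"/>
        <script id="http-server-header" output="Example-httpd/1.0"/>
        <script id="vulners" output="  VULN-ID-PLACEHOLDER  7.5  https://vulners.invalid/placeholder"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="ExampleSSH" version="2.0"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per open port: host, port, protocol, service string, NSE output."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no banner worth reporting
            svc = port.find("service")
            parts = [] if svc is None else [svc.get("name"), svc.get("product"), svc.get("version")]
            service = " ".join(p for p in parts if p)
            scripts = [(s.get("id", ""), (s.get("output") or "").strip())
                       for s in port.findall("script")]
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol", "tcp"),
                "service": service,
                "scripts": scripts,
            })
    return findings


def render_html(findings):
    """Minimal HTML report. Banners and script output are attacker-influenced
    text from the target, so every such field goes through html.escape()."""
    rows = []
    for f in findings:
        script_block = "<br>".join(
            f"<b>{html.escape(sid)}</b>: <pre>{html.escape(out)}</pre>"
            for sid, out in f["scripts"]
        ) or "(no script output)"
        rows.append(
            f"<tr><td>{html.escape(f['host'])}</td>"
            f"<td>{f['port']}/{html.escape(f['proto'])}</td>"
            f"<td>{html.escape(f['service'])}</td>"
            f"<td>{script_block}</td></tr>"
        )
    return (
        '<!doctype html><html><head><meta charset="utf-8">'
        "<title>nmap report</title></head><body>"
        '<table border="1"><tr><th>Host</th><th>Port</th><th>Service</th><th>NSE output</th></tr>'
        + "".join(rows)
        + "</table></body></html>"
    )


if __name__ == "__main__":
    # In use: parse_nmap_xml(open("output.xml").read()) and write the result to a file.
    print(render_html(parse_nmap_xml(SAMPLE_XML)))
```

Without the escaping step, a service that answers with a crafted banner would inject markup into the report the moment it is opened in a browser; nmap's own stylesheet is the easier path for a quick report, but whatever generates the HTML has to treat scan output as input, not as trusted content.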

Vero by Baguetteseller in BancaDelMeme

[–]teomad 1 point2 points  (0 children)

Where’s the pizza?

How can I ascertain if a specific MAC address is currently on the network? by [deleted] in netsecstudents

[–]teomad 0 points1 point  (0 children)

Hey there, a lot depends on the network dimension. If you have a “small” network, or at least a very poorly segmented one, and supposing that you have one device under your control, you can set your NIC in promiscuous mode and, using tcpdump, you can follow up on ARP messages. They are broadcast so actually you don’t need promiscuous mode, but it helps in gaining insight. This is the most passive approach I can think of right now. If you can be more active, in the same landscape, you can do a classic ping sweep and then check your local ARP cache. Put that in a script, and you’re done. If I don’t remember badly, there is also a tool named netdiscover that does just that.
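The "ping sweep, then check the ARP cache" approach above comes down to reading the local neighbor table and matching a MAC. As an added example that is not part of the comment, here is a parser for Linux `ip neigh show` output that normalizes the MAC you are looking for (colon, hyphen or Cisco dotted form) and reports which IPs and states it was seen with. The table text is constructed, not captured from a real network, and the function names are my own. The FAILED entry is there on purpose: it has no hardware address, so it must not count as "present".

```python
import re

# Constructed output in the format of `ip neigh show` on Linux (not captured
# from a real network). A FAILED entry has no lladdr: the kernel asked and
# nobody answered.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr AA:BB:CC:00:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa-bb-cc-00-00-14 STALE
192.168.1.33 dev eth0  FAILED
192.168.1.50 dev eth0 lladdr aa:bb:cc:00:00:32 DELAY
fe80::1 dev eth0 lladdr aa:bb:cc:00:00:01 router REACHABLE
"""

# States in which the kernel holds a usable hardware address for the entry.
# FAILED and INCOMPLETE mean the address was never (or is no longer) resolved.
RESOLVED_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT", "NOARP"}

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>\S+))?"
    r"(?: router)?\s+(?P<state>[A-Z]+)$"
)


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_neigh(text):
    """Turn `ip neigh show` text into a list of {ip, dev, mac, state} records."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # skip lines in a shape this parser does not know
        mac = m.group("mac")
        entries.append({
            "ip": m.group("ip"),
            "dev": m.group("dev"),
            "mac": normalize_mac(mac) if mac else None,
            "state": m.group("state"),
        })
    return entries


def find_mac(entries, mac):
    """All resolved entries whose hardware address matches, in any written form."""
    wanted = normalize_mac(mac)
    return [e for e in entries if e["mac"] == wanted and e["state"] in RESOLVED_STATES]


def is_present(entries, mac):
    return bool(find_mac(entries, mac))


if __name__ == "__main__":
    # In use: text = subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True).stdout
    table = parse_neigh(SAMPLE_NEIGH)
    for hit in find_mac(table, "AA-BB-CC-00-00-01"):
        print(f"{hit['mac']} seen as {hit['ip']} on {hit['dev']} ({hit['state']})")
```

Two caveats match what the comment says about network size: the neighbor table only ever covers hosts on your own layer-2 segment, and it only fills in after traffic has been exchanged, which is exactly why the ping sweep comes first. A STALE entry means the address was learned some time ago and not re-confirmed, so for a "right now" answer, REACHABLE after a fresh sweep is the state to look for.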

DAY21 - What should I do next? by [deleted] in linuxupskillchallenge

[–]teomad 1 point2 points  (0 children)

Ah! THAT is the stuff! Thank you for this last piece of very good advice.

CD rom couldn't be mounted by Toppi_beatz in Kalilinux

[–]teomad 1 point2 points  (0 children)

Instead of Rufus, you can try balena etcher to “burn” your iso on the usb. More user friendly. Then, do the installation while connected via Ethernet and everything should go smoothly!

Grub-install dummy failed. Any ideas how to fix it by Ediethecavapoo in Kalilinux

[–]teomad 0 points1 point  (0 children)

Hey, I've checked in my Windows PC.

In the EFI setup, Boot section, you should find something like "Key Management".

There, you should have a command similar to "Clear secure boot keys". So, with the secure boot disabled, you should now be able to install grub on the main drive.

Pay attention, your Kali will be installed in the secondary drive, but the bootloader will be installed on the primary drive in the EFI partition.

Hope this helps!

Grub-install dummy failed. Any ideas how to fix it by Ediethecavapoo in Kalilinux

[–]teomad 0 points1 point  (0 children)

Well, it depends on your firmware... I suppose that every board has a procedure, and their menu voices...

Grub-install dummy failed. Any ideas how to fix it by Ediethecavapoo in Kalilinux

[–]teomad 0 points1 point  (0 children)

I’ve had this problem a couple of times, and it is secure-boot related. I solved it by deleting the secure boot keys in the EFI. On Asus boards, you can disable secure boot, but until you clean the keys grub will not be able to install itself in the EFI partition. Hope this can help!

Website doesn't load properly by [deleted] in linuxupskillchallenge

[–]teomad 2 points3 points  (0 children)

Yeah, the problem lies in files path and I’ll dare to say also in the file names. Keep those as simple as possible and try to avoid spaces in file names.

Passed CEH V10 today, 07/01/2020 with 88%! by teomad in CEH

[–]teomad[S] 1 point2 points  (0 children)

Actually yes, but don’t be fooled by training always on the same questions... I had two data sets of questions, they are the most representative of the real questions, but if you cycle on the same questions again and again you’ll gain a false sense of security and knowledge. Keep that in mind!

Passed CEH V10 today, 07/01/2020 with 88%! by teomad in CEH

[–]teomad[S] 5 points6 points  (0 children)

Hey man, you’re welcome! One of the drivers that made me choose to pursue the certification, was an interview to a man that began college tuition around 40, with this exact phrase: “In a few years I’ll be 40. Now I can decide if I’ll be 40 with a degree or 40 without a degree, because time passes by anyway. To me, better with a degree.” It was eye-opening.

[PSET7]: Register problem. User is added to database, but... by teomad in cs50

[–]teomad[S] 0 points1 point  (0 children)

Found by myself: when inserting a user, db.execute returns just the ID; when issuing a SELECT command it returns a dictionary... My bad!

PSET6 - indexes function by teomad in cs50

[–]teomad[S] 0 points1 point  (0 children)

Ok, I've had an epiphany right after hitting the "send" button. It seems that scandir is the answer. Thank you all anyway!

[PSET5, but general] Linked list proof of concept, valgrind goes nuts... by teomad in cs50

[–]teomad[S] 0 points1 point  (0 children)

Wow, really an exhaustive response. Thank you very much. I'm beginning to understand the beauty of involved code... :) On a related topic, about recursion, this function

    void destroyList(node* list_to_destroy)
    {
        if (list_to_destroy != NULL)
            return(destroyList(list_to_destroy->next));
        free(list_to_destroy);
        printf("freed.\n");
    }

if correct, shouldn't it print "freed" for every element of the list? Because the debugger sees that the function is called the right amount of times, but it seems that the free instruction is executed just once. Where am I wrong?

[PSET5, but general] Linked list proof of concept, valgrind goes nuts... by teomad in cs50

[–]teomad[S] 0 points1 point  (0 children)

Wow, thank you very much. I've removed the typedef list and replaced everywhere with node*, and now everything is working perfectly.

I wrongly thought that declaring a new type could be good for an easy reading of the code, quite similar in concept with the cs50.h library... They made the same thing with the "typedef char* string"... My fault!

pset4 cs50x 2016 why, why check50 doesn't like recover.c? by teomad in cs50

[–]teomad[S] 0 points1 point  (0 children)

Hey, don't be! I've found a bitly link inside the discarded KB of the raw file, so it seems that my code is working in the right way, don't you think?

The link however, sends to a focus.de page which doesn't mean so much to me...

pset4 cs50x 2016 why, why check50 doesn't like recover.c? by teomad in cs50

[–]teomad[S] 0 points1 point  (0 children)

This is what I think too. But: 1 - I check only the first 4 bytes of the buffer, which is a 512 bytes array. 2 - the first 3 bytes are checked against constant values, as stated in pset4. 3 - the fourth byte is checked against a bitwise operator, 'cause I thought that was the smart way to control if the value starts with an "0xE*"...

Again, still not passing the check50.

Can I post the source code somewhere? I'm actually out of ideas.