Monday, December 19, 2011

Upgrading Sun-Java on Ubuntu 10.04

From a security point of view it is always good to keep all your systems on the most current version. Go to this URL:

https://browsercheck.qualys.com/

Scan your browser by clicking the check box. Qualys will tell you whether any upgrade is available.

Next go to this website:

http://www.java.com/en/download/linux_manual.jsp?locale=en

Pick the package that matches your machine:

Linux (self-extracting file), filesize 20.7 MB - for 32 bit systems
Linux x64, filesize 20.3 MB - for 64 bit systems

Next become root in a terminal by executing

$sudo su

Copy the binary over to the destination shown below:
#cp /home/bala/Downloads/jre-6u30-linux-x64.bin /usr/lib/jvm/
#cd /usr/lib/jvm
Now make that file executable:
#chmod +x jre-6u30-linux-x64.bin
Now run that executable:
#./jre-6u30-linux-x64.bin
Move aside the old soft link which pointed to the old Java:
#mv java-6-sun java-6-sun_old
Remove the bin file:
#rm jre-6u30-linux-x64.bin
Rename the extracted directory:
#mv jre1.6.0_30/ java-6-sun-1.6.0.30
Create a new link to your extracted Java:
#ln -s java-6-sun-1.6.0.30 java-6-sun
Now rename the old Java plugin link:
#mv /etc/alternatives/mozilla-javaplugin.so /etc/alternatives/mozilla-javaplugin.so_old
Now create a new soft link to your new Java:
#ln -s /usr/lib/jvm/java-6-sun/lib/amd64/libnpjp2.so /etc/alternatives/mozilla-javaplugin.so
Verify that the browser plugin link chain now ends at the new JRE:
# ll /usr/lib/mozilla/plugins/libjavaplugin.so
lrwxrwxrwx 1 root root 39 2010-09-19 09:11 /usr/lib/mozilla/plugins/libjavaplugin.so -> /etc/alternatives/mozilla-javaplugin.so*
# ll /etc/alternatives/mozilla-javaplugin.so
lrwxrwxrwx 1 root root 45 2011-12-19 20:42 /etc/alternatives/mozilla-javaplugin.so -> /usr/lib/jvm/java-6-sun/lib/amd64/libnpjp2.so*
# ll /usr/lib/mozilla/plugins/libjavaplugin.so
lrwxrwxrwx 1 root root       39 2010-09-19 09:11 libjavaplugin.so -> /etc/alternatives/mozilla-javaplugin.so*


Finally, confirm the installed version with Java's own check page:

http://java.com/en/download/installed.jsp?jre_version=1.6.0_30&vendor=Sun+Microsystems+Inc.&os=Linux&os_version=2.6.32-36-generic

If you have a newer version of Firefox installed from a PPA, one more step is needed:

#ln -s /usr/lib/jvm/java-6-sun/lib/amd64/libnpjp2.so /usr/lib/firefox-10.0.1/plugins/libjavaplugin.so
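A check for the link chain above, added here as an example and not part of the original post: it follows each hop from the browser's plugin path down to the real libnpjp2.so, reports a dangling hop, and confirms the file sits under the expected JRE directory. The paths are the ones used above; resolve_chain and plugin_points_at are names chosen here, and the demo rebuilds the chain inside a temporary directory instead of touching /usr/lib.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a plugin symlink
# chain ends at a real file under the JRE directory we just installed.

# resolve_chain LINK
# Prints one "link -> target" line per hop, then the canonical final path.
# Returns 1 on a dangling hop or a loop.
resolve_chain() {
    p=$1
    hops=0
    while [ -L "$p" ]; do
        t=$(readlink "$p") || return 1
        case $t in
            /*) ;;                          # absolute target
            *)  t=$(dirname "$p")/$t ;;     # relative: resolve against the link's dir
        esac
        echo "$p -> $t"
        p=$t
        hops=$((hops + 1))
        if [ "$hops" -ge 16 ]; then
            echo "too many hops, probably a loop" >&2
            return 1
        fi
    done
    if [ -e "$p" ]; then
        # pwd -P also resolves symlinked directory components (java-6-sun)
        echo "$(cd "$(dirname "$p")" && pwd -P)/$(basename "$p")"
        return 0
    fi
    echo "dangling: $p" >&2
    return 1
}

# plugin_points_at LINK JRE_DIR
# Succeeds only if LINK resolves to a regular file somewhere below JRE_DIR.
plugin_points_at() {
    out=$(resolve_chain "$1") || return 1
    final=$(printf '%s\n' "$out" | tail -n 1)
    want=$(cd "$2" && pwd -P) || return 1
    case $final in
        "$want"/*) [ -f "$final" ] ;;
        *) echo "$final is outside $want" >&2; return 1 ;;
    esac
}

# Demo: rebuild the chain from the post under a temp dir (constructed data).
tmp=$(mktemp -d)
jvm=$tmp/usr/lib/jvm
mkdir -p "$jvm/java-6-sun-1.6.0.30/lib/amd64" "$tmp/etc/alternatives" "$tmp/usr/lib/mozilla/plugins"
: > "$jvm/java-6-sun-1.6.0.30/lib/amd64/libnpjp2.so"
ln -s java-6-sun-1.6.0.30 "$jvm/java-6-sun"
ln -s "$jvm/java-6-sun/lib/amd64/libnpjp2.so" "$tmp/etc/alternatives/mozilla-javaplugin.so"
ln -s "$tmp/etc/alternatives/mozilla-javaplugin.so" "$tmp/usr/lib/mozilla/plugins/libjavaplugin.so"

if plugin_points_at "$tmp/usr/lib/mozilla/plugins/libjavaplugin.so" "$jvm/java-6-sun-1.6.0.30"; then
    echo "OK: browser plugin resolves into java-6-sun-1.6.0.30"
fi
rm -rf "$tmp"
```

Run it against the real paths with plugin_points_at /usr/lib/mozilla/plugins/libjavaplugin.so /usr/lib/jvm/java-6-sun-1.6.0.30 after the ln -s steps; a non-zero exit means a link in the chain is still pointing at the old tree or at nothing.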

Monday, December 12, 2011

Ubuntu Date & Time update via NTP

Command Line ntpdate

Ubuntu comes with ntpdate as standard, and will run it once at boot time to set up your time according to Ubuntu's NTP server. However, a system's clock is likely to drift considerably between reboots if the time between reboots is long. In that case it makes sense to correct the time occasionally. The easiest way to do this is to get cron to run it every day. With your favorite editor, create (needs sudo) a file /etc/cron.daily/ntpdate containing:
#!/bin/sh
ntpdate ntp.ubuntu.com

Make sure that you make this new file executable:

sudo chmod 755 /etc/cron.daily/ntpdate

Source: https://help.ubuntu.com/community/UbuntuTime 

SNORT Sig updates Including SED

Whenever I update the Snort rules, the five SIDs listed below get an additional ! in front of the $DNS server variable, which stops Snort from starting. All these SIDs are in emerging-current_events.rules.

sid:2013353
sid:2013354
sid:2013355
sid:2013358
sid:2013359

As a workaround I have added a sed ("Serial Editor") step to my Snort rules update script, as shown below.

root@Bodhidarmar:/store/snort/rules# cat /var/scripts/snort_update.sh

#!/bin/bash
wget -q http://www.snort.org/sub-rules/snortrules-snapshot-xxxx.tar.gz/aaabbbcccdddeeefffggghhhiiijjjkkk -O /store/snort/archive/snortrules-snapshot-xxxx.tar.gz
oinkmaster.pl -o /store/snort/rules/ -Q
echo "Now Running Serial Edit to change the Bang Dollar DNS to Dollar DNS in ET-current_event[DOT]rules"
# Edit in place with -i: redirecting sed's output onto its own input file would
# truncate the file before sed reads it. Single quotes keep the shell from
# expanding $DNS, so sed sees the literal text.
sed -i 's/!\$DNS/$DNS/' /store/snort/rules/emerging-current_events.rules



Note: I have reduced the font size above because each command needs to be on one single line.
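The same repair written as a small script, added here as an example and not the post's own update script: instead of sending sed's output back onto its input, which empties the file before sed reads it, it rewrites only the five SIDs listed above through a temporary file, keeps a .bak copy, and reports any listed rule still carrying !$DNS. fix_bang_dns and still_broken are names chosen here, and the rule lines in the demo are constructed, not real ET rules.

```shell
#!/bin/sh
# Added example (not the post's script): fix "!$DNS" on the five affected SIDs
# only, writing through a temp file so the rules file is never truncated.

# The five SIDs from the post; other rules keep their "!" untouched.
BAD_SIDS="2013353 2013354 2013355 2013358 2013359"

# fix_bang_dns FILE : rewrite "!$DNS" to "$DNS" on the lines of the listed sids.
# Keeps FILE.bak; returns non-zero if the rewrite could not be completed.
fix_bang_dns() {
    f=$1
    tmp=$f.tmp.$$
    awk -v sids="$BAD_SIDS" '
        BEGIN { n = split(sids, a, " "); for (i = 1; i <= n; i++) want["sid:" a[i] ";"] = 1 }
        {
            line = $0
            for (s in want)
                if (index(line, s)) { gsub(/!\$DNS/, "$DNS", line); break }
            print line
        }' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$f" "$f.bak" && mv "$tmp" "$f"
}

# still_broken FILE : print the listed sids whose line still contains "!$DNS";
# returns 1 if there are any, 0 if the file is clean.
still_broken() {
    awk -v sids="$BAD_SIDS" '
        BEGIN { n = split(sids, a, " "); for (i = 1; i <= n; i++) want["sid:" a[i] ";"] = 1 }
        /!\$DNS/ { for (s in want) if (index($0, s)) { print s; bad = 1 } }
        END { exit bad + 0 }' "$1"
}

# Demo on a constructed rules file (the lines are made up, not real ET rules).
demo=$(mktemp)
cat > "$demo" <<'EOF'
alert udp $HOME_NET any -> !$DNS 53 (msg:"CONSTRUCTED rule hit by the update"; sid:2013353; rev:1;)
alert udp $HOME_NET any -> !$DNS 53 (msg:"CONSTRUCTED rule whose ! must stay"; sid:9000001; rev:1;)
alert udp $HOME_NET any -> !$DNS 53 (msg:"CONSTRUCTED second hit"; sid:2013359; rev:1;)
EOF
echo "before:"; still_broken "$demo" || true
fix_bang_dns "$demo" || exit 1
echo "after:"; still_broken "$demo" && echo "clean"
cat "$demo"
rm -f "$demo" "$demo.bak"
```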

Saturday, December 10, 2011

Snort Sensor Name

To get the name of the sensor that logged a particular event, we need to include sensor_name=Bodhidarmar in the output line of the snort.conf file.


root@Bodhidarmar:/home/bala# grep sensor_name /etc/snort/snort.conf
output database: log, mysql, user=********** password=**************** dbnames=******* host=localhost sensor_name=Bodhidarmar

Friday, December 9, 2011

Adito SSL VPN

If Adito refuses to start, do as shown in this link :-)

http://sourceforge.net/projects/openvpn-als/forums/forum/824507/topic/2883732

Add these two lines:

wrapper.java.classpath.1=/opt/adito-0.9.1/lib/adito-boot.jar
wrapper.java.mainclass=com.adito.boot.Bootstrap

to this file: /opt/adito-0.9.1/conf/wrapper.conf, and service adito start should now work.

Thursday, December 8, 2011

Snort - fixing Error PortVar Lookup failed on '$FILE_DATA_PORTS'.

When Snort fails to start with the error "PortVar Lookup failed on '$FILE_DATA_PORTS'.", it means that we need to declare the ports for $FILE_DATA_PORTS (a portvar line) in our snort.conf file.


Sources:

http://blog.joelesler.net/

http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

SNORT FQDN resolution

If we want BASE to resolve IP addresses to host names, we need to edit the base_config.php file under the document root.


Friday, November 25, 2011

FFMPEG

http://howto-pages.org/ffmpeg/

http://www.commandlinefu.com/commands/tagged/76/ffmpeg


Thursday, November 24, 2011

Ubuntu ICS

Source: http://ubuntu-works.blogspot.com/2010/06/internet-connection-sharing-in-ubuntu.html

#!/bin/bash

# (c) Mahesh R. S. (themaheshrs _at_ gmail.com)
# Created on June 20, 2010.
# distributed under GPL or some such liberal open-source licence.

# Purpose: This simple script enables Internet Connection Sharing
# on my computer.
#
# I have multiple computers at home. Only one of them can connect
# to the Internet over a 3G USB modem. Typically, that computer is
# either an old ACER laptop -OR-
# an old Lenovo laptop.
# All the other computers connect to the Internet through either
# of these two laptops. So, this script is typically run on either
# of those notebooks.
#
# The idea here is:
# 1. Enable IP-Forwarding, so that the laptop that is connected to
# the Internet can pass packets around between its interfaces
# 2. Enable Network-Address-Translation (NAT) on the laptop that is
# connected to the Internet so that the other computers can enjoy
# the Internet
# 3. Enable a local interface through which the other computers connect
# to the Internet

# This script assumes that your notebook connects to the Internet through
# ppp0 and that your internal computers connect to eth0. The internal
# network is on the 192.168.100/24 subnet. (TBD: I should be able to make
# those values "configurable" by having the user pass them as arguments.)

if [ "$(id -u)" -ne 0 ]
then
    echo ":( PLEASE RUN THIS SCRIPT WITH ROOT PERMISSIONS."
    echo "e.g. \$ sudo $0 start|stop"
    exit 1
fi

if [ $# -ne 1 ]
then
    echo "Please specify whether to start or stop ICS."
    echo "e.g. \$ sudo $0 start|stop"
    exit 1
fi


ics_stop()
{
    # disable IPv4 Forwarding
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # the following three rules are as defined in:
    # https://help.ubuntu.com/10.04/serverguide/C/firewall.html
    # note that we are deleting the rules here, hence the "-D"
    iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ppp0 -j MASQUERADE
    iptables -D FORWARD -s 192.168.100.0/24 -o ppp0 -j ACCEPT
    iptables -D FORWARD -d 192.168.100.0/24 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT

    # unconfigure eth0 to connect to the internal (NAT-ted) network
    ip address del 192.168.100.1/24 dev eth0
}

ics_start()
{
    # enable IPv4 Forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # the following three rules are as defined in:
    # https://help.ubuntu.com/10.04/serverguide/C/firewall.html
    # note that we are adding the rules here, hence the "-A"
    iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ppp0 -j MASQUERADE
    iptables -A FORWARD -s 192.168.100.0/24 -o ppp0 -j ACCEPT
    iptables -A FORWARD -d 192.168.100.0/24 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT

    # configure eth0 to connect to the internal (NAT-ted) network
    ip address add 192.168.100.1/24 dev eth0
}

case $1 in
start)
    ics_start
    echo "ICS started."
    ;;
stop)
    ics_stop
    echo "ICS stopped."
    ;;
*)
    # anything other than start/stop is an error
    echo "Unknown action '$1'; use start or stop."
    exit 1
    ;;
esac


Tuesday, November 22, 2011

Snort mysql compilation

http://www.mcabee.org/lists/snort-users/Jan-04/msg00497.html

make distclean

The command shown above did the trick for me to get my Snort to compile successfully with MySQL :-)

Change font size in TTY

To change the font size in TTY terminals, type the following command.

sudo dpkg-reconfigure console-setup

Answer all the questions it asks; when it asks for the console font size, select whatever you want.

Monday, November 14, 2011

Expanding VDI file

Sources

https://www.virtualbox.org/ticket/28
http://www.virtualbox.org/manual/ch08.html#vboxmanage-modifyvdi

http://trivialproof.blogspot.com/2011/01/resizing-virtualbox-virtual-hard-disk.html

http://www.youtube.com/watch?v=VB-nKzTNZS8




Gold and Silver Price

Price In Chennai

Gold price 30 Days per gram :-o (gold price chart provided by goldprice.org)

Silver price 30 Days per Kilogram :-o (silver price chart provided by silverprice.org)

Gold price per year per gram :-o (gold price chart provided by goldprice.org)

Silver price per Two year per KG :-o (silver price chart provided by silverprice.org)

Gold price 3 Days per gram :-o (gold price chart provided by goldprice.org)

Silver price 3 Days per Kilogram :-o (silver price chart provided by silverprice.org)

Wednesday, November 9, 2011

Numeric keypad not working in Ubuntu

Click on System > Preferences > Keyboard > Mouse Keys > Uncheck "Pointer can be controlled using the keypad"


Thursday, October 20, 2011

CUPSPDF

http://embraceubuntu.com/2006/03/23/print-to-pdf-using-cups-pdf/

Wednesday, October 12, 2011

Python File Globbing

#!/usr/bin/python
#Author: Balasubramaniam Natarajan
#Date: 12-Oct-2011
#Purpose: Demonstrating File Globbing using python
import glob

find = raw_input("Enter the file or directory to be searched : ")

result = glob.glob(find)

if result:
    for element in result:
        print element
    print "The total number of files are : ", len(result)
else:
    print "No match found"

#END

Output

bala@bala-laptop:~/python$ python glob.py
Enter the file or directory to be searched : /home/bala/Pictures/*.jpeg
/home/bala/Pictures/dslInside.jpeg
/home/bala/Pictures/RSA_Thumbnail.jpeg
/home/bala/Pictures/dslDMZ.jpeg
/home/bala/Pictures/dslOutside.jpeg
/home/bala/Pictures/python.jpeg
The total number of files are :  5
bala@bala-laptop:~/python$

McAfee's Free Tools

http://www.mcafee.com/us/downloads/free-tools/index.aspx

http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Get Suspected files
https://kc.mcafee.com/corporate/index?page=content&id=KB69385

Monday, October 10, 2011

Python RE

#!/usr/bin/python
#Author: Balasubramaniam Natarajan
#Demonstrate how to use Regular Expression substitution (re.sub) on runs of digits
import re

re1 = re.compile(r'\d+',re.IGNORECASE)

f1 = open("data2","r")
f2 = open("changedfile","w")

for searchstr in f1.readlines():
    #The count is optional; it limits the number of occurrences changed in the line.
    #If count is not given it will change every match in that line
    print re1.sub("Changed_here",searchstr,count = 2)
    changed = re1.sub("Changed_here",searchstr,count = 2)
    f2.writelines(changed)

f1.close()
f2.close()

#END

Output

bala@bala-laptop:~/python$ cat data2
4562
234
 15.00
 1
234.234.234.234

bala@bala-laptop:~/python$ python RE.py
Changed_here

Changed_here

 Changed_here.Changed_here

 Changed_here

Changed_here.Changed_here.234.234

bala@bala-laptop:~/python$ cat changedfile
Changed_here
Changed_here
 Changed_here.Changed_here
 Changed_here
Changed_here.Changed_here.234.234

bala@bala-laptop:~/python$

Python RE

#!/usr/bin/python
#Author: Balasubramaniam Natarajan
#Demonstrate how to use Regular Expression
import re

def search(searchstr):
    print "*********************************"
    print "searchstr = ", searchstr
    print "*********************************"

searchstr = raw_input("Enter a searching string '\d+\s+\w+' : ")
search(searchstr)

re1 = re.compile(r'\d+\s+\w+',re.IGNORECASE)

#finditer returns an iterator over the matches. The iterator object itself is
#always truthy, so collect the matches into a list before testing for "no match"
matches = list(re1.finditer(searchstr))

if matches:
    for i in matches:
        print i.group()
else:
    print "No search match"

#END

Output

bala@bala-laptop:~/python$ python RE.py
Enter a searching string '\d+\s+\w+' : Those are 500 toys, 100 games and 20 infants
*********************************
searchstr =  Those are 500 toys, 100 games and 20 infants
*********************************
500 toys
100 games
20 infants
bala@bala-laptop:~/python$

Python RE

#!/usr/bin/python
#Author: Balasubramaniam Natarajan
#Demonstrate how to use Regular Expression
import re

def search(searchstr):
    print "*********************************"
    print "searchstr = ", searchstr
    print "*********************************"

searchstr = raw_input("Enter a searching string '\d+\s+\w+' : ")
search(searchstr)

re1 = re.compile(r'\d+\s+\w+',re.IGNORECASE)

#Match will look only at the start of the string
match1 = re1.match(searchstr)
#Search will look even in the middle of the string
#(stored as search1 so it does not shadow the search() function above)
search1 = re1.search(searchstr)
#Findall will also look for additional matches in the string
findall = re1.findall(searchstr)

if match1:
    print "match1 Matching \d+\s+\w+ : ",match1.group()
if search1:
    print "Search matching \d+\s+\w+ : ",search1.group()
if findall:
    print "Findall matchin \d+\s+\w+ : ",findall
else:
    print "No search match"

#END

Output

bala@bala-laptop:~/python$ python RE.py
Enter a searching string '\d+\s+\w+' : 500 apples
*********************************
searchstr =  500 apples
*********************************
match1 Matching \d+\s+\w+ :  500 apples
Search matching \d+\s+\w+ :  500 apples
Findall matchin \d+\s+\w+ :  ['500 apples']

bala@bala-laptop:~/python$ python RE.py
Enter a searching string '\d+\s+\w+' : Those are 500 toys
*********************************
searchstr =  Those are 500 toys
*********************************
Search matching \d+\s+\w+ :  500 toys
Findall matchin \d+\s+\w+ :  ['500 toys']

bala@bala-laptop:~/python$ python RE.py
Enter a searching string '\d+\s+\w+' : Those are 500 toys and 100 games
*********************************
searchstr =  Those are 500 toys and 100 games
*********************************
Search matching \d+\s+\w+ :  500 toys
Findall matchin \d+\s+\w+ :  ['500 toys', '100 games']
bala@bala-laptop:~/python$



Friday, October 7, 2011

Disable Registry & Taskmgr

  • The newly created Registry Values are:
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      • DisableRegistryTools = 0x00000001
      • DisableTaskMgr = 0x00000001

      to disable the Windows registry editors (Regedt32.exe and Regedit.exe)
      to prevent users from starting Task Manager (Taskmgr.exe)
       
       
      http://www.threatexpert.com/report.aspx?md5=8baf88111af782aaef0a0581b47ced68

Monday, October 3, 2011

Python Regular Expression

#!/usr/bin/python
#Author: Balasubramaniam Natarajan
#Demonstrate how to use Regular Expression
import re

def search(searchstr):
    print "*********************************"
    print "searchstr = ", searchstr
    print "*********************************"

searchstr = raw_input("Enter a searching string : ")
search(searchstr)

re1 = re.compile('\w+\s\w+\s\w+\s\d',re.IGNORECASE)
match1 = re1.match(searchstr)

if match1:
   print "Matching \w+\s\w+\s\w+\s\d : ",match1.group()
else:
   print "No match"

#END

Output

bala@bala-laptop:~/python$ python RE.py
Enter a searching string : Apples cost RS 20
*********************************
searchstr =  Apples cost RS 20
*********************************
Matching \w+\s\w+\s\w+\s\d :  Apples cost RS 2
bala@bala-laptop:~/python$

Python Regular Expression

#!/usr/bin/python
#Author: Balasubramaniam Natarajan
#Demonstrate how to use Regular Expression
import re

def search(searchstr):
    print "*********************************"
    print "searchstr = ", searchstr
    print "*********************************"

searchstr = "This is a test string"
search(searchstr)

re1 = re.compile('^T')
match1 = re1.match(searchstr)
print "Match for '^T' = ", match1.group()

re1 = re.compile('.*',re.DOTALL)
match1  = re1.match(searchstr)
print "Match for '.*' = ", match1.group()

searchstr = "this is first line\nthis is second line"
search(searchstr)

re1 = re.compile('.*',re.DOTALL)
match1 = re1.match(searchstr)
print "Match for '.*',re.DOTALL = ", match1.group()

re1 = re.compile('line$')
match1 = re1.match(searchstr)
print "Match for 'line$' = ", match1

re1 = re.compile('[a-z]')
match1 = re1.match(searchstr)
print "Match for '[a-z]' = ", match1

# Repeating metacharacter * (Zero or many), + (One or many), ? (Zero or one)

re1 = re.compile('[a-z]+')
match1 = re1.match(searchstr)
print "Match for '[a-z]+' = ", match1.group()

re1 = re.compile('[a-z]+.*')
match1 = re1.match(searchstr)
print "Match for '[a-z]+.*' = ", match1.group()

#The backslash would be interpreted by Python; to avoid that we prefix a lowercase r ("raw string")
#The \s stands for a whitespace character
re1 = re.compile(r'[a-z]+\s')
match1 = re1.match(searchstr)
print "Match for '[a-z]+\s' = ", match1.group()

#Here we want the next word as well
re1 = re.compile(r'[a-z]+\s[a-z]+')
match1 = re1.match(searchstr)
print "Match for r'[a-z]+\s[a-z]+' = ", match1.group()

re1 = re.compile(r'[a-z]+\s[a-z]+\s[a-z]+\s[a-z]+')
match1 = re1.match(searchstr)
print "Match for r'[a-z]+\s[a-z]+\s[a-z]+\s[a-z]+' = ", match1.group()

searchstr = "This is first LINE"
search(searchstr)

re1 = re.compile(r'[a-z]+\s[a-z]+\s[a-z]+\s[a-z]+',re.IGNORECASE)
match1 = re1.match(searchstr)
print "Match for r'[a-z]+\s[a-z]+\s[a-z]+\s[a-z]+',re.IGNORECASE = ", match1.group()

searchstr = "this is line number 987"
search(searchstr)

re1 = re.compile(r'[a-z]+\s[a-z]+\s\w+\s\w+\s\d+')
match1 = re1.match(searchstr)
print "Match for r'[a-z]+\s[a-z]+\s\w+\s\w+\s\d+' = ",match1.group()

#END

OUTPUT


bala@bala-laptop:~/python$ python 30RE.py
*********************************
searchstr =  This is a test string
*********************************
Match for '^T' =  T
Match for '.*' =  This is a test string
*********************************
searchstr =  this is first line
this is second line
*********************************
Match for '.*',re.DOTALL =  this is first line
this is second line
Match for 'line$' =  None
Match for '[a-z]' =  <_sre.SRE_Match object at 0x7f646e2c0238>
Match for '[a-z]+' =  this
Match for '[a-z]+.*' =  this is first line
Match for '[a-z]+\s' =  this
Match for r'[a-z]+\s[a-z]+' =  this is
Match for r'[a-z]+\s[a-z]+\s[a-z]+\s[a-z]+' =  this is first line
*********************************
searchstr =  This is first LINE
*********************************
Match for r'[a-z]+\s[a-z]+\s[a-z]+\s[a-z]+',re.IGNORECASE =  This is first LINE
*********************************
searchstr =  this is line number 987
*********************************
Match for r'[a-z]+\s[a-z]+\s\w+\s\w+\s\d+' =  this is line number 987
bala@bala-laptop:~/python$

Friday, September 30, 2011

python RegularExpression 1

#!/usr/bin/python
#Author: Balasubramaniam Natarajan
#Demonstrate how to use Regular Expression
import re
#Compile Regular Expression first.
re1 = re.compile('matchBullet')
print re1.match('matchBullet')
print re1.match('matchBullet').group()

re2 = re.compile('matchBala')
match1 = re2.match('matchBala')
print match1.group()

searchstr = "Bala"
re2=re.compile(searchstr)
match1 = re2.match(searchstr)
print match1.group()

#END

Output
bala@bala-laptop:~/python$ python RE.py
<_sre.SRE_Match object at 0x7feb846091d0>
matchBullet
matchBala
Bala
bala@bala-laptop:~/python$

Python shutil

#!/usr/bin/python
#Author: Balasubramaniam Natarajan
#Demonstrate how to use file I/O high-level module
import shutil

#we will create an alias for shutil like s
s = shutil
#copy() copies the contents only; the new file gets the current date and time
s.copy("data1","data2")
#copy2() also copies the metadata, so data3 keeps the date and time of data1
s.copy2("data1","data3")
#This would move data2 to the destination path
s.move("data2","/home/bala/data3")
#If we want to copy an entire directory tree
src="bala"
dst="bullet"
s.copytree(src,dst)

dst="bullet1"
#The third argument (symlinks): if it is 0 (False) the files that symbolic links point to are copied,
#if it is 1 (True) the symbolic links themselves are copied as links
s.copytree(src,dst,0)

dst="bullet"
s.rmtree(dst)

#END

Thursday, September 29, 2011

python functions

#!/usr/bin/python
#Author: Balasubramaniam Natarajan
#Purpose: Demonstrate Function

def add(a,b):
    sum = a+b
    return sum

print "*********Demonstrating Functions***********"
#raw_input() returns the typed text as a string and int() converts it.
#(Python 2's input() would eval() whatever the user types, so it is avoided here.)
a = int(raw_input("Enter the first value to be added :"))
b = int(raw_input("Enter the second value to be added :"))

addedvalue = add(a,b)

print "The sum of a : ",a," and b : ",b," is = ", addedvalue

#END
 
Output

bala@bala-laptop:~/python$ python function.py
*********Demonstrating Functions***********
Enter the first value to be added :2
Enter the second value to be added :3
The sum of a :  2  and b :  3  is =  5
bala@bala-laptop:~/python$

Forms

HTML forms

(Sample form with Name and Password fields.)

This would lead you nowhere.

Wednesday, September 28, 2011

Non changable list

#!/usr/bin/python
lists = ["Bala","Subramaniam","Natarajan"]
print "The lists is of type : ", type(lists)
lists[2] = "changed"
print lists
tuples = ("Bala","Subramaniam","Natarajan")
print "The tuples is of type : ", type(tuples)
#A tuple cannot be changed in place; the assignment raises TypeError
try:
    tuples[2] = "changed"
except TypeError as e:
    print "Cannot change a tuple:", e
print tuples

Editing a log file

#!/usr/bin/python
#To split a log line into fields and join it back
import string

log_file = "20110923 10.0.0.1 1110 192.168.1.1 80 404 vaka.html"
print log_file
print "The type of log_file is : ", type(log_file)
print string.split(log_file)
log_file2 = string.split(log_file)
print "The type of log_file2 is: ", type(log_file2)
print "The date in our log file is : ", log_file2[0]
log_file3 = string.join(log_file2)
print "The type of log_file3 is : ", type(log_file3)


Friday, September 23, 2011

Python String List

#!/usr/bin/python
#To print a list of numbers
print range(11)
numlist = range(5)
print "I am printing numlist populated by range method", numlist
print "Here I am printing values starting from 1st position",range(1,5)
print "Printing values starting from 1st position i+2",range(1,11,2)
strlist1 = ['Bala','subramaniam','Natarajan']
print "I am printing the string list1", strlist1
strlist1.reverse()
print "Reversing string list1", strlist1
strlist1.reverse()
strlist2 = ['Bala','Revathi']
print "I am printing the string list2", strlist2
strlist1.append(strlist2)
print "I am printing the appended string list1", strlist1
print strlist1[3][1]
strlist1.extend(strlist2)
print "I am printing the extended string list1", strlist1





Thursday, September 22, 2011

Older versions of Java & PDF

http://www.oracle.com/technetwork/java/archive-139210.html

http://get.adobe.com/reader/otherversions/

Wednesday, September 21, 2011

#!/usr/bin/python
#Author: Balasubramaniam Natarajan
#Date: 21-Sep-2011
#Purpose: lists

nlist = [1,2,3,4,5,6,7]
print "The value of nlist is", nlist
nlist.reverse()
print "The reversed value of nlist is", nlist
nlist.reverse()
print "The re-reversed value of nlist is", nlist

nlist2 = [8,9,10]
print "The value of nlist2 is: ", nlist2

#append() adds nlist2 as a single (nested) element
nlist.append(nlist2)
print "The value of nlist.append(nlist2) is: ", nlist

print "The first value in nlist is: ", nlist[0]
print "The second value in nlist is: ", nlist[1]
print "The third value in nlist is: ", nlist[2]
print "The eighth value in nlist is: ", nlist[7]
print "The eighth value in nlist separately is: ", nlist[7][0]
print "The ninth value in nlist separately is: ", nlist[7][1]

#POP will behave similar to STACK Last In First Out
nlist.pop()
print "We popped out the last value of nlist", nlist

#extend() adds the elements of nlist2 one by one
nlist.extend(nlist2)
print "We've incorporated nlist2 elements in nlist", nlist
print "The eighth value in nlist is: ", nlist[7]

nlist.pop()
print "We popped out the last value of nlist", nlist

#To get First In First Out we need to specify the index.
nlist.pop(0)
print "We popped out the first value of nlist", nlist

#To insert a value in the nlist
nlist.insert(0,1)
print "We populate the first value of nlist", nlist

#END


Friday, September 16, 2011

Tiny HTTPD Proxy

This URL has a small http proxy.

http://www.oki-osk.jp/esc/python/proxy/

Wednesday, September 7, 2011

DigiNotar is Back, be aware

I was keeping tabs on the CA compromise at DigiNotar for a few days now, and I did manually remove that CA from my trusted list.

Today, 7-Sep-2011, I tried to update my Ubuntu 10.04; it told me that there were some Mozilla Firefox packages to be installed, so I allowed it.



Once the update was over, my browser restarted and, what do you know, the very certificate which I chose to distrust started appearing in the trusted CA list.

http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

Got an answer at mozilla.com


https://support.mozilla.com/en-US/questions/871927#answer-242337


Sunday, September 4, 2011

PHP to unzip password protected file

You need apache2 and PHP installed on your system. The first file is index.html


 Next you need to have a file named zip.php


Voila, all your encrypted files will get uploaded to the upload directory.

If needed you can comment out the last 15 lines if you are only going to submit encrypted zip files.


Friday, September 2, 2011

Zip on BASH :-)

bala@bala-desktop:~/Desktop$ zip -e infected.zip 10199.exe
Enter password:
Verify password:
  adding: 10199.exe (deflated 9%)
bala@bala-desktop:~/Desktop$ md5sum 10199.exe
f469bf255c2c8fedec173cd17395ff11  10199.exe
bala@bala-desktop:~/Desktop$ md5sum infected/10199.exe
f469bf255c2c8fedec173cd17395ff11  infected/10199.exe
bala@bala-desktop:~/Desktop$

Wednesday, August 31, 2011

Grep and MD5SUM recursively :-)

If we need to grep for a particular word "cursor.execute" recursively in the current directory and all its subfolders, do as shown below.

root@ubuntu:/var/www/cuckoo/cuckoo# grep -i "cursor.execute" -R .
./submit.py:    cursor.execute("SELECT * FROM queue WHERE target
./submit.py:    cursor.execute(sql)
./cuckoo/db.py: cursor.execute("CREATE TABLE queue (\n"               \
./cuckoo/db.py: self._cursor.execute("SELECT * FROM queue "        \
./cuckoo/db.py: self._cursor.execute("SELECT id FROM queue WHERE
./cuckoo/db.py: self._cursor.execute("UPDATE queue SET lock = 1 WHE
./cuckoo/db.py: self._cursor.execute("SELECT id FROM queue WHERE id =
./cuckoo/db.py: self._cursor.execute("UPDATE queue SET lock = 0 WHERE
./cuckoo/db.py: self._cursor.execute("SELECT id FROM queue WHERE id
./cuckoo/db.py: self._cursor.execute("UPDATE queue SET lock = 0, "
root@ubuntu:/var/www/cuckoo/cuckoo#


To do MD5Sum recursively :-)

find . -type f -print0 | xargs -0 md5sum
 
85d745532558a575c1809fa35ac50ff2  ./impress.js
402f032048a9f560a4b18010509583dc  ./index.html
85d745532558a575c1809fa35ac50ff2  ./bala/impress.js 
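Building on the find | md5sum one-liner above, here is an added example (not from the original post) that records the hashes as a baseline and later compares the tree against it, reporting files that changed, appeared or vanished. make_baseline and verify_baseline are names chosen here; it assumes md5sum's "hash  path" output and file names without newlines, and the demo works on a constructed temporary tree.

```shell
#!/bin/sh
# Added example (not from the original post): baseline and re-check a tree with
# md5sum so changed, new and missing files stand out. md5sum is kept to match
# the post; sha256sum is a drop-in replacement (the hash width becomes 64).

# make_baseline DIR OUTFILE : one "hash  ./relative/path" line per regular file.
# -exec ... + is the portable equivalent of -print0 | xargs -0; sorted so two
# baselines of the same tree diff cleanly.
make_baseline() {
    (cd "$1" && find . -type f -exec md5sum {} + | sort -k 2) > "$2"
}

# verify_baseline DIR BASELINE : prints CHANGED/NEW/MISSING lines;
# returns 0 only when DIR matches BASELINE exactly.
verify_baseline() {
    dir=$1; base=$2
    cur=$(mktemp) || return 1
    make_baseline "$dir" "$cur"
    # md5 hex is 32 chars, then two spaces, then the path (handles spaces in names)
    if awk '
        { h = substr($0, 1, 32); p = substr($0, 35) }
        FILENAME == ARGV[1] { old[p] = h; next }
        { new[p] = h }
        END {
            for (p in old) {
                if (!(p in new)) { print "MISSING " p; bad = 1 }
                else if (old[p] != new[p]) { print "CHANGED " p; bad = 1 }
            }
            for (p in new) if (!(p in old)) { print "NEW " p; bad = 1 }
            exit bad + 0
        }' "$base" "$cur"
    then rc=0; else rc=1; fi
    rm -f "$cur"
    return $rc
}

# Demo on a constructed tree (file names echo the listing above, contents are made up).
tmp=$(mktemp -d)
mkdir -p "$tmp/site/bala"
echo "document.title = 'impress';" > "$tmp/site/impress.js"
echo "<html><body>hi</body></html>" > "$tmp/site/index.html"
cp "$tmp/site/impress.js" "$tmp/site/bala/impress.js"
make_baseline "$tmp/site" "$tmp/baseline.md5"
echo "baseline:"; cat "$tmp/baseline.md5"
echo "tampered" >> "$tmp/site/index.html"       # modified
echo "dropped in" > "$tmp/site/unexpected.php"  # added
rm "$tmp/site/bala/impress.js"                  # removed
echo "verify:"
verify_baseline "$tmp/site" "$tmp/baseline.md5" || echo "tree differs from baseline"
rm -rf "$tmp"
```

Keep the baseline file outside the tree it describes and somewhere the web server cannot modify, or the comparison proves nothing.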

Creating Chart in OpenOffice

Hi

Watch this small screencast which I made to show how to create a chart using OpenOffice.


http://www.youtube.com/watch?v=zK0qBGO5G58

I found this very useful link too. I am in no way endorsing that link, however I liked it :-)

http://www.learnopenoffice.org/calccontents.htm

Sunday, August 28, 2011

Adding htpasswd to Apache

If we want to protect certain directories in Apache with a password, we need to edit the file

/etc/apache2/sites-available/default

STEP1: Copy and paste these lines in there; base is the folder which I am trying to protect.

   

STEP2: Now restart apache.

root@test:/etc/apache2# /etc/init.d/apache2 restart
 * Restarting web server apache2   .... Waiting [ OK ]
root@test:/etc/apache2#


STEP3: Now we need to create a file called as .htaccess under the folder we want to protect and enter these lines in there.

AuthUserFile /etc/apache2/base_passwords
AuthName "Authorization Required"
AuthType Basic
require valid-user

Here base_passwords is the file which will store the passwords.

STEP4: To create base_passwords follow the steps given below.

root@test:/etc/apache2# htpasswd -c base_passwords bala
New password:
Re-type new password:
Adding password for user bala
root@test:/etc/apache2# cat base_passwords
bala:.GaT2yBDJ4Mu2ser4DR54GRR3


Voila, now when we type the URL http://localhost/base we will get an authorization prompt.
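A sanity check for the setup above, added here as an example and not part of the original post: it reads AuthUserFile from an .htaccess like the one in STEP3 and refuses it when the password file is missing, sits under the DocumentRoot (where Apache could serve it to anyone), or is readable by every local user. check_htaccess is a name chosen here, the path is assumed to be absolute as in the post, and the demo constructs a temporary DocumentRoot and password file.

```shell
#!/bin/sh
# Added example (not from the original post): check that an .htaccess of the
# form used above points at a password file that is outside the DocumentRoot
# and not world-readable.

# check_htaccess HTACCESS DOCROOT : prints a reason on failure, returns 0 when sane.
check_htaccess() {
    ht=$1
    root=$(cd "$2" && pwd -P) || return 1
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht")
    if [ -z "$pw" ]; then echo "no AuthUserFile in $ht" >&2; return 1; fi
    # assumption: AuthUserFile is an absolute path, as in the post
    if [ ! -f "$pw" ]; then echo "AuthUserFile $pw does not exist" >&2; return 1; fi
    pwc=$(cd "$(dirname "$pw")" && pwd -P)/$(basename "$pw")
    case $pwc in
        "$root"/*) echo "AuthUserFile $pwc is inside DocumentRoot $root" >&2; return 1 ;;
    esac
    # -perm -004 matches when the "other read" bit is set
    if [ -n "$(find "$pwc" -perm -004)" ]; then
        echo "AuthUserFile $pwc is world-readable" >&2; return 1
    fi
    for d in AuthName AuthType require; do
        grep -qi "^$d " "$ht" || { echo "$ht lacks $d" >&2; return 1; }
    done
    echo "ok: $ht uses $pwc"
}

# Demo with a constructed DocumentRoot and password file.
tmp=$(mktemp -d)
mkdir -p "$tmp/www/base" "$tmp/etc/apache2"
# constructed entry, not a real hash
echo 'bala:$apr1$CONSTRUCTED$placeholderhash' > "$tmp/etc/apache2/base_passwords"
chmod 640 "$tmp/etc/apache2/base_passwords"
cat > "$tmp/www/base/.htaccess" <<EOF
AuthUserFile $tmp/etc/apache2/base_passwords
AuthName "Authorization Required"
AuthType Basic
require valid-user
EOF
check_htaccess "$tmp/www/base/.htaccess" "$tmp/www"
chmod 644 "$tmp/etc/apache2/base_passwords"
check_htaccess "$tmp/www/base/.htaccess" "$tmp/www" || echo "rejected after chmod 644"
rm -rf "$tmp"
```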

PHP installation on Ubuntu

https://help.ubuntu.com/10.04/serverguide/C/php5.html


PHP5 - Scripting Language

PHP is a general-purpose scripting language suited for Web development. The PHP script can be embedded into HTML. This section explains how to install and configure PHP5 in Ubuntu System with Apache2 and MySQL.
This section assumes you have installed and configured Apache2 Web Server and MySQL Database Server. You can refer to Apache2 section and MySQL sections in this document to install and configure Apache2 and MySQL respectively.

Installation

The PHP5 is available in Ubuntu Linux.
  • To install PHP5 you can enter the following command in the terminal prompt:
    sudo apt-get install php5 libapache2-mod-php5

    You can run PHP5 scripts from command line. To run PHP5 scripts from command line you should install php5-cli package. To install php5-cli you can enter the following command in the terminal prompt:
    sudo apt-get install php5-cli

    You can also execute PHP5 scripts without installing PHP5 Apache module. To accomplish this, you should install php5-cgi package. You can run the following command in a terminal prompt to install php5-cgi package:
    sudo apt-get install php5-cgi

    To use MySQL with PHP5 you should install php5-mysql package. To install php5-mysql you can enter the following command in the terminal prompt:
    sudo apt-get install php5-mysql

    Similarly, to use PostgreSQL with PHP5 you should install php5-pgsql package. To install php5-pgsql you can enter the following command in the terminal prompt:
    sudo apt-get install php5-pgsql

Configuration

Once you install PHP5, you can run PHP5 scripts from your web browser. If you have installed php5-cli package, you can run PHP5 scripts from your command prompt.
By default, the Apache 2 Web server is configured to run PHP5 scripts. In other words, the PHP5 module is enabled in Apache2 Web server automatically when you install the module. Please verify if the files /etc/apache2/mods-enabled/php5.conf and /etc/apache2/mods-enabled/php5.load exist. If they do not exist, you can enable the module using the a2enmod command.
Once you install PHP5 related packages and enabled PHP5 Apache 2 module, you should restart Apache2 Web server to run PHP5 scripts. You can run the following command at a terminal prompt to restart your web server:
sudo /etc/init.d/apache2 restart 

Testing

To verify your installation, you can run the following PHP5 phpinfo script:
<?php
phpinfo();
?>
You can save the content in a file named phpinfo.php and place it under the DocumentRoot directory of the Apache2 Web server. When you point your browser to http://hostname/phpinfo.php, it will display the values of various PHP5 configuration parameters.

Saturday, August 27, 2011

WOW BIGBLUEBUTTON :-)

http://code.google.com/p/bigbluebutton/

I would like to have this built for myself, to host my own meeting :-)

Slidecasting-recorder

http://code.google.com/p/slidecasting-recorder/

I don't think that this would be able to show mouse movements, as opposed to gtk-recordMyDesktop.

SANS Cheat Sheet


www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf

Sunday, August 21, 2011

Snort libdnet

http://forums.snort.org/forums/snort-newbies/topics/libdnet-not-found

whereis libdnet

LD_LIBRARY_PATH=/usr/local/lib
export LD_LIBRARY_PATH

Syslogging in Ubuntu

In order to log something to syslog in Ubuntu, we need to edit the following rsyslog configuration file:

#gedit /etc/rsyslog.d/50-default.conf

#Snort - Alerts
local0.*            /var/log/snort/snort_alerts_syslog.log

Then we need to restart rsyslog so that it rereads the config file.

#service rsyslog restart

Once this is done, we can go into the /var/log/snort/ folder and list it to see whether the new file has been created.

Friday, August 19, 2011

VirtualBox just permanent share

bala@bala-desktop:~$ cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid -o value -s UUID' to print the universally unique identifier
# for a device; this may be used with UUID= as a more robust way to name
# devices that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
HOST_SHARE    /home/bala/share1    vboxsf    rw,uid=1000,gid=1000    0    0
bala@bala-desktop:~$

Wednesday, August 17, 2011

Tasklist & taskkill

c:\Temp>tasklist /FI "IMAGENAME eq USBDeview.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
USBDeview.exe                 9860 Services                   0      5,308 K

c:\Temp>taskkill /FI "IMAGENAME eq USBDeview.exe"
ERROR: The process with PID 9860 could not be terminated.
Reason: This process can only be terminated forcefully (with /F option).

c:\Temp>taskkill /F /FI "IMAGENAME eq USBDeview.exe"
SUCCESS: The process with PID 9860 has been terminated.

c:\Temp>del /F USBDeview.exe

c:\Temp>del /F usb.html

Sunday, August 14, 2011

Awk command in Linux

root@ubuntu-mrt:/etc/snort/snortrules/rules# ls -ltr | awk '{ print $8 }'

experimental.rules
VRT-License.txt
x11.rules
web-php.rules
web-misc.rules
web-iis.rules

Friday, August 12, 2011

List of useful URL

IP conversion

http://www.searchlores.org/sonjas33.htm


Checking a website for Malware

http://www.antihacksecurity.com/scan-a-website-for-virus-malware

http://www.avg.com.au/resources/web-page-scanner/
http://www.virustotal.com/index.html#url-submission
http://siteinspector.comodo.com/

http://www.virustotal.com/
http://virusscan.jotti.org/en

5 steps for analysing Malware

http://zeltser.com/malware-analysis-toolkit/#utilize-online-analysis-tools

Sunday, August 7, 2011

Using dd to acquire Memory or host drive

Acquire Memory:

C:\Tools>dd.exe if=\\.\PhysicalMemory of="E:\images\host1-memoryimage-20110807.dd"
conv=sync,noerror --md5sum --verifymd5 --md5out="E:\images\host1-memoryimage-20110807.dd.md5" --log="E:\images\host1-memoryimage-20110807.dd_audit.log"

Acquire Harddisk

C:\Tools>dd.exe if=\\.\PhysicalDrive0 of="E:\images\host1-diskimage-20110807.dd"
conv=sync,noerror --md5sum --verifymd5 --md5out="E:\images\host1-diskimage-20110807.dd.md5" --log="E:\images\host1-diskimage-20110807.dd_audit.log"

Collecting Contents from Clipboard

We can see what is currently held in the clipboard with the help of this tool:

http://www.nirsoft.net/utils/inside_clipboard.html




Scheduled Tasks

We can use the inbuilt at command.

c:\Tools>at
Status ID   Day                     Time          Command Line
----------------------------------------------------------------------------
        1   Today                   14:05         cmd.exe
        2   Today                   14:05         calc.exe

c:\Tools>tasklist | find "calc"
calc.exe                      1308 Services                   0      3,276 K


We can also use the inbuilt schtasks command.

c:\Tools>schtasks /Query /FO LIST /V

Folder: \
HostName:                             BALA-PC
TaskName:                             \At1
Next Run Time:                        N/A
Status:                               Running
Logon Mode:                           Interactive/Background
Last Run Time:                        07-08-2011 14:05:00
Last Result:                          267009
Author:                               N/A
Task To Run:                          cmd.exe
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          AtServiceAccount
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        One Time Only
Start Time:                           14:05:00
Start Date:                           07-08-2011
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

HostName:                             BALA-PC
TaskName:                             \At2
Next Run Time:                        N/A
Status:                               Running
Logon Mode:                           Interactive/Background
Last Run Time:                        07-08-2011 14:05:00
Last Result:                          267009
Author:                               N/A
Task To Run:                          calc.exe
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          AtServiceAccount
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        One Time Only
Start Time:                           14:05:00
Start Date:                           07-08-2011
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled



Determining Open Files

We can see all the files that are open locally with OpenedFilesView: http://www.nirsoft.net/utils/opened_files_view.html


We can see all the files that are open remotely with the following command:


c:\Tools>net file

ID         Path                                    User name            # Locks

-------------------------------------------------------------------------------
12         C:\\                                    Bala                  0
230        C:\\                                    Bala                  0
233        C:\\Tools                               Bala                  0
689        C:\\Tools                               Bala                  0
The command completed successfully.

http://technet.microsoft.com/en-us/sysinternals/bb897552.aspx

c:\Tools>Psfile.exe

psfile v1.02 - psfile
Copyright (C) 2001 Mark Russinovich
Sysinternals

Files opened remotely on BALA-PC:

[12] C:\\
    User:   Bala
    Locks:  0
    Access: Read
[230] C:\\
    User:   Bala
    Locks:  0
    Access: Read
[233] C:\\Tools
    User:   Bala
    Locks:  0
    Access: Read
[689] C:\\Tools
    User:   Bala
    Locks:  0
    Access:

c:\Tools>

We can see all the recently accessed documents and pictures with RecentFilesView:

http://www.nirsoft.net/utils/recent_files_view.html


Collecting Command Prompt History

We can see all the recently entered commands in the cmd prompt with the following command, or by pressing F7.

c:\Tools>doskey /history
cls
serviwin.exe
net native start
net start
cls
svcutil.exe
svcutil.exe stop
svcutil.exe STOP

Identify Shares on the infected system
  
c:\Tools>net share

Share name   Resource                        Remark
-----------------------------------------------------------------------------
C$                  C:\                                     Default share
IPC$                                                        Remote IPC
ADMIN$         C:\Windows                      Remote Admin
The command completed successfully.


Finding the Services and Drivers

Malware often installs itself as a service on the running system.

We can find the services that are running under each process with the command

c:\Tools>tasklist /svc

Image Name                     PID Services
========================= ======== =======
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       380 N/A
csrss.exe                      456 N/A
wininit.exe                    500 N/A
services.exe                   584 N/A
lsass.exe                      600 ProtectedStorage, SamSs
lsm.exe                        608 N/A
svchost.exe                    764 DcomLaunch, PlugPlay
VBoxService.exe                808 VBoxService
svchost.exe                    856 RpcSs
svchost.exe                    892 WinDefend
svchost.exe                   1012 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe                   1056 AudioEndpointBuilder, EMDMgmt, Netman,
                                   PcaSvc, SysMain, TabletInputService,
                                   TrkWks, UxSms, WdiSystemHost, WPDBusEnum,
                                   wudfsvc
svchost.exe                   1072 AeLookupSvc, Appinfo, BITS, IKEEXT,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
audiodg.exe                   1136 N/A
svchost.exe                   1160 gpsvc
SLsvc.exe                     1180 slsvc
svchost.exe                   1208 EventSystem, FDResPub, LanmanWorkstation,
                                   netprofm, nsi, SLUINotify, SSDPSRV,
                                   SstpSvc, upnphost, W32Time, WebClient
svchost.exe                   1364 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
                                   TermService
spoolsv.exe                   1496 Spooler
svchost.exe                   1520 BFE, DPS, MpsSvc
svchost.exe                    280 PolicyAgent
taskeng.exe                    288 N/A
svchost.exe                    648 WerSvc
SearchIndexer.exe             1888 WSearch
csrss.exe                     2500 N/A
winlogon.exe                  2532 N/A
taskeng.exe                   2884 N/A
dwm.exe                       3868 N/A
explorer.exe                  3904 N/A
MSASCui.exe                   3996 N/A
VBoxTray.exe                  4004 N/A
sidebar.exe                   4012 N/A
wuauclt.exe                   3328 N/A
cmd.exe                       3464 N/A
tasklist.exe                  3704 N/A
WmiPrvSE.exe                  2828 N/A

c:\Tools>


We can get a whole list of details from PsService.exe:
http://technet.microsoft.com/en-us/sysinternals/bb897542.aspx
c:\Tools>PsService.exe

PsService v2.24 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: AeLookupSvc
DISPLAY_NAME: Application Experience
Processes application compatibility cache requests for applications as they are launched
        TYPE              : 20 WIN32_SHARE_PROCESS
        STATE             : 4  RUNNING
                               (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE   : 0  (0x0)
        SERVICE_EXIT_CODE : 0  (0x0)
        CHECKPOINT        : 0x0
        WAIT_HINT         : 0 ms

SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing
        TYPE              : 10 WIN32_OWN_PROCESS
        STATE             : 1  STOPPED
                               (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE   : 1077 (0x435)
        SERVICE_EXIT_CODE : 0  (0x0)
        CHECKPOINT        : 0x0
        WAIT_HINT         : 0 ms

We can also use Serviwin from http://www.nirsoft.net/utils/serviwin.html to get all the details about services.




We can also use ServiceList from http://www.pathsolutions.com/support/tools.asp

c:\Tools>ServiceList.exe -t \\bala-pc
Service Name    Display Name    State   Win Own Process Win Shared Process      Kernel Device Driver    File System Driver      Desktop Interactive Process     Start   Stop    Pause   Continue        System Shutdown
AeLookupSvc     Application Experience  Running         X                               X       X

ALG     Application Layer Gateway Service       Stopped X

Appinfo Application Information Running         X                               X       X


We can also use a native utility such as net start:

c:\Tools>net start
These Windows services are started:

   Application Experience
   Application Information
   Background Intelligent Transfer Service
   Base Filtering Engine
   COM+ Event System

We can also use another tool called SvcUtil:

http://www.joeware.net/freetools/tools/svcutil/index.htm

c:\Tools>svcutil.exe "Application Experience"

SvcUtil V02.04.00cpp  Joe Richards (joe@joeware.net) June 2005

SERVICE_NAME: AeLookupSvc
DISPLAY NAME: Application Experience
        TYPE                 : 32  WIN32_SHARE_PROCESS
        STATE                : 4  RUNNING
                                  (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE      : 0  (0x0)
        SERVICE_EXIT_CODE    : 0  (0x0)
        CHECKPOINT           : 0x0
        WAIT_HINT            : 0x0

c:\Tools>


We can find details about common services and functions in the following links:

http://msdn2.microsoft.com/en-us/library/ms681921
http://www.theeldergeek.com/services_guide.htm#Services
http://msdn2.microsoft.com/en-us/library/ms685942


Drivers
We can see the drivers on the system with the help of DriverView from http://www.nirsoft.net/utils/driverview.html

Here all Non-Microsoft Drivers will be highlighted.


This tool does the same thing from the command line:

http://download.microsoft.com/download/win2000platform/drivers/1.0/NT5/EN-US/drivers.exe

c:\Tools>drivers.exe
  ModuleName    Code    Data     Bss   Paged    Init          LinkDate
------------------------------------------------------------------------------
ntoskrnl.exe  942080  290816       0 1966080  262144  Thu Oct 14 20:08:16 2010
     hal.dll   73728   16384       0   36864   16384  Sat Jan 19 10:57:20 2008
   kdcom.dll    4096    4096       0    4096    4096  Sat Jan 19 13:01:53 2008
mcupdate_GenuineIntel.dll    4096    4096       0  364544    4096  Sat Jan 19 12:59:43 2008
   PSHED.dll   12288   12288       0    8192    8192  Sat Jan 19 13:01:21 2008
 BOOTVID.dll    8192    4096       0       0    4096  Sat Jan 19 12:57:15 2008
    CLFS.SYS   77824   12288       0  131072    8192  Sat Jan 19 10:58:01 2008
      CI.dll  520192  303104       0   61440    4096  Fri Feb 22 10:30:56 2008






Associating Running processes and programs with open ports.

We can find a list of open ports on our machine with the command

c:\Tools>netstat -aon

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       500
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1072
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       600
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       584
  TCP    10.0.2.15:139          0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       856
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5357              [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       500
  TCP    [::]:49153             [::]:0                 LISTENING       1012
  TCP    [::]:49154             [::]:0                 LISTENING       1072
  TCP    [::]:49155             [::]:0                 LISTENING       600
  TCP    [::]:49156             [::]:0                 LISTENING       584
  UDP    0.0.0.0:123            *:*                                    1208
  UDP    0.0.0.0:500            *:*                                    1072
  UDP    0.0.0.0:4500           *:*                                    1072
  UDP    0.0.0.0:5355           *:*                                    1364
  UDP    10.0.2.15:137          *:*                                    4
  UDP    10.0.2.15:138          *:*                                    4
  UDP    10.0.2.15:1900         *:*                                    1208
  UDP    127.0.0.1:1900         *:*                                    1208
  UDP    127.0.0.1:64594        *:*                                    1208
  UDP    [::]:123               *:*                                    1208
  UDP    [::]:500               *:*                                    1072
  UDP    [::1]:1900             *:*                                    1208
  UDP    [::1]:64593            *:*                                    1208
  UDP    [fe80::100:7f:fffe%11]:1900  *:*                                    1208
  UDP    [fe80::2031:52a2:cbee:b0b3%17]:1900  *:*                                    1208

We can find the executable associated with each port number with the command

c:\Tools>netstat -anb

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
 [wininit.exe]
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  Eventlog
 [svchost.exe]
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
 [lsass.exe]
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
 [services.exe]
  TCP    10.0.2.15:139          0.0.0.0:0              LISTENING

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    [::]:135               [::]:0                 LISTENING
  RpcSs
 [svchost.exe]
  TCP    [::]:445               [::]:0                 LISTENING

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    [::]:5357              [::]:0                 LISTENING

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    [::]:49152             [::]:0                 LISTENING
 [wininit.exe]
  TCP    [::]:49153             [::]:0                 LISTENING
  Eventlog
 [svchost.exe]
  TCP    [::]:49154             [::]:0                 LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49155             [::]:0                 LISTENING
 [lsass.exe]
  TCP    [::]:49156             [::]:0                 LISTENING
 [services.exe]
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:500            *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
  Dnscache
 [svchost.exe]
  UDP    10.0.2.15:137          *:*

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  UDP    10.0.2.15:138          *:*

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  UDP    10.0.2.15:1900         *:*
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:1900         *:*
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:64594        *:*
  SSDPSRV
 [svchost.exe]
  UDP    [::]:123               *:*
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*
  IKEEXT
 [svchost.exe]
  UDP    [::1]:1900             *:*
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:64593            *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::100:7f:fffe%11]:1900  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::2031:52a2:cbee:b0b3%17]:1900  *:*
  SSDPSRV
 [svchost.exe]

c:\Tools>
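The netstat -anb run above could not obtain ownership information for several sockets, while netstat -aon and tasklist /svc (from the services section earlier) both ran without complaint; joining the two listings on the PID column gives the same port-to-process-to-service mapping. The following Python script is an added example, not part of the original post: its sample input is constructed from the listings on this page, except the PID 2468 / port 8443 line, which is made up and deliberately absent from the tasklist snapshot to show how a PID that disappeared between the two commands is reported.

```python
import re

# Sample output, constructed from the netstat -aon and tasklist /svc listings on
# this page. The PID 2468 / port 8443 line is made up and deliberately absent
# from the tasklist snapshot, to exercise the "process went away" case.
NETSTAT_AON = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1072
  TCP    [::]:49155             [::]:0                 LISTENING       600
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       2468
  UDP    0.0.0.0:500            *:*                                    1072
  UDP    [::]:500               *:*                                    1072
"""

TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== =======
System Idle Process              0 N/A
lsass.exe                      600 ProtectedStorage, SamSs
svchost.exe                    856 RpcSs
svchost.exe                   1072 AeLookupSvc, Appinfo, BITS, IKEEXT,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
"""

# One tasklist row: image name (may contain spaces), PID, comma-separated services.
_TASK_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_netstat_aon(text):
    """One dict per socket. UDP rows have no State column, so PID is the last field."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # title, header and blank lines
        host, port = parts[1].rsplit(":", 1)  # rsplit keeps IPv6 brackets intact
        sockets.append({"proto": parts[0], "local_host": host, "local_port": int(port),
                        "foreign": parts[2], "state": parts[3] if parts[0] == "TCP" else "",
                        "pid": int(parts[-1])})
    return sockets


def _split_services(chunk):
    names = [s.strip() for s in chunk.split(",")]
    return [n for n in names if n and n != "N/A"]


def parse_tasklist_svc(text):
    """{pid: {"image", "services"}}; wrapped service lists continue on indented lines."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():  # continuation of the previous row's service list
            if current is not None:
                current["services"].extend(_split_services(line))
            continue
        m = _TASK_ROW.match(line)
        if m:
            current = {"image": m.group(1), "services": _split_services(m.group(3))}
            procs[int(m.group(2))] = current
    return procs


def join_ports_to_processes(sockets, procs):
    """Attach image and hosted services to each socket via its PID. A PID missing
    from the tasklist snapshot means the process exited or started between the two
    commands; such sockets are flagged rather than silently dropped."""
    rows = []
    for s in sockets:
        p = procs.get(s["pid"])
        row = dict(s)
        row["image"] = p["image"] if p else None
        row["services"] = list(p["services"]) if p else []
        row["note"] = "" if p else "PID not in tasklist snapshot; re-run both commands"
        rows.append(row)
    return rows
```

On a real host, feed the saved output of both commands to the two parsers and print the joined rows; a socket whose PID matches no process is worth a second look rather than a shrug, since a short-lived process is exactly what a cleanup routine or a beaconing stub looks like.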

We can obtain similar information from OpenPorts: http://www.diamondcs.com.au/openports/

c:\Tools>openports.exe -list -path
DiamondCS OpenPorts v1.0  (-? for help)
Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au/openports/
Free for personal and educational use only. See openports.txt for more details.
_______________________________________________________________________________

SYSTEM [0]
  TCP  0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP  10.0.2.15:139          0.0.0.0:0              LISTENING
  TCP  0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP  0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP  0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP  0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP  0.0.0.0:49156          0.0.0.0:0              LISTENING
  TCP  0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP  0.0.0.0:5357           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:68             0.0.0.0:0              LISTENING
  UDP  0.0.0.0:123            0.0.0.0:0              LISTENING
  UDP  10.0.2.15:137          0.0.0.0:0              LISTENING
  UDP  10.0.2.15:138          0.0.0.0:0              LISTENING
  UDP  0.0.0.0:500            0.0.0.0:0              LISTENING
  UDP  10.0.2.15:1900         0.0.0.0:0              LISTENING
  UDP  127.0.0.1:1900         0.0.0.0:0              LISTENING
  UDP  0.0.0.0:4500           0.0.0.0:0              LISTENING
  UDP  0.0.0.0:5355           0.0.0.0:0              LISTENING
  UDP  127.0.0.1:64594        0.0.0.0:0              LISTENING

c:\Tools>

http://www.iana.org/assignments/port-numbers

We can obtain more detailed information with CurrPorts from the following link:

http://www.nirsoft.net/utils/cports.html




The TCPView utility can also provide the same kind of output.
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx