Monday, August 30, 2010

GNU/Linux Live

Clonezilla Live on USB flash drive or USB hard drive

Some machines, e.g. the Asus Eee PC or Acer Aspire One, come without a CD/DVD drive. In this case a USB flash drive or USB hard drive is the best way to boot Clonezilla live. To make your USB flash drive or hard drive bootable, first download the Clonezilla live zip file. Then extract the files onto the USB flash drive or USB hard drive and make it bootable on an MS Windows or GNU/Linux computer by following the steps below. (This method only works when the file system on the USB flash drive or USB hard drive is FAT. For other file systems, you can try grub or another bootloader.)

* On MS windows
o Choice 1 (Manually):
*****************************
WARNING! WARNING! WARNING!
*****************************
WARNING!: ***DO NOT RUN*** makeboot.bat from your local hard drive! It should only be run from your USB flash drive or USB hard drive. Executing it incorrectly could cause your MS Windows not to boot!!!
1. Create a FAT16 or FAT32 partition on your flash drive if there is no FAT16 or FAT32 partition on it yet. If there is, you can use the existing one.
2. Extract all the contents of clonezilla-live-usb.zip to the FAT16/FAT32 partition on your "flash drive". Keep the directory structure; for example, the file "COPYING" should be in the top directory of the USB flash drive or USB hard drive (e.g. G:\COPYING).
3. Browse to your "flash drive", enter the directory "utils", then the sub-directory "win32", and click the file "makeboot.bat" to execute it. WARNING! makeboot.bat must be run from your USB flash drive or USB hard drive. Executing it incorrectly could cause your MS Windows not to boot.
4. Follow the on-screen instructions.
(PS: The above description was modified from: http://www.pendrivelinux.com/2007/01/02/all-in-one-usb-dsl. Thanks to PDLA from http://pendrivelinux.com)
o Choice 2 (Use GUI program on MS windows):
1. Download Unetbootin to help you create this live USB flash drive. Just run the program on MS Windows and follow the GUI to create the live USB. You will need the Clonezilla live iso file for this method. PS. The boot menu created by Unetbootin is not exactly the same as the one created in choice 1, so choice 1 is recommended.
* On GNU/Linux
o Choice 1 (Manually):
1. Prepare a USB flash drive, USB hard drive or external disk that has a partition using the FAT (FAT16 or FAT32) file system. If the USB flash drive or USB hard drive does not have any partition, use a disk tool (e.g. gparted, fdisk, cfdisk or sfdisk) to create a partition of 200 MB or more. Here we assume your USB flash drive or USB hard drive is /dev/sdb on your GNU/Linux machine (you have to confirm the device name, since it is _NOT_ always /dev/sdb), so the partition table looks like:

# fdisk -l /dev/sdb
Disk /dev/sdb: 12.8 GB, 12884901888 bytes
15 heads, 63 sectors/track, 26630 cylinders
Units = cylinders of 945 * 512 = 483840 bytes
Disk identifier: 0x000c2aa7

Device Boot Start End Blocks Id System
/dev/sdb1 * 1 26630 12582643+ b W95 FAT32

Then format the partition as FAT (e.g. "mkfs.vfat -F 32 /dev/sdb1"). WARNING! Executing it incorrectly could cause your GNU/Linux not to boot. Confirm the command before you run it.

# mkfs.vfat -F 32 /dev/sdb1
mkfs.vfat 2.11 (12 Mar 2005)

2. Insert your USB flash drive or USB hard drive into a USB port on your Linux machine and wait a few seconds. Next, run the command "dmesg" to find the device name of the USB flash drive or USB hard drive. Let's say, for example, that you find it is /dev/sdb1. In this example we assume /dev/sdb1 has a FAT filesystem and is automatically mounted at /media/usb/. If it is not automatically mounted, mount it manually with "mkdir -p /media/usb; mount /dev/sdb1 /media/usb/".
3. Unzip all the files and copy them onto your USB flash drive or USB hard drive (you can do this with a command like "unzip clonezilla-live-1.0.10-8.zip -d /media/usb/"). Keep the directory structure; for example, the file "COPYING" should be in the top directory of the USB flash drive or USB hard drive (e.g. /media/usb/COPYING).
4. To make your USB flash drive bootable, first change the working directory, e.g. "cd /media/usb/utils/linux", then run "bash makeboot.sh /dev/sdb1" (replace /dev/sdb1 with your USB flash drive's device name) and follow the prompts to finish. WARNING! Executing it with the wrong device name could cause your GNU/Linux not to boot. Confirm the command before you run it. (There is a known problem if you run makeboot.sh on Debian Etch, since the program utils/linux/syslinux does not work there. Make sure you run it on a newer GNU/Linux, e.g. Debian Lenny, Ubuntu 8.04, Fedora 9...)
5. If your USB flash drive or USB hard drive is not able to boot, check: (1) Is there any partition on your flash drive? It must contain at least 1 partition. (2) The partition must be marked as "bootable" in the partition table. (3) The partition must be on a cylinder boundary.
o Choice 2 (Use GUI program on GNU/Linux):
1. Download Unetbootin to help you create this live USB flash drive. Just run the program on MS Windows and follow the GUI to create the live USB. You will need the Clonezilla live iso file for this method. PS. The boot menu created by Unetbootin is not exactly the same as the one created in choice 1, so choice 1 is recommended.
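Step 4's warning (the wrong device name can leave the machine unbootable) and step 5's checklist can be turned into a pre-flight check. The script below is an added example, not part of Clonezilla or its documentation: it refuses a target whose disk carries a mounted system filesystem and confirms the partition is FAT and flagged bootable. It assumes /dev/sdX-style names and reads /proc/mounts and the `fdisk -l` listing from file arguments, so it runs on the constructed copies embedded here.

```shell
#!/bin/sh
# Added example (not Clonezilla's own code): sanity checks to run before
# mkfs.vfat or makeboot.sh touch a device. MOUNTS is a file in /proc/mounts
# format, LISTING the output of `fdisk -l`; pass the real files on a live
# system, constructed copies here. Assumes /dev/sdX naming (LVM, /dev/root
# or mmcblk-style names are not resolved).

# device_is_system_disk DISK MOUNTS
# True (0) if any partition of DISK is mounted on a system mount point.
device_is_system_disk() {
    awk -v disk="$1" '
        index($1, disk) == 1 &&
        ($2 == "/" || $2 == "/boot" || $2 == "/usr" || $2 == "/var" || $2 == "/home") { found = 1 }
        END { exit (found ? 0 : 1) }' "$2"
}

# partition_is_bootable PART LISTING
# True if PART carries the "*" boot flag in the fdisk listing (step 5, point 2).
partition_is_bootable() {
    awk -v part="$1" '
        $1 == part { seen = 1; boot = ($2 == "*") }
        END { exit ((seen && boot) ? 0 : 1) }' "$2"
}

# partition_is_fat PART LISTING
# True if the System column for PART mentions FAT (FAT16/FAT32).
partition_is_fat() {
    awk -v part="$1" '
        $1 == part { for (i = 2; i <= NF; i++) if ($i ~ /FAT/) fat = 1 }
        END { exit (fat ? 0 : 1) }' "$2"
}

# check_usb_target PART MOUNTS LISTING
# Prints a verdict; returns 0 only when every check passes.
check_usb_target() {
    part=$1; mounts=$2; listing=$3
    disk=$(printf '%s\n' "$part" | sed 's/[0-9]*$//')   # /dev/sdb1 -> /dev/sdb
    if device_is_system_disk "$disk" "$mounts"; then
        echo "REFUSE: $disk holds a mounted system filesystem"; return 1
    fi
    if ! partition_is_fat "$part" "$listing"; then
        echo "REFUSE: $part is not a FAT partition"; return 1
    fi
    if ! partition_is_bootable "$part" "$listing"; then
        echo "REFUSE: $part is not flagged bootable in the partition table"; return 1
    fi
    echo "OK: $part can be used as the Clonezilla live target"
}

# Constructed sample input: the fdisk listing from above plus a system disk.
TMP=$(mktemp -d)
cat > "$TMP/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev 0 0
EOF
cat > "$TMP/fdisk" <<'EOF'
Disk /dev/sdb: 12.8 GB, 12884901888 bytes
Device Boot Start End Blocks Id System
/dev/sdb1 * 1 26630 12582643+ b W95 FAT32
/dev/sda1 * 1 30401 244196001 83 Linux
EOF

check_usb_target /dev/sdb1 "$TMP/mounts" "$TMP/fdisk"          # OK, returns 0
check_usb_target /dev/sda1 "$TMP/mounts" "$TMP/fdisk" || true  # REFUSE (system disk), returns 1
```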

knoppix stuff

CHEATCODES AND HINTS FOR KNOPPIX V6.2.0
==============================================================================
(last update: 11.11.2009)

These options (can be combined) work from the ISOLINUX bootprompt:

### General ###
adriane Start blind-friendly, talking desktop
debug Debug boot process step-by-step
expert Interactive setup for experts
knoppix (Default) Knoppix startup
knoppix 2 Runlevel 2, Textmode only

### Language/Country ###
knoppix lang=ch|cn|de|da|es|fr|it specify language/keyboard
knoppix lang=nl|pl|ru|sk|tr|tw|us specify language/keyboard
knoppix keyboard=us xkeyboard=us Use different keyboard (text/X)
knoppix utc Use Universal Time
knoppix tz=Europe/Berlin Use this timezone for TZ
(default: tz=localtime)

### Hardware/Workarounds ###
knoppix ide1=reset Try this if knoppix can't find the
CD/DVD drive
knoppix no{apic,lapic,acpi,apm} Skip parts of HW-detection (1)
knoppix no{hwsetup,udev,dhcp,fstab} Skip parts of HW-detection (2)
knoppix no{pcmcia,sound,swap} Skip parts of HW-detection (3)
knoppix nousb Skip parts of HW-detection (4)
knoppix nolapic Disable local APIC (differs from noapic)
knoppix noideraid Disable IDE-Raiddisk detection
knoppix pnpbios=off No PnP Bios initialization
knoppix acpi=off Disable ACPI Bios completely
knoppix acpi=noirq Disable ACPI IRQ routing only
knoppix acpi=force FORCE ACPI Bios initialization
knoppix noacpid Do not start ACPI event daemon
failsafe Boot with (almost) no HW-detection
knoppix pci=irqmask=0x0e98 Try this, if PS/2 mouse doesn't work *)
knoppix pci=bios Workaround for bad PCI controllers
knoppix ide2=0x180 nopcmcia Boot from PCMCIA-CD-Rom (some notebooks)
knoppix mem=512M Specify Memory size in MByte
knoppix wheelmouse Enable IMPS/2 protocol for wheelmice
knoppix nowheelmouse Force plain PS/2 protocol for PS/2-mouse

### Desktop ###
knoppix desktop=kde|gnome|icewm Use specified WM instead of LXDE (1)
knoppix desktop=fluxbox|openbox Use specified WM instead of LXDE (2)
knoppix desktop=larswm|evilwm|twm Use specified WM instead of LXDE (3)
knoppix no3d Don't use compiz 3d functions

### Graphics ###
knoppix screen=1280x1024 Use specified Screen resolution for X
knoppix hsync=95 Use 95 kHz horizontal X refresh rate
knoppix vsync=60 Use 60 Hz vertical refresh rate for X
knoppix xmodule=ati|fbdev|intel|mga Use specified Xorg-Module (1)
knoppix xmodule=nv|radeon|savage|s3 Use specified Xorg-Module (2)
knoppix xmodule=vesa|svga|vmware Use specified Xorg-Module (3)
knoppix norandr Disable Xorg RandR feature (may be
useful if wrong resolution was detected)
knoppix noddc Don't query monitor for resolution
knoppix no3d|nocomposite Don't use Xorg Composite extension
knoppix vga=normal No-framebuffer mode, but X
fb1280x1024 Use fixed framebuffer graphics (1)
fb1024x768 Use fixed framebuffer graphics (2)
fb800x600 Use fixed framebuffer graphics (3)

### Configuration / Persistent image ###
knoppix nonetworkmanager Don't start network manager
knoppix home=/dev/sda1/knoppix.img Mount loopback file for overlay
knoppix toram Copy to RAM and run from there
knoppix tohd=/dev/sda1 Copy to Harddisk and run from there
knoppix fromhd=/dev/sda1 Boot from previously copied CD-Image
knoppix bootfrom=/dev/sda1/KNX.iso Access image, boot from ISO-Image. ***)
knoppix knoppix_dir=KNOPPIX Directory to search for on the CD.
knoppix knoppix_name=KNOPPIX Cloop-File to search for on the CD.
knoppix noswap Don't use existing swap partitions
knoppix forensic Don't use swap and mount read-only
knoppix secure Disable root access
knoppix noimage Do NOT use persistent image

### Knoppix Terminalserver/Client ###
knoppix nfsdir=hostip:path Use nfsdir as /mnt-system for TS client
knoppix hostname=name Set TS client hostname
knoppix hostname=auto-mac Set TS client hostname from MAC address
knoppix hostname=auto-clock Set TS client hostname from clock

### Various ###
knoppix noeject Do NOT eject CD after halt
knoppix noprompt Do NOT prompt to remove the CD
knoppix testcd|testdvd Check CD or DVD for defects
knoppix splash Use splash.ppm in initrd as boot pic
knoppix trace create an open() trace in /open.trace

Hint: Using the default DE-bootimage, SYSLINUX boots with German keyboard
layout. The '=' letter is located at Shift-0 on this keyboard (just in
case you want to change keyboard and language with lang=us).

*) Try "knoppix pci=irqmask=0x0e98" if (you have a notebook and) your
PS/2 mouse doesn't work. (Possibly caused by a BIOS-flaw on your board,
BIOS updates can help.)

If your KNOPPIX CD produces strange noises during boot, or you see
frequent errors like "cloop: read error", or programs on your KDE
desktop keep crashing randomly, then your CD image is probably defective
or incomplete, or your CD-burner created a defective CD due to wrong
writing speed or bad media. This is the most common error reported.
Please boot with "knoppix testcd" to check if the CD is OK.

In case of a failing hardware autodetection, try booting with any of
the "no-" options as shown in the table above, like in
knoppix noagp noaudio noapm noapic nolapic acpi=off pci=bios
pnpbios=off nodma nopcmcia noscsi nousb ...
to skip some critical parts of the autodetection system.

The "noswap" and/or "forensic" boot option is useful for a forensic
analysis without touching existing swap partitions.

Some Boards apparently don't pass the proper memory size to the
linux-kernel. It may cause the message "Panic: cannot mount root file
system" and the system hangs. Use "knoppix mem=512M" to solve that
problem if your system has 512MByte memory for example (caution:
you MUST use a capital "M" here).

---

If you need additional modules for starting controllers needed at boot
time, just copy the corresponding *.ko files from /lib/modules/* over to
/modules in the initial ramdisk (remaster needed).

If you place an update*.zip or update*tar.gz file on the medium holding
the KNOPPIX data, it will be unpacked onto the overlayed filesystem
before starting "init", thus allowing quick reconfiguration of the
system.

The file "knoppix.sh", if residing in the main KNOPPIX directory, will
be executed after autoconfiguration and before starting the graphical
desktop. It can be used in order to start additional services.

If you wish to remaster the CD, please don't forget to specify
-no-emul-boot -boot-load-size 4 -boot-info-table \
-b boot/isolinux/isolinux.bin -c boot/isolinux/boot.cat
as option to mkisofs. Otherwise your CD or DVD won't be bootable. The
directory KNOPPIX, containing the compressed filesystem file "KNOPPIX",
must be located in the top level directory of the CD.

Caution: X-Screensaver: Don't start xlock or any screensaver that
requires a password. There are no default passwords on KNOPPIX,
i.e. all accounts are LOCKED unless you explicitly set a password.
See also README_Security.txt about this issue.
If you accidentally hit the screensaver button in KDE,
switch to one of the textconsoles by Control-Alt-F1 and kill
the screensaver (or just set a password for the knoppix user).

If you would like to edit your X-Server configuration manually
(config file /etc/X11/xorg.conf), use "knoppix 2" to boot
into runlevel 2 (textmode only) and, after changing the X
configuration, start the X environment with "init 5". Note that
you can always leave the graphical environment with "init 2", and
restart it later with "init 5".

Saturday, August 28, 2010

radio streaming

behind a proxy, SOCKS or something else

globus@earth:~$ mplayer try_jaya_fm_20100823.mp3
globus@earth:~$ tsocks wget http://radio.mitra.net.id:8110/ --limit-rate=1.1k -O trijaya_fm_sby20100827.mp3 | mplayer -cache 8192 trijaya_fm_sby20100827.mp3

mpich2

Setting Up an MPICH2 Cluster in Ubuntu

Creator: Omid Alemi

omid.alemi@gmail.com

This guide describes how to build a simple MPICH cluster in Ubuntu.

Before you start, you need basic knowledge about MPICH and clustering.

Here we have 4 nodes running Ubuntu 7.04 with these host names: ub0, ub1, ub2, ub3.

1. Defining hostnames in /etc/hosts

Edit /etc/hosts like this:

127.0.0.1 localhost
192.168.133.100 ub0
192.168.133.101 ub1
192.168.133.102 ub2
192.168.133.103 ub3

Note that the file shouldn't be like this:

127.0.0.1 localhost
127.0.1.1 ub0
192.168.133.100 ub0
192.168.133.101 ub1
192.168.133.102 ub2
192.168.133.103 ub3

or like this:

127.0.0.1 localhost
127.0.1.1 ub0
192.168.133.101 ub1
192.168.133.102 ub2
192.168.133.103 ub3

otherwise other hosts will try to connect to localhost when they try to reach ub0.

2. Installing NFS

NFS allows us to create a folder on the master node and have it synced on all the other nodes. This folder can be used to store programs. To install NFS, just run this in the master node's terminal:

omid@ub0:~$ sudo apt-get install nfs-kernel-server

3. Sharing Master Folder

Make a folder on all nodes; we'll store our data and programs in this folder.

omid@ub0:~$ sudo mkdir /mirror

Then we share the contents of this folder on the master node with all the other nodes. To do this we first edit the /etc/exports file on the master node to contain the additional line

/mirror *(rw,sync)

This can be done using vim or by issuing this command:

omid@ub0:~$ echo "/mirror *(rw,sync)" | sudo tee -a /etc/exports

Note that we store our data and programs only on the master node; the other nodes access them over NFS.

4. Mounting /mirror in nodes

Now all we need to do is to mount the folder on the other nodes. This can be done manually each time like this:

omid@ub1:~$ sudo mount ub0:/mirror /mirror
omid@ub2:~$ sudo mount ub0:/mirror /mirror
omid@ub3:~$ sudo mount ub0:/mirror /mirror

But it's better to change fstab so that it is mounted on every boot. We do this by editing /etc/fstab and adding this line:

ub0:/mirror /mirror nfs defaults 0 0

5. Defining a user for running MPI programs

We define a user with the same name and the same user id on all nodes, with its home directory in /mirror.

Here we name it "mpiu"! We also change the owner of /mirror to mpiu:

omid@ub0:~$ sudo chown mpiu /mirror

6. Installing SSH Server

Run this command on all nodes to install the OpenSSH server:

omid@ub0:~$ sudo apt-get install openssh-server

7. Setting up SSH without a passphrase for communication between nodes

First we login with our new user:

omid@ub0:~$ su - mpiu

Then we generate a DSA key for mpiu:

mpiu@ub0:~$ ssh-keygen -t dsa

Leave passphrase empty.

Next we add this key to the authorized keys:

mpiu@ub0:~$ cd .ssh
mpiu@ub0:~/.ssh$ cat id_dsa.pub >> authorized_keys2

Since the home directory of mpiu is the same on all nodes (/mirror/mpiu), there is no need to run these commands on every node.

To test SSH run:

mpiu@ub0:~$ ssh ub1 hostname

It should return the remote hostname without asking for a passphrase.

8. Installing GCC

Install build-essential package:

mpiu@ub0:~$ sudo apt-get install build-essential

9. Installing Other Compilers

Other preferred compilers should be installed before installing MPICH.

In this step we install other compilers such as Intel Fortran, the SGI compiler, etc.

10. Installing MPICH2

You can install mpich2 using Synaptic, or from the command line by typing:

sudo apt-get install mpich2

Alternatively, it can be installed from source.

Download MPICH2 source code from http://www-unix.mcs.anl.gov/mpi/mpich .

Extract the source archive in /mirror. Also make a folder for the MPICH installation.

mpiu@ub3:/mirror$ mkdir mpich2
mpiu@ub3:/mirror$ tar xvf mpich2-1.0.5p3.tar.gz
mpiu@ub3:/mirror$ cd mpich2-1.0.5p3
mpiu@ub3:/mirror/mpich2-1.0.5p3$ ./configure --prefix=/mirror/mpich2
mpiu@ub3:/mirror/mpich2-1.0.5p3$ make
mpiu@ub3:/mirror/mpich2-1.0.5p3$ sudo make install

For more information about compilation see README file in source package.

After successfully compiling and installing MPICH, add these lines to "/mirror/mpiu/.bashrc":

export PATH=/mirror/mpich2/bin:$PATH
export LD_LIBRARY_PATH=/mirror/mpich2/lib:$LD_LIBRARY_PATH

Next we run this command to make the MPICH installation path known to SSH sessions:

mpiu@ub0:~$ echo /mirror/mpich2/bin | sudo tee -a /etc/environment

To test the installation, run:

mpiu@ub0:~$ which mpd
mpiu@ub0:~$ which mpiexec
mpiu@ub0:~$ which mpirun

11. Setting up MPD

Create mpd.hosts in mpiu's home directory with the node names:

ub3
ub2
ub1
ub0

and run:

mpiu@ub0:~$ echo secretword=something >> ~/.mpd.conf
mpiu@ub0:~$ chmod 600 .mpd.conf

To test MPD, run the commands below. The output of mpdtrace should be the current hostname.

mpiu@ub0:~$ mpd &
mpiu@ub0:~$ mpdtrace
mpiu@ub0:~$ mpdallexit

Finally, start the mpd daemons on all nodes:

mpiu@ub0:~$ mpdboot -n 4
mpiu@ub0:~$ mpdtrace

The output should be the names of all nodes. If this doesn't succeed, try running mpdcheck on all hosts to find possible errors in the conf files (they will be marked with **).

There are some examples in "mpich2-1.0.5/examples"; we'll run one:

mpiu@ub0:~$ mpiexec -n 4 cpi

That's it!
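An added audit script, not from Omid's guide, for the files the steps above configure: it detects the 127.0.1.1 mapping that step 1 warns about, flags the "*(rw,sync)" export of step 3 as read-write for any host that can reach the NFS port (restricting the client to the cluster subnet, e.g. 192.168.133.0/24, is the usual fix), and checks the fstab entry of step 4 and the 0600 mode of .mpd.conf from step 11. File paths are arguments so it runs on the constructed copies below; on a node, point it at /etc/hosts, /etc/exports, /etc/fstab and ~/.mpd.conf. Assumes GNU stat.

```shell
#!/bin/sh
# Added example, not part of the guide: preflight checks for an MPICH2 node.

# hosts_node_ok HOSTS NAME
# True if NAME maps to exactly one non-loopback address and never to 127.x
# (the "127.0.1.1 ub0" line from step 1 makes ub0 resolve to localhost).
hosts_node_ok() {
    awk -v name="$2" '
        $1 ~ /^#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { if ($1 ~ /^127\./) loop++; else lan++ } }
        END { exit ((lan == 1 && loop == 0) ? 0 : 1) }' "$1"
}

# exports_world_rw EXPORTS PATH
# True if PATH is exported read-write to the "*" client, i.e. to any host.
exports_world_rw() {
    awk -v path="$2" '
        $1 !~ /^#/ && $1 == path { for (i = 2; i <= NF; i++) if ($i ~ /^\*\(.*rw/) open = 1 }
        END { exit (open ? 0 : 1) }' "$1"
}

# fstab_has_nfs_mount FSTAB MOUNTPOINT
# True if an nfs entry for MOUNTPOINT exists (step 4's persistent mount).
fstab_has_nfs_mount() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp && $3 == "nfs" { ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# mpd_conf_private FILE
# True if FILE exists, is mode 0600 (chmod 600 in step 11) and sets secretword.
mpd_conf_private() {
    [ -f "$1" ] || return 1
    [ "$(stat -c %a "$1")" = "600" ] || return 1   # GNU stat assumed
    grep -q '^secretword=' "$1"
}

# audit_compute_node HOSTS FSTAB MPDCONF NAME   (for ub1..ub3)
audit_compute_node() {
    rc=0
    hosts_node_ok "$1" "$4"          || { echo "FAIL hosts: $4 missing or mapped to 127.x in $1"; rc=1; }
    fstab_has_nfs_mount "$2" /mirror || { echo "FAIL fstab: no nfs entry for /mirror in $2"; rc=1; }
    mpd_conf_private "$3"            || { echo "FAIL mpd: $3 must be mode 600 and set secretword="; rc=1; }
    return $rc
}

# audit_master EXPORTS HOSTS MPDCONF NAME   (for ub0, which exports /mirror)
audit_master() {
    rc=0
    hosts_node_ok "$2" "$4"       || { echo "FAIL hosts: $4 missing or mapped to 127.x in $2"; rc=1; }
    exports_world_rw "$1" /mirror && { echo "WARN exports: /mirror is rw for any host; use e.g. 192.168.133.0/24(rw,sync)"; rc=1; }
    mpd_conf_private "$3"         || { echo "FAIL mpd: $3 must be mode 600 and set secretword="; rc=1; }
    return $rc
}

# Constructed sample files (mirroring the listings in steps 1, 3, 4 and 11).
TMP=$(mktemp -d)
printf '127.0.0.1 localhost\n192.168.133.100 ub0\n192.168.133.101 ub1\n' > "$TMP/hosts.good"
printf '127.0.0.1 localhost\n127.0.1.1 ub0\n192.168.133.100 ub0\n192.168.133.101 ub1\n' > "$TMP/hosts.bad"
printf '/mirror *(rw,sync)\n' > "$TMP/exports.open"
printf '/mirror 192.168.133.0/24(rw,sync)\n' > "$TMP/exports.subnet"
printf 'ub0:/mirror /mirror nfs defaults 0 0\n' > "$TMP/fstab"
printf 'secretword=something\n' > "$TMP/mpd.conf" && chmod 600 "$TMP/mpd.conf"

audit_compute_node "$TMP/hosts.good" "$TMP/fstab" "$TMP/mpd.conf" ub1          # clean, returns 0
audit_master "$TMP/exports.open" "$TMP/hosts.bad" "$TMP/mpd.conf" ub0 || true   # two findings, returns 1
```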
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
globus@earth:~$ tar xzf mpich2-1.2.1p1.tar.gz
globus@earth:~/mpich2-1.2.1p1$ ./configure --prefix=/usr/local/mpich2-1.2.1/ 2>&1 | tee c.txt
globus@earth:~/mpich2-1.2.1p1$ make 2>&1 |tee d.txt
globus@earth:~/mpich2-1.2.1p1$ make install
globus@earth:~$ sudo apt-get install mpich2



What is MPICH2?

MPICH2 is a high-performance and widely portable implementation of the Message Passing Interface (MPI) standard (both MPI-1 and MPI-2). The goals of MPICH2 are to provide an MPI implementation that efficiently supports different computation and communication platforms including commodity clusters (desktop systems, shared-memory systems, multicore architectures), and high-speed networks (10 Gigabit Ethernet, InfiniBand, Myrinet, Quadrics). To set up a grid/ring, first download the MPICH2 package and install it in your home directory. The following steps will guide you through installing MPICH2 and using it thereafter.
Using MPICH2

1. Add the bin subdirectory to your PATH:

setenv PATH "/local/wecn-linux/apps/mpich2/bin:$PATH"

At this point, check that everything is in order by running

which mpd mpiexec mpirun

2. Place in your home directory a file named .mpd.conf containing the line "secretword=" where is a string known only to yourself. Also, make this file readable and writable only by you by entering:

chmod 600 .mpd.conf

3. Check the working of a "ring" using the mpd command on the local machine, then bring the ring down:

mpd &
mpdtrace
mpdallexit

The output of mpdtrace should be the hostname of the machine you are running on. The mpdallexit causes the mpd daemon to exit.

4. To bring up a ring on a set of machines start a local daemon:

mpd &

5. To make the local daemon print its host and port in the form _, enter:

mpdtrace -l


6. Log into each of the other machines and do:

setenv PATH /local/wecn-linux/apps/mpich2/bin:$PATH

mpd -h -p &

where the hostname and port belong to the original mpd that you started.

7. From each machine, after starting the mpd, you can run mpdtrace to see which machines are in the ring so far. Repeat the above for as many machines as you need in the ring. Remember to exit mpd with mpdallexit once your job has finished.

Friday, August 27, 2010

daily log

2008.08.28
r, al, satr, band, ctr, anto, rice, asw, ard, bing, kimp, yuk, pug, bne, frz, mti, jue, ris, sug, bank, park, sat, esk

Friday, August 20, 2010

row 1, cell 1 | row 1, cell 2 | row 1, cell 2 | row 1, cell 2
row 2, cell 1 | row 2, cell 2 | row 1, cell 2

Monday, August 16, 2010

wine stuff

globus@earth:~$ wine npp.5.7.Installer.exe > /dev/null 2>&1 &
globus@earth:~$ cat /usr/bin/npp
wine /home/globus/.wine/drive_c/Program\ Files/Notepad++/notepad++.exe > /dev/null 2>&1 &
globus@earth:~$ chmod 755 /usr/bin/npp

watch stuff

watch --differences -n1 ls -l /media/

Wednesday, August 11, 2010

download stuff

# -j is the short form of --max-concurrent-downloads and needs a count
aria2c --no-proxy -i target.txt -j 8
aria2c --no-proxy -i target.txt --max-concurrent-downloads=8

axel --verbose --no-proxy download_link

Tuesday, August 10, 2010

bash stuff

# rename every file in the current directory to bm_eps00<n>
let a=1
for i in *
do
mv "$i" "bm_eps00$a"
let a=$a+1
done

Friday, August 6, 2010

grid stuff

# /etc/apt/sources.list
deb http://kambing.ui.ac.id/ubuntu lucid main restricted universe multiverse
deb http://kambing.ui.ac.id/ubuntu lucid-updates main restricted universe multiverse
deb http://kambing.ui.ac.id/ubuntu lucid-security main restricted universe multiverse
deb http://kambing.ui.ac.id/ubuntu lucid-backports main restricted universe multiverse

deb file:///media/doc/lucid lucid main restricted universe multiverse
deb file:///media/doc/lucid lucid-updates main restricted universe multiverse
deb file:///media/doc/lucid lucid-security main restricted universe multiverse
deb file:///media/doc/lucid lucid-backports main restricted universe multiverse

# /etc/apt/apt.conf
APT::Get::AutomaticRemove "true";
APT::Install-Recommends "false";
APT::Get::force-yes "true";
APT::Get::Assume-Yes "true";

#cli only
apt-get dist-upgrade && apt-get -y -q --force-yes --no-install-recommends --auto-remove install vim htop mc nmap openssh-server proftpd-basic links localepurge sudo
#GT prerequisites
apt-get install openssl libssl-dev zlib1g build-essential locate libxml-parser-perl sudo
updatedb && locate XML/Parser.pm
adduser globus
adduser globus sudo

apt-get update && apt-get upgrade && apt-get dist-upgrade && apt-get install vim htop mc nmap openssh-server proftpd-basic links localepurge sudo openssl libssl-dev zlib1g build-essential locate libxml-parser-perl && updatedb && locate XML/Parser.pm

cat /etc/sudoers
+++++++++++++++++++++++++++++++++++
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL

# Allow members of group sudo to execute any command after they have
# provided their password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
+++++++++++++++++++++++++++++++++++
#
$ cat ~/.bashrc
+++++++++++++++++++++++++++++++++++
http_proxy="http://princeofun@chem.its.ac.id:jewkco@202.46.129.10:8080/"
export http_proxy
ftp_proxy="http://princeofun@chem.its.ac.id:jewkco@202.46.129.10:8080/"
export ftp_proxy
export JAVA_HOME=/usr/local/jdk1.5.0_22
export PATH=$PATH:$JAVA_HOME/bin
export ANT_HOME=/usr/local/apache-ant-1.8.1
export PATH=$PATH:$ANT_HOME/bin

export GLOBUS_LOCATION=/usr/local/globus-4.2.1
#export CATALINA_HOME=/opt/apache-tomcat-5.5.26
#export PATH=$PATH:$CATALINA_HOME/bin
#source $GLOBUS_LOCATION/etc/globus-user-env.sh
+++++++++++++++++++++++++++++++++++
sudo chown globus:globus /usr/local && exit
globus@debianserver:/usr$ ls -l |grep local
drwxrwsr-x 11 globus globus 4096 2010-07-19 09:30 local

transfer jdk1.5.0_22 apache-ant-1.8.1 gt && untar && copy /usr/local

tar xjf apache-ant-1.8.1-bin.tar.bz2 -C /usr/local && tar xjf gt4.2.1-all-source-installer.tar.bz2 && ./jdk-1_5_0_22-linux-i586.bin && mv jdk1.5.0_22/ /usr/local/ && cd gt4.2.1-all-source-installer/ && ./configure --prefix=$GLOBUS_LOCATION && make | tee build.log && make install

sudo chown globus:globus /usr/local && exit
source ~/.bashrc && tar xjf apache-ant-1.8.1-bin.tar.bz2 -C /usr/local && tar xjf gt4.2.1-all-source-installer.tar.bz2 && ./jdk-1_5_0_22-linux-i586.bin && mv jdk1.5.0_22/ /usr/local/ && cd gt4.2.1-all-source-installer/ && ./configure --prefix=$GLOBUS_LOCATION && make | tee build.log && make install

sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade && sudo apt-get install vim htop mc nmap proftpd-basic elinks localepurge openssl libssl-dev zlib1g build-essential xinetd ntp ntpdate
sudo chown globus:globus /usr/local && tar xjf apache-ant-1.8.1-bin.tar.bz2 -C /usr/local && tar xjf gt4.2.1-all-source-installer.tar.bz2 && ./jdk-1_5_0_22-linux-i586.bin && mv jdk1.5.0_22/ /usr/local/
source ~/.bashrc && cd gt4.2.1-all-source-installer/ && ./configure --prefix=$GLOBUS_LOCATION && make | tee build.log && make install | tee install.log

sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade && sudo apt-get install vim htop mc nmap proftpd-basic elinks localepurge openssl libssl-dev zlib1g build-essential

globus@mars:~/old$ cat /etc/apt/sources.list
deb http://10.151.35.203/lucid lucid main restricted universe multiverse
deb http://10.151.35.203/lucid lucid-updates main restricted universe multiverse
deb http://10.151.35.203/lucid lucid-security main restricted universe multiverse
deb http://10.151.35.203/lucid lucid-backports main restricted universe multiverse
#deb http://10.151.35.203/lucid lucid-proposed main restricted universe multiverse

globus@mars:~/old$ cat /etc/apt/apt.conf
APT::Get::AutomaticRemove "true";
APT::Install-Recommends "true";
APT::Get::force-yes "true";
APT::Get::Assume-Yes "true";

globus@mars:~/old$ cat /home/globus/.bashrc
export JAVA_HOME=/usr/local/jdk1.5.0_22
export PATH=$PATH:$JAVA_HOME/bin
export ANT_HOME=/usr/local/apache-ant-1.8.1
export PATH=$PATH:$ANT_HOME/bin

export GLOBUS_LOCATION=/usr/local/globus-4.2.1
source $GLOBUS_LOCATION/etc/globus-user-env.sh
source $GLOBUS_LOCATION/etc/globus-devel-env.sh
[...unrelated output...]

globus@mars:~/old$ sudo apt-get update && sudo apt-get upgrade && [ sudo apt-get dist-upgrade ] && sudo apt-get install vim htop mc nmap proftpd-basic elinks localepurge openssl libssl-dev zlib1g build-essential xinetd ntp ntpdate locate libxml-parser-perl && updatedb && locate XML/Parser.pm

globus@mars:~$ sudo chown globus:globus /usr/local && tar xjf apache-ant-1.8.1-bin.tar.bz2 -C /usr/local && tar xjf gt4.2.1-all-source-installer.tar.bz2 && ./jdk-1_5_0_22-linux-i586.bin && mv jdk1.5.0_22/ /usr/local/

globus@mars:~$ source ~/.bashrc && cd gt4.2.1-all-source-installer/ && ./configure --prefix=$GLOBUS_LOCATION && make | tee build.log && make install | tee install.log

### begin venus
## backup ~/.globus
$ tar --bzip2 -cvf dot.globus.old.tar.bz2 .globus/ && rm -rfv ~/.globus/

## backup /etc/grid-security
# cd /etc/ && tar --bzip2 -cvf grid-security.old_1.tar.bz2 grid-security/ && rm -rfv /etc/grid-security

## remove gsiftp service
$ cat /etc/services
.....
[unrelated output]
.....
# Local services
#gsiftp 2811/tcp

# /etc/init.d/xinetd restart


### venus end

### mercury begin
## backup /etc/grid-security
# tar --bzip2 -cvf grid-security.old.tar.bz2 grid-security/
### end mercury


### earth begin
## backup ~/.globus
$ tar --bzip2 -cvf dot.globus.old.tar.bz2 .globus/ && rm -rfv ~/.globus/
### end earth


##[start with simpleCA]
globus@earth:~$ /usr/local/globus-4.2.1/setup/globus/setup-simple-ca
globus@earth:~$ scp .globus/simpleCA/globus_simple_ca_bb771705_setup-0.20.tar.gz venus:~

## host certificate
globus@venus:~$ /usr/local/globus-4.2.1/sbin/gpt-build globus_simple_ca_bb771705_setup-0.20.tar.gz gcc32dbg -force
globus@venus:~$ /usr/local/globus-4.2.1/sbin/gpt-postinstall
root@venus:~# /usr/local/globus-4.2.1/setup/globus_simple_ca_bb771705_setup/setup-gsi -default
root@venus:~# grid-cert-request -host `hostname -f`
root@venus:~# scp /etc/grid-security/hostcert_request.pem globus@earth:~

## sign the request
globus@earth:~$ grid-ca-sign -in hostcert_request.pem -out hostcert.pem
globus@earth:~$ scp hostcert.pem mars:~

root@venus:~# cp hostcert.pem /etc/grid-security

## sign the user cert
root@venus:~# adduser agriduser
root@venus:~# cp /home/globus/.bashrc /home/agriduser/ -v

agriduser@venus:~$ grid-cert-request
agriduser@mars:~$ scp /home/agriduser/.globus/usercert_request.pem globus@earth:~


globus@earth:~$ grid-ca-sign -in usercert_request.pem -out usercert.pem
globus@earth:~$ scp usercert.pem agriduser@venus:~/.globus

agriduser@venus:~/.globus$ grid-proxy-init -debug -verify

usercert can be copied to all grid hosts, but not the hostcert

[mapping info]
p189
agriduser@venus:~/.globus$ grid-cert-info -subject -f usercert.pem
/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=Alex Bacons

root@venus:/etc/grid-security# grid-cert-info -subject -f /home/agriduser/.globus/usercert.pem
/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=Alex Bacons

root@venus:/etc/grid-security# grid-mapfile-add-entry -dn "/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=Alex Bacons" -ln agriduser

root@venus:/etc/grid-security# cat /etc/grid-security/grid-mapfile
"/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=Alex Bacons" agriduser

root@venus:/etc/grid-security# grid-mapfile-check-consistency
root@venus:/etc/grid-security# cp hostcert.pem containercert.pem && cp hostkey.pem containerkey.pem && chown globus:globus container*

[verifying the installation and configuration of java ws core]
p174
globus@venus:~$ globus-start-container

agriduser@venus:~$ grid-proxy-init
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=Alex Bacons
Enter GRID pass phrase for this identity:
Creating proxy .................................. Done
Your proxy is valid until: Mon Aug 9 23:39:52 2010

agriduser@venus:~$ counter-create -s https://10.151.35.202:8443/wsrf/services/CounterService > test.epr
agriduser@venus:~$ while true; do counter-add -e test.epr 99999; sleep 1; done

gsiftp
agriduser@venus:~$ cat /etc/services
[.. unrelated info .. ]
gsiftp 2811/tcp
agriduser@venus:~$ cat /etc/xinetd.d/gsiftp
service gsiftp
{
instances = 100
socket_type = stream
wait = no
user = root
env += GLOBUS_LOCATION=/usr/local/globus-4.2.1
env += LD_LIBRARY_PATH=/usr/local/globus-4.2.1/lib
server = /usr/local/globus-4.2.1/sbin/globus-gridftp-server
server_args = -i
log_on_success += DURATION
disable = no
}

root@venus:/etc/xinetd.d# /etc/init.d/xinetd restart

agriduser@venus:~$ telnet localhost 2811
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 venus.gridx.dept.orgz.country GridFTP Server 3.15 (gcc32dbgpthr, 1222656151-78) [Globus Toolkit 4.2.1] ready.
(..seems that gridftp server works..)

agriduser@venus:~$ netstat -an |grep 2811
tcp 0 0 0.0.0.0:2811 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:39526 127.0.0.1:2811 TIME_WAIT

### begin mars
## backup ~/.globus
$ tar --bzip2 -cvf dot.globus.old.tar.bz2 .globus/ && rm -rfv ~/.globus/

## backup /etc/grid-security
# tar --bzip2 -cvf grid-security.old.tar.bz2 grid-security/


## remove gsiftp service
$ cat /etc/services
.....
[unrelated output]
.....
# Local services
#gsiftp 2811/tcp

# /etc/init.d/xinetd restart


globus@earth:~$ scp .globus/simpleCA/globus_simple_ca_bb771705_setup-0.20.tar.gz mars:~

## host certificate
globus@mars:~$ /usr/local/globus-4.2.1/sbin/gpt-build globus_simple_ca_bb771705_setup-0.20.tar.gz gcc32dbg -force
globus@mars:~$ /usr/local/globus-4.2.1/sbin/gpt-postinstall
root@mars:~# /usr/local/globus-4.2.1/setup/globus_simple_ca_bb771705_setup/setup-gsi -default
root@mars:~# grid-cert-request -host `hostname -f`
root@mars:~# scp /etc/grid-security/hostcert_request.pem globus@earth:~

## sign the request
globus@earth:~$ grid-ca-sign -in hostcert_request.pem -out hostcert.pem
globus@earth:~$ scp hostcert.pem mars:~

root@mars:~# cp hostcert.pem /etc/grid-security

## sign the user cert
root@mars:~# adduser agriduser
root@mars:~# cp /home/globus/.bashrc /home/agriduser/ -v
agriduser@mars:~$ grid-cert-request
agriduser@mars:~$ scp /home/agriduser/.globus/usercert_request.pem globus@earth:~


globus@earth:~$ grid-ca-sign -in usercert_request.pem -out usercert.pem
globus@earth:~$ scp usercert.pem agriduser@mars:~/.globus

agriduser@mars:~/.globus$ grid-proxy-init -debug -verify

usercert can be copied to all grid hosts, but not the hostcert

globus@mars:~$ globus-start-container

agriduser@mars:~$ grid-proxy-init
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=Alex Bacons
Enter GRID pass phrase for this identity:
Creating proxy .................................. Done
Your proxy is valid until: Mon Aug 9 23:39:52 2010

agriduser@mars:~$ counter-create -s https://10.151.35.204:8443/wsrf/services/CounterService > test.epr
agriduser@mars:~$ while true; do counter-add -e test.epr 99999; sleep 1; done

agriduser@mars:~$ cat /etc/services
[.. unrelated info .. ]
gsiftp 2811/tcp
agriduser@mars:~$ cat /etc/xinetd.d/gsiftp
service gsiftp
{
instances = 100
socket_type = stream
wait = no
user = root
env += GLOBUS_LOCATION=/usr/local/globus-4.2.1
env += LD_LIBRARY_PATH=/usr/local/globus-4.2.1/lib
server = /usr/local/globus-4.2.1/sbin/globus-gridftp-server
server_args = -i
log_on_success += DURATION
disable = no
}

root@mars:/etc/xinetd.d# /etc/init.d/xinetd restart

agriduser@mars:~$ telnet localhost 2811
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mars.gridx.dept.orgz.country GridFTP Server 3.15 (gcc32dbgpthr, 1222656151-78) [Globus Toolkit 4.2.1] ready.
(..seems that gridftp server works..)

agriduser@mars:~$ netstat -an |grep 2811
tcp 0 0 0.0.0.0:2811 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:39526 127.0.0.1:2811 TIME_WAIT

agriduser@mars:~$ echo "GridFTP Test" > /tmp/gridftptest
agriduser@mars:~$ globus-url-copy gsiftp://mars/tmp/gridftptest file:///tmp/gridftptest.1
agriduser@mars:~$ cat /tmp/gridftptest
agriduser@mars:~$ cat /tmp/gridftptest.1
agriduser@mars:~$ globus-url-copy file:///tmp/gridftptest.1 gsiftp://mars/tmp/gridftptest.2
agriduser@mars:~$ cat /tmp/gridftptest.2

We can create several user certificates on the host

agriduser@venus:~$ cat /etc/grid-security/grid-mapfile
"/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=Alex Bacons" agriduser
"/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=auser1" agriduser

agriduser@mars:~$ cat /etc/grid-security/grid-mapfile
"/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=auser" agriduser
"/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=auser1" agriduser

after making sure the same entries as above are present on the host:
agriduser@venus:~$ echo "Thirdparty GridFTP Test" > /tmp/thirdparty
agriduser@venus:~$ globus-url-copy gsiftp://venus/tmp/thirdparty gsiftp://mars/tmp/thirdparty

globus@mars:~$ cat /tmp/thirdparty
Thirdparty GridFTP Test
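
The grid-mapfile shown above for venus and mars maps a certificate DN to a local login. As an added example (not Globus code and not a reimplementation of grid-mapfile-check-consistency), the following Python parses that format, resolves a certificate or proxy subject to its local accounts, and flags mistakes worth catching before the container trusts the file: a host certificate subject mapped to a login, a local account that does not exist, and the same DN listed twice. The mapfile text and the account set are constructed samples, and the proxy-CN stripping in lookup() is an assumption about how the end-entity subject is derived.

```python
"""Parse and sanity-check a Globus grid-mapfile (added example, not Globus code)."""
import re
from collections import defaultdict

# Constructed sample modelled on the mapfile listings above (not taken from a live host).
# Format: "<DN>" localuser[,localuser...]   -- '#' starts a comment.
SAMPLE_MAPFILE = '''\
# DN -> local account mappings, one per line
"/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=Alex Bacons" agriduser
"/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=auser1" agriduser,globus
"/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/CN=host/venus.gridx.dept.orgz.country" agriduser
"/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/OU=gridx.dept.orgz.country/CN=Alex Bacons" nobody
'''

# The DN is double-quoted because it contains spaces; logins are comma separated.
LINE_RE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<users>[A-Za-z0-9_.,-]+)\s*$')


def parse_mapfile(text):
    """Return a list of (lineno, dn, [local users]); raise ValueError on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: malformed grid-mapfile entry: {raw!r}")
        users = [u for u in m.group('users').split(',') if u]
        entries.append((lineno, m.group('dn'), users))
    return entries


def is_host_subject(dn):
    """True for a host/service certificate subject, i.e. one ending in CN=host/<fqdn>."""
    return re.search(r'/CN=host/[^/]+$', dn) is not None


def check_consistency(entries, local_accounts):
    """Return a list of problem strings; empty when the mapfile looks sane.

    local_accounts is the set of logins that exist on this host (passed in so the
    check runs offline; on a real host it would come from the passwd database)."""
    problems = []
    seen = defaultdict(list)
    for lineno, dn, users in entries:
        seen[dn].append(lineno)
        if is_host_subject(dn):
            problems.append(f"line {lineno}: host certificate subject mapped to a login: {dn}")
        for u in users:
            if u not in local_accounts:
                problems.append(f"line {lineno}: local account {u!r} does not exist")
    for dn, lines in seen.items():
        if len(lines) > 1:
            problems.append(f"duplicate DN on lines {lines}: {dn}")
    return problems


def lookup(entries, subject):
    """Map a certificate (or proxy) subject to its local accounts; first entry wins.

    Assumption: a proxy subject is the user DN with trailing '/CN=proxy',
    '/CN=limited proxy' or '/CN=<digits>' elements appended, which are stripped here."""
    base = re.sub(r'(/CN=(proxy|limited proxy|\d+))+$', '', subject)
    for _lineno, dn, users in entries:
        if dn == base:
            return users
    return []


if __name__ == '__main__':
    ents = parse_mapfile(SAMPLE_MAPFILE)
    for problem in check_consistency(ents, {'agriduser', 'globus'}):
        print('PROBLEM:', problem)
    print(lookup(ents, ents[0][1] + '/CN=proxy'))  # -> ['agriduser']
```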

RFT
globus@venus:~$ sudo bash
root@venus:~# cat /etc/postgresql/8.4/main/postgresql.conf |grep listen
listen_addresses = '*' # what IP address(es) to listen on;

root@venus:~# cat /etc/postgresql/8.4/main/pg_hba.conf |grep rftDatabase
host rftDatabase globus 10.151.35.202 255.255.255.255 trust
root@venus:~# /etc/init.d/postgresql-8.4 restart
root@venus:~# su postgres

postgres@venus:~$ createuser globus
globus@venus:~$ createdb rftDatabase
globus@venus:~$ psql -d rftDatabase -f /usr/local/globus-4.2.1/share/globus_wsrf_rft/rft_schema.sql
[ default value for "cat /usr/local/globus-4.2.1/etc/globus_wsrf_rft/jndi-config.xml" ]

if error
<<> test.epr
Error: ; nested exception is:
org.globus.common.ChainedIOException: Failed to initialize security context [Caused by: Expired credentials detected]
>> then do
<< o="Grid/OU=" ou="simpleCA-earth.gridx.dept.orgz.country/OU=" cn="auser">>

agriduser@venus:/etc/grid-security$ grid-cert-info -subject -f hostcert.pem
/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/CN=host/venus.gridx.dept.orgz.country

root@mars:/etc/grid-security# grid-cert-info -subject -f hostcert.pem
/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/CN=host/mars.gridx.dept.orgz.country

agriduser@venus:~$ cat transfer.xfr
#true=binary false=ascii
true
#Block size in bytes
16000
#TCP Buffer size in bytes
16000
#Notpt (No thirdPartyTransfer)
false
#Number of parallel streams
1
#Data Channel Authentication (DCAU)
true
# Concurrency of the request
1
#Grid Subject name of the source gridftp server
#/DC=org/DC=doegrids/OU=People/CN=Ravi Madduri 134710
/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/CN=host/venus.gridx.dept.orgz.country
#Grid Subject name of the destination gridftp server
#/DC=org/DC=doegrids/OU=People/CN=Ravi Madduri 134710
/O=Grid/OU=GlobusTest/OU=simpleCA-earth.gridx.dept.orgz.country/CN=host/mars.gridx.dept.orgz.country

#Transfer all or none of the transfers
false
#Maximum number of retries
10
#Source/Dest URL Pairs
#gsiftp://localhost:5678/tmp/rftTest.tmp
#gsiftp://localhost:5678/tmp/rftTest_Done.tmp
gsiftp://venus.gridx.dept.orgz.country/tmp/dhcpd.conf
gsiftp://mars.gridx.dept.orgz.country/tmp/fileFromVenus.conf

### begin mars
### mars end

tar stuff

#make tar.bz2 from 2 files
tar --bzip2 -cvf /var/home/auser/debianserver.tar.bz2 storage_deb.vdi system_deb.vdi

#extract tar.bz2 file
tar --bzip2 -xvf /home/globus/ubuntuserver.vdi.tar.bz2

about time

to set the date/time for Fri Aug 6 05:01:24 WIT 2010
date 080605012010.24

https://help.ubuntu.com/community/UbuntuTime

dpkg-reconfigure tzdata

Thursday, August 5, 2010

online course

http://www.cs.wcupa.edu/~rkline/

nmap stuff

NMAP - A Stealth Port Scanner
Andrew J. Bennieston
http://nmap.org/bennieston-tutorial/
1 Introduction

Nmap is a free, open-source port scanner available for both UNIX and Windows. It has an optional graphical front-end, NmapFE, and supports a wide variety of scan types, each one with different benefits and drawbacks.

This article describes some of these scan types, explaining their relative benefits and just how they actually work. It also offers tips about which types of scan would be best against which types of host.

The article assumes you have Nmap installed (or that you know how to install it; instructions are available on the Nmap website, http://www.insecure.org/nmap/install/inst-source.html), and that you have the required privileges to run the scans detailed (many scans require root or Administrator privileges).

A frequently asked questions section has been added since the first version of this article, and this is included as the last section in this version. This is a fully revised and updated version of this tutorial, re-typed and converted to a TeX format, allowing more output formats to be utilised. At the time of writing, the latest Nmap version was 4.11.
2 Disclaimer

This information is provided to assist users of Nmap in scanning their own networks, or networks for which they have been given permission to scan, in order to determine the security of such networks. It is not intended to assist with scanning remote sites with the intention of breaking into or exploiting services on those sites, or for information gathering purposes beyond those allowed by law. I hereby disclaim any responsibility for actions taken based upon the information in this article, and urge all who seek information towards a destructive end to reconsider their life, and do something constructive instead.
3 Basic Scan Types [-sT, -sS]

The two basic scan types used most in Nmap are TCP connect() scanning [-sT] and SYN scanning (also known as half-open, or stealth scanning) [-sS].

These two types are explained in detail below.
3.1 TCP connect() Scan [-sT]

These scans are so called because UNIX sockets programming uses a system call named connect() to begin a TCP connection to a remote site. If connect() succeeds, a connection was made. If it fails, the connection could not be made (the remote system is offline, the port is closed, or some other error occurred along the way). This allows a basic type of port scan, which attempts to connect to every port in turn, and notes whether or not the connection succeeded. Once the scan is completed, ports to which a connection could be established are listed as open, the rest are said to be closed.

This method of scanning is very effective, and provides a clear picture of the ports you can and cannot access. If a connect() scan lists a port as open, you can definitely connect to it - that is what the scanning computer just did! There is, however, a major drawback to this kind of scan; it is very easy to detect on the system being scanned. If a firewall or intrusion detection system is running on the victim, attempts to connect() to every port on the system will almost always trigger a warning. Indeed, with modern firewalls, an attempt to connect to a single port which has been blocked or has not been specifically "opened" will usually result in the connection attempt being logged. Additionally, most servers will log connections and their source IP, so it would be easy to detect the source of a TCP connect() scan.

For this reason, the TCP Stealth Scan was developed.
3.2 SYN Stealth Scan [-sS]

I’ll begin this section with an overview of the TCP connection process. Those familiar with TCP/IP can skip the first few paragraphs.

When a TCP connection is made between two systems, a process known as a "three way handshake" occurs. This involves the exchange of three packets, and synchronises the systems with each other (necessary for the error correction built into TCP; refer to a good TCP/IP book for more details).

The system initiating the connection sends a packet to the system it wants to connect to. TCP packets have a header section with a flags field. Flags tell the receiving end something about the type of packet, and thus what the correct response is.

Here, I will talk about only four of the possible flags. These are SYN (Synchronise), ACK (Acknowledge), FIN (Finished) and RST (Reset). SYN packets include a TCP sequence number, which lets the remote system know what sequence numbers to expect in subsequent communication. ACK acknowledges receipt of a packet or set of packets, FIN is sent when a communication is finished, requesting that the connection be closed, and RST is sent when the connection is to be reset (closed immediately).

To initiate a TCP connection, the initiating system sends a SYN packet to the destination, which will respond with a SYN of its own, and an ACK, acknowledging the receipt of the first packet (these are combined into a single SYN/ACK packet). The first system then sends an ACK packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.

SYN or Stealth scanning makes use of this procedure by sending a SYN packet and looking at the response. If SYN/ACK is sent back, the port is open and the remote end is trying to open a TCP connection. The scanner then sends an RST to tear down the connection before it can be established fully; often preventing the connection attempt appearing in application logs. If the port is closed, an RST will be sent. If it is filtered, the SYN packet will have been dropped and no response will be sent. In this way, Nmap can detect three port states - open, closed and filtered. Filtered ports may require further probing since they could be subject to firewall rules which render them open to some IPs or conditions, and closed to others.

Modern firewalls and Intrusion Detection Systems can detect SYN scans, but in combination with other features of Nmap, it is possible to create a virtually undetectable SYN scan by altering timing and other options (explained later).
4 FIN, Null and Xmas Tree Scans [-sF, -sN, -sX]

With the multitude of modern firewalls and IDS’ now looking out for SYN scans, these three scan types may be useful to varying degrees. Each scan type refers to the flags set in the TCP header. The idea behind these types of scan is that a closed port should respond with an RST upon receiving packets, whereas an open port should just drop them (it’s listening for packets with SYN set). This way, you never make even part of a connection, and never send a SYN packet; which is what most IDS’ look out for.

The FIN scan sends a packet with only the FIN flag set, the Xmas Tree scan sets the FIN, URG and PUSH flags (see a good TCP/IP book for more details) and the Null scan sends a packet with no flags switched on.

These scan types will work against any system where the TCP/IP implementation follows RFC 793. Microsoft Windows does not follow the RFC, and will ignore these packets even on closed ports. This technicality allows you to detect an MS Windows system by running SYN along with one of these scans. If the SYN scan shows open ports, and the FIN/NUL/XMAS does not, chances are you’re looking at a Windows box (though OS Fingerprinting is a much more reliable way of determining the OS running on a target!)

The sample below shows a SYN scan and a FIN scan, performed against a Linux system. The results are, predictably, the same, but the FIN scan is less likely to show up in a logging system.

[chaos]# nmap -sS 127.0.0.1

Starting Nmap 4.01 at 2006-07-06 17:23 BST
Interesting ports on chaos (127.0.0.1):
(The 1668 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
631/tcp open ipp
6000/tcp open X11

Nmap finished: 1 IP address (1 host up) scanned in 0.207 seconds
[chaos]# nmap -sF 127.0.0.1

Starting Nmap 4.01 at 2006-07-06 17:23 BST
Interesting ports on chaos (127.0.0.1):
(The 1668 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
631/tcp open|filtered ipp
6000/tcp open|filtered X11

Nmap finished: 1 IP address (1 host up) scanned in 1.284 seconds
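
The tutorial notes that firewalls log connection attempts and that SYN, FIN, Null and Xmas probes differ only in their TCP flags. As an added example (not part of the tutorial and not Nmap code), the following Python reads Netfilter/iptables LOG lines, names the probe type from the flag tokens, and reports a source once it has swept several ports or sent even one FIN/Null/Xmas packet, which no legitimate client does to open a connection. The log lines are constructed; the flag-token layout assumes the kernel's LOG target output, where flags appear as bare words after RES=.

```python
"""Flag Nmap-style probe patterns in iptables LOG lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample of Netfilter LOG output (not captured from a real host).
# Flags are printed as bare tokens, e.g. "SYN", or "URG PSH FIN" for an Xmas probe;
# a Null probe shows no flag tokens at all between RES= and URGP=.
SAMPLE_LOG = """\
Jul  6 17:23:01 chaos kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  6 17:23:01 chaos kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  6 17:23:01 chaos kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  6 17:23:02 chaos kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41000 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  6 17:23:02 chaos kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  6 17:23:02 chaos kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  6 17:25:10 chaos kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=55001 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jul  6 17:25:10 chaos kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=55001 DPT=631 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jul  6 17:25:11 chaos kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=55001 DPT=6000 WINDOW=1024 RES=0x00 URGP=0
Jul  6 17:26:00 chaos kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=198.51.100.5 PROTO=TCP SPT=50123 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r'\b(SRC|DST|PROTO|SPT|DPT)=(\S*)')
FLAG_TOKENS = {'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG', 'ECE', 'CWR'}
STEALTH = {'fin', 'null', 'xmas'}   # probe types from section 4 of the tutorial


def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP LOG line, or None for anything else."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get('PROTO') != 'TCP' or 'SRC' not in fields or 'DPT' not in fields:
        return None
    # Exact-token match: "URGP=0" must not be mistaken for the URG flag.
    flags = frozenset(tok for tok in line.split() if tok in FLAG_TOKENS)
    return fields['SRC'], fields['DST'], int(fields['DPT']), flags


def probe_type(flags):
    """Name the probe a packet's flag set corresponds to (sections 3, 4 and 10)."""
    if flags == {'SYN'}:
        return 'syn'
    if flags == {'ACK'}:
        return 'ack'
    if not flags:
        return 'null'
    if flags == {'FIN'}:
        return 'fin'
    if flags == {'FIN', 'PSH', 'URG'}:
        return 'xmas'
    return 'other'


def summarize(log_text):
    """Per source address: the set of destination ports and a count of each probe type."""
    per_src = defaultdict(lambda: {'ports': set(), 'probes': Counter()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dst, dport, flags = parsed
        per_src[src]['ports'].add(dport)
        per_src[src]['probes'][probe_type(flags)] += 1
    return per_src


def alerts(log_text, port_threshold=5):
    """Return (src, reason) pairs, sorted by source.

    FIN/Null/Xmas probes are reported on sight; SYN and ACK probes only once a source
    has touched port_threshold distinct ports. Caveat: a -T0 style scan paced minutes
    apart needs a much longer observation window than a single log excerpt."""
    found = []
    for src, info in sorted(summarize(log_text).items()):
        stealth = sorted(p for p in info['probes'] if p in STEALTH)
        nports = len(info['ports'])
        if stealth:
            found.append((src, f"{','.join(stealth)} probes against {nports} port(s)"))
        elif nports >= port_threshold:
            kinds = ','.join(sorted(p for p in info['probes'] if p not in STEALTH))
            found.append((src, f"{kinds} sweep across {nports} ports"))
    return found


if __name__ == '__main__':
    for src, reason in alerts(SAMPLE_LOG):
        print(f"{src}: {reason}")
```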

5 Ping Scan [-sP]

This scan type lists the hosts within the specified range that responded to a ping. It allows you to detect which computers are online, rather than which ports are open. Four methods exist within Nmap for ping sweeping.

The first method sends an ICMP ECHO REQUEST (ping request) packet to the destination system. If an ICMP ECHO REPLY is received, the system is up, and ICMP packets are not blocked. If there is no response to the ICMP ping, Nmap will try a "TCP Ping", to determine whether ICMP is blocked, or if the host is really not online.

A TCP Ping sends either a SYN or an ACK packet to any port (80 is the default) on the remote system. If RST, or a SYN/ACK, is returned, then the remote system is online. If the remote system does not respond, either it is offline, or the chosen port is filtered, and thus not responding to anything.

When you run an Nmap ping scan as root, the default is to use the ICMP and ACK methods. Non-root users will use the connect() method, which attempts to connect to a machine, waiting for a response, and tearing down the connection as soon as it has been established (similar to the SYN/ACK method for root users, but this one establishes a full TCP connection!)

The ICMP scan type can be disabled by setting -P0 (that is, zero, not uppercase o).
6 UDP Scan [-sU]

Scanning for open UDP ports is done with the -sU option. With this scan type, Nmap sends 0-byte UDP packets to each target port on the victim. Receipt of an ICMP Port Unreachable message signifies the port is closed, otherwise it is assumed open.

One major problem with this technique is that, when a firewall blocks outgoing ICMP Port Unreachable messages, the port will appear open. These false-positives are hard to distinguish from real open ports.

Another disadvantage with UDP scanning is the speed at which it can be performed. Most operating systems limit the number of ICMP Port Unreachable messages which can be generated in a certain time period, thus slowing the speed of a UDP scan. Nmap adjusts its scan speed accordingly to avoid flooding a network with useless packets. An interesting point to note here is that Microsoft do not limit the Port Unreachable error generation frequency, and thus it is easy to scan a Windows machine’s 65,535 UDP Ports in very little time!!

UDP Scanning is not usually useful for most types of attack, but it can reveal information about services or trojans which rely on UDP, for example SNMP, NFS, the Back Orifice trojan backdoor and many other exploitable services.

Most modern services utilise TCP, and thus UDP scanning is not usually included in a pre-attack information gathering exercise unless a TCP scan or other sources indicate that it would be worth the time taken to perform a UDP scan.
7 IP Protocol Scans [-sO]

The IP Protocol Scans attempt to determine the IP protocols supported on a target. Nmap sends a raw IP packet without any additional protocol header (see a good TCP/IP book for information about IP packets), to each protocol on the target machine. Receipt of an ICMP Protocol Unreachable message tells us the protocol is not in use, otherwise it is assumed open. Not all hosts send ICMP Protocol Unreachable messages (these may include firewalls, AIX, HP-UX and Digital UNIX). These machines will report all protocols open.

This scan type also falls victim to the ICMP rate limiting described in the UDP scans section; however, since only 256 protocols are possible (8-bit field for IP protocol in the IP header) it should not take too long.

Results of an -sO on my Linux workstation are included below.

[chaos]# nmap -sO 127.0.0.1

Starting Nmap 4.01 at 2006-07-14 12:56 BST
Interesting protocols on chaos(127.0.0.1):
(The 251 protocols scanned but not shown below are in state: closed)
PROTOCOL STATE SERVICE
1 open icmp
2 open|filtered igmp
6 open tcp
17 open udp
255 open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 1.259 seconds

8 Idle Scanning [-sI]

Idle scanning is an advanced, highly stealthed technique, where no packets are sent to the target which can be identified to originate from the scanning machine. A zombie host (and optionally port) must be specified for this scan type. The zombie host must satisfy certain criteria essential to the workings of this scan.

This scan type works by exploiting "predictable IP fragmentation ID" sequence generation on the zombie host, to determine open ports on the target. The scan checks the IPID on the zombie, then spoofs a connection request to the target machine, making it appear to come from the zombie. If the target port is open, a SYN/ACK session acknowledgement will be sent from the target machine back to the zombie, which will RST the connection since it has no record of having opened such a connection. If the port on the target is closed, an RST will be sent to the zombie, and no further packets will be sent. The attacker then checks the IPID on the zombie again. If it has incremented by 2 (or changed by two steps in its sequence), this corresponds to the packet received from the target, plus the RST from the zombie, which equates to an open port on the target. If the IPID has changed by one step, an RST was received from the target and no further packets were sent.

Using this mechanism, it is possible to scan every port on a target, whilst making it appear that the zombie was the one doing the scanning. Of course, the spoofed connection attempts will likely be logged, so the target system will have the zombie IP address, and the zombie system’s logs are likely to contain the attacker’s IP address, so it is still possible, after acquiring logs through legal channels, to determine the attacker, but this method makes it much more difficult to do so than if the packets were sent directly from the attacker. In addition, some IDS and firewall software makes attempts to detect spoofed packets based on the network they arrive from. As long as the zombie host and the attacker are both "out on the Internet", or on the same network as each other, relative to the target, techniques to identify spoofed packets are not likely to succeed.

This scan type requires certain things of the zombie. The IPID sequence generation must be predictable (single-step increments, for example). The host must also have low traffic so that it is unlikely for other packets to hit the zombie whilst Nmap is carrying out its scan (as these will artificially inflate the IPID number!). Cheap routers or MS Windows boxes make good zombie hosts. Most operating systems use randomised sequence numbers (see the OS Fingerprinting section for details on how to check a target’s sequence generation type).

The idle scan can also be used to determine IP trust based relationships between hosts (e.g. a firewall may allow a certain host to connect to port x, but not other hosts). This scan type can help to determine which hosts have access to such a system.

For more information about this scan type, read http://www.insecure.org/nmap/idlescan.html
9 Version Detection [-sV]

Version Detection collects information about the specific service running on an open port, including the product name and version number. This information can be critical in determining an entry point for an attack. The -sV option enables version detection, and the -A option enables both OS fingerprinting and version detection, as well as any other advanced features which may be added in future releases.

Version detection is based on a complex series of probes, detailed in the Version Detection paper at http://www.insecure.org/nmap/vscan/
10 ACK Scan [-sA]

Usually used to map firewall rulesets and distinguish between stateful and stateless firewalls, this scan type sends ACK packets to a host. If an RST comes back, the port is classified "unfiltered" (that is, it was allowed to send its RST through whatever firewall was in place). If nothing comes back, the port is said to be "filtered". That is, the firewall prevented the RST coming back from the port. This scan type can help determine if a firewall is stateless (just blocks incoming SYN packets) or stateful (tracks connections and also blocks unsolicited ACK packets).

Note that an ACK scan will never show ports in the "open" state, and so it should be used in conjunction with another scan type to gain more information about firewalls or packet filters between yourself and the victim.
11 Window Scan, RPC Scan, List Scan [-sW, -sR, -sL]

The TCP Window scan is similar to the ACK scan but can sometimes detect open ports as well as filtered/unfiltered ports. This is due to anomalies in TCP Window size reporting by some operating systems (see the Nmap manual for a list, or the nmap-hackers mailing list for the full list of susceptible OS’).

RPC Scans can be used in conjunction with other scan types to try to determine if an open TCP or UDP port is an RPC service, and if so, which program, and version numbers are running on it. Decoys are not supported with RPC scans (see section on Timing and Hiding Scans, below).

List scanning simply prints a list of IPs and names (DNS resolution will be used unless the -n option is passed to Nmap) without actually pinging or scanning the hosts.
12 Timing and Hiding Scans
12.1 Timing

Nmap adjusts its timings automatically depending on network speed and response times of the victim. However, you may want more control over the timing in order to create a more stealthy scan, or to get the scan over and done with quicker.

The main timing option is set through the -T parameter. There are six predefined timing policies which can be specified by name or number (starting with 0, corresponding to Paranoid timing). The timings are Paranoid, Sneaky, Polite, Normal, Aggressive and Insane.

A -T Paranoid (or -T0) scan will wait (generally) at least 5 minutes between each packet sent. This makes it almost impossible for a firewall to detect a port scan in progress (since the scan takes so long it would most likely be attributed to random network traffic). Such a scan will still show up in logs, but it will be so spread out that most analysis tools or humans will miss it completely.

A -T Insane (or -T5) scan will map a host in very little time, provided you are on a very fast network or don’t mind losing some information along the way.

Timings for individual aspects of a scan can also be set using the --host_timeout, --max_rtt_timeout, --min_rtt_timeout, --initial_rtt_timeout, --max_parallelism, --min_parallelism, and --scan_delay options. See the Nmap manual for details.
12.2 Decoys

The -D option allows you to specify Decoys. This option makes it look like those decoys are scanning the target network. It does not hide your own IP, but it makes your IP one of a torrent of others supposedly scanning the victim at the same time. This not only makes the scan look more scary, but reduces the chance of you being traced from your scan (difficult to tell which system is the "real" source).
12.3 FTP Bounce

The FTP protocol (RFC 959) specified support for a "proxy" ftp, which allowed a connection to an FTP server to send data to anywhere on the internet. This tends not to work with modern ftpds, in which it is an option usually disabled in the configuration. If a server with this feature is used by Nmap, it can be used to try to connect to ports on your victim, thus determining their state.

This scan method allows for some degree of anonymity, although the FTP server may log connections and commands sent to it.
12.4 Turning Off Ping

The -P0 (that’s a zero) option allows you to switch off ICMP pings. The -PT option switches on TCP Pings, you can specify a port after the -PT option to be the port to use for the TCP ping.

Disabling pings has two advantages: First, it adds extra stealth if you’re running one of the more stealthy attacks, and secondly it allows Nmap to scan hosts which don’t reply to pings (ordinarily, Nmap would report those hosts as being "down" and not scan them).

In conjunction with -PT, you can use -PS to send SYN packets instead of ACK packets for your TCP Ping.

The -PU option (with optional port list after) sends UDP packets for your "ping". This may be best to send to suspected-closed ports rather than open ones, since open UDP ports tend not to respond to zero-length UDP packets.

Other ping types are -PE (Standard ICMP Echo Request), -PP (ICMP Timestamp Request), -PM (Netmask Request) and -PB (default, uses both ICMP Echo Request and TCP ping, with ACK packets)
12.5 Fragmenting

The -f option splits the IP packet into tiny fragments when used with -sS, -sF, -sX or -sN. This makes it more difficult for a firewall or packet filter to determine the packet type. Note that many modern packet filters and firewalls (including iptables) feature optional defragmenters for such fragmented packets, and will thus reassemble the packet to check its type before sending it on. Less complex firewalls will not be able to cope with fragmented packets this small and will most likely let the OS reassemble them and send them to the port they were intended to reach. Using this option could crash some less stable software and hardware since packet sizes get pretty small with this option!
12.6 Idle Scanning

See the section on -sI for information about idle scans.
13 OS Fingerprinting

The -O option turns on Nmap's OS fingerprinting system. Used alongside the -v verbosity option, it also reports how the remote host generates its TCP sequence numbers and its IP ID values (the latter is what you need to know when choosing a zombie for an idle scan).

An article on OS detection is available at http://www.insecure.org/nmap/nmap-fingerprinting-article.html
14 Outputting Logs

Logging in Nmap can be provided by the -oN, -oX or -oG options. Each one is followed by the name of the logfile. -oN outputs a human readable log, -oX outputs an XML log and -oG outputs a grepable log (one line per host, tab-separated fields, easy to feed to grep, awk or a script). The -oA option outputs in all 3 formats at once (you give it a base name and Nmap adds the .nmap, .xml and .gnmap extensions), and -oS outputs in a format I'm sure none of you would ever want to use (try it; you'll see what I mean!)

The --append-output option appends scan results to the output files you specified instead of overwriting their contents.
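As an added example (not part of the tutorial or of Nmap), here is a small parser for the grepable (-oG) format, which is the one you will most often want to post-process. It reads the tab-separated "Key: value" fields and the port/state/proto/owner/service/rpcinfo/version/ entries Nmap writes, and answers questions like "which hosts have 22/tcp open". The sample file it runs on is constructed to mirror the hosts in the scanning session later in this tutorial; it is not real scanner output.

```python
"""Parse Nmap grepable (-oG) output and pull out the open ports per host.

Added example for this tutorial, not part of it or of Nmap. SAMPLE_GNMAP is a
constructed file mirroring the scanning session in the tutorial; the field
layout (tab-separated "Key: value" fields, port entries of the form
port/state/proto/owner/service/rpcinfo/version/) is the one Nmap uses.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, not real output. Nmap replaces any '/' inside the service
# or version field with '|', so the slashes below are always field separators.
SAMPLE_GNMAP = (
    "# Nmap 4.01 scan initiated Fri Jul 14 14:19:00 2006 as: nmap -sS -sV -oG scan.gnmap 10.0.0.0/24\n"
    "Host: 10.0.0.1 ()\tPorts: 80/open/tcp//tcpwrapped///\tIgnored State: closed (1671)\n"
    "Host: 10.0.0.4 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.0.3/, "
    "22/open/tcp//ssh//OpenSSH 4.2 (protocol 1.99)/, 631/open/tcp//ipp//CUPS 1.1/, "
    "6000/open/tcp//X11//(access denied)/\tIgnored State: closed (1668)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tIgnored State: filtered (1672)\n"
    "# Nmap run completed at Fri Jul 14 14:40:00 2006 -- 256 IP addresses (4 hosts up) scanned in 60.00 seconds\n"
)


@dataclass
class Port:
    number: int
    state: str
    proto: str
    service: str
    version: str


@dataclass
class Host:
    addr: str
    hostname: str = ""
    status: Optional[str] = None
    ignored_state: Optional[str] = None
    ports: List[Port] = field(default_factory=list)


HOST_RE = re.compile(r"^(\S+)\s*\((.*)\)$")
# Split between port entries only where the next entry starts with a port
# number, so a comma inside a version string cannot break the split.
ENTRY_SPLIT = re.compile(r",\s+(?=\d+/)")


def split_fields(line: str) -> Dict[str, str]:
    """Turn one 'Host:' line into {field name: value}."""
    fields: Dict[str, str] = {}
    for chunk in line.rstrip("\n").split("\t"):
        key, sep, value = chunk.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_ports(value: str) -> List[Port]:
    ports = []
    for entry in ENTRY_SPLIT.split(value):
        if not entry.strip():
            continue
        parts = entry.split("/")
        if len(parts) < 7:
            raise ValueError("malformed port entry: %r" % entry)
        number, state, proto, _owner, service, _rpc, version = parts[:7]
        ports.append(Port(int(number), state, proto, service, version))
    return ports


def parse_gnmap(text: str) -> Dict[str, Host]:
    """Merge the 'Status' and 'Ports' lines Nmap writes for each host."""
    hosts: Dict[str, Host] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header and footer lines
        fields = split_fields(line)
        m = HOST_RE.match(fields["Host"])
        addr, hostname = (m.group(1), m.group(2)) if m else (fields["Host"], "")
        host = hosts.setdefault(addr, Host(addr, hostname))
        if "Status" in fields:
            host.status = fields["Status"]
        if "Ignored State" in fields:
            host.ignored_state = fields["Ignored State"]
        if "Ports" in fields:
            host.ports.extend(parse_ports(fields["Ports"]))
    return hosts


def hosts_with_open_port(hosts: Dict[str, Host], number: int, proto: str = "tcp") -> List[str]:
    return sorted(h.addr for h in hosts.values()
                  if any(p.number == number and p.proto == proto and p.state == "open"
                         for p in h.ports))


def open_port_table(hosts: Dict[str, Host]):
    """(addr, port, service, version) for every open port, host by host."""
    rows = []
    for h in sorted(hosts.values(), key=lambda h: h.addr):
        for p in h.ports:
            if p.state == "open":
                rows.append((h.addr, p.number, p.service, p.version))
    return rows


if __name__ == "__main__":
    for row in open_port_table(parse_gnmap(SAMPLE_GNMAP)):
        print("%-12s %5d  %-10s %s" % row)
```

Point it at a real file with `parse_gnmap(open("scan.gnmap").read())`. A host whose ports were all filtered (10.0.0.5 in the sample) comes back with an empty port list and an "Ignored State" of filtered, which is worth keeping apart from "no open ports": the first means a firewall dropped your probes, the second that the host answered and had nothing listening.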
15 Other Nmap Options
15.1 IPv6

The -6 option enables IPv6 in Nmap (provided your OS has IPv6 support). Currently only TCP connect, and TCP connect ping scan are supported. For other scantypes, see http://nmap6.sourceforge.net
15.2 Verbose Mode

Highly recommended, -v

Use -v twice for more verbosity. The -d option (debugging output) can also be used once or twice to get still more detail.
15.3 Resuming

Scans cancelled with Ctrl+C can be resumed with the --resume option. The logfile must be a Normal or Grepable logfile (-oN or -oG).
15.4 Reading Targets From A File

-iL <inputfilename> reads targets from the named file rather than from the command line.

The file should contain a list of hosts or network expressions (anything you could type on the command line, such as 10.0.0.0/24) separated by spaces, tabs or newlines. Using a hyphen (-) as the input file name makes Nmap read the list from standard input.
15.5 Fast Scan

The -F option scans only those ports listed in the nmap-services file (or the nmap-protocols file if the scan type is -sO). This is far faster than scanning all 65,535 ports, at the cost of missing anything listening on a port the file does not know about!
15.6 Time-To-Live

The -ttl option sets the time-to-live of the IPv4 packets Nmap sends. The usefulness of this lies in mapping paths through networks and determining ACLs on firewalls: setting the TTL to one past the packet filter tells you which probes the filter lets through and which it drops, and so something about the filtering rules themselves. Repeated Nmap scans to a single port using differing TTL values will emulate a traceroute-style network path map (try it, it's great fun for a while, until you get bored and realise traceroute does it all for you automatically!).
16 Typical Scanning Session

First, we’ll sweep the network with a simple Ping scan to determine which hosts are online.

    [chaos]# nmap -sP 10.0.0.0/24

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:19 BST
    Host 10.0.0.1 appears to be up.
    MAC Address: 00:09:5B:29:FD:96 (Netgear)
    Host 10.0.0.2 appears to be up.
    MAC Address: 00:0F:B5:96:38:5D (Netgear)
    Host 10.0.0.4 appears to be up.
    Host 10.0.0.5 appears to be up.
    MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
    Nmap finished: 256 IP addresses (4 hosts up) scanned in 5.399 seconds

Now we're going to take a look at 10.0.0.1 and 10.0.0.2, both listed as Netgear in the ping sweep. Netgear MAC addresses on the lowest addresses of the range make these good candidates for routers (in fact I know that 10.0.0.1 is a router and 10.0.0.2 is a wireless access point, since it's my network, but let's see what Nmap makes of it...)

We’ll scan 10.0.0.1 using a SYN scan [-sS] and -A to enable OS fingerprinting and version detection.

    [chaos]# nmap -sS -A 10.0.0.1

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:23 BST
    Insufficient responses for TCP sequencing (0), OS detection may be less accurate
    Interesting ports on 10.0.0.1:
    (The 1671 ports scanned but not shown below are in state: closed)
    PORT   STATE SERVICE    VERSION
    80/tcp open  tcpwrapped
    MAC Address: 00:09:5B:29:FD:96 (Netgear)
    Device type: WAP
    Running: Compaq embedded, Netgear embedded
    OS details: WAP: Compaq iPAQ Connection Point or Netgear MR814

    Nmap finished: 1 IP address (1 host up) scanned in 3.533 seconds

The only open port is 80/tcp; in this case, the web admin interface for the router. OS fingerprinting guessed it was a Netgear wireless access point, when in fact this is a Netgear (wired) ADSL router. As the warning at the top of the output says, though, there were insufficient responses for TCP sequencing, so the OS match is only approximate.

Now we’ll do the same for 10.0.0.2...

    [chaos]# nmap -sS -A 10.0.0.2

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:26 BST
    Interesting ports on 10.0.0.2:
    (The 1671 ports scanned but not shown below are in state: closed)
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Boa HTTPd 0.94.11
    MAC Address: 00:0F:B5:96:38:5D (Netgear)
    Device type: general purpose
    Running: Linux 2.4.X|2.5.X
    OS details: Linux 2.4.0 - 2.5.20
    Uptime 14.141 days (since Fri Jun 30 11:03:05 2006)

    Nmap finished: 1 IP address (1 host up) scanned in 9.636 seconds

Interestingly, the OS detection here listed Linux, and the version detection identified the httpd (Boa, a small web server commonly found in embedded devices). The accuracy of this is uncertain, but it is plausible: this is a Netgear home wireless access point, and such devices often run an embedded Linux.

Now we’ll move on to 10.0.0.4 and 10.0.0.5, these are likely to be normal computers running on the network...

    [chaos]# nmap -sS -P0 -A -v 10.0.0.4

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:31 BST
    DNS resolution of 1 IPs took 0.10s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
    Initiating SYN Stealth Scan against 10.0.0.4 [1672 ports] at 14:31
    Discovered open port 21/tcp on 10.0.0.4
    Discovered open port 22/tcp on 10.0.0.4
    Discovered open port 631/tcp on 10.0.0.4
    Discovered open port 6000/tcp on 10.0.0.4
    The SYN Stealth Scan took 0.16s to scan 1672 total ports.
    Initiating service scan against 4 services on 10.0.0.4 at 14:31
    The service scan took 6.01s to scan 4 services on 1 host.
    For OSScan assuming port 21 is open, 1 is closed, and neither are firewalled
    Host 10.0.0.4 appears to be up ... good.
    Interesting ports on 10.0.0.4:
    (The 1668 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE VERSION
    21/tcp   open  ftp     vsftpd 2.0.3
    22/tcp   open  ssh     OpenSSH 4.2 (protocol 1.99)
    631/tcp  open  ipp     CUPS 1.1
    6000/tcp open  X11     (access denied)
    Device type: general purpose
    Running: Linux 2.4.X|2.5.X|2.6.X
    OS details: Linux 2.4.0 - 2.5.20, Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=4732564 (Good luck!)
    IPID Sequence Generation: All zeros
    Service Info: OS: Unix

    Nmap finished: 1 IP address (1 host up) scanned in 8.333 seconds
    Raw packets sent: 1687 (74.7KB) | Rcvd: 3382 (143KB)

From this, we can deduce that 10.0.0.4 is a Linux system (in fact, the one I'm typing this tutorial on!) running a 2.4 to 2.6 kernel (actually, Slackware Linux 10.2 on a 2.6.19.9 kernel) with open ports 21/tcp, 22/tcp, 631/tcp and 6000/tcp. All but 6000 have version information listed (the X server refused the connection before the version probe could identify it). Note that OS detection needed one open port and one closed port to work with, and used 21 and 1 respectively. The scan found the IP ID sequence to be all zeros, which makes this host useless as a zombie for idle scanning, and the TCP sequence prediction to be random positive increments with a high difficulty, so its sequence numbers can't be predicted either. The -v option is needed to get Nmap to print the IP ID information out!

Now, onto 10.0.0.5...

    [chaos]# nmap -sS -P0 -A -v 10.0.0.5

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:35 BST
    Initiating ARP Ping Scan against 10.0.0.5 [1 port] at 14:35
    The ARP Ping Scan took 0.01s to scan 1 total hosts.
    DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
    Initiating SYN Stealth Scan against 10.0.0.5 [1672 ports] at 14:35
    The SYN Stealth Scan took 35.72s to scan 1672 total ports.
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    Host 10.0.0.5 appears to be up ... good.
    All 1672 scanned ports on 10.0.0.5 are: filtered
    MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
    Too many fingerprints match this host to give specific OS details
    TCP/IP fingerprint:
    SInfo(V=4.01%P=i686-pc-linux-gnu%D=7/14%Tm=44B79DC6%O=-1%C=-1%M=00142A)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    Nmap finished: 1 IP address (1 host up) scanned in 43.855 seconds
    Raw packets sent: 3369 (150KB) | Rcvd: 1 (42B)

No open ports, and Nmap couldn't detect the OS. Every probed port came back filtered, which means a firewall is silently dropping the probes (note "Rcvd: 1" at the bottom: the only packet we got back was the ARP reply), so we cannot tell whether services are running behind it or not. The host showed up in the ping sweep only because Nmap discovers hosts on the local Ethernet segment with ARP requests (the "ARP Ping Scan" line above), and a host has to answer ARP to be on the network at all.

We now have rather more information about this network than we did when we started, and can guess at several other things based on these results. Using that information, and the more advanced Nmap scans, we can obtain further scan results which will help to plan an attack, or to fix weaknesses, in this network.
17 Frequently Asked Questions

This section was added as an extra to the original tutorial as it became popular and some questions were asked about particular aspects of an nmap scan. I’ll use this part of the tutorial to merge some of those into the main tutorial itself.
17.1 I tried a scan and it appeared in firewall logs or alerts. What else can I do to help hide my scan?

This question assumes you used a scan command along the lines of:

    nmap -sS -P0 -p 1-140 -O -D xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx -sV xxx.xx.xxx.xxx

Note: each xxx corresponds to an octet of the IP address or addresses. This instructs Nmap to run a SYN ("stealth") scan (-sS) without pinging (-P0) on ports 1 to 140 (-p 1-140), to use OS detection (-O) and to use decoys (-D). The three comma-separated IPs are the decoy addresses to use (no spaces after the commas). It also specifies version scanning (-sV), which attempts to determine precisely which program is running on each open port.

Now, here's the analysis of this command. A SYN scan (-sS) is picked up by most firewalls and IDS systems nowadays. It was originally designed to keep the scan out of the logs of whatever server is running on the port the scanner probes: if a scan connected fully to port 80, Apache (or whatever other web server they may be using) would log the connection in its log files.

The -sS scan doesn't make a full TCP connection (which is what the -sT option does, and what you get when not running as root) but tears the half-open connection down with a RST before the handshake completes, so the application behind the port never sees it. As such, most servers will not log the connection, but an IDS or firewall that watches the packets themselves will recognise this behaviour (many half-open connections to a range of ports, in quick succession, from one address) as typical of a port scan, and the scan will show up in firewall or IDS logs and alerts. There are few ways around this, to be honest. Most firewall/IDS software nowadays is quite good at detecting these things, particularly if it's running on the same host as the victim (the system you are scanning).

Note also that decoys will not hide your IP entirely: the probes still come from your address, and the decoys merely appear alongside it in the target's logs. A particularly well-designed IDS may even be able to work out which is the real source of the scans.

Where the speed of the scan isn't essential, the -P0 option is a good idea. Nmap gains timing information (the round-trip time) from pinging the host, and can often complete its scans faster with this information, but the ping packets are sent to the victim from your IP, and any IDS worth its CPU cycles will pick up on the pattern of a few pings followed by connects to a variety of ports. -P0 also allows scanning of hosts which do not respond to pings (i.e. if ICMP is blocked by a firewall or by in-kernel settings).

I mentioned timing in the above paragraph. You can use the -T timing option to slow the scan down. The slower a scan is, the less likely it is to be detected by an IDS. There are bound to be occasional random connects occurring: people type an IP in wrong, or try to connect and their computer crashes half way through the connect. These things happen, and unless an IDS is configured extremely strictly, they generally aren't reported (at least, not in the main alert logs; they may be logged if logging of all traffic is enabled, but typically those logs are only checked if there's evidence of something going on). Setting the timing to -T 0 or -T 1 (Paranoid or Sneaky) spaces the probes out so far that a rate-based detector sees only a handful of connections in any one window, which should help avoid detection. As mentioned in my main tutorial, you can also set timing options for each aspect of a scan.

Timings for individual aspects of a scan can be set using the --host_timeout, --max_rtt_timeout, --min_rtt_timeout, --initial_rtt_timeout, --max_parallelism, --min_parallelism and --scan_delay options. See the Nmap manual for details.
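As an added example (not code from the tutorial, from Nmap or from any IDS product), here is the kind of rate-based check the paragraphs on decoys and on timing describe, run over constructed iptables-style kernel LOG lines. A fast SYN scan using three -D decoys is flagged under every one of the four source addresses, which is the "decoys just add names to the list" point above, while the same 140 probes spaced 15 seconds apart (what -T 1 does) never put more than a handful of ports inside a 60-second window. The LOG line format is the real iptables one; the lines, addresses and thresholds are made up here.

```python
"""Flag port scans in firewall logs the way a simple rate-based IDS would.

Added example for this FAQ answer; it is not code from the tutorial, from Nmap
or from any IDS. The parser reads iptables-style kernel LOG lines (that format
is real); the lines themselves are constructed below to stand in for two scans
of the same 140 ports: a fast SYN scan with three -D decoys, and one paced
like -T 1 (15 seconds between probes).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Sequence, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP .*?DPT=(?P<dport>\d+) .*?(?P<flags>(?:[A-Z]{3} )*)URGP="
)
BASE = datetime(2006, 7, 14, 14, 31, 0)  # constructed start time for the fake log


def to_seconds(stamp: str) -> float:
    """syslog stamps carry no year; only the differences between them matter here."""
    dt = datetime.strptime(stamp, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def synthetic_log(src: str, ports: Iterable[int], delay: float,
                  decoys: Sequence[str] = (), dst: str = "10.0.0.5") -> List[str]:
    """Constructed LOG lines for a SYN scan of `ports` against dst.

    Nmap sends every probe once from the real address and once from each -D
    decoy, so a decoyed scan yields one line per (port, address) pair."""
    lines = []
    t = 0.0
    for i, port in enumerate(ports):
        for addr in (src,) + tuple(decoys):
            stamp = (BASE + timedelta(seconds=t)).strftime("%b %d %H:%M:%S")
            lines.append(
                "%s fw kernel: IN=eth0 OUT= SRC=%s DST=%s LEN=44 TOS=0x00 PREC=0x00 "
                "TTL=48 ID=%d PROTO=TCP SPT=%d DPT=%d WINDOW=2048 RES=0x00 SYN URGP=0"
                % (stamp, addr, dst, 1000 + i, 40000 + i, port))
        t += delay
    return lines


def detect_scans(lines: Iterable[str], window: float = 60.0,
                 threshold: int = 10) -> Dict[str, int]:
    """Map each source that hits `threshold` distinct ports within any
    `window` seconds to the largest such count. Only bare SYNs are counted,
    so SYN/ACK replies and established traffic are ignored."""
    events: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("flags").split() != ["SYN"]:
            continue
        events[m.group("src")].append((to_seconds(m.group("ts")), int(m.group("dport"))))

    alerts: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()
        in_window: Dict[int, int] = defaultdict(int)  # dport -> hits inside the window
        left = 0
        for ts, dport in evs:
            in_window[dport] += 1
            while ts - evs[left][0] > window:  # slide the window forward
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    decoys = ("192.0.2.10", "192.0.2.11", "192.0.2.12")
    fast = synthetic_log("10.0.0.9", range(1, 141), delay=0.01, decoys=decoys)
    slow = synthetic_log("10.0.0.9", range(1, 141), delay=15.0)
    print("fast scan with decoys:", detect_scans(fast))
    print("-T 1 paced scan:      ", detect_scans(slow))
    print("-T 1, one-day window: ", detect_scans(slow, window=86400))
```

The slow scan only escapes because the window is short: the same detector with a day-long window (the last call) still reports all 140 ports, which is what an IDS keeping long-lived per-source state would do. Decoys add noise to the alert list; they do not take your own address off it.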

The final note I will add to this answer is that using the idle scan method (-sI) means that not a single packet is sent to the victim from your IP (provided you also use the -P0 option to turn off pings). This is the ultimate in stealth: the victim sees only packets from the zombie host, and cannot work out that your IP is responsible for the scan short of obtaining logs from the zombie host itself, or from the network path between you and it, which did see your probes of the zombie arrive from your address.
17.2 NMAP seems to have stopped, or my scan is taking a very long while. Why is this?

The timing options can make it take a very long time. The -T Paranoid (-T 0) option waits 5 minutes between probes; for 65000 ports, that's 65000 x 5 = 325000 minutes, which is about 225 days!!

-T Sneaky (-T 1) waits 15 seconds between probes, and is therefore more useful, but scans will still take a long while (a little over an hour for 256 ports). You can use -v to get more verbose output, which will keep you informed of the progress of the scan. Using -v twice makes the output even more verbose.
17.3 Will -sN -sX and -sF work against any host, or just Windows hosts?

-sN, -sX and -sF scans can be sent to any host, but they rely on the RFC 793 behaviour of an open port staying silent and a closed port replying with a RST, and Windows does not follow it: Windows replies with a RST from every port, so scanning a Windows machine with these scans results in all ports appearing closed. Scanning a *nix or other RFC-compliant system should work just fine, though. As I said in the main tutorial, -sX, -sF and -sN are commonly used to determine whether you're scanning a Windows host or not, without using the -O fingerprinting option.

The Nmap manual page should help to determine which scans work alongside which options, and on which target systems they are most effective.
17.4 How do I find a dummy host for the Idle Scan (-sI)?

You have to scan for hosts whose IP ID sequence is incremental: run nmap -O -v against candidate hosts and look at the "IPID Sequence Generation" line, which should read "Incremental". The host also needs to be genuinely idle (a printer, a rarely used server or an unattended desktop), because any other traffic it handles bumps the counter and corrupts the scan results. Nmap checks the zombie again when the -sI scan starts and refuses to proceed if its IP ID sequence is not usable.
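As an added example (not the tutorial's or Nmap's own code), the following script does the zombie check offline on constructed IP ID samples and also works through the idle scan's arithmetic, which section 12.6 points to: given the zombie's IP ID before and after one probe round, it says what the target port must be. The classes it returns are a simplification of the ones Nmap prints after "IPID Sequence Generation:"; the sample values are made up, except that the all-zero sequence is the kind the session above showed for 10.0.0.4.

```python
"""Classify a host's IP ID behaviour and work through idle-scan arithmetic.

Added example for this FAQ answer and for the idle scan (-sI) it serves; it
is not Nmap's code. The classes are a simplification of those Nmap prints
after "IPID Sequence Generation:", and the sample sequences below are
constructed (the all-zero one is what the session above showed for 10.0.0.4).
"""
from typing import List

MOD = 1 << 16  # the IP ID field is 16 bits wide, so increments wrap


def deltas(ids: List[int]) -> List[int]:
    """Successive increments, modulo 2**16, so a counter wrapping past 65535 is still +1."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]


def byteswap16(v: int) -> int:
    """Some stacks increment the ID in host order but send it byte-swapped."""
    return ((v & 0xFF) << 8) | (v >> 8)


def classify_ipid(ids: List[int], max_step: int = 10) -> str:
    if len(ids) < 2:
        raise ValueError("need at least two samples")
    if all(v == 0 for v in ids):
        return "All zeros"
    steps = deltas(ids)
    if all(s == 1 for s in steps):
        return "Incremental"
    if all(s == 1 for s in deltas([byteswap16(v) for v in ids])):
        return "Broken little-endian incremental"
    if all(1 <= s <= max_step for s in steps):
        return "Incremental (busy)"  # counting up, but other traffic is bumping it
    return "Randomized"


def is_zombie_candidate(ids: List[int]) -> bool:
    """A usable zombie increments by exactly one per packet it sends and is
    otherwise idle; a busy or randomised host gives meaningless results."""
    return classify_ipid(ids) in ("Incremental", "Broken little-endian incremental")


def infer_port_state(before: int, after: int, little_endian: bool = False) -> str:
    """Idle-scan inference from the zombie's IP ID before and after one round.

    The attacker probes the zombie (SYN/ACK -> RST carrying ID `before`), sends
    one SYN to the target spoofed from the zombie's address, then probes the
    zombie again. An open target port answers the zombie with a SYN/ACK, the
    zombie replies RST and burns one extra ID (+2 overall); a closed port
    answers RST, which the zombie ignores (+1); a filtered port answers
    nothing at all (+1 as well, hence closed and filtered look the same)."""
    if little_endian:
        before, after = byteswap16(before), byteswap16(after)
    step = (after - before) % MOD
    if step == 1:
        return "closed|filtered"
    if step == 2:
        return "open"
    return "unknown (zombie not idle)"


if __name__ == "__main__":
    for seq in ([0, 0, 0, 0], [31337, 31338, 31339, 31340], [0x0100, 0x0200, 0x0300],
                [31337, 31341, 31342, 31350], [4, 53000, 17, 60001]):
        print("%-32s zombie=%-5s %s" % (classify_ipid(seq), is_zombie_candidate(seq), seq))
    print("open port  ->", infer_port_state(31337, 31339))
    print("closed port->", infer_port_state(31337, 31338))
```

The "unknown" branch is the practical warning: if the zombie's counter moved by more than two during a round, somebody else was talking to it, and the result for that port has to be repeated rather than trusted.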
17.5 What does "Host seems down. If it is really up, but blocking our ping probes, try -P0" mean?

When Nmap starts, it tries to ping the host to check that it is online; Nmap also gains round-trip timing information from this ping. If the remote host, or a system on the path between you and the remote host, is blocking pings, the ping will not be replied to, and Nmap will not start scanning. Using the -P0 option, you can turn off the ping-on-start and have Nmap try to scan anyway.
17.6 Where can I find NmapFE?

NmapFE is a graphical front-end for Nmap.

NmapFE for UNIX/Linux is included in the Nmap source. NmapFE for OSX is available at http://faktory.org/m/software/nmap/ NmapFE for Windows is under development as part of NmapFE++, a new frontend for Linux, OSX and Windows. Information is available at http://www.insecure.org/nmap/SoC/NmapFE.html
18 About This Document

This document is copyright ©2003-2009, Andrew J. Bennieston. This document is provided in several formats, including LaTeX source, and it may be freely redistributed in any form, providing no changes are made to the content. The latest version can always be found at http://nmap.org/bennieston-tutorial/

Tuesday, August 3, 2010

wget stuff

wget --http-password=isa --http-user=isa -np -nc -w 3 -e robots=off -rbc -e http_proxy=202.46.129.10:8080 --proxy-user=princeofun@chem.its.ac.id --proxy-password=secret --limit-rate=1000 http://202.46.129.43/~yono/data/asus-titipan/ohyes/?url_addr=http%3A%2F%2Fwww.dreamtemplate.com%2Fproduct%2Fimages%2F111%2F&http_submit=DownloadHTTP&url_user=&url_pass=&ftp_url_addr=&ftp_url_user=&ftp_url_pass=

Flags: -np (don't ascend to the parent directory), -nc (don't re-download files that already exist), -w 3 (wait 3 seconds between retrievals), -e robots=off (ignore robots.txt), -rbc (recursive, run in the background, continue partial downloads), -e http_proxy=... (set the proxy as a .wgetrc-style command), --limit-rate=1000 (1000 bytes per second). Passwords given on the command line like this are visible to every user on the machine through ps; putting them in ~/.wgetrc or ~/.netrc with mode 0600 is safer.

with tsocks
Add this to /etc/tsocks.conf:
server = 127.0.0.1
server_type = 5
server_port = 9999

in a separate terminal run:
ssh -f -N -D 9999 username@ip_remote_host

(-D opens a local SOCKS proxy on port 9999, which is what tsocks expects on the server_port configured above; -L would only forward one local port to one fixed remote destination and does not speak SOCKS.)

remove any proxy cmds from ~/.wgetrc
run 'tsocks wget REMOTEURL'