Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Fri Feb 03, 2023 7:15 pm

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 30 posts ]  Go to page Previous  1, 2
Author Message
PostPosted: Fri Nov 02, 2007 8:31 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Sorry, but it seems that the following changes were added instead:
[code]
$device_type="na";
$running="na";
$ip_address="255.255.255.255";
$manufacturer="na";
$mac="ff:ff:ff:ff:ff:ff";
[/code]

_________________
Edoardo


Top
 Profile  
Reply with quote  
PostPosted: Fri Nov 02, 2007 11:50 pm 
Offline
Helper

Joined: Thu Jun 14, 2007 4:06 am
Posts: 96
Location: Georgia, USA
EF

What version of PHP are you using?
What version of IIS or Apache?

Can you post the section of include.php that is generating the error in the log? With all the changes I'm not sure which one you are using.


Top
 Profile  
Reply with quote  
PostPosted: Sat Nov 03, 2007 1:05 am 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
[quote="jpmorgan"]EF

What version of PHP are you using?
What version of IIS or Apache?

Can you post the section of include.php that is generating the error in the log? With all the changes I'm not sure which one you are using.

Hi JpMorgan, I'm using PHP 5.2.1 on IIS 6 (Windows Server 2003 SP2). I use LDAP auth. and SSL.
Following is the section of include.php (last SVN) that generates the error:
[code]
if ((isset($use_ldap_login) and ($use_ldap_login == 'y'))) {
echo "<table width=\"100%\">\n";
echo "<td colspan=\"3\" class=\"main_each\">\n";
echo "<a href=\"ldap_logout.php\">".__("Logout ").$_SESSION["username"]."</a>\n";
// Uncomment the following to see what tyoe of page this is
// echo "<a href=\"index.php\">"." We are in a ".$page_type." type of page"."</a>\n";
echo "</td>\n";
echo "</table>\n";
[/code]
Did you have time to try the admin_nmap_input.php I posted at 10.36 (not the SVN 880 one)?
Thanks

_________________
Edoardo


Top
 Profile  
Reply with quote  
PostPosted: Sat Nov 03, 2007 1:13 am 
Offline
Helper

Joined: Thu Jun 14, 2007 4:06 am
Posts: 96
Location: Georgia, USA
I have about the same configuration except my PHP is 5.2.3. Can you tell me where the log file is located for PHP? Is there a setting in PHP to make it log, or is it on by default?

I haven't tested any of the nmap stuff. I don't use it, but I hope to soon.


Top
 Profile  
Reply with quote  
PostPosted: Sat Nov 03, 2007 1:41 am 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
To enable php error logging I:
- created in %ProgramFiles%\php\ a file named php_error.log
- assigned to the IUSR_%ComputerName% local user the "Change" NTFS permission on the php_error.log file
- changed the following directives in the php.ini file
[code]
error_reporting = E_ALL
log_errors = On
error_log = "c:\program files\php\php_error.log"
[/code]
- restarted IIS
On that log are recorded notices/warnings/errors for every running site. If you want the same errors on display, set also
[code]
display_errors = On
[/code]

_________________
Edoardo


Top
 Profile  
Reply with quote  
PostPosted: Sat Nov 03, 2007 2:55 am 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
[quote="A_Hull"]Thanks for that. Added at SVN 880

Andrew, could you please check what you added to SVN? It seems that another version was added, instead of mine.
If you think that it's better to declare
[code]
$mac="ff:ff:ff:ff:ff:ff";
[/code]
please, change also line 160 to
[code]
if ($uuid == "" and $mac <> "ff:ff:ff:ff:ff:ff") {
[/code]
Let me know if it fixes the dummy 000.000.000.000 host creation, like it does for me.
Thank you

_________________
Edoardo


Top
 Profile  
Reply with quote  
PostPosted: Sun Nov 04, 2007 5:41 am 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Just re-added the contents of the previous zip file, try it now. Ver 882 ....very odd :? let me know if it is now what you expected, and any updates you want to add to it..

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Top
 Profile  
Reply with quote  
PostPosted: Mon Nov 05, 2007 6:24 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Thank you, now it's OK. With this fix, I have no more the 0.0.0.0 other host and some more hosts are detected (like PBX/badge readers with all closed ports). Unfortunately, very few info is showed (IP, MAC and manifacturer). Probably, a deeper (and slower) scan (like probing UDP ports also) could add more info about them. But the "nmap_ports" table should be updated (added a field "nmap_port_type" with values TCP or UDP).

_________________
Edoardo


Top
 Profile  
Reply with quote  
PostPosted: Mon Nov 05, 2007 8:00 pm 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
[quote="ef"]Thank you, now it's OK. With this fix, I have no more the 0.0.0.0 other host and some more hosts are detected (like PBX/badge readers with all closed ports). Unfortunately, very few info is showed (IP, MAC and manifacturer). Probably, a deeper (and slower) scan (like probing UDP ports also) could add more info about them. But the "nmap_ports" table should be updated (added a field "nmap_port_type" with values TCP or UDP).


I was also thinking of probing the web pages on any device which reports port 80 or 443 open. We may well discover a lot about the device from the splash screen on the built in web server. (See post here viewtopic.php?f=9&t=2456 regarding Cisco IP Phones). What in particular do you think would be revealed by UDP scanning, and how do you see this working? Can we mark this bug fixed, and put any new ideas in the feature request section?

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Top
 Profile  
Reply with quote  
PostPosted: Mon Nov 05, 2007 9:51 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Yes, for me it's fixed.
Running
[code]
nmap.exe -sS -sU -sV --version-intensity 5 -O -v -oN temp.txt IP_HOST
[/code]
TCP (-sS) and UDP (-sU) ports are scanned: then every open TCP/UDP port is further probed to discover service version (i.e if 80/TCP is open, not only "http" is showed as service name, but also the running webserver version is discovered). The number (0-9) after the parameter "-sV --version-intensity " gains the level (and speed) of service discovering.
Probably, it's better to move to a feature request topic, because it involves:
- adding fields "nmap_port_type" and "nmap_port_version" to the "nmap_ports" table
- changing
nmap.vbs at line 43
[code]
nmap = "nmap.exe -sS -sU -sV --version-intensity 5 -O -v -oN " & sTempFile & " " & nmap_subnet
[/code]
admin_nmap_input.php to parse and post further info
various views to show port_type and port_version

_________________
Edoardo


Top
 Profile  
Reply with quote  
PostPosted: Tue Nov 06, 2007 4:02 am 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Looks like a neat idea. :D Can you start a feature request for it, and we can take a serious look at it.
Thanks.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Top
 Profile  
Reply with quote  
PostPosted: Tue Nov 06, 2007 11:16 am 
Offline
Contributor

Joined: Fri Sep 28, 2007 12:07 am
Posts: 189
Still having this problem:

[code]SELECT net_uuid FROM network_card WHERE net_mac_address = '00:00:00:00:00:00'
SELECT other_id, other_mac_address FROM other WHERE other_mac_address = '00:00:00:00:00:00' OR other_ip_address = '010.023.000.002' ORDER BY other_timestamp

SELECT other_id, other_mac_address FROM other WHERE other_mac_address = '00:00:00:00:00:00' OR other_ip_address = '010.023.000.002' ORDER BY other_timestamp
[/code]

Running nmap from 10.20.0.2

Weird.

js

_________________
OA Deployment:
Windows 2003 with XAMPP install
80 Windows Servers
250 Windows workstations (mixed XP and 2000)
5 MACs
Multiple printers, switches, routers, firewalls, and other servers (ESX, AIX etc.)


Top
 Profile  
Reply with quote  
PostPosted: Tue Nov 06, 2007 7:03 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
It seems that you are scanning host 10.23.0.2 from a different subnet: the returned MAC would be your gateway's one, so nmap wouldn't report it and "$mac" will be always 00:00:00:00:00:00 as is declared. Try these fixes in admin_nmap_input.php:
- change line 116:
[code]
if (isset($mac) AND $mac <> "00:00:00:00:00:00"){
[/code]
- change line 139
[code]
if ($mac == "00:00:00:00:00:00"){
[/code]
Please, could developers check if it's the correct behaviour for the script? To fix the creation of a dummy 0.0.0.0 host, at SVN 882 we also modified line 160
[code]
if ($uuid == "" and $mac <> "00:00:00:00:00:00") {
[/code]
so only scanned hosts with a returned MAC address (internal subnet) will be added to the "other" table.
Thank you.

_________________
Edoardo


Top
 Profile  
Reply with quote  
PostPosted: Tue Nov 06, 2007 9:19 pm 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
For best results from nmap, you should always nmap scan from a machine on the same local subnet as your target, if you can, otherwise you will be unable to see the MAC addresses of any of the items on the subnet being scanned. Although not absolutely essential, the mac address allows us (or rather NMAP) to figure out who the hardware supplier is likely to be with quite a high degree of accuracy.

The reason for this is that the mac address is associated with the hardware (Media) layer of ethernet cards hence Media Access Control (MAC Address) see (http://en.wikipedia.org/wiki/Mac_address). Different hardware manufacturers use different parts of the limited address range, so MAC addresses are always unique, but MAC addresses from the same manufacturer are similar (usually they share the first few bytes).

However TCP/IP doesn't have to run over ethernet. Therefore mac addresses are not part of the TCP/IP frame, and are not passed between networks. In other words you can never see the mac address of a machine on a different subnet, because you are relying on TCP/IP. You can see the mac addresses of all of the machines on the same subnet if they are connected via ethernet, (or possibly on virtual subnets, if they use virtual mac addresses) because you are on the same media (hardware) segment. Hope this helps.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Top
 Profile  
Reply with quote  
PostPosted: Wed Nov 07, 2007 2:35 am 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
So, do you think those 2 fixes to admin_nmap_input.php at lines 116 and 139 I suggested before are correct?

_________________
Edoardo


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 30 posts ]  Go to page Previous  1, 2

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group