-----
1) Binary logfiles are used to handle very large logfiles (like network sniffing, where a huge amount of traffic must be saved in a short time), for example: tcpdump -w xxx.log (the corresponding program which creates the binary file uses compression, much smaller than normal ASCII logfiles).
-----
2) md5 calculates a message-digest fingerprint. The value is that you have a unique 128-bit fingerprint (or message digest) for your file. Once you create a file and the corresponding md5 checksum, everyone who downloads the file can cross-check the md5 checksum you provided and can be pretty sure the file is the original you posted and not a fake from another person.
-----
3) Attacker's IP: 192.168.0.9
-----
4) Destination IP: 192.168.0.99
-----
5) Methods:

- nmap Xmas scan (-sX): According to RFC 793 a system should send back an RST for all closed TCP ports when it receives a FIN/URG/PUSH packet for a specific port.

- nmap null scan (-sN): According to RFC 793 a system should send back an RST for all closed TCP ports when it receives a packet without any flags set for a specific port.

- nmap UDP port unreachable scanning (-sU): UDP is a connectionless protocol. Therefore no three-way handshake as with TCP is established to start communication between client and server. If a client sends a UDP packet to a UDP port on a specific system, the system will respond with an ICMP PORT UNREACHABLE reply. Therefore, if no such answer is received, it can be deduced that the UDP port is active. Because of this behaviour and the many factors that can influence the communication, the results are usually unreliable. This scan is very slow, because most host implementations rate-limit the icmp_unreachable messages (RFC 1812).

- nmap fingerprint (-O): detecting the target's operating system, based on a fingerprint database (combination of TTL / TCP initial window / initial sequence numbers / FIN probe / BogusFlagProbe / IPID / TCP timestamp / Don't Fragment bit / ACK value / ICMP error-message quenching / ICMP message quoting / TOS / TCP options / fragmentation handling).

- snmp trap/request/agent-request fin/psh/urg coming from src: 192.168.0.9, 192.168.0.1, 192.168.0.254, 192.168.0.99, 192.168.0.199. Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages.
-----
6) nmap was used. I used snort to produce the alert.log: snort -r 0826\@19-snort.log (based on the snort ruleset, Version 1.9.0beta6 (Build 204)). You can also see in the raw tcpdump the typical nmap TCP flags (example: nmap fingerprint: flags SFPU).
-----
7) The purpose is to see which UDP/TCP ports are open on the target machine, to have a basic overview of which services are running and to guess which operating system, so a *bad guy* can start further investigation, like determining the daemon version of ssh, ftp etc. (other examples: xploits, DoS attacks, existing backdoors etc.).
-----
8) Open ports found (SYN/ACK flag): 22, 111, 32768, 80, 443, 53
-----
9) Checked all kinds of flag combinations/options, grrrr, not really 100% positive results, but according to my research, I guess: linux 2.4.x

I really wanna see the postings from the real cracks....*sniff,sniff* ...the next time...and in the meantime I will study, study tcpdumps...)
~~~~~~~~~~~~~~~~~~~~~~~~
bl0wf8sh http://bl0wf8sh.ath.cx
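A small detector for the probes the post describes (Xmas FIN/PSH/URG, null scan with no flags) plus the SYN/ACK-based open-port inference from item 8, written as an added example that is not part of the original post; the log lines are constructed in modern tcpdump text format and reuse the post's 192.168.0.9 / 192.168.0.99 addresses as scanner and target.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump text format (not the post's actual log).
SAMPLE_LOG = """\
IP 192.168.0.9.40001 > 192.168.0.99.22: Flags [FPU], seq 1, win 1024, length 0
IP 192.168.0.9.40002 > 192.168.0.99.80: Flags [none], seq 1, win 1024, length 0
IP 192.168.0.9.40003 > 192.168.0.99.443: Flags [S], seq 1, win 1024, length 0
IP 192.168.0.99.443 > 192.168.0.9.40003: Flags [S.], seq 1, ack 2, win 5840, length 0
IP 192.168.0.9.40004 > 192.168.0.99.25: Flags [S], seq 1, win 1024, length 0
IP 192.168.0.99.25 > 192.168.0.9.40004: Flags [R.], seq 0, ack 2, win 0, length 0
"""

# src.sport > dst.dport: Flags [..]
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def classify_flags(flags):
    """Label a tcpdump flag string with the probe/reply type it matches."""
    if flags == "none":
        return "null-scan"          # no TCP flags at all (nmap -sN)
    if set(flags) == set("FPU"):
        return "xmas-scan"          # FIN+PSH+URG (nmap -sX)
    if flags == "S":
        return "syn"
    if flags == "S.":
        return "syn-ack"            # responder's port is open
    if "R" in flags:
        return "rst"                # RFC 793 answer for a closed port
    return "other"


def analyse(log_text):
    """Return per-source probe counts and, per host, the ports seen answering SYN/ACK."""
    probes = defaultdict(lambda: defaultdict(int))
    open_ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        kind = classify_flags(flags)
        if kind in ("null-scan", "xmas-scan", "syn"):
            probes[src][kind] += 1
        elif kind == "syn-ack":
            open_ports[src].add(int(sport))  # SYN/ACK comes from the open port
    return probes, open_ports
```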