J Wolfgang Goerlich's thoughts on Information Security
Nmap output to XML and SQL

By wolfgang. 28 November 2008 10:39

The Nmap port scanner has a handful of output options. It has its own human-readable normal format (-oN). If you want to work with the data programmatically, you can use XML output (-oX) or grepable text (-oG). The -oA option writes all three formats at once.

Why export to XML or grepable text? Typically, because you want to audit several IP hosts and store the results in a database.

A quicker method is to use the Nmap::Parser module with a Perl script. This method comes courtesy of Anthony Persaud. His Nmap-Parser automates reading the XML output and writing to SQL tables. MySQL and SQLite are both supported. Nmap-Parser is now up to version 1.19.

Use case: nightly IP scans of a subnet along with TCP scans of select hosts, as part of a security information management process.

Update: Paul Haas has a sample Perl script that uses Nmap::Parser and SQLite.
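As an added illustration of the XML-to-SQL step (this is not Anthony Persaud's Nmap::Parser, nor Paul Haas's script; it is a Python equivalent written for this page), the script below parses a constructed fragment of -oX output into two SQLite tables and then answers the question a nightly scan exists to answer: which ports are open tonight that were not open last night. The sample XML, the table layout and the addresses are all constructed for the example.

```python
"""Parse Nmap -oX output into SQLite and diff two nightly scans (added example)."""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed Nmap XML output, trimmed to the elements used here; not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 192.0.2.0/29" start="1227879600">
  <host starttime="1227879600" endtime="1227879605">
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="5.1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    </ports>
  </host>
  <host starttime="1227879600" endtime="1227879605">
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed "next night" scan: same hosts, but 3389/tcp is now open on web01.
SAMPLE_XML_NEXT = SAMPLE_XML.replace('start="1227879600"', 'start="1227966000"').replace(
    '<port protocol="tcp" portid="443">',
    '<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>'
    '<service name="ms-wbt-server"/></port>\n      <port protocol="tcp" portid="443">')

SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (
    id INTEGER PRIMARY KEY, scan_start INTEGER, addr TEXT, hostname TEXT, state TEXT,
    UNIQUE(scan_start, addr)
);
CREATE TABLE IF NOT EXISTS ports (
    host_id INTEGER REFERENCES hosts(id), protocol TEXT, portid INTEGER,
    state TEXT, service TEXT, product TEXT, version TEXT
);
"""


def parse_nmap_xml(xml_text):
    """Return a list of host records (each with a list of port records) from Nmap XML."""
    root = ET.fromstring(xml_text)
    scan_start = int(root.get("start", "0"))
    hosts = []
    for h in root.findall("host"):
        addr_el = h.find("address[@addrtype='ipv4']") or h.find("address")
        hn = h.find("hostnames/hostname")
        st = h.find("status")
        rec = {"scan_start": scan_start,
               "addr": addr_el.get("addr") if addr_el is not None else None,
               "hostname": hn.get("name") if hn is not None else None,
               "state": st.get("state") if st is not None else None,
               "ports": []}
        for p in h.findall("ports/port"):
            svc = p.find("service")
            rec["ports"].append({
                "protocol": p.get("protocol"), "portid": int(p.get("portid")),
                "state": p.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None})
        hosts.append(rec)
    return hosts


def fresh_db():
    """In-memory SQLite database with the schema applied."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def load_into_db(conn, hosts):
    """Insert parsed hosts and ports; returns (hosts_inserted, ports_inserted).
    A host already loaded for the same scan_start is skipped, so re-importing
    the same XML file is harmless."""
    n_hosts = n_ports = 0
    for h in hosts:
        cur = conn.execute(
            "INSERT OR IGNORE INTO hosts (scan_start, addr, hostname, state) VALUES (?, ?, ?, ?)",
            (h["scan_start"], h["addr"], h["hostname"], h["state"]))
        if cur.rowcount == 0:
            continue
        n_hosts += 1
        for p in h["ports"]:
            conn.execute("INSERT INTO ports VALUES (?, ?, ?, ?, ?, ?, ?)",
                         (cur.lastrowid, p["protocol"], p["portid"], p["state"],
                          p["service"], p["product"], p["version"]))
            n_ports += 1
    conn.commit()
    return n_hosts, n_ports


OPEN_Q = """SELECT p.protocol, p.portid FROM ports p JOIN hosts h ON p.host_id = h.id
            WHERE h.addr = ? AND h.scan_start = ? AND p.state = 'open' ORDER BY p.portid"""


def open_ports(conn, addr, scan_start):
    """(protocol, port) pairs open on addr in the scan that began at scan_start."""
    return conn.execute(OPEN_Q, (addr, scan_start)).fetchall()


def newly_open_ports(conn, addr, older_start, newer_start):
    """Ports open in the newer scan that were not open in the older one: the nightly delta."""
    return sorted(set(open_ports(conn, addr, newer_start)) - set(open_ports(conn, addr, older_start)))


if __name__ == "__main__":
    db = fresh_db()
    load_into_db(db, parse_nmap_xml(SAMPLE_XML))
    load_into_db(db, parse_nmap_xml(SAMPLE_XML_NEXT))
    print("newly open on 192.0.2.10:", newly_open_ports(db, "192.0.2.10", 1227879600, 1227966000))
```

For a real nightly job, replace SAMPLE_XML with the contents of the -oX file and point sqlite3.connect at a file; the UNIQUE(scan_start, addr) constraint is what keeps a re-run of the import from doubling the port rows.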


Security | Security Information Management

Tip: Cygwin for Steganography in Sounds (.wav)

By wolfgang. 25 November 2008 15:05

Cygwin can be used for hiding data in sound files.

First, run setup and select the "steghide: A steganography hiding tool" package under the Security category. You may also be prompted to install libjpeg7 and mhash. Complete the installation.

Second, copy your hidden file and cover file to the home folder (C:\cygwin\home\Administrator). For example, suppose we use "hidden.msg" and "applause.wav" to embed a text message inside a file of folks clapping. Let's use the word "secret" as the passphrase.

$ steghide --embed --embedfile hidden.msg --coverfile applause.wav --passphrase secret --stegofile output.wav

embedding "hidden.msg" in "applause.wav"... done
writing stego file "output.wav"... done

The resulting "output.wav" file now contains the message. To extract, we use steghide with the passphrase.

$ steghide --extract --stegofile output.wav --passphrase secret --extractfile output.msg

wrote extracted data to "output.msg".

That is how to use steghide in Cygwin to embed and extract files from sound files (.wav).
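To show what "hiding data in sound files" actually does to the audio, here is an added Python example that is not steghide and not part of the original post: it writes a payload into the least significant bit of each 16-bit PCM sample of a WAV file, reads it back, and compares cover and stego files. It is a simplified sequential LSB scheme with no passphrase; steghide's own embedding is different (passphrase-seeded sample selection). The cover audio is constructed pseudo-random noise rather than a real recording.

```python
"""LSB embedding in a 16-bit PCM WAV, with extraction and a cover-vs-stego comparison (added example)."""
import io
import random
import struct
import wave


def make_cover_wav(n_samples=4000, seed=7):
    """Constructed cover audio: 8 kHz mono 16-bit noise, returned as WAV bytes."""
    rng = random.Random(seed)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(struct.pack("<%dh" % n_samples,
                                  *[rng.randint(-20000, 20000) for _ in range(n_samples)]))
    return buf.getvalue()


def _read_samples(wav_bytes):
    """Return (params, list of signed 16-bit samples) from WAV bytes."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        params = w.getparams()
        if params.sampwidth != 2:
            raise ValueError("only 16-bit PCM is supported")
        raw = w.readframes(params.nframes)
    return params, list(struct.unpack("<%dh" % (len(raw) // 2), raw))


def _write_samples(params, samples):
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def embed(cover_wav, payload):
    """Hide payload bytes in the LSB of successive samples, prefixed by a 32-bit length."""
    params, samples = _read_samples(cover_wav)
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload needs %d samples, cover has %d" % (len(bits), len(samples)))
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit   # changes each sample by at most 1 LSB
    return _write_samples(params, samples)


def extract(stego_wav):
    """Read the length header, then that many payload bytes, from the sample LSBs."""
    _, samples = _read_samples(stego_wav)

    def bits_to_bytes(start, count):
        out = bytearray()
        for b in range(count):
            v = 0
            for i in range(8):
                v = (v << 1) | (samples[start + b * 8 + i] & 1)
            out.append(v)
        return bytes(out)

    length = struct.unpack(">I", bits_to_bytes(0, 4))[0]
    if 32 + length * 8 > len(samples):
        raise ValueError("length header exceeds the file: not embedded with this scheme")
    return bits_to_bytes(32, length)


def lsb_change_ratio(cover_wav, stego_wav):
    """Fraction of samples whose LSB differs between the two files.
    With the original cover available this is a direct check that a file was altered;
    the size and playable content of the file are unchanged, so only the LSBs tell."""
    _, a = _read_samples(cover_wav)
    _, b = _read_samples(stego_wav)
    if len(a) != len(b):
        raise ValueError("files have different sample counts")
    return sum(1 for x, y in zip(a, b) if (x & 1) != (y & 1)) / len(a)


if __name__ == "__main__":
    cover = make_cover_wav()
    stego = embed(cover, b"hello from hidden.msg")
    print("extracted:", extract(stego))
    print("LSBs changed: %.1f%%" % (100 * lsb_change_ratio(cover, stego)))
```

The point the comparison makes is that the stego file is the same length and, to the ear, the same audio as the cover; without the cover to diff against, the only evidence is the statistics of the low-order bits, which is why steganalysis tools look there.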


Security | Systems Engineering

More on VDI

By wolfgang. 14 November 2008 21:31

VDI is great in theory but doesn't price out right. Say we convert 25 desktops to VDI. That means we need 25 processors and 100 GB of memory (assuming each desktop has 4 GB). That figures out to be six servers, quad-core, with 18 GB of memory (assuming 1 GB for the OS). The servers would cost around $7K, so figure $42K plus licensing. Say $54K. That means I end up spending $2,160 per desktop (excluding the thin client) to have hardware that I could buy at Dell for $1K.

But wait, I think, there are storage savings. Figure 100 GB per machine. A desktop hard drive runs about $50, or $2/GB. A server hard drive on the SAN runs $1,500 or $15/GB. The best case scenario would have the provisioning gold-copy/stub model sharing one image across 25 machines. Desktop cost: $1,000. VDI cost: $1,500. Nope, storage is more expensive even assuming a best case.

The bottom line is I want to take a long, hard look at Citrix's ROI calculator. It does not make sense in terms of hardware. TCO is where the case will be made. Knowing our desktop demands would help us to know if we need 6 servers or could get away with fewer. I can enable perf counters and do a study on the desktops to determine typical utilization. It could be done with WMI, scripting, and a little elbow grease.



XenDesktop and Virtual Desktop Infrastructure

By wolfgang. 13 November 2008 20:43

Citrix was in to present and discuss the technical merits of XenDesktop. I am considering VDI, which requires XenDesktop Enterprise and their provisioning server. Citrix's technology sounds impressive. Still, the question looming large in my mind is what XenDesktop + Provisioning brings to the table that Hyper-V + SCCM lacks. It is impressive yet the proof is in the pudding. I may do a pilot Q1 or Q2 2009.



Security Journal: Developing Secure Disaster Recovery Programs

By wolfgang. 11 November 2008 21:42

Disaster recovery planning does not come easily to security professionals. It is often overlooked. In fact, some people are surprised when they learn that ISC2 or ISACA considers business continuity to be a domain of information security. Security staff may not fully engage in DR and, as a result, organizations are at increased security and financial risk. Accordingly, it is worthwhile to consider planning and designing a disaster recovery program.

Read more in this quarter's edition of the Security Journal.


Business Continuity

Tip: Cygwin for RAR Archives

By wolfgang. 5 November 2008 12:01

WinRAR archiver uses RAR files as its native format. Other freeware and nagware archiving tools support RAR, too. The archiving format is becoming increasingly popular. As with the Gzip format, I personally would prefer not to install yet another software component that wants to be my primary archiving tool. Below are some notes on how I configured Cygwin for command-line access to RAR files. Please note these steps assume you have already installed Cygwin with gcc, make, and makedepend.

Download the source files for RAR 3.80 to your source folder (/usr/src or C:\cygwin\usr\src). Extract the source files, and remove the download.

$ cd /usr/src
$ gzip -d rarlinux-3.8.0.tar.gz
$ tar -xvf rarlinux-3.8.0.tar
$ rm rarlinux-3.8.0.tar

Compile the RAR source files using make. Once done, move the unrar.exe file to your binaries folder (/bin or C:\cygwin\bin).

$ cd /usr/src/rar
$ make -f makefile.cygmin
$ mv unrar.exe /bin/

That is it. From there on out, you can use the unrar command to extract any archives.

$ unrar e YourArchiveHere.rar



Edit 2012-03-11: The makefile for Cygwin is no longer included. Please download the UnRAR source for 4.1.4 and follow these steps.

$ cd /usr/src/
$ gzip -d unrarsrc-4.1.4.tar.gz
$ tar -xvf unrarsrc-4.1.4.tar
$ cd unrar
$ make -f makefile.unix
$ mv unrar.exe /bin
$ unrar e YourArchiveHere.rar


Systems Engineering
