What the hackers see when they look at you
Tuesday, November 13, 2012 at 4:51PM
Glynn Taylor in security, vpn firewall security

The first thing a hacker will do is some early reconnaissance. It is the bank robber's equivalent of “casing the joint”. The reconnaissance software pokes and prods the target, checking whether any doors or windows are unlocked and, if there is a safe, which model it is.

Below is what Nmap shows about a typical Apple laptop running OS X Lion. In 136 seconds the hacker knows what operating system you are running and what services are available.

Starting Nmap 5.00 ( http://nmap.org ) at 2012-01-26 09:32 EST
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 09:32
Scanning 10.99.100.180 [1 port]
Completed ARP Ping Scan at 09:32, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:32
Completed Parallel DNS resolution of 1 host. at 09:32, 0.00s elapsed
Initiating SYN Stealth Scan at 09:32
Scanning ddv (10.99.100.180) [1000 ports]
Discovered open port 5900/tcp on 10.99.100.180
Discovered open port 88/tcp on 10.99.100.180
Discovered open port 548/tcp on 10.99.100.180
Discovered open port 44176/tcp on 10.99.100.180

Increasing send delay for 10.99.100.180 from 0 to 5 due to max_successful_tryno increase to 5
Completed SYN Stealth Scan at 09:32, 8.09s elapsed (1000 total ports)
Initiating Service scan at 09:32
Scanning 4 services on ddv (10.99.100.180)
Service scan Timing: About 75.00% done; ETC: 09:34 (0:00:35 remaining)
Completed Service scan at 09:34, 111.12s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against ddv (10.99.100.180)
Retrying OS detection (try #2) against ddv (10.99.100.180)
Retrying OS detection (try #3) against ddv (10.99.100.180)
Retrying OS detection (try #4) against ddv (10.99.100.180)
Retrying OS detection (try #5) against ddv (10.99.100.180)
NSE: Script scanning 10.99.100.180.
NSE: Starting runlevel 1 scan
Initiating NSE at 09:34
Completed NSE at 09:34, 0.22s elapsed
NSE: Script Scanning completed.
Host ddv (10.99.100.180) is up (0.00077s latency).
Interesting ports on ddv (10.99.100.180):
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows kerberos-sec
548/tcp open afp?
5900/tcp open vnc Apple remote desktop vnc
44176/tcp open unknown
2 services unrecognized despite returning data.

If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 00:23:32:9B:33:7F (Apple)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:

Uptime guess: 12.282 days (since Sat Jan 14 02:47:57 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OSs: Windows, Mac OS X

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.65 seconds
Raw packets sent: 1422 (66.616KB) | Rcvd: 1071 (44.908KB)

At this point the hacker would run something like Wireshark to “sniff” (watch or record) all the packets going in and out of your computer (email, HTTP, chats), or fire up something like Metasploit to probe further, take advantage of any vulnerabilities you have and break into your computer.

With the TinyHardwareFirewall this is not possible because the hacker won’t even see your computer, just the TinyHardwareFirewall.

Now let's run the same Nmap scan against the same laptop with the Tiny Hardware Firewall in place.

Starting Nmap 5.00 ( http://nmap.org ) at 2012-01-26 09:26 EST
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 09:26
Scanning 10.99.100.195 [1 port]
Completed ARP Ping Scan at 09:26, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:26
Completed Parallel DNS resolution of 1 host. at 09:27, 13.00s elapsed
Initiating SYN Stealth Scan at 09:27
Scanning 10.99.100.195 [1000 ports]
Increasing send delay for 10.99.100.195 from 0 to 5 due to 35 out of 86 dropped probes since last increase.
Increasing send delay for 10.99.100.195 from 5 to 10 due to 25 out of 62 dropped probes since last increase.
Completed SYN Stealth Scan at 09:27, 38.06s elapsed (1000 total ports)
Initiating Service scan at 09:27
Initiating OS detection (try #1) against 10.99.100.195
NSE: Script scanning 10.99.100.195.
NSE: Script Scanning completed.
Host 10.99.100.195 is up (0.00096s latency).
All 1000 scanned ports on 10.99.100.195 are closed
MAC Address: 00:24:8C:2D:C0:1B (Asustek Computer)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.62 seconds
Raw packets sent: 1748 (78.194KB) | Rcvd: 1013 (42.046KB)

The hacker sees no open ports or services and cannot tell which operating system your laptop is running. All of the information about your laptop has been hidden by the Tiny Hardware Firewall.
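
The before/after comparison above can be checked automatically. The following Python parser is an added example (not code from the post or from Tiny Hardware Firewall): it reduces Nmap's normal output to the facts a scanner handed over (open ports and their service banners, MAC vendor, OS or service hints). The two sample inputs are trimmed excerpts of the scans shown above, constructed for the example.

```python
import re

# Trimmed excerpts of the two Nmap 5.00 runs shown in the post (constructed
# samples: only the lines this parser looks at were kept).
SCAN_NO_FIREWALL = """\
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows kerberos-sec
548/tcp open afp?
5900/tcp open vnc Apple remote desktop vnc
44176/tcp open unknown
MAC Address: 00:23:32:9B:33:7F (Apple)
Service Info: OSs: Windows, Mac OS X
"""

SCAN_FIREWALL = """\
Host 10.99.100.195 is up (0.00096s latency).
All 1000 scanned ports on 10.99.100.195 are closed
MAC Address: 00:24:8C:2D:C0:1B (Asustek Computer)
Too many fingerprints match this host to give specific OS details
"""

# One row of Nmap's port table: "<port>/<proto> <state> <service> [<version>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")

def parse_exposure(text):
    """Reduce Nmap normal output to what an outsider learned about the host."""
    report = {"open_ports": {}, "mac_vendor": None, "os_hints": []}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            # Only 'open' is exposure: 'closed' means the host answered with a
            # RST and 'filtered' means nothing answered; neither offers a
            # service to talk to.
            if state == "open":
                report["open_ports"][f"{port}/{proto}"] = (service, version.strip())
            continue
        m = MAC_RE.match(line)
        if m:
            report["mac_vendor"] = m.group(2)
        elif line.startswith(("Service Info:", "Running:")):
            # Nmap prints these only when service or OS detection found a match.
            report["os_hints"].append(line.split(":", 1)[1].strip())
    return report

def exposure_score(report):
    """Number of facts the scan gave away: open ports plus OS/service hints."""
    return len(report["open_ports"]) + len(report["os_hints"])
```

Running both excerpts through the parser gives a score of 5 for the unprotected laptop and 0 behind the firewall; the MAC vendor is the one thing still visible, because the scanner is on the same LAN segment as the firewall itself.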

Other things the TinyHardwareFirewall can do:
  1. Scan for and block viruses, trojans and other malware before any bad packets get to you.
  2. Block advertisements, for faster-loading websites and less chance of getting infected by drive-by, ad-based viruses.
  3. Encrypt all of your traffic with 256-bit AES encryption through HotSpotVPN.

Article originally appeared on Tiny Hardware Firewall (http://tinyhardwarefirewall.squarespace.com/).