March 3, 2010

nmap XML to HTML parser

Filed under: Security, Uncategorized, internet — admin @ 23:57

I was recently in need of a parser that would convert Nmap XML output to an HTML file. As far as I could see there was no tool available so I wrote my own. Feel free to use or adjust it.

<!--
Parse nmap XML output
	Koen Van Impe		cudeso.be
	20100303
-->
<html>
<head><title>nmap xml file to html</title></head>
<body>
	<form method="POST" enctype="multipart/form-data" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8'); ?>">
		XML file: <input type="file" name="xmlfile">	<br />
		<input type="checkbox" checked name="open"> Open <br />
		<input type="checkbox"  name="closed"> Closed <br />
		<input type="checkbox"  name="filtered"> Filtered <br />
		<input type="submit" value="Press"> to upload the file!
	</form>
<?php

// escape a value before printing it as HTML; hostnames and service banners in a scan are untrusted input
function h($value) {
	return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

if(isset($_FILES['xmlfile']) && is_uploaded_file($_FILES['xmlfile']['tmp_name'])) {

	// init (an unchecked checkbox is not present in $_POST at all)
	$printOpen     = (isset($_POST["open"])     and trim($_POST["open"]) == "on");
	$printClosed   = (isset($_POST["closed"])   and trim($_POST["closed"]) == "on");
	$printFiltered = (isset($_POST["filtered"]) and trim($_POST["filtered"]) == "on");

	// load the upload; LIBXML_NONET keeps the XML parser off the network
	$xmlObject = simplexml_load_file($_FILES['xmlfile']['tmp_name'], "SimpleXMLElement", LIBXML_NONET);
	if ($xmlObject === false) {
		echo "<p>Could not parse the uploaded file as XML.</p></body></html>";
		exit;
	}

	// output the header
	echo "<h1>".h($xmlObject["args"])."</h1>";
	echo "<h2>Hosts up: ".h($xmlObject->runstats->hosts["up"])." / Hosts down: ".
			h($xmlObject->runstats->hosts["down"])." / Hosts total: ".h($xmlObject->runstats->hosts["total"])."</h2>";

	// run through the xml and print hostinfo
	foreach($xmlObject as $host => $value) {

		// Only grab the data if it's host related info
		if ((string) $host == "host") {

			// declare portsarray
			$nmap["ports"] = array();

			// get the hostinfo
			echo "<h2>".h($value->hostnames->hostname["name"]).
						" (".h($value->address["addr"])." / ".h($value->address["addrtype"]).")</h2>";
			echo "<table>";

			// print the discovered ports whose state was selected in the form
			foreach ($value->ports->port as $port) {

				if (  ( ((string) $port->state["state"] == "filtered")	and	($printFiltered)) or
					  ( ((string) $port->state["state"] == "closed")	and	($printClosed)) or
					  ( ((string) $port->state["state"] == "open")	and	($printOpen))
					) {
					echo "<tr><td>".h($port["portid"])."/".h($port["protocol"])."</td><td>".
							h($port->state["state"])."(".h($port->state["reason"]).")</td>
							<td>".h($port->service["name"])."(".h($port->service["product"]).")</td>
								</tr>";
				}
			}
			echo "</table>";
		}
	}

}
?>
</body>
</html>

April 2, 2009

Snort 3.0 Beta 3 Released

Filed under: Open Source, Security, honeypot, internet — @ 22:54

An interesting post by Martin Roesch on the new architecture in the beta release of Snort.

March 10, 2009

Sad day for IT Security

Filed under: Security, dns, internet — @ 21:54

It’s a sad day for IT security when even D. J. Bernstein has to admit that there’s a flaw in DJBDNS. Luckily the patch that needs to be applied is straightforward and has no known side-effects (at least, not on the DJBDNS servers that I patched).

January 28, 2009

TF-CSIRT 26 – Riga: Quantitative Cross Comparative Analysis of Tools for Anomaly Detection

Filed under: Security, conferences, internet — @ 22:06

I attended the last joint TF-CSIRT / FIRST meeting in Riga. One of the most interesting talks was by Wayne Routly from Dante. He talked on Quantitative Cross Comparative Analysis of Tools for Anomaly Detection. He gave some very good information on StealthWatch and Netreflex. If you’re moving Gbs of data then the set of tools you can use to analyze traffic is limited. According to the presentation both tools did quite well though.

January 5, 2009

SSL Blacklist 4.0

Filed under: Security, firefox, internet — @ 23:24

SSL Blacklist is a nice addon for Firefox that has the ability to detect MD5 signed certificates and block access. If you don’t know what the problem is with MD5 signed certificates then enjoy reading this.

November 24, 2008

Wiping disks

Filed under: Security, linux — @ 22:32

Recently I needed to wipe a couple of disks because I wanted to sell them. I’ve played around with shred under Linux (like from a Knoppix live cd) but why go through all this hassle? I encountered Darik’s Boot and Nuke. Boot from the cd, select the drives and press F10. That’s all there is.

October 7, 2008

Active Threat Level Analysis System (ATLAS)

Filed under: Security, honeypot, internet — @ 21:00

As incident handlers we always need to look out for sources that report possible malicious activity coming from (or going to) our networks. We run a couple of honeypots and have a netflow monitor that alerts us when something is out of the ordinary. Extra sources however are always an extra bonus.

Recently I came across ATLAS from Arbor Networks.

They have an excellent service where you can easily sign up and if they approve your account you get access to alerts from their honeypots. According to their website they cover a large part of the Internet. There’s of course some commercial mumbo jumbo but at first their service seems to be very useful. A feed (RSS) allows you to get instant updates with a short description with the type of incident (scan, phish, …), a timeframe and a link to their site with additional information.

September 2, 2008

Freedom not Fear

Filed under: Security, collaboration, internet, maatschappij — @ 14:02

Joint action against the excessive surveillance by governments and businesses

11-Oct-2008,
More info at http://www.vorratsdatenspeicherung.de/content/view/242/144/

August 25, 2008

Black Ops 2008 : It’s The End Of The Cache As We Know It

Filed under: Security, abuse, internet — @ 21:57

The video of the Dan Kaminsky presentation of the DNS cache bug is available on the Black Hat site. It’s a 100 MB download but it sure is worth it. There’s also an MP3-version.

August 17, 2008

Defcon 16 and Blackhat 2008 slides

Filed under: Security, internet — @ 13:50

The Defcon 16 CD is available.

Blackhat 2008 slides are also published.
