<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>IT Breathes! &#187; Security</title>
	<atom:link href="http://itbreathes.com/?feed=rss2&#038;cat=7" rel="self" type="application/rss+xml" />
	<link>http://itbreathes.com</link>
	<description>IT Audit and IT Security blog</description>
	<lastBuildDate>Sat, 10 Oct 2009 09:57:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Backtrack /pentest A to Z Part 3: Enumeration</title>
		<link>http://itbreathes.com/?p=85</link>
		<comments>http://itbreathes.com/?p=85#comments</comments>
		<pubDate>Fri, 09 Oct 2009 17:30:43 +0000</pubDate>
		<dc:creator>phil</dc:creator>
				<category><![CDATA[Backtrack A to Z]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itbreathes.com/?p=85</guid>
		<description><![CDATA[Some of my readers may have noticed I was missing some applications in part 1 and part 2. This discrepancy is caused by the fact that I wasn’t aware of the new Backtrack 4 pre-release. I’m not going to go back and visit those folders though; I’ll leave that exercise up to the reader. Making [...]]]></description>
			<content:encoded><![CDATA[<p>Some of my readers may have noticed I was missing some applications in part 1 and part 2. This discrepancy is caused by the fact that I wasn’t aware of the new Backtrack 4 pre-release. I’m not going to go back and visit those folders though; I’ll leave that exercise up to the reader.</p>
<p>Making our way down the list, the next folder is ‘enumeration’. In this case enumeration really means gathering information, much of it from DNS.</p>
<p>Within the enumeration folder are multiple sub folders containing, in my opinion, an eclectic collection of tools. Starting with the first folder we have <strong>complemento</strong>. This folder really holds three separate tools. <strong>HTTPSquash</strong>, the first of the tools I looked at, is used to find the version of an HTTP server. When run against a Win2k3 machine running IIS this is what it saw.</p>
<div id="attachment_87" class="wp-caption alignnone" style="width: 395px"><a href="http://itbreathes.com/wp-content/uploads/2009/10/image001.png"><img class="size-full wp-image-87" title="image001" src="http://itbreathes.com/wp-content/uploads/2009/10/image001.png" alt="Yup, that's IIS 6" width="385" height="191" /></a><p class="wp-caption-text">Yup, that&#39;s IIS 6</p></div>
<p>This is a nice tool to keep in your toolset when nmap or other tools are giving you conflicting answers. What is interesting is that the enumeration folder also contains another tool for identifying an HTTP server: <strong>HTTPrint</strong>. HTTPrint also performs a scan and guesses which webserver is running on a given IP:</p>
<div id="attachment_88" class="wp-caption alignnone" style="width: 555px"><a href="http://itbreathes.com/wp-content/uploads/2009/10/image003.png"><img class="size-full wp-image-88" title="image003" src="http://itbreathes.com/wp-content/uploads/2009/10/image003.png" alt="It means 'Eat At Joes'" width="545" height="283" /></a><p class="wp-caption-text">It means &#39;Eat At Joes&#39;</p></div>
<p>Returning to the complemento folder we have <strong>Letdown</strong>, a tool designed for performing a DoS attack on a given server, and finally <strong>reverseraider</strong>, which brute forces subdomains/domains for a given website using a wordlist. You’ll notice a trend with the tools in the enumeration folder: many of them are designed to gather DNS information. In my opinion a tool like Maltego is better suited to some of these tasks.</p>
<p><strong>DNS Enumeration</strong></p>
<p>Instead of slowly walking through all the DNS enumeration tools one by one I’m simply going to list them all here. The command line options vary from tool to tool but the concept is the same:</p>
<p><strong>DNSmap</strong>: Maps out a domain’s subdomains using wordlists.</p>
<p><strong>DNSwalk</strong>: A tool designed to troubleshoot DNS zones and to detect where zone transfers are possible.</p>
<p><strong>DNSenum</strong>: Using wordlists or brute force, this tool will discover machines on a given domain. It also uses Google to help discover machines.</p>
<p><strong>DNSRecon</strong>: Yet another DNS enumeration tool, this one written in Ruby.</p>
<p><strong>Fierce</strong>: A wordlist-based DNS enumerator written in Perl.</p>
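<p>As an added example (not code from the post or from any of the tools above), here is the core of what a wordlist-based enumerator such as DNSmap or Fierce does, with the one check a practitioner needs: probing random labels first so a wildcard record does not make every guess look like a hit. The resolver is injected so the logic runs offline; the zone below is constructed, and <code>example.test</code> plus the 203.0.113.x addresses are placeholders.</p>

```python
"""Wordlist-based subdomain discovery with wildcard detection.

Added example; not code from the post or from any BackTrack tool. The
resolver is passed in so the logic runs offline against a constructed
zone; system_resolver() uses the OS resolver for real use.
"""
import random
import socket
import string
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a hostname to its A records, or None when it does not exist.
Resolver = Callable[[str], Optional[List[str]]]


def system_resolver(name: str) -> Optional[List[str]]:
    """Look a name up with the OS resolver (real network traffic)."""
    try:
        return sorted(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels under the domain.

    If they answer, the zone has a wildcard record; every guess would then
    'exist', so the addresses it hands out are returned for filtering.
    """
    hits: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(14))
        addrs = resolve(f"{label}.{domain}")
        if addrs:
            hits.update(addrs)
    return hits


def brute_subdomains(domain: str, wordlist: List[str],
                     resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Try each wordlist entry as a label under the domain.

    Names whose addresses fall entirely inside the wildcard's address set are
    discarded; anything else is reported as a real host.
    """
    wildcard = detect_wildcard(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word:
            continue
        name = f"{word}.{domain}"
        addrs = resolve(name)
        if not addrs:
            continue
        if wildcard and set(addrs) <= wildcard:
            continue
        found[name] = addrs
    return found


# Constructed zone for offline use (RFC 5737 test addresses). example.test
# has a wildcard answering 203.0.113.9 for any unknown label.
FAKE_ZONE = {
    "www.example.test": ["203.0.113.10"],
    "mail.example.test": ["203.0.113.20", "203.0.113.21"],
    "ftp.example.test": ["203.0.113.30"],
}


def fake_resolver(name: str) -> Optional[List[str]]:
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.test"):
        return ["203.0.113.9"]  # wildcard answer
    return None


WORDLIST = ["www", "mail", "ftp", "dev", "vpn", "intranet", ""]

if __name__ == "__main__":
    for host, addrs in brute_subdomains("example.test", WORDLIST, fake_resolver).items():
        print(host, ", ".join(addrs))
```

<p>Without the wildcard probe, dev, vpn and intranet would all be reported as live hosts; with it only the three names whose addresses differ from the wildcard answer survive. Swap <code>fake_resolver</code> for the default <code>system_resolver</code> to run it against a real zone.</p>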
<p>Moving on we get to some of my favorite tools. The three following tools actually use Google to gather information instead of touching your target machines. This information can be useful in helping identify usernames, paths etc. <strong>Gooscan</strong> is a command line tool designed to find interesting folders and CGI exploits on a target by only talking to the Google appliance. This means Google is doing all the research, and the target never sees traffic that identifies you.</p>
<div id="attachment_89" class="wp-caption alignnone" style="width: 659px"><a href="http://itbreathes.com/wp-content/uploads/2009/10/image005.png"><img class="size-full wp-image-89" title="image005" src="http://itbreathes.com/wp-content/uploads/2009/10/image005.png" alt="Quite the frightening message. Better not test this at work." width="649" height="296" /></a><p class="wp-caption-text">Quite the frightening message. Better not test this at work.</p></div>
<p><strong>Metagoofil</strong> is one of my new favorite toys. You give it a domain name and it will grab the files (such as Word documents, PDF, Excel etc) and search those files for metadata such as usernames, paths, deleted text etc. It uses the ‘extract’ command to break out the metadata, so you don’t really need this tool if you have some strong Google-fu. Though it is nice because it can give you an insight into how a company is run. I had some initial problems getting this tool to run. You <strong>MUST</strong> put <strong>#!/usr/bin/python</strong> on the very first line of this script or it will not run (you can also issue the command “python metagoofil.py” but where’s the fun in that?).</p>
<div id="attachment_90" class="wp-caption alignnone" style="width: 332px"><a href="http://itbreathes.com/wp-content/uploads/2009/10/image007.png"><img class="size-full wp-image-90" title="image007" src="http://itbreathes.com/wp-content/uploads/2009/10/image007.png" alt="Who created this document? What kind of funky name is that?" width="322" height="406" /></a><p class="wp-caption-text">Who created this document? What kind of funky name is that?</p></div>
<p>The final Google tool is <strong>Goorecon</strong>. This tool uses Google to gather subdomains it may know about, or email addresses. Why email addresses? Well, knowing an email address may give you some insight into account naming conventions and other interesting tidbits. You could also use it to social engineer your way to access.</p>
<p>Now that we’re done with the Google and DNS enumerators we can look at some of the other tools. The first tool on that list is <strong>LBD</strong>. LBD stands for Load Balancer Detector. It literally does what it’s called. You give it an IP address and it tells you if it’s being load balanced or not. <strong>List-URLS</strong>, in this same vein, also does exactly as advertised. You give it a website and it spiders the site for a listing of all URLs linked from the site.</p>
<p>There are two SNMP tools within this folder: <strong>SNMPcheck</strong> and <strong>SNMPenum</strong>. Both perform pretty much the same task: given an IP address and a community string they query the SNMP service and enumerate what it exposes (system description, interfaces, running processes, users, shares and so on). This, again, is more about gathering information than gaining access.</p>
<p>The last tool in this folder is also very interesting. It’s called <strong>SEAT</strong> or Search Engine Assessment Tool.</p>
<div id="attachment_86" class="wp-caption alignnone" style="width: 634px"><a href="http://itbreathes.com/wp-content/uploads/2009/10/image010.jpg"><img class="size-full wp-image-86" title="image010" src="http://itbreathes.com/wp-content/uploads/2009/10/image010.jpg" alt="Take a SEAT. See what I did there?" width="624" height="346" /></a><p class="wp-caption-text">Take a SEAT. See what I did there?</p></div>
<p>SEAT is a tool which performs the same functions as the Google tools but as you can see uses many more search engines to perform the searches. Using SEAT you can mine information from multiple sources using multiple queries to specify what you’re searching for. An interesting tool for any tool set.</p>
]]></content:encoded>
			<wfw:commentRss>http://itbreathes.com/?feed=rss2&amp;p=85</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Backtrack /pentest A to Z Part 2: Database</title>
		<link>http://itbreathes.com/?p=59</link>
		<comments>http://itbreathes.com/?p=59#comments</comments>
		<pubDate>Fri, 28 Aug 2009 14:13:43 +0000</pubDate>
		<dc:creator>phil</dc:creator>
				<category><![CDATA[Backtrack A to Z]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itbreathes.com/?p=59</guid>
		<description><![CDATA[Welcome to Part 2 of the /pentest A to Z story. Previously we went through the Bluetooth and Cisco folders. I also went through the trouble of explaining my lab setup. In this part we’re just going to be visiting one folder: database Initially I thought this folder would contain tools for exploiting common database [...]]]></description>
			<content:encoded><![CDATA[<p>Welcome to Part 2 of the /pentest A to Z story. Previously we went through the <a href="http://itbreathes.com/?p=34" target="_blank">Bluetooth and Cisco</a> folders. I also went through the trouble of explaining <a href="http://itbreathes.com/?p=47">my lab setup</a>. In this part we’re just going to be visiting one folder: database</p>
<p><img class="alignnone size-full wp-image-61" title="image002" src="http://itbreathes.com/wp-content/uploads/2009/08/image0021.jpg" alt="image002" width="555" height="31" /></p>
<p>Initially I thought this folder would contain tools for exploiting common database vulnerabilities or something simple like a mysql/mssql bruteforcer. Instead, it contains some rather robust tools for testing databases and SQL injection.</p>
<p>For most of the testing performed here I used a Linux distro called ‘Moth’. <a href="http://www.bonsai-sec.com/en/research/moth.php" target="_blank">Moth</a> is a vulnerable Linux distro which runs a web app designed for exactly what I was doing: testing webapp/SQL injection tools.</p>
<blockquote><p>“Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:</p>
<p>1. Testing Web Application Security Scanners</p>
<p>2. Testing Static Code Analysis tools (SCA)</p>
<p>3. Giving an introductory course to Web Application Security.”</p></blockquote>
<p>Speaking of SQL injections the first tool: <strong>blindsql</strong> fits right in. This tool is really just two shell scripts:</p>
<ol>
<li>Sqlcheck.sh. This script simply takes a known URL and a known value that the page is supposed to return and checks if it’s vulnerable to SQL injection.</li>
<li>Sqldata.sh. This script should be able to grab data from the SQL server itself. I, however, was unable to get it to do much more than complain and return nothing.</li>
</ol>
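<p>Added example (not the blindsql scripts themselves): the check sqlcheck.sh performs, expressed in Python against a small in-memory SQLite table standing in for the web app. The same block shows the string-built query that makes the check succeed beside the parameterized version that makes it fail, and the comment trick that turns the injection into data extraction. All table contents are constructed.</p>

```python
"""A string-built SQL query beside its parameterized fix, and the
boolean-based test blindsql's sqlcheck.sh performs: a payload that
should leave the page unchanged and one that should change it.

Added example; not the blindsql scripts. An in-memory SQLite table of
constructed data stands in for the web application's database.
"""
import sqlite3
from typing import Callable, List


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Widget", 1), (2, "Gadget", 1), (3, "Internal prototype", 0),
    ])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, product_id: str) -> List[str]:
    """Splices the ?id= value straight into the query, as the vulnerable page does."""
    sql = f"SELECT name FROM products WHERE id = {product_id} AND public = 1"
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn: sqlite3.Connection, product_id: str) -> List[str]:
    """Same page fixed: the value is bound as a parameter, so it can only ever
    be compared against id, never parsed as SQL. The int() check is extra."""
    try:
        pid = int(product_id)
    except ValueError:
        return []
    rows = conn.execute("SELECT name FROM products WHERE id = ? AND public = 1", (pid,))
    return [row[0] for row in rows]


def as_page(conn: sqlite3.Connection, lookup) -> Callable[[str], str]:
    """Wrap a lookup as 'fetch(value) -> page body', turning DB errors into a 500 page."""
    def fetch(value: str) -> str:
        try:
            rows = lookup(conn, value)
        except sqlite3.Error as exc:
            return f"500 database error: {exc}"
        return "<ul>" + "".join(f"<li>{r}</li>" for r in rows) + "</ul>"
    return fetch


def boolean_blind_check(fetch: Callable[[str], str], base_value: str, expected: str) -> bool:
    """sqlcheck.sh-style test. The parameter looks injectable only if the
    always-true payload leaves the page identical to the baseline and the
    always-false payload removes the expected content; a page that ignores
    both is not proof of anything."""
    baseline = fetch(base_value)
    if expected not in baseline:
        return False
    true_page = fetch(f"{base_value} AND 1=1")
    false_page = fetch(f"{base_value} AND 1=2")
    return true_page == baseline and expected not in false_page


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", boolean_blind_check(as_page(conn, vulnerable_lookup), "2", "Gadget"))
    print("hardened:  ", boolean_blind_check(as_page(conn, hardened_lookup), "2", "Gadget"))
    # Commenting out the rest of the WHERE clause exposes the non-public row.
    print("leak:", vulnerable_lookup(conn, "3 OR 1=1 --"))
    print("fixed:", hardened_lookup(conn, "3 OR 1=1 --"))
```

<p>The check needs both halves: a page that shows Gadget for <code>2 AND 1=1</code> but not for <code>2 AND 1=2</code> is behaving like the database evaluated our condition. Against the parameterized version the true payload already changes the page, so the check correctly reports nothing.</p>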
<p>The next three tools I’m going to lump in together here because I wasn’t really able to put them through their paces.</p>
<p><strong>Metacoretex</strong> is a slick looking Java tool that’s supposedly used for testing Oracle databases. Not running Oracle in my lab (yet) made testing this tool tough. Also, walking through the tool I don’t think I ever got it working right, and trying to read about it on the internet proved impossible because the site for the tool is down (and because Metacoretex is a term used in the Matrix Online, which makes finding anything about it not related to the Matrix Online even harder).</p>
<p><strong>SQLNinja </strong>sounds like a great tool for testing vulnerable ASP/.NET pages and getting a shell on a remote machine. Currently, however, I don’t have a vulnerable web-app I can bang this tool against in my lab. I’m sure ones exist all over the net (the entire .cn TLD perhaps, <a href="http://www.exoticliability.com/" target="_blank">Exotic Liability</a> shoutout!) but the way I’ve setup this lab is to be completely segregated from any outside network so I won’t be testing that.</p>
<p>Finally there’s <strong>sqlbrute</strong>. Presumably a tool used for brute forcing SQL databases. Unfortunately it’s only good for MS SQL and Oracle databases, neither of which I have, so I wasn’t able to test this tool. Though if you have tested this tool out let me know in the comments.</p>
<p>Next on the list is <strong>MiniMysqlat0r</strong>. I loaded this tool up and was surprised by the nice GUI. I put in the ‘moth’ server IP address and let it scan away for about 10 minutes. What I was presented with was a whole slew of places where injection was possible. I selected one of these URLs from the list presented and tested out the SQL Exploiter feature.</p>
<div id="attachment_63" class="wp-caption alignnone" style="width: 634px"><img class="size-full wp-image-63" title="image004" src="http://itbreathes.com/wp-content/uploads/2009/08/image004.jpg" alt="image004" width="624" height="442" /><p class="wp-caption-text">SQLater Exploit Tab</p></div>
<p>This tool was literally able to give me anything I wanted from the server. I could dump the MySQL users table, dump all the databases and even grab a copy of the /etc/passwd file!</p>
<div id="attachment_65" class="wp-caption alignnone" style="width: 634px"><img class="size-full wp-image-65" title="image006" src="http://itbreathes.com/wp-content/uploads/2009/08/image006.jpg" alt="That right there is a nice /etc/passwd file" width="624" height="441" /><p class="wp-caption-text">That right there is a nice /etc/passwd file</p></div>
<p>I tried the /etc/shadow file but alas the mysql user didn’t have the right permissions. Given the time though I would be able to get enough information about this server to find another way in since I’d be able to grab every config file and read through them for weaknesses. One caveat, this was against a very vulnerable server and I’m curious if it’s able to work this well in the real world.</p>
<p>After spending about an hour playing with SQLator I pulled myself away to check out <strong>Pblind</strong>. Not a very complicated tool. You supply it with the URL to test and it tells you if it worked or not, plus a little bit extra. I was able to use it to get the current user but not much else beyond that.</p>
<div id="attachment_67" class="wp-caption alignnone" style="width: 634px"><img class="size-full wp-image-67" title="image008" src="http://itbreathes.com/wp-content/uploads/2009/08/image008.jpg" alt="T h a t i s t h e u s e r n a m e. Hard to read and other tools do a better job." width="624" height="208" /><p class="wp-caption-text">T h a t i s t h e u s e r n a m e. Hard to read and other tools do a better job.</p></div>
<p>Next I tested out SQLiX. No idea what the name of the tool means or what exactly it’s supposed to do. But I was able to get it to tell me that the server I’m testing was vulnerable. Though the tool is a little old and there are far better tools available today.</p>
<div id="attachment_69" class="wp-caption alignnone" style="width: 634px"><img class="size-full wp-image-69" title="image010" src="http://itbreathes.com/wp-content/uploads/2009/08/image010.jpg" alt="SQLiX sounds like a character from Star Trek: Voyager" width="624" height="179" /><p class="wp-caption-text">SQLiX sounds like a character from Star Trek: Voyager</p></div>
<p>Finally we have SQLMap.</p>
<blockquote><p>sqlmap is an open source command-line automatic <a href="http://www.google.com/search?q=SQL+injection">SQL injection</a> tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user&#8217;s specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.</p></blockquote>
<p>As with SQLator, I really liked this tool and was able to glean some interesting information from the database. In this screenshot you can see I was able to get all the usernames from the MySQL user table:</p>
<div id="attachment_71" class="wp-caption alignnone" style="width: 634px"><img class="size-full wp-image-71" title="image012" src="http://itbreathes.com/wp-content/uploads/2009/08/image012.jpg" alt="It even recreates the formatting" width="624" height="357" /><p class="wp-caption-text">It even recreates the formatting</p></div>
<p>Keep in mind this screenshot is from SQLMap itself, pulling information from a blind SQL injection. I don’t have access to the database other than the URL I supplied in the screenshot. However that was just the tip of the iceberg. Using sqlmap I was able to retrieve the name of all the databases I had access to, all the tables within those databases and, if I wanted them, the columns within those tables. All in all I was fairly impressed with this tool.</p>
<p>The version provided on the BackTrack 4 CD, however, is a little old and I’d recommend getting the most recent version from <a href="http://sqlmap.sourceforge.net/">http://sqlmap.sourceforge.net</a>. The newer version has even more interesting functionality such as creating a remote shell and your own SQL shell. If you don’t want to download sqlmap yourself I would recommend you check out the <a href="http://samurai.inguardians.com/ " target="_blank">Samurai LiveCD</a>, a LiveCD designed specifically for testing web frameworks.</p>
<p>That pretty much wraps up the ‘database’ folder. There was one folder I didn’t touch: the UDF folder. I have no idea what it’s for, and apparently neither do the good people at Remote Exploit (the makers of BackTrack): https://wiki.remote-exploit.org/backtrack/wiki/UDF</p>
]]></content:encoded>
			<wfw:commentRss>http://itbreathes.com/?feed=rss2&amp;p=59</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Backtrack /pentest A to Z: My Virtual Lab</title>
		<link>http://itbreathes.com/?p=47</link>
		<comments>http://itbreathes.com/?p=47#comments</comments>
		<pubDate>Thu, 06 Aug 2009 14:04:01 +0000</pubDate>
		<dc:creator>phil</dc:creator>
				<category><![CDATA[Backtrack A to Z]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itbreathes.com/?p=47</guid>
		<description><![CDATA[My Virtual Lab Throughout my career in IT security I’ve always seen hacks, exploits and vulnerabilities and thought ‘hey, that’s interesting, Too bad I don’t run XYZ to test this out’. Around last year I was given a client where I had to install software on my machine. Not wanting to actually install this software [...]]]></description>
			<content:encoded><![CDATA[<p>My Virtual Lab</p>
<p>Throughout my career in IT security I’ve always seen hacks, exploits and vulnerabilities and thought ‘hey, that’s interesting. Too bad I don’t run XYZ to test this out’. Around last year I was given a client where I had to install software on my machine. Not wanting to actually install this software on my work laptop I obtained a VMware license. Now, I have been using VMware at home for a long time to try out LiveCD versions of operating systems or to play around with stuff like OS X, mostly with the free VMPlayer software. This software allows you to test out one VMware image but it’s a little locked down.</p>
<p>Now that I had VMware installed I was able to actually set up some test networks with various operating systems. I tried this out last year and figured out (to my dismay) that VMware + encrypted hard drive = a very SLOW death. With one image running VMware was barely usable; starting up a second image would just kill my machine. So I let the topic die for a while.</p>
<p>Then earlier this year someone posted a hard drive image from a machine they found running Win95. They supposedly found this computer in a parking lot and made an image of the hard drive. The problem was, it was made for VirtualBox. Being curious about this hard drive image I installed VirtualBox and took a look. While there was nothing too exciting about the image, I found that VirtualBox ran really great on my system. I decided to try out another OS and installed Ubuntu. What would originally bring my computer to a crawl was now running at almost full speed. With this in mind I slowly built up a virtual lab to test various exploits, scanners etc against. This is the lab I’m currently using for my Backtrack articles and I find it works great!</p>
<p>My Lab</p>
<p>The current lab I have set up was really more for my entertainment than anything else. I set it up in such a way that I can install software used for security (such as NetMiner, Wireshark, nmap, metasploit etc) but I wanted to be sure that the data flying around inside this network couldn’t get out to my actual network. VirtualBox has a nice feature where you can set up a simple internal network where all the machines can communicate with one another but not with the outside network. But if you need to update a machine it’s as simple as changing the network type drop down, booting the OS and making your updates. VirtualBox also allows you to set up a DHCP server for this internal network so you don’t have to worry about setting static IPs (not that setting static IPs is a problem, but when setting up WinNT or Windows 95/98/ME it saves time not having to reboot all the time).</p>
<p>Let’s walk through my current lab setup:</p>
<p><img class="alignnone size-full wp-image-48" title="image001" src="http://itbreathes.com/wp-content/uploads/2009/08/image001.png" alt="image001" width="452" height="428" /></p>
<p>1)       Windows NT 4. This is an unpatched machine. Really super vulnerable. I just keep it around for nostalgic reasons. If you’re still running Windows NT run, don’t walk, to your IT guy and tell him to upgrade to the newest Windows server version. If your vendor is telling you it’s because their software won’t run on a newer OS then you should weigh the cost of moving to a different vendor vs. the cost of having a data breach. But that’s a different article.</p>
<p>2)       Windows 2003. This is Windows 2003 Server. I use it to test web apps and learn injection techniques, and it also acts as a DNS server, file server and MS SQL database server.</p>
<p>3)       Ubuntu Server 9.04. This is the newest release from Ubuntu. I use this to test vulnerable web apps and web app scanning tools. I installed Damn Vulnerable Web App over the weekend and really like it.</p>
<p>4)       Windows 95. Just a nostalgic machine. Nothing really worthwhile on it except SkiFree.</p>
<p>5)       Windows XP. This is my XP machine with SP3. I don’t really run tests against it (though I will be shortly). Mostly it’s for testing out Windows tools such as Net Miner, Cain &amp; Abel, L0phtCrack and running my Cisco emulator.</p>
<p>6)       Cisco 7200 router. This is my cisco emulated hardware running a 7200 image. I used this in the most recent article about backtrack where I was testing the cisco tools. It runs on top of GNS3 (Graphic Network Simulator) and worked great.</p>
<p>7)       This is the Backtrack 4b image running. It runs from the ISO so as I do my testing I know I’m not changing anything from the default. Eventually I’ll install it to a harddrive image but not until I’ve gone through all the /pentest apps.</p>
<p>Once I got the lab set up it was easy to expand my knowledge about how to use the tools, which tools work, which don’t etc. One thing you’ll notice absent is a Windows 2000 server. I’ll get around to setting one up eventually but for now I think what I’ve got works pretty well.</p>
]]></content:encoded>
			<wfw:commentRss>http://itbreathes.com/?feed=rss2&amp;p=47</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Backtrack /pentest A to Z Part 1: Bluetooth and Cisco</title>
		<link>http://itbreathes.com/?p=34</link>
		<comments>http://itbreathes.com/?p=34#comments</comments>
		<pubDate>Sat, 20 Jun 2009 22:59:00 +0000</pubDate>
		<dc:creator>phil</dc:creator>
				<category><![CDATA[Backtrack A to Z]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itbreathes.com/?p=34</guid>
		<description><![CDATA[Recently Backtrack 4 was released, Backtrack is a great resource to learn about security and penetration testing in general. It also has a lot of tools to perform a variety of task. One of the interesting features in Backtrack 4 is the /pentest folder. It contains tools and resources but it’s a little mystified in [...]]]></description>
			<content:encoded><![CDATA[<p>Recently Backtrack 4 was released, Backtrack is a great resource to learn about security and penetration testing in general. It also has a lot of tools to perform a variety of task. One of the interesting features in Backtrack 4 is the /pentest folder. It contains tools and resources but it’s a little mystified in it&#8217;s presentation. Just a directory hanging out there.  For the next few months I’m going to attempt to de-mystify and test as many of the tools as I can. To make this even more exiting I’ll be doing it from A to Z. Starting with the first folder listed alphabetically and going from there.  Originally I had thought of just doing this as a folder by folder but after looking through everything I’ll just make a judgment call when I want to stop fiddling around. Some posts I’ll cover more than one folder and other times I might only cover a tool or two.</p>
<div class="wp-caption alignnone" style="width: 535px"><a href="http://ITbreathes.com/Pictures/pt1/image001.png"><img title="Pentest Folder Listing" src="http://ITbreathes.com/Pictures/pt1/image001.png" alt="Pentest Folder Listing" width="525" height="82" /></a><p class="wp-caption-text">Pentest Folder Listing</p></div>
<p>So let’s get started shall we?</p>
<div class="wp-caption alignnone" style="width: 502px"><a href="http://itbreathes.com/Pictures/pt1/image002.png"><img title="Bluetooth" src="http://itbreathes.com/Pictures/pt1/image002.png" alt="Not too many programs here!" width="492" height="116" /></a><p class="wp-caption-text">Not too many programs here!</p></div>
<p>This one is an easy one. There are not too many Bluetooth tools here to begin with (mainly because a lot of the Bluetooth tools are built in to the OS, such as hcidump).</p>
<p>Taking a look at blueprint, it’s a tool which allows you to profile a Bluetooth device. You tell it the Bluetooth device ID and it will spit out as much information as it can.</p>
<p>Bluesmash is a GUI tool designed for getting information from phones and exploiting a range of vulnerabilities. Since I don’t really have access to Bluetooth on this machine I can’t go in to more detail than that. I have played with these tools in the past but since I didn’t have a vulnerable phone available at the time I couldn’t really test the vulnerabilities.</p>
<p>Moving on to the next folder, CISCO, we see there is a selection of tools for dealing with (and discovering) Cisco devices (what else did you expect?). To test these tools out I used GNS3 (a Cisco router emulator) and set up my own virtual Cisco 7200 router. It took me a while to set up, but your best bet is to follow the tutorials at BlindHog. I won’t be supplying any image files; I’ll leave that up to the reader to find. The basic GNS3 configuration was set up like this:</p>
<div class="wp-caption alignnone" style="width: 770px"><a href="http://itbreathes.com/Pictures/pt1/image003.png"><img title="Network" src="http://itbreathes.com/Pictures/pt1/image003.png" alt="Go go gadget Cisco emulator!" width="760" height="563" /></a><p class="wp-caption-text">Go go gadget Cisco emulator!</p></div>
<p>Since I’m running all these tests in my lab (with Virtual Box) on a virtualized internal network I had to run GNS3 on a virtual Windows XP instance. In the end, though,  it didn’t really give me too many problems getting it setup.</p>
<p>So once I had setup the practice router I was able to test all the tools available in the cisco folder.</p>
<div class="wp-caption alignnone" style="width: 719px"><a href="http://itbreathes.com/Pictures/pt1/image004.png"><img title="Cisco" src="http://itbreathes.com/Pictures/pt1/image004.png" alt="A few more apps here" width="709" height="29" /></a><p class="wp-caption-text">A few more apps here</p></div>
<p>The first tool I took a look at was CAT, or Cisco Auditing Tool. To call it an auditing tool is a little bit of a misnomer since it’s really just a password brute force tool which connects over the telnet port (23). It has some other features for exploiting an old IOS bug but other than that it just takes a wordlist and attempts to guess the password. You’d be better served using something like hydra or medusa instead (we’ll get to those later on). But I have to say it did work at bruteforcing my password and successfully told me what the password was.</p>
<div class="wp-caption alignnone" style="width: 718px"><a href="http://itbreathes.com/Pictures/pt1/image005.png"><img title="Hackme" src="http://itbreathes.com/Pictures/pt1/image005.png" alt="hack you? dont mind if I do" width="708" height="217" /></a><p class="wp-caption-text">hack you? don&#39;t mind if I do</p></div>
<p>Cisco-Global-exploiter has some interesting functions:</p>
<div class="wp-caption alignnone" style="width: 671px"><a href="http://itbreathes.com/Pictures/pt1/image006.png"><img title="Whoa" src="http://itbreathes.com/Pictures/pt1/image006.png" alt="Wish I could test all of these" width="661" height="260" /></a><p class="wp-caption-text">Wish I could test all of these</p></div>
<p>However, since I didn’t have an image for any of the above cisco machines to try out I can’t really confirm if any of these work. But if you do have a cisco device and have tested this out let me know in the comments section.</p>
<p>Cisco-OCS simply scans for vulnerable Cisco devices. Turns out the device I was running wasn’t vulnerable, it was found but not vulnerable.</p>
<p>Ciscos-1.3 does the same as CAT but instead of trying multiple passwords it simply tries to connect to every IP in a range using the default password ‘cisco’.</p>
<p>And finally we’ve got copy-router-config. This really isn’t too hard to guess. Just start up the tftpd daemon in backtrack and, provided you know the read-write SNMP community string, it will have the router copy its full config to your TFTP server, letting you analyze it later and identify any weaknesses in the config.</p>
<p>And so ends part 1 of our series. As part of this series I’m going to also tell you how I put together my practice lab and a list of other tools that you can use in windows which are not included in the backtrack cd.</p>
<p><strong>Update: </strong>So a friend brought to my attention that I was using an older version of the /pentest folder. Backtrack had released a new CD with a few more tools. Looking through, I found two new tools: Redsnarf and Bluebugger. Redsnarf is a Bluetooth tool designed to hunt down non-discoverable Bluetooth devices (by guessing the last six bytes of the Bluetooth address). Bluebugger simply pulls down as much information from a Bluetooth phone as it can. Unfortunately, since I don&#8217;t allow VirtualBox access to my Bluetooth hardware, I wasn&#8217;t able to test these tools. If you have, let me know in the comments.</p>
<p>Furthermore, in the Cisco folder I noticed a rather odd addition, a tool entitled &#8216;oscanner&#8217;. When I looked up what this tool does, it doesn&#8217;t sound like it&#8217;s in the correct folder at all. This tool is really called &#8216;Oracle Scanner&#8217; and is used to perform a slew of tests against an Oracle database. Since I don&#8217;t have Oracle installed I wasn&#8217;t able to test it out, but from what I&#8217;ve read about the tool it sounds promising, if only it were located in the Database folder instead.</p>
]]></content:encoded>
			<wfw:commentRss>http://itbreathes.com/?feed=rss2&amp;p=34</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>The Hunt</title>
		<link>http://itbreathes.com/?p=6</link>
		<comments>http://itbreathes.com/?p=6#comments</comments>
		<pubDate>Thu, 07 Aug 2008 14:20:09 +0000</pubDate>
		<dc:creator>phil</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Add new tag]]></category>

		<guid isPermaLink="false">http://itbreathes.com/?p=6</guid>
		<description><![CDATA[Last night I got a request from a friend for help dealing with someone sending harassing emails. He wanted to know how hard it would be to trace back someone’s IP to find out who they are. All I knew was the person used a hotmail address to send the email so I asked for [...]]]></description>
			<content:encoded><![CDATA[<p>Last night I got a request from a friend for help dealing with someone sending harassing emails. He wanted to know how hard it would be to trace back someone’s IP to find out who they are. All I knew was the person used a hotmail address to send the email so I asked for the email headers from the original email. Email headers are a part of every single email and are basically a log of how that email got from that person to you. Luckily Hotmail adds something special to the email headers: X-Originating-IP.</p>
<blockquote>
<p class="MsoNormal">X-Originating-IP: The IP address of the computer on which the email originated.</p>
</blockquote>
<p class="MsoNormal">When you use a web-based email service like Hotmail, Yahoo! or Gmail, they add the X-Originating-IP header to the email. Most people think they can simply create a fake account on one of these web-based email services and be completely anonymous. There are ways to make it anonymous, but I’ll get to those later.</p>
<p class="MsoNormal">With email headers in hand I went to my favorite web resource: Domain Dossier at CentralOps.net. It gives me a wealth of information while keeping my IP out of the logs; it also combines all the tools I would otherwise run by hand (nslookup, traceroute, whois, nmap, etc.) in one click.</p>
<p class="MsoNormal"><img src="/Pictures/domain_dossier.png" alt="Domain Dossier" width="464" height="156" /></p>
<p class="MsoNormal">It takes about 10 seconds to run through the whole search. After reading through the report I saw the person had a web server running on port 80 (Ubuntu, if you must know). So the first thing I did was fire up Firefox and see if they had a website. I was hoping they would be hosting their own personal website and that would be the end of this. When the site loaded I was greeted with the words “Holder Page”. No formatting, just those words. But having the server running gave me some hope. So I fired up my copy of <a title="Backtrack" href="http://www.remote-exploit.org/backtrack.html" target="_blank">Backtrack</a> (I have a love-hate relationship with Backtrack, see my previous entry) and ran the tool <a title="Nikto" href="http://www.cirt.net/nikto2" target="_blank">Nikto</a>.</p>
<blockquote>
<p class="MsoNormal">Nikto is an Open Source (<a href="http://www.gnu.org/licenses/licenses.html#GPL">GPL</a>) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).</p>
</blockquote>
<p class="MsoNormal">It gave me a plethora of lovely information. Not much at first but I just let it run for an hour.</p>
<p class="MsoNormal"><a href="http://itbreathes.com/Pictures/nikto.png"><img style="border: 0px;" src="/Pictures/nikto.png" border="0" alt="Nikto Scan" width="462" height="172" /></a></p>
<p class="MsoNormal">After waiting for the scan to finish I noticed something interesting. The web server had a folder sitting off of root called pics. I went back to Firefox, typed in our harasser’s IP and added /pics/ to the end. Since directory indexing was still enabled on the server (which should really be turned off, people) I was able to get a listing of all the pictures this person was “secretly” sharing with the rest of the world. I saved all the pictures to my hard drive and sent them off to my friend, who was able to identify the person sending the harassing emails and confront him with the evidence I put together for him.</p>
<p class="MsoNormal"><strong>How could all of this have been avoided?</strong></p>
<p class="MsoNormal">It’s really simple to avoid this sort of thing and I’m just going to give a quick listing:</p>
<ul>
<li>Use Tor. Tor, while slow, would have made it impossible to trace back.</li>
<li>Use the library or a school. While it would have given me the person’s school or approximate location, my searches would have ended there.</li>
<li>Don’t run your own web server on the same connection you’re sending harassing emails from. Doubly so if you’re going to store pictures on that server.</li>
<li>Use a web service that doesn’t log X-Originating-IP. I won’t tell you where you can find these, but Google is a good resource.</li>
<li>Don’t send harassing emails to people you know.</li>
</ul>
<p class="MsoNormal"><strong>Update</strong>: According to my friend once he brought some of the evidence I sent him to the person who we suspected sent the email he confessed. Mission accomplished!</p>
]]></content:encoded>
			<wfw:commentRss>http://itbreathes.com/?feed=rss2&amp;p=6</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Eh tu Brutus? Medusa vs the Hydra</title>
		<link>http://itbreathes.com/?p=4</link>
		<comments>http://itbreathes.com/?p=4#comments</comments>
		<pubDate>Mon, 02 Jun 2008 02:18:47 +0000</pubDate>
		<dc:creator>phil</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Brute Forcing]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Penetration Testing]]></category>

		<guid isPermaLink="false">http://itbreathes.com/?p=4</guid>
		<description><![CDATA[To follow up the rousing discussion about Microsoft’s COFEE (thanks Peter!) I thought I would bring to you the marvelous world of brute forcing logons. On linux there are two wonderful tools for brute forcing multiple protocols: THC-Hydra and Medusa. THC-Hydra, made by The Hackers Choice was really the first brute forcing pentest tool using [...]]]></description>
			<content:encoded><![CDATA[<p>To follow up the rousing discussion about Microsoft’s COFEE (thanks Peter!) I thought I would bring to you the marvelous world of brute forcing logons. On linux there are two wonderful tools for brute forcing multiple protocols: THC-Hydra and Medusa.</p>
<p class="MsoNormal">THC-Hydra, made by The Hacker’s Choice, was really the first brute forcing pentest tool to use multiple threads and support multiple protocols. The most recent version was updated 2 years ago. You can find the most recent version and more information here: http://freeworld.thc.org/thc-hydra/</p>
<p class="MsoNormal">Medusa was made by Foofus. It was really built because the developer wasn’t happy with the way THC-Hydra was handling threading. The most recent version is about a year old. You can find more information here: http://www.foofus.net/jmk/medusa/medusa.html</p>
<p class="MsoNormal">Both tools fundamentally do the same thing: they allow you to specify a username (or supply a list of usernames) and a list of passwords to test against a given protocol. For this test we’re going to try to brute force the user ‘Brutus’ on the local machine using SSH.</p>
<p class="MsoNormal">One little caveat, I went into this task assuming that Medusa would leave THC-Hydra’s stone corpse sinking to the bottom of the ocean.</p>
<p class="MsoNormal"><strong>The Setup</strong></p>
<p class="MsoNormal">To test each tool I installed Vector Linux to a new VMware image. Vector Linux is a great lightweight Linux distribution based on Slackware, made for older machines, and is really fast.</p>
<p class="MsoNormal"><strong>Compiling</strong></p>
<p class="MsoNormal">I compiled each tool from source by issuing the ol’ ‘./configure, make’ and running the compiled binaries. This is where I hit my first snag with THC-Hydra. Vector Linux comes with only the newest version of the SSH libraries. After working for about an hour I was finally able to force it to use a downloaded older version of the libraries. Medusa, however, uses the newer libraries and was able to compile without any hiccups. Each tool, however, has its own set of dependencies for various brute forcing options. For example, in Medusa you would need extra libraries to brute force Subversion (SVN) logons.</p>
<p class="MsoNormal"><strong>Testing the tools</strong></p>
<p class="MsoNormal">Hydra and Medusa have their own syntax, but they are very similar. To run the test with Hydra I entered the following command:</p>
<blockquote>
<p class="MsoNormal">./hydra -l brutus -P /home/grassmunk/dict.txt 192.168.1.130 ssh</p>
</blockquote>
<p class="MsoNormal">The Hydra command works like this: the -l is the username you want to test, in this case ‘brutus’. The -P is the password file you want to use. Once you’ve established the username(s) and passwords to test, you simply tell Hydra which server to use, in this case 192.168.1.130, and the protocol to use, which was ssh.</p>
<p class="MsoNormal">Here’s where I hit my second snag.</p>
<blockquote>
<p class="MsoNormal">./hydra: error while loading shared libraries: libssh.so: cannot open shared object file: No such file or directory</p>
</blockquote>
<p class="MsoNormal">So even though it compiled fine it wasn’t able to locate the library files. I copied that damn file everywhere but to no avail.</p>
<p class="MsoNormal">To test Medusa I entered the following command:</p>
<blockquote>
<p class="MsoNormal">./medusa -h 192.168.1.130 -u brutus -p /home/grassmunk/dict.txt -M ssh</p>
</blockquote>
<p class="MsoNormal">As you can see the syntax is very similar. The -u is the username, the -p is the password file and the -M is the protocol to use (which Medusa calls a ‘Module’).</p>
<p class="MsoNormal">This is where I hit my first problem with Medusa: after running the command it crashed and spit out this lovely debug information.</p>
<p class="MsoNormal"><img src="/Pictures/medusa-SSH.jpg" alt="Medusa SSH Crash" width="640" height="422" /></p>
<p class="MsoNormal">It was at this point I was about ready to give up. Neither of these tools was really usable or good at testing SSH brute forcing. One needed old SSH libraries to work and the other crashed and burned upon first use.</p>
<p class="MsoNormal">Seeing as this might be due to Vector Linux, I tried each tool in BackTrack. BackTrack is a pentester’s Linux live CD distribution. It has a lot of tools you can use to scan, test and break into systems. You can find it here: http://www.remote-exploit.org/backtrack.html</p>
<p class="MsoNormal">With BackTrack loaded I was able to test each tool, and the outcomes were astounding! For a newer and better tool, Medusa was the slower and less usable of the two. Medusa would fail after 4 or 5 logon attempts. Initially I thought this was due to my configuration of SSH, but THC-Hydra had no problems blowing through 42 logons every second.</p>
<p class="MsoNormal">I also tested FTP on Vector Linux, which worked in both tools, and the results were exactly the same: THC-Hydra runs flawlessly while Medusa stops after a handful of logons.</p>
<p class="MsoNormal"><strong>Conclusion</strong></p>
<p class="MsoNormal">When I first discovered Medusa I was really excited. It sounded like a faster and newer tool than THC-Hydra, but in the end The Hacker’s Choice really stands true. It’s the best and fastest tool out there and the easiest to use.</p>
<p class="MsoNormal"><strong>Note:</strong> I also tested a tool included with BackTrack called SSHater. I can&#8217;t say how disappointed I was with this tool. When I set up the servers I picked a password and put it in between the 900th and 901st passwords so I could see what happened when the tool returned a positive. SSHater tested every password with multiple errors, passed my password without even blinking and continued on. I waited until the tool went through every password and it didn&#8217;t even say anything. As far as I could tell SSHater just lists the passwords and a bunch of errors. I didn&#8217;t bother looking at the SSH log to see if it was actually trying to initiate a connection though.</p>
]]></content:encoded>
			<wfw:commentRss>http://itbreathes.com/?feed=rss2&amp;p=4</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft serves up some Hot COFEE</title>
		<link>http://itbreathes.com/?p=3</link>
		<comments>http://itbreathes.com/?p=3#comments</comments>
		<pubDate>Fri, 09 May 2008 14:59:18 +0000</pubDate>
		<dc:creator>phil</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Hak5]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[USB]]></category>

		<guid isPermaLink="false">http://itbreathes.com/?p=3</guid>
		<description><![CDATA[Microsoft just recently released a tool to help IT security people do their forensics work. The tool is called COFEE (Computer Online Forensic Evidence Extractor) and it&#8217;s a USB key with U3 capabilities. A U3 USB thumb drive works such that Windows accepts the drive as a CD with autorun capabilities. Once inserted the USB key drive [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal"><span style="font-family: Arial;">Microsoft just recently released a tool to help IT security people do their forensics work. The tool is called COFEE (<span>Computer Online Forensic Evidence Extractor) and it&#8217;s a USB key with U3 capabilities. A U3 USB thumb drive works such that Windows accepts the drive as a CD with autorun capabilities. Once inserted the USB key drive goes to work collecting what it can using whatever tools Microsoft has at its disposal. Here’s an excerpt from their site:</span></span></p>
<blockquote><p>COFEE (Computer Online Forensic Evidence Extractor) is a framework for first-responders to customize a set of command line tools. It is a framework that law enforcement can use to leverage publically available tools to access information on a live Windows system operating from a USB storage device. The tool allows law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.</p></blockquote>
<p class="MsoNormal"><span style="font-family: Arial;">Now the problem I see with this tool is you have to initiate the scanning manually. What if you’re trying to gather data off of a running headless server? You’ll have to get a username and password for the server, which might prove difficult if you’re law enforcement.</span></p>
<p class="MsoNormal"><span style="font-family: Arial;">Unfortunately Microsoft is only providing this tool to those in law enforcement, and so far only Interpol. So what can we laypeople use? Well, there are plenty of alternatives out there.</span></p>
<p class="MsoNormal"><strong><span style="font-family: Arial;">Linux Live CDs</span></strong></p>
<p class="MsoNormal"><span style="font-family: Arial;">There are a multitude of Live CDs out there to choose from for this type of work. <a href="http://www.remote-exploit.org/backtrack.html">Backtrack</a> gives you a slew of forensics tools as well as others for tasks such as adding a user to Windows and downloading the entire LMHash db. There’s also <a href="http://www.e-fense.com/helix/">Helix</a>, which provides you with a multitude of forensic tools. The only problem with a live CD is that you must shut down the machine and reboot it into Linux. This erases everything held in the machine’s memory. One of the upsides, however, is that you can mount the Windows hard drives as read-only.</span></p>
<p class="MsoNormal"><strong><span style="font-family: Arial;">Hak5’s USB Switchblade</span></strong></p>
<p class="MsoNormal"><span style="font-family: Arial;">This is where I think Windows got the whole idea for this anyway. It’s basically a USB key that has U3 and contains a whole slew of tools for gathering evidence. The key with Switchblade is that it doesn’t need any interaction from a user. The main downside is it can get caught by anti-virus software. You can find information about the tool and download it here: <a href="http://wiki.hak5.org/wiki/USB_Switchblade">http://wiki.hak5.org/wiki/USB_Switchblade</a>.</span></p>
<p class="MsoNormal"><span style="font-family: Arial;">In the end Microsoft really isn’t doing anything new here. The reason everyone is in an uproar over this is because privacy experts are concerned COFEE is using some as yet unknown backdoors into Windows. While I doubt that’s the case, it is interesting that Microsoft is only releasing COFEE to law enforcement and no one outside that area is allowed access to the tool. That doesn’t mean people won’t get access, but if it smells fishy it’s probably fish.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://itbreathes.com/?feed=rss2&amp;p=3</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
