Network Diagram

The network features a Moodle instance, which is protected by a firewall that will be configured as requested by the exercise.
[network diagram not included]

Scanning and Blocking TCP Scan.

In this first exercise, the following steps will be performed:

  • Run a TCP connect scan (-sT) to check the open ports of the machine.
  • Add the necessary iptables rule to block this scan, then run the TCP scan again to verify the new behavior.

First scan

Using nmap, I perform a TCP scan against the target before applying any firewall blocks. This is the result:

nmap -p- --open -vvv -sT --min-rate 5000 192.168.48.131

[screenshot not included]

Firewall Configuration

The following rules have been applied to iptables:

sudo iptables -A INPUT -p tcp --syn -m limit --limit 2/s --limit-burst 5 -j ACCEPT
sudo iptables -A INPUT -p tcp --syn -j DROP

A TCP connect scan is quite difficult to block, since its SYN packets are identical to those of legitimate connections and dropping them outright would also block legitimate traffic, which we want to avoid. Therefore, the restriction targets the rate of incoming SYN packets rather than the packets themselves.
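The two rules above behave like a token bucket: the bucket holds at most 5 tokens (--limit-burst 5), refills at 2 tokens per second (--limit 2/s), and every SYN that finds a token is accepted while the rest fall through to the DROP rule. The Python below is an added example (not part of the lab report and not the kernel's own implementation) that models that bucket and runs two constructed arrival patterns through it: probes at 5000 per second, as with --min-rate 5000, and probes spaced 500 ms apart.

```python
"""Token-bucket model of the lab's SYN rate limit
(`-m limit --limit 2/s --limit-burst 5 -j ACCEPT` followed by `--syn -j DROP`).
Added example; not part of the lab report and not the kernel's own code."""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float                      # tokens added per second (--limit 2/s)
    burst: int                       # bucket capacity (--limit-burst 5)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)   # iptables starts with the burst fully available

    def allow(self, now: float) -> bool:
        """Refill for the time elapsed since the last packet, then spend one token if possible."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_syns(arrival_times, rate=2.0, burst=5):
    """Walk the two-rule chain for each SYN: the limit rule ACCEPTs while a token is
    available, everything else falls through to the DROP rule.
    Returns (accepted_indices, dropped_indices)."""
    bucket = TokenBucket(rate, burst)
    accepted, dropped = [], []
    for i, t in enumerate(arrival_times):
        (accepted if bucket.allow(t) else dropped).append(i)
    return accepted, dropped


def fast_scan(n_probes=100, probes_per_second=5000):
    """Constructed arrival times for a scan sending --min-rate 5000 probes per second."""
    return [i / probes_per_second for i in range(n_probes)]


def slow_scan(n_probes=100, delay_seconds=0.5):
    """Constructed arrival times for a scan that waits 500 ms between probes (at the limit)."""
    return [i * delay_seconds for i in range(n_probes)]


if __name__ == "__main__":
    for label, times in (("fast", fast_scan()), ("slow", slow_scan())):
        accepted, dropped = filter_syns(times)
        print(f"{label}: {len(accepted)} SYNs accepted, {len(dropped)} dropped")
```

At 5000 probes per second only the initial burst of 5 gets through, which is why the second scan in this exercise finds nothing; at 2 probes per second or slower every SYN is accepted, which is why the slow scan later in the exercise still works. The rule is therefore a speed bump, not a block, and it also throttles legitimate clients that open many connections at once; putting an iptables LOG rule in front of the DROP rule is what turns the throttled bursts into something a defender can see.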

Second TCP Scan

When performing the exact same scan as in section 1 of this exercise, we obtain the following result:

nmap -p- --open -vvv -sT --min-rate 5000 192.168.48.131

[screenshot not included]

Bypass

Since we cannot block TCP packets without blocking legitimate traffic, the applied restriction is based on the frequency of incoming packets. Therefore, the only thing we need to do to bypass the firewall is to reduce the scanning speed.

nmap -p- --open -vvv -sT -T2 192.168.48.131

[screenshot not included]
As we can see, it detects the ports, but it takes quite a long time.

Wireshark

[Wireshark capture not included]
Here we can verify how everything is working: the scanning host sends TCP packets with the SYN flag set to the target, and the target responds with RST, ACK packets. This is typical behavior for legitimate systems.


Bypassing Firewall SYN Packet Blocking.

In this exercise, different types of scans will be tested to try to evade the previous filtering. Wireshark will be used to analyze the generated traffic.

  • Perform a FIN Scan (-sF) to check if open ports are detected and if we can bypass the firewall restrictions.
  • Perform a NULL Scan (-sN) to check if open ports are detected and if we can bypass the firewall restrictions.
  • Perform an XMAS Scan (-sX) to check if open ports are detected and if we can bypass the firewall restrictions.

FIN Scan

nmap -p- --open -vvv -sF --min-rate 5000 192.168.48.131

[screenshot not included]
As we can see, nmap sends numerous FIN packets, and the host responds with RST, ACK packets, allowing nmap to detect the open ports.
[Wireshark capture not included]

NULL Scan

nmap -p- --open -vvv -sN --min-rate 5000 192.168.48.131

[screenshot not included]
The NULL scan successfully detected the ports. As shown, nmap sends the NULL TCP packets to the host, and it responds with RST, ACK, allowing the identification of the ports.
[Wireshark capture not included]

XMAS Scan

nmap -p- --open -vvv -sX --min-rate 5000 192.168.48.131

[screenshot not included]
The XMAS scan sends packets with a specific set of flags (FIN, PSH, URG), and the host responds to them.
[Wireshark capture not included]


Blocking FIN, NULL, and XMAS Packets.

In this exercise, we are going to block the scan types that are still revealing open port information.

  • Add the necessary rule in iptables to block FIN packets. Re-verify all three scans to see if the rule works properly and if the other two scans still work.
  • Add the necessary rules in iptables to block NULL and XMAS packets and verify that these scans no longer provide open port information.

Firewall

sudo iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
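What makes these rules safe for legitimate traffic is the semantics of --tcp-flags MASK COMP: only the flags named in MASK are inspected, and the rule matches when the set ones among them are exactly COMP. The Python below is an added example (not the lab's code and not iptables itself) that implements that matching, walks the seven rules in chain order, and checks both the nmap probe flag sets (FIN, NULL, FIN/PSH/URG for XMAS) and the flag combinations a normal TCP session produces, so you can confirm that the chain drops the scans while a SYN, SYN/ACK, data segment, graceful FIN/ACK close and RST/ACK all still pass.

```python
"""Model of iptables `--tcp-flags MASK COMP` matching, run over the lab's seven
DROP rules and the flag sets each packet type carries.
Added example; not part of the lab report and not iptables code."""

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_BITS = sum(FLAG_BITS.values())      # "ALL" in iptables syntax


def flags(spec: str) -> int:
    """Turn an iptables-style flag list ("SYN,FIN", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return ALL_BITS
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))


def tcp_flags_match(mask: str, comp: str, packet_flags: int) -> bool:
    """iptables semantics: look only at the flags named in MASK and match when the
    set ones among them are exactly COMP. Flags outside MASK are ignored."""
    return (packet_flags & flags(mask)) == flags(comp)


# The lab's INPUT rules in chain order; each is "-p tcp --tcp-flags MASK COMP -j DROP".
DROP_RULES = [("SYN,FIN", "SYN,FIN"), ("SYN,RST", "SYN,RST"), ("FIN,RST", "FIN,RST"),
              ("ALL", "NONE"), ("ALL", "ALL"), ("ALL", "FIN"), ("ALL", "FIN,PSH,URG")]


def first_dropping_rule(packet_flags: int):
    """Walk the chain the way the kernel does; return the matching rule as
    "MASK COMP", or None when the packet falls through to the default policy."""
    for mask, comp in DROP_RULES:
        if tcp_flags_match(mask, comp, packet_flags):
            return f"{mask} {comp}"
    return None


# Flag sets per packet type: the nmap probes from this lab and the packets
# a legitimate TCP session produces.
PACKETS = {
    "SYN scan / connect() SYN (-sS, -sT)": "SYN",
    "FIN scan (-sF)": "FIN",
    "NULL scan (-sN)": "NONE",
    "XMAS scan (-sX)": "FIN,PSH,URG",
    "legit SYN/ACK": "SYN,ACK",
    "legit data segment": "PSH,ACK",
    "legit graceful close": "FIN,ACK",
    "legit reset": "RST,ACK",
}


def audit_chain(packets=PACKETS):
    """Map each packet type to the rule that drops it (None means accepted)."""
    return {name: first_dropping_rule(flags(spec)) for name, spec in packets.items()}


if __name__ == "__main__":
    for name, verdict in audit_chain().items():
        print(f"{name:40s} -> {'DROP by ' + verdict if verdict else 'accepted'}")
```

One detail the walk makes visible: a packet with every flag set is already caught by the first rule (SYN,FIN SYN,FIN), so the ALL ALL rule never fires in this chain order. That is harmless, but it is the kind of thing worth checking with iptables -L -v (the packet counters) rather than assuming.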

FIN Scan

nmap -p- --open -vvv -sF --min-rate 5000 192.168.48.131

[screenshot not included]
As we can see, packets with the FIN flag no longer receive a response because the firewall drops them, which causes ALL ports to be marked as OPEN. Consequently, the attacker is unable to identify which ports are actually open.
[screenshot not included]

NULL Scan

nmap -p- --open -vvv -sN --min-rate 5000 192.168.48.131

The NULL scan was unable to find any open ports.
[screenshot not included]
As shown in the following Wireshark capture, there is no response from the host to the NULL packets, proving that the firewall rules are working properly.
[Wireshark capture not included]

XMAS Scan

nmap -p- --open -vvv -sX --min-rate 5000 192.168.48.131

The XMAS scan was unable to bypass the firewall.
[screenshots not included]


Packet Size Filtering and Stealth Scan Bypass.

In this exercise, instead of blocking packets using flags, we will do it using packet length. You must use a clean iptables configuration by flushing the rules created in previous exercises.

  • Add a block for packets with a length of 60 bytes to block TCP Connect scans (-sT).
  • Perform a Stealth scan (-sS) and check if the firewall restrictions are bypassed.

Firewall

sudo iptables -A INPUT -p tcp -m length --length 60 -j DROP

Stealth Scan

nmap -p- --open -vvv --min-rate 5000 -sS 192.168.48.131

The scan is able to bypass the block without much difficulty.
[screenshots not included]


Fragment Scan and Bypassing Packet Size Filters.

  • Add a block for packets with lengths of 40, 44, and 60 bytes, and verify that FIN, NULL, and XMAS scans do not work.
  • Employ the Fragment scan (-f) and check the results.
  • Employ a scan customizing the packet size (--data-length) and check the results.
  • Add a packet filter for sizes between 1 and 100 bytes and test the --data-length option to evade the filtering.

Firewall

sudo iptables -A INPUT -p tcp -m length --length 40 -j DROP
sudo iptables -A INPUT -p tcp -m length --length 44 -j DROP
sudo iptables -A INPUT -p tcp -m length --length 60 -j DROP

This configuration successfully blocked all the specified attacks.

Fragmentation

nmap -p- --open -vvv -sX -f --data-length 30 --min-rate 5000 192.168.48.131

As we can see, once the packets are fragmented the firewall drops nothing, and the ports are identified successfully.
[screenshots not included]
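The three length rules and the fragmentation bypass above both come down to the IP total length of each datagram the scanner emits. The Python below is an added example (not the lab's code) that computes that length for each probe type from the header sizes: a 20-byte IPv4 header plus a 20-byte TCP header, plus the option bytes the sending stack adds. The option lengths are typical values assumed here (a Linux connect() SYN carries about 20 bytes of options, an nmap raw SYN carries a 4-byte MSS option, FIN/NULL/XMAS probes carry none), which is where the lab's 60, 44 and 40 come from. It then shows what -f does (nmap splits everything after the IP header into 8-byte fragments) and what a 1:100 range rule would catch instead.

```python
"""IP total lengths of nmap probes versus the lab's `-m length --length 40/44/60`
rules, including the effect of `-f` fragmentation and `--data-length`.
Added example; not part of the lab report."""

IP_HEADER = 20                    # IPv4 header without options
TCP_HEADER = 20                   # TCP header without options
BLOCKED_LENGTHS = {40, 44, 60}    # the lab's three exact-length DROP rules


def ip_total_lengths(tcp_options=0, data=0, fragment_payload=None):
    """Total-length field of every IPv4 datagram sent for one TCP probe.
    fragment_payload=None models an unfragmented packet; 8 models `nmap -f`,
    which splits everything after the IP header into 8-byte pieces (16 for -ff)."""
    transport = TCP_HEADER + tcp_options + data
    if fragment_payload is None:
        return [IP_HEADER + transport]
    return [IP_HEADER + min(fragment_payload, transport - offset)
            for offset in range(0, transport, fragment_payload)]


def dropped_exact(lengths, blocked=BLOCKED_LENGTHS):
    """Which datagrams a set of exact rules drops (iptables -m length --length N)."""
    return [length in blocked for length in lengths]


def dropped_range(lengths, low=1, high=100):
    """Which datagrams a range rule drops (iptables -m length --length low:high)."""
    return [low <= length <= high for length in lengths]


# Option byte counts are assumed typical values for the stacks involved (see lead-in).
PROBES = {
    "-sT connect() SYN":        dict(tcp_options=20),
    "-sS SYN probe":            dict(tcp_options=4),
    "-sF / -sN / -sX probe":    dict(),
    "-sX --data-length 30":     dict(data=30),
    "-sX -f --data-length 30":  dict(data=30, fragment_payload=8),
}


def probe_report(probes=PROBES):
    """Map each probe to (datagram lengths, dropped by the exact rules?, dropped by 1:100?)."""
    report = {}
    for name, kwargs in probes.items():
        lengths = ip_total_lengths(**kwargs)
        report[name] = (lengths, any(dropped_exact(lengths)), any(dropped_range(lengths)))
    return report


if __name__ == "__main__":
    for name, (lengths, exact, ranged) in probe_report().items():
        print(f"{name:28s} lengths={lengths} exact_rules={exact} range_1_100={ranged}")
```

The fragmented XMAS probe becomes six 28-byte datagrams and one 22-byte datagram, none of which is 40, 44 or 60, and even without -f the extra 30 bytes of payload turn the 40-byte probe into a 70-byte one. A 1:100 range catches all of those, but it also catches ordinary traffic such as a 52-byte pure ACK with timestamps, so length matching is a classroom demonstration of why exact-size filters are brittle rather than a control to deploy on its own. Note also that when the conntrack module is loaded the kernel reassembles fragments before the filter table sees them, in which case the reassembled 70-byte datagram is what the rules match against.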


TTL Filtering and Bypass.

Another field used for packet filtering is the Time-To-Live (TTL). In this exercise, filtering and bypass tests based on this value will be conducted.

  • Establish an iptables rule to filter packets with a ttl=64 value and check the behavior of different scanners.
  • Establish an iptables rule to filter packets with a value less than or equal to 64 and check the behavior of different scanners.
  • Perform the bypass for the previous rules.

Firewall

sudo iptables -A INPUT -m ttl --ttl-eq 64 -j DROP

First Scan

nmap -p- --open -vvv -sT -f --min-rate 5000 192.168.48.131

This fragmented TCP scan was unable to pass the filter, and therefore its packets were blocked.
[screenshots not included]

Bypass

By using the --ttl option, I am able to bypass the filter.

nmap -p- --open -vvv -sT --ttl 128 --min-rate 5000 192.168.48.131

[screenshot not included]


Filtering by Packet Source Port.

In this exercise, rules will be applied to filter packets based on their source port.

  • Add a rule in iptables to only allow connections from a source port of your choice and block all other traffic.
  • Check if the different nmap scanners are successful.
  • Use the -g option to define the source port of the nmap packets and check if the scans are successful.

Firewall

sudo iptables -A INPUT -p tcp --sport 4444 -j ACCEPT
sudo iptables -A INPUT -p tcp -j DROP

This configuration will block all packets that do not originate from port 4444.

First Scan

nmap -p- --open -vvv -sT --ttl 128 --min-rate 5000 192.168.48.131

[screenshot not included]
A standard TCP scan is unable to pass through the firewall because the source ports used by nmap are randomized by default, meaning very few packets will match the allowed source port.
[Wireshark capture not included]

Bypass

Let's assume that through brute force and extensive testing, we have found out that the allowed port is 4444. Therefore, we simply need to specify the source port from which the scan will be launched.

nmap -p- --open -vvv -sS -g 4444 --min-rate 5000 192.168.48.131

[screenshot not included]
As we can see in Wireshark, all packets have now been sent from the specified source port.
[Wireshark capture not included]


MAC Address Filtering and MAC Spoofing Techniques with Nmap.

In this exercise, we will verify how an administrator can block or allow access only to specific MAC addresses and how we can evade these restrictions using nmap.

  • Add iptables rules to only allow connections from a specific MAC address of your choice.
  • Perform the scan using nmap options to spoof the utilized MAC address.

Firewall

iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
iptables -A INPUT -j DROP

This configures the firewall to only accept packets coming from the MAC address 00:11:22:33:44:55.

Initial Scan

nmap -p- --open -vvv -sS -g 4444 --min-rate 5000 192.168.40.129

This scan cannot be completed.
[screenshot not included]
Since the packets do not come from the allowed MAC address, iptables drops all of the traffic.
[screenshot not included]

Bypass

nmap -p- --open -vvv -sS --min-rate 5000 --spoof-mac 00:11:22:33:44:55 192.168.40.129

We will use the --spoof-mac directive to send packets with a fake MAC address. This MAC address matches the one explicitly allowed by the system.
[screenshot not included]
If we inspect the packet, we can see that the specified MAC address is indeed the spoofed one.
[screenshots not included]


IP Address Filtering and IP Spoofing Techniques with Nmap.

This exercise is similar to the previous one, but the filtering and spoofing must be performed on IP addresses.

Firewall

iptables -A INPUT -s 192.168.40.50 -j ACCEPT
iptables -A INPUT -j DROP

First Scan

nmap -p- --open -vvv -sS --min-rate 5000 192.168.40.129

This scan will be blocked by the firewall because the source IP is not the one accepted by the system.
[screenshots not included]

Bypass

We need to spoof our IP address. To do this, we assign the allowed IP to our own interface with the following command:

ip addr add 192.168.40.50/24 dev eth0

[screenshot not included]
And now we execute the scan:

nmap -sS -S 192.168.40.50 -e eth0 -Pn 192.168.40.129

[screenshot not included]
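Each of the last four exercises (source port, TTL, MAC and IP) bypassed a rule that trusts a header field the sender controls, and each bypass leaves a trace a defender can look for: one source port reaching many destination ports (-g), one source IP arriving with more than one TTL (--ttl), one IP seen behind two MACs (--spoof-mac) and one MAC sending from two IPs (the allowed IP added to the attacker's interface). The Python below is an added example (not the lab's code) that computes those four indicators over a constructed list of flow records standing in for a packet capture or NetFlow export; the addresses reuse the lab's ranges, the MAC addresses other than the lab's 00:11:22:33:44:55 are made up, and the function names and thresholds are mine.

```python
"""Defender-side indicators for the source-port, TTL, MAC and IP evasion techniques
of this lab, computed over constructed flow records. Added example; not part of the
lab report."""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src_mac: str
    src_ip: str
    src_port: int
    dst_port: int
    ttl: int


def fixed_source_port_fanout(flows, min_dst_ports=20):
    """(src_ip, src_port) pairs that reached at least min_dst_ports distinct destination
    ports. A normal client takes a fresh ephemeral port per connection; a scanner run
    with -g reuses one source port for every probe."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.src_ip, f.src_port)].add(f.dst_port)
    return sorted(key for key, ports in seen.items() if len(ports) >= min_dst_ports)


def ip_with_multiple_macs(flows):
    """Source IPs observed behind more than one MAC: a second host is claiming the IP."""
    macs = defaultdict(set)
    for f in flows:
        macs[f.src_ip].add(f.src_mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def mac_with_multiple_ips(flows):
    """Source MACs that sent from more than one IP on a LAN where each host has one address."""
    ips = defaultdict(set)
    for f in flows:
        ips[f.src_mac].add(f.src_ip)
    return {mac: sorted(i) for mac, i in ips.items() if len(i) > 1}


def ip_with_multiple_ttls(flows):
    """Source IPs whose packets arrive with different TTLs: one host on one path
    normally presents one initial TTL."""
    ttls = defaultdict(set)
    for f in flows:
        ttls[f.src_ip].add(f.ttl)
    return {ip: sorted(t) for ip, t in ttls.items() if len(t) > 1}


# Constructed records. ALLOWED_MAC is the lab's allow-listed address; the others are made up.
LEGIT_MAC, ALLOWED_MAC, SCANNER_MAC = "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "0c:0c:0c:00:00:99"
FLOWS = (
    # a normal client: new ephemeral port per connection, constant TTL
    [Flow(LEGIT_MAC, "192.168.40.20", 50000 + i, 443, 64) for i in range(10)]
    # the host that really owns the allow-listed MAC
    + [Flow(ALLOWED_MAC, "192.168.40.10", 40000 + i, 22, 64) for i in range(3)]
    # a scanner using -g 4444 against ports 1-30
    + [Flow(SCANNER_MAC, "192.168.40.77", 4444, p, 64) for p in range(1, 31)]
    # the same scanner with --ttl 128
    + [Flow(SCANNER_MAC, "192.168.40.77", 4444, p, 128) for p in range(31, 41)]
    # the same scanner with --spoof-mac set to the allow-listed MAC
    + [Flow(ALLOWED_MAC, "192.168.40.77", 4444, p, 64) for p in range(41, 51)]
    # the same scanner after adding the allow-listed IP to its own interface (-S)
    + [Flow(SCANNER_MAC, "192.168.40.50", 4444, p, 64) for p in range(51, 61)]
)


def indicators(flows=FLOWS):
    """All four indicators for one set of flow records."""
    return {"fixed_source_port": fixed_source_port_fanout(flows),
            "ip_multiple_macs": ip_with_multiple_macs(flows),
            "mac_multiple_ips": mac_with_multiple_ips(flows),
            "ip_multiple_ttls": ip_with_multiple_ttls(flows)}


if __name__ == "__main__":
    for name, value in indicators().items():
        print(f"{name}: {value}")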


NSE Script Programming.

Investigate how NSE (Nmap Scripting Engine) scripts are developed and create a basic example script so you can use it in your testing. Explain your script's code and test it.

NSE scripts are written in Lua and are stored in the /usr/share/nmap/scripts/ path.

[screenshot not included]

For this task, I have created a very simple script that appends a clean custom banner to the scan output.

nano /usr/share/nmap/scripts/banner-bonico.nse

local stdnse = require "stdnse"

description = [[
Displays an informational banner before the scan results.
]]

author = "Student"

license = "Same as Nmap"

categories = {"safe","discovery"}

-- Always executes: the rule accepts every host, so the action runs once per target
hostrule = function(host)
    return true
end

action = function(host)

    -- host.name is an empty string (not nil) when reverse DNS returns no name,
    -- so check for both before falling back to "unknown"
    local name = host.name
    if name == nil or name == "" then
        name = "unknown"
    end

    local banner = [[

========================================
        NMAP CUSTOM AUDIT BANNER
========================================

 Target   : ]] .. host.ip .. [[
 Hostname : ]] .. name .. [[

 Scan performed using NSE
 Script   : banner-bonico.nse

========================================

]]

    return banner
end

We update the script database:

sudo nmap --script-updatedb

And we run any scan using this new banner script:

nmap -p- --open -vvv -sS --script banner-bonico.nse --min-rate 5000 192.168.40.129

[screenshot not included]