Determine Firewalls and Their Rules
| State | Description |
|---|---|
open | This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations. |
closed | When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not. |
filtered | Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target. |
unfiltered | This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed. |
open|filtered | If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port. |
closed|filtered | This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall. |
In most cases, firewalls have certain rules set to handle specific connections. The packets can either be dropped, or rejected. The dropped packets are ignored, and no response is returned from the host. |
This is different for rejected packets that are returned with an RST flag. These packets contain different types of ICMP error codes or contain nothing at all.
Such errors can be:
- Net Unreachable
- Net Prohibited
- Host Unreachable
- Host Prohibited
- Port Unreachable
- Proto Unreachable
Nmap’s TCP ACK scan (-sA) method is much harder to filter for firewalls and IDS/IPS systems than regular SYN (-sS) or Connect scans (sT) because they only send a TCP packet with only the ACK flag.
When a port is closed or open, the host must respond with an RST flag
SYN-Scan
sudo nmap 10.129.2.28 -p 21,22,25 -sS -Pn -n
--disable-arp-ping --packet-traceACK-Scan
sudo nmap 10.129.2.28 -p 21,22,25 -sA -Pn -n
--disable-arp-ping --packet-traceWith the SYN scan (-sS) our target tries to establish the TCP connection by sending a packet back with the SYN-ACK (SA) flags set and with the ACK scan (-sA) we get the RST flag because TCP port 22 is open. For the TCP port 25, we do not receive any packets back, which indicates that the packets will be dropped.
Detect IDS/IPS
-
IDS systemsalone are usually there to help administrators detect potential attacks on their network. They can then decide how to handle such connections. We can trigger certain security measures from an administrator, for example, by aggressively scanning a single port and its service. Based on whether specific security measures are taken, we can detect if the network has some monitoring applications or not. -
One method to determine whether such
IPS systemis present in the target network is to scan from a single host (VPS). If at any time this host is blocked and has no access to the target network, we know that the administrator has taken some security measures. Accordingly, we can continue our penetration test with anotherVPS.
Decoys
There are cases in which administrators block specific subnets from different regions in principle. This prevents any access to the target network. Another example is when IPS should block us. For this reason, the Decoy scanning method (-D) is the right choice.
Nmap generates various random IP addresses inserted into the IP header to disguise the origin of the packet sent. With this method, we can generate random (RND) a specific number (for example: 5) of IP addresses separated by a colon (:).
Our real IP address is then randomly placed between the generated IP addresses.
Another critical point is that the decoys must be alive. Otherwise, the service on the target may be unreachable due to SYN-flooding security mechanisms.
Scan by Using Decoys
sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping
--packet-trace -D RND:5--disable-arp-ping | Disables ARP ping. |
--packet-trace | Shows all packets sent and received. |
-D RND:5 | Generates five random IP addresses that indicates the source IP the connection comes from. |
-n | Disables DNS resolution. |
The spoofed packets are often filtered out by ISPs and routers, even though they come from the same network range. Therefore, we can also specify our VPS servers’ IP addresses and use them in combination with “IP ID” manipulation in the IP headers to scan the target.
we can also manually specify the source IP address (-S) to test if we get better results with this one
Decoys can be used for SYN, ACK, ICMP scans, and OS detection scans. So let us look at such an example and determine which operating system it is most likely to be.
Testing Firewall Rule
sudo nmap 10.129.2.28 -n -Pn -p445 -OScan by Using Different Source IP
sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0| Scanning Options | Description |
|---|---|
10.129.2.28 | Scans the specified target. |
-n | Disables DNS resolution. |
-Pn | Disables ICMP Echo requests. |
-p 445 | Scans only the specified ports. |
-O | Performs operation system detection scan. |
-S | Scans the target by using different source IP address. |
10.129.2.200 | Specifies the source IP address. |
-e tun0 | Sends all requests through the specified interface. |
DNS Proxying
Nmap performs a reverse DNS resolution unless otherwise specified to find more important information about our target.
Nmap still gives us a way to specify DNS servers ourselves (--dns-server <ns>,<ns>).
his method could be fundamental to us if we are in a demilitarized zone (DMZ)
As another example, we can use TCP port 53 as a source port (--source-port) for our scans
If the administrator uses the firewall to control this port and does not filter IDS/IPS properly, our TCP packets will be trusted and passed through.
SYN-Scan of a Filtered Port
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-traceSYN-Scan From DNS Port
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53Now that we have found out that the firewall accepts TCP port 53, it is very likely that IDS/IPS filters might also be configured much weaker than others. We can test this by trying to connect to this port by using Netcat.
Connect To The Filtered Port
ncat -nv --source-port 53 10.129.2.28 50000