#portscan

Got slow portscans on CTF's? You will not believe how much this post will help you!

Aaaaaargh, my port scan take forever to complete! Heard that one before? You should have, it is a common complaint often heard between CTF rookies. Today we are looking into some ways to mitigate slow scans.

Nmap

When looking at the various complaints, Nmap seem to be the culprit. Gamers bash it for being slow and whatnot. Is it that bad? No, it isn’t. It’s all PEBCAK. It’s all about knowing how…

Well the purpose might be secondary, you are a hacker or you might be a techie trying to connect two machines, or just building a client for an application. People who are working with different machines, routers, switches, proxies or just the machines behind a firewall might end up in a need to find what ports are open in a host/machine.

Mac provides with a simple utility called network utility for finding it out..

Enter the hostname or ipaddress and enter the  ports that needs to be scanned.

For example I will scan from port 80 to 443 and see what all are open.

Your boss has just heard about some nefarious computer activities called ping sweeps and port scans. He wants to know more about them and what their impact might be on the company. Write a brief description of what they are, and include your assessment of whether the activities are something to worry about or not. 

The most important firewall rules are those for the incoming connections. This article puts the focus on the INPUT rules and not the OUTPUT rules.

### ipv4 rules # flush firewall rules iptables -F # allow connections on localhost iptables -A INPUT -i lo -p tcp -j ACCEPT # accept echo replies from ping iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT # allow remote login from certain ip addresses # example for heise.de and port 22 (ssh) iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.129.8.2-192.129.8.4 -j LOG iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.129.8.2-192.129.8.4 -j ACCEPT # allow packets from established connections iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT # allow responses from DNS queries - add a server with -s or --source iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # log and deny the rest iptables -A INPUT -j LOG iptables -A INPUT -j DROP # drop IPv6-in-IPv4 packets - not necessary with the previous rule iptables -A INPUT -p ipv6 -j DROP

To disable IPv6 use the following rules.

### ipv6 rules # flush the rules ip6tables -F # allow connections on localhost ip6tables -A INPUT -i lo -p tcp -j ACCEPT # disable the rest ip6tables -A INPUT -j LOG ip6tables -A INPUT -j DROP

To save your firewall settings install iptables-persistent.

# to make the rules persistent install: apt-get install iptables-persistent # see: /etc/iptables/rules.v4 /etc/iptables/rules.v6

Rules for RTMPsuck (Real Time Messaging Protocol, for internet music streams). Use this only if you need rtmpsuck.

# enable forwarding of packets echo 1 > /proc/sys/net/ipv4/ip_forward # create firewall rule to let rtmpsuck receive network traffic iptables -t nat -A OUTPUT -p tcp --dport 1935 -m owner \! --uid-owner root -j REDIRECT

To check your firewall use the port scanner from heise.de: http://www.heise.de/security/dienste/portscan/test/go.shtml?scanart=1

To check your log files for potential attacks:

# check: /var/log/syslog /var/log/kern.log # the files depend on your syslog configuration # example line in the log file: May 1 18:43:19 computer kernel: [ 7717.667033] IN=eth0 OUT= MAC=31:9b:e9:8c:3c:ca:dc:c7:a6:8c:17:23:08:00 SRC=192.168.178.1 DST=192.168.178.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54676 DF PROTO=TCP SPT=37552 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 # let a gxmessage window pop up with information about the attacker tailf /var/log/kern.log | \ grep --line-buffered DPT= | \ sed -u 's|^\(...............\).*'\ 'SRC=\([^ ]*\) DST.*DPT=\([^ ]*\) '\ '.*|IPTABLES: \1 fromIP: \2 toPort: \3|g' | \ xargs -i gxmessage -center -print "{}"

To check the ports look into /etc/services:

grep 5353 /etc/services

Persistent iptables rules in Linux Mint or other Linux distributions:

# set your iptables rules: iptables -A ... # save your rules iptables-save > /etc/firewall.conf vi /etc/rc.local iptables-restore < /etc/firewall.conf

With the parameter -A iptables rules are appended. With -I you can insert rules at the beginning of a chain.

# insert iptables rules: iptables -I INPUT ...

If you have problems with the configuration of iptables you can check where the packets go.

Bla bla bla nmap so on and so forth..

So here you are...a port scan result list. One column of data, and there's nothing between you plugging this info into your vuln scanner besides the fact that your vuln scanner needs a comma separated list.

If Laziness prevails, skip the script writing and turn to Excel.

if Column A contains your ports(or anything else you want to craft into a list separated by commas..or whatever)...

Insert this function into cell B1        =A1

Insert this function into cell B2

       =B1&","&A2

And then drag the formula in B2 down to fill the rest of the B columns until there is no more data to match in column A.

The value in the last nonblank cell in column B will be your separated one line list.

I have been doing lots of InfoSec research recently and have been learning quite a bit about nmap (Nmap is an open source security scanner that is used heavily by the pentesting community. Nmap can be used for several types of enumeration including host discovery, OS/version detection, port scanning, and even has its own scripting engine allowing the user to extend its functionality as desired). After reading what I can only describe as the nmap bible  (much the explanations provided for individual flags are heavily based on this book) and talking to some professionals I have a very robust nmap recipe for port scanning. 

sudo nmap --spoof-mac Cisco --data-length 9 \ -f -D 172.168.200.200,RND:5,ME -v -n -O -sS -sV \ -oA /home/rich/metasploit/172.168.1.1 --log-errors \ -append-output -p T:1-1024,1433,2222,2249,7778,8080,9999 \ --randomize-hosts 192.178.1.1 172.168.1.2

Important always run nmap as the root user, running nmap as anything other than the super user with not actually allow you to run a stealth scan on a tcp system because of the layer of abstraction between the regular user and the interface. Also, port scanning is legal in the US, however some of these techniques would be considered intrusive (nearly all of the "aggressive mode" features) so as with all pentesting related things don't be stupid and only scan what you have permission to scan.

Now for a flag by flag break down:

--spoof-mac Cisco: Spoof your mac address, other valid options would be a complete mac address, 0 for a completely random mac, a vendor's OUI prefix, or another vendor name

--data-length 9: Appends 9 random bytes to most of the packets it sends

-f: Fragment packets

-D 192.168.200.200,RND:5,ME: Causes decoy scans to run simultaneously with your actual scan to help ids evasion and cause far more traffic in system logs

-v: Increases the verbosity of the output, you can also run -v -v to increase the verbosity to a higher level

-n: No DNS resolution

-O: Enables OS detection, less aggressive than nmap's advanced OS detection and is usually just as good

-sS: Stealth TCP SYN scan, the most popular scan option. It is both quick and unobtrusive because it never completes any TCP connections.

-sV: Enables version detection

-oA /home/rich/metasploit/172.168.1.1: Output to all formats (normal, greppable, and XML) and where to save the information

--log-errors: Self explanatory 

-append-output: If you prefer to keep scan results in a single file and keep appending new information to it this option is perfect, if you would like to create new files for various reasons leave this flag out 

-p T:1-1024,1433,2222,2249,7778,8080,9999: Specifies which TCP ports to scan. The ports specified in list list are generally the ones that provide the most valuable information. If not interested in specifying each one a similar option is the --top-ports followed by an integer of one or greater. The integer is the N highest ratio of ports found in nmap services. Finally to specify UDP ports you would replace T: with U:

--randomize-hosts 192.178.1.1 172.168.1.2: Randomizes the target host order

Optional:

--traceroute: To trace path to host over various hops

-A: Aggressive mode, this could be used instead of -sV -O --traceroute amongst other things. Helps keep the list of flags one needs to know shorter but would be considered intrusive.

-T paranoid|sneaky|polite|agressive|insane: Various timing controls for your scans