mnin.org

NMAP Vs. IPTables

You may recall an entry in SPOC titled NMAP vs Snort. The main idea was to take a popular open-souce network reconnaissance tool (NMAP), a popular open-source Intrustion Detection System (Snort). and deploy them against each other to see which was the more powerful side: the attacker or defender.

NMAP proved to be the stronger entity, however this would have been the assumption. Snort allows defenders to detect reconnaissance and more critical exploits, but has weak ability to prevent, block, or obscure the results of these attempts. Snort is not an IPS (see Snort inline for IPS-like capabilities).

In the meantime, NMAP vs Iptables was conducted. This is in no way comprehensive, but it provides a good understanding of the ways a strategically configured Firewall can obscure network reconnaissance and allow defenders to remain in control.

These tests will consist of about 6 scans using the -sX, -sU, and -sT flags to NMAP. That will produce a christmas scan, UDP scan, and TCP scan, respectively. On the Iptables side, the packets will be welcolmed (or not!) with mixed DROP, REJECT --reject-with tcp-reset and REJECT --reject-with icmp-port-unreachable settings.

Scan #1

A. Iptables conditions:
REJECT --reject-with tcp-reset

B. Prediction
something crazy

C. NMAP options
nmap -P0 -O -p 1-1024 -T insane -sX 12.34.56.78

D. Iptables Log example:

Oct 25 22:05:05 fire kernel: IPTABLES DROP (IN): IN=eth1 OUT= \
MAC=00:04:5a:80:db:54:00:0d:66:27:34:54:08:00 SRC=66.92.164.176 DST=24.2.153.168 \
LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=49392 PROTO=TCP SPT=43091 DPT=851 \
WINDOW=3072 RES=0x00 URG PSH FIN URGP=0

E. NMAP results:

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-10-25 22:21
Local time zone must be set--see zic manual page
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on c-24-2-153-168.client.comcast.net (24.2.153.168):
(The 1018 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
135/tcp open  msrpc
136/tcp open  profile
137/tcp open  netbios-ns
138/tcp open  netbios-dgm
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Device type: general purpose|broadband router
Running: Linux 2.4.X, Belkin embedded
OS details: Linux 2.4.6 - 2.4.21, Linux 2.4.19 - 2.4.20, Linux 2.4.21 (x86), \
 Belkin DSL/Cable Router

Nmap run completed -- 1 IP address (1 host up) scanned in 14.882 seconds

F. Discussion
non-preferable behavior here, don't want these ports showing open if they are really NOT open. It looks like this is happening because the listed ports are included in the DROP_TCP list, which is being rejected with tcp-reset instead of silently dropped. So when in fact we don't let attackers know which ports are truly open, they know which ones we choose to reject vs drop.

Scan #2

A. Iptables conditions:
REJECT --reject-with tcp-reset

B. Prediction
All UDP ports should show up closed

C. NMAP options:
nmap -P0 -O -p 1-1024 -T insane -sU 12.34.56.78

D. Iptables Log example:

Oct 25 22:10:30 fire kernel: IPTABLES DROP (IN): IN=eth1 OUT= \
MAC=00:04:5a:80:db:54:00:0d:66:27:34:54:08:00 SRC=66.92.164.176 DST=24.2.153.168 \
LEN=28 TOS=0x00 PREC=0x00 TTL=30 ID=63585 PROTO=UDP SPT=39045 DPT=338 LEN=8

E. NMAP results:

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-10-25 22:26
Local time zone must be set--see zic manual page
Warning:  OS detection will be MUCH less reliable because we did not find \
at least 1 open and 1 closed TCP port
All 1024 scanned ports on c-24-2-153-168.client.comcast.net (24.2.153.168) \
are: filtered
Too many fingerprints match this host to give specific OS details

Nmap run completed -- 1 IP address (1 host up) scanned in 47.692 seconds

F. Discussion
preferable behavior, no UDP ports are open - all are being silently dropped. (Try rejecting these packets with an icmp-type reply and make comparisons)

Scan #3

A. Iptables conditions:
REJECT --reject-with tcp-reset

B. Prediction
smtp, http, and https should be open

C. NMAP options:
nmap -P0 -O -p 1-1024 -T insane -sT 12.34.56.78

D. Iptables Log example:

Oct 25 22:24:15 fire kernel: IPTABLES DROP (IN): IN=eth1 OUT= \
MAC=00:04:5a:80:db:54:00:0d:66:27:34:54:08:00 SRC=66.92.164.176 DST=24.2.153.168 \
LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=29779 DF PROTO=TCP SPT=36549 DPT=574 \
WINDOW=5840 RES=0x00 SYN URGP=0

E. NMAP results:

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-10-25 22:40
Local time zone must be set--see zic manual page
Warning:  OS detection will be MUCH less reliable because we did not find at \
least 1 open and 1 closed TCP port
Interesting ports on c-24-2-153-168.client.comcast.net (24.2.153.168):
(The 1021 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.18 - 2.6.4 (x86), Linux 2.4.20 (Itanium), Linux 2.4.3 \
SMP (RedHat), Linux 2.6.0-test5 - 2.6.0 (x86)
Uptime 17.178 days (since Fri Oct  8 18:24:10 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 32.119 seconds

F. Discussion
preferable behavior, the open ports show that they are open - no more no less.

Scan #4

A. Iptables conditions:
DROP

B. Prediction
something different than Scan #1 (yes, this is vague)

C. NMAP options:
nmap -P0 -O -p 1-1024 -T insane -sX 12.34.56.78

D. Iptables Log example:

Oct 25 22:36:38 fire kernel: IPTABLES DROP (IN): IN=eth1 OUT= \
MAC=00:04:5a:80:db:54:00:0d:66:27:34:54:08:00 SRC=66.92.164.176 DST=24.2.153.168 \
LEN=40 TOS=0x00 PREC=0x00 TTL=31 ID=62580 PROTO=TCP SPT=48088 DPT=900 \
WINDOW=4096 RES=0x00 URG PSH FIN URGP=0

E. NMAP results:

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-10-25 22:52
Local time zone must be set--see zic manual page
Warning:  OS detection will be MUCH less reliable because we did not find at \
least 1 open and 1 closed TCP port
All 1024 scanned ports on c-24-2-153-168.client.comcast.net (24.2.153.168) \
are: filtered
Too many fingerprints match this host to give specific OS details

Nmap run completed -- 1 IP address (1 host up) scanned in 56.885 seconds

F. Discussion
preferable behavior here (fixed from the first -sX scan). Now we silently drop all and they appear consistent and correct

Scan #5

A. Iptables conditions:
Source IP on blocklist

B. Prediction
all packets from this IP are silently dropped, no response given

C. NMAP options:
nmap -P0 -O -p 1-1024 -sT -T insane 12.34.56.78.

D. Iptables Log example:
No Logs

E. NMAP results:

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-10-25 23:11 \
Local time zone must be set--see zic manual page
Warning:  OS detection will be MUCH less reliable because we did not find \
at least 1 open and 1 closed TCP port
All 1024 scanned ports on c-24-2-153-168.client.comcast.net (24.2.153.168) \
are: filtered
Too many fingerprints match this host to give specific OS details

Nmap run completed -- 1 IP address (1 host up) scanned in 29.364 seconds

F. Discussion
preferable behavior here (except the missing logs) - the IP is on the blocklist and cannot access even the ports that are open to the rest of the world.

Art of Memory Forensics

Malware Analyst's Cookbook

Site design and layout with umm...a bash shell. Graphic by (Aaron Bieber)
Unless otherwise noted, this work is licensed with (Creative Commons Attribution License).