Tuesday, August 6, 2013

Nmap TCP-SYN scan results with Linux firewall - ufw


192.168.1.2 [root@bt]
BackTrack 5 R2 running on Oracle VM Virtual Box
Linux 3.2.6
Network adapter : Host-only Adapter
Nmap version 5.61


192.168.1.1 
Linux Mint 12 - 3.0.0-12-generic
Network Adapter : Host-only Adapter (vboxnet0)
Firewall : Graphical user interface for ufw
Firewall Configuration : Deny All incoming from 192.168.1.2 to 192.168.1.1


Scan 1 : TCP-SYN scan 
Firewall OFF
root@bt:~# nmap -PN -sS -n 192.168.1.1
Result : 3 open ports discovered.


Scan 2 : TCP-SYN scan
Firewall ON
root@bt:~# nmap -PN -sS -n 192.168.1.1
Note : ARP works at a layer below IP, so the IP address is not involved in the filtering!!!
Result : All 1000 scanned ports filtered.


Scan 3 : TCP-SYN scan with fragmentation
Firewall ON
root@bt:~# nmap -PN -sS -f -n 192.168.1.1
Result : All 1000 scanned ports filtered.


Scan 4 : TCP-SYN scan for ports 23,139,445
Firewall ON
root@bt:~# nmap -PN -sS -p23,139,445 -n 192.168.1.1
Result : 3 filtered ports discovered.


Scan 5 : TCP-SYN scan with Source IP as 192.168.1.3
Firewall ON
root@bt:~# nmap -PN -sS -e eth6 -S 192.168.1.3 -n 192.168.1.1
Note:  No host with IP 192.168.1.3 exists on the network.
Here Nmap sends the packets with the MAC address of 192.168.1.2
Result : 3 open ports discovered.
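From the Mint side, Scans 2 to 4 show up in the ufw log as blocked SYN packets once logging is on (sudo ufw logging on). The following is an added example, not part of the original post, that groups such log lines per sender to spot a port sweep; the log lines are constructed to resemble the iptables LOG format ufw writes, and the interface, MAC and timestamp values are made up.

```python
import re
from collections import defaultdict

# Constructed sample of ufw log lines (iptables LOG format under the "[UFW BLOCK]" prefix),
# shaped like what Scan 4 above would leave in /var/log/ufw.log on 192.168.1.1 with
# logging enabled. Every value below is made up for this example.
SAMPLE_LOG = """\
Aug  6 10:01:02 mint kernel: [UFW BLOCK] IN=vboxnet0 OUT= MAC=08:00:27:44:55:66:08:00:27:11:22:33:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1001 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  6 10:01:02 mint kernel: [UFW BLOCK] IN=vboxnet0 OUT= MAC=08:00:27:44:55:66:08:00:27:11:22:33:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1002 PROTO=TCP SPT=40001 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  6 10:01:02 mint kernel: [UFW BLOCK] IN=vboxnet0 OUT= MAC=08:00:27:44:55:66:08:00:27:11:22:33:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1003 PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  6 10:05:17 mint kernel: [UFW BLOCK] IN=vboxnet0 OUT= MAC=08:00:27:44:55:66:08:00:27:99:99:99:08:00 SRC=192.168.1.9 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2001 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  6 10:05:18 mint kernel: [UFW BLOCK] IN=vboxnet0 OUT= MAC=08:00:27:44:55:66:08:00:27:11:22:33:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=2002 PROTO=UDP SPT=51001 DPT=53 LEN=48
"""

PREFIX_RE = re.compile(r"\[UFW ([A-Z ]+)\]")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")

def parse_ufw_line(line):
    """Return the KEY=VALUE fields of one ufw log line plus its TCP flag words, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    rec = dict(FIELD_RE.findall(rest))   # a repeated key (UDP's second LEN=) overwrites the first
    rec["action"] = m.group(1)
    rec["flags"] = set(FLAG_RE.findall(rest))
    return rec

def syn_scan_sources(log_text, min_ports=3):
    """Group blocked bare-SYN segments by source MAC (octets 7-12 of the MAC= field, which
    holds dst MAC, src MAC, ethertype) rather than by SRC IP, so a spoofed source address
    as in Scan 5 still lands on the same sender. Returns senders touching >= min_ports ports."""
    ports, ips = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue
        src_mac = ":".join(rec["MAC"].split(":")[6:12])
        ports[src_mac].add(int(rec["DPT"]))
        ips[src_mac].add(rec["SRC"])
    return {mac: {"ports": sorted(p), "src_ips": sorted(ips[mac])}
            for mac, p in ports.items() if len(p) >= min_ports}
```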







Saturday, August 3, 2013

Why and How to hide Server Information


This tutorial shows how to hide the server information displayed (example shown on the left) in the footer of any server-generated document. We also look at why it is important to hide such information.

How to hide
The Apache version number and other information can be hidden by controlling two config directives.

The ServerSignature directive adds a line containing the Apache HTTP Server version and the ServerName to the footer of any server-generated documents, such as error messages, mod_proxy ftp directory listings, mod_info output, etc. The Off setting, which is the default, suppresses the footer line (and is therefore compatible with the behavior of Apache 1.2 and below). The On setting simply adds a line with the server version number and ServerName of the serving virtual host, and the EMail setting additionally creates a "mailto:" reference to the ServerAdmin of the referenced document.

Syntax:
ServerSignature On|Off|EMail

The ServerTokens directive controls whether the Server response header field, which is sent back to clients, includes a description of the generic OS type of the server as well as information about compiled-in modules. The same value also appears in the ServerSignature footer, as the examples below show.

Syntax:
ServerTokens Full (or not specified)
Example Footer: Apache/2.2.17 (Win32) PHP/5.3.5 Server at localhost Port 80
ServerTokens Prod
Example Footer: Apache Server at localhost Port 80
ServerTokens Major
Example Footer: Apache/2 Server at localhost Port 80
ServerTokens Minor
Example Footer: Apache/2.2 Server at localhost Port 80
ServerTokens Min
Example Footer: Apache/2.2.17 Server at localhost Port 80
ServerTokens OS
Example Footer: Apache/2.2.17 (Win32) Server at localhost Port 80

To completely remove the footer, open your httpd.conf file and add or modify the config directive as follows:
ServerSignature Off

If you want only a part of the information to be displayed:
ServerSignature On
ServerTokens [Major|Minor|Min|Prod|OS|Full]
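An added check, not from the original post and not Apache's own code, that takes a captured response's headers and body, infers the ServerTokens level from the footer table above, and reports whether the ServerSignature footer is still present. The two sample responses are constructed.

```python
import re

# Constructed sample responses (not real captures): an error page from a server left at the
# defaults shown above, and one after ServerTokens Prod / ServerSignature Off.
WEAK_HEADERS = {"Server": "Apache/2.2.17 (Win32) PHP/5.3.5"}
WEAK_BODY = ("<html><body><h1>Not Found</h1><hr>\n"
             "<address>Apache/2.2.17 (Win32) PHP/5.3.5 Server at localhost Port 80</address>\n"
             "</body></html>")
HARDENED_HEADERS = {"Server": "Apache"}
HARDENED_BODY = "<html><body><h1>Not Found</h1></body></html>"

# Apache/<major>[.<minor>[.<patch>]] [(<OS>)] [<modules...>]
TOKENS_RE = re.compile(r"^Apache/(\d+)(\.\d+)?(\.\d+)?( \([^)]*\))?( .+)?$")
# The ServerSignature footer always ends in "Server at <host> Port <n>"
FOOTER_RE = re.compile(r"Server at \S+ Port \d+")

def server_tokens_level(server_header):
    """Infer the ServerTokens setting from a Server header value, using the table above."""
    s = server_header.strip()
    if s == "Apache":
        return "Prod"
    m = TOKENS_RE.match(s)
    if not m:
        return "unknown"
    _major, minor, patch, os_part, modules = m.groups()
    if modules:
        return "Full"
    if os_part:
        return "OS"
    if patch:
        return "Min"
    return "Minor" if minor else "Major"

def audit_response(headers, body):
    """Report what a response leaks: the ServerTokens level and whether the footer is on."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    server = hdrs.get("server", "")
    level = server_tokens_level(server) if server else "absent"
    signature_on = bool(FOOTER_RE.search(body))
    return {"tokens": level, "signature_on": signature_on,
            "hardened": level in ("Prod", "absent") and not signature_on}
```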


Why hide
The first step when a hacker tries to break into a site/server is footprinting and reconnaissance (i.e. gathering as much information as possible). This is done to select the right kind of hacks from the millions of hacks either available freely on the web or developed by the hacker. Trying out each and every hack would take years, so the attacker spends a large amount of time on gathering as much as possible. Things become easy for the attacker if server information is displayed when he/she simply types a wrong URL !!



In the above example, the attacker can search for vulnerabilities in Apache, OpenSSL, or FrontPage.
So far this year (Aug-2013), 2 OpenSSL and 5 Apache vulnerabilities have been made public.
List of publicly available vulnerabilities:
OpenSSL 0.9.8 : http://www.cvedetails.com/version/26306/Openssl-Openssl-0.9.8.html
Apache 2.2.17 : http://www.cvedetails.com/version/109443/Apache-Http-Server-2.2.17.html

So always use the latest version and apply patches ;)

Friday, August 2, 2013

Scapy - Packet Crafting

Prerequisite : Basic understanding of the networking protocols whose packets you would like to craft and also the network layers.

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, ...), etc.

It is written in Python, and is pre-installed on BackTrack 4 and later. On Ubuntu it can be installed with:

sudo apt-get install scapy

To start Scapy, execute sudo scapy (if normal user) or just scapy (if root).

Basic commands

ls()   : displays the list of supported protocols
ls(IP) : shows the fields of the IP structure
lsc()  : displays the list of available commands in Scapy

Some of the important commands for sending & receiving packets :
sr     : Send and receive packets at layer 3
sr1    : Send packets at layer 3 and return only the first answer
srp    : Send and receive packets at layer 2
srp1   : Send and receive packets at layer 2 and return only the first answer
srloop : Send a packet at layer 3 in a loop and print the answer each time
 

Demo 1 : ICMP request

Create 3 variables : E for Ethernet, I for IP, icmp for ICMP

 >>>E=Ether()
 >>>I=IP()
 >>>icmp=ICMP()

To see the fields of each protocol use : <var>.show()
ex : >>>I.show()

To set a field of a protocol use : <var>.<field>=value
ex: >>>I.src='192.168.0.1'
Note: Don't set fields whose values are calculated from the packet content,
for ex : chksum
To see their calculated values use show2() instead of show()

Set the fields to the values as specified below
To send the packet
>>>srp1(E/I/icmp)
This sends at Layer 2 and shows the 1st packet received
Use Wireshark to capture and analyze the packets. Here, since the Ethernet fields are specified, no ARP is used. Just an ICMP request and reply are captured.
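To make concrete why chksum should be left for Scapy to fill in, here is an added example (not from the original post and not Scapy's code) that does by hand what show2() does for the IP and ICMP layers of Demo 1: compute the RFC 1071 checksum over the header, and verify it on a received packet. The 192.168.0.x addresses are the ones used above; the destination is made up.

```python
import socket
import struct

def ones_complement_checksum(data):
    """RFC 1071 checksum used by IP and ICMP: complement of the 16-bit ones' complement sum."""
    if len(data) % 2:                       # odd length: pad with a zero byte
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=1):
    """20-byte IPv4 header with the chksum field filled in (what I.show2() displays)."""
    # version 4 / IHL 5, TOS 0, total length, id, flags+frag 0, ttl, proto, chksum 0, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]

def build_icmp_echo(ident=0, seq=0, payload=b""):
    """ICMP echo request (type 8, code 0) with its chksum filled in, as icmp.show2() would."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", ones_complement_checksum(msg)) + msg[4:]

def checksum_ok(data):
    """A received header/message verifies when the checksum over it, chksum included, is 0."""
    return ones_complement_checksum(data) == 0
```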


Demo 2 : TCP-SYN
Create 2 variables : I for IP, T for TCP

 >>>I=IP()
 >>>T=TCP()

Set the fields to the values as specified below
To send the packet
>>>sr1(I/T)

This sends at Layer 3 and shows the 1st packet received
Use Wireshark to capture and analyze the packets. Here, since the Ethernet fields are not specified, ARP is used. An ARP request and reply along with the TCP SYN and its reply are captured.

Thursday, August 1, 2013

Defense Against ARP Poisoning

The main reason why ARP poisoning occurs is that the victim does not authenticate the ARP replies coming from a malicious user. As a result the ARP cache in the victim's PC contains an invalid IP to MAC mapping and packets are sent to the attacker or dropped.

Defense in small networks

To view the current entries in the ARP table
   victim#arp

To add an entry to the ARP table as static/permanent
   victim#arp -s <ip_Address> <MAC_address>
The ARP replies sent by the attacker don't affect the static entries: the victim still receives them, but the statically entered mapping is not overwritten.

To delete an entry in the ARP table
  victim#arp -d <ip_address>

The mappings can be stored in a file and given as input to "arp" if there are too many entries.
Create a file with the entries in the following syntax
<MAC_ADDRESS> <IP_ADDRESS>
. .
. .
 
 victim#arp -f <file>

But the table is cleared every time the system boots or the network is reset.


To load the entries into the table every time the network adapter is brought UP,
create a file in the /etc/network/if-up.d/ directory with the following content

#!/bin/sh
   arp -i eth0 -s <ip_address> <mac_address>
   .
   .

Make it executable
  victim# chmod +x /etc/network/if-up.d/<file>
This takes effect only after a reboot.

Also, if you don't want to accept unsolicited ARP replies from anyone:

  victim# echo 0 > /proc/sys/net/ipv4/conf/all/arp_accept
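An added example, not part of the original post, of how a defender can check the victim's table against the pinned mappings after the steps above: it parses net-tools "arp -n" output, flags pinned entries that are missing, point at a different MAC, or were never made static (no M flag), and reports a MAC claimed by several IPs. The arp output and the mapping are constructed.

```python
import re

# Constructed sample of `arp -n` output on the victim (values made up for this example).
# Flags: C = complete entry, M = permanent, i.e. added with `arp -s` / `arp -f`.
SAMPLE_ARP_OUTPUT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   08:00:27:aa:bb:01   CM                    eth0
192.168.1.254            ether   08:00:27:aa:bb:fe   C                     eth0
192.168.1.20             ether   08:00:27:aa:bb:fe   C                     eth0
"""

# The IP -> MAC mapping the victim is supposed to have pinned (the content of <file> above).
EXPECTED = {"192.168.1.1": "08:00:27:aa:bb:01", "192.168.1.254": "08:00:27:cc:dd:fe"}

ROW_RE = re.compile(r"^(\S+)\s+ether\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_arp_table(text):
    """Return {ip: (mac, flags, iface)} from net-tools `arp -n` output."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ip, mac, flags, iface = m.groups()
            table[ip] = (mac.lower(), flags, iface)
    return table

def check_arp_table(text, expected):
    """Flag pinned entries that are missing, point at another MAC, or are not static,
    plus any MAC claimed by several IPs (one host answering for many is a poisoning tell)."""
    table = parse_arp_table(text)
    findings = []
    for ip, mac in expected.items():
        entry = table.get(ip)
        if entry is None:
            findings.append(("missing", ip, mac.lower()))
        elif entry[0] != mac.lower():
            findings.append(("mismatch", ip, entry[0]))
        elif "M" not in entry[1]:
            findings.append(("not-static", ip, entry[0]))
    by_mac = {}
    for ip, (mac, _flags, _iface) in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, sorted(ips)))
    return sorted(findings, key=lambda f: (f[0], f[1]))
```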