
NMAP Testing: Iptables Flushed in The Target (Default)

What happens at the target when we run a nmap scan - Syn Scan, Fin Scan, Null Scan and XMAS Scan. Interpret the tcpdump.

Uploaded by

Kanthanathan S

NMAP Testing

Environment:
Target system (Metasploitable): 192.168.40.160
Kali Linux: 192.168.40.155

iptables flushed in the target (default)

$ nmap 192.168.40.160
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 18:40 IST
Nmap scan report for 192.168.40.160
Host is up (0.0025s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds

TCPDUMP on Target and observed traffic for port 445

11:40:24.378537 IP 192.168.40.155.57862 > 192.168.40.160.microsoft-ds: S 1749119242:1749119242(0) win 64240 <mss 1460,s
11:40:24.378606 IP 192.168.40.160.microsoft-ds > 192.168.40.155.57862: S 550805118:550805118(0) ack 1749119243 win 5792
11:40:24.378728 IP 192.168.40.155.57862 > 192.168.40.160.microsoft-ds: . ack 1 win 502 <nop,nop,timestamp 4121042567 25
11:40:24.378957 IP 192.168.40.155.57862 > 192.168.40.160.microsoft-ds: R 1:1(0) ack 1 win 502 <nop,nop,timestamp 412104

Observed that the TCP 3-way handshake completes on port 445. The fourth packet received is, I assume, the reset packet that tears down the
acknowledged TCP session.

Port 445 REJECTed using iptables

Blocking a specific port on target with iptables using REJECT on the target

root@metasploitable:~# iptables -A INPUT -p tcp --dport 445 -j REJECT

Output of NMAP in Kali Linux

$ nmap 192.168.40.160
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 18:45 IST
Nmap scan report for 192.168.40.160
Host is up (0.0022s latency).
Not shown: 978 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds

Observed that port 445 is missing from the above list; the count of closed ports has gone from 977 to 978, so nmap now reports it as closed.

TCPDUMP on Target

root@metasploitable:~# tcpdump -i eth0 tcp port 445 and ip host 192.168.40.155
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:18:07.609988 IP 192.168.40.155.45959 > 192.168.40.160.microsoft-ds: S 2616920712:2616920712(0) win 1024 <mss 1460>

Observed one SYN packet at the target system and no ACK. With REJECT the kernel answers the SYN with an ICMP port-unreachable message by default, and the "tcp port 445" capture filter does not match ICMP, so that reply does not appear in this capture.

Port 445 DROPped with iptables

Reset iptables (iptables -F) and use DROP instead of REJECT.

$ sudo iptables -F
$ sudo iptables -A INPUT -p tcp --dport 445 -j DROP

Output at Kali system

$ nmap 192.168.40.160
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 19:54 IST
Nmap scan report for 192.168.40.160
Host is up (0.0066s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp filtered microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 0.64 seconds

Notice that port 445 is now shown as filtered.

TCPDUMP output on target system

root@metasploitable:~# iptables -F && iptables -A INPUT -p tcp --dport 445 -j DROP
root@metasploitable:~# tcpdump -i eth0 tcp port 445 and ip host 192.168.40.155
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:27:29.230396 IP 192.168.40.155.47390 > 192.168.40.160.microsoft-ds: S 1435373240:1435373240(0) win 1024 <mss 1460>
11:27:30.338686 IP 192.168.40.155.47391 > 192.168.40.160.microsoft-ds: S 1435438777:1435438777(0) win 1024 <mss 1460>

Observed two SYN packets arriving at the target system (nmap retransmits the probe when it gets no answer), but no ACK and no reply of any kind.

Stealth Mode scan ("nmap -sS" as root user in Kali)

iptables flushed in Target

No change in the nmap output, but tcpdump shows that after the SYN+ACK a reset packet is received from Kali at the target, in place of the ACK seen in the default scan, so the handshake is never completed.

11:45:06.039132 IP 192.168.40.155.53162 > 192.168.40.160.microsoft-ds: S 1519556688:1519556688(0) win 1024 <mss 1460>
11:45:06.039300 IP 192.168.40.160.microsoft-ds > 192.168.40.155.53162: S 683855253:683855253(0) ack 1519556689 win 5840
11:45:06.039509 IP 192.168.40.155.53162 > 192.168.40.160.microsoft-ds: R 1519556689:1519556689(0) win 0

FIN scan ("nmap -sF" as root user in Kali)

nmap Output

# nmap -sF 192.168.40.160
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 21:20 IST
Nmap scan report for 192.168.40.160
Host is up (0.0052s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
23/tcp open|filtered telnet
25/tcp open|filtered smtp
53/tcp open|filtered domain
80/tcp open|filtered http
111/tcp open|filtered rpcbind
139/tcp open|filtered netbios-ssn
445/tcp open|filtered microsoft-ds
512/tcp open|filtered exec
513/tcp open|filtered login
514/tcp open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2049/tcp open|filtered nfs
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
5900/tcp open|filtered vnc
6000/tcp open|filtered X11
6667/tcp open|filtered irc
8009/tcp open|filtered ajp13
8180/tcp open|filtered unknown
MAC Address: 00:0C:29:A7:AC:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds

The output shows open|filtered instead of just open, because an open port and a filtered port both stay silent to a FIN probe. The MAC address of the target system is also visible, since the scan runs as root against a host on the same LAN.

The tcpdump output contains no SYN packets; the probes go straight in as FIN packets:

11:48:12.907571 IP 192.168.40.155.58431 > 192.168.40.160.microsoft-ds: F 1930951553:1930951553(0) win 1024
11:48:14.016658 IP 192.168.40.155.58432 > 192.168.40.160.microsoft-ds: F 1930886016:1930886016(0) win 1024

I wanted to trace tcpdump for a closed port (a port on which no service is running), so I stopped the Samba service that was running on the
target system.

# /etc/init.d/samba stop

With the FIN scan against a closed port the tcpdump output is interesting:

11:56:09.825858 IP 192.168.40.155.48356 > 192.168.40.160.microsoft-ds: F 2748265675:2748265675(0) win 1024
11:56:09.825908 IP 192.168.40.160.microsoft-ds > 192.168.40.155.48356: R 0:0(0) ack 2748265676 win 0

The output shows that the target receives a FIN packet from Kali and answers with a reset packet, because no service is listening on
the port. This is the RST that lets nmap report a port as closed in a FIN scan.

Null Scan ("nmap -sN" as root user in Kali)

# nmap -sN 192.168.40.160
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 21:46 IST
Nmap scan report for 192.168.40.160
Host is up (0.0026s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
23/tcp open|filtered telnet
25/tcp open|filtered smtp
53/tcp open|filtered domain
80/tcp open|filtered http
111/tcp open|filtered rpcbind
139/tcp open|filtered netbios-ssn
445/tcp open|filtered microsoft-ds
512/tcp open|filtered exec
513/tcp open|filtered login
514/tcp open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2049/tcp open|filtered nfs
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
5900/tcp open|filtered vnc
6000/tcp open|filtered X11
6667/tcp open|filtered irc
8009/tcp open|filtered ajp13
8180/tcp open|filtered unknown
MAC Address: 00:0C:29:A7:AC:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds

TCPDUMP

12:13:58.976296 IP 192.168.40.155.64962 > 192.168.40.160.microsoft-ds: . win 1024
12:14:00.069307 IP 192.168.40.155.64963 > 192.168.40.160.microsoft-ds: . win 1024

Observed two packets with no TCP flags set (tcpdump prints "." for an empty flag field) directed at the target.

XMAS Scan ("nmap -sX" as root user in Kali)

This scan sends packets with the FIN, PSH and URG flags set; tcpdump shows them as "FP" with an "urg 0" field.

TCPDUMP

12:30:18.827285 IP 192.168.40.155.44744 > 192.168.40.160.microsoft-ds: FP 3324991969:3324991969(0) win 1024 urg 0
12:30:18.928963 IP 192.168.40.155.44745 > 192.168.40.160.microsoft-ds: FP 3324926432:3324926432(0) win 1024 urg 0
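As an added example (not part of the original writeup), the Python below reads tcpdump lines like those captured above and, for each probe from the Kali host to the target, names the scan type from the TCP flags and infers the port state the way nmap does from the reply (or its absence). The sample lines are copied from the captures on this page; the treatment of "no reply" as filtered assumes, as in this lab, a capture filter that excludes the ICMP reply REJECT would send.

```python
import re
# Constructed sample: tcpdump lines copied from the captures above (flags S=SYN, F=FIN, R=RST, FP=FIN+PSH, "."=none)
SAMPLE = """\
11:45:06.039132 IP 192.168.40.155.53162 > 192.168.40.160.microsoft-ds: S 1519556688:1519556688(0) win 1024 <mss 1460>
11:45:06.039300 IP 192.168.40.160.microsoft-ds > 192.168.40.155.53162: S 683855253:683855253(0) ack 1519556689 win 5840
11:45:06.039509 IP 192.168.40.155.53162 > 192.168.40.160.microsoft-ds: R 1519556689:1519556689(0) win 0
11:27:29.230396 IP 192.168.40.155.47390 > 192.168.40.160.microsoft-ds: S 1435373240:1435373240(0) win 1024 <mss 1460>
11:48:12.907571 IP 192.168.40.155.58431 > 192.168.40.160.microsoft-ds: F 1930951553:1930951553(0) win 1024
11:56:09.825858 IP 192.168.40.155.48356 > 192.168.40.160.microsoft-ds: F 2748265675:2748265675(0) win 1024
11:56:09.825908 IP 192.168.40.160.microsoft-ds > 192.168.40.155.48356: R 0:0(0) ack 2748265676 win 0
12:13:58.976296 IP 192.168.40.155.64962 > 192.168.40.160.microsoft-ds: . win 1024
12:30:18.827285 IP 192.168.40.155.44744 > 192.168.40.160.microsoft-ds: FP 3324991969:3324991969(0) win 1024 urg 0
"""

LINE = re.compile(r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\S+) > "
                  r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\S+): (?P<flags>\S+) ?(?P<rest>.*)$")
PROBE = {"S": "SYN", "F": "FIN", ".": "NULL", "FP": "XMAS"}  # probe flags -> nmap scan type

def parse(text):
    """Yield (src, sport, dst, dport, flags, rest_words) for each tcpdump line that parses."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        yield m["src"], m["sport"], m["dst"], m["dport"], m["flags"], m["rest"].split()

def classify(text, scanner, target):
    """Return (scan type, target port, inferred port state) per probe flow scanner -> target."""
    flows = {}  # (scanner port, target port) -> {"scan": ..., "replies": [(flags, is_ack)]}
    for src, sport, dst, dport, flags, words in parse(text):
        if src == scanner and dst == target and (sport, dport) not in flows:
            kind = PROBE.get(flags, "other")
            if kind == "XMAS" and "urg" not in words:  # FIN+PSH without URG is not an XMAS probe
                kind = "other"
            flows[(sport, dport)] = {"scan": kind, "replies": []}
        elif src == target and dst == scanner and (dport, sport) in flows:
            flows[(dport, sport)]["replies"].append((flags, "ack" in words))
    results = []
    for (_, dport), f in flows.items():
        rst = any(fl == "R" for fl, _ in f["replies"])
        if f["scan"] == "SYN":
            if ("S", True) in f["replies"]:
                state = "open"      # SYN/ACK came back; the scanner then tears down with RST
            elif rst:
                state = "closed"    # RST from a port with no listener
            else:
                state = "filtered"  # no TCP reply: DROP, or REJECT whose ICMP the filter excludes
        else:
            # FIN / NULL / XMAS: a closed port must answer RST; an open (or dropped) one stays silent
            state = "closed" if rst else "open|filtered"
        results.append((f["scan"], dport, state))
    return results
```

Running classify(SAMPLE, "192.168.40.155", "192.168.40.160") reproduces the states nmap reported on this page: open for the completed SYN probe, filtered for the unanswered SYN under DROP, closed for the FIN probe that drew an RST, and open|filtered for the silent FIN, NULL and XMAS probes.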
