Firewalls and IDS

This post is a walkthrough of the lab. I won't display the flags but I'll show how we go to obtain them. I recommend downloading this FREE Nmap Cheat Sheet which is based on the previous posts; this cheat sheet helped me get through these labs

Breaking down Firewall and IDS/IPS Evasion: Easy Lab

For this lab, we need to get the operating system running on the server. I'll attempt the following command:

nmap 10.129.63.36 -A -F -Pn -n -disable-arp-ping --packet-trace --source-port=53 -f -D RND:5

Let's break down my reasoning:

-A makes an aggressive scan
-F to check only the top 100 ports
-Pn -n -disable-arp-ping --packet-trace. These flags have been present during the module. They disable ARP ping, ICMP echo requests, and DNS resolution. This also provides packet tracing. From the modules, we can see the TCP response, see if there is RA, and check for rejected packets.
--source-port=53 disguises our Nmap scan as DNS queries
-f makes the packets tiny. If the packet is 24 bytes long, -f sends three packets, each of eight bytes
-D RND:5 applies decoy and uses 5 generated IP addresses

I'll run both scans, one with the flags --source-port=53 -f -D RND:5 and a second one without them. We can see the number of alerts at <ip>/status.php and start with 50/100.

Running the command returns a big output that may or may not be hard to read. And a rather interesting result.

But if we scroll through it, we can see the trace of NSOCK and know the system it is using:

NSOCK INFO [2.0230s] nsock_read(): Read request from IOD #1 [10.129.63.36:22] (timeout: 6000ms) EID 26
NSOCK INFO [2.0230s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 16 [10.129.63.36:80]
Service scan sending probe NULL to 10.129.63.36:80 (tcp)
NSOCK INFO [2.0230s] nsock_read(): Read request from IOD #2 [10.129.63.36:80] (timeout: 6000ms) EID 34
NSOCK INFO [2.0700s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [10.129.63.36:22] (41 bytes): SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7..
Service scan hard match (Probe NULL matched with NULL line 3524): 10.129.63.36:22 is ssh.  Version: |OpenSSH|7.6p1 Ubuntu 4ubuntu0.7|Ubuntu Linux; protocol 2.0|
NSOCK INFO [2.0700s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [8.0270s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 34 [10.129.63.36:80]
Service scan sending probe GetRequest to 10.129.63.36:80 (tcp)

We got the flag and the IDS/IPS system got 5 alerts:

But do the --source-port=53 -f -D RND:5 really help? How many alerts do we set if we send the command without them?

nmap 10.129.63.36 -A -F -Pn -n -disable-arp-ping --packet-trace

We got detected (doing this a second time, this raises approximately 50 alerts):

Interestingly enough, we got the ports that were open, and the -A flag worked.

Nmap scan report for 10.129.63.36
Host is up (0.029s latency).
Not shown: 60 closed tcp ports (reset), 38 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
|   256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|_  256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=10/17%OT=22%CT=7%CU=36034%PV=Y%DS=2%DC=T%G=Y%TM=671
OS:14E18%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=107%TI=Z%CI=Z%TS=1)SEQ(
OS:SP=103%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53CST11N
OS:W7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=FE88
OS:%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53C
OS:NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R
OS:=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=
OS:AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=
OS:40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   28.62 ms 10.10.14.1
2   28.87 ms 10.129.63.36

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.51 seconds

Which makes me wonder, which flag stops -A from working?

Command

Alerts

Received or no response

nmap 10.129.63.36 -F -Pn -n -disable-arp-ping --packet-trace --source-port=53

received response

nmap 10.129.63.36 -F -Pn -n -disable-arp-ping --packet-trace --source-port=53 -f

received response

nmap 10.129.63.36 -F -Pn -n -disable-arp-ping --packet-trace --source-port=53 -D RND:5

no response

So there is an error with -D RND:5. Even though the command returned this lab's flag, it did not return a response.

We also technically don't receive the Lab's flag from the response but rather from the banner message. I'll fix that by making the following changes:

Changing -A to -sV -O
Removing -D RND:5

And we get a nice response with only 17 alerts.

Nmap scan report for 10.129.63.36
Host is up (0.029s latency).
Not shown: 60 closed tcp ports (reset), 38 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=10/17%OT=22%CT=7%CU=31167%PV=Y%DS=2%DC=I%G=Y%TM=671
OS:1585D%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A
OS:)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53
OS:CST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88
OS:)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A
OS:=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%D
OS:F=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=4
OS:0%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.44 seconds

Breaking down Firewall and IDS/IPS Evasion: Medium Lab

For this lab, we want the DNS server version. If we google "DNS server version nmap" we learn that there is a script that can help us achieve our goal. Keeping in mind there is an IDS/IPS, the command we'll use will be the following:

nmap 10.129.192.108 -sS -sU -p53 --source-port=53 --script dns-nsid Pn -n -disable-arp-ping -f

Let's break down the new flags:

-sS -sU means TCP SYN and UDP scan
-p53 we're interested in the DNS server, and we know the DNS server is in port 53
--script dns-nsid we'll run the nse script to identify the DNS version

Once we run this command, we get a nice response with only 2 alerts.

Nmap scan report for 10.129.192.108
Host is up (0.031s latency).

PORT   STATE    SERVICE
53/tcp filtered domain
53/udp open     domain
| dns-nsid: 
|_  bind.version: HTB{flag}

Nmap done: 1 IP address (1 host up) scanned in 2.39 seconds

There is another flag that we could try. Instead of -sS we can use -sA, and it would return the same response with 2 alerts.

If you're curious like me and do -sS and -sA, Nmap will send an error that you specified more than one TCP scan and then quit.

Breaking down Firewall and IDS/IPS Evasion: Hard Lab

Finally, we are told that the admin took precautions and now there is more security. By now I've realized the --source-port=53 -f raises few alerts, so I won't be focusing as much on the alerts.

Since we're looking for a version of a service, I'll run the following command:

nmap 10.129.22.234 -sV -O --source-port=53 -f --script version -Pn -n -disable-arp-ping

Which returns the following

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-17 15:35 CDT
Nmap scan report for 10.129.108.102
Host is up (0.029s latency).
Not shown: 869 closed tcp ports (reset), 128 filtered tcp ports (no-response)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
50000/tcp open  tcpwrapped
|_drda-info: TIMEOUT
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/).

Port 50000 caught my eye, especially the drda-info: TIMEOUT. What is drda? From the nmap.org website, the drda protocol is related to databases.

Once a port catches your eye, see if it is vulnerable. Once locate the drda scripts, (with locate *.nse | grep drda) we run the following

nmap 10.129.22.234 -p50000 --source-port=53 -f --script drda-info,drda-brute -packet-trace

-sS is open and shows ibm-db2 -sA is unfiltered and shows ibm-db2 -sU is closed

Both TCP scans show that there are too many fingerprints. But if the port is open/unfiltered, we might be able to connect with ncat.

So we run ncat -nv --source-port=53 10.129.22.234 50000 and we successfully connect to the server:

$ sudo ncat -nv --source-port=53 10.129.22.234 50000
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Connected to 10.129.22.234:50000.
220 HTB{flag}

If you run the command and receive something like libnsock mksock_bind_addr(): Bind to 0.0.0.0:53 failed (IOD #1): Permission denied (13), you might wanna add sudo at the beginning of the ncat command. I know this got me stuck for a while.

Now, we have successfully completed the Network Enumeration with Nmap Module!

Thank you for reading! Next post I'll start with the Login Bruteforcing Module! There will be some C and some Python involved, so, stay tuned for that. Thank you for reading, if you have any comments or would like to connect, I am always eager to chat on my linkedin

PreviousCont'd Nmap NextLogin Bruteforcing

Last updated 1 year ago