Testing IPtables using Nmap Scanning Tool

This eye represents the Nmap Scanning tool. Testing IPtables using Nmap Scanning Tool is a crucial Audit after applying IPtables Firewall Script. Although I have applied complex IPtables rules, but running a Firewall without testing it’s rules, is like building a security cam system without testing it. Since the test is only for IPtables, the main focus will be only at Layer 3 and up to 4 of TCP/IP stack.

Objectives:

1. Understanding Penetration Test Concept

2. Brief Introduction to Nmap Scan Tool

3. Preparing Nmap Pen Testing Environment

4. Information Gathering – Port Scanning

Prerequisites:

A. Basic Debian or Red Hat System Knowledge

B. Login to your DigitalOcean or Vultr Account

C. Implementing Stateful Firewall Using IPtables

Recommendations:

For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.

Understanding Penetration Test Concept

Testing to verify if security measures in place is very important step, hence, Pen testing includes too many types of IT Security tools to test almost every components such Operating Systems, Network devices, Web Applications, and much more. The aim of this lab is to find if an intruder using port scan tools, can gather information about your VPS.

To understand what Pen testing is, you have to visualize how an Attacker think. You probably heard about White, Gray, and Black Hat Hackers, however, at first they all do the same thing: Gather Information, or for short “Reconnaissance”. The hacking tools available for White, Gray, and Black Hackers are often the same tools.

Different tools can be combined together in a piece of software or suite to perform an intensive different types of Pen testing, starting from Layer 3 all the way through to Layer 7. Such Pen testing suite include Port Scanning and Probing, Intrusion such Brute Force Attacks, and the list can go on and on. Simple tests can be perform though, by using individual tools to test one layer or one service at a time.

In order to reach a useful Pen test, you need proper information in hand, hence, using Port Scanning tools to gather starting at layer 3. In any Hat color type, the concept is the same, gathering information as mush as possible using different type of tools before starting any type of Penetration Test is always the first stage.

Since I am testing my own VPS, I consider myself a White Hat Hacker, if I was hired by someone, then I am a Gray Hat Hacker, and finally, the bots that keep trying to hack my VPS and yours, day and night, and never get tired, are considered Black Hat Hackers tools. Bots reconnaissance about your VPS by trying to identify possible entry points, they even attempt to break in so they can report their findings back to their masters.

My main objective when I do pen testing is to determine the security weaknesses that I am trying to protect or harden. Since I am testing an IPtables Stateful Firewall, my focus will be at layer 3 and 4 using port scanning and probing. Eventually, using different sections and labs, I will try to complete all Pen Testing types in order to reach solid protection.

So, my ultimate target at the end of my Web Hosting Solution is to protect my VPS starting by IPtables at Layer 3 up to Web Application Firewall at Layer 7. You probably asking what would be the information you need to gather about a VPS before running Port Scanning or Probing. The answer is simple, follow the TCP/IP Layers.

I won’t be interested about Layer 1 and 2, therefore, I will start at Layer 3, meaning, I should at least know my VPS IP address. With this in mind, and as you probably guessed, Port scanning is to revile what ports are open at the VPS, hence, I can later run a useful Pen Test against a service in order to retrieve any vulnerabilities.

As you can imagine, in order for an attacker to attack your VPS, it should gather a lot of information, one of them would be the Public IP Address of your Network or VPS, then uses this IP to scan known ports (doors) at your VPS. Port Scanning is not only used to know what ports are being used, it’s actually used for too many purposes.

The known ones are: to determine what operating system is being used, to exploit Vulnerabilities, crashing systems by sending INVALID packets, and much more. There are few known tools for Gathering information such nmap, hping3, and the list can go on and on, however, I am going to use nmap GUI and command line interface version.

Since nmap can be used across Windows, MAC, and Linux, it’s my favorite choice. hping3 is very powerful tool as well, if you familiar with Kali Linux, it got all the tools that any Hat color is looking for, in fact, I use it myself to test my Servers and Networks. Kali Linux is very convenience since it carries all Pen Testing tools organized in one place.

Remember, if Pen Testing happened by you, then it’s a White Hat Pen Testing, if you are hired by someone to do the job, then it’s a Gray Hat Pen Testing, and the guys that you and me trying to stop or prevent are the Black Hat Attacks. The following Lab is by all means NOT a complete Pen Testing Lab, rather, it’s just a single type of Pen Testing, called Port Scanning or Probing.

Disclaimer

This Lab is provided to assist users of Nmap in scanning their own System (VPS) for which they have own or have been given permission to scan, so they can determine the security of their VPS. This Lab not intended to assist with scanning remote sites with the intention of breaking into or exploiting services on those sites, or for information gathering purposes beyond those allowed by law. Please make sure you are using your VPS IP Address during port scanning. Probing someone else IP Address by mistake might create series problem between you and the VPS provider, or worse, between you and the authority.

CCNA HUB website and admins declaim any responsibility for any actions taken by its users or visitors during implementing the following pen testing lab. The following pen testing lab must be used only for personal use, scanning only personal VPS machines. I hereby or CCNA HUB disclaim any responsibility for actions taken based upon the information in this Lab/Article, and urge all who seek information towards a destructive end to reconsider their life, and do something constructive instead.

Brief Introduction to Nmap Scan Tool

So what is a port scanner? Basically, it’s a piece of software which used to probe Network devices such VPS systems, or any Network device runs on TCP/IP stack. Hence, a scan tool will be used to determine if TCP or UDP ports are open and listening to requests, which will indicate the services being used by that VPS.

For instance, if you are sending an email to someone, you would expect the receiver mail server is listening at port 25 in order to receive emails. Web servers listen at port 80 and 443, POP3 at 110, and IMAP at port 143, etc… Attackers gather information based on these ports.

This information can be used to narrow the attack on those ports (services) because the scanner shows Service’s port if open and listening. Next, would be to check if there are any known vulnerabilities with the service being used at the VPS, hence, it can be exploited.

I am not going to scare someone in here, but bad Bots and Worms equipped with Port scanner tools will keep scanning the whole Internet, including your VPS and my VPS for open ports in order to attack the service that is listening, however, proper security setup can protect web services from these scanning techniques.

Nmap Scan Methods

The following nmap scan methods will be used to test IPtables Firewall. Below, you will find a brief explanation of each scan type. I high recommend you become familiar with the scan type being used to understand how your VPS is being protected.

-sF -sX -sN

Stealth FIN, Xmas Tree, or Null scan modes.The FIN scan uses a bare (surprise) FIN packet as the probe, while the Xmas tree scan turns on the FIN, URG, and PUSH flags. The Null scan turns off all flags.

-sA -sS -sU -f

-sA: It consists in sending TCP packets with the ACK flag set. The goal of the ACK scan is to guess if a port is filtered or if it is not. If you combine that with the upper FIN scan or a XMAS scan you can guess which ports are opened, filtered and closed.

-sS: SYN scan is the default scan mode when using nmap and it is also the most used scan technique. This technique is often referred to as “half-open” scanning, because you don’t open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and you wait for a response.

-sU: Scanning UDP open ports is not easy since you do not get any response if the port is open, and that is the normal UDP port reaction when receiving a packet. So, If the port is closed it return an “ICMP Port Unreachable” packet. If nothing is returned you can guess that the port is opened or filtered by a firewall.

-f: This  option causes the requested scan (including ping scans) to use tiny fragmented IP packets.  The idea is to split up the TCP header  over  several  packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. Be careful with this, some operating systems and programs might crash since they can’t handle these tiny packets.

For more information, check this Site.

The six port states recognized by Nmap are:

Prepare Nmap Pen Testing Environment

Preparing the right Pen Testing Environment is crucial in order to have successful test, beneficial feedback, and overall a useful experience. Nmap is mainly used on Linux, however, it can be used on Windows and MAC as well. My favorite would be to have it on Linux, therefore, I will recommend a professional Pen Testing Linux platform for you called Kali Linux.

Nmap available on the following Platforms:

a. Install Nmap on Linux

Debian Based

apt-get install nmap

Red Hat Based

yum install nmap

b. Install Nmap on Windows

Navigate to the following link https://nmap.org/download.html, scroll down and look for “Microsoft Windows Binaries” section. Download and install the self installer exe file. I’ve test it on windows and looks decent, it’s called Zenmap once installed.

c. Run Nmap from Kali Linux

Navigate to the following link https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/, and pick the ready VirtualBox Kali Linux torrent which I found it faster than installing Kali Linux from ISO file.

Once downloaded, you need to extract the file to your VirtualBox VM folder, than you can delete the Zipped file. From VirtualBox File menu, choose “Import Appliance” and point to where you have extracted the Kali Linux. Once done, you will have a Kali Linux under VirtualBox as shown below:

Once it’s on, login as root and default password is toor. I recommend to run apt-get update from the Terminal CLI once you are at the desktop, follow all the update/upgrade instructions and reboot Kali Linux to use the latest and greatest tools.

TIP: Only if needed, sometimes and after the update/upgrade, you need to install VirtualBox Drivers called VirtualBox Additions, however, edit fstab file first.

nano /etc/fstab

In order to install the Guest Additions smoothly, add exec option at the end of the line as shown below:

Save: Ctrl-X, Hit Y Key, and Enter

Now, you can go to the Machine Window and Choose Insert Guest Additions from the Device Menu. You will be prompted to Run the Installer, hit Ok, then you will be prompted by the following question as shown below, choose yes to continue then reboot the machine.

Note: I recommend you snapshot your Kali Linux once it’s working fine, and no need to shut it down, save it instead.

Information Gathering – Port Scanning

After each Nmap scan, you need to re-apply IPtables Firewall Script from the VPS Web Console to prepare it for the next new nmap scan. Therefore, please make sure you went through the following:

• Implementing Stateful Firewall Using IPtables, and
• Know how to access your VPS using the Web Console,

before running any of these scans below you need to know that your home IP Address might be trapped by the firewall and you won’t be able to access your VPS through SSH client software such Putty.

Note: if for any reason your VPS is not allowing you to establish SSH connection using ssh client such Putty, and even after Re-applying IPtables Firewall Script (IPtables Script Clears all Traps), then restart the SSH service from the Web Console as follows: (You can’t copy paste commands into the Web Console)

Debian Based

service ssh restart

Red Hat Based

service sshd restart

I noticed that SSH service might glitch after few scanning attempts.

Following the steps below, make sure you substitute the “YOUR-VPS-IP-ADDRESS” using your Public VPS IP address before hitting the Enter key.

Run the following steps (1 to 9)

1. Nmap Fin Scan

nmap -v -sF YOUR-VPS-IP-ADDRESS

The moment you hit Enter, the statefull INVALID IPtables will Drop the packets and Trap your home public IP address. Wait till the scan is done.

If you see the following output, try running the command again till the probe get hooked and go through the whole scan as shown below.

Starting Nmap 7.11 ( https://nmap.org ) at 2016-04-05 16:02 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.12 seconds

What you should see, after the scan is done:

Starting Nmap 7.11 ( https://nmap.org ) at 2016-04-05 16:10 EDT
Initiating Ping Scan at 16:10
Scanning YOUR-VPS-IP-ADDRESS [4 ports]
Completed Ping Scan at 16:10, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:10
Completed Parallel DNS resolution of 1 host. at 16:10, 0.03s elapsed
[...]
Completed FIN Scan at 16:12, 119.97s elapsed (1000 total ports)
Nmap scan report for node1.ccanhub.com (YOUR-VPS-IP-ADDRESS)
Host is up (0.022s latency).
All 1000 scanned ports on node1.ccanhub.com 
(YOUR-VPS-IP-ADDRESS) are open|filtered

As you can see above, all the 1000 ports were open|filtered state, meaning, Nmap is unable to determine whether a port is closed or filtered, hence, the IPtables was able to block nmap from viewing ports and services being used at the VPS.

2. Nmap Xmas Scan

Xmas scan is another type of scan to find out what ports are being used, hence, what services are being used.

nmap -v -sX YOUR-VPS-IP-ADDRESS

Sure enough Xmas scan has failed as well.

Starting Nmap 7.11 ( https://nmap.org ) at 2016-04-05 22:30 EDT
Initiating Ping Scan at 22:30
Scanning YOUR-VPS-IP-ADDRESS [4 ports]
Completed Ping Scan at 22:30, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:30
Completed Parallel DNS resolution of 1 host. at 22:30, 0.00s elapsed
Initiating XMAS Scan at 22:30
[...]
Completed XMAS Scan at 22:32, 120.09s elapsed (1000 total ports)
Nmap scan report for node1.ccanhub.com (YOUR-VPS-IP-ADDRESS)
Host is up (0.033s latency).
All 1000 scanned ports on node1.ccanhub.com 
(YOUR-VPS-IP-ADDRESS) are open|filtered

3. Nmap Null Scan

nmap -v -sN YOUR-VPS-IP-ADDRESS

Null scan type has been failed as well.

Starting Nmap 7.11 ( https://nmap.org ) at 2016-04-05 22:49 EDT
Initiating Ping Scan at 22:49
Scanning YOUR-VPS-IP-ADDRESS [4 ports]
Completed Ping Scan at 22:49, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:49
Completed Parallel DNS resolution of 1 host. at 22:49, 0.00s elapsed
Initiating NULL Scan at 22:49
[...]
Completed NULL Scan at 22:51, 122.67s elapsed (1000 total ports)
Nmap scan report for node1.ccnahub.com (YOUR-VPS-IP-ADDRESS)
Host is up (0.039s latency).
All 1000 scanned ports on node1.ccnahub.com 
(YOUR-VPS-IP-ADDRESS) are open|filtered

As you can see, the most stealth port scanning type were failed at my IPtables Firewall Script. Besides, I will show you below what rules and drop such packets and trap the intruder IP address. What left are ACK, SYN, and UDP scans.

4. Nmap ACK Scan

nmap -v -sA YOUR-VPS-IP-ADDRESS

It took almost half an hour to finish the ACK scan, however, the scan has failed as well to identify any service port.

Starting Nmap 7.11 ( https://nmap.org ) at 2016-04-05 23:05 EDT
Initiating Ping Scan at 23:05
Scanning YOUR-VPS-IP-ADDRESS [4 ports]
Completed Ping Scan at 23:05, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:05
Completed Parallel DNS resolution of 1 host. at 23:05, 0.02s elapsed
Initiating ACK Scan at 23:05
Scanning node1.ccnahub.com (YOUR-VPS-IP-ADDRESS) [1000 ports]
Completed ACK Scan at 23:27, 1311.87s elapsed (1000 total ports)
Nmap scan report for node1.ccnahub.com (YOUR-VPS-IP-ADDRESS)
Host is up (0.021s latency).
All 1000 scanned ports on node1.ccnahub.com 
(YOUR-VPS-IP-ADDRESS) are filtered

5. Nmap SYN Scan

I believe, SYN scan is one of the hardest scan to catch, since it appears to the IPtables Firewall as legitimate traffic, however, let’s see how the scan went through.

nmap -v -sS YOUR-VPS-IP-ADDRESS

Starting Nmap 7.11 ( https://nmap.org ) at 2016-04-06 01:29 EDT
Initiating Ping Scan at 01:29
Scanning YOUR-VPS-IP-ADDRESS [4 ports]
Completed Ping Scan at 01:29, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.00s elapsed
Initiating SYN Stealth Scan at 01:29
Scanning node1.ccnahub.com (YOUR-VPS-IP-ADDRESS) [1000 ports]
[...]
Completed SYN Stealth Scan at 01:48, 1161.44s elapsed (1000 total ports)
Nmap scan report for node1.ccnahub.com (YOUR-VPS-IP-ADDRESS)
Host is up (0.015s latency).
All 1000 scanned ports on node1.ccnahub.com 
(YOUR-VPS-IP-ADDRESS) are filtered

Awesome! all ports appear filtered, which makes it very hard for a Port Scanning tool to gather information about TCP services being used, and at the same time, allows legitimate traffic to pass. In the next Lab, I will show you how SYN scan was stopped and trapped.

6. Nmap UDP Scan

As mentioned, Scanning UDP open ports would be dificult for a scanner tool to determine if the the port is open or filtered by a Firewall. Let’s see how IPtables response to UDP scans.

nmap -v -sU YOUR-VPS-IP-ADDRESS

Starting Nmap 7.11 ( https://nmap.org ) at 2016-04-06 13:39 EDT
Initiating Ping Scan at 13:39
Scanning YOUR-VPS-IP-ADDRESS [4 ports]
Completed Ping Scan at 13:39, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:39
Completed Parallel DNS resolution of 1 host. at 13:39, 0.10s elapsed
Initiating UDP Scan at 13:39
[...]
Completed UDP Scan at 14:07, 1692.49s elapsed (1000 total ports)
Nmap scan report for node1.ccnahub.com (YOUR-VPS-IP-ADDRESS)
Host is up (0.035s latency).
All 1000 scanned ports on node1.ccnahub.com 
(YOUR-VPS-IP-ADDRESS) are open|filtered

open|filtered state is what you should see when you run UDP scan. In the next Lab, I will show you how UDP scan was stopped and trapped.

7. Nmap Fragment Scan

nmap -v -f YOUR-VPS-IP-ADDRESS

Fragment, can be very tricky and nasty. A professional Attacker might craft his own packets and send it through, I frankly, can’t tell if a firewall can stop a crafted Fragment packet, however, it can  stop the known ones that is being used by nmap or similar tools. Fragment scan will be blocked by TCP-PORTSCAN Trap for one day.

Starting Nmap 7.11 ( https://nmap.org ) at 2016-04-07 17:06 EDT
Initiating Ping Scan at 17:06
Scanning YOUR-VPS-IP-ADDRESS [4 ports]
Completed Ping Scan at 17:06, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:06
Completed Parallel DNS resolution of 1 host. at 17:06, 0.04s elapsed
Initiating SYN Stealth Scan at 17:06
Scanning node1.ccnahub.com (YOUR-VPS-IP-ADDRESS) [1000 ports]
[...]
Completed SYN Stealth Scan at 17:27, 1223.73s elapsed (1000 total ports)
Nmap scan report for node1.ccnahub.com (YOUR-VPS-IP-ADDRESS)
Host is up (0.021s latency).
All 1000 scanned ports on node1.ccnahub.com 
(YOUR-VPS-IP-ADDRESS) are filtered

8. Nmap OS Fingerprinting Scan

nmap -v -O --fuzzy --osscan-guess YOUR-VPS-IP-ADDRESS

Detecting or guessing the Operating System can be very useful for the attacker to narrow it’s attack. Operating System discovery with aggressive guessing command, let’s see how the IPtables will respond to such scan.

Starting Nmap 7.11 ( https://nmap.org ) at 2016-04-07 20:48 EDT
Initiating Ping Scan at 20:48
Scanning YOUR-VPS-IP-ADDRESS [4 ports]
Completed Ping Scan at 20:48, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:48
Completed Parallel DNS resolution of 1 host. at 20:48, 0.00s elapsed
Initiating SYN Stealth Scan at 20:48
[...]
Completed SYN Stealth Scan at 21:10, 1327.06s elapsed (1000 total ports)
Initiating OS detection (try #1) against node1.ccnahub.com (YOUR-VPS-IP-ADDRESS)
Retrying OS detection (try #2) against node1.ccnahub.com (YOUR-VPS-IP-ADDRESS)
Nmap scan report for node1.ccnahub.com (YOUR-VPS-IP-ADDRESS)
Host is up (0.027s latency).
All 1000 scanned ports on node1.ccnahub.com 
(YOUR-VPS-IP-ADDRESS) are filtered
Too many fingerprints match this host to give specific OS details

Bingo! The scan returned nothing. Usually, if an OS aggressive guess scan pass by a firewall, nmap will return the following message:

Starting Nmap 7.11 ( https://nmap.org ) at 2016-04-01 17:07 Eastern Daylight Time
Nmap scan report for node1.ccnahub.com (YOUR-VPS-IP-ADDRESS)
Host is up (0.035s latency).
Not shown: 971 filtered ports, 27 closed ports
PORT    STATE SERVICE
110/tcp open  pop3
995/tcp open  pop3s
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|2.6.X (93%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 3.2 - 3.8 (93%), Linux 2.6.32 - 3.0 (86%), Linux 3.8 (85%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2351.96 seconds

9. Nmap Probing Scan

nmap -v -Pn YOUR-VPS-IP-ADDRESS

This type of scan will treat the target as online and force the scan tool to look for open ports. Let’s see how it goes:

Starting Nmap 7.11 ( https://nmap.org ) at 2016-04-08 08:10 EDT
Initiating Parallel DNS resolution of 1 host. at 08:10
Completed Parallel DNS resolution of 1 host. at 08:10, 0.00s elapsed
Initiating SYN Stealth Scan at 08:10
Scanning node1.ccnahub.com (YOUR-VPS-IP-ADDRESS) [1000 ports]
[...]
Completed SYN Stealth Scan at 08:13, 201.29s elapsed (1000 total ports)
Nmap scan report for node1.ccnahub.com (YOUR-VPS-IP-ADDRESS) 
Host is up.
All 1000 scanned ports on node1.ccnahub.com 
(YOUR-VPS-IP-ADDRESS) are filtered

Wow! IPtables Firewall was able to block -Pn scan type as well. So, I picked up the most famous scan types for this Lab, and there are many nmap scan types available for you to test if you want to, the following link https://nmap.org/book/man-briefoptions.html will show you all of them.

10. Nmap Slow Comprehensive Scan

This long comprehensive Nmap command looks scary, so I kept it to the end of the test. Warning! This scan might take hours, run it before you go to bed. If you see other than Error, Filtered, and Closed states, please let me know. By the way, windows version of nmap hung when I used this type of scan.

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" YOUR-VPS-IP-ADDRESS

When I woke up in the morning, I seen a long report at my Kali Linux Nmap Terminal, yet the scan failed to report any open port or OS details.

All 2000 scanned ports on node1.ccnahub.com (MY-VPS-IP-ADDRESS) 
are filtered (1000) or open|filtered (1000)
Too many fingerprints match this host to give specific OS details

Scan Summary

As you probably guessed, using an attacker tool such nmap is a key to test your VPS security defense layers. Pen testing is important for number of reasons, 1) the intruders use the same or similar tool to gather information about your VPS, 2) it allows you to spot any visible service ports before they get exploited, 3) port scanning provide you with an excellent opportunity to Audit your VPS security policies before potential exposures.

For more information about Pen Testing, check Pluralsight Security Courses. Next, I will show you how the upper scans were logged and trapped using xt_recent IPtables Module which made IPtables a statefull Firewall.

Subject Related