#readwise
# Network Enumeration with Nmap - Firewall and IDS/IPS Evasion

## Metadata
- Author: [[Hack The Box]]
- Full Title: Network Enumeration with Nmap - Firewall and IDS/IPS Evasion
- URL: https://academy.hackthebox.com/module/19/section/106
## Summary
Nmap offers several options for probing hosts behind firewall rules and intrusion detection/prevention systems (IDS/IPS). Firewalls monitor network traffic and block or allow connections based on their rules. An IDS scans for potential attacks and reports them, while an IPS takes action to prevent detected threats. Techniques like TCP ACK scans and the use of decoys can help evade these security measures during network enumeration.
## Highlights
`Nmap` gives us many different ways to bypass firewall rules and IDS/IPS. These methods include the fragmentation of packets, the use of decoys, and others. ([View Highlight](https://read.readwise.io/read/01jp4xbm9z4nr5saj0gqbwaqn9))
---
Like the firewall, the intrusion detection system (`IDS`) and intrusion prevention system (`IPS`) are also software-based components. `IDS` scans the network for potential attacks, analyzes them, and reports any detected attacks. `IPS` complements `IDS` by taking specific defensive measures if a potential attack should have been detected. The analysis of such attacks is based on pattern matching and signatures. If specific patterns are detected, such as a service detection scan, `IPS` may prevent the pending connection attempts. ([View Highlight](https://read.readwise.io/read/01jp4xcnhssrt8n65s59shkz3c)) ^8dylop
---
We already know that when a port is shown as filtered, it can have several reasons. In most cases, firewalls have certain rules set to handle specific connections. The packets can either be `dropped`, or `rejected`. The `dropped` packets are ignored, and no response is returned from the host.
This is different for `rejected` packets that are returned with an `RST` flag. These packets contain different types of ICMP error codes or contain nothing at all. ^jro43z
Such errors can be: ^z6m7ye
- Net Unreachable
- Net Prohibited
- Host Unreachable
- Host Prohibited
- Port Unreachable
- Proto Unreachable
([View Highlight](https://read.readwise.io/read/01jp4xdyz26n0hmqz9jx6qpdzt))
---
Nmap's TCP ACK scan (`-sA`) method is much harder to filter for firewalls and IDS/IPS systems than regular SYN (`-sS`) or Connect scans (`-sT`) because it only sends a TCP packet with the `ACK` flag set. When a port is closed or open, the host must respond with an `RST` flag. Unlike outgoing connections, all connection attempts (with the `SYN` flag) from external networks are usually blocked by firewalls. However, the packets with the `ACK` flag are often passed by the firewall because the firewall cannot determine whether the connection was first established from the external network or the internal network. ([View Highlight](https://read.readwise.io/read/01jp4xg9xqs1z1f40twq2j1h5z)) ^1fkcjb
---
Please pay attention to the RCVD packets and their set flags we receive from our target. With the SYN scan (`-sS`), our target tries to establish the TCP connection by sending a packet back with the SYN-ACK (`SA`) flags set, and with the ACK scan (`-sA`) we get the `RST` flag because TCP port 22 is open. For TCP port 25, we do not receive any packets back, which indicates that the packets are being dropped. ([View Highlight](https://read.readwise.io/read/01jp4xmpaxg6xtmr9gh9n97j7m)) ^mwpgz5
---
Unlike firewalls and their rules, the detection of IDS/IPS systems is much more difficult because these are passive traffic monitoring systems. `IDS systems` examine all connections between hosts. If the IDS finds packets containing the defined contents or specifications, the administrator is notified and takes appropriate action in the worst case.
`IPS systems` take measures configured by the administrator independently to prevent potential attacks automatically. It is essential to know that IDS and IPS are different applications and that IPS serves as a complement to IDS. ([View Highlight](https://read.readwise.io/read/01jp4xqn75dj403am2smvczrd8)) ^w4mquq
---
There are cases in which administrators block specific subnets from different regions in principle. This prevents any access to the target network. Another example is when an IPS would block us. For this reason, the Decoy scanning method (`-D`) is the right choice. With this method, Nmap generates various random IP addresses inserted into the IP header to disguise the origin of the packet sent. With this method, we can generate a specific number (for example: `5`) of random (`RND`) IP addresses, separated by a colon (`:`). Our real IP address is then randomly placed between the generated IP addresses. In the next example, our real IP address is therefore placed in the second position. Another critical point is that the decoys must be alive. Otherwise, the service on the target may be unreachable due to SYN-flooding security mechanisms. ([View Highlight](https://read.readwise.io/read/01jp4xyb0ysvmsx1tbw9x5ja94)) ^xo3zra
---
`-D RND:5` Generates five random IP addresses that indicate the source IP the connection comes from. ([View Highlight](https://read.readwise.io/read/01jp4y08stdakk37p4ten80251)) ^e7mkfh
---
The spoofed packets are often filtered out by ISPs and routers, even though they come from the same network range. Therefore, we can also specify our VPS servers' IP addresses and use them in combination with "`IP ID`" manipulation in the IP headers to scan the target. ([View Highlight](https://read.readwise.io/read/01jp4y28s7aqj8jce1qarey94p))
---
Decoys can be used for SYN, ACK, ICMP scans, and OS detection scans. ([View Highlight](https://read.readwise.io/read/01jp4y38h4a3nk8yjjsmjp5tj2)) ^o5j8vi
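From the monitoring side, the decoy technique in the highlights above has a recognisable shape: several source addresses send the same probe to the same target port at the same moment, and the real scanner is one of them. The following is an added example (not HTB Academy code and not output of any real firewall) that groups constructed SYN log lines by target port and time window and flags the windows with an unusual number of distinct sources. The log format, the address values and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: one line per inbound TCP SYN (assumption for this example).
LINE_RE = re.compile(r"^(?P<ts>\S+) SYN (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
EPOCH = datetime(1970, 1, 1)   # fixed reference so bucketing does not depend on the local time zone

# Constructed sample: a decoy-style burst (four decoys plus the real scanner 10.10.14.2)
# against ports 22 and 25, surrounded by ordinary single-client connections to port 80.
SAMPLE_LOG = """\
2020-06-21T22:49:10 SYN 192.0.2.5:51000 -> 10.129.2.28:80
2020-06-21T22:49:40 SYN 192.0.2.6:51001 -> 10.129.2.28:80
2020-06-21T22:50:00 SYN 203.0.113.7:40111 -> 10.129.2.28:22
2020-06-21T22:50:00 SYN 198.51.100.23:40111 -> 10.129.2.28:22
2020-06-21T22:50:00 SYN 10.10.14.2:40111 -> 10.129.2.28:22
2020-06-21T22:50:00 SYN 192.0.2.88:40111 -> 10.129.2.28:22
2020-06-21T22:50:00 SYN 203.0.113.150:40111 -> 10.129.2.28:22
2020-06-21T22:50:01 SYN 203.0.113.7:40112 -> 10.129.2.28:25
2020-06-21T22:50:01 SYN 198.51.100.23:40112 -> 10.129.2.28:25
2020-06-21T22:50:01 SYN 10.10.14.2:40112 -> 10.129.2.28:25
2020-06-21T22:50:01 SYN 192.0.2.88:40112 -> 10.129.2.28:25
2020-06-21T22:50:01 SYN 203.0.113.150:40112 -> 10.129.2.28:25
2020-06-21T22:50:30 SYN 192.0.2.7:51002 -> 10.129.2.28:80
"""


def parse_log(text):
    """Return (seconds, src, dst, dport) tuples for every line matching the constructed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        events.append(((ts - EPOCH).total_seconds(), m["src"], m["dst"], int(m["dport"])))
    return events


def find_decoy_bursts(text, window_s=2, min_sources=4):
    """Return {(dst, dport): sorted sources} for target ports hit by at least min_sources
    distinct sources inside one window. A decoy scan produces this pattern because every
    decoy address sends the same probe to the same port at the same moment."""
    by_window = defaultdict(set)
    for t, src, dst, dport in parse_log(text):
        by_window[(dst, dport, int(t // window_s))].add(src)
    bursts = defaultdict(set)
    for (dst, dport, _), sources in by_window.items():
        if len(sources) >= min_sources:
            bursts[(dst, dport)] |= sources
    return {key: sorted(srcs) for key, srcs in bursts.items()}


if __name__ == "__main__":
    for (dst, dport), sources in find_decoy_bursts(SAMPLE_LOG).items():
        print(f"{dst}:{dport} probed by {len(sources)} sources in one window: {sources}")
```

The burst tells the analyst that a scan happened, but the SYNs alone cannot say which of the five addresses is real; that needs correlation with other telemetry, which is exactly why the highlight stresses that decoys must be live hosts.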
---
By default, `Nmap` performs a reverse DNS resolution unless otherwise specified to find more important information about our target. These DNS queries are also passed in most cases because the given web server is supposed to be found and visited. ([View Highlight](https://read.readwise.io/read/01jp4y8s02ssve2k5xghv4e4p4)) ^e1xekp
---
`Nmap` still gives us a way to specify DNS servers ourselves (`--dns-server <ns>,<ns>`). This method could be fundamental to us if we are in a demilitarized zone (`DMZ`). The company's DNS servers are usually more trusted than those from the Internet. So, for example, we could use them to interact with the hosts of the internal network. As another example, we can use `TCP port 53` as a source port (`--source-port`) for our scans. If the administrator uses the firewall to control this port and does not filter IDS/IPS properly, our TCP packets will be trusted and passed through. ([View Highlight](https://read.readwise.io/read/01jp4y9s1xaq5fnp8gh9zk36mt)) ^tpcadz
---
```sh
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace
```
```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 22:50 CEST
SENT (0.0417s) TCP 10.10.14.2:33436 > 10.129.2.28:50000 S ttl=41 id=21939 iplen=44 seq=736533153 win=1024 <mss 1460>
SENT (1.0481s) TCP 10.10.14.2:33437 > 10.129.2.28:50000 S ttl=46 id=6446 iplen=44 seq=736598688 win=1024 <mss 1460>
Nmap scan report for 10.129.2.28
Host is up.
PORT STATE SERVICE
50000/tcp filtered ibm-db2
Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds
```
([View Highlight](https://read.readwise.io/read/01jp4yd1n18593jze51q8g0d4a))
---
```sh
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
```
```
SENT (0.0482s) TCP 10.10.14.2:53 > 10.129.2.28:50000 S ttl=58 id=27470 iplen=44 seq=4003923435 win=1024 <mss 1460>
RCVD (0.0608s) TCP 10.129.2.28:50000 > 10.10.14.2:53 SA ttl=64 id=0 iplen=44 seq=540635485 win=64240 <mss 1460>
Nmap scan report for 10.129.2.28
Host is up (0.013s latency).
PORT STATE SERVICE
50000/tcp open ibm-db2
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
```
([View Highlight](https://read.readwise.io/read/01jp4yd64my688a9akz220ewqa))
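The two `--packet-trace` outputs above are read by hand in the highlights: a `SENT` with no `RCVD` means the probe was dropped (filtered), a `SA` reply means open, and an `RST` reply means closed for a SYN scan or unfiltered for an ACK scan. The following is an added example (not HTB Academy code) that applies those rules to trace lines programmatically. It reuses the two traces from the page and adds a constructed ACK-scan trace for the port 22 / port 25 case described earlier; only TCP trace lines are parsed, so the assumption is that a probe with no TCP reply counts as filtered.

```python
import re
from collections import defaultdict

# Matches the SENT/RCVD TCP lines Nmap prints with --packet-trace (layout as in the traces above).
# ICMP lines are not handled; a probed port without a TCP reply is reported as filtered.
TRACE_RE = re.compile(
    r"^(?P<direction>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) ttl=(?P<ttl>\d+) id=(?P<ipid>\d+)"
)

# Traces copied from the highlights above (plain SYN scan, then the same scan with --source-port 53).
SYN_TRACE_DROPPED = [
    "SENT (0.0417s) TCP 10.10.14.2:33436 > 10.129.2.28:50000 S ttl=41 id=21939 iplen=44 seq=736533153 win=1024 <mss 1460>",
    "SENT (1.0481s) TCP 10.10.14.2:33437 > 10.129.2.28:50000 S ttl=46 id=6446 iplen=44 seq=736598688 win=1024 <mss 1460>",
]
SYN_TRACE_SPORT53 = [
    "SENT (0.0482s) TCP 10.10.14.2:53 > 10.129.2.28:50000 S ttl=58 id=27470 iplen=44 seq=4003923435 win=1024 <mss 1460>",
    "RCVD (0.0608s) TCP 10.129.2.28:50000 > 10.10.14.2:53 SA ttl=64 id=0 iplen=44 seq=540635485 win=64240 <mss 1460>",
]
# Constructed ACK-scan trace (not Nmap output from the page): port 22 answers with RST, port 25 stays silent.
ACK_TRACE = [
    "SENT (0.0300s) TCP 10.10.14.2:40001 > 10.129.2.28:22 A ttl=52 id=11111 iplen=40 seq=0 win=1024",
    "RCVD (0.0400s) TCP 10.129.2.28:22 > 10.10.14.2:40001 R ttl=64 id=0 iplen=40 seq=0 win=0",
    "SENT (0.0500s) TCP 10.10.14.2:40002 > 10.129.2.28:25 A ttl=52 id=11112 iplen=40 seq=0 win=1024",
]


def parse_trace(lines):
    """Return one dict per SENT/RCVD TCP line; any other trace line is ignored."""
    packets = []
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets


def infer_port_states(lines, scan_type):
    """Infer the port state per (target, port) from a trace.

    scan_type is "S" for a SYN scan (-sS) or "A" for an ACK scan (-sA).
    SYN-ACK back => open (SYN scan only); RST back => closed (SYN scan) or
    unfiltered (ACK scan); nothing back => filtered.
    """
    packets = parse_trace(lines)
    probed = {(p["dst"], p["dport"]) for p in packets if p["direction"] == "SENT"}
    replies = defaultdict(list)
    for p in packets:
        if p["direction"] == "RCVD":
            replies[(p["src"], p["sport"])].append(p["flags"])   # replies come from target:port
    states = {}
    for key in probed:
        flags = replies.get(key, [])
        if not flags:
            states[key] = "filtered"
        elif scan_type == "S" and "SA" in flags:
            states[key] = "open"
        elif any("R" in f for f in flags):
            states[key] = "closed" if scan_type == "S" else "unfiltered"
        else:
            states[key] = "unknown"
    return states


if __name__ == "__main__":
    print(infer_port_states(SYN_TRACE_DROPPED, "S"))   # {('10.129.2.28', 50000): 'filtered'}
    print(infer_port_states(SYN_TRACE_SPORT53, "S"))   # {('10.129.2.28', 50000): 'open'}
    print(infer_port_states(ACK_TRACE, "A"))
```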
---
`--source-port 53` Performs the scans from the specified source port. ([View Highlight](https://read.readwise.io/read/01jp4yddpz3tf9q70tj6zk27xp)) ^4dbvht
---
Now that we have found out that the firewall accepts `TCP port 53`, it is very likely that IDS/IPS filters might also be configured much weaker than others. We can test this by trying to connect to this port by using `Netcat`.
```sh
ncat -nv --source-port 53 10.129.2.28 50000
```
```
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.129.2.28:50000.
220 ProFTPd
```
([View Highlight](https://read.readwise.io/read/01jp4ye5e07gy42cq60wp5wamd))
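Both the ACK-scan highlight and the `--source-port 53` highlights describe the same weakness from the defender's side: a filter that decides on ports and flags alone, with no memory of which side opened a connection, will pass an `ACK`-only probe or a `SYN` that merely claims to come from port 53. The following is an added example (not HTB Academy code) that contrasts such a stateless rule set with a minimal stateful filter over constructed packets. The address values, the protected network `10.129.2.0/24` and the single public port 80 are assumptions made for the example.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.129.2."   # constructed: the protected network in this example
PUBLIC_PORTS = {80}          # constructed: the only service meant to be reachable from outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # Nmap-style flag letters: "S", "SA", "A", "R" ...


def is_internal(ip):
    return ip.startswith(INTERNAL_NET)


def stateless_decide(pkt):
    """Port- and flag-based rules with no connection memory (the model the highlights describe as leaky)."""
    if is_internal(pkt.src):
        return "allow"                       # outbound traffic is trusted
    if pkt.sport == 53:
        return "allow"                       # "DNS answers" trusted on source port alone
    if "S" not in pkt.flags:
        return "allow"                       # ACK-only packets look like part of an existing session
    return "allow" if pkt.dport in PUBLIC_PORTS else "drop"


class StatefulFilter:
    """Remembers sessions opened from inside; inbound packets must match one or be a SYN to a public port."""

    def __init__(self):
        self.sessions = set()                # (internal_ip, internal_port, external_ip, external_port)

    def decide(self, pkt):
        if is_internal(pkt.src):
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow"                   # reply to a session the inside opened (real DNS answers included)
        if pkt.flags == "S" and pkt.dport in PUBLIC_PORTS:
            self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "allow"
        return "drop"                        # ACK-only probes and source-port-53 SYNs end up here


def run_scenarios():
    """Return {scenario: (stateless verdict, stateful verdict)} for constructed probes."""
    fw = StatefulFilter()
    scanner, target, resolver = "10.10.14.2", "10.129.2.28", "198.51.100.53"
    scenarios = {
        "syn_scan_to_50000": Packet(scanner, 33436, target, 50000, "S"),
        "syn_scan_from_sport_53": Packet(scanner, 53, target, 50000, "S"),
        "ack_scan_to_22": Packet(scanner, 33437, target, 22, "A"),
        "syn_to_public_80": Packet(scanner, 33438, target, 80, "S"),
    }
    results = {name: (stateless_decide(p), fw.decide(p)) for name, p in scenarios.items()}
    # A genuine DNS exchange: the inside host asks first, so the answer from port 53 matches a session.
    query = Packet(target, 40000, resolver, 53, "S")
    answer = Packet(resolver, 53, target, 40000, "SA")
    stateless_decide(query)
    fw.decide(query)
    results["real_dns_answer"] = (stateless_decide(answer), fw.decide(answer))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:24s} stateless={stateless:5s} stateful={stateful}")
```

The stateful version still lets the real DNS answer through because the inside host's query created the session entry; the forged probes fail because nothing on the inside ever opened a matching connection, regardless of what source port or flags they carry.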
---