Environment:
Target system (Metasploitable): 192.168.40.160
Kali Linux: 192.168.40.155
$ nmap 192.168.40.160
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 18:40 IST
Nmap scan report for 192.168.40.160
Host is up (0.0025s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
Observed that the TCP three-way handshake completes on port 445 (SYN from Kali, SYN+ACK from the target, ACK from Kali). Run unprivileged, nmap performs a TCP connect scan, so it must finish the handshake before it knows the port is open. The fourth packet received is the RST that nmap on Kali sends to tear the freshly established session down again.
Blocking port 445 on the target with an iptables REJECT rule. REJECT answers the SYN with an ICMP port-unreachable (its default --reject-with), which the connect scan sees as a refused connection, so nmap now counts 445 among the closed ports (978 instead of 977) and no longer lists it:
$ nmap 192.168.40.160
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 18:45 IST
Nmap scan report for 192.168.40.160
Host is up (0.0022s latency).
Not shown: 978 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds
TCPDUMP on target during the nmap scan
Flush the iptables rules (iptables -F) and use DROP instead of REJECT:
$ sudo iptables -F
$ sudo iptables -A INPUT -p tcp --dport 445 -j DROP
$ nmap 192.168.40.160
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 19:54 IST
Nmap scan report for 192.168.40.160
Host is up (0.0066s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp filtered microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
With DROP, tcpdump on the target shows two SYN packets arriving (the original and nmap's retransmission) and nothing going back: no SYN+ACK and no RST. Because the probe is silently discarded, nmap cannot tell a firewall from a lost packet and reports 445 as filtered rather than closed.
No change in the nmap output, but tcpdump shows that after the SYN+ACK a RST is received from Kali at the target. A SYN, SYN+ACK, RST exchange with no third-packet ACK is the half-open handshake of a SYN scan (nmap -sS, the default when nmap runs as root), as opposed to the full connection that the unprivileged scan above completed.
nmap Output
The output shows open|filtered instead of just open, and the MAC address of the target system is visible: this scan runs with root privileges (raw sockets), so nmap resolves the target with ARP on the local segment and prints its MAC. A port that does not answer a FIN probe is reported open|filtered, because an open port and a packet-dropping firewall produce the same silence.
The tcpdump output contains no SYN packets; the probes arrive as bare FIN packets (nmap -sF).
To trace tcpdump for a closed port (a port with no service listening on it), stop the Samba service running on the target:
# /etc/init.d/samba stop
The output shows that the target receives the FIN packet from Kali and answers it with a RST, because no service is listening on the port any more. This is the rule a FIN scan relies on (RFC 793): a closed port must answer an out-of-session FIN with RST, while an open port silently discards it, so RST means closed and silence means open|filtered.
TCPDUMP
The Xmas scan (nmap -sX) sets the FIN, PSH and URG flags in the scan packets; tcpdump shows them as Flags [FPU]. The target's answers follow the same rule as for the FIN scan: RST from a closed port, silence from an open one.
TCPDUMP
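The write-up reads port state off tcpdump by eye for each scenario (connect scan, REJECT, DROP, SYN scan, FIN scan with and without Samba, Xmas scan). The script below is an added worked example, not code from nmap, tcpdump or this lab: it parses `tcpdump -nn` text lines as seen on the target and returns the scan type and the state nmap would report for one port, using nmap's documented rules for -sT/-sS/-sF/-sX. The capture lines in SAMPLES are constructed to mirror the scenarios above (they are not real captures); the IPs are the lab's, the source port 40001 and the timestamps are made up.

```python
"""Infer the nmap port state for one port from tcpdump -nn lines seen on the target.

Added worked example for this write-up; not code from nmap, tcpdump or the
original lab. SAMPLES are constructed tcpdump -nn lines (not real captures).
"""
import re

KALI, TARGET = "192.168.40.155", "192.168.40.160"
IP4 = r"\d+\.\d+\.\d+\.\d+"

# "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_RE = re.compile(r"^\S+ IP (?P<src>%s)\.(?P<sport>\d+) > (?P<dst>%s)\.(?P<dport>\d+): "
                    r"Flags \[(?P<flags>[^\]]*)\]" % (IP4, IP4))
# ICMP port unreachable, which an iptables REJECT rule sends by default
ICMP_RE = re.compile(r"^\S+ IP (?P<src>%s) > (?P<dst>%s): ICMP \S+ tcp port (?P<port>\d+) unreachable"
                     % (IP4, IP4))

def parse_line(line):
    """Return a dict for a TCP or ICMP-unreachable line, None for anything else."""
    m = TCP_RE.match(line)
    if m:
        return {"kind": "tcp", "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}
    m = ICMP_RE.match(line)
    if m:
        return {"kind": "icmp", "src": m["src"], "dst": m["dst"], "port": int(m["port"])}
    return None

def handshake_completed(lines, scanner, target, port):
    """True when the scanner sent the third-packet ACK (connect scan); False for
    the half-open SYN, SYN+ACK, RST pattern of a raw SYN scan."""
    return any(p and p["kind"] == "tcp" and p["src"] == scanner and p["dst"] == target
               and p["dport"] == port and p["flags"] == "." for p in map(parse_line, lines))

def classify(lines, scanner, target, port, privileged=False):
    """Return (scan_type, nmap_state). privileged=False models the unprivileged
    `$ nmap` connect scan of the write-up; True models sudo nmap -sS/-sF/-sX."""
    pkts = [p for p in map(parse_line, lines) if p]
    probes = [p for p in pkts if p["kind"] == "tcp" and p["src"] == scanner
              and p["dst"] == target and p["dport"] == port]
    replies = [p for p in pkts if p["kind"] == "tcp" and p["src"] == target
               and p["sport"] == port and p["dst"] == scanner]
    icmp = any(p["kind"] == "icmp" and p["src"] == target and p["port"] == port
               for p in pkts)
    if not probes:
        raise ValueError("no probe to %s:%d in capture" % (target, port))
    flags = probes[0]["flags"]
    if flags == "S":
        scan = "syn" if privileged else "connect"
        if any("R" in r["flags"] for r in replies):
            return scan, "closed"          # target answered the SYN with RST
        if any(r["flags"] == "S." for r in replies):
            return scan, "open"            # SYN+ACK seen; nmap resets it afterwards
        if icmp:
            # REJECT: connect() fails with ECONNREFUSED, so -sT reports closed;
            # a raw SYN scan maps ICMP port-unreachable to filtered instead
            return scan, "closed" if scan == "connect" else "filtered"
        return scan, "filtered"            # DROP: retransmitted SYNs, no answer
    scan = {"F": "fin", "FPU": "xmas", "": "null"}.get(flags, "unknown")
    if any("R" in r["flags"] for r in replies):
        return scan, "closed"              # RFC 793: a closed port answers RST
    if icmp:
        return scan, "filtered"
    return scan, "open|filtered"           # an open port silently discards the probe

def _tcp(src, sport, dst, dport, flags):
    """Constructed tcpdump -nn TCP line (sample data, not a real capture)."""
    return "18:40:01.000000 IP %s.%d > %s.%d: Flags [%s], length 0" % (src, sport, dst, dport, flags)

def _probe(flags):   # Kali -> target:445, made-up source port 40001
    return _tcp(KALI, 40001, TARGET, 445, flags)

def _reply(flags):   # target:445 -> Kali
    return _tcp(TARGET, 445, KALI, 40001, flags)

ICMP_UNREACH = ("18:45:01.000000 IP %s > %s: ICMP %s tcp port 445 unreachable, length 68"
                % (TARGET, KALI, TARGET))

SAMPLES = {
    "connect_open": [_probe("S"), _reply("S."), _probe("."), _probe("R.")],  # $ nmap, Samba up
    "reject":       [_probe("S"), ICMP_UNREACH],                            # iptables -j REJECT
    "drop":         [_probe("S"), _probe("S")],                             # iptables -j DROP
    "syn_open":     [_probe("S"), _reply("S."), _probe("R")],               # sudo nmap -sS
    "fin_open":     [_probe("F")],                                          # sudo nmap -sF, Samba up
    "fin_closed":   [_probe("F"), _reply("R.")],                            # sudo nmap -sF, Samba stopped
    "xmas_closed":  [_probe("FPU"), _reply("R.")],                          # sudo nmap -sX, Samba stopped
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        priv = name.startswith(("syn", "fin", "xmas"))
        print("%-13s %s" % (name, classify(lines, KALI, TARGET, 445, privileged=priv)))
```

The one branch worth noticing is the ICMP case: the same REJECT rule comes out as closed under the unprivileged connect scan (the kernel turns ICMP port-unreachable into ECONNREFUSED, which is why 445 joined the closed count in the second scan above) but as filtered under a raw SYN scan, so the port state depends on how nmap was run, not only on the firewall rule. Feed the function real `tcpdump -nn -i eth0 'host 192.168.40.155'` output from the target (one line per packet) to check a capture against the expected pattern.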