NMAP Testing: Iptables Flushed in The Target (Default)

NMAP Testing
Environment:
Target system(metasploitable): 192.168.40.160 ;
Kali Linux: 192.168.40.155
iptables flushed in the target (default)
$ nmap 192.168.40.160
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 18:40 IST
Nmap scan report for 192.168.40.160
Host is up (0.0025s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
TCPDUMP on Target and observed traffic for port 445
11:40:24.378537 IP 192.168.40.155.57862 > 192.168.40.160.microsoft-ds: S 1749119242:1749119242(0) win 64240 <mss 1460,s

11:40:24.378606 IP 192.168.40.160.microsoft-ds > 192.168.40.155.57862: S 550805118:550805118(0) ack 1749119243 win 5792
11:40:24.378728 IP 192.168.40.155.57862 > 192.168.40.160.microsoft-ds: . ack 1 win 502 <nop,nop,timestamp 4121042567 25
11:40:24.378957 IP 192.168.40.155.57862 > 192.168.40.160.microsoft-ds: R 1:1(0) ack 1 win 502 <nop,nop,timestamp 412104
Observed that the tcp 3-way handshake gets completed on port 445. The fourth packet recd I assume is the reset packet for the
acknowledge tcp session.
Port 445 REJECTed using iptables
Blocking a specific port on target with iptables using REJECT on the target
$root@metasploitable:~# sudo iptables -A INPUT -p tcp --dport 445 -j REJECT
Output of NMAP in Kali Linux
$ nmap 192.168.40.160
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
512/tcp open exec
513/tcp open login
514/tcp open shell
2049/tcp open nfs
3306/tcp open mysql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
Nmap done: 1 IP address (1 host up) scanned in 2.70 secondstcpdump on target with NMAP
Observed that port 445 is missing in the above list
TCPDUMP on Target
root@metasploitable:~# tcpdump -i eth0 tcp port 445 and ip host 192.168.40.155

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:18:07.609988 IP 192.168.40.155.45959 > 192.168.40.160.microsoft-ds: S 2616920712:2616920712(0) win 1024 <mss 1460>
Observed one syn packet at the target system. No ack packet
Port 445 DROPped with iptables
Reset the iptables (iptables -F) and use DROP instead of REJECT
$ sudo iptables -F
$ sudo iptables -A INPUT -p tcp --dport 445 -j DROP
Output at Kali system
$ nmap 192.168.40.160
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
445/tcp filtered microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
2049/tcp open nfs
3306/tcp open mysql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
Notice that the port 445 is shown as filtered
TCPDUMP output on target system
root@metasploitable:~# iptables -F && iptables -A INPUT -p tcp --dport 445 -j DROP

root@metasploitable:~# tcpdump -i eth0 tcp port 445 and ip host 192.168.40.155
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
Observed two Syn packets arrive at the target system. But no Ack.
Stealth Mode scan ("nmap -sS" as root user in Kali )
iptables flushed in Target
No change in nmap output, but TCPDUMP shows after Syn+Ack, a reset packet is recd from kali to target

11:45:06.039300 IP 192.168.40.160.microsoft-ds > 192.168.40.155.53162: S 683855253:683855253(0) ack 1519556689 win 5840
11:45:06.039509 IP 192.168.40.155.53162 > 192.168.40.160.microsoft-ds: R 1519556689:1519556689(0) win 0
Fin mode scan ("nmap -sF" as root user in Kali )
nmap Output
─# nmap -sF 192.168.40.160

PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
23/tcp open|filtered telnet
25/tcp open|filtered smtp
53/tcp open|filtered domain
80/tcp open|filtered http
111/tcp open|filtered rpcbind
139/tcp open|filtered netbios-ssn
445/tcp open|filtered microsoft-ds
512/tcp open|filtered exec
513/tcp open|filtered login
514/tcp open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2049/tcp open|filtered nfs
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
5900/tcp open|filtered vnc
6000/tcp open|filtered X11
6667/tcp open|filtered irc
8009/tcp open|filtered ajp13
8180/tcp open|filtered unknown
MAC Address: 00:0C:29:A7:AC:26 (VMware)
The output shows open|filtered instead of just open. Mac address of the target system is visible
TCPDUMP output does not have any syn packets, rather it directly has fin packets
11:48:12.907571 IP 192.168.40.155.58431 > 192.168.40.160.microsoft-ds: F 1930951553:1930951553(0) win 1024

Wanted to trace tcpdump for a closed port (port in which no service is run). So stopped the samba service which is running in the
target system
# /etc/init.d/samba stop
TCPDUMP output is interesting with fin scan in this regard

11:56:09.825908 IP 192.168.40.160.microsoft-ds > 192.168.40.155.48356: R 0:0(0) ack 2748265676 win 0
The output shows that the target receives a fin packet from Kali, however a reset packet by Target as there is no service running
in this.
Null Scan ("nmap -sN" as root user in Kali)
─# nmap -sN 192.168.40.160

PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
23/tcp open|filtered telnet
25/tcp open|filtered smtp
53/tcp open|filtered domain
80/tcp open|filtered http
111/tcp open|filtered rpcbind
139/tcp open|filtered netbios-ssn
445/tcp open|filtered microsoft-ds
512/tcp open|filtered exec
513/tcp open|filtered login
514/tcp open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2049/tcp open|filtered nfs
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
5900/tcp open|filtered vnc
6000/tcp open|filtered X11
6667/tcp open|filtered irc
8009/tcp open|filtered ajp13
8180/tcp open|filtered unknown
MAC Address: 00:0C:29:A7:AC:26 (VMware)
TCPDUMP
12:13:58.976296 IP 192.168.40.155.64962 > 192.168.40.160.microsoft-ds: . win 1024

12:14:00.069307 IP 192.168.40.155.64963 > 192.168.40.160.microsoft-ds: . win 1024
Observed two packets with no flags set directed to the target
XMAS Scan ("nmap -sX" as root user in Kali)
This uses FIN, PSH and URG flags to be set in the scan packets
TCPDUMP
12:30:18.827285 IP 192.168.40.155.44744 > 192.168.40.160.microsoft-ds: FP 3324991969:3324991969(0) win 1024 urg 0

12:30:18.928963 IP 192.168.40.155.44745 > 192.168.40.160.microsoft-ds: FP 3324926432:3324926432(0) win 1024 urg 0

NMAP Testing: Iptables Flushed in The Target (Default)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NMAP Testing: Iptables Flushed in The Target (Default)

Uploaded by

Copyright:

Available Formats

NMAP Testing

iptables flushed in the target (default)

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds

TCPDUMP on Target and observed traffic for port 445

11:40:24.378537 IP 192.168.40.155.57862 > 192.168.40.160.microsoft-ds: S 1749119242:1749119242(0) win 64240 <mss 1460,s

Port 445 REJECTed using iptables

$root@metasploitable:~# sudo iptables -A INPUT -p tcp --dport 445 -j REJECT

Output of NMAP in Kali Linux

Observed that port 445 is missing in the above list

root@metasploitable:~# tcpdump -i eth0 tcp port 445 and ip host 192.168.40.155

Observed one syn packet at the target system. No ack packet

Port 445 DROPped with iptables

Output at Kali system

Nmap done: 1 IP address (1 host up) scanned in 0.64 seconds

Notice that the port 445 is shown as filtered

TCPDUMP output on target system

root@metasploitable:~# iptables -F && iptables -A INPUT -p tcp --dport 445 -j DROP

Stealth Mode scan ("nmap -sS" as root user in Kali )

iptables flushed in Target

11:45:06.039132 IP 192.168.40.155.53162 > 192.168.40.160.microsoft-ds: S 1519556688:1519556688(0) win 1024 <mss 1460>

Fin mode scan ("nmap -sF" as root user in Kali )

─# nmap -sF 192.168.40.160

Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds

11:48:12.907571 IP 192.168.40.155.58431 > 192.168.40.160.microsoft-ds: F 1930951553:1930951553(0) win 1024

TCPDUMP output is interesting with fin scan in this regard

11:56:09.825858 IP 192.168.40.155.48356 > 192.168.40.160.microsoft-ds: F 2748265675:2748265675(0) win 1024

Null Scan ("nmap -sN" as root user in Kali)

─# nmap -sN 192.168.40.160

Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds

12:13:58.976296 IP 192.168.40.155.64962 > 192.168.40.160.microsoft-ds: . win 1024

Observed two packets with no flags set directed to the target

XMAS Scan ("nmap -sX" as root user in Kali)

12:30:18.827285 IP 192.168.40.155.44744 > 192.168.40.160.microsoft-ds: FP 3324991969:3324991969(0) win 1024 urg 0

You might also like