Open Source Tools: Part Two (More nmap options)

In the previous article, we began our look at open source tools, beginning with nmap. In this article, we continue our look at some nmap options.

nmap Options: Stealth Scanning

For any scanning you perform, it is not a good idea to use a connect scan (-sT), which fully establishes a connection to each port. Excessive port connections can cause a DoS on older machines, and will definitely raise alarms on any IDS. Therefore, you should use a stealthier port testing method with nmap, such as a SYN scan. To launch a SYN scan from nmap, you use the -sS flag, which produces a listing of the open ports on the target, and possibly open/filtered ports if the target is behind a firewall. Ports returned as open are listed with the service that port conventionally corresponds to, based on IANA port registrations as well as other commonly used port assignments.


In addition to lowering your profile with half-open scans, two other nmap options you may consider are the FTP or “bounce” scan and the idle scan, both of which can mask your IP from the target. The FTP scan (which was discussed in a previous article) takes advantage of a feature of some FTP servers, which allow anonymous users to proxy connections to other systems. If you find during your enumeration that an anonymous FTP server exists, or one to which you have login credentials, try using the -b option with user:pass@server:ftpport. If the server does not require authentication, you can skip the username and password, and unless FTP is running on a nonstandard port, you can leave out the FTP port option as well. The idle scan, using -sI zombiehost:port, has a similar result but a different method of scanning. If you can identify a target with low traffic and predictable IPID values, you can send spoofed packets to your target, with the source set to the idle target. The result is that an IDS sees the idle scan target as the system performing the scanning, keeping your system hidden. If the idle target is a trusted IP address and can bypass host-based access control lists (ACLs), then you’ll get even better results. Do not expect to be able to use a bounce or idle scan on every penetration test, but keep looking around for potential targets. Older systems, which do not offer useful services, may be the best targets for some of these scan options.
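The flip side of the point above is what the defender sees: a half-open scan never completes the handshake, so the flow records show many SYNs from one source to many ports with nothing established, which is exactly what an IDS keys on. The following Python is an added example (not from the article) that flags that pattern in a few constructed flow records; the record format, the threshold and all addresses are assumptions for the example.

```python
from collections import defaultdict

# Constructed flow records for the example: (src_ip, dst_ip, dst_port, flags_from_src).
# "S"  = SYN only, no handshake completed (what a half-open scan such as nmap -sS leaves behind)
# "SA" = SYN followed by the client's ACK, i.e. a full connection (as with a connect scan, -sT,
#        or any ordinary client). Addresses are documentation ranges; nothing here is real traffic.
SCANNER = "203.0.113.9"
CLIENT = "198.51.100.4"
SERVER = "192.0.2.10"
SAMPLE_FLOWS = (
    [(SCANNER, SERVER, port, "S") for port in range(20, 41)]    # 21 distinct ports, none completed
    + [(CLIENT, SERVER, 443, "SA"), (CLIENT, SERVER, 80, "SA")]  # normal browsing
)


def find_port_scanners(flows, port_threshold=10):
    """Group flows by source and flag sources touching many distinct (dst, port) pairs.

    Returns {src_ip: {"targets": n, "half_open": m, "scan_type": ...}} for flagged sources.
    The half-open count is why a SYN scan still trips an IDS: many SYNs, no completed sessions.
    """
    targets = defaultdict(set)
    half_open = defaultdict(int)
    for src, dst, dport, flags in flows:
        targets[src].add((dst, dport))
        if flags == "S":
            half_open[src] += 1

    flagged = {}
    for src, pairs in targets.items():
        if len(pairs) < port_threshold:
            continue
        ratio = half_open[src] / len(pairs)
        flagged[src] = {
            "targets": len(pairs),
            "half_open": half_open[src],
            # mostly unanswered SYNs -> half-open (SYN) scan; mostly full sessions -> connect scan
            "scan_type": "half-open (SYN) scan" if ratio > 0.8 else "connect scan",
        }
    return flagged


if __name__ == "__main__":
    for src, info in find_port_scanners(SAMPLE_FLOWS).items():
        print(src, info)
```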

nmap Options: Fingerprinting

You should be able to create a general idea of the remote target’s operating system from the services running and the ports open. For example, ports 135, 137, 139 or 445 often indicate a Windows-based target. [135 is used by the End Point Manager (EPMAP) to remotely manage services (and is also used by DCOM); 137 and 139 are used by NetBIOS; 445 is used by Active Directory.] However, if you want to get more specific, you can use nmap’s -O flag, which invokes nmap’s fingerprinting mode. Care needs to be taken here as well, as some older operating systems such as AIX prior to 4.1 and older SunOS versions have been known to die when presented with a malformed packet. Keep this in mind before using -O across a Class B subnet. Note also that the fingerprint option without any scan types will invoke a SYN scan, the equivalent of -sS.


In the next article, we will look at some more nmap options.

External Links:

nmap.org – the nmap site

Penetration Testing: Enumeration

Once you have hardened your system and network, it is always a good idea to scan, or penetration test, your own systems for weaknesses that may already exist or may develop. Changes are constantly made to production systems. In addition, malicious users are constantly discovering and exploiting new weaknesses. Penetration testing your own network will help you see potential weaknesses through the eyes of an attacker and will help you to close the holes.

During the scanning phase of penetration testing, you will begin to gather information about your network’s purpose: specifically, what ports, and possibly what services, it offers. Information gathered during this phase is traditionally also used to determine the operating system (or firmware version) of the target devices. The list of active targets gathered from the footprinting phase is used as the target list for this phase. You can specify any host within your approved ranges, but you may lose time trying to scan a system that perhaps does not exist, or may not be reachable from your network location.

Penetration Testing: The Enumeration Process

In penetration testing, enumeration is the process of listing and identifying the specific services and resources that are offered by a network. You perform enumeration by starting with a set of parameters, like an IP address range, or a specific Domain Name Service (DNS) entry, and the open ports on the system. Your goal for enumeration is a list of services that are known and reachable from your source. From these services, you move further into deeper scanning, including security scanning and testing. Terms such as banner grabbing and fingerprinting fall under the category of enumeration. The most common tools associated with enumeration include nmap and amap.


An example of successful enumeration would be to start with host 10.0.0.10, and TCP port 22 open. After enumeration, you should be able to state that OpenSSH is running, and what version of OpenSSH is running along with the protocol versions. Moving into fingerprinting, ideal results would tell what version of Linux/Unix is running, and what version of the kernel is running. Often your enumeration will not get to this level of detail, but you should set that as your goal.
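The OpenSSH statement above comes almost entirely from the identification string an SSH server sends right after the TCP handshake. The following Python is an added example (not from the article) that parses such banners into the product, version and protocol facts enumeration is meant to produce; the banners, hosts and version strings are constructed for the example, and only the format (RFC 4253, section 4.2) is real.

```python
import re

# Constructed SSH identification strings as a server sends them right after the TCP handshake
# (RFC 4253, section 4.2: "SSH-protoversion-softwareversion SP comments CR LF").
# Versions and comments below are made up for the example.
SAMPLE_BANNERS = {
    ("10.0.0.10", 22): b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    ("10.0.0.11", 22): b"SSH-1.99-OpenSSH_3.9p1\r\n",      # 1.99 = speaks both SSH-1 and SSH-2
    ("10.0.0.12", 2222): b"SSH-2.0-dropbear_2020.81\r\n",
    ("10.0.0.13", 22): b"220 ftp.example.net FTP server ready\r\n",  # something else on port 22
}

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ssh_banner(raw):
    """Return protocol versions, product, product version and comments, or None if not SSH."""
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        return None
    proto = m.group("proto")
    # RFC 4253, section 5.1: a server advertising 1.99 is compatible with both protocol 1 and 2
    protocols = ["1", "2"] if proto == "1.99" else [proto.split(".")[0]]
    # softwareversion is conventionally product_version, e.g. OpenSSH_8.9p1
    product, _, version = m.group("software").partition("_")
    return {
        "protocols": protocols,
        "product": product,
        "version": version or None,
        "comments": m.group("comments"),
    }


def enumerate_ssh(banners):
    """Turn {(host, port): banner} into the one-line statements the text sets as the enumeration goal."""
    results = {}
    for (host, port), raw in banners.items():
        info = parse_ssh_banner(raw)
        if info is None:
            results[(host, port)] = "not an SSH service"
            continue
        results[(host, port)] = "%s %s, SSH protocol %s" % (
            info["product"], info["version"] or "(unknown version)", "/".join(info["protocols"]))
    return results


if __name__ == "__main__":
    for target, statement in enumerate_ssh(SAMPLE_BANNERS).items():
        print("%s:%d -> %s" % (target[0], target[1], statement))
```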

Keeping good notes is important throughout penetration testing, and this phase is no exception. If the tool you are using cannot write its own log file, use a tool like tee, which lets you direct the output of a command to a log file as well as to the screen. Sometimes you will also want to know the exact flags or switches you used when you ran a tool, or what the verbose output was.

You can perform enumeration using either active or passive methods. Proxy methods may also be considered passive, as the information you gather will be from a third source, rather than intercepted from the target itself. But a truly passive scan should not involve any data being sent from the host system. Active methods are the more familiar ones in which you send certain types of packets and then receive packets in return.


Once enumeration is complete, you will have a list of targets that you will use for the next stage: scanning. You need to have specific services that are running, versions of these services, and any host or system fingerprinting that you could determine. Moving forward without this information could hamper your further efforts in exploitation.

External Links:

Penetration Testing at Wikipedia

Firewall Rules in pfSense: Part One

Firewall: Rules page in the pfSense web GUI.

In the previous article about NAT port forwarding, we used “Add associated filter rule” in order to generate the firewall rule for the Apache web server. We could, however, have chosen “None” for the “Filter Rule Association” and created the rule ourselves. This article describes how to create firewall rules.


Adding Firewall Rules

In order to do this, first browse to Firewall -> Rules. There will be two pre-configured firewall rules by default: “Block private networks” (for blocking 10.x.x.x, 172.16.x.x, and 192.168.x.x addresses) and “Block bogon networks” (for blocking bogus addresses). There will be at least three tabs: “Floating”, “WAN” and “LAN”. Select “WAN” if it isn’t already selected. Press the “Plus” button to add a new firewall rule. Under “Action”, there are three options: “Pass”, “Block”, and “Reject”. The web GUI has the following explanation of the difference between “Block” and “Reject”:

Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded.

In this case, you can leave the default unchanged as “Pass”. Next is the option to “Disable this rule”; we don’t want to do this, so leave this box unchecked. At “Interface”, you will again have a choice of “LAN”, “WAN” and whatever other interfaces were configured; choose “WAN”.

Adding a firewall rule in pfSense.

At “Protocol”, there are a number of options in addition to the four listed under NAT port forwarding. “ICMP” stands for Internet Control Message Protocol and is used to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP can also be used to relay query messages. “AH” stands for Authentication Header, which is part of the IPsec suite; it provides connectionless integrity and data origin authentication for IP datagrams and protection against replay attacks. “IGMP” stands for Internet Group Management Protocol, a connectionless protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships; it is used for one-to-many networking applications such as online streaming video and gaming, among other uses. “OSPF” stands for Open Shortest Path First, a link-state routing protocol for IP networks that falls into the group of interior routing protocols. “CARP” stands for Common Address Redundancy Protocol, a protocol which allows multiple hosts on the same local network to share a set of IP addresses. Its primary purpose is to provide failover redundancy. Finally, “pfsync” is a protocol used to synchronize firewall states between machines running Packet Filter (PF) for high availability. It is used along with CARP to make sure a backup firewall has the same state information as the main firewall. In this case, we should leave the default protocol “TCP” unchanged.


At “Source”, specify “any” as the “Type”, and at “Source Port Range”, also specify “any”. The “Type” options are the same as the options under “Source” and “Destination” for NAT port forwarding; therefore I will not go into detail on them here. In “Destination”, select “Single host or alias” as the type, and specify 192.168.1.125 (our Apache server) for the “Address”. At “Destination Port Range”, specify “HTTP”. You can leave “Log packets that are handled by this rule” unchecked unless you have reason to log the packets. Specify a “Description” if you wish and press the “Save” button to save the changes.

Firewall Rules: The Source Port Range is Usually Unknown

It should be noted that when a firewall rule is created, the “Source Port Range” is almost always set to “any”. This is because the client decides which port to open on the client computer, which may or may not be the same as the port requested on the server. The source port is an ever-changing port which the end user probably never knows about. So most of the time, we will not know the Source Port Range of the traffic being allowed in.
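To make the rule above and the block/reject distinction concrete, here is an added Python model of how an interface rule list is evaluated (example code, not pfSense's own): rules are tried top-down, the first match wins, and anything no rule passes is caught by the default deny. The rule is the one built in this article; the packets, the source ports and the dataclass layout are assumptions for the example, and the model ignores state tracking and aliases.

```python
from dataclasses import dataclass

# A simplified model of pfSense interface rules, constructed for this example (not pfSense code):
# rules on an interface tab are evaluated top-down and the first match decides the packet's fate;
# anything no rule passes is blocked by the firewall's implicit default deny.


@dataclass
class Rule:
    action: str               # "pass", "block" or "reject"
    interface: str            # "WAN", "LAN", ...
    protocol: str             # "tcp", "udp" or "any"
    src: str = "any"
    src_port: object = "any"  # an int or "any"; almost always "any", since the client picks it
    dst: str = "any"
    dst_port: object = "any"
    description: str = ""


@dataclass
class Packet:
    interface: str
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int


def _matches(field, value):
    return field == "any" or field == value


def evaluate(rules, pkt):
    """Return (verdict, response_to_sender) for the first rule matching pkt.

    pass   -> allowed, nothing sent back
    block  -> dropped silently
    reject -> dropped, and a TCP RST (tcp) or ICMP port unreachable (udp) is returned
    """
    verdict = "block"  # implicit default deny
    for r in rules:
        if (r.interface == pkt.interface and _matches(r.protocol, pkt.protocol)
                and _matches(r.src, pkt.src) and _matches(r.src_port, pkt.src_port)
                and _matches(r.dst, pkt.dst) and _matches(r.dst_port, pkt.dst_port)):
            verdict = r.action
            break
    if verdict == "reject":
        return verdict, "TCP RST" if pkt.protocol == "tcp" else "ICMP port unreachable"
    return verdict, None


# The rule built in this article: pass TCP from any source and any source port to the Apache host on HTTP.
WAN_RULES = [Rule("pass", "WAN", "tcp", dst="192.168.1.125", dst_port=80, description="Apache")]
```

Pinning the source port to 80 instead of “any” would make the same HTTP request fail, since the client's ephemeral port is whatever its operating system picked.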

In the next article, I will go into some detail on rules governing firewall rules, and some of the advanced options for firewall rules under pfSense 2.0.

External Links:

Firewall Rule Basics at doc.pfsense.org

Firewall Configuration: Aliases

One of the main functions of any firewall is to carry out port forwarding and firewall security rules, and pfSense, like any firewall, is capable of performing these functions, which can be found on the “Firewall” menu of the pfSense web interface. In this article, the first in a series covering pfSense firewall configuration, I cover creating an alias in pfSense.

Firewall Configuration: Aliases

Firewall -> Aliases page in the pfSense web GUI.

A good description of aliases can be found from the pfSense web GUI page for Firewall -> Aliases:

Aliases act as placeholders for real hosts, networks or ports. They can be used to minimize the number of changes that have to be made if a host, network or port changes. You can enter the name of an alias instead of the host, network or port in all fields that have a red background. The alias will be resolved according to the list above. If an alias cannot be resolved (e.g. because you deleted it), the corresponding element (e.g. filter/NAT/shaper rule) will be considered invalid and skipped.

Here, I create a sub-alias called “allhosts”.

With this in mind, here is how you can set up an alias in pfSense. First, browse to Firewall -> Aliases. Click the “plus” button to add a new alias. The first field is “Name”. Here, you should type in a name for the alias. At “Description”, you can add an optional description. Next, select an alias type at “Type”. Depending on which type you choose (Host(s), Network, Ports, OpenVPN Users, URL, or URL Table), you will have different fields which must be filled out to complete the configuration. Selecting “Host(s)” as the type allows you to create an alias that holds one or more IP addresses. Selecting “Network” allows you to create an alias that holds one or more networks (i.e. ranges of IP addresses). Selecting “Ports” allows you to create an alias that holds one or more ports. Selecting “OpenVPN Users” allows you to create an alias that holds one or more OpenVPN usernames. Selecting “URL” allows you to create an alias that holds one or more URLs. And selecting “URL Table” allows you to create an alias that holds a single URL pointing to a large list of addresses. This can come in handy if you need to import a large list of IP addresses and/or subnets. When you are done entering the configuration data for whichever type you selected, press “Save” to save the changes, and if necessary, press “Apply changes” to apply the changes.


An example of using an alias in adding a NAT port forwarding rule.

It is also possible to set up sub-aliases, which potentially make firewall management even easier. For example, suppose we have three hosts (host1, host2, and host3), all of which must connect to our FTP server. We could set up a sub-alias called allhosts composed of host1, host2, and host3.

Once you have added an alias, you can use it wherever there is a red text box in the pfSense GUI. Just type the name of the alias and it can be invoked.
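The allhosts example and the GUI text quoted earlier together describe how alias resolution behaves: sub-aliases expand recursively, and a rule whose alias cannot be resolved is treated as invalid and skipped. The following Python is an added model of that behaviour (not pfSense code); the alias table, the FTP port range and the rule format are constructed for the example, and the literal-versus-alias test is this model's convention rather than pfSense's.

```python
import re

# Constructed alias table for the example (not pfSense's own data): name -> members, where a member
# is an IP address, network or port literal, or the name of another alias (a sub-alias as in the text).
ALIASES = {
    "host1": ["192.168.1.11"],
    "host2": ["192.168.1.12"],
    "host3": ["192.168.1.13"],
    "allhosts": ["host1", "host2", "host3"],   # sub-alias composed of three host aliases
    "ftpports": ["21", "50000:50100"],         # a port and a port range
}

LITERAL_RE = re.compile(r"^[\d./:-]+$")  # how this model tells a literal from an alias name


class UnresolvedAlias(Exception):
    """Raised when a referenced alias does not exist (e.g. it was deleted) or refers back to itself."""


def resolve(value, aliases, _seen=frozenset()):
    """Expand value to a list of concrete members, following sub-aliases recursively."""
    if value == "any" or LITERAL_RE.match(value):
        return [value]
    if value not in aliases:
        raise UnresolvedAlias(value)
    if value in _seen:
        raise UnresolvedAlias("cycle through %s" % value)
    members = []
    for member in aliases[value]:
        members.extend(resolve(member, aliases, _seen | {value}))
    return members


def expand_rule(rule, aliases):
    """Return the rule with src, dst and dst_port expanded, or None if any alias cannot be resolved.

    None mirrors the GUI text quoted earlier: a rule referencing an unresolvable alias is
    considered invalid and skipped rather than applied with a guessed meaning.
    """
    try:
        return {key: (resolve(val, aliases) if key in ("src", "dst", "dst_port") else val)
                for key, val in rule.items()}
    except UnresolvedAlias:
        return None


# The FTP rule from the text: the three hosts (via allhosts) may reach the FTP server (address constructed).
FTP_RULE = {"action": "pass", "src": "allhosts", "dst": "192.168.1.130", "dst_port": "ftpports"}
```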

That covers firewall configuration of aliases under pfSense. In a future installment, I will cover NAT and firewall rules.


External Links:

Aliases from the pfSense wiki at doc.pfsense.org

© 2013 David Zientara. All rights reserved.