Port Scanning, Intrusion Detections, and Packet Analysis by Using Nmap, Snort and Wireshark

Then, I’ve set up a virtual lab to see how to analyze the different types of scanning from the packet and IDS perspectives.

Kali Linux is the attacker machine; it runs Nmap for the scanning activity and captures the traffic with Wireshark. I’ve installed Snort on Ubuntu 12 LTS Server as the IDS, enabled the portscan configuration and stored its log in /var/log/snort/portscan.log. Metasploitable Linux is the victim machine.

The portscan detection (sfportscan preprocessor) line in snort.conf; for more information, see README.sfportscan:

preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/portscan.log }


Configurations of my Virtual Lab:

   Kali Linux                Snort IDS            Metasploitable Linux

[192.168.197.209] --->   [192.168.197.217]  --->   [192.168.197.216]                               

TCP Connect

The attacker makes a full TCP connection to the target machine. In other words, the attacker completes the three-way handshake with the target.

I’ve created a Snort rule to detect the TCP Connect Scan and saved it to /etc/snort/rules/local.rules. Make sure that include $RULE_PATH/local.rules is enabled (uncommented) in the Snort configuration:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TCP Connect Scan"; flow:stateless; flags:SA; sid:1000001; rev:1;)

Then, test the updated configuration (-T validates the configuration without starting the sensor):

sudo snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0 -T

* Make sure there is no error.

root@fikri:~# nmap -sT 192.168.197.216

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-04 16:02 MYT
Nmap scan report for 192.168.197.216
Host is up (0.0018s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown

Snort alerts that detected the TCP Connect Scan:

05/06-09:26:19.210985  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:25 -> 192.168.197.209:38746
05/06-09:26:19.211105  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:3306 -> 192.168.197.209:60963
05/06-09:26:19.211433  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:80 -> 192.168.197.209:58625
05/06-09:26:19.212025  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:445 -> 192.168.197.209:59766
05/06-09:26:19.212333  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:53 -> 192.168.197.209:51084
05/06-09:26:19.212376  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:111 -> 192.168.197.209:51750
05/06-09:26:19.212500  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:21 -> 192.168.197.209:33474
05/06-09:26:19.212540  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:139 -> 192.168.197.209:52834
05/06-09:26:19.212776  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:22 -> 192.168.197.209:59959
05/06-09:26:19.213051  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:23 -> 192.168.197.209:33255
05/06-09:26:19.213258  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:5900 -> 192.168.197.209:51164
05/06-09:26:19.217692  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:2121 -> 192.168.197.209:49352
05/06-09:26:19.219711  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:514 -> 192.168.197.209:59499
05/06-09:26:19.223887  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:513 -> 192.168.197.209:54317
05/06-09:26:19.224417  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:6000 -> 192.168.197.209:42055
05/06-09:26:19.236785  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:2049 -> 192.168.197.209:44309
05/06-09:26:19.238558  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:512 -> 192.168.197.209:60276
05/06-09:26:19.256701  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:8009 -> 192.168.197.209:43587
05/06-09:26:19.257160  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:6667 -> 192.168.197.209:49832
05/06-09:26:19.260140  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:8180 -> 192.168.197.209:58712
05/06-09:26:19.260169  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:1099 -> 192.168.197.209:56473
05/06-09:26:19.260188  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:5432 -> 192.168.197.209:57675
05/06-09:26:19.260394  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:1524 -> 192.168.197.209:53600
05/06-09:26:22.840996  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:80 -> 192.168.197.209:58625
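The alerts above are one line per matching packet, so a scan of 23 open ports yields 23 alerts and it is left to the analyst to tie them together. The following parser is an added example, not code from the original post: it parses Snort's fast-alert format as printed above, attributes each alert to the scanning host (for the flags:SA rule with sid 1000001 the alert's source is the scanned host, because the rule fires on the SYN/ACK reply, so the scanner is the alert's destination) and reports host pairs that touched at least min_ports distinct ports inside a sliding time window. The sample lines are copied from the alerts on this page, plus a few constructed lines (the 192.168.197.50 host, the non-alert console line) to exercise the edge cases; the sid list, window size and threshold are assumptions for illustration, not Snort settings.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One Snort fast-alert line as printed by "-A console" (format taken from the alerts
# on this page). Classification is optional, ports are absent for ICMP alerts.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Rules that fire on the *reply* from the scanned host (flags:SA, sid 1000001 on this
# page), so the scanner is the alert's destination. Every other rule fires on the probe.
# Assumption for this example: extend the set with your own reply-matching sids.
REPLY_SIDS = {"1000001"}

# Constructed sample: alert lines from this page plus a few extra lines.
SAMPLE_ALERTS = """\
05/06-09:26:19.210985  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:25 -> 192.168.197.209:38746
05/06-09:26:19.211105  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:3306 -> 192.168.197.209:60963
05/06-09:26:19.211433  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:80 -> 192.168.197.209:58625
05/06-09:26:19.212025  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:445 -> 192.168.197.209:59766
05/06-09:26:19.212333  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:53 -> 192.168.197.209:51084
05/06-09:26:19.212376  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:111 -> 192.168.197.209:51750
05/06-09:26:19.212500  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:21 -> 192.168.197.209:33474
05/06-09:26:19.212540  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:139 -> 192.168.197.209:52834
05/06-09:26:19.212776  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:22 -> 192.168.197.209:59959
05/06-09:26:19.213051  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:23 -> 192.168.197.209:33255
05/06-09:26:22.840996  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:80 -> 192.168.197.209:58625
05/13-11:31:16.779717  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:6000
05/13-11:31:16.786572  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:2049
05/13-11:31:16.803884  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:8009
04/25-11:48:15.353943  [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.197.216 -> 192.168.197.209
05/13-11:31:20.000000  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.50:40000 -> 192.168.197.216:22
Commencing packet processing (pid=1234)
"""


def parse_alert(line):
    """Parse one fast-alert line into a dict; return None for lines that are not alerts."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Fast alerts carry no year, so strptime yields 1900; only relative timing matters here.
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def scanner_view(rec):
    """Return (scanner, scanned_host, probed_port) regardless of which side the rule matched."""
    if rec["sid"] in REPLY_SIDS:
        return rec["dst"], rec["src"], rec["sport"]
    return rec["src"], rec["dst"], rec["dport"]


def detect_scans(lines, window_seconds=5.0, min_ports=10):
    """Report scanner/target pairs that hit >= min_ports distinct ports inside any window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_alert(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        scanner, target, port = scanner_view(rec)
        if port is not None:
            events[(scanner, target)].append((rec["time"], port, rec["sid"]))

    findings = []
    for (scanner, target), evs in events.items():
        evs.sort()
        in_window = Counter()  # port -> number of events currently inside the window
        left, peak = 0, 0
        for t, port, _sid in evs:
            in_window[port] += 1
            # Slide the left edge forward until the window is at most window_seconds wide.
            while (t - evs[left][0]).total_seconds() > window_seconds:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            findings.append({
                "scanner": scanner,
                "target": target,
                "distinct_ports": len({p for _, p, _ in evs}),
                "peak_ports_in_window": peak,
                "sids": sorted({s for _, _, s in evs}),
            })
    return findings


if __name__ == "__main__":
    for f in detect_scans(SAMPLE_ALERTS.splitlines()):
        print(f)
```

With the sample input the single finding attributes both the SYN/ACK replies and the Null-scan probes to 192.168.197.209, which is the point of the per-sid direction handling: a rule written on the reply would otherwise make the victim look like the scanner. The single Null-scan probe from 192.168.197.50 stays below the threshold and is not reported.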


Notice that the attacker sends a SYN to different random ports on our target (the grey lines); the target responds with a RST if the port is closed (the red lines) and with a SYN/ACK if the port is open (the green line).
Notice the red line directly after the green line: the attacker sends an immediate RST after the target's SYN/ACK.

To filter in Wireshark, we applied ip.proto == 6 and tcp.flags == 18, where 6 is the decimal protocol number for TCP (reference: http://www.iana.org/assignments/protocol-numbers) and 18 is the value of the flags field: SYN (2) + ACK (16) = 18.




We can see that the TCP Connect Scan completed the full TCP connection (three-way handshake).

SYN Stealth Scan

Also known as half-open scanning: it does not complete a full TCP connection or three-way handshake. A SYN/ACK response indicates the port is listening (open), while a RST (reset) indicates the port is closed. The port is marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response.

* Reference: https://svn.nmap.org/nmap/docs/nmap.1

root@fikri:~# nmap -sS 192.168.197.216

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-04 16:47 MYT
Nmap scan report for 192.168.197.216
Host is up (0.00017s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown

The results are the same as for the TCP Connect Scan. Our "TCP Connect Scan" rule (sid 1000001) also detects this scan, because it matches the target's SYN/ACK reply, which is the same for both scan types:

05/06-11:38:10.693940  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:23 -> 192.168.197.209:44857
05/06-11:38:10.694252  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:21 -> 192.168.197.209:44857
05/06-11:38:10.694293  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:25 -> 192.168.197.209:44857
05/06-11:38:10.694607  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:5900 -> 192.168.197.209:44857
05/06-11:38:10.694740  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:139 -> 192.168.197.209:44857
05/06-11:38:10.694785  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:80 -> 192.168.197.209:44857
05/06-11:38:10.695195  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:111 -> 192.168.197.209:44857
05/06-11:38:10.695297  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:3306 -> 192.168.197.209:44857
05/06-11:38:10.695503  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:53 -> 192.168.197.209:44857
05/06-11:38:10.695623  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:22 -> 192.168.197.209:44857
05/06-11:38:10.695951  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:445 -> 192.168.197.209:44857
05/06-11:38:10.703872  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:6000 -> 192.168.197.209:44857
05/06-11:38:10.707457  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:1524 -> 192.168.197.209:44857
05/06-11:38:10.708202  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:512 -> 192.168.197.209:44857
05/06-11:38:10.710717  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:5432 -> 192.168.197.209:44857
05/06-11:38:10.713844  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:1099 -> 192.168.197.209:44857
05/06-11:38:10.731247  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:6667 -> 192.168.197.209:44857
05/06-11:38:10.734803  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:2121 -> 192.168.197.209:44857
05/06-11:38:10.736164  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:8009 -> 192.168.197.209:44857
05/06-11:38:10.738459  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:514 -> 192.168.197.209:44857
05/06-11:38:10.738461  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:8180 -> 192.168.197.209:44857
05/06-11:38:10.742900  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:2049 -> 192.168.197.209:44857
05/06-11:38:10.743216  [**] [1:1000001:1] TCP Connect Scan [**] [Priority: 0] {TCP} 192.168.197.216:513 -> 192.168.197.209:44857


We applied ip.proto == 6 and tcp.flags == 2, where 6 is the decimal protocol number for TCP and 2 is the value of the flags field: SYN = 2.



FIN Scan

If we send a FIN packet to a closed port, we get a RST back. If we get no response, the packet was either dropped by a firewall or the port is open.

The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Such firewalls try to prevent incoming TCP connections (while allowing outbound ones). Demonstrating the full, firewall-bypassing power of these scans requires a rather lame target firewall configuration. With a modern stateful firewall, a FIN scan should not produce any extra information. {NMAP Network Discovery by Gordon "Fyodor" Lyon}

According to RFC 793, "traffic to a closed port should always return RST". RFC 793 also states that if a port is open and the segment does not have the SYN, RST or ACK flag set, the packet should be dropped, since it could be an old datagram from an already closed session.

root@fikri:~# nmap -sF 192.168.197.216

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-04 16:52 MYT
Nmap scan report for 192.168.197.216
Host is up (0.00021s latency).
Not shown: 977 closed ports
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
25/tcp   open|filtered smtp
53/tcp   open|filtered domain
80/tcp   open|filtered http
111/tcp  open|filtered rpcbind
139/tcp  open|filtered netbios-ssn
445/tcp  open|filtered microsoft-ds
512/tcp  open|filtered exec
513/tcp  open|filtered login
514/tcp  open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2049/tcp open|filtered nfs
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
5900/tcp open|filtered vnc
6000/tcp open|filtered X11
6667/tcp open|filtered irc
8009/tcp open|filtered ajp13
8180/tcp open|filtered unknown
MAC Address: 00:0C:29:01:6C:33 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.37 seconds

Snort's default ruleset already contains a rule for FIN scans (sid 621, "SCAN FIN"):

04/25-11:15:03.455600  [**] [1:621:7] SCAN FIN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:42215 -> 192.168.197.216:8180
04/25-11:15:03.455609  [**] [1:621:7] SCAN FIN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:42215 -> 192.168.197.216:1099
04/25-11:15:03.455610  [**] [1:621:7] SCAN FIN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:42215 -> 192.168.197.216:6667
04/25-11:15:03.455641  [**] [1:621:7] SCAN FIN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:42215 -> 192.168.197.216:513
04/25-11:15:03.455959  [**] [1:621:7] SCAN FIN [**] [Classification: Attempted
04/25-11:15:03.456448  [**] [1:621:7] SCAN FIN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:42215 -> 192.168.197.216:25

We applied ip.proto == 6 and tcp.flags == 1, where 6 is the decimal protocol number for TCP and 1 is the value of the flags field: FIN = 1.





XMAS Scan

This type of scan sends packets with the FIN, PSH and URG flags set. If the port is open there is no response, but if the port is closed it returns a RST/ACK. It only works against target systems that follow RFC 793 and does not work against any version of Windows. It is also intended to bypass firewalls or evade IDS/IPS.

root@fikri:~# nmap -sX 192.168.197.216

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-04 16:59 MYT
Nmap scan report for 192.168.197.216
Host is up (0.00022s latency).
Not shown: 977 closed ports
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
25/tcp   open|filtered smtp
53/tcp   open|filtered domain
80/tcp   open|filtered http
111/tcp  open|filtered rpcbind
139/tcp  open|filtered netbios-ssn
445/tcp  open|filtered microsoft-ds
512/tcp  open|filtered exec
513/tcp  open|filtered login
514/tcp  open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2049/tcp open|filtered nfs
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
5900/tcp open|filtered vnc
6000/tcp open|filtered X11
6667/tcp open|filtered irc
8009/tcp open|filtered ajp13
8180/tcp open|filtered unknown

By default, Snort's ruleset already contains a rule for the XMAS scan (sid 1228, "SCAN nmap XMAS"):

04/25-11:22:25.936394  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:53005 -> 192.168.197.216:3306
04/25-11:22:25.936408  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:53005 -> 192.168.197.216:21
04/25-11:22:25.936409  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:53005 -> 192.168.197.216:445
04/25-11:22:25.936457  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:53005 -> 192.168.197.216:25
04/25-11:22:25.936458  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:53005 -> 192.168.197.216:139
04/25-11:22:25.936809  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:53005 -> 192.168.197.216:8888
04/25-11:22:25.936812  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.197.209:53005 -> 192.168.197.216:443

To filter in Wireshark, type ip.proto == 6 for TCP and tcp.flags == 41, because FIN (1) + PSH (8) + URG (32) = 41.





Null Scan

A Null scan sends TCP packets with no flags set. If the port is open, there is no response, but if the port is closed, it returns a RST.

root@fikri:~# nmap -sN 192.168.197.216
Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-04 17:11 MYT
Nmap scan report for 192.168.197.216
Host is up (0.00016s latency).
Not shown: 977 closed ports
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
25/tcp   open|filtered smtp
53/tcp   open|filtered domain
80/tcp   open|filtered http
111/tcp  open|filtered rpcbind
139/tcp  open|filtered netbios-ssn
445/tcp  open|filtered microsoft-ds
512/tcp  open|filtered exec
513/tcp  open|filtered login
514/tcp  open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2049/tcp open|filtered nfs
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
5900/tcp open|filtered vnc
6000/tcp open|filtered X11
6667/tcp open|filtered irc
8009/tcp open|filtered ajp13
8180/tcp open|filtered unknown

I have created a Snort rule to detect the TCP Null Scan:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TCP NULL Scan"; flow:stateless; flags:0; sid:1000002; rev:2;)

05/13-11:31:16.757242  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35381 -> 192.168.197.216:44501
05/13-11:31:16.757243  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35381 -> 192.168.197.216:4848
05/13-11:31:16.757559  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35381 -> 192.168.197.216:2190
05/13-11:31:16.757560  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35381 -> 192.168.197.216:5280
05/13-11:31:16.757561  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35381 -> 192.168.197.216:9415
05/13-11:31:16.757562  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35381 -> 192.168.197.216:1719
05/13-11:31:16.757600  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35381 -> 192.168.197.216:9090
05/13-11:31:16.757603  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35381 -> 192.168.197.216:9200
05/13-11:31:16.757715  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35381 -> 192.168.197.216:783
05/13-11:31:16.779717  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:6000
05/13-11:31:16.786572  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:2049
05/13-11:31:16.803884  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:8009
05/13-11:31:16.816795  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:514
05/13-11:31:16.819093  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:6667
05/13-11:31:16.823661  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:1524
05/13-11:31:16.830341  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:8180
05/13-11:31:16.834752  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:513
05/13-11:31:16.841145  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:1099
05/13-11:31:16.845869  [**] [1:1000002:2] TCP NULL Scan [**] [Priority: 0] {TCP} 192.168.197.209:35382 -> 192.168.197.216:5432

On Wireshark, type ip.proto == 6 for TCP, and tcp.flags == 0:
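Each of the Wireshark filters used on this page (tcp.flags == 18, 2, 1, 41 and 0) and each Snort flags: keyword (flags:SA, flags:0) is just a different spelling of the same TCP flag bitmask. The following helper is an added example, not code from the original post: it encodes flag names into the integer that Wireshark's tcp.flags filter compares against, decodes an observed value back into names, renders the equivalent Snort flags: keyword, and labels the flag combinations that the scan types on this page produce. The SCAN_SIGNATURES labels are assumptions chosen for this example; the bit values come from RFC 793 (and RFC 3168 for ECE/CWR).

```python
# Bit values of the TCP flags field, as used by Wireshark's tcp.flags and Snort's flags:.
TCP_FLAG_BITS = {
    "FIN": 0x001,
    "SYN": 0x002,
    "RST": 0x004,
    "PSH": 0x008,
    "ACK": 0x010,
    "URG": 0x020,
    "ECE": 0x040,  # RFC 3168
    "CWR": 0x080,  # RFC 3168
}

# Single-letter names used by Snort's flags: keyword (Snort 2.9 syntax).
SNORT_LETTERS = {"FIN": "F", "SYN": "S", "RST": "R", "PSH": "P",
                 "ACK": "A", "URG": "U", "CWR": "C", "ECE": "E"}

# Flag combinations discussed on this page, labelled for this example (assumed names).
SCAN_SIGNATURES = {
    frozenset(): "NULL scan probe",
    frozenset({"SYN"}): "SYN probe (connect or SYN stealth scan)",
    frozenset({"SYN", "ACK"}): "SYN/ACK reply from an open port",
    frozenset({"FIN"}): "FIN scan probe",
    frozenset({"FIN", "PSH", "URG"}): "XMAS scan probe",
    frozenset({"ACK"}): "ACK scan probe",
    frozenset({"RST"}): "RST reply from a closed port",
    frozenset({"RST", "ACK"}): "RST/ACK reply from a closed port",
}


def encode_flags(names):
    """Integer value of the flags field with exactly the given flags set."""
    value = 0
    for name in names:
        if name.upper() not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag: {name!r}")
        value |= TCP_FLAG_BITS[name.upper()]
    return value


def decode_flags(value):
    """Sorted list of flag names set in an integer flags value (12-bit field in Wireshark)."""
    if not 0 <= value <= 0xFFF:
        raise ValueError("tcp.flags is a 12-bit field")
    return sorted(name for name, bit in TCP_FLAG_BITS.items() if value & bit)


def wireshark_filter(names):
    """Display filter equivalent to the 'ip.proto == 6 and tcp.flags == N' filters above."""
    return f"ip.proto == 6 && tcp.flags == {encode_flags(names)}"


def snort_flags_keyword(names):
    """Argument for Snort's flags: keyword matching exactly these flags ('0' for none)."""
    wanted = {n.upper() for n in names}
    letters = "".join(SNORT_LETTERS[n] for n in TCP_FLAG_BITS if n in wanted)
    return letters or "0"


def classify(value):
    """Label a flags value with the scan signature it matches on this page, or None."""
    return SCAN_SIGNATURES.get(frozenset(decode_flags(value)))


if __name__ == "__main__":
    for combo in ([], ["SYN"], ["SYN", "ACK"], ["FIN"], ["FIN", "PSH", "URG"]):
        v = encode_flags(combo)
        print(f"{v:3d}  {wireshark_filter(combo):32s}  flags:{snort_flags_keyword(combo):4s}  {classify(v)}")
```

Both Snort's flags:SA (with no modifier) and Wireshark's tcp.flags == 18 are exact-match conditions on the whole field, which is why the rule above fires on the target's SYN/ACK replies and not on the bare SYN probes; a Snort rule with flags:S would match the probe side instead.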




TCP ACK Scan

An ACK scan sends packets with only the ACK flag set to the target machine. If there is no response or an ICMP destination unreachable message is returned, the port is considered "filtered". If a RST is returned, it is considered "unfiltered".

root@fikri:~# nmap -sA 192.168.197.216
Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-04 17:18 MYT
Nmap scan report for 192.168.197.216
Host is up (0.00087s latency).
All 1000 scanned ports on 192.168.197.216 are unfiltered



UDP Scan

For closed UDP ports, the target system responds with ICMP Destination Unreachable (Port Unreachable).

root@fikri:~# nmap -sU 192.168.197.216
Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-04 17:22 MYT

Snort alert for UDP Scan:

04/25-11:48:15.353943  [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.197.216 -> 192.168.197.209
04/25-11:48:16.155937  [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.197.216 -> 192.168.197.209
04/25-11:48:16.957610  [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.197.216 -> 192.168.197.209
04/25-11:48:18.560793  [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.197.216 -> 192.168.197.209
04/25-11:48:19.362707  [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.197.216 -> 192.168.197.209




Portscans captured by Snort's sfportscan preprocessor. View the log with tail -f /var/log/snort/portscan.log:

IP Count: 1
Scanner IP Range: 192.168.197.209:192.168.197.209
Port/Proto Count: 15
Port/Proto Range: 1008:49640

Time: 04/25-11:48:16.155691
event_ref: 0
192.168.197.209 -> 192.168.197.216 (portscan) UDP Portscan
Priority Count: 13
Connection Count: 17
IP Count: 1
Scanner IP Range: 192.168.197.209:192.168.197.209
Port/Proto Count: 15
Port/Proto Range: 1008:49640

Time: 04/25-11:49:47.514771
event_ref: 0
192.168.197.209 -> 192.168.197.216 (portscan) UDP Portscan
Priority Count: 13
Connection Count: 17
IP Count: 1
Scanner IP Range: 192.168.197.209:192.168.197.209
Port/Proto Count: 15
Port/Proto Range: 1000:49185

Time: 04/25-11:49:47.514765
event_ref: 0
192.168.197.209 -> 192.168.197.216 (portscan) UDP Portscan
Priority Count: 13
Connection Count: 17
IP Count: 1
Scanner IP Range: 192.168.197.209:192.168.197.209
Port/Proto Count: 15
Port/Proto Range: 1000:49185

Time: 04/25-11:51:18.872331
event_ref: 0
192.168.197.209 -> 192.168.197.216 (portscan) UDP Portscan
Priority Count: 13
Connection Count: 18
IP Count: 1
Scanner IP Range: 192.168.197.209:192.168.197.209
Port/Proto Count: 15
Port/Proto Range: 983:49204

Time: 04/25-11:51:18.872323
event_ref: 0
192.168.197.209 -> 192.168.197.216 (portscan) UDP Portscan
Priority Count: 13
Connection Count: 18
IP Count: 1
Scanner IP Range: 192.168.197.209:192.168.197.209
Port/Proto Count: 15
Port/Proto Range: 983:49204
