Advanced Technology and Defense measures of Nmap

2025-02-23 Update. From: SLTechnology News&Howtos (shulou). Category: Network Security


Shulou(Shulou.com)06/01 Report--

Nmap Network Security Audit (5): Advanced Techniques and Defensive Measures. Camouflage Techniques of Nmap

Many people believe that the ability to evade firewall rules and deceive an IDS should not be built into Nmap. However, many other security tools already provide these features, so having them in Nmap helps network administrators test and strengthen their own defences. Nmap does not ship dedicated tools or options for detecting and breaking through firewalls and IDS systems, but it does provide the underlying techniques.

-f (fragment probe packets)

Use the -f option to fragment the probe packets that Nmap sends. The original packet is split into several small IP fragments, which makes it harder for the target network's defences, such as packet filters and firewalls, to inspect and detect them. This option must be used with caution, because some older systems crash (kernel panic) when handling fragmented packets.

nmap -f 192.168.0.103

To see this more intuitively, we can capture the traffic of this step with a packet capture tool. We will find that a large number of packets carry the "Fragmented IP protocol" flag. This flag indicates that these packets are fragments of a larger datagram.

We can also find a warning in the scan output, which indicates that the feature we have just demonstrated may not work properly on Windows.

--mtu (use the specified MTU)

MTU (maximum transmission unit) is the largest packet size that a given layer of a communication protocol can pass along. The default MTU of Ethernet is generally 1500 bytes. This means that when the sender's upper protocol layer hands a 2008-byte packet to the IP layer, the total length of the IP packet becomes 2028 bytes once the 20-byte IP header is added. 2028 is greater than 1500, so the packet is fragmented.

Use the --mtu parameter in Nmap to specify the fragment size. The value must be a multiple of 8.

nmap --mtu 16 192.168.0.103

Because this did not succeed on my Windows machine, I will not paste the result here for the time being. Here we also use the packet capture tool to check, and we will find that the size of each packet sent has been changed to 16 bytes.
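To make the fragmentation mechanics behind -f and --mtu concrete, here is an added example (not code from the article or from Nmap) that builds IPv4 headers in pure Python, splits a payload into fragments whose data part is a multiple of 8 bytes, flags a packet the way Wireshark's "Fragmented IP protocol" indicator does (MF bit set or non-zero fragment offset), and reassembles the pieces. The IP addresses, IP ID and the checksum-less header are constructed for illustration; nothing here is sent on the wire.

```python
import struct

IP_HEADER_LEN = 20
ETHERNET_MTU = 1500
MF_FLAG = 0x1  # "more fragments" bit of the IPv4 flags field


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4_header(total_length, ident, flags, frag_offset_units,
                      ttl=64, proto=6, src="192.168.0.1", dst="192.168.0.103"):
    """20-byte IPv4 header. The checksum is left at zero: we only parse these
    bytes locally (constructed example), we never transmit them."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (flags << 13) | frag_offset_units
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, ident,
                       flags_frag, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))


def needs_fragmentation(payload_len, mtu=ETHERNET_MTU):
    """The article's arithmetic: 2008 bytes of data + 20-byte header = 2028 > 1500."""
    return payload_len + IP_HEADER_LEN > mtu


def fragment(payload, frag_data_size, ident=0x1234):
    """Split one IP payload into fragments carrying `frag_data_size` bytes each
    (the quantity --mtu controls; it must be a positive multiple of 8, because the
    fragment offset field counts in 8-byte units)."""
    if frag_data_size <= 0 or frag_data_size % 8 != 0:
        raise ValueError("fragment data size must be a positive multiple of 8")
    frags, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + frag_data_size]
        more = offset + len(chunk) < len(payload)
        header = build_ipv4_header(IP_HEADER_LEN + len(chunk), ident,
                                   MF_FLAG if more else 0, offset // 8)
        frags.append(header + chunk)
        offset += len(chunk)
    return frags


def parse_ipv4(packet):
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:IP_HEADER_LEN])
    _ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, _src, _dst = fields
    return {"total_length": total_len, "id": ident, "ttl": ttl, "proto": proto,
            "mf": bool((flags_frag >> 13) & MF_FLAG),
            "offset": (flags_frag & 0x1FFF) * 8,  # back to bytes
            "payload": packet[IP_HEADER_LEN:total_len]}


def is_fragment(packet):
    """What a capture tool shows as 'Fragmented IP protocol': MF set or offset != 0."""
    p = parse_ipv4(packet)
    return p["mf"] or p["offset"] != 0


def reassemble(fragments):
    """Reassemble the fragments of one datagram (same IP ID). Returns the payload,
    or None when a piece is missing, which is also why stateless filters that
    look at a single fragment cannot see the full TCP header."""
    parts = sorted((parse_ipv4(f) for f in fragments), key=lambda p: p["offset"])
    buf = b""
    for p in parts:
        if p["offset"] != len(buf):
            return None  # gap in the offsets: a fragment was lost or withheld
        buf += p["payload"]
    if not parts or parts[-1]["mf"]:
        return None  # last fragment never arrived
    return buf


if __name__ == "__main__":
    probe = b"A" * 40  # constructed 40-byte probe payload
    pieces = fragment(probe, 16)
    print(len(pieces), "fragments;", [is_fragment(p) for p in pieces])
    print("reassembled ok:", reassemble(pieces) == probe)
```

The same parser can be pointed at packets read from a pcap: a defender counting how many incoming datagrams have `is_fragment()` true per source, or how many never reassemble, gets a simple signal that someone is sending deliberately fragmented probes.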

-D (hide the scan using decoy hosts)

Usually a scan against a target may be noticed. A better approach is to forge a large number of host addresses that appear to scan the target at the same time. The target host can see that it is being scanned, but because the probe packets come from many hosts, even an IDS only knows that a scan is in progress and cannot tell which host is really scanning. This is a common technique for concealing your own IP.

Nmap supports decoy hosts. When scanning, use the -D option to specify the decoys, separating each decoy IP address with a comma; you can also include your own real IP as one of the decoys with the ME entry. If you put ME in the sixth position or later, some commonly used port scan detectors will not report your real IP at all. If you do not use ME, Nmap puts the real IP in a random position.

The hosts used as decoys must be up, otherwise the scan may turn into a SYN flood against the target, which is what we usually call a DoS/DDoS. And if there is only one host up on the network, then no matter how many decoys you generate, it is obvious that this host is the one scanning.

The decoy option can be used in the ping scan phase (ICMP, SYN, ACK, etc.) that we discussed earlier, in the actual port scan phase, and in the remote operating system detection phase. However, it cannot be used for version detection or TCP connect scanning.

We use the following command to test, adding RND:10 after the -D parameter to generate ten random decoy hosts. (The more decoys are generated, the slower the scan and the less accurate the results.)

nmap -D RND:10 192.168.0.103

If we now capture the traffic with the packet capture tool, we can see that many packets with different source addresses are being sent.

--source-port; -g (source port spoofing)

Network security controls include access control list (ACL) technology, which restricts packets mainly by IP address and port number. Sometimes it is necessary to make sure that DNS and FTP keep working: DNS responses come from port 53 and FTP data connections come from port 20. In many cases the network administrator simply allows data from these source ports into the network, which is in fact a loophole in the protected network boundary.

Nmap provides the -g and --source-port parameters to take advantage of this weakness, so that Nmap can send its probes from such rarely inspected or forgotten source ports. Let's test it, specifying 8888 as the source port for the scan.

nmap -g 8888 192.168.0.103

Here, too, we can use the packet capture tool to inspect the outgoing packets. In the "Source port" field of each packet we can see that the source port is 8888.
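The loophole described above is a property of the ACL, not of Nmap, so the useful thing to see is what the rule looks like on the defender's side. The following added example (not from the article and not real firewall configuration) models a few constructed inbound packets and evaluates them against two hypothetical policies: a port-based rule that admits anything with source port 53 or 20, and a stateful rule that admits only replies to flows this network initiated and never a bare SYN. The addresses, ports and flow table are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"
    syn: bool = False     # TCP SYN flag (ignored for udp)
    ack: bool = False     # TCP ACK flag (ignored for udp)


# Constructed inbound packets as seen at the network border.
PACKETS = [
    Packet("203.0.113.9", 53, "192.168.0.103", 5353, "udp"),                         # real-looking DNS reply
    Packet("203.0.113.9", 53, "192.168.0.103", 22, "tcp", syn=True),                 # SYN probe sent from port 53 (-g 53)
    Packet("203.0.113.9", 20, "192.168.0.103", 445, "tcp", syn=True),                # SYN probe sent from port 20 (-g 20)
    Packet("203.0.113.9", 8888, "192.168.0.103", 80, "tcp", syn=True),               # the article's -g 8888 probe
    Packet("198.51.100.5", 53, "192.168.0.103", 40001, "tcp", syn=True, ack=True),   # SYN/ACK answering our own connection
]

# Flows that hosts inside the network opened themselves: (proto, our ip, our port, peer ip, peer port).
OUTBOUND_FLOWS = {
    ("udp", "192.168.0.103", 5353, "203.0.113.9", 53),    # we sent a DNS query
    ("tcp", "192.168.0.103", 40001, "198.51.100.5", 53),  # we connected to a DNS server over TCP
}


def weak_acl(pkt):
    """Source-port-based allow rule: 'let DNS and FTP in' implemented by trusting the port number."""
    return pkt.src_port in (53, 20)


def stateful_acl(pkt, outbound_flows):
    """Stateful rule: inbound traffic is admitted only if it answers a flow we initiated,
    and a TCP segment with SYN but no ACK is a brand-new connection, so it is dropped
    regardless of which source port it claims."""
    flow = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
    if flow not in outbound_flows:
        return False
    if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
        return False
    return True


def compare_policies(packets, outbound_flows):
    """Return (allowed_by_weak, allowed_by_stateful) counts for a batch of packets."""
    weak = sum(weak_acl(p) for p in packets)
    stateful = sum(stateful_acl(p, outbound_flows) for p in packets)
    return weak, stateful


if __name__ == "__main__":
    for p in PACKETS:
        print(f"{p.src_ip}:{p.src_port} -> :{p.dst_port} {p.proto:3}  "
              f"weak={weak_acl(p)!s:5}  stateful={stateful_acl(p, OUTBOUND_FLOWS)}")
    print("allowed (weak, stateful):", compare_policies(PACKETS, OUTBOUND_FLOWS))
```

The weak policy lets the two forged-source-port SYN probes through purely because of the number they carry; the stateful policy rejects them because no inside host asked for those packets and a bare SYN is never a reply. The 8888 probe is rejected by both here, since nothing trusts that port, which is exactly why the technique works only against ports the administrator has chosen to trust.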

--data-length (append random data to sent packets)

By default Nmap sends only protocol headers; the payload is empty. As a result a TCP probe is only 40 bytes and an ICMP echo request only 28 bytes. We discussed such empty packets before: they are easy for network detection mechanisms to spot. So when trying to get past these mechanisms you can append a specified number of random bytes to each packet. This option slows down most ping and port scans, but the impact is not significant.

Use --data-length to specify 25 bytes of padding:

nmap --data-length 25 192.168.0.103

To confirm the change, you again need to capture the traffic. In the packet capture software you can see that the data part of each packet sent is 25 bytes long.

--ttl (set the IP time-to-live)

TTL stands for time to live. In Nmap you can set the TTL field of outgoing IPv4 packets to a specified value with the --ttl parameter.

nmap --ttl 25 192.168.0.103

No more screenshots are posted here, because the scan results all look the same. The difference is only visible when you analyse the modified field values in the packets with the packet capture software.

--spoof-mac (MAC address spoofing)

This option lets you specify the source MAC address that Nmap uses for the frames it sends during a scan. It implies the --send-eth option, so that Nmap sends raw Ethernet frames. Nmap accepts several formats for the argument. If you simply pass the string 0, Nmap chooses a completely random MAC address. If you pass an even number of hexadecimal digits (the pairs optionally separated by colons), Nmap uses exactly that MAC address. If fewer than 12 hexadecimal digits are given, Nmap fills the remainder of the six bytes randomly. If the argument is neither 0 nor a hexadecimal string, Nmap looks it up as a vendor name in nmap-mac-prefixes; if a match is found, it uses that vendor's three-byte prefix and fills the remaining three bytes randomly.

Scanning with a forged MAC address (-PR ARP ping scan):

nmap -sn -PR --spoof-mac 0 192.168.0.103
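On the defending side, a forged source MAC shows up on the local segment as an ARP reply whose hardware address does not match what was seen before for that IP, or whose vendor prefix is not in the OUI table (the same three-byte prefixes nmap-mac-prefixes maps to vendor names). The following added example, which is not from the article and does not use Nmap's own OUI file, monitors a constructed list of ARP observations and raises those two alerts; the four-entry OUI table and all addresses are constructed stand-ins.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed stand-in for a vendor prefix table (a real one has tens of thousands of entries).
OUI_TABLE = {
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "3c:22:fb": "Apple",
    "b8:27:eb": "Raspberry Pi Foundation",
}


def normalize_mac(mac):
    """Lower-case, colon-separated form so that 00-0C-29-.. and 00:0c:29:.. compare equal."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def vendor_of(mac, oui_table=OUI_TABLE):
    """Vendor name for the first three bytes, or None if the prefix is unassigned/unknown."""
    return oui_table.get(normalize_mac(mac)[:8])


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address was chosen by software,
    not burned in by the manufacturer. Not proof of spoofing on its own
    (VMs and privacy-randomised Wi-Fi adapters set it too), but worth a column."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def monitor_arp(observations, oui_table=OUI_TABLE):
    """observations: iterable of (timestamp, ip, mac) taken from ARP replies.
    Returns alerts as (timestamp, ip, mac, reason):
      - "unknown_oui": the MAC's vendor prefix is not in the table
      - "mac_changed_from_<old>": the IP was previously answered by a different MAC
    """
    seen = {}
    alerts = []
    for ts, ip, raw_mac in observations:
        mac = normalize_mac(raw_mac)
        if vendor_of(mac, oui_table) is None:
            alerts.append((ts, ip, mac, "unknown_oui"))
        previous = seen.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, ip, mac, f"mac_changed_from_{previous}"))
        seen[ip] = mac
    return alerts


# Constructed ARP observations: the gateway answers twice with its usual MAC,
# then once with a random address (the kind of thing --spoof-mac 0 produces).
ARP_OBSERVATIONS = [
    ("10:00:01", "192.168.0.1", "00:0c:29:11:22:33"),
    ("10:00:02", "192.168.0.1", "00-0C-29-11-22-33"),
    ("10:00:03", "192.168.0.1", "a6:5f:3d:9c:01:77"),
    ("10:00:04", "192.168.0.50", "b8:27:eb:aa:bb:cc"),
]

if __name__ == "__main__":
    for alert in monitor_arp(ARP_OBSERVATIONS):
        print(alert)
```

An IP-to-MAC change alone is normal after a DHCP lease moves or a NIC is replaced, so in practice the "mac_changed" alert is the one to correlate with the scan activity seen in the packet capture; the "unknown_oui" check is cheap and catches fully random addresses most of the time, though a prefix chosen from the vendor table (the `--spoof-mac Apple` style) would pass it.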

Detection of TCP Connect scans

I covered the TCP Connect scan earlier and was not going to write about it again, but let me note it down here anyway.

TCP Connect scanning is one of the most basic scanning methods. Nmap initiates a connection request to each port and, for an open port, completes the full three-way handshake before closing the connection. This scan is easy to detect because Nmap sends a packet to every target port. If the port is closed, the target replies with a packet that has the RST and ACK flags set. If the port is open, the target replies with a packet that has the SYN/ACK flags set; Nmap then sends a packet with the ACK flag set to complete the three-way handshake, and these completed connections generate a large number of log entries on the target. Let's test and analyse this experiment. I use the physical machine 192.168.126.1 to scan the virtual machine 192.168.126.139. During this period we can see a great deal of TCP Connect activity. Initiating connections to so many TCP ports this frequently very likely means that someone is scanning your host. If a network detection device is deployed on the network, it will raise an alarm once a certain threshold is reached.

You can see that a large number of ports receive connection attempts during this short period of time.
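The threshold alarm described in this section, and the earlier point that a decoy scan (-D) still looks like several sources probing the same ports at the same time, can both be reduced to simple counting over connection records. The following added example (not from the article; the log format is invented for the example and is not any product's format) parses constructed SYN log lines, flags any source that touches more than a threshold of distinct destination ports within a sliding time window, and then groups flagged sources that hit the identical port set, which is the shape a decoy scan leaves behind. All hosts, ports and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Invented one-line-per-SYN format: "<iso time> <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def detect_scans(lines, port_threshold=10, window_s=5):
    """Return {"scanners": {src: max distinct ports seen inside one window},
               "decoy_groups": [sorted list of flagged sources sharing an identical port set]}."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:  # new-connection attempts only
            by_src[rec["src"]].append(rec)

    scanners = {}
    for src, events in by_src.items():
        events.sort(key=lambda r: r["ts"])
        best = 0
        for i, start in enumerate(events):
            ports = set()
            for rec in events[i:]:
                if (rec["ts"] - start["ts"]).total_seconds() > window_s:
                    break
                ports.add(rec["dport"])
            best = max(best, len(ports))
        if best >= port_threshold:
            scanners[src] = best

    # Decoy signature: several flagged sources probing exactly the same ports.
    by_port_set = defaultdict(list)
    for src in scanners:
        by_port_set[frozenset(r["dport"] for r in by_src[src])].append(src)
    decoy_groups = [sorted(srcs) for srcs in by_port_set.values() if len(srcs) > 1]
    return {"scanners": scanners, "decoy_groups": sorted(decoy_groups)}


def build_sample_log():
    """Constructed log: one host connecting to 20 ports in 2 s (the article's connect scan),
    three sources hitting the same 12 ports in the same second (decoy pattern), and a benign host."""
    lines = []
    for i, port in enumerate(range(21, 41)):
        lines.append(f"2025-02-23T10:00:{i % 2:02d} 192.168.126.1:{50000 + i} -> 192.168.126.139:{port} SYN")
    ports = [22, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389, 8080]
    for src in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for j, port in enumerate(ports):
            lines.append(f"2025-02-23T10:01:00 {src}:{40000 + j} -> 192.168.126.139:{port} SYN")
    lines.append("2025-02-23T10:02:00 10.0.0.99:51000 -> 192.168.126.139:80 SYN")
    lines.append("2025-02-23T10:02:30 10.0.0.99:51001 -> 192.168.126.139:443 SYN")
    lines.append("2025-02-23T10:02:31 192.168.126.139:443 -> 10.0.0.99:51001 SYN,ACK")  # reply, not counted
    return lines


if __name__ == "__main__":
    report = detect_scans(build_sample_log())
    print("scanners:", report["scanners"])
    print("decoy groups:", report["decoy_groups"])
```

The decoy grouping only tells you that a set of addresses moved together; it cannot say which member is real, which is the point of -D. What it does give a defender is the right unit to block or rate-limit (the whole group) and a timestamp to line up against the ARP and packet-size observations from the other sections.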

Prevention of operating system scanning

When maintaining a network, the easiest measure is to patch the system and install updates promptly. But this by itself does not stop others from scanning, so it is best to add security devices such as firewalls. In addition, Morph and IP Personality are also good protection software.

The best way to defend against operating system scanning on the network is to feed the other side false information to confuse it; the two programs above can be used for this.

I have not used either of them myself. If you are interested, you can try them yourself.

Problems

There should be no big problems. This part mainly requires using Nmap together with Wireshark, so that the effect of each experiment is more obvious and easier to understand.

Why did I post a Wireshark screenshot only for the last point? Because I am lazy about making screenshots. After a while I will post articles on the usage and operation of Wireshark, which may go into more detail in some places. Basic network knowledge such as TTL and ACL I actually did not want to write up; it is here as my own review.
