Advanced Nmap: Scanning Firewalls Continued

Verify firewall security

The previous article detailed methods to scan an IPCop-based firewall in a test environment. The scan output revealed several open ports, which could lead to various vulnerabilities. Based on the scan results, several recommendations were given to secure the firewall better. Now, it is time to verify whether these recommendations have been implemented. Of course, the tool to be used for verification is Nmap.

A small recap: to scan a firewall effectively, you must check every port, its state and the service behind it. No single scan type tells the whole story, so use as many scan types as the target allows (TCP Connect, SYN, UDP and so on), combine their results and arrive at the final list of ports and corresponding services. While scanning, do not forget the Nmap timing options, which let you fine-tune the scan and get results quickly. Table 1 summarises the basics of firewall scanning.

Table 1: Firewall scanning details
Port status   Nmap state           Details
Blocked       closed or filtered   Most of the firewall's ports should be blocked. A port that answers a probe with a RST (or an ICMP unreachable, for UDP) shows as closed; a port whose probes are silently dropped shows as filtered.
Filtered      filtered             A few ports may be filtered to restrict the running services to a handful of source IP addresses; from any other address they look just like dropped ports.
Allowed       open                 Very few ports should be open. Whenever you find one, probe further (service and version detection) and close any port that is not required.

The test setup is as follows:

  • Nmap PC: openSUSE Linux; 192.168.1.201 (scans performed with root privileges)
  • Firewall Internet (Red) port: PPPoE IP 117.x.x.x
  • Firewall Internal (Green) port: 192.168.1.1

Before we begin, let’s have a quick review of the recommendations:

  • Firewall HTTPS interface (TCP port 775) is being used for remote management. This should be enabled only at the time of remote management/reconfiguration.
  • Disable the transparent proxy mode of the firewall
  • Restrict HTTPS and SSH access to the firewall only to the MAC address of the administrator PC.
  • Further scan all remaining ports (1,001-65,535) to identify running services.
  • Reconfigure the firewall to provide the NTP service on the internal network.

Now, let us go ahead with the actual verification scans.

Earlier, port 775 was found to be open by both a TCP Connect scan and a SYN scan. We run both scans again; the Connect scan is shown in Table 2. (Some lines of the actual scan output have been removed for reasons of space.)

Table 2: TCP Connect scan

Command:
nmap -PN -sT -vv -n -p1-1000 -T4 -oN NmapTCPConnect.txt 117.X.X.X
    -PN skips host discovery and treats the target as up, so a firewall that ignores ping probes still gets scanned; -n does not do reverse DNS, thus saving time; -T4 selects the aggressive timing template for faster execution; -oN saves the normal output to a file so it can be compared with later scans.

Results:
Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-23 15:23 IST
Initiating Connect Scan at 15:23
Scanning 117.X.X.X [1000 ports]
Connect Scan timing: About 30.00% done; ETC: 15:25 (0:01:12 remaining)
Connect Scan timing: About 60.00% done; ETC: 15:25 (0:00:41 remaining)
Completed Connect Scan at 15:25, 101.04s elapsed (1000 total ports)
Nmap scan report for 117.X.X.X
Host is up.
All 1000 scanned ports on 117.X.X.X are filtered
    All of the first 1,000 TCP ports are filtered: neither a SYN/ACK nor a RST came back, so the firewall drops the probes instead of answering them. Port 775, found open in the previous article, is no longer reachable from outside.

Both the TCP Connect scan and the SYN scan report every port between 1 and 1,000 as filtered: external access stands blocked. Let us continue scanning the firewall for ports 1,001 to 65,535 (Table 3). To save scan time, the round-trip timeout is reduced; bear in mind that this trades accuracy for speed, as Nmap itself points out.

Table 3: SYN scan of TCP ports 1001 to 65535

Command:
nmap -PN -sS -f -vv -n -p1001-65535 -T4 --max-rtt-timeout 15 -oN NmapSYNScan.txt 117.X.X.X
    Timing settings changed for better performance: --max-rtt-timeout caps how long Nmap waits for the reply to each probe, overriding the 1,250 ms that -T4 sets on its own (15 is taken as 15 ms, as the warning below shows; appending the unit, 15ms, avoids any ambiguity). -f sends the probes as small IP fragments, an attempt to slip past a packet filter that does not reassemble fragments before deciding.

Results:
WARNING: You specified a round-trip time timeout (15 ms) that is EXTRAORDINARILY SMALL. Accuracy may suffer.
    As soon as the timeout is set this low, Nmap warns that accuracy may suffer: any reply that takes longer than 15 ms is treated as lost, so a port that does respond can still be reported as filtered. Use such a low value only where a cross-check at normal timing exists, as it does here for ports 1 to 1,000.
Nmap scan report for 117.X.X.X
Host is up
All 64535 scanned ports on 117.X.X.X are filtered
    All ports are filtered; none are open.
Nmap done: 1 IP address (1 host up) scanned in 209.93 seconds
    Make a note of the time required: 64,535 ports in about 210 seconds, against about 101 seconds for 1,000 ports in the earlier Connect scan at default timing.

Continue probing further to detect open UDP ports (Table 4).

Table 4: UDP ports scan

Command:
nmap -PN -sU -vv -n -p U:1-65535 -T4 --max-rtt-timeout 15 -oN NmapSYNScan.txt 117.X.X.X
    UDP port scan of all 65,535 ports. Note that this reuses (and overwrites) the SYN scan's output file; give each scan its own file if you want to keep both.

Results:
Starting Nmap 5.21 (http://nmap.org) at 2011-01-23 15:47 IST
Initiating UDP Scan at 15:47
Completed UDP Scan at 15:50, 212.71s elapsed (65535 total ports)
Nmap scan report for 117.X.X.X
Host is up.
All 65535 scanned ports on 117.X.X.X are open|filtered
    No port is confirmed open. open|filtered is Nmap's verdict when a UDP probe gets no reply at all: a silently dropped probe and an open service that does not answer look identical. This is a weaker result than the TCP verdict of filtered, and the 15 ms timeout weakens it further; to confirm a specific UDP port, rescan it with -sV, which sends protocol-specific payloads and can turn open|filtered into open.
Nmap done: 1 IP address (1 host up) scanned in 212.94 seconds

After scanning all 65,535 TCP and UDP ports from outside, nothing is reported open: every TCP port is filtered and every UDP port is open|filtered, which is exactly what a firewall with a drop policy on its Red interface should look like. Now the firewall scanning continues from the internal (Green) side. The command used is shown in Table 5.

Table 5: Firewall scanned internally

Command:
nmap -vv -sU -sT -p1-1000 -n -r -T4 -oN NmapIPCopInternal.txt 192.168.1.1
    UDP and TCP Connect scans of ports 1 to 1,000 in one run; -r scans the ports in sequential order instead of randomising them, which makes the verbose progress output easier to follow. Host discovery is left enabled: on the local subnet, Nmap (run as root) uses an ARP ping.

Results:
Starting Nmap 5.21 (http://nmap.org) at 2011-01-25 21:56 IST
Completed ARP Ping Scan at 21:56, 0.00s elapsed (1 total hosts)
Completed UDP Scan at 21:57, 23.10s elapsed (1000 total ports)
Discovered open port 53/udp on 192.168.1.1
Initiating Connect Scan at 21:57
Scanning 192.168.1.1 [1000 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 800/tcp on 192.168.1.1
    Only two open TCP ports and one open UDP port are found.
Nmap scan report for 192.168.1.1
Host is up (0.043s latency).
Not shown: 999 open|filtered ports, 998 filtered ports
    The 999 are the remaining UDP ports (no reply) and the 998 the remaining TCP ports; even from the inside, the firewall drops probes to unused ports rather than answering with RSTs.

PORT    STATE SERVICE
53/tcp  open  domain
800/tcp open  mdbs_daemon
53/udp  open  domain
    The SERVICE column here comes from Nmap's port-number table (nmap-services), not from talking to the service: 800/tcp is listed as mdbs_daemon only because that is the registered name for the port. Service detection (-sV) gives the real answer, as shown next.
MAC Address: 00:21:97:88:28:21 (Elitegroup Computer System)
Nmap done: 1 IP address (1 host up) scanned in 37.78 seconds

The scanning continues further for service detection:

nmap -vv -n -sV -p 800 192.168.1.1

This gives the following details:

PORT        STATE     SERVICE        VERSION
800/tcp     open      http-proxy     Squid webproxy 2.7.STABLE9

Scanning all ports on the firewall is done by issuing the following command:

nmap -vv -sU -sT -p T:1-65535,U:1-65535 -n -r -T4 -oNmapIPCopInternalAllPorts.txt 192.168.1.1

This single command scans all TCP and UDP ports in one go. The results are the same as for the earlier scan: the same three open ports (53/tcp, 800/tcp and 53/udp) and nothing else. The UDP scan requires more than three minutes, while the TCP scan requires about 100 seconds.

Observations

After scanning all TCP and UDP ports, the result clearly shows that the only open ports are port 53 on both TCP and UDP (the DNS service) and TCP port 800 (the Squid Web proxy). No other port is open: from the outside everything is dropped, and from the inside the remaining ports are filtered rather than answered. NTP has been stopped altogether: UDP port 123 no longer shows as open, so instead of being offered to the internal network as recommended, the service has simply gone away. (Like every other unused UDP port it is reported open|filtered, meaning it did not answer Nmap's probe; to be certain, query it directly with -sU -sV -p U:123.) Also note that port 80, which was being used for the transparent proxy, is no longer open.

Further recommendations for this firewall

  1. Schedule regular scans of the firewall, from inside as well as from outside, and compare each result with the previous one to detect rule modifications.
  2. Monitor firewall and proxy logs regularly.
  3. Check for IPCop version updates/security patches regularly.
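The recap above says to combine several scan types into one final port list, and recommendation 1 says to rescan on a schedule and look for rule changes. The following POSIX shell script, added here as an example and not taken from the article or from IPCop, does both: it parses Nmap's grepable (-oG) output, merges the ports that any scan reported open, and diffs the result against an allow-list of the ports that should be open. The scan result files and the baseline are constructed inline for the demonstration (the drift they show, SSH on 22/tcp appearing and Squid's 800/tcp disappearing, is hypothetical); run_scans only illustrates how the real files would be produced and is not called.

```shell
#!/bin/sh
# Merge several Nmap grepable (-oG) result files into one list of open
# ports and diff it against an allow-list of the ports that should be open.
# Added example; not part of the original article or of IPCop.

# How the input files would be produced on a real run (root is needed for
# -sS and -sU; the article's Nmap 5.21 spells -Pn as -PN).  Not called here.
run_scans() {
    target=$1 outdir=$2
    nmap -Pn -n -sT -p1-65535 -oG "$outdir/connect.gnmap" "$target"
    nmap -Pn -n -sS -p1-65535 -oG "$outdir/syn.gnmap" "$target"
    nmap -Pn -n -sU -p1-65535 -oG "$outdir/udp.gnmap" "$target"
}

# og_ports FILE: print "proto port state service" for every port entry in
# a -oG file.  An entry looks like 53/open/tcp//domain/// (fields are
# port/state/protocol/owner/service/rpc/version/).
og_ports() {
    awk -F '\t' '
        /^Host:/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entry, /, */)
                    for (j = 1; j <= n; j++) {
                        split(entry[j], f, "/")
                        printf "%s %s %s %s\n", f[3], f[1], f[2], f[5]
                    }
                }
            }
        }' "$1"
}

# merged_open FILE...: union of the ports that any scan type reported as
# "open", as sorted unique "proto port" lines.  open|filtered is
# deliberately not counted: it means no reply, not a confirmed service.
merged_open() {
    for f in "$@"; do og_ports "$f"; done \
        | awk '$3 == "open" { print $1, $2 }' | sort -u
}

# compare_baseline BASELINE FILE...: report open ports the baseline does not
# allow (UNEXPECTED) and allowed ports that are no longer open (MISSING).
# Returns 1 on any deviation, so a cron job can alert on the exit status.
compare_baseline() {
    baseline=$1; shift
    deviations=$(merged_open "$@" | awk -v base="$baseline" '
        BEGIN {
            while ((getline line < base) > 0)
                if (line != "" && line !~ /^#/) want[line] = 1
            close(base)
        }
        { seen[$0] = 1; if (!($0 in want)) print "UNEXPECTED", $0 }
        END { for (k in want) if (!(k in seen)) print "MISSING", k }' | sort)
    [ -z "$deviations" ] && return 0
    printf '%s\n' "$deviations"
    return 1
}

# --- Constructed sample data: imitates the -oG layout, not real scan output ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_og() {  # write_og FILE "PORT ENTRIES" "IGNORED STATE"
    printf 'Host: 192.168.1.1 ()\tStatus: Up\nHost: 192.168.1.1 ()\tPorts: %s\tIgnored State: %s\n' \
        "$2" "$3" > "$1"
}
# Hypothetical drift: SSH (22/tcp) has appeared and the Squid port (800/tcp) is gone.
write_og "$tmp/connect.gnmap" '22/open/tcp//ssh///, 53/open/tcp//domain///' 'filtered (65533)'
write_og "$tmp/syn.gnmap"     '22/open/tcp//ssh///, 53/open/tcp//domain///' 'filtered (65533)'
write_og "$tmp/udp.gnmap"     '53/open/udp//domain///, 123/open|filtered/udp//ntp///' 'open|filtered (65533)'
# Allow-list taken from the article's internal scan: DNS on 53/tcp and 53/udp, Squid on 800/tcp.
printf '# ports allowed open on the Green (internal) interface\ntcp 53\ntcp 800\nudp 53\n' \
    > "$tmp/baseline.txt"

echo "Merged open ports:"
merged_open "$tmp/connect.gnmap" "$tmp/syn.gnmap" "$tmp/udp.gnmap"
echo "Deviations from baseline:"
compare_baseline "$tmp/baseline.txt" "$tmp/connect.gnmap" "$tmp/syn.gnmap" "$tmp/udp.gnmap" \
    || echo "(firewall rules have drifted; investigate)"
```

Keep one baseline file per interface (the Red side's list is empty) and run the comparison from cron after each scheduled scan; a non-zero exit is the signal to look at the firewall's rule set and logs.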
All published articles are released under Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherwise noted.
Open Source For You is powered by WordPress, which gladly sits on top of a CentOS-based LEMP stack.
