  Playing hide and seek with the firewall using NMAP on Linux
     
  Add Date : 2017-01-08      
         
         
         
  When a firewall is deployed on a Linux system, it can be used to prevent other hosts from scanning the machine.

If the enterprise network has a separate firewall, it can no longer achieve similar restrictions. Some companies deploy intrusion detection systems that can proactively block suspected malicious behavior, such as NMAP scans. But combined with certain options, the NMAP command can play hide and seek with the firewall or intrusion detection system.

Some administrators have questioned the NMAP developers' intent in providing these options, since the options are likely to be exploited by attackers. But a tool is neither good nor bad; it depends on how people use it. Some system administrators often use these NMAP options to improve their network security deployment. I, for one, like to use this command to play hide and seek with firewalls and other security software. That is, I pose as an attacker to test whether these security systems can stop the attack and whether I leave traces in their logs. Seen from another perspective, this may help the company find security vulnerabilities.

There are many such options. Due to space limitations I cannot cover them all, so I will explain only some of the common ones.

First, fragmenting the packets.

Firewalls and similar security devices can be used to filter scan packets. But this filtering strategy is not very safe. For example, NMAP's -f option splits the TCP header across several packets. In that case, it is difficult for the packet filter of a firewall or intrusion detection system to filter the TCP packet. This allows the NMAP scan command to play hide and seek with these security measures.

When the -f option is used, a 20-byte TCP header is split into three packets: two carry eight bytes of the TCP header each, and the third carries the remaining four bytes. Under normal circumstances, the packet filters applied by security measures queue all IP fragments, but do not use the fragmented packets themselves. Because the packets are fragmented, it is difficult for these filters to identify this type of packet. The fragments are then reassembled at the host into a legitimate TCP packet. In most cases, these security measures should prohibit such packets, because they have a great impact on enterprise network performance, affecting both the firewall and the terminal equipment. On a Linux firewall, you can configure whether IP fragments are queued and place restrictions on TCP packet fragmentation.

As you can see, the nmap -f command can deceive firewalls and other security measures to a certain degree. We can use this very command to test whether the security software we use is really safe. As far as I know, although this threat has existed for many years, not all security products can effectively prevent it even now. So the -f option can help system administrators judge clearly whether the security products they have adopted can respond to possible attacks. For example, if scan prevention is configured on the firewall and the system administrator gets no results from the nmap -f command, the firewall policy is effective. If instead the command still returns results normally (though it may take longer), then nmap -f can successfully play cat and mouse with the firewall, and the system administrator needs to pay attention to the security of the Linux firewall.
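The following check is an added example, not part of the original article: it shows how a filter or IDS rule can recognise the 8/8/4 header split described above by looking at the IPv4 fragment fields alone, in the spirit of the tiny-fragment check in RFC 1858. The packet builder, the documentation-range addresses and the function names are constructed for illustration.

```python
import struct

TCP_MIN_HEADER = 20  # bytes; the header that nmap -f spreads over 8 + 8 + 4

def make_ipv4(payload_len, offset, more_fragments, proto=6):
    """Build a constructed IPv4 packet (checksum left at 0, documentation IPs)."""
    flags_off = (0x2000 if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         flags_off, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return header + bytes(payload_len)

def parse_ipv4(pkt):
    """Extract the fields needed to reason about fragmentation."""
    ver_ihl, _tos, total_len, _ident, flags_off, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "more_fragments": bool(flags_off & 0x2000),
        "offset": (flags_off & 0x1FFF) * 8,  # field counts 8-byte units
        "payload_len": total_len - ihl,
    }

def is_tiny_tcp_fragment(pkt):
    """True if a fragment boundary falls inside the 20-byte TCP header."""
    f = parse_ipv4(pkt)
    if f["proto"] != 6:                       # only TCP is of interest here
        return False
    if not f["more_fragments"] and f["offset"] == 0:
        return False                          # not fragmented at all
    if f["offset"] == 0:                      # first fragment: header cut short
        return f["payload_len"] < TCP_MIN_HEADER
    return f["offset"] < TCP_MIN_HEADER       # later fragment starts in header

def classify_samples():
    """Run the check over constructed packets; returns a list of booleans."""
    samples = [
        make_ipv4(8, 0, True),         # 8/8/4 split, fragment 1
        make_ipv4(8, 8, True),         # 8/8/4 split, fragment 2
        make_ipv4(4, 16, False),       # 8/8/4 split, fragment 3
        make_ipv4(20, 0, False),       # ordinary unfragmented TCP header
        make_ipv4(1480, 0, True),      # ordinary large packet, first fragment
        make_ipv4(1480, 1480, False),  # ordinary large packet, last fragment
    ]
    return [is_tiny_tcp_fragment(p) for p in samples]

if __name__ == "__main__":
    print(classify_samples())
```

Ordinary fragmentation of a large packet is not flagged, because its first fragment still carries the complete TCP header.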

Second, scanning with a fake IP address.

Under normal circumstances, a firewall or client computer records information about visitors, such as their IP addresses. If you scan with the nmap command, the scan leaves the scanner's IP address on the firewall or client host. Leaving this "evidence" is very unfavorable to the scanner. In addition, in the firewall configuration the system administrator may allow only a particular IP address to perform scans, while scan packets from other IP addresses are filtered out. In this case, whether the aim is to hide one's true identity or to impersonate a legitimate address, the NMAP scan needs a technique called source address spoofing.

Speaking of this technique, I have to mention a kind of phone scam that has emerged recently and is very similar to source address spoofing. Sometimes we receive a phone call or a text message from a friend asking us to send money. Although the phone displays the friend's number, the sender is not necessarily your friend, because there is now a technology that can modify the sender's phone number. The sender can display whatever number he wants. Source address spoofing works on the same principle as this phone number spoofing. With a command of the form "nmap -S <scanner IP address> <scanned IP address>", an attacker can hide his own IP address and use a fake one. The fake address can be used whether or not it exists on the network. It is the disguised IP address that shows up in the firewall or operating system log.

For this reason, when purchasing firewalls and other security products, Linux system administrators can use the nmap -S command to test whether the firewall has a way to deal with source address spoofing attacks. For example, first enable logging on the firewall, then use the nmap -S command to scan the firewall or another host, and then check the logs to see whether the recorded IP address is the scanner's disguised IP address or the real one. This gives a simple way to judge whether firewalls and other security products can cope with source address spoofing attacks. Although logging the attacker's true identity is somewhat after the fact, it is of great value for finding the attacker quickly and preventing the attack from recurring. For this reason, security products need some capability to prevent source address spoofing.

Third, using decoys for covert scanning.

Source address spoofing can hide the scanner's identity, but this technique can disguise only one IP address in a single scan. The currently popular way of hiding the host's IP address is to use decoys. Simply put, an attacker can take several IP addresses that are in use on the network, present them as his own, and scan hosts on the network. The security device then does not know which IP address is the real one. For example, the firewall may record port scans from 5-8 IP addresses. This is a relatively covert and effective means of hiding one's IP address.

Even more interesting, the attacker can include his real IP address, to make the attack more challenging and test the defender's wits. The system administrator can use the ME option to place his own IP address among the decoy IP addresses. Typically, when one's own IP address is placed toward the rear, it is difficult for the firewall to detect it. However, with decoy IP addresses it is quality that counts, not quantity. If IP addresses with relatively high privileges (for example, addresses on which some firewall policies on a Linux server are based) are added to the decoy list, they can have a surprise effect. Too many decoy addresses, on the other hand, make the scan take too long or give inaccurate results. Worst of all, they can degrade the performance of the scanned network and attract the attention of the other side's network administrator.

In fact, there are now methods of guarding against the decoy technique. Methods such as route tracing and response dropping can be used to prevent an attacker from using decoys for covert scanning. Sometimes this security mechanism is very important to a business, because a decoy-based covert scan not only lets an attacker secretly collect information about important hosts on the corporate network in preparation for a follow-up attack; the nmap -D command can also easily lead to a SYN flood. When a host that the attacker uses as a decoy is not up, the target host is hit by a SYN flood. This is a more dangerous means of attack.

Now that solutions to decoy-based covert scanning exist, what Linux system administrators or network engineers need to do is test whether the firewall or other security product provides such a solution. Sometimes the salesperson's description alone is not enough, and we need to test it ourselves. The nmap command can obviously help us test this.
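When reviewing the logs after such a test, the situation described above (several addresses recorded as scanning at once) can itself be looked for. The detector below is an added example, not part of the original article and not one of the prevention methods it names: it groups sources that probed the same set of ports on one target. The log lines, addresses, thresholds and function name are constructed for illustration, and the grouping heuristic is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in an iptables-LOG-like key=value style.
DECOY_GROUP = ["203.0.113.5", "203.0.113.9", "198.51.100.23", "203.0.113.77"]
SAMPLE_LOG = [
    f"Jan  8 10:00:0{i} fw kernel: IN=eth0 SRC={src} DST=192.0.2.20 "
    f"PROTO=TCP SPT=4{i}000 DPT={port} SYN"
    for i, src in enumerate(DECOY_GROUP) for port in (22, 80, 443)
] + [
    "Jan  8 10:00:07 fw kernel: IN=eth0 SRC=198.51.100.80 DST=192.0.2.20 "
    "PROTO=TCP SPT=51514 DPT=443 SYN",   # ordinary client, one port only
]

FIELDS = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

def decoy_scan_candidates(lines, min_sources=3, min_ports=3):
    """Find targets probed on the same port set by several sources.

    Assumes `lines` already covers one short time window. Returns a list of
    (target, sorted ports, sorted sources); any one source may be the real one.
    """
    probed = defaultdict(set)                 # (dst, src) -> ports probed
    for line in lines:
        m = FIELDS.search(line)
        if m:
            src, dst, port = m.groups()
            probed[(dst, src)].add(int(port))
    groups = defaultdict(list)                # (dst, port set) -> sources
    for (dst, src), ports in probed.items():
        if len(ports) >= min_ports:
            groups[(dst, frozenset(ports))].append(src)
    return [(dst, sorted(ports), sorted(srcs))
            for (dst, ports), srcs in groups.items()
            if len(srcs) >= min_sources]

if __name__ == "__main__":
    for target, ports, sources in decoy_scan_candidates(SAMPLE_LOG):
        print(target, ports, sources)
```

The result narrows the question to a group of addresses; it does not say which one is real, which is exactly the ambiguity the article describes.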

The nmap command has many similar options. For example, the --source-port option implements source port spoofing; the --data-length option appends extra, unneeded data to the packets sent; the --spoof-mac option implements MAC address spoofing, which, combined with source address spoofing, can defeat security policies that bind MAC addresses to IP addresses; and so on. If attackers use these options, they will undoubtedly threaten Linux network security. However, if we use these options first to test the security of our own network and hosts and close these loopholes ahead of time, the attacker will come away empty-handed. So I think a tool is neither good nor bad in itself; it depends on the user's state of mind. For this reason I suggest you use the NMAP command to play hide and seek with your corporate firewalls and other security products, to determine whether the so-called security system is really safe.
     
         
         
         
     
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.