lahuja@amity.edu
5. XPROBE2
Description: It is an operating system fingerprinting tool.
With this tool we can detect which OS the target host is
running. The tool is just an information gathering tool. While
scanning we also analyse the pfSense firewall logs and see
which packets are sent to the target to do OS
fingerprinting.
Fig.2.2
6. ARMITAGE
Description: This tool is used for target exploitation and is developed by Rapid7. Through this tool we exploit the target according to a weak hole or vulnerability in the target machine, and also check what happens and the importance of the firewall.
FINDING AND ANALYSIS
After setting up the labs, we start our experiment. Our first step of the experiment is Information Gathering.
For Information Gathering we use the nmap tool to scan both the scenarios.
INFORMATION GATHERING
We perform a scan through nmap (2); with this scan we get information about the host system, what ports are open, etc.
WITH FIREWALL
When we do the same scanning on scenario 2, it shows that ports 21 [ftp], 80 [http] and 443 [https] are closed and the rest of the ports are filtered.
Fig 2.1
PFSENSE FIREWALL LOG FOR TCP CONNECT SCAN
Now let's analyse the pfSense firewall log. Here you can see that the attack starts from the Source address (192.168.75.10) to the Destination (192.168.101.100), and you can also see the ports used in this scanning.
The Protocol used in TCP connect scan is: TCP:S
STEALTH SCAN (SYN SCAN)
It is also known as a half-open scan because it never forms a complete connection between the target and the scanner machine.
Now let us see the outcome of the stealth scan without a firewall (scenario 1) and with a pfSense firewall (scenario 2).
WITHOUT FIREWALL
Command : nmap -sS 192.168.189.130
The below image shows the output of the stealth scan.
Fig3.1
WITH FIREWALL
BENEFIT OF FIREWALL: You can see that the firewall filtered all the ports and states them as closed ports.
Fig3.2
PFSENSE FIREWALL LOG FOR STEALTH SCAN
In the log we can analyse what type of protocol is used, the scanning done from source to destination, the type of interface and at what time this scan is performed.
International Research Journal of Computers and Electronics Engineering (URJCEE)
Vol. 1, Iss. 1, May 2013
Fig 3.3
4. UDP SCANNING
UDP scanning is used to check whether ports on the remote target are open, closed or open/filtered.
In this scanning we use UDP packets: we send the UDP packets to the target host, and the result is given according to the reply.
For example: when we send the UDP packets to the target machine and an ICMP Unreachable reply comes back, it means that the ports are closed.
If the UDP packet reaches the target machine and no reply comes back, it means the port is open but filtered.
And if a proper reply comes back, then it means the port is closed.
WITH FIREWALL
Now in the firewall environment, when we do a UDP scan the output looks as shown below.
Fig.4.2
4. ACKNOWLEDGEMENT SCAN
It shows whether the target ports are filtered or unfiltered. It sends TCP ACK frames to the remote port, and if there is no response, the port is considered to be filtered.
And if the response comes as RST (RESET), then it means it is unfiltered.
WITHOUT FIREWALL
Without a firewall, it normally shows all the 1000 ports are unfiltered.
Fig.5.1
WITH FIREWALL
When we do an acknowledgement scan in scenario 2, it displays that the host is blocking the ping probes.
Basically this is done by the pfSense firewall, which blocks the ping probes; that is why this type of response comes.
See the below image for more details -
Fig.5.2
PFSENSE FIREWALL LOG FOR ACKNOWLEDGEMENT SCAN
Now when we analyse the firewall logs we can see that the acknowledgement scan is detected, with the source and destination IPv4 addresses.
See the below image for more details -
Fig 5.4
FIREWALL LOG :
In this firewall log you will see that the acknowledgement packets are detected, and it is very easy for the administrator to understand that the attacker is trying to get information about the filtered and unfiltered ports in the network.
See the below image for more details -
Fig.5.4
6. TRACEROUTE
It is a route analysis tool, which is used to trace the route to the target host.
WITH FIREWALL
Below you can see that in scenario 2, when we perform a traceroute command on the target IP address, it shows packets are lost during transmission (the reason could be the firewall filtering).
See the below image for more details -
Fig.6.1
LOG FOR TRACEROUTE
Through the log analysis, we can see that the UDP protocol is used. It means that traceroute used UDP packets.
See the below image for more details -
Fig.6.2
WITH FIREWALL
In this tcptraceroute example, without a lost transmission, our packets successfully reached the target and give all the route information.
Fig 7.1
FIREWALL LOG FOR TCPTRACEROUTE
Fig.7.2
Fig.8.1
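The firewall-log passages above (TCP connect, stealth, acknowledgement and traceroute) all read the same columns to recognise a scan. As an added example, not from the paper, this Python code groups constructed log rows by source, destination and protocol label and flags groups that touch several distinct ports. The row layout, the `TCP:A` and `UDP` labels, the 3-port threshold and host 192.168.75.20 are assumptions.

```python
from collections import defaultdict

# Constructed sample rows (not taken from the paper's figures) with the fields the
# page reads from the pfSense log: time, interface, source, destination, protocol.
# "TCP:A" and "UDP" are assumed by analogy with the page's "TCP:S" label.
SAMPLE_LOG = """\
May 10 11:02:01 WAN 192.168.75.10:51000 192.168.101.100:21 TCP:S
May 10 11:02:01 WAN 192.168.75.10:51000 192.168.101.100:22 TCP:S
May 10 11:02:01 WAN 192.168.75.10:51000 192.168.101.100:80 TCP:S
May 10 11:02:02 WAN 192.168.75.10:51000 192.168.101.100:443 TCP:S
May 10 11:05:10 WAN 192.168.75.10:51001 192.168.101.100:21 TCP:A
May 10 11:05:10 WAN 192.168.75.10:51001 192.168.101.100:25 TCP:A
May 10 11:05:10 WAN 192.168.75.10:51001 192.168.101.100:110 TCP:A
May 10 11:09:30 WAN 192.168.75.10:40000 192.168.101.100:33434 UDP
May 10 11:09:31 WAN 192.168.75.10:40000 192.168.101.100:33435 UDP
May 10 11:09:32 WAN 192.168.75.10:40000 192.168.101.100:33436 UDP
May 10 11:12:00 WAN 192.168.75.20:52000 192.168.101.100:80 TCP:S
May 10 11:12:05 WAN 192.168.75.20:52001 192.168.101.100:80 TCP:S
"""

def parse(line):
    """Split one row into (time, interface, src_ip, dst_ip, dst_port, proto)."""
    month, day, clock, iface, src, dst, proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return f"{month} {day} {clock}", iface, src.rsplit(":", 1)[0], dst_ip, int(dst_port), proto

def label(proto, ports):
    """Name the probe pattern from the protocol column and the ports touched."""
    if proto == "UDP":  # classic traceroute sends UDP to ports from 33434 upward
        return "UDP traceroute" if min(ports) >= 33434 else "UDP scan"
    return {"TCP:S": "SYN probes (TCP connect or stealth scan)",
            "TCP:A": "ACK scan (filtered/unfiltered mapping)"}.get(proto, "other")

def detect_scans(log, min_ports=3):
    """Flag (source, destination, proto) groups that touch many distinct ports."""
    ports = defaultdict(set)
    first_seen = {}
    for line in log.strip().splitlines():
        ts, iface, src, dst, port, proto = parse(line)
        key = (src, dst, proto)
        ports[key].add(port)
        first_seen.setdefault(key, (ts, iface))
    return {k: (label(k[2], p), *first_seen[k], sorted(p))
            for k, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for (src, dst, proto), (what, ts, iface, plist) in detect_scans(SAMPLE_LOG).items():
        print(f"{ts} {iface} {src} -> {dst} {proto}: {what}, ports {plist}")
```

A blocked TCP connect scan and a stealth scan both appear as bare SYN packets, so the protocol column alone cannot tell them apart; the distinct-port count is what separates a scanner from the client that only revisits port 80.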
WITHOUT FIREWALL
Here you can see that it detects the running OS as Linux kernel 2.4,
with a surety of 100% that it is a Linux kernel.
See the below image for more details -
Fig.10.1
SCENARIO 2
When we try to attack the target machine, we are unable to
attack that machine. We try various techniques through Armitage,
but all are unsuccessful because of the filter device or firewall.
See the below image for more details -
Fig.9.1
Fig 10.2
Fig.9.2