A small recap: to scan a firewall effectively, you must check every port, its state (open, closed or filtered), and the service running on any port that turns out to be open. The best strategy is to use as many scan types as possible, combine their results, and arrive at a final list of ports and corresponding services. While scanning, remember to use Nmap's timing options to tune the scan and get results quickly. Table 1 gives the basics of firewall scanning.
Table 1: Firewall scanning details

| Port status | Port type | Details |
| --- | --- | --- |
| Blocked | Closed port | Most of the firewall's ports should be closed: nothing listens on them, and a probe is answered (TCP RST or ICMP port-unreachable) rather than ignored. |
| Filtered | Filtered port | A few ports may be filtered (probes are dropped without a reply) to restrict the running services to a few permitted IP addresses. |
| Allowed | Open port | Very few ports should be open. Whenever you find one, probe it further and close any non-required service. |
The test setup is as follows:
- Nmap PC: openSUSE Linux; 192.168.1.201 (scans performed with root privileges)
- Firewall Internet (Red) port: PPPoE IP 117.x.x.x
- Firewall Internal (Green) port: 192.168.1.1
Before we begin, let’s have a quick review of the recommendations:
- Firewall HTTPS interface (TCP port 775) is being used for remote management. This should be enabled only at the time of remote management/reconfiguration.
- Disable the transparent proxy mode of the firewall
- Restrict HTTPS and SSH access to the firewall only to the MAC address of the administrator PC.
- Further scan all remaining ports (1,001-65,535) to identify running services.
- Reconfigure the firewall to provide the NTP service on the internal network.
Now let us go ahead with the actual scans.
Earlier, port 775 was found open by both a TCP connect scan and a SYN scan. We run both scans again; Table 2 shows the TCP connect scan (some lines of the actual output have been removed to save space).
Table 2: TCP Connect scan

| Command and results | Explanation |
| --- | --- |
| nmap -PN -sT -vv -n -p1-1000 -T4 -oN NmapTCPConnect.txt 117.X.X.X | -PN (spelt -Pn in current Nmap) skips host discovery, since the firewall does not answer pings; -sT is a full TCP connect scan; -n skips reverse DNS, saving time; -T4 selects the aggressive timing template for faster execution; -oN writes normal output to the named file. |
| Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-23 15:23 IST | |
| Initiating Connect Scan at 15:23 | |
| Scanning 117.X.X.X [1000 ports] | |
| Connect Scan timing: About 30.00% done; ETC: 15:25 (0:01:12 remaining) | |
| Connect Scan timing: About 60.00% done; ETC: 15:25 (0:00:41 remaining) | |
| Completed Connect Scan at 15:25, 101.04s elapsed (1000 total ports) | Note the time taken: about 101 seconds for 1,000 ports with default RTT settings. |
| Nmap scan report for 117.X.X.X | |
| Host is up. | With -PN, Nmap assumes the host is up instead of testing it. |
| All 1000 scanned ports on 117.X.X.X are filtered | The first 1,000 TCP ports are filtered, not closed: no SYN/ACK and no RST came back, so the firewall silently drops the probes. A closed port would have answered with a RST. |
Both the TCP connect scan and the SYN scan now report all ports between 1 and 1,000 as filtered, so port 775 is no longer reachable from the Internet, in line with the first recommendation. Let us continue scanning the firewall for ports 1,001 to 65,535 (Table 3). To save scan time, the maximum RTT timeout is reduced; the price is accuracy, as Nmap itself points out.
Table 3: SYN scan of TCP ports 1001 to 65535

| Command and results | Explanation |
| --- | --- |
| nmap -PN -sS -f -vv -n -p1001-65535 -T4 --max-rtt-timeout 15 -oN NmapSYNScan.txt 117.X.X.X | -sS is a half-open SYN scan; -f fragments the probe packets; --max-rtt-timeout 15 caps the wait for each reply at 15 ms (Nmap 5.21 reads a bare number as milliseconds), which is the timing change made for better performance. |
| WARNING: You specified a round-trip time timeout (15 ms) that is EXTRAORDINARILY SMALL. Accuracy may suffer. | As soon as the timeout is set this low, Nmap warns about accuracy: a reply that arrives after 15 ms is ignored, so a genuinely open port can be misreported as filtered. Treat results obtained this way as a quick first pass and re-check anything important with default timing. |
| Nmap scan report for 117.X.X.X | |
| Host is up | |
| All 64535 scanned ports on 117.X.X.X are filtered | All ports are filtered; none are open. |
| Nmap done: 1 IP address (1 host up) scanned in 209.93 seconds | Make a note of the time required: about 210 seconds for 64,535 ports, against about 101 seconds for 1,000 ports in the earlier scan with default timing. |
Continue probing further to detect open UDP ports (Table 4).
Table 4: UDP ports scan

| Command and results | Explanation |
| --- | --- |
| nmap -PN -sU -vv -n -p U:1-65535 -T4 --max-rtt-timeout 15 -oN NmapUDPScan.txt 117.X.X.X | -sU scans all 65,535 UDP ports, with the same shortened RTT timeout; the output goes to its own file so the SYN scan results are not overwritten. |
| Starting Nmap 5.21 (http://nmap.org) at 2011-01-23 15:47 IST | |
| Initiating UDP Scan at 15:47 | |
| Completed UDP Scan at 15:50, 212.71s elapsed (65535 total ports) | |
| Nmap scan report for 117.X.X.X | |
| Host is up. | |
| All 65535 scanned ports on 117.X.X.X are open\|filtered | No UDP port answered. For UDP, silence is ambiguous: an open service that ignores the probe and a firewall that drops the probe look identical, so Nmap reports open\|filtered rather than open or closed (a closed UDP port returns an ICMP port-unreachable). This shows the firewall drops all UDP from outside; on its own it does not prove that no UDP service is running. |
| Nmap done: 1 IP address (1 host up) scanned in 212.94 seconds | |
After scanning all 65,535 TCP and UDP ports from outside, we find no open port: every TCP port is filtered and every UDP port is open|filtered, i.e. nothing answered. Now the firewall is scanned from the internal (Green) network. The command used is:
nmap -vv -sU -sT -p1-1000 -n -r -T4 -oN NmapIPCopInternal.txt 192.168.1.1
Table 5: Firewall scanned internally

| Command and results | Explanation |
| --- | --- |
| Starting Nmap 5.21 (http://nmap.org) at 2011-01-25 21:56 IST | The scan runs with the options given above: -sU and -sT together scan UDP and TCP in one run; -r scans the ports in sequential order instead of randomising them. |
| Completed ARP Ping Scan at 21:56, 0.00s elapsed (1 total hosts) | On the local segment Nmap discovers the host with ARP rather than ICMP. |
| Completed UDP Scan at 21:57, 23.10s elapsed (1000 total ports) | |
| Discovered open port 53/udp on 192.168.1.1 | |
| Initiating Connect Scan at 21:57 | |
| Scanning 192.168.1.1 [1000 ports] | |
| Discovered open port 53/tcp on 192.168.1.1 | |
| Discovered open port 800/tcp on 192.168.1.1 | Only two TCP ports and one UDP port are open. |
| Nmap scan report for 192.168.1.1 | |
| Host is up (0.043s latency). | |
| Not shown: 999 open\|filtered ports, 998 filtered ports | The 999 unanswered UDP ports are open\|filtered; the 998 unanswered TCP ports are filtered. |
| PORT STATE SERVICE | |
| 53/tcp open domain | |
| 800/tcp open mdbs_daemon | The SERVICE column is a lookup in Nmap's nmap-services table, not the result of probing; 800/tcp maps to mdbs_daemon there. Version detection (-sV, below) identifies the real service. |
| 53/udp open domain | |
| MAC Address: 00:21:97:88:28:21 (Elitegroup Computer System) | The MAC address is reported because the scanner and the firewall share a LAN segment. |
| Nmap done: 1 IP address (1 host up) scanned in 37.78 seconds | |
The scanning continues with version detection on TCP port 800:
nmap -vv -n -sV -p 800 192.168.1.1
This gives the following details:
PORT STATE SERVICE VERSION
800/tcp open http-proxy Squid webproxy 2.7.STABLE9
-sV talks to the open port and matches its response against Nmap's service signatures, which is why the port that nmap-services listed as mdbs_daemon is now correctly identified as the Squid web proxy.
Scanning all ports on the firewall from inside is done with a single command:
nmap -vv -sU -sT -p T:1-65535,U:1-65535 -n -r -T4 -oN NmapIPCopInternalAllPorts.txt 192.168.1.1
This scans all TCP and UDP ports in one go. The results match the earlier scan: the same two TCP ports and one UDP port are open. The UDP part takes more than three minutes, while the TCP part takes about 100 seconds.
Observations
After scanning all TCP and UDP ports, the result clearly shows that the only open ports are port 53 (TCP and UDP, offering the domain service) and TCP port 800 (offering the Squid web proxy). No other port answered: the remaining TCP ports are filtered and the remaining UDP ports are open|filtered. The NTP service is not being offered to the internal network: UDP port 123 did not respond even though Nmap sends an NTP-specific probe to it, so the recommendation to re-enable NTP internally still stands. Also note that port 80, which was being used for the transparent proxy, is no longer open, in line with the recommendation to disable transparent proxy mode.
Further recommendations for this firewall
- Schedule regular scans for the firewall from inside as well as from outside, to check rule modifications/changes.
- Monitor firewall and proxy logs regularly.
- Check for IPCop version updates/security patches regularly.
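The first recommendation above (rescan regularly and look for rule changes) and the open|filtered ambiguity seen in Table 4 and Table 5 both come down to the same chore: reading an Nmap report, separating confirmed-open ports from unanswered ones, and comparing the result with what was expected. The following POSIX shell script is an added example, not code from the article or from the Nmap or IPCop projects. It assumes Nmap normal output (-oN) in the layout shown in Table 5; the sample report and the baseline file it works on are constructed for the demonstration, and the baseline deliberately still lists the management port 775/tcp so that drift in both directions is visible.

```shell
#!/bin/sh
# Added example (not from the original article): parse Nmap normal output
# (-oN) and compare the confirmed-open ports against a baseline, so that a
# scheduled rescan flags any firewall rule change.
# All sample data below is constructed; the port lines mirror the article's
# internal scan of 192.168.1.1 plus one open|filtered UDP line.

# Emit "port/proto state" for each port line of an Nmap -oN file ($1).
# Port lines look like "53/tcp  open  domain" or "123/udp  open|filtered  ntp".
nmap_port_states() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1, $2 }' "$1"
}

# Ports Nmap confirmed open (a SYN/ACK, a completed connect, or a UDP reply).
nmap_open_ports() {
    nmap_port_states "$1" | awk '$2 == "open" { print $1 }' | LC_ALL=C sort
}

# Ports reported open|filtered: the probe got no answer, so Nmap cannot tell an
# open port whose service stays silent from one the firewall silently drops.
# Report these separately instead of counting them as closed.
nmap_unconfirmed_ports() {
    nmap_port_states "$1" | awk '$2 == "open|filtered" { print $1 }' | LC_ALL=C sort
}

# Compare the confirmed-open ports in an -oN file ($1) with a baseline file ($2,
# one port/proto per line). Prints "+port" for newly open ports and "-port" for
# ports that are no longer open; returns 1 when there is any drift, 0 otherwise.
nmap_diff_baseline() {
    _cur=$(mktemp) || return 2
    _base=$(mktemp) || return 2
    nmap_open_ports "$1" > "$_cur"
    LC_ALL=C sort "$2" > "$_base"
    # comm -3 leaves lines unique to $_cur (column 1) and to $_base (column 2,
    # tab-prefixed); turn them into +/- markers.
    _drift=$(LC_ALL=C comm -3 "$_cur" "$_base" |
        awk -F'\t' '$1 != "" { print "+" $1 } $1 == "" { print "-" $2 }')
    rm -f "$_cur" "$_base"
    [ -z "$_drift" ] && return 0
    printf '%s\n' "$_drift"
    return 1
}

# Constructed sample of Nmap 5.21 normal output (not a real capture).
SAMPLE_NMAP_OUTPUT='# Nmap 5.21 scan initiated (constructed sample)
Nmap scan report for 192.168.1.1
Host is up (0.043s latency).
Not shown: 998 open|filtered ports, 997 filtered ports
PORT     STATE         SERVICE
53/tcp   open          domain
800/tcp  open          mdbs_daemon
53/udp   open          domain
123/udp  open|filtered ntp
MAC Address: 00:21:97:88:28:21 (Elitegroup Computer System)'

# Constructed baseline: what was expected to be open before this rescan.
SAMPLE_BASELINE='53/tcp
53/udp
775/tcp'

# Write a string ($1) to a temp file and print its path (used by the demo).
to_tmpfile() {
    _f=$(mktemp) || return 2
    printf '%s\n' "$1" > "$_f"
    printf '%s\n' "$_f"
}

# Usage: sh nmap_baseline.sh scan.txt baseline.txt
# Without arguments the constructed sample data is used.
if [ $# -eq 2 ]; then
    nmap_diff_baseline "$1" "$2"
elif [ $# -eq 0 ]; then
    scan=$(to_tmpfile "$SAMPLE_NMAP_OUTPUT")
    base=$(to_tmpfile "$SAMPLE_BASELINE")
    echo "Unconfirmed (open|filtered):"; nmap_unconfirmed_ports "$scan"
    echo "Drift against baseline:"; nmap_diff_baseline "$scan" "$base" || true
    rm -f "$scan" "$base"
fi
```

Run it from cron against the -oN files of the internal and external scans, with one baseline per vantage point, and let the non-zero exit status drive an alert. On the sample data it reports -775/tcp (the management port is no longer open, as intended) and +800/tcp (the proxy port appeared), and lists 123/udp as unconfirmed rather than silently treating it as closed.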
References and further reading
- SecLists.Org Security Mailing List Archive
- Filtered: NMAP Port Scanner Sees Through IPtables Firewall
Nmap: great port scanner; Nessus is OK. But still prefer Nmap =)
Thanks for the wonderful posts