Firewalls And nmap

Nmap is one of the most popular security tools.  Chances are you already know what nmap is and what it does so I’ll spare the introduction.

As part of  my IT Security self-education, I set out to see how nmap interacts with firewalls.  I chose iptables/netfilter on Linux since it’s free and there are a lot of GUI tools that allow one to setup and configure it quickly.

nmap has many options for performing port scans, one of them being IP spoofing.  IP spoofing is commonly used in Denial-of-Service attacks to modify the source IP address of the packets to hide where the traffic is coming from.  When used it port scanning, IP spoofing isn’t very useful as the traffic will never return to you since the source IP isn’t the same as your source IP.  However, if you’re on a local network, the ARP entry for the spoofed source IP will have your MAC address associated with it, so you will get the return traffic.

In my test setup I used the following:

  • Backtrack 5 R3 VM
  • Ubuntu 12.04 VM with iptables and Firestarter GUI
  • Debian 6 VM
  • Wireshark
  • nmap 6.01

I began by scanning with a version scan on port 22 of the Ubuntu VM.  iptables was disabled.

nmap connected and identified the service.  Below is a Wireshark capture of the session from the Ubuntu VM.  You can see the establishment of the connection and the tear-down.

Below is a Wireshark capture of a connection with the SSH client itself.  You can see the key exchange and connection establishment.

I then ran the same scan with both the firewall disabled and SSHd disabled.  Below is a Wireshark capture of the session.

Note that when the firewall is disabled and SSHd is disabled a TCP RST is sent back which states that the port is closed.  When repeating the same scan with the firewall enabled the following occurred:

nmap returns that the port is filtered, meaning that the firewall is silently dropping the packets.  The Wireshark capture shows that the Ubuntu VM is not returning any packets back to the scanning host.

I then configured a rule on the firewall to only allow SSH traffic from a specific IP.

After doing that I proceeded to use nmap to spoof the source IP address of the allowed host with the following results:

nmap was able to determine that the host was up and as you can see from the Wireshark captures, the spoofed traffic is reaching the Ubuntu VM and is being received by the scanning VM.  The reason the traffic is being received by the scanning VM is because the ARP entry for the spoofed IP is associated with the MAC address of the scanning VM as shown in the screen shots below.

 The real host associated with the IP
 The ARP cache of the Ubuntu VM
 The real MAC address of the scanning VM

nmap is a very powerful tool that usually isn’t exploited to it’s full potential.  If you’re going to use nmap, at minimum read the man page.  If you want to get the most out of it check out the following resources:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s