
firewall with de-ice help


LT72884

Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Mon Aug 13, 2012 3:11 pm

firewall with de-ice help

Hello all. I finally built a lab with a firewall in it. I am using VMware Workstation 8, the newest one. Here is my lab setup:

BackTrack 5 VM. The net adapter is set with the LAN segment option, named lan1, and is in the 192.168.75.0/24 subnet (WAN side of pfSense).

pfSense firewall has 2 NICs. nic1 = LAN segment (name is lan1), IP = 192.168.75.1/24

nic2 = LAN segment (name is lan2), IP = 192.168.1.0/24

The OS of pfSense is set up with lan1 as the WAN, IP 192.168.75.1/24, no DHCP.

lan2 is the LAN portion of pfSense, with DHCP and IP 192.168.1.1/24.

The firewall is allowing ports 80, 443, 21 and ICMP to be passed through.

I have Ubuntu 12.04 on LAN segment lan2. It grabs a DHCP lease and I can ping the firewall and even log into the web GUI. So that VM is perfect.

I can even ping from BT5 to Ubuntu just fine. nmap works so far on the Ubuntu machine from the BT5 side.

Now the fun part. I add De-ICE level 1 to LAN segment lan2. Ubuntu can nmap De-ICE just fine, so I know the De-ICE VM is loading correctly.

OK, so from the BT5 machine I run nmap on the De-ICE machine and it keeps saying that it is down. I try nmap from BT to Ubuntu and it finds the closed/open ports on the Ubuntu VM just fine. I have even tried the following commands from BT5 to the De-ICE machine:

nmap -sT 192.168.1.100
nmap -sP 192.168.1.0/24
nmap -sN 192.168.1.100
nmap -sS 192.168.1.100
nmap -sS -T5 192.168.1.100
nmap -Pn -T5 192.168.1.100    (1 host up, all 1000 ports filtered)

OK, so I'm not sure if it's the config of the system or if the firewall is doing what it is supposed to, but then why would the Ubuntu ports show up in the BT5 nmap scan but not De-ICE's?

Here is some output from the Ubuntu machine, whose IP is 192.168.1.2 and is in the same subnet as De-ICE:

matt@ubuntu#
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-03 00:22 EDT
Nmap scan report for 192.168.1.100
Host is up (0.00023s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE
20/tcp  closed ftp-data
21/tcp  closed ftp
22/tcp  closed ssh
25/tcp  closed smtp
80/tcp  closed http
110/tcp closed pop3
143/tcp closed imap
443/tcp closed https
MAC Address: 00:0C:29:9A:56:D7 (VMware)

(Interesting that they are all closed, though. They should be open, since the data didn't even go through the firewall, as they are on the same LAN. UPDATE: I grabbed the wrong output, they are open.)
---------------------

Here it is from an nmap scan on the other side of the firewall. nmap is being run from BT5:

root@bt:~# nmap 192.168.1.2    (Ubuntu VM on other side of FW)

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 16:01 EDT
Nmap scan report for 192.168.1.2
Host is up (0.0010s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
21/tcp  closed ftp
80/tcp  closed http
443/tcp closed https
-------------------

OK, so I know nmap is working fine. Now scanning from BT5 to De-ICE, which we know is up and running according to the Ubuntu scan on the same network:

root@bt:~# nmap 192.168.1.100

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 16:06 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds

root@bt:~# nmap -sT 192.168.1.100

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:37 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds
root@bt:~# nmap -sN 192.168.1.100

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:38 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
root@bt:~# nmap -sS 192.168.1.100

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:55 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.09 seconds
root@bt:~# nmap -sS -T5 192.168.1.100

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:55 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.55 seconds


Nothing. Port 80 should at least show up, since I have allowed traffic to that port, and when I scan the Ubuntu machine port 80 shows up, even though it is closed. So for some reason the ports for De-ICE are not making it back to the BT5 VM.

Any ideas what i can try out?

Thanks

Matt
Last edited by LT72884 on Mon Aug 13, 2012 3:23 pm, edited 1 time in total.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Aug 13, 2012 9:01 pm

Re: firewall with de-ice help

Perform a packet capture while running a scan from the BT system and see what type of responses you're getting.

Running nmap with both --reason and -Pn may provide a bit more information.

Check your firewall logs and see what it's blocking.
The day you stop learning is the day you start becoming obsolete.

LT72884

Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Tue Aug 14, 2012 1:08 am

Re: firewall with de-ice help

All right, now it's getting strange. I tried hping2, and when I attacked the Ubuntu machine it shows the open ports, but when I attack De-ICE with hping2, nothing, nothing at all. I think it's just having a bad day is all. Still trying to look at logs and see what is happening.

I can access the De-ICE web page from Ubuntu, which is in the same subnet, but the BT machine can't. I can ping Ubuntu from WAN to LAN, so I know the FW is allowing ICMP through like I set it up to. I allowed TCP ports 80, HTTPS, FTP and also ICMP.

Here is what it is blocking:
192.168.1.100:80 TCP:A

Here is what the firewall rule is:
allow TCP from HTTP to HTTP
haha

OK, according to the firewall logs, nmap is using the UDP protocol on port 53 when I issue the command nmap 192.168.1.100, BUT when I clear the logs and use nmap 192.168.1.2, which is the Ubuntu machine, the logs all of a sudden populate with TCP connections. So why is it using UDP for a standard nmap scan, but then, using the exact same syntax, it uses TCP? Makes no sense to me.


UPDATE:

OK, so after more reading and diving into the logs, it shows that the TCP scan to Ubuntu is set with the S flag, and scanning De-ICE it is using the A flag. I am using the exact same syntax for both scans and I do not know why it is changing between SYN and ACK scanning between OSes.
I checked to see if any were actual ACKs telling the system it was alive, but to Ubuntu it was all SYNs, even on port 80, whereas to De-ICE they are all ACKs. But that should not matter, because I have allowed TCP port 80. The firewall logs can only show up to 50 entries, and they do show what is passed through as well.
Thanks
Last edited by LT72884 on Tue Aug 14, 2012 1:39 am, edited 1 time in total.
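The log entries discussed in the post above (a blocked packet to 192.168.1.100:80 with flags A while the same command against the Ubuntu host produces S packets) are what a stateful firewall does to nmap's default host-discovery probes. Two facts are relied on here: run as root against a target on another subnet, nmap's default discovery sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request before it scans any ports; and pfSense is a stateful filter, so a pass rule admits a TCP packet only when it opens a state (a SYN to an allowed port) or matches an existing one, while a bare ACK with no state is blocked and logged with flags A. The model below is an added example, not code from the thread, pfSense or nmap: the scanner address 192.168.75.10, the log wording, and the assumption that a target without a default gateway simply cannot answer an off-subnet sender are all mine. With the gateway set (the Ubuntu case) the ICMP echo and the SYN to 443 get answers, so the host is reported up and only the ACK probe lands in the block log; without it, every probe dies silently and a default scan reports the host down, while -Pn reports every port filtered. (The UDP/53 entries mentioned in the post are worth checking against nmap's reverse-DNS lookups, which -n disables.)

```python
"""Why nmap's default host discovery can fail through a stateful firewall
that passes TCP 80/443/21 and ICMP, while 'nmap -Pn' still gets through.

Added example, not code from the thread, pfSense or nmap.  It relies on two
facts: as root against a non-local target, nmap's default discovery sends an
ICMP echo, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request;
and pfSense is stateful, so a TCP packet is passed only when it opens a state
(SYN to an allowed port) or matches one, while a bare ACK with no state is
blocked and logged with flags 'A'.  The scanner address, the log wording and
the target's routing behaviour below are simplified assumptions."""

from dataclasses import dataclass

SCANNER = "192.168.75.10"     # assumed BT5 address on the WAN side
TARGET = "192.168.1.100"      # De-ICE address from the thread
LAN_NET = "192.168.1."        # pfSense LAN, 192.168.1.0/24


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""           # TCP flags: "S", "A", "SA", "R"


class StatefulFirewall:
    """Passes ICMP and TCP SYNs to allowed ports; tracks states both ways."""

    def __init__(self, allowed_tcp):
        self.allowed_tcp = set(allowed_tcp)
        self.states = set()   # (client, client_port, server, server_port)
        self.log = []         # blocked packets, in pfSense-like wording

    def filter(self, pkt):
        if pkt.proto == "icmp":
            return True
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:
            return True       # belongs to an established state
        if pkt.flags == "S" and pkt.dport in self.allowed_tcp:
            self.states.add(fwd)
            return True       # SYN to an allowed port opens a state
        self.log.append(f"block {pkt.dst}:{pkt.dport} TCP:{pkt.flags}")
        return False


class NoFirewall:
    """Same-subnet traffic never crosses pfSense."""
    log = []

    def filter(self, pkt):
        return True


class Host:
    """Target with open TCP ports and an optional default gateway."""

    def __init__(self, addr, open_ports, default_gw):
        self.addr, self.open_ports, self.default_gw = addr, set(open_ports), default_gw

    def reply(self, pkt):
        # Assumption: a host with no default gateway cannot answer an
        # off-subnet sender at all, so the probe dies silently.
        if not pkt.src.startswith(LAN_NET) and self.default_gw is None:
            return None
        if pkt.proto == "icmp":
            return Packet("icmp", self.addr, pkt.src)
        if pkt.flags == "S":
            flags = "SA" if pkt.dport in self.open_ports else "R"
        else:
            flags = "R"       # unsolicited ACK gets a RST
        return Packet("tcp", self.addr, pkt.src, pkt.dport, pkt.sport, flags)


def nmap_discovery_probes(src, dst):
    """nmap's four default probes for a non-local target."""
    return [Packet("icmp", src, dst),
            Packet("tcp", src, dst, 40000, 443, "S"),
            Packet("tcp", src, dst, 40001, 80, "A"),
            Packet("icmp", src, dst)]


def exchange(fw, host, probes):
    """Push probes through fw to host and back; return replies that got back."""
    replies = []
    for p in probes:
        if not fw.filter(p):
            continue
        r = host.reply(p)
        if r is not None and fw.filter(r):
            replies.append(r)
    return replies


def host_seems_up(fw, host, src):
    """What a default 'nmap <target>' concludes before scanning ports."""
    return bool(exchange(fw, host, nmap_discovery_probes(src, host.addr)))


def pn_port_states(fw, host, src, ports):
    """What 'nmap -Pn -sS' reports per port: open, closed or filtered."""
    states = {}
    for i, port in enumerate(ports):
        got = exchange(fw, host, [Packet("tcp", src, host.addr, 50000 + i, port, "S")])
        states[port] = "filtered" if not got else ("open" if got[0].flags == "SA" else "closed")
    return states
```

Running `host_seems_up(StatefulFirewall({21, 80, 443}), Host("192.168.1.2", [], "192.168.1.1"), SCANNER)` returns True and leaves exactly one entry, `block 192.168.1.2:80 TCP:A`, in the firewall log; the same call against `Host(TARGET, [...], None)` returns False with nothing but that ACK blocked, which is the pattern the post describes. The model cannot tell you whether the De-ICE VM really lacks a route back or is filtering on the host; it only shows that the firewall log alone cannot distinguish those from a firewall problem, so the next check belongs on the target (its routing table) and on the wire (a capture on the pfSense LAN interface).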

LT72884

Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Tue Aug 14, 2012 3:16 pm

Re: firewall with de-ice help

Ran a Wireshark capture from the BT5 disk, which resides on the 192.168.75.0/24 subnet, against De-ICE on the 192.168.1.0/24 subnet on the other side of the firewall.

I use a tcp filter so only TCP traffic is seen. So nmap sends the 3 TCP packets, but never gets any back whatsoever.

Now, when I run the same syntax against the Ubuntu machine, I get replies back and tons of info.

So in conclusion, I think the De-ICE disk somehow does not know how to send replies back to the 75.0/24 subnet. But then again, De-ICE should send replies to the LAN interface of the FW, which is in the same subnet, and then the FW should forward them to the 75.0 subnet. It is not making any sense at all.

The firewall is set up to allow TCP on 80, 21, 443 and ICMP. I SHOULD at least get a reply back from De-ICE saying that port 80 is open.

Thanks
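The pairing the post above does by eye in Wireshark (which probes left, what came back for each target) is worth doing mechanically, because a display filter of `tcp` hides the one packet that would change the diagnosis: an ICMP error. This is an added example, not code from the thread; the trace is a constructed tshark-style text export, not a capture from this lab, and the scanner address 192.168.75.10 is assumed. The trace also carries an ICMP type 3 (destination unreachable) from the firewall's WAN address 192.168.75.1 to show where such a packet lands in the report: under the firewall's own address, not the target's. A firewall configured to reject answers with ICMP; one that silently blocks, or a target that has no route back to the scanner's subnet, sends nothing at all, so the capture separates "rejected" from "dropped" but cannot by itself separate "dropped by the firewall" from "never answered by the host".

```python
"""Pair outbound probes with what came back, as the Wireshark check above
does by eye.  Added example, not code from the thread.  TRACE is a
constructed tshark-style text export (frame, time, src, dst, proto,
sport, dport, flags), not a capture from this lab; the ICMP line from
192.168.75.1 is included to show what a 'tcp' display filter would hide."""

import re
from collections import defaultdict

SCANNER = "192.168.75.10"      # assumed BT5 address on the WAN side

TRACE = """\
1 0.000 192.168.75.10 192.168.1.2   TCP 40000 443 S
2 0.001 192.168.1.2   192.168.75.10 TCP 443 40000 RA
3 0.002 192.168.75.10 192.168.1.2   TCP 40001 80  S
4 0.003 192.168.1.2   192.168.75.10 TCP 80  40001 RA
5 1.000 192.168.75.10 192.168.1.100 TCP 40002 443 S
6 1.100 192.168.75.10 192.168.1.100 TCP 40003 80  S
7 2.000 192.168.75.10 192.168.1.100 TCP 40002 443 S
8 2.100 192.168.75.10 192.168.1.100 TCP 40003 80  S
9 2.200 192.168.75.1  192.168.75.10 ICMP - - type3/code13
"""

LINE = re.compile(r"(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(TCP|ICMP)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse(trace):
    """Turn the text export into dicts; lines that do not match are skipped."""
    pkts = []
    for ln in trace.splitlines():
        m = LINE.match(ln.strip())
        if m:
            frame, t, src, dst, proto, sport, dport, flags = m.groups()
            pkts.append(dict(frame=int(frame), t=float(t), src=src, dst=dst,
                             proto=proto, sport=sport, dport=dport, flags=flags))
    return pkts


def probe_report(pkts, scanner):
    """Per remote address: distinct SYN flows sent, retransmitted SYNs,
    TCP packets received from it, ICMP packets received from it."""
    rep = defaultdict(lambda: {"flows": set(), "retransmits": 0,
                               "tcp_replies": 0, "icmp": 0})
    for p in pkts:
        if p["src"] == scanner and p["proto"] == "TCP" and p["flags"] == "S":
            r = rep[p["dst"]]
            flow = (p["sport"], p["dport"])
            if flow in r["flows"]:
                r["retransmits"] += 1      # same 4-tuple again: a retry
            else:
                r["flows"].add(flow)
        elif p["dst"] == scanner:
            r = rep[p["src"]]
            r["tcp_replies" if p["proto"] == "TCP" else "icmp"] += 1
    return {addr: {"probes": len(r["flows"]), "retransmits": r["retransmits"],
                   "tcp_replies": r["tcp_replies"], "icmp": r["icmp"]}
            for addr, r in rep.items()}


def silent_targets(report):
    """Addresses we probed that never answered over TCP."""
    return sorted(a for a, r in report.items() if r["probes"] and not r["tcp_replies"])


def icmp_senders(report):
    """Addresses that sent ICMP back; a rejecting firewall appears here
    under its own address, not the probed target's."""
    return sorted(a for a, r in report.items() if r["icmp"])
```

On the constructed trace, `silent_targets(probe_report(parse(TRACE), SCANNER))` names only 192.168.1.100, with two probes and two retransmissions, while 192.168.1.2 shows two probes answered by two RST/ACKs. Taking the same capture on the pfSense LAN interface would then show whether the SYNs to 192.168.1.100 are forwarded at all, which is the piece of evidence the WAN-side capture cannot provide.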
