A Linux host usually runs its own firewall, which stops other hosts from scanning it. An enterprise network with a standalone firewall can enforce similar restrictions, and some enterprises also deploy intrusion detection systems that actively block suspicious behaviour such as Nmap scans. Nmap, however, offers options that, used in combination, let a scan get past a firewall or intrusion detection system.
Some administrators question why the Nmap developers provide these options at all, since attackers can exploit them easily. But a tool is neither good nor bad in itself; what matters is how people use it. Many system administrators use these Nmap commands to harden their network deployments. For example, I like to use them to play cat-and-mouse with security software such as firewalls: I pose as an attacker and test whether the security systems block my attacks or at least leave traces of me in their logs. Looked at this way, the same options can reveal security weaknesses in your own enterprise.
There are many such options; space does not allow covering all of them, so I will illustrate with a few common ones.
1. Fragment packets.
Security devices such as firewalls filter scan packets, but this kind of filtering is not very robust. With the -f option, Nmap splits the TCP header across several IP fragments, and the packet filter in a firewall or intrusion detection system then has difficulty filtering the TCP packet. Nmap scans can use this to play hide-and-seek with those security measures.
When the -f option is used, the 20-byte TCP header is divided into three packets: two carry eight bytes of the TCP header each, and the third carries the remaining four bytes. Packet filters in security products generally have to queue all the IP fragments rather than act on each fragment as it arrives, and because the header is spread across fragments, it is difficult for these filters to identify the packet type. The fragments are then reassembled at the destination host into a valid TCP packet. In most cases a security product should drop such fragments outright. They also take a heavy toll on the performance of the enterprise network, at the firewall and at the end device alike. On a Linux firewall, for example, a configuration item lets you restrict TCP fragmentation by refusing to queue IP fragments.
Clearly, nmap -f can deceive firewalls and other security measures, so we can use it to test whether the security software we rely on is truly secure. As far as I know, although this risk has been known for many years, not all security products prevent it effectively. The -f option therefore helps a system administrator determine whether the chosen security product can handle this kind of attack: if the firewall is configured to block scanning and nmap -f fails to return the expected scan results, the firewall policy holds; if it still returns normal results (possibly after a long wait), nmap -f has slipped past the firewall, and the administrator should look into the security of the Linux firewall.
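To make the fragmentation mechanics concrete, here is an added Python example (not code from the original article) that builds a TCP SYN, splits its 20-byte header 8 + 8 + 4 bytes as described above, and compares a filter that judges each fragment on its own with one that queues and reassembles first. The policy under test (drop inbound SYN to port 22), the addresses and the fragment id are assumptions for the demo; the fragments are constructed in memory and never sent. It also generalises beyond the 8-byte split: a 16 + 4 split exposes the TCP flags in the first fragment, and the per-fragment filter then does match.

```python
import socket
import struct

TCP_SYN = 0x02
BLOCKED_PORT = 22  # assumed policy under test: drop inbound SYN to port 22


def build_tcp_header(sport, dport, flags, seq=1):
    """Minimal 20-byte TCP header: no options, window 1024, checksum left at zero."""
    data_offset = 5 << 4  # header length in 32-bit words, in the upper nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, 1024, 0, 0)


def build_ipv4_header(src, dst, payload_len, frag_id, more_fragments, offset_bytes):
    """20-byte IPv4 header. The offset field counts 8-byte units, which is why
    every fragment but the last must carry a multiple of 8 payload bytes."""
    flags_and_offset = ((1 if more_fragments else 0) << 13) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, frag_id,
                       flags_and_offset, 64, socket.IPPROTO_TCP, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def fragment_tcp_syn(src, dst, sport, dport, sizes=(8, 8, 4), frag_id=0xBEEF):
    """Split one TCP SYN into IP fragments with the given payload sizes; the default
    8 + 8 + 4 is the split the article describes. Nothing is sent on the wire."""
    tcp = build_tcp_header(sport, dport, TCP_SYN)
    assert sum(sizes) == len(tcp) and all(s % 8 == 0 for s in sizes[:-1])
    frags, offset = [], 0
    for i, size in enumerate(sizes):
        chunk = tcp[offset:offset + size]
        more = i < len(sizes) - 1
        frags.append(build_ipv4_header(src, dst, size, frag_id, more, offset) + chunk)
        offset += size
    return frags


def parse_ipv4(pkt):
    """Return what a filter needs from the IP header: id, more-fragments bit, byte offset, payload."""
    ihl = (pkt[0] & 0x0F) * 4
    frag_id, flags_and_offset = struct.unpack("!HH", pkt[4:8])
    return {"id": frag_id, "mf": bool(flags_and_offset & 0x2000),
            "offset": (flags_and_offset & 0x1FFF) * 8, "payload": pkt[ihl:]}


def tcp_verdict(tcp_bytes, blocked_port=BLOCKED_PORT):
    """Apply the policy to a complete TCP header (dport in bytes 2-3, flags in byte 13)."""
    dport = struct.unpack("!H", tcp_bytes[2:4])[0]
    return "DROP" if (tcp_bytes[13] & TCP_SYN and dport == blocked_port) else "ACCEPT"


def stateless_verdict(pkt, blocked_port=BLOCKED_PORT):
    """A filter that judges each fragment alone. An 8-byte first fragment shows the
    ports but not the flags, and later fragments show neither, so a port-based
    SYN rule can never match and the fragments slip through."""
    f = parse_ipv4(pkt)
    if f["offset"] != 0:
        return "ACCEPT (ports not visible)"
    if len(f["payload"]) < 14:
        return "ACCEPT (flags not visible)"
    return tcp_verdict(f["payload"], blocked_port)


class Reassembler:
    """Queue fragments per IP id and return the payload once every byte is present,
    which is what a defragmenting firewall does before it applies port rules.
    Overlapping or conflicting fragments are out of scope for this demo."""

    def __init__(self):
        self.pending = {}  # frag_id -> {offset: payload}
        self.total = {}    # frag_id -> payload length, known once the last fragment is seen

    def add(self, pkt):
        f = parse_ipv4(pkt)
        chunks = self.pending.setdefault(f["id"], {})
        chunks[f["offset"]] = f["payload"]
        if not f["mf"]:
            self.total[f["id"]] = f["offset"] + len(f["payload"])
        if f["id"] in self.total and sum(map(len, chunks.values())) == self.total[f["id"]]:
            data = b"".join(chunks[o] for o in sorted(chunks))
            del self.pending[f["id"]], self.total[f["id"]]
            return data
        return None


def reassembled_verdict(frags, blocked_port=BLOCKED_PORT):
    """Run the fragments through the reassembler and judge the rebuilt TCP header."""
    r = Reassembler()
    for pkt in frags:
        data = r.add(pkt)
        if data is not None:
            return tcp_verdict(data, blocked_port)
    return "ACCEPT (incomplete datagram)"


if __name__ == "__main__":
    frags = fragment_tcp_syn("198.51.100.7", "192.0.2.10", 40000, 22)
    for pkt in frags:
        print("per-fragment filter:", stateless_verdict(pkt))
    print("after reassembly:   ", reassembled_verdict(frags))
```

The per-fragment filter accepts all three fragments because no single fragment contains both the destination port and the SYN flag, while the reassembling filter drops the rebuilt SYN. On Linux this is the difference between a bare packet filter and netfilter with connection tracking loaded, which defragments before filtering; iptables also provides the -f (--fragment) match for rules that apply to second and further fragments.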
2. Scan with a spoofed source IP address.
Firewalls and client hosts generally record information about visitors, such as their IP addresses, so an Nmap scan leaves the scanner's IP address on the firewall or the scanned host. Leaving such "evidence" behind is very unfavourable for the scanner. In addition, a firewall configuration may allow scans only from a specific IP address and filter out scan packets from any other source. In either case, whether to hide the real identity or to scan from an address that is allowed, a technique called source address spoofing is needed.
This technique reminds me of a recent mobile phone scam that works much the same way. Sometimes we receive a call or a text message from a "friend" asking us to transfer money. The friend's number appears on the phone, yet the sender is not necessarily that friend, because there is now technology that lets the sender display whatever number they wish. Source address spoofing is the network equivalent: attackers hide their own IP address behind a fake one, which need not even exist on the network, and the logs on the firewall or operating system show only the spoofed address.
Therefore, when purchasing security products such as firewalls, a Linux system administrator can use nmap -S to test whether the firewall can defend against source address spoofing. For example, enable logging on the firewall, scan the firewall or another host with nmap -S, and then check the related logs to see whether the recorded IP address is the spoofed one or the scanner's real address. This makes it easy to determine whether the firewall and other security products can cope with source address spoofing attacks. Although a log entry that records the attacker's real identity only helps after the fact, it is of great value for quickly tracking down attackers and preventing them from striking again. For this reason, some security products must provide anti-spoofing protection for source addresses.
3. Use decoys for covert scanning.
Source address spoofing hides the scanner's identity, but it can disguise only one IP address per scan. The popular method of hiding an IP address today is to use decoy hosts: in short, the scanner borrows several IP addresses on the network as its own, so the security device cannot tell which of them is the real one. A firewall might, for example, log 5-8 port scans of the same target, each from a different IP address. This is an effective way to hide an IP address.
More interestingly, attackers can also include their real IP address among the decoys, raising the difficulty of the attack and testing the defenders' skill. A system administrator can do the same with the ME option, which inserts his or her own IP address into the decoy list; placing the real address towards the end of the list generally makes it hard for the firewall to single out. The decoy list does not need to be long, but it should be chosen precisely: adding addresses that enjoy higher privileges (for example, hosts that a Linux server's firewall policy trusts by IP address) to the decoy list can produce surprising results. Too many decoys lengthen the scan or make its results inaccurate, and worst of all they can degrade the scanned network's performance and draw the attention of the other side's network administrator.
Defences against decoy scanning do exist; route tracing and response dropping, for instance, can stop attackers from hiding a scan behind decoys. Such mechanisms can matter a great deal to an enterprise, because a covert decoy scan not only quietly collects important information about the network's hosts but also lays the groundwork for later attacks. Moreover, nmap -D is prone to causing SYN floods: if a decoy host used by an attacker is not up, the scan amounts to a SYN flood against the target host, which is a dangerous form of attack.
Since countermeasures to decoy scanning exist, what Linux system administrators and network engineers need to do is test whether their firewall or other security products implement them. The vendor's sales pitch alone cannot be relied on; we need to run the test ourselves, and this nmap command obviously helps us do so.
Nmap has many more options of this kind. The --source-port option spoofs the source port; --data-length appends extra data to the packets it sends; --spoof-mac spoofs the MAC address, and combined with source address spoofing it can defeat policies such as binding MAC addresses to IP addresses. In the hands of attackers these options undoubtedly threaten the security of a Linux network. But if we use them first to test the security of our own networks and hosts, we will be the ones to fix the weaknesses, and attackers will leave empty-handed. So I do not think tools are good or bad in themselves; it comes down to the user's intent. For this reason, I suggest that you use Nmap to play cat-and-mouse with your enterprise's firewall and other security products and find out whether the so-called security protection system is truly secure.