Assignment 5
Iptables
Okay, I wanted to try to block one of the computers at my house from accessing the web pages on my Linux box.
So I used this set of commands.
[root@bill root]# iptables -A INPUT -s 192.168.1.101 -j DROP
I wanted to log activity for that rule so...
[root@bill root]# iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
Then I looked at the status.
[root@bill root]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
DROP all -- 192.168.1.101 anywhere
LOG all -- anywhere anywhere LOG level warning prefix `INPUT_DROP: '
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- etna.msie.marlboro.edu anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- etna.msie.marlboro.edu anywhere udp spt:ntp dpt:ntp
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt -- anywhere anywhere
ACCEPT ipv6-auth -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Okay, everything looked okay, but when I tried to access the site from the computer with the address 192.168.1.101, the block didn't work.
I think it didn't work because the IP address I put in was assigned by my router. Then I realized that my router's address wouldn't work either. It would have to be the address that the world sees, which is 24.218.92.235. I saw that using tethereal from my Linux box.
8.989271 24.218.92.235 -> 216.114.150.54 TCP 4894 > http [ACK] Seq=394 Ack=49895 Win=17520 Len=0
8.997540 24.218.92.235 -> 216.114.150.54 TCP 4894 > http [ACK] Seq=394 Ack=51439 Win=17520 Len=0
9.004094 24.218.92.235 -> 216.114.150.54 TCP 4894 > http [FIN, ACK] Seq=394 Ack=51439 Win=17520 Len=0
9.004135 216.114.150.54 -> 24.218.92.235 TCP http > 4894 [ACK] Seq=51439 Ack=395 Win=6432 Len=0
So I was afraid to block that address, because if I did, I might not be able to SSH back in. So I just put everything back the way it was.
[root@bill root]# iptables -D INPUT -s 192.168.1.101 -j DROP
[root@bill root]# iptables -D INPUT -j LOG --log-prefix "INPUT_DROP: "
[root@bill root]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- etna.msie.marlboro.edu anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- etna.msie.marlboro.edu anywhere udp spt:ntp dpt:ntp
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt -- anywhere anywhere
ACCEPT ipv6-auth -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
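A note and an added example, not part of the original assignment. Besides the NAT problem, two details of the listing above would have kept that DROP from ever matching. First, -A INPUT appends the rule behind the jump to RH-Firewall-1-INPUT, and that chain ends in "REJECT all", so every packet is either accepted or rejected inside it and nothing ever comes back to reach a rule appended after the jump; the rule has to be inserted at the top with -I INPUT 1. Second, a LOG rule placed after a DROP never sees the packets the DROP already consumed; LOG must come first, and with -m limit so a scan cannot flood the log. The script below prints the commands in the order they must be run and then shows how to read what the LOG target writes to the kernel log. The address to block is the one the server actually sees, 24.218.92.235 from the tethereal trace; passing that same address as the "admin" argument keeps ssh from it working while everything else from it is dropped, which answers the lockout worry above. The log lines are constructed in the format the LOG target produces, and the address 10.0.0.5 in them is an example value. Nothing here calls iptables; the commands are only printed.

```shell
#!/bin/sh
# Added example (not part of the original assignment): the rule order that
# would have made the block above work, and how to read what the LOG target
# writes.  Only prints iptables commands; nothing here touches the firewall.

# Print the iptables commands to run, in order.  Each is inserted at position 1
# of INPUT, so the rule inserted LAST is evaluated FIRST.  The chain ends up:
#   ACCEPT tcp/22 from $admin     (lockout guard, so the operator keeps ssh)
#   LOG    from $blocked          (before the DROP, or it never logs anything)
#   DROP   from $blocked
#   RH-Firewall-1-INPUT           (distribution chain, untouched)
# -A would append behind the jump to RH-Firewall-1-INPUT, whose last rule is
# "REJECT all", so nothing appended there is ever evaluated.
block_rules() {
    blocked="$1"   # address the server actually sees (after NAT: 24.218.92.235 above)
    admin="$2"     # address you ssh from; may be the same as $blocked
    printf '%s\n' \
        "iptables -I INPUT 1 -s $blocked -j DROP" \
        "iptables -I INPUT 1 -s $blocked -m limit --limit 5/min -j LOG --log-prefix \"INPUT_DROP: \"" \
        "iptables -I INPUT 1 -s $admin -p tcp --dport 22 -j ACCEPT"
}

# Constructed kernel-log lines in the format the LOG target emits (as seen in
# /var/log/messages or dmesg); the last line is unrelated noise to be skipped.
sample_log() {
    cat <<'EOF'
Nov 12 21:14:03 bill kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=24.218.92.235 DST=216.114.150.54 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=28411 DF PROTO=TCP SPT=4894 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 12 21:14:06 bill kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=24.218.92.235 DST=216.114.150.54 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=28412 DF PROTO=TCP SPT=4894 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 12 21:14:09 bill kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=24.218.92.235 DST=216.114.150.54 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=28413 DF PROTO=TCP SPT=4895 DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 12 21:14:10 bill kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=24.218.92.235 DST=216.114.150.54 LEN=60 TOS=0x00 PREC=0x00 TTL=113 ID=28414 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Nov 12 21:14:11 bill sshd[2201]: Accepted publickey for root from 10.0.0.5 port 51022 ssh2
EOF
}

# Summarize logged drops on stdin as "count src proto dport", most frequent
# first.  ICMP has no DPT field, so it is reported as "-".
summarize_drops() {
    awk '
    /INPUT_DROP: / {
        src = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        n[src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Dry run: block the NAT address seen in the tethereal trace while keeping ssh
# from that same address, then read back the constructed log.
block_rules 24.218.92.235 24.218.92.235
echo
sample_log | summarize_drops
```

Run it as-is to see the commands and the summary; paste the three printed iptables lines into a root shell only after checking that the first of them really is the ssh ACCEPT for the address you are logged in from.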
Using "nmap", "host", and "telnet" to look for fun stuff
I used host first to find the IP addresses of several schools, both in the US and in Australia.
Then I used nmap -sL on the IP address range from xx.xx.xx.0 to xx.xx.xx.255, written as xx.xx.xx.0/24.
I chose IP addresses that looked interesting and tried to telnet into them.
Out of many, many tries, I only got into a few, but they all required a password.
as400.lander.edu
bessie.smith.edu
ais.smith.edu
Then I tried looking at the ports on the computer that Jim found a weakness in, just to compare it to the ones that I found. That didn't really go anywhere, but it was interesting to look at.
Badi-Jones-Computer:~ jones$ sudo nmap -sS -O 18.79.1.177
Password:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on hplaserjet6p.mit.edu (18.79.1.177):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
515/tcp open printer
9100/tcp open jetdirect
No exact OS matches for host (If you know what OS is running on it,
see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=powerpc-apple-darwin7.5.0%D=11/12%Time=4194688E%O=23%C=1)
TSeq(Class=TD%gcd=4%SI=0%IPID=I%TS=U)
T1(Resp=Y%DF=N%W=860%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=F%ULEN=134%DAT=E)
Nmap run completed -- 1 IP address (1 host up) scanned in 43 seconds
Badi-Jones-Computer:~ jones$ telnet 18.79.1.177
Trying 18.79.1.177...
Connected to hplaserjet6p.mit.edu.
Escape character is '^]'.
Please type [Return] two times, to initialize telnet configuration
For HELP type "?"
> ?
To Change/Configure Parameters Enter:
Parameter-name: value
Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation
default-gw: address in dotted notation
syslog-svr: address in dotted notation
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
novell: 0 to disable, 1 to enable
dlc-llc: 0 to disable, 1 to enable
ethertalk: 0 to disable, 1 to enable
banner: 0 to disable, 1 to enable
Type passwd to change the password.
Type "?" for HELP, "/" for current settings or "quit" to save-and-exit.
Or type "exit" to exit without saving configuration parameter entries
> /
===JetDirect Telnet Configuration===
Present Config : FRONT PANEL/TELNET
MAC Address : 00:10:83:bb:89:1a
IP Address : 18.79.1.177
Subnet Mask : 255.255.0.0
Default Gateway : 18.79.0.1
Syslog Server : 0.0.0.0
Idle Timeout : 120 Seconds
Set Cmnty Name : Not Specified
Host Name : Not Specified
DHCP Config : Disabled
Passwd : Disabled
Novell : Enabled
DLC/LLC : Enabled
Ethertalk : Enabled
Banner page : Enabled
>
>
>
>
> dhcp
Illegal Entry, Please retry
Please type "?" for HELP, "/" for current settings or "quit" to save-and-exit.
Or type "exit" to exit without saving parameters
> ?
To Change/Configure Parameters Enter:
Parameter-name: value
Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation
default-gw: address in dotted notation
syslog-svr: address in dotted notation
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
novell: 0 to disable, 1 to enable
dlc-llc: 0 to disable, 1 to enable
ethertalk: 0 to disable, 1 to enable
banner: 0 to disable, 1 to enable
Type passwd to change the password.
> banner:1
> exit
EXITING WITHOUT SAVING ANY ENTRIES
> Connection closed by foreign host.
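An added example, not from the original assignment: a small POSIX shell audit that reads the nmap port table and the JetDirect "/" settings dump captured above and prints what a network owner would want to fix. The scan lines and the settings dump embedded below are copied from that transcript; the severities and the choice of settings to flag are my own policy, not HP's. The finding that matters most is "Passwd : Disabled": the help menu shows that ip, default-gw and syslog-svr are settable from this prompt, so with no password anyone who can reach tcp/23 can change the printer's address, gateway or syslog server, and the device's own fix is the passwd command listed in its help.

```shell
#!/bin/sh
# Added example (not part of the original assignment): audit the nmap listing
# and the JetDirect telnet settings dump captured above.  Sample data below is
# copied from that transcript; the findings policy is my own.

# Port table from the nmap -sS -O run above (nmap normal output format).
sample_nmap() {
    cat <<'EOF'
Port State Service
23/tcp open telnet
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
515/tcp open printer
9100/tcp open jetdirect
EOF
}

# The "/" settings dump from the telnet session above.
sample_dump() {
    cat <<'EOF'
===JetDirect Telnet Configuration===
Present Config : FRONT PANEL/TELNET
MAC Address : 00:10:83:bb:89:1a
IP Address : 18.79.1.177
Subnet Mask : 255.255.0.0
Default Gateway : 18.79.0.1
Syslog Server : 0.0.0.0
Idle Timeout : 120 Seconds
Set Cmnty Name : Not Specified
Host Name : Not Specified
DHCP Config : Disabled
Passwd : Disabled
Novell : Enabled
DLC/LLC : Enabled
Ethertalk : Enabled
Banner page : Enabled
EOF
}

# Print "port proto service" for every open port in nmap normal output on stdin;
# "filtered" and "closed" lines are dropped.
open_ports() {
    awk '$2 == "open" { split($1, p, "/"); print p[1], p[2], $3 }'
}

# Read a "Key : Value" settings dump on stdin and print one finding per line.
# Severities are this example's own policy.
audit_jetdirect() {
    awk -F' : ' '
    NF == 2 {
        key = $1; val = $2
        gsub(/^ +| +$/, "", key); gsub(/^ +| +$/, "", val)
        s[key] = val
    }
    END {
        if (s["Passwd"] == "Disabled")
            print "HIGH   Passwd: telnet configuration needs no password; anyone reaching tcp/23 can set ip, default-gw or syslog-svr (fix: passwd)"
        if (s["Syslog Server"] == "0.0.0.0")
            print "MEDIUM Syslog Server: not set, so configuration changes leave no record off the device"
        if (s["Set Cmnty Name"] == "Not Specified")
            print "MEDIUM Set Cmnty Name: no explicit SNMP set community configured"
        n = split("Novell DLC/LLC Ethertalk", protos, " ")
        for (i = 1; i <= n; i++)
            if (s[protos[i]] == "Enabled")
                print "LOW    " protos[i] ": non-IP protocol enabled; disable it if nobody prints over it"
    }'
}

echo "== open ports =="
sample_nmap | open_ports
echo "== findings =="
sample_dump | audit_jetdirect
```

To audit a different device, feed it the saved output of nmap and of the "/" command in place of the two sample functions; the parsers only depend on the two-column "N/tcp open service" and "Key : Value" layouts shown above.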
Embedded HTML or SQL
I looked for weaknesses in lots of different websites, but the only thing I found was a weak stats program that lots of people use.
I found several websites that use it. I can actually go into the administration parts.
http://www.magneson.com/webanalyse_v13/?detail=visit