TCP 3-way handshake

```
         SYN
A -------------> B
       SYN + ACK
A <------------- B
         ACK
A -------------> B
```
Displaying the capture on screen

o Without a firewall
1. When the port is open

tcpdump options used: -n prints addresses numerically, -i selects the interface, tcp restricts the capture to TCP, port 80 restricts it to port 80.

```
Victim ~# systemctl start httpd
Victim ~# iptables -F
Victim ~# tcpdump -i ens33
Victim ~# tcpdump -n -i ens33 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
```

TCP connect scan from the attacker:

```
Attacker ~# nmap -sT -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 03:52 EST
Nmap scan report for 192.168.108.100
Host is up (0.0017s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
```

Capture on the victim (the full three-way handshake, then an RST from the scanner):

```
Victim ~# tcpdump -n -i ens33 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
SYN
08:34:46.870398 IP 192.168.108.102.50616 > 192.168.108.100.http: Flags [S], seq 1912071476, win 64240, options [mss 1460,sackOK,TS val 4067377867 ecr 0,nop,wscale 7], length 0
SYN + ACK
08:34:46.870564 IP 192.168.108.100.http > 192.168.108.102.50616: Flags [S.], seq 334962318, ack 1912071477, win 28960, options [mss 1460,sackOK,TS val 55629651 ecr 4067377867,nop,wscale 6], length 0
ACK
08:34:46.871523 IP 192.168.108.102.50616 > 192.168.108.100.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 4067377868 ecr 55629651], length 0
RST
08:34:46.872081 IP 192.168.108.102.50616 > 192.168.108.100.http: Flags [R.], seq 1, ack 1, win 502, options [nop,nop,TS val 4067377869 ecr 55629651], length 0
```
2. When the port is closed

```
Victim ~# systemctl stop httpd
Victim ~# tcpdump -n -i ens33 tcp port 80
```

```
Attacker ~# nmap -sT -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 03:59 EST
Nmap scan report for 192.168.108.100
Host is up (0.00042s latency).

PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
```

Capture on the victim (the TCP stack answers the SYN with an RST because nothing is listening):

```
Victim ~# tcpdump -n -i ens33 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
SYN
08:39:22.344286 IP 192.168.108.102.50620 > 192.168.108.100.http: Flags [S], seq 4083057269, win 64240, options [mss 1460,sackOK,TS val 4067626082 ecr 0,nop,wscale 7], length 0
RST
08:39:22.344304 IP 192.168.108.100.http > 192.168.108.102.50620: Flags [R.], seq 0, ack 4083057270, win 0, length 0
```
o With a firewall
1. When the port is open

Configure the firewall on the victim:

```
iptables -F
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
```

```
Victim ~# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
DROP       all  --  0.0.0.0/0            0.0.0.0/0
```

Start the web server and put a test page in place:

```
Victim ~# systemctl start httpd
Victim ~# vi /var/www/html/index.html
Server : 192.168.108.100
Directory : /var/www/html
```

Confirm from the attacker that the page is reachable through the firewall:

```
Attacker ~# vi /etc/resolv.conf
nameserver 168.126.63.1
Attacker ~# apt -y install lynx
Attacker ~# lynx --dump 192.168.108.100
Server : 192.168.108.100
Directory : /var/www/html
```

Monitor the packets:

```
Victim ~# tcpdump -n -i ens33 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
```

Run the port scan:

```
Attacker ~# nmap -sT -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 04:11 EST
Nmap scan report for 192.168.108.100
Host is up (0.00073s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
```

The captured packets are identical to the case without a firewall.

```
Victim ~# tcpdump -n -i ens33 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
SYN
08:52:24.123232 IP 192.168.108.102.50626 > 192.168.108.100.http: Flags [S], seq 2035860398, win 64240, options [mss 1460,sackOK,TS val 4068330886 ecr 0,nop,wscale 7], length 0
SYN/ACK
08:52:24.123344 IP 192.168.108.100.http > 192.168.108.102.50626: Flags [S.], seq 2277579472, ack 2035860399, win 28960, options [mss 1460,sackOK,TS val 56686903 ecr 4068330886,nop,wscale 6], length 0
ACK
08:52:24.123661 IP 192.168.108.102.50626 > 192.168.108.100.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 4068330886 ecr 56686903], length 0
RST
08:52:24.123732 IP 192.168.108.102.50626 > 192.168.108.100.http: Flags [R.], seq 1, ack 1, win 502, options [nop,nop,TS val 4068330886 ecr 56686903], length 0
```
2. When the port is closed

```
Victim ~# systemctl stop httpd
Victim ~# netstat -nltp | grep 80    <-- the port is no longer listening
Victim ~# tcpdump -n -i ens33 tcp port 80
```

```
Attacker ~# nmap -sT -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 05:02 EST
Nmap scan report for 192.168.108.100
Host is up (0.00081s latency).

PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
```

```
Victim ~# tcpdump -n -i ens33 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
SYN
09:47:57.376376 IP 192.168.108.102.50628 > 192.168.108.100.http: Flags [S], seq 2189207374, win 64240, options [mss 1460,sackOK,TS val 4071335965 ecr 0,nop,wscale 7], length 0
RST
09:47:57.376414 IP 192.168.108.100.http > 192.168.108.102.50628: Flags [R.], seq 0, ack 2189207375, win 0, length 0
```

If port 80 is not ACCEPTed by a firewall rule, the SYN matches the final DROP of the INPUT chain, so no RST packet is sent back at all.

```
         SYN
A -------------> V   (no response packet is returned to the attacker)
A -------------> V   (no response packet is returned to the attacker)
```

Remove the port 80 rule on the victim:

```
iptables -F
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
```

```
Victim ~# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
DROP       all  --  0.0.0.0/0            0.0.0.0/0
```

```
Victim ~# tcpdump -n -i ens33 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
```

```
Attacker ~# nmap -sT -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 05:10 EST
Nmap scan report for 192.168.108.100
Host is up (0.0017s latency).

PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
```

Only the two SYNs from the scanner appear in the capture; nothing is sent back:

```
Victim ~# tcpdump -n -i ens33 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
SYN
09:56:30.553966 IP 192.168.108.102.50632 > 192.168.108.100.http: Flags [S], seq 1638910152, win 64240, options [mss 1460,sackOK,TS val 4071798587 ecr 0,nop,wscale 7], length 0
SYN
09:56:30.664959 IP 192.168.108.102.50634 > 192.168.108.100.http: Flags [S], seq 2587965610, win 64240, options [mss 1460,sackOK,TS val 4071798688 ecr 0,nop,wscale 7], length 0
```
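As an added example (not part of the original post), the following Python script turns tcpdump lines like the ones captured above into the same open / closed / filtered verdict that nmap printed, and flags the connect-scan signature on the victim side: a completed handshake that carries no data and is torn down by an RST from the client. The sample lines are taken from the captures in this section; the function names are this example's own.

```python
import re
from collections import defaultdict

# Added example: classify tcpdump lines into the verdict nmap -sT would print.
# SAMPLE is built from the capture lines shown in this post (port-80 probes against 192.168.108.100).
SAMPLE = """\
08:34:46.870398 IP 192.168.108.102.50616 > 192.168.108.100.http: Flags [S], seq 1912071476, win 64240, options [mss 1460,sackOK,TS val 4067377867 ecr 0,nop,wscale 7], length 0
08:34:46.870564 IP 192.168.108.100.http > 192.168.108.102.50616: Flags [S.], seq 334962318, ack 1912071477, win 28960, options [mss 1460,sackOK,TS val 55629651 ecr 4067377867,nop,wscale 6], length 0
08:34:46.871523 IP 192.168.108.102.50616 > 192.168.108.100.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 4067377868 ecr 55629651], length 0
08:34:46.872081 IP 192.168.108.102.50616 > 192.168.108.100.http: Flags [R.], seq 1, ack 1, win 502, options [nop,nop,TS val 4067377869 ecr 55629651], length 0
08:39:22.344286 IP 192.168.108.102.50620 > 192.168.108.100.http: Flags [S], seq 4083057269, win 64240, options [mss 1460,sackOK,TS val 4067626082 ecr 0,nop,wscale 7], length 0
08:39:22.344304 IP 192.168.108.100.http > 192.168.108.102.50620: Flags [R.], seq 0, ack 4083057270, win 0, length 0
09:56:30.553966 IP 192.168.108.102.50632 > 192.168.108.100.http: Flags [S], seq 1638910152, win 64240, options [mss 1460,sackOK,TS val 4071798587 ecr 0,nop,wscale 7], length 0
09:56:30.664959 IP 192.168.108.102.50634 > 192.168.108.100.http: Flags [S], seq 2587965610, win 64240, options [mss 1460,sackOK,TS val 4071798688 ecr 0,nop,wscale 7], length 0
"""

# Port may be numeric or a service name (tcpdump printed "http" here), so \w+ covers both.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)"
)


def parse_lines(text):
    """Return (src, sport, dst, dport, flags, payload_len) for every packet line tcpdump printed."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["src"], m["sport"], m["dst"], m["dport"], m["flags"], int(m["len"])))
    return out


def group_flows(records):
    """Group packets by the probing endpoint: whoever sent a bare SYN (no ACK bit) is the client."""
    clients = {(src, sport) for src, sport, _, _, flags, _ in records if flags == "S"}
    flows = defaultdict(list)
    for src, sport, dst, dport, flags, plen in records:
        if (src, sport) in clients:
            flows[(src, sport)].append(("client", flags, plen))
        elif (dst, dport) in clients:
            flows[(dst, dport)].append(("server", flags, plen))
    return flows


def classify(packets):
    """Map one flow's packets to the verdict nmap -sT prints for the target port."""
    seq = [(who, flags) for who, flags, _ in packets]
    if seq[:1] != [("client", "S")]:
        return "unknown"
    if ("server", "R.") in seq:
        return "closed"                      # the TCP stack answered the SYN with RST
    if ("server", "S.") in seq:
        handshake = ("client", ".") in seq
        reset = any(who == "client" and "R" in flags for who, flags in seq)
        payload = sum(plen for _, _, plen in packets)
        if handshake and reset and payload == 0:
            return "open (connect-scan signature: handshake, no data, client RST)"
        return "open"
    return "filtered (SYN unanswered)"      # dropped by the firewall, nothing came back


def scan_report(text):
    """Verdict per scanner endpoint, e.g. {('192.168.108.102', '50616'): 'open (...)'}."""
    return {key: classify(pkts) for key, pkts in group_flows(parse_lines(text)).items()}


if __name__ == "__main__":
    for (ip, port), verdict in sorted(scan_report(SAMPLE).items()):
        print(f"{ip}:{port} -> {verdict}")
```

Pipe a live capture into it with `tcpdump -n -i ens33 tcp port 80 -l | python3 script.py` (reading stdin instead of SAMPLE) and a burst of "open (connect-scan signature ...)" verdicts across many source ports is the host-side trace of an nmap -sT sweep; the "filtered" verdict only ever appears when the final DROP rule swallowed the SYN.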
Saving the capture to a file

o Without a firewall
1. When the port is open

```
Victim ~# iptables -F
Victim ~# systemctl start httpd
Victim ~# tcpdump -w tcpScan.pcap -n -i ens33 tcp port 80
```

```
Attacker ~# nmap -sT -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 05:17 EST
Nmap scan report for 192.168.108.100
Host is up (0.00085s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
```

-w tcpScan.pcap : write the captured packets to the file tcpScan.pcap.

```
Victim ~# tcpdump -w tcpScan.pcap -n -i ens33 tcp port 80
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
```

Copy the saved tcpScan.pcap to 192.168.108.102:

```
Victim ~# scp tcpScan.pcap 192.168.108.102:
root@192.168.108.102's password:
tcpScan.pcap                                  100%  368   230.8KB/s   00:00
```

On the attacker, analyse the copied tcpScan.pcap with Wireshark (log in as root and open it):

```
Attacker ~# wireshark tcpScan.pcap
```
2. When the port is closed

Stop the web server:

```
Victim ~# systemctl stop httpd
```

Dump the packets:

```
Victim ~# tcpdump -w tcpScan2.pcap -n -i ens33 tcp port 80
tcpdump: listening on ens33, link-type EN10MB (Ethernet),
```

Run the port scan:

```
Attacker ~# nmap -sT -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 05:31 EST
Nmap scan report for 192.168.108.100
Host is up (0.00042s latency).

PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
```

Stop the capture with Ctrl + C:

```
Victim ~# tcpdump -w tcpScan2.pcap -n -i ens33 tcp port 80
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
```

Copy the saved tcpScan2.pcap to 192.168.108.102:

```
Victim ~# scp tcpScan2.pcap 192.168.108.102:
root@192.168.108.102's password:
tcpScan2.pcap                                 100%  184   164.0KB/s   00:00
```

On the attacker, analyse the copied tcpScan2.pcap with Wireshark:

```
Attacker ~# wireshark tcpScan2.pcap &
```
o With a firewall
1. When the port is open

Set the firewall rules on the victim:

```
iptables -F
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
```

```
Victim ~# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 state NEW
DROP       all  --  0.0.0.0/0            0.0.0.0/0
```

```
Victim ~# tcpdump -w tcpScan4.pcap -n tcp port 80 -i ens33
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
```

```
Attacker ~# nmap -sT -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 05:57 EST
Nmap scan report for 192.168.108.100
Host is up (0.00068s latency).

PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
```

```
Victim ~# tcpdump -w tcpScan4.pcap -n tcp port 80 -i ens33
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
Victim ~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  144  9484 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 state NEW
    3   182 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

Note that nmap reports port 80 as closed here: httpd was stopped in the previous step and is not restarted, so the SYN passes the dport 80 ACCEPT rule (that rule's counter shows 1 packet) and the TCP stack answers with an RST, which is why two packets were captured rather than four.

```
Victim ~# scp tcpScan4.pcap 192.168.108.102:
root@192.168.108.102's password:
tcpScan4.pcap                                 100%  184   165.1KB/s   00:00
```

On the attacker, analyse the copied tcpScan4.pcap with Wireshark:

```
Attacker ~# wireshark tcpScan4.pcap &
```
2. When the port is closed

If port 80 is not ACCEPTed by a firewall rule, the SYN matches the final DROP of the INPUT chain, so no RST packet is sent back.

```
         SYN
A -------------> V   (no response packet is returned to the attacker)
A -------------> V   (no response packet is returned to the attacker)
```

Set the firewall rules on the victim:

```
iptables -F
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
```

```
Victim ~# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 state NEW
DROP       all  --  0.0.0.0/0            0.0.0.0/0
```

```
Victim ~# tcpdump -w tcpScan3.pcap -n tcp port 80 -i ens33
```

```
Attacker ~# nmap -sT -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 05:52 EST
Nmap scan report for 192.168.108.100
Host is up (0.00041s latency).

PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
```

```
Victim ~# tcpdump -w tcpScan3.pcap -n tcp port 80 -i ens33
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
2 packets captured
3 packets received by filter
0 packets dropped by kernel
```

```
Victim ~# scp tcpScan3.pcap 192.168.108.102:
root@192.168.108.102's password:
tcpScan3.pcap                                 100%  204   140.5KB/s   00:00
```

```
Attacker ~# wireshark tcpScan3.pcap &
```
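Added example, not from the post: the saved .pcap files above do not have to be opened in Wireshark. The script below builds a small constructed capture in memory (one connect-scan probe and one genuine HTTP request against port 80, with made-up MAC addresses and zero TCP/IP checksums), then reads it back with a minimal pcap/Ethernet/IPv4/TCP parser written against the standard library only and summarises each flow: whether the handshake completed, how many payload bytes moved, and whether the client tore the connection down with RST. Every function name here is this example's own; the same parser works unchanged on a file written by tcpdump -w.

```python
import struct
from collections import defaultdict

# Added example (not from the post): build a pcap in memory, parse it back, summarise flows.
PCAP_MAGIC = 0xA1B2C3D4
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp_frame(src_ip, sport, dst_ip, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with constructed MACs; checksums are left zero (not verified here)."""
    ip_len = 20 + 20 + len(payload)
    eth = struct.pack("!6s6sH", b"\x00\x0c\x29\x00\x00\x01", b"\x00\x0c\x29\x00\x00\x02", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 64240, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Serialise frames as a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1640857200 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_flags_str(bits):
    """Render flag bits the way tcpdump does: F S R P, then '.' for ACK."""
    return "".join(ch for ch, bit in (("F", FIN), ("S", SYN), ("R", RST), ("P", PSH), (".", ACK)) if bits & bit)


def read_pcap(data):
    """Yield (src, sport, dst, dport, flags, payload_len) for each IPv4/TCP packet in the capture."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == PCAP_MAGIC else ">"
    pos = 24                                      # skip the global header
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pkt = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if struct.unpack("!H", pkt[12:14])[0] != 0x0800:
            continue                              # not IPv4
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                              # not TCP
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, sport, dst, dport, tcp_flags_str(tcp[13]), total_len - ihl - data_off


def flow_summary(records):
    """Per client->server flow: did the handshake finish, how much data moved, did the client reset?"""
    records = list(records)
    clients = {(s, sp) for s, sp, _, _, fl, _ in records if fl == "S"}   # bare SYN sender = client
    flows = defaultdict(lambda: {"syn_ack": False, "handshake": False, "payload_bytes": 0, "client_reset": False})
    for s, sp, d, dp, fl, plen in records:
        if (s, sp) in clients:
            f = flows[(s, sp, d, dp)]
            if f["syn_ack"] and fl == ".":
                f["handshake"] = True
            if "R" in fl:
                f["client_reset"] = True
            f["payload_bytes"] += plen
        elif (d, dp) in clients:
            f = flows[(d, dp, s, sp)]
            if fl == "S.":
                f["syn_ack"] = True
            f["payload_bytes"] += plen
    for f in flows.values():
        # a connect scan completes the handshake, sends nothing, then tears down with RST
        f["scan_like"] = f["handshake"] and f["payload_bytes"] == 0 and f["client_reset"]
    return dict(flows)


def build_demo_capture():
    """Constructed capture: one connect-scan probe and one real HTTP request, both to port 80."""
    v, a = "192.168.108.100", "192.168.108.102"
    frames = [
        tcp_frame(a, 50616, v, 80, SYN), tcp_frame(v, 80, a, 50616, SYN | ACK),
        tcp_frame(a, 50616, v, 80, ACK), tcp_frame(a, 50616, v, 80, RST | ACK),
        tcp_frame(a, 50700, v, 80, SYN), tcp_frame(v, 80, a, 50700, SYN | ACK),
        tcp_frame(a, 50700, v, 80, ACK), tcp_frame(a, 50700, v, 80, PSH | ACK, b"GET / HTTP/1.0\r\n"),
        tcp_frame(v, 80, a, 50700, ACK), tcp_frame(a, 50700, v, 80, FIN | ACK),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for key, f in flow_summary(read_pcap(build_demo_capture())).items():
        print(key, f)
```

To run it over one of the files from this section, replace `build_demo_capture()` with `open("tcpScan.pcap", "rb").read()`; the four-packet tcpScan.pcap should come out as a single flow with `scan_like` true, while the two-packet files produce a flow that never sees a SYN/ACK.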