:::success
# INR Lab 2: IPv4 & IPv6
## Name: Daniil Sinelnik
:::
## Task 1 Ports and Protocols
:::info
1. Check the open ports and listening Unix sockets against ssh and http on Admin and Web respectively.
:::
1. I have used `netstat -ln` and also `grep tcp`. The `netstat` command lists the listening UDP and TCP sockets. `-l` for netstat shows only listening ports, `-n` shows numerical addresses. Port 22 is for ssh, 80 is for http.
2. Then I opened the UNIX sockets that are listening on the Web VM:
<center>

Figure 1.
</center>
3. The open Unix sockets that are listening on the Admin VM:
<center>

Figure 2.
</center>
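
The check from step 1 can also be scripted. The following is an added example, not part of the original report: it parses `netstat -ln` output and reports TCP listeners outside an expected set of ports. The sample output and the allowlist `{22, 80}` are constructed for illustration.

```python
# Added example: audit `netstat -ln` output against an allowlist of ports.
# SAMPLE is constructed for illustration; it is not output from the lab VMs.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     17034    /run/dbus/system_bus_socket
"""

LOOPBACK = ("127.", "::1")


def parse_listeners(text):
    """Return (tcp, unix): tcp is a list of (address, port), unix a list of paths."""
    tcp, unix = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] in ("tcp", "tcp6") and fields[-1] == "LISTEN":
            # The port follows the last colon, which also works for IPv6 (":::80").
            addr, _, port = fields[3].rpartition(":")
            tcp.append((addr, int(port)))
        elif fields[0] == "unix" and "LISTENING" in fields:
            unix.append(fields[-1])
    return tcp, unix


def unexpected(tcp, allowed_ports):
    """Listeners reachable from the network whose port is not on the allowlist."""
    return [(a, p) for a, p in tcp
            if p not in allowed_ports and not a.startswith(LOOPBACK)]


if __name__ == "__main__":
    tcp, unix = parse_listeners(SAMPLE)
    print("TCP listeners:", tcp)
    print("Unix sockets:", unix)
    print("Not on allowlist {22, 80}:", unexpected(tcp, {22, 80}))
```
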
:::info
2. Scan your gateway from the outside. What are the known open ports?
:::
<center>

Figure 3.
</center>
:::info
3. A gateway has to be transparent, you should not see any port that is not specifically forwarded. Adjust your firewall rules to make this happen. Disable any unnecessary services and scan again.
:::
The services discovered in the previous task were provided by my Mikrotik router. One way to disable access to them is to erect a firewall that drops all the packets that try to reach some port from some interface. This is what I have done:
<center>

Figure 5.
</center>
<center>

Figure 6.
</center>
:::info
Suppose that some scanners start by scanning the known ports and pinging a host to see if it is alive.
4.1. Scan the Worker VM from Admin. Can you see any ports?
:::
There is one ssh port opened. Other ports are filtered.
<center>

Figure 7.
</center>
:::info
4.2 Block ICMP traffic on Worker and change the port for SSH to one that is above 10000.
4.3. Scan it without extra arguments.
:::
1. Blocking of the ICMP traffic can be done via config:
<center>

Port over 10000

Blocking traffic
Figure 8.
</center>
2. Now the Worker VM cannot be found by pinging it:
<center>

nmap admin

ping admin
Figure 9.
</center>
To apply the changes I have restarted `sshd` using `sudo systemctl restart sshd`.
The ssh port is no longer displayed because by default nmap does not scan ports above 10000.
:::info
4.4. Now make necessary changes to the command to force the scan on all possible ports.
:::
Nmap allows specifying the port range with the `-p` option. Now we scan all ports from 0 to 65535.
<center>

Figure 12.
</center>
:::info
4.5 Gather some information about your open ports on Web (ssh and http).
:::
Full port scan:
<center>

Figure 12.
</center>
## Task 2 Traffic Captures & IPv6
:::info
Access your Web Page from the outside and capture the traffic between the gateway and the bridged interface.
1.1. Can you see what is being sent?
1.2. What kind of information can you get from this?
1.3. What do the headers mean?
:::
2. I created a filter in Wireshark that keeps only the packets between my machine `192.168.31.110` and the Gateway `192.168.31.39`:
<center>

Figure 14.
</center>
3. Then I accessed the Gateway from the browser at port 8888:
<center>

Figure 15.
</center>
Since the HTTP messages are not encrypted, I can read all the headers and the payload of the response:
Headers:
<center>

Figure 16.
</center>
`HTTP/1.1 200 OK` -- This part is called the status line. The first part is the version of the HTTP protocol to which this response is supposed to comply.
`Server: nginx/1.18.0` -- Description of the HTTP server that produced the response. In my case the name of the application is nginx and its version is 1.22.0.
`Date` -- The date and the time on which the response was created.
`Content-Type: text/html` -- The MIME type of the data transferred in the response body. In this case it is correctly set to HTML plain text.
`Content-Length` -- The length of the data in the response body measured in bytes.
`Last-Modified` -- The date and time of the last modification made to the resource (according to the server that created the response).
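
What a passive observer on the path can recover from such a cleartext response, as an added example that is not part of the original report: it parses a raw HTTP/1.1 response, checks `Content-Length` against the body, and extracts the product and version disclosed by the `Server` header. The captured bytes are constructed for illustration (the dates and the body are made up).

```python
# Added example: read a cleartext HTTP/1.1 response the way a sniffer sees it.
# RAW is constructed for illustration; it is not the capture from the lab.
import re

BODY = b"<html><body><h1>Welcome to nginx!</h1></body></html>\n"
RAW = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.18.0\r\n"
    b"Date: Mon, 01 Jan 2024 12:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Last-Modified: Sun, 31 Dec 2023 09:30:00 GMT\r\n"
    b"\r\n" + BODY
)


def parse_response(raw):
    """Split a raw response into (version, status, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return version, int(status), headers, body


def observations(raw):
    """Facts a passive observer learns from one unencrypted response."""
    version, status, headers, body = parse_response(raw)
    facts = {"protocol": version, "status": status, "body_bytes": len(body)}
    # Content-Length must match the body, otherwise the capture is truncated.
    facts["complete"] = int(headers.get("content-length", -1)) == len(body)
    # "product/version" in Server lets anyone on the path fingerprint the host.
    m = re.fullmatch(r"([^/\s]+)/(\S+).*", headers.get("server", ""))
    facts["server"] = m.groups() if m else None
    return facts


if __name__ == "__main__":
    for key, value in observations(RAW).items():
        print(f"{key}: {value}")
```

With `server_tokens off;` in the nginx configuration the `Server` header carries only the product name, and `observations()` then reports `server` as `None`.
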
:::info
2. SSH to the Admin from the outside and capture the traffic (make sure to start capturing before connecting to the server).
2.1. Can you see what is being sent?
2.2. What kind of information can you get from this?
2.3. What are the names of the ciphers used?
:::
1. Previous exercise capture.
2. Then I created the ssh session using the Solar PuTTY client:
<center>

Figure 18.
</center>
3. Then we have the following:
<center>

Figure 19.
</center>
4. Since the traffic is encrypted, I cannot extract much information from it. What I can see, though, is the encryption, compression and hashing algorithms used:
<center>

Figure 20.
</center>
Public keys and the encryption algorithms that were used for the key exchange:
<center>

Figure 21.
</center>
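
The algorithm lists visible in the capture come from the `SSH_MSG_KEXINIT` packets, which both sides send in cleartext before any keys exist (RFC 4253, section 7.1). The following added example, not part of the original report, parses such a packet and applies the RFC's selection rule for cipher, MAC and compression; the two packets and all names in the code are constructed for illustration.

```python
# Added example: parse the cleartext SSH_MSG_KEXINIT packet (RFC 4253, section 7.1).
import struct

FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def build_kexinit(lists):
    """Build an unencrypted KEXINIT packet; each list is used in both directions."""
    payload = b"\x14" + bytes(16)  # message type 20 + cookie (zeros here)
    for name in FIELDS:
        data = lists.get(name.split("_")[0], "").encode()
        payload += struct.pack(">I", len(data)) + data
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 4 + -(len(payload) + 9) % 8  # >= 4 bytes, total a multiple of 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)


def parse_kexinit(packet):
    """Return {field: [algorithm names]} from one binary packet."""
    length, pad = struct.unpack_from(">IB", packet)
    payload = packet[5:4 + length - pad]
    if length + 4 > len(packet) or payload[:1] != b"\x14":
        raise ValueError("not a complete KEXINIT packet")
    pos, out = 17, {}  # skip message type and 16-byte cookie
    for name in FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("name-list runs past the end of the payload")
        out[name] = raw.decode("ascii").split(",") if n else []
        pos += 4 + n
    return out


def negotiate(client, server, fields=("enc_c2s", "mac_c2s", "comp_c2s")):
    """Cipher/MAC/compression: first entry on the client's list the server also has."""
    return {f: next((a for a in client[f] if a in server[f]), None) for f in fields}


# Constructed samples, not packets from the lab capture.
CLIENT = build_kexinit({"kex": "curve25519-sha256", "host": "ssh-ed25519",
    "enc": "aes256-ctr,aes128-ctr", "mac": "hmac-sha2-256", "comp": "none,zlib"})
SERVER = build_kexinit({"kex": "curve25519-sha256", "host": "ssh-ed25519",
    "enc": "chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr",
    "mac": "hmac-sha2-512,hmac-sha2-256", "comp": "none"})

if __name__ == "__main__":
    print(negotiate(parse_kexinit(CLIENT), parse_kexinit(SERVER)))
```

Everything after the `SSH_MSG_NEWKEYS` message is encrypted and authenticated, so this negotiation and the key exchange messages are the only readable parts of the session.
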
:::info
Configure Burp Suite as a proxy on your machine and intercept your HTTP traffic.
3.1. Show that you can modify the contents by changing something in the request.
3.2. Why are you able to do this here and not in an SSH connection?
3.3. Do you know any other tools that are analogues to Burp suite ? List and give a one-line description of them.
:::
3.1. We can add our headers using Burp Suite, so we can catch the response and alter it, and we can also forward the response and see it in the browser:
<center>

Figure 22.
</center>
3.2 Burp Suite is designed to intercept HTTP traffic. If SSH worked over HTTP, then it would be possible to intercept it:
<center>

Figure 25.
</center>
3.3 There are these tools that work similarly to Burp Suite:
1. https://www.intruder.io/
2. https://www.acunetix.com/vulnerability-scanner/ (need to use vpn)
3. https://www.charlesproxy.com/
## Task 3
:::info
4. Configure IPv6 from the Web Server to the Worker. This includes IPs on the servers and the default gateways.
:::
IPv6 is enabled using `system package enable ipv6`, followed by a reboot.
<center>

web
</center>
<center>

worker
</center>
<center>

router
</center>
<center>

pings between
</center>