###### tags: `finished`
:::success
# INR Lab 2 - IPv4 & IPv6
:::
## Task 1 - Ports and Protocols
:::info
1. Check the open ports and listening Unix sockets against ssh and http on Admin and Web respectively.
:::
#### **These screenshots are from Web**
<center>

Picture 1 - netstat -l for listening Unix sockets on Web

Picture 2 - lsof for open ports on Web
</center>
#### **These screenshots are from Admin**
<center>

Picture 3 - lsof and netstat for open ports and listening Unix sockets on Admin
</center>
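The commands behind Pictures 1 to 3, plus a small allowlist check that turns "look at the screenshot" into something repeatable, as an added example that is not part of the original report. It uses `ss` rather than `netstat` (the same `-l` listening view; `ss -tlnp` for TCP, `ss -xlp` for Unix sockets). The sample `ss` output, the port allowlists and the function names are constructed for the example, not taken from the page's screenshots.

```shell
#!/bin/sh
# Added example for Task 1.1 (not from the original report): list what is
# listening and flag anything that is not on the host's expected-service list.
# Run as root (or with sudo) so that ss can show the owning process.

# unexpected_listeners "PORT PORT ...": reads `ss -H -tlnp` lines on stdin and prints
# every listener whose local port is not in the allowed list. Loopback-only sockets
# are skipped because they are not reachable from the network.
unexpected_listeners() {
    allowed=" $1 "
    while read -r state recvq sendq laddr peer rest; do
        [ -n "$state" ] || continue
        case "$laddr" in 127.*|\[::1\]:*) continue ;; esac   # loopback only
        port=${laddr##*:}                                    # 0.0.0.0:80 -> 80, [::]:80 -> 80
        case "$allowed" in
            *" $port "*) ;;                                  # expected service, say nothing
            *) printf '%s\n' "$laddr $rest" ;;
        esac
    done
}

# Constructed `ss -H -tlnp` output for the Web VM (not the page's real screenshot):
WEB_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=812,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=512,fd=13))'

# Web is expected to serve http and ssh; Admin only ssh. Judging the same constructed
# output against both policies shows a clean result and a hit.
web_check()   { printf '%s\n' "$WEB_SS" | unexpected_listeners "80 22"; }
admin_check() { printf '%s\n' "$WEB_SS" | unexpected_listeners "22"; }

web_check      # prints nothing: 80 and 22 are expected, 127.0.0.53:53 is loopback-only
admin_check    # prints both nginx listeners: a web server has no business on Admin

# On the real hosts:
#   ss -H -tlnp | unexpected_listeners "80 22"   (Web)
#   ss -H -tlnp | unexpected_listeners "22"      (Admin)
#   ss -xlp                                      (listening Unix sockets, Picture 1)
```

The loopback exception matters: systemd-resolved's stub on 127.0.0.53:53 shows up in every listing but is not an open port from the network's point of view, whereas the same service bound to 0.0.0.0 would be.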
:::info
2. Scan your gateway from the outside. What are the known open ports?
:::
Here we can see many ports that are open from the outside. For example, you can see port 22, which is used by the ssh service, and there was also port 53, which was used by the MikroTik as its own DNS service, but I have already closed it (with a not very correct setting, so I had to redo everything again).
<center>

Picture 4 - This is a scan of the gateway from my workstation
</center>
:::info
3. A gateway has to be transparent, you should not see any port that is not specifically forwarded. Adjust your firewall rules to make this happen. Disable any unnecessary services and scan again.
:::
To build the filter, we use the rule "everything is prohibited except..." (default deny).
Since the router evaluates the rules sequentially and stops at the first match, the rules that allow traffic were entered first, followed by the rules that drop everything else.
<center>

Picture 5 - Filter Settings

Picture 6 - The result of the filter operation
</center>
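One way to write that "everything is prohibited except..." filter, as an added example that is not the ruleset in Picture 5. The interface names (ether1 outside, ether2 lab LAN), the addresses and the single forwarded port are assumptions; the script renders a RouterOS `.rsc` file and only pushes it (scp + `/import`) when you ask it to.

```shell
#!/bin/sh
# Added example for Task 1.3 (not the report's own rules). Assumed topology:
# ether1 = outside (bridged) interface, ether2 = lab LAN 10.0.0.0/24, gateway 10.0.0.1,
# Web = 10.0.0.10 reachable from outside only through a dst-nat on tcp/80.
WAN=ether1; LAN=ether2; LAN_NET=10.0.0.0/24; WEB=10.0.0.10

# Render the RouterOS commands. Order matters: each chain is walked top to bottom and
# the first match wins, so the accepts come first and the catch-all drop is last.
render_gateway_firewall() {
cat <<EOF
# services nobody needs on a transparent gateway (ssh stays; add winbox if you use it)
/ip service disable [find name!="ssh"]
# the router's own resolver must not answer queries from outside (port 53 in Task 1.2)
/ip dns set allow-remote-requests=no
# the one intentional hole: outside tcp/80 -> Web
/ip firewall nat add chain=dstnat in-interface=$WAN protocol=tcp dst-port=80 action=dst-nat to-addresses=$WEB to-ports=80
/ip firewall nat add chain=srcnat out-interface=$WAN action=masquerade
# input: packets addressed to the router itself
/ip firewall filter add chain=input action=accept connection-state=established,related
/ip firewall filter add chain=input action=drop connection-state=invalid
/ip firewall filter add chain=input action=accept in-interface=$LAN src-address=$LAN_NET protocol=tcp dst-port=22
/ip firewall filter add chain=input action=accept in-interface=$LAN protocol=icmp
/ip firewall filter add chain=input action=drop comment="default deny: the router answers nothing else"
# forward: packets passing through the router
/ip firewall filter add chain=forward action=accept connection-state=established,related
/ip firewall filter add chain=forward action=drop connection-state=invalid
/ip firewall filter add chain=forward action=accept in-interface=$LAN out-interface=$WAN
/ip firewall filter add chain=forward action=accept in-interface=$WAN connection-nat-state=dstnat
/ip firewall filter add chain=forward action=drop comment="default deny: nothing that was not explicitly forwarded"
EOF
}

# Sanity check before pushing: the last rule of a filter chain must be the catch-all drop.
chain_ends_with_drop() {
    render_gateway_firewall | grep "chain=$1 " | tail -n 1 | grep -q 'action=drop comment="default deny'
}

# Deploy only when asked:  sh gateway-firewall.sh deploy admin@10.0.0.1
if [ "${1:-}" = deploy ]; then
    chain_ends_with_drop input && chain_ends_with_drop forward || { echo "drop is not last" >&2; exit 1; }
    render_gateway_firewall > gateway-firewall.rsc
    scp gateway-firewall.rsc "$2:/" && ssh "$2" '/import file-name=gateway-firewall.rsc'
else
    render_gateway_firewall      # dry run: show what would be applied
fi
```

RouterOS evaluates `input` for packets addressed to the router, `forward` for packets passing through it and `output` for packets the router itself sends, so each chain needs its own accepts and its own final drop. The `connection-nat-state=dstnat` match is what makes the gateway "transparent": only connections that hit a dst-nat rule are allowed in from outside, everything else is dropped without a reply. Apply it from the LAN side with the console in Safe Mode, so a rule that cuts your own session is rolled back, and then rescan the outside address as in Picture 4: only tcp/80 should remain open, the rest filtered.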
:::info
4. Suppose that some scanners start by scanning the known ports and pinging a host to see if it is alive.
4.1. Scan the Worker VM from Admin. Can you see any ports?
4.2. Block ICMP traffic on Worker and change the port for SSH to one that is above 10000.
4.3. Scan it without extra arguments.
4.4. Now make necessary changes to the command to force the scan on all possible ports.
:::
I used these filter settings just to show the connection between the hosts. One of the few problems I encountered is that when specifying forward, you must not forget that it captures both incoming and outgoing traffic. If for some reason the incoming traffic is blocked (one of the earlier rules, which took me half a day of work: input drop), then all the transit traffic will also not enter the router. The settings for incoming and outgoing traffic are created specifically for their tasks, that is, the input rule loses its force as soon as the traffic enters the router through the port. In the case of output, this is traffic generated by the router itself or resulting from input (ping, VPN, an SSH session from the router itself).
<center>

Picture 7 - Rule for Worker's ICMP
</center>
When the firewall rules did not allow ICMP traffic, the nmap run looked like this:
<center>

Picture 8 - Scanning Worker's ports from Admin
</center>
That is, all services were filtered. However, in GNS3 I cannot always update applications or install a new utility, for example nmap right now, because it gives a network connection error. I do not know what causes this, because NAT is configured for the en1 interface, but even when trying to build a test network from just a computer and NAT, the Internet is available, yet I cannot update or install packages. Changes to resolv.conf do not change anything, unfortunately.
In general, ICMP does not use ports (as RFC 792 puts it, "ICMP is actually an integral part of IP"), so I can assume that even if some ports could be reflected in nmap, these would be ports for echo requests (TCP or UDP port 7).
<center>


Picture 9 - Permanent errors
</center>
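The Worker side of 4.2 and the two scans of 4.3 and 4.4, as an added example that is not the report's own commands. It assumes Worker runs Ubuntu with OpenSSH 8.2 or newer (so `/etc/ssh/sshd_config.d/` is read) and nftables, that Worker's address is 10.0.0.30 and that 22022 is the new port; the function names and the ruleset are mine.

```shell
#!/bin/sh
# Added example for Task 1.4 (not the report's own commands). Assumptions: Worker is
# Ubuntu with OpenSSH >= 8.2 and nftables, its address is 10.0.0.30, SSH moves to 22022.
WORKER=${WORKER:-10.0.0.30}
NEW_PORT=${NEW_PORT:-22022}

# The task wants a port above 10000; refuse anything else before touching sshd.
valid_ssh_port() { [ "$1" -gt 10000 ] 2>/dev/null && [ "$1" -le 65535 ]; }

# sshd drop-in. Ubuntu's sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf".
# Keep the "#Port 22" line in the main file commented: several Port lines make sshd
# listen on all of them, and the point is to stop answering on 22.
sshd_port_dropin() { printf 'Port %s\n' "$1"; }

# nftables ruleset for "block ICMP": inbound echo is dropped, and because the chain
# policy is drop, unsolicited TCP probes get no RST either. Worker's own outbound
# traffic still works through the established,related rule.
# The leading "table" + "flush table" lines make the file safe to load twice.
worker_nft_ruleset() {
cat <<EOF
table inet lab
flush table inet lab
table inet lab {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept   # replies to Worker's own connections
        tcp dport $1 accept                     # the relocated SSH port
        icmp type echo-request drop             # 4.2: no ping replies (explicit, policy would drop it anyway)
    }
}
EOF
}

# --- run on Worker -------------------------------------------------------------
worker_apply() {
    valid_ssh_port "$NEW_PORT" || { echo "port must be 10001-65535" >&2; return 1; }
    sshd_port_dropin "$NEW_PORT" | sudo tee /etc/ssh/sshd_config.d/99-port.conf >/dev/null
    sudo sshd -t && sudo systemctl restart ssh     # -t: refuse to restart on a broken config
    worker_nft_ruleset "$NEW_PORT" | sudo nft -f -  # load the ruleset from stdin
    sudo nft list ruleset | grep -q 'echo-request drop'   # confirm it is live
}

# --- run on Admin --------------------------------------------------------------
# 4.3: a bare nmap first decides whether the host is up (ICMP echo, TCP SYN to 443,
# TCP ACK to 80, ICMP timestamp when run as root) and then scans only the top 1000
# ports, which a port above 10000 is unlikely to be in.
scan_default()   { nmap "$WORKER"; }
# 4.4: -Pn skips host discovery entirely, -p- covers all 65535 ports.
scan_all_ports() { nmap -Pn -p- "$WORKER"; }

case "${1:-}" in
    harden) worker_apply ;;
    scan)   scan_default; scan_all_ports ;;
    *)      worker_nft_ruleset "$NEW_PORT"; sshd_port_dropin "$NEW_PORT" ;;   # dry run
esac
```

Two things to check after `harden`: the session you changed the port from stays alive (it is already established), so open a second one with `ssh -p 22022` before closing it; and the ruleset is not persistent until you save it (`nft list ruleset > /etc/nftables.conf` and enable the nftables service). Note also that if Admin and Worker sit on the same Ethernet segment, nmap discovers hosts with ARP, which no IP-layer firewall can hide; the "host seems down" result of 4.3 is only reachable from another subnet.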
## Task 2 - Traffic Captures & IPv6
:::info
1. Access your Web Page from the outside and capture the traffic between the gateway and the bridged interface.
Can you see what is being sent?
What kind of information can you get from this?
What do the headers mean?
:::
We can see the traffic between the two interfaces: the outside client's TCP connection is established through the gateway to the interface where the forwarding takes place. For example, the ACK flag marks a segment whose acknowledgement number confirms everything received so far. We can get information about who the host is, the full address of the request, the time of the request, and so on.
Headers are the part of each packet that lets a device recognise and sort it: the Ethernet, IP and TCP headers carry the sender, the recipient, the packet type, the protocol, the header length and more, and on top of them the HTTP request carries its own headers (Host, User-Agent, Cookie) in clear text.
<center>

Picture 10 - Scanning Web from outside

Picture 11 - Header
</center>
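The capture and the extraction behind Pictures 10 and 11, as an added example that is not part of the original report. The bridged interface name `br0`, the capture file name and the request text are assumptions constructed for the example; the parser shows what "headers" concretely are in the HTTP layer and what a passive observer gets from them.

```shell
#!/bin/sh
# Added example for Task 2.1 (not from the original report). Interface br0, the file
# web-http.pcapng and the sample request are assumptions, not the page's data.
CAPTURE=${CAPTURE:-web-http.pcapng}

# 1. Capture only the relevant traffic on the host that owns the bridged interface.
capture_http() { sudo tcpdump -i "${1:-br0}" -w "$CAPTURE" 'tcp port 80'; }

# 2. Pull the interesting fields out of the capture: who asked, for what, and when.
http_requests() {
    tshark -r "$1" -Y http.request -T fields -E header=y -E separator='|' \
        -e frame.time -e ip.src -e ip.dst -e http.host -e http.request.method \
        -e http.request.uri -e http.user_agent -e http.cookie
}

# 3. The HTTP "headers": a request line, then "Name: value" lines terminated by CRLF,
#    ended by an empty line. This reads a raw request (what Follow TCP Stream shows)
#    from stdin and prints one field per line.
CR=$(printf '\r')
parse_http_request() {
    read -r method uri version
    printf 'method=%s uri=%s version=%s\n' "$method" "$uri" "${version%"$CR"}"
    while IFS= read -r line; do
        line=${line%"$CR"}                  # drop the CR of CRLF
        [ -n "$line" ] || break             # empty line: end of headers, body follows
        name=${line%%:*}
        value=${line#*:}; value=${value# }  # one optional space after the colon
        printf '%s=%s\n' "$name" "$value"
    done
}

# Constructed request, as a client on the outside would send it to Web over plain HTTP:
REQUEST=$(printf 'GET /index.html HTTP/1.1\r\nHost: web.lab.local\r\nUser-Agent: curl/7.81.0\r\nCookie: session=abc123\r\nAccept: */*\r\n\r\n')

request_fields() { printf '%s\n' "$REQUEST" | parse_http_request; }
request_fields

# Everything printed above was readable to anyone between the client and Web. That is
# the contrast with Task 2.2: after the SSH key exchange none of this is in the clear.
# On a real capture (needs tshark and the file):
if command -v tshark >/dev/null 2>&1 && [ -r "$CAPTURE" ]; then
    http_requests "$CAPTURE"
fi
```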
:::info
2. SSH to the Admin from the outside and capture the traffic (make sure to start capturing before connecting to the server).
Can you see what is being sent?
What kind of information can you get from this?
What are the names of the ciphers used?
:::
After starting the ssh session, we see the connection being established and traffic being exchanged.
<center>

Picture 12 - Capture of Admin during the SSH session

Picture 13 - Follow TCP Stream view of the SSH session
</center>
If you switch to Follow TCP Stream, you can see the key-exchange and cipher algorithms that both machines offer for the connection, as in the example below. In the packet list above you can also see how the machines exchange keys and then switch to encrypted packets.
<center>

Picture 14 - Exchange algorithms

Picture 15 - Also algorithms but in more readable format
</center>
But, according to the SSH page of the Wireshark Wiki, only the plaintext parts of the connection (key exchange and other handshaking) are visible; the encrypted packets cannot be decrypted.
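The cipher names in Pictures 14 and 15 are the lists each side *offers* in its KEXINIT message; Wireshark does not show which one was actually chosen. This added example, not from the original report, extracts the offers from a capture and computes the negotiated algorithm the way RFC 4253 section 7.1 prescribes (first entry of the client's list that the server also lists). The capture file name is an assumption and the algorithm lists are constructed, not copied from the screenshots.

```shell
#!/bin/sh
# Added example for Task 2.2 (not from the original report). admin-ssh.pcapng is an
# assumed file name; the name-lists below are constructed in the shape OpenSSH uses.
CAPTURE=${CAPTURE:-admin-ssh.pcapng}

# Both sides send SSH_MSG_KEXINIT (message code 20) in the clear. This prints the
# offered algorithm lists per sender, i.e. what Pictures 14/15 show in Wireshark.
kexinit_offers() {
    tshark -r "$1" -Y 'ssh.message_code == 20' -T fields -E header=y -E separator='|' \
        -e ip.src -e ssh.kex_algorithms -e ssh.server_host_key_algorithms \
        -e ssh.encryption_algorithms_client_to_server -e ssh.mac_algorithms_client_to_server
}

# negotiate CLIENT_LIST SERVER_LIST: comma-separated name-lists as on the wire.
# RFC 4253 7.1: the chosen algorithm is the first name in the CLIENT's list that also
# appears in the SERVER's list, so client preference order decides, not the server's.
negotiate() {
    saved_ifs=$IFS
    IFS=,
    for c in $1; do
        for s in $2; do
            if [ "$c" = "$s" ]; then
                IFS=$saved_ifs
                printf '%s\n' "$c"
                return 0
            fi
        done
    done
    IFS=$saved_ifs
    return 1      # nothing in common: the session fails before any data is exchanged
}

# Constructed offers (abbreviated), not taken from the capture:
CLIENT_CIPHERS='chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com'
SERVER_CIPHERS='aes256-gcm@openssh.com,aes128-ctr,chacha20-poly1305@openssh.com'
CLIENT_KEX='curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'
SERVER_KEX='diffie-hellman-group14-sha256,curve25519-sha256'

session_cipher() { negotiate "$CLIENT_CIPHERS" "$SERVER_CIPHERS"; }   # chacha20-poly1305@openssh.com
session_kex()    { negotiate "$CLIENT_KEX" "$SERVER_KEX"; }           # curve25519-sha256: client order wins

session_cipher
session_kex

# On a real capture (only when tshark and the file are present):
if command -v tshark >/dev/null 2>&1 && [ -r "$CAPTURE" ]; then
    kexinit_offers "$CAPTURE"
fi
```

Cross-check the computed result against the client's own view: `ssh -vv admin-host` logs a `kex: server->client cipher: ... MAC: ... compression: ...` line during the handshake, and it must match what `negotiate` returns for the two captured lists.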
:::danger
3. Configure Burp Suite as a proxy on your machine and intercept your HTTP traffic.
Show that you can modify the contents by changing something in the request.
Why are you able to do this here and not in an SSH connection?
Do you know any other tools that are analogues to Burp Suite? List and give a one-line description of them.
:::
:::info
4. Configure IPv6 from the Web Server to the Worker. This includes IPs on the servers and the default gateways.
:::
To do this, we need to edit the netplan configuration file again:
```
sudo nano /etc/netplan/50-cloud-init.yaml
```
<center>

Picture 16 - New lines in the configuration file for Web

Picture 17 - New lines in the configuration file for Worker


Picture 18 - Adding the gateway address to the MikroTik

Picture 19 - Successful ping result
</center>
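The content of the "new lines" in Pictures 16 to 18, written out as an added example that is not the report's own files. Every address, prefix and interface name is an assumption (Web `ens3` 10.0.0.10 / fd00:10::10 behind ether2, Worker `ens3` 10.0.1.30 / fd00:20::30 behind ether3, fd00::/8 being ULA space); the script renders the netplan file per host and the matching RouterOS commands.

```shell
#!/bin/sh
# Added example for Task 2.4 (not the report's own configuration). All addresses and
# interface names are assumptions; adjust them to the lab's real addressing plan.

# render_netplan IFACE V4/PREFIX V6/PREFIX V4GW V6GW -> a complete netplan file.
# The whole interface is re-stated on purpose: a later netplan file overrides a key an
# earlier file set, so a file containing only the IPv6 address would drop the IPv4 one.
render_netplan() {
cat <<EOF
network:
  version: 2
  ethernets:
    $1:
      addresses:
        - $2
        - "$3"
      routes:
        - to: 0.0.0.0/0
          via: $4
        - to: "::/0"
          via: "$5"
EOF
}

web_netplan()    { render_netplan ens3 10.0.0.10/24 fd00:10::10/64 10.0.0.1 fd00:10::1; }
worker_netplan() { render_netplan ens3 10.0.1.30/24 fd00:20::30/64 10.0.1.1 fd00:20::1; }

# Router side. The IPv4 filter from Task 1.3 says nothing about IPv6: without rules in
# /ipv6 firewall filter the router answers on every IPv6 address, so it is closed again here.
render_router_ipv6() {
cat <<'EOF'
/ipv6 address add address=fd00:10::1/64 interface=ether2 advertise=no
/ipv6 address add address=fd00:20::1/64 interface=ether3 advertise=no
/ipv6 firewall filter add chain=input action=accept connection-state=established,related
/ipv6 firewall filter add chain=input action=accept protocol=icmpv6 comment="neighbour discovery and PMTUD need ICMPv6"
/ipv6 firewall filter add chain=input action=accept in-interface=ether2 protocol=tcp dst-port=22
/ipv6 firewall filter add chain=input action=drop
/ipv6 firewall filter add chain=forward action=accept connection-state=established,related
/ipv6 firewall filter add chain=forward action=accept protocol=icmpv6
/ipv6 firewall filter add chain=forward action=accept in-interface=ether2 out-interface=ether3 comment="Web -> Worker"
/ipv6 firewall filter add chain=forward action=drop
EOF
}

# Dry run: print all three fragments. On the VMs, write the file and test it with a
# rollback:   web_netplan | sudo tee /etc/netplan/50-cloud-init.yaml >/dev/null && sudo netplan try
# cloud-init rewrites 50-cloud-init.yaml on boot unless its network config is disabled:
#   echo 'network: {config: disabled}' | sudo tee /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
echo "# Web:";    web_netplan
echo "# Worker:"; worker_netplan
echo "# MikroTik:"; render_router_ipv6
```

Verify from Web with `ping -6 -c 3 fd00:10::1` (the gateway on the link), `ping -6 -c 3 fd00:20::30` (Worker through the router) and `ip -6 route show default`, which must show `via fd00:10::1 dev ens3`. Unlike IPv4, blocking all ICMPv6 breaks the protocol: neighbour discovery (the replacement for ARP) and path MTU discovery ride on it, which is why the IPv6 filter above keeps `protocol=icmpv6` open while still dropping everything else. For Task 2.5 the same two address lines and a `forward` accept are needed for Admin's interface.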
:::info
5. Access the Web Page using IPv6 from Admin while capturing again. Can you see the difference? What's the difference?
Attach your IPv6 captures in a folder named captures with your report.
:::
<center>

Picture 20 - New lines in the configuration file for Admin

Picture 21 - Adding the gateway address to the MikroTik

Picture 22 - Result of ping

Picture 23 - ICMPv6 packets appeared
</center>
References:
1. [Manual:IP/Firewall/NAT](https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT)
2. [Wireshark/sshdump](https://www.wireshark.org/docs/man-pages/sshdump.html)
3. [Yaml Checker](http://www.yamllint.com/)
4. [Manual:IPv6](https://wiki.mikrotik.com/wiki/Manual:IPv6/Address#EUI-64)
5. [Wireshark/SSH](https://wiki.wireshark.org/SSH)