A Beginners Guide To Using IPTables

ABSTRACT

Readers, there are numerous reasons ... It is well known that the Internet is an unmanaged an decentralized network, running under a set of protocols, which are not designed to ensure the integrity and confidentiality of information and access controls.
There are several ways to breach a network, but these ways do nothing more than take advantage of flaws within network protocols and services.

CONCEPTS

IPTABLES is an editing tool for packet filtering, with it you can analyze the header and make decisions about the destinations of these packets, it is not the only existing solution to control this filtering. We still have the old ipfwadm and ipchains, etc.
It is important to note that in Gnu / Linux, packet filtering is built into the kernel. Why not configure your installation in accordance with this article, since most distributions come with it enabled as a module or compiled directly into the kernel.

STEP BY STEP

case "$1" in
start)

Clearing Rules
iptables -t filter -F
iptables -t filter -X

Tips [ICMP ECHO-REQUEST] messages sent to broadcast or multicast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Protection against ICMP redirect request
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

Do not send messages, ICMP redirected.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

(Ping) ICMP 
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

Packages logs with nonexistent addresses (due to wrong routes) on your network
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

Enabling forwarding packets (required for NAT)
echo "1" >/proc/sys/net/ipv4/ip_forward

SSH accepted
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Block all connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

IP spoofing protection
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
echo - Subindo proteção contra ip spoofing : [OK]

Disable sending the IPV4
echo 0 > /proc/sys/net/ipv4/ip_forward

SYN-Flood Protection
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP

# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

Tips connections scans
iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j DROP
iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j LOG --log-level info --log-prefix "Scan recent"

Tips SYN packets invalid
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"
# Tips SYN packets invalid
iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"

Certifies that new packets are SYN, otherwise they Tips
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Discard packets with fragments of entry. Attack that can cause data loss
iptables -A INPUT -f -j DROP
iptables -A INPUT -f -j LOG --log-level info --log-prefix "Packages fragmented entries"

Tips malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-level info --log-prefix "malformed XMAS packets"

DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

WHOIS Out
iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT

FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT

FTP In
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Reverse
iptables -t filter -A INPUT -p tcp --dport 77 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 77 -j ACCEPT

MSF
iptables -t filter -A INPUT -p tcp --dport 7337 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7337 -j ACCEPT

#######################################
WEB Management Firewall
touch /var/log/firewall
chmod +x /var/log/firewall
/var/log/firewall -A INPUT -p icmp -m limit --limit 1/s -j LOG --log-level info --log-prefix "ICMP Dropped "
/var/log/firewall -A INPUT -p tcp -m limit --limit 1/s -j LOG --log-level info --log-prefix "TCP Dropped "
/var/log/firewall -A INPUT -p udp -m limit --limit 1/s -j LOG --log-level info --log-prefix "UDP Dropped "
/var/log/firewall -A INPUT -f -m limit --limit 1/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
/var/log/firewall -A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
/var/log/firewall -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
exit 0
;;

stop)
echo "turning off the firewall "
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
exit 0
;;

restart)
/etc/init.d/firewall stop
/etc/init.d/firewall start
;;

echo "Use: /etc/init.d/firewall {start|stop|restart}"
exit 1
;;
esac

Logs available: /var/log/firewall
COMMANDS TO MONITOR LOGS: tail -f /var/log/messages
Save: /etc/init.d/firewall

CONCLUSION

Gentlemen, I hope to help you in configuring your network security and remind you to choose only the best options available.
Allow me to add a few Advantages of using your firewall. Be sure to Block unknown and unauthorized connections. You can specify what types of network protocols and services to be provided and you may control the packets from any untrusted services. Your firewall also allows blocking websites with URL filters, access control, access logs for reports by user, protecting the corporate network through proxies, and Automatic Address Conversion (NAT). Control services that can either be executed or not, on the network allowing for high performance in their duties with easy administration and reliability.

A hug to all who follow RHA and my sweet brother Rafay Baloch.

ABOUT THE AUTHOR:

This is a guest post written by , RAFAEL FONTES SOUZA. He is the maintainer of the “Project Backtrack Team Brazilian”, He works at RHAinfosec as a senior penetration tester. He is also the Founder of the "Wikileaks and Intelligence, Cypherpunks". Good communication in groups and the general public, attended college projects with a focus on business organization, he currently seeks work experience outside of brazil”. He frequently contributes at RHA and talks about various topics related to internet security. 

Certified Penetration Testing Consultant - C)PTC Review

Although most of the attacks have moved towards Web Application, but the most critical information resides upon the network and is not being exposed to the Web application, therefore a lot of the organizations are allocating a certain amount of budget to obtain a better security model. However, now a days network penetration testing is becoming a tedious job due to the fact that organizations are now implementing multiple layers of defenses. In such cases a better strategy and advanced attack strategies are required for conducting a better security assessment.

Recently, I got a chance to take the C | PTC course which was focused primarily on testing huge network infrastructures. So, therefore I thought to write an unbiased review about the course contents and the examination.
CPTC (Certified Penetration Testing Consultant) comes into two flavors, the practical and the theoretical exam. The theoretical exam costs about 300$ and comes in the form of multiple choice questions, whereas the CPTC practical exam costs 600$. The exam would consists of two IP addresses to pentest and 6 hours to exploit them and report the results to pass the examination. At the end of the engagement, you would need to submit full penetration testing report with all your technical findings under 90 days, the report would be evaluated by experts and based upon their decision, you'll be marked with a pass or fail.

The overall course is based upon Network infrastructure based attacks i.e. mostly related to layer 2, layer 3, Layer 4 attacks. The course included in depth coverage of much less discussed topics such as Vlan hopping at layer 2, routing protocols attacks (OSPF, EIGRP), HSRP, VPN, IPV6 based attacks etc. The course kit ships up with a workbook, a Lab guide and lab access to follow practice the attacks you have learnt through out the course. The course is strongly recommended to any one who is interested in taking their skills to the next level.

Course Content

The course is divided into 8 different modules and each module comes up with a lab of it's own. So that after each module you would be able to practice the attacks you learned.

According to mile2, the attendees of the course would be able to do the following things:

• Perform a penetration test and submit a deliverable report
• Capture and replay VoIP traffic
• Learning Network Infrastructure advanced Attacks.
• Find and exploit databases with SQL Injection vulnerabilities
• Manipulate prices on e-commerce websites
• Obtain and transfer information via Bluetooth enabled telephones
• Tools and resources for picking simple and complex locks
• Techniques for Wireless Site Surveying and Cracking WEP/WPA key
• Each day ends with a Capture the Flag Competition to ensure that participants retain the daily objectives.
• Additionally, attendees will be qualified to confidently undertake the CPT Consultant practical examination.

Pros

• The course offers wide varieties of topics for advanced penetration testing
• The examination is based upon real world practical challenge.
• Along with pentesting, they also teach you how to write reports, which is something that is often not taught in most of the penetration testing courses.
• The course talks about complex network Infrastructure attacks specifically focused on cisco.
• The cost for the exam and material is pretty reasonable when compared with other certifications such as eccouncil's CEH.

Cons

• Since the CPTE course covers much about webapplication penetration testing, the course being an advanced versions should also had contained a module on "WebApplication" security/pentesting. However, mile2 has specifically designed a course for webapplications known as CSWAE course, which we would review very soon here at RHA.
• The workbook/labguide should be downloadable as the PDF, so that people can study offline.

Conclusion

Overall, I found the course pretty fascinating and it's definitely recommended for individuals that want to dive inside the world of network infrastructure attacks and hack on lower layers.

Questions and Comments

If you have any questions feel free to contact: BillNelson@Mile2.com. Mile2 has been kind enough to offer a special discount rate of 14% specifically for RHA readers.

Discount Code: BNSpcl14

How to install and use Veil-Catapult in backtrack?

Today we are gonna talk about Veil-Catapult.Veil-Catapult is payload delivery for when metasploit’s psexec getting caught by AV.It utilizes Veil-Evasion to generate AV-evading binaries, impacket to upload/host the binaries, and the passing-the-hash toolkit to trigger execution.It officially supported on kali linux only.I`m going to show you how to install Veil-Catapult in backtrack?

First if you have not already installed veil-evasion framework then first install it as mentioned here.After installing Veil-evasion follow steps.

root@bt:~wget https://github.com/Veil-Framework/Veil-Catapult/archive/master.zip

root@bt:~unzip master.zip 

root@bt:~cd Veil-Catapult-master/

root@bt:~sh setup.sh

Now veil-catapult require impacket library & passing the hash toolkit.So setup script try to install PTH suite but we got error.So we have to manually do it.

Install passing the hash.

root@bt:~wget https://passing-the-hash.googlecode.com/files/wmiPTH-1.0-1.deb

root@bt:~wget https://passing-the-hash.googlecode.com/files/winexePTH1.1.0-1.deb

root@bt:~dpkg -i winexePTH1.1.0-1.deb

root@bt:~dpkg -i wmiPTH-1.0-1.deb

If you are using other OS then you have to manually build it as mentioned here .

It installed into the /opt/pth/bin folder , we have to move it into /usr/bin.

root@bt:~# ln -s /opt/pth/bin/wmis /usr/bin/pth-wmis

root@bt:~# ln -s /opt/pth/bin/winexe /usr/bin/pth-winexe

root@bt:~# ln -s /opt/pth/bin/wmic /usr/bin/pth-wmic

Installing impacket library

root@bt:~# wget http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=tool&page=Impacket&file=impacket-0.9.11.tar.gz

root@bt:~# tar -xvzf impacket-0.9.11.tar.gz 

root@bt:~# cd impacket

root@bt:~# python setup.py build 

I know you have question that we can install it , but when we tried to install , it  installed succesfully ;but some of modules are missing.So we first gonna build it then copy it. Now copy folder impacket from build/lib.linux-i686-2.6/ and paste it into /usr/lib/pymodules/python2.6 

Now everything is ready ,we can run it. Before that open /etc/veil/settings.py and checkout all path.

root@bt:~/Veil-Catapult-master# python Veil-Catapult.py 

Now select number according to your choice & fill out necessary option.

Powershell injector

Barebones python injector

Sethc backdoor

Reboot, hit Shift key 5 times, SYSTEM shell will pop up. Also there is script for it in metasploit.Check it out this awesome blog for more details.

EXE delivery upload 

Cleanup resource script is generated , you can use it after your work completed for kill process & remove exe.

You can also host exe using temporary SMB server.This will load the payload executable into memory without touching disk, allowing otherwise disk-detectable executable to bypass detection

Alternatives of Veil-Catapult are smbexec  and keimpx.

The Hacker's Manifesto

Every hacker has his own manifesto, and this is what our team member "Rafael Souza" has sent to us as his manifesto. 

This is my manifest... I dedicated more than half of my life to studying the martial arts, and the study of “Hacking”;these two seemingly unrelated paths, found many common points that I would like to share.

The first commonality is that normally people today are more interested in products "fast food", something that is fast, easy, with minimal effort and maximum results. Anyone who has really studied and practiced legitimate hacking knows that as in the Martial Arts Hacking is a way of life that never ends!

You see a simple example of this is to see the hundreds of self-defense academies that teach the individual how to defend against assaults, etc...When in fact they are just creating a false sense of security about the individual and therefore the individual will be more in danger.

This also happens in Hacking, there are thousands of books that say: "you’ll be e a hacker soon”, "Learn all the techniques of hackers”, "Maximum Security"... All sharing a minimum of knowledge and common sense, knowing that this is all nonsense!

Martial arts are part of an ancient culture, a people that has a very rich history. The term Kung Fu was created over 4000 years and at first was not directly linked to the practice of Martial Arts. For KUNG refers to work, effort, dedication, Kung ideogram represents the figure of anAgricola instrument, denoting effort, sweat. The term semiotic FU "Mature Man", was generally associated with her ​​husband, a man of great culture and great influence in society or a great artist of great creativity.

So Kung Fu was used to refer to a mature man who has achieved a high level of understanding and implementation in a particular area. Within this reasoning, you could have very Kung Fu for math,literature, cuisine...

The term Kung Fu only began to be associated with Chinese martial arts in the West in the 50's when the famous Bruce Lee came to America and made ​​a completely new method of struggle, and when questioned about what he did he just said“Kung Fu “. He started teaching Dai in the West and westerners began to associate the name “Kung Fu” exclusively with Chinese Martial Arts.

Centuries later when the monks began to employ the training Kung Fu in the Shaolin Monastery, WuShu(now has another connotation) Stop the violence through self-control, the monks developed the ability to hurt an individual or even kill him, but at the same time developed the self-control (i.e. retain within "themselves”), an ethic that had an emotional balance.

This same spirit is found in the Hacking in which people develop a series of abilities through intense dedication to the study of Hacking. For hacking practiced in essence develops in the individual focus (large ability of the individual to focus and determined on a problem and stick to it forhours, even days without sleep often ate until finding the solution).

Creativity: Many mistakenly think that the hacker is just a walking library that has accumulated much knowledge, but the real hacking begins at the starting point at which he learned by going beyond the point you have learned. 

The ability of abstraction and get rid of all logic.

The practical importance of these two pathways is essential: movement, action!

So you are not considered a hacker or legitimate martial artist why not develop your own discipline as mentioned earlier about the emotional control of warrior monks.

Inside there is a hacking ethic that must be cultivated, i.e.individuals have the ability to be able to do something destructive, but this does not have to be the larger goal. These principles which differentiate a Martial Artist fighter or an athlete.

Often the goal of the individual is in just winning competitions and win medals, while the Martial Artist focus on increasing levels of skill and self-discipline.

The same scenario is found in the difference between the hacker and cracker, one aims to achieve excellence of knowledge, the other is only interested in stealing, destroying and perhaps achieve profit. There is a gulf of difference in these ways and I hope that most can see these differences.

Another aspect that is worth to be mentioned, is about the relationship between man and machine. Or the ancient warriors, like the great samurai for example, had not his sword as a tool but as part of himself, such is the intimacy between a soldier and his gun. The samurai sword was simply an extension of his body, he reached such a high degree that the two were one!

I think we should have the same aim in hacking similar levels of self-discipline, know the system, the machine thoroughly so that you arrive at the level of running anything you want, without limitations, and you are part of it!

Another interesting feature in both paths that must be cultivated is malice: Because my master told me a phrase that I never forgot: "The Martial Artist can be accused of anything, least of naive". With malice does not mean doing something destructive, the individual's ability to see the good and bad of every possible situation.

Gentleman, I hope this clarifies some text for people who do not yet have a clear view on these paths, and the Martial Artists who see only as troublemakers and violent fighters and Hackers as virtual outcasts.