A loadable kernel firewall module that detects specific packets and drops them. More specifically, it uses Netfilter framework hook functions (kernel callback functions) that user-written modules can register in order to obtain the details of each packet.
On VM1, use the network reconnaissance tool nmap to send crafted reconnaissance packets to VM2 (e.g. TCP half-open scan packets, TCP connect packets, UDP packets, etc.). So, install nmap on VM1.
On VM2, load the kernel module that uses the Netfilter hook functions to obtain packets and identify the three reconnaissance scans. For example, the TCP half-open scan sends only a single TCP SYN packet, expecting a SYN/ACK, RST or, at worst, no response. Once a scan is identified, the module logs the detection to syslog.
💡 The module is being loaded on an Artix system with runit as the init system. All steps would be similar on other distributions except for updating the system and installing the kernel headers:

```sh
pacman -SyU
pacman -Sy linux linux-headers
```
Get the script from this repo; the file simple_netfilter_LKM.c contains it:

```sh
git clone https://github.com/ashcode028/LKM-Reconnaissance-Detection
```

or download the attached zip file. Then build and load the module:

```sh
cd LKM-Reconnaissance-Detection/
make
```

Here, the Makefile runs the insmod command by default. So, before running make again, run make clean.
Netfilter is a framework for packet mangling, outside the normal Berkeley socket interface. It has four parts. Firstly, each protocol defines “hooks” (IPv4 defines 5) which are well-defined points in a packet’s traversal of that protocol stack. At each of these points, the protocol will call the netfilter framework with the packet and the hook number.
This kernel module intercepts TCP packets and logs the detected scan type using printk(). For each TCP packet, we read the flag bits set in the TCP header from within a Netfilter hook function, then detect the type of scan from them. Once a recon packet is detected, it is dropped. If a UDP packet is detected, it is accepted if it is destined to port 53 and dropped otherwise; these drops are not logged.
Supported scans/recon packets are:
- SYN scan: only SYN flag set
- FIN scan: only FIN flag set
- XMAS scan: FIN, URG and PSH set
- NULL scan: all flag bits unset
- ACK/Window scan: only ACK bit set
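As an added, user-space illustration (not code from the repository above), the following C program applies the same classification rules to constructed IPv4 packets. It stands in for the hook body: where the real module reads the flag byte from the skb inside a Netfilter hook and returns NF_ACCEPT or NF_DROP, this version parses a raw byte buffer and returns an equivalent verdict enum, so the logic can be built and run without kernel headers. The sample packets, the handling of malformed or non-TCP/UDP packets and the function names are my assumptions, not the project's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as they appear in byte 13 of the TCP header. */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20

enum scan_type { SCAN_NONE = 0, SCAN_SYN, SCAN_FIN, SCAN_XMAS, SCAN_NULL, SCAN_ACK };
enum verdict   { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };  /* stands in for NF_ACCEPT / NF_DROP */

static const char *scan_name[] = {
    "none", "SYN scan", "FIN scan", "XMAS scan", "NULL scan", "ACK/Window scan"
};

/* Map the flag byte to a scan type using the five rules listed above.
 * The whole byte is compared, so "only SYN" really means no other bit set. */
enum scan_type classify_tcp_flags(uint8_t flags)
{
    switch (flags) {
    case TCP_SYN:                     return SCAN_SYN;
    case TCP_FIN:                     return SCAN_FIN;
    case TCP_FIN | TCP_PSH | TCP_URG: return SCAN_XMAS;
    case 0:                           return SCAN_NULL;
    case TCP_ACK:                     return SCAN_ACK;
    default:                          return SCAN_NONE;   /* ordinary traffic */
    }
}

/* Decide the verdict for one raw IPv4 packet (network byte order).
 * If scan is non-NULL it receives the scan type found for TCP packets. */
enum verdict inspect_ipv4_packet(const uint8_t *pkt, size_t len, enum scan_type *scan)
{
    if (scan) *scan = SCAN_NONE;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return VERDICT_ACCEPT;                 /* not IPv4: left alone (assumption) */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return VERDICT_DROP;                   /* malformed IP header (assumption) */
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = len - ihl;

    if (pkt[9] == 6) {                         /* TCP */
        if (l4len < 20) return VERDICT_DROP;   /* truncated TCP header (assumption) */
        enum scan_type s = classify_tcp_flags(l4[13]);
        if (scan) *scan = s;
        if (s == SCAN_NONE) return VERDICT_ACCEPT;
        /* The module uses printk() here; the entry lands in dmesg/syslog. */
        printf("recon detected: %s, dst port %u, dropping\n",
               scan_name[s], (unsigned)((l4[2] << 8) | l4[3]));
        return VERDICT_DROP;
    }
    if (pkt[9] == 17) {                        /* UDP: only DNS (port 53) passes, drops unlogged */
        if (l4len < 8) return VERDICT_DROP;
        return ((l4[2] << 8) | l4[3]) == 53 ? VERDICT_ACCEPT : VERDICT_DROP;
    }
    return VERDICT_ACCEPT;                     /* other protocols: accepted (assumption) */
}

/* Constructed sample packets: minimal IPv4 + TCP/UDP headers, checksums left at zero. */
size_t make_tcp_packet(uint8_t flags, uint16_t dport, uint8_t out[40])
{
    memset(out, 0, 40);
    out[0] = 0x45; out[3] = 40; out[8] = 64; out[9] = 6;   /* IPv4, IHL 5, len 40, TTL 64, TCP */
    uint8_t *tcp = out + 20;
    tcp[0] = 0xc0; tcp[1] = 0x01;                          /* source port 49153 */
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50;                                        /* data offset 5 words */
    tcp[13] = flags;
    return 40;
}

size_t make_udp_packet(uint16_t dport, uint8_t out[28])
{
    memset(out, 0, 28);
    out[0] = 0x45; out[3] = 28; out[8] = 64; out[9] = 17;  /* IPv4, len 28, UDP */
    uint8_t *udp = out + 20;
    udp[0] = 0xc0; udp[1] = 0x01;
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[5] = 8;                                            /* UDP length 8 */
    return 28;
}

enum verdict verdict_for_tcp_flags(uint8_t flags, enum scan_type *scan)
{
    uint8_t pkt[40];
    size_t n = make_tcp_packet(flags, 80, pkt);
    return inspect_ipv4_packet(pkt, n, scan);
}

enum verdict verdict_for_udp_port(uint16_t dport)
{
    uint8_t pkt[28];
    size_t n = make_udp_packet(dport, pkt);
    return inspect_ipv4_packet(pkt, n, NULL);
}

int main(void)
{
    const uint8_t cases[] = { TCP_SYN, TCP_FIN, TCP_FIN | TCP_PSH | TCP_URG, 0, TCP_ACK,
                              TCP_SYN | TCP_ACK, TCP_PSH | TCP_ACK };
    for (size_t i = 0; i < sizeof cases; i++) {
        enum scan_type s;
        enum verdict v = verdict_for_tcp_flags(cases[i], &s);
        printf("flags=0x%02x -> %s, %s\n", cases[i], scan_name[s], v ? "DROP" : "ACCEPT");
    }
    printf("udp/53 -> %s, udp/161 -> %s\n", verdict_for_udp_port(53) ? "DROP" : "ACCEPT",
           verdict_for_udp_port(161) ? "DROP" : "ACCEPT");
    return 0;
}
```

Note what the SYN rule implies for a defender: a bare SYN is also how every legitimate client opens a connection, so a hook that drops every SYN-only packet blocks all inbound TCP services on the host, not just scanners. In practice this rule needs context such as a per-source rate threshold or a list of ports the host actually serves, and because dropped UDP packets never reach the log, a UDP scan leaves nothing in dmesg to investigate afterwards.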
Once you load the module using `insmod LKM.ko`, check the output of `dmesg | tail`. Even if verification fails, don't worry; you can proceed to the next steps.
These steps are run on another (pen-testing) machine.
To check individual scans, the generic command is:

```sh
nmap <flag> <ip of machine to scan>
```

For example, an XMAS scan:

```sh
nmap -sX 172.12.16.131
```

Check the system logs on the scanned machine using dmesg after each scan.
To run all scans at once:

```sh
./Test-script.sh
```