
Defeating Nmap Scans v0.1 v0.2

The well-known scanning tool Nmap allows users to discover running services on a target machine. In this tutorial, we use Haka to fool Nmap scans by crafting reset packets.

When launching a NULL (-sN), FIN (-sF) or XMAS (-sX) scan, Nmap forges a malicious packet with an unusual combination of TCP flags. Nmap concludes that a port is closed on the target machine if it receives a RST packet in response.

Thanks to the Haka API, we can forge RST packets and fool Nmap into thinking that all ports are closed on the target side. The following script starts by loading the ipv4 and tcp dissectors. The next line disables the tcp-connection dissector so that Haka does not drop all packets that do not belong to a valid connection. Finally, we define the security rule, which creates a RST TCP packet whenever an Nmap scanning packet is detected. In the last lines, we inject the newly crafted packet and drop the packet forged by Nmap.
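As an added example (not the Haka script this tutorial refers to, and not using the Haka API), the following Python code shows the decision such a rule has to make: recognise the NULL, FIN and XMAS flag patterns and compute the fields of the reset a closed port would send under RFC 793. All function names and the sample segments are constructed for illustration, and matching the flag byte exactly is an assumption about how strict the rule should be.

```python
# Added example: names below are illustrative and not part of the Haka API.
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations sent by the three Nmap scan types named above.
SCAN_FLAGS = {0: "NULL (-sN)", FIN: "FIN (-sF)", FIN | PSH | URG: "XMAS (-sX)"}


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed part of a TCP header; bytes after the header are payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", segment[:14])
    hdr_len = (off >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags & 0x3F, "payload_len": len(segment) - hdr_len}


def classify(flags: int):
    """Return the scan name for an exact flag match, else None."""
    return SCAN_FLAGS.get(flags & 0x3F)


def rst_reply(seg: dict) -> dict:
    """Reset for a segment without ACK (RFC 793): SEQ=0, ACK=SEG.SEQ+SEG.LEN,
    flags RST|ACK. SYN and FIN each count as one unit of segment length."""
    seg_len = seg["payload_len"] + bool(seg["flags"] & SYN) + bool(seg["flags"] & FIN)
    return {"sport": seg["dport"], "dport": seg["sport"], "seq": 0,
            "ack": (seg["seq"] + seg_len) & 0xFFFFFFFF, "flags": RST | ACK}


def handle(segment: bytes):
    """Return (scan_name, reset_fields) for a scan probe, or None to pass it on."""
    seg = parse_tcp(segment)
    name = classify(seg["flags"])
    return (name, rst_reply(seg)) if name else None


def probe(flags: int, seq: int = 1000) -> bytes:
    """Constructed sample segment: port 40000 -> 80, no options, no payload."""
    return struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, flags, 1024, 0, 0)


if __name__ == "__main__":
    for f in (0, FIN, FIN | PSH | URG, SYN, ACK):
        print(f"{f:#04x}", handle(probe(f)))
```

The FIN bit consumes one sequence number, so the acknowledgement in the reset differs between a NULL probe and a FIN or XMAS probe carrying the same sequence number.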

Interactive Packet Filtering Mode v0.1

Haka has an interesting feature that allows packets to be filtered interactively. With this mode activated, a Haka shell prompt is displayed to the end user, who then has access to the full Haka API to play with packet content: accessing and modifying packet fields, dropping packets, logging suspicious events, alerting, etc. The Lua console supports auto-completion and is therefore a good starting point for diving into the Haka API.

SQLi Attack Detection v0.1

SQL injection attacks (SQLi) are common web attacks that consist of injecting SQL commands through HTTP requests, thereby enabling sensitive data disclosure or authentication scheme bypass. SQLi attacks are the most dangerous software attacks according to the SANS Institute ranking.