vitaly-kamluk / bitscout

Remote forensics meta tool
GNU General Public License v2.0

Port 2000 again with nbd-server #22

Closed melorium closed 5 years ago

melorium commented 5 years ago

I don't know what I'm really doing wrong.

The first day everything worked with port 2000 when the host was started with address 10.1.0.2.

But I'm using the duplicate-cn setting in my OpenVPN and the host gets 10.1.0.3.

Now I don't get access to port 2000 again from my WS on the same net.

I can SSH to the host, and when I start the NBD server using systemctl restart nbd-server.service it starts, and I can telnet to port 2000 from inside the container using telnet 10.1.0.3 2000; it works.

But from my WS 10.1.0.5 I can't telnet to port 2000; it gets stuck.

What do you think I'm doing wrong?

I could mount a block device just after we talked the other day.

:( I feel so bad and I can't solve it.

Dennis

vitaly-kamluk commented 5 years ago

I am not sure if this is related to Bitscout or your setup. I tested this and it works fine on my side. Please try to double-check you are using correct addresses and ports. You can use nmap and tcpdump tools to see where packets are not going through. If VPN was established correctly on your expert’s workstation, you should be able to reach port 2000 if you started a service (i.e. nbd-server) on this port in the container. Here is how you can check if the port is open or closed from your expert’s host:

    $ nmap -p2000 -n 10.1.0.2

If your expert’s host VPN IP is 10.1.0.5 then you can also run the following command on bitscout-host to see incoming packets from 10.1.0.5 via vpn:

    $ sudo tcpdump -i tap0 -n host 10.1.0.5

If there are no packets it means something is wrong with your setup outside Bitscout.
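Added example, not part of the original thread or of the Bitscout project: a Python script that applies the tcpdump check described above, reading `tcpdump -n` text output and classifying how far a connection to a given port got. The capture lines, the verdict names and the port 2001 case are constructed for illustration.

```python
import re

# One TCP line of `tcpdump -n` text output (IPv4):
#   HH:MM:SS.us IP src.sport > dst.dport: Flags [..], ...
LINE = re.compile(r"^\S+ IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([^\]]*)\]")

def diagnose(capture, client, server, port):
    """Return how far client -> server:port got, judged from the capture text."""
    seen_in = synack = rst = data_out = False
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # non-TCP, truncated or unrelated line
        src, sport, dst, dport, flags = m.groups()
        if (src, dst, int(dport)) == (client, server, port):
            seen_in = True               # packet from the client reached this interface
        elif (src, dst, int(sport)) == (server, client, port):
            if flags == "S.":
                synack = True            # handshake answered
            elif "R" in flags:
                rst = True               # connection refused or reset
            else:
                data_out = True          # reply traffic of an existing session
    if synack or (seen_in and data_out):
        return "open"                # handshake or an established session seen
    if rst:
        return "closed"              # arrived, but nothing listening or a reject rule
    if seen_in:
        return "arrived-unanswered"  # dropped after arrival, e.g. by a firewall rule
    return "not-arriving"            # lost before this interface (VPN, routing, client)

# Constructed capture (not from the thread): 10.1.0.2 = expert, 10.1.0.3 = Bitscout.
SAMPLE = """\
20:30:36.020734 IP 10.1.0.2.37096 > 10.1.0.3.23: Flags [.], ack 101, win 3662, length 0
20:30:36.020755 IP 10.1.0.3.23 > 10.1.0.2.37096: Flags [P.], seq 101:457, ack 1, win 313, length 356
20:30:40.100000 IP 10.1.0.2.51000 > 10.1.0.3.2000: Flags [S], seq 1000, win 29200, length 0
20:30:41.100000 IP 10.1.0.2.51000 > 10.1.0.3.2000: Flags [S], seq 1000, win 29200, length 0
20:30:45.200000 IP 10.1.0.2.51002 > 10.1.0.3.9999: Flags [S], seq 2000, win 29200, length 0
20:30:45.200050 IP 10.1.0.3.9999 > 10.1.0.2.51002: Flags [R.], seq 0, ack 2001, win 0, length 0
"""

if __name__ == "__main__":
    for p in (23, 2000, 9999, 2001):
        print(p, diagnose(SAMPLE, "10.1.0.2", "10.1.0.3", p))
```

A "not-arriving" verdict on the receiving side's tap0 capture corresponds to the case described above where no packets show up and the fault lies outside Bitscout.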

melorium commented 5 years ago
  1. My Bitscout has IP 10.1.0.3 and expert is 10.1.0.2 right now:

    sudo tcpdump -i tap0 -n host 10.1.0.2

and when I run this from the container, a lot of traffic comes in:

    20:30:36.020734 IP 10.1.0.2.37096 > 10.1.0.3.23: Flags [.], ack 218519896, win 3662, options [nop,nop,TS val 2785199397 ecr 1595095443], length 0
    20:30:36.020751 IP 10.1.0.2.37096 > 10.1.0.3.23: Flags [P.], seq 67213:67249, ack 218520100, win 3662, options [nop,nop,TS val 2785199397 ecr 1595095443], length 36
    20:30:36.020755 IP 10.1.0.3.23 > 10.1.0.2.37096: Flags [P.], seq 218522940:218523296, ack 67213, win 313, options [nop,nop,TS val 1595095445 ecr 2785199397], length 356
    20:30:36.020766 IP 10.1.0.2.37096 > 10.1.0.3.23: Flags [.], ack 218521528, win 3662, options [nop,nop,TS va

  2. When I run nmap -p2000 -n 10.1.0.3 from expert it says:

    Starting Nmap 7.60 ( https://nmap.org ) at 2018-12-13 21:36 CET
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 3.09 seconds.

Something is blocking my traffic from expert to host. Strange.

melorium commented 5 years ago

I can use SSH to the container on port 23 but I cannot reach port 2000.

vitaly-kamluk commented 5 years ago

Please note that port 23 was allocated for SSH connections to the Bitscout host system (not the container). The container is an isolated environment which runs as an unprivileged user and by default should be accessible via port 22 for SSH service. You can see where you are by the background color of the command prompt (Bitscout container uses blue, while Bitscout host system uses red color). If you are looking for more details about iptables setup and rules for TCP port forwarding (for port 22 and port 23) check the “resources/sbin/host-iptables” file. See your local file or check online: https://github.com/vitaly-kamluk/bitscout/blob/master/resources/sbin/host-iptables

Here is the most important fragment which enables port 23 (when host control is on via Bitscout management tool’s network menu):

    # Incoming host connections
    $IPT -A HOST_INCOMING -p tcp --dport 23 -j ACCEPT
    $IPT -A HOST_INCOMING -j RETURN

If you prefer to work on Bitscout host instead of using container, then you can continue working over SSH port 23, and in this case you can enable additional port(s) for nbd-server or other service using iptables. Here is an example of enabling port 9999 via one time command on Bitscout host:

    $ sudo iptables -A INPUT -p tcp --dport 9999 -j ACCEPT

Try running that on bitscout and see if you can use nbd-server on port 9999.

In this case I don’t recommend using ports 2000-2009 because they are forwarded to the container.

I hope it helps.

melorium commented 5 years ago

Thanks a lot for your help. It was my VPN server that was hacked, but I reinstalled it now. Now everything works perfectly. You are the best and nicest person ever. Dennis