├── modules.order ├── LKM.mod ├── LKM.ko ├── Linux Kernel Netfilter Module fc5227bc12664995a805ab67986dabe9 ├── Screenshot_from_2022-02-20_20-15-55.png ├── Screenshot_from_2022-02-20_23-19-45.png └── Screenshot_from_2022-02-21_12-57-08.png ├── Makefile ├── Test-Script.sh ├── simple_netfilter_LKM.c └── README.md /modules.order: -------------------------------------------------------------------------------- 1 | /root/netfilter_lkm/LKM.ko 2 | -------------------------------------------------------------------------------- /LKM.mod: -------------------------------------------------------------------------------- 1 | /root/netfilter_lkm/simple_netfilter_LKM.o 2 | 3 | -------------------------------------------------------------------------------- /LKM.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ashcode028/Reconnaissance-Detection/HEAD/LKM.ko -------------------------------------------------------------------------------- /Linux Kernel Netfilter Module fc5227bc12664995a805ab67986dabe9/Screenshot_from_2022-02-20_20-15-55.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ashcode028/Reconnaissance-Detection/HEAD/Linux Kernel Netfilter Module fc5227bc12664995a805ab67986dabe9/Screenshot_from_2022-02-20_20-15-55.png -------------------------------------------------------------------------------- /Linux Kernel Netfilter Module fc5227bc12664995a805ab67986dabe9/Screenshot_from_2022-02-20_23-19-45.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ashcode028/Reconnaissance-Detection/HEAD/Linux Kernel Netfilter Module fc5227bc12664995a805ab67986dabe9/Screenshot_from_2022-02-20_23-19-45.png -------------------------------------------------------------------------------- /Linux Kernel Netfilter Module 
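fc5227bc12664995a805ab67986dabe9/Screenshot_from_2022-02-21_12-57-08.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ashcode028/Reconnaissance-Detection/HEAD/Linux Kernel Netfilter Module fc5227bc12664995a805ab67986dabe9/Screenshot_from_2022-02-21_12-57-08.png
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
obj-m :=LKM.o
LKM-objs += simple_netfilter_LKM.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
	rm -r -f *.mod.c .*.cmd *.symvers *.o
	insmod LKM.ko
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
	rmmod LKM.ko
--------------------------------------------------------------------------------
/Test-Script.sh:
--------------------------------------------------------------------------------
#!/bin/bash

echo "ACK SCAN"
nmap -sA 172.16.12.131
echo "XMAS SCAN"
nmap -sX 172.16.12.131
echo "FIN SCAN"
nmap -sF 172.16.12.131
echo "SYN SCAN"
nmap -sS 172.16.12.131
echo "NULL SCAN"
nmap -sN 172.16.12.131

wait
echo "All scans done"
--------------------------------------------------------------------------------
/simple_netfilter_LKM.c:
--------------------------------------------------------------------------------
/*
 * simple_netfilter_LKM.c - Netfilter PRE_ROUTING hook that classifies
 * inbound IPv4 TCP packets by their flag combination, logs the scan type
 * and drops them.  Non-DNS UDP and every other IP protocol are dropped
 * as well.
 *
 * NOTE(review): the header names on the original #include lines were
 * lost in extraction; the list below is reconstructed from the symbols
 * this file uses.
 */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <net/ip.h>
#include <net/net_namespace.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Ashita");
MODULE_DESCRIPTION("Netfilter hook that logs and drops nmap-style TCP scan probes");

/* The only UDP destination port that is let through (DNS). */
#define ALLOWED_UDP_PORT 53

/* Bit positions used by tcp_flag_bits() for the six classic TCP flags. */
enum {
	FLAG_FIN = 0x01,
	FLAG_SYN = 0x02,
	FLAG_RST = 0x04,
	FLAG_PSH = 0x08,
	FLAG_ACK = 0x10,
	FLAG_URG = 0x20,
};

/* Hook registration; allocated in LKM_init(), freed in LKM_exit(). */
static struct nf_hook_ops *nfho;

/*
 * tcp_flag_bits() - pack the six flag bitfields of a TCP header into one
 * byte so a flag combination can be compared with a single equality test.
 */
static u8 tcp_flag_bits(const struct tcphdr *th)
{
	u8 flags = 0;

	if (th->fin)
		flags |= FLAG_FIN;
	if (th->syn)
		flags |= FLAG_SYN;
	if (th->rst)
		flags |= FLAG_RST;
	if (th->psh)
		flags |= FLAG_PSH;
	if (th->ack)
		flags |= FLAG_ACK;
	if (th->urg)
		flags |= FLAG_URG;
	return flags;
}

/*
 * classify_tcp_scan() - map a flag combination to a scan name.
 * @flags: packed flag bits from tcp_flag_bits().
 *
 * Each signature requires exactly that set of flags and no others, so the
 * five cases are mutually exclusive and their order does not matter.
 * Returns NULL when the combination is not one of the five signatures.
 */
static const char *classify_tcp_scan(u8 flags)
{
	switch (flags) {
	case FLAG_SYN:
		return "SYN";
	case 0:
		return "NULL";
	case FLAG_ACK:
		return "ACK/Window";
	case FLAG_FIN:
		return "FIN";
	case FLAG_FIN | FLAG_PSH | FLAG_URG:
		return "XMAS";
	default:
		return NULL;
	}
}

/**
 * hfunc() - PRE_ROUTING hook: classify, log and drop scan probes.
 * @priv: unused.
 * @skb: the received packet.
 * @state: hook state, unused.
 *
 * Verdicts:
 *  - NF_ACCEPT for a NULL skb and for non-first IP fragments (they carry
 *    no transport header to inspect);
 *  - TCP: NF_DROP when the six flag bits match one of the five scan
 *    signatures (logged first), NF_ACCEPT otherwise; a packet too short
 *    to hold a TCP header is dropped as malformed;
 *  - UDP: NF_ACCEPT only when the destination port is 53. Replies to
 *    this host's own DNS lookups arrive at an ephemeral destination port
 *    and are therefore dropped too;
 *  - everything else (other UDP ports, ICMP, any other protocol): NF_DROP.
 *
 * Log lines are driven by unauthenticated network input, so they are
 * rate limited to keep a scan from flooding the kernel log.
 *
 * NOTE(review): a lone SYN is also how every legitimate TCP connection
 * opens, and a lone ACK is the normal acknowledgement inside an
 * established connection, so the SYN and ACK rules block ordinary inbound
 * TCP, not only scans. This is acceptable for a lab demonstration; do not
 * load the module on a host that must stay reachable.
 */
static unsigned int hfunc(void *priv, struct sk_buff *skb,
			  const struct nf_hook_state *state)
{
	const struct iphdr *iph;
	unsigned int thoff;

	if (!skb)
		return NF_ACCEPT;

	iph = ip_hdr(skb);

	/*
	 * A non-first fragment holds payload right after the IP header, so
	 * reading "flags" from it would be meaningless.
	 */
	if (ntohs(iph->frag_off) & IP_OFFSET)
		return NF_ACCEPT;

	/* The transport header follows the (possibly option-bearing) IP header. */
	thoff = skb_network_offset(skb) + iph->ihl * 4;

	if (iph->protocol == IPPROTO_TCP) {
		struct tcphdr _th;
		const struct tcphdr *th;
		const char *scan;

		/*
		 * Copies the header out of a non-linear skb when needed;
		 * NULL means the packet is too short for a TCP header.
		 */
		th = skb_header_pointer(skb, thoff, sizeof(_th), &_th);
		if (!th)
			return NF_DROP;

		scan = classify_tcp_scan(tcp_flag_bits(th));
		if (scan) {
			pr_info_ratelimited("%s Scan detected! Src IP: %pI4 \n",
					    scan, &iph->saddr);
			return NF_DROP;
		}
		return NF_ACCEPT;
	}

	if (iph->protocol == IPPROTO_UDP) {
		struct udphdr _uh;
		const struct udphdr *uh;

		pr_info_ratelimited("UDP packet detected!\n");

		uh = skb_header_pointer(skb, thoff, sizeof(_uh), &_uh);
		if (uh && ntohs(uh->dest) == ALLOWED_UDP_PORT)
			return NF_ACCEPT;
	}

	/* Every other kind of traffic is dropped, silently. */
	return NF_DROP;
}

/*
 * LKM_init() - allocate and register the PRE_ROUTING hook.
 *
 * Returns 0 on success, -ENOMEM when the hook_ops cannot be allocated,
 * or the error from nf_register_net_hook(); nothing is left allocated
 * on failure.
 */
static int __init LKM_init(void)
{
	int ret;

	nfho = kcalloc(1, sizeof(*nfho), GFP_KERNEL);
	if (!nfho)
		return -ENOMEM;

	nfho->hook = hfunc;                  /* signature matches nf_hookfn, no cast needed */
	nfho->hooknum = NF_INET_PRE_ROUTING; /* every received packet, before routing */
	nfho->pf = NFPROTO_IPV4;             /* IPv4 only: hfunc assumes an IPv4 header */
	nfho->priority = NF_IP_PRI_FIRST;    /* runs before any other PRE_ROUTING hook */

	/* Only the initial network namespace is hooked. */
	ret = nf_register_net_hook(&init_net, nfho);
	if (ret) {
		kfree(nfho);
		nfho = NULL;
	}
	return ret;
}

/* LKM_exit() - unregister the hook and release its hook_ops. */
static void __exit LKM_exit(void)
{
	nf_unregister_net_hook(&init_net, nfho);
	kfree(nfho);
	nfho = NULL;
}

module_init(LKM_init);
module_exit(LKM_exit);
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Linux Kernel Netfilter Module 2 | 3 | A loadable kernel firewall module that can detect specific packets and drop them. 4 | More specifically, using netfilter framework hook functions 5 | (kernel call back functions) that user modules could access and obtain the detail of 6 | packets. 7 | 8 | ## Working 9 | On VM1, use the network reconnaissance tool nmap that sends crafted 10 | reconnaissance packets to the VM2 (e.g. TCP half-open scan packets, TCP connect 11 | packets, UDP packets etc.).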
So, install nmap in VM1 12 | 13 | On VM2, load the kernel module that uses the Netfilter hook 14 | functions to obtain packets and identify the three reconnaissance scans, e.g. the TCP half open 15 | scan sends only a single TCP SYN packet, expecting a SYN/ACK, RST or at worst no 16 | response. Once identified, it logs these detections into syslog. 17 | 18 | 22 | 23 | ## Step 1 : Update the kernel and then install headers 24 | 25 | >> `pacman -SyU` 26 | 27 | >> `pacman -Sy linux linux-headers` 28 | 29 | ## Step 2 : Module Usage 30 | 31 | Get the script from this repo. 32 | 33 | **simple_netfilter_LKM.c** file contains the script. 34 | 35 | >>`git clone [https://github.com/ashcode028/LKM-Reconnaissance-Detection](https://github.com/ashcode028/LKM-Reconnaissance-Detection)` or download the zip file attached. 36 | 37 | >>`cd LKM-Reconnaissance-Detection/` 38 | 39 | >> `make` 40 | 41 | Here, the Makefile by default runs the `insmod` command. So, before running `make` again, run `make clean`. 42 | 43 | ### About the module 44 | 45 | 51 | 52 | This kernel module intercepts TCP packets and logs the detected scan type using ***printk()***. In each TCP packet, we parse the flag bits set in the TCP header using netfilter hook functions, then detect the type of scan based on them. Once a recon packet is detected, it is dropped. If a UDP packet is detected, it is accepted only if it is destined to port 53, otherwise it is dropped. Packets dropped without matching a scan signature are not logged. 53 | 54 | Supported scans/ recon packets are 55 | 56 | 1. SYN scan: only syn flag set 57 | 2. FIN scan: only fin flag set 58 | 3. XMAS scan: fin,urg and psh set 59 | 4. NULL scan: all flag bits unset 60 | 5. 
ACK/Window scan: only ack bit set 61 | 62 | Once you load the module using `insmod LKM.ko`, the output of `dmesg | tail` looks like this: 63 | 64 | ![Screenshot from 2022-02-20 20-15-55.png](Linux%20Kernel%20Netfilter%20Module%20fc5227bc12664995a805ab67986dabe9/Screenshot_from_2022-02-20_20-15-55.png) 65 | 66 | Even if the verification fails, don't worry; you can proceed to the next steps. 67 | 68 | ## Step 3: Running Test scripts 69 | 70 | >> These steps are run on another (pen-testing) machine. 71 | 72 | >> To check individual scans, the generic command is `nmap <scan-option> <target-ip>` 73 | 74 | ### Sample output 75 | 76 | For example, XMAS scan `nmap -sX 172.12.16.131` 77 | 78 | Check the system logs in the machine using `dmesg` after each scan. 79 | 80 | ![Screenshot from 2022-02-20 23-19-45.png](Linux%20Kernel%20Netfilter%20Module%20fc5227bc12664995a805ab67986dabe9/Screenshot_from_2022-02-20_23-19-45.png) 81 | 82 | >> To run all scans at once, use `./Test-Script.sh` 83 | 84 | ![Screenshot from 2022-02-21 12-57-08.png](Linux%20Kernel%20Netfilter%20Module%20fc5227bc12664995a805ab67986dabe9/Screenshot_from_2022-02-21_12-57-08.png) 85 | 86 | ### Resources used: 87 | 88 | [https://github.com/repalash/Detect-Nmap-scans](https://github.com/repalash/Detect-Nmap-scans) 89 | 90 | [https://infosecwriteups.com/linux-kernel-communication-part-1-netfilter-hooks-15c07a5a5c4e](https://infosecwriteups.com/linux-kernel-communication-part-1-netfilter-hooks-15c07a5a5c4e) 91 | 92 | [https://github.com/naman/netfilter-module](https://github.com/naman/netfilter-module) 93 | 94 | [https://stackoverflow.com/questions/39426783/netfilter-kernel-module-to-intercept-packets-and-log-them](https://stackoverflow.com/questions/39426783/netfilter-kernel-module-to-intercept-packets-and-log-them) 95 | 96 | [https://github.com/wangm8/Netfilter-Kernel-Module](https://github.com/wangm8/Netfilter-Kernel-Module) 97 | 98 | 
[https://tuxthink.blogspot.com/2021/04/loading-modules-automatically-on-boot.html](https://tuxthink.blogspot.com/2021/04/loading-modules-automatically-on-boot.html) 99 | 100 | [https://nmap.org/book/man-port-scanning-techniques.html](https://nmap.org/book/man-port-scanning-techniques.html) 101 | --------------------------------------------------------------------------------