Restricting Internal Scope

This page describes how to reduce, though not entirely eliminate, traffic from the implant to out-of-scope hosts and subnets during a network test. Some broadcast and multicast traffic can still reach those hosts. The iptables INPUT rule exists to stop Responder from interacting with excluded hosts that send unsolicited traffic.

Configure the Implant to ignore selected hosts/subnets

Process the scope into a form our tooling accepts. List hosts and ranges in separate files according to whether they are in scope, excluded, or on low-bandwidth network segments. Entries take one of the following forms:

  • 10.20.30.2
  • 10.10.10.0/24
  • 10.30.40.50-10.30.40.60

For this article, the following file naming conventions are used:

  • ./exclude.txt // Hosts excluded from the test
  • ./targets.txt // Hosts without access restrictions
  • ./low-band.txt // Any low-bandwidth hosts

Block inbound and outbound traffic with iptables

Configure iptables to drop all inbound and outbound traffic for those hosts/subnets.

iptables -L // List current rules
iptables -A OUTPUT -d 10.20.30.40 -j DROP // Drop all outbound traffic
iptables -A INPUT -s 10.20.30.40 -j DROP // Drop all incoming traffic (match on source address)
iptables -L // List current rules to confirm changes

For more information about using iptables, refer to Brad’s excellent documentation obsidian://open?vault=bhis_kb&file=Tools%2Fiptables

masscan

Masscan traffic is not filtered by iptables (it sends its own packets through a raw socket, bypassing the host's netfilter OUTPUT chain), so we need to run masscan with an exclude file. Configure masscan to exclude hosts:

masscan --rate=1000 --ping \
    -p 21,22,23,25,135,445,139,443,80,8080,10000,88,636,1433,3389 \
    -oG host_discovery.gnmap \
    -iL targets.txt \
    --excludefile exclude.txt

Nessus

Nessus is also not filtered by iptables. Configure Nessus to exclude specific hosts or ranges from a scan by editing the nessusd.rules file at /opt/nessus/etc/nessus/nessusd.rules

Exclude hosts from scans by adding entries as follows:

reject 10.20.30.40
reject 10.20.50.0-10.20.60.0
default accept

Nessus documentation about the Nessusd.rules file: https://community.tenable.com/s/article/What-is-the-Nessus-rules-file?language=en_US
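As an added example (not BHIS tooling, nor part of masscan or Nessus), a small Python script that reads the exclude file in the three entry formats listed at the top of this article and emits both the iptables DROP rules from the iptables section and the reject lines for the nessusd.rules section. It assumes the iptables iprange match extension is available, since plain -s/-d accept hosts and CIDRs but not start-end ranges.

```python
#!/usr/bin/env python3
"""Turn a scope file (one host, CIDR or start-end range per line, as
listed in this article) into iptables and nessusd.rules entries."""
import ipaddress
import sys

def parse_scope(lines):
    """Yield (kind, value) for each entry; malformed entries raise rather
    than silently shrinking the exclusion list."""
    for raw in lines:
        entry = raw.split("//", 1)[0].strip()  # tolerate trailing // notes
        if not entry:
            continue
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start is after its end: {entry}")
            yield ("range", f"{lo}-{hi}")
        elif "/" in entry:
            # strict=True: a CIDR with host bits set is ambiguous scope, so refuse it
            yield ("net", str(ipaddress.ip_network(entry, strict=True)))
        else:
            yield ("host", str(ipaddress.ip_address(entry)))

def iptables_rules(lines):
    """DROP both directions. OUTPUT matches the destination; INPUT matches the
    source, because unsolicited traffic from an excluded host (what Responder
    would answer) carries that host as its source address."""
    rules = []
    for kind, value in parse_scope(lines):
        if kind == "range":  # -s/-d take hosts and CIDRs only; ranges need the iprange match
            rules.append(f"iptables -A OUTPUT -m iprange --dst-range {value} -j DROP")
            rules.append(f"iptables -A INPUT -m iprange --src-range {value} -j DROP")
        else:
            rules.append(f"iptables -A OUTPUT -d {value} -j DROP")
            rules.append(f"iptables -A INPUT -s {value} -j DROP")
    return rules

def nessus_rules(lines):
    """reject lines for nessusd.rules, closed with the article's default accept."""
    return [f"reject {value}" for _, value in parse_scope(lines)] + ["default accept"]

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "exclude.txt"  # assumed file name
    with open(path) as fh:
        scope = fh.readlines()
    print("\n".join(iptables_rules(scope)))       # pipe into sh to apply
    print("\n".join(nessus_rules(scope)), file=sys.stderr)  # paste into nessusd.rules
```

Run it against exclude.txt before starting Responder, masscan or Nessus, then confirm with iptables -L that the generated rules are in place.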