Re: Nmap, Firewall Testing, Idlescan?

[James Goodman <j_goodman00 () yahoo co uk>]

Yup, thats what I thought, but that is exactly whats
happening.
 
If I try this internally on our network the packets
fool the firewall, but as soon as I try probing one of
our remote routers with another remote machine it
seems to log the non-zombie machine. I wonder if the
ISP is somehow blocking this kind of scan?


 --- david kuhlman <david.kuhlman () gmail com> wrote: 
> That doesn't seem to make much sense.  At first
> glance, I would guess
> the Idlescan isn't working because the zombie you
> are trying to use
> doesn't have easily guessable sequence numbers.  But
> nmap shouldn't be
> sending out packets straight to 1.2.5.1 if 1.2.4.1
> isn't a good
> zombie.  Look at this for more info on seq number
> attacks 
> http://lcamtuf.coredump.cx/newtcp/
>
> David
>
>
> On Wed, 02 Feb 2005 14:22:27 -0800 (PST),
> j_goodman00 () yahoo co uk
> <j_goodman00 () yahoo co uk> wrote:
> > Hi,
> >
> > I have a couple of routers at various sites which
> include firewalls & I would like to use nmap to test
> them.
> > I have been experimenting with idlescans in an
> attempt to fool the firewall, but have been
> unsuccessful & am unsure if this is the firewall
> working, or me failing! :)
> > I am attempting to 'bounce' the scans off another
> computer of mine on a different connection:
> > e.g.
> > MyIP is 1.2.3.1
> > BounceIP is 1.2.4.1
> > TargetIP is 1.2.5.1
> > nmap -T5 -v -P0 -sI 1.2.4.1 1.2.5.1
> >
> > When I look at the firewall logs they show logs
> along the lines of the following:
> > Source 1.2.3.1 Destination:1.2.5.1
> >
> > Does this mean the firewall is working &
> successfully filtering the spoofed IP packets, or am
> I doing something wrong?
> > Cheers,
> >
> > James
>  


        
        
                
___________________________________________________________ 
ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com