Nmap Announce mailing list archives

nmap stealth FIN scan not detected by FW-1 V4.0?


From: "Frank W. Keeney" <FKeeney () hsa com>
Date: Thu, 27 May 1999 08:41:59 -0700

Olaf,

Back on 3/12/99 I sent out the article below. Can you try your scans
again using the tcpdump technique below?

I don't have access to a FW1 host with the same build number. I'm very
interested in your results since all my subsequent tests with later
patched versions have correctly logged the traffic.

FW1 behaves in a very predictable manner. I'm sure that PIX, Cisco
Firewall IOS and other firewalls do the same.

Fyodor,

What do you think about Firewall fingerprinting?

---- Original 3/12/99 Article ----

I've been messing around with nmap (on Linux) in my lab and I'm able to
port scan a Checkpoint Firewall 1 (NT Server sp4, fw1 3.0b no patches
applied) without being logged. Unfortunately nmap "incorrectly" reports
all the scanned ports open. I only know which ports are open by using
tcpdump or a sniffer. 

Here are my command lines:

Nmap:

x.x.x.x is the attacked host.

nmap -sF -f -n -P0 -vv -p 20-25,250-270,5900 x.x.x.x

Scans -sF, -sX, -sN in combination with -f are not logged on fw1. Scans
with -sS -f are logged.

The program says that -sN is only for UNIX but it works great here.

I run tcpdump -n -vv src host x.x.x.x on a third host.

I run the above and immediately tcpdump reports:

x.x.x.x.5900 > (nmap host).xxxx ack    (abbreviated)
x.x.x.x.256 > (nmap host).xxxx ack
x.x.x.x.257 > (nmap host).xxxx ack
x.x.x.x.258 > (nmap host).xxxx ack
x.x.x.x.259 > (nmap host).xxxx ack

On the firewall ports 256-259 and 5900 are open. The response in tcpdump
is 100%!

Sniffer reports RST,ACK pair set in response.

After 30 seconds or so tcpdump receives an ICMP type 11 code 1 packet
(Fragment Reassembly Time Exceeded) from the firewall for each port
scanned.

NOTHING is logged on the firewall!



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frank Keeney, Network Services, Home Savings of America
+1 626-814-5080 mailto:fkeeney () hsa com / mailto:frank () pasadena net
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


        ----------
        From:  Olaf Selke [SMTP:Olaf.Selke () mediaWays net]
        Sent:  Thursday, May 27, 1999 3:39 AM
        To:  fw-1-mailinglist () lists us checkpoint com
        Cc:  nmap-hackers () insecure org; spitzner () dimension net
        Subject:  nmap stealth FIN scan not detected by FW-1 V4.0?

        platform:
        FireWall-1 V4.0 Build 4037 VPN+DES, Solaris 2.6
        nmap V2.12, Linux kernel 2.0.34


        Today I did some nmap Stealth FIN scans (nmap -sF) against FireWall-1
        V4.0 protected systems. The FIN scan uses a **** surprise FIN packet
        as the probe.
        foo@bar:/tmp > nmap -sF -P0 -p1-100 193.189.XXX.YYY

        I was not able to get any logging from the firewall software
        when sending these probes to protected systems. Neither directly
        with 'fw log' nor in the exported logfile generated with 'fw
        logexport' did I find any clue.
        The FIN packets are handled by the FW software correctly according to
        the rule set, so the systems behind the firewall should be secure.
        Nevertheless, an intruder could scan protected networks without the
        risk of being detected.

        What went wrong? Am I missing something or does FW-1 V4.0 really not
        log surprise FIN packets?
        I would rather prefer the idea that I'm wrong ;-)


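Both messages above describe the same gap from the defender's side: probes that carry neither SYN nor ACK (FIN, NULL, Xmas) and probes split into small fragments reached the firewall without a log entry. The following is an added example, not code from this thread, from nmap or from Check Point: a small classifier that tags exactly those packet patterns so a monitoring host (the "third host" running tcpdump in the first message) can record what the firewall did not. Packet records, addresses and the 8-byte fragment size are constructed here to mimic the traffic described; the 14-byte threshold is the point in a TCP header after which the flags byte is present, and the tiny-fragment check is my assumption about how such probes look on the wire, not something the thread states.

```python
"""Tag stealth-scan probe patterns that a logging firewall should record.

Added example for the FIN-scan thread; sample packets are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits as laid out in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HEADER_LEN = 20      # minimum TCP header length in bytes
FLAGS_REACHABLE = 14     # a first fragment needs at least this many bytes to carry the flags byte


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: Optional[int]      # None when the fragment is too short to contain the flags byte
    ip_id: int = 0
    frag_offset: int = 0      # in 8-byte units, as in the IP header
    more_frags: bool = False
    payload_len: int = TCP_HEADER_LEN  # bytes of transport data carried in this fragment


def probe_kind(flags: int) -> Optional[str]:
    """Name the stealth-scan flag pattern, or None for ordinary traffic.

    Any segment carrying SYN or ACK belongs to connection setup or an
    established flow; the probes discussed in the thread carry neither.
    """
    if flags & (SYN | ACK):
        return None
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "Xmas"
    if flags & RST:
        return None          # a bare RST is a normal abort, not a probe
    return "odd-flags"       # any other SYN-less, ACK-less combination


def classify(packets: List[Packet]) -> List[str]:
    """Return one alert line per packet a logging firewall should have recorded."""
    alerts = []
    for p in packets:
        # A first fragment too short to hold a full TCP header defeats header
        # inspection unless the firewall reassembles before filtering.
        if p.frag_offset == 0 and p.more_frags and p.payload_len < TCP_HEADER_LEN:
            alerts.append(f"tiny first fragment {p.src}->{p.dst}:{p.dport} "
                          f"id={p.ip_id} ({p.payload_len} bytes, TCP header incomplete)")
        # Flags live only in a first fragment long enough to include byte 13.
        if p.frag_offset != 0 or p.flags is None or p.payload_len < FLAGS_REACHABLE:
            continue
        kind = probe_kind(p.flags)
        if kind:
            alerts.append(f"{kind} probe {p.src}->{p.dst}:{p.dport}")
    return alerts


# Constructed sample traffic (not a capture): a FIN probe, a FIN probe sent
# as three 8-byte fragments, an Xmas probe and one ordinary SYN.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.1", 256, FIN, ip_id=1),
    Packet("10.0.0.5", "10.0.0.1", 257, None, ip_id=2, more_frags=True, payload_len=8),
    Packet("10.0.0.5", "10.0.0.1", 257, None, ip_id=2, frag_offset=1, more_frags=True, payload_len=8),
    Packet("10.0.0.5", "10.0.0.1", 257, None, ip_id=2, frag_offset=2, payload_len=8),
    Packet("10.0.0.5", "10.0.0.1", 5900, FIN | PSH | URG, ip_id=3),
    Packet("10.0.0.5", "10.0.0.1", 80, SYN, ip_id=4),
]

if __name__ == "__main__":
    for line in classify(SAMPLE):
        print(line)
```

On a live monitoring host the same first-pass selection can be done in tcpdump's filter language before anything reaches a script: `tcp[tcpflags] & (tcp-syn|tcp-ack) == 0` selects the SYN-less, ACK-less probes, and `ip[6:2] & 0x3fff != 0` selects every IP fragment (non-zero offset or MF bit set); these two filters are my addition, not part of the thread.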