Nmap Announce mailing list archives
nmap stealth FIN scan not detected by FW-1 V4.0?
From: "Frank W. Keeney" <FKeeney () hsa com>
Date: Thu, 27 May 1999 08:41:59 -0700
Olaf,

Back on 3/12/99 I sent out the article below. Can you try your scans again using the tcpdump technique below? I don't have access to a FW1 host with the same build number. I'm very interested in your results since all my subsequent tests with later patched versions have correctly logged the traffic. FW1 behaves in a very predictable manner. I'm sure that PIX, Cisco Firewall IOS and other firewalls do the same.

Fyodor,

What do you think about firewall fingerprinting?

---- Original 3/12/99 Article ----

I've been messing around with nmap (on Linux) in my lab and I'm able to port scan a Checkpoint Firewall 1 (NT Server sp4, fw1 3.0b, no patches applied) without being logged. Unfortunately nmap "incorrectly" reports all the scanned ports open. I only know which ports are open by using tcpdump or a sniffer.

Here are my command lines:

Nmap (x.x.x.x is the attacked host):

    nmap -sF -f -n -P0 -vv -p 20-25,250-270,5900 x.x.x.x

Scans -sF, -sX, -sN in combination with -f are not logged on fw1. Scans with -sS -f are logged. The program says that -sN is only for UNIX but it works great here.

On a third host I run:

    tcpdump -n -vv src host x.x.x.x

I run the above and immediately tcpdump reports (abbreviated):

    x.x.x.x.5900 > (nmap host).xxxx ack
    x.x.x.x.256 > (nmap host).xxxx ack
    x.x.x.x.257 > (nmap host).xxxx ack
    x.x.x.x.258 > (nmap host).xxxx ack
    x.x.x.x.259 > (nmap host).xxxx ack

On the firewall ports 256-259 and 5900 are open. The response in tcpdump is 100%! Sniffer reports RST,ACK pair set in response. After 30 seconds or so tcpdump receives an ICMP type 11 code 1 packet (Fragment Reassembly Time Exceeded) from the firewall for each port scanned. NOTHING is logged on the firewall!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frank Keeney, Network Services, Home Savings of America
+1 626-814-5080
mailto:fkeeney () hsa com / mailto:frank () pasadena net
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

----------
From: Olaf Selke [SMTP:Olaf.Selke () mediaWays net]
Sent: Thursday, May 27, 1999 3:39 AM
To: fw-1-mailinglist () lists us checkpoint com
Cc: nmap-hackers () insecure org; spitzner () dimension net
Subject: nmap stealth FIN scan not detected by FW-1 V4.0?

platform: FireWall-1 V4.0 Build 4037 VPN+DES, Solaris 2.6
nmap V2.12, Linux kernel 2.0.34

Today I did some nmap Stealth FIN scans (nmap -sF) against FireWall-1 V4.0 protected systems. The FIN scan uses a **** surprise FIN packet as the probe.

    foo@bar:/tmp > nmap -sF -P0 -p1-100 193.189.XXX.YYY

I was not able to get any logging from the firewall software when sending these probes to protected systems. I found no clue either directly with 'fw log' or in the exported logfile generated with 'fw logexport'. The FIN packets are handled by the FW software correctly according to the rule set, so the systems behind the firewall should be secure. Nevertheless, an intruder could scan protected networks without the risk of being detected.

What went wrong? Am I missing something or does FW-1 V4.0 really not log surprise FIN packets? I would rather prefer the idea that I'm wrong ;-)
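The gap both posters describe is a firewall that enforces its rule set on FIN, Xmas and Null probes but writes no log entry for them, so the only evidence is a sniffer on a third host. The following is an added example (not from the thread, from nmap or from any firewall vendor) of the classification such a sniffer-side monitor would apply to raw IPv4/TCP packets, including the trailing fragments of an "-f" scan that carry no TCP header at all; all addresses and packets are constructed.

```python
"""Flag nmap-style stealth probes (FIN / Xmas / Null) in raw IPv4+TCP packets.
Added example, not part of the original thread; all packets are constructed."""
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_PROTO = 6


def classify(pkt: bytes):
    """'FIN'/'XMAS'/'NULL'/'ODD' for a stealth probe, 'FRAG' for a trailing
    fragment, None for ordinary traffic. Only the first fragment (offset 0)
    carries the TCP flags, so a filter that inspects whole segments only is
    blind to the '-f' scans described in the thread."""
    if len(pkt) < 20 or pkt[9] != TCP_PROTO:
        return None
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:   # non-zero fragment offset
        return "FRAG"
    flags = pkt[(pkt[0] & 0x0F) * 4 + 13] & 0x3F     # TCP flags byte
    if flags == 0:
        return "NULL"
    if flags & (SYN | ACK | RST):
        return None                    # handshake, data or teardown: normal
    if flags == FIN | PSH | URG:
        return "XMAS"
    return "FIN" if flags == FIN else "ODD"


def build(src: str, dport: int, flags: int, frag_offset: int = 0) -> bytes:
    """Construct a minimal 40-byte IPv4+TCP packet (test fixture only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag_offset, 64, TCP_PROTO,
                     0, bytes(map(int, src.split("."))), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp


def report(packets):
    """Count probes per (source, kind): the log lines the firewall never wrote."""
    hits = Counter()
    for pkt in packets:
        kind = classify(pkt)
        if kind:
            hits[(".".join(map(str, pkt[12:16])), kind)] += 1
    return hits


if __name__ == "__main__":
    sample = [build("10.0.0.1", p, FIN) for p in (20, 21, 22, 5900)]
    sample += [build("10.0.0.1", 256, FIN | PSH | URG), build("10.0.0.1", 257, 0),
               build("10.0.0.1", 80, SYN), build("10.0.0.1", 258, FIN, frag_offset=1)]
    for (src, kind), n in sorted(report(sample).items()):
        print(f"{src}: {n} {kind} probe(s)")
```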
Current thread:
- nmap stealth FIN scan not detected by FW-1 V4.0? Olaf Selke (May 27)
- <Possible follow-ups>
- nmap stealth FIN scan not detected by FW-1 V4.0? Frank W. Keeney (May 27)
- RE: nmap stealth FIN scan not detected by FW-1 V4.0? BIDOU Renaud (May 27)