Nmap Announce mailing list archives

Re: Firewalled Flooding


From: Fyodor <fyodor () dhp com>
Date: Sun, 21 Nov 1999 04:20:22 -0500 (EST)


On Fri, 5 Nov 1999, phantom rewt wrote:

> Question: Can I use nmap to scan ONLY open ports and ignore the filtered
> ones? Is there such an option?

An option to only scan the open ports?  If Nmap knew which ports were open
then there wouldn't be much point in scanning :).

Seriously though -- I agree that Nmap does take too long to scan some
heavily filtered hosts.  The root of the problem is that when hosts don't
give *any* type of response to the scan, Nmap does not know whether it is
safe to speed up.  And it has to perform more retransmissions to account
for the possibility that the probe packet was dropped on the network by a
congested router rather than intentionally by a firewall.

That being said, there are *some* optimisations I can do to speed up these
types of scans.  I have released 2.3BETA8 which makes major strides in
this area (but keep in mind it will still be much slower than scanning
unfirewalled hosts).  See http://www.insecure.org/nmap/ .

Here are the changes for BETA8:

-- Added "firewall mode" timing optimizations which can decrease the
   amount of time necessary to SYN or connect scan some heavily
   filtered hosts.

-- Added min_rtt_timeout timing option (see man page for details)

-- Changed "TCP Ping" to use a random ACK value rather than 0 (an IDS
   called Snort was using this to detect Nmap TCP Pings).

-- Some changes for better Alpha/Linux support based on investigation
   by Bill Beers <wbeers () carolina rr com>

-- Applied changes for FDDI support by Tobias J. Nijweide <tobias () mesa nl>

-- Applied a socket binding patch from LaMont Jones
   <lamont () security hp com>
   which can be useful when using -S to specify one of multiple interfaces
   on a machine.

-- Made OS detection smart enough to first check scan results for a known
   closed port instead of immediately resorting to a random one.  This
   improves OS detection against some machines behind packet
   filters. (suggested by van Hauser)

-- Applied a shortcut suggestion by Thomas Reinke which can lead to
   a tremendous speedup against some firewalled hosts.

-- Added some ports commonly used for RPC to nmap-services

-- Fixed a problem with the timing of an RPC scan (could come before
   the UDP scans they rely on)

-- Added a number of new ports to nmap-services

Note that this version does not include new fingerprints -- I haven't had
a chance to integrate them in yet.

By the way, does anyone know of a fast HTTP Basic Auth cracker for UNIX?
I've seen ADM's http-crack and ADMw3pass, but I am looking for something
faster.  It would be nice if it did sshd as well :).  I'll write my own if
I have to, but I wanted to see what you guys are using first.

Cheers,
Fyodor


--
Fyodor                            'finger pgp () pgp insecure org | pgp -fka'
Frustrated by firewalls?          Try nmap: http://www.insecure.org/nmap/
"The percentage of users running Windows NT Workstation 4.0 whose PCs
 stopped working more than once a month was less than half that of Windows 
 95 users."-- microsoft.com/ntworkstation/overview/Reliability/Highest.asp
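The slowdown Fyodor describes above (a host that silently drops probes gives the scanner no RTT samples, so every probe waits out the full timeout and gets retransmitted) can be illustrated with a small timing model. The following is an added example written for this archive page; it is not Nmap's timing code and makes no claim about how 2.3BETA8 implements "firewall mode". It uses a TCP-style smoothed-RTT estimator, a retransmission limit, and a timeout floor named min_rtt_timeout after the option mentioned in the message (the floor semantics are an assumption here). The port/RTT tables are constructed inputs.

```python
"""Simplified model of scan timing against responsive vs. silently filtered ports.

Added illustration, not Nmap's own timing code. Assumptions:
  - one probe per port per attempt, at most max_retries retransmissions
  - the per-probe timeout is a TCP-style estimate (srtt + 4*rttvar) floored at
    min_rtt_timeout, so it can only shrink once the host has answered something
  - a port with rtt=None never answers (silently dropped by a packet filter)
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class TimingState:
    srtt: Optional[float] = None   # smoothed RTT, None until the first reply
    rttvar: float = 0.0            # RTT variance estimate
    timeout: float = 1.0           # current per-probe timeout in seconds


def update_rtt(state: TimingState, sample: float, min_rtt_timeout: float) -> None:
    """Van Jacobson style smoothing, the same shape TCP uses for its RTO."""
    if state.srtt is None:
        state.srtt = sample
        state.rttvar = sample / 2
    else:
        state.rttvar = 0.75 * state.rttvar + 0.25 * abs(state.srtt - sample)
        state.srtt = 0.875 * state.srtt + 0.125 * sample
    # The floor keeps a fast LAN reply from driving the timeout so low that
    # slightly delayed replies are missed and counted as drops.
    state.timeout = max(min_rtt_timeout, state.srtt + 4 * state.rttvar)


def simulate_scan(ports: Dict[int, Optional[float]],
                  min_rtt_timeout: float = 0.1,
                  max_retries: int = 2,
                  initial_timeout: float = 1.0) -> Tuple[float, int, Dict[int, str]]:
    """ports maps port -> reply RTT in seconds, or None if the probe is dropped.

    Returns (elapsed_seconds, probes_sent, verdict per port)."""
    state = TimingState(timeout=initial_timeout)
    elapsed = 0.0
    probes = 0
    verdicts: Dict[int, str] = {}
    for port, rtt in ports.items():
        verdict = "filtered"
        for _attempt in range(max_retries + 1):
            probes += 1
            if rtt is not None and rtt <= state.timeout:
                elapsed += rtt                       # reply arrived in time
                update_rtt(state, rtt, min_rtt_timeout)
                verdict = "responded"
                break
            elapsed += state.timeout                 # waited out the full timeout
        verdicts[port] = verdict
    return round(elapsed, 3), probes, verdicts


# Constructed inputs: ten ports on a LAN host (50 ms RTT), the same host with
# one silently filtered port in the middle, and a host that drops everything.
RESPONSIVE = {p: 0.05 for p in range(1, 11)}
MIXED = {p: (None if p == 6 else 0.05) for p in range(1, 11)}
SILENT = {p: None for p in range(1, 11)}


def compare() -> Dict[str, float]:
    """Elapsed seconds for each scenario, plus MIXED with a higher timeout floor."""
    return {
        "responsive": simulate_scan(RESPONSIVE)[0],
        "mixed": simulate_scan(MIXED)[0],
        "silent": simulate_scan(SILENT)[0],
        "mixed_high_floor": simulate_scan(MIXED, min_rtt_timeout=0.5)[0],
    }


if __name__ == "__main__":
    for name, seconds in compare().items():
        print(f"{name:18s} {seconds:6.2f} s")
```

Run it and the three cases line up with the message's explanation: the responsive host gives the estimator samples right away, so its one filtered port costs three probes at the 0.1 s floor; the fully silent host never yields a sample, so all thirty probes wait out the initial 1 s timeout. Raising min_rtt_timeout trades scan speed for tolerance of late replies, which is why it is a tunable rather than a fixed constant.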




