Nmap Announce mailing list archives
RE: firewalk meets nmap - TTL
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Fri, 3 Nov 2000 09:24:53 +0200
Lance,

Some firewalls monitor for low TTL field values and will drop your packet. If there are some which will generate the ICMP time exceeded error message (and it is the firewall here generating the message), in my opinion it is a mistake, because it will reveal the firewall itself.

I have more to this one. In Blackhat 2K in Amsterdam I was talking about the ability to identify the Operating System one firewall might run on top of because of the ICMP error messages it might generate, or the spoofed answers the firewall generates instead of its protected machines.

If you have a trace I would like to have a look :P

Ofir Arkin [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com
Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily represent the views of my employer."

-----Original Message-----
From: Lance Spitzner [mailto:lance () spitzner net]
Sent: Friday, November 03, 2000 7:01 AM
To: nmap-hackers () insecure org
Subject: firewalk meets nmap - TTL

I'm not sure if anyone has thought of this, but this would be a REALLY cool feature for auditing firewall rulebases. Say you want to determine what ports a firewall allows through, what ports are NOT filtered. Have the option with nmap to set the TTL on the packets it sends. I set the TTL to be the same as the number of hops to the firewall I am scanning.

If the packet is filtered by the firewall, then it is dropped and nothing is sent back. However, if the packet is accepted by the firewall (and the port is not filtered), the firewall will attempt to forward it. However, the TTL will now be zero and the firewall will respond with an ICMP TTL expired error message. You can now map what ports are passed through the firewall (i.e. not filtered) without a packet ever passing through the firewall.

firewalk meets nmap

thoughts?
--
Lance Spitzner
http://www.enteract.com/~lspitz

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
--------------------------------------------------
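The exchange discussed above, modelled from the defender's side as an added example that is not part of the original thread: a firewall that either answers permitted-but-expiring probes with ICMP time exceeded or silently drops them (the mistake Ofir points out versus the quiet alternative), the port map such probing yields in each case, and a check that flags sources sweeping many ports with packets set to expire exactly on the firewall. The hop count, the allowed-port rulebase and the observed records are all constructed values.

```python
from collections import defaultdict

# Constructed scenario: the probing host is 4 hops from the firewall, whose
# hypothetical rulebase permits only these destination ports through.
HOPS_TO_FIREWALL = 4
ALLOWED_PORTS = {25, 80, 443}


def firewall_response(dst_port, ttl, allowed=ALLOWED_PORTS, send_time_exceeded=True):
    """Outcome of one probe as seen by the sender.

    Each of the HOPS_TO_FIREWALL - 1 routers in front of the firewall
    decrements TTL once; the firewall decrements it again before forwarding,
    so a probe sent with ttl == HOPS_TO_FIREWALL reaches zero on the firewall.
    """
    ttl_at_firewall = ttl - (HOPS_TO_FIREWALL - 1)
    if ttl_at_firewall <= 0:
        return "expired-before-firewall"      # an upstream router answered instead
    if dst_port not in allowed:
        return None                           # filtered: silently dropped
    if ttl_at_firewall == 1:
        # Permitted but not forwardable.  Replying reveals both the rule and
        # the firewall itself; dropping quietly reveals neither.
        return "icmp-time-exceeded" if send_time_exceeded else None
    return "forwarded"


def map_allowed_ports(ports, send_time_exceeded=True):
    """What the thread's TTL trick learns: every probed port that draws a
    time-exceeded reply from the firewall is a port the rulebase permits."""
    return {p for p in ports
            if firewall_response(p, HOPS_TO_FIREWALL, send_time_exceeded=send_time_exceeded)
            == "icmp-time-exceeded"}


def detect_ttl_sweeps(observed, min_ports=5):
    """Detection on the firewall: from (src, dst_port, ttl_at_firewall) records,
    flag sources probing many distinct ports with packets that would expire
    exactly here (ttl_at_firewall == 1).  Returns {src: distinct_port_count}."""
    ports_by_src = defaultdict(set)
    for src, dst_port, ttl_at_fw in observed:
        if ttl_at_fw == 1:
            ports_by_src[src].add(dst_port)
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    probes = [22, 25, 80, 443, 8080]
    print(map_allowed_ports(probes))                            # {25, 80, 443}
    print(map_allowed_ports(probes, send_time_exceeded=False))  # set(): nothing leaks
    records = [("198.51.100.7", p, 1) for p in (21, 22, 25, 80, 443, 8080)] + [("203.0.113.9", 80, 60)]
    print(detect_ttl_sweeps(records))                           # {'198.51.100.7': 6}
```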
Current thread:
- firewalk meets nmap - TTL Lance Spitzner (Nov 03)
- RE: firewalk meets nmap - TTL Ofir Arkin (Nov 03)
- RE: firewalk meets nmap - TTL (tested) Lance Spitzner (Nov 04)
- RE: firewalk meets nmap - TTL (tested) Ofir Arkin (Nov 04)
- RE: firewalk meets nmap - TTL (tested) Lance Spitzner (Nov 04)
- Re: firewalk meets nmap - TTL Fyodor (Nov 05)
- Re: firewalk meets nmap - TTL Mikael Olsson (Nov 08)
- RE: firewalk meets nmap - TTL Ofir Arkin (Nov 03)