Re: firewalk meets nmap - TTL

[Mikael Olsson <mikael.olsson () enternet se>]

Hmmm.. Already replied to this on fw-wiz, but I suppose
people here could benefit from it aswell.

Lance Spitzner wrote:
> I sent this off to the nmap-list, was wondering what
> all the firewall weenies on board here thought. :0

Hah. Try that through our contrapments and all you'll
get is a "DROP: TTL too low" entry in the logs >:]

On the other hand, it may very well be very effective
against plenty of firewalls out there, based on what 
I've seen. People tend to do filtering FIRST and then
pass it to "route_ip()" or whatever, which does the
actual TTL decrement and check.

About a year ago, I talked to a couple of pen-testers 
about firewalk being able to detect hosts directly 
behind firewalls this way. One interesting side effect 
is that the firewall will have carried out address 
translation before passing it to the routing section, 
so the ICMP unreachable data passed back might contain 
private IPs.

If memory serves me, I think they said there was
some talk about this sort of firewalking on
defcon'99 (but don't take my word for it).

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson () enternet se

On bosses and technology: "There are bosses who don't know, and there 
are bosses who don't know that they don't know" /Anonymous techie

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).