Nmap Announce mailing list archives
Re: [PATCH] improvements and a new(?) type of scan
From: "L. Walker" <k_aneda () yahoo com>
Date: Thu, 23 May 2002 01:13:40 +1000 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 2 Apr 2002, Phil wrote:

> * A new(?) type of scan : Well, I've never seen any references to this
> technique nor have I heard anybody speaking about it, so I imagine I have
> the privilege to give it a name. I've chosen the TTL scan. (Please correct
> me if I'm wrong). This consists of sending packets as in a normal scan, but
> with a TTL small enough to only reach the gateway we want to firewalk. If
> this gateway sends ICMP time exceeded, it usually does so only for packets
> that could have gone through. Otherwise it drops the packet or sends an
> ICMP dest unreach.

Sorry I took forever to reply... had several problems - 1) internet account, stupid ISP... 2) Yahoo cut off my POP axs *boohoo*, now limited to using FetchYahoo... greets to whoever wrote that damn nice Perl script :)

The TTL scan that you refer to is used in a program called Firewalk (which does what it says), and also referred to in a white paper involving hping2, great little program IMHO. If the gateway will allow the packet you're sending (of course, you set the TTL so it expires on the gateway, whereas firewalk sets the TTL to expire 1 hop past the gateway/router I think), then you'll get back ICMP "TTL expired in transit". Hping2 example to follow. If it doesn't allow it, it'll either drop the packet (like most good routers) or send back ICMP 13 "Admin Prohibited".

Small example. Please give positive comments on me explaining techniques. Btw, if you have any other techniques for discovering ACLs, etc. please email me :)

Route:
10.x.x.1 - Us
10.x.x.2 - Router (Hop 1)
10.x.x.3 - Router (Hop 2)
10.x.x.4 - Host we're sending packets to (Hop 3)

Here we see if we can get a packet from us to 10.x.x.4, TCP, port 139:

k_aneda@myst:~/hk/logs$ hping 10.x.x.4 -n -p 139 -S -c 1
HPING 10.x.x.4 (eth0 10.x.x.1): S set, 40 headers + 0 data bytes

--- 10.x.x.4 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Timeout :P Let's see if the packet even made it through 10.x.x.3...

k_aneda@myst:~/hk/logs$ hping 10.x.x.4 -n -t 2 -p 139 -S -c 1
HPING 10.x.x.4 (eth0 10.x.x.1): S set, 40 headers + 0 data bytes

--- 10.x.x.4 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Obviously not. To the neophytes/newbies, yes, you could guess straight away that Hop 1 allows it... but you never know, could be your own machine blocking the packets :P Let's test Hop 1 now...

k_aneda@myst:~/hk/logs$ hping 10.x.x.4 -n -t 1 -p 139 -S -c 1
HPING 10.x.x.4 (eth0 10.x.x.1): S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=10.x.x.2

--- 10.x.x.4 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Well there we go. We now know a small bit of the ACL... yes, it could take forever to do an ACL, but that's what NMAP is for, and the wonderful patch that you've supplied. If I was a better coder I would have done it myself... :P

--
L. Walker
NOTICE: By spamming this account or scanning the IP address that this message was sent from, you consent to a free and unrestricted security audit.
--
If one wants to be a policeman, one must learn how to be a thief.
--
That's why we spend so much time trying to understand our own motivations and those of others. That's what makes life so interesting.
Kaji, Evangelion Ep 18
--
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE867WtBJ6saYuOFLgRAiZ2AJ9MnV0izLiG2JK5RpOnEvPL5mwFVACdHMcn
XjAV71Y7MaYLk1Pa5mCoXEk=
=LQyf
-----END PGP SIGNATURE-----
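The thread above describes the TTL scan from the prober's side: a packet whose TTL runs out exactly at the router of interest draws an ICMP time exceeded only if the router's ACL would have let it through. Seen from the router, the same technique has a clear shape that ordinary traceroute does not: the TTL stays fixed at the value that expires here while the destination port walks a list. The following script is an added example, not code from the thread, from hping or from Firewalk. It parses router log lines in a netfilter LOG-style key=value layout (the sample lines are constructed here, not captured anywhere) and flags sources that sent probes to many distinct ports that all expire at this hop. The function names, the `min_ports` threshold and the `expire_ttl` parameter are this example's own choices.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    proto: str
    dport: Optional[int]   # None for protocols without ports (ICMP)
    ttl: int               # TTL as the packet arrived at this router


def parse_line(line: str) -> Optional[Probe]:
    """Pull the needed fields out of one key=value style log line.

    Tokens without '=' (timestamp, hostname, 'kernel:', flag words like
    SYN) are ignored, so the order of the fields does not matter.
    """
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        dport = int(fields["DPT"]) if "DPT" in fields else None
        return Probe(fields["SRC"], fields["DST"], fields["PROTO"],
                     dport, int(fields["TTL"]))
    except (KeyError, ValueError):
        return None


def find_ttl_scans(lines, min_ports=5, expire_ttl=1):
    """Return {(src, dst): [(proto, dport), ...]} for sources that probed at
    least min_ports distinct ports with packets that expire at this hop.

    A packet arriving with TTL <= expire_ttl is decremented to 0 here and,
    if the ACL lets it through, answered with ICMP time exceeded, which is
    the signal a TTL scan reads. Traceroute also sends such packets, but
    only to one or two ports per hop; a scan keeps the TTL fixed and walks
    the port list, so distinct ports per (src, dst) is the discriminator.
    The variant that expires one hop past the router shows up with TTL 2
    here and TTL 1 at the next router, so run the check on every hop.
    """
    expiring = defaultdict(lambda: defaultdict(set))
    for line in lines:
        p = parse_line(line)
        if p is None or p.ttl > expire_ttl:
            continue
        expiring[p.src][p.dst].add((p.proto, p.dport))

    hits = {}
    for src, by_dst in expiring.items():
        for dst, ports in by_dst.items():
            if len(ports) >= min_ports:
                hits[(src, dst)] = sorted(ports, key=lambda t: (t[0], t[1] or 0))
    return hits


# Constructed sample log, as a router sitting between 10.0.0.1 and 10.0.0.4
# might record it (netfilter LOG style). Not captured from a real network.
SAMPLE_LOG = [
    # 10.0.0.1 walks eight TCP ports with TTL=1: every packet expires here.
    f"May 22 15:01:{i:02d} gw kernel: FW: IN=eth0 OUT=eth1 SRC=10.0.0.1 DST=10.0.0.4 "
    f"LEN=40 TTL=1 PROTO=TCP SPT={2000 + i} DPT={port} SYN"
    for i, port in enumerate([21, 22, 23, 25, 80, 139, 443, 445])
] + [
    # 10.0.0.9 runs an ordinary traceroute: the TTL climbs, the port barely moves.
    "May 22 15:02:00 gw kernel: FW: IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=10.0.0.4 LEN=60 TTL=1 PROTO=UDP SPT=40000 DPT=33434",
    "May 22 15:02:01 gw kernel: FW: IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=10.0.0.4 LEN=60 TTL=2 PROTO=UDP SPT=40000 DPT=33435",
    # Normal traffic arriving with a full TTL is never counted.
    "May 22 15:02:02 gw kernel: FW: IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=10.0.0.4 LEN=52 TTL=64 PROTO=TCP SPT=51000 DPT=445 SYN",
    # A line without the needed fields is skipped, not treated as an error.
    "May 22 15:02:03 gw kernel: link up on eth1",
]


if __name__ == "__main__":
    for (src, dst), ports in find_ttl_scans(SAMPLE_LOG).items():
        print(f"possible TTL scan from {src} toward {dst}: "
              + ", ".join(f"{proto}/{port}" for proto, port in ports))
```

On the sample above only 10.0.0.1 is reported; the traceroute from 10.0.0.9 touches a single port at TTL 1 and stays below the threshold. The threshold is deliberately a parameter: a router that fronts a large address range will see more benign TTL-1 traffic and may want a higher `min_ports`, or an extra condition on the time window in which the probes arrive.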
Current thread:
- [PATCH] improvements and a new(?) type of scan Phil (Apr 02)
- Re: [PATCH] improvements and a new(?) type of scan Darren Reed (Apr 02)
- Re: [PATCH] improvements and a new(?) type of scan L. Walker (May 22)