Nmap Announce mailing list archives

Re: [PATCH] improvements and a new(?) type of scan


From: "L. Walker" <k_aneda () yahoo com>
Date: Thu, 23 May 2002 01:13:40 +1000 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 2 Apr 2002, Phil wrote:

* A new(?) type of scan :
  Well, I've never seen any references to this technique nor have I heard
  anybody speaking about it, so I imagine I have the privilege to give it
  a name. I've chosen the TTL scan. (Please correct me if I'm wrong).

  This consists of sending packets as in a normal scan, but with a TTL
  small enough to reach only the gateway we want to firewalk.

  If this gateway sends ICMP time exceeded, it usually does so only for
  packets that could have gone through. Else it drops the packet or sends
  an ICMP dest unreach.

Sorry I took forever to reply... had several problems - 1) internet
account, stupid ISP... 2) Yahoo cut off my POP axs *boohoo*, now limited
to using FetchYahoo... greets to whoever wrote that damn nice Perl script
:)

The TTL scan that you refer to is used in a program called Firewalk (which
does what it says), and also referred to in a white paper involving
hping2, great little program IMHO.

If the gateway will allow the packet you're sending (of course, you set the TTL
so it expires on the gateway, whereas firewalk sets the TTL to expire 1
hop past the gateway/router I think), then you'll get back ICMP "TTL
expired in transit".  Hping2 example to follow.

If it doesn't allow it, it'll either drop the packet (like most good routers)
or send back ICMP 13 "Admin Prohibited".

Small example.  Please give positive comments on me explaining techniques.
Btw, if you have any other techniques for discovering ACLs, etc. please
email me :)

Route:
10.x.x.1 - Us
10.x.x.2 - Router (Hop 1)
10.x.x.3 - Router (Hop 2)
10.x.x.4 - Host we're sending packets to (Hop 3)

Here we see if we can get a packet from us to 10.x.x.4, TCP, port 139:

k_aneda@myst:~/hk/logs$ hping 10.x.x.4 -n -p 139 -S -c 1
HPING 10.x.x.4 (eth0 10.x.x.1): S set, 40 headers + 0 data bytes

- --- 10.x.x.4 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms



Timeout :P
Let's see if the packet even made it through 10.x.x.3...

k_aneda@myst:~/hk/logs$ hping 10.x.x.4 -n -t 2 -p 139 -S -c 1
HPING 10.x.x.4 (eth0 10.x.x.1): S set, 40 headers + 0 data bytes

- --- 10.x.x.4 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms



Obviously not.  To the neophytes/newbies, yes, you could
guess straight away that Hop 1 allows it... but you never know,
could be your own machine blocking the packets :P
Let's test Hop 1 now...

k_aneda@myst:~/hk/logs$ hping 10.x.x.4 -n -t 1 -p 139 -S -c 1
HPING 10.x.x.4 (eth0 10.x.x.1): S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=10.x.x.2

- --- 10.x.x.4 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


Well there we go.  We now know a small bit of the ACL... yes, it
could take forever to do an ACL, but that's what NMAP is for, and
the wonderful patch that you've supplied.  If I was a better coder
I would have done it myself... :P

- -- 
L. Walker
NOTICE: By spamming this account or scanning the IP address that this message
was sent from, you consent to a free and unrestricted security audit.
- -- 
If one wants to be a policeman, one must learn how to be a thief.
- --
That's why we spend so much time trying to understand our own motivations
and those of others.  That's what makes life so interesting.
   Kaji, Evangelion Ep 18
- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE867WtBJ6saYuOFLgRAiZ2AJ9MnV0izLiG2JK5RpOnEvPL5mwFVACdHMcn
XjAV71Y7MaYLk1Pa5mCoXEk=
=LQyf
-----END PGP SIGNATURE-----
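Seen from the gateway's side, the technique described in this message leaves a recognisable trace: a run of probes from one source to one destination and port whose IP TTL is tiny (the hping runs above use 1 and 2, where ordinary traffic arrives with TTLs in the 50-255 range) and steps by one hop at a time. The following is an added example, not code from the thread, hping or Firewalk: a small Python detector that parses constructed firewall-log lines in a simplified "timestamp src dst proto dport flags ttl=N" format (an assumption made for this example; real tcpdump or iptables output would need its own regex) and flags low-TTL probe series that look like a TTL scan.

```python
"""Detect TTL-scan (firewalk-style) probing in constructed log lines.

Added example for the nmap-hackers thread; the log format, the LOW_TTL
threshold and the sample lines are assumptions made for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real traffic). Line 1 is a normal SYN with a
# default TTL; lines 2-3 are the same 5-tuple with TTL 2 and 1, i.e. the
# hping -t 2 / -t 1 probes from the message as a gateway would log them.
SAMPLE_LOG = """\
1022000001 10.0.0.1 10.0.0.4 tcp 139 S ttl=64
1022000002 10.0.0.1 10.0.0.4 tcp 139 S ttl=2
1022000003 10.0.0.1 10.0.0.4 tcp 139 S ttl=1
1022000004 10.0.0.9 10.0.0.4 tcp 80 S ttl=64
1022000005 10.0.0.9 10.0.0.4 tcp 80 S ttl=64
1022000006 10.0.0.7 10.0.0.4 tcp 22 S ttl=128
"""

# Assumed format: "<epoch> <src> <dst> <proto> <dport> <flags> ttl=<n>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\w+) (\d+) (\S+) ttl=(\d+)$")

# Assumption: legitimate hosts send TTLs of 64/128/255 minus a few hops, so
# anything at or below this value is treated as a deliberately short TTL.
LOW_TTL = 8


@dataclass(frozen=True)
class Probe:
    ts: int
    src: str
    dst: str
    proto: str
    dport: int
    ttl: int


def parse_log(text):
    """Parse the constructed log format into Probe records, skipping junk lines."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, proto, dport, _flags, ttl = m.groups()
        probes.append(Probe(int(ts), src, dst, proto, int(dport), int(ttl)))
    return probes


def find_ttl_scans(probes, window=60, min_probes=2):
    """Group probes by (src, dst, proto, dport) and flag groups with at least
    min_probes low-TTL packets inside `window` seconds.

    Returns {key: sorted list of distinct low TTLs}, so an analyst can see
    which hops the sender was walking (TTL 1 = first router, 2 = second, ...).
    """
    groups = defaultdict(list)
    for p in probes:
        groups[(p.src, p.dst, p.proto, p.dport)].append(p)

    findings = {}
    for key, plist in groups.items():
        low = sorted((p for p in plist if p.ttl <= LOW_TTL), key=lambda p: p.ts)
        if len(low) < min_probes:
            continue
        # Simple first-to-last span check; a sliding window would be needed
        # for very long captures, but this is enough to show the idea.
        if low[-1].ts - low[0].ts > window:
            continue
        findings[key] = sorted({p.ttl for p in low})
    return findings


if __name__ == "__main__":
    for (src, dst, proto, dport), ttls in find_ttl_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible TTL scan: {src} -> {dst} {proto}/{dport}, TTLs seen {ttls}")
```

On the constructed sample this reports a single finding, 10.0.0.1 -> 10.0.0.4 tcp/139 with TTLs [1, 2], and ignores the hosts that only ever sent default TTLs. The threshold matters: a border router a few hops from a 64-TTL sender will legitimately see TTLs in the 50s, so LOW_TTL has to stay well below that, and the mitigation that makes the whole technique less informative is the one the message itself names, dropping denied packets silently rather than answering with ICMP.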
