Nmap Development mailing list archives
RE: Deny/Reject patch
From: "Ofir Arkin" <ofir () sys-security com>
Date: Thu, 25 Oct 2001 01:20:53 +0200
Gents,
> To conclude this mail, I want to start a discussion about the utility of fingerprinting systems with these ICMP unreachables (if we get them, let's use them, it can't kill us). I worked a little on this topic and I still think it can "easily" be done.
> Well, one issue is that they are often sent by other machines rather than the actual destination -- so fingerprinting that doesn't help. In some cases, filters can even forge the packets to make them look like they came from the destination host. And even when the packets really do come from the target host, the actual packets may depend on the firewalling software being used. On Solaris, ipf and firewall-1 may send different "destination prohibited by filter" ICMP messages. And vice versa: ipf may send the same packet whether it is running on Solaris or Linux. I haven't done a whole lot of experimentation, but those are the risks that come to mind. This is one reason that Nmap is pretty picky about what kinds of ICMP messages are used for fingerprints.
Using the ICMP error message received from a different IP (you can actually understand that when you are scanning), and analyzing the severity of the error message and its meaning (port unreachable is not like administratively prohibited), you can try to guess the firewall's own IP stack according to the ICMP error message and the fingerprints it leaves in the error message it generates. You can also detect that something is suspicious when you use TCP and see some fingerprints, and when using ICMP you see other fingerprints. This happens when certain protocols are diverted to another place and do not reach the targeted host. So there is a lot to understand here, and to analyze.

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
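The two observations in this exchange (the unreachable may come from an intermediate filter rather than the target, and the traits of the responding stack may differ between a TCP probe and an ICMP probe) can be checked mechanically from the error packet itself. The following is an added example, not code from the thread or from Nmap: it parses an ICMP Destination Unreachable message, reports the code's meaning, whether the sender differs from the original destination quoted inside the error, the sender's TTL and how many bytes of the original datagram were quoted, and then flags responders whose traits are inconsistent across probes. All addresses and packets are constructed in the block; the helper names are the example's own.

```python
import struct
import ipaddress

# ICMP type 3 (Destination Unreachable) codes from RFC 792 / RFC 1812.
ICMP_UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def inet_checksum(data):
    """Standard one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(buf):
    """Return (fields, header_length) for the IPv4 header at the start of buf."""
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}, ihl


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid checksum (constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_unreachable(sender, prober, target, code, original_proto, quoted_len, ttl=64):
    """Constructed ICMP Destination Unreachable, as a filter or end host would return it
    to the prober; the quoted original datagram is prober -> target with quoted_len payload bytes."""
    original_payload = bytes(range(quoted_len))  # stand-in for the probe's transport header
    inner = build_ipv4_header(prober, target, original_proto, quoted_len) + original_payload
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(sender, prober, 1, len(icmp), ttl) + icmp


def analyze_unreachable(packet):
    """Extract the traits of an ICMP unreachable that matter for deciding who sent it."""
    outer, ihl = parse_ipv4_header(packet)
    if outer["proto"] != 1:
        raise ValueError("not an ICMP datagram")
    icmp = packet[ihl:]
    if icmp[0] != 3:
        raise ValueError("not a Destination Unreachable message")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    code = icmp[1]
    quoted = icmp[8:]                      # the original datagram as quoted by the responder
    inner, inner_ihl = parse_ipv4_header(quoted)
    return {
        "sender": outer["src"],
        "sender_ttl": outer["ttl"],
        "code": code,
        "meaning": ICMP_UNREACH_CODES.get(code, "unassigned code %d" % code),
        "original_dst": inner["dst"],
        "original_proto": inner["proto"],
        # An error whose sender is not the quoted destination came from a filter or router.
        "from_intermediate": outer["src"] != inner["dst"],
        # Stacks differ in how much of the original datagram they quote beyond the IP header.
        "quoted_bytes": len(quoted) - inner_ihl,
    }


def responder_profile(report):
    """Traits of the responding stack that should stay stable across probe types."""
    return (report["sender"], report["sender_ttl"], report["quoted_bytes"])


def inconsistent_responders(reports):
    """True when errors for the same target came back with differing stack traits, i.e. the
    TCP-versus-ICMP mismatch described in the message above."""
    return len({responder_profile(r) for r in reports}) > 1
```

Running `analyze_unreachable` over a captured error from a TCP probe and one from a UDP or ICMP probe to the same target, then passing both reports to `inconsistent_responders`, shows whether one of the protocols is being answered by a different stack than the other.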
Current thread:
- Deny/Reject patch Guillaume Valadon (Oct 24)
- RE: Deny/Reject patch Ofir Arkin (Oct 24)
- Re: Deny/Reject patch Fyodor (Oct 24)
- RE: Deny/Reject patch Ofir Arkin (Oct 24)
- Re: Deny/Reject patch Guillaume Valadon (Oct 25)