Nmap Development mailing list archives

RE: Deny/Reject patch


From: "Ofir Arkin" <ofir () sys-security com>
Date: Thu, 25 Oct 2001 01:20:53 +0200

Gents,

To conclude this mail, I want to start a talk about the utility of
fingerprinting systems with these ICMP unreachables (if we get them, let's
use them, it can't kill us). I worked a little on this topic and I still
think it can "easily" be done.

Well one issue is that they are often sent by other machines rather
than the actual destination -- so fingerprinting that doesn't help.
In some cases, filters can even forge the packets to make them look
like they came from the destination host.  And even when the packets
really do come from target host, the actual packets may depend on the
firewalling software being used.  On Solaris, ipf and firewall-1 may
send different "destination prohibited by filter" ICMP messages.  And
vice versa: ipf may send the same packet whether it is running on
Solaris or Linux.  I haven't done a whole lot of experimentation, but
those are the risks that come to mind.  This is one reason that Nmap
is pretty picky about what kinds of ICMP messages are used for
fingerprints.

Using the ICMP error message received from a different IP (you can
actually recognize that while you are scanning), and analyzing the severity
of the error message and its meaning (port unreachable is not the same as
administratively prohibited), you can try to guess the firewall's own IP
stack according to the ICMP error message and the fingerprints it leaves
in the error message it generates.

You can also detect that something is suspicious when you use TCP and
see some fingerprints, and when using ICMP you see other
fingerprints. This happens when certain protocols are diverted to
another place and do not reach the targeted host.

So there is a lot to understand here, and to analyze.



Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
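The points made in this message (an unreachable may come from a filter rather than the host, a "port unreachable" means something different from an "administratively prohibited", and a host that answers TCP probes differently from ICMP probes suggests traffic is being diverted) are easy to check mechanically on a packet capture. The following is an added example, not code from the thread or from Nmap: it builds constructed ICMP Destination Unreachable packets, parses them, and reports whether the error originator matches the probed target, what the code means, how many bytes of the probe were quoted back, and whether different probe protocols were answered by different devices. All addresses are documentation ranges chosen for the example, and IP/ICMP checksums are left at zero because nothing here verifies them.

```python
"""Constructed example: parse ICMP Destination Unreachable messages and
judge whether they describe the target host or a filter in front of it."""
import struct
import ipaddress

# RFC 792 / RFC 1812 code values for ICMP type 3 (Destination Unreachable).
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
ADMIN_PROHIBITED = {9, 10, 13}   # codes a filtering device emits, not an end host


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Minimal IPv4 header + payload (header checksum left 0; never verified here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                         ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(buf):
    (vihl, _tos, total_len, ident, _ff, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    return {"ttl": ttl, "id": ident, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": buf[ihl:total_len]}


def build_unreachable(responder, probe_src, target, probe_proto, code, ttl, quote_len):
    """Constructed ICMP type 3 error sent by `responder` about a probe
    probe_src -> target that used IP protocol `probe_proto`."""
    probe = build_ipv4(probe_src, target, probe_proto, bytes(range(quote_len)))
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + probe   # type, code, csum, unused
    return build_ipv4(responder, probe_src, 1, icmp, ttl=ttl)


def parse_unreachable(buf):
    outer = parse_ipv4(buf)
    if outer["proto"] != 1:
        raise ValueError("not ICMP")
    icmp = outer["payload"]
    itype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != 3:
        raise ValueError("not Destination Unreachable")
    inner = parse_ipv4(icmp[8:])            # the quoted original datagram
    return {
        "responder": outer["src"],
        "responder_ttl": outer["ttl"],      # initial TTL hints at the responder's stack
        "target": inner["dst"],
        "probe_proto": inner["proto"],
        "code": code,
        "meaning": UNREACH_CODES.get(code, "unknown"),
        "quoted_bytes": len(icmp) - 8,      # how much of the probe was echoed back
        "from_target": outer["src"] == inner["dst"],
    }


def assess(errors):
    """Summarise parsed errors for one target across probe protocols."""
    by_proto = {}
    for e in errors:
        by_proto.setdefault(e["probe_proto"], set()).add(e["responder"])
    return {
        # an error not from the target, or an admin-prohibited code, means a filter spoke
        "filter_involved": any(not e["from_target"] or e["code"] in ADMIN_PROHIBITED
                               for e in errors),
        # different devices answering different protocols: traffic is being diverted
        "diverted": len({frozenset(s) for s in by_proto.values()}) > 1,
        "responders_by_proto": {p: sorted(s) for p, s in by_proto.items()},
    }


# Constructed sample: documentation addresses, not real hosts.
TARGET, SCANNER, FIREWALL = "192.0.2.10", "198.51.100.7", "192.0.2.1"
SAMPLE = [
    # UDP probe (proto 17) answered by the target itself with port unreachable
    build_unreachable(TARGET, SCANNER, TARGET, 17, 3, ttl=255, quote_len=8),
    # TCP probe (proto 6) answered by the router in front with admin prohibited
    build_unreachable(FIREWALL, SCANNER, TARGET, 6, 13, ttl=64, quote_len=8),
]

if __name__ == "__main__":
    parsed = [parse_unreachable(p) for p in SAMPLE]
    for e in parsed:
        print(e)
    print(assess(parsed))
```

The quoted-byte count and the responder's TTL are the sort of per-stack details the message refers to as the "fingerprints it leaves"; in real captures the quoted length in particular varies between implementations, so recording it per responder is the first step before trying to attribute an error to a specific stack.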

