Nmap Development mailing list archives
OS-detecting a firewall?
From: Andrew Lutomirski <luto () myrealbox com>
Date: Tue, 7 Feb 2006 12:33:55 -0800
I have a server with a b0rked firewall in the way. I'm trying to identify it. This firewall has the property that it always RSTs ACK packets that it sees unless they match a known connection. So I did this:

nmap -sS -p4376 -O --fuzzy --scan-delay 500 -vvvv -d <server behind firewall>

The idea being that, since it's a closed and filtered port, I'll see the firewall, not the server. The results are like this:

# nmap -sS -p4376 -O --fuzzy --scan-delay 500 -vvvv XXXXXXXXXXXXX

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-07 02:36 PST
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan against XXXXXXXXXXXXX [1 port] at 02:36
The SYN Stealth Scan took 1.51s to scan 1 total ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host XXXXXXXXXXXXX appears to be up ... good.
Interesting ports on XXXXXXXXXXXXX:
PORT     STATE    SERVICE
4376/tcp filtered unknown
Device type: router|general purpose
Running: Cisco IOS 12.X, Linux 2.6.X
OS details: Cisco 2611 router running IOS 12.0(7)T, Linux 2.6.11
OS Fingerprint:
T5(Resp=N)
T6(Resp=Y%DF=N%W=400%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=C00%ACK=S%Flags=AR%Ops=WNMETL)
PU(Resp=N)

Nmap finished: 1 IP address (1 host up) scanned in 10.187 seconds
Raw packets sent: 10 (1044B) | Rcvd: 3 (166B)

# nmap -sS -p4376 -O --fuzzy --scan-delay 500 -vvvv -d XXXXXXXXXXXXX

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-07 02:37 PST
<snip>
Failed exact match #0 (0-based):
T5(Resp=N)
T6(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=C00%ACK=S%Flags=AR%Ops=WNMETL)
PU(Resp=N)
Host XXXXXXXXXXXXX appears to be up ... good.
Interesting ports on XXXXXXXXXXXXX:
PORT     STATE    SERVICE
4376/tcp filtered unknown
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.8 - 2.6.9
OS Fingerprint:
T5(Resp=N)
T6(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL)
PU(Resp=N)

Final times for host: srtt: 82557 rttvar: 82557 to: 500000

# nmap -sS -p4376 -O --fuzzy --scan-delay 2000 -vvvv -d XXXXXXXXXXXXX

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-07 02:44 PST
<snip>
PORT     STATE    SERVICE
4376/tcp filtered unknown
Device type: router|broadband router|general purpose
Running: Cisco IOS 12.X, Linksys embedded, Linux 2.6.X, Sun Solaris 8
OS details: Cisco 2611 router running IOS 12.0(7)T, Linksys WRT54G Wireless Broadband Router (Linux kernel 2.4.20), Linux 2.6.8 - 2.6.9, Sun Solaris 8
OS Fingerprint:
T5(Resp=N)
T6(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
PU(Resp=N)

Final times for host: srtt: 81853 rttvar: 81853 to: 2000000
Nmap finished: 1 IP address (1 host up) scanned in 40.189 seconds
Raw packets sent: 10 (1044B) | Rcvd: 3 (166B)

Note the different answers. I doubt this is an nmap bug. I'm wondering if it could be improved, though. Ideally there would be a whole separate set of fingerprints for firewalls, with a feature to identify even firewalls to (partially/fully) open ports.

Thoughts? Is there a better way I could do this?

--Andy

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
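To see exactly which fingerprint fields move between the three runs (and so why --fuzzy lands on different OS guesses each time), here is an added Python helper that is not part of Andy's post or of Nmap itself: it parses Nmap 4.00's first-generation fingerprint lines into test/attribute maps and reports the attributes that are not stable across runs. The three RUN strings are copied from the output quoted above; the W field is Nmap's TCP window size in hex, so 400/800/C00/1000 decode to 1024/2048/3072/4096.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fingerprint strings as reported in the three runs quoted in the post above.
RUN1 = "T5(Resp=N) T6(Resp=Y%DF=N%W=400%ACK=S%Flags=AR%Ops=WNMETL) T7(Resp=Y%DF=N%W=C00%ACK=S%Flags=AR%Ops=WNMETL) PU(Resp=N)"
RUN2 = "T5(Resp=N) T6(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL) T7(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL) PU(Resp=N)"
RUN3 = "T5(Resp=N) T6(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL) T7(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL) PU(Resp=N)"

# One test looks like NAME(attr=val%attr=val...); tests are separated by whitespace.
_TEST_RE = re.compile(r"(\w+)\(([^)]*)\)")


def parse_fingerprint(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a first-generation Nmap fingerprint into {test_name: {attribute: value}}."""
    tests: Dict[str, Dict[str, str]] = {}
    for name, body in _TEST_RE.findall(text):
        attrs: Dict[str, str] = {}
        for field in body.split("%"):
            if not field:
                continue
            key, _, value = field.partition("=")
            attrs[key] = value
        tests[name] = attrs
    return tests


def diff_fingerprints(*texts: str) -> Dict[Tuple[str, str], List[Optional[str]]]:
    """Return {(test, attribute): [value in run 1, run 2, ...]} for every attribute
    whose value is not identical in all runs. Missing attributes show up as None."""
    parsed = [parse_fingerprint(t) for t in texts]
    keys = {(test, attr) for p in parsed for test, attrs in p.items() for attr in attrs}
    unstable: Dict[Tuple[str, str], List[Optional[str]]] = {}
    for test, attr in sorted(keys):
        values = [p.get(test, {}).get(attr) for p in parsed]
        if len(set(values)) > 1:
            unstable[(test, attr)] = values
    return unstable


def window_sizes(text: str) -> Dict[str, int]:
    """Decode the hex W field of every responding test to an integer (e.g. 'C00' -> 3072)."""
    return {test: int(attrs["W"], 16)
            for test, attrs in parse_fingerprint(text).items() if "W" in attrs}


if __name__ == "__main__":
    for (test, attr), values in diff_fingerprints(RUN1, RUN2, RUN3).items():
        print(f"{test}.{attr} varies across runs: {values}")
    print("run 1 window sizes:", window_sizes(RUN1))
```

Only T6.W and T7.W change between the runs; every other field, including the AR flags and the WNMETL option order that drive the match, is identical, which is why the fuzzy matcher can jump between unrelated OS families on nothing more than the window value.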