Nmap Development mailing list archives
Re: [NSE] firewalking
From: David Fifield <david () bamsoftware com>
Date: Thu, 26 Aug 2010 11:40:45 -0600
On Tue, Aug 17, 2010 at 09:21:40PM +0200, Henri Doreau wrote:
> Hi, here is an updated version of my firewalk script. I've changed a few things:
> - checking the validity of caught replies
> - removed the sleep() after a timeout
> - use the new stdnse.get_script_args() function
It appears that the script only uses traceroute results in order to calculate the TTL to send. You could remove the requirement to use --traceroute if you provide another script argument, firewalk.ttl, that lets you set it directly. firewalk.gateway can remain as an alternate way when --traceroute is available.

I tested against scanme.nmap.org and skullsecurity.org and got different results. No ports were forwarded in one case and all ports were forwarded in the other. Is this expected?

# ./nmap -Pn --traceroute scanme.nmap.org --datadir . --script firewalk --script-args firewalk.gateway=69.36.239.221 --top-ports 10 -d

PORT     STATE    SERVICE      REASON
21/tcp   filtered ftp          no-response
22/tcp   open     ssh          syn-ack
23/tcp   filtered telnet       no-response
25/tcp   closed   smtp         reset
80/tcp   open     http         syn-ack
110/tcp  filtered pop3         no-response
139/tcp  filtered netbios-ssn  no-response
443/tcp  filtered https        no-response
445/tcp  filtered microsoft-ds no-response
3389/tcp filtered ms-term-serv no-response

Host script results:
|_firewalk: no forwarded ports found

TRACEROUTE (using port 25/tcp)
HOP RTT      ADDRESS
1   5.48 ms  192.168.0.1
2   45.61 ms 206.81.73.81
3   45.52 ms 206.81.73.82
4   43.64 ms 66.54.149.185
5   42.99 ms ge-6-24-515.car1.denver1.level3.net (63.211.250.17)
6   46.70 ms ae-31-53.ebr1.denver1.level3.net (4.68.107.94)
7   71.94 ms ae-3-3.ebr2.sanjose1.level3.net (4.69.132.57)
8   75.47 ms ae-62-62.csw1.sanjose1.level3.net (4.69.134.210)
9   66.64 ms ae-12-79.car2.sanjose2.level3.net (4.68.18.76)
10  65.70 ms layer42.car2.sanjose2.level3.net (4.59.4.78)
11  67.45 ms xe6-2.core1.svk.layer42.net (69.36.239.221)
12  65.88 ms scanme.nmap.org (64.13.134.52)

# ./nmap -Pn --traceroute skullsecurity.org --datadir . --script firewalk --script-args firewalk.gateway=206.220.192.10 --top-ports 10 -d

Scanned at 2010-08-26 10:54:31 MDT for 6s
PORT     STATE    SERVICE      REASON
21/tcp   filtered ftp          no-response
22/tcp   open     ssh          syn-ack
23/tcp   open     telnet       syn-ack
25/tcp   filtered smtp         no-response
80/tcp   open     http         syn-ack
110/tcp  filtered pop3         no-response
139/tcp  filtered netbios-ssn  no-response
443/tcp  open     https        syn-ack
445/tcp  filtered microsoft-ds no-response
3389/tcp filtered ms-term-serv no-response

Host script results:
|_firewalk: forwarded ports (tcp): 21,25,110,139,445,3389

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   6.30 ms   192.168.0.1
2   45.61 ms  206.81.73.81
3   45.19 ms  206.81.73.82
4   44.67 ms  66.54.149.185
5   43.54 ms  ge-6-24-515.car1.denver1.level3.net (63.211.250.17)
6   51.62 ms  ae-31-53.ebr1.denver1.level3.net (4.68.107.94)
7   65.35 ms  ae-2-2.ebr2.dallas1.level3.net (4.69.132.106)
8   55.26 ms  ae-2-70.edge2.Dallas3.Level3.net (4.69.145.76)
9   60.47 ms  4.59.36.18
10  93.13 ms  te3-4.bbr1.ash1.bandcon.com (216.151.179.218)
11  278.65 ms te3-3.bbr1.nyc1.bandcon.com (216.151.179.226)
12  92.92 ms  te3-2.bbr1.tor1.bandcon.com (216.151.179.245)
13  122.66 ms ax1rb1-ge1.winnipeg.voinetworks.net (216.151.186.174)
14  125.06 ms ax1rdc1-ge0.winnipeg.voinetworks.net (206.220.192.2)
15  127.25 ms ax1smc1-pos0-1.winnipeg.voinetworks.net (206.220.192.6)
16  129.47 ms ax1smb1-ge0.winnipeg.voinetworks.net (206.220.192.10)
17  131.63 ms dhcp-ip-152.biz2.winnipeg.voinetworks.net (206.220.193.152)

Because the script tests every filtered port, it will be slow when there are many filtered ports. I think it's okay in this case because you have to supply a special script argument to activate the script. It also doesn't make sense to run this script against more than one target at a time unless they have a gateway in common.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
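As an added illustration (not Henri's script and not Nmap code), the following Python reproduces the two pieces of logic the message discusses: deriving the probe TTL from Nmap's TRACEROUTE output for a given firewalk.gateway (the part a firewalk.ttl argument would replace), and turning per-port probe replies into the forwarded-ports line the script prints. The reply-classification rule (an ICMP time-exceeded from a hop beyond the gateway means the gateway passed the probe) is the classic firewalk rule and is an assumption about what the script does; the sample traceroute lines are copied from the scanme.nmap.org run above, and the reply list is constructed.

```python
import re

# Constructed sample: the last hops of the scanme.nmap.org traceroute quoted above.
SAMPLE_TRACEROUTE = """\
TRACEROUTE (using port 25/tcp)
HOP RTT      ADDRESS
10  65.70 ms layer42.car2.sanjose2.level3.net (4.59.4.78)
11  67.45 ms xe6-2.core1.svk.layer42.net (69.36.239.221)
12  65.88 ms scanme.nmap.org (64.13.134.52)
"""

# Matches "N  RTT ms ADDRESS" where ADDRESS is either a bare IP or "name (ip)".
HOP_RE = re.compile(r"^\s*(\d+)\s+[\d.]+ ms\s+(?:\S+\s+\()?([\d.]+)\)?\s*$")

def parse_traceroute(text):
    """Return {hop_number: ip} from an Nmap TRACEROUTE block."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = m.group(2)
    return hops

def ttl_for_gateway(hops, gateway):
    """TTL that expires one hop past the gateway, or None if the gateway
    is not in the traced path (the case --traceroute is needed for)."""
    for hop, ip in hops.items():
        if ip == gateway:
            return hop + 1
    return None

def forwarded_ports(replies, gateway):
    """Classify probes sent to filtered ports (assumed firewalk rule).
    replies: list of (port, reply) with reply None or
    {"type": ..., "src": ip}. A time-exceeded from any host other than
    the gateway shows the gateway forwarded the probe; no reply, or a
    reply from the gateway itself, means it was dropped there."""
    fwd = []
    for port, reply in replies:
        if (reply is not None and reply["type"] == "icmp-time-exceeded"
                and reply["src"] != gateway):
            fwd.append(port)
    return sorted(fwd)

def format_result(fwd):
    """Render the result the same way the script's host output does."""
    if not fwd:
        return "no forwarded ports found"
    return "forwarded ports (tcp): " + ",".join(str(p) for p in fwd)
```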
Current thread:
- [NSE] firewalking Henri Doreau (Aug 10)
- Re: [NSE] firewalking Henri Doreau (Aug 17)
- Re: [NSE] firewalking: NSE traceroute patch David Fifield (Aug 26)
- Re: [NSE] firewalking: NSE traceroute patch Henri Doreau (Aug 28)
- Re: [NSE] firewalking: NSE traceroute patch David Fifield (Aug 28)
- Re: [NSE] firewalking: NSE traceroute patch David Fifield (Aug 26)
- Re: [NSE] firewalking David Fifield (Aug 26)
- Re: [NSE] firewalking Henri Doreau (Aug 27)
- Re: [NSE] firewalking David Fifield (Aug 27)
- Re: [NSE] firewalking David Fifield (Aug 27)
- Re: [NSE] firewalking David Fifield (Aug 27)
- Re: [NSE] firewalking Henri Doreau (Aug 27)
- Re: [NSE] firewalking Henri Doreau (Aug 28)
- Re: [NSE] firewalking David Fifield (Aug 28)
- Re: [NSE] firewalking Henri Doreau (Aug 17)