Nmap Development mailing list archives

Re: [NSE] firewalking


From: David Fifield <david () bamsoftware com>
Date: Thu, 26 Aug 2010 11:40:45 -0600

On Tue, Aug 17, 2010 at 09:21:40PM +0200, Henri Doreau wrote:
Hi,

here is an updated version of my firewalk script.

I've changed a few things:
  - checking the validity of caught replies
  - removed the sleep() after a timeout
  - use the new stdnse.get_script_args() function

It appears that the script only uses traceroute results in order to
calculate the TTL to send. You could remove the requirement to use
--traceroute if you provide another script argument, firewalk.ttl, that
lets you set it directly. firewalk.gateway can remain as an alternate
way when --traceroute is available.

I tested against scanme.nmap.org and skullsecurity.org and got different
results. No ports were forwarded in one case and all ports were
forwarded in the other. Is this expected?

# ./nmap -Pn --traceroute scanme.nmap.org --datadir . --script firewalk --script-args firewalk.gateway=69.36.239.221 --top-ports 10 -d
PORT     STATE    SERVICE      REASON
21/tcp   filtered ftp          no-response
22/tcp   open     ssh          syn-ack
23/tcp   filtered telnet       no-response
25/tcp   closed   smtp         reset
80/tcp   open     http         syn-ack
110/tcp  filtered pop3         no-response
139/tcp  filtered netbios-ssn  no-response
443/tcp  filtered https        no-response
445/tcp  filtered microsoft-ds no-response
3389/tcp filtered ms-term-serv no-response

Host script results:
|_firewalk:  no forwarded ports found

TRACEROUTE (using port 25/tcp)
HOP RTT      ADDRESS
1   5.48 ms  192.168.0.1
2   45.61 ms 206.81.73.81
3   45.52 ms 206.81.73.82
4   43.64 ms 66.54.149.185
5   42.99 ms ge-6-24-515.car1.denver1.level3.net (63.211.250.17)
6   46.70 ms ae-31-53.ebr1.denver1.level3.net (4.68.107.94)
7   71.94 ms ae-3-3.ebr2.sanjose1.level3.net (4.69.132.57)
8   75.47 ms ae-62-62.csw1.sanjose1.level3.net (4.69.134.210)
9   66.64 ms ae-12-79.car2.sanjose2.level3.net (4.68.18.76)
10  65.70 ms layer42.car2.sanjose2.level3.net (4.59.4.78)
11  67.45 ms xe6-2.core1.svk.layer42.net (69.36.239.221)
12  65.88 ms scanme.nmap.org (64.13.134.52)

# ./nmap -Pn --traceroute skullsecurity.org --datadir . --script firewalk --script-args firewalk.gateway=206.220.192.10 --top-ports 10 -d
Scanned at 2010-08-26 10:54:31 MDT for 6s
PORT     STATE    SERVICE      REASON
21/tcp   filtered ftp          no-response
22/tcp   open     ssh          syn-ack
23/tcp   open     telnet       syn-ack
25/tcp   filtered smtp         no-response
80/tcp   open     http         syn-ack
110/tcp  filtered pop3         no-response
139/tcp  filtered netbios-ssn  no-response
443/tcp  open     https        syn-ack
445/tcp  filtered microsoft-ds no-response
3389/tcp filtered ms-term-serv no-response

Host script results:
|_firewalk:  forwarded ports (tcp): 21,25,110,139,445,3389

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   6.30 ms   192.168.0.1
2   45.61 ms  206.81.73.81
3   45.19 ms  206.81.73.82
4   44.67 ms  66.54.149.185
5   43.54 ms  ge-6-24-515.car1.denver1.level3.net (63.211.250.17)
6   51.62 ms  ae-31-53.ebr1.denver1.level3.net (4.68.107.94)
7   65.35 ms  ae-2-2.ebr2.dallas1.level3.net (4.69.132.106)
8   55.26 ms  ae-2-70.edge2.Dallas3.Level3.net (4.69.145.76)
9   60.47 ms  4.59.36.18
10  93.13 ms  te3-4.bbr1.ash1.bandcon.com (216.151.179.218)
11  278.65 ms te3-3.bbr1.nyc1.bandcon.com (216.151.179.226)
12  92.92 ms  te3-2.bbr1.tor1.bandcon.com (216.151.179.245)
13  122.66 ms ax1rb1-ge1.winnipeg.voinetworks.net (216.151.186.174)
14  125.06 ms ax1rdc1-ge0.winnipeg.voinetworks.net (206.220.192.2)
15  127.25 ms ax1smc1-pos0-1.winnipeg.voinetworks.net (206.220.192.6)
16  129.47 ms ax1smb1-ge0.winnipeg.voinetworks.net (206.220.192.10)
17  131.63 ms dhcp-ip-152.biz2.winnipeg.voinetworks.net (206.220.193.152)

Because the script tests every filtered port, it will be slow when there
are many filtered ports. I think it's okay in this case because you have
to supply a special script argument to activate the script. It also
doesn't make sense to run this script against more than one target at a
time unless they have a gateway in common.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
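The mail makes two points about the script's inputs and outputs: the probe TTL is derived only from the traceroute hop of the given gateway (so a direct firewalk.ttl argument could replace the --traceroute requirement), and the script probes every filtered port, so the forwarded-port list is always a subset of the filtered ports. The following Python is an added example, not the NSE script or any nmap code: it parses the kind of nmap output quoted above, derives the probe TTL from either a gateway address or an explicit TTL, and checks the script's result against the port table. The sample text is a constructed, abridged copy of the skullsecurity.org output (hops 3 to 13 omitted), the function names are hypothetical, and the rule "probe TTL = gateway hop + 1" is assumed here as the firewalking convention, not taken from the script.

```python
import re

# Constructed sample input: an abridged copy of the skullsecurity.org run
# quoted in the mail (traceroute hops 3-13 left out to keep it short).
SAMPLE_OUTPUT = """\
PORT     STATE    SERVICE      REASON
21/tcp   filtered ftp          no-response
22/tcp   open     ssh          syn-ack
23/tcp   open     telnet       syn-ack
25/tcp   filtered smtp         no-response
80/tcp   open     http         syn-ack
110/tcp  filtered pop3         no-response
139/tcp  filtered netbios-ssn  no-response
443/tcp  open     https        syn-ack
445/tcp  filtered microsoft-ds no-response
3389/tcp filtered ms-term-serv no-response

Host script results:
|_firewalk:  forwarded ports (tcp): 21,25,110,139,445,3389

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   6.30 ms   192.168.0.1
2   45.61 ms  206.81.73.81
14  125.06 ms ax1rdc1-ge0.winnipeg.voinetworks.net (206.220.192.2)
15  127.25 ms ax1smc1-pos0-1.winnipeg.voinetworks.net (206.220.192.6)
16  129.47 ms ax1smb1-ge0.winnipeg.voinetworks.net (206.220.192.10)
17  131.63 ms dhcp-ip-152.biz2.winnipeg.voinetworks.net (206.220.193.152)
"""

# "21/tcp   filtered ftp   no-response" -> (port, proto, state, service)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
# "16  129.47 ms host (206.220.192.10)" or "1   6.30 ms   192.168.0.1"
HOP_RE = re.compile(
    r"^(\d+)\s+[\d.]+ ms\s+(?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?", re.M)
FORWARDED_RE = re.compile(r"\|_firewalk:\s+forwarded ports \((\w+)\): ([\d,]+)")


def parse_ports(text):
    """Map (port, proto) -> state from the nmap port table."""
    return {(int(p), proto): state
            for p, proto, state, _service in PORT_RE.findall(text)}


def parse_traceroute(text):
    """Map hop number -> IP address from the TRACEROUTE section."""
    return {int(hop): ip for hop, ip in HOP_RE.findall(text)}


def filtered_ports(ports, proto="tcp"):
    """The ports the script would probe: only those reported as filtered."""
    return sorted(p for (p, pr), state in ports.items()
                  if pr == proto and state == "filtered")


def probe_ttl(hops, gateway=None, ttl=None):
    """Probe TTL as the mail suggests handling it: an explicit firewalk.ttl
    wins; otherwise the gateway must appear in the traceroute and the TTL is
    its hop number plus one (assumed rule: expire one hop past the gateway)."""
    if ttl is not None:
        if not 1 <= ttl <= 255:
            raise ValueError("ttl must be in 1..255")
        return ttl
    if gateway is None:
        raise ValueError("need firewalk.ttl or firewalk.gateway")
    for hop, ip in hops.items():
        if ip == gateway:
            return hop + 1
    raise ValueError("gateway %s not in traceroute: run with --traceroute "
                     "or pass firewalk.ttl directly" % gateway)


def parse_forwarded(text):
    """Ports listed in the |_firewalk result line; empty when none found."""
    m = FORWARDED_RE.search(text)
    return [int(x) for x in m.group(2).split(",")] if m else []


def classify(text, proto="tcp"):
    """Split the filtered ports into those the gateway forwarded and those it
    did not. Forwarded ports must be a subset of the filtered ones, because
    the script probes nothing else; anything outside that set is a parse or
    script error worth flagging."""
    filtered = set(filtered_ports(parse_ports(text), proto))
    forwarded = set(parse_forwarded(text))
    if not forwarded <= filtered:
        raise ValueError("forwarded ports %s are not all filtered ports"
                         % sorted(forwarded - filtered))
    return {"forwarded": sorted(forwarded),
            "not_forwarded": sorted(filtered - forwarded),
            "probes": len(filtered)}


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_OUTPUT)
    print("probe TTL:", probe_ttl(hops, gateway="206.220.192.10"))
    print(classify(SAMPLE_OUTPUT))
```

Against the sample, `probe_ttl` returns 17 for the gateway at hop 16, and `classify` reports all six filtered TCP ports as forwarded with none blocked at the gateway; on the scanme.nmap.org output the result line reads "no forwarded ports found", which `parse_forwarded` turns into an empty list so every filtered port lands in `not_forwarded`. The `probes` count is the number of filtered ports and is the quantity behind the slowness remark in the mail.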