RE: Firewall Scan

["Erin Carroll" <amoeba () amoebazone com>]

Several firewall and IPS vendors now incorporate nmap signature detection
which is probably what you are running into. Sygate, Tipping Point, and
others I can't recall off the top of my head. On the OS side, PF merged
p0f's passive fingerprinting features so a rule like:

set fingerprints "/etc/pf.os"
block in log quick on $ExtIF from any os "NMAP" to any label ExtNMAPScan

will show all ports as filtered regardless of actual open ports. Psad and
other tools also incorporate nmap fingerprint detection. Looks like you've
run into them :)

You can try an XMAS or FIN run which may work depending on how the target is
configured but you'll most likely have better luck using an alternate
scanner with a lesser known signature.


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
"I cannot brain today, I have the dumb"


> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On Behalf Of Shenk, Jerry A
> Sent: Friday, June 26, 2009 4:18 AM
> To: IPv7; pen-test () securityfocus com
> Subject: RE: Firewall Scan
>
> Yeah, that looks odd - I wonder if they are doing some type of passive
> host profiling or something.  I think I'd capture the traffic from an
> nmap scan of just port 5900 and then I'd look through that to see
> what's
> going on.  Then I'd just do a simple telnet connect and capture that.
> I
> wonder if they are looking for something that nmap does to the header.
>
> Another possibility is that there is portscan detection....by the time
> it hits port 5900, your IP has been blocked for a short time....but,
> the
> windows nmap scan seems like it should have triggered that action
> also...but perhaps the linux box has already been blocked by the time
> you did the single-port test...the tests you did make this seem
> unlikely;)
>
> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com]
> On Behalf Of IPv7
> Sent: Wednesday, June 24, 2009 3:45 PM
> To: pen-test () securityfocus com
> Subject: Firewall Scan
>
> Hello Guys,
>
> I was doing a normal TCP Scan on port 5900, when I found a strange
> result:
>
> 1st I did a normal TCP scan with Nmap
>
> Onix:~# nmap -p 5900 x.x.x.x
>
> Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:52 ART
> Interesting ports on x.x.x.x:
> PORT     STATE  SERVICE
> 5900/tcp closed vnc
>
> Nmap done: 1 IP address (1 host up) scanned in 0.361 seconds
>
> But.. if I use telnet/nc with this port, they can connect:
> Onix:~# telnet x.x.x.x 5900
> Trying x.x.x.x...
> Connected to x.x.x.x.
> Escape character is '^]'.
> RFB 003.003
>
> ^C
> What? I can connect..
> Ok, I will perform a more detailed scan:
>
> Onix:~# hping -S  -p 5900 x.x.x.x
> HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
> len=46 ip=x.x.x.x ttl=56 id=16854 sport=5900 flags=RA seq=0 win=512
> rtt=2.6 ms
> ^C
> --- x.x.x.x hping statistic ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 2.6/2.6/2.6 ms
>
> This host return an Reset/ACK, it should be ok if the port was closed,
> but I can connect with him.
>
> WINDOWS SCAN:
>
> Onix:~# nmap -sW -p 5900 x.x.x.x
>
> Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:57 ART
> Interesting ports on x.x.x.x:
> PORT     STATE SERVICE
> 5900/tcp open  vnc
>
> Nmap done: 1 IP address (1 host up) scanned in 0.051 seconds
>
> Ok, I will look the TCP Windows:
> First I try to send a TCP Packet with WIN=1
>
> Onix:~# hping -S -w 1  -p 5900 x.x.x.x
> HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
> len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1
> rtt=7.8 ms
> ^C
> --- x.x.x.x hping statistic ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 7.8/7.8/7.8 ms
>
> In the most cases, shouldn't this host respond with its suggestion of
> window's size??
>
> Then I sent the same with WIN=4096
>
> Onix:~# hping -S -w 4096  -p 5900 x.x.x.x
> HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
> len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1
> rtt=7.8 ms
> ^C
> --- x.x.x.x hping statistic ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 7.8/7.8/7.8 ms
>
>
> I can't understad this!
> Some idea?
>
>
> --
> ---------------------------------------
> -   El conocimiento es poder   -
> - y el saber nos hace libres.    -
> ----------------------------------
> netvulcano.wordpress.com
> Linux User #405757
> Machine Linux #310536
>
> -----------------------------------------------------------------------
> -
> This list is sponsored by: Information Assurance Certification Review
> Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require
> a full practical examination in order to become certified.
>
> http://www.iacertification.org
> -----------------------------------------------------------------------
> -
>
>
> **DISCLAIMER
> This e-mail message and any files transmitted with it are intended for
> the use of the individual or entity to which they are addressed and may
> contain information that is privileged, proprietary and confidential.
> If you are not the intended recipient, you may not use, copy or
> disclose to anyone the message or any information contained in the
> message. If you have received this communication in error, please
> notify the sender and delete this e-mail message. The contents do not
> represent the opinion of D&E except to the extent that it relates to
> their official business.
>
> -----------------------------------------------------------------------
> -
> This list is sponsored by: Information Assurance Certification Review
> Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require
> a full practical examination in order to become certified.
>
> http://www.iacertification.org
> -----------------------------------------------------------------------
> -


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------