Penetration Testing mailing list archives
Re: Firewall Scan
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Tue, 30 Jun 2009 14:48:08 -0400
Greets,

Actually, I believe Fyodor dropped the Echo-Request probe in 4.x. nmap simply hits TCP/80 with a SYN or ACK, depending on the version. Either way, I don't think this is nmap getting confused, as hping produces similar results and it never probes first.

IPv7,

Try setting some TCP options. A little trick I use with many clients (if they are willing to run an open source firewall) is to filter out all packets where the TCP header is 20 bytes. Every modern OS uses some number of TCP options. The only time you see no options set is SYN floods or port scanning.

HTH,
C

On Mon, 2009-06-29 at 10:25 -0300, Guilherme Alves wrote:
> You should consider "-P0" to prevent ping before scan. This can help with systems that block ping and mix up Nmap.
>
> Reference: http://nmap.org/book/man-host-discovery.html
>
> On Wed, Jun 24, 2009 at 4:44 PM, IPv7 <listas.internet () gmail com> wrote:
>
>> Hello Guys,
>>
>> I was doing a normal TCP scan on port 5900, when I found a strange result:
>>
>> 1st I did a normal TCP scan with Nmap:
>>
>>     Onix:~# nmap -p 5900 x.x.x.x
>>
>>     Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:52 ART
>>     Interesting ports on x.x.x.x:
>>     PORT     STATE  SERVICE
>>     5900/tcp closed vnc
>>
>>     Nmap done: 1 IP address (1 host up) scanned in 0.361 seconds
>>
>> But.. if I use telnet/nc with this port, they can connect:
>>
>>     Onix:~# telnet x.x.x.x 5900
>>     Trying x.x.x.x...
>>     Connected to x.x.x.x.
>>     Escape character is '^]'.
>>     RFB 003.003
>>     ^C
>>
>> What? I can connect.. Ok, I will perform a more detailed scan:
>>
>>     Onix:~# hping -S -p 5900 x.x.x.x
>>     HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
>>     len=46 ip=x.x.x.x ttl=56 id=16854 sport=5900 flags=RA seq=0 win=512 rtt=2.6 ms
>>     ^C
>>     --- x.x.x.x hping statistic ---
>>     1 packets transmitted, 1 packets received, 0% packet loss
>>     round-trip min/avg/max = 2.6/2.6/2.6 ms
>>
>> This host returns a Reset/ACK; that would be OK if the port was closed, but I can connect to it.
>>
>> WINDOW SCAN:
>>
>>     Onix:~# nmap -sW -p 5900 x.x.x.x
>>
>>     Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:57 ART
>>     Interesting ports on x.x.x.x:
>>     PORT     STATE SERVICE
>>     5900/tcp open  vnc
>>
>>     Nmap done: 1 IP address (1 host up) scanned in 0.051 seconds
>>
>> Ok, I will look at the TCP window. First I try to send a TCP packet with WIN=1:
>>
>>     Onix:~# hping -S -w 1 -p 5900 x.x.x.x
>>     HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
>>     len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8 ms
>>     ^C
>>     --- x.x.x.x hping statistic ---
>>     1 packets transmitted, 1 packets received, 0% packet loss
>>     round-trip min/avg/max = 7.8/7.8/7.8 ms
>>
>> In most cases, shouldn't this host respond with its own suggested window size?
>> Then I sent the same with WIN=4096:
>>
>>     Onix:~# hping -S -w 4096 -p 5900 x.x.x.x
>>     HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
>>     len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8 ms
>>     ^C
>>     --- x.x.x.x hping statistic ---
>>     1 packets transmitted, 1 packets received, 0% packet loss
>>     round-trip min/avg/max = 7.8/7.8/7.8 ms
>>
>> I can't understand this! Any ideas?
>>
>> --
>> ---------------------------------------
>> - Knowledge is power -
>> - and knowing makes us free. -
>> ----------------------------------
>> netvulcano.wordpress.com
>> Linux User #405757
>> Machine Linux #310536
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Information Assurance Certification Review Board
>>
>> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>>
>> http://www.iacertification.org
>> --------------------------------------------------------------------------
>
> --
> Guilherme Alves
> GRIS - Grupo de Resposta a Incidentes de Segurança (Computer Security Incident Response Team)
> www.gris.dcc.ufrj.br
> DCC - Departamento de Ciência da Computação (Computer Science Department - UFRJ)
> www.dcc.ufrj.br
> UFRJ - Universidade Federal do Rio de Janeiro (Federal University of Rio de Janeiro - Brazil)
> www.ufrj.br
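Two points in this thread lend themselves to a worked check: Chris Brenton's firewall rule that a bare 20-byte TCP header (no options) is the signature of a crafted SYN rather than a real OS connection, and the discrepancy IPv7 saw between a plain SYN scan (any RST means "closed") and nmap's -sW window scan (a RST whose window field is nonzero is reported "open", a zero window "closed", as the nmap book documents; both hping replies in the thread carried a nonzero window). The Python below is an added example, not code from the thread or from nmap/hping: it parses a raw TCP header, applies both tests, and runs them over constructed segments (the RST/ACK with win=512 mirrors the reply in IPv7's first hping run). The segment contents, port numbers and helper names are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# TCP flag bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class TcpHeader:
    sport: int
    dport: int
    seq: int
    ack: int
    data_offset: int  # header length in 32-bit words; 5 means a bare 20-byte header
    flags: int
    window: int
    options: bytes

    @property
    def header_len(self) -> int:
        return self.data_offset * 4


def parse_tcp(raw: bytes) -> TcpHeader:
    """Parse a raw TCP segment (IP header already stripped) into fixed fields plus option bytes."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", raw[:20])
    data_offset = off_res >> 4
    hlen = data_offset * 4
    if hlen < 20 or hlen > len(raw):
        raise ValueError("invalid data offset %d" % data_offset)
    return TcpHeader(sport, dport, seq, ack, data_offset, flags, window, raw[20:hlen])


def build_tcp(sport, dport, flags, window, options=b"", seq=0, ack=0) -> bytes:
    """Build a constructed TCP segment for the samples below; the checksum is left as zero."""
    options += b"\x00" * ((-len(options)) % 4)  # pad options to a 32-bit boundary
    data_offset = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0) + options


def is_optionless_syn(hdr: TcpHeader) -> bool:
    """Chris Brenton's rule: a connection request (SYN, no ACK) whose TCP header is exactly
    20 bytes carries no options at all, which real OS stacks do not do."""
    return bool(hdr.flags & SYN) and not (hdr.flags & ACK) and hdr.header_len == 20


def window_scan_state(reply: Optional[TcpHeader]) -> str:
    """Port state as nmap's -sW window scan infers it from the reply to a probe:
    no reply -> filtered; RST with nonzero window -> open; RST with zero window -> closed."""
    if reply is None:
        return "filtered"
    if reply.flags & RST:
        return "open" if reply.window > 0 else "closed"
    return "unknown"


# Constructed sample segments (assumed values, not captured traffic)
MSS_1460 = b"\x02\x04\x05\xb4"  # option kind 2 (MSS), length 4, value 1460
SAMPLES = {
    # a normal OS-originated SYN carries options such as MSS (24-byte header)
    "normal_syn": build_tcp(40000, 5900, SYN, 65535, options=MSS_1460),
    # a crafted SYN with no options at all (20-byte header)
    "bare_syn": build_tcp(40000, 5900, SYN, 512),
    # RST/ACK with a nonzero window, like the win=512 reply in the thread
    "rst_win512": build_tcp(5900, 40000, RST | ACK, 512, ack=1),
    # RST/ACK with a zero window, what a closed port usually sends back
    "rst_win0": build_tcp(5900, 40000, RST | ACK, 0, ack=1),
}


def summarize(samples):
    """Run both checks over every sample and return the verdicts keyed by sample name."""
    out = {}
    for name, raw in samples.items():
        hdr = parse_tcp(raw)
        out[name] = {
            "header_len": hdr.header_len,
            "optionless_syn": is_optionless_syn(hdr),
            "window_scan": window_scan_state(hdr),
        }
    return out


if __name__ == "__main__":
    for name, verdict in summarize(SAMPLES).items():
        print("%-11s %s" % (name, verdict))
```

The optionless check is deliberately limited to SYN-without-ACK segments, since that is the packet a port scanner or SYN flooder has to send; applying it to RSTs or ACKs would flag ordinary traffic. The window-scan classifier is only as reliable as the target stack's habit of echoing a positive window in its RSTs, which is why a plain SYN scan and -sW can disagree on the same port, as they did in the thread.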
Current thread:
- Firewall Scan IPv7 (Jun 26)
- Re: Firewall Scan SD List (Jun 26)
- RE: Firewall Scan Shenk, Jerry A (Jun 26)
- RE: Firewall Scan Erin Carroll (Jun 26)
- Re: Firewall Scan Todd Haverkos (Jun 26)
- Re: Firewall Scan Guilherme Alves (Jun 29)
- Re: Firewall Scan Chris Brenton (Jun 30)