Firewall Wizards mailing list archives
Nmap -sO protocol scan apparently disables a certain firewall, allowing all sockets to pass
From: Franklin DeMotto <franklin_demotto () yahoo com>
Date: Sun, 22 Oct 2000 20:19:35 -0700 (PDT)
SUMMARY:
* A nmap -sO (protocol) scan somehow disables all, making all ports that were previously filtered either closed or open now.
* After the firewall was 'opened', connection attempts to the previously blocked ports were successful.
* I HAVE been able to reproduce this repeatedly (on the same host).
(A detailed log is included below)
CAUSE: unknown to me, but nmap -d -d reports back 'Received strange ICMP destunreach response' like this (I'm censoring out the address which is echoed in the ICMP):
Received strange ICMP destunreach response -- code: 0 Here it is: 3 0 FD FF 0 0 0 0 45 0 0 14 1D 29 0 0 26 70 E3 C C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0
Received strange ICMP destunreach response -- code: 0 Here it is: 3 0 FD FF 0 0 0 0 45 0 0 14 D2 25 0 0 26 CC 2D B4 C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0
Received strange ICMP destunreach response -- code: 0 Here it is: 3 0 FD FF 0 0 0 0 45 0 0 14 65 B3 0 0 26 5E 9A 94 C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0
Received strange ICMP destunreach response -- code: 0 Here it is: 3 0 FD FF 0 0 0 0 45 0 0 14 9B .. 0 0 26 E3 63 DA C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0
Received strange ICMP destunreach response -- code: 0 Here it is: 3 0 FD FF 0 0 0 0 45 0 0 14 63 CE 0 0 26 3B 9C 9C C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0
Now, I do not know exactly why it's considered strange. I got similar messages when scanning -d -d -sO other hosts. What is very interesting is that according to RFC 792, the code 0 (the second byte) is net unreachable, and may only be sent by a gateway, not a host. I double checked, however, that the source IP address WAS the host I was scanning.
DETAILS: Here is the log. I censored out a lot of the private info (i.e. names, IP addresses), but whenever I use the letter 'x', it is consistent ('*' are not consistent).
Note: I also had to clean it up a little to take care of the backspaces and control chars (someone should make a version of script that handles this!), but I may have missed some.
Let me add that I'm working from behind a router/firewall that does NAT on my address (although I can't see why this should matter).
Also, I have a tcpdump, but did not include it (too much work censoring it up). But if you have questions, contact me.
Script started on Thu Oct 19 15:27:35 2000
root]# /usr/local/sbin/mtr -r www.censored.censored.org
HOST                          LOSS  RCVD SENT    BEST     AVG   WORST
*****.my-isp.my-isp.com         0%    16   16   47.42   76.67  140.69
***.***.33.1                    0%    16   16   10.80   71.57  131.35
my-isp.my-isp.my-isp.com        0%    16   16   27.75   57.73  111.11
***.***.224.17                  0%    16   16   13.08   60.50  101.98
****-7507-1.***.my-isp.com      0%    16   16   15.69   51.30   98.72
***.130.74.41                   0%    16   16   17.87   59.94  136.34
at-*****-2-0-OC12.****.net      0%    16   16   20.64   75.96  156.80
at-*****-4-0-OC12.****.net      0%    16   16   22.88   67.14  134.34
at-*****-4-0-OC12.***.net       0%    16   16   25.34   53.29  124.33
***.130.3.26                    0%    16   16   38.13   74.12  108.72
***.130.3.122                   0%    16   16   35.56   90.58  173.58
at-***********.net              0%    16   16   41.68   74.29  118.98
???                           100%     0   16    0.00    0.00    0.00
/* NOTE: The '???' are real, not my censoring. The mtr couldn't identify them */
root]# ping www.censored.censored.org
PING www.censored.censored.org (xxx.xxx.120.70) from 192.168.1.100 : 56(84) bytes of data.
--- www.censored.censored.org ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss
root]# nc xxx.xxx.120.70 80
www.censored.censored.org [xxx.xxx.120.70] 80 (www) open
GET / HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Thu, 19 Oct 2000 19:23:05 GMT
Content-Type: text/html
<HEAD>
etc etc etc (cut out)
</BODY>
sent 16, rcvd 5936
root]# nmap -sT -p1-150 -P0 -v -v xxx.xxx.120.70
Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Initiating SYN Stealth Scan against www.censored.censored.org (xxx.xxx.120.70)
Adding TCP port 80 (state open).
The SYN Stealth Scan took 75 seconds to scan 150 ports.
Interesting ports on www.censored.censored.org (xxx.xxx.120.70):
(The 146 ports scanned but not shown below are in state: filtered)
Port       State       Service
25/tcp     closed      smtp
80/tcp     open        http
110/tcp    closed      pop-3
119/tcp    closed      nntp
Nmap run completed -- 1 IP address (1 host up) scanned in 76 seconds
/* Now, I scan xxx.xxx.3.60. Why? Well, the day before, a traceroute was able to identify the entire path. It was that day that I tried scanning the host before xxx.xxx.120.70, which was xxx.3.60, and noticed WILD effects!!!
Here is that day's traceroute (Note: as you will see later, eventually the traceroute opened up today as well)
traceroute to www.censored.censored.org (xxx.xxx.xxx.70), 30 hops max, 38 byte packets
etc etc
10 ***.130.3.26 (***.130.3.26) 118.510 ms 58.637 ms 97.880 ms
11 ***.130.3.122 (***.130.3.122) 187.941 ms 34.884 ms 102.835 ms
12 at-*****net (***.130.91.38) 104.734 ms 54.686 ms 112.322 ms
13 xxx.xxx.3.98 (xxx.xxx.3.98) 116.993 ms 151.689 ms 101.940 ms
14 xxx.xxx.3.60 (xxx.xxx.3.60) 115.803 ms 82.232 ms 110.506 ms
15 www.censored.censored.org (xxx.xxx.120.70) 110.186 ms 54.684 ms 90.386 ms
Unfortunately, I didn't pay attention (or even realize) and try to determine if the reason why traceroute succeeded and mtr failed was due to the app's method or just the fact that they were done on different days.
Now, being that numbers 13 & 14 have no reverse DNS, we can assume that they are most likely firewalls/routers/gateways/etc.
...back to the log */
root]# nmap -sO -O -v -v xxx.xxx.3.60
Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Host (xxx.xxx.3.60) appears to be down, skipping it.
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds
root]# nmap -sO -O -v -v xxx.xxx.3.60 -P0
Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Initiating IPProto Scan against (xxx.xxx.3.60)
The IPProto Scan took 313 seconds to scan 254 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting protocols on (xxx.xxx.3.60):
Protocol State Name 1 open
icmp 2 open igmp 3 open
ggp 4 open ip 5 open
st 6 open tcp 7 open
cbt 8 open egp 9 open
igp 10 open bbn-rcc-mon 11 open
nvp-ii 12 open pup 13
open argus 14 open emcon 15
open xnet 16 open chaos 17
open udp 18 open mux 19
open dcn-meas 20 open hmp 21
open prm 22 open xns-idp
23 open trunk-1 24 open
trunk-2 25 open leaf-1 26 open
leaf-2 27 open rdp 28
open irtp 29 open iso-tp4 30
open netblt 31 open mfe-nsp
32 open merit-inp 33 open
sep 34 open 3pc 35 open
idpr 36 open xtp 37 open
ddp 38 open idpr-cmtp 39 open
tp++ 40 open il 41 open
ipv6 42 open sdrp 43 open
ipv6-route 44 open ipv6-frag 45
open idrp 46 open rsvp 47
open gre 48 open mhrp 49
open bna 50 open esp 51
open ah 52 open i-nlsp 53
open swipe 54 open narp 55
open mobile 56 open tlsp
57 open skip 58 open
ipv6-icmp 59 open ipv6-nonxt 60
open ipv6-opts 61 open unknown
62 open cftp 63 open
unknown 64 open sat-expak 65
open kryptolan 66 open rvd 67
open ippc 68 open unknown
69 open sat-mon 70 open
visa 71 open ipcv 72 open
cpnx 73 open cphb 74 open
wsn 75 open pvp 76 open
br-sat-mon 77 open sun-nd 78
open wb-mon 79 open wb-expak 80
open iso-ip 81 open vmtp
82 open secure-vmtp 83 open
vines 84 open ttp 85 open
nsfnet-igp 86 open dgp 87
open tcf 88 open eigrp 89
open ospfigp 90 open sprite-rpc
91 open larp 92 open mtp
93 open ax.25 94 open
ipip 95 open micp 96 open
scc-SP 97 open etherip 98 open
encap 99 open unknown 100
open gmtp 101 open ifmp 102
open pnni 103 open pim 104
open aris 105 open scps 106
open qnx 107 open a/n 108
open ipcomp 109 open snp 110
open compaq-peer 111 open
ipx-in-ip 112 open vrrp 113 open
pgm 114 open unknown 115
open l2tp 116 open ddx 117
open iatp 118 open stp 119
open srp 120 open uti 121
open smp 122 open sm 123
open ptp 124 open isis-over-ipv4
125 open fire 126 open
crtp 127 open crudp 128 open
sscopmce 129 open iplt 130 open
sps 131 open pipe 132 open
sctp 133 open fc 134 open
unknown 135 open unknown 136
open unknown 137 open unknown
138 open unknown 139 open
unknown 140 open unknown 141 open
unknown 142 open unknown 143
open unknown 144 open unknown
145 open unknown 146 open
unknown 147 open unknown 148 open
unknown 149 open unknown 150
open unknown 151 open unknown
152 open unknown 153 open
unknown 154 open unknown 155 open
unknown 156 open unknown 157
open unknown 158 open unknown
159 open unknown 160 open
unknown 161 open unknown 162 open
unknown 163 open unknown 164
open unknown 165 open unknown
166 open unknown 167 open
unknown 168 open unknown 169 open
unknown 170 open unknown 171
open unknown 172 open unknown
173 open unknown 174 open
unknown 175 open unknown 176 open
unknown 177 open unknown 178
open unknown 179 open unknown
180 open unknown 181 open
unknown 182 open unknown 183 open
unknown 184 open unknown 185
open unknown 186 open unknown
187 open unknown 188 open
unknown 189 open unknown 190 open
unknown 191 open unknown 192
open unknown 193 open unknown
194 open unknown 195 open
unknown 196 open unknown 197 open
unknown 198 open unknown 199
open unknown 200 open unknown
201 open unknown 202 open
unknown 203 open unknown 204 open
unknown 205 open unknown 206
open unknown 207 open unknown
208 open unknown 209 open
unknown 210 open unknown 211 open
unknown 212 open unknown 213
open unknown 214 open unknown
215 open unknown 216 open
unknown 217 open unknown 218 open
unknown 219 open unknown 220
open unknown 221 open unknown
222 open unknown 223 open
unknown 224 open unknown 225 open
unknown 226 open unknown 227
open unknown 228 open unknown
229 open unknown 230 open
unknown 231 open unknown 232 open
unknown 233 open unknown 234
open unknown 235 open unknown
236 open unknown 237 open
unknown 238 open unknown 239 open
unknown 240 open unknown 241
open unknown 242 open unknown
243 open unknown 244 open
unknown 245 open unknown 246 open
unknown 247 open unknown 248
open unknown 249 open unknown
250 open unknown 251 open
unknown 252 open unknown 253 open
unknown 254 open unknown
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
SInfo(V=2.54BETA4%P=i686-pc-linux-gnu%D=10/19%Time=39EF4FC9%O=-1%C=-1)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 533 seconds
/* I'm leaving the time in the prompt because it may be important */
15:48:29 root]# nc -v -v xxx.xxx.120.70 80
GET / HTTP/1.0
sent 0, rcvd 0
15:49:39 root]# nmap -sT -P0 -v -v -p1-150 xxx.xxx.120.70
Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Initiating Connect() Scan against www.censored.censored.org (xxx.xxx.120.70)
Adding TCP port 80 (state open).
The Connect() Scan took 160 seconds to scan 150 ports.
Interesting ports on www.censored.censored.org (xxx.xxx.120.70):
(The 146 ports scanned but not shown below are in state: filtered)
Port       State       Service
25/tcp     closed      smtp
80/tcp     open        http
110/tcp    closed      pop-3
119/tcp    closed      nntp
Nmap run completed -- 1 IP address (1 host up) scanned in 160 seconds
15:52:51 root]# date; while true; do nmap -sS -P0 -v -v -F xxx.xxx.120.70; sleep 2m; done
Thu Oct 19 15:56:45 EDT 2000
Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Initiating SYN Stealth Scan against www.censored.censored.org (xxx.xxx.120.70)
Adding TCP port 139 (state open).
Adding TCP port 135 (state open).
Adding TCP port 21 (state open).
Adding TCP port 65301 (state open).
Adding TCP port 515 (state open).
Adding TCP port 5000 (state open).
Adding TCP port 80 (state open).
Adding TCP port 443 (state open).
Adding TCP port 5631 (state open).
Adding TCP port 1487 (state open).
The SYN Stealth Scan took 211 seconds to scan 1073 ports.
Interesting ports on www.censored.censored.org (xxx.xxx.120.70):
(The 1063 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
515/tcp    open        printer
1487/tcp   open        localinfosrvr
5000/tcp   open        fics
5631/tcp   open        pcanywheredata
65301/tcp  open        pcanywhere
Nmap run completed -- 1 IP address (1 host up) scanned in 212 seconds
Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Initiating SYN Stealth Scan against www.censored.censored.org (xxx.xxx.120.70)
Adding TCP port 139 (state open).
Adding TCP port 1487 (state open).
Adding TCP port 21 (state open).
Adding TCP port 135 (state open).
Adding TCP port 80 (state open).
Adding TCP port 65301 (state open).
Adding TCP port 515 (state open).
Adding TCP port 443 (state open).
Adding TCP port 5000 (state open).
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
515/tcp    open        printer
1487/tcp   open        localinfosrvr
5000/tcp   open        fics
5631/tcp   open        pcanywheredata
65301/tcp  open        pcanywhere
Nmap run completed -- 1 IP address (1 host up) scanned in 21 seconds
/* WOW! For some reason the firewall shut off after a minute. I can't figure out why. If you notice, it stays on for a minute, and then goes off. When I first discovered this, I remember that it didn't stay firewalled, but rather was a total DoS, even when tried via remote proxies. After a minute, however, it went back up, but sans a firewall.
My theory was that one of the IP protoscan packets caused the firewall to reboot. While it was booting, there was DoS. After it booted, it reverted to all open settings.
However, I'm really not sure if this is possible.
Anyway, back to our log, I wanted to make sure that nmap wasn't lying to me, so I connected */
16:04:13 root]# nc -v -v xxx.xxx.120.70 21
www.censored.censored.org [xxx.xxx.120.70] 21 (ftp) open
220 www Microsoft FTP Service (Version 4.0).
sent 0, rcvd 46
/* I've also had success connecting over other ports */
root]# exit
Script done on Thu Oct 19 16:08:07 2000
I know there's more testing that should have been done, but I was unable to do it. Maybe in the future.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
