Firewall Wizards mailing list archives
Nmap -sO protocol scan apparently disables a certain firewall, allowing all sockets to pass
From: Franklin DeMotto <franklin_demotto () yahoo com>
Date: Sun, 22 Oct 2000 20:19:35 -0700 (PDT)
SUMMARY:

* A nmap -sO (protocol) scan somehow disables all, making all ports that were previously filtered either closed or open now.
* After the firewall was 'opened', connection attempts to the previously blocked ports were successful.
* I HAVE been able to reproduce this repeatedly (on the same host). (A detailed log is included below.)

CAUSE:

Unknown to me, but nmap -d -d reports back 'Received strange ICMP destunreach response' like this (I'm censoring out the address which is echoed in the ICMP):

Received strange ICMP destunreach response -- code: 0
Here it is: 3 0 FD FF 0 0 0 0 45 0 0 14 1D 29 0 0 26 70 E3 C C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0
Received strange ICMP destunreach response -- code: 0
Here it is: 3 0 FD FF 0 0 0 0 45 0 0 14 D2 25 0 0 26 CC 2D B4 C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0
Received strange ICMP destunreach response -- code: 0
Here it is: 3 0 FD FF 0 0 0 0 45 0 0 14 65 B3 0 0 26 5E 9A 94 C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0
Received strange ICMP destunreach response -- code: 0
Here it is: 3 0 FD FF 0 0 0 0 45 0 0 14 9B .. 0 0 26 E3 63 DA C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0
Received strange ICMP destunreach response -- code: 0
Here it is: 3 0 FD FF 0 0 0 0 45 0 0 14 63 CE 0 0 26 3B 9C 9C C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0

Now, I do not know exactly why it's considered strange. I got similar messages when scanning -d -d -sO other hosts. What is very interesting is that according to RFC 792, the code 0 (the second byte) is net unreachable, and may only be sent by a gateway, not a host. I double checked, however, that the source IP address WAS the host I was scanning.

DETAILS:

Here is the log. I censored out a lot of the private info (i.e. names, IP addresses), but whenever I use the letter 'x', it is consistent ('*' are not consistent). Note: I also had to clean it up a little to take care of the backspaces and control chars (someone should make a version of script that handles this!), but I may have missed some.

Let me add that I'm working from behind a router/firewall that does NAT on my address (although I can't see why this should matter). Also, I have a tcpdump, but did not include it (too much work censoring it up). But if you have questions, contact me.

Script started on Thu Oct 19 15:27:35 2000

root]# /usr/local/sbin/mtr -r www.censored.censored.org
HOST                          LOSS  RCVD  SENT    BEST     AVG   WORST
*****.my-isp.my-isp.com         0%    16    16   47.42   76.67  140.69
***.***.33.1                    0%    16    16   10.80   71.57  131.35
my-isp.my-isp.my-isp.com        0%    16    16   27.75   57.73  111.11
***.***.224.17                  0%    16    16   13.08   60.50  101.98
****-7507-1.***.my-isp.com      0%    16    16   15.69   51.30   98.72
***.130.74.41                   0%    16    16   17.87   59.94  136.34
at-*****-2-0-OC12.****.net      0%    16    16   20.64   75.96  156.80
at-*****-4-0-OC12.****.net      0%    16    16   22.88   67.14  134.34
at-*****-4-0-OC12.***.net       0%    16    16   25.34   53.29  124.33
***.130.3.26                    0%    16    16   38.13   74.12  108.72
***.130.3.122                   0%    16    16   35.56   90.58  173.58
at-***********.net              0%    16    16   41.68   74.29  118.98
???                           100%     0    16    0.00    0.00    0.00

/* NOTE: The '???' are real, not my censoring. The mtr couldn't identify them */

root]# ping www.censored.censored.org
PING www.censored.censored.org (xxx.xxx.120.70) from 192.168.1.100 : 56(84) bytes of data.

--- www.censored.censored.org ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

root]# nc xxx.xxx.120.70 80
www.censored.censored.org [xxx.xxx.120.70] 80 (www) open
GET / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Thu, 19 Oct 2000 19:23:05 GMT
Content-Type: text/html

<HEAD>
etc etc etc (cut out)
</BODY>
sent 16, rcvd 5936

root]# nmap -sT -p1-150 -P0 -v -v xxx.xxx.120.70

Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Initiating SYN Stealth Scan against www.censored.censored.org (xxx.xxx.120.70)
Adding TCP port 80 (state open).
The SYN Stealth Scan took 75 seconds to scan 150 ports.
Interesting ports on www.censored.censored.org (xxx.xxx.120.70):
(The 146 ports scanned but not shown below are in state: filtered)
Port       State       Service
25/tcp     closed      smtp
80/tcp     open        http
110/tcp    closed      pop-3
119/tcp    closed      nntp

Nmap run completed -- 1 IP address (1 host up) scanned in 76 seconds

/* Now, I scan xxx.xxx.3.60. Why? Well, the day before, a traceroute was able to identify the entire path. It was that day that I tried scanning the host before xxx.xxx.120.70, which was xxx.3.60, and noticed WILD effects!!! Here is that day's traceroute (Note: as you will see later, eventually the traceroute opened up today as well)

traceroute to www.censored.censored.org (xxx.xxx.xxx.70), 30 hops max, 38 byte packets
etc etc
10  ***.130.3.26 (***.130.3.26)  118.510 ms  58.637 ms  97.880 ms
11  ***.130.3.122 (***.130.3.122)  187.941 ms  34.884 ms  102.835 ms
12  at-*****net (***.130.91.38)  104.734 ms  54.686 ms  112.322 ms
13  xxx.xxx.3.98 (xxx.xxx.3.98)  116.993 ms  151.689 ms  101.940 ms
14  xxx.xxx.3.60 (xxx.xxx.3.60)  115.803 ms  82.232 ms  110.506 ms
15  www.censored.censored.org (xxx.xxx.120.70)  110.186 ms  54.684 ms  90.386 ms

Unfortunately, I didn't pay attention (or even realize) and try to determine if the reason why traceroute succeeded and mtr failed was due to the app's method or just the fact that they were done on different days. Now, being that numbers 13 & 14 have no reverse DNS, we can assume that they are most likely firewalls/routers/gateways/etc.

...back to the log */

root]# nmap -sO -O -v -v xxx.xxx.3.60

Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Host (xxx.xxx.3.60) appears to be down, skipping it.
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds

root]# nmap -sO -O -v -v xxx.xxx.3.60 -P0

Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Initiating IPProto Scan against (xxx.xxx.3.60)
The IPProto Scan took 313 seconds to scan 254 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting protocols on (xxx.xxx.3.60):
Protocol   State   Name   (five entries per line below)
1 open icmp   2 open igmp   3 open ggp   4 open ip   5 open st
6 open tcp   7 open cbt   8 open egp   9 open igp   10 open bbn-rcc-mon
11 open nvp-ii   12 open pup   13 open argus   14 open emcon   15 open xnet
16 open chaos   17 open udp   18 open mux   19 open dcn-meas   20 open hmp
21 open prm   22 open xns-idp   23 open trunk-1   24 open trunk-2   25 open leaf-1
26 open leaf-2   27 open rdp   28 open irtp   29 open iso-tp4   30 open netblt
31 open mfe-nsp   32 open merit-inp   33 open sep   34 open 3pc   35 open idpr
36 open xtp   37 open ddp   38 open idpr-cmtp   39 open tp++   40 open il
41 open ipv6   42 open sdrp   43 open ipv6-route   44 open ipv6-frag   45 open idrp
46 open rsvp   47 open gre   48 open mhrp   49 open bna   50 open esp
51 open ah   52 open i-nlsp   53 open swipe   54 open narp   55 open mobile
56 open tlsp   57 open skip   58 open ipv6-icmp   59 open ipv6-nonxt   60 open ipv6-opts
61 open unknown   62 open cftp   63 open unknown   64 open sat-expak   65 open kryptolan
66 open rvd   67 open ippc   68 open unknown   69 open sat-mon   70 open visa
71 open ipcv   72 open cpnx   73 open cphb   74 open wsn   75 open pvp
76 open br-sat-mon   77 open sun-nd   78 open wb-mon   79 open wb-expak   80 open iso-ip
81 open vmtp   82 open secure-vmtp   83 open vines   84 open ttp   85 open nsfnet-igp
86 open dgp   87 open tcf   88 open eigrp   89 open ospfigp   90 open sprite-rpc
91 open larp   92 open mtp   93 open ax.25   94 open ipip   95 open micp
96 open scc-SP   97 open etherip   98 open encap   99 open unknown   100 open gmtp
101 open ifmp   102 open pnni   103 open pim   104 open aris   105 open scps
106 open qnx   107 open a/n   108 open ipcomp   109 open snp   110 open compaq-peer
111 open ipx-in-ip   112 open vrrp   113 open pgm   114 open unknown   115 open l2tp
116 open ddx   117 open iatp   118 open stp   119 open srp   120 open uti
121 open smp   122 open sm   123 open ptp   124 open isis-over-ipv4   125 open fire
126 open crtp   127 open crudp   128 open sscopmce   129 open iplt   130 open sps
131 open pipe   132 open sctp   133 open fc   134 open unknown   135 open unknown
136 open unknown   137 open unknown   138 open unknown   139 open unknown   140 open unknown
141 open unknown   142 open unknown   143 open unknown   144 open unknown   145 open unknown
146 open unknown   147 open unknown   148 open unknown   149 open unknown   150 open unknown
151 open unknown   152 open unknown   153 open unknown   154 open unknown   155 open unknown
156 open unknown   157 open unknown   158 open unknown   159 open unknown   160 open unknown
161 open unknown   162 open unknown   163 open unknown   164 open unknown   165 open unknown
166 open unknown   167 open unknown   168 open unknown   169 open unknown   170 open unknown
171 open unknown   172 open unknown   173 open unknown   174 open unknown   175 open unknown
176 open unknown   177 open unknown   178 open unknown   179 open unknown   180 open unknown
181 open unknown   182 open unknown   183 open unknown   184 open unknown   185 open unknown
186 open unknown   187 open unknown   188 open unknown   189 open unknown   190 open unknown
191 open unknown   192 open unknown   193 open unknown   194 open unknown   195 open unknown
196 open unknown   197 open unknown   198 open unknown   199 open unknown   200 open unknown
201 open unknown   202 open unknown   203 open unknown   204 open unknown   205 open unknown
206 open unknown   207 open unknown   208 open unknown   209 open unknown   210 open unknown
211 open unknown   212 open unknown   213 open unknown   214 open unknown   215 open unknown
216 open unknown   217 open unknown   218 open unknown   219 open unknown   220 open unknown
221 open unknown   222 open unknown   223 open unknown   224 open unknown   225 open unknown
226 open unknown   227 open unknown   228 open unknown   229 open unknown   230 open unknown
231 open unknown   232 open unknown   233 open unknown   234 open unknown   235 open unknown
236 open unknown   237 open unknown   238 open unknown   239 open unknown   240 open unknown
241 open unknown   242 open unknown   243 open unknown   244 open unknown   245 open unknown
246 open unknown   247 open unknown   248 open unknown   249 open unknown   250 open unknown
251 open unknown   252 open unknown   253 open unknown   254 open unknown

Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
SInfo(V=2.54BETA4%P=i686-pc-linux-gnu%D=10/19%Time=39EF4FC9%O=-1%C=-1)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Nmap run completed -- 1 IP address (1 host up) scanned in 533 seconds

/* I'm leaving the time in the prompt because it may be important */

15:48:29 root]# nc -v -v xxx.xxx.120.70 80
GET / HTTP/1.0
sent 0, rcvd 0

15:49:39 root]# nmap -sT -P0 -v -v -p1-150 xxx.xxx.120.70

Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Initiating Connect() Scan against www.censored.censored.org (xxx.xxx.120.70)
Adding TCP port 80 (state open).
The Connect() Scan took 160 seconds to scan 150 ports.
Interesting ports on www.censored.censored.org (xxx.xxx.120.70):
(The 146 ports scanned but not shown below are in state: filtered)
Port       State       Service
25/tcp     closed      smtp
80/tcp     open        http
110/tcp    closed      pop-3
119/tcp    closed      nntp

Nmap run completed -- 1 IP address (1 host up) scanned in 160 seconds

15:52:51 root]# date; while true; do nmap -sS -P0 -v -v -F xxx.xxx.120.70; sleep 2m; done
Thu Oct 19 15:56:45 EDT 2000

Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Initiating SYN Stealth Scan against www.censored.censored.org (xxx.xxx.120.70)
Adding TCP port 139 (state open).
Adding TCP port 135 (state open).
Adding TCP port 21 (state open).
Adding TCP port 65301 (state open).
Adding TCP port 515 (state open).
Adding TCP port 5000 (state open).
Adding TCP port 80 (state open).
Adding TCP port 443 (state open).
Adding TCP port 5631 (state open).
Adding TCP port 1487 (state open).
The SYN Stealth Scan took 211 seconds to scan 1073 ports.
Interesting ports on www.censored.censored.org (xxx.xxx.120.70):
(The 1063 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
515/tcp    open        printer
1487/tcp   open        localinfosrvr
5000/tcp   open        fics
5631/tcp   open        pcanywheredata
65301/tcp  open        pcanywhere

Nmap run completed -- 1 IP address (1 host up) scanned in 212 seconds

Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Initiating SYN Stealth Scan against www.censored.censored.org (xxx.xxx.120.70)
Adding TCP port 139 (state open).
Adding TCP port 1487 (state open).
Adding TCP port 21 (state open).
Adding TCP port 135 (state open).
Adding TCP port 80 (state open).
Adding TCP port 65301 (state open).
Adding TCP port 515 (state open).
Adding TCP port 443 (state open).
Adding TCP port 5000 (state open).
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
515/tcp    open        printer
1487/tcp   open        localinfosrvr
5000/tcp   open        fics
5631/tcp   open        pcanywheredata
65301/tcp  open        pcanywhere

Nmap run completed -- 1 IP address (1 host up) scanned in 21 seconds

/* WOW! For some reason the firewall shut off after a minute. I can't figure out why. If you notice, it stays on for a minute, and then goes off. When I first discovered this, I remember that it didn't stay firewalled, but rather was a total DoS, even when tried via remote proxies. After a minute, however, it went back up, but sans a firewall. My theory was that one of the IP protoscan packets caused the firewall to reboot. While it was booting, there was DoS. After it booted, it reverted to all open settings. However, I'm really not sure if this is possible. Anyway, back to our log; I wanted to make sure that nmap wasn't lying to me, so I connected */

16:04:13 root]# nc -v -v xxx.xxx.120.70 21
www.censored.censored.org [xxx.xxx.120.70] 21 (ftp) open
220 www Microsoft FTP Service (Version 4.0).
sent 0, rcvd 46

/* I've also had success connecting over other ports */

root]# exit
Script done on Thu Oct 19 16:08:07 2000

I know there's more testing that should have been done, but I was unable to do it. Maybe in the future.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
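The five "strange ICMP destunreach" dumps in the post, decoded field by field. This is an added example, not code from the post or from nmap: it parses nmap's hex byte dump (the DUMPS list is copied from the post, with the author's censored ".." tokens kept as placeholders), pulls the quoted IPv4 header of the probe out of the ICMP message, and maps the ICMP code to the -sO protocol state that the current Nmap reference guide describes (code 2 closed, code 3 open, codes 0/1/9/10/13 filtered); that table postdates the 2.54BETA4 build in the post, whose "strange" message is the page's only evidence of how it handled code 0. The function names are the example's own.

```python
import ipaddress
import struct

# The five dumps nmap -d -d printed in the post, copied as-is (one hex byte per token).
# The author replaced bytes of the scanned host's address (and one IP ID byte in the fourth dump) with "..".
DUMPS = [
    "3 0 FD FF 0 0 0 0 45 0 0 14 1D 29 0 0 26 70 E3 C C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0",
    "3 0 FD FF 0 0 0 0 45 0 0 14 D2 25 0 0 26 CC 2D B4 C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0",
    "3 0 FD FF 0 0 0 0 45 0 0 14 65 B3 0 0 26 5E 9A 94 C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0",
    "3 0 FD FF 0 0 0 0 45 0 0 14 9B .. 0 0 26 E3 63 DA C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0",
    "3 0 FD FF 0 0 0 0 45 0 0 14 63 CE 0 0 26 3B 9C 9C C0 A8 1 78 .. .. 3 3C 0 0 0 0 0 0 0 0",
]

def parse_dump(text):
    """nmap's space-separated hex tokens -> bytes; censored '..' become 0x00 and their offsets are returned."""
    raw, censored = bytearray(), []
    for offset, tok in enumerate(text.split()):
        if tok == "..":
            censored.append(offset)
            raw.append(0)
        else:
            raw.append(int(tok, 16))
    return bytes(raw), censored

def decode_icmp_unreach(raw, censored=()):
    """Decode an ICMP destination unreachable message (RFC 792) and the IPv4 header it quotes."""
    icmp_type, code, _checksum = struct.unpack("!BBH", raw[:4])
    if icmp_type != 3:
        raise ValueError(f"not destination unreachable: ICMP type {icmp_type}")
    inner = raw[8:]  # 4 unused bytes follow the checksum, then the offending datagram's IP header
    _vihl, _tos, total_len, _ident, _frag, ttl, proto, _hsum = struct.unpack("!BBHHHBBH", inner[:12])
    return {
        "code": code,
        "inner_total_len": total_len,  # 20 = a bare IPv4 header: the -sO probe carried no payload
        "inner_ttl": ttl,
        "inner_proto": proto,          # the IP protocol number this particular probe was testing
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),  # 192.168.1.120 in every dump
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "dst_censored": any(24 <= off < 28 for off in censored),  # dump offsets 24-27 = quoted dst
    }

def classify_protocol(code):
    """Dest-unreachable code -> -sO state per the current Nmap reference guide; other codes are unexpected."""
    if code == 2:
        return "closed"    # protocol unreachable
    if code == 3:
        return "open"      # port unreachable: the stack processed the probe's protocol
    if code in (0, 1, 9, 10, 13):
        return "filtered"
    return "unexpected"
```

Run over the five dumps, the quoted protocol numbers come out as 112, 204, 94, 227 and 59, each with a 20-byte quoted header and TTL 38, and every message carries code 0 rather than the code 2 (protocol unreachable) a closed protocol would produce.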
Current thread:
- Nmap -sO protocol scan apparently disables a certain firewall, allowing all sockets to pass Franklin DeMotto (Oct 24)
- nmap fun Bret Watson (Oct 26)
- RE: nmap fun Martin Machacek (Oct 27)
- Gauntlet problems - was nmap fun Bret Watson (Oct 28)
- RE: Gauntlet problems - was nmap fun Martin Machacek (Oct 28)
- RE: nmap fun Martin Machacek (Oct 27)
- Re: nmap fun Marcus J. Ranum (Oct 27)
- nmap fun Bret Watson (Oct 26)