Firewall Wizards mailing list archives
nmap fun
From: Bret Watson <lists () ticm com>
Date: Tue, 24 Oct 2000 17:58:44 +0800
Whilst we are looking at nmap... has anyone noticed that scanning an address range "protected" by Gauntlet 5.x, interesting things appear?
Such as being able to identify all the ports that are open on the hosts behind the firewall?
What makes it really interesting for me is that an application proxy should never reply for ports that are not permitted, but what seems to happen is that if one makes a TCP connect to an address protected by Gauntlet and this port is available on the machine, then Gauntlet will tell you to go away, but if the port is not open on the machine behind the wall then Gauntlet will not respond at all...
Thusly, one can do a TCP Connect scan of an address space covered by Gauntlet and get all the machines with their open ports - scary huh?
This works on NT and Solaris under the latest version of Gauntlet. NAI has been asked (a couple of months ago even!) - no answer.
Cheers, Bret

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
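The response oracle Bret describes, modelled as an added example (not code from the post, from Gauntlet or from NAI): a proxy whose reply depends on the backend port state leaks that state to anyone who can complete a connect, while a proxy whose reply depends only on the rule does not. The rule set, backend ports and function names below are constructed assumptions.

```python
"""Constructed model of the Gauntlet behaviour reported in the post: compare a
proxy that answers according to backend state with one that answers only
according to its own policy, and check which ports leak backend state."""

# Observable outcomes of the client's connect() attempt
RESET = "reset"    # firewall actively refuses ("tells you to go away")
SILENT = "silent"  # no reply at all; the client times out
ACCEPT = "accept"  # proxied connection established

# Constructed rule set: port -> permitted through the proxy?
RULES = {22: False, 25: True, 80: True, 139: False}
# Constructed backend: ports actually listening behind the firewall
BACKEND_OPEN = {22, 25}


def leaky_proxy(port_permitted: bool, backend_open: bool) -> str:
    """Behaviour described in the post: a reply is only sent when the
    backend port is open, so silence means 'closed behind the wall'."""
    if backend_open:
        return ACCEPT if port_permitted else RESET
    return SILENT


def hardened_proxy(port_permitted: bool, backend_open: bool) -> str:
    """Decision keyed on the rule alone; backend state never changes the
    externally visible answer for a non-permitted port."""
    if not port_permitted:
        return SILENT
    return ACCEPT  # permitted: proxy accepts, backend is contacted after accept


def observed(proxy, rules=RULES, backend_open=BACKEND_OPEN) -> dict:
    """What a client connecting to each ruled port sees through `proxy`."""
    return {p: proxy(allowed, p in backend_open) for p, allowed in rules.items()}


def leaking_ports(proxy, rules=RULES) -> list:
    """Ports where the visible reply differs between backend-open and
    backend-closed, i.e. where the proxy reveals backend port state."""
    return sorted(p for p, allowed in rules.items()
                  if proxy(allowed, True) != proxy(allowed, False))


if __name__ == "__main__":
    print("leaky   :", observed(leaky_proxy), "leaks", leaking_ports(leaky_proxy))
    print("hardened:", observed(hardened_proxy), "leaks", leaking_ports(hardened_proxy))
```

The check worth keeping from this is `leaking_ports`: for a correctly behaving proxy it must be empty for every non-permitted port, regardless of what is listening behind it.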