Nmap Announce mailing list archives
Re: hacking TCP.
From: "Scott Havlak" <shavlak () lurhq com>
Date: Mon, 28 Jun 1999 23:14:17 -0400
Something which the nmap hackers might like to ponder over is the latest technology inside Gauntlet firewalls - the supposed ability to change a connection from proxy to packet filter and back. One would think that if different OS's were at the end points, the connection would have different fingerprints during its lifetime. Can nmap detect this?
I have done extensive testing with Gauntlet on all platforms using nmap. The Gauntlet (4.X-5.0) packet filter seems to mask the real OS fingerprint. Scan a Gauntlet firewall on ports where proxies are typically running (like 80, 21, 25, etc.) and then scan ports that are typically protected by a packet filter rule (like 514 and 6000) and compare the results. The first scan will properly detect the OS on all Unix platforms, but the second will not. Not sure of the effect the "adaptive proxy" will have, but I would imagine that it would be similar. Will be sure to try it...

S
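The comparison described in the message above, as an added example that is not part of the original post: it reads two nmap XML results for the same firewall (one scan limited to proxy ports, one to packet-filter ports) and reports whether the OS guess survives on the filtered ports. It assumes both scans were saved with `-O -oX`; the XML samples, the address and the OS name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed samples in nmap's -oX layout; not real scan data.
PROXY_PORTS_XML = """<nmaprun><host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <os>
    <portused state="open" proto="tcp" portid="80"/>
    <osmatch name="Sun Solaris 2.6" accuracy="100"/>
  </os>
</host></nmaprun>"""

FILTERED_PORTS_XML = """<nmaprun><host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <os>
    <portused state="open" proto="tcp" portid="6000"/>
  </os>
</host></nmaprun>"""


def os_guesses(xml_text, min_accuracy=90):
    """Map host address -> ports nmap fingerprinted against and OS names it matched."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address")
        os_el = host.find("os")
        if addr is None:
            continue
        ports, names = [], set()
        if os_el is not None:
            ports = sorted(int(p.get("portid")) for p in os_el.findall("portused"))
            names = {m.get("name") for m in os_el.findall("osmatch")
                     if int(m.get("accuracy", "0")) >= min_accuracy}
        hosts[addr.get("addr")] = {"ports": ports, "matches": names}
    return hosts


def compare(proxy_xml, filter_xml):
    """Classify each host present in both scans by how the two OS guesses relate."""
    proxy, filt = os_guesses(proxy_xml), os_guesses(filter_xml)
    report = {}
    for addr in sorted(proxy.keys() & filt.keys()):
        pm, fm = proxy[addr]["matches"], filt[addr]["matches"]
        if pm and not fm:
            verdict = "masked"        # OS identified via proxy ports only
        elif pm & fm:
            verdict = "consistent"    # same OS guess on both port sets
        elif pm and fm:
            verdict = "different"     # two unrelated guesses for one address
        else:
            verdict = "inconclusive"  # no usable guess from the proxy-port scan
        report[addr] = (verdict, proxy[addr]["ports"], filt[addr]["ports"])
    return report
```

A "masked" or "different" verdict for one address is the behaviour the message reports for the Gauntlet packet filter.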