Updated scanning techniques

[Lance Spitzner <lance () spitzner net>]

Just completed a Firewall audit for a client last week
and realized I had to updated my nmap scanning methodologies.
Two things I noticed:

1. -sA
-sA is not the option of choice any more for newer firewalls,
such as CheckPoint FW-1 ver 4.1 SP2.  As most of you know,
-sA is designed to validate firewall rulebases using ACK packets.
However, newer firewalls only allow SYN packets to build a 
session in the state table, so you can no longer initiate 
connecitons with an ACK packet.  In other words, if you test
a rule base with -sA on newer firewalls, all of the ACK 
packets will be dropped.

Solution:  Fall back to the old/dependable -sS option.

2.  Layer 2
Many times when scanning a firewall you have to use the -P0
option since the firewall denies any connections to the system.
However, sometimes you can never confirm if you successfully
scanned the firewall, as you never have any ACK or RST packets
sent back.  If you are scanning a firewall that is on the local
network (such as an audit for a client), and can't find the firewall
since it blocks everything, here is a nifty hack.

Do a quick '-sP' ping sweep.  Then, do an 'arp -a' on your system.
This will show you the MAC address for all the IP address.  Any
system that you did NOT get in your ping sweep, but you DID see
in your MAC table is most likely firewalling any packets sent to
it.  Nothing exciting, but can be helpful.

hope this helps :)

lance


--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).