Nmap Development mailing list archives
Re: Idle Scanning behind stateful firewalls
From: "uz - do not reply" <spam () verisign com>
Date: Fri, 26 Mar 2004 17:59:08 +0100
Hi Glyn,

Your goal is perfectly understandable.
A long time ago I created an nmap patch for a very old nmap version that allows scanning the Internet to find idle hosts and performing idle host scanning using ICMP packets (echo/reply) rather than SYN/ACK. This feature could help you if the firewall allows ICMP packets to the zombie and if it doesn't perform anti-spoofing protection (internal IPs knocking at the external interface). IMHO, you should first validate that anti-spoofing is not used by using the antirez hping tool manually.
My patch was published on the www.isecurelabs.com website. I didn't advertise it on this list or anywhere else on the Internet because of the very poor quality of the code (I wanted to make it more "clean" before releasing it worldwide). Unfortunately I haven't found/taken time to achieve this goal.
I think idle host scanning is one of the most interesting scanning approaches because it makes it possible to perform an "internal" scan (like what you are trying to do) using only one reachable computer.
I'd be really interested in finding such a feature coded into nmap (idle host scanning using ICMP, SYN flagged or UDP packets)... Is there any good soul with some free time out there? ;)
Feel free to contact me (uzy at isecurelabs . com) if you want to have a look at the patch file in order to produce something that could really be called "code".
Regards,
uZy
nmap () moiler com writes:
> Hi Paul,
>
> Yep - but if the zombie and target are behind the stateful firewall, then nmap's SYNs could get through to the target, the target's SYN/ACKs would hit the zombie and nmap's SYNs would get through the stateful firewall where SYN/ACKs wouldn't. This one might need a picture!
>
> Glyn Geoghegan.
>
> -----Original Message-----
> From: Paul Johnston [mailto:paul () westpoint ltd uk]
> Sent: 26 March 2004 20:40
> To: Glyn Geoghegan
> Cc: nmap-dev () insecure org
> Subject: Re: Idle Scanning behind stateful firewalls
>
> Glyn,
>
> For idle scan to work, SYN ACK packets from the target host must get through to the zombie. If these don't get through then the scan won't work, regardless of what packets nmap uses to probe the ipid on the zombie.
>
> Paul
>
> > But, because nmap uses a SYN/ACK, its probes get dropped by any stateful
> > devices (coz they aren't part of an active connection), preventing their use
> > as zombies.
> >
>
> --
> Paul Johnston
> Internet Security Specialist
> Westpoint Limited
> Albion Wharf, 19 Albion Street,
> Manchester, M1 5LN
> England
> Tel: +44 (0)161 237 1028
> Fax: +44 (0)161 237 1031
> email: paul () westpoint ltd uk
> web: www.westpoint.ltd.uk
---------------------------------------------------------------------For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
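Paul's point (the target's SYN/ACK must reach the zombie), Glyn's observation (a stateful device drops the SYN/ACK probe) and uZy's two caveats (ICMP probes only help if ICMP is allowed, and anti-spoofing defeats the forged SYN) can be checked against a small packet-free model. This is an added example, not code from the thread, from nmap or from the patch; the `Zombie`, `Firewall` and `idle_scan` names, the packet labels and the counter values are constructed for the model, and nothing is sent on the wire.

```python
# Model of the IP ID side channel behind idle scan, used to show which
# perimeter controls break the inference. All hosts and flags are constructed.
from dataclasses import dataclass


@dataclass
class Zombie:
    """Host whose global IP ID counter increments once per packet it sends."""
    ipid: int = 1000

    def receive(self, pkt: str):
        # RFC 793 style: an unsolicited SYN/ACK draws a RST and an ICMP echo
        # draws an echo reply (both consume an IP ID); an unsolicited RST draws
        # nothing, so the counter does not move.
        if pkt in ("SYN/ACK", "ICMP-echo"):
            self.ipid += 1
            return self.ipid          # IP ID of the reply the scanner observes
        return None


@dataclass
class Firewall:
    """Perimeter between the scanner and the inside network."""
    stateful: bool = False    # drop TCP replies that belong to no known connection
    anti_spoof: bool = False  # drop outside packets claiming an inside source address
    allow_icmp: bool = True

    def passes(self, pkt: str, spoofed_inside_src: bool = False) -> bool:
        if self.anti_spoof and spoofed_inside_src:
            return False
        if pkt == "ICMP-echo":
            return self.allow_icmp
        return not (self.stateful and pkt in ("SYN/ACK", "RST"))


def idle_scan(zombie, fw, port_open, probe="SYN/ACK", target_inside=True):
    """What a scanner outside `fw` would conclude about one target port.
    target_inside=True: zombie and target share the perimeter (the thread's
    setup); False: the target's reply must cross `fw` to reach the zombie."""
    before = zombie.receive(probe) if fw.passes(probe) else None
    if before is None:
        return "probe dropped"            # Glyn's case: the SYN/ACK probe has no state
    # SYN to the target forged with the zombie's (inside) address as source
    if target_inside and not fw.passes("SYN", spoofed_inside_src=True):
        return "spoofed SYN dropped"      # uZy's anti-spoofing caveat
    reply = "SYN/ACK" if port_open else "RST"
    if target_inside or fw.passes(reply):
        zombie.receive(reply)             # zombie answers a SYN/ACK, ignores a RST
    after = zombie.receive(probe)
    # two increments mean the zombie answered the target's SYN/ACK (Paul's point)
    return "open" if after - before == 2 else "closed or filtered"
```

With `stateful=True` and an ICMP probe the scan works again only while both hosts share the perimeter; once the target's SYN/ACK has to cross the stateful device, every port reads as closed or filtered.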