Re: Idle Scanning behind stateful firewalls

["uz - do not reply" <spam () verisign com>]

Hi Glyn, 

Your goal is perfectly understandable. 

A long time ago I created a nmap patch for a very old nmap version that
allows to scan the Internet to find idle hosts and to perform idle host
scanning using ICMP packets (echo/reply) rather than SYN/ACK. This feature
could help you if the firewall allows icmp packets to the zombie and if it
doesn't perform an anti-spoofing protection (internal IPs knocking at the
external interface). IMHO, you should first validate that anti-spoofing is
not used by using the antirez hping tool manually. 

My patch was published on the www.isecurelabs.com website.
I didn't advertise it on this list or anywhere else on the Internet because
of the very poor quality of the code (I wanted to make it more "clean"
before releasing it worldwide). Unfortunaly I haven't found/taken time to
achieve this goal. 

I think idle host scanning is one of the most interesting scanning approach
because it makes it possible to perform an "internal" scanning (like what
you are trying to do) using only one reachable computer. 

I'd be really interested in finding such a feature coded into nmap (idle
host scanning using icmp, SYN flagged or UDP packets)... Is there any good
soul with some free time out there ? ;) 

Feel free to contact me (uzy at isecurelabs . com) if you want to have a
look at the patch file in order to produce something that could really be
called "code". 

Regards,
uZy 


nmap () moiler com writes: 

> Hi Paul, 
>
> Yep - but if the zombie and target are behind the stateful firewall, then
> nmap's SYNs could get through to the target, the target's SYN/ACKs would hit
> the zombie and nmap's SYN's would get through the stateful firewall where
> SYN/ACKs wouldn't.  This one might need a picture! 
>
> Glyn Geoghegan. 
>
> > -----Original Message-----
> > From: Paul Johnston [mailto:paul () westpoint ltd uk] 
> > Sent: 26 March 2004 20:40
> > To: Glyn Geoghegan
> > Cc: nmap-dev () insecure org
> > Subject: Re: Idle Scanning behind stateful firewalls 
> >
> > Glyn, 
> >
> > For idle scan to work, SYN ACK packets from the target host must get 
> > through to the zombie. If these don't get through then the scan won't 
> > work, regardless of what packets nmap uses to probe the ipid 
> > on the zombie. 
> >
> > Paul 
> >
> > >But, because nmap uses a SYN/ACK, its probes get dropped by 
> > any stateful
> > >devices (coz they aren't part of an active connection), 
> > preventing their use
> > >as zombies.
> > >  
> > >
> > --
> > Paul Johnston
> > Internet Security Specialist
> > Westpoint Limited
> > Albion Wharf, 19 Albion Street,
> > Manchester, M1 5LN
> > England
> > Tel: +44 (0)161 237 1028
> > Fax: +44 (0)161 237 1031
> > email: paul () westpoint ltd uk
> > web: www.westpoint.ltd.uk 
> >
> >  
>  
>
> ---------------------------------------------------------------------
> For help using this (nmap-dev) mailing list, send a blank email to 
> nmap-dev-help () insecure org . List archive: http://seclists.org 



---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org