Re: Firewall Scan

[Chris Brenton <cbrenton () chrisbrenton org>]

Greets,

Actually, I believe Fydor dropped the Echo-Request probe in 4.x. nmap
simply hits TCP/80 with a SYN or ACK, depending on the version. Either
way, don't think this is nmap getting confused as hping produces similar
results and it never probes first.

IPv7,

Try setting some TCP options. Little trick I use with many clients (if
they are willing to run an open source firewall) is to filter out all
packets where the TCP header is 20 bytes. Every modern OS uses some
number of TCP options. The only time you see no options set is SYN
floods or port scanning.

HTH,
C

On Mon, 2009-06-29 at 10:25 -0300, Guilherme Alves wrote:
> You should consider "-P0" to prevent ping before scan.
> This can help with systems that block ping and mix up Nmap.
>
>
> reference: [http://nmap.org/book/man-host-discovery.html]
>
>
>
>
> On Wed, Jun 24, 2009 at 4:44 PM, IPv7 <listas.internet () gmail com> wrote:
> > Hello Guys,
> >
> > I was doing a normal TCP Scan on port 5900, when I found a strange result:
> >
> > 1st I did a normal TCP scan with Nmap
> >
> > Onix:~# nmap -p 5900 x.x.x.x
> >
> > Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:52 ART
> > Interesting ports on x.x.x.x:
> > PORT     STATE  SERVICE
> > 5900/tcp closed vnc
> >
> > Nmap done: 1 IP address (1 host up) scanned in 0.361 seconds
> >
> > But.. if I use telnet/nc with this port, they can connect:
> > Onix:~# telnet x.x.x.x 5900
> > Trying x.x.x.x...
> > Connected to x.x.x.x.
> > Escape character is '^]'.
> > RFB 003.003
> >
> > ^C
> > What? I can connect..
> > Ok, I will perform a more detailed scan:
> >
> > Onix:~# hping -S  -p 5900 x.x.x.x
> > HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
> > len=46 ip=x.x.x.x ttl=56 id=16854 sport=5900 flags=RA seq=0 win=512 rtt=2.6 ms
> > ^C
> > --- x.x.x.x hping statistic ---
> > 1 packets transmitted, 1 packets received, 0% packet loss
> > round-trip min/avg/max = 2.6/2.6/2.6 ms
> >
> > This host return an Reset/ACK, it should be ok if the port was closed,
> > but I can connect with him.
> >
> > WINDOWS SCAN:
> >
> > Onix:~# nmap -sW -p 5900 x.x.x.x
> >
> > Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:57 ART
> > Interesting ports on x.x.x.x:
> > PORT     STATE SERVICE
> > 5900/tcp open  vnc
> >
> > Nmap done: 1 IP address (1 host up) scanned in 0.051 seconds
> >
> > Ok, I will look the TCP Windows:
> > First I try to send a TCP Packet with WIN=1
> >
> > Onix:~# hping -S -w 1  -p 5900 x.x.x.x
> > HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
> > len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8 ms
> > ^C
> > --- x.x.x.x hping statistic ---
> > 1 packets transmitted, 1 packets received, 0% packet loss
> > round-trip min/avg/max = 7.8/7.8/7.8 ms
> >
> > In the most cases, shouldn't this host respond with its suggestion of
> > window's size??
> >
> > Then I sent the same with WIN=4096
> >
> > Onix:~# hping -S -w 4096  -p 5900 x.x.x.x
> > HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
> > len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8 ms
> > ^C
> > --- x.x.x.x hping statistic ---
> > 1 packets transmitted, 1 packets received, 0% packet loss
> > round-trip min/avg/max = 7.8/7.8/7.8 ms
> >
> >
> > I can't understad this!
> > Some idea?
> >
> >
> > --
> > ---------------------------------------
> > -   El conocimiento es poder   -
> > - y el saber nos hace libres.    -
> > ----------------------------------
> > netvulcano.wordpress.com
> > Linux User #405757
> > Machine Linux #310536
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification Review Board
> >
> > Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB 
> > CPT and CEPT certs require a full practical examination in order to become certified.
> >
> > http://www.iacertification.org
> > ------------------------------------------------------------------------
>
>
>
> --
> Guilherme Alves
>
> GRIS - Grupo de Resposta a Incidentes de Segurança
>           (Computer Security Incident Response Team)
>          www.gris.dcc.ufrj.br
> DCC - Departamento de Ciência da Computação
>           (Computer Science Department - UFRJ)
>           www.dcc.ufrj.br
> UFRJ - Universidade Federal do Rio de Janeiro
>          (Federal University of Rio de Janeiro - Brazil)
>          www.ufrj.br
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified. 
>
> http://www.iacertification.org
> ------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------