Re: Nmap, Firewall Testing, Idlescan?

[Joachim Schipper <j.schipper () math uu nl>]

On Tue, Feb 01, 2005 at 02:52:57PM -0000, j_goodman00 () yahoo co uk wrote:
> Hi,
>
> I have a couple of routers at various sites which include firewalls & I would like to use nmap to test them.
>
> I have been experimenting with idlescans in an attempt to fool the firewall, but have been unsuccessful & am unsure 
> if this is the firewall working, or me failing! :)
>
> I am attempting to 'bounce' the scans off another computer of mine on a different connection:
>
> e.g.
> MyIP is 1.2.3.1
> BounceIP is 1.2.4.1
> TargetIP is 1.2.5.1
> nmap -T5 -v -P0 -sI 1.2.4.1 1.2.5.1
>
> When I look at the firewall logs they show logs along the lines of the following:
> Source 1.2.3.1 Destination:1.2.5.1
>
> Does this mean the firewall is working & successfully filtering the spoofed IP packets, or am I doing something wrong?
>
>
> Cheers,
>
> James

Dear James,

You are doing something wrong. Check that you're not behind 1.2.5.1, or
something. (The above command line works for me, using nmap 3.75, and
manages to fool the logs as expected.)

It's hard to tell whether or not the firewall works - look at nmap's
output for that! However, it shouldn't be able to find out your IP.

Otherwise, please tell me what firewall this is, for I'd dearly love to
have one! Nmap's idlescan plain scares me. (Of course, it seems to be
easier just to hack a vulnerable host somewhere, and scan from that.)

                        Joachim