Firewall Wizards mailing list archives

Re: firewalk meets nmap - TTL (fwd)


From: Chris Boscolo <chrisb () watchguard com>
Date: Sun, 5 Nov 2000 14:27:36 -0800 (PST)


This is a pretty clever scan.  But, I think the results are going to
vary across Firewalls.  The issue is, does TTL processing happen
before or after rule lookup.

If the packet is not destined for the Firewall itself, (the firewall is
acting as a router), I'd argue it should always send an ICMP TTL
expired.  This would minimize the information gained by the scan.

Alternatively, the Firewall could be configured to never send ICMP
Errors, which would also limit information gathered in this type of
scan.  (But, obviously, might also cause valid connections to not work
properly.)

  -chrisb

On Saturday 4-November, Lance Spitzner wrote (id <Pine.LNX.4.21.0011042112330.3112-100000 () marge spitzner net>):
 %I sent this off to the nmap-list, was wondering what
 %all the firewall weenies on board here thought. :0
 %
 %-- 
 %Lance Spitzner
 %http://www.enteract.com/~lspitz
 %
 %---------- Forwarded message ----------
 %Date: Thu, 2 Nov 2000 23:00:53 -0600 (CST)
 %From: Lance Spitzner <lance () spitzner net>
 %To: nmap-hackers () insecure org
 %Subject: firewalk meets nmap - TTL
 %
 %I'm not sure if anyone has thought of this, but this
 %would be a REALLY cool feature for auditing firewall
 %rulebases.  Say you want to determine what ports a
 %firewall allows through, what ports are NOT filtered.
 %
 %Have the option with nmap to set the TTL on the packets
 %it sends.  I set the TTL to be the same as the amount
 %of hops to the firewall I am scanning.  If the packet is
 %filtered by the firewall, then it is dropped and nothing
 %is sent back.
 %
 %However, if the packet is accepted by the firewall (and
 %the port is not filtered), the firewall will attempt to
 %forward it.  However, the TTL will now be zero and the
 %firewall will respond with ICMP TTL expired error message.
 %You can now map what ports are passed through the firewall
 %(i.e. not filtered) without a packet ever passing through the
 %firewall.
 %
 %firewalk meets nmap
 %
 %thoughts?
 %
 %-- 
 %Lance Spitzner
 %http://www.enteract.com/~lspitz
 %
 %
 %
 %
 %_______________________________________________
 %firewall-wizards mailing list
 %firewall-wizards () nfr com
 %http://www.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
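The point in Chris's reply is that what the TTL probe reveals depends on whether the firewall expires the TTL before or after it consults its rulebase. The following Python model is an added example, not code from either poster or from nmap or firewalk: it models a transit firewall in both orders, shows which ports a TTL-expiry probe can distinguish in each case, and adds a simple detector a firewall log reviewer could use to spot this probing pattern. The firewall model, the allowed-port list, the addresses and the log records are all constructed for the example.

```python
"""Model of the two TTL-handling orders discussed in the thread, plus a
detector for TTL-expiry probing.  Added example; the firewall model,
port lists, addresses and log records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    ttl: int  # TTL as the packet arrives at the firewall's inbound interface


@dataclass
class Firewall:
    allowed_ports: frozenset
    ttl_before_rules: bool  # True: expire the TTL before the rule lookup

    def handle(self, pkt: Packet) -> str:
        """Return 'icmp_ttl_expired', 'drop' or 'forward' for a transit packet."""
        # Routing decrements the TTL; a packet reaching zero cannot be forwarded.
        expired = pkt.ttl - 1 <= 0

        if self.ttl_before_rules:
            # Router behaviour first: every expiring packet gets the ICMP error,
            # whether or not the rulebase would have passed it.
            if expired:
                return "icmp_ttl_expired"
            return "forward" if pkt.dport in self.allowed_ports else "drop"

        # Rule lookup first: filtered ports are silently dropped, so only
        # permitted ports ever reach the forwarding step where the TTL expires.
        if pkt.dport not in self.allowed_ports:
            return "drop"
        return "icmp_ttl_expired" if expired else "forward"


def ports_revealed(fw: Firewall, probe_ports) -> frozenset:
    """Ports that answer a probe whose TTL expires at the firewall.

    A sender that sets the TTL to the hop count of the firewall delivers a
    packet arriving with TTL 1.  With rules-first processing the answering
    set equals fw.allowed_ports (the rulebase leaks); with TTL-first
    processing every port answers, so the probe learns nothing."""
    return frozenset(
        p for p in probe_ports
        if fw.handle(Packet("probe", p, ttl=1)) == "icmp_ttl_expired"
    )


def flag_ttl_probe_sources(log, min_ports: int = 5) -> set:
    """Sources whose packets expire at the firewall across many distinct
    destination ports: the signature of the probe discussed in the thread.
    Ordinary transit traffic arrives with a TTL well above 1, and a genuine
    traceroute touches one or two ports, so a wide spread of ports is the
    distinguishing feature."""
    per_src = defaultdict(set)
    for pkt in log:
        if pkt.ttl <= 1:
            per_src[pkt.src].add(pkt.dport)
    return {src for src, ports in per_src.items() if len(ports) >= min_ports}


# Constructed sample log: normal traffic plus one TTL-1 sweep over six ports.
SAMPLE_LOG = [
    Packet("192.0.2.10", 80, 57),
    Packet("192.0.2.11", 443, 62),
    Packet("192.0.2.12", 25, 49),
    Packet("203.0.113.5", 33434, 1),  # a lone traceroute hop, not a sweep
] + [Packet("198.51.100.7", p, 1) for p in (21, 22, 23, 25, 80, 443)]

ALLOWED = frozenset({25, 80, 443})

if __name__ == "__main__":
    rules_first = Firewall(ALLOWED, ttl_before_rules=False)
    ttl_first = Firewall(ALLOWED, ttl_before_rules=True)
    probe = range(1, 1025)
    print("rules-first reveals:", sorted(ports_revealed(rules_first, probe)))
    print("ttl-first reveals:  ", len(ports_revealed(ttl_first, probe)), "ports (all)")
    print("flagged sources:    ", flag_ttl_probe_sources(SAMPLE_LOG))
```

Running the model makes the reply's argument concrete: with the rulebase consulted first, the set of ports that return an ICMP time-exceeded message is exactly the allowed set, while a firewall that behaves as a router first answers on every port and the probe distinguishes nothing. The detector is the complement for sites that cannot change the processing order or suppress ICMP errors: a single source whose packets expire at the firewall on many distinct ports is the pattern to alert on.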