Firewall Wizards mailing list archives
Re: firewalk meets nmap - TTL (fwd)
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Tue, 07 Nov 2000 20:09:42 +0100
Lance Spitzner wrote:
I sent this off to the nmap-list, was wondering what all the firewall weenies on board here thought. :0
Hah. Try that through our contrapments and all you'll get is a "DROP: TTL too low" entry in the logs >:]

On the other hand, it may very well be very effective against plenty of firewalls out there, based on what I've seen. People tend to do filtering FIRST and then pass it to "route_ip()" or whatever, which does the actual TTL decrement and check.

About a year ago, I talked to a couple of pen-testers about firewalk being able to detect hosts directly behind firewalls this way. One interesting side effect is that the firewall will have carried out address translation before passing it to the routing section, so the ICMP unreachable data passed back might contain private IPs.

If memory serves me, I think they said there was some talk about this sort of firewalking on defcon'99 (but don't take my word for it).

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00  Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636  Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/  E-mail: mikael.olsson () enternet se

On bosses and technology: "There are bosses who don't know, and there are bosses who don't know that they don't know" /Anonymous techie
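The ordering problem described in the message above, modelled as an added example that is not part of the original post or any product's code: one pipeline filters and translates before the TTL check, the other checks the TTL first. The addresses, port policy and all function names are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed values: documentation-range public address, RFC 1918 internal host.
NAT_MAP = {"203.0.113.10": "10.0.0.5"}   # destination NAT, public -> internal
ALLOWED_PORTS = {80}                      # the only port the policy passes

@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    ttl: int

def filter_then_route(pkt):
    """Filter and NAT first, TTL check last (the ordering the post warns about)."""
    if pkt.dport not in ALLOWED_PORTS:
        return {"verdict": "DROP: policy"}
    pkt = replace(pkt, dst=NAT_MAP.get(pkt.dst, pkt.dst))
    if pkt.ttl <= 1:
        # The ICMP error quotes the header as it looked when the TTL expired,
        # which is after translation.
        return {"verdict": "ICMP time-exceeded", "quoted_dst": pkt.dst}
    return {"verdict": "FORWARD"}

def ttl_check_first(pkt):
    """Reject expiring packets before policy or NAT has touched them."""
    if pkt.ttl <= 1:
        return {"verdict": "DROP: TTL too low"}
    if pkt.dport not in ALLOWED_PORTS:
        return {"verdict": "DROP: policy"}
    return {"verdict": "FORWARD"}

def audit(pipeline):
    """Send TTL=1 packets at an allowed and a blocked port; report what leaks."""
    allowed = pipeline(Packet("203.0.113.10", 80, ttl=1))
    blocked = pipeline(Packet("203.0.113.10", 23, ttl=1))
    return {
        "ruleset_visible": allowed != blocked,
        "internal_ip_exposed": allowed.get("quoted_dst") in NAT_MAP.values(),
    }

if __name__ == "__main__":
    for pipeline in (filter_then_route, ttl_check_first):
        print(pipeline.__name__, audit(pipeline))
```

With the TTL check moved ahead of filtering, both probes get the same verdict and nothing translated is ever quoted back.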