Nmap Announce mailing list archives

Re: Nmap bug or am I missing something.


From: "Olaf Selke" <Olaf.Selke () mediaWays net>
Date: Sun, 14 Mar 1999 20:31:47 +0100 (MET)

According to Frank W. Keeney:

I've been messing around with nmap (on Linux) in my lab and I'm able to
port scan a Checkpoint Firewall 1 (NT Server sp4, fwt 3.0b) without
being logged. Unfortunately nmap "incorrectly" reports all the scanned
ports open. I only know which ports are open by using tcpdump or a
sniffer. 

Here are my command lines:

Nmap:

x.x.x.x is the attacked host.

nmap -sF -f -n -P0 -vv -p 20-25,250-270,5900 x.x.x.x

Scans -sF, -sX, -sN in combination with -f are not logged on fw1. Scans
with -sS -f are logged.

This is correct for Checkpoint FireWall-1 Version 3.0, even with the
latest publicly available patch, Build 3083. The firewall drops the
packets as expected but nothing is logged at all ;-(

In FireWall-1 version 4.0 (I've tested with Build 4037 VPN+DES) things
are improved and a 'nmap -f -sF' scan is logged by the firewall as

20:19:00 drop   x.x.x.x >le0 proto tcp src 62.52.134.110 dst x.x.x.x service 291 s_port 62851 rule 0 reason: TCP packet too short
20:19:00 drop   x.x.x.x >le0 proto tcp src 62.52.134.110 dst x.x.x.x service 267 s_port 62851 rule 0 reason: TCP packet too short

Olaf
-- 
Olaf Selke, olaf.selke () mediaways net, voice +49 5241 80-7069
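
As an added example that is not part of this thread, here is a small parser over FireWall-1 4.0 drop records in the field layout Olaf quotes above; it groups "TCP packet too short" drops by source and lists the distinct services each source touched, so a fragmented FIN scan that FireWall-1 3.0 would have dropped silently shows up as one source hitting several services. The sample records are constructed in the style of the quoted lines (the 10.0.0.7 record is invented as a non-matching control).

```python
import re
from collections import defaultdict

# Constructed sample in the style of the FireWall-1 4.0 log lines quoted in
# the message above (the wrapped "reason:" text is joined onto one line).
SAMPLE_LOG = """\
20:19:00 drop   x.x.x.x >le0 proto tcp src 62.52.134.110 dst x.x.x.x service 291 s_port 62851 rule 0 reason: TCP packet too short
20:19:00 drop   x.x.x.x >le0 proto tcp src 62.52.134.110 dst x.x.x.x service 267 s_port 62851 rule 0 reason: TCP packet too short
20:19:01 drop   x.x.x.x >le0 proto tcp src 62.52.134.110 dst x.x.x.x service 5900 s_port 62851 rule 0 reason: TCP packet too short
20:19:05 accept x.x.x.x >le0 proto tcp src 10.0.0.7 dst x.x.x.x service 25 s_port 40001 rule 3
"""

# Field layout taken from the quoted records: time, action, firewall host,
# direction+interface, proto, src, dst, service, s_port, rule, optional reason.
RECORD = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<action>\w+)\s+(?P<host>\S+)\s+"
    r"(?P<iface>\S+)\s+proto\s+(?P<proto>\w+)\s+src\s+(?P<src>\S+)\s+"
    r"dst\s+(?P<dst>\S+)\s+service\s+(?P<service>\S+)\s+"
    r"s_port\s+(?P<s_port>\d+)\s+rule\s+(?P<rule>\d+)"
    r"(?:\s+reason:\s+(?P<reason>.*))?$"
)

def parse_records(text):
    """Yield one dict per well-formed record; lines that do not match are skipped."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            yield m.groupdict()

def short_packet_drops_by_source(text):
    """Map src -> set of services whose packets were dropped as 'TCP packet too short'."""
    hits = defaultdict(set)
    for rec in parse_records(text):
        if rec["action"] == "drop" and rec["reason"] == "TCP packet too short":
            hits[rec["src"]].add(rec["service"])
    return hits

def suspected_scanners(text, min_services=2):
    """Sources whose short-packet drops touch at least min_services distinct services."""
    return sorted(src for src, svcs in short_packet_drops_by_source(text).items()
                  if len(svcs) >= min_services)

if __name__ == "__main__":
    for src, svcs in short_packet_drops_by_source(SAMPLE_LOG).items():
        print(src, sorted(svcs, key=int))
    print("suspected:", suspected_scanners(SAMPLE_LOG))
```

The threshold of two services is an assumption for the sample; on a real firewall the records would be read from its exported log rather than the embedded string.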
