Nmap Announce mailing list archives

Re: Updated scanning techniques


From: Dug Song <dugsong () monkey org>
Date: Sat, 9 Sep 2000 17:06:18 -0400 (EDT)

On Sat, 9 Sep 2000, Lance Spitzner wrote:

> 1. -sA
> -sA is not the option of choice any more for newer firewalls, such as
> CheckPoint FW-1 ver 4.1 SP2.  As most of you know, -sA is designed to
> validate firewall rulebases using ACK packets. However, newer
> firewalls only allow SYN packets to build a session in the state
> table, so you can no longer initiate connections with an ACK packet.

are you sure this is what's happening?

from what i've heard, upon receipt of an ACK not associated with an
existing connection, Firewall-1 passes the ACK through as a window probe
(no payload) and intercepts any response from the destination itself to
determine if the connection actually exists (as it might in the case of a
firewall reboot).

the end result is the same, nmap-wise, but a bit different wrt the
stateful inspection mechanism at work.

-d.

---
http://www.monkey.org/~dugsong/
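The three firewall behaviours discussed in this thread, modelled as a toy state table so the difference (and why an ACK probe sees the same thing under the last two) is concrete. This is an added example, not code from the thread or from any firewall vendor; the policy names, the "re-learn the session if the host confirms it" rule for the FW-1 case, and the addresses are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" (SYN), "A" (ACK) or "R" (RST)

def host_reply(p: Packet, host_connections: set) -> Packet:
    """Destination host's answer to an inbound bare ACK: an ACK (window-probe
    answer) if it really holds that connection, otherwise a RST."""
    flags = "A" if (p.dst, p.dport, p.src, p.sport) in host_connections else "R"
    return Packet(p.dst, p.dport, p.src, p.sport, flags)

@dataclass
class Firewall:
    policy: str                       # "established", "syn_only" or "fw1_probe" (constructed names)
    table: set = field(default_factory=set)

    def inbound_ack(self, p: Packet, host_connections: set):
        """Handle an ACK arriving from outside; return the packet the external
        sender gets back, or None if the firewall lets nothing out."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.table:                     # known session: pass both ways
            return host_reply(p, host_connections)
        if self.policy == "established":          # old packet filter: ACK == established
            return host_reply(p, host_connections)
        if self.policy == "syn_only":             # only a SYN may create state
            return None
        if self.policy == "fw1_probe":            # forward as a window probe, intercept reply
            reply = host_reply(p, host_connections)
            if reply.flags == "A":                # host confirms (e.g. after a reboot): re-learn
                self.table.add(key)               # assumption: the firewall then passes the reply
                return reply
            return None                           # host's RST never reaches the sender
        raise ValueError(self.policy)

def scanner_view(policy: str) -> str:
    """What a bare ACK to a host that has no such connection observes
    (RST back means nmap would report the port unfiltered)."""
    fw = Firewall(policy)
    probe = Packet("198.51.100.9", 40000, "192.0.2.10", 80, "A")   # constructed addresses
    r = fw.inbound_ack(probe, host_connections=set())
    return "unfiltered" if r is not None and r.flags == "R" else "filtered"
```

Only the "established" filter leaks the host's RST; the SYN-only table and the probe-and-intercept variant both leave the sender with nothing, which is the "same result nmap-wise" point made above.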


--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
