Nmap Announce mailing list archives
RE: firewalk meets nmap - TTL (tested)
From: Lance Spitzner <lance () spitzner net>
Date: Fri, 3 Nov 2000 09:20:48 -0600 (CST)
On Fri, 3 Nov 2000, Ofir Arkin wrote:
> Some firewalls monitor for low TTL field values and will drop your packet. If there are some who will generate the ICMP time exceeded error message (and this is the firewall here generating the message) in my opinion it is a mistake, because it will reveal the firewall itself.
I definitely agree, this should be disabled, but can be difficult. Many OS's cannot disable this feature as it is part of the kernel ip_forwarding code. On many firewalls it can only be done with the firewall rulebase (and remember, many people trust their firewalls).
> In Blackhat 2K in Amsterdam I was talking about the ability to identify the Operating System one firewall might run on top because of the ICMP error messages it might generate / or spoofed answers the firewall generates instead of its protected machines.
Very cool idea. This hack will not only map your firewall rulebase, but your firewall OS type :)
> If you have a trace I would like to have a look :P
Sure, below is the technique and traces from a test. The firewall is CheckPoint FW-1 ver 4.1 SP2 on Solaris 2.7 (Ultra 5). The port 5190 TCP and port 5190 UDP are NOT filtered by the firewall. I scanned a system behind the firewall on each port with hping2, TTL set to 1 (I am 1 hop away from the firewall). Note how the firewall responds, and not the system behind the firewall I was scanning.

mozart #hping2 -c 1 -t 1 -s 53 -p 5190 -S victim
eth0 default routing interface selected (according to /proc)
HPING victim (eth0 172.16.1.107): S set, 40 headers + 0 data bytes
TTL 0 during transit from 192.168.1.254 (firewall.example.net)

mozart #hping2 -2 -c 1 -t 1 -s 53 -p 5190 -S victim
eth0 default routing interface selected (according to /proc)
HPING victim (eth0 172.16.1.107): udp mode set, 28 headers + 0 data bytes
TTL 0 during transit from 192.168.1.254 (firewall.example.net)

Now the packet traces (just for Ofir)

-*> Snort! <*-
Version 1.6.3
By Martin Roesch (roesch () clark net, www.snort.org)

11/03-09:10:36.563267 192.168.1.10:53 -> 172.16.1.107:5190
TCP TTL:1 TOS:0x0 ID:36962
**S***** Seq: 0x53C8F31C   Ack: 0x1A37A627   Win: 0x200
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/03-09:10:36.564040 192.168.1.254 -> 192.168.1.10
ICMP TTL:255 TOS:0x0 ID:31007 DF
TTL EXCEEDED
00 00 00 00 45 00 00 28 90 62 00 00 00 06 BB 40  ....E..(.b.....@
C0 A8 01 0A AC 10 01 6B 00 35 14 46 53 C8 F3 1C  .......k.5.FS...
1A 37 A6 27 50 02 02 00 22 F6 00 00              .7.'P..."...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/03-09:11:15.183464 192.168.1.10:53 -> 172.16.1.107:5190
UDP TTL:1 TOS:0x0 ID:49570
Len: 8
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/03-09:11:15.184320 192.168.1.254 -> 192.168.1.10
ICMP TTL:255 TOS:0x0 ID:31009 DF
TTL EXCEEDED
00 00 00 00 45 00 00 1C C1 A2 00 00 00 11 8A 01  ....E...........
C0 A8 01 0A AC 10 01 6B 00 35 14 46 00 08 7C 35  .......k.5.F..|5

Thoughts?
lance
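The two Snort "TTL EXCEEDED" dumps above carry the quoted original datagram, which is what lets a defender confirm that the firewall, not the protected host, answered the TTL-1 probe. The following is an added example (not code from the post or from Snort/hping2); the two payload byte strings are constructed from the hex dumps in the traces above, and the responder address 192.168.1.254 is taken from the same traces.

```python
import struct
from ipaddress import IPv4Address

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed from the two Snort "TTL EXCEEDED" dumps on this page: 4 unused
# bytes, then the quoted original IP header and the first 8 bytes of its payload.
TCP_PROBE_REPLY = bytes.fromhex(
    "00000000 45000028 90620000 0006bb40 c0a8010a ac10016b"
    "00351446 53c8f31c 1a37a627 50020200 22f60000"
)
UDP_PROBE_REPLY = bytes.fromhex(
    "00000000 4500001c c1a20000 00118a01 c0a8010a ac10016b"
    "00351446 00087c35"
)

def decode_time_exceeded(icmp_src: str, payload: bytes) -> dict:
    """Decode the datagram quoted inside an ICMP Time Exceeded payload.

    'firewall_revealed' is True when the host that sent the ICMP is not the
    probe's destination, i.e. an intermediate device (here the firewall)
    answered on behalf of the protected host.
    """
    if len(payload) < 4 + 20 + 8:
        raise ValueError("payload too short for IP header + 8 transport bytes")
    ip_hdr = payload[4:24]                      # skip the 4-byte unused field
    (version_ihl, _tos, _total_len, ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr)
    if version_ihl >> 4 != 4 or (version_ihl & 0x0F) != 5:
        raise ValueError("quoted header is not a plain 20-byte IPv4 header")
    # Source and destination ports sit at the same offsets for TCP and UDP.
    sport, dport = struct.unpack("!HH", payload[24:28])
    orig_dst = str(IPv4Address(dst))
    return {
        "orig_src": str(IPv4Address(src)),
        "orig_dst": orig_dst,
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "sport": sport,
        "dport": dport,
        "ip_id": ident,
        "quoted_ttl": ttl,          # 0 here: the device decremented before quoting
        "responder": icmp_src,
        "firewall_revealed": icmp_src != orig_dst,
    }

if __name__ == "__main__":
    for name, pkt in (("TCP", TCP_PROBE_REPLY), ("UDP", UDP_PROBE_REPLY)):
        print(name, decode_time_exceeded("192.168.1.254", pkt))
```

Both dumps decode to the probe 192.168.1.10:53 -> 172.16.1.107:5190 with the IP IDs Snort printed (36962 and 49570), while the ICMP came from 192.168.1.254, so the check flags the firewall as the responder in each case.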
Current thread:
- firewalk meets nmap - TTL Lance Spitzner (Nov 03)
- RE: firewalk meets nmap - TTL Ofir Arkin (Nov 03)
- RE: firewalk meets nmap - TTL (tested) Lance Spitzner (Nov 04)
- RE: firewalk meets nmap - TTL (tested) Ofir Arkin (Nov 04)
- RE: firewalk meets nmap - TTL (tested) Lance Spitzner (Nov 04)
- Re: firewalk meets nmap - TTL Fyodor (Nov 05)
- Re: firewalk meets nmap - TTL Mikael Olsson (Nov 08)
- RE: firewalk meets nmap - TTL Ofir Arkin (Nov 03)