Nmap Announce mailing list archives

Re: [PATCH] improvements and a new(?) type of scan


From: Darren Reed <avalon () coombs anu edu au>
Date: Wed, 3 Apr 2002 12:13:26 +1000 (Australia/ACT)

In some mail from Phil, sie said:
[...]
* A new(?) type of scan :
  Well, I've never seen any references to this technique nor have I heard
  anybody speaking about it, so I imagine I have the privilege to give it
  a name. I've chosen the TTL scan. (Please correct me if I'm wrong).

This has been talked about before, although I'm not sure where.
To counter this, IPFilter can enforce a "minimum ttl" for all packets
transiting it.  This is not yet available on a per-rule basis; rather
you have to decide something like "I expect all packets to have a ttl
of at least 4 to reach any publicly accessible systems".  I don't know
whether it came up on bugtraq or elsewhere, but the idea dates back to
at least December 2000.

We can get those types of results :

./nmap -sS  mymachine -p 22,23,666,667 -t 9

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on AMontsouris-103-1-1-86.abo.wanadoo.fr (193.252.8.86):
Port       State       Service
22/tcp     open        ssh
23/tcp     filtered    telnet
666/tcp    UNfiltered  unknown                  DNAT to 192.168.8.10:22
667/tcp    UNfiltered  unknown                  DNAT to 192.168.26.10:22

mmm, be nice if you could identify what sort of buggy firewall they are
running that returns untranslated addresses in the ICMP error message :)
God knows I've had enough trouble keeping that right!

Darren

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
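As an added illustration of the TTL scan and of the two points raised in this message (an IPFilter-style minimum TTL, and a NAT device that returns untranslated addresses inside the ICMP time-exceeded error), here is a self-contained Python model. It is not code from the thread, from nmap or from IPFilter; the scanner address, the internal router address, the DNAT mapping and the toy firewall's behaviour are assumptions chosen to mirror the output quoted above. Packets are built and parsed in memory with struct and nothing is put on a wire.

```python
import socket
import struct

# Assumed topology (not from the thread): the scanner probes the firewall's public
# address; 666/667 are DNATed to hosts one hop behind the firewall, 22 is served by
# the firewall itself, 23 is silently blocked.
SCANNER = "198.51.100.7"
FIREWALL = "193.252.8.86"
INTERNAL_ROUTER = "192.168.8.1"
DNAT = {666: ("192.168.8.10", 22), 667: ("192.168.26.10", 22)}
LOCAL_OPEN = {22}


def build_ipv4(src, dst, proto, ttl, payload):
    """Minimal 20-byte IPv4 header, no options; checksum left zero (never sent)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport, dport, flags):
    """20-byte TCP header; an ICMP error quotes only its first 8 bytes (ports, seq)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_time_exceeded(reporter, to, expired):
    """ICMP type 11 code 0: 4 unused bytes, then the expired IP header + 8 bytes of TCP."""
    return build_ipv4(reporter, to, 1, 64, struct.pack("!BBHI", 11, 0, 0, 0) + expired[:28])


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ttl": f[5], "proto": f[6], "src": socket.inet_ntoa(f[8]),
            "dst": socket.inet_ntoa(f[9]), "payload": pkt[(f[0] & 0x0F) * 4:]}


def firewall(probe, min_ttl=0, fix_icmp_quote=True):
    """Toy NAT firewall: returns the reply the scanner sees, or None if dropped."""
    ip = parse_ipv4(probe)
    sport, dport = struct.unpack("!HH", ip["payload"][:4])
    if ip["ttl"] < min_ttl:                      # IPFilter-style minimum TTL: drop outright
        return None
    if dport in LOCAL_OPEN:                      # service on the firewall itself: SYN/ACK
        return build_ipv4(FIREWALL, ip["src"], 6, 64, build_tcp(dport, sport, 0x12))
    if dport not in DNAT:                        # plain block, no error sent back
        return None
    ttl = ip["ttl"] - 1
    if ttl == 0:                                 # expired on the firewall; quote is the original
        return build_time_exceeded(FIREWALL, ip["src"], probe)
    new_dst, new_dport = DNAT[dport]
    translated = build_ipv4(ip["src"], new_dst, 6, ttl, build_tcp(sport, new_dport, 0x02))
    if ttl - 1 == 0:                             # expires at the internal router
        # A correct NAT rewrites the quoted header back; a buggy one leaks the DNAT target.
        quoted = probe if fix_icmp_quote else translated
        return build_time_exceeded(INTERNAL_ROUTER, ip["src"], quoted)
    # Reached the internal server: its SYN/ACK comes back source-translated to the firewall.
    return build_ipv4(FIREWALL, ip["src"], 6, 64, build_tcp(dport, sport, 0x12))


def classify(probe, reply):
    """Map one probe/reply pair to (state, reporting address, disclosed DNAT target)."""
    if reply is None:
        return "filtered", None, None
    ip = parse_ipv4(reply)
    if ip["proto"] == 6:
        return ("open" if ip["payload"][13] & 0x12 == 0x12 else "closed"), ip["src"], None
    if ip["proto"] == 1 and ip["payload"][0] == 11:
        quoted = parse_ipv4(ip["payload"][8:])
        sent = parse_ipv4(probe)
        q_port = struct.unpack("!H", quoted["payload"][2:4])[0]
        s_port = struct.unpack("!H", sent["payload"][2:4])[0]
        leak = None if (quoted["dst"], q_port) == (sent["dst"], s_port) else f"{quoted['dst']}:{q_port}"
        return "unfiltered", ip["src"], leak
    return "unknown", ip["src"], None


def ttl_scan(ports, ttl, **fw):
    """SYN-probe each port with the given TTL; returns {port: (state, reporter, leak)}."""
    out = {}
    for port in ports:
        probe = build_ipv4(SCANNER, FIREWALL, 6, ttl, build_tcp(40000 + port, port, 0x02))
        out[port] = classify(probe, firewall(probe, **fw))
    return out


if __name__ == "__main__":
    for name, opts in [("buggy NAT, ttl 2", {"fix_icmp_quote": False}),
                       ("fixed NAT, ttl 2", {}),
                       ("min-ttl 4, ttl 2", {"fix_icmp_quote": False, "min_ttl": 4}),
                       ("buggy NAT, ttl 64", {"fix_icmp_quote": False})]:
        print(name, ttl_scan([22, 23, 666, 667], ttl=64 if "64" in name else 2, **opts))
```

With a normal TTL every permitted port simply looks open, because the server's SYN/ACK comes back via the NAT. Probing with TTL 2 makes the packet die one hop inside, so a port the firewall passes shows up as unfiltered even without a listener, and a NAT that forgets to undo its translation in the quoted header hands the scanner the internal address and port. Dropping everything below a minimum TTL, as described for IPFilter above, turns all of these low-TTL probes into "filtered" at the cost of also refusing legitimate traffic that arrives with very few hops left.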