Nmap Development mailing list archives

Re: Some thoughts from Defcon ...


From: Philippe Biondi <biondi () cartel-securite fr>
Date: Mon, 18 Aug 2003 11:05:37 +0200 (CEST)

Hi,
On Thu, 14 Aug 2003, Andrew A. Vladimirov wrote:

> The general idea is to build port forwarding enumeration into nmap, e.g.
> whether the ports forwarded by the firewall are forwarded to the same
> or different hosts. This is also related to finding out whether the
> range of evaluated IPs belongs to the same or different hosts.
>
> Let's say we have a host xxx.xxx.xxx.xxx which has ports 22 and 25 open.
> From the output of tcptraceroute or better lft (which would say
> **   [firewall] the next gateway may statefully inspect packets )
> you suspect that this host is a firewall which forwards these ports to
> the sshd and sendmail behind it. Do the daemons run on the same or
> different box?


You can use scapy (http://www.cartel-securite.fr/pbiondi/scapy.html, or the
backup version http://perso.wanadoo.fr/secdev/scapy.html, as the first
one has annoying problems at the moment).

Using the TTL method is described on slide 52 of
http://www.cartel-securite.fr/pbiondi/conf/scapy_lsm2003.pdf (or use the
backup).

The timestamp method can also be implemented in less than 10 lines:

from scapy.all import IP, TCP, sr   # import added so the snippet runs as-is

target = "www.target.com"
# Send SYNs carrying a TCP Timestamp option so that each peer echoes its own TSval
ans, unans = sr(IP(dst=target)/TCP(dport=[(20,30),80,443,8080],
                   options=[('Timestamp',(1,1))]))

for s, r in ans:
    # look at the reply (r), not the probe we sent (s)
    print(r.getlayer(TCP).options)


(ok, there, I realise that I need to implement a way to extract a given
option from the array.)


Anyway, even if scapy needs a lot of resources, especially for big scans, it
will be very helpful to test new techniques.


Best regards, Phil.



-- 
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
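The step the mail leaves to the reader is what to do with the echoed TSvals. As an added example (not from Phil's mail or from scapy), the code below takes constructed (port, probe time, TSval) observations from two probes per port, fits each port's timestamp clock (tick rate and the moment the counter read zero), and groups ports whose clocks coincide, i.e. ports that are very likely served by one box behind the forwarder. Sample values and tolerances are assumptions.

```python
"""Group forwarded ports by the TCP timestamp clock that answers on them.

Added example, not from the original mail: every TCP host runs its own
timestamp counter (own tick rate, own uptime), so two ports whose TSvals
fit the same clock line are almost certainly the same host behind the
firewall. Two probes per port are assumed; the observations are constructed.
"""
from collections import defaultdict

# Constructed observations: (port, probe time in seconds, echoed TSval).
OBSERVED = [
    (22,   0.0, 1_234_000), (22,   2.0, 1_234_200),   # 100 Hz clock
    (25,   0.5, 1_234_050), (25,   2.5, 1_234_250),   # same clock -> same host
    (80,   1.0,   987_000), (80,   3.0,   989_000),   # 1000 Hz clock, other host
    (443,  1.5,   987_500), (443,  3.5,   989_500),   # same clock as port 80
    (8080, 0.0,         0), (8080, 2.0,         0),   # TSval 0: option not honoured
]

def clock_fingerprint(samples):
    """Return (rate_hz, epoch) for one port, or None if no usable clock.

    epoch is the probe-time at which this counter would have read zero;
    it absorbs uptime so that ports probed at different moments compare."""
    (t0, v0), (t1, v1) = sorted(samples)[:2]
    if (v0 == 0 and v1 == 0) or t1 == t0:
        return None
    rate = (v1 - v0) / (t1 - t0)
    if rate <= 0:               # counter must move forward
        return None
    return rate, t0 - v0 / rate

def group_ports(observed, rate_tol=0.1, epoch_tol=1.0):
    """Cluster ports whose clock rate (relative) and epoch (seconds) agree."""
    per_port = defaultdict(list)
    for port, t, tsval in observed:
        per_port[port].append((t, tsval))
    groups, unknown = [], []    # groups: [rate, epoch, [ports]]
    for port in sorted(per_port):
        fp = clock_fingerprint(per_port[port])
        if fp is None:
            unknown.append(port)
            continue
        rate, epoch = fp
        for g in groups:
            if abs(g[0] - rate) / g[0] <= rate_tol and abs(g[1] - epoch) <= epoch_tol:
                g[2].append(port)
                break
        else:
            groups.append([rate, epoch, [port]])
    return [sorted(g[2]) for g in groups], unknown

if __name__ == "__main__":
    print(group_ports(OBSERVED))   # ([[22, 25], [80, 443]], [8080])
```

Ports answered by a stack that disables TCP timestamps, or by a middlebox that rewrites them, end up in the unknown list or never line up with anything else, which is exactly what a firewall administrator would want to see from this check.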




---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).