Nmap Development mailing list archives

OS-detecting a firewall?


From: Andrew Lutomirski <luto () myrealbox com>
Date: Tue, 7 Feb 2006 12:33:55 -0800

I have a server with a b0rked firewall in the way.  I'm trying to identify
it.  This firewall has the property that it always RSTs ACK packets that it
sees unless they match a known connection.

So I did this:

nmap -sS -p4376 -O --fuzzy --scan-delay 500 -vvvv -d <server behind firewall>

The idea being that, since it's a closed and filtered port, I'll see the
firewall, not the server.

The results are like this:

# nmap -sS -p4376 -O --fuzzy --scan-delay 500 -vvvv XXXXXXXXXXXXX

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-07 02:36 PST
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan against XXXXXXXXXXXXX [1 port] at 02:36
The SYN Stealth Scan took 1.51s to scan 1 total ports.
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host XXXXXXXXXXXXX appears to be up ... good.
Interesting ports on XXXXXXXXXXXXX:
PORT     STATE    SERVICE
4376/tcp filtered unknown
Device type: router|general purpose
Running: Cisco IOS 12.X, Linux 2.6.X
OS details: Cisco 2611 router running IOS 12.0(7)T, Linux 2.6.11
OS Fingerprint:
T5(Resp=N)
T6(Resp=Y%DF=N%W=400%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=C00%ACK=S%Flags=AR%Ops=WNMETL)
PU(Resp=N)


Nmap finished: 1 IP address (1 host up) scanned in 10.187 seconds
               Raw packets sent: 10 (1044B) | Rcvd: 3 (166B)


# nmap -sS -p4376 -O --fuzzy --scan-delay 500 -vvvv -d XXXXXXXXXXXXX

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-07 02:37 PST
<snip>
Failed exact match #0 (0-based):
T5(Resp=N)
T6(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=C00%ACK=S%Flags=AR%Ops=WNMETL)
PU(Resp=N)

Host XXXXXXXXXXXXX appears to be up ... good.
Interesting ports on XXXXXXXXXXXXX:
PORT     STATE    SERVICE
4376/tcp filtered unknown
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.8 - 2.6.9
OS Fingerprint:
T5(Resp=N)
T6(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL)
PU(Resp=N)

Final times for host: srtt: 82557 rttvar: 82557  to: 500000

# nmap -sS -p4376 -O --fuzzy --scan-delay 2000 -vvvv -d XXXXXXXXXXXXX

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-07 02:44 PST
<snip>
PORT     STATE    SERVICE
4376/tcp filtered unknown
Device type: router|broadband router|general purpose
Running: Cisco IOS 12.X, Linksys embedded, Linux 2.6.X, Sun Solaris 8
OS details: Cisco 2611 router running IOS 12.0(7)T, Linksys WRT54G Wireless Broadband Router (Linux kernel 2.4.20), Linux 2.6.8 - 2.6.9, Sun Solaris 8
OS Fingerprint:
T5(Resp=N)
T6(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
PU(Resp=N)

Final times for host: srtt: 81853 rttvar: 81853  to: 2000000

Nmap finished: 1 IP address (1 host up) scanned in 40.189 seconds
               Raw packets sent: 10 (1044B) | Rcvd: 3 (166B)


Note the different answers.

I doubt this is an nmap bug.  I'm wondering if it could be improved,
though.  Ideally there would be a whole separate set of fingerprints for
firewalls with a feature to identify even firewalls to (partially/fully)
open ports.

Thoughts?  Is there a better way I could do this?

--Andy


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
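As an added illustration (not part of Andy's post and not Nmap's own code), the script below parses the three first-generation fingerprints shown above and reports which fields change from run to run. Only the W (window) field of the T6 and T7 RST+ACK responses moves; the DF bit, flags, ACK value and option ordering are identical every time, which is why the same device draws three different guesses. The fingerprint text is copied from the post; everything else is assumed for the example.

```python
import re
from collections import defaultdict

# The three fingerprints from the post (the responder is the firewall, not the server).
RUNS = [
    """T5(Resp=N)
T6(Resp=Y%DF=N%W=400%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=C00%ACK=S%Flags=AR%Ops=WNMETL)
PU(Resp=N)""",
    """T5(Resp=N)
T6(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL)
PU(Resp=N)""",
    """T5(Resp=N)
T6(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
PU(Resp=N)""",
]

# One test per line: NAME(field=value%field=value...)
TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")

def parse_fingerprint(text):
    """Parse first-generation Nmap fingerprint lines into {test: {field: value}}."""
    tests = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = TEST_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised fingerprint line: {line!r}")
        name, body = m.groups()
        # "Resp=Y" -> ("Resp", "Y"); a bare token such as "Resp" maps to ""
        tests[name] = dict(item.partition("=")[::2] for item in body.split("%"))
    return tests

def field_values(fingerprints):
    """Collect the value seen for each (test, field) in every run, in run order."""
    seen = defaultdict(list)
    for fp in fingerprints:
        for test, fields in fp.items():
            for key, value in fields.items():
                seen[(test, key)].append(value)
    return seen

def unstable_fields(fingerprints):
    """(test, field) -> sorted distinct values, for fields that change between runs."""
    return {k: sorted(set(v)) for k, v in field_values(fingerprints).items() if len(set(v)) > 1}

def stable_fields(fingerprints):
    """(test, field) -> value, for fields present and identical in every run."""
    n = len(fingerprints)
    return {k: v[0] for k, v in field_values(fingerprints).items() if len(v) == n and len(set(v)) == 1}

if __name__ == "__main__":
    fps = [parse_fingerprint(r) for r in RUNS]
    for (test, field), vals in sorted(unstable_fields(fps).items()):
        print(f"{test}.{field} varies between runs: {vals}")
    print("constant across runs:", stable_fields(fps))
```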