Nmap Development mailing list archives

Re: [NSE] firewalking


From: David Fifield <david () bamsoftware com>
Date: Fri, 27 Aug 2010 13:31:14 -0600

On Fri, Aug 27, 2010 at 09:01:06PM +0200, Henri Doreau wrote:
> 2010/8/26 David Fifield <david () bamsoftware com>
>> Because the script tests every filtered port, it will be slow when there
>> are many filtered ports. I think it's okay in this case because you have
>> to supply a special script argument to activate the script. It also
>> doesn't make sense to run this script against more than one target at a
>> time unless they have a gateway in common.

> The scan is slow because it is performed sequentially, without any parallelism.
> I'm thinking about another way to implement the feature. I still have to
> think how that could be done, but maybe something like a new hybrid
> portscan/traceroute technique, or just pseudo parallelization with Lua
> threads... This could even remove the need for the gateway address, and
> simply and quickly discover ACLs for every gateway on the route, and of
> course speed up the scan.

This is a darn good idea. You could show exactly where each port starts
getting blocked.

localhost  25 80 113 443
hop-1         80 113 443
hop-2         80 113 443
hop-3         80     443
target        80     443

That may not be the best way to show it if there are a lot of ports, but
you get the idea.

I forgot to mention earlier that it would be nice to have a script
argument that lets you say which ports to firewalk. (Default would be
all filtered ports).

> I'm looking for ideas and suggestions about this, I'm sure that nmap
> hackers will have a lot! From October, I'll have a school programming
> project, in which I would like to try to implement such a thing if I
> find out a nice approach.

Good, I look forward to it. Please make the few quick changes now so
that we can get an initial version of the script in right away.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
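
The per-hop display sketched in the message above, as an added example (not code from the thread or from any Nmap script): it renders constructed firewalk results both as the hop/port matrix and as a compact list that stays readable when there are many ports. The `hops` and `reach` tables and all function names are assumptions made for illustration.

```lua
-- Constructed sample data mirroring the table in the message above.
-- hops[i] is the i-th node on the path; reach[port] is the index of the
-- last hop at which probes to that port were still seen passing.
local hops = { "localhost", "hop-1", "hop-2", "hop-3", "target" }
local reach = { [25] = 1, [80] = 5, [113] = 3, [443] = 5 }

local function sorted_ports(reach)
  local ports = {}
  for port in pairs(reach) do ports[#ports + 1] = port end
  table.sort(ports)
  return ports
end

-- Matrix form: one row per hop, one fixed-width column per port.
local function matrix(hops, reach)
  local ports, lines = sorted_ports(reach), {}
  for i, hop in ipairs(hops) do
    local cells = {}
    for _, port in ipairs(ports) do
      local text = (reach[port] >= i) and tostring(port) or ""
      cells[#cells + 1] = string.format("%-5s", text)
    end
    local row = string.format("%-10s ", hop) .. table.concat(cells, " ")
    lines[#lines + 1] = (row:gsub("%s+$", "")) -- trim trailing padding
  end
  return table.concat(lines, "\n")
end

-- Compact form for many ports: list only the hops where a port drops out.
local function summary(hops, reach)
  local blocked = {}
  for _, port in ipairs(sorted_ports(reach)) do
    local at = reach[port] + 1 -- first hop where the port is missing
    if hops[at] then           -- ports that reach the target are skipped
      blocked[at] = blocked[at] or {}
      table.insert(blocked[at], port)
    end
  end
  local lines = {}
  for i = 1, #hops do
    if blocked[i] then
      lines[#lines + 1] = string.format("blocked from %s: %s",
        hops[i], table.concat(blocked[i], ","))
    end
  end
  return table.concat(lines, "\n")
end

print(matrix(hops, reach))
print(summary(hops, reach))
```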

