Penetration Testing mailing list archives
RE: DENY x REJECT
From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 8 Oct 2001 11:26:28 +0200
Rosenau,

The best way to differentiate between a port which the firewall is configured to "drop" a packet(s) and a port the firewall is configured to "reject" a packet(s) is to look for the ICMP Error Message (Destination Unreachable - Communication with Destination Network is Administratively Prohibited) as you stated.

Today, I am not familiar with any tool parsing the ICMP Error message coming from a port which the firewall rejects the packets for.

As a rule of thumb, configuring a firewall to "reject" rather than "drop" is a mistake. The firewall needs to be as transparent as possible for traffic going through.

Other than differentiating between a port which is filtered "reject" or filtered "drop", you can differentiate between the operating systems the firewall is installed on (if this is a software based firewall). Then the best friend you have is your sniffer. You can look at several parameters very easily to establish your conclusion. It can range from the IP Time-To-Live field, to even changing/crafting the offending packet and looking for several changes with the ICMP Error message produced by the firewall.

I bet adding this functionality to NMAP is easy. I will be looking to add this functionality to Xprobe as well.

Resources you can use are:

Xprobe & X: http://www.sys-security.com/html/projects/X.html [Version 0.2.x soon to be released]

ICMP Usage in scanning research (more details): http://www.sys-security.com/html/projects/icmp.html

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: Rosenau [mailto:rosenau () netsec com br]
Sent: Wednesday, 03 October 2001 17:53
To: pen-test () securityfocus com
Subject: DENY x REJECT

Hi

Does anybody know a port scanner that could distinguish a "deny" filtered tcp port (firewall drops packets for the port) from a "reject" filtered tcp port (firewall returns an ICMP - port unreachable)?

Nmap seems to report both cases simply as "filtered". Actually, both cases are filtered, but when you receive an ICMP, you can be sure that the port is really filtered. If you do not receive anything, the port could be filtered, or packets could have been lost...

Regards,
Rosenau.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
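The check discussed in the message above, reading the ICMP Destination Unreachable message out of a sniffer capture to tell a "reject" rule from a "drop" rule when auditing your own firewall policy, can be sketched as follows. This is an added example, not part of the original post and not code from Nmap or Xprobe; the function names and the sample packet (documentation addresses, zero checksums) are constructed for illustration.

```python
import struct

# ICMP type 3 (Destination Unreachable) codes a rejecting filter may send.
REJECT_CODES = {3: "port unreachable",
                9: "network administratively prohibited",
                10: "host administratively prohibited",
                13: "communication administratively prohibited"}

def parse_icmp_error(packet: bytes):
    """Return details of an ICMP type 3 error quoting a TCP probe, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:      # protocol 1 = ICMP
        return None
    if packet[ihl] != 3:                             # not Destination Unreachable
        return None
    inner = packet[ihl + 8:]                         # quoted offending datagram
    if len(inner) < 20 or inner[9] != 6:             # protocol 6 = TCP
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:
        return None
    dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    code = packet[ihl + 1]
    return {"responder": ".".join(map(str, packet[12:16])),
            "ttl": packet[8],                        # TTL of the error, as seen by the sniffer
            "code": code,
            "meaning": REJECT_CODES.get(code, "other unreachable"),
            "target": ".".join(map(str, inner[16:20])),
            "dport": dport}

def classify(probed_ports, captured):
    """Label each probed port that received no TCP answer."""
    rejected = {e["dport"]: e for e in map(parse_icmp_error, captured) if e}
    return {p: ("reject: " + rejected[p]["meaning"]) if p in rejected
            else "drop or packet loss" for p in probed_ports}

def ipv4(proto, src, dst, ttl, payload):
    # Builds a constructed sample IPv4 header (checksum 0, not validated above).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       ttl, proto, 0, bytes(src), bytes(dst)) + payload

# Constructed sample: 192.0.2.1 rejects a SYN sent to 198.51.100.7 port 23.
PROBE = ipv4(6, (203, 0, 113, 5), (198, 51, 100, 7), 60, struct.pack("!HHI", 40000, 23, 1))
SAMPLE = ipv4(1, (192, 0, 2, 1), (203, 0, 113, 5), 254, struct.pack("!BBHI", 3, 13, 0, 0) + PROBE)
```

A port that maps to "drop or packet loss" stays ambiguous, which is the uncertainty raised in the original question; only the ICMP error is positive evidence of a filter.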