Penetration Testing mailing list archives

RE: firewalk and nmap


From: Irene Abezgauz <irene.abezgauz () gmail com>
Date: Thu, 18 Aug 2005 11:35:28 +0200

Chris,

If I understand your question correctly, you are asking what
firewalking is good for nowadays.

Suppose you ran nmap on a machine, and you got "port 25 is filtered".
Now, this can be caused by one of the following: (and perhaps a few
others)

1. There is indeed a traditional firewall filtering packets for this
port.
2. There is an IPS, completely independent from the firewall. (which
realized you're doing something you're not supposed to, such as port
scanning, and started dropping your packets).
3. You are testing a stealthy machine that is configured not to return
rst, but instead just drop the packet if the port is closed.

Another scenario is - you nmap to port 25 and get "port 25 is closed".
This means SOMETHING returned an rst, but it doesn't have to be the
machine, it could be the firewall that is configured to return closed on
specific ports (yes, this happens in real life). Now, by firewalking you
can see whether the closed is initiated by the firewall or by the
machine. You check whether you get your closed AT the firewall (or get
ttl 0 from the firewall meaning it's not what returned the rst), or you
get the rst from the machine itself - another hop forward.

When you want to know what you are facing, firewalking will allow you to
test the firewall ACLs to see whether it's the firewall that's blocking
you or something else along the way (or at the destination). Then you'll
know whether you should plan an attack against the firewall, change your
port scanning method to avoid detection, think of a way to sneak past
the IDS/IPS system, or that the machine you're testing is plain evil.

Additionally, I often use firewalking to map firewall locations.

I must add however, that I am not a big fan of automatic tools
(Firewalk?), so I have not the slightest idea whether they are capable
of all of the above. All you need is Hping2 and common sense.

Hope I could help,
Irene

---------------
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com
 

-----Original Message-----
From: Christian Perst [mailto:chris_perst () gmx de] 
Sent: Wednesday, August 17, 2005 8:54 AM
To: pen-test () securityfocus com
Subject: firewalk and nmap

Hi list,

three years ago I read that firewalk is better suited for
testing ACLs on firewalls than nmap.

Today I can test with nmap whether a port on a machine is open (Syn -
Syn-ack), closed or unfiltered (Syn - Rst-ack) or filtered (Syn
- nothing).
If firewalk does the scan on the firewall in front of the server
I get open, closed and filtered. Isn't the closed port from nmap 
the same as an open port on the firewall?


e.g.

-->-------------FW--------------Server
open            22                80
ports:          80

nmap will show:
22 closed
80 open
.. filtered

firewalk:
22 A! open (port not listen)
80 A! open (port listen)
.. *no response*

If a port with nmap is closed, it surely is not filtered by the FW,
since I get a RST back.
So is there a difference anymore? Are there any settings that
firewalk can take advantage of?

Thanks,
Chris

------------------------------------------------------------------------
------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You
Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
------------------------------------------------------------------------
-------

-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.10/73 - Release Date:
8/15/2005

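The distinction both messages turn on (a "closed" or "filtered" verdict from nmap says nothing about who produced it) can be made concrete with a small model. The following is an added example, not code from either poster or from the firewalk or hping projects. It assumes a single firewall at a fixed hop count, a server directly behind it, a firewall that applies its ACL before it checks the TTL, and it uses the responder's hop distance as a stand-in for what a tester infers from the IP TTL of the reply. It reproduces Chris's nmap/firewalk table and Irene's three "filtered" causes plus the firewall-forged RST case, and adds a `locate()` step that combines a probe expiring at the firewall with a full-TTL probe, which is the check Irene describes.

```python
"""Toy model: who actually answered (or swallowed) a TCP SYN probe?

Constructed example; nothing here touches the network. The hop distance
stored in each Response models what a tester would infer from the reply's
IP TTL, since a firewall sending RST on the server's behalf forges the
server's address and only the hop count gives it away.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Rule(Enum):
    PASS = "pass"      # firewall forwards the SYN
    DROP = "drop"      # firewall silently discards it (nmap reports "filtered")
    REJECT = "reject"  # firewall answers RST itself (nmap reports "closed")


class Reply(Enum):
    SYN_ACK = "syn-ack"
    RST = "rst"
    TIME_EXCEEDED = "icmp time exceeded"


@dataclass(frozen=True)
class Response:
    kind: Reply
    hop: int  # hop distance of whoever answered


@dataclass
class Network:
    fw_hop: int            # hop count from the scanner to the firewall
    acl: dict              # port -> Rule; unlisted ports fall back to default_rule
    default_rule: Rule
    listening: set         # ports the server behind the firewall listens on
    stealth_host: bool = False  # server drops SYNs to closed ports instead of sending RST

    def probe(self, port: int, ttl: int) -> Optional[Response]:
        """Send one SYN with the given IP TTL; return who answered and how."""
        if ttl < self.fw_hop:
            # expired on an ordinary router before reaching the firewall
            return Response(Reply.TIME_EXCEEDED, ttl)
        rule = self.acl.get(port, self.default_rule)
        if rule is Rule.DROP:
            return None
        if rule is Rule.REJECT:
            # assumption: ACL is evaluated before TTL handling; the RST carries the
            # server's address as source but originates one hop short of it
            return Response(Reply.RST, self.fw_hop)
        if ttl == self.fw_hop:
            # permitted, but the TTL reaches zero at the firewall, which reports it
            return Response(Reply.TIME_EXCEEDED, self.fw_hop)
        host_hop = self.fw_hop + 1
        if port in self.listening:
            return Response(Reply.SYN_ACK, host_hop)
        if self.stealth_host:
            return None
        return Response(Reply.RST, host_hop)


def nmap_state(net: Network, port: int, ttl: int = 64) -> str:
    """What a plain SYN scan reports: it never sees where the reply came from."""
    r = net.probe(port, ttl)
    if r is None:
        return "filtered"
    if r.kind is Reply.SYN_ACK:
        return "open"
    return "closed"


def firewalk_state(net: Network, port: int) -> str:
    """Firewalk-style probe: TTL one past the firewall; any reply means the ACL passed it."""
    r = net.probe(port, net.fw_hop + 1)
    return "A! open" if r is not None else "*no response*"


def locate(net: Network, port: int) -> str:
    """Attribute the verdict: probe that expires at the firewall, then a full-TTL probe."""
    at_fw = net.probe(port, net.fw_hop)
    if at_fw is None:
        return "filtered by firewall (or an IPS dropping the probe)"
    if at_fw.kind is Reply.RST:
        return "closed by firewall (RST forged at the firewall hop)"
    # the firewall passed this port; now let the host itself answer
    full = net.probe(port, 64)
    if full is None:
        return "firewall passes; host silently drops (stealth host)"
    if full.kind is Reply.SYN_ACK:
        return "open on host"
    return "closed by host (RST one hop past the firewall)"


if __name__ == "__main__":
    # Chris's diagram: FW passes 22 and 80, server listens on 80 only
    net = Network(fw_hop=3, acl={22: Rule.PASS, 80: Rule.PASS},
                  default_rule=Rule.DROP, listening={80})
    for port in (22, 80, 443):
        print(port, nmap_state(net, port), "|", firewalk_state(net, port), "|", locate(net, port))
```

Two things the model makes visible. First, a firewall configured to REJECT with RST yields nmap "closed" exactly as a real closed port does; only `locate()`, which notices the RST arriving at the firewall's hop distance, tells them apart. Second, when the server sits directly behind the firewall, the firewalk probe at TTL `fw_hop + 1` is answered by the host itself, so a stealth host that drops closed-port SYNs looks identical to a dropping ACL ("*no response*" in both cases); the expire-at-the-firewall probe resolves that ambiguity, because a permitted port produces an ICMP time-exceeded from the firewall while a dropped one produces nothing at all.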
