Penetration Testing mailing list archives
RE: firewalk and nmap
From: Irene Abezgauz <irene.abezgauz () gmail com>
Date: Thu, 18 Aug 2005 11:35:28 +0200
Chris,

If I understand your question correctly, you are asking what firewalking is good for nowadays.

Suppose you ran nmap on a machine, and you got "port 25 is filtered". Now, this can be caused by one of the following (and perhaps a few others):

1. There is indeed a traditional firewall filtering packets for this port.
2. There is an IPS, completely independent from the firewall (which realized you're doing something you're not supposed to, such as port scanning, and started dropping your packets).
3. You are testing a stealthy machine that is configured not to return RST, but instead just drop the packet if the port is closed.

Another scenario is: you nmap to port 25 and get "port 25 is closed". This means SOMETHING returned an RST, but it doesn't have to be the machine; it could be the firewall that is configured to return closed on specific ports (yes, this happens in real life). Now, by firewalking you can see whether the closed is initiated by the firewall or by the machine. You check whether you get your closed AT the firewall (or get TTL 0 from the firewall, meaning it's not what returned the RST), or you get the RST from the machine itself, another hop forward.

When you want to know what you are facing, firewalking will allow you to test the firewall ACLs to see whether it's the firewall that's blocking you or something else along the way (or at the destination). Then you'll know whether you should plan an attack against the firewall, change your port scanning method to avoid detection, think of a way to sneak past the IDS/IPS system, or that the machine you're testing is plain evil.

Additionally, I often use firewalking to map firewall locations.

I must add, however, that I am not a big fan of automatic tools (Firewalk?), so I have not the slightest idea whether they are capable of all of the above. All you need is Hping2 and common sense.

Hope I could help,
Irene

---------------
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com

-----Original Message-----
From: Christian Perst [mailto:chris_perst () gmx de]
Sent: Wednesday, August 17, 2005 8:54 AM
To: pen-test () securityfocus com
Subject: firewalk and nmap

Hi list,

three years ago I could read that firewalk is of better use for testing ACLs on firewalls compared to nmap. Today I can test with nmap if a port on a machine is open (Syn - Syn-ack), closed or unfiltered (Syn - Rst-ack) and filtered (Syn - nothing). If firewalk does the scan on the firewall in front of the server I get open, closed and filtered. Isn't the closed port from nmap the same as an open port on the firewall?

e.g.

  -->-------------FW--------------Server
                  open 22 80      ports: 80

  nmap will show:
  22 closed
  80 open
  .. filtered

  firewalk:
  22 A! open (port not listen)
  80 A! open (port listen)
  .. *no response*

If a port with nmap is closed, it surely is not filtered by the FW, since I get a RST back. So is there a difference anymore? Are there any settings where firewalk can take advantage of?

Thanks,
Chris
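The two scan outcomes debated in this thread, as an added example that is not part of either message: a small Python simulation of a constructed path (scanner, routers, firewall, host) showing why a plain SYN scan reports the same "closed" whether the RST came from the firewall or from the host, and how a probe with TTL one hop past the firewall tells the two apart. The model's rule that a hop expires the TTL before consulting its ACL is an assumption of the simulation, and all ports and ACLs are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    allowed: set                                 # ACL: ports forwarded towards the host
    rst_ports: set = field(default_factory=set)  # ports the firewall answers with RST itself

@dataclass
class Host:
    listening: set
    stealthy: bool = False                       # drop instead of RST on closed ports

@dataclass
class Path:                                      # scanner -> routers -> firewall -> routers -> host
    routers_before_fw: int                       # the firewall sits at hop routers_before_fw + 1
    fw: Firewall
    host: Host
    routers_after_fw: int = 0                    # the host sits routers_after_fw + 1 hops past it

def probe(path, port, ttl):
    """One SYN to `port` with IP TTL `ttl`; returns (reply, replying hop).
    Assumption: a hop expires the TTL before its ACL is consulted."""
    fw_hop = path.routers_before_fw + 1
    host_hop = fw_hop + 1 + path.routers_after_fw
    for hop in range(1, host_hop + 1):
        if hop < host_hop and ttl == hop:
            return ("ttl_exceeded", hop)         # ICMP time exceeded from this router
        if hop == fw_hop:
            if port in path.fw.rst_ports:
                return ("rst", hop)              # the "closed" came from the firewall
            if port not in path.fw.allowed:
                return ("none", None)            # silently dropped by the ACL
        if hop == host_hop:
            if port in path.host.listening:
                return ("syn_ack", hop)
            return ("none", None) if path.host.stealthy else ("rst", hop)

def nmap_state(path, port):
    """What a default SYN scan (large TTL) reports for the port."""
    reply, _ = probe(path, port, ttl=64)
    return {"syn_ack": "open", "rst": "closed", "none": "filtered"}[reply]

def firewalk_state(path, port):
    """TTL one hop past the firewall: a reply from beyond it means the ACL passes the port."""
    fw_hop = path.routers_before_fw + 1
    reply, hop = probe(path, port, ttl=fw_hop + 1)
    if reply == "none":
        return "filtered"
    return "open" if hop > fw_hop else "closed by firewall"   # RST at the firewall hop itself
```

With Chris's layout (firewall passing 22 and 80, server listening on 80 only) the simulation reproduces his nmap and firewalk columns; with a firewall that answers RST on port 25, or a silently dropping host behind one more router, the two methods diverge as Irene describes.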
Current thread:
- firewalk and nmap Christian Perst (Aug 17)
- Re: firewalk and nmap fatb (Aug 18)
- <Possible follow-ups>
- RE: firewalk and nmap Irene Abezgauz (Aug 18)