Re: Difficulties in Network Mapping & port scanning

["Don Parker" <dparker () bridonsecurity com>]

Hi David,

Well people use the same tried and true scanning/probing attempts for they 
still work. That said even
if the firewall, or router drops them you can still glean something from 
that. You would of course need
to be logging your probing via tcpdump or windump. Once done you can then go 
over your activity
and confirm what it is that you noted.

It is not so much that you will get nothing from the f/w dropping/blocking 
most of the well known scan attempts,
but rather that people don't really have an in-depth knowledge of the TCP/IP 
protocol suite. Were they to
have one then there is still a lot of information to be gleaned from a 
dropped or reset packet. Also in seeing
what triggers an IP address to be shunned by the f/w. At what rate does this 
happen when sending SYN
packets and the like. You have to be creative and think beyond the tired and 
true SYN scan.

You can make certain conclusions as to what the operating system is, what 
firewall it is, and so on by probing
it with low level packeting (new word I think!). There is profiling 
information to be had in the stimulus or lack
thereof when conducting the first steps in a pen test. Problem is, can the 
pentester make sense of it. To that
end one should always try and present a solution for a problem. There is a 
good course that is offered by a friend
of mine, which will help the pen tester get the most from low level packet 
probing.

http://www.rigelksecurity.com/Training/training_TCPIP.html

Hope this helps,

Don

----- Original Message ----- 
From: "David Ball" <lostinvietnam () hotmail com>
To: <pen-test () securityfocus com>
Sent: Tuesday, January 03, 2006 5:23 AM
Subject: Difficulties in Network Mapping & port scanning


> Hi all
>
> Many publications detail nmap port scanning techniques but make many 
> assumptions. The truth is that a properly configured Stateful Firewall 
> will drop even the more esoteric nmap port scanning techniques (Null, 
> Xmas, Fin, ACK scans). Even fragmenting port scans isn't always successful 
> (namely nmap -f and fragrouter). So a pen-tester is stuck with a 
> Firewalled public facing DNS or mail server but with difficulties getting 
> a reliable port scan to that machine. What I would be interested to hear 
> are people's real life experiences port scanning networks where stateful 
> firewalling is properly architected and configured.
>
> Same applies to ICMP network mapping. Any Network Admin worth his salt 
> will block outbound ICMP echo replies and time exceeded messages so 
> traditional traceroute and ping won't work. Sure there are plenty of 
> networks out there who aren't so security aware but for the sake of 
> arguement let's say an existing client has done this. What options are 
> left to map a network where ICMP messages are properly controlled? Are 
> there IMCP mapping techniques based on source quench and Path MTU 
> discovery messages? Paratrace is an interesting twist on the more 
> traditional mapping techniques which I'm investigating as is 
> tcptraceroute. So same question as the above - what other real life 
> examples can someone quote that get around ICMP filtering to map a network 
> on the other side of a perimeter router and stateful FW.
>
> I guess I'm looking for "I have used this technique in the past with some 
> success" type of reply rather than "this might work". Thanks for anyone 
> who takes the time to reply.
>
> Dave.
> "Paranoia is not the belief that people are out to get you.... they are! 
> Paranoia is the belief that people are conspiring to get you".
>
> _________________________________________________________________
> FREE English Booklet! Improve your English. 
> http://www.linguaphonenet.com/BannerTrack.asp?EMSCode=MSN03-08ETFJ-0211E
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
> Hackers are concentrating their efforts on attacking applications on your 
> website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers 
> are futile against web application hacking. Check your website for 
> vulnerabilities to SQL injection, Cross site scripting and other web 
> attacks before hackers do! Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------