Difficulties in Network Mapping & port scanning

["David Ball" <lostinvietnam () hotmail com>]

Hi all

Many publications detail nmap port scanning techniques but make many 
assumptions. The truth is that a properly configured Stateful Firewall will 
drop even the more esoteric nmap port scanning techniques (Null, Xmas, Fin, 
ACK scans). Even fragmenting port scans isn't always successful (namely nmap 
-f and fragrouter). So a pen-tester is stuck with a Firewalled public facing 
DNS or mail server but with difficulties getting a reliable port scan to 
that machine. What I would be interested to hear are people's real life 
experiences port scanning networks where stateful firewalling is properly 
architected and configured.

Same applies to ICMP network mapping. Any Network Admin worth his salt will 
block outbound ICMP echo replies and time exceeded messages so traditional 
traceroute and ping won't work. Sure there are plenty of networks out there 
who aren't so security aware but for the sake of arguement let's say an 
existing client has done this. What options are left to map a network where 
ICMP messages are properly controlled? Are there IMCP mapping techniques 
based on source quench and Path MTU discovery messages? Paratrace is an 
interesting twist on the more traditional mapping techniques which I'm 
investigating as is tcptraceroute. So same question as the above - what 
other real life examples can someone quote that get around ICMP filtering to 
map a network on the other side of a perimeter router and stateful FW.

I guess I'm looking for "I have used this technique in the past with some 
success" type of reply rather than "this might work". Thanks for anyone who 
takes the time to reply.

Dave.
"Paranoia is not the belief that people are out to get you.... they are!  
Paranoia is the belief that people are conspiring to get you".

_________________________________________________________________
FREE English Booklet! Improve your English. 
http://www.linguaphonenet.com/BannerTrack.asp?EMSCode=MSN03-08ETFJ-0211E


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------