Penetration Testing mailing list archives
Difficulties in Network Mapping & port scanning
From: "David Ball" <lostinvietnam () hotmail com>
Date: Tue, 03 Jan 2006 18:23:06 +0800
Hi allMany publications detail nmap port scanning techniques but make many assumptions. The truth is that a properly configured Stateful Firewall will drop even the more esoteric nmap port scanning techniques (Null, Xmas, Fin, ACK scans). Even fragmenting port scans isn't always successful (namely nmap -f and fragrouter). So a pen-tester is stuck with a Firewalled public facing DNS or mail server but with difficulties getting a reliable port scan to that machine. What I would be interested to hear are people's real life experiences port scanning networks where stateful firewalling is properly architected and configured.
Same applies to ICMP network mapping. Any Network Admin worth his salt will block outbound ICMP echo replies and time exceeded messages so traditional traceroute and ping won't work. Sure there are plenty of networks out there who aren't so security aware but for the sake of arguement let's say an existing client has done this. What options are left to map a network where ICMP messages are properly controlled? Are there IMCP mapping techniques based on source quench and Path MTU discovery messages? Paratrace is an interesting twist on the more traditional mapping techniques which I'm investigating as is tcptraceroute. So same question as the above - what other real life examples can someone quote that get around ICMP filtering to map a network on the other side of a perimeter router and stateful FW.
I guess I'm looking for "I have used this technique in the past with some success" type of reply rather than "this might work". Thanks for anyone who takes the time to reply.
Dave."Paranoia is not the belief that people are out to get you.... they are! Paranoia is the belief that people are conspiring to get you".
_________________________________________________________________FREE English Booklet! Improve your English. http://www.linguaphonenet.com/BannerTrack.asp?EMSCode=MSN03-08ETFJ-0211E
------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Difficulties in Network Mapping & port scanning David Ball (Jan 03)
- Re: Difficulties in Network Mapping & port scanning Pete Herzog (Jan 04)
- Re: Difficulties in Network Mapping & port scanning Petr . Kazil (Jan 15)
- Re: Difficulties in Network Mapping & port scanning Don Parker (Jan 05)
- Re: Difficulties in Network Mapping & port scanning David Ball (Jan 07)
- Re: Difficulties in Network Mapping & port scanning david lodge (Jan 11)
- Re: Difficulties in Network Mapping & port scanning David Ball (Jan 07)
- Re: Difficulties in Network Mapping & port scanning Pete Herzog (Jan 04)