Penetration Testing mailing list archives

Re: Firewall Scan


From: Guilherme Alves <arealufrj () gmail com>
Date: Mon, 29 Jun 2009 10:25:12 -0300

You should consider "-P0" to prevent the ping before the scan.
This can help with systems that block ping and confuse Nmap.


reference: [http://nmap.org/book/man-host-discovery.html]




On Wed, Jun 24, 2009 at 4:44 PM, IPv7 <listas.internet () gmail com> wrote:

Hello Guys,

I was doing a normal TCP Scan on port 5900, when I found a strange result:

1st I did a normal TCP scan with Nmap

Onix:~# nmap -p 5900 x.x.x.x

Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:52 ART
Interesting ports on x.x.x.x:
PORT     STATE  SERVICE
5900/tcp closed vnc

Nmap done: 1 IP address (1 host up) scanned in 0.361 seconds

But... if I use telnet/nc with this port, they can connect:
Onix:~# telnet x.x.x.x 5900
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
RFB 003.003

^C
What? I can connect...
Ok, I will perform a more detailed scan:

Onix:~# hping -S  -p 5900 x.x.x.x
HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=x.x.x.x ttl=56 id=16854 sport=5900 flags=RA seq=0 win=512 rtt=2.6 ms
^C
--- x.x.x.x hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.6/2.6/2.6 ms

This host returns a Reset/ACK, which would be fine if the port were closed,
but I can connect to it.

WINDOW SCAN:

Onix:~# nmap -sW -p 5900 x.x.x.x

Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:57 ART
Interesting ports on x.x.x.x:
PORT     STATE SERVICE
5900/tcp open  vnc

Nmap done: 1 IP address (1 host up) scanned in 0.051 seconds

Ok, I will look at the TCP windows:
First I try to send a TCP packet with WIN=1

Onix:~# hping -S -w 1  -p 5900 x.x.x.x
HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8 ms
^C
--- x.x.x.x hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.8/7.8/7.8 ms

In most cases, shouldn't this host respond with its own suggested
window size??

Then I sent the same with WIN=4096

Onix:~# hping -S -w 4096  -p 5900 x.x.x.x
HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8 ms
^C
--- x.x.x.x hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.8/7.8/7.8 ms


I can't understand this!
Any idea?


--
---------------------------------------
-   Knowledge is power,   -
- and wisdom sets us free.    -
----------------------------------
netvulcano.wordpress.com
Linux User #405757
Machine Linux #310536

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




--
Guilherme Alves

GRIS - Grupo de Resposta a Incidentes de Segurança
          (Computer Security Incident Response Team)
         www.gris.dcc.ufrj.br
DCC - Departamento de Ciência da Computação
          (Computer Science Department - UFRJ)
          www.dcc.ufrj.br
UFRJ - Universidade Federal do Rio de Janeiro
         (Federal University of Rio de Janeiro - Brazil)
         www.ufrj.br
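As an added illustration of the mismatch in the quoted post (this is not code from either poster, and not Nmap's own implementation), the following Python script parses hping reply lines in the layout quoted above and applies the two port-state heuristics that Nmap documents for its SYN scan (-sS, the default) and its Window scan (-sW). Run over the captured lines it reproduces the disagreement between `nmap -p 5900` reporting closed and `nmap -sW` reporting open. The regular expression assumes the hping2 output format shown in the thread; the two extra sample lines (a zero-window RST and a SYN/ACK) are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One hping reply line in the format shown in the thread, e.g.
#   len=46 ip=x.x.x.x ttl=56 id=16854 sport=5900 flags=RA seq=0 win=512 rtt=2.6 ms
# (regex is an assumption based on that layout, not hping's formal grammar)
HPING_REPLY = re.compile(
    r"len=(?P<len>\d+)\s+ip=(?P<ip>\S+)\s+ttl=(?P<ttl>\d+)\s+id=(?P<id>\d+)\s+"
    r"sport=(?P<sport>\d+)\s+flags=(?P<flags>[A-Z]*)\s+seq=(?P<seq>\d+)\s+"
    r"win=(?P<win>\d+)\s+rtt=(?P<rtt>[\d.]+)"
)


@dataclass
class Reply:
    port: int      # remote port the answer came from (hping's sport=)
    flags: str     # TCP flag letters, e.g. "RA" or "SA"
    win: int       # TCP window advertised in the answer
    ttl: int
    ip_id: int


def parse_hping_line(line: str) -> Optional[Reply]:
    """Parse one hping reply line; return None for banner/statistics lines."""
    m = HPING_REPLY.search(line)
    if m is None:
        return None
    return Reply(port=int(m["sport"]), flags=m["flags"], win=int(m["win"]),
                 ttl=int(m["ttl"]), ip_id=int(m["id"]))


def syn_scan_state(reply: Optional[Reply]) -> str:
    """State a SYN scan (nmap -sS) assigns from the answer to a SYN probe."""
    if reply is None:
        return "filtered"                 # no answer: something dropped the probe
    if "S" in reply.flags and "A" in reply.flags:
        return "open"                     # SYN/ACK: a listener answered
    if "R" in reply.flags:
        return "closed"                   # any RST is "closed"; the window is ignored
    return "filtered"


def window_scan_state(reply: Optional[Reply]) -> str:
    """State a Window scan (nmap -sW) assigns from an RST answer.

    The heuristic looks only at the window field: an RST with a positive
    window is reported open, an RST with a zero window is reported closed.
    """
    if reply is None:
        return "filtered"
    if "R" in reply.flags:
        return "open" if reply.win > 0 else "closed"
    return "filtered"


def scans_disagree(line: str) -> bool:
    """True when the two heuristics reach different verdicts for one answer,
    which is exactly the situation the quoted post describes."""
    reply = parse_hping_line(line)
    return syn_scan_state(reply) != window_scan_state(reply)


# Sample input: the two answers quoted in the thread plus two constructed ones
# (a zero-window RST, as an ordinary closed port sends, and a SYN/ACK).
SAMPLE_LINES = [
    "len=46 ip=x.x.x.x ttl=56 id=16854 sport=5900 flags=RA seq=0 win=512 rtt=2.6 ms",
    "len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8 ms",
    "len=46 ip=x.x.x.x ttl=64 id=0 sport=5901 flags=RA seq=0 win=0 rtt=1.0 ms",        # constructed
    "len=46 ip=x.x.x.x ttl=64 id=4242 sport=5902 flags=SA seq=0 win=5840 rtt=1.1 ms",  # constructed
    "--- x.x.x.x hping statistic ---",   # not a reply line; must be skipped
]


def classify_lines(lines):
    """Return (port, flags, win, syn_state, window_state) per parsed reply line."""
    rows = []
    for line in lines:
        r = parse_hping_line(line)
        if r is None:
            continue
        rows.append((r.port, r.flags, r.win, syn_scan_state(r), window_scan_state(r)))
    return rows


if __name__ == "__main__":
    for row in classify_lines(SAMPLE_LINES):
        print("port %d flags=%s win=%d  -sS says %-8s -sW says %s" % row)
```

Run as a script it prints one row per reply. The point the rows make is that the -sW verdict depends only on whether the RST carries a non-zero window, so a host or intermediate device that answers a SYN with a positive-window RST (win=512 and win=1 in the thread) is reported open by -sW and closed by -sS from the very same packet; which verdict matches reality has to be settled by an actual connection attempt, as the telnet test in the post does.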


