Nmap and fwall experts?
Results 1 to 9 of 9

Thread: Nmap and fwall experts?

  1. #1

    Nmap and fwall experts?

    Just a quick question which some people might find easy.
    When im scanning with nmap from time to time i get
    a response saying filtered response which as you know
    probably means that the port is being blocked by a firewall.

    By using techniques like idle scanning using hping or
    nmap or using source port scanning you can trick the firewall
    to allow your scan through it from time to time if the firewall
    doesnt keep state for example.

    My question though is, if you do those techniques and discover
    that the services are actually running ,what good is it to me
    if the latest exploit cant reach those ports behind the firewall
    (because of the filtering)
    which idle scanning has show me to be running.

    Basically ,why use these very cool techniques to see what
    services are running behind the firewall if you cant get at them
    afterwards.

    Maybe a tool to source port your exploit to get through the
    firewall and then attack any numbered port you want beyond the firewall?

    Be very interested in your responses.
    Thanks

  2. #2
    Junior Member
    Join Date
    Aug 2002
    Posts
    22
    there are ways to get at the services, you just cant do it conventionally. one way is through spoofing. it also may be possible to circumvent the firewall through methods such as dial-up, or even misconfigurations.

  3. #3
    Possibly spoof local IP to get some service to contact a remote machine?? Is something like that possible even?
    Analog = Classical
    Digital = Techno

  4. #4
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    Well, chances are if hping can allow a connection thru the firewall, it means its a very weak firewall. This means that you could possible crash, bring down, confuse, the firewall. Knowing what ports are open can in fact help you to make a next move on this test firewall. Its just going to take some creative thinking on your part.

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    By using techniques like idle scanning using hping or
    nmap or using source port scanning you can trick the firewall
    to allow your scan through it from time to time if the firewall
    doesnt keep state for example.
    It has been my understanding that this was only a problem a few years ago and that most, if not all, modern filtering devices (includes routers and firewalls), keep session state information and are not vulnerable to this type of trickery (sometimes load can change this though).

    Basically ,why use these very cool techniques to see what
    services are running behind the firewall if you cant get at them
    afterwards.
    Most exploits are just code, think about how the scan works, and you have your answer (yes that was deliberately vague, but if you think about it, it answers your question).

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  6. #6
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    whether or not it is a firewall threat is one thing, if you are truly conscious of the problem you will have either layered your firewalls, or cut back on services running. an even better and more accurate solution would to run all systems in your DMZ as bastion hosts, planning AND testing a disaster recovery plan on those as well as your private lan (which should of course be proxied and firewalled behind a separate box)

    If your truly worried, pull the plug.... in truth security is a no holds barred game, there are no rules, and if there were rules they would change constantly. The only time there is truly a problem is when people think a simple and quick fix will solve all the problems in the world. A firewall is simply a small part to security.
    ~THEJRC~
    I\'ll preach my pessimism right out loud to anyone that listens!
    I\'m not afraid to be alive.... I\'m afraid to be alone.

  7. #7
    thanks everybody.
    Nebulus could you a be a bit less vague?
    Do you mean craft the exploit to take the same type
    of route or act like the scan?

    if so how?

  8. #8
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Ok, think about what made the scan work (you said it yourself in your post), then think about how the code would work (most create their own sockets), if it creates its own sockets then you can control how the connection is established...if you control how the session is established, you have your answer.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  9. #9
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    Heh, To be even more less vauge (if its possible at this point), http://pont.net/socket/ Read, Learn, Execute.



    EDIT: You could also check out nmap's source code and see how the scan is executed. This may give you even more information.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •