
Thread: Nmap and fwall experts?

  1. #1


    Just a quick question which some people might find easy.
    When I'm scanning with nmap, from time to time I get
    a response saying "filtered", which, as you know,
    probably means that the port is being blocked by a firewall.

    By using techniques like idle scanning using hping or
    nmap, or using source port scanning, you can trick the firewall
    into allowing your scan through it from time to time, if the firewall
    doesn't keep state, for example.

    My question though is, if you do those techniques and discover
    that the services are actually running, what good is it to me
    if the latest exploit can't reach those ports behind the firewall
    (because of the filtering)
    which idle scanning has shown me to be running?

    Basically, why use these very cool techniques to see what
    services are running behind the firewall if you can't get at them
    afterwards?

    Maybe a tool to source port your exploit to get through the
    firewall and then attack any numbered port you want beyond the firewall?

    Be very interested in your responses.
    Thanks

  2. #2
    There are ways to get at the services, you just can't do it conventionally. One way is through spoofing. It also may be possible to circumvent the firewall through methods such as dial-up, or even misconfigurations.

  3. #3
    Possibly spoof a local IP to get some service to contact a remote machine? Is something like that possible, even?
    Analog = Classical
    Digital = Techno

  4. #4
    Webius Designerous Indiginous
    Well, chances are if hping can allow a connection through the firewall, it means it's a very weak firewall. This means that you could possibly crash, bring down, or confuse the firewall. Knowing what ports are open can in fact help you to make a next move on this test firewall. It's just going to take some creative thinking on your part.

  5. #5
    nebulus200 (Jaded Network Admin)
    By using techniques like idle scanning using hping or
    nmap, or using source port scanning, you can trick the firewall
    into allowing your scan through it from time to time, if the firewall
    doesn't keep state, for example.
    It has been my understanding that this was only a problem a few years ago and that most, if not all, modern filtering devices (including routers and firewalls) keep session state information and are not vulnerable to this type of trickery (sometimes load can change this, though).

    Basically ,why use these very cool techniques to see what
    services are running behind the firewall if you cant get at them
    afterwards.
    Most exploits are just code; think about how the scan works, and you have your answer (yes, that was deliberately vague, but if you think about it, it answers your question).

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  6. #6
    Whether or not it is a firewall threat is one thing; if you are truly conscious of the problem you will have either layered your firewalls or cut back on services running. An even better and more accurate solution would be to run all systems in your DMZ as bastion hosts, planning AND testing a disaster recovery plan on those as well as your private LAN (which should of course be proxied and firewalled behind a separate box).

    If you're truly worried, pull the plug.... In truth, security is a no-holds-barred game: there are no rules, and if there were rules they would change constantly. The only time there is truly a problem is when people think a simple and quick fix will solve all the problems in the world. A firewall is simply a small part of security.
    ~THEJRC~
    I'll preach my pessimism right out loud to anyone that listens!
    I'm not afraid to be alive.... I'm afraid to be alone.

  7. #7
    Thanks everybody.
    Nebulus, could you be a bit less vague?
    Do you mean craft the exploit to take the same type
    of route or act like the scan?

    If so, how?

  8. #8
    nebulus200 (Jaded Network Admin)
    OK, think about what made the scan work (you said it yourself in your post), then think about how the code would work (most create their own sockets). If it creates its own sockets, then you can control how the connection is established... if you control how the session is established, you have your answer.

    /nebulus
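The point nebulus200 is hinting at, spelled out as an added example that is not code from this thread or from nmap/hping: a toy model of the two kinds of filter, and a real TCP client that does what an exploit with its own sockets can do, namely bind() to a chosen source port before connect(). Nmap does the same for a scan with -g/--source-port, and hping with -s. The rule set, addresses and ports are constructed for the demo; binding a port below 1024 (such as 53) needs root, so the live part asks the kernel for a free high port and a local listener stands in for the "filtered" service.

```python
"""Added example, not code from the thread: why a source-port trick that
gets a scan past a stateless packet filter also gets an exploit past it,
and why a stateful filter does not care which source port you pick.
All addresses, ports and rules are constructed for the demo."""
import socket
import threading

TRUSTED_SRC_PORT = 53   # the hole a naive "allow DNS replies" rule opens
PUBLISHED_PORT = 80     # the one service the filter is meant to expose


def stateless_allows(src_port, dst_port, syn):
    """Per-packet decision with no memory of earlier packets.
    Constructed rule set: permit anything from source port 53 (so DNS
    answers get back in), otherwise admit only SYNs to the web server.
    A scan from port 53 and an exploit from port 53 look identical here."""
    if src_port == TRUSTED_SRC_PORT:
        return True
    return syn and dst_port == PUBLISHED_PORT


def record_outbound(conn_table, inside, inside_port, outside, outside_port):
    """A stateful filter adds an entry when the inside host opens a connection."""
    conn_table.add((inside, inside_port, outside, outside_port))


def stateful_allows(conn_table, src, src_port, dst, dst_port, syn):
    """Inbound packet from outside host src.  New SYNs reach only the
    published service; anything else must match a connection the inside
    host already opened, regardless of the source port the outsider chose."""
    if syn:
        return dst_port == PUBLISHED_PORT
    return (dst, dst_port, src, src_port) in conn_table


def pick_free_port(host="127.0.0.1"):
    """Ask the kernel for an unused port so the demo is repeatable without root."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def start_listener(host="127.0.0.1"):
    """Stand-in for the service behind the filter: accept one client,
    note its source port, send a banner.  Returns (port, result dict, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    seen = {}

    def accept_one():
        conn, peer = srv.accept()
        seen["peer_port"] = peer[1]       # the source port the server sees
        conn.sendall(b"hello\n")
        conn.close()
        srv.close()

    t = threading.Thread(target=accept_one, daemon=True)
    t.start()
    return srv.getsockname()[1], seen, t


def connect_from_source_port(dst_host, dst_port, src_port, host="127.0.0.1"):
    """The exploit-side change: bind() before connect() so the SYN leaves
    from the port the filter trusts instead of a random ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, src_port))
    s.settimeout(5)
    try:
        s.connect((dst_host, dst_port))
        banner = s.recv(64)
        return s.getsockname()[1], banner
    finally:
        s.close()


def demo(src_port=None):
    """Run the live part against the local listener and report what each side saw."""
    if src_port is None:
        src_port = pick_free_port()
    dst_port, seen, t = start_listener()
    bound_port, banner = connect_from_source_port("127.0.0.1", dst_port, src_port)
    t.join(5)
    return {"bound": bound_port, "seen_by_server": seen.get("peer_port"), "banner": banner}


if __name__ == "__main__":
    # The scan and the exploit look identical to a stateless filter...
    print("stateless, SYN from 53 -> 22:", stateless_allows(53, 22, True))
    # ...while a stateful filter ignores the chosen source port.
    print("stateful,  SYN from 53 -> 22:",
          stateful_allows(set(), "203.0.113.9", 53, "10.0.0.5", 22, True))
    print(demo())
```

The socket half is the whole trick: nothing about the exploit payload changes, only the bind() call before connect(), which is why an exploit that builds its own socket can be pointed through the same hole the scan found. The filter half shows the caveat nebulus200 raises in post #5: once the device tracks connections, the source port of an unsolicited SYN is irrelevant and the trick buys nothing.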

  9. #9
    Webius Designerous Indiginous
    Heh, to be even more less vague (if it's possible at this point), http://pont.net/socket/ Read, learn, execute.

    EDIT: You could also check out nmap's source code and see how the scan is executed. This may give you even more information.
