
Thread: Bypassing the firewall

  1. #11
    Now to answer the question...

    The reason nmap is reporting the host is down is probably because of the type of ping it's been told to use. By default, nmap when run through nmapfe will ICMP ping the target, but Linux pings use UDP by default. This sounds to me like the host isn't totally firewalled, and does allow certain types of traffic to pass.

  2. #12
    Senior Member (Join Date: Sep 2003, Posts: 161)
    so it can be done using a UDP scan with the -sU option

  3. #13
    Member (Join Date: Nov 2003, Posts: 33)
    Will you please look at my title and no. of posts.
    I just joined a month ago. And please explain.
    Maybe the problem is that you have chosen the under-13 reg by mistake. Check that out too. Sorry if I have offended anyone.

    And back to this topic, try NetScanTools Pro 2000. It has all such scanning utils. Also try Pandora from http://www.nmrc.org. I don't know how good it is but do try it.
    There are 10 kinds of people on Earth.
    Those who know binary and those who don't.


  4. #14
    No. UDP port scanning and UDP pings are 2 totally different things. A UDP port scan works like this: A UDP packet is sent to a UDP socket on the remote host. If it doesn't respond, the socket is assumed to be open. If it responds with an unreachable message, the port is considered closed. If every UDP socket seems open, then it's safe to assume the host is silently dropping UDP traffic. So, as you can see, UDP scans are really a bit of a black art and involve educated guesses when firewalls are being used, and this is why they're not used very often.

    A UDP ping is similar to a UDP port scan in that your PC sends a UDP packet to the remote host. It then waits for the unreachable message, and this is how the remote host shows up in a standard linux ping.

  5. #15
    foxyloxley, They call me the Hunted (Join Date: Nov 2003, Location: 3rd Rock from Sun, Posts: 2,534)
    I agree with spurious_inode with regard to 'security' questions, this is supposed to be a site where we can find out about this sort of subject. Yes, we could read it up, or Google. But the site gets you a real life answer, with any additional probs that might have popped up. And it is possible that someone might make illegal use of their new found knowledge, but it is also possible that if you are aware of security issues, then you will be better placed to resist / stop it in the first place.

    As an O/T question, how DO you know that god got negged for this post? (To spurious_inode, as he made reference to this in his first post of the thread.)
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  6. #16
    Senior Member (Join Date: Sep 2003, Posts: 161)
    Originally posted here by Beryllium9
    No. UDP port scanning and UDP pings are 2 totally different things. A UDP port scan works like this: A UDP packet is sent to a UDP socket on the remote host. If it doesn't respond, the socket is assumed to be open. If it responds with an unreachable message, the port is considered closed. If every UDP socket seems open, then it's safe to assume the host is silently dropping UDP traffic. So, as you can see, UDP scans are really a bit of a black art and involve educated guesses when firewalls are being used, and this is why they're not used very often.

    A UDP ping is similar to a UDP port scan in that your PC sends a UDP packet to the remote host. It then waits for the unreachable message, and this is how the remote host shows up in a standard linux ping.
    So how are the 2 different?

    BTW: I am just trying to scan my network from another location. I do not think it is illegal, and this is my home network that I am scanning.

  7. #17
    Senior Member (Join Date: Mar 2003, Posts: 245)
    Originally posted here by Beryllium9
    Now to answer the question...

    The reason nmap is reporting the host is down is probably because of the type of ping it's been told to use. By default, nmap when run through nmapfe will ICMP ping the target, but Linux pings use UDP by default. This sounds to me like the host isn't totally firewalled, and does allow certain types of traffic to pass.
    Beryllium9:

    From the ping(8) man page (SuSE 9.0)....

    NAME
    ping, ping6 - send ICMP ECHO_REQUEST to network hosts

    SYNOPSIS
    ping [ -LRUbdfnqrvVaAB] [ -c count] [ -i interval] [ -l preload] [ -p pattern]
    [ -s packetsize] [ -t ttl] [ -w deadline] [ -F flowlabel] [ -I interface]
    [ -M hint] [ -P policy] [ -Q tos] [ -S sndbuf] [ -T timestamp option]
    [ -W timeout] [ hop ...] destination


    DESCRIPTION
    ping uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP
    ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams (``pings'') have an
    IP and ICMP header, followed by a struct timeval and then an arbitrary number of
    ``pad'' bytes used to fill out the packet.

    .......

    From the ping(1M) man page (Solaris 8)

    NAME
    ping - send ICMP (ICMP6) ECHO_REQUEST packets to network
    hosts

    SYNOPSIS
    /usr/sbin/ping host [ timeout ]

    /usr/sbin/ping -s [ -l | -U ] [ -adlLnrRv ] [
    -A addr_family ] [ -c traffic_class ] [ -g gateway [ -g
    gateway ... ] ] [ -F flow_label ] [ -I interval ] [
    -i interface ] [ -P tos ] [ -p port ] [ -t ttl ] host [
    data_size ] [ count ]

    DESCRIPTION
    The utility ping utilizes the ICMP (ICMP6 in IPv6)
    protocol's ECHO_REQUEST datagram to elicit an ICMP (ICMP6)
    ECHO_RESPONSE from the specified host or network gateway. If
    host responds, ping will print

    ...........

    From the ping(8) man page (FreeBSD 4.9-RELEASE)

    NAME
    ping -- send ICMP ECHO_REQUEST packets to network hosts

    SYNOPSIS
    ping [-AQRadfnqrv] [-c count] [-i wait] [-l preload] [-m ttl]
    [-p pattern] [-P policy] [-s packetsize] [-S src_addr] [-t timeout]
    [host | [-L] [-I interface] [-T ttl] mcast-group]

    DESCRIPTION
    Ping uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit
    an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams
    (``pings'') have an IP and ICMP header, followed by a ``struct timeval''
    and then an arbitrary number of ``pad'' bytes used to fill out the
    packet. The options are as follows:


    Hmmmmm. You may have read something, or have other reason to believe that Linux sends UDP pings, however I would have to politely disagree. Ping is an ICMP (Internet Control Message Protocol) utility on any OS I can think of.

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/

  8. #18
    Senior Member (Join Date: Mar 2003, Posts: 245)
    Originally posted here by foxyloxley
    I agree with spurious_inode with regard to 'security' questions, this is supposed to be a site where we can find out about this sort of subject. Yes, we could read it up, or Google. But the site gets you a real life answer, with any additional probs that might have popped up. And it is possible that someone might make illegal use of their new found knowledge, but it is also possible that if you are aware of security issues, then you will be better placed to resist / stop it in the first place.

    As an O/T question, how DO you know that god got negged for this post? (To spurious_inode, as he made reference to this in his first post of the thread.)
    foxyloxley: This post started out with god having been neg'd. Enough people must have seen the error and given god some positive AP's to even him out.
    Get OpenSolaris http://www.opensolaris.org/

  9. #19
    Senior Member (Join Date: Sep 2003, Posts: 161)
    I think Beryllium9 was trying to say that UDP ping is just doing a ping ip_address, which is mostly used in ping sweeps to detect if a machine is alive, and which is better documented in man nmap:

    -sP Ping scanning: Sometimes you only want to know
    which hosts on a network are up. Nmap can do this
    by sending ICMP echo request packets to every IP
    address on the networks you specify. Hosts that
    respond are up. Unfortunately, some sites such as
    microsoft.com block echo request packets. Thus
    nmap can also send a TCP ack packet to (by default)
    port 80. If we get an RST back, that machine is
    up. A third technique involves sending a SYN
    packet and waiting for a RST or a SYN/ACK. For
    non-root users, a connect() method is used.

    By default (for root users), nmap uses both the
    ICMP and ACK techniques in parallel. You can
    change the -P option described later.

    Note that pinging is done by default anyway, and
    only hosts that respond are scanned. Only use this
    option if you wish to ping sweep without doing any
    actual port scans.


    while UDP scanning is, from man nmap:

    -sU UDP scans: This method is used to determine which
    UDP (User Datagram Protocol, RFC 768) ports are
    open on a host. The technique is to send 0 byte
    UDP packets to each port on the target machine. If
    we receive an ICMP port unreachable message, then
    the port is closed. Otherwise we assume it is
    open. Unfortunately, firewalls often block the
    port unreachable messages, causing the port to
    appear open. Sometimes an ISP will block only a
    few specific dangerous ports such as 31337 (back
    orifice) and 139 (Windows NetBIOS), making it look
    like these vulnerable ports are open. So don't
    panic immediately. Unfortunately, it isn't always
    trivial to differentiate between real open UDP
    ports and these filtered false-positives.

    Some people think UDP scanning is pointless. I usually
    remind them of the recent Solaris rcpbind hole.
    Rpcbind can be found hiding on an undocumented
    UDP port somewhere above 32770. So it
    doesn't matter that 111 is blocked by the firewall.
    But can you find which of the more than 30,000 high
    ports it is listening on? With a UDP scanner you
    can! There is also the cDc Back Orifice backdoor
    program which hides on a configurable UDP port on
    Windows machines. Not to mention the many commonly
    vulnerable services that utilize UDP such as snmp,
    tftp, NFS, etc.

    Unfortunately UDP scanning is sometimes painfully
    slow since most hosts implement a suggestion in RFC
    1812 (section 4.3.2.8) of limiting the ICMP error
    message rate. For example, the Linux kernel (in
    net/ipv4/icmp.h) limits destination unreachable
    message generation to 80 per 4 seconds, with a 1/4
    second penalty if that is exceeded. Solaris has
    much more strict limits (about 2 messages per second)
    and thus takes even longer to scan. nmap
    detects this rate limiting and slows down accordingly,
    rather than flood the network with useless
    packets that will be ignored by the target machine.

    As is typical, Microsoft ignored the suggestion of
    the RFC and does not seem to do any rate limiting
    at all on Win95 and NT machines. Thus we can scan
    all 65K ports of a Windows machine very quickly.
    Whoop!
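The interpretation rule from post #14 (unreachable means closed, silence is ambiguous, all-silent means the firewall is dropping) together with the rate-limiting caveat from the nmap man page quoted above, worked through as an added example. This is not nmap's code and was not posted by anyone in the thread; the Probe records, the port numbers and the timing figures are constructed, and the 80-per-4-seconds figure is the Linux limit the man page excerpt cites.

```python
# Added example, not code from nmap or from anyone in this thread.
# It applies the UDP-scan rule quoted above (ICMP port unreachable ->
# closed, silence -> open|filtered, a UDP reply -> open) plus two caveats
# from the thread: a host where every probed port is silent is most
# likely dropping UDP or the unreachables, and a kernel that rate-limits
# ICMP errors (Linux: 80 per 4 s per the man page) makes silence after
# the cap meaningless.  All probe data below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Probe:
    port: int
    reply: Optional[str]          # "icmp_unreachable", "udp_payload" or None
    recv_time: Optional[float]    # seconds; None when nothing came back

def classify_port(p: Probe) -> str:
    """The man-page rule applied to a single probe."""
    if p.reply == "icmp_unreachable":
        return "closed"
    if p.reply == "udp_payload":
        return "open"
    return "open|filtered"        # silence is ambiguous, as the thread says

def unreachables_capped(times: List[float], limit: int = 80, window: float = 4.0) -> bool:
    """True if some `window`-second span holds at least `limit` ICMP errors,
    i.e. the target looks like it is rate-limiting (RFC 1812 4.3.2.8)."""
    ts = sorted(times)
    lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        if hi - lo + 1 >= limit:
            return True
    return False

def summarise_host(probes: List[Probe]) -> Dict[str, object]:
    """Per-port states plus the host-level verdict the thread reasons about."""
    states = {p.port: classify_port(p) for p in probes}
    silent = sum(1 for s in states.values() if s == "open|filtered")
    err_times = [p.recv_time for p in probes if p.reply == "icmp_unreachable"]
    if probes and silent == len(probes):
        verdict = "all ports silent: host is probably dropping UDP or the unreachables"
    elif unreachables_capped(err_times):
        verdict = "ICMP errors rate-limited: slow down, silent ports are unreliable"
    else:
        verdict = "responses look unconstrained; silent ports are open|filtered"
    return {"states": states, "silent": silent, "verdict": verdict}

if __name__ == "__main__":
    firewalled = [Probe(p, None, None) for p in (53, 111, 161, 31337)]
    print(summarise_host(firewalled)["verdict"])
```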

  10. #20
    Senior Member (Join Date: Mar 2003, Posts: 245)
    Originally posted here by Beryllium9
    No. UDP port scanning and UDP pings are 2 totally different things. A UDP port scan works like this: A UDP packet is sent to a UDP socket on the remote host. If it doesn't respond, the socket is assumed to be open. If it responds with an unreachable message, the port is considered closed. If every UDP socket seems open, then it's safe to assume the host is silently dropping UDP traffic. So, as you can see, UDP scans are really a bit of a black art and involve educated guesses when firewalls are being used, and this is why they're not used very often.

    A UDP ping is similar to a UDP port scan in that your PC sends a UDP packet to the remote host. It then waits for the unreachable message, and this is how the remote host shows up in a standard linux ping.
    god / Beryllium9:

    [..... and this is how the remote host shows up in a standard linux ping.]

    I may have misunderstood what Beryllium9 was saying in reference to what protocol Linux uses as the default for ping. Apologies Beryllium9, no ball-busting intended....

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/
