Firewall Wizards mailing list archives

RE: firewalk meets nmap - TTL (fwd)
From: "Kalat, Andrew (ISS Atlanta)" <akalat () iss net>
Date: Sun, 5 Nov 2000 12:12:21 -0500

Hey Lance,
        It's an interesting idea. Certainly one that would warrant an
attempt. One thing that comes to mind, though: what if the firewall is
configured to not allow ICMP error messages to originate on itself. Although
that might impede some network operation, I have seen some sites do this
(mainly with Checkpoint) to further the stealthiness (is that a word?) of
their firewalls. But, as with all things, I'd wager very few sites have this
level of paranoia/discipline to invoke this config.

Andrew Kalat
Internet Security Systems
IT Infrastructure Manager
(678) 443-6025 
Note; These comments are my own, yadda... yadda...

-----Original Message-----
From: Lance Spitzner [mailto:lance () spitzner net]
Sent: Saturday, November 04, 2000 10:14 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] firewalk meets nmap - TTL (fwd)


I sent this off to the nmap-list, was wondering what
all the firewall weenies on board here thought. :0

-- 
Lance Spitzner
http://www.enteract.com/~lspitz

---------- Forwarded message ----------
Date: Thu, 2 Nov 2000 23:00:53 -0600 (CST)
From: Lance Spitzner <lance () spitzner net>
To: nmap-hackers () insecure org
Subject: firewalk meets nmap - TTL

I'm not sure if anyone has thought of this, but this
would be a REALLY cool feature for auditing firewall
rulebases.  Say you want to determine what ports a
firewall allows through, what ports are NOT filtered.

Have the option with nmap to set the TTL on the packets
it sends.  I set the TTL to be the same as the amount
of hops to the firewall I am scanning.  If the packet is
filtered by the firewall, then it is dropped and nothing
is sent back.

However, if the packet is accepted by the firewall (and
the port is not filtered), the firewall will attempt to
forward it.  However, the TTL will now be zero and the
firewall will respond with ICMP TTL expired error message.
You can now map what ports are passed through the firewall
(i.e. not filtered) without a packet ever passing through the
firewall.

firewalk meets nmap

thoughts?

-- 
Lance Spitzner
http://www.enteract.com/~lspitz




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

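The mechanism Lance describes, and the hardening Andrew mentions (a firewall that never originates ICMP error messages), can be seen side by side in a small model. The code below is an added example, not part of the thread and not nmap or firewalk code: it models one firewall's forwarding decision per probe, shows why an accepted-but-expiring packet leaks the rulebase while a filtered one stays silent, shows that suppressing self-originated ICMP closes that leak, and ends with a defender's log check. The `Firewall` class, hop numbering (traceroute style: a probe with TTL k expires at hop k), the log format and all addresses and ports are constructed for the example; it assumes the firewall records the TTL of arriving packets, which many products do not log by default.

```python
"""Model of the TTL-based rulebase probe discussed in the thread, the
ICMP-suppression hardening, and a log-based detection heuristic.
No packets are sent; every host, port and log record is constructed."""

from collections import defaultdict
from dataclasses import dataclass, field

TTL_EXCEEDED = "icmp-time-exceeded"
FORWARDED = "forwarded"
DROPPED = None  # filtered or suppressed: the sender sees nothing at all


@dataclass
class Firewall:
    """Hypothetical firewall at traceroute hop `hop` from the sender."""
    hop: int                          # hop number as seen from the sender
    allowed_ports: set                # rulebase: destination ports passed through
    suppress_own_icmp: bool = False   # the hardening from Andrew's reply
    log: list = field(default_factory=list)  # (src, dport, ttl_on_arrival, verdict)

    def handle(self, src, dport, ttl):
        """Fate of one probe: (hop that answered, message) or DROPPED."""
        if ttl < self.hop:
            # expires at an upstream router, never reaches the rulebase
            return (ttl, TTL_EXCEEDED)
        ttl_at_fw = ttl - (self.hop - 1)  # TTL left when the firewall receives it
        if dport not in self.allowed_ports:
            self.log.append((src, dport, ttl_at_fw, "drop"))
            return DROPPED                 # filtered: silently dropped
        self.log.append((src, dport, ttl_at_fw, "accept"))
        if ttl_at_fw - 1 == 0:
            # accepted, but forwarding would take TTL to zero: this is the
            # leak, an ICMP error that only an accepted packet can trigger
            if self.suppress_own_icmp:
                return DROPPED             # hardened box stays silent
            return (self.hop, TTL_EXCEEDED)
        return (self.hop + 1, FORWARDED)   # enters the protected network


def infer_passed_ports(fw, ports, src="192.0.2.10"):
    """What the scan in the thread would conclude: ports whose probe, sent
    with TTL equal to the firewall's hop count, came back as a
    time-exceeded from the firewall itself."""
    return {p for p in ports
            if fw.handle(src, p, fw.hop) == (fw.hop, TTL_EXCEEDED)}


def flag_ttl_probers(log, min_ports=5):
    """Detection side: sources whose packets repeatedly arrive with TTL 1
    (they would expire on this firewall) across many distinct ports.
    Legitimate traffic almost never arrives with one hop of TTL left,
    and the pattern is visible whether or not ICMP errors are suppressed."""
    ports_by_src = defaultdict(set)
    for src, dport, ttl_at_fw, _verdict in log:
        if ttl_at_fw == 1:
            ports_by_src[src].add(dport)
    return {s for s, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    probe_ports = [21, 22, 23, 25, 53, 80, 110, 443, 8080]
    plain = Firewall(hop=4, allowed_ports={22, 25, 80, 443})
    hardened = Firewall(hop=4, allowed_ports={22, 25, 80, 443},
                        suppress_own_icmp=True)
    print("leaked by plain firewall:", sorted(infer_passed_ports(plain, probe_ports)))
    print("leaked by hardened firewall:", sorted(infer_passed_ports(hardened, probe_ports)))
    print("flagged in hardened firewall's log:", flag_ttl_probers(hardened.log))
```

Two things worth noting from running it: the hardened firewall returns an empty set for the scan (the accepted and filtered cases become indistinguishable to the sender), yet its log still shows the probing source, because the unusual arrival TTL is recorded whatever the rulebase decides. Suppressing the ICMP error removes the leak; logging the TTL is what makes the attempt visible.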


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]