nmap stealth FIN scan not detected by FW-1 V4.0?
From: "Frank W. Keeney" <FKeeney () hsa com>
Date: Thu, 27 May 1999 08:41:59 -0700
Back on 3/12/99 I sent out the article below. Can you try your scans
again using the tcpdump technique below?
I don't have access to a FW1 host with the same build number. I'm very
interested in your results since all my subsequent tests with later
patched versions have correctly logged the traffic.
FW1 behaves in a very predictable manner. I'm sure that PIX, Cisco
Firewall IOS and other firewalls do the same.
What do you think about Firewall fingerprinting?
---- Original 3/12/99 Article ----
I've been messing around with nmap (on Linux) in my lab and I'm able to
port scan a Checkpoint Firewall 1 (NT Server sp4, fw1 3.0b no patches
applied) without being logged. Unfortunately nmap "incorrectly" reports
all the scanned ports open. I only know which ports are open by using
tcpdump or a sniffer.
Here are my command lines:
x.x.x.x is the attacked host.
nmap -sF -f -n -P0 -vv -p 20-25,250-270,5900 x.x.x.x
Scans -sF, -sX, -sN in combination with -f are not logged on fw1. Scans
with -sS -f are logged.
The program says that -sN is only for UNIX but it works great here.
I run tcpdump -n -vv src host x.x.x.x on a third host.
I run the above and immediately tcpdump reports:
x.x.x.x.5900 > (nmap host).xxxx ack (abbreviated)
x.x.x.x.256 > (nmap host).xxxx ack
x.x.x.x.257 > (nmap host).xxxx ack
x.x.x.x.258 > (nmap host).xxxx ack
x.x.x.x.259 > (nmap host).xxxx ack
On the firewall, ports 256-259 and 5900 are open. The response in tcpdump:
the sniffer reports the RST,ACK pair set in response.
After 30 seconds or so tcpdump receives an ICMP type 11 code 1 packet
(Fragment Reassembly Time Exceeded) from the firewall for each port.
NOTHING is logged on the firewall!
Frank Keeney, Network Services, Home Savings of America
+1 626-814-5080 mailto:fkeeney () hsa com / mailto:frank () pasadena net
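The sniffer-side check described above (run tcpdump on a third host, then see which ports answered), as an added example that is not from either post: a Python script that parses constructed tcpdump-style lines (RFC 5737 placeholder addresses stand in for the x.x.x.x target and the nmap host), lists the ports that replied, counts the ICMP type 11 code 1 messages, and applies nmap's documented FIN-scan rule (RST means closed, silence means open|filtered). On the NT/FW-1 host in the post the ports that answered were the open ones, the reverse of that rule, which is why the raw responder list is the useful output there.

```python
import re
from collections import defaultdict

# Constructed placeholder addresses (RFC 5737 ranges), standing in for the
# real x.x.x.x target and the nmap host in the original post.
TARGET = "192.0.2.10"
SCANNER = "198.51.100.7"

# Constructed capture in tcpdump's classic one-line format, shaped like the
# abbreviated replies quoted in the post: RST/ACK from five ports, then two
# ICMP "time exceeded" (type 11 code 1, fragment reassembly) messages.
CAPTURE = """\
192.0.2.10.5900 > 198.51.100.7.43210: R 0:0(0) ack 1 win 0
192.0.2.10.256 > 198.51.100.7.43211: R 0:0(0) ack 1 win 0
192.0.2.10.257 > 198.51.100.7.43212: R 0:0(0) ack 1 win 0
192.0.2.10.258 > 198.51.100.7.43213: R 0:0(0) ack 1 win 0
192.0.2.10.259 > 198.51.100.7.43214: R 0:0(0) ack 1 win 0
192.0.2.10 > 198.51.100.7: icmp: ip reassembly time exceeded
192.0.2.10 > 198.51.100.7: icmp: ip reassembly time exceeded
"""

# host.port > host.port: FLAGS ...   (flags are letters such as R, S, P, F or ".")
TCP_LINE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): ([A-Z.]+)")
# host > host: icmp: description
ICMP_LINE = re.compile(r"^(\S+) > (\S+): icmp: (.+)$")


def expand_ports(spec):
    """Expand an nmap-style -p list such as '20-25,250-270,5900'."""
    ports = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_capture(text, target, scanner):
    """Return (tcp_replies, icmp_messages) for traffic from target to scanner.

    tcp_replies maps the target's source port to the set of flag strings seen;
    icmp_messages lists the ICMP descriptions tcpdump printed.
    """
    tcp_replies = defaultdict(set)
    icmp_messages = []
    for line in text.splitlines():
        m = ICMP_LINE.match(line)  # check ICMP first; it has no port suffix
        if m:
            if m.group(1) == target and m.group(2) == scanner:
                icmp_messages.append(m.group(3))
            continue
        m = TCP_LINE.match(line)
        if m:
            src, sport, dst, _dport, flags = m.groups()
            if src == target and dst == scanner:
                tcp_replies[int(sport)].add(flags)
    return tcp_replies, icmp_messages


def classify_fin_scan(probed_ports, tcp_replies):
    """Apply nmap's documented FIN-scan rule to each probed port.

    A port that answers with RST is reported closed; a port that stays silent
    is open|filtered (silence alone cannot separate the two).
    """
    result = {}
    for port in probed_ports:
        flags = tcp_replies.get(port, set())
        rst_seen = any("R" in f for f in flags)
        result[port] = "closed" if rst_seen else "open|filtered"
    return result


def summarize(capture, port_spec, target=TARGET, scanner=SCANNER):
    """Combine the sniffer view (who answered, how many fragment timeouts)
    with the nmap-rule verdict for every probed port."""
    probed = expand_ports(port_spec)
    tcp_replies, icmp_messages = parse_capture(capture, target, scanner)
    return {
        "responders": sorted(tcp_replies),
        "nmap_rule": classify_fin_scan(probed, tcp_replies),
        "frag_timeouts": sum("reassembly time exceeded" in m for m in icmp_messages),
    }


if __name__ == "__main__":
    s = summarize(CAPTURE, "20-25,250-270,5900")
    print("ports that answered:", s["responders"])
    print("ICMP fragment-reassembly timeouts:", s["frag_timeouts"])
    for port, verdict in sorted(s["nmap_rule"].items()):
        print(f"{port:5d} {verdict}")
```

Feed it the real tcpdump output from the third host (with the real addresses in place of the placeholders) and compare the responder list against what nmap printed; the gap between the two is the point of the post.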
From: Olaf Selke [SMTP:Olaf.Selke () mediaWays net]
Sent: Thursday, May 27, 1999 3:39 AM
To: fw-1-mailinglist () lists us checkpoint com
Cc: nmap-hackers () insecure org; spitzner () dimension net
Subject: nmap stealth FIN scan not detected by FW-1 V4.0?
FireWall-1 V4.0 Build 4037 VPN+DES, Solaris 2.6
nmap V2.12, Linux kernel 2.0.34
Today I did some nmap Stealth FIN scans (nmap -sF) against
V4.0 protected systems. The FIN scan uses a **** surprise FIN
as the probe.
foo () bar:/tmp > nmap -sF -P0 -p1-100 193.189.XXX.YYY
I was not able to get any logging from the firewall software
when sending these probes to protected systems. Neither directly
with 'fw log' nor in the exported logfile generated with 'fw
logexport' did I find any clue.
The FIN packets are handled by the FW software correctly according to the
rule set, so the systems behind the firewall should be secure.
Nevertheless, an intruder could scan protected networks without
risk of being detected.
What went wrong? Am I missing something or does FW-1 V4.0 really
log surprise FIN packets?
I would rather prefer the idea that I'm wrong ;-)