Home page logo

Nmap Announce mailing list archives

RE: Updated scanning techniques
From: "Robert Purdy" <liteyear () ihug co nz>
Date: Sun, 10 Sep 2000 11:10:59 +1200

I think Lance is right here.

Since version 4.1? / and definitely 4.1 SP2 Checkpoint has changed how it
deals with established conections.  Prior to 4.1 SP2 it used to try and
recover the connections that weren't in the connections table.  From 4.1 SP2
and on, (I assume), it instead drops the connection and logs it as a unknown
established TCP packet on Rule 0.

Eariler versions tried to recover the session but if it failed would log as
either an error on unknown reason 12 or drop rule 0.

We had this problem migrating from 4.0 to 4.1SP2.

Rob Purdy

 Whereas FireWall-1 versions prior to 4.1 SP2 used to try and recover TCP
connections for which it did not have a connections table entry, it now
simply drops these packets on the floor on rule 0 with this error message.

-----Original Message-----
From: Dug Song [mailto:dugsong () monkey org]
Sent: Sunday, 10 September 2000 9:06 a.m.
To: Lance Spitzner
Cc: nmap-hackers () insecure org
Subject: Re: Updated scanning techniques

On Sat, 9 Sep 2000, Lance Spitzner wrote:

1. -sA
-sA is not the option of choice any more for newer firewalls, such as
CheckPoint FW-1 ver 4.1 SP2.  As most of you know, -sA is designed to
validate firewall rulebases using ACK packets. However, newer
firewalls only allow SYN packets to build a session in the state
table, so you can no longer initiate connecitons with an ACK packet.

are you sure this is what's happening?

from what i've heard, upon receipt of an ACK not associated with an
existing connection, Firewall-1 passes the ACK through as a window probe
(no payload) and intercepts any response from the destination itself to
determine if the connection actually exists (as it might in the case of a
firewall reboot).

the end result is the same, nmap-wise, but a bit different wrt the
stateful inspection mechanism at work.



For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).

For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]