mailing list archives
Re: Updated scanning techniques
From: Darren Reed <avalon () coombs anu edu au>
Date: Sun, 10 Sep 2000 14:29:00 +1100 (Australia/NSW)
In some mail from Lance Spitzner, sie said:

> On Sat, 9 Sep 2000, Dug Song wrote:
>
> > > -sA is not the option of choice any more for newer firewalls, such as
> > > CheckPoint FW-1 ver 4.1 SP2. As most of you know, -sA is designed to
> > > validate firewall rulebases using ACK packets. However, newer
> > > firewalls only allow SYN packets to build a session in the state
> > > table, so you can no longer initiate connections with an ACK packet.
> >
> > are you sure this is what's happening?
> >
> > from what i've heard, upon receipt of an ACK not associated with an
> > existing connection, Firewall-1 passes the ACK through as a window probe
> > (no payload) and intercepts any response from the destination itself to
> > determine if the connection actually exists (as it might in the case of a
>
> Prior to FW-1 ver 4.1 SP2, a session could be added to the state table by
> almost any packet, as long as the session was allowed by the rulebase. For
> example, if telnet is allowed, you can create a session simply by sending
> an ACK packet through the firewall on port 23. The ACK packet will build
> the session in the state table, regardless of whether the other system
> responds with any packet or not. This creates a vulnerability for DoS
> attacks (see http://www.securityfocus.com/vdb/bottom.html?vid=549). For
> details on this functionality, see my writeup at
> http://www.enteract.com/~lspitz/fwtable.html.
>
> Now, starting with FW-1 ver 4.1 SP2 (and I assume any version after), this
> functionality has been changed. Starting with this new version, ONLY a
> SYN packet can build a session table entry, regardless of whether the
> rulebase allows the packet. So, the '-sA' option will not work with the
> latest version of FW-1, as all the ACK packets will be dropped. As such,
> I had to revert to scanning the FW-1 rulebase with the -sS option (which
> uses SYN packets).
>
> Just confirmed this on my system :0
> sent some ACK packets with hping2, nothing made it through the firewall.

God damnit! What do they think they're doing - making a secure product ?
Don't they know customers will complain now that they're used to being so

I'll have to try harder now to ensure IPFilter continues to have an edge
on FW-1 :-)
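The difference between the two state-table policies the thread describes (any rulebase-allowed packet builds a session vs. only a SYN builds one) is easy to see in a toy model. The following is an added illustration written for this archive page, not CheckPoint, nmap or hping2 code: the firewall, rulebase and packet representations are simplified assumptions, the rulebase is a constructed example, and the SP2 "window probe" behaviour Dug mentions is not modelled. It runs an nmap -sA style ACK probe and an -sS style SYN probe against both policies, and counts how many state-table entries a flood of bare ACKs builds under each, which is the DoS angle in the SecurityFocus entry Lance cites.

```python
"""Toy stateful firewall modelling the pre-SP2 and SP2 session-table rules
discussed in the thread. Added example; not vendor or nmap code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "A", "SA", "R"


@dataclass
class StatefulFirewall:
    # Rulebase (assumed shape): set of (destination host, destination port)
    # pairs that are permitted to build a session.
    allowed: set
    # False: any rulebase-allowed packet builds a session (pre-SP2 behaviour).
    # True : only a SYN builds a session; other packets must match one (SP2).
    sp2_semantics: bool
    sessions: set = field(default_factory=set)

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.dst, p.dport, p.src, p.sport)

    def handle(self, p):
        """Return 'pass' or 'drop' for packet p, updating the session table."""
        # Packets in either direction of an existing session are passed.
        if self._key(p) in self.sessions or self._reverse_key(p) in self.sessions:
            return "pass"
        # No session: the rulebase decides whether one may be created.
        if (p.dst, p.dport) not in self.allowed:
            return "drop"
        # SP2 rule: only a SYN may create a session table entry.
        if self.sp2_semantics and p.flags != "S":
            return "drop"
        self.sessions.add(self._key(p))
        return "pass"


def ack_scan(fw, scanner, target, ports):
    """nmap -sA style: one bare ACK per port; return ports the firewall passed."""
    return [port for port in ports
            if fw.handle(Packet(scanner, target, 40000 + port, port, "A")) == "pass"]


def syn_scan(fw, scanner, target, ports):
    """nmap -sS style: one SYN per port; return ports the firewall passed."""
    return [port for port in ports
            if fw.handle(Packet(scanner, target, 40000 + port, port, "S")) == "pass"]


def ack_flood_sessions(fw, attacker, target, port, count):
    """Send `count` bare ACKs with distinct source ports; return how many
    state-table entries they created (the DoS concern for pre-SP2 FW-1)."""
    before = len(fw.sessions)
    for i in range(count):
        fw.handle(Packet(attacker, target, 1024 + i, port, "A"))
    return len(fw.sessions) - before


if __name__ == "__main__":
    # Constructed rulebase: telnet and http to 10.0.0.5 are allowed.
    rules = {("10.0.0.5", 23), ("10.0.0.5", 80)}
    ports = [22, 23, 25, 80]
    old = StatefulFirewall(allowed=set(rules), sp2_semantics=False)
    new = StatefulFirewall(allowed=set(rules), sp2_semantics=True)
    print("pre-SP2 ACK scan passed:", ack_scan(old, "192.0.2.9", "10.0.0.5", ports))
    print("SP2     ACK scan passed:", ack_scan(new, "192.0.2.9", "10.0.0.5", ports))
    print("SP2     SYN scan passed:", syn_scan(new, "192.0.2.9", "10.0.0.5", ports))
    print("pre-SP2 sessions built by 500 ACKs:",
          ack_flood_sessions(StatefulFirewall(set(rules), False), "198.51.100.7", "10.0.0.5", 23, 500))
    print("SP2     sessions built by 500 ACKs:",
          ack_flood_sessions(StatefulFirewall(set(rules), True), "198.51.100.7", "10.0.0.5", 23, 500))
```

In the model the firewall's verdict is returned directly; a real -sA scan has to infer it from the target, since a host that receives an unsolicited ACK answers with a RST (nmap reports the port "unfiltered") while a dropped probe produces no reply ("filtered"). That inference is exactly what stops working once the firewall drops every ACK that has no SYN-built session behind it, which is why the thread falls back to -sS.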
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).