Home page logo
/

Nmap Announce mailing list archives

RE: firewalk meets nmap - TTL (tested)
From: Lance Spitzner <lance () spitzner net>
Date: Fri, 3 Nov 2000 09:20:48 -0600 (CST)

On Fri, 3 Nov 2000, Ofir Arkin wrote:

Some firewalls monitor for low TTL field values and will drop your packet.
If there are some who will generate the ICMP time exceeded error message
(and this is the firewall
here generating the message) in my opinion it is a mistake, because it will
reveal the firewall itself.

I definitely agree, this should be disabled, but can be difficult.  Many
OS's cannot disable this feature as it is part of the kernel ip_forwarding
code.  On many firewalls it can only be done with the firewall rulebase
(and remember, many people trust their firewalls).

In Blackhat 2K in Amsterdam I was talking about the ability to identify the
Operating System one firewall
might run on top because of the ICMP error messages it might generate / or
spoofed answers the firewall
generates instead of its protected machines.

Very cool idea.  This hack will not only map your firewall rulebase, but
your firewall OS type :)

If you have a trace I would like to have a look :P

Sure, below is the technique and traces from a test.  The firewall is
CheckPoint FW-1 ver 4.1 SP2 on Solaris 2.7 (Ultra 5).  The port 5190 TCP
and port 5190 UDP are NOT filtered by the firewall.  I scanned a system
behind the firewall on each port with hping2, TTL set to 1 (I am 1 hop 
away from the firewall).  Note how the firewall responds, and not the
system behind the firewall I was scanning.

mozart #hping2 -c 1 -t 1 -s 53 -p 5190 -S victim
eth0 default routing interface selected (according to /proc)
HPING victim (eth0 172.16.1.107): S set, 40 headers + 0 data bytes
TTL 0 during transit from 192.168.1.254  (firewall.example.net)

mozart #hping2 -2 -c 1 -t 1 -s 53 -p 5190 -S victim
eth0 default routing interface selected (according to /proc)
HPING victim (eth0 172.16.1.107): udp mode set, 28 headers + 0 data bytes
TTL 0 during transit from 192.168.1.254  (firewall.example.net)

Now the packet traces (just for Ofir)

-*> Snort! <*-
Version 1.6.3
By Martin Roesch (roesch () clark net, www.snort.org)
11/03-09:10:36.563267 192.168.1.10:53 -> 172.16.1.107:5190
TCP TTL:1 TOS:0x0 ID:36962 
**S***** Seq: 0x53C8F31C   Ack: 0x1A37A627   Win: 0x200

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/03-09:10:36.564040 192.168.1.254 -> 192.168.1.10
ICMP TTL:255 TOS:0x0 ID:31007  DF
TTL EXCEEDED
00 00 00 00 45 00 00 28 90 62 00 00 00 06 BB 40  ....E..(.b.....@
C0 A8 01 0A AC 10 01 6B 00 35 14 46 53 C8 F3 1C  .......k.5.FS...
1A 37 A6 27 50 02 02 00 22 F6 00 00              .7.'P..."...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/03-09:11:15.183464 192.168.1.10:53 -> 172.16.1.107:5190
UDP TTL:1 TOS:0x0 ID:49570 
Len: 8

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/03-09:11:15.184320 192.168.1.254 -> 192.168.1.10
ICMP TTL:255 TOS:0x0 ID:31009  DF
TTL EXCEEDED
00 00 00 00 45 00 00 1C C1 A2 00 00 00 11 8A 01  ....E...........
C0 A8 01 0A AC 10 01 6B 00 35 14 46 00 08 7C 35  .......k.5.F..|5

Thoughts?

lance


--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault