mailing list archives
Re: firewalk meets nmap - TTL
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Tue, 07 Nov 2000 20:54:21 +0100
Hmmm.. Already replied to this on fw-wiz, but I suppose
people here could benefit from it aswell.
Lance Spitzner wrote:
I sent this off to the nmap-list, was wondering what
all the firewall weenies on board here thought. :0
Hah. Try that through our contrapments and all you'll
get is a "DROP: TTL too low" entry in the logs >:]
On the other hand, it may very well be very effective
against plenty of firewalls out there, based on what
I've seen. People tend to do filtering FIRST and then
pass it to "route_ip()" or whatever, which does the
actual TTL decrement and check.
About a year ago, I talked to a couple of pen-testers
about firewalk being able to detect hosts directly
behind firewalls this way. One interesting side effect
is that the firewall will have carried out address
translation before passing it to the routing section,
so the ICMP unreachable data passed back might contain
If memory serves me, I think they said there was
some talk about this sort of firewalking on
defcon'99 (but don't take my word for it).
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00 Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636 Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/ E-mail: mikael.olsson () enternet se
On bosses and technology: "There are bosses who don't know, and there
are bosses who don't know that they don't know" /Anonymous techie
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).