Home page logo

Nmap Announce mailing list archives

Re: firewalk meets nmap - TTL
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Tue, 07 Nov 2000 20:54:21 +0100

Hmmm.. Already replied to this on fw-wiz, but I suppose
people here could benefit from it aswell.

Lance Spitzner wrote:

I sent this off to the nmap-list, was wondering what
all the firewall weenies on board here thought. :0

Hah. Try that through our contrapments and all you'll
get is a "DROP: TTL too low" entry in the logs >:]

On the other hand, it may very well be very effective
against plenty of firewalls out there, based on what 
I've seen. People tend to do filtering FIRST and then
pass it to "route_ip()" or whatever, which does the
actual TTL decrement and check.

About a year ago, I talked to a couple of pen-testers 
about firewalk being able to detect hosts directly 
behind firewalls this way. One interesting side effect 
is that the firewall will have carried out address 
translation before passing it to the routing section, 
so the ICMP unreachable data passed back might contain 
private IPs.

If memory serves me, I think they said there was
some talk about this sort of firewalking on
defcon'99 (but don't take my word for it).

Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson () enternet se

On bosses and technology: "There are bosses who don't know, and there 
are bosses who don't know that they don't know" /Anonymous techie

For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]