Gents,
> To conclude this mail, I want to start a talk about the utility to
> fingerprint systems with these ICMP unreachables (if we get them, let's
> use them, it can't kill us). I worked a little on this topic and I still
> think it can "easily" be done.
>>Well one issue is that they are often sent by other machines rather
>>than the actual destination -- so fingerprinting that doesn't help.
>>In some cases, filters can even forge the packets to make them look
>>like they came from the destination host. And even when the packets
>>really do come from target host, the actual packets may depend on the
>>firewalling software being used. On Solaris, ipf and firewall-1 may
>>send different "destination prohibited by filter" ICMP messages. And
>>vice versa: ipf may send the same packet whether it is running on
>>Solaris or Linux. I haven't done a whole lot of experimentation, but
>>those are the risks that come to mind. This is one reason that Nmap
>>is pretty picky about what kinds of ICMP messages are used for
>>fingerprints.
Using the ICMP error message received from a different IP (you can
actually understand that when you are scanning), and analyzing the
severity of the error message and its meaning (port unreachable is not
like administratively prohibited), you can try to guess the firewall's own
IP stack according to the ICMP error message and the fingerprints it
leaves in the error message it generates.
You can also detect that something is suspicious when you use TCP and
see some fingerprints, and when using ICMP you see other
fingerprints. This happens when certain protocols are diverted to
another place and do not reach the targeted host.
So there is a lot to understand here, and to analyze.
Ofir Arkin [ofir_at_sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
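The two checks the thread keeps coming back to (does the ICMP error really come from the probed host, and is it a plain "port unreachable" or an administratively-prohibited code that points at a filter) can be made mechanical. The following is an added example, not code from the thread or from Nmap; it parses a raw IPv4/ICMP destination-unreachable datagram and the embedded original header, and the sample packet, addresses and ports are constructed for illustration.

```python
import ipaddress
import struct

# ICMP type 3 (destination unreachable) codes discussed in the thread.
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

def parse_ipv4_header(buf):
    """Return (src, dst, protocol, header length) for the IPv4 header at buf[0:]."""
    ihl = (buf[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, buf[9], ihl

def classify_icmp_unreachable(packet, probed_target):
    """Say who sent the ICMP error, what it means, and whether it came from the probed host."""
    src, _dst, proto, ihl = parse_ipv4_header(packet)
    if proto != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not a destination unreachable message")
    # Bytes 8.. of the ICMP message quote the original IP header + 8 bytes of payload.
    inner = icmp[8:]
    _isrc, idst, _iproto, iihl = parse_ipv4_header(inner)
    orig_dport = struct.unpack("!H", inner[iihl + 2:iihl + 4])[0]
    return {
        "icmp_source": src,            # who actually generated the error
        "original_dst": idst,          # the host the probe was sent to
        "original_dport": orig_dport,
        "meaning": UNREACH_CODES.get(code, f"code {code}"),
        "filtered": code in (9, 10, 13),   # filter-style codes, not a real closed port
        "from_target": src == probed_target,  # False: an intermediate device answered
    }

def build_ipv4_header(src, dst, proto, total_len):
    """Minimal IPv4 header (checksum left zero; parsing only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

# Constructed sample: a filter at 10.0.0.254 answers a TCP/23 probe aimed at 10.0.0.5
# with "communication administratively prohibited" (code 13); scanner is 192.0.2.10.
SAMPLE = (build_ipv4_header("10.0.0.254", "192.0.2.10", 1, 56)
          + struct.pack("!BBHI", 3, 13, 0, 0)
          + build_ipv4_header("192.0.2.10", "10.0.0.5", 6, 40)
          + struct.pack("!HHI", 40000, 23, 0))
```

A result with `from_target` False or `filtered` True is one that should not be used as a fingerprint of the probed host, which is exactly the caution raised above.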
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Oct 24 2001