Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Idle Scanning behind stateful firewalls
From: "uz - do not reply" <spam () verisign com>
Date: Fri, 26 Mar 2004 17:59:08 +0100

Hi Glyn, Your goal is perfectly understandable.
A long time ago I created a nmap patch for a very old nmap version that
allows to scan the Internet to find idle hosts and to perform idle host
scanning using ICMP packets (echo/reply) rather than SYN/ACK. This feature
could help you if the firewall allows icmp packets to the zombie and if it
doesn't perform an anti-spoofing protection (internal IPs knocking at the
external interface). IMHO, you should first validate that anti-spoofing is
not used by using the antirez hping tool manually.
My patch was published on the www.isecurelabs.com website.
I didn't advertise it on this list or anywhere else on the Internet because
of the very poor quality of the code (I wanted to make it more "clean"
before releasing it worldwide). Unfortunaly I haven't found/taken time to
achieve this goal.
I think idle host scanning is one of the most interesting scanning approach
because it makes it possible to perform an "internal" scanning (like what
you are trying to do) using only one reachable computer.
I'd be really interested in finding such a feature coded into nmap (idle
host scanning using icmp, SYN flagged or UDP packets)... Is there any good
soul with some free time out there ? ;)
Feel free to contact me (uzy at isecurelabs . com) if you want to have a
look at the patch file in order to produce something that could really be
called "code".

nmap () moiler com writes:
Hi Paul,
Yep - but if the zombie and target are behind the stateful firewall, then
nmap's SYNs could get through to the target, the target's SYN/ACKs would hit
the zombie and nmap's SYN's would get through the stateful firewall where
SYN/ACKs wouldn't. This one might need a picture! Glyn Geoghegan.
-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk] Sent: 26 March 2004 20:40
To: Glyn Geoghegan
Cc: nmap-dev () insecure org
Subject: Re: Idle Scanning behind stateful firewalls Glyn, For idle scan to work, SYN ACK packets from the target host must get through to the zombie. If these don't get through then the scan won't work, regardless of what packets nmap uses to probe the ipid on the zombie. Paul >But, because nmap uses a SYN/ACK, its probes get dropped by any stateful >devices (coz they aren't part of an active connection), preventing their use
>as zombies.
> >
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org

For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]