Nmap Development mailing list archives

RE: Nmap and Watchguard firewalls
From: "Alex R" <alex () deviousmeans net>
Date: Tue, 24 May 2005 23:19:51 +0200

What about ingress? The firewall could be touching the responses from the
server which is what nmap analyzes. It does not analyze the outgoing packets
because it knows what is in them, it just built them.

-----Original Message-----
From: agiles () server2 eukdns com [mailto:agiles () server2 eukdns com] On
Behalf Of Kern, Tom
Sent: Tuesday, May 24, 2005 8:30 PM
To: Matthew Heine
Cc: 'Nmap-Dev (E-mail); Jorge Luis Jimenez
Subject: RE: Nmap and Watchguard firewalls

I'm passing packets out.
The watchguard doesn't do any egress deep packet analysis like that.
Thanks


Matthew Heine wrote:
OS detection depends on response to invalid packets.  Some firewalls,
and other network utilities do not pass invalid packets through.
Therefore whatever response nmap gets is from the firewall.

Kern, Tom wrote:

I'm sorry, I don't think I'm being clear here.


I want to know WHY nmap seems to fingerprint the firewall when I'm
scanning any host outside the firewall? I'm not running any kind of
proxy. I'd like to know why this happens.

Besides, turning off the firewall for the duration of a scan seems
risky to me...


Jorge Luis Jimenez wrote:


Proved with -sS why you can't disable the fw you are the
administrator right?

Jorge Luis Jimenez
Tech and Network Support
SIASoft
Santo Domingo, Republica Dominicana
Ofic.809-530-7638, Cel.809-304-1660 Fax.809-537-6603
Email   j.jimenez () siasoft net
Email   jorgel.jimenez () gmail com

-----Original Message-----
From: Kern, Tom [mailto:tkern () CHARMER COM]
Sent: Tuesday, May 24, 2005 1:33 PM
To: Jorge Luis Jimenez
Subject: RE: Nmap and Watchguard firewalls

I want to know the technical reason why when I do a scan with nmap
from behind a Watchguard firewall, I don't get the host I'm scanning
but the attributes of the firewall instead?
Is this Watchguard or nmap?
Why is it happening?
Thanks

Jorge Luis Jimenez wrote:


What is it that you really want?

Jorge Luis Jimenez
Tech and Network Support
SIASoft
Santo Domingo, Republica Dominicana
Ofic.809-530-7638, Cel.809-304-1660 Fax.809-537-6603
Email   j.jimenez () siasoft net
Email   jorgel.jimenez () gmail com

-----Original Message-----
From: Kern, Tom [mailto:tkern () CHARMER COM]
Sent: Tuesday, May 24, 2005 11:44 AM
To: Jorge Luis Jimenez
Subject: RE: Nmap and Watchguard firewalls

I can't disable my FW just to port scan a host.
Do you or anyone know why this occurs?
Thanks


Jorge Luis Jimenez wrote:


I have more or less the same problem, but I have ISA Server. I disable
the ISA Server and nmap works and shows me my open port.

Jorge Luis Jimenez
Tech and Network Support
SIASoft
Santo Domingo, Republica Dominicana
Ofic.809-530-7638, Cel.809-304-1660 Fax.809-537-6603
Email   j.jimenez () siasoft net
Email   jorgel.jimenez () gmail com

-----Original Message-----
From: Kern, Tom [mailto:tkern () CHARMER COM]
Sent: Tuesday, May 24, 2005 11:31 AM
To: Jorge Luis Jimenez
Subject: RE: Nmap and Watchguard firewalls

Sorry, I only speak English.
My apologies



Jorge Luis Jimenez wrote:


Please contact me at j.jimenez () siasot net, not by Hotmail.com, if
you speak Spanish better

Jorge Luis Jimenez
Tech and Network Support
SIASoft
Santo Domingo, Republica Dominicana
Ofic.809-530-7638, Cel.809-304-1660 Fax.809-537-6603
Email   j.jimenez () siasoft net
Email   jorgel.jimenez () gmail com
-----Original Message-----
From: nmap-dev-bounces () insecure org
[mailto:nmap-dev-bounces () insecure org] On Behalf Of Kern, Tom
Sent: Tuesday, May 24, 2005 9:16 AM
To: nmap-dev () insecure org
Subject: Nmap and Watchguard firewalls

Hi. I don't know if this is the appropriate place to send this
email so I apologize in advance.

I have an issue where I'm running an nmap scan against my
internet router (Cisco). This router sits in front of a
Watchguard Firebox X firewall. Whenever I run the scan, the
fingerprint that I get back is the Watchguard itself. This
happens when I run it against my home network (or any host
outside the firewall). It always comes back as Watchguard.

I run nmap with the -vv sS -O switches against the IP of the
host.

I've run nmap from a Windows XP SP1 box and a RedHat Enterprise
Linux box. Same result.

Also, the Linux box is not NAT/PATed by the firewall or router.
The router does no NAT. The firewall is running an SMTP and DNS
proxy. All the other services are stateful packet inspection.
Watchguard has been silent on the issue but it seems the Firebox
X is doing some rewriting but I can't tell for sure.
When I run ethereal from the nmap host, I can see the packets
going to the destination ok. However, at the router, when I run
a packet filter, I see nothing going to the destination I'm
nmaping or the source nmap host.

I was wondering if you knew of any issues with nmap and
Watchguard. I apologize again if this is the wrong place to
email this or for wasting your time.

Thank you



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
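
The two-capture comparison described in the original message (probes visible at the scan host, nothing visible at the router), worked through as an added example that is not part of the thread. The addresses, ports, flag combinations and both capture lists are constructed for illustration; `classify` and `summary` are hypothetical helper names.

```python
from collections import Counter, namedtuple

Pkt = namedtuple("Pkt", "src dst sport dport flags")
SCANNER, TARGET = "192.0.2.10", "198.51.100.1"  # documentation addresses (assumed)

# Constructed capture taken on the scan host: probes going out, replies coming in.
HOST_CAPTURE = [
    Pkt(SCANNER, TARGET, 40001, 80, "S"),     # ordinary SYN
    Pkt(TARGET, SCANNER, 80, 40001, "SA"),
    Pkt(SCANNER, TARGET, 40002, 80, ""),      # no flags set (invalid)
    Pkt(TARGET, SCANNER, 80, 40002, "RA"),
    Pkt(SCANNER, TARGET, 40003, 80, "SFPU"),  # invalid flag combination
    Pkt(SCANNER, TARGET, 40004, 80, "A"),     # ACK with no connection state
    Pkt(TARGET, SCANNER, 80, 40004, "R"),
]
# Constructed capture taken at the router on the far side of the firewall.
ROUTER_CAPTURE = [
    Pkt(SCANNER, TARGET, 40001, 80, "S"),
    Pkt(TARGET, SCANNER, 80, 40001, "SA"),
]

def classify(host_cap, router_cap, scanner=SCANNER, target=TARGET):
    """Map (source port, flags) of each probe to what happened to it on the path."""
    at_router = set(router_cap)
    # Replies seen on the scan host, keyed as (probe sport, probe dport).
    replied = {(p.dport, p.sport) for p in host_cap
               if p.src == target and p.dst == scanner}
    verdicts = {}
    for p in host_cap:
        if (p.src, p.dst) != (scanner, target):
            continue  # not an outgoing probe
        forwarded = p in at_router
        answered = (p.sport, p.dport) in replied
        if forwarded:
            verdict = "forwarded" if answered else "forwarded-no-reply"
        else:
            verdict = "answered-in-path" if answered else "dropped-in-path"
        verdicts[(p.sport, p.flags)] = verdict
    return verdicts

def summary(verdicts):
    """Count probes per verdict."""
    return Counter(verdicts.values())

if __name__ == "__main__":
    for (sport, flags), v in sorted(classify(HOST_CAPTURE, ROUTER_CAPTURE).items()):
        print(f"probe sport={sport} flags={flags or 'none'}: {v}")
```

Assuming a single path between the two capture points, a reply to a probe the router never saw came from a device between them, so a fingerprint built from those replies describes that device rather than the target.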




