Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Internal network scan
From: John Richard Moser <nigelenki () comcast net>
Date: Tue, 04 Dec 2007 13:17:11 -0500

In doing an idle scan I was wondering how to get inside the network with 
a port scan.  Here is basically what I had:


{Me} ----- {idle server} ----- {10.68.19.1 gw}
             /
            /
{inet_target}

I hit the inet_target with an idle scan, and through really bad banners 
I managed to find the internal address (and guess the gateway) for the 
idle server I was using.

What I want to do is bounce packets off the internal gateway (and, of 
course, everything else) and find out wtf is going on in there.  So for 
example:


{Me} ---[SYN s:gw d:idl]--> {idl} ---[SYN/ACK]--> {gw}
                                   <--[WTF/RST]--

{Me} ---[ACK s:gw d:idl]--> {idl} ---[WTF/RST]--> {gw}

I think the most you could accomplish here is...


  - Non-existent machines will not send replies on anything

  - Live machines will send a RST

  - Unfiltered ports will send RST

  - Filtered ports will send nothing

The question of course is how does the ipid change with this?  RST does 
nothing... I can't think of another way to irritate the internal network 
and figure out how it's responding.
-- 
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
  • Internal network scan John Richard Moser (Dec 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]