Nmap Development mailing list archives

Internal network scan
From: John Richard Moser <nigelenki () comcast net>
Date: Tue, 04 Dec 2007 13:17:11 -0500

In doing an idle scan I was wondering how to get inside the network with 
a port scan.  Here is basically what I had:

{Me} ----- {idle server} ----- {gw}

I hit the inet_target with an idle scan, and through really bad banners 
I managed to find the internal address (and guess the gateway) for the 
idle server I was using.

What I want to do is bounce packets off the internal gateway (and, of 
course, everything else) and find out wtf is going on in there.  So for 

{Me} ---[SYN s:gw d:idl]--> {idl} ---[SYN/ACK]--> {gw}

{Me} ---[ACK s:gw d:idl]--> {idl} ---[WTF/RST]--> {gw}

I think the most you could accomplish here is...

  - Non-existent machines will not send replies on anything

  - Live machines will send a RST

  - Unfiltered ports will send RST

  - Filtered ports will send nothing

The question of course is how does the ipid change with this?  RST does 
nothing... I can't think of another way to irritate the internal network 
and figure out how it's responding.
Bring back the Firefox plushy!

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
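The question above turns on whether the idle server's IP ID counter is predictable at all: a host that increments a single global counter on every packet it sends is the one that leaks information, and the fix is a stack that randomises (or zeroes) the field. As an added example, not from the original post or from Nmap, the following classifies the IP ID pattern in a sample of a host's own replies, the check a defender runs on their own machines; the sample sequences and the step threshold are constructed.

```python
"""Classify how a host generates IP IDs from a sample of its replies.

Added example (not from the original post or Nmap). Feed it the IP ID
values pulled from a capture of one host's outbound packets, in order.
A host whose IP IDs step by a small constant exposes a global packet
counter, which is exactly the property an idle scan relies on.
"""
from typing import Sequence

# Constructed threshold: steps larger than this are treated as not being
# a plain counter. Nmap uses its own, different heuristics.
MAX_COUNTER_STEP = 10


def ipid_deltas(ids: Sequence[int]) -> list[int]:
    """Differences between consecutive IP IDs, modulo the 16-bit field,
    so a counter that wraps 0xffff -> 0x0000 still reads as a step of 1."""
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: Sequence[int]) -> str:
    """Return 'zero', 'incremental' or 'random' for the observed sequence."""
    if len(ids) < 3:
        raise ValueError("need at least three IP ID samples")
    if all(i == 0 for i in ids):
        return "zero"            # stack sends ID 0 (common with DF set)
    deltas = ipid_deltas(ids)
    if all(1 <= d <= MAX_COUNTER_STEP for d in deltas):
        return "incremental"     # global counter leaks through the field
    return "random"              # per-packet randomisation, no usable counter


def leaks_ipid_counter(ids: Sequence[int]) -> bool:
    """True when the host exposes a predictable counter and should be fixed."""
    return classify_ipid(ids) == "incremental"


# Constructed samples standing in for captured IP ID values.
COUNTER_HOST = [0x1A2B + i for i in range(8)]
WRAPPING_HOST = [0xFFFE, 0xFFFF, 0x0000, 0x0001]
ZERO_HOST = [0] * 8
RANDOM_HOST = [0x3F21, 0x9C04, 0x0E77, 0xD1A8, 0x5B3C, 0x22EF, 0xA0D9, 0x7E16]

if __name__ == "__main__":
    for name, ids in [("counter", COUNTER_HOST), ("wrapping", WRAPPING_HOST),
                      ("zero", ZERO_HOST), ("random", RANDOM_HOST)]:
        print(f"{name:9s} {classify_ipid(ids):12s} leaks={leaks_ipid_counter(ids)}")
```

A busy host also talks to other peers between your samples, so steps larger than 1 on an otherwise counting host are expected; the threshold absorbs that noise rather than treating it as randomisation.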
