Security Basics mailing list archives

Re: Nmap, Firewall Testing, Idlescan?


From: david kuhlman <david.kuhlman () gmail com>
Date: Thu, 3 Feb 2005 10:06:45 -0500

That doesn't seem to make much sense.  At first glance, I would guess
the Idlescan isn't working because the zombie you are trying to use
doesn't have easily guessable sequence numbers.  But nmap shouldn't be
sending out packets straight to 1.2.5.1 if 1.2.4.1 isn't a good
zombie.  Look at this for more info on seq number attacks:
http://lcamtuf.coredump.cx/newtcp/

David


On Wed, 02 Feb 2005 14:22:27 -0800 (PST), j_goodman00 () yahoo co uk
<j_goodman00 () yahoo co uk> wrote:


Hi,

I have a couple of routers at various sites which include firewalls & I would like to use nmap to test them.

I have been experimenting with idlescans in an attempt to fool the firewall, but have been unsuccessful & am unsure if this is the firewall working, or me failing! :)

I am attempting to 'bounce' the scans off another computer of mine on a different connection:

e.g.
MyIP is 1.2.3.1
BounceIP is 1.2.4.1
TargetIP is 1.2.5.1
nmap -T5 -v -P0 -sI 1.2.4.1 1.2.5.1

When I look at the firewall logs they show logs along the lines of the following:
Source 1.2.3.1 Destination:1.2.5.1

Does this mean the firewall is working & successfully filtering the spoofed IP packets, or am I doing something wrong?

Cheers,

James
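
An added example, not part of either message and not nmap's own code: idle scan infers port state from the zombie's IP ID counter, so an administrator can check whether one of their own hosts exposes a predictable counter by classifying IP ID values sampled from its replies. The sample values, the `max_step` threshold and the class names are assumptions made for this sketch.

```python
# Added example: classify a run of 16-bit IP ID values observed from one host.
# Inputs are plain integers taken from a packet capture; nothing is sent.

def ipid_deltas(samples):
    """Differences between consecutive IP IDs, allowing 16-bit wraparound."""
    return [(b - a) % 65536 for a, b in zip(samples, samples[1:])]

def byteswap16(value):
    """Swap the two bytes of a 16-bit value (host wrote it little-endian)."""
    return ((value & 0xFF) << 8) | (value >> 8)

def classify_ipid(samples, max_step=10):
    """Return a label describing how predictable the IP ID sequence is.

    max_step is an assumed bound on how far a global counter advances
    between two probes on a quiet host.
    """
    if len(samples) < 3:
        raise ValueError("need at least 3 samples")
    if any(not 0 <= s <= 0xFFFF for s in samples):
        raise ValueError("IP ID values are 16-bit")
    if all(s == 0 for s in samples):
        return "all-zero"
    deltas = ipid_deltas(samples)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= max_step for d in deltas):
        return "incremental"
    swapped = ipid_deltas([byteswap16(s) for s in samples])
    if all(1 <= d <= max_step for d in swapped):
        return "byte-swapped-incremental"
    return "unpredictable"

def exposes_predictable_ipid(samples):
    """True when the host leaks a counter an idle scan could rely on."""
    return classify_ipid(samples) in ("incremental", "byte-swapped-incremental")

if __name__ == "__main__":
    # Constructed samples, one list per hypothetical host.
    hosts = {
        "counter with wraparound": [65533, 65534, 65535, 0, 1],
        "little-endian counter": [0xFE01, 0xFF01, 0x0002, 0x0102],
        "randomized": [51234, 1022, 40311, 7, 29999],
        "zeroed": [0, 0, 0, 0],
    }
    for name, ids in hosts.items():
        print(f"{name}: {classify_ipid(ids)}")
```

A host reported as `incremental` or `byte-swapped-incremental` is the kind that works as a zombie; the other classes match the "not a good zombie" case discussed in the reply.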


