Security Basics mailing list archives

Re: Nmap, Firewall Testing, Idlescan?


From: "Times Enemy" <times () krr org>
Date: Thu, 3 Feb 2005 11:51:24 -0700 (MST)

Greetings.

What is nmap telling you during/after the scan?  To find out, it may help
if you use the verbose option(s).  From the nmap man page:

-------------------------------------------------
-v     Verbose mode.  This is a highly recommended option and it gives out
       more information about what is going on.  You can use it twice for
       greater effect.  You can also use -d a few times if you really want
       to get crazy with scrolling the screen!
-------------------------------------------------

Are you sniffing all network traffic to see what all is transpiring?  I
suggest you do this as well.

Another thing to keep in mind is the use of the -P0 option, to ensure the
initial ping is not sent.

#man nmap

&

http://www.insecure.org/nmap/idlescan.html

ciao
.te


That doesn't seem to make much sense.  At first glance, I would guess
the Idlescan isn't working because the zombie you are trying to use
doesn't have easily guessable sequence numbers.  But nmap shouldn't be
sending out packets straight to 1.2.5.1 if 1.2.4.1 isn't a good
zombie.  Look at this for more info on seq number attacks:
http://lcamtuf.coredump.cx/newtcp/

David


On Wed, 02 Feb 2005 14:22:27 -0800 (PST), j_goodman00 () yahoo co uk
<j_goodman00 () yahoo co uk> wrote:


Hi,

I have a couple of routers at various sites which include firewalls & I
would like to use nmap to test them.

I have been experimenting with idlescans in an attempt to fool the
firewall, but have been unsuccessful & am unsure if this is the firewall
working, or me failing! :)

I am attempting to 'bounce' the scans off another computer of mine on a
different connection:

e.g.
MyIP is 1.2.3.1
BounceIP is 1.2.4.1
TargetIP is 1.2.5.1
nmap -T5 -v -P0 -sI 1.2.4.1 1.2.5.1

When I look at the firewall logs they show logs along the lines of the
following:
Source 1.2.3.1 Destination:1.2.5.1

Does this mean the firewall is working & successfully filtering the
spoofed IP packets, or am I doing something wrong?

Cheers,

James
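A defender-side check of the point David raises above (an idle scan only works when the zombie's IP ID sequence is predictable), added here as an example and not code from the thread or from nmap: it classifies a series of IP IDs observed from one host so you can find machines on your own network that would be usable as zombies. The sample sequences are constructed and the thresholds are this script's own assumptions.

```python
# Classify a host's IP ID sequence to judge whether it could be abused as an
# idle-scan zombie. Added example; thresholds are assumptions, not nmap's.

MODULUS = 1 << 16  # the IP ID field is 16 bits wide


def ipid_deltas(ids):
    """Differences between consecutive IP IDs, modulo 2^16 (handles wrap)."""
    return [(b - a) % MODULUS for a, b in zip(ids, ids[1:])]


def byte_swap16(value):
    """Swap the two bytes of a 16-bit value; some stacks emit the counter
    little-endian, so the increment only shows after swapping."""
    return ((value & 0xFF) << 8) | (value >> 8)


def classify_ipid_sequence(ids):
    """Return a label for the IP ID pattern seen in a series of replies.

    Labels (this script's own heuristic): 'all-zeros', 'constant',
    'incremental', 'broken-le-incremental', 'positive-increments', 'random'.
    """
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    if all(i == 0 for i in ids):
        return "all-zeros"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= 10 for d in deltas):
        return "incremental"
    swapped = ipid_deltas([byte_swap16(i) for i in ids])
    if all(1 <= d <= 10 for d in swapped):
        return "broken-le-incremental"
    # Steps that never wrap look like a busy counter rather than a random one;
    # the host's own traffic would mask probe-induced increments anyway.
    if all(d < 20000 for d in deltas):
        return "positive-increments"
    return "random"


def usable_as_zombie(ids):
    """True when the pattern is predictable enough for an idle scan to rely on,
    i.e. exactly the hosts a defender should fix or isolate."""
    return classify_ipid_sequence(ids) in ("incremental", "broken-le-incremental")


# Constructed samples: an idle host with a global counter, and one that wraps.
IDLE_HOST = [100, 101, 102, 103, 104]
WRAPPING_HOST = [65534, 65535, 0, 1]
```

Feed it IP IDs collected from replies to your own probes against a host you administer; a result of `incremental` means that host is a candidate for remediation.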

