Re: [fw-wiz] result question

From: franco segna (fsegna_at_web.de)
Date: 08/28/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 28 Aug 2003 21:27:47 +0200
    
    

    rmck wrote:

    >Hello,
    >
    >I was wondering if someone could explain to me why the tool (nmap) gives the
    >following results. Is it really getting through my firewalls??
    >
    >I have a mysql (port 3306) machine that is behind two firewalls (both
    >netscreens).
    >
    >I run nmap from home (3 scans), outside of all the firewalls, as so:
    >
    >First A:
    >nmap -sT -P0 -p 3306 -T 3 111.111.111.111
    >Result A:
    >Starting nmap V. 3.0 ( www.insecure.org/nmap )
    >Interesting ports on mach.com.com (111.111.111.111):
    >Port State Service
    >3306/tcp filtered mysql
    >
    >Nmap run completed -- 1 IP address (1 host up) scanned in 38 seconds
    >
    >I feel I understand these results nmap labels a port as "filtered" if it
    >does not receive either a
    >SYN-ACK or a RST in response to a SYN packet.
    >A -sT scan sends a SYN.
    >
    >But these last two just get me....
    >
    >B:
    >nmap -sF -P0 -p 3306 -T 3 111.111.111.111
    >Result B:
    >Starting nmap V. 3.0 ( www.insecure.org/nmap )
    >Interesting ports on mach.com.com (111.111.111.111):
    >Port State Service
    >3306/tcp open mysql
    >
    >Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds
    >
    >What's happening here?? Nothing shows in my firewall logs?? Is it really
    >getting through? Or is it assuming it's open because it gets no response??
    >
    >C:
    >nmap -sU -P0 -p 3306 -T 3 111.111.111.111
    >Result C:
    >Starting nmap V. 3.0 ( www.insecure.org/nmap )
    >Interesting ports on mach.com.com (111.111.111.111):
    >Port State Service
    >3306/udp open unknown
    >
    >Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds
    >
    >So reading on nmap pages I got this "UDP scanning (-sU) in NMAP has the
    >same problem as FIN scans in that packet filtered ports will turn up as being
    >open ports."
    >
    >So am I correct in thinking nmap is assuming a port is opened if no
    >response is given.
    >
    >Or does nmap get through without being logged??
    >
    >Thank you for your time, and any input you can give me ...
    >
    >Ron
    >
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    >
    >
    The U scan sends a UDP packet to port 3306. If the packet is
    dropped by one (or both) of the firewalls, or if the target does not respond
    with an ICMP "port unreachable" message, or if one (or both) of the firewalls
    doesn't let the ICMP message out, nmap can only assume that port 3306 is
    open and behaves according to the man page.
    The same reasoning applies to the FIN scan.
    But if the T scan (TCP connect) gives the answer "filtered", we should
    assume that the packet is being rejected by one of the firewalls.
    I don't see anything strange, but I'm only a newbie. UDP and FIN scans
    should be used for specific purposes.

    Franco
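
The reasoning in this reply as a small model, added here as an example and not part of the original thread: it follows each probe past the firewalls and applies the nmap 3.0 labels quoted above. The function names and the `inbound` / `icmp_out` parameters are assumptions made for the illustration.

```python
# Added example (simplified model, not nmap source). Labels follow nmap 3.0 as
# described in this thread; later Nmap releases report the silent case as "open|filtered".

def host_reply(scan, port_open):
    """Reply of the target host itself if the probe reaches it."""
    if scan == "connect":                       # -sT: SYN probe
        return "SYN-ACK" if port_open else "RST"
    if scan == "fin":                           # -sF: an open port ignores a stray FIN
        return None if port_open else "RST"
    if scan == "udp":                           # -sU: a closed port sends ICMP port unreachable
        return None if port_open else "ICMP-unreachable"
    raise ValueError(f"unknown scan type: {scan}")

def observe(scan, port_open, inbound="allow", icmp_out=True):
    """What arrives back at the scanner after the firewalls.
    inbound='drop' silently discards the probe; icmp_out=False blocks outgoing ICMP errors."""
    if inbound == "drop":
        return None
    reply = host_reply(scan, port_open)
    if reply == "ICMP-unreachable" and not icmp_out:
        return None
    return reply

def nmap3_state(scan, reply):
    """Port state nmap 3.0 prints for a given observation."""
    if scan == "connect":
        return {"SYN-ACK": "open", "RST": "closed", None: "filtered"}[reply]
    return "open" if reply is None else "closed"   # FIN/UDP: silence is read as open

def report(port_open, **path):
    """States for the three scans in the thread over one network path."""
    return {s: nmap3_state(s, observe(s, port_open, **path))
            for s in ("connect", "fin", "udp")}

def tells_open_from_closed(scan, **path):
    """True only if the scan result differs between an open and a closed port."""
    return (nmap3_state(scan, observe(scan, True, **path))
            != nmap3_state(scan, observe(scan, False, **path)))

if __name__ == "__main__":
    print(report(True, inbound="drop"))                    # same labels as results A, B, C
    print(report(False, inbound="drop"))                   # identical: the host is never reached
    print(report(False, inbound="allow", icmp_out=False))  # closed UDP port shown as open
```

With a silently dropping filter in the path, the FIN and UDP labels are the same whether the port behind it is open or closed, so the firewall log, not the scan output, is the evidence of what got through.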
