Re: Firewall Scan



Greets,

Actually, I believe Fyodor dropped the Echo-Request probe in 4.x. nmap
simply hits TCP/80 with a SYN or ACK, depending on the version. Either
way, I don't think this is nmap getting confused, as hping produces similar
results and it never probes first.

IPv7,

Try setting some TCP options. A little trick I use with many clients (if
they are willing to run an open source firewall) is to filter out all
packets where the TCP header is 20 bytes. Every modern OS uses some
number of TCP options. The only time you see no options set is SYN
floods or port scanning.

HTH,
C

On Mon, 2009-06-29 at 10:25 -0300, Guilherme Alves wrote:
You should consider "-P0" to prevent ping before scan.
This can help with systems that block ping and mix up Nmap.


reference: [http://nmap.org/book/man-host-discovery.html]




On Wed, Jun 24, 2009 at 4:44 PM, IPv7 <listas.internet@xxxxxxxxx> wrote:

Hello Guys,

I was doing a normal TCP scan on port 5900 when I found a strange result:

First I did a normal TCP scan with Nmap

Onix:~# nmap -p 5900 x.x.x.x

Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:52 ART
Interesting ports on x.x.x.x:
PORT STATE SERVICE
5900/tcp closed vnc

Nmap done: 1 IP address (1 host up) scanned in 0.361 seconds

But... if I use telnet/nc on this port, they can connect:
Onix:~# telnet x.x.x.x 5900
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
RFB 003.003

^C
What? I can connect...
OK, I will perform a more detailed scan:

Onix:~# hping -S -p 5900 x.x.x.x
HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=x.x.x.x ttl=56 id=16854 sport=5900 flags=RA seq=0 win=512 rtt=2.6 ms
^C
--- x.x.x.x hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.6/2.6/2.6 ms

This host returns a Reset/ACK, which would be fine if the port were closed,
but I can connect to it.

WINDOWS SCAN:

Onix:~# nmap -sW -p 5900 x.x.x.x

Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:57 ART
Interesting ports on x.x.x.x:
PORT STATE SERVICE
5900/tcp open vnc

Nmap done: 1 IP address (1 host up) scanned in 0.051 seconds

OK, I will look at the TCP windows:
First I try to send a TCP packet with WIN=1

Onix:~# hping -S -w 1 -p 5900 x.x.x.x
HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8 ms
^C
--- x.x.x.x hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.8/7.8/7.8 ms

In most cases, shouldn't this host respond with its own suggested
window size?

Then I sent the same with WIN=4096

Onix:~# hping -S -w 4096 -p 5900 x.x.x.x
HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8 ms
^C
--- x.x.x.x hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.8/7.8/7.8 ms


I can't understand this!
Any ideas?


--
---------------------------------------
- Knowledge is power -
- and knowing makes us free. -
----------------------------------
netvulcano.wordpress.com
Linux User #405757
Machine Linux #310536

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




--
Guilherme Alves

GRIS - Grupo de Resposta a Incidentes de Segurança
(Computer Security Incident Response Team)
www.gris.dcc.ufrj.br
DCC - Departamento de Ciência da Computação
(Computer Science Department - UFRJ)
www.dcc.ufrj.br
UFRJ - Universidade Federal do Rio de Janeiro
(Federal University of Rio de Janeiro - Brazil)
www.ufrj.br







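The two technical points in this thread, C's "drop any SYN with a 20-byte TCP header" filter and the window-value test behind Nmap's -sW scan, are easy to check against real bytes. The script below is an added example written for this archive page; it is not code from the thread, from Nmap or from hping. It builds a handful of constructed TCP segments (a Linux-style SYN with MSS/SACK/timestamp/window-scale options, an optionless SYN like the one a raw-packet tool sends by default, and two RST/ACK replies with window 512 and window 0), parses the data offset and option list, and applies both classifications. Port numbers, window values and option layout are assumptions chosen to resemble the thread's output, not captures from it; the -sW rule (RST with a positive window is reported open, zero window closed, no RST filtered) is Nmap's documented behaviour for that scan type, which uses ACK probes.

```python
import struct

# TCP flag bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# sport, dport, seq, ack, data-offset/reserved, flags, window, checksum, urgent pointer
TCP_HDR = "!HHIIBBHHH"


def build_tcp(sport, dport, flags, window, options=b"", seq=0, ack=0):
    """Assemble a TCP header (constructed sample; checksum left as zero)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad with EOL bytes to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    header = struct.pack(TCP_HDR, sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)
    return header + options


def parse_tcp(segment):
    """Return the fields a scanner or firewall cares about: flags, window, header length, raw options."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum 20-byte TCP header")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    hdr_len = (off_res >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("data offset %d is inconsistent with segment length" % hdr_len)
    return {"sport": sport, "dport": dport, "flags": flags, "window": window,
            "header_len": hdr_len, "options": segment[20:hdr_len]}


def option_kinds(raw):
    """Walk the option list and return the kind numbers present (NOP included; EOL stops the walk)."""
    kinds, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:  # EOL: the rest is padding
            break
        if kind == 1:  # NOP carries no length byte
            kinds.append(1)
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        kinds.append(kind)
        i += raw[i + 1]
    return kinds


def is_bare_syn(segment):
    """C's filter: a SYN whose header is exactly 20 bytes carries no options at all."""
    p = parse_tcp(segment)
    return bool(p["flags"] & SYN) and p["header_len"] == 20


def firewall_decision(segment):
    """DROP the optionless SYNs, ACCEPT everything else (the policy C describes)."""
    return "DROP" if is_bare_syn(segment) else "ACCEPT"


def window_scan_state(reply):
    """Nmap -sW verdict for one probe: RST with positive window -> open, zero window -> closed, no RST -> filtered."""
    if reply is None:
        return "filtered"
    p = parse_tcp(reply)
    if not p["flags"] & RST:
        return "filtered"
    return "open" if p["window"] > 0 else "closed"


# Constructed samples (assumptions for this example, not captures from the thread).
# A SYN the way a typical Linux stack sends it: MSS 1460, SACK-permitted, timestamps, NOP, window scale 7.
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
NORMAL_SYN = build_tcp(40000, 5900, SYN, 5840, LINUX_OPTS)
# A SYN with no options, as a raw-packet tool sends by default (window value chosen arbitrarily).
BARE_SYN = build_tcp(40000, 5900, SYN, 64)
# Two RST/ACK replies of the kind hping printed: one with a positive window, one with a zero window.
RST_POSITIVE_WINDOW = build_tcp(5900, 40000, RST | ACK, 512)
RST_ZERO_WINDOW = build_tcp(5900, 40000, RST | ACK, 0)


if __name__ == "__main__":
    for name, seg in [("normal SYN", NORMAL_SYN), ("bare SYN", BARE_SYN)]:
        p = parse_tcp(seg)
        print("%-10s header=%2d bytes options=%s -> %s"
              % (name, p["header_len"], option_kinds(p["options"]), firewall_decision(seg)))
    for name, seg in [("win=512", RST_POSITIVE_WINDOW), ("win=0", RST_ZERO_WINDOW), ("no reply", None)]:
        print("RST/ACK %-8s -> -sW says %s" % (name, window_scan_state(seg)))
```

Running it prints the 40-byte Linux SYN with option kinds [2, 4, 8, 1, 3] as ACCEPT and the 20-byte SYN as DROP, then reports the window-512 reset as open, the window-0 reset as closed and a missing reply as filtered. The parser rejects a data offset that overruns the segment, which is the check a filter on header length has to make before trusting the value; the drop heuristic itself is C's claim about what legitimate stacks do, so on a real firewall it is worth logging matches for a while before enforcing them.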