lancespitzner.net

• Next message: Ofir Arkin: "RE: firewalk meets nmap - TTL"
• Previous message: nmap-hackers-helpinsecure.org: "ezmlm warning"
• Next in thread: Ofir Arkin: "RE: firewalk meets nmap - TTL"
• Reply: Ofir Arkin: "RE: firewalk meets nmap - TTL"
• Reply: Fyodor: "Re: firewalk meets nmap - TTL"
• Reply: Mikael Olsson: "Re: firewalk meets nmap - TTL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I'm not sure if anyone has thought of this, but this
would be a REALLY cool feature for auditing firewall
rulebases. Say you want to determine what ports a
firewall allows through, what ports are NOT filtered.

Have the option with nmap to set the TTL on the packets
it sends. I set the TTL to be the same as the amount
of hops to the firewall I am scanning. If the packet is
filtered by the firewall, then it is dropped and nothing
is sent back.

However, if the packet is accepted by the firewall (and
the port is not filtered), the firewall will attempt to
forward it. However, the TTL will now be zero and the
firewall will respond with ICMP TTL expired error message.
You can now map what ports are passed through the firewall
(i.e not filtered) without a packet ever passing through the
firewall.

firewalk meets nmap

thoughts?

-- 
Lance Spitzner
http://www.enteract.com/~lspitz
--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-helpinsecure.org . List run by ezmlm-idx (www.ezmlm.org).

• Next message: Ofir Arkin: "RE: firewalk meets nmap - TTL"
• Previous message: nmap-hackers-helpinsecure.org: "ezmlm warning"
• Next in thread: Ofir Arkin: "RE: firewalk meets nmap - TTL"
• Reply: Ofir Arkin: "RE: firewalk meets nmap - TTL"
• Reply: Fyodor: "Re: firewalk meets nmap - TTL"
• Reply: Mikael Olsson: "Re: firewalk meets nmap - TTL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]