Subject: Re: firewalk meets nmap - TTL
From: Mikael Olsson (mikael.olsson enternet.se)
Date: Tue Nov 07 2000 - 13:54:21 CST
- Next message: Lance Spitzner: "Re: [fw-wiz] TTL, works with Cisco ACL's to :)"
- Previous message: Fyodor: "Re: firewalk meets nmap - TTL"
- In reply to: Lance Spitzner: "firewalk meets nmap - TTL"
- Reply: Mikael Olsson: "Re: firewalk meets nmap - TTL"
Hmmm.. Already replied to this on fw-wiz, but I suppose
people here could benefit from it as well.
Lance Spitzner wrote:
>
> I sent this off to the nmap-list, was wondering what
> all the firewall weenies on board here thought. :0
Hah. Try that through our contraptions and all you'll
get is a "DROP: TTL too low" entry in the logs >:]
On the other hand, it may very well be very effective
against plenty of firewalls out there, based on what
I've seen. People tend to do filtering FIRST and then
pass it to "route_ip()" or whatever, which does the
actual TTL decrement and check.
About a year ago, I talked to a couple of pen-testers
about firewalk being able to detect hosts directly
behind firewalls this way. One interesting side effect
is that the firewall will have carried out address
translation before passing it to the routing section,
so the ICMP unreachable data passed back might contain
private IPs.
If memory serves me, I think they said there was
some talk about this sort of firewalking on
defcon'99 (but don't take my word for it).
--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00 Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636 Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/ E-mail: mikael.olssonenternet.se
On bosses and technology: "There are bosses who don't know, and there are bosses who don't know that they don't know" /Anonymous techie
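A small Python model of the two pipeline orderings the post contrasts, added here as an illustration and not code from the thread or from any firewall product; the addresses, ports, NAT mapping and probe packets are constructed. It shows why "filter first, then route_ip()" answers a TTL-expiring probe differently for permitted and denied ports (and quotes the translated, private address in the ICMP error), while checking the TTL before the filter leaves only a local "DROP: TTL too low" log entry.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ttl: int

# Constructed policy: a public address statically translated to an internal
# host, with an ACL that permits only two ports through to it.
NAT = {"192.0.2.10": "10.0.0.10"}      # public -> private (constructed)
ALLOWED_PORTS = {80, 443}

def policy_permits(pkt: Packet) -> bool:
    return pkt.dst in NAT and pkt.dport in ALLOWED_PORTS

def filter_then_route(pkt: Packet) -> str:
    """The ordering the post describes: filter and NAT first, TTL in route_ip()."""
    if not policy_permits(pkt):
        return "DROP: policy"                  # nothing goes back to the sender
    inner = Packet(pkt.src, NAT[pkt.dst], pkt.dport, pkt.ttl)  # translated
    if inner.ttl - 1 <= 0:                     # route_ip(): decrement and check
        # The ICMP error quotes the already-translated header, so the sender
        # learns that the port is permitted and sees the private address.
        return f"ICMP time-exceeded quoting dst={inner.dst}"
    return "FORWARD"

def ttl_check_then_filter(pkt: Packet) -> str:
    """Ordering that yields the 'DROP: TTL too low' log entry for every probe."""
    if pkt.ttl <= 1:
        return "DROP: TTL too low"             # logged locally, nothing sent
    if not policy_permits(pkt):
        return "DROP: policy"
    return "FORWARD"

def observable(verdict: str) -> Optional[str]:
    """What the probing host can see on the wire; drops are invisible to it."""
    return None if verdict.startswith("DROP") else verdict

def leaks_policy(pipeline: Callable[[Packet], str]) -> bool:
    """True if TTL=1 probes to a permitted and a denied port differ to the sender."""
    permitted = Packet("198.51.100.5", "192.0.2.10", 80, 1)   # constructed probes
    denied = Packet("198.51.100.5", "192.0.2.10", 22, 1)
    return observable(pipeline(permitted)) != observable(pipeline(denied))

if __name__ == "__main__":
    print("filter_then_route leaks:", leaks_policy(filter_then_route))
    print("ttl_check_then_filter leaks:", leaks_policy(ttl_check_then_filter))
```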
--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help insecure.org . List run by ezmlm-idx (www.ezmlm.org).