From: Darren Reed (avalon@coombs.anu.edu.au)
Date: Tue Apr 02 2002 - 20:13:26 CST
In some mail from Phil, sie said:
[...]
> * A new(?) type of scan :
> Well, I've never seen any references to this technique nor have I heard
> anybody speaking about it, so I imagine I have the privilege to give it
> a name. I've chosen the TTL scan. (Please correct me if I'm wrong).
This has been talked about before, although I'm not sure where.
To counter this, IPFilter can enforce a "minimum ttl" for all packets
transiting it. This is not yet available on a per-rule basis, rather
you have to decide something like "I expect all packets to have a ttl
of at least 4 to reach any publicly accessible systems". I don't know
whether it came up on bugtraq or elsewhere, but the idea dates back to
at least December 2000.
> We can get those types of results :
>
> ./nmap -sS mymachine -p 22,23,666,667 -t 9
>
> Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
> Interesting ports on AMontsouris-103-1-1-86.abo.wanadoo.fr (193.252.8.86):
> Port State Service
> 22/tcp open ssh
> 23/tcp filtered telnet
> 666/tcp UNfiltered unknown DNAT to 192.168.8.10:22
> 667/tcp UNfiltered unknown DNAT to 192.168.26.10:22
mmm, be nice if you could identify what sort of buggy firewall they are
running that returns untranslated addresses in the ICMP error message :)
God knows I've had enough trouble keeping that right!
Darren
--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help@insecure.org. List run by ezmlm-idx (www.ezmlm.org).
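The following is an added example, not code from Darren, Phil, nmap or IPFilter. It works through what the thread describes: a TTL scan sends one SYN per port with a TTL that expires at the firewall and one with a normal TTL; a firewall that forwards the low-TTL probe has to answer with ICMP Time Exceeded (unfiltered), a firewall that drops it stays silent (filtered), and a firewall that forgets to un-translate the quoted header before sending the ICMP error leaks the DNAT target, as in Phil's 666/667 lines. It also models the minimum-TTL countermeasure Darren mentions, with assumed semantics (drop anything arriving below the threshold). The scanner address 10.0.0.5, the three-hop distance to the firewall and all replies are constructed, not captured traffic; only the target and DNAT addresses come from the quoted nmap run.

```python
"""TTL scan interpretation: ICMP Time Exceeded parsing plus port classification.

Added example, not code from the thread. Replies are constructed in scan_table().
"""
import socket
import struct

IPPROTO_TCP = 6
ICMP_TIME_EXCEEDED = 11


def ipv4_header(src, dst, proto, ttl, total_len):
    """20-byte IPv4 header; checksum left 0 because nothing here hits the wire."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def icmp_time_exceeded(quoted_ip_header, quoted_l4):
    """ICMP type 11 code 0: 8-byte header, then the expired IP header + 8 L4 bytes."""
    return struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + quoted_ip_header + quoted_l4[:8]


def parse_icmp_time_exceeded(icmp):
    """Return (quoted_dst_ip, quoted_dst_port) from an ICMP Time Exceeded message."""
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to quote an IPv4 header")
    if icmp[0] != ICMP_TIME_EXCEEDED:
        raise ValueError("not an ICMP Time Exceeded message (type %d)" % icmp[0])
    inner = icmp[8:]
    if inner[0] >> 4 != 4:
        raise ValueError("quoted packet is not IPv4")
    ihl = (inner[0] & 0x0F) * 4
    dst = socket.inet_ntoa(inner[16:20])
    if inner[9] != IPPROTO_TCP or len(inner) < ihl + 4:
        return dst, None
    _sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return dst, dport


def classify_port(probe_dst, probe_port, low_ttl_reply, full_ttl_reply):
    """Combine both probes' replies into an nmap-style state plus any DNAT leak.

    Replies are None (silence), ("tcp", flags) or ("icmp", raw_icmp_bytes).
    """
    result = {"state": "filtered", "dnat": None}
    if low_ttl_reply is not None and low_ttl_reply[0] == "icmp":
        quoted_dst, quoted_port = parse_icmp_time_exceeded(low_ttl_reply[1])
        result["state"] = "unfiltered"          # the firewall forwarded it
        if (quoted_dst, quoted_port) != (probe_dst, probe_port):
            result["dnat"] = (quoted_dst, quoted_port)   # untranslated quote
    if full_ttl_reply is not None and full_ttl_reply[0] == "tcp":
        flags = full_ttl_reply[1]
        if "S" in flags and "A" in flags:
            result["state"] = "open"
        elif "R" in flags:
            result["state"] = "closed"
    return result


def enforce_min_ttl(probe_ttl, min_ttl, reply):
    """Defender side, modelled on the minimum-TTL rule from the thread (assumed
    semantics: any packet arriving with TTL below min_ttl is dropped). A drop
    means no ICMP error, so the low-TTL probe no longer separates filtered
    from unfiltered; the cost is that genuinely low-TTL traffic is lost too."""
    return None if probe_ttl < min_ttl else reply


def scan_table(min_ttl=0):
    """Re-create the quoted nmap run from constructed replies (not captured traffic).

    Assumed: scanner 10.0.0.5, firewall 3 hops away, so the low-TTL probe
    uses TTL 3 and the normal probe TTL 64.
    """
    scanner, target = "10.0.0.5", "193.252.8.86"
    low_ttl, full_ttl = 3, 64

    def leak(quoted_dst, quoted_port):
        hdr = ipv4_header(scanner, quoted_dst, IPPROTO_TCP, 1, 40)
        return ("icmp", icmp_time_exceeded(hdr, struct.pack("!HHI", 40000, quoted_port, 0)))

    # (low-TTL reply, full-TTL reply) per probed port
    replies = {
        22: (leak(target, 22), ("tcp", "SA")),    # forwarded to the host itself, which answers
        23: (None, None),                          # dropped by policy, nothing comes back
        666: (leak("192.168.8.10", 22), None),     # DNAT'd; quoted header never un-translated
        667: (leak("192.168.26.10", 22), None),
    }
    table = {}
    for port, (low, full) in replies.items():
        low = enforce_min_ttl(low_ttl, min_ttl, low)
        full = enforce_min_ttl(full_ttl, min_ttl, full)
        table[port] = classify_port(target, port, low, full)
    return table


if __name__ == "__main__":
    for port, r in scan_table().items():
        extra = " DNAT to %s:%d" % r["dnat"] if r["dnat"] else ""
        print("%d/tcp %s%s" % (port, r["state"], extra))
```

Running it with the default `min_ttl=0` reproduces the four states from Phil's table, including the two leaked DNAT targets; `scan_table(min_ttl=4)` shows the effect of the countermeasure, since the TTL-3 probes are dropped and 666/667 collapse into "filtered" while port 22 is still reported open from the normal-TTL probe.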