Difficulties in Network Mapping & port scanning

From: David Ball (lostinvietnam@hotmail.com)
Date: Tue Jan 03 2006 - 05:23:06 EST


Hi all

Many publications detail nmap port scanning techniques but make many
assumptions. The truth is that a properly configured Stateful Firewall will
drop even the more esoteric nmap port scanning techniques (Null, Xmas, Fin,
ACK scans). Even fragmenting port scans isn't always successful (namely nmap
-f and fragrouter). So a pen-tester is stuck with a Firewalled public facing
DNS or mail server but with difficulties getting a reliable port scan to
that machine. What I would be interested to hear are people's real life
experiences port scanning networks where stateful firewalling is properly
architected and configured.

Same applies to ICMP network mapping. Any Network Admin worth his salt will
block outbound ICMP echo replies and time exceeded messages so traditional
traceroute and ping won't work. Sure there are plenty of networks out there
who aren't so security aware but for the sake of argument let's say an
existing client has done this. What options are left to map a network where
ICMP messages are properly controlled? Are there ICMP mapping techniques
based on source quench and Path MTU discovery messages? Paratrace is an
interesting twist on the more traditional mapping techniques which I'm
investigating as is tcptraceroute. So same question as the above - what
other real life examples can someone quote that get around ICMP filtering to
map a network on the other side of a perimeter router and stateful FW.

I guess I'm looking for "I have used this technique in the past with some
success" type of reply rather than "this might work". Thanks for anyone who
takes the time to reply.

Dave.
"Paranoia is not the belief that people are out to get you.... they are!
Paranoia is the belief that people are conspiring to get you".
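As an added illustration (not code from the original post or its author): a toy stateful filter, written for this page, that models the behaviour Dave describes. A bare SYN is the only segment allowed to create state, so Null, Xmas, FIN and ACK probes fall through to a logged drop, and the outbound ICMP rule silences echo reply and time exceeded. All addresses, ports and traffic are constructed.

```python
# Added example, not from the original post: a toy stateful filter showing why
# the NULL, Xmas, FIN and ACK probes named above are dropped, and the outbound
# ICMP policy that silences ping and traceroute. All traffic is constructed.
FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20
# Outbound ICMP (type, code) the post's admin blocks: echo reply and time
# exceeded. Port unreachable (3/3) is left alone so UDP services still work.
BLOCKED_OUTBOUND_ICMP = {(0, 0), (11, 0), (11, 1)}

def tcp_in(src, sport, dst, dport, flags):
    return {"proto": "tcp", "key": (src, sport, dst, dport), "flags": flags}

def icmp_out(itype, code):
    return {"proto": "icmp", "dir": "out", "icmp": (itype, code)}

def classify_probe(flags):
    """Name the scan an out-of-state TCP segment corresponds to."""
    names = {0: "NULL scan", FIN | PSH | URG: "Xmas scan",
             FIN: "FIN scan", ACK: "ACK scan"}
    return names.get(flags, "out-of-state segment")

class StatefulFilter:
    """Minimal connection tracker: only a bare SYN may create state."""
    def __init__(self):
        self.table = set()

    def decide(self, p):
        if p["proto"] == "icmp":
            if p["dir"] == "out" and p["icmp"] in BLOCKED_OUTBOUND_ICMP:
                return "DROP outbound ICMP %d/%d" % p["icmp"]
            return "ACCEPT"
        if p["flags"] & SYN and not p["flags"] & ACK:
            self.table.add(p["key"])   # new flow; a port ACL would apply here
            return "ACCEPT (new)"
        if p["key"] in self.table:
            return "ACCEPT (established)"
        return "DROP " + classify_probe(p["flags"])  # no state: log as a probe

def demo():
    fw, ext, mx = StatefulFilter(), "198.51.100.7", "192.0.2.25"
    traffic = [
        tcp_in(ext, 40000, mx, 25, 0),                # nmap -sN
        tcp_in(ext, 40001, mx, 25, FIN | PSH | URG),  # nmap -sX
        tcp_in(ext, 40002, mx, 25, FIN),              # nmap -sF
        tcp_in(ext, 40003, mx, 25, ACK),              # nmap -sA
        tcp_in(ext, 40004, mx, 25, SYN),              # real SMTP connect
        tcp_in(ext, 40004, mx, 25, ACK),              # handshake completion
        icmp_out(0, 0),                               # echo reply: blocked
        icmp_out(3, 3),                               # port unreachable: passes
    ]
    return [fw.decide(p) for p in traffic]
```

The decisions returned by `demo()` are what a log review on the firewall side would show: four flagged probes, one legitimate session, one suppressed echo reply.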





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:18 EDT