Re: Difficulties in Network Mapping & port scanning

From: David Ball (lostinvietnam@hotmail.com)
Date: Sat Jan 07 2006 - 03:16:57 EST


Many thanks to everyone who replied to my original posting. In-depth
technical papers on network scanning and enumeration are thin on the ground
from what I can gather. After some research I managed to turn up
a few decent papers which go beyond the usual "this is an nmap SYN scan" and
"this is an nmap ACK scan" type papers. I've listed each below. Chapter 11
(Firewalls) of Hacking Exposed Network Security Secrets and Solutions
(Fourth Edition) is also worth a read as it touches on enumeration through a
Firewall.

Happy reading!

SCANNING & ENUMERATION TECHNIQUES
----------------------------------------------------------

1. "Host Detection - Generating arbitrary responses to identify
inter-networked nodes".
http://www.zone-h.org/files/29/responses-tisc.txt

2. "Techniques to validate host connectivity"
http://packetstorm.linuxsecurity.com/papers/protocols/host-detection.txt

3. "Diggin em Walls - Detection of Firewalls, and Probing networks behind
firewalls".
http://neworder.box.sk/newsread.php?newsid=2914

4. "Host Discovery with Nmap"
http://www.l0t3k.net/biblio/fingerprinting/en/NMAP-mwdiscovery.pdf
Provides different enumeration scenarios (Firewall with Filtering, Firewall
with Generic Ruleset, Firewall with specific rules, Stateful Firewall with
specific rules) and describes how to customize nmap scans for best results
with each scenario. Provides example tcpdump output for each scan.

5. "Strategies for Defeating Distributed Attacks"
http://www.megasecurity.org/Dos/Simple_Nomad.txt
The title is a little misleading. Do a Find for the word "enumeration" and
read from there. Also a very interesting few paragraphs on using non-echo
ICMP messages for host enumeration. See especially the section titled "ICMP
Defense".

6. "Firewall Penetration Testing"
http://www.wittys.com/files/mab/fwpentesting.html
(Borrows heavily from the original Firewalk paper but still worth a read)

7. "Network Scanning Techniques" - Ofir Arkin
http://www.sys-security.com/archive/papers/Network_Scanning_Techniques.pdf

8. "Low Level enumeration with TCP/IP"
http://www.securitydocs.com/library/3012/2

TOOLS
---------

1. Mike Shiffman/David Goldsmith's Firewalk paper
http://www.packetfactory.net/projects/firewalk/firewalk-final.pdf

2. "Tcptraceroute examples"
http://michael.toren.net/code/tcptraceroute/examples.txt

3. "Paratrace Analysis and Defence" (SANS GIAC practical)
http://www.giac.org/certified_professionals/practicals/gcih/0392.php

Sincerely,

David Ball.

>From: "Don Parker" <dparker@bridonsecurity.com>
>To: <pen-test@securityfocus.com>, "David Ball" <lostinvietnam@hotmail.com>
>Subject: Re: Difficulties in Network Mapping & port scanning
>Date: Tue, 3 Jan 2006 13:27:29 -0500
>
>Hi David,
>
>Well, people use the same tried and true scanning/probing attempts for they
>still work. That said, even if the firewall or router drops them you can
>still glean something from that. You would of course need to be logging
>your probing via tcpdump or windump. Once done you can then go over your
>activity and confirm what it is that you noted.
>
>It is not so much that you will get nothing from the f/w dropping/blocking
>most of the well known scan attempts, but rather that people don't really
>have an in-depth knowledge of the TCP/IP protocol suite. Were they to have
>one then there is still a lot of information to be gleaned from a dropped
>or reset packet. Also in seeing what triggers an IP address to be shunned
>by the f/w. At what rate does this happen when sending SYN packets and the
>like? You have to be creative and think beyond the tired and true SYN scan.
>
>You can make certain conclusions as to what the operating system is, what
>firewall it is, and so on by probing it with low level packeting (new word
>I think!). There is profiling information to be had in the stimulus or lack
>thereof when conducting the first steps in a pen test. Problem is, can the
>pentester make sense of it? To that end one should always try and present a
>solution for a problem. There is a good course that is offered by a friend
>of mine, which will help the pen tester get the most from low level packet
>probing.
>
>http://www.rigelksecurity.com/Training/training_TCPIP.html
>
>Hope this helps,
>
>Don
>
>----- Original Message ----- From: "David Ball" <lostinvietnam@hotmail.com>
>To: <pen-test@securityfocus.com>
>Sent: Tuesday, January 03, 2006 5:23 AM
>Subject: Difficulties in Network Mapping & port scanning
>
>
>>Hi all
>>
>>Many publications detail nmap port scanning techniques but make many
>>assumptions. The truth is that a properly configured Stateful Firewall
>>will drop even the more esoteric nmap port scanning techniques (Null,
>>Xmas, Fin, ACK scans). Even fragmenting port scans isn't always successful
>>(namely nmap -f and fragrouter). So a pen-tester is stuck with a
>>Firewalled public facing DNS or mail server but with difficulties getting
>>a reliable port scan to that machine. What I would be interested to hear
>>are people's real life experiences port scanning networks where stateful
>>firewalling is properly architected and configured.
>>
>>Same applies to ICMP network mapping. Any Network Admin worth his salt
>>will block outbound ICMP echo replies and time exceeded messages so
>>traditional traceroute and ping won't work. Sure there are plenty of
>>networks out there who aren't so security aware but for the sake of
>>argument let's say an existing client has done this. What options are
>>left to map a network where ICMP messages are properly controlled? Are
>>there ICMP mapping techniques based on source quench and Path MTU
>>discovery messages? Paratrace is an interesting twist on the more
>>traditional mapping techniques which I'm investigating as is
>>tcptraceroute. So same question as the above - what other real life
>>examples can someone quote that get around ICMP filtering to map a network
>>on the other side of a perimeter router and stateful FW.
>>
>>I guess I'm looking for "I have used this technique in the past with some
>>success" type of reply rather than "this might work". Thanks for anyone
>>who takes the time to reply.
>>
>>Dave.
>>"Paranoia is not the belief that people are out to get you.... they are!
>>Paranoia is the belief that people are conspiring to get you".
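As an added example (not part of this thread or of any paper listed in it), the following Python script audits a tcpdump capture for the Null, Xmas and FIN probes the original post names and reports whether the target answered each one with a RST. Don's point is that a dropped or reset packet still carries information; from the admin's side the same capture shows whether the stateful firewall really dropped those probes, because a RST coming back means the probe reached the host's TCP stack. The tcpdump -n line format is an assumption about the tool's output, and the addresses and capture lines are constructed sample data.

```python
import re
# tcpdump -n style TCP line (format assumption), e.g.
# 10:01:02.000001 IP 198.51.100.7.40001 > 192.0.2.10.25: Flags [FPU], seq 1, win 1024, length 0
LINE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                  r"Flags \[(?P<flags>[^\]]*)\]")
# Flag combinations of the Null, Xmas and FIN probes named in the thread.
PROBE_TYPES = {frozenset(): "NULL", frozenset("FPU"): "XMAS", frozenset("F"): "FIN"}

def parse(line):
    """Return addressing fields and the TCP flag set of one tcpdump line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    f = d["flags"]
    # tcpdump prints ACK as "." and an empty flag set as "none" (older builds: "").
    d["flags"] = frozenset() if f in ("", "none") else frozenset(f.replace(".", "A"))
    return d

def audit(lines):
    """Map (src, dst, dport) of each Null/Xmas/FIN probe to its type and whether the
    target sent a RST back. A RST means the probe reached the host's TCP stack,
    i.e. the stateful firewall did not drop it as it should have."""
    findings = {}
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        kind = PROBE_TYPES.get(p["flags"])
        if kind:
            findings[(p["src"], p["dst"], p["dport"])] = {"probe": kind, "answered": False}
        elif "R" in p["flags"]:
            key = (p["dst"], p["src"], p["sport"])  # a reply reverses the tuple
            if key in findings:
                findings[key]["answered"] = True
    return findings

# Constructed sample capture: three probes against 192.0.2.10 plus a normal handshake.
CAPTURE = """\
10:01:02.000001 IP 198.51.100.7.40001 > 192.0.2.10.25: Flags [none], seq 1, win 1024, length 0
10:01:02.000200 IP 192.0.2.10.25 > 198.51.100.7.40001: Flags [R.], seq 0, ack 2, win 0, length 0
10:01:02.000400 IP 198.51.100.7.40002 > 192.0.2.10.53: Flags [FPU], seq 1, win 1024, length 0
10:01:02.000600 IP 198.51.100.7.40003 > 192.0.2.10.443: Flags [F], seq 1, win 1024, length 0
10:01:03.000000 IP 203.0.113.9.51000 > 192.0.2.10.25: Flags [S], seq 100, win 65535, length 0
10:01:03.000100 IP 192.0.2.10.25 > 203.0.113.9.51000: Flags [S.], seq 5, ack 101, win 29200, length 0
""".splitlines()
if __name__ == "__main__":
    for (src, dst, port), f in audit(CAPTURE).items():
        state = "answered with RST (not dropped)" if f["answered"] else "no reply (dropped, or open port)"
        print(f"{f['probe']:4} probe {src} -> {dst}:{port}: {state}")
```

In the sample the Null probe to port 25 draws a RST, so the firewall in front of 192.0.2.10 is not dropping it; the Xmas and FIN probes get no reply, which on an RFC 793 stack is also what an open port does, so silence alone does not prove the firewall dropped them.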




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:19 EDT