
List:       nmap-dev
Subject:    Re: Some thoughts from Defcon ...
From:       Philippe Biondi <biondi () cartel-securite ! fr>
Date:       2003-08-18 9:05:37

Hi,
On Thu, 14 Aug 2003, Andrew A. Vladimirov wrote:

> The general idea is to build port forwarding enumeration into nmap, e.g.
> whether the ports forwarded by the firewall are forwarded to the same
> or different hosts. This is also related to finding out whether the
> range of evaluated IPs belongs to the same or different hosts.
>
> Let's say we have a host xxx.xxx.xxx.xxx which has ports 22 and 25 open.
> From the output of tcptraceroute or better lft (which would say
> **   [firewall] the next gateway may statefully inspect packets )
> you suspect that this host is a firewall which forwards these ports to
> the sshd and sendmail behind it. Do the daemons run on the same or
> different box?
>

You can use scapy (http://www.cartel-securite.fr/pbiondi/scapy.html, or,
backup version http://perso.wanadoo.fr/secdev/scapy.html, as the first
one has annoying problems these days).

The TTL method is described on slide 52 of
http://www.cartel-securite.fr/pbiondi/conf/scapy_lsm2003.pdf (or use the
backup).

The timestamp method can also be implemented in less than 10 lines:
>>> target = "www.target.com"
>>> ans,unans = sr(IP(dst=target)/TCP(dport=[(20,30),80,443,8080],
                   options=[('Timestamp',(1L,1L))]))

>>> for s,r in ans:
...     print r.getlayer(TCP).options   # the reply's options carry the responder's TSval clock


(ok, there, I realise that I need to implement a way to extract a given
option from the array.)


Anyway, even if scapy needs a lot of resources, especially for big scans, it
will be very helpful to test new techniques.


Best regards, Phil.



-- 
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
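As an added illustration of the timestamp method (this is not code from the original mail, nor part of scapy), the following Python works on a scapy-style TCP options list, i.e. the list of (name, value) tuples that `r.getlayer(TCP).options` returns, and does the two things the mail leaves as an exercise: pull a named option out of that list, and group the probed ports by the TSval clock they answer with. The reply samples are constructed; the 10000-tick gap and the assumption that all probes were answered within a few seconds of each other are the example's own choices, not anything the mail states.

```python
# Added example: correlate forwarded ports by the TCP Timestamp (TSval) clock
# of the host that answered. Works offline on scapy-style options lists.
# Assumption: all probes were sent and answered within a few seconds, so
# replies from one host differ by at most MAX_GAP ticks; replies from a
# different host carry an unrelated TSval (its own uptime-based clock).

MAX_GAP = 10000  # example's own tolerance, in TSval ticks


def get_tcp_option(options, name):
    """Return the value of TCP option `name` from a scapy-style options list
    (a list of (name, value) tuples, e.g. ('Timestamp', (tsval, tsecr))),
    or None if the option is absent."""
    for opt in options:
        if isinstance(opt, tuple) and len(opt) == 2 and opt[0] == name:
            return opt[1]
    return None


def group_ports_by_clock(samples, max_gap=MAX_GAP):
    """samples: iterable of (port, options) for each SYN/ACK received.
    Returns (clusters, no_ts): clusters is a list of sorted port lists whose
    TSvals lie within max_gap of each other (i.e. plausibly the same host);
    no_ts lists ports whose reply carried no Timestamp option."""
    with_ts = []
    no_ts = []
    for port, options in samples:
        ts = get_tcp_option(options, "Timestamp")
        if ts is None:
            no_ts.append(port)
        else:
            tsval, _tsecr = ts
            with_ts.append((tsval, port))

    # Sort by TSval and cut a new cluster wherever the clock jumps.
    with_ts.sort()
    clusters = []
    current = []
    prev = None
    for tsval, port in with_ts:
        if prev is not None and tsval - prev > max_gap:
            clusters.append(sorted(current))
            current = []
        current.append(port)
        prev = tsval
    if current:
        clusters.append(sorted(current))
    return clusters, sorted(no_ts)


# Constructed replies, in the shape scapy returns for r.getlayer(TCP).options:
# ports 22 and 80 share one clock, 25 and 443 share another, 8080 has none.
SAMPLES = [
    (22,   [('MSS', 1460), ('NOP', None), ('NOP', None), ('Timestamp', (1000200, 1))]),
    (25,   [('MSS', 1460), ('Timestamp', (4500010, 1)), ('NOP', None)]),
    (80,   [('MSS', 1460), ('NOP', None), ('NOP', None), ('Timestamp', (1000350, 1))]),
    (443,  [('MSS', 1460), ('Timestamp', (4500120, 1)), ('NOP', None)]),
    (8080, [('MSS', 1460)]),
]


def demo():
    """Run the grouping over the constructed samples."""
    return group_ports_by_clock(SAMPLES)


if __name__ == "__main__":
    clusters, no_ts = demo()
    for i, ports in enumerate(clusters, 1):
        print("clock %d: ports %s" % (i, ports))
    print("no Timestamp option (cannot correlate): %s" % no_ts)
```

A cluster is evidence, not proof: two hosts that booted at nearly the same moment would share a cluster, and a host that does not send the Timestamp option cannot be placed at all, which is why the TTL method from the slides is worth running as a cross-check. The same grouping is a quick way to confirm whether your own firewall's forwarded ports give away which ones land on the same backend.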






