RE: DENY x REJECT

From: Ofir Arkin (ofir@sys-security.com)
Date: Mon Oct 08 2001 - 02:26:28 PDT

    Rosenau,
    
    The best way to differentiate between a port on which the firewall is
    configured to "drop" packets and a port on which it is configured to
    "reject" them is to look for the ICMP Error Message (Destination
    Unreachable - Communication with Destination Network is Administratively
    Prohibited), as you stated.
    
    Today, I am not familiar with any tool that parses the ICMP Error message
    coming back from a port for which the firewall rejects the packets.
    
    As a rule of thumb, configuring a firewall to "reject" rather than "drop"
    is a mistake. The firewall needs to be as transparent as possible for
    traffic going through it.
    
    Other than differentiating between a port filtered by "reject" and one
    filtered by "drop", you can differentiate between the operating systems
    the firewall is installed on (if this is a software-based firewall). Then
    the best friend you have is your sniffer.
    
    You can look at several parameters very easily to establish your
    conclusion. They can range from the IP Time-To-Live field to even
    changing/crafting the offending packet and looking for changes in the
    ICMP Error message produced by the firewall.
    
    I bet adding this functionality to NMAP is easy.
    I will be looking to add this functionality to Xprobe as well.
    
    
    Resources you can use are:
    Xprobe & X: http://www.sys-security.com/html/projects/X.html [Version
    0.2.x soon to be released]
    ICMP Usage in scanning research (more details):
    http://www.sys-security.com/html/projects/icmp.html 
    
    
    Ofir Arkin [ofir@sys-security.com]
    Founder
    The Sys-Security Group
    http://www.sys-security.com
    PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
    
    
    -----Original Message-----
    From: Rosenau [mailto:rosenauat_private] 
    Sent: Wed 03 October 2001 17:53
    To: pen-testat_private
    Subject: DENY x REJECT
    
    Hi
    
    Does anybody know a port scanner that could distinguish a "deny" filtered
    TCP port (firewall drops packets for the port) from a "reject" filtered
    TCP port (firewall returns an ICMP port unreachable)?
    
    Nmap seems to report both cases simply as "filtered". Actually, both
    cases are filtered, but when you receive an ICMP, you can be sure that
    the port is really filtered. If you do not receive anything, the port
    could be filtered, or packets could have been lost...
    
    Regards,
    Rosenau.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
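The thread above asks for a scanner that tells a DROP-filtered port from a REJECT-filtered one, and notes that the ICMP Destination Unreachable error (and its TTL) carries that information. The following is an added example written for this archive page; it is not code from the thread, from Nmap or from Xprobe. It parses raw IPv4 responses to a TCP SYN probe, attributes an ICMP error to the probe by checking the quoted inner header (ports and addresses), and reports drop-or-lost, reject (with the ICMP code and the address of the device that sent it, which need not be the target), open or closed. All packets, addresses and ports are constructed inline so the file runs offline; IP and TCP checksums are left at zero because the classifier never checks them, and the initial-TTL guess is the usual nearest-of-32/64/128/255 heuristic, not a full fingerprint.

```python
"""Classify a raw reply to a TCP SYN probe: drop (or loss), reject, open, closed.
Added example, not from the original thread; packets are constructed inline."""
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_DEST_UNREACH = 3
# Destination Unreachable codes commonly produced by a REJECT rule.
REJECT_REASONS = {
    1: "host unreachable",
    3: "port unreachable",                        # Linux REJECT default
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


@dataclass(frozen=True)
class Probe:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto: int, ttl: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 datagram (IHL=5, no options, checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, ttl, proto, 0, _ip(src), _ip(dst))
    return header + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """20-byte TCP header without options; seq/ack/window are arbitrary."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)


def parse_ipv4(pkt: bytes):
    """Return (proto, ttl, src, dst, payload) of a raw IPv4 datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[8], pkt[12:16], pkt[16:20], pkt[ihl:]


def guess_initial_ttl(ttl: int) -> int:
    """Nearest common initial TTL at or above the observed one (heuristic only);
    the difference is the hop count and the base value hints at the OS family."""
    return next(t for t in (32, 64, 128, 255) if t >= ttl)


def classify(probe: Probe, response: Optional[bytes]) -> dict:
    """Verdict for one SYN probe, given the raw reply or None on timeout."""
    if response is None:
        # Silence cannot distinguish a DROP rule from a lost packet.
        return {"verdict": "filtered (drop) or lost"}
    proto, ttl, src, dst, payload = parse_ipv4(response)
    if proto == 6:  # TCP: only the target itself answers this way
        sport, dport = struct.unpack("!HH", payload[:4])
        flags = payload[13]
        if (sport, dport) != (probe.dst_port, probe.src_port):
            return {"verdict": "unrelated"}
        if flags & 0x12 == 0x12:
            return {"verdict": "open", "ttl": ttl}
        if flags & 0x04:
            return {"verdict": "closed", "ttl": ttl}
        return {"verdict": "unexpected tcp flags"}
    if proto == 1 and payload[0] == ICMP_DEST_UNREACH:
        code = payload[1]
        # RFC 792: the error quotes the offending IP header plus 8 bytes of its
        # payload, which covers the TCP ports and lets us match our probe.
        in_proto, _, in_src, in_dst, in_l4 = parse_ipv4(payload[8:])
        in_sport, in_dport = struct.unpack("!HH", in_l4[:4])
        if (in_proto, in_src, in_dst, in_sport, in_dport) != (
                6, _ip(probe.src_ip), _ip(probe.dst_ip), probe.src_port, probe.dst_port):
            return {"verdict": "unrelated"}
        return {
            "verdict": "filtered (reject)",
            "code": code,
            "reason": REJECT_REASONS.get(code, "other"),
            # The ICMP source is whoever rejected the packet, not always the target.
            "sender": ".".join(map(str, src)),
            "ttl": ttl,
            "initial_ttl_guess": guess_initial_ttl(ttl),
        }
    return {"verdict": "unrelated"}


# Constructed sample exchange: scanner 10.0.0.5 probes 192.0.2.10 port 22.
PROBE = Probe("10.0.0.5", "192.0.2.10", 40000, 22)
PROBE_PKT = build_ipv4(6, 64, PROBE.src_ip, PROBE.dst_ip,
                       build_tcp(PROBE.src_port, PROBE.dst_port, 0x02))


def icmp_unreachable(code: int, sender: str, ttl: int, quoted: bytes = PROBE_PKT) -> bytes:
    """ICMP Destination Unreachable from `sender`, quoting the first 28 bytes of the probe."""
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted[:28]
    return build_ipv4(1, ttl, sender, PROBE.src_ip, icmp)


REJECT_PKT = icmp_unreachable(13, "192.0.2.1", 253)  # firewall in front of the target
SYNACK_PKT = build_ipv4(6, 61, PROBE.dst_ip, PROBE.src_ip,
                        build_tcp(PROBE.dst_port, PROBE.src_port, 0x12))
RST_PKT = build_ipv4(6, 61, PROBE.dst_ip, PROBE.src_ip,
                     build_tcp(PROBE.dst_port, PROBE.src_port, 0x14))

if __name__ == "__main__":
    for name, pkt in [("timeout", None), ("icmp 3/13", REJECT_PKT),
                      ("syn/ack", SYNACK_PKT), ("rst", RST_PKT)]:
        print(f"{name:10} -> {classify(PROBE, pkt)}")
```

The check against the quoted inner header is what keeps a stray ICMP error from another scan (or from a different destination) from being counted as a reject for this port; a scanner that only looks at the outer ICMP type and code will misattribute errors on a busy network.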
    



    This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 11:13:07 PDT