Nessus

RE: Port scan

To: "Michel Arboi" <mikhail@nessus.org>
Subject: RE: Port scan
From: "Scott Pate" <spate@Spohncentral.com>
Date: Wed, 24 Jan 2007 07:40:44 -0600
Cc: Nessus@list.nessus.org
List-id: Discussion of Nessus software <nessus.list.nessus.org>
 
> I ran into this problem the other day running a port scan (1-65535) on
> a firewall (which dropped all packets - no open or closed ports)

> Considering what happened, I suspect that your firewall does not "drop"
> packets but rather "rejects" them with ICMP messages.

I was aware of the limitations of ICMP messages, and have seen that
before (mostly w/ nmap).  In fact, that would have explained the
situation for me.  I can tell you that of the packets that I saw b/w the
two hosts, I never saw any ICMP messages coming from the firewall.  I
did actually save a partial packet capture from my initial scan and I
went back through it and filtered for this one host.  Below is a
representative sample.  I have roughly 3800 SYNs to this host without
one reply (ICMP or RST).  I believe this was nessus_tcp_scanner.

src.x.x.x.38212 > dstx.x.x.x.3838: S 3208167900:3208167900(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.49767 > dst.x.x.x.3891: S 3204817310:3204817310(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.43774 > dst.x.x.x.3944: S 3205253786:3205253786(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.39130 > dst.x.x.x.3997: S 3201729308:3201729308(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.41805 > dst.x.x.x.4050: S 3198041800:3198041800(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.35136 > dst.x.x.x.4103: S 3214628214:3214628214(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.53891 > dst.x.x.x.4156: S 3200384851:3200384851(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.54316 > dst.x.x.x.4209: S 3206064725:3206064725(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>


>Any idea on the remote host OS and packet filter?
>Which was the value of max_check?

The information I have says it is 'supposed' to be a Netscreen firewall.


Max_checks = 4
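
The check described in this message (filter a capture for one host and look for any RST or ICMP reply to the SYNs), as an added example that is not part of the original post or of Nessus. The addresses, the sample lines and the ICMP line layout are assumptions: the sample is constructed in the same old-style tcpdump text format as the excerpt above, without timestamps.

```python
import re
from collections import Counter

# Constructed sample, not the poster's capture. 192.0.2.10 is the scanner and
# 198.51.100.5 the scanned host (documentation addresses, assumed for illustration).
SAMPLE = """\
192.0.2.10.38212 > 198.51.100.5.3838: S 3208167900:3208167900(0) win 5840 <mss 1460>
192.0.2.10.49767 > 198.51.100.5.3891: S 3204817310:3204817310(0) win 5840 <mss 1460>
192.0.2.10.43774 > 198.51.100.5.80: S 3205253786:3205253786(0) win 5840 <mss 1460>
198.51.100.5.80 > 192.0.2.10.43774: S 1111:1111(0) ack 3205253787 win 5792 <mss 1460>
192.0.2.10.39130 > 198.51.100.5.25: S 3201729308:3201729308(0) win 5840 <mss 1460>
198.51.100.5.25 > 192.0.2.10.39130: R 0:0(0) ack 3201729309 win 0
192.0.2.10.41805 > 198.51.100.5.4050: S 3198041800:3198041800(0) win 5840 <mss 1460>
198.51.100.5 > 192.0.2.10: icmp: 198.51.100.5 tcp port 4050 unreachable
"""

TCP = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): (\S+) ")
ICMP = re.compile(r"^(\S+) > (\S+): icmp: (\S+) tcp port (\d+) unreachable")

def classify(capture, scanner, target):
    """Map each probed target port to open / closed / rejected / no-reply."""
    state = {}
    for line in capture.splitlines():
        m = ICMP.match(line)  # tried first: the TCP pattern would also match this line
        if m:
            if m.group(2) == scanner and m.group(3) == target:
                state[int(m.group(4))] = "rejected"   # ICMP unreachable came back
            continue
        m = TCP.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if (src, dst) == (scanner, target) and flags == "S":
            state.setdefault(int(dport), "no-reply")  # probe seen, no answer so far
        elif (src, dst) == (target, scanner):
            if flags.startswith("R"):                 # RST: port closed
                state[int(sport)] = "closed"
            elif flags == "S" and " ack " in line:    # SYN+ACK: port open
                state[int(sport)] = "open"
    return state

if __name__ == "__main__":
    print(Counter(classify(SAMPLE, "192.0.2.10", "198.51.100.5").values()))
```

A capture in which every probed port ends up as "no-reply" matches a filter that silently drops; any "rejected" or "closed" entry means something on the path is answering.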
