Saturday, July 30, 2011

Scanning an Internal Network Through A Firewall

OK - so this post's a quickie because a) the last 2 posts have totaled nearly 12 pages of source material and I need to focus on the new novel this weekend, and b) it's so early on a Saturday morning that I've yet to grab a mug of "Jamaica Me Crazy" coffee. Thoughts aren't quite as coherent without Java.

So here goes:

I stumbled across these posts this morning and, while I haven't yet had time to try it, the write-up seems solid.

According to this article, there are 2 new ways to implement an Idle scan (or variations on an Idle scan) that let you enumerate targets ON THE INSIDE of a firewall. This means that we, the attacker, don't have to be able to route to the victim/target in order to enumerate its ports. The zombie we pick is the host that has to route to the target, so in some cases that can be the firewall or the outlying router itself. The zombie still has to be reachable from us, of course: reading state off the zombie is the only way the result ever comes back, since the target never sends us a single packet.

Are the terms "zombie" and "victim" not all that familiar to you? Don't quite remember what an "Idle scan" is? No problem.

Get caught up on traditional Idle scans here: http://www.networkuptime.com/nmap/page3-16.shtml
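To make the "only the zombie has to route" point concrete, here is a small Python model of the traditional IP ID idle scan. It is example code added to this post, not code from the post, the linked page, or the paper; the addresses, the Zombie/Target/Network classes and the function names are all constructed for the simulation. The model assumes the classic preconditions: the zombie uses one global, sequentially incrementing IP ID counter, RSTs an unsolicited SYN/ACK, and drops an unsolicited RST; the target answers a SYN with SYN/ACK, RST, or nothing (filtered). The attacker only ever exchanges packets with the zombie.

```python
"""Simulation of a classic IP ID ("idle") scan. Example code added to this
post; it is not from the post, the linked write-up, or the paper, and every
address, class and function name here is made up for the illustration.

Model (an assumption of this example, matching the classic technique):
 - the zombie uses one global, sequentially incrementing IP ID counter for
   every packet it sends, answers an unsolicited SYN/ACK with a RST, and
   silently drops an unsolicited RST;
 - the target answers a SYN with SYN/ACK (open), RST (closed) or nothing
   (filtered) and drops anything else;
 - the attacker can reach the zombie but never has to reach the target:
   it spoofs the zombie's address and only ever reads the zombie's IP IDs.
"""
from dataclasses import dataclass, field

ATTACKER, ZOMBIE, TARGET = "10.0.0.1", "203.0.113.10", "192.168.1.20"   # constructed


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # "S" (SYN), "SA" (SYN/ACK) or "R" (RST)
    ipid: int = 0


@dataclass
class Zombie:
    ipid: int = 1000              # last IP ID used; every packet sent bumps it by one
    background_packets: int = 0   # packets sent to other hosts between our probes

    def receive(self, pkt):
        self.ipid += self.background_packets          # a non-idle zombie adds noise
        if pkt.flags == "SA":                         # no such connection: RST it
            self.ipid += 1
            return Packet(ZOMBIE, pkt.src, 0, "R", ipid=self.ipid)
        return None                                   # unsolicited RST: dropped


@dataclass
class Target:
    open_ports: set
    filtered_ports: set = field(default_factory=set)

    def receive(self, pkt):
        if pkt.flags != "S" or pkt.dport in self.filtered_ports:
            return None                               # firewall drop, or not a SYN
        if pkt.dport in self.open_ports:
            return Packet(TARGET, pkt.src, 0, "SA")
        return Packet(TARGET, pkt.src, 0, "R")


class Network:
    """Delivers a packet to its destination and follows the reply chain
    (e.g. target SYN/ACK -> zombie RST). Returns whatever finally comes
    back out to the attacker, if anything."""

    def __init__(self, zombie, target):
        self.hosts = {ZOMBIE: zombie, TARGET: target}

    def send(self, pkt):
        while pkt is not None and pkt.dst in self.hosts:
            pkt = self.hosts[pkt.dst].receive(pkt)
        return pkt


def read_zombie_ipid(net):
    """Elicit a RST from the zombie (SYN/ACK to any port) and read its IP ID."""
    return net.send(Packet(ATTACKER, ZOMBIE, 80, "SA")).ipid


def idle_scan_port(net, port):
    """Classify one target port using nothing but the zombie's IP ID counter."""
    before = read_zombie_ipid(net)
    net.send(Packet(ZOMBIE, TARGET, port, "S"))       # SYN forged from the zombie
    delta = read_zombie_ipid(net) - before
    if delta == 2:
        return "open"             # target SYN/ACK'd the zombie, zombie RST'd it (+1)
    if delta == 1:
        return "closed|filtered"  # zombie only sent the reply to our own probe
    return "unknown"              # counter moved by more: the zombie is not idle


def idle_scan(net, ports):
    return {p: idle_scan_port(net, p) for p in ports}


def build_lab(open_ports, filtered_ports=(), background_packets=0):
    """Constructed lab: an internal target behind a filter, a zombie that reaches it."""
    zombie = Zombie(background_packets=background_packets)
    return Network(zombie, Target(set(open_ports), set(filtered_ports)))


if __name__ == "__main__":
    net = build_lab(open_ports={22, 80}, filtered_ports={25})
    print(idle_scan(net, [22, 25, 80, 443]))
    # -> {22: 'open', 25: 'closed|filtered', 80: 'open', 443: 'closed|filtered'}
    print(idle_scan(build_lab(open_ports={22}, background_packets=3), [22]))
    # -> {22: 'unknown'}
```

Two things the model makes visible that matter on a real engagement: closed and filtered look identical from the zombie's side (both leave the counter at +1), and a zombie that is talking to anyone else between your two probes wrecks the inference, which is why the host really has to be idle (and why a busy firewall or border router, attractive as it is for routing reasons, can make a poor zombie).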

Then, check out this white paper detailing the 2 new ways to Idle scan here: http://people.csail.mit.edu/costan/readings/usenix_papers/Ensafi.pdf

And, just in case your head is spinning from that and you need the breakdown, check out this blog entry (http://www.malwarecity.com/community/index.php?app=blog&module=display&section=blog&blogid=23&showentry=7600), where MalwareCity has taken the time to explain them.

Personally, I think scan #2 (SYN cache scan) is the way to go because the first option is dependent on having a FreeBSD box in the victim/target's DMZ or at least in the victim/target's external IP space. Chances of that are not exactly tiny, but they are limited. And why limit yourself when you have the option to use the SYN cache scan?


3 comments:

  1. Love the blog - keep it coming!!!
