Saturday, July 30, 2011

Scanning an Internal Network Through A Firewall

OK - so this post's a quickie because a) the last 2 posts have totaled nearly 12 pages of source material and I need to focus on the new novel this weekend and b) it's so early on a Saturday morning that I've yet to grab a mug of "Jamaica Me Crazy" coffee yet. Thoughts aren't quite as coherent without Java. 

So here goes:

I stumbled across these posts this morning and while I haven't yet had time to try it, the write up seems solid.

According to this article, there are 2 new ways to implement an Idle scan (or variations of an Idle scan) in order to enumerate targets ON THE INSIDE of a firewall. This means that we, the attacker, don't have to be able to route to the victim/target in order to enumerate ports. The zombie we pick is the one that has to route, so in some cases, that can be the firewall or outlying router itself.

Are the terms "zombie" and "victim" not all that familiar to you? Don't quite remember what an "Idle scan" is? No problem.

Get caught up on traditional Idle scans here:

Then, check out this white paper detailing the 2 new ways to Idle scan here:

And, just in case your head is spinning from that and you need the breakdown, check out this blog entry ( where MalwareCity has taken the time to explain them. 

Personally, I think scan #2 (SYN cache scan) is the way to go because the first option is dependent on having a FreeBSD box in the victim/target's DMZ or at least in the victim/target's external IP space. Chances of that are not exactly tiny, but they are limited. And why limit yourself when you have the option to use the SYN cache scan?