Great Circle Associates Firewalls
(November 1997)
 


Subject: RE: FIN Scanning through all kind of packet-filtering firewalls?
From: Robert Ståhlbrand <robert . stahlbrand @ nmac . ericsson . se>
Date: Sat, 8 Nov 1997 10:40:53 +0100
To: "'gary flynn'" <gary @ habanero . jmu . edu>
Cc: "'firewalls @ greatcircle . com'" <firewalls @ greatcircle . com>

Ok! I will explain myself a little bit better.........

> -----Original Message-----
> From:	gary flynn [SMTP:gary @ habanero . jmu . edu]
> Sent:	den 7 november 1997 21:06
> To:	firewalls @ GreatCircle . COM; owner-firewalls-list @ GreatCircle . COM
> Subject:	Re:  FIN Scanning through all kind of packet-filtering firewalls?
> 
> > From: <robert . stahlbrand @ nmac . ericsson . se>
> > 
> > The FIN scanning method (presented in Phrack Magazine 49, article 15)
> > where you can scan for open ports on a host behind a packet-filtering
> > firewall even though your rules deny it is certainly working on
> > Checkpoint ver. 2.1(a) 
> 
> What exactly do you mean by working? You must have some type of
> filter that allows port communications if the sessions are
> established internally like the Cisco "established" ACL. 
> [Robert Ståhlbrand]  
> What I mean by working is even though I have rules that deny any type
> of packets (tcp, udp) to a specific host behind my firewall, I can
> still scan it for open ports (TCP only)!!! But in my logger it looks
> like the firewall is dropping all packets but a sniffer on the inside
> proves that the packet gets through!!!
> The packets are small fragmented (I think that even non-fragmented
> works too but it's not verified yet) packets with the FIN-flag set
> (indicating that it's the last packet in a TCP-session) and if the
> remote host is sending back a Reset, the port is closed, otherwise
> it's open.
> 
> I'm not familiar with Checkpoint but any packet filter that is
> filtering on a destination port is going to toss the packet
> regardless of the SYN or any other flag unless there is some
> special programming.
> 
> It may get to the router/firewall itself if it's an output filter
> or it may get through a Cisco-like "established" filter but I
> don't think it's going to get through anything else.
> [Robert Ståhlbrand]  
> NO!!!! The packet gets through!!!!!!!!!!!!!!!! (Unless my sniffer is
> spoked :-)) Read the article in Phrack Magazine!!!
> 
> Gary Flynn
> Network Analyst
> James Madison University
> [Robert Ståhlbrand]  
> 
> /Robert Ståhlbrand, System and Security responsible, nmac.ericsson.se
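
An added example, not part of the original message or of the Phrack article: a stateless check a filter or sensor could apply to the traffic described above, dropping TCP fragments that separate the flags byte from the ports (the approach of RFC 1858) and FIN segments that carry no ACK. The `TMIN` value, the function names and the sample packets are constructed assumptions.

```python
import struct

TCP = 6
FIN, ACK = 0x01, 0x10
TMIN = 16  # assumption: least TCP bytes a first fragment must carry (flags sit at byte 13)

def classify(pkt: bytes) -> str:
    """Verdict for one raw IPv4 packet (header checksums are not verified)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop:malformed"
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return "drop:malformed"
    if pkt[9] != TCP:
        return "pass:not-tcp"
    offset = frag & 0x1FFF              # fragment offset, in 8-byte units
    payload = pkt[ihl:total_len]
    # Flags split away from the ports: a filter that reads only the first
    # fragment, or only unfragmented packets, never sees the FIN bit.
    if offset == 1 or (offset == 0 and len(payload) < TMIN):
        return "drop:tiny-fragment"
    if offset > 1:
        return "pass:later-fragment"    # starts past the TCP flags byte
    flags = payload[13]
    # Every segment of an established connection carries ACK, so a FIN
    # without ACK does not belong to any legitimate session.
    if flags & FIN and not flags & ACK:
        return "drop:fin-without-ack"
    return "pass"

def ipv4(payload: bytes, frag: int = 0) -> bytes:
    """Constructed IPv4 header (documentation addresses, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, frag,
                       64, TCP, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def tcp(flags: int, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header with the given flags byte."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)

SAMPLES = {  # constructed packets, never sent anywhere
    "fin+ack": ipv4(tcp(FIN | ACK)),
    "bare fin": ipv4(tcp(FIN)),
    "first frag, 8 bytes": ipv4(tcp(FIN)[:8], frag=0x2000),  # MF set, offset 0
    "second frag, offset 1": ipv4(tcp(FIN)[8:], frag=1),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} -> {classify(pkt)}")
```

Logging the verdict next to the filter's own drop log gives a way to compare what the firewall reports with what a sniffer on the inside sees.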
