Great Circle Associates Firewalls
(November 1997)
 


Subject: Re: FIN Scanning through all kind of packet-filtering firewalls?
From: Darren Reed <avalon @ coombs . anu . edu . au>
Date: Sat, 8 Nov 1997 20:07:54 +1100 (EDT)
To: gary @ habanero . jmu . edu (gary flynn)
Cc: firewalls @ GreatCircle . COM, firewall-wizards @ nfs . net
In-reply-to: <199711072014 . MAA27692 @ honor . greatcircle . com> from "gary flynn" at Nov 7, 97 03:06:19 pm

In some mail from gary flynn, sie said:
> 
> > From: <robert . stahlbrand @ nmac . ericsson . se>
> > 
> > The FIN scanning method (presented in Phrack Magazine 49, article 15)
> > where you can scan for open ports on a host behind a packet-filtering
> > firewall even though your rules deny it is certainly working on
> > Checkpoint ver. 2.1(a) 
[...]
> I'm not familiar with Checkpoint but any packet filter that is
> filtering on a destination port is going to toss the packet
> regardless of the SYN or any other flag unless there is some
> special programming.

I wouldn't be so sure about that.  Checkpoint's FW-1 will pass all
packets through with the ACK flag set (except, I think SYN-ACK)
but will strip the body of any data.  They do this so that they can
rebuild state for a connection which has remained open over (say)
the firewall rebooting or connection information expiring.  If the
reply packet was returned, anyway, there's your scan!

Darren
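
The behaviour described in this message can be modelled from the defender's side. The following is an added example, not part of the original post and not Check Point's code: a simplified Python filter that compares passing out-of-state ACK packets (payload stripped) with dropping them, and flags sources that send out-of-state packets to several ports. The rule base, addresses, threshold and function names are constructed assumptions.

```python
from collections import defaultdict

FIN, SYN, ACK = 0x01, 0x02, 0x10   # TCP flag bits
ALLOWED_PORTS = {25}               # constructed rule base: only SMTP allowed inbound
PROBE_THRESHOLD = 3                # assumed: distinct ports before a source is flagged

def pkt(src, sport, dport, flags, dst="10.0.0.5"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

def filter_packets(packets, pass_stateless_ack):
    """Return (verdicts, suspects) for a list of packet dicts.

    pass_stateless_ack=True models the behaviour described in the message:
    ACK packets with no matching state are let through with data stripped
    (SYN-ACK excepted). False models a filter that drops them instead.
    State creation from such packets is not modelled (simplification).
    """
    state = set()                  # connections opened by an allowed SYN
    stateless = defaultdict(set)   # src -> ports hit by out-of-state packets
    verdicts = []
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        flags = p["flags"]
        if key in state:
            verdicts.append("pass")
        elif flags & SYN and not flags & ACK:
            # New connection attempt: only here is the port rule consulted.
            if p["dport"] in ALLOWED_PORTS:
                state.add(key)
                verdicts.append("pass")
            else:
                verdicts.append("drop")
        else:
            stateless[p["src"]].add(p["dport"])   # record for detection
            if pass_stateless_ack and flags & ACK and not flags & SYN:
                verdicts.append("pass-stripped")
            else:
                verdicts.append("drop")
    suspects = {s for s, ports in stateless.items() if len(ports) >= PROBE_THRESHOLD}
    return verdicts, suspects

# Constructed sample traffic (documentation addresses).
SAMPLE = [
    pkt("192.0.2.10", 40000, 25, SYN),        # allowed connection
    pkt("192.0.2.10", 40000, 25, ACK),        # matches state
    pkt("198.51.100.7", 40001, 23, SYN),      # denied by rule base
    pkt("198.51.100.7", 40002, 23, ACK),      # no state
    pkt("198.51.100.7", 40003, 110, FIN | ACK),
    pkt("198.51.100.7", 40004, 111, FIN),
    pkt("198.51.100.7", 40005, 80, SYN | ACK),
]
```

In the lenient mode the port rule is never applied to the out-of-state ACK packets, which is the gap the message points out; the per-source port count gives a log signal in either mode.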

