using nmap to scan firewall

Which combination of parameters with nmap are best to test my firewall
for open ports? If all ports are closed am I 'safe'? or is that never
the case.

Thank you

Re: using nmap to scan firewall

On Sep 2, 12:56 pm, Ant wrote:
> Which combination of parameters with nmap are best to test my firewall
> for open ports? If all ports are closed am I 'safe'? or is that never
> the case.
>
> Thank you

I've also scanned it with nessus, is there anything else I can do?
Thank you

Re: using nmap to scan firewall

On Sun, 02 Sep 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1188752206.714313.312770@w3g2000hsg.googlegroups.com>, Ant wrote:

>Which combination of parameters with nmap are best to test my firewall
>for open ports?

From where? To find out what your firewall looks like from "outside",
you have to scan it from there - which might get you in trouble with
others, but that's besides the point. Or you could look at the
'netstat' output from the firewall device itself (netstat is a command
found in wincrap as well as most other operating systems, and this
shows what ports are OTHER THAN closed). Trying to scan your firewall
from "inside" won't show what's open/available "out there".

As for parameters to use, did you look at the rather extensive
documentation that comes with nmap? See the -sU and -p options

>If all ports are closed am I 'safe'? or is that never the case.

No firewall will protect against blatant stupidity. Most users get
0wn3d because they install something that they think they want or
need, and never realize it's mal-ware.

>X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;
SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506),
gzip(gfe),gzip(gfe)

Yeah, you might have a problem there. Still, almost anything is better
than Internt Exploiter.

Old guy

Re: using nmap to scan firewall

Thanks Old Guy, I'm talking about using nmap to scan from the outside.
I'll try the parameters you've suggested. My firewall has it's external
interface into a 4 port router so I can plug into it and run scans from
there. The firewall is in the 'dmz' of this router and the inside port
plugs into another linksys wireless router running DD-WRT.

Since I've last wrote this message I've installed Thunderbird/Firefox
and removed the IE shortcuts (From vista) and posted my reply from the
TB-client so hopefully you won't quote my 'exploitable' headers in this
reply, however I'm probably doing something else wrong so please let me
know. Wish I could find how to uninstall IE from Vista... Although I
could should just post this from an ubuntu VM that I have running on
this machine.

Thanks again for your help.

Moe Trin wrote:
> On Sun, 02 Sep 2007, in the Usenet newsgroup comp.security.firewalls, in article
> <1188752206.714313.312770@w3g2000hsg.googlegroups.com>, Ant wrote:
>
>> Which combination of parameters with nmap are best to test my firewall
>> for open ports?
>
> From where? To find out what your firewall looks like from "outside",
> you have to scan it from there - which might get you in trouble with
> others, but that's besides the point. Or you could look at the
> 'netstat' output from the firewall device itself (netstat is a command
> found in wincrap as well as most other operating systems, and this
> shows what ports are OTHER THAN closed). Trying to scan your firewall
> from "inside" won't show what's open/available "out there".
>
> As for parameters to use, did you look at the rather extensive
> documentation that comes with nmap? See the -sU and -p options
>
>> If all ports are closed am I 'safe'? or is that never the case.
>
> No firewall will protect against blatant stupidity. Most users get
> 0wn3d because they install something that they think they want or
> need, and never realize it's mal-ware.
>
>> X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;
> SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506),
> gzip(gfe),gzip(gfe)
>
> Yeah, you might have a problem there. Still, almost anything is better
> than Internt Exploiter.
>
> Old guy

Re: using nmap to scan firewall

On Sun, 02 Sep 2007, in the Usenet newsgroup comp.security.firewalls, in article
, Anthony B wrote:

>Thanks Old Guy, I'm talking about using nmap to scan from the outside.
>I'll try the parameters you've suggested.

As I wrote - be careful, as a full nmap scan may have unforeseen
consequences. Some firewalls have a reactive mode, where they "block
the attacker" after seeing a port scan - you might see that the first
fifty or a hundred ports are closed (being actual results), and then
the firewall kicks in and blocks you, so that even open stuff is no
longer seen. That's also true of some operating systems in regard to
UDP packets. That's why I prefer to use internal commands such as
netstat to see what the system is listening to.

[compton ~]$ netstat -tuan
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:21 192.168.1.0:* LISTEN
tcp 0 0 0.0.0.0:22 192.168.1.0:* LISTEN
[compton ~]$

This is a *nix box on an internal LAN, and the only thing open is SSH
and FTP, and only from the LAN address range.

>My firewall has it's external interface into a 4 port router so I can
>plug into it and run scans from there. The firewall is in the 'dmz'
>of this router and the inside port plugs into another linksys wireless
>router running DD-WRT.

OK, hand-waving time. Lets say that the big bad Internet has assigned
an address of... 198.18.20.21 to whatever is connected to the hose
coming out of the wall. Is that router translating that address to
something like an RFC1918 address (say 192.168.0.xx) for the other
ports on the "inside" of the router?

Next, there's a cable between the router and the firewall. THAT is
where you want to be when testing the firewall. There, you can flog
the snot out of your firewall without pissing of the ISP, and you can
see everything that might be open on the firewall from the outside.
My normal technique is to unplug that cable, and plug the end that
would normally go to the Internet into a lapdoggy that is configured
to look like what the firewall would see looking out to the Internet.
That way, nothing I do on the laptop causes packets to actually go
out to the Internet, and I can be as crude/brash/abusive as I want to
to the poor firewall and anything visible behind that. The only
caution would then be if your firewall autonomously reacts to block
the "attacking" IP (you'll have to reset the firewall before plugging
the cable back into the Internet, because the router is going to be
ignoring that nasty IP address).

Assuming the inside port of the Internet router is 192.168.0.1, your
firewall is 192.168.0.22, and your testing box is "tee-ed" in somehow
and is using 192.168.0.55 or is replacing the router as noted above,
then you might try

nmap -sS -sU -p 0- 192.168.1.22

_BUT_ see the caution in the -sU option - some O/S will ignore your
UDP scans if you scan to quickly. That's another reason to be using
the 'netstat' command instead.

>Since I've last wrote this message I've installed Thunderbird/Firefox
>and removed the IE shortcuts (From vista) and posted my reply from
>the TB-client so hopefully you won't quote my 'exploitable' headers
>in this reply

>User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
>MIME-Version: 1.0

That's a good bit better, but why not use a news reader to read/post
news, rather than an 'all-singing, all-dancing, do-everything' tool.
Browsers are for web pages, and typically are set up in a "let me
help you" mode which is what actually gets people in trouble. "Can't
see this web page? Let me download a plug-in for you." Oppsie!
By the way, versions _before_ 2.0.0.6 have a problem according to a
posting on Bugtraq a few weeks ago.

>however I'm probably doing something else wrong so please let me
>know. Wish I could find how to uninstall IE from Vista...

I think they've disabled that mechanism.

>Although I could should just post this from an ubuntu VM that I have
>running on this machine.

I don't see the Posting-Host: header in alt.os.linux.ubuntu ;-)
I'm assuming you have nmap installed on the ubuntu box, and can read
the 'nmap' and 'netstat' man pages.

Old guy