inverse mapping

Discussion in 'Computer Security' started by piotrkura_sobolewski@o2.pl, Jun 13, 2004.

  1. Guest

    Hello,

    I just read Ofir Arkin's article in which he describes inverse mapping, a
    technique used to scan the network behind a firewall:
    http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.5.pdf
    The idea (in a slightly simplified version) is that I can try to send packets
    to computers behind the firewall. If the computer exists, I hear no answer
    (the firewall blocks everything). If it does not exist, I receive
    "ICMP host unreachable" from the router.

    Then I tried to do it. I set up the following simple network:

                   +-----(3)
                  /
    (1)----(2)---+
                  \
                   +-----(4)

    (1) is the intruder's computer, (2) is a firewall computer with two network
    cards, (3) is a www server, (4) is a normal user computer.

    Assumptions: from the outside (from (1)'s point of view) only one computer
    should be visible: the www server, i.e. (3). Port 80 on it should be
    visible.

    Computer (4) should not be visible from the outside. The user working at it
    should be able to initiate TCP connections to port 80 of outside
    computers.

    Given these assumptions I created the following iptables script. I run it on
    the Linux firewall, (2):

    # (3)
    iptables -A FORWARD -d 172.16.193.129 -p TCP  -m state \
      --state ESTABLISHED -j ACCEPT
    iptables -A FORWARD -d 172.16.193.129 -p TCP --destination-port 80 -j ACCEPT
    iptables -A FORWARD -s 172.16.193.129 -p TCP -m state \
      --state ESTABLISHED -j ACCEPT

    # (4)
    iptables -A FORWARD -d 172.16.193.130 -p TCP -m state \
      --state ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 172.16.193.130 -p TCP -m state \
      --state ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 172.16.193.130 -p TCP --destination-port 80 -j ACCEPT

    iptables -A FORWARD -j DROP

    This is my model situation.
    Now I try to nmap the network behind the firewall. As a result I detect the
    www server (3), but I don't detect the normal client (4). OK.

    Then I try to send a SYN packet to (4):

    # sendip 172.16.193.129 -p ipv4 -is 10.10.10.88 -id 172.16.193.129 \
      -it 2 -p tcp -td 80

    Meanwhile I listen with tcpdump, but there's silence.

    Then I try to send, in the same way, a SYN packet to a non-existing computer
    behind the firewall:

    # sendip 172.16.193.140 -p ipv4 -is 10.10.10.88 -id 172.16.193.140 \
      -it 2 -p tcp -td 80

    I expect to receive "ICMP host unreachable", but I don't receive any. Well,
    of course, it is blocked by:
    iptables -A FORWARD -j DROP

    Conclusion: in my test network the method described by Ofir doesn't work.

    Question: so when (in what real-world situations) does using this method
    make sense?
    Does anybody know?

    --
    piotr sobolewski
    remove polish name of an animal from my email
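From the defender's side, the sweep described above leaves a distinctive trace on the firewall's outside interface: one source sending SYNs to addresses in the protected range that are not assigned to any host (like the probe to .140). The following Python script is an added example, not part of the original post, that flags such sources in tcpdump-style capture text; the log lines are constructed here, and the set of allocated addresses is assumed to be (3) and (4) from the post.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not from the original post): one outside
# source sweeping the protected 172.16.193.0/24 range with SYNs to port 80,
# plus two ordinary clients talking to the published www server.
SAMPLE_LOG = """\
12:00:01.000001 IP 10.10.10.88.40001 > 172.16.193.129.80: Flags [S], seq 1, win 512, length 0
12:00:01.000002 IP 10.10.10.88.40002 > 172.16.193.130.80: Flags [S], seq 1, win 512, length 0
12:00:01.000003 IP 10.10.10.88.40003 > 172.16.193.131.80: Flags [S], seq 1, win 512, length 0
12:00:01.000004 IP 10.10.10.88.40004 > 172.16.193.140.80: Flags [S], seq 1, win 512, length 0
12:00:01.000005 IP 10.10.10.88.40005 > 172.16.193.141.80: Flags [S], seq 1, win 512, length 0
12:00:02.000001 IP 192.0.2.7.51000 > 172.16.193.129.80: Flags [S], seq 9, win 64240, length 0
12:00:02.000002 IP 192.0.2.9.51001 > 172.16.193.129.80: Flags [S], seq 9, win 64240, length 0
"""

# Addresses in the protected range that are really assigned (assumption: (3) and (4)).
ALLOCATED = {"172.16.193.129", "172.16.193.130"}

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[S\]"
)


def parse_syns(log):
    """Yield (src, dst) for every TCP SYN found in tcpdump-style text."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def detect_inverse_mapping(log, allocated, prefix="172.16.193.", min_unallocated=2):
    """Return {src: sorted unallocated destinations} for every source that sent
    SYNs to at least min_unallocated addresses in the protected range that are
    not assigned to any host. Legitimate clients only ever reach published
    hosts, so SYNs to unassigned addresses are the signature of a sweep, whether
    or not the firewall's DROP rule silences the ICMP reply."""
    hits = defaultdict(set)
    for src, dst in parse_syns(log):
        if dst.startswith(prefix) and dst not in allocated:
            hits[src].add(dst)
    return {src: sorted(d) for src, d in hits.items() if len(d) >= min_unallocated}


if __name__ == "__main__":
    for src, dsts in detect_inverse_mapping(SAMPLE_LOG, ALLOCATED).items():
        print(f"{src} swept {len(dsts)} unallocated addresses: {', '.join(dsts)}")
```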
