Re: NMAP Scanning
- From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Sat, 22 Dec 2001 15:39:33 -0600
Hi Gary,
From my experience, testing from an internal network client won't give
you meaningful results. Run NMAP on an external network client and run
it against the external interface of the ISA Server to get useful
results.
HTH,
Tom
www.isaserver.org/shinder
-----Original Message-----
From: Gary Anderson [mailto:gary.anderson@xxxxxxxxxx]
Sent: Saturday, December 22, 2001 3:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: NMAP Scanning
http://www.ISAserver.org
Hi Jim,
I saw the hotfix and I did "read the book" on the IP Packet Filter being
applied to the external interface. I suspect that the problem is what
you
said.
As I recall, the IP log showed nothing. It did show a lot of blocked
packet
coming from the outside; nothing from the inside.
When the Protocol Rules were "Denied", FW log recorded the blocked
transmission.
Gary
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Saturday, December 22, 2001 19:46
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: NMAP Scanning
http://www.ISAserver.org
Testing ISA internal interface blocking is not completely useful.
ISA will not filter traffic on the internal interface without a
particular
hotfix (51) and adding the appropriate registry entries.
The question you should ask is whether or not ISA actually passed the
traffic to the external IP.
What's in the IP and FW logs for that scan?
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!
----- Original Message -----
From: "Gary Anderson" <gary.anderson@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, December 22, 2001 10:26
Subject: [isalist] NMAP Scanning
http://www.ISAserver.org
Has anyone ever run NMAP from inside of an ISA Server network? By this
I
mean you have an address in the LAT, you are a SecureNAT client and you
are
scanning a machine on the Internet with a public address. I have done
it
with the parameters
-g53 -sA -T Aggessive -P0
This means Source Port 53 (DNS), TCP ACK, 5 minute scan, no ping.
This type of scan should detect unfiltered ports on a intermediate
firewall.
I'm getting back a whole bunch of unfiltered ports like 110 (POP3). I
can
understand that if it wasn't for a small thing.
I have all Procotol Rules at "Deny". Moreover, when I do a telnet to
port
110 on the external machine, the connection is blocked (as I would
expect).
If I "Allow" the Protocol Rules. I get the same results from the NMAP
but I
can telnet to port 110 on the external. Why is ISA report ports at
"unfiltered" in NMAP when they are "filtered" by protocol rules? The
internal versus external interfaces, perhaps?
Does anyone have any ideas why these ports would be showing up?
Thanks,
Gary Anderson
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gary.anderson@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
