
I'm having trouble figuring this out. Supposedly, nmap can distinguish stateful firewalls from stateless firewalls by using the -sA or ACK scan, but I'm at a loss as to how one would discern that fact from the nmap output of an ACK scan.

I understand that nmap sends ACK flagged packets to the target and the target will respond or not respond based off certain criteria.

  1. Target will respond with RST if the port is open or closed and unfiltered.
  2. Target will NOT respond at all if the filter is DROPPING traffic.
  3. Target will send an ICMP error message if the filter is REJECTING traffic.

That being true, then `nmap` will report any port that responds with RST as unfiltered and all the other ports as filtered. This looks something like this... (using IPTABLES firewall with stateless rule(s))

    $ sudo nmap -sA -T4 192.168.219.135
    Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-28 16:35 EDT
    Nmap scan report for metasploitable (192.168.219.135)
    Host is up (0.00027s latency).
    Not shown: 994 filtered ports
    PORT    STATE      SERVICE
    22/tcp  unfiltered ssh
    25/tcp  unfiltered smtp
    53/tcp  unfiltered domain
    70/tcp  unfiltered gopher
    80/tcp  unfiltered http
    113/tcp unfiltered ident
    MAC Address: 00:0C:29:B7:F7:70 (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 4.40 seconds

Based off of that output, how would one discern whether this was stateful or stateless?

I've been reading everything I can on the subject, including the nmap book, and none of the examples makes sense to me. This is basically the same output as example 10.2 in the nmap book; in fact it is almost identical! The problem is that the nmap book states that this is the output from nmap that targeted a host running IPTABLES with STATEFUL rules!

If I can get the same output from a stateless firewall as I can from a stateful firewall, then how am I supposed to tell from the nmap ACK scan which firewall I'm encountering?

I'm super frustrated and I really appreciate any help sent my way.

2 Answers


Let's consider what the behavior differences between a stateful and a stateless firewall would be. The stateless firewall will block based on port number, but it can't just block incoming ACK packets because those could be sent in response to an OUTGOING connection. So from the -sA scan point of view, the ports would show up as "unfiltered" because the firewall is only filtering SYN packets.

A stateful firewall, on the other hand, can determine if an incoming ACK packet is part of an established outgoing connection. It only blocks the packet if it is unsolicited (as it is in the case of -sA). So Nmap will label the port as "filtered."

So the final determination is this: if ACK scan shows some ports as "filtered," then it is likely a stateful firewall. If all show as "unfiltered," but a regular SYN scan shows some as "filtered," then it is a stateless firewall.

  • Thanks for the feedback. I think your answer makes sense, but I want to make sure about something before I check it as answered. Am I correct in thinking that you can only HYPOTHESIZE that you are encountering a stateful or stateless firewall and there is no concrete ability to say a firewall is stateful/stateless? cont... Commented Jun 30, 2016 at 17:35
  • I say this because of your statement that ACK scans that show some ports as "filtered" are "LIKELY a stateful firewall." Also, my nmap output referenced is from scanning a stateless firewalled host, which contradicts your last statement, "So the final determination is this: if ACK scan shows some ports as "filtered," then it is likely a stateful firewall. If all show as "unfiltered," but a regular SYN scan shows some as "filtered," then it is a stateless firewall." cont... Commented Jun 30, 2016 at 17:36
  • My nmap output defies both of those propositions. I don't say that to be confrontational, but to try and understand correctly. Would you concur that one is NOT able to have certainty of the firewall state, but can only be deduced? Or am I missing something? Again, thanks for answering and hopefully continuing to help! Commented Jun 30, 2016 at 17:37
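As an added example (not part of the question or either answer), this Python script applies the rule from the answer above to Nmap normal output: it counts port states, including the "Not shown" summary line, for an ACK scan and a SYN scan of the same host. The inputs are the asker's own ACK-scan port table plus constructed samples; the "All N scanned ports on host are <state>" wording is an assumption. Run on the asker's output it returns "likely stateful" even though the asker says the filter was stateless, which is exactly the caveat raised in the comments.

```python
import re
from collections import Counter

# Port-table lines ("22/tcp  unfiltered ssh") and the summary lines that hide the
# majority state ("Not shown: 994 filtered ports", "All 1000 ... are unfiltered").
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+([a-z|]+)\s+\S+")
SUMMARY = re.compile(r"(\d+) (?:scanned ports on .*? are )?([a-z|]+)")

def port_states(nmap_output):
    """Count ports per state in Nmap normal output, summary lines included."""
    counts = Counter()
    for line in nmap_output.splitlines():
        if line.startswith(("Not shown:", "All ")):
            for n, state in SUMMARY.findall(line):
                counts[state] += int(n)
            continue
        m = PORT_LINE.match(line)
        if m:
            counts[m.group(3)] += 1
    return counts

def classify_firewall(ack_output, syn_output):
    """The first answer's rule: 'filtered' in the ACK scan suggests stateful;
    all 'unfiltered' there but 'filtered' in the SYN scan suggests stateless."""
    ack, syn = port_states(ack_output), port_states(syn_output)
    if ack["filtered"]:
        return "likely stateful"
    if syn["filtered"]:
        return "stateless"
    return "no filtering observed"

# The port table from the asker's ACK scan (994 filtered + 6 unfiltered).
ASKER_ACK = """\
Not shown: 994 filtered ports
PORT    STATE      SERVICE
22/tcp  unfiltered ssh
25/tcp  unfiltered smtp
53/tcp  unfiltered domain
70/tcp  unfiltered gopher
80/tcp  unfiltered http
113/tcp unfiltered ident
"""
# Constructed results for a stateless filter that drops only inbound SYNs: every
# ACK probe draws a RST, while the SYN scan still shows most ports as filtered.
STATELESS_ACK = "All 1000 scanned ports on 192.0.2.10 are unfiltered\n"  # wording assumed
STATELESS_SYN = "Not shown: 999 filtered ports\nPORT   STATE SERVICE\n22/tcp open  ssh\n"
```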

I agree with the answer given by bonsaiviking. To improvise on the same, there's a Window scan (-sW) which basically exploits an implementation detail of certain systems (so nmap warns, it can't always be trusted). The returned RST packet, with either -sA or -sW, is checked for its TCP Window field, and an open or closed port is concluded.

Reference: https://nmap.org/book/man-port-scanning-techniques.html
