Network Security Nessus-Users

RE: Freaky output from scanning a NAT pool

Subject: RE: Freaky output from scanning a NAT pool
Date: Tue, 20 Nov 2007 10:34:13 -0500
Hi Ron,

The scanner is sitting on an Internet facing segment at a different ISP.
This is purely Internet based scanning with no credentials.

I get where you're coming from with regard to hitting a NAT/PAT table
with stuff that makes no "sense" to the firewall.  I've just not seen
anything like it before and would have expected the firewall to just
give no information back, which I would have expected Nessus to interpret
as a "host appears to be behind a firewall" type of notation for each
IP.

There's no IPS in the way at this point so I don't think that's the
issue here.  I'll send you firewall log samples from the time of the
scan.

Thanks,

Scott
-----Original Message-----
From: Ron Gula [mailto:rgula@tenablesecurity.com] 
Sent: Monday, November 19, 2007 8:58 PM
To: Wozny, Scott (US - New York)
Cc: nessus@list.nessus.org
Subject: Re: Freaky output from scanning a NAT pool

Hi Scott,

Many comments. Most of these are opinions because of the lack of
details. I am also a bit unsure of where your scanner is. If you are
inside the NAT and on the Ethernet, you will get different results
scanning out as compared to being outside the NAT and scanning in with
port forwarding.

- Most commercial scanners actually use Nmap for their port scanning and
OS fingerprinting, so it is very likely that you won't get any
different results with a basic scan.

- When you scanned with safe checks off, you caused Nessus to likely try
something that put the firewall into a state that is unknown. Exactly
what happened is probably based on the state of the firewall, and now its
NAT (and PAT) table is different. It's also possible that a mere second
scan could have had the same side effects. Many network devices have
tables based on combinations of source IP, destination IP and
destination port. Re-doing your original scan is now scanning a
different network environment, which is likely why you are getting
different results.

- If the firewall is a UTM/IPS and offering decoy services (perhaps
services not tested by some commercial scanners) this may also put the
firewall into a state it can't handle. If you have logs from the
firewall, it would be interesting to see if it has logged any errors or
warnings.

Ron Gula
Tenable Network Security 


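As an added illustration of Ron's point about state tables keyed on (source IP, destination IP, destination port), here is a toy model of a stateful NAT/PAT device with a finite connection-tracking table, scanned from outside and walked through the sequence Scott describes (basic scan, aggressive scan, basic scan repeated). This is example code written for this page; it is not Nessus, Nmap or any vendor's logic, and the table capacity, idle timeout, addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and port lists are all constructed assumptions.

```python
"""Toy model of a stateful NAT/PAT firewall in front of a scanned address pool.

Added illustration for this thread, not Nessus, Nmap or vendor code.
Assumptions (all hypothetical): the device tracks flows in a table keyed on
(src_ip, dst_ip, dst_port) with a fixed capacity, a SYN that cannot get a
table slot is silently dropped, and idle entries expire after
`idle_timeout` seconds.  All addresses and port lists are constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, str, int]          # (src_ip, dst_ip, dst_port)


@dataclass
class StatefulNat:
    capacity: int                       # max concurrent tracked flows (assumed)
    idle_timeout: float                 # seconds before an idle flow is dropped (assumed)
    listening: Dict[str, Set[int]]      # pool address -> ports the inside host answers on
    table: Dict[FlowKey, float] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        for key, last_seen in list(self.table.items()):
            if now - last_seen > self.idle_timeout:
                del self.table[key]

    def probe(self, src: str, dst: str, port: int, now: float) -> str:
        """What a SYN probe from src to dst:port sees: open, closed or filtered."""
        self._expire(now)
        key = (src, dst, port)
        if key not in self.table and len(self.table) >= self.capacity:
            return "filtered"           # no free slot: SYN dropped, scanner times out
        self.table[key] = now           # create or refresh the flow entry
        if port in self.listening.get(dst, set()):
            return "open"               # inside host replied SYN/ACK
        return "closed"                 # inside host replied RST


def scan(fw: StatefulNat, src: str, targets: List[str], ports: List[int],
         now: float) -> Dict[str, Dict[int, str]]:
    """One scan pass: probe every target on every port, in order."""
    return {dst: {p: fw.probe(src, dst, p, now) for p in ports} for dst in targets}


def verdict(host_result: Dict[int, str]) -> str:
    """Coarse per-host interpretation, using the wording from the thread."""
    states = set(host_result.values())
    if states == {"filtered"}:
        return "host appears to be behind a firewall"
    open_ports = sorted(p for p, s in host_result.items() if s == "open")
    if open_ports:
        return "open ports: " + ", ".join(map(str, open_ports))
    return "no open ports found"


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Basic scan, then an aggressive scan, then the basic scan again.

    Returns the per-host verdicts of the first and of the repeated basic scan.
    """
    scanner = "198.51.100.7"                        # constructed: scanner at another ISP
    pool = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    fw = StatefulNat(capacity=8, idle_timeout=60.0, listening={
        "203.0.113.10": {80, 443},
        "203.0.113.11": {25, 80},
        "203.0.113.12": {22},
    })
    basic_ports = [22, 80, 443]
    aggressive_ports = [21, 23, 25, 110, 143, 3389, 5900, 8080]

    first = {h: verdict(r) for h, r in
             scan(fw, scanner, pool, basic_ports, now=0.0).items()}
    # By t=100 the first scan's entries have idled out; the aggressive scan
    # refills the whole table with flows the basic scan never uses.
    scan(fw, scanner, pool, aggressive_ports, now=100.0)
    # Repeating the original scan 10 s later hits a full table: every probe
    # is dropped, so each host now "appears to be behind a firewall".
    again = {h: verdict(r) for h, r in
             scan(fw, scanner, pool, basic_ports, now=110.0).items()}
    return first, again


if __name__ == "__main__":
    first, again = demo()
    for host in first:
        print(f"{host}: first basic scan -> {first[host]}; repeated -> {again[host]}")
```

The model deliberately ignores which probe packets were sent; the only thing that changes between the two identical basic scans is the residual state left in the device's table, which is enough to turn "open ports" into "behind a firewall" for every address in the pool. A real device's keying, capacity and timers differ, so the firewall logs Scott offers to send are the way to confirm whether something like this is what actually happened.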
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
