How to tell stateful vs stateless firewall with nmap ACK scan

Tags: iptables, nmap

I'm having trouble figuring this out. Supposedly, nmap can distinguish stateful firewalls from stateless firewalls by using the -sA or ACK scan, but I'm at a loss as to how one would discern that fact from the nmap output of an ACK scan.

I understand that nmap sends ACK flagged packets to the target and the target will respond or not respond based off certain criteria.

  1. Target will respond with RST if port is open or closed and unfiltered.
  2. Target will NOT respond at all if filter is DROPPING traffic
  3. Target will send ICMP error message if filter is REJECTING traffic

That being true, then nmap will report any port that responds with RST as unfiltered and all the other ports as filtered. This looks something like this (using an IPTABLES firewall with stateless rule(s)):

$ sudo nmap -sA -T4 192.168.219.135

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-28 16:35 EDT
Nmap scan report for metasploitable (192.168.219.135)
Host is up (0.00027s latency).
Not shown: 994 filtered ports
PORT    STATE      SERVICE
22/tcp  unfiltered ssh
25/tcp  unfiltered smtp
53/tcp  unfiltered domain
70/tcp  unfiltered gopher
80/tcp  unfiltered http
113/tcp unfiltered ident
MAC Address: 00:0C:29:B7:F7:70 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.40 seconds

Based off of that output, how would one discern whether this was stateful or stateless?

I've been reading everything I can on the subject, including the nmap book, and none of the examples makes sense to me. This is basically the same output as example 10.2 in the nmap book; in fact it is almost identical! The problem is that the nmap book states that this is the output from nmap that targeted a host running IPTABLES with STATEFUL rules!

If I can get the same output from a stateless firewall as I can from a stateful firewall, then how am I supposed to tell from the nmap ACK scan which firewall I'm encountering?

I'm super frustrated and I really appreciate any help sent my way.

Best Answer

Let's consider what the behavior differences between a stateful and a stateless firewall would be. The stateless firewall will block based on port number, but it can't just block incoming ACK packets because those could be sent in response to an OUTGOING connection. So from the -sA scan point of view, the ports would show up as "unfiltered" because the firewall is only filtering SYN packets.

A stateful firewall, on the other hand, can determine if an incoming ACK packet is part of an established outgoing connection. It only blocks the packet if it is unsolicited (as it is in the case of -sA). So Nmap will label the port as "filtered."

So the final determination is this: if an ACK scan shows some ports as "filtered," then it is likely a stateful firewall. If all show as "unfiltered," but a regular SYN scan shows some as "filtered," then it is a stateless firewall.
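To make the decision rule from the answer concrete, here is an added example (my own code, not from the question author, the answerer, or the Nmap project). It parses the port-state summary out of nmap's normal text output for an ACK scan and a SYN scan of the same host, counting both the listed port rows and the ports folded into the "Not shown:" / "All N scanned ports ..." summary lines, and then applies the rule: filtered ports under -sA point to state tracking; all-unfiltered under -sA with filtered ports under -sS points to a stateless filter. The scan outputs embedded below are constructed samples for a hypothetical lab host 192.0.2.10, not captures from the question's machine.

```python
import re
from collections import Counter

# Constructed sample outputs (hypothetical host 192.0.2.10), laid out the way
# nmap prints its normal text report. They are not captures from a real scan.
ACK_STATEFUL = """\
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-28 16:35 EDT
Nmap scan report for lab-host (192.0.2.10)
Host is up (0.00027s latency).
Not shown: 998 filtered ports
PORT    STATE      SERVICE
22/tcp  unfiltered ssh
80/tcp  unfiltered http
"""

SYN_STATEFUL = """\
Nmap scan report for lab-host (192.0.2.10)
Not shown: 998 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
"""

# A stateless filter that only matches SYN lets every unsolicited ACK through,
# so the target answers each probe with RST and nmap reports every port unfiltered.
ACK_STATELESS = """\
Nmap scan report for lab-host (192.0.2.10)
All 1000 scanned ports on lab-host (192.0.2.10) are unfiltered
"""

SYN_STATELESS = """\
Nmap scan report for lab-host (192.0.2.10)
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
80/tcp  open   http
"""

SYN_NO_FIREWALL = """\
Nmap scan report for lab-host (192.0.2.10)
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")
NOT_SHOWN = re.compile(r"(\d+)\s+(open|closed|filtered|unfiltered)")
ALL_PORTS = re.compile(r"^All (\d+) scanned ports on .+ are (open|closed|filtered|unfiltered)")


def count_states(nmap_output: str) -> Counter:
    """Return a Counter of port states seen in nmap's normal text output,
    including the ports summarised on the 'Not shown:' and 'All N scanned
    ports ... are <state>' lines, which carry most of the ports."""
    counts = Counter()
    for raw in nmap_output.splitlines():
        line = raw.strip()
        if line.startswith("Not shown:"):
            for n, state in NOT_SHOWN.findall(line):
                counts[state] += int(n)
            continue
        m = ALL_PORTS.match(line)
        if m:
            counts[m.group(2)] += int(m.group(1))
            continue
        m = PORT_LINE.match(line)
        if m:
            counts[m.group(3)] += 1
    return counts


def classify_firewall(ack_output: str, syn_output: str) -> str:
    """Apply the answer's heuristic to an ACK scan and a SYN scan of one host."""
    ack = count_states(ack_output)
    syn = count_states(syn_output)
    if not ack:
        return "no port data in ACK scan output"
    if ack["filtered"] > 0:
        # Unsolicited ACKs were dropped: consistent with a stateful filter.
        return "likely stateful"
    if syn["filtered"] > 0:
        # ACKs pass but SYNs are filtered: a flag-based, stateless filter.
        return "stateless"
    return "no filtering observed"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python classify.py ack.txt syn.txt (files saved with nmap -oN)
        with open(sys.argv[1]) as f_ack, open(sys.argv[2]) as f_syn:
            print(classify_firewall(f_ack.read(), f_syn.read()))
    else:
        for label, ack, syn in [("stateful sample", ACK_STATEFUL, SYN_STATEFUL),
                                ("stateless sample", ACK_STATELESS, SYN_STATELESS),
                                ("no-firewall sample", ACK_STATELESS, SYN_NO_FIREWALL)]:
            print(f"{label}: {classify_firewall(ack, syn)}")
```

To use it against real scans, save each scan with nmap's -oN option (for example `sudo nmap -sA -oN ack.txt <host>` and `sudo nmap -sS -oN syn.txt <host>`) and pass the two files as arguments. Treat the result as a heuristic rather than proof: the question's own output shows that a stateless iptables rule set whose default policy drops everything it does not explicitly accept also drops unsolicited ACKs, so "filtered" under -sA is evidence for state tracking only when the rule set would otherwise have let the ACK through.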
