M E T A E Y E SG

•  Who’s Blocking

Generally, when nmap reports a host's ports as filtered, it is hard to
tell which device blocked the probes. For example:

#nmap -sS -p 139,135,445 203.197.219.33

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-04-12 22:38 IST
Interesting ports on delhi-203.197.219-33.vsnl.net.in (203.197.219.33):
PORT STATE SERVICE
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap finished: 1 IP address (1 host up) scanned in 9.848 seconds

Even with hping, if no ICMP "administratively prohibited" response is received it is hard to tell. For example:

#hping -S -p 139 203.197.219.33
HPING 203.197.219.33 (ppp0 203.197.219.33): S set, 40 headers + 0 data bytes

--- 203.197.219.33 hping statistic ---
4 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

But there is a technique: with advanced tracerouting we can identify the host dropping the probes.
For example:

#tcptraceroute -nS 203.197.219.33 139
Selected device ppp0, address 220.224.43.246, port 2649 for outgoing packets
Tracing the path to 203.197.219.33 on TCP port 139 (netbios-ssn), 30 hops max
1 97.235.1.3 293.053 ms 299.380 ms 299.337 ms
2 97.235.2.1 300.399 ms 318.835 ms 339.974 ms
3 * * *
4 * * *

We check that port 23 is open and trace to that port instead.

#tcptraceroute -nS 203.197.219.33 23
Selected device ppp0, address 220.224.43.246, port 1480 for outgoing packets
Tracing the path to 203.197.219.33 on TCP port 23 (telnet), 30 hops max
1 97.235.1.3 285.576 ms 300.100 ms 299.363 ms
2 97.235.2.1 300.142 ms 299.639 ms 299.786 ms
3 202.138.117.146 299.731 ms 299.686 ms 299.282 ms
4 220.224.180.74 299.836 ms 318.862 ms 320.038 ms
---snipped----

Hence we know host 202.138.117.146 is the first one dropping our packets.
You can find tcptraceroute here.
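The comparison above, written out as an added example (not part of the original note): parse the two tcptraceroute listings and report the first hop that answers on the open-port trace but stays silent on the filtered-port trace. The embedded listings are the page's own output; the function names are assumptions of this example.

```python
import re

# The two tcptraceroute listings from this note, embedded so the comparison
# runs offline (hop lines only; the device/port banner lines are dropped).
TRACE_FILTERED = """\
Tracing the path to 203.197.219.33 on TCP port 139 (netbios-ssn), 30 hops max
 1  97.235.1.3  293.053 ms  299.380 ms  299.337 ms
 2  97.235.2.1  300.399 ms  318.835 ms  339.974 ms
 3  * * *
 4  * * *
"""

TRACE_OPEN = """\
Tracing the path to 203.197.219.33 on TCP port 23 (telnet), 30 hops max
 1  97.235.1.3  285.576 ms  300.100 ms  299.363 ms
 2  97.235.2.1  300.142 ms  299.639 ms  299.786 ms
 3  202.138.117.146  299.731 ms  299.686 ms  299.282 ms
 4  220.224.180.74  299.836 ms  318.862 ms  320.038 ms
"""

# hop number followed by either an address or the first '*' of '* * *'
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_hops(text):
    """Map hop number -> responding address, or None for a silent '* * *' hop."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner line, not a hop
        ttl, addr = int(m.group(1)), m.group(2)
        hops[ttl] = None if addr == "*" else addr
    return hops


def first_dropping_hop(filtered_text, open_text):
    """Return (hop, address) of the first router that replies on the
    open-port trace but is silent (or absent) on the filtered-port trace.
    A hop silent on both traces is ignored: that is a router that simply
    does not answer, not evidence of filtering. Returns None if no such hop."""
    filtered, opened = parse_hops(filtered_text), parse_hops(open_text)
    for ttl in sorted(opened):
        if opened[ttl] is not None and filtered.get(ttl) is None:
            return ttl, opened[ttl]
    return None
```

Run against the page's two traces it reports hop 3, 202.138.117.146, the same conclusion drawn above.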



[ © MSG ]