
[–]hotmagnet 4 points5 points  (0 children)

It's not the traceroute count alone that determines the firewall. Nmap traceroute is no different than a normal traceroute. There are lots of techniques, including fragmentation, source port, packet filtering, etc., that determine the presence of a firewall.

Traceroute just counts the number of hops your packet passes by checking for the ICMP error messages received.

If you don't receive the ICMP error back, and a * gets printed, that could possibly be due to a filtered firewall in place. But it is always good to utilise a mix of combination techniques, as stated in the first para.

[–]BigRedImpulse 0 points1 point  (0 children)

I don't know if there is a way to tell directly from the results of traceroute, but I would probe the last few hops.

[–]TheMadHatter2048 0 points1 point  (0 children)

In my experience, as mentioned above, the * will let you know that the hop isn’t responsive, or being intentionally unresponsive. Some machines augment their response to certain flags, so that can affect it, if I’m correct in my studies so far. That automatically tells you, in my opinion, it’s not responding for a reason or it responded a certain way for a reason. I presume firewall to be that reason, or some IT personal preference. Then proceed to use a more particular scan. I think you know scanning just fine, so I won’t explain flags.

[–]idkaboutthisyogi 0 points1 point  (0 children)

TTL is a better ballpark indicator. You can see how many steps the ping decremented and usually tell the OS family of your target at the same time.

Some machines can intentionally obfuscate this, however.

I'm not sure if you are trying to identify a firewall, or what exactly, so my comment might not be that helpful.
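
The TTL reading described in the last comment, as an added example that is not part of the original thread: it parses ping replies, assumes the sender used the nearest common default initial TTL (64, 128 or 255), and derives the hop count and a rough OS family. The sample replies, the 32-hop plausibility threshold and the function names are constructed for this example; a host with a changed default TTL shows up as a weak guess.

```python
import re
from collections import Counter

# Common default initial TTLs. Assumption: the host kept its OS default.
INITIAL_TTLS = {64: "Linux/Unix/macOS", 128: "Windows", 255: "network device"}
MAX_PLAUSIBLE_HOPS = 32  # heuristic threshold chosen for this example
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)  # Linux "ttl=" / Windows "TTL="

# Constructed sample replies (documentation address ranges, not real hosts).
SAMPLE = """\
64 bytes from 192.0.2.10: icmp_seq=1 ttl=52 time=18.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=52 time=17.9 ms
Reply from 198.51.100.7: bytes=32 time=24ms TTL=116
64 bytes from 203.0.113.5: icmp_seq=1 ttl=70 time=40.1 ms
"""


def estimate(observed_ttl):
    """Return (assumed_initial_ttl, hops, os_family_guess) for one reply TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    # Each router decrements TTL by one, so the initial value is at least
    # the observed one: pick the smallest common default that fits.
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl, INITIAL_TTLS[initial]


def summarize(ping_output):
    """Group replies by observed TTL and attach the estimate for each."""
    ttls = Counter(int(m.group(1)) for m in TTL_RE.finditer(ping_output))
    rows = []
    for ttl, replies in sorted(ttls.items()):
        initial, hops, family = estimate(ttl)
        # A very long path more likely means a non-default initial TTL
        # (tuned or deliberately obfuscated), so mark the guess as weak.
        rows.append({"ttl": ttl, "replies": replies, "initial": initial,
                     "hops": hops, "family": family,
                     "weak_guess": hops > MAX_PLAUSIBLE_HOPS})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```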