Firewall Wizards mailing list archives
TTL, works with Cisco ACL's to :)
From: Lance Spitzner <lance () spitzner net>
Date: Mon, 6 Nov 2000 20:57:02 -0600 (CST)
Recently I posted about setting TTLs on a scanner (such as nmap) to map unfiltered ports on a firewall. Proof of concept was done on CheckPoint FW-1 4.1 SP2. Fyodor asked me to check out some other systems, so I obliged. I have access to a Cisco 2514 with IOS 12.0(7). The method worked like a champ. As standard security procedure, I set the router interface with "no ip unreachables"; however, this had no effect (which I expected).

Below I probed the system 'victim7' to determine which ports are open. For this example, I probe port 5100 to see if it is unfiltered. See diagram below:

Me ---> FW-1 ---> Cisco --> victim7

Both the firewall and router allow port 5100 through. I use hping2 to set the TTL and determine the port is open.

TTL set for firewall (TTL of 1)
-------------------------------
marge #hping2 -S -c 1 -t 1 -p 5100 victim7
eth0 default routing interface selected (according to /proc)
HPING victim7 (eth0 172.16.1.107): S set, 40 headers + 0 data bytes
TTL 0 during transit from 192.168.1.254 (firewall)

marge #hping2 -2 -S -c 1 -t 1 -p 5100 victim7
eth0 default routing interface selected (according to /proc)
HPING victim7 (eth0 172.16.1.107): udp mode set, 28 headers + 0 data bytes
TTL 0 during transit from 192.168.1.254 (firewall)

TTL set for router (TTL of 2)
------------------------------
marge #hping2 -S -c 1 -t 2 -p 5100 victim7
eth0 default routing interface selected (according to /proc)
HPING victim7 (eth0 172.16.1.107): S set, 40 headers + 0 data bytes
TTL 0 during transit from 10.1.1.1 (router)

marge #hping2 -2 -S -c 1 -t 2 -p 5100 victim7
eth0 default routing interface selected (according to /proc)
HPING victim7 (eth0 172.16.1.107): udp mode set, 28 headers + 0 data bytes
TTL 0 during transit from 10.1.1.1 (router)

I would say that CheckPoint and Cisco ACLs account for a VERY large percentage of filtering that happens on the net :)

Oh, and before the hardcore geeks ask, here are the ICMP traces :)

-*> Snort! <*-
Version 1.6.3 By Martin Roesch (roesch () clark net, www.snort.org)

11/06-20:44:27.424173 192.168.1.254 -> 192.168.1.10
ICMP TTL:255 TOS:0x0 ID:10529 DF
TTL EXCEEDED
00 00 00 00 45 00 00 28 03 B9 00 00 00 06 47 EA  ....E..(......G.
C0 A8 01 0A AC 10 01 6B 07 D2 13 EC 57 60 8A CA  .......k....W`..
7C 1F 01 96 50 02 02 00 C3 16 00 00              |...P.......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/06-20:44:30.597322 10.1.1.1 -> 192.168.1.10
ICMP TTL:254 TOS:0xC0 ID:499
TTL EXCEEDED
00 00 00 00 45 00 00 28 6D 2C 00 00 01 06 DD 76  ....E..(m,.....v
C0 A8 01 0A AC 10 01 6B 05 CF 13 EC 75 97 8D 81  .......k....u...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/06-20:44:36.393898 192.168.1.254 -> 192.168.1.10
ICMP TTL:255 TOS:0x0 ID:10530 DF
TTL EXCEEDED
00 00 00 00 45 00 00 1C B4 31 00 00 00 11 97 72  ....E....1.....r
C0 A8 01 0A AC 10 01 6B 05 ED 13 EC 00 08 76 D7  .......k......v.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/06-20:44:40.029069 10.1.1.1 -> 192.168.1.10
ICMP TTL:254 TOS:0xC0 ID:500
TTL EXCEEDED
00 00 00 00 45 00 00 1C 15 F5 00 00 01 11 34 AF  ....E.........4.
C0 A8 01 0A AC 10 01 6B 09 8C 13 EC 00 08 73 38  .......k......s8

--
Lance Spitzner
http://www.enteract.com/~lspitz

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
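The Snort dumps above are the evidence a defender actually gets to see: each ICMP Time Exceeded from the firewall or router quotes the first bytes of the probe that expired there, so the protocol, destination and destination port of every probe that passed the filter are recoverable from your own device's ICMP output. The decoder below is an added example for this archived post, not Lance's code and not part of hping2 or Snort. It takes the payload hex exactly as printed in the four traces (copied here as Python literals with the ASCII column dropped), skips the unused word of the ICMP header, parses the quoted IPv4 header and whatever transport bytes follow it, and summarises which probe each reporting device answered. Run over the page's traces it shows two details worth knowing when reading such alerts: FW-1 quotes the header with TTL already decremented to 0 and includes the full 20-byte TCP header, while the Cisco quotes TTL 1 and only the first 8 transport bytes (enough for the ports, not for the TCP flags).

```python
"""Decode the datagram quoted inside an ICMP Time Exceeded payload.

Added example: not code from the original post, hping2 or Snort.
Input layout follows the Snort 1.x dumps in the post: the 4-byte unused
field of the ICMP header, the quoted IPv4 header, then as many transport
bytes as the reporting device chose to include.
"""
import ipaddress
import struct

# (reporting device, payload hex) copied from the four Snort traces in the post
PAGE_TRACES = [
    ("192.168.1.254", "00 00 00 00 45 00 00 28 03 B9 00 00 00 06 47 EA "
                      "C0 A8 01 0A AC 10 01 6B 07 D2 13 EC 57 60 8A CA "
                      "7C 1F 01 96 50 02 02 00 C3 16 00 00"),
    ("10.1.1.1",      "00 00 00 00 45 00 00 28 6D 2C 00 00 01 06 DD 76 "
                      "C0 A8 01 0A AC 10 01 6B 05 CF 13 EC 75 97 8D 81"),
    ("192.168.1.254", "00 00 00 00 45 00 00 1C B4 31 00 00 00 11 97 72 "
                      "C0 A8 01 0A AC 10 01 6B 05 ED 13 EC 00 08 76 D7"),
    ("10.1.1.1",      "00 00 00 00 45 00 00 1C 15 F5 00 00 01 11 34 AF "
                      "C0 A8 01 0A AC 10 01 6B 09 8C 13 EC 00 08 73 38"),
]

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
TCP_FLAG_BITS = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x20, "URG")]


def decode_time_exceeded_payload(hexdump):
    """Return a dict describing the datagram quoted in a Time Exceeded payload."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    quote = data[4:]  # skip the ICMP 'unused' word; the quoted IP header follows
    if len(quote) < 20 or quote[0] >> 4 != 4:
        raise ValueError("quote does not start with an IPv4 header")
    ihl = (quote[0] & 0x0F) * 4
    (_ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", quote[:20])
    l4 = quote[ihl:]  # transport bytes the device chose to quote (8 or more)
    info = {
        "ttl_in_quote": ttl,          # TTL as the device saw/quoted it
        "ip_id": ident,
        "total_len": total_len,       # length of the original probe datagram
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "quoted_l4_bytes": len(l4),
    }
    # Ports sit in the first 4 bytes of both TCP and UDP, so 8 quoted bytes suffice
    if proto in (6, 17) and len(l4) >= 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    # TCP flags live at offset 13; only present when the full header was quoted
    if proto == 6 and len(l4) >= 14:
        info["tcp_flags"] = [name for bit, name in TCP_FLAG_BITS if l4[13] & bit]
    return info


def summarize_alerts(traces):
    """One row per alert: (reporter, protocol, dst, dst_port, ttl_in_quote)."""
    rows = []
    for reporter, hexdump in traces:
        d = decode_time_exceeded_payload(hexdump)
        rows.append((reporter, d["protocol"], d["dst"], d.get("dst_port"),
                     d["ttl_in_quote"]))
    return rows


if __name__ == "__main__":
    for row in summarize_alerts(PAGE_TRACES):
        print("%-14s %-4s -> %s:%s  quoted TTL=%d" % row)
```

Fed the alerts from a filtering device over time, the same rows make the pattern in the post visible from the defender's side: a run of Time Exceeded messages whose quotes all carry a tiny TTL and walk through destination ports is a port map of the ACL being drawn hop by hop, and nothing in "no ip unreachables" stops it because Time Exceeded is not an Unreachable.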
Current thread:
- TTL, works with Cisco ACL's to :) Lance Spitzner (Nov 08)
- <Possible follow-ups>
- Re: TTL, works with Cisco ACL's to :) Alex Goldney (Nov 09)
- Re: TTL, works with Cisco ACL's to :) Lance Spitzner (Nov 09)
- Re: TTL, works with Cisco ACL's to :) Alex Goldney (Nov 09)
- Re: TTL, works with Cisco ACL's to :) Lance Spitzner (Nov 09)
- Re: TTL, works with Cisco ACL's to :) Alex Goldney (Nov 10)
- Re: TTL, works with Cisco ACL's to :) Lance Spitzner (Nov 11)
- RE: TTL, works with Cisco ACL's to :) Ofir Arkin (Nov 12)
- Re: TTL, works with Cisco ACL's to :) Lance Spitzner (Nov 11)