Penetration Testing mailing list archives

RE: RE: PIX and ttl


From: "Filipe Almeida" <filipe () ist utl pt>
Date: Mon, 28 May 2001 15:58:15 +0100





-----Original Message-----
From: pen-test-return-93-filipe=ist.utl.pt () securityfocus com [mailto:pen-test-return-93-filipe=ist.utl.pt () securityfocus com] On Behalf Of Fernando Cardoso
Sent: Sunday, 27 May 2001 21:02
To: jlewis () jasonlewis net
Cc: 'Jacek Lipkowski'; PEN-TEST () securityfocus com
Subject: Re: RE: PIX and ttl

NMAP scans for hosts beyond "stateful aware" firewalls are quite
difficult. The first problem lies in the firewall design. If a packet
is not in the connection table and it's not a SYN packet, it is simply
dropped. The other problem is TCP options. Most firewalls will drop
those packets also.

In a recent pen-test I realized that Win 2k hosts beyond a PIX would
only respond to NMAP test #5, the only one that uses a standard SYN,
while if those boxes were outside the filtered network, they would
reply to all 8 tests.

        And if you are using some kind of SynDefender even the SYN
packets may be generated by the firewall, depending on the SynDefender
method you are using.

The work around is break in and NMAP from the internal network ;)

        Another option is to do some research on the possibility of
doing fingerprinting in the other TCP states (ESTABLISHED, FIN_WAIT,
...).
        A method I use to discover Windows machines behind a stateful
aware firewall with SynDefender is to create ESTABLISHED connections
and analyze the ip.id increments. This analysis can be expanded to other
fields of the packets and other states by doing some research.
        Perhaps a fingerprinting system that uses traces from a tcpdump
session? Anyone?

--
Filipe Almeida filipe () rnl ist utl pt
Aka LiquidK
Administração da Rede das Novas Licenciaturas
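The ip.id analysis Filipe describes, and the tcpdump-trace fingerprinting he asks about, rest on one property: some hosts use a single global, predictable IP ID counter, so the counter's behaviour identifies the stack even when only an ESTABLISHED connection can pass the firewall. The script below is an added example (not a tool from this thread, and not nmap's code) written from the defender's side: it reads raw IPv4 headers from a trace, groups IP IDs by source host and classifies each host's sequence, so an administrator can find which internal machines expose a predictable counter and patch or shield them. The packets, addresses and the class names ("incremental", "incremental-byteswapped", "all-zeros", "random-positive-increments", "random") are constructed for the example; the thresholds are assumptions, loosely modelled on the classes nmap reports, and the byte-swapped case covers Windows stacks that put the counter on the wire with its bytes reversed.

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, network byte order


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def make_packet(src, dst, ip_id):
    """Construct a bare IPv4 header (no payload) for the synthetic trace below."""
    # version/IHL=0x45, TOS=0, total length=40, DF set, TTL 128, protocol TCP, checksum 0
    return struct.pack(IPV4_HDR, 0x45, 0, 40, ip_id, 0x4000, 128, 6, 0,
                       ip_to_bytes(src), ip_to_bytes(dst))


def parse_ipv4_header(raw):
    """Return (src, dst, ip_id) from a raw IPv4 header; the link-layer header must already be stripped."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack(IPV4_HDR, raw[:20])
    if fields[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    src = ".".join(str(b) for b in fields[8])
    dst = ".".join(str(b) for b in fields[9])
    return src, dst, fields[3]


def classify_ipid_sequence(ids):
    """Classify one host's IP ID sequence (simplified; thresholds are assumptions)."""
    if len(ids) < 3:
        return "insufficient-samples"
    if all(i == 0 for i in ids):
        return "all-zeros"
    # modulo 2^16 so a counter wrapping 65535 -> 0 still counts as +1
    deltas = [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]
    if all(0 < d <= 10 for d in deltas):
        return "incremental"
    # Some Windows stacks send the counter byte-swapped, so +1 appears as +256 on the wire
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    sdeltas = [(b - a) % 0x10000 for a, b in zip(swapped, swapped[1:])]
    if all(0 < d <= 10 for d in sdeltas):
        return "incremental-byteswapped"
    if all(0 < d <= 1000 for d in deltas):
        return "random-positive-increments"
    return "random"


def analyze_trace(packets):
    """Group IP IDs by source address and classify each host's sequence."""
    per_host = defaultdict(list)
    for raw in packets:
        src, _dst, ip_id = parse_ipv4_header(raw)
        per_host[src].append(ip_id)
    return {src: classify_ipid_sequence(ids) for src, ids in per_host.items()}


def predictable_hosts(report):
    """Hosts whose global IP ID counter is predictable: candidates for patching or shielding."""
    return sorted(h for h, cls in report.items() if cls.startswith("incremental"))


# Constructed trace (not a real capture): four internal hosts replying to a monitoring station.
MONITOR = "10.0.0.1"
SAMPLE_TRACE = (
    [make_packet("10.0.0.5", MONITOR, i) for i in (0x0100, 0x0200, 0x0300, 0x0400, 0x0500)]
    + [make_packet("10.0.0.6", MONITOR, i) for i in (65533, 65534, 65535, 0, 1)]
    + [make_packet("10.0.0.7", MONITOR, 0) for _ in range(5)]
    + [make_packet("10.0.0.8", MONITOR, i) for i in (0x3F2A, 0x91C4, 0x0C77, 0xE501, 0x5A8B)]
)

if __name__ == "__main__":
    report = analyze_trace(SAMPLE_TRACE)
    for host, cls in sorted(report.items()):
        print(f"{host:12} {cls}")
    print("predictable counters:", predictable_hosts(report))
```

On a real capture, strip the link-layer header before calling parse_ipv4_header (14 bytes for Ethernet) and feed only packets sourced from the hosts under review; the classification needs a handful of packets per host from one ESTABLISHED session, which is exactly the traffic a stateful firewall lets through. A host reported as "incremental" or "incremental-byteswapped" is the one whose ip.id increments reveal its presence and stack in the way the reply describes.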

