Penetration Testing mailing list archives
Re: Low Level Enumeration with ECE/CWR
From: "Don Parker" <dparker () rigelksecurity com>
Date: Fri, 27 Feb 2004 20:30:55 -0500 (EST)
Hello again Joe,

I can't say that I am aware of any really. Besides, many IDS's out there will fire off when they get packets with those fields set. You are still better off using other methods depending on what you are trying to enumerate, i.e. HTTP server, OS type and so forth.

One thing that people often don't seem to realize is that you are *much* better off using one packet only vice a torrent to enumerate a service/OS. Quite often (read: almost always) the one packet will be buried beneath a tidal wave of other stuff, and by extension is largely ignored by the IDS analyst. Same goes with always using nmap and other such tools which have signatures out for them (code your own stuff or use a packet crafter).

Anyhow, before I get sidetracked here any further I will sign off.

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
-------------------------------------------

On Feb 27, Joe <joe_nasdaq () yahoo com> wrote:

Hi,

Let me clarify/generalize here a bit.

Are there any known reconnaissance techniques or attack methods that make use of the ECE/CWR bits? To date I haven't seen anything from a penetration perspective that uses them. It might just be I haven't looked in the right places...

thanks,
Joe

Don Parker <dparker () rigelksecurity com> wrote:

Hi Joe,

I am uncertain as to what you mean by enumeration here. Do you mean that you wish to find out the target machine's operating system by using these packets? i.e. send some packets with these values enabled and then measure the returning metrics such as the mss/mtu/ttl and the such?

Cheers!

Don

On Feb 26, Joe wrote:

Hi,

I recently read "Low Level Enumeration with TCP/IP" by Randy Williams. Think it's an excellent read.

My question is, does anyone know of any enumeration techniques that use the Explicit Congestion Notification Echo (ECE) bit or the Congestion Window Reduction (CWR) bit? (see RFC-3168 for more info).

I noticed the article failed to mention these bits but many manufacturers claim support.

thanks,
Joe
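Added example, not part of the original thread or any poster's code: a monitoring-side sketch of how a sensor could tell the RFC 3168 ECN handshake (SYN with ECE+CWR, SYN-ACK with ECE only) from other uses of the ECE/CWR bits that an analyst may want to look at. The label names, the "review" heuristic and the sample segments are assumptions constructed for illustration.

```python
import struct

# TCP flag bits in byte 13 of the TCP header (RFC 793, extended by RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def make_segment(flags: int) -> bytes:
    """Build a constructed 20-byte TCP header carrying the given flags."""
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)

def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]

def classify_ecn(flags: int) -> str:
    """Label the ECE/CWR usage of one segment (labels are this example's own)."""
    ecn = flags & (ECE | CWR)
    if not ecn:
        return "no-ecn-bits"
    if flags & (RST | FIN) and flags & SYN:
        return "review"                      # contradictory flag mix
    if flags & SYN:
        if flags & ACK:
            # RFC 3168 6.1.1: ECN-setup SYN-ACK has ECE set and CWR clear.
            return "ecn-setup-syn-ack" if ecn == ECE else "review"
        # RFC 3168 6.1.1: ECN-setup SYN has both ECE and CWR set.
        return "ecn-setup-syn" if ecn == (ECE | CWR) else "review"
    if flags & ACK and not flags & RST:
        return "ecn-in-session"              # ECE echo / CWR on an open flow
    return "review"                          # ECE/CWR with no SYN or ACK

def triage(segments):
    """Return (flags, label) for every segment that is not routine."""
    routine = {"no-ecn-bits", "ecn-setup-syn", "ecn-setup-syn-ack",
               "ecn-in-session"}
    out = []
    for seg in segments:
        flags = tcp_flags(seg)
        label = classify_ecn(flags)
        if label not in routine:
            out.append((flags, label))
    return out

# Constructed sample traffic: two handshake packets, one odd SYN, one bare probe.
SAMPLES = [make_segment(f) for f in
           (SYN | ECE | CWR, SYN | ACK | ECE, SYN | ECE, ECE | CWR)]
```

Only the last two constructed segments are returned by `triage(SAMPLES)`; the first two are the normal ECN negotiation and would be noise in an alert queue.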