Penetration Testing mailing list archives

Re: Low Level Enumeration with ECE/CWR


From: "Don Parker" <dparker () rigelksecurity com>
Date: Fri, 27 Feb 2004 20:30:55 -0500 (EST)

Hello again Joe, I can't say that I am aware of any really. Besides, many IDSes out there 
will fire off when they get packets with those fields set. You are still better off 
using other methods depending on what you are trying to enumerate, i.e. HTTP server, OS 
type and so forth. 

One thing that people often don't seem to realize is that you are *much* better off 
using one packet only rather than a torrent to enumerate a service/OS. Quite often (read almost 
always) the one packet will be buried beneath a tidal wave of other stuff, and by 
extension is largely ignored by the IDS analyst. The same goes for always using nmap and 
other such tools which have signatures out for them (code your own stuff or use a packet 
crafter). Anyhow, before I get sidetracked here any further I will sign off.

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Feb 27, Joe <joe_nasdaq () yahoo com> wrote:
Hi,
 
Let me clarify/generalize here a bit.

Are there any known reconnaissance techniques or attack methods that make use of the 
ECE/CWR bits?
To date I haven't seen anything from a penetration perspective that uses them. It might 
just be I haven't looked in the right places...
 
thanks,
Joe 

Don Parker <dparker () rigelksecurity com> wrote:
Hi Joe, I am uncertain as to what you mean by enumeration here. Do you mean that you 
wish to find out the target machine's operating system by using these packets? i.e. send 
some packets with these values enabled and then measure the returning metrics such as 
the MSS/MTU/TTL and such?

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Feb 26, Joe wrote:

Hi,

I recently read "Low Level Enumeration with TCP/IP" by Randy Williams. I think it's an 
excellent read.

My question is, does anyone know of any enumeration techniques that use the Explicit 
Congestion Notification Echo (ECE) bit or the Congestion Window Reduction (CWR) bit? 
(see RFC-3168 for more info). 

I noticed the article failed to mention these bits but many manufacturers claim support.

thanks,
Joe 

---------------------------------------------------------------------------
----------------------------------------------------------------------------





---------------------------------------------------------------------------
----------------------------------------------------------------------------
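As an added example, not code from this thread or from the Williams article Joe cites: the single-packet approach Don describes, applied to the ECN handshake defined in RFC 3168 section 6.1.1. It hand-builds an ECN-setup SYN (SYN with both ECE and CWR set, valid TCP checksum) and then pulls the metrics Don mentions (TTL, window, MSS) plus the ECN negotiation result out of a SYN-ACK. Nothing is sent on the wire; the two replies are constructed inline, and the TEST-NET-1 addresses, port numbers and sequence numbers are assumptions chosen for the example.

```python
import struct

# TCP flag bits; RFC 3168 carved CWR and ECE out of the formerly reserved bits.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo(src_ip, dst_ip, length):
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, length)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window, options=b""):
    """Return a payload-less TCP segment with a correct IPv4 pseudo-header checksum."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte boundary")
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0) + options
    csum = inet_checksum(_pseudo(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_checksum_ok(src_ip, dst_ip, segment):
    return inet_checksum(_pseudo(src_ip, dst_ip, len(segment)) + segment) == 0


def build_ecn_setup_syn(src_ip, dst_ip, sport, dport, seq, mss=1460):
    """RFC 3168 s6.1.1: an ECN-setup SYN carries both ECE and CWR."""
    mss_opt = struct.pack("!BBH", 2, 4, mss)  # kind 2, length 4
    return build_tcp(src_ip, dst_ip, sport, dport, seq, 0, SYN | ECE | CWR, 65535, mss_opt)


def make_ipv4(src_ip, dst_ip, ttl, payload):
    """Minimal IPv4 header (no options) in front of a TCP segment; used to construct replies."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet):
    ver_ihl, tos, _, _, _, ttl, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto, "ecn_codepoint": tos & 0x03, "payload": packet[ihl:]}


def parse_tcp(segment):
    sport, dport, seq, ack, off_res, flags, window, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    options = segment[20:(off_res >> 4) * 4]
    mss, i = None, 0
    while i < len(options):            # walk the option list for MSS (kind 2)
        kind = options[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP
            i += 1
            continue
        length = options[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return {"sport": sport, "dport": dport, "flags": flags, "window": window, "mss": mss}


def flag_names(flags):
    bits = [("CWR", CWR), ("ECE", ECE), ("URG", URG), ("ACK", ACK),
            ("PSH", PSH), ("RST", RST), ("SYN", SYN), ("FIN", FIN)]
    return "|".join(name for name, bit in bits if flags & bit)


def classify_synack(packet):
    """What one SYN-ACK reveals: TTL, window, MSS and whether ECN was negotiated."""
    ip = parse_ipv4(packet)
    tcp = parse_tcp(ip["payload"])
    f = tcp["flags"]
    is_synack = f & (SYN | ACK) == (SYN | ACK)
    # RFC 3168 s6.1.1: the ECN-setup SYN-ACK has ECE set and CWR clear.
    ecn_capable = is_synack and bool(f & ECE) and not f & CWR
    return {"ttl": ip["ttl"], "window": tcp["window"], "mss": tcp["mss"],
            "flags": flag_names(f), "ecn_capable": ecn_capable}


# Constructed sample replies (not real captures): one ECN-capable peer, one not.
ECN_SYNACK = make_ipv4("192.0.2.10", "192.0.2.1", 64, build_tcp(
    "192.0.2.10", "192.0.2.1", 80, 40000, 1000, 1, SYN | ACK | ECE, 5840, struct.pack("!BBH", 2, 4, 1460)))
PLAIN_SYNACK = make_ipv4("192.0.2.11", "192.0.2.1", 128, build_tcp(
    "192.0.2.11", "192.0.2.1", 80, 40000, 2000, 1, SYN | ACK, 8192, struct.pack("!BBH", 2, 4, 1380)))

if __name__ == "__main__":
    probe = build_ecn_setup_syn("192.0.2.1", "192.0.2.10", 40000, 80, 0)
    print("probe flags:", flag_names(parse_tcp(probe)["flags"]))
    for reply in (ECN_SYNACK, PLAIN_SYNACK):
        print(classify_synack(reply))
```

To actually send the probe you would hand the segment to a raw socket or a packet crafter (hping, Scapy) and capture the reply yourself; the parser above does not care where the bytes came from. Note the asymmetry the code encodes: the probe sets ECE and CWR together, a conforming reply sets only ECE, and a reply with neither simply means the peer does not do ECN, which is itself one more data point alongside TTL, window and MSS.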


Current thread: