Penetration Testing mailing list archives
Re: Strange response from network
From: Mambo Dsouza <mamboz () gmail com>
Date: Wed, 15 Sep 2004 18:30:49 +0200
Try running nc in verbose mode instead of stunnel and then send the GET request. The GET request also has more options which you can use... I think instead of relying on tools, manual techniques give you a much better output which you can rely on.... There are certain cases where Nmap detected 2003 as Linux also, so don't trust blindly... and try to connect to that port using a browser also, and see what's happening, which can give you some more inputs or ideas..

Cheers
Mambo

On Wed, 15 Sep 2004 14:36:14 +0400, Shashank Rai <shashrai () emirates net ae> wrote:
Hi all,

I observed the following during a pentest I am doing:

1) A port scan of the TARGET_IP (using nmap 3.7 with -sS, -sV and OS identification) shows port 2443 open and the remaining ports as "closed".

2) Nmap fails to identify the OS but identifies the service as "Microsoft Distributed Transaction Server".

3) The interesting (and strange) part comes from here on. A tcptraceroute to port 2443 on the TARGET_IP showed RST/ACK packets coming back. To further investigate this, I started sending packets by manually increasing the ttl. I obtained the following results:

SYN packet to port 2443, ttl 7 (last but one hop from target) sends RST/ACK....

hping2 -S -V -n -c 1 -p 2443 -t 7 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes
len=46 ip=TARGET_IP ttl=249 id=40109 tos=0 iplen=40
sport=2443 flags=RA seq=0 win=0 rtt=6.3 ms
seq=80210401 ack=1098187429 sum=ec0b urp=0

--- TARGET_IP hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 6.3/6.3/6.3 ms
==========================================================================

SYN packet to port 2443, ttl 8 (TARGET IP) gives SYN/ACK .. expected response.......

hping2 -S -V -n -c 1 -p 2443 -t 8 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes
len=46 ip=TARGET_IP ttl=122 id=16401 tos=0 iplen=44
sport=2443 flags=SA seq=0 win=16384 rtt=6.1 ms
seq=416937317 ack=1244107777 sum=61fe urp=0

--- TARGET_IP hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 6.1/6.1/6.1 ms
===========================================================================

SYN packet to port 25 (closed port), ttl 7, and there is NO response....

hping2 -S -V -n -c 1 -p 25 -t 7 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes

--- TARGET_IP hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
===========================================================================

SYN packet to port 25, ttl 8 ... NO RESPONSE.

hping2 -S -V -n -c 1 -p 25 -t 8 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes

--- TARGET_IP hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
===========================================================================

Also note that the packets with ttl 7 still come back with the TARGET IP, implying that the remote system is spoofing the IP. Even the difference in ttl and IPID of the incoming packets indicates that different systems are sending the response.

My questions:

a) Any idea what kind of filtering system this can be?
b) Is it possible to determine the IP of the 7th HOP?

The nature of the service I am testing requires users to connect using a client certificate. I connect to port 2443 using stunnel and the client certificate supplied to me for the test. Now I send a GET / HTTP/1.0 request. The response that comes back is HTTP 403 and the server string is "Apache-Coyote/1.1" .... in contradiction to what nmap detected as a service. Any clues as to what is *Really* running on port 2443? Amap returns nothing :(

TIA
cheers,
--
shashank

<-- Here is the Packet that was fragmented and has been assembled again. (with apologies to JRR Tolkien :) -->

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
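The reasoning in the quoted post (a RST/ACK arriving for a probe that expired one hop short of the target, with a reply TTL that looks decremented from 255 rather than from 128) can be checked mechanically rather than by eye. The following is an added example, not code from either poster: a small Python analyser that takes hping2-style reply lines, infers each responder's likely initial TTL, and flags replies to probes whose TTL is below the hop distance that the SYN/ACK proves. The sample probe set is constructed from the values in the post (TARGET_IP, the IPIDs and RTTs are copied from it, not captured from a live host); the field names, the `COMMON_INITIAL_TTLS` table and the `analyse()` result keys are my own assumptions, not an hping2 feature.

```python
import re

# Constructed sample, modelled on the hping2 output in the post: for each
# (port, probe TTL) pair, the reply line hping2 printed, or None where it
# reported 100% packet loss. Values are copied from the post, not captured.
SAMPLE_PROBES = [
    {"port": 2443, "probe_ttl": 7,
     "reply": "len=46 ip=TARGET_IP ttl=249 id=40109 tos=0 iplen=40 "
              "sport=2443 flags=RA seq=0 win=0 rtt=6.3 ms"},
    {"port": 2443, "probe_ttl": 8,
     "reply": "len=46 ip=TARGET_IP ttl=122 id=16401 tos=0 iplen=44 "
              "sport=2443 flags=SA seq=0 win=16384 rtt=6.1 ms"},
    {"port": 25, "probe_ttl": 7, "reply": None},
    {"port": 25, "probe_ttl": 8, "reply": None},
]

# The fields of an hping2 reply line that this analysis needs.
REPLY_RE = re.compile(
    r"ip=(?P<ip>\S+)\s+ttl=(?P<ttl>\d+)\s+id=(?P<ipid>\d+).*?"
    r"sport=(?P<sport>\d+)\s+flags=(?P<flags>[A-Z]+)"
)

# Initial TTLs used by most IP stacks (assumption for this example):
# 64 for Linux/BSD, 128 for Windows, 255 for many routers, firewalls and Solaris.
COMMON_INITIAL_TTLS = (64, 128, 255)


def parse_reply(line: str) -> dict:
    """Extract source IP, TTL, IPID, source port and TCP flags from one reply line."""
    m = REPLY_RE.search(line)
    if m is None:
        raise ValueError(f"not an hping2 reply line: {line!r}")
    return {
        "ip": m.group("ip"),
        "ttl": int(m.group("ttl")),
        "ipid": int(m.group("ipid")),
        "sport": int(m.group("sport")),
        "flags": m.group("flags"),
    }


def infer_initial_ttl(observed_ttl: int) -> int:
    """Smallest common initial TTL the observed value could have been decremented from."""
    for candidate in COMMON_INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    raise ValueError(f"TTL {observed_ttl} exceeds 255")


def analyse(probes: list) -> dict:
    """Correlate each reply with the TTL of the probe that elicited it.

    A SYN/ACK proves the probe reached the real listener, so the smallest probe
    TTL answered with SYN/ACK is the target's hop distance. A reply to a probe
    with a smaller TTL cannot have come from that host: the probe expired
    earlier, yet something answered using the target's address, which is what
    an inline filtering device does. Differing inferred initial TTLs across the
    replies corroborate that more than one IP stack is answering.
    """
    replies = []
    for probe in probes:
        if probe["reply"] is None:
            continue  # 100% packet loss: the probe was silently dropped
        r = parse_reply(probe["reply"])
        r["port"] = probe["port"]
        r["probe_ttl"] = probe["probe_ttl"]
        r["initial_ttl"] = infer_initial_ttl(r["ttl"])
        r["hops_back"] = r["initial_ttl"] - r["ttl"]
        replies.append(r)

    syn_ack_ttls = [r["probe_ttl"] for r in replies if r["flags"] == "SA"]
    target_distance = min(syn_ack_ttls) if syn_ack_ttls else None

    spoofed = []
    if target_distance is not None:
        spoofed = [r for r in replies if r["probe_ttl"] < target_distance]

    return {
        "target_distance": target_distance,
        "distinct_initial_ttls": sorted({r["initial_ttl"] for r in replies}),
        "replies": replies,
        "replies_from_intermediate_device": spoofed,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_PROBES)
    print(f"target is {result['target_distance']} hops away")
    print(f"initial TTLs seen in replies: {result['distinct_initial_ttls']}")
    for r in result["replies_from_intermediate_device"]:
        print(f"probe ttl={r['probe_ttl']} port={r['port']} answered {r['flags']} "
              f"by a stack with initial TTL {r['initial_ttl']} "
              f"({r['hops_back']} hops back)")
```

On the post's numbers this reports the target 8 hops away, two distinct initial TTLs (128 and 255) in the replies, and the ttl-7 RST/ACK as the one answer that the real listener could not have sent. The same correlation is worth running from the defending side: a firewall or load balancer that resets on behalf of a protected host with its own TTL and IPID signature is exactly this fingerprint, and seeing it in your own perimeter tells you what an external scan reveals about the device in front of the server.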
Current thread:
- Strange response from network Shashank Rai (Sep 15)
- Re: Strange response from network Ben Timby (Sep 15)
- Re: Strange response from network David Coppa (Sep 16)
- Re: Strange response from network Mambo Dsouza (Sep 16)
- Re: Strange response from network Martin Mačok (Sep 16)
- <Possible follow-ups>
- Re: Strange response from network shashrai (Sep 16)
- Re: Strange response from network shashrai (Sep 16)
- Re: Strange response from network Ben Timby (Sep 15)