Bugtraq mailing list archives

Re: ZoneAlarm


From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 26 Apr 2000 02:50:33 -0700


On Mon, 24 Apr 2000, Alfred Huger wrote:
> Additionally, using nmap's -f flag allows you to send traffic past
> ZoneAlarm without any alerts.
>
> I set up a copy on a local machine here and while I found that source port
> scans from 67 slipped past the firewall, -f seemed to be alerted on just
> fine. Can anyone else comment on this?

Hi Al,

I get the same results you did; ZoneAlarm 2.1.10 alerts on a fragmented
SYN scan, but does not make any noise when the source port is set to 67.

# nmap -sS -p 139 -v -f -P0 victim.example.com
Initiating SYN half-open stealth scan against victim.example.com
(23.23.23.23)

  04/26-02:11:52.260668 attacker -> 23.23.23.23
  TCP TTL:61 TOS:0x0 ID:15452  MF
  Frag Offset: 0x0   Frag Size: 0x10
  BC 49 00 8B 4D 4B C7 11 00 00 00 00 50 02 08 00  .I..MK......P...

  04/26-02:11:52.260745 attacker -> 23.23.23.23
  TCP TTL:61 TOS:0x0 ID:15452
  Frag Offset: 0x2   Frag Size: 0x4
  CA 49 00 00                                      .I..

ZoneAlarm reports
"The firewall has blocked Internet access to your computer (NetBIOS
Session) from attacker.example.com (TCP Port 3133)."

When I add the option for source port 67 (-g 67) ZoneAlarm does not alert
- however, the packets do not seem to be delivered either (no RST nor
SYN+ACK).

Now if you remove fragmentation from the picture, it looks like you can
use source porting (67 anyway) to circumvent the ZoneAlarm software.

# nc -p 67 victim.example.com 21
220 Serv-U FTP-Server v2.5e for WinSock ready...
quit

Without the bootp source port this connection is dropped and an alert is
generated.

Max
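
Detection logic a host-firewall or IDS operator could run against a packet log to catch the two behaviours discussed in this thread, added here as an example (not ZoneAlarm's, nmap's or the poster's code). The log format, hostnames and addresses are constructed, and the check generalizes beyond port 67 to the other service ports (DNS 53, FTP-data 20) that the same source-port trick commonly uses.

```python
import re

# Service ports that over-trusting firewall rules often allow as a *source* port.
# The post shows BOOTP (67) slipping past ZoneAlarm; DNS and FTP-data are the
# other classic choices for the same trick, so the check generalizes to them.
TRUSTED_SRC_PORTS = {20: "ftp-data", 53: "dns", 67: "bootps"}
MIN_TCP_HEADER = 20  # bytes; the nmap -f first fragment in the post carries only 16

# Constructed log format (hypothetical, not ZoneAlarm's or nmap's), one packet per line:
#   <time> <proto> <src>:<sport> -> <dst>:<dport> <flags> [frag off=<n> size=<n> mf=<0|1>]
LINE_RE = re.compile(
    r"(?P<time>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)"
    r"(?: frag off=(?P<off>\d+) size=(?P<size>\d+) mf=(?P<mf>[01]))?$"
)

def check_packet(line: str) -> list:
    """Return the evasion indicators found in one log line (empty list if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    proto, flags, sport, dport = m["proto"], m["flags"], int(m["sport"]), int(m["dport"])
    findings = []
    name = TRUSTED_SRC_PORTS.get(sport)
    if name and proto == "TCP" and flags == "S":
        # A bare SYN *from* 67/53/20 opens a new connection into the host; no real
        # BOOTP/DNS/FTP-data server does that. This is the post's nc -p 67 pattern.
        findings.append(f"src-port-evasion:{name}")
    elif sport == 67 and proto == "UDP" and dport not in (67, 68):
        findings.append("src-port-evasion:bootps")  # genuine DHCP stays on 67<->68
    if proto == "TCP" and m["off"] == "0" and m["mf"] == "1" and int(m["size"]) < MIN_TCP_HEADER:
        # First fragment too small for a full TCP header: ports/flags are split
        # across fragments, exactly the nmap -f trace shown in the post.
        findings.append(f"tiny-fragment:{m['size']}")
    return findings

def scan_log(lines: list) -> list:
    """Run check_packet over a whole log, returning (time, indicator) pairs."""
    return [(line.split(" ", 1)[0], f) for line in lines for f in check_packet(line)]

# Constructed sample traffic modelled on the post (scanner 198.51.100.9 -> 23.23.23.23).
SAMPLE_LOG = [
    "04/26-02:11:52 TCP 198.51.100.9:3133 -> 23.23.23.23:139 S frag off=0 size=16 mf=1",
    "04/26-02:11:52 TCP 198.51.100.9:3133 -> 23.23.23.23:139 - frag off=2 size=4 mf=0",
    "04/26-02:12:10 TCP 198.51.100.9:67 -> 23.23.23.23:21 S",      # the nc -p 67 session
    "04/26-02:12:30 UDP 10.0.0.1:67 -> 10.0.0.20:68 -",             # genuine DHCP offer
    "04/26-02:13:00 TCP 198.51.100.9:40000 -> 23.23.23.23:139 S",  # ordinary SYN, alerted anyway
]
```

Only first fragments are judged here; a production detector would reassemble fragments before inspecting ports and flags.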
