Bugtraq mailing list archives
Re: Weak TCP Sequence Numbers in Sonicwall SOHO Firewall
From: Barney Wolff <barney () databus com>
Date: Wed, 25 Jul 2001 21:47:32 -0400
You're nmap'ing from inside, right? Nobody from outside should be able to connect to the Sonicwall at all. Sequence numbers for connections *across* the NAT depend on the endpoint hosts, not the NAT box. So this is a risk only if you have enemies already inside your house. Barney Wolff On Wed, Jul 25, 2001 at 05:17:28PM -0600, Dan Ferris wrote:
This may not seem bad, but to me it seems that this defeats the point of NAT if somebody can steal your sessions. Note the section on TCP sequence prediction. This was a Sonicwall SOHO firewall. ======= Host (192.168.1.254) appears to be up ... good. Initiating SYN half-open stealth scan against (192.168.1.254) Adding TCP port 80 (state open). The SYN scan took 8 seconds to scan 1523 ports. For OSScan assuming that port 80 is open and port 1 is closed and neither are firewalled Interesting ports on (192.168.1.254): (The 1518 ports scanned but not shown below are in state: closed) Port State Service 23/tcp filtered telnet 67/tcp filtered bootps 80/tcp open http 137/tcp filtered netbios-ns 514/tcp filtered shell TCP Sequence Prediction: Class=64K rule Difficulty=1 (Trivial joke)
Current thread:
- Weak TCP Sequence Numbers in Sonicwall SOHO Firewall Dan Ferris (Jul 25)
- Re: Weak TCP Sequence Numbers in Sonicwall SOHO Firewall Barney Wolff (Jul 26)
- Re: Weak TCP Sequence Numbers in Sonicwall SOHO Firewall John Duksta (Jul 26)
- <Possible follow-ups>
- Re: Weak TCP Sequence Numbers in Sonicwall SOHO Firewall Evan Pierce (Jul 26)