Firewall Wizards mailing list archives
Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port
From: L Cubed <lllcubed () gmail com>
Date: Fri, 14 Jan 2005 11:38:08 -0600
Responses below
On Wed, 12 Jan 2005 11:28:02 +0100, Martin Mačok <martin.macok () underground cz> wrote:
On Tue, Jan 11, 2005 at 11:18:09AM -0600, L Cubed wrote:
snip, snip, snip
% hping2 -S -A -c 1 -p <open_tcp_port> <pix>
^^^^^
My quick (initial) test to get you some feedback targeted the pix, not an address past the pix, which is what was requested. There was nothing to block a SYN+ACK response between the test machine and the pix. I agree that targeting a host address protected by the pix returns a response, but it is a RST+ACK in my version and configuration.
Answer is: A Cisco PIX Firewall Version 6.1(4)
Did you really run it against open tcp port? (ie. the one you get (D) when sending just "-S" packet?) Is it default configuration of PIX or is there something changed/turned on/off?
Since we are talking about this in the context of pentesting, I'll share a bit more, since it looks like there are some differences, and they may be attributed to configuration. Unfortunately, I don't currently have a test box where I can vet some of this, so I try to limit speculation to a minimum. The firewall tested against is still using conduits, not ACLs. This *could* explain the difference. ACL conversion is scheduled.
On Tue, Jan 11, 2005 at 12:10:05PM -0600, L Cubed wrote:
snip, snip, snip
This way, you were not sending the packet to a UDP port but to the TCP port 500 and you are getting TCP response RST+ACK (=> closed TCP port).
agreed, my bad.
JFYI, other two responses I received off-list confirm SYN+ACK -> SYN+ACK behaviour. I'm going to contact Cisco soon...
While conduits are on the way out, you might ask Cisco about this and see what they say...
Thank you
You are welcome.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards