Full Disclosure mailing list archives
RE: RE: Attack profiling tool?
From: "Gareth Blades" <list.fulldisclosure () webscreen-technology com>
Date: Fri, 11 Jul 2003 19:22:51 +0100
-----Original Message-----
From: Dimitris Chontzopoulos [mailto:dchontzo () abc gr]
Sent: 11 July 2003 17:37
To: 'Gareth Blades'
Subject: RE: [Full-disclosure] RE: Attack profiling tool?

I am not trying to start a technical debate over things here, but, AFAIK you shouldn't blame the product (FW-1) if the reseller wasn't able to configure it ;-)
Very true but we did install it ourselves and go through all the options and configure everything which would help the defence. This was a few months ago and I believe there has been a new version since then. I wasn't involved with the testing myself so I cannot say what the exact configuration was.
<Yes we are limiting the number of connections but we are doing it selectively by not allowing the attacker to make new connections but allowing everyone else to...> You can also do that with FW-1, not to mention "Smart Defense" and "Application Intelligence" that give the product a great push so as to not be thought of as a common "Stateful Packet Inspection Technology Firewall" ;-) But this is another issue, clearly not belonging in this list ;-)
What version were these options available in? Are they additional license or software options? It would be interesting to see how well they work.
<The particular machine is a demo server so anyone may connect...> Maybe it is but when I tried to connect I was prompted for a username/password... This is where my "lucky guessing" regarding "Brute Force" was made.
There is a form on our website where people request access to the box and are emailed the password straight away. You weren't to know this though.
<They are TCP connections and as the client is completing the handshake they cannot be spoofing the source address. If the source address was spoofed then they would not get the SYN-ACK packet which they reply to, to complete the connection...> Who said anything about a three-way TCP handshake session? I am merely saying that the attacker CAN spoof other IP Addresses by sending SYN packets without expecting a SYN/ACK. Isn't that possible? I think so.
Sorry I assumed you had looked at the packet capture URL I originally posted which shows the TCP handshake session being established.
<I don't think they are trying to brute force the console as once the TCP connection is established there is no further data transfer until they close the connections.> This is why I mentioned "PortFuck". Download it from astalavista.box.sk and give it a try (you should disable your AV though because it is recognized as a "BAD tool"). Then all you have to do is tell "PortFuck" to connect to the IP Address attacked, open lots-lots-lots of connections to port 443 and you can have your favorite "Sniffer" or Webgear capturing. Then all you have to do is examine the data pattern from "PortFuck" against the data pattern you already have.
Thanks I will have a look at that when I get in Monday.
Cheers, Dimitris. P.S. Don't take it personally, I am just trying to justify what I say.
No offense taken

Regards
Gareth

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
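The exchange above turns on one distinction: a flood of bare SYNs can carry spoofed source addresses, whereas a client that answers the server's SYN-ACK and completes the handshake must be receiving packets for that address (blind spoofing is ruled out; an on-path attacker is the remaining caveat). Gareth's capture showed the second pattern, with handshakes completed and no data sent, which is also the pattern a tool that simply opens many idle connections would produce. The script below is an added example, not code from the thread or from either poster: it replays a constructed packet list (the tuple layout, the addresses and the idle-connection threshold are all assumptions) through a small flow tracker, labels each source as half-open-only, idle-established or active, and applies the selective rule Gareth describes of refusing new connections only from the exhausting source.

```python
"""Classify per-source TCP behaviour from a packet list (added example).

Packet records are constructed here to stand in for a pcap; the tuple
format (src, sport, dst, dport, tcp_flags, payload_len) is an assumption.
"""
from collections import defaultdict

SERVER = "192.0.2.10"   # assumed address of the demo server under attack
PORT = 443

# Constructed sample capture (not from the original post):
#   10.0.0.5 completes two handshakes and then sends nothing (idle connections)
#   10.0.0.9 sends only SYNs and never ACKs the SYN-ACK (spoofable source)
#   10.0.0.7 is a normal client: handshake followed by request data
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, SERVER, PORT, "S", 0),
    (SERVER, PORT, "10.0.0.5", 40001, "SA", 0),
    ("10.0.0.5", 40001, SERVER, PORT, "A", 0),
    ("10.0.0.5", 40002, SERVER, PORT, "S", 0),
    (SERVER, PORT, "10.0.0.5", 40002, "SA", 0),
    ("10.0.0.5", 40002, SERVER, PORT, "A", 0),
    ("10.0.0.5", 40001, SERVER, PORT, "FA", 0),
    ("10.0.0.9", 51000, SERVER, PORT, "S", 0),
    ("10.0.0.9", 51001, SERVER, PORT, "S", 0),
    (SERVER, PORT, "10.0.0.9", 51000, "SA", 0),
    ("10.0.0.7", 60000, SERVER, PORT, "S", 0),
    (SERVER, PORT, "10.0.0.7", 60000, "SA", 0),
    ("10.0.0.7", 60000, SERVER, PORT, "A", 0),
    ("10.0.0.7", 60000, SERVER, PORT, "PA", 517),
]


def track_flows(packets, server, port):
    """Return {(client, cport): {"state": ..., "bytes": n}} for flows to server:port.

    States: syn_sent -> synack_seen -> established. Payload bytes are only
    counted once the three-way handshake has completed.
    """
    flows = {}
    for src, sport, dst, dport, flags, plen in packets:
        if dst == server and dport == port:            # client -> server
            f = flows.setdefault((src, sport), {"state": "none", "bytes": 0})
            if "S" in flags and "A" not in flags:
                f["state"] = "syn_sent"
            elif f["state"] == "synack_seen" and "A" in flags:
                f["state"] = "established"             # third packet of the handshake
            if f["state"] == "established":
                f["bytes"] += plen
        elif src == server and sport == port:          # server -> client
            f = flows.get((dst, dport))
            if f and f["state"] == "syn_sent" and "S" in flags and "A" in flags:
                f["state"] = "synack_seen"
    return flows


def summarize_sources(flows):
    """Count half-open, idle-established and active flows per client address."""
    summary = defaultdict(lambda: {"half_open": 0, "idle_established": 0, "active": 0})
    for (client, _cport), f in flows.items():
        s = summary[client]
        if f["state"] != "established":
            s["half_open"] += 1                        # SYN-ACK never acknowledged
        elif f["bytes"] == 0:
            s["idle_established"] += 1                 # handshake done, no data (the thread's pattern)
        else:
            s["active"] += 1
    return dict(summary)


def classify(stats, idle_threshold=2):
    """Label a source. idle_threshold is an assumed tuning knob."""
    if stats["idle_established"] >= idle_threshold and stats["active"] == 0:
        return "connection exhaustion from a real (non-spoofed) source"
    if stats["half_open"] > 0 and stats["idle_established"] == 0 and stats["active"] == 0:
        return "half-open SYNs only: source address may be spoofed"
    return "normal"


def new_connection_allowed(src, summary, idle_threshold=2):
    """Selective limit: refuse new connections only from an exhausting source."""
    stats = summary.get(src)
    if stats is None:
        return True
    return not classify(stats, idle_threshold).startswith("connection exhaustion")


if __name__ == "__main__":
    flows = track_flows(SAMPLE_PACKETS, SERVER, PORT)
    for src, stats in sorted(summarize_sources(flows).items()):
        print(src, stats, "->", classify(stats))
```

Because the half-open counter only reflects SYNs whose SYN-ACK went unanswered, a blind-spoofing flood and a client behind a lossy link look the same to it; the idle-established counter is the one that supports Gareth's point that the source in his capture was reachable.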