RE: RE: Attack profiling tool?

["Gareth Blades" <list.fulldisclosure () webscreen-technology com>]

> -----Original Message-----
> From: Dimitris Chontzopoulos [mailto:dchontzo () abc gr]
> Sent: 11 July 2003 17:37
> To: 'Gareth Blades'
> Subject: RE: [Full-disclosure] RE: Attack profiling tool?
>
>
> I am not trying to start a technical debate over things here, but, AFAIK
> you shouldn't blame the product (FW-1) if the reseller wasn't able to
> configure it ;-)

Very true but we did install it ourselves and go through all the options and
configure everything which would help the defence. This was a few months ago
and I believe there has been a new version since then. I wasn't involved
with the testing myself so I cannot say what the exact configuration was.

> <Yes we are limiting the number of connections but we are doing it
> selectivly by not allowing the attacker to make new connections but
> allowing everyone else to...>
>
> You can also do that with FW-1, not to mention "Smart Defense" and
> "Application Inteligence" that give the product a great push so as to
> not be thought as a common "Stateful Packet Inspection Technology
> Firewall" ;-) But this is another issue, clearly not belonging in this
> list ;-)

What version where these options available in?
Are they additional license or software options?
It would be interesting to see how well they work.

> <The particular machine is a demo server so anyone may connect...>
>
> Maybe it is but when I tried to connect I was prompted for a
> username/password... This is where my "lucky guessing" regarding "Brute
> Force" was made.

There is form on our website where people request access to the box and are
emailed the password straight away. You wern't to know this though.

> <They are TCP connections and as the client is completing the handshake
> they cannot be spoofing the source address. If the source address was
> spoofed then they would not get the SYN-ACK packet which they reply to,
> to complete the connection...>
>
> Who said anything about a three-way TCP handshake session? I am merely
> saying that the attacker CAN spoof other IP Addresses by sending SYN
> packets without expecting a SYN/ACK. Isn't that possible? I think so.

Sorry I assumed you had looked at the packet capture URL I originally posted
which shows the TCP handshake session being established.

> <I don't think they are trying to brute force the console as once the
> TCP connection is established there is no furthur data transfer until
> they close the connections.>
>
> This is why I mentioned "PortFuck". Download it from astalavista.box.sk
> and give it a try (you should disable your AV though because it is
> recognized as a "BAD tool"). Then all you have to do is tell "PortFuck"
> to connect to the IP Address attacked, open lots-lots-lots of
> connections to port 443 and you can have your favorite "Sniffer" or
> Webgear capturing. Then all you have to do is examine the data pattern
> from "PortFuck" against the data pattern you allready have.

Thanks I will have a look at that when I get in Monday.

> Cheers,
>
> Dimitris.
>
> P.S. Don't take it personaly, I am just trying to justify what I say.

No offense taken

Regards
Gareth




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html