Nmap Announce mailing list archives
RE: firewalk meets nmap - TTL (tested)
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Fri, 3 Nov 2000 18:24:58 +0200
In Blackhat 2K in Amsterdam I was talking about the ability to identify
the
Operating System one firewall might run on top because of the ICMP error messages it might generate /
or
spoofed answers the firewall generates instead of its protected machines.
Very cool idea. This hack will not only map your firewall rulebase, but your firewall OS type :)
If you have a trace I would like to have a look :P
Sure, below is the technique and traces from a test. The firewall is CheckPoint FW-1 ver 4.1 SP2 on Solaris 2.7 (Ultra 5). The port 5190 TCP and port 5190 UDP are NOT filtered by the firewall. I scanned a system behind the firewall on each port with hping2, TTL set to 1 (I am 1 hop away from the firewall). Note how the firewall responds, and not the system behind the firewall I was scanning.
mozart #hping2 -c 1 -t 1 -s 53 -p 5190 -S victim eth0 default routing interface selected (according to /proc) HPING victim (eth0 172.16.1.107): S set, 40 headers + 0 data bytes TTL 0 during transit from 192.168.1.254 (firewall.example.net)
Now the packet traces (just for Ofir)
Thank you :)
-*> Snort! <*- Version 1.6.3 By Martin Roesch (roesch () clark net, www.snort.org) 11/03-09:10:36.563267 192.168.1.10:53 -> 172.16.1.107:5190 TCP TTL:1 TOS:0x0 ID:36962 **S***** Seq: 0x53C8F31C Ack: 0x1A37A627 Win: 0x200
11/03-09:10:36.564040 192.168.1.254 -> 192.168.1.10 ICMP TTL:255 TOS:0x0 ID:31007 DF TTL EXCEEDED 00 00 00 00 45 00 00 28 90 62 00 00 00 06 BB 40 ....E..(.b.....@ C0 A8 01 0A AC 10 01 6B 00 35 14 46 53 C8 F3 1C .......k.5.FS... 1A 37 A6 27 50 02 02 00 22 F6 00 00 .7.'P..."...
The Offending Packet: IP Version=4 Header Length=5 TOS = 00 16 bit total Length=00 28 16 bit Identification=90 00 3flags+13-bit frag.=00 00 TTL=06 Protocol=BB 40 Source IP Address=C0 A8 01 0A Destination IP Address=AC 10 01 6B Source Port=00 35 Destination Port=14 46 Sequence Number=53 C8 F3 1C Acknowledgment Number=1A 37 A6 27 50 02 02 00 Checksum=22 F6 Urgent Pointer=00 00 28 bytes were echoed back.
Thoughts?
This is exactly what I was talking about. If you look closely than: - DF bit is set with the ICMP Time Exceeded Error Message (SUN/HPUX11.x). It was not set with the request so we are not dealing with echoing issue here. - TTL used 255 (UNIX / UNIX-Like OS) - Quoting Size - Bigger than the first 8 bytes of data portion of the offending packet. In fact it quoted all the TCP packet (SUN/LINUX) - ICMP Echoing Integrity - The quote is OK. Sun Solaris do this OK. LINUX play with some parameters. So is it a Linux or Solaris? If you look at the possibilities you understand this is a Solaris. But lets play more. Since Linux set the Precedence field to 0x6 with its ICMP error messages we are left with Solaris. We can even go to www.checkpoint.com and look for the platform the firewall run on top. Solaris / NT. I think the point is now clear and understood :) Lance, we should automate this somehow. This is a cool thing. But again correct configuration will prevent this from happening. Ofir Arkin [ofir () itcon-ltd com] Senior Security Analyst Chief of Grey Hats ITcon, Israel. http://www.itcon-ltd.com Personal Web page: http://www.sys-security.com "Opinions expressed do not necessarily represent the views of my employer." -------------------------------------------------- For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
Current thread:
- firewalk meets nmap - TTL Lance Spitzner (Nov 03)
- RE: firewalk meets nmap - TTL Ofir Arkin (Nov 03)
- RE: firewalk meets nmap - TTL (tested) Lance Spitzner (Nov 04)
- RE: firewalk meets nmap - TTL (tested) Ofir Arkin (Nov 04)
- RE: firewalk meets nmap - TTL (tested) Lance Spitzner (Nov 04)
- Re: firewalk meets nmap - TTL Fyodor (Nov 05)
- Re: firewalk meets nmap - TTL Mikael Olsson (Nov 08)
- RE: firewalk meets nmap - TTL Ofir Arkin (Nov 03)