Nmap Announce mailing list archives
Re: [fw-wiz] TTL, works with Cisco ACL's to :)
From: Lance Spitzner <lance () spitzner net>
Date: Tue, 7 Nov 2000 20:32:28 -0600 (CST)
On Wed, 8 Nov 2000, Alex Goldney wrote:
Lance, could you post the ACL of the router as well please? I'll run a check myself as well, it will be interesting to know if it is a function of the router irregardless of the ACL configuration.
Sure, keep in mind, this router is internal, so the IP addressing is RFC 1918. The filtering happens on the external interface, Eth0. interface Ethernet0 ip address 10.1.1.1 255.255.255.0 ip access-group 125 in no ip unreachables no ip directed-broadcast no cdp enable router#show ip access-list 125 Extended IP access list 125 deny tcp any any eq 5000 (3 matches) deny udp any any eq 5000 (2 match) permit ip any any (8949 matches) ACL 125 allows ANYTHING inbound except port 5000. So, I send any packet I want to test what happens when a packet is NOT filtered. I then sent packets to port 5000 to test what happens when a packet is fitlered. This is a production router, so I am limited to what I can block/filter :) hope that helps lance
Recently I posted about setting TTL's on a scanner (such as nmap) to map unfiltered ports on a firewall. Proof of concept was done on CheckPoint FW-1 4.1 SP2. Fyodor asked me to check out some other systems, so I obliged. I have access to a Cisco 2514 with IOS 12.0(7). The method worked like a champ. As standard security procedure, I set the router interface with "no ip unreachables" however this had no effect (which I expected). Below I probed the system 'victim7' to determine which ports are open. For this example, I probe port 5100 to see if it is unfiltered. See diagram below: Me ---> FW-1 ---> Cisco --> victim7 Both the Firewall and router allow port 5100 through. I use hping2 to set the TTL and determine the port is open. TTL set for firewall (TTL of 1) ------------------------------- marge #hping2 -S -c 1 -t 1 -p 5100 victim7 eth0 default routing interface selected (according to /proc) HPING victim7 (eth0 172.16.1.107): S set, 40 headers + 0 data bytes TTL 0 during transit from 192.168.1.254 (firewall) marge #hping2 -2 -S -c 1 -t 1 -p 5100 victim7 eth0 default routing interface selected (according to /proc) HPING victim7 (eth0 172.16.1.107): udp mode set, 28 headers + 0 data bytes TTL 0 during transit from 192.168.1.254 (firewall) TTL set for router (TTL of 2) ------------------------------ marge #hping2 -S -c 1 -t 2 -p 5100 victim7 eth0 default routing interface selected (according to /proc) HPING victim7 (eth0 172.16.1.107): S set, 40 headers + 0 data bytes TTL 0 during transit from 10.1.1.1 (router) marge #hping2 -2 -S -c 1 -t 2 -p 5100 victim7 eth0 default routing interface selected (according to /proc) HPING victim7 (eth0 172.16.1.107): udp mode set, 28 headers + 0 data bytes TTL 0 during transit from 10.1.1.1 (router) I would say that CheckPoint and Cisco ACLs account for a VERY large percentage of filtering that happens on the net :) Oh, and before the hardcore geeks ask, here are the ICMP traces :) -*> Snort! <*- Version 1.6.3 By Martin Roesch (roesch () clark net, www.snort.org) 11/06-20:44:27.424173 192.168.1.254 -> 192.168.1.10 ICMP TTL:255 TOS:0x0 ID:10529 DF TTL EXCEEDED 00 00 00 00 45 00 00 28 03 B9 00 00 00 06 47 EA ....E..(......G. C0 A8 01 0A AC 10 01 6B 07 D2 13 EC 57 60 8A CA .......k....W`.. 7C 1F 01 96 50 02 02 00 C3 16 00 00 |...P....... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/06-20:44:30.597322 10.1.1.1 -> 192.168.1.10 ICMP TTL:254 TOS:0xC0 ID:499 TTL EXCEEDED 00 00 00 00 45 00 00 28 6D 2C 00 00 01 06 DD 76 ....E..(m,.....v C0 A8 01 0A AC 10 01 6B 05 CF 13 EC 75 97 8D 81 .......k....u... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/06-20:44:36.393898 192.168.1.254 -> 192.168.1.10 ICMP TTL:255 TOS:0x0 ID:10530 DF TTL EXCEEDED 00 00 00 00 45 00 00 1C B4 31 00 00 00 11 97 72 ....E....1.....r C0 A8 01 0A AC 10 01 6B 05 ED 13 EC 00 08 76 D7 .......k......v. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/06-20:44:40.029069 10.1.1.1 -> 192.168.1.10 ICMP TTL:254 TOS:0xC0 ID:500 TTL EXCEEDED 00 00 00 00 45 00 00 1C 15 F5 00 00 01 11 34 AF ....E.........4. C0 A8 01 0A AC 10 01 6B 09 8C 13 EC 00 08 73 38 .......k......s8 -- Lance Spitzner http://www.enteract.com/~lspitz _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
-- Lance Spitzner http://www.enteract.com/~lspitz -------------------------------------------------- For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
Current thread:
- Re: [fw-wiz] TTL, works with Cisco ACL's to :) Lance Spitzner (Nov 08)