Nmap Announce mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [fw-wiz] TTL, works with Cisco ACL's to :)

From: Lance Spitzner <lance () spitzner net>
Date: Tue, 7 Nov 2000 20:32:28 -0600 (CST)
On Wed, 8 Nov 2000, Alex Goldney wrote:


Lance,
                could you post the ACL of the router as well please?  I'll
run a check myself as well, it will be interesting to know if it is a
function of the router irregardless of the ACL configuration.


Sure, keep in mind, this router is internal, so the IP addressing
is RFC 1918.  The filtering happens on the external interface, Eth0.

interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 125 in
 no ip unreachables
 no ip directed-broadcast
 no cdp enable

router#show ip access-list 125
Extended IP access list 125
    deny tcp any any eq 5000 (3 matches)
    deny udp any any eq 5000 (2 match)
    permit ip any any (8949 matches)

ACL 125 allows ANYTHING inbound except port 5000.  So, I send any
packet I want to test what happens when a packet is NOT filtered.
I then sent packets to port 5000 to test what happens when a packet
is fitlered.  This is a production router, so I am limited to what
I can block/filter :)

hope that helps

lance


Recently I posted about setting TTL's on a scanner
(such as nmap) to map unfiltered ports on a firewall.
Proof of concept was done on CheckPoint FW-1 4.1 SP2.
Fyodor asked me to check out some other systems, so
I obliged.

I have access to a Cisco 2514 with IOS 12.0(7).  The
method worked like a champ.  As standard security
procedure, I set the router interface with
"no ip unreachables" however this had no effect
(which I expected).


Below I probed the system 'victim7' to determine which
ports are open.  For this example, I probe port 5100
to see if it is unfiltered.  See diagram below:

 Me --->  FW-1 ---> Cisco --> victim7

Both the Firewall and router allow port 5100 through.
I use hping2 to set the TTL and determine the port is open.

TTL set for firewall (TTL of 1)
-------------------------------
marge #hping2 -S -c 1 -t 1 -p 5100 victim7
eth0 default routing interface selected (according to /proc)
HPING victim7 (eth0 172.16.1.107): S set, 40 headers + 0 data bytes
TTL 0 during transit from 192.168.1.254  (firewall)

marge #hping2 -2 -S -c 1 -t 1 -p 5100 victim7
eth0 default routing interface selected (according to /proc)
HPING victim7 (eth0 172.16.1.107): udp mode set, 28 headers + 0 data bytes
TTL 0 during transit from 192.168.1.254  (firewall)

TTL set for router (TTL of 2)
------------------------------
marge #hping2 -S -c 1 -t 2 -p 5100 victim7
eth0 default routing interface selected (according to /proc)
HPING victim7 (eth0 172.16.1.107): S set, 40 headers + 0 data bytes
TTL 0 during transit from 10.1.1.1  (router)

marge #hping2 -2 -S -c 1 -t 2 -p 5100 victim7
eth0 default routing interface selected (according to /proc)
HPING victim7 (eth0 172.16.1.107): udp mode set, 28 headers + 0 data bytes
TTL 0 during transit from 10.1.1.1  (router)

I would say that CheckPoint and Cisco ACLs account for a VERY large
percentage of filtering that happens on the net :)

Oh, and before the hardcore geeks ask, here are the ICMP traces :)

-*> Snort! <*-
Version 1.6.3
By Martin Roesch (roesch () clark net, www.snort.org)
11/06-20:44:27.424173 192.168.1.254 -> 192.168.1.10
ICMP TTL:255 TOS:0x0 ID:10529  DF
TTL EXCEEDED
00 00 00 00 45 00 00 28 03 B9 00 00 00 06 47 EA  ....E..(......G.
C0 A8 01 0A AC 10 01 6B 07 D2 13 EC 57 60 8A CA  .......k....W`..
7C 1F 01 96 50 02 02 00 C3 16 00 00              |...P.......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/06-20:44:30.597322 10.1.1.1 -> 192.168.1.10
ICMP TTL:254 TOS:0xC0 ID:499
TTL EXCEEDED
00 00 00 00 45 00 00 28 6D 2C 00 00 01 06 DD 76  ....E..(m,.....v
C0 A8 01 0A AC 10 01 6B 05 CF 13 EC 75 97 8D 81  .......k....u...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/06-20:44:36.393898 192.168.1.254 -> 192.168.1.10
ICMP TTL:255 TOS:0x0 ID:10530  DF
TTL EXCEEDED
00 00 00 00 45 00 00 1C B4 31 00 00 00 11 97 72  ....E....1.....r
C0 A8 01 0A AC 10 01 6B 05 ED 13 EC 00 08 76 D7  .......k......v.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/06-20:44:40.029069 10.1.1.1 -> 192.168.1.10
ICMP TTL:254 TOS:0xC0 ID:500
TTL EXCEEDED
00 00 00 00 45 00 00 1C 15 F5 00 00 01 11 34 AF  ....E.........4.
C0 A8 01 0A AC 10 01 6B 09 8C 13 EC 00 08 73 38  .......k......s8


--
Lance Spitzner
http://www.enteract.com/~lspitz


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards





-- 
Lance Spitzner
http://www.enteract.com/~lspitz


--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
Previous By Date Next
Previous By Thread Next

Current thread: