Penetration Testing mailing list archives
PIX and ttl
From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Thu, 24 May 2001 19:28:03 +0100
I'm doing a pen-test for a client that has a "standard" config of router-firewall-server_in_dmz. I'm fingerprinting the setup and I'm aware that the firewall is a Cisco PIX (BTW is there any way to change the banner for the fixup protocol smtp? :) Their router is at 5 hops of distance from me. Both router and fw gives me the ttl I was expecting when I ping them (251 and 250), but all the servers in the DMZ don't... traceroute to server_in_dmz (x.x.x.x), 30 hops max, 38 byte packets 1 a.a.a.a (a.a.a.a) 2.068 ms 2.031 ms 2.349 ms TTL:255 2 a.a.a.a (a.a.a.a) 153.681 ms 152.925 ms 131.445 ms TTL:254 3 a.a.a.a (a.a.a.a) 205.197 ms 269.539 ms 145.973 ms TTL:253 4 a.a.a.a (a.a.a.a) 38.078 ms 23.849 ms 23.497 ms TTL:252 5 router (router) 31.445 ms 27.277 ms 28.422 ms TTL:251 6 * * * (fw) TTL:250 7 * * * (server_in_dmz) TTL:123 The servers in the DMZ are Microsoft boxes so the "right" TTL should be 122. I've made a quick test with other PIX protected servers and it seems that when the packet passes the PIX it somehow resets the ttl for the original one. If I'm correct with these assumptions we have another method of fingerprinting PIX. Am I making any sense?? Fernando PS: Nice article about firewall fingerprinting: http://www.kmu-security.ch/identifyingfirewalls.htm -- Fernando Cardoso - Security Consultant WhatEverNet Computing, S.A. Phone : +351 21 7994200 Praca de Alvalade, 6 - Piso 6 Fax : +351 21 7994242 1700-036 Lisboa - Portugal email : fernando.cardoso () whatevernet com http://www.whatevernet.com/ _____________________________________________________________________ INTERNET MAIL FOOTER A presente mensagem pode conter informação considerada confidencial. Se o receptor desta mensagem não for o destinatário indicado, fica expressamente proibido de copiar ou endereçar a mensagem a terceiros. Em tal situação, o receptor deverá destruir a presente mensagem e por gentileza informar o emissor de tal facto. --------------------------------------------------------------------- Privileged or confidential information may be contained in this message. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. ---------------------------------------------------------------------
Current thread:
- PIX and ttl Fernando Cardoso (May 24)
- RE: PIX and ttl Jason Lewis (May 25)
- RE: PIX and ttl Fernando Cardoso (May 25)
- Re: PIX and ttl Konstantin Rozinov (May 27)
- RE: PIX and ttl Jacek Lipkowski (May 25)
- RE: PIX and ttl Jason Lewis (May 26)
- RE: PIX and ttl Fernando Cardoso (May 25)
- <Possible follow-ups>
- Re: PIX and ttl Fabio Pietrosanti (naif) (May 25)
- RE: PIX and ttl Fernando Cardoso (May 25)
- Re: PIX and ttl Nelson Brito (May 26)
- RE: PIX and ttl Fernando Cardoso (May 25)
- Re: RE: PIX and ttl Fernando Cardoso (May 28)
- RE: RE: PIX and ttl Filipe Almeida (May 28)
(Thread continues...)
- RE: PIX and ttl Jason Lewis (May 25)