Re: PIX and ttl

["Fabio Pietrosanti (naif)" <naif () sikurezza org>]

On Thu, May 24, 2001 at 07:28:03PM +0100, Fernando Cardoso wrote:
> I'm doing a pen-test for a client that has a "standard" config of
> router-firewall-server_in_dmz. I'm fingerprinting the setup and I'm aware
> that the firewall is a Cisco PIX (BTW is there any way to change the banner
> for the fixup protocol smtp? :)
no way, but i think that security configuration of the MTA behind the pix it's
thw right way and that "fixup protocol smtp" isn't necessary.
It simply add overhead to the Firewall processing...
> Their router is at 5 hops of distance from me. Both router and fw gives me
> the ttl I was expecting when I ping them (251 and 250), but all the servers
> in the DMZ don't...
>
> traceroute to server_in_dmz (x.x.x.x), 30 hops max, 38 byte packets
>  1  a.a.a.a (a.a.a.a)  2.068 ms  2.031 ms  2.349 ms               TTL:255
>  2  a.a.a.a (a.a.a.a)  153.681 ms  152.925 ms  131.445 ms         TTL:254
>  3  a.a.a.a (a.a.a.a)  205.197 ms  269.539 ms  145.973 ms         TTL:253
>  4  a.a.a.a (a.a.a.a)  38.078 ms  23.849 ms  23.497 ms            TTL:252
>  5  router (router)  31.445 ms  27.277 ms  28.422 ms              TTL:251
>  6  * * * (fw)                                                    TTL:250
>  7  * * * (server_in_dmz)                                         TTL:123
>
> The servers in the DMZ are Microsoft boxes so the "right" TTL should be 122.

No, it's different from release to release of microsoft products...

-- Windows NT 4.0 x86 SP6a ( ttl = 128 ) in MY LAN
root@life:~# hping -c 2 -S -p 80 10.1.3.20
eth0 default routing interface selected (according to /proc)
HPING gongolo (eth0 10.1.3.20): S set, 40 headers + 0 data bytes
46 bytes from 10.1.3.20: flags=SA seq=0 ttl=128 id=25884 win=8576 rtt=0.5 ms

-- Windows 2k x86 SP1 ( ttl = 123 ) behind PIX 5.3(1)
root@life:~# hping -c 2 -S -p 80 xxx.xxx.xx.xxx
eth0 default routing interface selected (according to /proc)
HPING www.www.www (eth0 xxx.xxx.xx.xxx): S set, 40 headers + 0 data bytes
46 bytes from xxx.xxx.xx.xxx: flags=SA seq=0 ttl=123 id=10872 win=8576 rtt=27.3 ms

-- Windows NT 4.0 x86 unknown SP ( ttl = 118 ) behind 5.3(1)
root@life:~# hping -c 1 -S -p 25 xxx.xxx.xxx.xxx
eth0 default routing interface selected (according to /proc)
HPING xxx.xxx.xxx.xxx (eth0 xxx.xxx.xxx.xxx): S set, 40 headers + 0 data bytes
46 bytes from xxx.xxx.xxx.xxx: flags=SA seq=0 ttl=118 id=45018 win=32768 rtt=860.1 ms

-- PIX Itself 5.3(1)  ( ttl = 247 )
root@life:~# ping -c 1 xxx.xxx.xxx.x
PING xxx.xxx.xxx.x (xxx.xxx.xxx.x): 56 octets data
64 octets from xxx.xxx.xxx.x: icmp_seq=0 ttl=247 time=87.7 ms

-- PIX Itself 5.1(4)  ( ttl = 251 )
root@life:~# ping -c 1 xxx.xxx.xxx.xx
PING xxx.xxx.xxx.x (xxx.xxx.xxx.xx): 56 octets data
64 octets from xxx.xxx.xxx.xx: icmp_seq=0 ttl=251 time=102.4 ms

As you could see ttl it's different for the same pix release...
I HATE PIX, I HATE CISCO ;>

> I've made a quick test with other PIX protected servers and it seems that
> when the packet passes the PIX it somehow resets the ttl for the original
> one. If I'm correct with these assumptions we have another method of
> fingerprinting PIX. Am I making any sense??
>
> Fernando
>
> PS: Nice article about firewall fingerprinting:
> http://www.kmu-security.ch/identifyingfirewalls.htm


Fabio Pietrosanti ( naif )
E-mail: naif () sikurezza org
PGP Key (DSS) http://naif.itapac.net/naif.asc
--
Free advertising: www.openbsd.org Multiplatform Ultra-secure OS