Penetration Testing mailing list archives

Re: PIX and ttl


From: Nelson Brito <nelson () SECUNET COM BR>
Date: Fri, 25 May 2001 17:51:47 -0300

Fernando Cardoso wrote:

[...]

I don't think so... I've tested all kinds of Windows stuff and I always get
128 (local LAN). Maybe the results you're showing are the result of some
kind of "PIX tweaking".

-- Windows NT 4.0 x86 SP6a ( ttl = 128 ) in MY LAN
46 bytes from 10.1.3.20: flags=SA seq=0 ttl=128 id=25884 win=8576 rtt=0.5 ms

It's the default setting in WinNT's Registry, but you can set it to
whatever value you want, just by editing your NT box.

I already posted, some time ago, about ICMP fingerprinting.

The registry key you need to modify to confuse the attacker (maybe a
penetration tester ;)) is:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DefaultTTL"=dword:000000ff

This means the TTL is now set to 255 or 0x000000ff in hex.

So, I could set this value to 0x00000081 (129 in decimal), so it would be
weird when some attacker tries to "traceroute" this host. What do you
think? ;))

PS: Sorry for my poor English...

That's all
-- 
# Nelson Brito
# Security Analyst and Penetration Tester
# Security Networks AG - The trust Company!
#
# Usage: cat <file> | perl .signature
foreach(<STDIN>){chop;@_=split(//,$_);print reverse @_;print "\n";}
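The post above makes two points worth seeing in code: how the dword in that .reg fragment maps to a decimal TTL, and why a non-default initial TTL such as 129 misleads the usual "initial TTL minus observed TTL" guess that TTL-based fingerprinting and traceroute-style hop counting rely on. The following is an added example written for this archive page, not code from the original post or from any tool it mentions. It assumes the conventional set of initial TTL values that such tools compare against (64, 128, 255); the registry key and value name are the ones quoted in the post, and the .reg text and the hop counts are constructed sample data.

```python
# Added example (not from the original post): interpret the DefaultTTL
# registry fragment quoted above, then show how an observer turns a seen
# TTL into an initial-TTL / hop-count guess and how a non-default
# DefaultTTL (e.g. 129) throws that guess off.
import re

# Initial TTLs that fingerprinting heuristics commonly assume (assumption:
# this is the conventional 64/128/255 table, not something from the post).
INITIAL_TTLS = (64, 128, 255)

REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Constructed sample: the .reg fragment as it appears in the post.
REG_FRAGMENT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DefaultTTL"=dword:000000ff
'''


def parse_reg_dword(fragment, key, name):
    """Return the integer value of a REG_DWORD entry under `key` in .reg text,
    or None if the key or the value name is not present."""
    in_key = False
    for line in fragment.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1] == key       # enter/leave the wanted key
            continue
        if not in_key:
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and m.group(1) == name:
            return int(m.group(2), 16)       # dword is hex in .reg files
    return None


def reg_dword_line(name, value):
    """Render a REG_DWORD value line the way a .reg file writes it."""
    return '"%s"=dword:%08x' % (name, value)


def guess_initial_ttl(observed):
    """Smallest conventional initial TTL that is >= the observed TTL.
    This is the heuristic an observer applies when it has no other clue."""
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial
    return None


def guess_hops(observed):
    """Hop-distance estimate derived from the same heuristic."""
    initial = guess_initial_ttl(observed)
    return None if initial is None else initial - observed


def observe(default_ttl, hops):
    """TTL seen by a receiver `hops` routers away from a sender that starts
    its packets at `default_ttl` (each router decrements by one)."""
    return default_ttl - hops


def compare(default_ttl, hops):
    """Return (true initial, observed, guessed initial, guessed hops)."""
    seen = observe(default_ttl, hops)
    return default_ttl, seen, guess_initial_ttl(seen), guess_hops(seen)


if __name__ == "__main__":
    print("DefaultTTL from .reg fragment:",
          parse_reg_dword(REG_FRAGMENT, REG_KEY, "DefaultTTL"))
    print("129 written as .reg dword:", reg_dword_line("DefaultTTL", 129))
    print("true_initial observed guessed_initial guessed_hops")
    for default_ttl, hops in ((128, 0), (128, 6), (129, 0), (129, 3), (255, 12)):
        print(*compare(default_ttl, hops))
```

With the stock value the heuristic works: a TTL of 122 seen six hops away maps to an initial TTL of 128 and six hops. With DefaultTTL set to 129, a packet seen on the local LAN carries TTL 129, which the heuristic can only explain as an initial TTL of 255 after 126 hops; seen three hops away it carries 126, which maps to 128 and two hops, one short of the truth. That is the "weird traceroute" effect the post describes, and it is also why TTL should be treated as a weak signal in detection logic rather than a reliable indicator of platform or distance.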
