Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: RE: PIX and ttl

From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Sun, 27 May 2001 21:01:53 +0100
[...]

I am running load balanced web servers behind a PIX.  I have never 
been able
to identify the server OS with NMAP.  Is there a secret?  I am 
aware of
doing banner checks.  The scenario would be someone doing 
automated scans
for Linux and using NMAP to put known Linux hosts into a file.



NMAP scans for hosts beyond "stateful aware" firewalls is quite 
difficult. The first problem lies in the firewall design. If a packet 
is not in the connection table and it's not a SYN packet it is simply 
droped. The other problem is TCP options. Most firewalls will drop 
those packets also.

In a recent pen-test I realize that Win 2k hosts beyond a PIX, would 
only respond to NMAP test #5, the only one that uses a standard SYN, 
while if those boxes where outside the filtered network, they would 
reply to all 8 tests.

The work around is break in and NMAP from the internal network ;)


_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: