Penetration Testing mailing list archives
RE: RE: PIX and ttl
From: "Filipe Almeida" <filipe () ist utl pt>
Date: Mon, 28 May 2001 15:58:15 +0100
-----Original Message-----
From: pen-test-return-93-filipe=ist.utl.pt () securityfocus com [mailto:pen-test-return-93-filipe=ist.utl.pt () securityfocus com] On Behalf Of Fernando Cardoso
Sent: Sunday, 27 May 2001 21:02
To: jlewis () jasonlewis net
Cc: 'Jacek Lipkowski'; PEN-TEST () securityfocus com
Subject: Re: RE: PIX and ttl

NMAP scans for hosts beyond "stateful aware" firewalls are quite difficult. The first problem lies in the firewall design. If a packet is not in the connection table and it's not a SYN packet it is simply dropped. The other problem is TCP options. Most firewalls will drop those packets also. In a recent pen-test I realized that Win 2k hosts beyond a PIX would only respond to NMAP test #5, the only one that uses a standard SYN, while if those boxes were outside the filtered network, they would reply to all 8 tests.
And if you are using some kind of SynDefender even the SYN packets may be generated by the firewall, depending on the SynDefender method you are using.
The workaround is to break in and NMAP from the internal network ;)
Another option is to do some research on the possibility of doing fingerprinting on the other TCP states (ESTABLISHED, FIN_WAIT, ...). A method I use to discover Windows machines behind a stateful aware firewall with SynDefender is to create ESTABLISHED connections and analyze the ip.id increments. This analysis can be expanded to other fields of the packets and other states by doing some research. Perhaps a fingerprinting system that uses traces from a tcpdump session? Anyone?

--
Filipe Almeida
filipe () rnl ist utl pt
Aka LiquidK
Administração da Rede das Novas Licenciaturas
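The ip.id increment analysis above, as an added example that is not part of the original thread: a small Python script, of the kind a defender could run over their own tcpdump trace, that groups IP IDs per source host and reports whether a host's IP ID field is predictable (incremental, or incremental with the bytes swapped, as some older Windows stacks send it), effectively zero, or random. The trace records and IP addresses are constructed for illustration.

```python
"""Classify a host's IP ID generation from packets seen on ESTABLISHED connections."""
from collections import defaultdict

# Constructed sample records (timestamp, source IP, IP ID) as they could be copied
# out of a "tcpdump -v" session; values and addresses are made up for this example.
SAMPLE_TRACE = [
    (0.00, "10.0.0.5", 4101), (0.10, "10.0.0.5", 4102), (0.20, "10.0.0.5", 4103),
    (0.30, "10.0.0.5", 4105), (0.40, "10.0.0.5", 4106),            # counter, step 1-2
    (0.00, "10.0.0.6", 0x0501), (0.10, "10.0.0.6", 0x0601),         # counter sent in
    (0.20, "10.0.0.6", 0x0701), (0.30, "10.0.0.6", 0x0801),         # little-endian order
    (0.00, "10.0.0.7", 51231), (0.10, "10.0.0.7", 812),             # no usable pattern
    (0.20, "10.0.0.7", 40977), (0.30, "10.0.0.7", 23),
    (0.00, "10.0.0.9", 0), (0.10, "10.0.0.9", 0), (0.20, "10.0.0.9", 0),  # always zero
]


def _swap16(value):
    """Swap the two bytes of a 16-bit IP ID (host-order counter seen on the wire)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def _small_positive_steps(ids, max_step):
    # IP ID is 16 bits wide, so take increments modulo 65536 to survive wrap-around.
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return all(0 < s <= max_step for s in steps)


def classify_ipid(ids, max_step=16):
    """Return 'zero', 'incremental', 'incremental (byte-swapped)', 'random' or 'unknown'."""
    if len(ids) < 3:
        return "unknown"            # too few packets to say anything
    if all(i == 0 for i in ids):
        return "zero"               # stack leaves the field unset (nothing to learn)
    if _small_positive_steps(ids, max_step):
        return "incremental"        # global counter: predictable and fingerprintable
    if _small_positive_steps([_swap16(i) for i in ids], max_step):
        return "incremental (byte-swapped)"
    return "random"


def classify_trace(trace):
    """Group IP IDs by source host in time order and classify each host."""
    by_host = defaultdict(list)
    for _, src, ip_id in sorted(trace):
        by_host[src].append(ip_id)
    return {src: classify_ipid(ids) for src, ids in by_host.items()}


if __name__ == "__main__":
    for host, verdict in sorted(classify_trace(SAMPLE_TRACE).items()):
        print(f"{host:12s} {verdict}")
```

Hosts reported as incremental are the ones whose stack can be identified through a stateful firewall in the way described in the thread.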