Penetration Testing mailing list archives

Idle (Witness) Scanning


From: Evrim ULU <evrim () envy com tr>
Date: Sat, 27 Apr 2002 11:52:54 +0300

I hope this time it will pass. ehe:-)


Hi,

I'm trying to scan inside my local NAT, but I'm having some problems and I thought people here might help.

Setup is simple:

W2K Prof. NAT machine, with real IP xx.xx.xx.90 and NAT gw IP 192.168.0.1
Client behind the NAT machine has IP 192.168.0.2 (Linux)

My box: xx.xx.xx.66 (Linux)

First, from xx.66 I wrote:

hping2 -W -r xx.xx.xx.90


Then, I send spoofed packets:

hping2 -S -p 22 -a 192.168.0.2 xx.xx.xx.90

Port 22 of the client box is open. After that, I sniffed from the client box and saw that it generates a RST packet normally to the xx.xx.90.90 machine. Also, id goes from +256 to +512. (The NAT machine is kept idle of course during the test.) From these, I understood that port 22 is open since the RST packet is generated, etc.

Then, I send a second packet to port 1 (tcpmux), which is closed. But the same thing happens: id goes from +256 to +512 and nothing more happens.

The NAT machine behaves the same in both cases: at first, taking the RST packet from the client; at second, taking the UDP port unreachable. Btw, I've checked the generated messages with the sniffer at the client machine.

So, is there a way to identify open and closed (filtered) ports inside NAT? Or does W2K assign different id numbers for different ether interfaces? (I've read Solaris assigns different ids for different processes. I think W2K may do this not for every process but for each ethernet interface.)

PS: Before trying to go inside the NAT, I successfully achieved idle scanning a client behind a firewall with both client and firewall having real IPs. I faced no problem. The ID field goes to +512 from +256 in case the port is open. It stays at +256 if it gets an ICMP port unreachable message.

Besides, I think that since during NAT exploitation we're sending two packets and expecting a third, shouldn't the id field be bigger than +512?


Thnx.

--
Evrim ULU
evrim () envy com tr / evrim () core gen tr
sysadm
http://www.core.gen.tr
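Added example (my code, not Evrim's post or hping2's own output handling): a small Python reader for the `id=+N` values that `hping2 -r` prints, applying the rule of thumb the post states (+256 per packet on a Windows zombie, +512 when the zombie answered one extra RST, +1 steps on other stacks) and flagging runs where the zombie sent more than the scan explains, which is the ambiguity the post ran into. The sample reply lines and the 203.0.113.90 address are constructed for the example.

```python
import re

# hping2 -r reply lines, constructed for this example (not captured from the post's hosts).
# With -r, hping2 prints each reply's IP ID relative to the previous reply as "id=+N".
SAMPLE_REPLIES = [
    "len=46 ip=203.0.113.90 ttl=128 id=+256 sport=0 flags=RA seq=0 win=0 rtt=0.5 ms",
    "len=46 ip=203.0.113.90 ttl=128 id=+256 sport=0 flags=RA seq=1 win=0 rtt=0.4 ms",
    "len=46 ip=203.0.113.90 ttl=128 id=+512 sport=0 flags=RA seq=2 win=0 rtt=0.6 ms",
    "len=46 ip=203.0.113.90 ttl=128 id=+1280 sport=0 flags=RA seq=3 win=0 rtt=0.5 ms",
]

ID_RE = re.compile(r"\bid=\+?(\d+)\b")


def parse_relative_ids(lines):
    """Pull the relative IP ID out of each hping2 reply line; lines without one are skipped."""
    return [int(m.group(1)) for m in (ID_RE.search(line) for line in lines) if m]


def id_step(ids):
    """Guess the zombie's per-packet IP ID increment. Windows increments the ID by one in
    host byte order, which on the wire (and in hping2's output) reads as +256; most other
    stacks step by +1. Heuristic: all values multiples of 256 -> Windows-style stepping."""
    if not ids:
        raise ValueError("no IP IDs to examine")
    return 256 if all(i % 256 == 0 for i in ids) else 1


def classify(relative_id, step):
    """Idle-scan bookkeeping as the post describes it: one increment is the zombie's own
    RST to our probe; two means it sent exactly one more packet between our probes (the
    '+512 = open' reading); more than that is traffic the scan does not account for, so
    the zombie was not idle and the reading cannot be trusted."""
    packets, remainder = divmod(relative_id, step)
    if remainder or packets < 1:
        return "unexpected id"
    if packets == 1:
        return "closed or filtered"
    if packets == 2:
        return "open"
    return "zombie not idle"


def classify_run(lines):
    """Classify a whole hping2 -r run: one verdict per reply line, in order."""
    ids = parse_relative_ids(lines)
    return [classify(i, id_step(ids)) for i in ids]
```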


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

