Penetration Testing mailing list archives

Re: Some unusual network features

From: Andrew Simmons <andrews () mis-cds com>
Date: Tue, 13 Jan 2004 20:28:30 +0000


Paul Johnston wrote:

I've come accross the following anomoloies while auditing a network, cananyone help explain what they are:
1) Ports that "hang open" i.e. you can connect, send data ok, but theother end never sends any data and never closes the connection.

Do you get any banners back to help identify the services, or use nmapversion scan? If so do they match anything well-known? Do the servers agreewith the remote OS? (eg IIS running on Solaris?)

2) HTTP ports that function normally when you issue some methods, but onother methods (including the imaginary method "SILLY") cause theconnection to "hang open" like in (1).



Could possibly be an application layer proxy?

3) Ports where the TTL is different on the SYN reply to the rest of theconnection. ipid's also imply that different hosts are handling the SYNand the rest of the connection.
I've got some theories, but I'm not sure how much I'm jumping toconclusions.

I guess you're thinking proxies or firewalls with 'security servers' (egCheckpoint) - although I don't know what the IPIDs,TTLs etc look like inthat situation. Hmmm, I think I just found a lab project for next week :)



> Paul
>


cheers

\a



The information contained in this message or any of its attachments may be privileged and confidential and intended for 
the exclusive use of the intended recipient.  If you are not the intended recipient any disclosure, reproduction, 
distribution or other dissemination or use of this
communications is strictly prohibited.   The views expressed in this e-mail
are those of the individual and not necessarily of MIS Corporate Defence Solutions Ltd.  Any prices quoted are only 
valid if followed up by a formal written quote.  If you have received this transmission in error, please contact our 
Security Manager on +44 (01622) 723410.

This email is intended for the recipient only and contains confidential information, some or all of which may be 
legally privileged. If you are not the intended recipient, you must not use, save, disclose, distribute, copy, print or 
rely on this email or any information contained within it. Please notify the sender by return and delete it from your 
computer. Thank you.

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Some unusual network features Paul Johnston (Jan 13)
- Re: Some unusual network features Nathan R. Valentine (Jan 13)
- Re: Some unusual network features Andrew Simmons (Jan 13)
- Re: Some unusual network features Mike Hoskins (Jan 13)
- Re: Some unusual network features Shashank Rai (Jan 14)
- Re: Some unusual network features Alla Bezroutchko (Jan 14)
  - Re: Some unusual network features die tuere (Jan 15)
  - Re: Some unusual network features Daniel Lucq (Jan 15)
- <Possible follow-ups>
- RE: Some unusual network features Deckard, Jason (Jan 14)