Penetration Testing mailing list archives

Re: All tcp ports open?


From: nathan () ccc-ltd com
Date: Wed, 01 Sep 2004 14:44:15 +0000


Looks suspiciously like a FW1 SYNDefender in relay mode, here are some
(brief and probably inaccurate) notes that I made a while back. It all boils
down to TTLs if you want to scan hosts behind it.

Hope this points you in the right direction;

Notes:

you will always get a spoofed syn/ack from the firewall (when unfiltered).

If the firewall is rejecting the port you will get a reset without a syn/ack.

If the machine is not there, rst will appear (after arp? timeout) to have the
same ttl as the firewall (i.e. the same as the spoofed syn/ack sent back to the
client).

A reset should happen if the firewall is rejecting the connection (i.e.
resetting it).

If the machine is there but port closed, rst will have a different ttl from the
initial syn/ack of the firewall.

If the machine is there but port open:
        If there is no data waiting, FIN the server and look for ACK FIN.
        
        If there is data waiting for you, you will get an ack + data, it might be
        prudent to fin the connection.

If the machine is there but filtered by the firewall, the firewall will
successfully syn/ack from server on its behalf, the ack coming back from the
server however will be blocked and the client will be stuck retransmitting ack
until client timeout.

More detailed information:

http://www.phoneboy.com/bin/view.pl/FAQs/SynDefender

regards,

Nathan

-- 
Computer Crime Consultants Ltd
http://www.ccc-ltd.com

Support the fight against software patents:
http://petition.eurolinux.org
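As an added illustration (not part of Nathan's post), the decision rules from the notes encoded as a classifier over the packets seen after one SYN; the flag strings, TTL values and addresses are constructed, and the assumption is that the spoofed SYN/ACK's TTL is the firewall's own:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Pkt:
    flags: str           # TCP flags: "SA" (SYN/ACK), "R" (RST), "FA" (FIN/ACK), "A"
    ttl: int             # IP TTL as received by the client
    has_data: bool = False

def classify(observed: List[Pkt]) -> str:
    """Apply the TTL rules from the notes to the packets that followed one SYN
    (and, once a SYN/ACK came back, the ACK and FIN the client sent after it)."""
    if not observed:
        return "no response"
    first = observed[0]
    if first.flags == "R":
        # RST with no SYN/ACK in front of it: the firewall rejected the port itself
        return "rejected by firewall"
    if first.flags != "SA":
        return "unexpected"
    relay_ttl = first.ttl            # the SYN/ACK is always spoofed by the firewall
    if len(observed) == 1:
        # firewall relayed the SYN/ACK but our ACK/FIN never reach the host
        return "host present, port filtered"
    nxt = observed[1]
    if nxt.flags == "R":
        # same TTL as the spoofed SYN/ACK => the firewall, not a host, sent the RST
        if nxt.ttl == relay_ttl:
            return "host absent"
        return "host present, port closed"
    if nxt.flags == "FA":
        return "host present, port open"
    if nxt.flags == "A" and nxt.has_data:
        return "host present, port open (data waiting)"
    return "unexpected"

def summarize(probes: Dict[Tuple[str, int], List[Pkt]]) -> Dict[Tuple[str, int], str]:
    """Classify every (host, port) probe in one pass."""
    return {target: classify(pkts) for target, pkts in probes.items()}

# Constructed sample: spoofed SYN/ACKs arrive with TTL 60, real hosts answer with TTL 125.
SAMPLE = {
    ("10.0.0.5", 22):  [Pkt("SA", 60), Pkt("FA", 125)],          # open, no banner
    ("10.0.0.5", 25):  [Pkt("SA", 60), Pkt("A", 125, True)],     # open, banner sent
    ("10.0.0.5", 80):  [Pkt("SA", 60), Pkt("R", 125)],           # closed on the host
    ("10.0.0.5", 443): [Pkt("SA", 60)],                          # filtered past the relay
    ("10.0.0.9", 22):  [Pkt("SA", 60), Pkt("R", 60)],            # no such host
    ("10.0.0.5", 23):  [Pkt("R", 60)],                           # firewall rejects
}
```

The same TTL asymmetry is what a defender sees in their own captures: a relay that answers for every address leaks host presence unless the RSTs it generates carry the same TTL as the hosts behind it.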


