Penetration Testing mailing list archives
Strange response from network
From: Shashank Rai <shashrai () emirates net ae>
Date: Wed, 15 Sep 2004 14:36:14 +0400
Hi all, I observed the following during a pentest i am doing: 1) A port scan of the TARGET_IP (using nmap 3.7 with -sS, -sV and OS identification), shows port 2443 open and remaining ports as "closed". 2) Nmap fails to identify the OS but identifies the service as "Microsoft Distributed Transaction Server". 3) The interesting (and strange) part comes from here on. A tcptraceroute to port 2443 on the TARGET_IP, showed RST/ACK packets coming back. To further investigate this, i started sending packets by manually increasing the ttl. I obtained the following results: SYN packet to port 2443, ttl 7 (last but one hop from target) sends RST/ACK.... hping2 -S -V -n -c 1 -p 2443 -t 7 TARGET_IP using eth0, addr: MY_IP, MTU: 1500 S set, 40 headers + 0 data bytes len=46 ip=TARGET_IP ttl=249 id=40109 tos=0 iplen=40 sport=2443 flags=RA seq=0 win=0 rtt=6.3 ms seq=80210401 ack=1098187429 sum=ec0b urp=0 --- TARGET_IP hping statistic --- 1 packets tramitted, 1 packets received, 0% packet loss round-trip min/avg/max = 6.3/6.3/6.3 ms ========================================================================== SYN packet to port 2443 ttl 8 (TARGET IP) gives SYN/ACK ..expected response....... hping2 -S -V -n -c 1 -p 2443 -t 8 TARGET_IP using eth0, addr: MY_IP, MTU: 1500 S set, 40 headers + 0 data bytes len=46 ip=TARGET_IP ttl=122 id=16401 tos=0 iplen=44 sport=2443 flags=SA seq=0 win=16384 rtt=6.1 ms seq=416937317 ack=1244107777 sum=61fe urp=0 --- TARGET_IP hping statistic --- 1 packets tramitted, 1 packets received, 0% packet loss round-trip min/avg/max = 6.1/6.1/6.1 ms =========================================================================== SYN packet to port 25 (closed port) ttl 7 and there is NO response.... hping2 -S -V -n -c 1 -p 25 -t 7 TARGET_IP using eth0, addr: MY_IP, MTU: 1500 S set, 40 headers + 0 data bytes --- TARGET_IP hping statistic --- 1 packets tramitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms =========================================================================== SYN packet to port 25 ttl 8 ... NO RESPONSE. hping2 -S -V -n -c 1 -p 25 -t 8 TARGET_IP using eth0, addr: MY_IP, MTU: 1500 S set, 40 headers + 0 data bytes --- TARGET_IP hping statistic --- 1 packets tramitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms =========================================================================== also note that the packets with ttl 7 still come back with TARGET IP, implying that remote system is spoofing the IP. Even the difference in ttl and IPID of incoming packets indicates different systems are sending the response. My questions: a) any idea what kind of filtering system can this be b) is it possible to determine the IP of the 7th HOP. The nature of the service i am testing requires users to connect using a client certificate. I connect to port 2443 using stunnel and the client certificate supplied to me for the test. Now i send a GET / HTTP/1.0 request. The response that comes back is HTTP 403 and the server string is "Apache-Coyote/1.1" .... in contradiction to what nmap detected as a service. Any clues as to what is *Really* running on port 2443. Amap returns nothing :( TIA cheers, -- shashank <-- Here is the Packet that was fragmented and has been assembled again. (with apologies to JRR Tolkien :) --> ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- Strange response from network Shashank Rai (Sep 15)
- Re: Strange response from network Ben Timby (Sep 15)
- Re: Strange response from network David Coppa (Sep 16)
- Re: Strange response from network Mambo Dsouza (Sep 16)
- Re: Strange response from network Martin Mačok (Sep 16)
- <Possible follow-ups>
- Re: Strange response from network shashrai (Sep 16)
- Re: Strange response from network shashrai (Sep 16)
- Re: Strange response from network Ben Timby (Sep 15)