Penetration Testing mailing list archives

Re: traceroute interpretations, where is the firewall ?


From: "sami seclist" <sg.seclists () gmail com>
Date: Tue, 12 Dec 2006 21:53:17 +0100

Hi all,

I finally found answers to my questions thanks to an intensive, manual
study of the returned packets' TTLs (by the way, is there a tool that can
do it automatically?).
In the TCP traceroute to port 80, we can be sure that it's the web
server that replied with a SYN ACK whose TTL is about 120. I assume
there isn't any kind of layer 3 cloaking that forged the TTL, so it's
a Windows 2000 box.
In the UDP traceroute, the last hop replied with a packet TTL of 57,
so it cannot be the same box. The returned packet is an ICMP port
unreachable packet, so this must be the firewall, and it rejected the
incoming packet.
And finally, 192.168.0.94 is the router, because it replied with an
ICMP time exceeded packet whose TTL is about 248 (maybe Cisco).
So hop 9 is the router, hop 10 the FW and hop 11 the web server.

About the proposed tools:
sinFP and lft: I didn't know these two; they seem interesting to test in my next audit
firewalk: I tried it once some time ago, but I didn't like it as I
didn't really understand what exactly it does
scapy: I discovered this tool during the last audit and I promised
myself to test it, but I still haven't
ftest: one must have two hosts, one inside and the other outside, not
suitable here
hping and tcptraceroute (or tctrace): excellent tools

Although I don't know all the tools above, I don't think they will
automate the reasoning I did with TTLs. If such a tool doesn't already
exist, I think it would be useful to the community to develop it ...

John, I will focus on application level audit tomorrow ...

Sami.


2006/12/12, John Babio <jbabio () po-box esu edu>:
Do you have any idea what the backend database is? There are a plethora
of MySQL and MSSQL 2000 tools available to find injections. For instance
the xp_cmd stuff for an MS box.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of sami seclist
Sent: Monday, December 11, 2006 3:32 PM
To: pen-test () securityfocus Com
Subject: traceroute interpretations, where is the firewall ?

Hi list,

I'm currently pen testing a website. I'm still in the first step,
trying to discover the network layout.
I sniffed the HTTP GET request packet, and according to the banner
it's a Windows 2000 server with IIS 5.
The TTL of the packet is 118 (the original TTL is then 128, so it's another
clue that the system is a Windows server).
Below are the TCP/UDP/ICMP traceroutes.
Things I'm sure of:
there is a firewall (great finding!)
the FW is discarding inbound ICMP echo requests but not outbound ICMP
destination unreachable (in the UDP traceroute)
I need your opinion about the following points:
I cannot find any plausible explanation of why the web server's TTL in
the UDP traceroute is 55 (is it some kind of cloaking?)
what do you think hop 10 in the ICMP traceroute is?
is 192.168.0.94 a firewall?
I know that the firewall is a WatchGuard (social engineering); do you
think this can help (personally I don't know how, I didn't find any
exploitable vuln in public databases)?
I used standard Linux traceroute and tctrace. Any other suggestions
about tools to discover the firewall and its rules?




ICMP traceroute
 1  192.168.2.1 (192.168.2.1)  147.976 ms (64)  0.472 ms (64)  0.391 ms (64)
 2  192.168.169.1 (192.168.169.1)  19.389 ms (126)  26.403 ms (126)  19.812 ms (126)
 3  X.X.X.X  22.211 ms (252)  19.227 ms (252)  23.219 ms (252)
 4  X.X.X.X  21.274 ms (251)  25.580 ms (251)  18.337 ms (251)
 5  X.X.X.X  25.978 ms (250)  19.707 ms (250)  24.313 ms (250)
 6  X.X.X.X  30.838 ms (250)  26.228 ms (250)  29.696 ms (250)
 7  X.X.X.X  28.214 ms (249)  28.684 ms (249)  33.339 ms (249)
 8  X.X.X.X  97.799 ms (247)  28.246 ms (247)  30.445 ms (247)
 9  192.168.0.94 (not real address)  200.087 ms (247)  151.751 ms (247)  181.627 ms (247)
10  * * *
11  * * *

UDP traceroute
 1  192.168.2.1 (192.168.2.1)  1.297 ms (64)  0.855 ms (64)  0.529 ms (64)
 2  192.168.169.1 (192.168.169.1)  18.014 ms (126)  54.012 ms (126)  48.182 ms (126)
 3  X.X.X.X  47.598 ms (252)  77.360 ms (252)  19.444 ms (252)
 4  X.X.X.X  15.483 ms (251)  43.974 ms (251)  27.602 ms (251)
 5  X.X.X.X  37.405 ms (250)  14.281 ms (250)  17.060 ms (250)
 6  X.X.X.X  16.883 ms (250)  14.179 ms (250)  48.096 ms (250)
 7  X.X.X.X  55.970 ms (249)  14.518 ms (249)  17.161 ms (249)
 8  X.X.X.X  18.400 ms (247)  17.086 ms (247)  32.555 ms (247)
 9  192.168.0.94 (not real address)  89.282 ms (247)  164.469 ms (247)  87.946 ms (247)
10  192.168.98.3 (not real address)  192.122 ms (55)  228.251 ms (55)  193.657 ms (55)

TCP traceroute on port 80
 1(1)   [192.168.2.1]
 2(1)   [192.168.169.1]
 3(1)   [X.X.X.X]
 4(3)   [X.X.X.X]
 5(1)   [X.X.X.X]
 6(1)   [X.X.X.X]
 7(1)   [X.X.X.X]
 8(1)   [X.X.X.X]
 9(1)   [192.168.0.94]
10(all) Timeout
11(1)   [192.168.98.3] (reached; open)

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


