Penetration Testing mailing list archives
RE: Strange replies on closed port
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Wed, 1 Feb 2006 01:59:33 -0500
Thomas: It would help immensely to those interested in answering your question to have a copy of the traffic as a PCAP file - while the test can easily be reproduced, would save time just to check your capture instead of doing it all again ;) About your assumptions: a) hosts shouldn't by default just 'drop the packet and forget about it'. In TCP, the standard reply to a SYN segment sent to a closed port should be a RST - not dropping the packet. Dropping the packet w/o sending anything back smells of firewall in the middle, or some kernel tweaks b) that is the expected behaviour - but the ip field doesn't make any sense c) that message (AFAIR) should only be sent by the host when receiving an UDP datagram (not TCP) to a non 'listening' port. d) that message isn't generated by the end host, but by something in the path filtering packets - probably a router with ACLs Packet filtering devices behaviour is all over the place. As an example, firewalls will probably drop the packet and send nothing back. Routers with an ACL blocking the packet in question will drop - and could, or could not, send an 'ICMP admin prohibited' back. nmap does have a bunch of logic embedded to deal with all those variations - that's why when scanning a host it can print status like 'closed, open, firewalled, etc' for ports. Thanks, Dario
-----Original Message----- From: thomas springer [mailto:tuevsec () gmx net] Sent: Sunday, January 29, 2006 2:53 PM To: pen-test () securityfocus com Subject: Strange replies on closed port Hi, Nmap 3.999 is out! - with a "--badsum"-option like it is described in http://www.phrack.org/phrack/60/p60-0x0c.txt - have a look at the release notes. As a brave pen-tester I took hping2 to fiddle around and check the basic statements of the ancient phrack-article. What I expected to find was: Connecting to a closed Port w/o Firewall: Target sends back an RST Connecting to a closed Port with Firewall: Target drops packet, nothing happens. But things seems that things are more complicated. I tried hping -S -c 1 -p 1 www.hostname.com (a simple TCP-Syn on Port 1, which I consider closed everywhere) shows that a) many hosts drop the packet as expected b) some hosts respond as expected "len=46 ip=000.67.41.130 ttl=48 id=29443 sport=1 flags=RA seq=0 win=512 rtt=25.0 ms" c) some hosts respond with ICMP: "ICMP Port Unreachable from ip=000.227.127.227 name=<name of target>" d) one hosts responds strange, like "ICMP Packet filtered from ip=000.94.95.253 name=<router 1 hop before the server> a and b seems to be clear: a: firewalled host b: non-firewalled host c and d are a bit strange: Who is responding with the icmp-messages: the target-host or a packetfilter? Especially the hping-message in d confuses me a bit. What should be the default behaviour for an ip-stack if it gets a SYN on a closed Port? A bit confused, tom -------------------------------------------------------------- ---------------- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------- -----------------
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- RE: Strange replies on closed port Lars Troen (Feb 02)
- <Possible follow-ups>
- RE: Strange replies on closed port Dario Ciccarone (dciccaro) (Feb 02)