Penetration Testing mailing list archives
Strange replies on closed port
From: thomas springer <tuevsec () gmx net>
Date: Sun, 29 Jan 2006 20:53:13 +0100
Hi,

Nmap 3.999 is out! - with a "--badsum" option like it is described in http://www.phrack.org/phrack/60/p60-0x0c.txt - have a look at the release notes.

As a brave pen-tester I took hping2 to fiddle around and check the basic statements of the ancient phrack article. What I expected to find was:

Connecting to a closed port w/o firewall: target sends back an RST
Connecting to a closed port with firewall: target drops packet, nothing happens.

But it seems that things are more complicated. I tried

hping -S -c 1 -p 1 www.hostname.com

(a simple TCP SYN on port 1, which I consider closed everywhere), which shows that

a) many hosts drop the packet as expected
b) some hosts respond as expected: "len=46 ip=000.67.41.130 ttl=48 id=29443 sport=1 flags=RA seq=0 win=512 rtt=25.0 ms"
c) some hosts respond with ICMP: "ICMP Port Unreachable from ip=000.227.127.227 name=<name of target>"
d) one host responds strangely, like "ICMP Packet filtered from ip=000.94.95.253 name=<router 1 hop before the server>"

a and b seem to be clear:
a: firewalled host
b: non-firewalled host

c and d are a bit strange: who is responding with the ICMP messages, the target host or a packet filter? Especially the hping message in d confuses me a bit.

What should be the default behaviour for an IP stack if it gets a SYN on a closed port?

A bit confused,
tom
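Added example, not part of the original post: a small Python classifier for the four reply kinds (a to d) listed in the message, following the convention Nmap documents for SYN scans, where an ICMP destination-unreachable reply marks the port as filtered rather than closed. The function name, the sample lines and the documentation-range addresses are constructed for illustration; the line format is the hping2 output quoted in the post.

```python
import re

# hping2 wording for ICMP destination-unreachable (type 3) replies -> ICMP code.
# Code 3 = port unreachable; code 13 = communication administratively
# prohibited (RFC 1812), which hping2 prints as "Packet filtered".
ICMP_UNREACH_CODE = {"Port Unreachable": 3, "Packet filtered": 13}

ICMP_RE = re.compile(r"ICMP (?P<msg>.+?) from ip=(?P<ip>\S+)")
TCP_RE = re.compile(r"ip=(?P<ip>\S+) .*?sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]+)")


def classify(line, target_ip, port):
    """Map one hping2 reply line (None = timeout) to (state, responder, reason).

    The responder is judged only by the source address of the reply.
    """
    if not line:
        return ("filtered", None, "no reply, probe or answer was dropped")
    m = ICMP_RE.search(line)
    if m:
        # The ICMP source address shows which device generated the error.
        responder = "target" if m["ip"] == target_ip else "intermediate"
        code = ICMP_UNREACH_CODE.get(m["msg"])
        if code is None:
            return ("unknown", responder, "unhandled ICMP message: " + m["msg"])
        return ("filtered", responder, f"ICMP type 3 code {code}")
    m = TCP_RE.search(line)
    if m and m["ip"] == target_ip and int(m["sport"]) == port:
        flags = set(m["flags"])
        if "R" in flags:
            # RFC 793: a SYN to a port with no listener is answered with RST.
            return ("closed", "target", "TCP RST")
        if {"S", "A"} <= flags:
            return ("open", "target", "TCP SYN/ACK")
    return ("unknown", None, "unparsed reply")


# Constructed sample replies in the format quoted in the post (documentation IPs).
TARGET = "192.0.2.10"
SAMPLES = [
    None,
    "len=46 ip=192.0.2.10 ttl=48 id=29443 sport=1 flags=RA seq=0 win=512 rtt=25.0 ms",
    "ICMP Port Unreachable from ip=192.0.2.10 name=target.example",
    "ICMP Packet filtered from ip=198.51.100.1 name=router.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s, TARGET, 1), "<-", s)
```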