Penetration Testing mailing list archives

RE: Firewall Scan


From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Fri, 26 Jun 2009 07:18:18 -0400

Yeah, that looks odd - I wonder if they are doing some type of passive
host profiling or something.  I think I'd capture the traffic from an
nmap scan of just port 5900 and then I'd look through that to see what's
going on.  Then I'd just do a simple telnet connect and capture that.  I
wonder if they are looking for something that nmap does to the header.

Another possibility is that there is portscan detection....by the time
it hits port 5900, your IP has been blocked for a short time....but, the
windows nmap scan seems like it should have triggered that action
also...but perhaps the linux box has already been blocked by the time
you did the single-port test...the tests you did make this seem
unlikely;)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of IPv7
Sent: Wednesday, June 24, 2009 3:45 PM
To: pen-test () securityfocus com
Subject: Firewall Scan

Hello Guys,

I was doing a normal TCP Scan on port 5900, when I found a strange
result:

1st I did a normal TCP scan with Nmap

Onix:~# nmap -p 5900 x.x.x.x

Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:52 ART
Interesting ports on x.x.x.x:
PORT     STATE  SERVICE
5900/tcp closed vnc

Nmap done: 1 IP address (1 host up) scanned in 0.361 seconds

But if I use telnet/nc on this port, they can connect:
Onix:~# telnet x.x.x.x 5900
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
RFB 003.003

^C
What? I can connect...
OK, I will perform a more detailed scan:

Onix:~# hping -S  -p 5900 x.x.x.x
HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=x.x.x.x ttl=56 id=16854 sport=5900 flags=RA seq=0 win=512
rtt=2.6 ms
^C
--- x.x.x.x hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.6/2.6/2.6 ms

This host returns a Reset/ACK, which would be fine if the port were closed,
but I can connect to it.

WINDOW SCAN:

Onix:~# nmap -sW -p 5900 x.x.x.x

Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:57 ART
Interesting ports on x.x.x.x:
PORT     STATE SERVICE
5900/tcp open  vnc

Nmap done: 1 IP address (1 host up) scanned in 0.051 seconds

OK, I will look at the TCP windows:
First I try to send a TCP packet with WIN=1

Onix:~# hping -S -w 1  -p 5900 x.x.x.x
HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1
rtt=7.8 ms
^C
--- x.x.x.x hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.8/7.8/7.8 ms

In most cases, shouldn't this host respond with its suggested window
size?

Then I sent the same with WIN=4096

Onix:~# hping -S -w 4096  -p 5900 x.x.x.x
HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1
rtt=7.8 ms
^C
--- x.x.x.x hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.8/7.8/7.8 ms


I can't understand this!
Any ideas?


--
---------------------------------------
-   Knowledge is power,          -
- and knowing makes us free.     -
----------------------------------
netvulcano.wordpress.com
Linux User #405757
Machine Linux #310536

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



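The step both posters describe, a full TCP connect followed by reading the RFB banner, as an added example that is not code from either poster. It does programmatically what `telnet x.x.x.x 5900` did in the original post: complete the three-way handshake (a connect scan, `nmap -sT`, rather than the half-open SYN probe that reported "closed"), read the 12-byte RFB ProtocolVersion string the server sends first, and answer with the client's version so the exchange is well-formed. Because the target in the thread is not available, a constructed in-process stub server that speaks `RFB 003.003` is included, and the closed-port case is produced by releasing an ephemeral local port; the host, ports and stub are assumptions for this example.

```python
"""Connect-level probe for a VNC/RFB port (added example, not from the thread).

A SYN scan judges a port by the reply to a bare SYN; this probe judges it by
whether a full connection is accepted and what the application says first.
"""
import re
import socket
import socketserver
import threading

# RFB 3.x ProtocolVersion message: exactly 12 bytes, "RFB xxx.yyy\n".
RFB_VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")
RFB_33_CLIENT_VERSION = b"RFB 003.003\n"  # version we reply with


def _recv_exact(sock, n):
    """Read exactly n bytes, or fewer if the peer closes the connection first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_rfb(host, port, timeout=3.0):
    """Classify host:port by a full TCP connect and return banner details.

    state: 'open'     - handshake completed (SYN/ACK came back)
           'closed'   - the SYN was answered with RST (ECONNREFUSED)
           'filtered' - no answer within the timeout
           'error'    - some other socket error (e.g. no route)
    """
    result = {"state": "filtered", "banner": b"", "version": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["state"] = "closed"
        return result
    except (socket.timeout, TimeoutError):
        return result
    except OSError:
        result["state"] = "error"
        return result
    with sock:
        result["state"] = "open"
        try:
            banner = _recv_exact(sock, 12)  # server speaks first in RFB
        except OSError:
            banner = b""
        result["banner"] = banner
        m = RFB_VERSION_RE.match(banner)
        if m:
            result["version"] = (int(m.group(1)), int(m.group(2)))
            # Finish the ProtocolVersion exchange instead of leaving the
            # server with a half-done handshake in its logs.
            sock.sendall(RFB_33_CLIENT_VERSION)
    return result


class _RFB33Stub(socketserver.BaseRequestHandler):
    """Constructed stand-in for the VNC server in the thread (RFB 3.3 only)."""

    def handle(self):
        self.request.sendall(b"RFB 003.003\n")
        try:
            self.request.settimeout(2.0)
            self.request.recv(12)  # client's ProtocolVersion reply
        except OSError:
            pass


def start_stub_server():
    """Start the stub on 127.0.0.1 on an ephemeral port; caller shuts it down."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _RFB33Stub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def unused_port():
    """Bind and release an ephemeral port: connecting to it afterwards gets
    the RST/ACK (hping's flags=RA) that a genuinely closed port answers with."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = start_stub_server()
    host, port = srv.server_address
    print("stub server", port, "->", probe_rfb(host, port))
    closed = unused_port()
    print("closed port", closed, "->", probe_rfb(host, closed))
    srv.shutdown()
    srv.server_close()
```

Against a real target, run this alongside `tcpdump -ni eth1 host x.x.x.x and port 5900` and compare the capture with one taken during `nmap -sS -p 5900 x.x.x.x`; if the connect probe reports `open` with an RFB banner while the SYN probe is answered with RST/ACK, the two captures show exactly which packet the device in front of the host treats differently.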

