Network mapping oddity

From: Yonatan Bokovza (Yonatan@xpert.com)
Date: Thu Mar 20 2003 - 13:28:42 EST


Hi all,
During the network mapping phase of a penetration test
I've run into something weird, and I'd like to hear
more opinions on this matter.

The target (xx.xx.xx.1) is a web server behind a
firewall (xx.xx.xx.2), 21 hops away. Between both of them
there is a filter that:
1. Replies with RST+ACK to SYN with TTL=20. The RST+ACK
source is of the tested target.
2. Ignores the fact that the TCP-checksum is wrong.

I'm aware of http://www.phrack.org/show.php?p=60&a=12
suggesting this is a load-balancer. What do you think?

At first I thought it might be an Air-Gap product, as
they disassemble and reassemble the TCP session. I then
found out a DNS server behind this filter, and I know
Air-Gap products don't handle UDP by default.

Please ignore the differences in TTL (in the first example,
for instance, 21!=128-109). This client has a BGP
connection and the incoming packets do not travel the same
path as the outgoing packets.

Best Regards,

Yonatan Bokovza
IT Security Consultant
Xpert Systems

Hping session follows:
#> hping -S -c 1 -p 80 -t 21 xx.xx.xx.1
HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
len=46 ip=xx.xx.xx.1 ttl=109 id=33493 sport=80 flags=SA seq=0 win=512 rtt=224.9 ms

--- xx.xx.xx.1 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 224.9/224.9/224.9 ms
#> hping -S -c 1 -p 80 -t 21 -b xx.xx.xx.1
HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
len=46 ip=xx.xx.xx.1 ttl=109 id=64110 sport=80 flags=SA seq=0 win=512 rtt=190.8 ms

--- xx.xx.xx.1 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 190.8/190.8/190.8 ms
#> hping -S -c 1 -p 80 -t 20 -b xx.xx.xx.1
HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
len=46 ip=xx.xx.xx.1 ttl=236 id=40067 sport=80 flags=RA seq=0 win=0 rtt=174.3 ms

--- xx.xx.xx.1 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 174.3/174.3/174.3 ms
#> hping -S -c 1 -p 80 -t 20 -b xx.xx.xx.1
HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes

--- xx.xx.xx.1 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
#> hping -S -c 1 -p 80 -t 19 xx.xx.xx.1
HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=xx.xx.xx.2 name=firewall.client.com

--- xx.xx.xx.1 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
#>
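As an added illustration (not part of the original post and not hping's own code), a small Python parser that pairs each hping command in the quoted session with the reply that followed it and infers, from reply TTL and TCP flags, the hop at which something other than the target answers using the target's address. The initial-TTL inference from the common stack defaults 64/128/255 is an assumption of the example, not something the post states.

```python
import re

# Constructed input: the command and reply lines of the hping session quoted
# above (the per-probe statistics lines are dropped; they carry no mapping data).
SESSION = """\
#> hping -S -c 1 -p 80 -t 21 xx.xx.xx.1
len=46 ip=xx.xx.xx.1 ttl=109 id=33493 sport=80 flags=SA seq=0 win=512 rtt=224.9 ms
#> hping -S -c 1 -p 80 -t 21 -b xx.xx.xx.1
len=46 ip=xx.xx.xx.1 ttl=109 id=64110 sport=80 flags=SA seq=0 win=512 rtt=190.8 ms
#> hping -S -c 1 -p 80 -t 20 -b xx.xx.xx.1
len=46 ip=xx.xx.xx.1 ttl=236 id=40067 sport=80 flags=RA seq=0 win=0 rtt=174.3 ms
#> hping -S -c 1 -p 80 -t 20 -b xx.xx.xx.1
#> hping -S -c 1 -p 80 -t 19 xx.xx.xx.1
TTL 0 during transit from ip=xx.xx.xx.2 name=firewall.client.com
"""

CMD_RE = re.compile(r"hping .*-t (\d+)( -b)? (\S+)")
REPLY_RE = re.compile(r"ip=(\S+) ttl=(\d+) .* flags=(\S+)")
EXPIRED_RE = re.compile(r"TTL 0 during transit from ip=(\S+)")

def likely_initial_ttl(ttl):
    """Smallest common stack default (64, 128, 255) the observed TTL fits under (assumption)."""
    return next(t for t in (64, 128, 255) if ttl <= t)

def parse_session(text):
    """Pair every hping command (probe TTL, -b flag, destination) with the reply that follows."""
    probes = []
    for line in text.splitlines():
        if m := CMD_RE.search(line):
            probes.append({"ttl": int(m[1]), "bad_csum": m[2] is not None, "dst": m[3], "reply": None})
        elif probes and (m := REPLY_RE.search(line)):
            probes[-1]["reply"] = {"src": m[1], "flags": m[3], "init_ttl": likely_initial_ttl(int(m[2]))}
        elif probes and (m := EXPIRED_RE.search(line)):
            probes[-1]["reply"] = {"src": m[1], "flags": "EXPIRED", "init_ttl": None}
    return probes

def find_interposed_responder(probes):
    """Return the probe TTL at which a reply uses the target's address but a different TCP
    answer and a different inferred initial TTL than the target's own SYN/ACK; else None."""
    real = next((p["reply"]["init_ttl"] for p in probes
                 if p["reply"] and p["reply"]["flags"] == "SA" and p["reply"]["src"] == p["dst"]), None)
    if real is None:
        return None
    for p in probes:
        r = p["reply"]
        if r and r["src"] == p["dst"] and r["flags"] != "SA" and r["init_ttl"] not in (None, real):
            return {"hop": p["ttl"], "flags": r["flags"], "init_ttl": r["init_ttl"], "target_init_ttl": real}
    return None
```

On the quoted session this reports hop 20 answering RST+ACK with an inferred initial TTL of 255, while the target's own SYN/ACK fits an initial TTL of 128, which is the mismatch the post describes.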




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:31 EDT