Re: traceroute interpretations, where is the firewall ?

From: sami seclist (sg.seclists@gmail.com)
Date: Tue Dec 12 2006 - 15:53:17 EST


Hi all,

I finally found answers to my questions thanks to an intensive manual
study of the returned packets' TTLs (by the way, is there a tool that can
do it automatically?).
In the TCP traceroute to port 80, we can be sure that it's the web
server that replied with a SYN/ACK whose TTL is about 120. I assume
there isn't any kind of layer 3 cloaking that forged the TTL, so it's
a Windows 2000 box.
In the UDP traceroute, the last hop replied with a packet TTL of 57,
so it cannot be the same box. The returned packet is an ICMP port
unreachable packet, so this must be the firewall, and it rejected the
incoming packet.
And finally, 192.168.0.94 is the router, because it replied with an
ICMP time exceeded packet whose TTL is about 248 (maybe Cisco).
So hop 9 is the router, hop 10 the firewall and hop 11 the web server.

About the proposed tools:
SinFP and lft: I didn't know these two; they seem interesting to test in my next audit.
firewalk: I tried it once some time ago, but I didn't like it as I
didn't really understand what exactly it does.
scapy: I discovered this tool during the last audit and promised
myself to test it, but I still haven't.
ftest: one must have two hosts, one inside and the other outside; not
suitable here.
hping and tcptraceroute (or tctrace): excellent tools.

Although I don't know all the tools above, I don't think they will
automate the reasoning I did with TTLs. If such a tool doesn't already
exist, I think it would be useful to the community to develop it ...

John, I will focus on application level audit tomorrow ...

Sami.

2006/12/12, John Babio <jbabio@po-box.esu.edu>:
> Do you have any idea what the backend database is? There are a plethora
> of MySQL and MS SQL 2000 tools available to find injections. For instance
> the xp_cmd stuff for an MS box.
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of sami seclist
> Sent: Monday, December 11, 2006 3:32 PM
> To: pen-test@securityfocus.Com
> Subject: traceroute interpretations, where is the firewall ?
>
> Hi list,
>
> I'm currently pen testing a website. I'm still in the first step,
> trying to discover the network layout.
> I sniffed the HTTP GET request packet, and according to the banner
> it's a Windows 2000 server with IIS 5.
> The TTL of the packet is 118 (the original TTL is then 128, so it's another
> clue that the system is a Windows server).
> Below are the TCP/UDP/ICMP traceroutes.
> Things I'm sure of:
> there is a firewall (great finding!)
> the FW is discarding inbound ICMP echo requests but not outbound ICMP
> destination unreachable (in the UDP traceroute)
> I need your opinion about the following points:
> I cannot find any plausible explanation of why the web server's TTL in
> the UDP traceroute is 55 (is it some kind of cloaking?)
> what do you think hop 10 in the ICMP traceroute is?
> is 192.168.0.94 a firewall?
> I know that the firewall is a WatchGuard (social engineering); do you
> think this can help (personally I don't know how, I didn't find any
> exploitable vuln in public databases)?
> I used standard Linux traceroute and tctrace. Any other suggestions
> about tools to discover the firewall and its rules?
>
>
>
>
> ICMP traceroute
> 1 192.168.2.1 (192.168.2.1) 147.976 ms (64) 0.472 ms (64) 0.391 ms (64)
> 2 192.168.169.1 (192.168.169.1) 19.389 ms (126) 26.403 ms (126) 19.812 ms (126)
> 3 X.X.X.X 22.211 ms (252) 19.227 ms (252) 23.219 ms (252)
> 4 X.X.X.X 21.274 ms (251) 25.580 ms (251) 18.337 ms (251)
> 5 X.X.X.X 25.978 ms (250) 19.707 ms (250) 24.313 ms (250)
> 6 X.X.X.X 30.838 ms (250) 26.228 ms (250) 29.696 ms (250)
> 7 X.X.X.X 28.214 ms (249) 28.684 ms (249) 33.339 ms (249)
> 8 X.X.X.X 97.799 ms (247) 28.246 ms (247) 30.445 ms (247)
> 9 192.168.0.94 (not real address) 200.087 ms (247) 151.751 ms (247) 181.627 ms (247)
> 10 * * *
> 11 * * *
>
> UDP traceroute
> 1 192.168.2.1 (192.168.2.1) 1.297 ms (64) 0.855 ms (64) 0.529 ms (64)
> 2 192.168.169.1 (192.168.169.1) 18.014 ms (126) 54.012 ms (126) 48.182 ms (126)
> 3 X.X.X.X 47.598 ms (252) 77.360 ms (252) 19.444 ms (252)
> 4 X.X.X.X 15.483 ms (251) 43.974 ms (251) 27.602 ms (251)
> 5 X.X.X.X 37.405 ms (250) 14.281 ms (250) 17.060 ms (250)
> 6 X.X.X.X 16.883 ms (250) 14.179 ms (250) 48.096 ms (250)
> 7 X.X.X.X 55.970 ms (249) 14.518 ms (249) 17.161 ms (249)
> 8 X.X.X.X 18.400 ms (247) 17.086 ms (247) 32.555 ms (247)
> 9 192.168.0.94 (not real address) 89.282 ms (247) 164.469 ms (247) 87.946 ms (247)
> 10 192.168.98.3 (not real address) 192.122 ms (55) 228.251 ms (55) 193.657 ms (55)
>
> TCP traceroute on port 80
> 1(1) [192.168.2.1]
> 2(1) [192.168.169.1]
> 3(1) [X.X.X.X]
> 4(3) [X.X.X.X]
> 5(1) [X.X.X.X]
> 6(1) [X.X.X.X]
> 7(1) [X.X.X.X]
> 8(1) [X.X.X.X]
> 9(1) [192.168.0.94]
> 10(all) Timeout
> 11(1) [192.168.98.3] (reached; open)
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
> 00000008bOW
> ------------------------------------------------------------------------
>
>

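Sami asks whether a tool can automate the TTL reasoning he did by hand (hop 9 answering with a 255-based TTL, the UDP last hop with a 64-based TTL, the web server with a 128-based TTL). The following is an added example, not code posted by anyone in this thread: it parses Linux traceroute output that prints the reply TTL in parentheses, maps each observed TTL to the nearest common initial TTL (32/64/128/255), reports the implied return-path length and an OS-family hint, and checks whether two replies can have come from the same IP stack. The traceroute text and the SYN/ACK TTL of 118 are constructed from the figures posted above (with the same placeholder addresses); the OS hints are generic heuristics, not a fingerprint database.

```python
"""Reason about the origin of traceroute replies from their IP TTL values.

Every IP stack starts its packets at a fixed initial TTL (32, 64, 128 or
255 are the common defaults). The TTL we observe is that initial value
minus the number of routers on the return path, so:
  (a) the smallest common initial TTL >= observed is the likely starting
      value and hints at the OS family, and
  (b) two replies implying different initial TTLs cannot come from the
      same IP stack, however close their hop numbers are.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Common initial TTLs and the families that typically use them
# (heuristic hints, assumed for this example, not a fingerprint DB).
INITIAL_TTLS = {
    32: "old Windows 9x / some embedded stacks",
    64: "Linux, *BSD, macOS, many firewall appliances",
    128: "Windows NT/2000/XP and later",
    255: "Cisco IOS, Solaris, many routers",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")          # "9 192.168.0.94 ..."
PROBE_RE = re.compile(r"([\d.]+)\s+ms\s+\((\d+)\)")  # "89.282 ms (247)"


@dataclass
class Hop:
    number: int
    address: str
    ttls: list = field(default_factory=list)

    def observed_ttl(self) -> Optional[int]:
        # Probes answered by one device normally share a TTL; take the max
        # so a single extra decrement on one probe does not mislead us.
        return max(self.ttls) if self.ttls else None


def infer_initial_ttl(observed: int) -> int:
    """Smallest common initial TTL that is >= the observed TTL."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial
    raise ValueError(f"TTL {observed} out of range")


def parse_traceroute(text: str) -> list:
    """Parse Linux traceroute output with reply TTLs in parentheses.
    Mail-wrapped continuation lines are folded into the current hop;
    hops that never answered ('* * *') are dropped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:  # a new hop line (continuations start with an RTT like "87.946")
            hops.append(Hop(int(m.group(1)), m.group(2)))
        if hops:
            hops[-1].ttls.extend(int(ttl) for _, ttl in PROBE_RE.findall(line))
    return [h for h in hops if h.ttls]


def describe(hop: Hop) -> dict:
    observed = hop.observed_ttl()
    initial = infer_initial_ttl(observed)
    return {
        "hop": hop.number,
        "address": hop.address,
        "observed_ttl": observed,
        "initial_ttl": initial,
        "return_hops": initial - observed,   # routers on the path back to us
        "os_hint": INITIAL_TTLS[initial],
    }


def same_stack(ttl_a: int, ttl_b: int) -> bool:
    """Could two replies come from the same IP stack? Only if they imply the
    same initial TTL (necessary, not sufficient)."""
    return infer_initial_ttl(ttl_a) == infer_initial_ttl(ttl_b)


# Constructed sample modelled on the UDP traceroute posted in the thread,
# including the mail wrapping; addresses are the thread's placeholders.
UDP_TRACE = """\
 1 192.168.2.1 (192.168.2.1) 1.297 ms (64) 0.855 ms (64) 0.529 ms (64)
 8 X.X.X.X 18.400 ms (247) 17.086 ms (247) 32.555 ms (247)
 9 192.168.0.94 (not real address) 89.282 ms (247) 164.469 ms (247)
87.946 ms (247)
10 192.168.98.3 (not real address) 192.122 ms (55) 228.251 ms (55)
193.657 ms (55)
"""
WEB_SYNACK_TTL = 118  # constructed: TTL seen on the web server's SYN/ACK


def analyse(trace: str, synack_ttl: int) -> dict:
    """Classify each responding hop and decide whether the last traceroute
    responder can be the host that completed the TCP handshake."""
    hops = [describe(h) for h in parse_traceroute(trace)]
    last = hops[-1]
    return {
        "hops": hops,
        "web_server_initial_ttl": infer_initial_ttl(synack_ttl),
        "last_hop_is_web_server": same_stack(last["observed_ttl"], synack_ttl),
    }


if __name__ == "__main__":
    result = analyse(UDP_TRACE, WEB_SYNACK_TTL)
    for h in result["hops"]:
        print(f"hop {h['hop']:>2} {h['address']:<13} ttl={h['observed_ttl']:>3} "
              f"initial={h['initial_ttl']:>3} back={h['return_hops']:>2}  {h['os_hint']}")
    print("last UDP responder shares a stack with the web server:",
          result["last_hop_is_web_server"])
```

Run against the constructed trace, hop 9 comes out as 255-based (router-like), hop 10 as 64-based, and the SYN/ACK as 128-based, so the UDP last hop and the web server are reported as different stacks. The nearest-initial rule assumes return paths of well under 30 hops, and it is defeated by middleboxes that rewrite TTL or by a NAT or firewall that generates the ICMP error itself; treat the output as a hypothesis to confirm with other probes, not as proof.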



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:26 EDT