RE: traceroute interpretations, where is the firewall?

From: John Babio (jbabio@po-box.esu.edu)
Date: Tue Dec 12 2006 - 07:15:07 EST


Do you have any idea what the backend database is? There are a plethora
of MySQL and MSSQL 2000 tools available to find injections. For instance
the xp_cmd stuff for an MS box.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of sami seclist
Sent: Monday, December 11, 2006 3:32 PM
To: pen-test@securityfocus.Com
Subject: traceroute interpretations, where is the firewall?

Hi list,

I'm currently pen testing a website. I'm still in the first step,
trying to discover the network layout.
I sniffed the HTTP GET request packet, and according to the banner
it's a Windows 2000 server with IIS 5.
The TTL of the packet is 118 (the original TTL is then 128, so it's another
clue that the system is a Windows server).
Below are the TCP/UDP/ICMP traceroutes.
Things I'm sure of:
there is a firewall (great finding !)
FW is discarding inbound ICMP echo request but not outbound ICMP
destination unreachable (in udp traceroute)
I need your opinion about the following points:
I cannot find any plausible explanation for why the web server's TTL in
the UDP traceroute is 55 (is it some kind of cloaking?)
What do you think hop 10 in the ICMP traceroute is?
Is 192.168.0.94 a firewall?
I know that the firewall is a WatchGuard (social engineering); do you
think this can help (personally I don't know how; I didn't find any
exploitable vuln in public databases)?
I used standard Linux traceroute and tctrace. Any other suggestions
about tools to discover the firewall and its rules?

ICMP traceroute
 1 192.168.2.1 (192.168.2.1) 147.976 ms (64) 0.472 ms (64) 0.391 ms (64)
 2 192.168.169.1 (192.168.169.1) 19.389 ms (126) 26.403 ms (126) 19.812 ms (126)
 3 X.X.X.X 22.211 ms (252) 19.227 ms (252) 23.219 ms (252)
 4 X.X.X.X 21.274 ms (251) 25.580 ms (251) 18.337 ms (251)
 5 X.X.X.X 25.978 ms (250) 19.707 ms (250) 24.313 ms (250)
 6 X.X.X.X 30.838 ms (250) 26.228 ms (250) 29.696 ms (250)
 7 X.X.X.X 28.214 ms (249) 28.684 ms (249) 33.339 ms (249)
 8 X.X.X.X 97.799 ms (247) 28.246 ms (247) 30.445 ms (247)
 9 192.168.0.94 (not real address) 200.087 ms (247) 151.751 ms (247) 181.627 ms (247)
10 * * *
11 * * *

UDP traceroute
 1 192.168.2.1 (192.168.2.1) 1.297 ms (64) 0.855 ms (64) 0.529 ms (64)
 2 192.168.169.1 (192.168.169.1) 18.014 ms (126) 54.012 ms (126) 48.182 ms (126)
 3 X.X.X.X 47.598 ms (252) 77.360 ms (252) 19.444 ms (252)
 4 X.X.X.X 15.483 ms (251) 43.974 ms (251) 27.602 ms (251)
 5 X.X.X.X 37.405 ms (250) 14.281 ms (250) 17.060 ms (250)
 6 X.X.X.X 16.883 ms (250) 14.179 ms (250) 48.096 ms (250)
 7 X.X.X.X 55.970 ms (249) 14.518 ms (249) 17.161 ms (249)
 8 X.X.X.X 18.400 ms (247) 17.086 ms (247) 32.555 ms (247)
 9 192.168.0.94 (not real address) 89.282 ms (247) 164.469 ms (247) 87.946 ms (247)
10 192.168.98.3 (not real address) 192.122 ms (55) 228.251 ms (55) 193.657 ms (55)

TCP traceroute on port 80
 1(1) [192.168.2.1]
 2(1) [192.168.169.1]
 3(1) [X.X.X.X]
 4(3) [X.X.X.X]
 5(1) [X.X.X.X]
 6(1) [X.X.X.X]
 7(1) [X.X.X.X]
 8(1) [X.X.X.X]
 9(1) [192.168.0.94]
10(all) Timeout
11(1) [192.168.98.3] (reached; open)

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

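The numbers in parentheses in the traceroutes above are the TTLs of the reply packets, and they carry the information the original poster is asking about. The following is an added example, not code from the thread or from either poster: a Python script that parses the pasted UDP traceroute (re-joined one hop per line, a constructed sample taken from the poster's output), infers for each replying device the initial TTL it most plausibly started from (32, 64, 128 or 255, the values common IP stacks use), and counts how many decrements the reply suffered on its way back. It then compares the final hop's ICMP reply TTL (55, which fits an initial TTL of 64 with nine decrements) against the TTL the poster sniffed on the server's own HTTP reply packets (118, which fits 128 with ten decrements). Two different initial TTLs behind the same address is the usual sign that the ICMP port-unreachable was generated by a different IP stack than the one serving HTTP, for example a firewall or NAT device answering on the server's behalf. That is an inference, not a confirmed finding; the script only reports the mismatch. The name `HTTP_REPLY_TTL` and all function names are this example's own.

```python
import re

# Constructed sample input: the poster's UDP traceroute, one hop per line.
# Addresses were anonymised by the poster ("X.X.X.X", "not real address").
UDP_TRACEROUTE = """\
 1 192.168.2.1 (192.168.2.1) 1.297 ms (64) 0.855 ms (64) 0.529 ms (64)
 2 192.168.169.1 (192.168.169.1) 18.014 ms (126) 54.012 ms (126) 48.182 ms (126)
 3 X.X.X.X 47.598 ms (252) 77.360 ms (252) 19.444 ms (252)
 4 X.X.X.X 15.483 ms (251) 43.974 ms (251) 27.602 ms (251)
 5 X.X.X.X 37.405 ms (250) 14.281 ms (250) 17.060 ms (250)
 6 X.X.X.X 16.883 ms (250) 14.179 ms (250) 48.096 ms (250)
 7 X.X.X.X 55.970 ms (249) 14.518 ms (249) 17.161 ms (249)
 8 X.X.X.X 18.400 ms (247) 17.086 ms (247) 32.555 ms (247)
 9 192.168.0.94 (not real address) 89.282 ms (247) 164.469 ms (247) 87.946 ms (247)
10 192.168.98.3 (not real address) 192.122 ms (55) 228.251 ms (55) 193.657 ms (55)
"""

# TTL the poster saw on the web server's HTTP reply packets (assumed constant
# name for this example).
HTTP_REPLY_TTL = 118

# Initial TTLs used by common IP stacks (64: Linux/BSD, 128: Windows,
# 255: many routers/embedded stacks). A reply TTL is never above its initial.
INITIAL_TTLS = (32, 64, 128, 255)

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")   # hop number and first address token
TTL_RE = re.compile(r"\((\d+)\)")           # the "(64)" fields: reply packet TTL


def guess_initial_ttl(observed):
    """Smallest common initial TTL that the observed reply TTL fits under."""
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial
    raise ValueError(f"TTL {observed} is not a valid IPv4 TTL")


def return_distance(observed):
    """Number of TTL decrements the reply suffered coming back to us."""
    return guess_initial_ttl(observed) - observed


def parse_hops(text):
    """Parse traceroute lines into per-hop records; '* * *' rows are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ttls = [int(t) for t in TTL_RE.findall(line)]
        if not ttls:  # no reply for any probe, nothing to infer
            continue
        hops.append({
            "hop": int(m.group(1)),
            "addr": m.group(2),
            "reply_ttls": ttls,
            "initial_ttl": guess_initial_ttl(ttls[0]),
            "return_distance": return_distance(ttls[0]),
            # probes answered with different TTLs suggest more than one device
            # (e.g. a load balancer) behind the same hop
            "consistent": len(set(ttls)) == 1,
        })
    return hops


def same_stack(ttl_a, ttl_b):
    """True if both reply TTLs are consistent with the same initial TTL.

    Different initial TTLs for packets that appear to come from one address
    usually mean another device (firewall, NAT, load balancer) is answering
    for it.
    """
    return guess_initial_ttl(ttl_a) == guess_initial_ttl(ttl_b)


def report(text=UDP_TRACEROUTE, http_ttl=HTTP_REPLY_TTL):
    """Print the per-hop inference and flag a stack mismatch at the last hop."""
    hops = parse_hops(text)
    for h in hops:
        flag = "" if h["consistent"] else "  <- probes answered with different TTLs"
        print(f"hop {h['hop']:2d} {h['addr']:16s} reply TTL {h['reply_ttls'][0]:3d} "
              f"-> initial {h['initial_ttl']:3d}, {h['return_distance']} decrements back{flag}")
    last = hops[-1]
    if not same_stack(last["reply_ttls"][0], http_ttl):
        print(f"final hop {last['addr']}: ICMP reply implies initial TTL "
              f"{last['initial_ttl']}, HTTP reply TTL {http_ttl} implies "
              f"{guess_initial_ttl(http_ttl)}: likely a different stack "
              "(firewall/NAT) generating the ICMP")
    return hops


if __name__ == "__main__":
    report()
```

Note that the return distance is measured on the reverse path, so it need not equal the forward hop number: hops 5 and 6 above both come back with 250, and hops 8 and 9 with 247, which is what asymmetric routing looks like in this view.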

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:26 EDT