Re: All tcp ports open?

From: nathan@ccc-ltd.com
Date: Wed Sep 01 2004 - 10:44:15 EDT


Looks suspiciously like a FW1 syndefender in relay mode, here are some
(brief and probably inaccurate) notes that I made a while back. It all boils
down to TTLs if you want to scan hosts behind it.

Hope this points you in the right direction;

Notes:

you will always get a spoofed syn/ack from the firewall (when unfiltered).

If the firewall is rejecting the port you will get a reset without a synack.

If the machine is not there, rst will appear (after arp? timeout) to have the
same ttl as the firewall. (i.e. the same as the spoofed syn/ack sent back to
the client).

A reset should happen if the firewall is Rejecting the connection (i.e.
resetting it).

If the machine is there but port closed, rst will have a different ttl from the
initial syn/ack of the firewall.

If the machine is there but port open:
        If there is no data waiting, FIN the server and look for ACK FIN.
        
        If there is data waiting for you, you will get an ack + data, it might be
        prudent to fin the connection.

If the machine is there but filtered by the firewall, the firewall will
successfully syn/ack from server on its behalf, the ack coming back from the
server however will be blocked and the client will be stuck retransmitting ack
until client timeout.

More detailed information:

http://www.phoneboy.com/bin/view.pl/FAQs/SynDefender

regards,

Nathan

-- 
Computer Crime Consultants Ltd
http://www.ccc-ltd.com
Support the fight against software patents:
http://petition.eurolinux.org
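
The decision rules in the notes above, written out as an added example (not part of the original message): a classifier over replies already captured for one probed port. The `Pkt` record, the state names and the sample TTL values are constructed for illustration, and exact TTL equality with the spoofed SYN/ACK is assumed as the test, as the notes describe.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Pkt:                      # hypothetical record of one reply seen by the client
    flags: str                  # TCP flags, e.g. "SA", "R", "PA", "FA"
    ttl: int                    # IP TTL as received
    payload_len: int = 0

def classify(replies: List[Pkt], sent_fin: bool = False, timed_out: bool = False) -> str:
    """Apply the notes' rules to the replies captured for one probed port."""
    synack = next((p for p in replies if p.flags == "SA"), None)
    if synack is None:
        # A reset with no SYN/ACK before it: the firewall itself rejects the port.
        return "rejected-by-firewall" if any("R" in p.flags for p in replies) else "no-response"
    fw_ttl = synack.ttl         # the relay's spoofed SYN/ACK carries the firewall's TTL
    for p in replies[replies.index(synack) + 1:]:
        if "R" in p.flags:
            # Same TTL as the spoofed SYN/ACK: the firewall sent the reset, no host answered.
            # Different TTL: the reset came from a real host, so the port is closed there.
            return "host-absent" if p.ttl == fw_ttl else "host-up-port-closed"
        if "A" in p.flags and p.payload_len > 0:
            return "open-data-waiting"
        if sent_fin and "F" in p.flags and "A" in p.flags:
            return "open-no-data"
    # SYN/ACK from the relay, then silence while the client retransmits its ACK.
    return "filtered-behind-relay" if timed_out else "undetermined"

# Constructed observations: firewall replies arrive with TTL 60, the host's with TTL 124.
SAMPLES = {
    "rejected":  ([Pkt("R", 60)], {}),
    "absent":    ([Pkt("SA", 60), Pkt("R", 60)], {}),
    "closed":    ([Pkt("SA", 60), Pkt("R", 124)], {}),
    "open+data": ([Pkt("SA", 60), Pkt("PA", 124, 22)], {}),
    "open":      ([Pkt("SA", 60), Pkt("FA", 124)], {"sent_fin": True}),
    "filtered":  ([Pkt("SA", 60)], {"timed_out": True}),
}

if __name__ == "__main__":
    for name, (replies, kw) in SAMPLES.items():
        print(f"{name:10s} -> {classify(replies, **kw)}")
```
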

