From: Shashank Rai (shashrai@emirates.net.ae)
Date: Wed Sep 15 2004 - 06:36:14 EDT
Hi all,
I observed the following during a pentest i am doing:
1) A port scan of the TARGET_IP (using nmap 3.7 with -sS, -sV and OS
identification), shows port 2443 open and remaining ports as "closed".
2) Nmap fails to identify the OS but identifies the service as
"Microsoft Distributed Transaction Server".
3) The interesting (and strange) part comes from here on. A
tcptraceroute to port 2443 on the TARGET_IP, showed RST/ACK packets
coming back. To further investigate this, i started sending packets by
manually increasing the ttl. I obtained the following results:
SYN packet to port 2443, ttl 7 (last but one hop from target) sends
RST/ACK....
hping2 -S -V -n -c 1 -p 2443 -t 7 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes
len=46 ip=TARGET_IP ttl=249 id=40109 tos=0 iplen=40
sport=2443 flags=RA seq=0 win=0 rtt=6.3 ms
seq=80210401 ack=1098187429 sum=ec0b urp=0
--- TARGET_IP hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 6.3/6.3/6.3 ms
==========================================================================
SYN packet to port 2443 ttl 8 (TARGET IP) gives SYN/ACK ..expected
response.......
hping2 -S -V -n -c 1 -p 2443 -t 8 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes
len=46 ip=TARGET_IP ttl=122 id=16401 tos=0 iplen=44
sport=2443 flags=SA seq=0 win=16384 rtt=6.1 ms
seq=416937317 ack=1244107777 sum=61fe urp=0
--- TARGET_IP hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 6.1/6.1/6.1 ms
===========================================================================
SYN packet to port 25 (closed port) ttl 7 and there is NO response....
hping2 -S -V -n -c 1 -p 25 -t 7 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes
--- TARGET_IP hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
===========================================================================
SYN packet to port 25 ttl 8 ... NO RESPONSE.
hping2 -S -V -n -c 1 -p 25 -t 8 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes
--- TARGET_IP hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
===========================================================================
also note that the packets with ttl 7 still come back with TARGET IP,
implying that remote system is spoofing the IP. Even the difference in
ttl and IPID of incoming packets indicates different systems are sending
the response.
My questions:
a) any idea what kind of filtering system can this be
b) is it possible to determine the IP of the 7th HOP.
The nature of the service i am testing requires users to connect using a
client certificate. I connect to port 2443 using stunnel and the client
certificate supplied to me for the test. Now i send a GET / HTTP/1.0
request. The response that comes back is HTTP 403 and the server string
is "Apache-Coyote/1.1" .... in contradiction to what nmap detected as a
service. Any clues as to what is *Really* running on port 2443. Amap
returns nothing :(
TIA
cheers,
--
shashank
<--
Here is the Packet that was fragmented and has been assembled again.
(with apologies to JRR Tolkien :)
-->
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT