From: Mambo Dsouza (mamboz@gmail.com)
Date: Wed Sep 15 2004 - 12:30:49 EDT
try running nc in verbose mode instead of stunnel and then send the get request.
The get request also has more options which you can use...I think
instead of relying on tools..manual techniques give you a much better
output which you can rely on....
There are certain cases where Nmap detected 2003 as Linux also..so
dont trust blindly..
and try to connect to that port using browser also..and see whts
happening..which can give you some more inputs or ideas..
Cheers
Mambo
On Wed, 15 Sep 2004 14:36:14 +0400, Shashank Rai
<shashrai@emirates.net.ae> wrote:
> Hi all,
>
> I observed the following during a pentest i am doing:
>
> 1) A port scan of the TARGET_IP (using nmap 3.7 with -sS, -sV and OS
> identification), shows port 2443 open and remaining ports as "closed".
> 2) Nmap fails to identify the OS but identifies the service as
> "Microsoft Distributed Transaction Server".
> 3) The interesting (and strange) part comes from here on. A
> tcptraceroute to port 2443 on the TARGET_IP, showed RST/ACK packets
> coming back. To further investigate this, i started sending packets by
> manually increasing the ttl. I obtained the following results:
>
> SYN packet to port 2443, ttl 7 (last but one hop from target) sends
> RST/ACK....
>
> hping2 -S -V -n -c 1 -p 2443 -t 7 TARGET_IP
> using eth0, addr: MY_IP, MTU: 1500
> S set, 40 headers + 0 data bytes
>
> len=46 ip=TARGET_IP ttl=249 id=40109 tos=0 iplen=40
> sport=2443 flags=RA seq=0 win=0 rtt=6.3 ms
> seq=80210401 ack=1098187429 sum=ec0b urp=0
>
> --- TARGET_IP hping statistic ---
> 1 packets tramitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 6.3/6.3/6.3 ms
>
> ==========================================================================
>
> SYN packet to port 2443 ttl 8 (TARGET IP) gives SYN/ACK ..expected
> response.......
>
> hping2 -S -V -n -c 1 -p 2443 -t 8 TARGET_IP
> using eth0, addr: MY_IP, MTU: 1500
> S set, 40 headers + 0 data bytes
> len=46 ip=TARGET_IP ttl=122 id=16401 tos=0 iplen=44
> sport=2443 flags=SA seq=0 win=16384 rtt=6.1 ms
> seq=416937317 ack=1244107777 sum=61fe urp=0
>
> --- TARGET_IP hping statistic ---
> 1 packets tramitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 6.1/6.1/6.1 ms
>
> ===========================================================================
>
> SYN packet to port 25 (closed port) ttl 7 and there is NO response....
>
> hping2 -S -V -n -c 1 -p 25 -t 7 TARGET_IP
> using eth0, addr: MY_IP, MTU: 1500
> S set, 40 headers + 0 data bytes
>
> --- TARGET_IP hping statistic ---
> 1 packets tramitted, 0 packets received, 100% packet loss
> round-trip min/avg/max = 0.0/0.0/0.0 ms
>
> ===========================================================================
>
> SYN packet to port 25 ttl 8 ... NO RESPONSE.
>
> hping2 -S -V -n -c 1 -p 25 -t 8 TARGET_IP
> using eth0, addr: MY_IP, MTU: 1500
> S set, 40 headers + 0 data bytes
>
> --- TARGET_IP hping statistic ---
> 1 packets tramitted, 0 packets received, 100% packet loss
> round-trip min/avg/max = 0.0/0.0/0.0 ms
>
> ===========================================================================
>
> also note that the packets with ttl 7 still come back with TARGET IP,
> implying that remote system is spoofing the IP. Even the difference in
> ttl and IPID of incoming packets indicates different systems are sending
> the response.
>
> My questions:
> a) any idea what kind of filtering system can this be
> b) is it possible to determine the IP of the 7th HOP.
>
> The nature of the service i am testing requires users to connect using a
> client certificate. I connect to port 2443 using stunnel and the client
> certificate supplied to me for the test. Now i send a GET / HTTP/1.0
> request. The response that comes back is HTTP 403 and the server string
> is "Apache-Coyote/1.1" .... in contradiction to what nmap detected as a
> service. Any clues as to what is *Really* running on port 2443. Amap
> returns nothing :(
>
> TIA
>
> cheers,
> --
> shashank
>
> <--
> Here is the Packet that was fragmented and has been assembled again.
> (with apologies to JRR Tolkien :)
> -->
>
> ------------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. All of our class sizes are
> guaranteed to be 12 students or less to facilitate one-on-one interaction
> with one of our expert instructors. Check out our Advanced Hacking course,
> learn to write exploits and attack security infrastructure. Attend a course
> taught by an expert instructor with years of in-the-field pen testing
> experience in our state of the art hacking lab. Master the skills of an
> Ethical Hacker to better assess the security of your organization.
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> -------------------------------------------------------------------------------
>
>
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT