Strange replies on closed port

From: thomas springer (tuevsec@gmx.net)
Date: Sun Jan 29 2006 - 14:53:13 EST


Hi,

Nmap 3.999 is out! - with a "--badsum"-option like it is described in
http://www.phrack.org/phrack/60/p60-0x0c.txt - have a look at the
release notes.
As a brave pen-tester I took hping2 to fiddle around and check the basic
statements of the ancient phrack-article.
What I expected to find was:

Connecting to a closed Port w/o Firewall: Target sends back an RST
Connecting to a closed Port with Firewall: Target drops packet, nothing
happens.
But it seems that things are more complicated. I tried

hping -S -c 1 -p 1 www.hostname.com (a simple TCP-Syn on Port 1, which
I consider closed everywhere) shows that
a) many hosts drop the packet as expected
b) some hosts respond as expected "len=46 ip=000.67.41.130 ttl=48
id=29443 sport=1 flags=RA seq=0 win=512 rtt=25.0 ms"
c) some hosts respond with ICMP: "ICMP Port Unreachable from
ip=000.227.127.227 name=<name of target>"
d) one host responds strangely, like "ICMP Packet filtered from
ip=000.94.95.253 name=<router 1 hop before the server>"

a and b seem to be clear:
a: firewalled host
b: non-firewalled host

c and d are a bit strange: Who is responding with the icmp-messages: the
target-host or a packetfilter? Especially the hping-message in d
confuses me a bit.
What should be the default behaviour for an ip-stack if it gets a SYN on
a closed Port?

A bit confused,

tom
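An added example (not from the original post, and not hping's or Nmap's own code): a small Python classifier that reads hping2-style reply lines like the four cases above and maps each to the Nmap-style port state ("closed" for an RST, "filtered" for silence or an ICMP unreachable). It also uses the source address of the reply to answer the "who is responding" question: a reply from the target address comes from the target's own stack or host firewall, a reply from any other address comes from a device on the path. The sample lines and the 192.0.2.x addresses are constructed, and the mapping from hping's ICMP message text to ICMP type 3 codes is my assumption from hping2's message table.

```python
"""Classify hping2-style replies to one TCP SYN sent to a port believed closed.

Background (RFC 793): a reachable TCP stack answers a SYN to a closed port
with RST/ACK. Anything else (silence, ICMP unreachable) means some policy
device or host firewall intervened, which Nmap reports as "filtered".
"""
import re

# Constructed sample replies in hping2's output format (placeholder addresses).
TARGET = "192.0.2.10"
SAMPLE_REPLIES = {
    "a": "",  # no reply at all (hping times out)
    "b": "len=46 ip=192.0.2.10 ttl=48 id=29443 sport=1 flags=RA seq=0 win=512 rtt=25.0 ms",
    "c": "ICMP Port Unreachable from ip=192.0.2.10 name=target.example",
    "d": "ICMP Packet filtered from ip=192.0.2.1 name=router.example",
}

# Assumed mapping of hping2's ICMP destination-unreachable text to type 3 codes.
ICMP_UNREACH_CODES = {
    "Network Unreachable": 0,
    "Host Unreachable": 1,
    "Protocol Unreachable": 2,
    "Port Unreachable": 3,
    "Packet filtered": 13,  # "communication administratively prohibited"
}

TCP_RE = re.compile(r"ip=(?P<ip>\S+).*?flags=(?P<flags>[A-Z]+)")
ICMP_RE = re.compile(r"ICMP (?P<msg>.+?) from ip=(?P<ip>\S+)")


def classify(reply: str, target_ip: str) -> dict:
    """Return Nmap-style state, who answered, and a one-line diagnosis."""
    reply = reply.strip()
    if not reply:
        return {"state": "filtered", "responder": None, "icmp_code": None,
                "reason": "no reply: SYN dropped silently (DROP rule or loss)"}

    icmp = ICMP_RE.search(reply)
    if icmp:
        code = ICMP_UNREACH_CODES.get(icmp.group("msg"))
        from_target = icmp.group("ip") == target_ip
        responder = "target" if from_target else "intermediate hop"
        if from_target:
            # A bare stack would have sent RST; an ICMP error from the target
            # itself points at a host firewall REJECT rule on that machine.
            reason = "ICMP from target: host firewall rejected the SYN"
        else:
            reason = "ICMP from another address: a router or firewall on the path rejected the SYN"
        return {"state": "filtered", "responder": responder,
                "icmp_code": code, "reason": reason}

    tcp = TCP_RE.search(reply)
    if tcp and "R" in tcp.group("flags"):
        from_target = tcp.group("ip") == target_ip
        responder = "target" if from_target else "intermediate hop"
        reason = ("RST from target: closed port on a reachable stack (RFC 793)"
                  if from_target else
                  "RST from another address: injected by an inline device")
        return {"state": "closed", "responder": responder,
                "icmp_code": None, "reason": reason}

    if tcp and "S" in tcp.group("flags") and "A" in tcp.group("flags"):
        return {"state": "open", "responder": "target", "icmp_code": None,
                "reason": "SYN/ACK: the port is actually listening"}

    return {"state": "unknown", "responder": None, "icmp_code": None,
            "reason": "unrecognised reply format"}


if __name__ == "__main__":
    for label, line in SAMPLE_REPLIES.items():
        result = classify(line, TARGET)
        print(f"{label}: {result['state']:8} {result['responder']!s:16} {result['reason']}")
```

Run as a script to see the four cases from the post classified; the point of the `responder` field is that the ICMP source address, not the message text, tells you whether the target host or a box in front of it rejected the packet.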




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:25 EDT