[fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port
From: Martin Mačok (martin.macok_at_underground.cz)
Date: 01/10/05
- Previous message: Joshua Thomas: "RE: [fw-wiz] External Load Balancing"
- Next in thread: Smith, Aaron: "RE: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port"
- Maybe reply: Smith, Aaron: "RE: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port"
- Reply: L Cubed: "Re: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port"
- Reply: L Cubed: "Re: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port"
- Maybe reply: Martin Mačok: "Re: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com Date: Mon, 10 Jan 2005 20:47:21 +0100
During a penetration test I've come around something which seems to be
a Cisco PIX 6.x device (TCP/IP OS fingerprint, ike-scan). It has
single one open tcp port 1723 (pptp) and udp port 500 (isakmp). The
rest of ports are filtered.
The strange thing happens when I send a SYN+ACK packet to the open
port (1723/tcp). The device replies back with SYN+ACK too (with a new
TCP ISN). My guess is that it just ignores the ACK flag in the first
SYN packet but in any case, it could have serious consequences.
I want to know if this is common behaviour or a specific problem.
Please, could you test sending SYN+ACK probe against an open port on
your PIX boxes and drop me a note what happens in your case? Do you
get (a) nothing (b) ICMP unreachable (c) RST or (d) SYN+ACK reply?
Howto:
% hping2 -S -A -c 1 -p <open_tcp_port> <pix>
Or send me your PIX's IP:port privately if it is accessible from the
Internet and I will test it by myself. (Just a few packets, absolutely
harmless)
Thank you
Martin Mačok
ICT Security Consultant
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Joshua Thomas: "RE: [fw-wiz] External Load Balancing"
- Next in thread: Smith, Aaron: "RE: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port"
- Maybe reply: Smith, Aaron: "RE: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port"
- Reply: L Cubed: "Re: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port"
- Reply: L Cubed: "Re: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port"
- Maybe reply: Martin Mačok: "Re: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
