[fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port

From: Martin Mačok (martin.macok_at_underground.cz)
Date: 01/10/05

  • Next message: Aravinda babu: "[fw-wiz] Regarding ICSA certification"
    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 10 Jan 2005 20:47:21 +0100
    
    

    During a penetration test I've come across something which seems to be
    a Cisco PIX 6.x device (TCP/IP OS fingerprint, ike-scan). It has a
    single open TCP port, 1723 (pptp), and UDP port 500 (isakmp). The
    rest of the ports are filtered.

    The strange thing happens when I send a SYN+ACK packet to the open
    port (1723/tcp). The device replies with SYN+ACK too (with a new
    TCP ISN). My guess is that it just ignores the ACK flag in the first
    SYN packet, but in any case it could have serious consequences.

    I want to know if this is common behaviour or a specific problem.

    Please, could you test sending a SYN+ACK probe against an open port on
    your PIX boxes and drop me a note about what happens in your case? Do you
    get (a) nothing, (b) ICMP unreachable, (c) RST or (d) a SYN+ACK reply?

    Howto:
    % hping2 -S -A -c 1 -p <open_tcp_port> <pix>

    Or send me your PIX's IP:port privately if it is accessible from the
    Internet and I will test it myself. (Just a few packets, absolutely
    harmless.)

    Thank you

    Martin Mačok
    ICT Security Consultant
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
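Added example (not part of Martin's message or of any PIX tooling): a small classifier that maps the reply seen after a SYN+ACK probe onto the four outcomes asked about above, (a) nothing, (b) ICMP unreachable, (c) RST, (d) SYN+ACK, by parsing raw IPv4/TCP/ICMP headers. The packets, addresses and source port are constructed inline for illustration, not captured from any device.

```python
import struct
from typing import Optional

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

def _ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero) in front of payload.
    Addresses are constructed documentation values (192.0.2.x)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

def _tcp(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header; flags holds the low 6 bits (URG ACK PSH RST SYN FIN)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)

def classify_response(packet: Optional[bytes], probed_port: int) -> str:
    """Return 'nothing', 'icmp-unreachable', 'rst', 'syn-ack' or 'other' for the
    reply (or lack of one) to a SYN+ACK probe sent to probed_port."""
    if packet is None:
        return "nothing"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    l4 = packet[ihl:]
    if proto == 1:                        # ICMP: type 3 is Destination Unreachable
        return "icmp-unreachable" if l4[0] == 3 else "other"
    if proto == 6:                        # TCP
        sport, _dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", l4[:14])
        if sport != probed_port:          # reply must come from the probed port
            return "other"
        if flags & TCP_RST:
            return "rst"
        if flags & TCP_SYN and flags & TCP_ACK:
            return "syn-ack"
    return "other"

# Constructed sample replies for the four cases in the post (probe source port 40000).
NO_REPLY = None
ICMP_UNREACH = _ipv4(1, bytes([3, 13, 0, 0, 0, 0, 0, 0]))        # type 3, code 13
RST_REPLY = _ipv4(6, _tcp(1723, 40000, TCP_RST | TCP_ACK))
SYNACK_REPLY = _ipv4(6, _tcp(1723, 40000, TCP_SYN | TCP_ACK, seq=0x1234ABCD))

if __name__ == "__main__":
    for label, pkt in (("a", NO_REPLY), ("b", ICMP_UNREACH), ("c", RST_REPLY), ("d", SYNACK_REPLY)):
        print(label, classify_response(pkt, 1723))
```

Per RFC 793, a socket in LISTEN state answers any segment carrying ACK with a RST, so outcome (c) is the expected behaviour and outcome (d) is consistent with the ACK flag being ignored, as the post suspects.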


