[fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port
From: Martin Mačok (martin.macok_at_underground.cz)
To: firstname.lastname@example.org Date: Mon, 10 Jan 2005 20:47:21 +0100
During a penetration test I've come around something which seems to be
a Cisco PIX 6.x device (TCP/IP OS fingerprint, ike-scan). It has
single one open tcp port 1723 (pptp) and udp port 500 (isakmp). The
rest of ports are filtered.
The strange thing happens when I send a SYN+ACK packet to the open
port (1723/tcp). The device replies back with SYN+ACK too (with a new
TCP ISN). My guess is that it just ignores the ACK flag in the first
SYN packet but in any case, it could have serious consequences.
I want to know if this is common behaviour or a specific problem.
Please, could you test sending SYN+ACK probe against an open port on
your PIX boxes and drop me a note what happens in your case? Do you
get (a) nothing (b) ICMP unreachable (c) RST or (d) SYN+ACK reply?
% hping2 -S -A -c 1 -p <open_tcp_port> <pix>
Or send me your PIX's IP:port privately if it is accessible from the
Internet and I will test it by myself. (Just a few packets, absolutely
ICT Security Consultant
firewall-wizards mailing list