[fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port

From: Martin Mačok (martin.macok_at_underground.cz)
Date: 01/10/05

  • Next message: Aravinda babu: "[fw-wiz] Regarding ICSA certification"
    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 10 Jan 2005 20:47:21 +0100

    During a penetration test I've come around something which seems to be
    a Cisco PIX 6.x device (TCP/IP OS fingerprint, ike-scan). It has
    single one open tcp port 1723 (pptp) and udp port 500 (isakmp). The
    rest of ports are filtered.

    The strange thing happens when I send a SYN+ACK packet to the open
    port (1723/tcp). The device replies back with SYN+ACK too (with a new
    TCP ISN). My guess is that it just ignores the ACK flag in the first
    SYN packet but in any case, it could have serious consequences.

    I want to know if this is common behaviour or a specific problem.

    Please, could you test sending SYN+ACK probe against an open port on
    your PIX boxes and drop me a note what happens in your case? Do you
    get (a) nothing (b) ICMP unreachable (c) RST or (d) SYN+ACK reply?

    % hping2 -S -A -c 1 -p <open_tcp_port> <pix>

    Or send me your PIX's IP:port privately if it is accessible from the
    Internet and I will test it by myself. (Just a few packets, absolutely

    Thank you

    Martin Mačok
    ICT Security Consultant
    firewall-wizards mailing list

  • Next message: Aravinda babu: "[fw-wiz] Regarding ICSA certification"