Network mapping oddity

From: Yonatan Bokovza (Yonatan@xpert.com)
Date: 03/20/03

    Date: Thu, 20 Mar 2003 20:28:42 +0200
    From: "Yonatan Bokovza" <Yonatan@xpert.com>
    To: <pen-test@securityfocus.com>
    

    Hi all,
    During the network mapping phase of a penetration test
    I've run into something weird, and I'd like to hear
    more opinions on this matter.

    The target (xx.xx.xx.1) is a web server behind a
    firewall (xx.xx.xx.2), 21 hops away. Between the two of them
    there is a filter that:
    1. Replies with RST+ACK to a SYN with TTL=20. The RST+ACK
    source is the tested target.
    2. Ignores the fact that the TCP checksum is wrong.

    I'm aware of http://www.phrack.org/show.php?p=60&a=12
    suggesting this is a load-balancer. What do you think?

    At first I thought it might be an Air-Gap product, as
    they disassemble and reassemble the TCP session. I then
    found a DNS server behind this filter, and I know
    Air-Gap products don't handle UDP by default.

    Please ignore the differences in TTL (in the first example,
    for instance, 21!=128-109). This client has a BGP
    connection and the incoming packets do not travel the same
    path as the outgoing packets.

    Best Regards,

    Yonatan Bokovza
    IT Security Consultant
    Xpert Systems

    Hping session follows:
    #> hping -S -c 1 -p 80 -t 21 xx.xx.xx.1
    HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
    len=46 ip=xx.xx.xx.1 ttl=109 id=33493 sport=80 flags=SA seq=0 win=512 rtt=224.9 ms

    --- xx.xx.xx.1 hping statistic ---
    1 packets tramitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 224.9/224.9/224.9 ms
    #> hping -S -c 1 -p 80 -t 21 -b xx.xx.xx.1
    HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
    len=46 ip=xx.xx.xx.1 ttl=109 id=64110 sport=80 flags=SA seq=0 win=512 rtt=190.8 ms

    --- xx.xx.xx.1 hping statistic ---
    1 packets tramitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 190.8/190.8/190.8 ms
    #> hping -S -c 1 -p 80 -t 20 -b xx.xx.xx.1
    HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
    len=46 ip=xx.xx.xx.1 ttl=236 id=40067 sport=80 flags=RA seq=0 win=0 rtt=174.3 ms

    --- xx.xx.xx.1 hping statistic ---
    1 packets tramitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 174.3/174.3/174.3 ms
    #> hping -S -c 1 -p 80 -t 20 -b xx.xx.xx.1
    HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes

    --- xx.xx.xx.1 hping statistic ---
    1 packets tramitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms
    #> hping -S -c 1 -p 80 -t 19 xx.xx.xx.1
    HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
    TTL 0 during transit from ip=xx.xx.xx.2 name=firewall.client.com

    --- xx.xx.xx.1 hping statistic ---
    1 packets tramitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms
    #>

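Point 2 of the post turns on what a conformant TCP endpoint is required to do with a segment whose checksum is wrong: verify the one's-complement sum over the pseudo-header and the segment and drop the segment silently if it does not come out as all ones (RFC 793, RFC 1071). A SYN/ACK in reply to the -b probe (hping's bad-checksum option, which on the wire ends up as a wrong TCP checksum, as the post notes) therefore means something answered without performing that check, which is why the post reads it as a device terminating the session rather than the host itself. The following is an added example, not code from the post or from hping: it builds a minimal IPv4 TCP SYN, computes the checksum, corrupts it the way a bad-checksum probe would, and shows the verdict a host stack or a checksum-validating filter should return. All addresses, ports and the corruption pattern are constructed.

```python
"""TCP checksum computation and receiver-side verification (RFC 793 / RFC 1071).

Added example, not part of the original post. Addresses, ports and the
corruption pattern are constructed; the corrupted SYN stands in for what a
bad-checksum probe delivers, which a real host stack must drop silently.
"""
import struct
import ipaddress

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data, with carries folded back in."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                        # fold carries until 16 bits remain
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header prepended to the segment for checksum purposes."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum to place in bytes 16..17; the field must be zero in `segment`."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return (~total) & 0xFFFF


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header + segment, with the
    checksum field included, must be all ones for a valid segment."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return total == 0xFFFF


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
              seq: int = 0, window: int = 512, bad_checksum: bool = False) -> bytes:
    """Minimal 20-byte TCP SYN (data offset 5, SYN flag only, no options)."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header)
    if bad_checksum:
        csum ^= 0x5A5A   # constructed corruption: any nonzero XOR makes the field wrong
    return header[:16] + struct.pack("!H", csum) + header[18:]


def checksum_field(segment: bytes) -> int:
    """Value currently stored in the checksum field of a TCP header."""
    return struct.unpack("!H", segment[16:18])[0]


def filter_verdict(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """What a host stack or a checksum-validating filter should do with the segment."""
    return "accept" if tcp_checksum_ok(src_ip, dst_ip, segment) else "drop"


if __name__ == "__main__":
    src, dst = "10.0.0.1", "10.0.0.2"            # constructed addresses
    good = build_syn(src, dst, 1024, 80)
    bad = build_syn(src, dst, 1024, 80, bad_checksum=True)
    print("good SYN checksum=0x%04x -> %s" % (checksum_field(good), filter_verdict(src, dst, good)))
    print("bad  SYN checksum=0x%04x -> %s" % (checksum_field(bad), filter_verdict(src, dst, bad)))
```

The verification deliberately uses the same sum routine as the computation: summing the segment with its checksum field filled in yields 0xFFFF exactly when the field is correct, so a receiver never needs to recompute and compare. A reply to a segment that fails this check is the observable the post relies on, and a device that proxies or re-originates sessions in front of the host is one way such a reply can arise.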


