Re: Low Level Enumeration with ECE/CWR
From: Don Parker (dparker_at_rigelksecurity.com)
Date: 02/28/04
- Maybe in reply to: Joe: "Low Level Enumeration with ECE/CWR"
Date: Fri, 27 Feb 2004 20:30:55 -0500 (EST)
To: Joe <joe_nasdaq@yahoo.com>, Don Parker <dparker@rigelksecurity.com>, pen-test@securityfocus.com
Hello again Joe, I can't say that I am aware of any really. Besides, many IDSs out there
will fire off when they get packets with those fields set. You are still better off
using other methods depending on what you are trying to enumerate, i.e. http server, OS
type and so forth.
One thing that people often don't seem to realize is that you are *much* better off
using one packet only vice a torrent to enumerate a service/OS. Quite often (read almost
always) the one packet will be buried beneath a tidal wave of other stuff, and by
extension is largely ignored by the IDS analyst. Same goes with always using nmap and
other such tools which have signatures out for them (code your own stuff or use a packet
crafter). Anyhow before I get sidetracked here any further I will sign off.
Cheers!
Don
-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------
On Feb 27, Joe <joe_nasdaq@yahoo.com> wrote:
Hi,
Let me clarify/generalize here a bit.
.
Are there any known reconnaissance techniques or attack methods that make use of the
ECE/CWR bits?
To date I haven't seen anything from a penetration perspective that uses them. It might
just be I haven't looked in the right places...
thanks,
Joe
Don Parker <dparker@rigelksecurity.com> wrote:
Hi Joe, I am uncertain as to what you mean by enumeration here. Do you mean that you
wish to find out the target machine's operating system by using these packets? i.e. send
some packets with these values enabled and then measure the returning metrics such as
the mss/mtu/ttl and the such?
Cheers!
Don
-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------
On Feb 26, Joe wrote:
Hi,
I recently read "Low Level Enumeration with TCP/IP" by Randy Williams. Think it's an
excellent read.
My question is, does anyone know of any enumeration techniques that use the Explicit
Congestion Notification Echo (ECE) bit or the Congestion Window Reduction (CWR) bit?
(see RFC-3168 for more info).
I noticed the article failed to mention these bits but many manufacturers claim support.
thanks,
Joe
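
Added illustration, not part of the original thread or any poster's code: a sketch of the kind of check behind the remark that IDSs fire on packets with ECE/CWR set, separating the RFC 3168 handshake (ECN-setup SYN with ECE and CWR, ECN-setup SYN-ACK with ECE only) from use of the bits on flows that never negotiated ECN. The class name, the result labels, the choice to alert on a SYN carrying only one ECN bit, and the sample packets are all assumptions of this example.

```python
import struct
# TCP flag bits in header byte 13, low to high; ECE and CWR come from RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def tcp_header(sport, dport, flags):
    """Build a constructed 20-byte TCP header (no options, checksum 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def parse_flags(hdr):
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack_from("!HH", hdr, 0)
    return sport, dport, hdr[13]

class EcnMonitor:
    """Tracks ECN negotiation per flow and labels ECE/CWR use (labels are hypothetical)."""
    def __init__(self):
        self.offered = set()     # flows that sent an ECN-setup SYN (ECE+CWR)
        self.negotiated = set()  # flows answered by an ECN-setup SYN-ACK (ECE only)

    def inspect(self, src, dst, hdr):
        sport, dport, flags = parse_flags(hdr)
        ecn = flags & (ECE | CWR)
        flow = frozenset({(src, sport), (dst, dport)})
        if flags & SYN and not flags & ACK:
            if ecn == (ECE | CWR):
                self.offered.add(flow)
                return "ecn-setup-syn"
            return "alert:partial-ecn-syn" if ecn else "ok"
        if flags & SYN:  # SYN-ACK
            if ecn == ECE and flow in self.offered:
                self.negotiated.add(flow)
                return "ecn-setup-synack"
            return "alert:unexpected-ecn-synack" if ecn else "ok"
        if ecn and flow not in self.negotiated:
            return "alert:ecn-without-negotiation"
        return "ok"

def demo():
    """Run a constructed five-packet trace (documentation addresses) through the monitor."""
    mon, a, b = EcnMonitor(), "192.0.2.10", "192.0.2.20"
    trace = [
        (a, b, 40000, 80, SYN | ECE | CWR),  # ECN-setup SYN
        (b, a, 80, 40000, SYN | ACK | ECE),  # ECN-setup SYN-ACK
        (a, b, 40000, 80, ACK | ECE),        # ECE on a negotiated flow
        (a, b, 40001, 80, SYN | ECE),        # only one ECN bit on a SYN
        (a, b, 40002, 80, ACK | PSH | CWR),  # CWR with no negotiation seen
    ]
    return [mon.inspect(s, d, tcp_header(sp, dp, f)) for s, d, sp, dp, f in trace]
```

A rule that alerts on any packet with ECE or CWR set would also flag the first three packets, which are ordinary ECN traffic; keeping the negotiation state is what lets the check pass them.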