Strange replies on closed port



Hi,

Nmap 3.999 is out! - with a "--badsum"-option like it is described in
http://www.phrack.org/phrack/60/p60-0x0c.txt - have a look at the
release notes.
As a brave pen-tester I took hping2 to fiddle around and check the basic
statements of the ancient phrack-article.
What I expected to find was:

Connecting to a closed Port w/o Firewall: Target sends back an RST
Connecting to a closed Port with Firewall: Target drops packet, nothing
happens.
But it seems that things are more complicated. I tried

hping -S -c 1 -p 1 www.hostname.com   (a simple TCP-Syn on Port 1, which
I consider closed everywhere) shows that
a) many hosts drop the packet as expected
b) some hosts respond as expected "len=46 ip=000.67.41.130 ttl=48
id=29443 sport=1 flags=RA seq=0 win=512 rtt=25.0 ms"
c) some hosts respond with ICMP: "ICMP Port Unreachable from
ip=000.227.127.227 name=<name of target>"
d) one host responds strangely, like "ICMP Packet filtered from
ip=000.94.95.253 name=<router 1 hop before the server>"

a and b seem to be clear:
a: firewalled host
b: non-firewalled host

c and d are a bit strange: Who is responding with the icmp-messages: the
target-host or a packetfilter? Especially the hping-message in d
confuses me a bit.
What should be the default behaviour for an ip-stack if it gets a SYN on
a closed Port?

A bit confused,

tom
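
An added example, not part of the original post: a small Python classifier for the four reply types (a to d) listed above. It uses nmap's SYN-scan state names and records whether the reply carried the probed address or another one. The sample lines and addresses are constructed, and reading hping2's "Packet filtered" wording as ICMP type 3 code 13 is an assumption about hping2's labels.

```python
import re

# hping2 wording quoted in the post -> ICMP type 3 code (RFC 792 / RFC 1812).
# The "Packet filtered" -> 13 mapping is an assumption about hping2's labels.
ICMP_CODES = {"Port Unreachable": 3, "Packet filtered": 13}

TCP_RE = re.compile(r"ip=(?P<ip>\S+).*\bflags=(?P<flags>[A-Z]+)")
ICMP_RE = re.compile(r"ICMP (?P<what>.+?) from ip=(?P<ip>\S+)")


def classify(reply, target_ip):
    """Return (port_state, responder) for one hping2 reply line, or for
    None when the probe timed out. States follow nmap's SYN-scan terms."""
    if not reply:
        return ("filtered", None)        # silently dropped somewhere on the path
    m = ICMP_RE.search(reply)
    if m:
        who = "target" if m["ip"] == target_ip else "intermediate"
        # nmap marks a port filtered when an ICMP unreachable error comes back
        state = "filtered" if m["what"] in ICMP_CODES else "unknown"
        return (state, who)
    m = TCP_RE.search(reply)
    if m:
        who = "target" if m["ip"] == target_ip else "intermediate"
        if "R" in m["flags"]:
            return ("closed", who)       # RST: RFC 793 answer to a SYN on a closed port
        if "S" in m["flags"] and "A" in m["flags"]:
            return ("open", who)         # SYN/ACK: something is listening
    return ("unknown", None)


# Constructed sample replies (documentation addresses), one per case a-d.
SAMPLES = [
    ("192.0.2.10", None),
    ("192.0.2.11", "len=46 ip=192.0.2.11 ttl=48 id=29443 sport=1 "
                   "flags=RA seq=0 win=512 rtt=25.0 ms"),
    ("192.0.2.12", "ICMP Port Unreachable from ip=192.0.2.12 name=host-c.example"),
    ("192.0.2.13", "ICMP Packet filtered from ip=198.51.100.1 name=gw.example"),
]

if __name__ == "__main__":
    for target, reply in SAMPLES:
        print(target, classify(reply, target))
```

The responder field only reflects the source address written into the reply; a packet filter can send an RST or an ICMP error with the target's address, so "target" here does not prove the end host's own stack answered.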


