RE: Strange replies on closed port



Thomas:

It would help those interested in answering your question immensely
to have a copy of the traffic as a PCAP file - while the test can
easily be reproduced, it would save time just to check your capture
instead of doing it all again ;)

About your assumptions:

a) hosts shouldn't by default just 'drop the packet and forget
about it'. In TCP, the standard reply to a SYN segment sent to a closed
port should be a RST - not dropping the packet. Dropping the packet w/o
sending anything back smells of a firewall in the middle, or some kernel
tweaks.

b) that is the expected behaviour - but the ip field doesn't
make any sense.

c) that message (AFAIR) should only be sent by the host when
receiving a UDP datagram (not TCP) to a non-'listening' port.

d) that message isn't generated by the end host, but by
something in the path filtering packets - probably a router with ACLs.

Packet filtering devices' behaviour is all over the place. As an
example, firewalls will probably drop the packet and send nothing back.
Routers with an ACL blocking the packet in question will drop it - and
may, or may not, send an 'ICMP admin prohibited' back.

nmap does have a bunch of logic embedded to deal with all those
variations - that's why when scanning a host it can print a status like
'closed, open, firewalled, etc.' for ports.

Thanks,
Dario
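As an added example, not code from this thread, from nmap or from hping2, the following Python script applies the rules Dario lays out above to hping2-style reply lines and maps each probe outcome to the port state nmap would report: silence and ICMP errors are "filtered", an RST is "closed", a SYN/ACK is "open", and the ICMP source address tells you whether the target or something on the path answered. The reply lines, hostnames and addresses are constructed for the demonstration (192.0.2.0/24 is the TEST-NET-1 documentation range); the function and class names are this example's own.

```python
"""Classify replies to a TCP SYN sent to a closed port, nmap-style.

Added example (not from the thread, nmap or hping2). Sample lines are
constructed; 192.0.2.0/24 is the TEST-NET-1 documentation range.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One constructed reply per outcome in the thread: (target ip, hping2 reply or None).
SAMPLE_PROBES = {
    "host-a": ("192.0.2.10", None),  # case a: no reply at all
    "host-b": ("192.0.2.20", "len=46 ip=192.0.2.20 ttl=48 id=29443 sport=1 flags=RA seq=0 win=512 rtt=25.0 ms"),
    "host-c": ("192.0.2.30", "ICMP Port Unreachable from ip=192.0.2.30 name=host-c.example"),
    "host-d": ("192.0.2.40", "ICMP Packet filtered from ip=192.0.2.254 name=rtr.example"),
    "host-e": ("192.0.2.50", "len=46 ip=192.0.2.50 ttl=52 id=0 sport=1 flags=SA seq=0 win=5840 rtt=30.1 ms"),
}

TCP_RE = re.compile(r"\bip=(?P<ip>\S+) .*\bsport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*)")
ICMP_RE = re.compile(r"^ICMP (?P<kind>.+?) from ip=(?P<ip>\S+)")


@dataclass(frozen=True)
class Verdict:
    state: str      # open / closed / filtered, as nmap would print it
    responder: str  # "target", "path" (a device before the target) or "none"
    reason: str


def classify(target_ip: str, probed_port: int, reply: Optional[str]) -> Verdict:
    """Map one SYN probe and its reply (or silence) to an nmap-style state."""
    if reply is None:
        # Silence is the firewall case: dropped on the path or by the host
        # itself (kernel tweak); the probe alone cannot tell these apart.
        return Verdict("filtered", "none", "no RST, SYN/ACK or ICMP within the timeout")

    m = TCP_RE.search(reply)
    if m:
        # Sanity check: only accept a TCP reply that actually answers our probe.
        if m["ip"] != target_ip or int(m["sport"]) != probed_port:
            raise ValueError(f"reply does not match the probe: {reply!r}")
        flags = set(m["flags"])
        if "R" in flags:
            return Verdict("closed", "target", "RST from the target: the standard reply to a SYN on a closed port")
        if {"S", "A"} <= flags:
            return Verdict("open", "target", "SYN/ACK from the target")
        raise ValueError(f"unexpected TCP flags {m['flags']!r}")

    m = ICMP_RE.match(reply)
    if m:
        responder = "target" if m["ip"] == target_ip else "path"
        kind = m["kind"].lower()
        if "port unreachable" in kind:
            # ICMP type 3 code 3 is the closed-port reply for UDP; a TCP stack
            # answers a SYN with RST instead, so nmap files this under filtered.
            return Verdict("filtered", responder, "ICMP port unreachable to a TCP SYN (expected only for UDP)")
        if "filtered" in kind or "prohibited" in kind:
            # ICMP type 3 code 13 (administratively prohibited): an ACL on the
            # way answered instead of silently dropping the probe.
            return Verdict("filtered", responder, "ICMP admin prohibited: an ACL rejected the probe")
        return Verdict("filtered", responder, f"other ICMP unreachable ({m['kind']})")

    raise ValueError(f"unparsed reply: {reply!r}")


def classify_samples(port: int = 1) -> dict:
    """Run the classifier over the constructed samples (port 1, as in the thread)."""
    return {name: classify(ip, port, reply) for name, (ip, reply) in SAMPLE_PROBES.items()}


if __name__ == "__main__":
    for name, v in classify_samples().items():
        print(f"{name}: {v.state:9} responder={v.responder:6} {v.reason}")
```

The responder field is what resolves Thomas's question about cases c and d: the ICMP source address equal to the target means the end host spoke (c), while an address one hop before it means a filtering router did (d). Either way the port is reported as filtered, because neither message is the RST a TCP stack sends for a genuinely closed port.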

-----Original Message-----
From: thomas springer [mailto:tuevsec@xxxxxxx]
Sent: Sunday, January 29, 2006 2:53 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Strange replies on closed port

Hi,

Nmap 3.999 is out! - with a "--badsum" option as described in
http://www.phrack.org/phrack/60/p60-0x0c.txt - have a look at the
release notes.
As a brave pen-tester I took hping2 to fiddle around and check the basic
statements of the ancient phrack article.
What I expected to find was:

Connecting to a closed port w/o firewall: target sends back an RST.
Connecting to a closed port with firewall: target drops the packet, nothing
happens.
But it seems that things are more complicated. I tried

hping -S -c 1 -p 1 www.hostname.com (a simple TCP SYN on port 1, which
I consider closed everywhere), which shows that
a) many hosts drop the packet as expected
b) some hosts respond as expected "len=46 ip=000.67.41.130 ttl=48
id=29443 sport=1 flags=RA seq=0 win=512 rtt=25.0 ms"
c) some hosts respond with ICMP: "ICMP Port Unreachable from
ip=000.227.127.227 name=<name of target>"
d) one host responds strangely, like "ICMP Packet filtered from
ip=000.94.95.253 name=<router 1 hop before the server>"

a and b seem to be clear:
a: firewalled host
b: non-firewalled host

c and d are a bit strange: who is responding with the ICMP messages: the
target host or a packet filter? Especially the hping message in d
confuses me a bit.
What should be the default behaviour for an IP stack if it gets a SYN on
a closed port?

A bit confused,

tom



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------