Re: nmap = trivial joke ??
From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)Date: 04/26/02
- Next message: Jason: "port 137~139"
- Previous message: Qian Xiubin: "Problem about iptables _messages suppressed"
- In reply to: Casey: "Re: nmap = trivial joke ??"
- Next in thread: Todd Senn: "Re: nmap = trivial joke ??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> Date: Fri, 26 Apr 2002 08:45:09 +0000 (UTC)
< Casey
>It is a web server
We hope you will inform us more precisely of 1) the nmap version, 2) the nmap
command line which you used, 3) your new box information (OS Windoze
version?, applied patches SP?), 4) the web server version (IIS version?,
applied patches?), and please don't top post. Posting the result of
`nmap -O -vv ...` will help us.
>>>> TCP Sequence Prediction: Class=trivial time dependency
TCP sequence number generation looks Micro$oft-style time dependent.
nmap/osscan.c
| if (si->index < 75) {
| si->seqclass = SEQ_TD;
| /* printf("Target is a Micro$oft style time dependent box\n");*/
nmap/nmap.c
| case SEQ_TD:
| return "trivial time dependency";
>>>> Difficulty=0 (Trivial joke)
'Difficulty=0' means the TCP sequence number is not changed. Looks like the
Windoze 2000 TCP stack's responses during a "one way data flow".
"Windows 2000 TCP/IP" (Wilson), "The TCP/IP Protocol Suite - Reset
Processing - Managing the Window" p52.
nmap/nmap.c
| return (idx < 10)? "Trivial joke" : ... : "Good luck!";
>>>> IPID Sequence Generation: Duplicated ipid (!)
'Duplicated ipid' means the IP ID number is not changed. Perhaps a bug
or feature of some Windoze version with some service patch in some
situation. For example, the DF flag is set.
nmap/osscan.c
| if (ipid_diffs[i] == 0) {
| return IPID_SEQ_CONSTANT;
nmap/nmap.c
| case IPID_SEQ_CONSTANT:
| return "Duplicated ipid (!)";
<mayhap>
Your new box Linux box
Windoze 2000 ===== Redhat7.2 ===
IIS web server firewall
<---- nmap (TCP sequence and IP ID isn't changed)
</mayhap>
>>>> I only show ports 80 and 8080 open... what do I need to do?
Your new box's TCP stack implementation seems vulnerable to TCP hijack
(blind attack, sequence number prediction). The IIS web server has many
vulnerabilities. This is not FUD but my individual suggestion that you
had better change Windoze to Linux and IIS to Apache. (Or update
Windoze and IIS now.)
--
Regards, RainbowHat.
To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
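As an added illustration of the classification the post walks through (this is example code, not nmap's own), the script below takes a handful of sampled ISNs and IP IDs and applies the thresholds quoted from osscan.c and nmap.c: index < 75 is "trivial time dependency", difficulty < 10 is "Trivial joke", and all-zero IP ID differences give "Duplicated ipid (!)". Using the population standard deviation of consecutive ISN differences as the index, and the labels for the remaining tiers, are assumptions of this example, not nmap's exact formula.

```python
"""Simplified model of the nmap sequence/IP ID labelling quoted in the post.
Only the thresholds quoted above are nmap's; the index formula and the
other tier labels are assumptions of this example."""
from statistics import pstdev

MOD32 = 2 ** 32   # TCP sequence numbers wrap at 32 bits
MOD16 = 2 ** 16   # IP IDs wrap at 16 bits


def diffs(samples, modulus):
    """Consecutive differences, reduced modulo the counter width."""
    return [(b - a) % modulus for a, b in zip(samples, samples[1:])]


def seq_index(isns):
    """Predictability index: 0 means every probe saw the same increment (assumed formula)."""
    d = diffs(isns, MOD32)
    return int(pstdev(d)) if len(d) > 1 else 0


def seq_class(index):
    if index < 75:                       # SEQ_TD branch quoted from osscan.c
        return "trivial time dependency"
    return "random positive increments" if index < 3000 else "truly random"  # assumed tiers


def difficulty(index):
    if index < 10:                       # quoted from nmap.c
        return "Trivial joke"
    return "Medium" if index < 3000 else "Good luck!"   # middle tier assumed


def ipid_class(ipids):
    d = diffs(ipids, MOD16)
    if d and all(x == 0 for x in d):     # IPID_SEQ_CONSTANT branch quoted from osscan.c
        return "Duplicated ipid (!)"
    return "Incremental" if all(0 < x < 1000 for x in d) else "Random"  # assumed tiers


def assess(isns, ipids):
    idx = seq_index(isns)
    return {"index": idx, "seq_class": seq_class(idx),
            "difficulty": difficulty(idx), "ipid": ipid_class(ipids)}


# Constructed samples, not real captures: a box whose ISN and IP ID never change
# (the case in the post), a box whose ISN ticks with a timer, and a random one.
STATIC_BOX = {"isns": [0x1A2B3C4D] * 6, "ipids": [0x4242] * 6}
TIMER_BOX = {"isns": [100, 1100, 2101, 3100, 4102, 5101], "ipids": [1, 2, 3, 4, 5, 6]}
RANDOM_BOX = {"isns": [0x7A1F00C3, 0x0D4E9A21, 0xC38B17F0, 0x5E02D9A4, 0x91CC4B07, 0x2F6E83DA],
              "ipids": [0x1F3A, 0x9C01, 0x44E7, 0xB2A0, 0x0D19, 0x7E55]}

if __name__ == "__main__":
    for name, box in (("static", STATIC_BOX), ("timer", TIMER_BOX), ("random", RANDOM_BOX)):
        print(name, assess(**box))
```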