Re: packet filter fingerprinting(open but closed, closed but filtered)

From: Jonas Eriksson (jeat_private)
Date: Wed Apr 03 2002 - 02:42:42 PST


    I can verify this behavior on Firewall-1 (NG):
    
    12:15:19.134412 12.12.12.12.pop3 > test.sekure.net.3231: R [tcp sum
    ok] 0:0(0) ack 10189299 win 0 (DF) [tos 0x70]  (ttl 55, id 3807, len 40)
    12:15:20.335463 12.12.12.12.auth > test.sekure.net.3232: R [tcp sum
    ok] 0:0(0) ack 1755038388 win 0 (DF) (ttl 50, id 6343, len 40)
    
    As you can see here, the TTL differs by 5 between the port (auth) with a
    "Reject" rule and the open port with no answering service (pop3).
    
    We can also see here that the TOS field on the pop3 port is 0x70 but not
    on the auth port.
    
    
    Regards,
    
    Jonas Eriksson
    jeat_private
    
    On Sun, 31 Mar 2002, Meder Kydyraliev wrote:
    
    > Hi fellow bugtraqers,
    >
    > recently playing with raw sockets and PF (OpenBSD 3.0) I noticed
    > that when you have a return-rst rule for some tcp packet, the ttl field
    > in the ip header of the rst packet that is sent by PF equals 128, while
    > the default ttl for OpenBSD 3.0 is 64, so we can actually see which
    > tcp ports are blocked by pf and which are open but closed (nothing
    > on them).
    > So then I grabbed the ipfilter (3.4.25) source and saw that for Solaris
    > (SunOS5) ipfilter's default ttl for rst packets is 60, while when
    > the port is open (by ipfilter) but nothing listens on it the ttl is
    > reflected from the packet (ttl reflection could also be used for OS
    > fingerprinting, some OSs (Sol7) reflect ttl and some use their default
    > ttl) the rst is being sent to; and for linux ipfilter's ttl is 127
    > while the default is 255.
    >
    > So if we know the distance to our target we could:
    >
    > - use the information for packetfilter fingerprinting, possibly OS
    > fingerprinting;
    > - find out firewall acls, and what ports are actually blocked by
    > firewall and what ports are open but nothing listens on them(so that
    > we modify exploit to bind a shell on an open port, for example);
    >
    > Regards,
    > Meder Kydyraliev
    >
    > PS: it is fixed in OpenBSD -CURRENT, thanks to Daniel Hartmeier.
    > PPS: didn't have linux, so couldn't check that with iptables/ipchains
    >
    >
    > here is snort output for OpenBSD(PF) with return-rst for port 5555:
    >
    > 03/31-17:26:02.282644 xxx.xxx.xxx.xxx:61230 -> xxx.xxx.xxx.xxx:5555
    > TCP TTL:255 TOS:0x0 ID:24383 IpLen:20 DgmLen:44 DF
    > ******S* Seq: 0x9379CC65  Ack: 0x0  Win: 0x2238  TcpLen: 24
    > TCP Options (1) => MSS: 1460
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > 03/31-17:26:02.282793 xxx.xxx.xxx.xxx:5555 -> xxx.xxx.xxx.xxx:61230
    > TCP TTL:128 TOS:0x0 ID:48505 IpLen:20 DgmLen:40
    >     ^^^^^^^
    > ***A*R** Seq: 0x0  Ack: 0x9379CC66  Win: 0x0  TcpLen: 20
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    >
    >
    > here is snort output for OpenBSD with an open(by PF)  but closed(nothing
    > listening on it) port:
    >
    > 03/31-17:26:33.326327 xxx.xxx.xxx.xxx:61257 -> xxx.xxx.xxx.xxx:52000
    > TCP TTL:255 TOS:0x0 ID:24384 IpLen:20 DgmLen:44 DF
    > ******S* Seq: 0x39DCC231  Ack: 0x0  Win: 0x2238  TcpLen: 24
    > TCP Options (1) => MSS: 1460
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > 03/31-17:26:33.326481 xxx.xxx.xxx.xxx:52000 -> xxx.xxx.xxx.xxx:61257
    > TCP TTL:64 TOS:0x0 ID:57309 IpLen:20 DgmLen:40 DF
    >     ^^^^^^
    > ***A*R** Seq: 0x0  Ack: 0x39DCC232  Win: 0x0  TcpLen: 20
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    >
    > and now Solaris 7 with ipfilter(3.4.25) with return-rst rule:
    >
    > 03/31-17:30:16.997579 xxx.xxx.xxx.xxx:12879 -> xxx.xxx.xxx.xxx:1521
    > TCP TTL:64 TOS:0x10 ID:7967 IpLen:20 DgmLen:64 DF
    > ******S* Seq: 0x6A3518CE  Ack: 0x0  Win: 0x4000  TcpLen: 44
    > TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP
    > TCP Options => TS: 1615975242 0
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > 03/31-17:30:16.997785 xxx.xxx.xxx.xxx:1521 -> xxx.xxx.xxx.xxx:12879
    > TCP TTL:60 TOS:0x10 ID:15731 IpLen:20 DgmLen:40 DF
    >     ^^^^^^
    > ***A*R** Seq: 0x0  Ack: 0x6A3518CF  Win: 0x0  TcpLen: 20
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > and just a port w/o daemon on it:
    >
    > 03/31-17:30:57.379170 xxx.xxx.xxx.xxx:29599 -> xxx.xxx.xxx.xxx:42000
    > TCP TTL:64 TOS:0x10 ID:25418 IpLen:20 DgmLen:64 DF
    > ******S* Seq: 0xF016BF9  Ack: 0x0  Win: 0x4000  TcpLen: 44
    > TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP
    > TCP Options => TS: 1615975323 0
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > 03/31-17:30:57.379449 xxx.xxx.xxx.xxx:42000 -> xxx.xxx.xxx.xxx:29599
    > TCP TTL:64 TOS:0x10 ID:15732 IpLen:20 DgmLen:40 DF
    >     ^^^^^^
    > ***A*R** Seq: 0x0  Ack: 0xF016BFA  Win: 0x0  TcpLen: 20
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    
    
    --
     Favourite pickup line: Hey baby, wanna synchronize sequence numbers?
     Warning: not always effective
    
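The observation in this thread is that a packet filter's synthesized RST can carry a different TTL (and, on Firewall-1, a different TOS) than the RSTs the host's own TCP stack sends for closed ports, so the two are distinguishable on the wire. A defender who wants to confirm that a filter (or a fix such as the OpenBSD -CURRENT one mentioned above) no longer has this property can capture the RSTs a host sends back and check that they all share the same IP header signature. The script below is an added example, not code from either poster; it parses snort-style text records of the kind quoted in the thread and groups a host's RST responses by (TTL, TOS, DF). The sample capture is constructed for this example using documentation addresses (192.0.2.0/24), with TTL values mirroring the 128-vs-64 difference reported for PF.

```python
import re
from collections import defaultdict

# Constructed sample in snort "-v" text style, modelled on the records quoted in
# the thread. 192.0.2.10 is the host being audited; 192.0.2.20 is the scanner.
# The first two blocks are RST replies from the audited host (TTL 128 without DF,
# and TTL 64 with DF); the third is an unrelated SYN in the other direction.
SAMPLE = """\
03/31-17:26:02.282793 192.0.2.10:5555 -> 192.0.2.20:61230
TCP TTL:128 TOS:0x0 ID:48505 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x9379CC66  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/31-17:26:33.326481 192.0.2.10:52000 -> 192.0.2.20:61257
TCP TTL:64 TOS:0x0 ID:57309 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0  Ack: 0x39DCC232  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/31-17:26:40.100000 192.0.2.20:61258 -> 192.0.2.10:52001
TCP TTL:255 TOS:0x0 ID:24385 IpLen:20 DgmLen:44 DF
******S* Seq: 0x39DCC300  Ack: 0x0  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460
"""

# Line 1 of a record: timestamp, src:port -> dst:port
HDR = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
# Line 2: IP header summary; the trailing " DF" is optional
IPL = re.compile(r"^TCP TTL:(\d+) TOS:(0x[0-9a-fA-F]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)( DF)?$")
# Line 3: eight-character TCP flag field, e.g. ***A*R** or ******S*
FLG = re.compile(r"^([12UAPRSF*]{8}) Seq:")


def parse_snort(text):
    """Parse snort text records into dicts; separator blocks (=+=+...) are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue  # a lone separator line, not a packet record
        h, ip, fl = HDR.match(lines[0]), IPL.match(lines[1]), FLG.match(lines[2])
        if not (h and ip and fl):
            continue  # malformed or truncated record; ignore rather than guess
        records.append({
            "src": h.group(2), "sport": int(h.group(3)),
            "dst": h.group(4), "dport": int(h.group(5)),
            "ttl": int(ip.group(1)), "tos": int(ip.group(2), 16),
            "df": ip.group(6) is not None,
            "flags": fl.group(1),
        })
    return records


def rst_profile(records, host):
    """Map each source port on `host` that answered with an RST to (ttl, tos, df)."""
    profile = {}
    for r in records:
        if r["src"] == host and "R" in r["flags"]:
            profile[r["sport"]] = (r["ttl"], r["tos"], r["df"])
    return profile


def group_by_rst_signature(records, host):
    """Group the host's RST-answering ports by their IP header signature."""
    groups = defaultdict(list)
    for port, sig in rst_profile(records, host).items():
        groups[sig].append(port)
    return {sig: sorted(ports) for sig, ports in groups.items()}


def leaks_filter_state(records, host):
    """True when the host's RSTs do not all look alike, i.e. the filter's
    synthesized RSTs are distinguishable from the stack's own."""
    return len(group_by_rst_signature(records, host)) > 1


if __name__ == "__main__":
    recs = parse_snort(SAMPLE)
    for sig, ports in group_by_rst_signature(recs, "192.0.2.10").items():
        ttl, tos, df = sig
        print(f"TTL={ttl} TOS={tos:#x} DF={df}: ports {ports}")
    print("filter state leaks via RST header:", leaks_filter_state(recs, "192.0.2.10"))
```

Run against a real capture, a clean result is a single signature group for the audited host; more than one group means the filter and the stack are still answering with different header values, which is exactly what the TTL:128 versus TTL:64 pair in the thread shows. TOS is included in the signature because the Firewall-1 observation above shows the leak can be in that field rather than the TTL.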



    This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 09:42:50 PST