You are making sense and I have seen the same thing. NMAP can't identify the servers behind the PIX. That's a good thing. I am not sure how you identify the PIX. How do you fingerprint servers when you don't know what the servers are or if they are behind a PIX? Jason Lewis http://www.packetnexus.com http://www.packetnexus.com/kb/greyarts/ It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary. -----Original Message----- From: Fernando Cardoso [mailto:fernando.cardosoat_private] Sent: Thursday, May 24, 2001 2:28 PM To: PEN-TESTat_private Subject: PIX and ttl I'm doing a pen-test for a client that has a "standard" config of router-firewall-server_in_dmz. I'm fingerprinting the setup and I'm aware that the firewall is a Cisco PIX (BTW is there any way to change the banner for the fixup protocol smtp? :) Their router is at 5 hops of distance from me. Both router and fw gives me the ttl I was expecting when I ping them (251 and 250), but all the servers in the DMZ don't... traceroute to server_in_dmz (x.x.x.x), 30 hops max, 38 byte packets 1 a.a.a.a (a.a.a.a) 2.068 ms 2.031 ms 2.349 ms TTL:255 2 a.a.a.a (a.a.a.a) 153.681 ms 152.925 ms 131.445 ms TTL:254 3 a.a.a.a (a.a.a.a) 205.197 ms 269.539 ms 145.973 ms TTL:253 4 a.a.a.a (a.a.a.a) 38.078 ms 23.849 ms 23.497 ms TTL:252 5 router (router) 31.445 ms 27.277 ms 28.422 ms TTL:251 6 * * * (fw) TTL:250 7 * * * (server_in_dmz) TTL:123 The servers in the DMZ are Microsoft boxes so the "right" TTL should be 122. I've made a quick test with other PIX protected servers and it seems that when the packet passes the PIX it somehow resets the ttl for the original one. If I'm correct with these assumptions we have another method of fingerprinting PIX. Am I making any sense?? Fernando PS: Nice article about firewall fingerprinting: http://www.kmu-security.ch/identifyingfirewalls.htm -- Fernando Cardoso - Security Consultant WhatEverNet Computing, S.A. Phone : +351 21 7994200 Praca de Alvalade, 6 - Piso 6 Fax : +351 21 7994242 1700-036 Lisboa - Portugal email : fernando.cardosoat_private http://www.whatevernet.com/ _____________________________________________________________________ INTERNET MAIL FOOTER A presente mensagem pode conter informação considerada confidencial. Se o receptor desta mensagem não for o destinatário indicado, fica expressamente proibido de copiar ou endereçar a mensagem a terceiros. Em tal situação, o receptor deverá destruir a presente mensagem e por gentileza informar o emissor de tal facto. --------------------------------------------------------------------- Privileged or confidential information may be contained in this message. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. ---------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri May 25 2001 - 10:01:42 PDT