On Thu, May 24, 2001 at 07:28:03PM +0100, Fernando Cardoso wrote:
> I'm doing a pen-test for a client that has a "standard" config of
> router-firewall-server_in_dmz. I'm fingerprinting the setup and I'm aware
> that the firewall is a Cisco PIX (BTW is there any way to change the banner
> for the fixup protocol smtp? :)

No way, but I think that a secure configuration of the MTA behind the PIX is the right way and that "fixup protocol smtp" isn't necessary. It simply adds overhead to the firewall processing...

> Their router is at 5 hops of distance from me. Both router and fw give me
> the ttl I was expecting when I ping them (251 and 250), but all the servers
> in the DMZ don't...
>
> traceroute to server_in_dmz (x.x.x.x), 30 hops max, 38 byte packets
> 1 a.a.a.a (a.a.a.a) 2.068 ms 2.031 ms 2.349 ms TTL:255
> 2 a.a.a.a (a.a.a.a) 153.681 ms 152.925 ms 131.445 ms TTL:254
> 3 a.a.a.a (a.a.a.a) 205.197 ms 269.539 ms 145.973 ms TTL:253
> 4 a.a.a.a (a.a.a.a) 38.078 ms 23.849 ms 23.497 ms TTL:252
> 5 router (router) 31.445 ms 27.277 ms 28.422 ms TTL:251
> 6 * * * (fw) TTL:250
> 7 * * * (server_in_dmz) TTL:123
>
> The servers in the DMZ are Microsoft boxes so the "right" TTL should be 122.

No, it's different from release to release of Microsoft products...

-- Windows NT 4.0 x86 SP6a ( ttl = 128 ) in MY LAN

root@life:~# hping -c 2 -S -p 80 10.1.3.20
eth0 default routing interface selected (according to /proc)
HPING gongolo (eth0 10.1.3.20): S set, 40 headers + 0 data bytes
46 bytes from 10.1.3.20: flags=SA seq=0 ttl=128 id=25884 win=8576 rtt=0.5 ms

-- Windows 2k x86 SP1 ( ttl = 123 ) behind PIX 5.3(1)

root@life:~# hping -c 2 -S -p 80 xxx.xxx.xx.xxx
eth0 default routing interface selected (according to /proc)
HPING www.www.www (eth0 xxx.xxx.xx.xxx): S set, 40 headers + 0 data bytes
46 bytes from xxx.xxx.xx.xxx: flags=SA seq=0 ttl=123 id=10872 win=8576 rtt=27.3 ms

-- Windows NT 4.0 x86 unknown SP ( ttl = 118 ) behind 5.3(1)

root@life:~# hping -c 1 -S -p 25 xxx.xxx.xxx.xxx
eth0 default routing interface selected (according to /proc)
HPING xxx.xxx.xxx.xxx (eth0 xxx.xxx.xxx.xxx): S set, 40 headers + 0 data bytes
46 bytes from xxx.xxx.xxx.xxx: flags=SA seq=0 ttl=118 id=45018 win=32768 rtt=860.1 ms

-- PIX Itself 5.3(1) ( ttl = 247 )

root@life:~# ping -c 1 xxx.xxx.xxx.x
PING xxx.xxx.xxx.x (xxx.xxx.xxx.x): 56 octets data
64 octets from xxx.xxx.xxx.x: icmp_seq=0 ttl=247 time=87.7 ms

-- PIX Itself 5.1(4) ( ttl = 251 )

root@life:~# ping -c 1 xxx.xxx.xxx.xx
PING xxx.xxx.xxx.x (xxx.xxx.xxx.xx): 56 octets data
64 octets from xxx.xxx.xxx.xx: icmp_seq=0 ttl=251 time=102.4 ms

As you can see, the TTL is different for the same PIX release... I HATE PIX, I HATE CISCO ;>

> I've made a quick test with other PIX protected servers and it seems that
> when the packet passes the PIX it somehow resets the ttl for the original
> one. If I'm correct with these assumptions we have another method of
> fingerprinting PIX. Am I making any sense??
>
> Fernando
>
> PS: Nice article about firewall fingerprinting:
> http://www.kmu-security.ch/identifyingfirewalls.htm

Fabio Pietrosanti ( naif )
E-mail: naifat_private
PGP Key (DSS) http://naif.itapac.net/naif.asc
--
Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
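The TTL arithmetic the two posters are doing by hand, written out as an added example (this is not code from the original thread or from either poster). It is the kind of check a perimeter owner can run against their own hosts to see what the reply TTLs disclose: each reply TTL is matched to the nearest common initial TTL (32/64/128/255, an assumed list), the number of decrements is compared with the hop position in the traceroute, and any hop whose reply lost fewer decrements than its position implies is flagged, which is exactly the hop-7 "123 instead of 122" observation above. The sample inputs are the traceroute and hping reply lines quoted in the thread, embedded here as constructed test data; the code assumes the reply path crosses the same number of routers as the probe.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Initial TTL values commonly set by operating systems (assumed list for this
# example; the thread does not enumerate them). An observed TTL is matched to
# the smallest candidate that is not below it.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sample input: the traceroute quoted in the thread, one hop per line.
TRACEROUTE_SAMPLE = """\
 1 a.a.a.a (a.a.a.a) 2.068 ms 2.031 ms 2.349 ms TTL:255
 2 a.a.a.a (a.a.a.a) 153.681 ms 152.925 ms 131.445 ms TTL:254
 3 a.a.a.a (a.a.a.a) 205.197 ms 269.539 ms 145.973 ms TTL:253
 4 a.a.a.a (a.a.a.a) 38.078 ms 23.849 ms 23.497 ms TTL:252
 5 router (router) 31.445 ms 27.277 ms 28.422 ms TTL:251
 6 * * * (fw) TTL:250
 7 * * * (server_in_dmz) TTL:123
"""

# Constructed sample input: hping reply lines from the thread, one per probed host.
HPING_SAMPLE = [
    "46 bytes from 10.1.3.20: flags=SA seq=0 ttl=128 id=25884 win=8576 rtt=0.5 ms",
    "46 bytes from xxx.xxx.xx.xxx: flags=SA seq=0 ttl=123 id=10872 win=8576 rtt=27.3 ms",
    "46 bytes from xxx.xxx.xxx.xxx: flags=SA seq=0 ttl=118 id=45018 win=32768 rtt=860.1 ms",
]

HOP_RE = re.compile(r"^\s*(\d+)\s+.*TTL:(\d+)\s*$")   # traceroute line with hop and reply TTL
TTL_FIELD_RE = re.compile(r"\bttl=(\d+)\b")           # ttl=N field in an hping reply


def infer_initial_ttl(observed: int) -> int:
    """Return the smallest common initial TTL that is >= the observed value."""
    if not 0 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    raise AssertionError("unreachable: 255 is always a candidate")


def distance_from_ttl(observed: int) -> Tuple[int, int]:
    """Return (inferred initial TTL, number of decrements the reply suffered)."""
    initial = infer_initial_ttl(observed)
    return initial, initial - observed


def parse_hping_reply(line: str) -> Tuple[int, int]:
    """Extract the ttl=N field from an hping reply line and classify it."""
    m = TTL_FIELD_RE.search(line)
    if m is None:
        raise ValueError(f"no ttl field in: {line!r}")
    return distance_from_ttl(int(m.group(1)))


@dataclass
class HopReport:
    hop: int
    observed_ttl: int
    initial_ttl: int
    expected_decrements: int  # hop - 1: routers between the prober and the replying host
    actual_decrements: int    # initial_ttl - observed_ttl

    @property
    def non_decrementing_devices(self) -> int:
        """Positive when the reply lost fewer decrements than its hop position implies."""
        return self.expected_decrements - self.actual_decrements


def analyse_traceroute(text: str) -> List[HopReport]:
    """Compare each hop's reply TTL with the decrements its position implies.

    Assumes a symmetric path (the reply crosses as many routers as the probe did)
    and that the replying host started from one of INITIAL_TTLS.
    """
    reports = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m is None:
            continue   # header line or a hop with no TTL annotation
        hop, observed = int(m.group(1)), int(m.group(2))
        initial, actual = distance_from_ttl(observed)
        reports.append(HopReport(hop, observed, initial, hop - 1, actual))
    return reports


if __name__ == "__main__":
    for r in analyse_traceroute(TRACEROUTE_SAMPLE):
        note = ""
        if r.non_decrementing_devices:
            note = f"  <- {r.non_decrementing_devices} non-decrementing device(s) in path"
        print(f"hop {r.hop}: ttl {r.observed_ttl} (initial {r.initial_ttl}, "
              f"{r.actual_decrements} decrements){note}")
    for line in HPING_SAMPLE:
        print(line.split()[2], parse_hping_reply(line))
```

Run as a script it prints one line per hop; hops 1 to 6 come out consistent and hop 7 is flagged with one non-decrementing device, the firewall sitting between the router and the DMZ host. The hping replies classify as (128, 0), (128, 5) and (128, 10), i.e. all three hosts look like 128-initial-TTL systems at different distances, which is as far as the TTL alone can take you without the release-to-release variation the reply above points out.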
This archive was generated by hypermail 2b30 : Fri May 25 2001 - 10:58:50 PDT