> -----Original Message-----
> From: pen-test-return-93-filipe=ist.utl.ptat_private [mailto:pen-
> test-return-93-filipe=ist.utl.ptat_private] On Behalf Of Fernando
> Cardoso
> Sent: Sunday, 27 May 2001 21:02
> To: jlewisat_private
> Cc: 'Jacek Lipkowski'; PEN-TESTat_private
> Subject: Re: RE: PIX and ttl
>
> NMAP scans for hosts beyond "stateful aware" firewalls are quite
> difficult. The first problem lies in the firewall design. If a packet
> is not in the connection table and it's not a SYN packet it is simply
> dropped. The other problem is TCP options. Most firewalls will drop
> those packets also.
>
> In a recent pen-test I realized that Win 2k hosts beyond a PIX would
> only respond to NMAP test #5, the only one that uses a standard SYN,
> while if those boxes were outside the filtered network, they would
> reply to all 8 tests.

And if you are using some kind of SynDefender, even the SYN packets may be
generated by the firewall, depending on the SynDefender method you are using.

> The workaround is to break in and NMAP from the internal network ;)

Another option is to do some research on the possibility of doing
fingerprinting on the other TCP states (ESTABLISHED, FIN_WAIT, ...).

A method I use to discover Windows machines behind a stateful aware firewall
with SynDefender is to create ESTABLISHED connections and analyze the ip.id
increments. This analysis can be expanded to other fields of the packets and
other states by doing some research.

Perhaps a fingerprinting system that uses traces from a tcpdump session?
Anyone?

--
Filipe Almeida
filipeat_private
Aka LiquidK
Administração da Rede das Novas Licenciaturas
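The ip.id-increment analysis mentioned in the message above, as an added example that is not part of the original thread: a small audit routine that takes the ip.id values observed on one ESTABLISHED connection to a host and classifies how that host assigns the field, so an administrator can see which of their own hosts expose a predictable counter. The sample sequences and the classification thresholds are constructed assumptions for this example, not a published fingerprint database.

```python
from collections import Counter

# Constructed sample ip.id sequences (16-bit values as tcpdump would show them),
# one per hypothetical host, captured on a single established connection.
SAMPLES = {
    "incremental_host": [4101, 4102, 4103, 4104, 4105, 4106],
    "byte_swapped_host": [0x0100, 0x0200, 0x0300, 0x0400, 0x0500, 0x0600],
    "random_host": [0x3F1A, 0x9B02, 0x0C77, 0xE4D9, 0x5A13, 0x7FE0],
    "zero_host": [0, 0, 0, 0, 0, 0],
}

def ipid_deltas(ids):
    """Differences between consecutive ip.id values, modulo the 16-bit field."""
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]

def classify_ipid(ids, min_samples=4):
    """Classify an ip.id sequence as zero, incremental, incremental-256,
    busy-incremental or random. Thresholds are assumptions for this example."""
    if len(ids) < min_samples:
        return "insufficient"
    if all(i == 0 for i in ids):
        return "zero"
    deltas = ipid_deltas(ids)
    most_common, count = Counter(deltas).most_common(1)[0]
    if count == len(deltas):
        if most_common == 1:
            return "incremental"
        if most_common == 256:
            # Counter incremented in host byte order and sent unswapped;
            # commonly attributed to older Windows stacks.
            return "incremental-256"
    # Small, always-positive steps with jitter: a global counter shared with
    # other traffic on a busy host, still predictable but noisier.
    if all(0 < d <= 1000 for d in deltas):
        return "busy-incremental"
    return "random"

def audit(samples):
    """Map each host name to the verdict for its observed ip.id sequence."""
    return {name: classify_ipid(ids) for name, ids in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host}: {verdict}")
```

Hosts reported as anything other than "random" or "zero" leak a predictable ip.id and are the ones worth reviewing or patching on the defender's side.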
This archive was generated by hypermail 2b30 : Mon May 28 2001 - 12:31:51 PDT