I have access to a Whale air-gap, I will check it out.

Eliot Mansfield

-----Original Message-----
From: Yonatan Bokovza [mailto:Yonatanat_private]
Sent: 20 March 2003 18:29
To: pen-testat_private
Subject: Network mapping oddity

Hi all,

During the network mapping phase of a penetration test I've run into something weird, and I'd like to hear more opinions on this matter.

The target (xx.xx.xx.1) is a web server behind a firewall (xx.xx.xx.2), 21 hops away. Between both of them there is a filter that:

1. Replies with RST+ACK to SYN with TTL=20. The RST+ACK source is of the tested target.
2. Ignores the fact that the TCP-checksum is wrong.

I'm aware of http://www.phrack.org/show.php?p=60&a=12 suggesting this is a load-balancer. What do you think?

At first I thought it might be an Air-Gap product, as they disassemble and reassemble the TCP session. I then found out a DNS server behind this filter, and I know Air-Gap products don't handle UDP by default.

Please ignore the differences in TTL (in the first example, for instance, 21!=128-109). This client has a BGP connection and the incoming packets do not travel the same path as the outgoing packets.

Best Regards,
Yonatan Bokovza
IT Security Consultant
Xpert Systems

Hping session follows:

#> hping -S -c 1 -p 80 -t 21 xx.xx.xx.1
HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
len=46 ip=xx.xx.xx.1 ttl=109 id=33493 sport=80 flags=SA seq=0 win=512 rtt=224.9 ms

--- xx.xx.xx.1 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 224.9/224.9/224.9 ms

#> hping -S -c 1 -p 80 -t 21 -b xx.xx.xx.1
HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
len=46 ip=xx.xx.xx.1 ttl=109 id=64110 sport=80 flags=SA seq=0 win=512 rtt=190.8 ms

--- xx.xx.xx.1 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 190.8/190.8/190.8 ms

#> hping -S -c 1 -p 80 -t 20 -b xx.xx.xx.1
HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
len=46 ip=xx.xx.xx.1 ttl=236 id=40067 sport=80 flags=RA seq=0 win=0 rtt=174.3 ms

--- xx.xx.xx.1 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 174.3/174.3/174.3 ms

#> hping -S -c 1 -p 80 -t 20 -b xx.xx.xx.1
HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes

--- xx.xx.xx.1 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

#> hping -S -c 1 -p 80 -t 19 xx.xx.xx.1
HPING xx.xx.xx.1 (fxp0 xx.xx.xx.1): S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=xx.xx.xx.2 name=firewall.client.com

--- xx.xx.xx.1 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

#>

----------------------------------------------------------------------------
Did you know that you have VNC running on your network? Your hacker does. Plug your security holes now!
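A small parser over the hping session above, added here as an example and not part of either mail, that pairs each probe with its reply and separates answers from the target's own stack (SYN/ACK, IP TTL 109) from answers that carry the target's address but a different fingerprint (RST/ACK, IP TTL 236, window 0), and records whether a SYN with a bad TCP checksum was still answered. The session text is the post's own output with the statistics lines dropped; the xx.xx.xx.* placeholders are kept as the page shows them, and the function names are this example's own.

```python
import re

# The hping session from the post above (statistics lines dropped, xx.xx.xx.*
# placeholders kept exactly as the page shows them); constructed test input.
SESSION = """\
#> hping -S -c 1 -p 80 -t 21 xx.xx.xx.1
len=46 ip=xx.xx.xx.1 ttl=109 id=33493 sport=80 flags=SA seq=0 win=512 rtt=224.9 ms
#> hping -S -c 1 -p 80 -t 21 -b xx.xx.xx.1
len=46 ip=xx.xx.xx.1 ttl=109 id=64110 sport=80 flags=SA seq=0 win=512 rtt=190.8 ms
#> hping -S -c 1 -p 80 -t 20 -b xx.xx.xx.1
len=46 ip=xx.xx.xx.1 ttl=236 id=40067 sport=80 flags=RA seq=0 win=0 rtt=174.3 ms
#> hping -S -c 1 -p 80 -t 19 xx.xx.xx.1
TTL 0 during transit from ip=xx.xx.xx.2 name=firewall.client.com
"""

CMD = re.compile(r"^#> hping .*?-t (?P<ttl>\d+)(?P<badsum> -b)? ")   # -b = bad TCP checksum
REPLY = re.compile(r"ip=(?P<src>\S+) ttl=(?P<ttl>\d+) .*flags=(?P<flags>\w+) .*win=(?P<win>\d+)")
EXPIRED = re.compile(r"TTL 0 during transit from ip=(?P<src>\S+)")

def parse_session(text):
    """Pair each probe (its outgoing TTL and checksum setting) with the reply it got."""
    rows, probe = [], None
    for line in text.splitlines():
        if m := CMD.match(line):
            probe = {"probe_ttl": int(m["ttl"]), "bad_sum": bool(m["badsum"])}
        elif (m := REPLY.search(line)) and probe:
            rows.append({**probe, "kind": m["flags"], "src": m["src"],
                         "reply_ttl": int(m["ttl"]), "win": int(m["win"])})
        elif (m := EXPIRED.search(line)) and probe:
            rows.append({**probe, "kind": "TTL-EXCEEDED", "src": m["src"],
                         "reply_ttl": None, "win": None})
    return rows

def find_interposed_responder(rows, target):
    """Flag replies that carry the target's address but not the target's own
    stack fingerprint: RST/ACK whose IP TTL differs from every SYN/ACK the target
    itself sent. That is a device in the path answering as the target.
    A SYN/ACK to a bad-checksum SYN (bad_sum=True) means the same device is
    terminating and re-creating the TCP session rather than forwarding it."""
    own_ttls = {r["reply_ttl"] for r in rows if r["kind"] == "SA" and r["src"] == target}
    proxied = any(r["kind"] == "SA" and r["bad_sum"] for r in rows)
    hits = [{"hop": r["probe_ttl"], "reply_ttl": r["reply_ttl"], "win": r["win"]}
            for r in rows
            if r["kind"] == "RA" and r["src"] == target and r["reply_ttl"] not in own_ttls]
    return {"interposed_at": hits, "bad_checksum_accepted": proxied}

if __name__ == "__main__":
    print(find_interposed_responder(parse_session(SESSION), "xx.xx.xx.1"))
```

On the post's data this reports an interposed responder at hop 20 (reply TTL 236, window 0) and that a bad-checksum SYN still drew a SYN/ACK, which is the pair of observations the post attributes to a session-terminating device in the path.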
Download a free 15-day trial of VAM: http://www2.stillsecure.com/download/sf_vuln_list.html
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 08:07:46 PST