Fwd: packet filter fingerprinting(open but closed, closed but filtered)
- To: misc@openbsd.org
- Subject: Fwd: packet filter fingerprinting(open but closed, closed but filtered)
- From: Black Berry <berry@sikurezza.org>
- Date: Mon, 01 Apr 2002 21:05:12 +0200
- Received: FROM n0rad.sikurezza.org ([127.0.0.1]) BY n0rad.local WITH ESMTP ; Mon, 1 Apr 2002 21:05:12 +0200
Sorry for the spam, but this is very interesting.
Cheers
Berry
PS: I really hope that this post doesn't launch any annoying pf && ipf flames.
>To: bugtraq@securityfocus.com
>Subject: packet filter fingerprinting(open but closed, closed but filtered)
>Mail-Followup-To: bugtraq@securityfocus.com
>User-Agent: Mutt/1.3.28i
>
>Hi fellow bugtraqers,
>
>recently, playing with raw sockets and PF (OpenBSD 3.0), I noticed
>that when you have a return-rst rule for some TCP packet, the TTL field
>in the IP header of the RST packet that is sent by PF equals 128, while
>the default TTL for OpenBSD 3.0 is 64, so we can actually see which
>TCP ports are blocked by PF and which are open but closed (nothing
>on them).
>So then I grabbed the ipfilter (3.4.25) source and saw that for Solaris
>(SunOS 5) ipfilter's default TTL for RST packets is 60, while when
>the port is open (by ipfilter) but nothing listens on it, the TTL is
>reflected from the packet the RST is being sent in reply to (TTL
>reflection could also be used for OS fingerprinting: some OSs (Sol7)
>reflect the TTL and some use their default TTL); and for Linux
>ipfilter's TTL is 127 while the default is 255.
>
>So if we know the distance to our target we could:
>
>- use the information for packet filter fingerprinting, possibly OS
>fingerprinting;
>- find out firewall ACLs, and what ports are actually blocked by the
>firewall and what ports are open but nothing listens on them (so that
>we modify the exploit to bind a shell on an open port, for example);
>
>Regards,
>Meder Kydyraliev
>
>PS: it is fixed in OpenBSD -CURRENT, thanks to Daniel Hartmeier.
>PPS: didn't have Linux, so couldn't check that with iptables/ipchains
>
>
>here is snort output for OpenBSD(PF) with return-rst for port 5555:
>
>03/31-17:26:02.282644 xxx.xxx.xxx.xxx:61230 -> xxx.xxx.xxx.xxx:5555
>TCP TTL:255 TOS:0x0 ID:24383 IpLen:20 DgmLen:44 DF
>******S* Seq: 0x9379CC65 Ack: 0x0 Win: 0x2238 TcpLen: 24
>TCP Options (1) => MSS: 1460
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>03/31-17:26:02.282793 xxx.xxx.xxx.xxx:5555 -> xxx.xxx.xxx.xxx:61230
>TCP TTL:128 TOS:0x0 ID:48505 IpLen:20 DgmLen:40
> ^^^^^^^
>***A*R** Seq: 0x0 Ack: 0x9379CC66 Win: 0x0 TcpLen: 20
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
>
>here is snort output for OpenBSD with an open (by PF) but closed (nothing
>listening on it) port:
>
>03/31-17:26:33.326327 xxx.xxx.xxx.xxx:61257 -> xxx.xxx.xxx.xxx:52000
>TCP TTL:255 TOS:0x0 ID:24384 IpLen:20 DgmLen:44 DF
>******S* Seq: 0x39DCC231 Ack: 0x0 Win: 0x2238 TcpLen: 24
>TCP Options (1) => MSS: 1460
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>03/31-17:26:33.326481 xxx.xxx.xxx.xxx:52000 -> xxx.xxx.xxx.xxx:61257
>TCP TTL:64 TOS:0x0 ID:57309 IpLen:20 DgmLen:40 DF
> ^^^^^^
>***A*R** Seq: 0x0 Ack: 0x39DCC232 Win: 0x0 TcpLen: 20
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
>and now Solaris 7 with ipfilter(3.4.25) with return-rst rule:
>
>03/31-17:30:16.997579 xxx.xxx.xxx.xxx:12879 -> xxx.xxx.xxx.xxx:1521
>TCP TTL:64 TOS:0x10 ID:7967 IpLen:20 DgmLen:64 DF
>******S* Seq: 0x6A3518CE Ack: 0x0 Win: 0x4000 TcpLen: 44
>TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP
>TCP Options => TS: 1615975242 0
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>03/31-17:30:16.997785 xxx.xxx.xxx.xxx:1521 -> xxx.xxx.xxx.xxx:12879
>TCP TTL:60 TOS:0x10 ID:15731 IpLen:20 DgmLen:40 DF
> ^^^^^^
>***A*R** Seq: 0x0 Ack: 0x6A3518CF Win: 0x0 TcpLen: 20
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>and just a port w/o daemon on it:
>
>03/31-17:30:57.379170 xxx.xxx.xxx.xxx:29599 -> xxx.xxx.xxx.xxx:42000
>TCP TTL:64 TOS:0x10 ID:25418 IpLen:20 DgmLen:64 DF
>******S* Seq: 0xF016BF9 Ack: 0x0 Win: 0x4000 TcpLen: 44
>TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP
>TCP Options => TS: 1615975323 0
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>03/31-17:30:57.379449 xxx.xxx.xxx.xxx:42000 -> xxx.xxx.xxx.xxx:29599
>TCP TTL:64 TOS:0x10 ID:15732 IpLen:20 DgmLen:40 DF
> ^^^^^^
>***A*R** Seq: 0x0 Ack: 0xF016BFA Win: 0x0 TcpLen: 20
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
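As an added, defender-side example (not part of the original post or of PF/ipfilter), here is a Python check that parses snort -v style records like those quoted above and flags RST segments whose TTL does not match the sending host's own initial TTL, the inconsistency the post describes; the sample records and the 192.0.2.x addresses are constructed, and `expected_ttl`/`hops` are parameters assumed for this example.

```python
import re

# Constructed sample in snort -v style, modelled on the records quoted above
# (not the original capture). Two RST/ACKs from the same host: one with TTL 128
# (what the quoted pf return-rst produced) and one with TTL 64 (the kernel's own).
SAMPLE_SNORT = """\
03/31-17:26:02.282793 192.0.2.10:5555 -> 192.0.2.20:61230
TCP TTL:128 TOS:0x0 ID:48505 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x9379CC66 Win: 0x0 TcpLen: 20

03/31-17:26:33.326481 192.0.2.10:52000 -> 192.0.2.20:61257
TCP TTL:64 TOS:0x0 ID:57309 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0x39DCC232 Win: 0x0 TcpLen: 20
"""

HDR_RE = re.compile(r"^\S+ (\S+):(\d+) -> \S+:\d+$")   # timestamp src -> dst
TTL_RE = re.compile(r"^TCP TTL:(\d+) ")                 # IP header summary line
FLAGS_RE = re.compile(r"^([*A-Z]{8}) Seq:")              # TCP flags line

def parse_rsts(text):
    """Return [(src_ip, src_port, ttl)] for each record whose TCP flags include RST."""
    rsts, src, ttl = [], None, None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:                      # new record: remember sender, reset TTL
            src, ttl = (m.group(1), int(m.group(2))), None
            continue
        m = TTL_RE.match(line)
        if m:
            ttl = int(m.group(1))
            continue
        m = FLAGS_RE.match(line)
        if m and src is not None and ttl is not None:
            if "R" in m.group(1):
                rsts.append((src[0], src[1], ttl))
    return rsts

def audit_rst_ttls(text, expected_ttl, hops=0):
    """Flag RSTs whose TTL is not the host's initial TTL minus the hop distance.
    A hit means something other than the host's kernel (e.g. a packet filter's
    return-rst) built the segment, which is exactly what lets the port be told
    apart from a genuinely closed one; a clean audit means the filter is not leaking."""
    return [(ip, port, ttl) for ip, port, ttl in parse_rsts(text)
            if ttl != expected_ttl - hops]

if __name__ == "__main__":
    for ip, port, ttl in audit_rst_ttls(SAMPLE_SNORT, expected_ttl=64):
        print(f"{ip}:{port} RST arrived with TTL {ttl}, expected 64: filter-generated?")
```

Run it against a capture of your own firewall's replies (taken zero hops away, or with `hops` set to the measured distance) to confirm every RST carries the kernel's initial TTL.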