[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    packet filter fingerprinting(open but closed, closed but filtered)
From:       Meder Kydyraliev <bugtraq () web ! areopag ! net>
Date:       2002-03-31 12:40:35
[Download RAW message or body]

Hi fellow bugtraqers,

recently playing with raw sockets and PF (OpenBSD 3.0) i noticed 
that when you have return-rst rule for some tcp packet, ttl field
in ip header of rst packet, that is sent by PF, equals 128, while 
default ttl for OpenBSD 3.0 is 64, so we can actually see what
tcp ports are blocked by pf and which are open, but closed(nothing
on them).
So then i grabed ipfilter(3.4.25) source and saw that for Solaris
(SunOS5) ipfilter's default ttl for rst packets is 60, while when
the port is open(by ipfilter) but nothing listens on it ttl is 
reflected from the packet (ttl reflection could also be used for OS
figerprinting, some OSs (Sol7) reflect ttl and some use their default
ttl) the rst is being sent to; and for linux ipfilter's ttl is 127
while default is 255.

So if we know the distance to our target we could:

- use the information for packetfilter fingerprinting, possibly OS 
fingerprinting;
- find out firewall acls, and what ports are actually blocked by 
firewall and what ports are open but nothing listens on them(so that
we modify exploit to bind a shell on an open port, for example);

Regards,
Meder Kydyraliev

PS: it is fixed in OpenBSD -CURRENT, thanks to Daniel Hartmeier.
PPS: didn't have linux, so couldn't check that with iptables/ipchains


here is snort output for OpenBSD(PF) with return-rst for port 5555:

03/31-17:26:02.282644 xxx.xxx.xxx.xxx:61230 -> xxx.xxx.xxx.xxx:5555
TCP TTL:255 TOS:0x0 ID:24383 IpLen:20 DgmLen:44 DF
******S* Seq: 0x9379CC65  Ack: 0x0  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/31-17:26:02.282793 xxx.xxx.xxx.xxx:5555 -> xxx.xxx.xxx.xxx:61230
TCP TTL:128 TOS:0x0 ID:48505 IpLen:20 DgmLen:40
    ^^^^^^^
***A*R** Seq: 0x0  Ack: 0x9379CC66  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



here is snort output for OpenBSD with an open(by PF)  but closed(nothing 
listening on it) port:

03/31-17:26:33.326327 xxx.xxx.xxx.xxx:61257 -> xxx.xxx.xxx.xxx:52000
TCP TTL:255 TOS:0x0 ID:24384 IpLen:20 DgmLen:44 DF
******S* Seq: 0x39DCC231  Ack: 0x0  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/31-17:26:33.326481 xxx.xxx.xxx.xxx:52000 -> xxx.xxx.xxx.xxx:61257
TCP TTL:64 TOS:0x0 ID:57309 IpLen:20 DgmLen:40 DF
    ^^^^^^
***A*R** Seq: 0x0  Ack: 0x39DCC232  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


and now Solaris 7 with ipfilter(3.4.25) with return-rst rule:

03/31-17:30:16.997579 xxx.xxx.xxx.xxx:12879 -> xxx.xxx.xxx.xxx:1521
TCP TTL:64 TOS:0x10 ID:7967 IpLen:20 DgmLen:64 DF
******S* Seq: 0x6A3518CE  Ack: 0x0  Win: 0x4000  TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP 
TCP Options => TS: 1615975242 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/31-17:30:16.997785 xxx.xxx.xxx.xxx:1521 -> xxx.xxx.xxx.xxx:12879
TCP TTL:60 TOS:0x10 ID:15731 IpLen:20 DgmLen:40 DF
    ^^^^^^
***A*R** Seq: 0x0  Ack: 0x6A3518CF  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and just a port w/o daemon on it:

03/31-17:30:57.379170 xxx.xxx.xxx.xxx:29599 -> xxx.xxx.xxx.xxx:42000
TCP TTL:64 TOS:0x10 ID:25418 IpLen:20 DgmLen:64 DF
******S* Seq: 0xF016BF9  Ack: 0x0  Win: 0x4000  TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP 
TCP Options => TS: 1615975323 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/31-17:30:57.379449 xxx.xxx.xxx.xxx:42000 -> xxx.xxx.xxx.xxx:29599
TCP TTL:64 TOS:0x10 ID:15732 IpLen:20 DgmLen:40 DF
    ^^^^^^
***A*R** Seq: 0x0  Ack: 0xF016BFA  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic