List: bugtraq
Subject: packet filter fingerprinting(open but closed, closed but filtered)
From: Meder Kydyraliev <bugtraq () web ! areopag ! net>
Date: 2002-03-31 12:40:35
Hi fellow bugtraqers,
Recently, while playing with raw sockets and PF (OpenBSD 3.0), I noticed
that when you have a return-rst rule for some TCP packet, the TTL field
in the IP header of the RST packet that is sent by PF equals 128, while
the default TTL for OpenBSD 3.0 is 64, so we can actually see which
TCP ports are blocked by PF and which are open but closed (nothing
on them).
So then I grabbed the ipfilter (3.4.25) source and saw that for Solaris
(SunOS5) ipfilter's default TTL for RST packets is 60, while when the
port is open (by ipfilter) but nothing listens on it, the TTL is
reflected from the packet the RST is being sent in reply to (TTL
reflection could also be used for OS fingerprinting: some OSs (Sol7)
reflect the TTL and some use their default TTL); and for Linux
ipfilter's TTL is 127 while the default is 255.
So if we know the distance to our target we could:
- use the information for packet filter fingerprinting, possibly OS
fingerprinting;
- find out firewall ACLs, i.e. what ports are actually blocked by the
firewall and what ports are open but nothing listens on them (so that
we modify the exploit to bind a shell on an open port, for example).
Regards,
Meder Kydyraliev
PS: it is fixed in OpenBSD -CURRENT, thanks to Daniel Hartmeier.
PPS: I didn't have Linux, so I couldn't check that with iptables/ipchains.
Here is Snort output for OpenBSD (PF) with return-rst for port 5555:
03/31-17:26:02.282644 xxx.xxx.xxx.xxx:61230 -> xxx.xxx.xxx.xxx:5555
TCP TTL:255 TOS:0x0 ID:24383 IpLen:20 DgmLen:44 DF
******S* Seq: 0x9379CC65 Ack: 0x0 Win: 0x2238 TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/31-17:26:02.282793 xxx.xxx.xxx.xxx:5555 -> xxx.xxx.xxx.xxx:61230
TCP TTL:128 TOS:0x0 ID:48505 IpLen:20 DgmLen:40
^^^^^^^
***A*R** Seq: 0x0 Ack: 0x9379CC66 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Here is Snort output for OpenBSD with an open (by PF) but closed (nothing
listening on it) port:
03/31-17:26:33.326327 xxx.xxx.xxx.xxx:61257 -> xxx.xxx.xxx.xxx:52000
TCP TTL:255 TOS:0x0 ID:24384 IpLen:20 DgmLen:44 DF
******S* Seq: 0x39DCC231 Ack: 0x0 Win: 0x2238 TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/31-17:26:33.326481 xxx.xxx.xxx.xxx:52000 -> xxx.xxx.xxx.xxx:61257
TCP TTL:64 TOS:0x0 ID:57309 IpLen:20 DgmLen:40 DF
^^^^^^
***A*R** Seq: 0x0 Ack: 0x39DCC232 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
And now Solaris 7 with ipfilter (3.4.25) with a return-rst rule:
03/31-17:30:16.997579 xxx.xxx.xxx.xxx:12879 -> xxx.xxx.xxx.xxx:1521
TCP TTL:64 TOS:0x10 ID:7967 IpLen:20 DgmLen:64 DF
******S* Seq: 0x6A3518CE Ack: 0x0 Win: 0x4000 TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP
TCP Options => TS: 1615975242 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/31-17:30:16.997785 xxx.xxx.xxx.xxx:1521 -> xxx.xxx.xxx.xxx:12879
TCP TTL:60 TOS:0x10 ID:15731 IpLen:20 DgmLen:40 DF
^^^^^^
***A*R** Seq: 0x0 Ack: 0x6A3518CF Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
And just a port without a daemon on it:
03/31-17:30:57.379170 xxx.xxx.xxx.xxx:29599 -> xxx.xxx.xxx.xxx:42000
TCP TTL:64 TOS:0x10 ID:25418 IpLen:20 DgmLen:64 DF
******S* Seq: 0xF016BF9 Ack: 0x0 Win: 0x4000 TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP
TCP Options => TS: 1615975323 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/31-17:30:57.379449 xxx.xxx.xxx.xxx:42000 -> xxx.xxx.xxx.xxx:29599
TCP TTL:64 TOS:0x10 ID:15732 IpLen:20 DgmLen:40 DF
^^^^^^
***A*R** Seq: 0x0 Ack: 0xF016BFA Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
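The classification the post describes, written out as an added example (this is not code from the original post or from the PF/ipfilter projects): parse Snort output of the kind shown above, pair each SYN probe with the RST that answers it, add the measured hop count back onto the RST's TTL to recover its initial TTL, and decide whether the RST came from the host's TCP stack (port passed the filter, nothing listening) or from the filter's return-rst code. The sample captures are constructed from the exchanges quoted in the post; the hop count (0, consistent with the captures returning their full default TTL), the host default TTLs (64 for OpenBSD 3.0, 255 for Solaris 7) and the table of filter RST TTLs are assumptions taken from the post and must be measured or confirmed for a real target.

```python
"""RST TTL classification: stack RST (open but closed) vs filter RST.

Added example, not code from the original bugtraq post.  The Snort-style
captures below are constructed from the exchanges quoted in the post; hop
count and per-OS default TTLs are assumptions for the demonstration.
"""
import re

# Initial TTLs the post reports for filter-generated RSTs (assumed values);
# anything else is reported as unknown rather than guessed.
FILTER_RST_TTLS = {
    128: "pf return-rst (OpenBSD 3.0)",
    60: "ipfilter 3.4.25 return-rst (SunOS5)",
    127: "ipfilter 3.4.25 return-rst (Linux)",
}
HDR_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
TTL_RE = re.compile(r"\bTTL:(\d+)\b")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:")  # Snort flag string 12UAPRSF


def parse_snort(text):
    """Parse Snort -v style output into packet dicts (src/sport/dst/dport/ttl/flags)."""
    packets, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = HDR_RE.match(line)
        if m:
            cur = {"src": m[1], "sport": int(m[2]), "dst": m[3], "dport": int(m[4])}
            continue
        m = TTL_RE.search(line)
        if m and cur and "ttl" not in cur:
            cur["ttl"] = int(m[1])
            continue
        m = FLAGS_RE.match(line)
        if m and "ttl" in cur:
            cur["flags"] = m[1]
            packets.append(cur)
            cur = {}
    return packets


def classify_rst(rst_ttl, hops, host_default_ttl, probe_ttl=None):
    """Recover the RST's initial TTL (observed + hops) and say who sent it.

    A stack that reflects the arriving TTL (the post names Solaris 7) answers
    with probe_ttl - hops, so after the return trip we see probe_ttl - 2*hops.
    """
    initial = rst_ttl + hops
    if initial == host_default_ttl:
        return "open-but-closed: RST from TCP stack, nothing listening"
    if probe_ttl is not None and initial == probe_ttl - hops:
        return "open-but-closed: RST from TCP stack (TTL reflected from probe)"
    if initial in FILTER_RST_TTLS:
        return "filtered: RST from " + FILTER_RST_TTLS[initial]
    return "unknown: inferred initial TTL %d" % initial


def analyze(capture, hops, host_default_ttl):
    """Match each SYN probe in a capture with the RST answering it and classify."""
    packets = parse_snort(capture)
    results = {}
    for syn in packets:
        if "S" not in syn["flags"] or "A" in syn["flags"]:
            continue  # only pure SYN probes
        rst = next((p for p in packets if "R" in p["flags"]
                    and p["src"] == syn["dst"] and p["sport"] == syn["dport"]
                    and p["dport"] == syn["sport"]), None)
        if rst is None:
            results[syn["dport"]] = "no RST (listening, dropped, or unanswered)"
        else:
            results[syn["dport"]] = classify_rst(rst["ttl"], hops,
                                                 host_default_ttl, syn["ttl"])
    return results


# Constructed from the post's own captures (placeholder addresses kept).
OPENBSD_PF = """\
03/31-17:26:02.282644 xxx.xxx.xxx.xxx:61230 -> xxx.xxx.xxx.xxx:5555
TCP TTL:255 TOS:0x0 ID:24383 IpLen:20 DgmLen:44 DF
******S* Seq: 0x9379CC65 Ack: 0x0 Win: 0x2238 TcpLen: 24
03/31-17:26:02.282793 xxx.xxx.xxx.xxx:5555 -> xxx.xxx.xxx.xxx:61230
TCP TTL:128 TOS:0x0 ID:48505 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x9379CC66 Win: 0x0 TcpLen: 20
03/31-17:26:33.326327 xxx.xxx.xxx.xxx:61257 -> xxx.xxx.xxx.xxx:52000
TCP TTL:255 TOS:0x0 ID:24384 IpLen:20 DgmLen:44 DF
******S* Seq: 0x39DCC231 Ack: 0x0 Win: 0x2238 TcpLen: 24
03/31-17:26:33.326481 xxx.xxx.xxx.xxx:52000 -> xxx.xxx.xxx.xxx:61257
TCP TTL:64 TOS:0x0 ID:57309 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0x39DCC232 Win: 0x0 TcpLen: 20
"""
SOLARIS_IPF = """\
03/31-17:30:16.997579 xxx.xxx.xxx.xxx:12879 -> xxx.xxx.xxx.xxx:1521
TCP TTL:64 TOS:0x10 ID:7967 IpLen:20 DgmLen:64 DF
******S* Seq: 0x6A3518CE Ack: 0x0 Win: 0x4000 TcpLen: 44
03/31-17:30:16.997785 xxx.xxx.xxx.xxx:1521 -> xxx.xxx.xxx.xxx:12879
TCP TTL:60 TOS:0x10 ID:15731 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0x6A3518CF Win: 0x0 TcpLen: 20
03/31-17:30:57.379170 xxx.xxx.xxx.xxx:29599 -> xxx.xxx.xxx.xxx:42000
TCP TTL:64 TOS:0x10 ID:25418 IpLen:20 DgmLen:64 DF
******S* Seq: 0xF016BF9 Ack: 0x0 Win: 0x4000 TcpLen: 44
03/31-17:30:57.379449 xxx.xxx.xxx.xxx:42000 -> xxx.xxx.xxx.xxx:29599
TCP TTL:64 TOS:0x10 ID:15732 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0xF016BFA Win: 0x0 TcpLen: 20
"""
```

Run `analyze(OPENBSD_PF, hops=0, host_default_ttl=64)` and `analyze(SOLARIS_IPF, hops=0, host_default_ttl=255)`: port 5555 is reported as filtered by pf, 52000 as a stack RST, 1521 as filtered by ipfilter, and 42000 as a stack RST whose TTL was reflected from the probe. Two caveats the post implies but does not spell out: the hop count must be measured (a wrong value shifts every inferred initial TTL by the same amount and can push a real filter RST into the "unknown" bucket), and the host-default check runs first, so a target whose own stack uses 128 (Windows) makes pf's 128 indistinguishable from a stack RST and the classifier will call it open-but-closed.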