
List:       bugtraq
Subject:    Re: The TCP Flags Playground
From:       "Granquist, Lamont" <lamont () ICOPYRIGHT ! COM>
Date:       2000-03-28 19:34:31

Unfortunately, it isn't anywhere near as simple as this.  For example,
older Linux stacks will respond to a SYN|FIN to an open port with a
SYN|FIN|ACK.  Also, when hitting a Solaris (2.5.1 and 2.6 at least) box,
the URG flag being turned on with a SYN will cause that packet to be
dropped.  There are other flag combinations which respond differently on
different systems, e.g. not everything that is FIN scannable is NULL
(no flags) scannable.

There are also other fun things that you can do to try to bypass firewalls
such as fragmenting your packets and sending them out-of-order.  You can
also try more advanced things like exploiting the 2.2.x ipchains fragment
reassembly bug.

On Mon, 27 Mar 2000, Ofir Arkin wrote:
> Ok, once and for all I want to list what certain TCP flag combinations do:
>
> Host Detection:
> Any combination of the ACK bit, except with a RST, would elicit a RST back
> from a probed machine whether we probe an opened port or a closed one.
>
> SYN+FIN+URG would elicit a RST|ACK back whether we probe an opened port or a
> closed one.
>
> SYN, SYN+FIN, SYN+PUSH, SYN+URG, SYN+FIN+PUSH, SYN+URG+PUSH,
> FIN+URG+PUSH+SYN, all will elicit a RST|ACK from a closed port and a SYN|ACK
> from an opened port.
>
> OS Distinguish:
> FIN, FIN+URG+PUSH, URG, URG+PUSH, URG+FIN, PUSH, PUSH+FIN and NULL flags
> would all elicit a RST|ACK on a closed port; *NIX machines will not respond
> when probed for an opened port, Windows machines still reply with RST|ACK.
>
> Filtering Device Present:
> If we use one of the Host Detection combinations and we do not get a reply,
> a filtering device is present and prevents the probe from going inside the
> protected "zone" or the reply from coming out.
>
> The Filtering Device is lame:
> if the firewall is just a simple packet filter that blocks incoming SYNs
> then some of the combinations I have listed would elicit a reply. If the
> firewall is stateful (AND does its job as it should. I have seen some
> idiotic cases where stateful was not implemented as it should.) nothing
> should pass it.
>
> Hope this clarifies some questions I have seen people ask on various
> mailing lists.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Ofir Arkin                      <ofir@packet-technologies.com>
> Security QA Manager    http://www.packet-technologies.com
> Packet Technologies
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> The opinions in this message are my own, and not in any
> way representative of Packet Technologies.
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
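Added example (not from either poster): a small Python classifier a sensor could use to label unsolicited TCP segments by the flag classes Ofir's table lists, with a constructed 20-byte header builder for sample input. It assumes the raw TCP header is handed over without the IP header, and that only the first segment of a flow is classified.

```python
import struct

# TCP flag bits as laid out in the low six bits of header byte 13 (RFC 793)
SYN, FIN, RST, PSH, ACK, URG = 0x02, 0x01, 0x04, 0x08, 0x10, 0x20
NAMES = {SYN: "SYN", FIN: "FIN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

def flag_names(flags: int) -> str:
    """Render a flag byte as e.g. 'SYN|FIN'; 'NULL' when no bit is set."""
    return "|".join(n for b, n in NAMES.items() if flags & b) or "NULL"

def parse_tcp_flags(segment: bytes) -> tuple[int, int, int]:
    """Return (sport, dport, flags) from a raw TCP header with no IP header in front."""
    sport, dport = struct.unpack("!HH", segment[:4])
    return sport, dport, segment[13] & 0x3F

def classify(flags: int) -> str:
    """Map a flag combination onto the probe classes listed in the quoted post.

    Meant for the first segment of a flow only: a mid-connection ACK or FIN is
    normal, so a real sensor must check connection state before alerting.
    """
    if flags & RST:
        return "reset"                       # replies, not probes
    if flags & ACK:
        return "ack-probe"                   # ACK without RST: RST from any live host
    if flags & SYN:
        extra = flags & ~SYN
        if extra == 0:
            return "syn"                     # ordinary connect / SYN scan
        if extra == (FIN | URG):
            return "syn-fin-urg"             # RST|ACK from open and closed ports alike
        return "syn-plus-" + flag_names(extra).lower()   # SYN|FIN etc.: SYN|ACK if open
    # no SYN, ACK or RST: FIN/NULL/Xmas family; *NIX open ports stay silent
    return "stealth-" + flag_names(flags).lower()

def make_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (seq, ack, window, checksum zeroed) for the demo."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)

def scan_summary(segments) -> dict[str, int]:
    """Count probe classes; several distinct classes from one source is a scan signature."""
    counts: dict[str, int] = {}
    for seg in segments:
        cls = classify(parse_tcp_flags(seg)[2])
        counts[cls] = counts.get(cls, 0) + 1
    return counts

# constructed sample: combinations from the quoted post, all aimed at port 80
SAMPLE = [make_tcp_header(40000 + i, 80, f) for i, f in enumerate(
    [ACK, SYN | FIN | URG, SYN, SYN | FIN, SYN | PSH, FIN, FIN | URG | PSH, 0, RST])]
```

Running `scan_summary(SAMPLE)` yields one hit per class; a source that trips several of the stealth and SYN-plus classes in a short window is what a flag-combination scan looks like from the defender's side.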
