
List:       bugtraq
Subject:    Re: ZoneAlarm
From:       Max Vision <vision () WHITEHATS ! COM>
Date:       2000-04-26 9:50:33

On Mon, 24 Apr 2000, Alfred Huger wrote:
> >Additionally, using nmap's -f flag allows you to send traffic past
> >ZoneAlarm without any alerts.
>
> I set up a copy on a local machine here and while I found that source port
> scans from 67 slipped past the firewall -f seemed to be alerted on just
> fine. Can anyone else comment to this?
>
Hi Al,

I get the same results you did; ZoneAlarm 2.1.10 alerts on a fragmented
SYN scan, but does not make any noise when the source port is set to 67.

# nmap -sS -p 139 -v -f -P0 victim.example.com
Initiating SYN half-open stealth scan against victim.example.com (23.23.23.23)

  04/26-02:11:52.260668 attacker -> 23.23.23.23
  TCP TTL:61 TOS:0x0 ID:15452  MF
  Frag Offset: 0x0   Frag Size: 0x10
  BC 49 00 8B 4D 4B C7 11 00 00 00 00 50 02 08 00  .I..MK......P...

  04/26-02:11:52.260745 attacker -> 23.23.23.23
  TCP TTL:61 TOS:0x0 ID:15452
  Frag Offset: 0x2   Frag Size: 0x4
  CA 49 00 00                                      .I..

ZoneAlarm reports
"The firewall has blocked Internet access to your computer (NetBIOS
Session) from attacker.example.com (TCP Port 3133)."

When I add the option for source port 67 (-g 67) ZoneAlarm does not alert
- however, the packets do not seem to be delivered either (no RST nor
SYN+ACK).

Now if you remove fragmentation from the picture, it looks like you can
use source porting (67 anyway) to circumvent the ZoneAlarm software.

# nc -p 67 victim.example.com 21
220 Serv-U FTP-Server v2.5e for WinSock ready...
quit

Without the bootp source port this connection is dropped and an alert is
generated.

Max
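The observation above is that ZoneAlarm lets a TCP connection through when its source port is 67 (bootp), while the same connection from an ordinary ephemeral port is dropped and alerted on. The following is an added example, not code from Max Vision's post nor from ZoneAlarm: a small detector that scans a connection log for new TCP connections (SYN without ACK) arriving from a DHCP service source port towards a non-DHCP destination port, which is the pattern the `nc -p 67` and `nmap -g 67` runs in the post produce. The log line format and the sample lines are constructed for this example; port 67 is what the post demonstrates, and including port 68 in the watched set is an assumption.

```python
"""Flag TCP connection attempts whose source port is a DHCP service port.

Added example (not part of the original post, not ZoneAlarm code). It models
the defender-side check for the bypass described in the thread: a host
firewall that trusts traffic because its *source* port is 67.
"""
import re
from dataclasses import dataclass

# Constructed log format (assumption): "<ts> <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>[A-Z]+)$"
)

# Source ports a naive filter may whitelist wholesale. 67 is the port the
# post demonstrates; 68 is added here as an assumption (the DHCP client side).
SERVICE_SOURCE_PORTS = {67, 68}


@dataclass
class Finding:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_suspicious(rec, service_ports=SERVICE_SOURCE_PORTS):
    """True for a new TCP connection (SYN, no ACK) that claims a DHCP service
    source port but targets a port that is not the DHCP peer port.

    Real DHCP is UDP between 67 and 68, so a TCP SYN from 67 to, say, 21 or 139
    is never legitimate DHCP traffic and should be treated as a bypass attempt.
    """
    flags = rec["flags"]
    if "S" not in flags or "A" in flags:
        return False
    return rec["sport"] in service_ports and rec["dport"] not in service_ports


def find_bypass_attempts(lines, service_ports=SERVICE_SOURCE_PORTS):
    """Return a Finding for every suspicious line; unparsable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_suspicious(rec, service_ports):
            continue
        findings.append(Finding(
            rec["ts"], rec["src"], rec["sport"], rec["dst"], rec["dport"],
            f"TCP SYN from service source port {rec['sport']} to port {rec['dport']}",
        ))
    return findings


# Constructed sample log mirroring the runs in the post (addresses are made up).
SAMPLE_LOG = [
    "04/26-02:11:52 10.0.0.5:3133 -> 23.23.23.23:139 S",  # ordinary probe; firewall alerts
    "04/26-02:12:10 10.0.0.5:67 -> 23.23.23.23:21 S",     # nc -p 67 ... 21 pattern
    "04/26-02:12:10 23.23.23.23:21 -> 10.0.0.5:67 SA",    # the reply; not a new connection
    "04/26-02:12:11 10.0.0.5:67 -> 23.23.23.23:139 S",    # nmap -g 67 probe, unfragmented
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in find_bypass_attempts(SAMPLE_LOG):
        print(f"{f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the sample log the detector reports the two SYNs sourced from port 67 and ignores both the normal probe (which the firewall already alerts on) and the SYN+ACK reply. The check is deliberately narrow: it keys on SYN-only segments so that legitimate return traffic to a local port 67 is not flagged.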
