Bugtraq mailing list archives
Re: The TCP Flags Playground
From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Tue, 28 Mar 2000 11:34:31 -0800
Unfortunately, it isn't anywhere near as simple as this. For example, older Linux stacks will respond to a SYN|FIN to an open port with a SYN|FIN|ACK. Also, when hitting a Solaris (2.5.1 and 2.6 at least) box, the URG flag being turned on with a SYN will cause that packet to be dropped. There are other flag combinations which respond differently on different systems, e.g. not everything that is FIN scannable is NULL (no flags) scannable. There are also other fun things that you can do to try to bypass firewalls such as fragmenting your packets and sending them out-of-order. You can also try more advanced things like exploiting the 2.2.x ipchains fragment reassembly bug.

On Mon, 27 Mar 2000, Ofir Arkin wrote:
> Ok, once and for all I want to list what certain TCP flag combinations do:
>
> Host Detection: Any combination of the ACK bit, except with a RST, would elicit a RST back from a probed machine whether we probe an open port or a closed one. SYN+FIN+URG would elicit a RST|ACK back whether we probe an open port or a closed one. SYN, SYN+FIN, SYN+PUSH, SYN+URG, SYN+FIN+PUSH, SYN+URG+PUSH, FIN+URG+PUSH+SYN all will elicit a RST|ACK from a closed port and a SYN|ACK from an open port.
>
> OS Distinguish: FIN, FIN+URG+PUSH, URG, URG+PUSH, URG+FIN, PUSH, PUSH+FIN and NULL flags would all elicit a RST|ACK on a closed port; *NIX machines will not respond when probed on an open port, Windows machines still reply with RST|ACK.
>
> Filtering Device Present: If we use one of the Host Detection combinations and we do not get a reply, a filtering device is present and prevents the probe from going inside the protected "zone" or the reply from coming out.
>
> The Filtering Device is lame: if the firewall is just a simple packet filter that blocks incoming SYNs, then some of the combinations I have listed would elicit a reply. If the firewall is stateful (AND does its job as it should; I have seen some idiotic cases where stateful was not implemented as it should be), nothing should pass it.
>
> Hope this clarifies some questions I have seen people ask on various mailing lists.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Ofir Arkin <ofir () packet-technologies com>
> Security QA Manager
> http://www.packet-technologies.com
> Packet Technologies
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> The opinions in this message are my own, and not in any way representative of Packet Technologies.
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Current thread:
- The TCP Flags Playground Ofir Arkin (Mar 26)
- Re: The TCP Flags Playground Granquist, Lamont (Mar 28)
- Vulnerability in IRIX 5.3 and 6.2 objectserver SGI Security Coordinator (Mar 28)