Bugtraq mailing list archives
Re: Weak TCP Sequence Numbers in Sonicwall SOHO Firewall
From: John Duksta <jduksta () genuity com>
Date: Thu, 26 Jul 2001 12:24:39 -0400
Dan,

Did you run this scan against the internal or external interface of the SonicWall? Every scan I've ever run against a SonicWall from the outside exhibited the OS Characteristics of the OS actually running services port forwarded behind it.

e.g. a friend with a SonicWall was running his web and mail servers behind a Sonicwall on an AIX box. When we nmap scanned the external interface of the Sonicwall, it showed up as an AIX box.

-john

At 05:17 PM 7/25/2001 -0600, Dan Ferris wrote:
This may not seem bad, but to me it seems that this defeats the point of NAT if somebody can steal your sessions. Note the section on TCP sequence prediction. This was a Sonicwall SOHO firewall.

=======

Host (192.168.1.254) appears to be up ... good.
Initiating SYN half-open stealth scan against (192.168.1.254)
Adding TCP port 80 (state open).
The SYN scan took 8 seconds to scan 1523 ports.
For OSScan assuming that port 80 is open and port 1 is closed and neither are firewalled
Interesting ports on (192.168.1.254):
(The 1518 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     filtered    telnet
67/tcp     filtered    bootps
80/tcp     open        http
137/tcp    filtered    netbios-ns
514/tcp    filtered    shell

TCP Sequence Prediction: Class=64K rule
                         Difficulty=1 (Trivial joke)

Sequence numbers: 3EC519BD 3EC613BD 3EC70DBD 3EC807BD 3EC901BD 3EC9FBBD
Remote operating system guess: Accelerated Networks - High Speed Integrated Access VoDSL
OS Fingerprint:
TSeq(Class=64K)
T1(Resp=Y%DF=N%W=2000%ACK=S++%Flags=AS%Ops=MNW)
T2(Resp=N)
T3(Resp=Y%DF=N%W=2000%ACK=O%Flags=A%Ops=)
T4(Resp=Y%DF=N%W=2000%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=0%ULEN=134%DAT=E)

Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
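Added example, not part of the original thread or of nmap: a short Python check that shows why the six sequence numbers in the scan above earn the "64K rule" label, since each differs from the previous one by exactly 0xFA00 (64000). The function names, the label strings and the 1024 cut-off are assumptions of this example; the same check can be run over ISNs captured from your own device when auditing it.

```python
from functools import reduce
from math import gcd

# ISN samples copied from the nmap output quoted in the post above.
SAMPLES_HEX = "3EC519BD 3EC613BD 3EC70DBD 3EC807BD 3EC901BD 3EC9FBBD"
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def parse_isns(text):
    """Parse whitespace-separated hexadecimal ISNs into integers."""
    return [int(tok, 16) for tok in text.split()]


def isn_deltas(samples):
    """Differences between consecutive ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(samples, samples[1:])]


def classify_isns(samples):
    """Return (label, step); labels are this example's own names."""
    if len(samples) < 3:
        raise ValueError("need at least 3 ISN samples")
    deltas = isn_deltas(samples)
    if all(d == 0 for d in deltas):
        return "constant", 0
    step = reduce(gcd, deltas)  # largest increment common to all deltas
    if step % 64000 == 0:
        return "64k-rule", step
    if step >= 1024:  # heuristic cut-off, an assumption of this example
        return "fixed-step", step
    return "no-simple-pattern", step


if __name__ == "__main__":
    isns = parse_isns(SAMPLES_HEX)
    print([hex(d) for d in isn_deltas(isns)])
    print(classify_isns(isns))
    # Constructed sample that wraps past 2**32; still stepping by 64000.
    print(classify_isns([MOD - 64000, 0, 64000]))
```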
Current thread:
- Weak TCP Sequence Numbers in Sonicwall SOHO Firewall Dan Ferris (Jul 25)
- Re: Weak TCP Sequence Numbers in Sonicwall SOHO Firewall Barney Wolff (Jul 26)
- Re: Weak TCP Sequence Numbers in Sonicwall SOHO Firewall John Duksta (Jul 26)
- <Possible follow-ups>
- Re: Weak TCP Sequence Numbers in Sonicwall SOHO Firewall Evan Pierce (Jul 26)