Firewall Wizards mailing list archives
PIX responding with SYN+ACK to SYN+ACK probe sent on open port
From: Martin Mačok <martin.macok () underground cz>
Date: Mon, 10 Jan 2005 20:47:21 +0100
During a penetration test I've come around something which seems to be a Cisco PIX 6.x device (TCP/IP OS fingerprint, ike-scan). It has single one open tcp port 1723 (pptp) and udp port 500 (isakmp). The rest of ports are filtered.

The strange thing happens when I send a SYN+ACK packet to the open port (1723/tcp). The device replies back with SYN+ACK too (with a new TCP ISN). My guess is that it just ignores the ACK flag in the first SYN packet but in any case, it could have serious consequences.

I want to know if this is common behaviour or a specific problem. Please, could you test sending SYN+ACK probe against an open port on your PIX boxes and drop me a note what happens in your case? Do you get (a) nothing (b) ICMP unreachable (c) RST or (d) SYN+ACK reply?

Howto:

    % hping2 -S -A -c 1 -p <open_tcp_port> <pix>

Or send me your PIX's IP:port privately if it is accessible from the Internet and I will test it by myself. (Just a few packets, absolutely harmless)

Thank you

Martin Mačok
ICT Security Consultant
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
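Added example, not part of the original message: a small Python classifier that maps the answer to a SYN+ACK probe onto the four outcomes (a) to (d) listed in the message, working on raw TCP headers. Under RFC 793 a listening port answers an ACK-bearing segment with RST, so (c) is the expected result; the extra check tests whether a SYN+ACK reply acknowledges the probe's sequence number plus one, which is what a reply to a plain SYN looks like. All function names, ports and sequence numbers are constructed for illustration.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits (RFC 793)

def tcp_header(sport, dport, seq, ack, flags):
    """Build a minimal 20-byte TCP header (no options, checksum zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)

def parse_tcp(raw):
    """Return (sport, dport, seq, ack, flags) from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", raw[:14])
    return sport, dport, seq, ack, flags & 0x3F

def classify(probe, reply, icmp_unreachable=False):
    """Map the answer to a SYN+ACK probe onto outcomes (a)-(d) from the message."""
    p_sport, p_dport, _seq, _ack, p_flags = parse_tcp(probe)
    if p_flags & (SYN | ACK) != (SYN | ACK):
        raise ValueError("probe is not SYN+ACK")
    if icmp_unreachable:
        return "b"
    if reply is None:
        return "a"
    r_sport, r_dport, _seq, _ack, r_flags = parse_tcp(reply)
    if (r_sport, r_dport) != (p_dport, p_sport):
        return "a"  # reply belongs to a different flow: no answer to the probe
    if r_flags & RST:
        return "c"
    if r_flags & (SYN | ACK) == (SYN | ACK):
        return "d"
    return "other"

def acks_probe_as_syn(probe, reply):
    """True if the reply acknowledges probe seq+1, as a reply to a plain SYN would."""
    p_seq, r_ack = parse_tcp(probe)[2], parse_tcp(reply)[3]
    return r_ack == (p_seq + 1) & 0xFFFFFFFF

# Constructed samples: client port 40000 probing 1723/tcp.
PROBE = tcp_header(40000, 1723, 1000, 2000, SYN | ACK)
REPLY_RST = tcp_header(1723, 40000, 2000, 0, RST)
REPLY_SYNACK = tcp_header(1723, 40000, 555, 1001, SYN | ACK)

if __name__ == "__main__":
    for name, reply in (("none", None), ("RST", REPLY_RST), ("SYN+ACK", REPLY_SYNACK)):
        print(name, "->", classify(PROBE, reply))
    print("acked as SYN:", acks_probe_as_syn(PROBE, REPLY_SYNACK))
```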