RE: PIX responding with SYN+ACK to SYN+ACK probe sent on open port

["Smith, Aaron" <SmithA () byui edu>]

Sent to PIX:
hping2 -S -A -c 1 -p 22 aaa.bbb.ccc.ddd

Reply from PIX:
len=46 ip=aaa.bbb.ccc.ddd ttl=254 id=25026 sport=22 flags=SA seq=0 win=4096 rtt=0.3 ms

@@ron Smith
 
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of 
Martin Macok
Sent: Monday, January 10, 2005 12:47 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port

During a penetration test I've come around something which seems to be
a Cisco PIX 6.x device (TCP/IP OS fingerprint, ike-scan). It has
single one open tcp port 1723 (pptp) and udp port 500 (isakmp). The
rest of ports are filtered.

The strange thing happens when I send a SYN+ACK packet to the open
port (1723/tcp). The device replies back with SYN+ACK too (with a new
TCP ISN). My guess is that it just ignores the ACK flag in the first
SYN packet but in any case, it could have serious consequences.

I want to know if this is common behaviour or a specific problem.

Please, could you test sending SYN+ACK probe against an open port on
your PIX boxes and drop me a note what happens in your case? Do you
get (a) nothing (b) ICMP unreachable (c) RST or (d) SYN+ACK reply?

Howto:
% hping2 -S -A -c 1 -p <open_tcp_port> <pix>

Or send me your PIX's IP:port privately if it is accessible from the
Internet and I will test it by myself. (Just a few packets, absolutely
harmless)

Thank you

Martin Mačok
ICT Security Consultant
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards