Nmap Announce mailing list archives

Re: hacking TCP.


From: "Scott Havlak" <shavlak () lurhq com>
Date: Mon, 28 Jun 1999 23:14:17 -0400

> Something which the nmap hackers might like to ponder over is the
> latest technology inside Gauntlet firewalls - the supposed ability
> to change a connection from proxy to packet filter and back.  One
> would think that if different OSes were at the end points, the
> connection would have different fingerprints during its lifetime.
> Can nmap detect this?


I have done extensive testing with Gauntlet on all platforms using nmap.
The Gauntlet (4.X-5.0) packet filter seems to mask the real OS fingerprint.
Scan a Gauntlet firewall on ports where proxies are typically running (like
80, 21, 25, etc.) and then scan ports that are typically protected by a
packet filter rule (like 514 and 6000) and compare the results.  The first
scan will properly detect the OS on all Unix platforms, but the second will
not.  Not sure what effect the "adaptive proxy" will have, but I would
imagine that it would be similar.  Will be sure to try it...

S
