Penetration Testing mailing list archives
tcp oddities.
From: Josh Nunan <joshnunan123 () yahoo com>
Date: Tue, 14 Sep 2004 07:29:32 -0700 (PDT)
The following happened to me at work today... :s (IP addresses removed for obvious reasons.)

After syn-scanning an IP block, I noticed that an IP address in the DNS records as a mail server did not have tcp/25 open... I telnet'd to it... and to my surprise there was an SMTP server sitting on port 25. I've attached the relevant logs as tool output gets butchered when wrapped.

The box running nmap is a Gentoo / Linux-2.6.7 (grsecurity/pax) -- no NAT, simple (inbound) iptables rules.

Any idea what is happening here?

- Josh Nunan
my_box = hostname/ip address
remote_box = ip address

I telnet'd to it on port 25:

$ telnet remote_box 25
Trying remote_box...
Connected to remote_box.
Escape character is '^]'.
220 <removed> Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Tue, 14 Sep 2004 14:28:23 +0100
QUIT
221 2.0.0 <removed> Service closing transmission channel
Connection closed by foreign host.

... tried syn scanning it again ...

$ sudo nmap -sS -P0 -p 25 remote_box --packet_trace

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-14 14:04 GMT
SENT (0.0140s) TCP my_box:51278 > remote_box:25 S ttl=57 id=11229 iplen=40 seq=3329791464 win=2048
SENT (1.0140s) TCP my_box:51279 > remote_box:25 S ttl=58 id=32001 iplen=40 seq=3329857001 win=3072
Interesting ports on remote_box:
PORT   STATE    SERVICE
25/tcp filtered smtp

Nmap run completed -- 1 IP address (1 host up) scanned in 2.040 seconds

... and connect scanning ...

$ sudo nmap -sT -P0 -p 25 remote_box --packet_trace

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-14 14:04 GMT
CONN (0.0070s) TCP localhost > remote_box:25 => Operation now in progress
Interesting ports on remote_box:
PORT   STATE SERVICE
25/tcp open  smtp

Nmap run completed -- 1 IP address (1 host up) scanned in 0.055 seconds

!?!?!?!?!

tcpdump of connect-scan:

my_box ~ # tcpdump | grep remote_box
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
14:17:51.071324 IP my_box.35020 > remote_box.smtp: S 3252464103:3252464103(0) win 5840 <mss 1460,sackOK,timestamp 618217384[|tcp]>
14:17:51.106785 IP remote_box.smtp > my_box.35020: S 2154984799:2154984799(0) ack 3252464104 win 65535 <mss 1380,nop,wscale 0,nop,nop,timestamp[|tcp]>
14:17:51.106888 IP my_box.35020 > remote_box.smtp: . ack 1 win 5840 <nop,nop,timestamp 618217420 0>
14:17:51.107142 IP my_box.35020 > remote_box.smtp: R 1:1(0) ack 1 win 5840 <nop,nop,timestamp 618217420 0>
14:17:51.146028 IP remote_box.smtp > my_box.35020: P 1:132(131) ack 1 win 65535 <nop,nop,timestamp 5122340 618217420>
14:17:51.146068 IP my_box.35020 > remote_box.smtp: R 3252464104:3252464104(0) win 0

1267 packets captured
1353 packets received by filter
0 packets dropped by kernel

tcpdump of syn-scan:

my_box ~ # tcpdump | grep remote_box
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
14:18:41.748726 IP my_box.42450 > remote_box.smtp: S 356421039:356421039(0) win 1024
14:18:42.749153 IP my_box.42451 > remote_box.smtp: S 356486574:356486574(0) win 3072

516 packets captured
516 packets received by filter
0 packets dropped by kernel

using another packet injector (hping2 has the most stupid syntax)...

my_box ~ # packit -t tcp -h -d remote_box -D 25 -F S

Mode:  Packet Injection using device: eth0

-| SND 1 |------------------------------------------------------------------
Timestamp:  14:27:56.833388
TCP header: Src Port: 63004  Dst Port: 25  Flag(s): S  Window: 65535  Seqn: 1540860489
IP header:  Src Address: my_box  Dst Address: remote_box  TTL: 128  ID: 19915  TOS: 0x0  Len: 40

-| No Response From Peer |--------------------------------------------------

-| Packet Injection Statistics |--------------------------------------------
Injected: 1  Received: 0  Loss: 100.0%
Bytes Written: 40  Errors: 0

the random-source port generator seems to be a little less biased towards lower ports, so I thought it might be dropping packets with a high source port...

my_box ~ # packit -t tcp -h -d remote_box -S 35020 -D 25 -F S

Mode:  Packet Injection using device: eth0

-| SND 1 |------------------------------------------------------------------
Timestamp:  14:41:41.484670
TCP header: Src Port: 35020  Dst Port: 25  Flag(s): S  Window: 65535  Seqn: 782259597
IP header:  Src Address: my_box  Dst Address: remote_box  TTL: 128  ID: 15211  TOS: 0x0  Len: 40

-| No Response From Peer |--------------------------------------------------

-| Packet Injection Statistics |--------------------------------------------
Injected: 1  Received: 0  Loss: 100.0%
Bytes Written: 40  Errors: 0

I don't get it... if connect sends that syn, remote_box sends an ack.... help??
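To read the two tcpdump captures side by side, here is an added example that is not part of the original post: a small Python script that parses the tcpdump lines the author pasted (reproduced as a constructed sample, keeping the author's my_box/remote_box placeholders), pairs each outbound SYN with any SYN/ACK that came back for the same four-tuple, and reports the window and TCP-option fields alongside whether the probe was answered. The LINE_RE pattern, the Packet class and correlate_syns are my own names; the script only lays out what the captures show and does not decide why the raw SYNs went unanswered.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the tcpdump lines quoted in the post above, kept with
# the author's my_box/remote_box placeholders instead of real addresses.
CAPTURE = """\
14:17:51.071324 IP my_box.35020 > remote_box.smtp: S 3252464103:3252464103(0) win 5840 <mss 1460,sackOK,timestamp 618217384[|tcp]>
14:17:51.106785 IP remote_box.smtp > my_box.35020: S 2154984799:2154984799(0) ack 3252464104 win 65535 <mss 1380,nop,wscale 0,nop,nop,timestamp[|tcp]>
14:17:51.106888 IP my_box.35020 > remote_box.smtp: . ack 1 win 5840 <nop,nop,timestamp 618217420 0>
14:17:51.107142 IP my_box.35020 > remote_box.smtp: R 1:1(0) ack 1 win 5840 <nop,nop,timestamp 618217420 0>
14:17:51.146028 IP remote_box.smtp > my_box.35020: P 1:132(131) ack 1 win 65535 <nop,nop,timestamp 5122340 618217420>
14:17:51.146068 IP my_box.35020 > remote_box.smtp: R 3252464104:3252464104(0) win 0
14:18:41.748726 IP my_box.42450 > remote_box.smtp: S 356421039:356421039(0) win 1024
14:18:42.749153 IP my_box.42451 > remote_box.smtp: S 356486574:356486574(0) win 3072
"""

# One tcpdump line in the "IP src.port > dst.port: flags ..." form that the
# tcpdump version in the post prints. The pattern and field names are my own.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPFU.]+)(?P<rest>.*)$"
)


@dataclass
class Packet:
    ts: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    flags: str               # S, ., R, P ... exactly as tcpdump prints them
    is_ack: bool             # an "ack N" field is present
    win: Optional[int]       # advertised window, if printed
    has_options: bool        # a <...> option list follows the window
    options_truncated: bool  # "[|tcp]": the snaplen cut the option list short


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; return None for banner and summary lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, _, src_port = m["src"].rpartition(".")
    dst_host, _, dst_port = m["dst"].rpartition(".")
    rest = m["rest"]
    win_m = re.search(r"\bwin (\d+)", rest)
    return Packet(
        ts=m["ts"],
        src_host=src_host, src_port=src_port,
        dst_host=dst_host, dst_port=dst_port,
        flags=m["flags"],
        # \b keeps "sackOK" from being mistaken for an ack field
        is_ack=re.search(r"\back\b", rest) is not None,
        win=int(win_m.group(1)) if win_m else None,
        has_options="<" in rest,
        options_truncated="[|tcp]" in rest,
    )


def correlate_syns(capture: str) -> List[Dict[str, object]]:
    """Pair every outbound SYN with a SYN/ACK for the reversed four-tuple."""
    packets = [p for p in (parse_line(l) for l in capture.splitlines()) if p]
    # Pure SYNs are the probes; SYN+ACK lines are the replies we look for.
    syns = [p for p in packets if p.flags == "S" and not p.is_ack]
    replies = {
        (p.dst_host, p.dst_port, p.src_host, p.src_port)
        for p in packets if p.flags == "S" and p.is_ack
    }
    report = []
    for s in syns:
        key = (s.src_host, s.src_port, s.dst_host, s.dst_port)
        report.append({
            "ts": s.ts,
            "sport": s.src_port,
            "win": s.win,
            "has_options": s.has_options,
            "options_truncated": s.options_truncated,
            "answered": key in replies,
        })
    return report


if __name__ == "__main__":
    print(f"{'time':<16}{'sport':<7}{'win':<6}{'opts':<6}{'trunc':<7}answered")
    for r in correlate_syns(CAPTURE):
        print(f"{r['ts']:<16}{r['sport']:<7}{str(r['win']):<6}"
              f"{str(r['has_options']):<6}{str(r['options_truncated']):<7}"
              f"{r['answered']}")
```

Run against the sample, the table shows the one SYN the kernel built for the connect scan (window 5840, MSS/SACK/timestamp options) was answered, while the two option-less SYNs with windows of 1024 and 3072 from the -sS run were not. Note the "[|tcp]" marker on both option lists: the capture was taken with the default 68-byte snaplen shown in the banner, so the option fields are cut short; a capture with a larger snaplen (tcpdump -s 0) is needed before the full option lists of the two SYN types can be compared.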