Penetration Testing mailing list archives
Re: traceroute interpretations, where is the firewall ?
From: "sami seclist" <sg.seclists () gmail com>
Date: Tue, 12 Dec 2006 21:53:17 +0100
Hi all,

I finally found answers to my questions thanks to an intensive and manual returned-packet TTL study (by the way, is there a tool that can do it automatically?).

In the TCP traceroute to port 80, we can be sure that it's the web server that replied with a SYN ACK whose TTL is about 120. I assume there isn't any kind of layer 3 cloaking that forged the TTL, so it's a Windows 2000 box.

In the UDP traceroute, the last hop replied with a packet TTL of 57, so it cannot be the same box. The returned packet is an ICMP port unreachable packet, so this must be the firewall, and it rejected the incoming packet.

And finally, 192.168.0.94 is the router, because it replied with an ICMP time exceeded packet whose TTL is about 248 (maybe Cisco).

So hop 9 is the router, hop 10 the FW and hop 11 the web server.

About the proposed tools:

- sinFP and lft: I didn't know these two; they seem interesting to test in my next audit.
- firewalk: I tried it once some time ago, but I didn't like it as I didn't really understand what it exactly does.
- scapy: I discovered this tool during the last audit and I promised myself to test it, but I still haven't.
- ftest: one must have two hosts, one inside and the other outside, not suitable here.
- hping and tcptraceroute (or tctrace): excellent tools.

Although I don't know all the tools above, I don't think they will automate the reasoning I did with TTLs. If such a tool doesn't already exist, I think it would be useful to the community to develop it ...

John, I will focus on application level audit tomorrow ...

Sami.

2006/12/12, John Babio <jbabio () po-box esu edu>:
Do you have any idea what the backend database is? There are a plethora of MySQL and MSSQL 2000 tools available to find injections. For instance the xp_cmd stuff for an MS box.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of sami seclist
Sent: Monday, December 11, 2006 3:32 PM
To: pen-test () securityfocus Com
Subject: traceroute interpretations, where is the firewall ?

Hi list,

I'm currently pen testing a website. I'm still in the first step, trying to discover the network layout.

I sniffed the HTTP GET request packet, and according to the banner it's a Windows 2000 server with IIS 5. TTL of the packet is 118 (original TTL is then 128, so it's another clue of the system being a Windows server).

Below are the TCP/UDP/ICMP traceroutes.

Things I'm sure of:
- there is a firewall (great finding!)
- FW is discarding inbound ICMP echo request but not outbound ICMP destination unreachable (in UDP traceroute)

I need your opinion about the following points:
- I cannot find any plausible explanation about why the web server's TTL in the UDP traceroute is 55 (is it some kind of cloaking?)
- what do you think hop 10 in the ICMP traceroute is? Is 192.168.0.94 a firewall?
- I know that the firewall is a WatchGuard (social engineering), do you think this can help (personally I don't know how, I didn't find any exploitable vuln on public databases)?

I used standard Linux traceroute and tctrace. Any other suggestions about tools to discover the firewall and its rules?
ICMP traceroute

1 192.168.2.1 (192.168.2.1) 147.976 ms (64) 0.472 ms (64) 0.391 ms (64)
2 192.168.169.1 (192.168.169.1) 19.389 ms (126) 26.403 ms (126) 19.812 ms (126)
3 X.X.X.X 22.211 ms (252) 19.227 ms (252) 23.219 ms (252)
4 X.X.X.X 21.274 ms (251) 25.580 ms (251) 18.337 ms (251)
5 X.X.X.X 25.978 ms (250) 19.707 ms (250) 24.313 ms (250)
6 X.X.X.X 30.838 ms (250) 26.228 ms (250) 29.696 ms (250)
7 X.X.X.X 28.214 ms (249) 28.684 ms (249) 33.339 ms (249)
8 X.X.X.X 97.799 ms (247) 28.246 ms (247) 30.445 ms (247)
9 192.168.0.94 (not real address) 200.087 ms (247) 151.751 ms (247) 181.627 ms (247)
10 * * *
11 * * *

UDP traceroute

1 192.168.2.1 (192.168.2.1) 1.297 ms (64) 0.855 ms (64) 0.529 ms (64)
2 192.168.169.1 (192.168.169.1) 18.014 ms (126) 54.012 ms (126) 48.182 ms (126)
3 X.X.X.X 47.598 ms (252) 77.360 ms (252) 19.444 ms (252)
4 X.X.X.X 15.483 ms (251) 43.974 ms (251) 27.602 ms (251)
5 X.X.X.X 37.405 ms (250) 14.281 ms (250) 17.060 ms (250)
6 X.X.X.X 16.883 ms (250) 14.179 ms (250) 48.096 ms (250)
7 X.X.X.X 55.970 ms (249) 14.518 ms (249) 17.161 ms (249)
8 X.X.X.X 18.400 ms (247) 17.086 ms (247) 32.555 ms (247)
9 192.168.0.94 (not real address) 89.282 ms (247) 164.469 ms (247) 87.946 ms (247)
10 192.168.98.3 (not real address) 192.122 ms (55) 228.251 ms (55) 193.657 ms (55)

TCP traceroute on port 80

1(1) [192.168.2.1]
2(1) [192.168.169.1]
3(1) [X.X.X.X]
4(3) [X.X.X.X]
5(1) [X.X.X.X]
6(1) [X.X.X.X]
7(1) [X.X.X.X]
8(1) [X.X.X.X]
9(1) [192.168.0.94]
10(all) Timeout
11(1) [192.168.98.3] (reached; open)

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
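Sami asks whether a tool could automate the TTL reasoning, and the original post asks why the UDP last hop's TTL differs from the web server's. The following Python script is an added example, not code from this thread or from any of the tools named in it, that does the basic version of that reasoning: it parses traceroute lines that print the reply TTL in parentheses, guesses each responder's initial TTL and return-path length, and checks whether two replies (a UDP port-unreachable and a TCP SYN/ACK, say) could plausibly have come from one host. The initial-TTL table and its OS-family labels are heuristics assumed here; the sample input is the UDP traceroute from the original post, abridged.

```python
"""Interpret the TTLs that traceroute prints next to each reply.

Heuristic: the reply TTL is the responder's initial TTL minus the number of
routers on the *return* path.  Guessing the initial TTL (32/64/128/255) tells
you the responder's OS family and how many hops away it is, which is what
distinguishes a firewall answering on a host's behalf from the host itself.
"""
import re
from collections import Counter

# Common default initial TTLs.  The family labels are rules of thumb
# (an assumption of this example), not facts established by the thread.
INITIAL_TTLS = {
    32: "legacy Windows (9x/NT) or other low-TTL stack",
    64: "Linux/BSD-derived stack or appliance",
    128: "Windows NT/2000/XP and later",
    255: "Cisco IOS / Solaris / other network gear",
}


def guess_initial_ttl(observed):
    """Return (initial_ttl, hops_back): the smallest common default TTL
    that is >= the observed value, and how many routers decremented it."""
    for initial in sorted(INITIAL_TTLS):
        if 0 <= observed <= initial:
            return initial, initial - observed
    raise ValueError("TTL out of range: %r" % (observed,))


HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(.*)$")
TTL_RE = re.compile(r"\((\d{1,3})\)")  # "(247)" printed after each RTT


def parse_traceroute(text):
    """Parse 'hop addr ... rtt ms (ttl) ...' lines into a list of
    (hop, addr, [ttls]).  Timed-out hops ('* * *') get addr None and no TTLs."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, addr, rest = int(m.group(1)), m.group(2), m.group(3)
        ttls = [int(t) for t in TTL_RE.findall(rest)]
        hops.append((hop, None if addr == "*" else addr, ttls))
    return hops


def analyze_hops(hops):
    """Annotate each hop with its most frequent reply TTL, guessed initial
    TTL, OS family and implied return-path length."""
    result = []
    for hop, addr, ttls in hops:
        entry = {"hop": hop, "addr": addr, "ttl": None, "initial": None,
                 "hops_back": None, "family": "no reply (filtered or rate-limited)"}
        if ttls:
            entry["ttl"] = Counter(ttls).most_common(1)[0][0]
            entry["initial"], entry["hops_back"] = guess_initial_ttl(entry["ttl"])
            entry["family"] = INITIAL_TTLS[entry["initial"]]
        result.append(entry)
    return result


def same_host_plausible(ttl_a, ttl_b):
    """Could two replies (e.g. a UDP port-unreachable and a TCP SYN/ACK)
    come from one host?  Only if they share a guessed initial TTL and their
    return-path lengths differ by at most one hop."""
    init_a, back_a = guess_initial_ttl(ttl_a)
    init_b, back_b = guess_initial_ttl(ttl_b)
    return init_a == init_b and abs(back_a - back_b) <= 1


# Constructed sample: the UDP traceroute from the original post, abridged
# (hops 4-7 omitted, anonymised hops written as X.X.X.X as in the post).
UDP_TRACE = """\
1 192.168.2.1 (192.168.2.1) 1.297 ms (64) 0.855 ms (64) 0.529 ms (64)
2 192.168.169.1 (192.168.169.1) 18.014 ms (126) 54.012 ms (126) 48.182 ms (126)
3 X.X.X.X 47.598 ms (252) 77.360 ms (252) 19.444 ms (252)
8 X.X.X.X 18.400 ms (247) 17.086 ms (247) 32.555 ms (247)
9 192.168.0.94 (not real address) 89.282 ms (247) 164.469 ms (247) 87.946 ms (247)
10 192.168.98.3 (not real address) 192.122 ms (55) 228.251 ms (55) 193.657 ms (55)
11 * * *
"""

if __name__ == "__main__":
    for e in analyze_hops(parse_traceroute(UDP_TRACE)):
        print("hop %2d %-16s ttl=%-4s initial=%-4s back=%-4s %s" % (
            e["hop"], e["addr"], e["ttl"], e["initial"], e["hops_back"], e["family"]))
    # UDP port-unreachable TTL 55 vs. the SYN/ACK TTL of about 120 seen on port 80
    print("same box?", same_host_plausible(55, 120))
```

Run against the thread's numbers, hop 10 gets an initial TTL of 64 (nine hops back) while a SYN/ACK TTL of about 120 implies 128 (eight hops back), so the two replies come from different IP stacks, which is the argument Sami makes. The caveat a reviewer would add: administrators can change the default TTL, and the return path can differ from the forward one, so treat the output as a hint to corroborate with another method rather than as a fingerprint.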
Current thread:
- traceroute interpretations, where is the firewall ? sami seclist (Dec 11)
- RE: traceroute interpretations, where is the firewall ? John Babio (Dec 12)
- Re: traceroute interpretations, where is the firewall ? sami seclist (Dec 12)
- RE: traceroute interpretations, where is the firewall ? MARTIN Benoni (Dec 13)
- RE: traceroute interpretations, where is the firewall ? Paul Melson (Dec 16)
- RE: traceroute interpretations, where is the firewall ? John Babio (Dec 12)