Penetration Testing mailing list archives
RE: Firewall Scan
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Fri, 26 Jun 2009 05:08:03 -0700
Several firewall and IPS vendors now incorporate nmap signature detection, which is probably what you are running into. Sygate, Tipping Point, and others I can't recall off the top of my head.

On the OS side, PF merged p0f's passive fingerprinting features, so a rule like:

    set fingerprints "/etc/pf.os"
    block in log quick on $ExtIF from any os "NMAP" to any label ExtNMAPScan

will show all ports as filtered regardless of actual open ports. Psad and other tools also incorporate nmap fingerprint detection. Looks like you've run into them :)

You can try an XMAS or FIN run, which may work depending on how the target is configured, but you'll most likely have better luck using an alternate scanner with a lesser known signature.

--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
"I cannot brain today, I have the dumb"
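To make the PF rule above concrete, here is an added illustration (not code from the thread, from PF or from p0f) of how an `os "NMAP"` match is decided: a toy passive fingerprint matcher that reads signatures in the pf.os line format (window:ttl:df:size:options:quirks:class:details) and compares them against the fields of an observed SYN. The signature table is constructed for this example and is not the contents of /etc/pf.os; the TTL tolerance and option matching are simplifications of what PF does. The point for a defender is that the match keys on the scanner's packet shape (window, header size, absent options, quirks), not on the source address, which is why a matching scanner sees every port as filtered while an ordinary client connects normally.

```python
"""Toy pf.os-style passive fingerprint matcher (illustrative, simplified)."""
from dataclasses import dataclass

# CONSTRUCTED signature table in pf.os line format; not copied from /etc/pf.os.
#   window:ttl:df:size:options:quirks:class:details
SIGNATURES = """
S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (example)
65535:64:1:64:M*,N,W*,N,N,T,S:.:OpenBSD:4.x (example)
1024:64:0:40:.:A:NMAP:syn scan (1) (example)
2048:64:0:40:.:A:NMAP:syn scan (2) (example)
""".strip().splitlines()


@dataclass
class Syn:
    """Fields of an observed TCP SYN, as a fingerprinter would extract them."""
    window: int
    ttl: int        # TTL as seen on the wire (already decremented by hops)
    df: int         # don't-fragment bit
    size: int       # IP header + TCP header length in bytes
    options: list   # TCP options in order, e.g. ["M1460", "S", "T", "N", "W7"]
    quirks: str     # pf.os quirk letters ("A" = non-zero ACK in a SYN), "." if none


def _mss(options):
    for o in options:
        if o.startswith("M"):
            return int(o[1:])
    return None


def _window_ok(spec, syn):
    if spec == "*":
        return True
    if spec.startswith("S"):            # Sn: window is n times the MSS
        mss = _mss(syn.options)
        return mss is not None and syn.window == int(spec[1:]) * mss
    if spec.startswith("T"):            # Tn: window is n times the MTU (MSS + 40)
        mss = _mss(syn.options)
        return mss is not None and syn.window == int(spec[1:]) * (mss + 40)
    if spec.startswith("%"):            # %n: window is a multiple of n
        return syn.window % int(spec[1:]) == 0
    return syn.window == int(spec)


def _options_ok(spec, options):
    want = [] if spec == "." else spec.split(",")
    if len(want) != len(options):
        return False
    for w, o in zip(want, options):
        if w.endswith("*"):             # M* / W*: any value for that option
            if not o.startswith(w[:-1]):
                return False
        elif w != o:
            return False
    return True


def _ttl_ok(spec, ttl):
    # Simplification (assumption): allow up to 32 hops below the initial TTL.
    initial = int(spec)
    return initial - 32 < ttl <= initial


def match(syn, signatures=SIGNATURES):
    """Return (class, details) of the first matching signature, or None."""
    for line in signatures:
        if not line or line.startswith("#"):
            continue
        win, ttl, df, size, opts, quirks, cls, details = line.split(":", 7)
        if (int(df) == syn.df and int(size) == syn.size and syn.quirks == quirks
                and _ttl_ok(ttl, syn.ttl) and _options_ok(opts, syn.options)
                and _window_ok(win, syn)):
            return cls, details
    return None


def pf_blocks(syn, blocked_classes=("NMAP",)):
    """Decision a rule like  block in quick ... from any os "NMAP"  would take."""
    m = match(syn)
    return m is not None and m[0] in blocked_classes


if __name__ == "__main__":
    normal = Syn(5840, 57, 1, 60, ["M1460", "S", "T", "N", "W7"], ".")
    scanner = Syn(1024, 52, 0, 40, [], "A")   # bare SYN, no options, odd ACK
    print(match(normal), pf_blocks(normal))    # ('Linux', '2.6 (example)') False
    print(match(scanner), pf_blocks(scanner))  # ('NMAP', 'syn scan (1) (example)') True
```

Because the decision is per packet, a host that is simply reachable through the same firewall is unaffected: its SYN carries the usual options and window and never hits the "NMAP" class. Logging the rule (`log` in the rule above) is what turns this from silent dropping into a detection signal worth reviewing.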
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Shenk, Jerry A
Sent: Friday, June 26, 2009 4:18 AM
To: IPv7; pen-test () securityfocus com
Subject: RE: Firewall Scan

Yeah, that looks odd - I wonder if they are doing some type of passive host profiling or something. I think I'd capture the traffic from an nmap scan of just port 5900 and then I'd look through that to see what's going on. Then I'd just do a simple telnet connect and capture that. I wonder if they are looking for something that nmap does to the header.

Another possibility is that there is portscan detection... by the time it hits port 5900, your IP has been blocked for a short time... but the windows nmap scan seems like it should have triggered that action also... but perhaps the linux box has already been blocked by the time you did the single-port test... the tests you did make this seem unlikely ;)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of IPv7
Sent: Wednesday, June 24, 2009 3:45 PM
To: pen-test () securityfocus com
Subject: Firewall Scan

Hello Guys,

I was doing a normal TCP scan on port 5900 when I found a strange result:

1st I did a normal TCP scan with Nmap:

    Onix:~# nmap -p 5900 x.x.x.x

    Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:52 ART
    Interesting ports on x.x.x.x:
    PORT     STATE  SERVICE
    5900/tcp closed vnc

    Nmap done: 1 IP address (1 host up) scanned in 0.361 seconds

But.. if I use telnet/nc with this port, they can connect:

    Onix:~# telnet x.x.x.x 5900
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    RFB 003.003
    ^C

What? I can connect..

OK, I will perform a more detailed scan:

    Onix:~# hping -S -p 5900 x.x.x.x
    HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
    len=46 ip=x.x.x.x ttl=56 id=16854 sport=5900 flags=RA seq=0 win=512 rtt=2.6 ms
    ^C
    --- x.x.x.x hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 2.6/2.6/2.6 ms

This host returns a Reset/ACK; that would be fine if the port were closed, but I can connect to it.

WINDOW SCAN:

    Onix:~# nmap -sW -p 5900 x.x.x.x

    Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:57 ART
    Interesting ports on x.x.x.x:
    PORT     STATE SERVICE
    5900/tcp open  vnc

    Nmap done: 1 IP address (1 host up) scanned in 0.051 seconds

OK, I will look at the TCP window:

First I try to send a TCP packet with WIN=1:

    Onix:~# hping -S -w 1 -p 5900 x.x.x.x
    HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
    len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8 ms
    ^C
    --- x.x.x.x hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 7.8/7.8/7.8 ms

In most cases, shouldn't this host respond with its own suggested window size??

Then I sent the same with WIN=4096:

    Onix:~# hping -S -w 4096 -p 5900 x.x.x.x
    HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
    len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8 ms
    ^C
    --- x.x.x.x hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 7.8/7.8/7.8 ms

I can't understand this! Any ideas?

--
---------------------------------------
- Knowledge is power -
- and knowing makes us free.
----------------------------------
netvulcano.wordpress.com
Linux User #405757
Machine Linux #310536

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
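The puzzle in the quoted thread is three probes giving three different answers for one port: a SYN probe gets RST/ACK (so a SYN scan says closed), the window scan says open, and a real telnet connect succeeds and receives the VNC "RFB" greeting. The following added example (not code from the thread or from nmap) encodes nmap's documented interpretation rules for SYN and window scans and then reconciles the three views, which is how an auditor notices that something between the scanner and the host is answering scanner-style probes on the host's behalf, as Erin describes. The response records are constructed from the outputs quoted above; the RST to nmap's ACK probe is not printed by nmap, so its non-zero window is inferred from the "open" verdict.

```python
"""Reconcile disagreeing port-state evidence (constructed from the thread's data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Response:
    kind: str          # "SYNACK", "RST", "ICMP_UNREACH" or "NONE"
    window: int = 0    # TCP window advertised in the reply, if any
    flags: str = ""    # flag string as hping prints it, e.g. "RA"


def syn_scan_state(r: Response) -> str:
    """nmap -sS rules: SYN/ACK -> open, RST -> closed, no answer/ICMP -> filtered."""
    if r.kind == "SYNACK":
        return "open"
    if r.kind == "RST":
        return "closed"
    return "filtered"


def window_scan_state(r: Response) -> str:
    """nmap -sW rules: the probe is an ACK; a RST with a non-zero window means
    open, a RST with a zero window means closed, anything else is filtered.
    This only discriminates on stacks that set the RST window differently."""
    if r.kind == "RST":
        return "open" if r.window > 0 else "closed"
    return "filtered"


def connect_state(banner: Optional[str]) -> str:
    """A completed handshake (telnet/nc) that yields a banner is the ground truth."""
    return "open" if banner is not None else "closed"


def diagnose(syn: str, window: str, connect: str) -> str:
    """Label the combination of the three verdicts for one port.

    consistent             all three agree
    probe_intercepted      a full connect works but the half-open SYN probe got a
                           RST: some device (IPS / fingerprint-based filter) or
                           the stack itself answers scanner-style probes differently
                           from a real client, so scanner output is not trustworthy
    window_scan_unreliable only the window scan disagrees with the ground truth
    inconsistent           any other mix
    """
    if syn == window == connect:
        return "consistent"
    if connect == "open" and syn == "closed":
        return "probe_intercepted"
    if syn == connect and window != connect:
        return "window_scan_unreliable"
    return "inconsistent"


# CONSTRUCTED from the quoted output for x.x.x.x:5900
SYN_PROBE_REPLY = Response("RST", window=512, flags="RA")   # hping -S: flags=RA win=512
ACK_PROBE_REPLY = Response("RST", window=512, flags="RA")   # inferred: -sW said "open"
BANNER = "RFB 003.003"                                       # telnet received the VNC greeting


def thread_case():
    """Apply the three interpretations to the thread's evidence."""
    s = syn_scan_state(SYN_PROBE_REPLY)
    w = window_scan_state(ACK_PROBE_REPLY)
    c = connect_state(BANNER)
    return s, w, c, diagnose(s, w, c)


if __name__ == "__main__":
    print(thread_case())   # ('closed', 'open', 'open', 'probe_intercepted')
```

The practical lesson for anyone reading scanner output, on either side of the firewall: a half-open probe and a completed connection are different stimuli, and a device that fingerprints the probe can answer each one differently. Before recording a port as closed, confirm with a full connect; before trusting that a fingerprint-blocking rule is working, verify that an ordinary client is still admitted.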
Current thread:
- Firewall Scan IPv7 (Jun 26)
- Re: Firewall Scan SD List (Jun 26)
- RE: Firewall Scan Shenk, Jerry A (Jun 26)
- RE: Firewall Scan Erin Carroll (Jun 26)
- Re: Firewall Scan Todd Haverkos (Jun 26)
- Re: Firewall Scan Guilherme Alves (Jun 29)
- Re: Firewall Scan Chris Brenton (Jun 30)