Bugtraq mailing list archives

Re: The TCP Flags Playground
From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Tue, 28 Mar 2000 11:34:31 -0800


Unfortunately, it isn't anywhere near as simple as this.  For example,
older Linux stacks will respond to a SYN|FIN to an open port with a
SYN|FIN|ACK.  Also, when hitting a Solaris (2.5.1 and 2.6 at least) box,
the URG flag being turned on with a SYN will cause that packet to be
dropped.  There are other flag combinations which respond differently on
different systems, e.g. not everything that is FIN scannable is NULL
(no flags) scannable.

There are also other fun things that you can do to try to bypass firewalls
such as fragmenting your packets and sending them out-of-order.  You can
also try more advanced things like exploiting the 2.2.x ipchains fragment
reassembly bug.

On Mon, 27 Mar 2000, Ofir Arkin wrote:
Ok, once and for all I want to list what certain TCP flag combinations do:

Host Detection:
Any combination of the ACK bit, except with a RST, would elicit a RST back
from a probed machine whether we probe an open port or a closed one.

SYN+FIN+URG would elicit a RST|ACK back whether we probe an open port or a
closed one.

SYN, SYN+FIN, SYN+PUSH, SYN+URG, SYN+FIN+PUSH, SYN+URG+PUSH,
FIN+URG+PUSH+SYN, all will elicit a RST|ACK from a closed port and a SYN|ACK
from an open port.

OS Distinguish:
FIN, FIN+URG+PUSH, URG, URG+PUSH, URG+FIN, PUSH, PUSH+FIN and NULL flags
would all elicit a RST|ACK on a closed port; *NIX machines will not respond
when probed on an open port, while Windows machines still reply with RST|ACK.

Filtering Device Present:
If we use one of the Host Detection combinations and we do not get a reply,
a filtering device is present and prevents the probe from going inside the
protected "zone" or the reply from coming out.

The Filtering Device is lame:
If the firewall is just a simple packet filter that blocks incoming SYNs,
then some of the combinations I have listed would elicit a reply. If the
firewall is stateful (and does its job as it should; I have seen some idiotic
cases where stateful filtering was not implemented as it should be), nothing
should pass it.

Hope this clarifies some questions I have seen people ask on various
mailing lists.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Ofir Arkin                      <ofir () packet-technologies com>
Security QA Manager    http://www.packet-technologies.com
Packet Technologies
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The opinions in this message are my own, and not in any
way representative of Packet Technologies.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
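The flag combinations the thread lists are also what a defender should be watching for. As an added example, not code from either poster, the Python below classifies a TCP flag byte into the post's two probe families (the SYN|FIN / SYN+URG style "host detection" probes and the FIN/URG/PUSH/NULL "OS distinguish" probes) and reports any source that sends such segments to several distinct ports. Plain SYN, SYN|ACK, RST and ACK-bearing segments are deliberately left alone because they are ordinary traffic, even though the post lists ACK-based probes under host detection; the packet-summary line format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# TCP flag bit values in header order; a flag byte of 0 is a "NULL" probe
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG"))

def flag_names(flags):
    """Render a flag byte as e.g. 'FIN|SYN'; 0 renders as 'NULL'."""
    return "|".join(n for b, n in NAMES if flags & b) or "NULL"

def probe_class(flags):
    """Map a flag byte to the thread's probe families, or None for ordinary traffic."""
    if flags & RST:
        return None                      # resets are ordinary traffic
    if flags & SYN and flags & FIN:
        return "host-detect"             # SYN|FIN family: never legitimate
    if flags & SYN and not flags & ACK and flags & (URG | PSH):
        return "host-detect"             # SYN+PUSH / SYN+URG style probes
    if not flags & (SYN | ACK):
        return "os-distinguish"          # FIN/URG/PUSH combos and NULL: no ACK at all
    return None                          # SYN, SYN|ACK, ACK-bearing segments

# Constructed packet-summary line format (hypothetical): "src -> dst:port flags=0xNN"
LINE = re.compile(r"(\S+) -> (\S+):(\d+) flags=0x([0-9a-fA-F]{2})")

def scan_report(lines, threshold=3):
    """Return {src: sorted probe classes} for sources that hit >= threshold distinct ports."""
    hits = defaultdict(dict)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                     # not a packet-summary line
        src, _dst, port, hexflags = m.groups()
        cls = probe_class(int(hexflags, 16))
        if cls:
            hits[src][int(port)] = cls   # one entry per probed port, latest class wins
    return {src: sorted(set(ports.values()))
            for src, ports in hits.items() if len(ports) >= threshold}

SAMPLE = [  # constructed sample traffic, not captured data
    "10.0.0.5 -> 10.0.0.9:22 flags=0x03",   # SYN|FIN
    "10.0.0.5 -> 10.0.0.9:80 flags=0x00",   # NULL
    "10.0.0.5 -> 10.0.0.9:443 flags=0x01",  # FIN only
    "10.0.0.5 -> 10.0.0.9:25 flags=0x29",   # FIN|PSH|URG
    "10.0.0.7 -> 10.0.0.9:80 flags=0x02",   # plain SYN: ordinary
    "10.0.0.7 -> 10.0.0.9:80 flags=0x18",   # PSH|ACK: ordinary
]
REPORT = scan_report(SAMPLE)             # {'10.0.0.5': ['host-detect', 'os-distinguish']}
```

The threshold of distinct ports is what separates a flag scan from a single stray malformed segment; tune it to the noise level of the link being watched.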