On Wed, Oct 24, 2007 at 02:59:36PM -0400, Dario Ciccarone (dciccaro) wrote:
> Hm. If "ASA" refers to the Cisco Adaptive Security Appliance, there is a
> possible explanation - whoever configured the device enabled the
> "service resetinbound" option:
>
> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1348346
>
> The ICMP probe might then be dropped, and the probe to 80/tcp replied
> with an RST. Hard then to determine what is going on just by looking at
> a packet capture and with no additional info. My money would be on
> "resetinbound" plus ACL dropping ICMP echo request. But it could also be
> that the ruleset drops indeed ICMP echo request, but has an entry that
> says "permit tcp any host X" - and host X isn't actually listening on
> 80/tcp.
Actually it would be possible to detect such a behaviour, as in my
experience these devices are in front of a firewall, so nmap usually sees a
lot of RSTs, like ping is dead *and* all scanned ports are "closed", which is
odd and could be noticed. Another thing is, when the TTL of the RST is lower
than the TTL of a SYN-ACK this could be noticed by nmap as well. With hping
you get to see these details, so you can differentiate manually.
Gruss
--
Pluto - SysAdmin of Hades
Free information! Freedom through knowledge. Wisdom for all!! =:-)
PGP://0xB4BBB4A9?524CB500A8F3EAA2&6A3E5272F9072A17 ICQ: 286852401
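The two heuristics from the reply above (ping dead yet every port "closed", and RST TTL not matching SYN-ACK TTL) can be checked mechanically once you have the per-probe replies from hping or a packet capture. The following is an added example, not code from the mailing-list post or from nmap/hping; the probe records are constructed by hand, and the `INITIAL_TTLS` table and the `Probe`/`analyze` names are assumptions made here for illustration.

```python
"""Flag RSTs that were probably forged by an in-path device (e.g. an ASA with
"service resetinbound") instead of being sent by the scanned host.

Added example: runs offline over constructed probe results, no scapy needed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the sender started from one of these common initial TTLs.
# Hosts usually use 64 or 128; routers and firewalls frequently use 255.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Probe:
    kind: str               # "icmp_echo" or "tcp_syn"
    port: Optional[int]     # destination port for tcp_syn, None for icmp
    reply: Optional[str]    # None (no answer), "echo_reply", "rst", "syn_ack"
    ttl: Optional[int]      # TTL observed in the reply, None if no reply


def infer_hops(ttl: int) -> Tuple[int, int]:
    """Guess the sender's initial TTL (smallest common value >= observed)
    and return (initial_ttl, hops_traversed)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL {ttl} out of range")


def analyze(probes: List[Probe]) -> List[str]:
    """Return a list of finding codes; an empty list means nothing odd."""
    findings: List[str] = []
    icmp = [p for p in probes if p.kind == "icmp_echo"]
    tcp = [p for p in probes if p.kind == "tcp_syn"]
    rsts = [p for p in tcp if p.reply == "rst"]
    synacks = [p for p in tcp if p.reply == "syn_ack"]

    ping_dead = bool(icmp) and all(p.reply is None for p in icmp)

    # Heuristic 1: echo requests dropped, yet *every* probed port answers
    # with RST. A real host rarely has all ports closed; a device replying
    # on its behalf is the likelier explanation.
    if ping_dead and tcp and len(rsts) == len(tcp):
        findings.append("ping_dead_all_ports_closed")

    # Heuristic 2: RSTs and SYN-ACKs carrying different TTLs did not come
    # from the same sender at the same distance. Compare raw TTLs first,
    # then the inferred hop distance (which also catches a firewall that
    # starts at 255 while the host starts at 64).
    if rsts and synacks:
        rst_ttls = {p.ttl for p in rsts}
        synack_ttls = {p.ttl for p in synacks}
        if rst_ttls != synack_ttls:
            findings.append("rst_ttl_differs_from_synack")
            rst_hops = {infer_hops(t)[1] for t in rst_ttls}
            synack_hops = {infer_hops(t)[1] for t in synack_ttls}
            if rst_hops != synack_hops:
                findings.append("rst_hop_distance_differs")
    return findings


# Constructed sample scans (not real captures).
def sample_all_closed() -> List[Probe]:
    """Ping dead, every port RST with TTL 250: looks like resetinbound."""
    return [Probe("icmp_echo", None, None, None)] + [
        Probe("tcp_syn", port, "rst", 250) for port in (22, 80, 443)
    ]


def sample_mixed() -> List[Probe]:
    """Ping dead, 80/tcp open on the real host (TTL 52), other ports RST
    from a nearer device (TTL 250)."""
    return [
        Probe("icmp_echo", None, None, None),
        Probe("tcp_syn", 22, "rst", 250),
        Probe("tcp_syn", 80, "syn_ack", 52),
        Probe("tcp_syn", 443, "rst", 250),
    ]


def sample_benign() -> List[Probe]:
    """Host answers everything itself: all replies share TTL 52."""
    return [
        Probe("icmp_echo", None, "echo_reply", 52),
        Probe("tcp_syn", 22, "rst", 52),
        Probe("tcp_syn", 80, "syn_ack", 52),
    ]


if __name__ == "__main__":
    for name, scan in (("all_closed", sample_all_closed()),
                       ("mixed", sample_mixed()),
                       ("benign", sample_benign())):
        print(f"{name}: {analyze(scan) or 'nothing suspicious'}")
```

To feed real data, record the reply type and TTL of each hping probe (hping prints `ttl=` on every answer) and build the `Probe` list from that. Heuristic 2 only fires when at least one port is genuinely open, so on a target where every port reads "closed" the first heuristic is the only signal; in that case compare the RST TTL against a known-good reply from a neighbouring host behind the same device.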
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Oct 26 2007