Nmap Hackers: RE: firewalk meets nmap - TTL (tested)

RE: firewalk meets nmap - TTL (tested)

From: Lance Spitzner <lance_at_spitzner.net>
Date: Fri, 3 Nov 2000 09:20:48 -0600 (CST)

On Fri, 3 Nov 2000, Ofir Arkin wrote:

> Some firewalls monitor for low TTL field values and will drop your packet.
> If there are some who will generate the ICMP time exceeded error message
> (and this is the firewall here generating the message) in my opinion it is
> a mistake, because it will reveal the firewall itself.

I definitely agree, this should be disabled, but can be difficult. Many
OSes cannot disable this feature as it is part of the kernel ip_forwarding
code. On many firewalls it can only be done with the firewall rulebase
(and remember, many people trust their firewalls).

> In Blackhat 2K in Amsterdam I was talking about the ability to identify the
> Operating System one firewall might run on top because of the ICMP error
> messages it might generate / or spoofed answers the firewall generates
> instead of its protected machines.

Very cool idea. This hack will not only map your firewall rulebase, but
your firewall OS type :)

> If you have a trace I would like to have a look :P

Sure, below is the technique and traces from a test. The firewall is
CheckPoint FW-1 ver 4.1 SP2 on Solaris 2.7 (Ultra 5). The port 5190 TCP
and port 5190 UDP are NOT filtered by the firewall. I scanned a system
behind the firewall on each port with hping2, TTL set to 1 (I am 1 hop
away from the firewall). Note how the firewall responds, and not the
system behind the firewall I was scanning.

mozart #hping2 -c 1 -t 1 -s 53 -p 5190 -S victim
eth0 default routing interface selected (according to /proc)
HPING victim (eth0 172.16.1.107): S set, 40 headers + 0 data bytes
TTL 0 during transit from 192.168.1.254 (firewall.example.net)

mozart #hping2 -2 -c 1 -t 1 -s 53 -p 5190 -S victim
eth0 default routing interface selected (according to /proc)
HPING victim (eth0 172.16.1.107): udp mode set, 28 headers + 0 data bytes
TTL 0 during transit from 192.168.1.254 (firewall.example.net)

Now the packet traces (just for Ofir)

-*> Snort! <*-
Version 1.6.3
By Martin Roesch (roesch_at_clark.net, www.snort.org)
11/03-09:10:36.563267 192.168.1.10:53 -> 172.16.1.107:5190
TCP TTL:1 TOS:0x0 ID:36962
**S***** Seq: 0x53C8F31C Ack: 0x1A37A627 Win: 0x200

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/03-09:10:36.564040 192.168.1.254 -> 192.168.1.10
ICMP TTL:255 TOS:0x0 ID:31007 DF
TTL EXCEEDED
00 00 00 00 45 00 00 28 90 62 00 00 00 06 BB 40 ....E..(.b.....@
C0 A8 01 0A AC 10 01 6B 00 35 14 46 53 C8 F3 1C .......k.5.FS...
1A 37 A6 27 50 02 02 00 22 F6 00 00 .7.'P..."...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/03-09:11:15.183464 192.168.1.10:53 -> 172.16.1.107:5190
UDP TTL:1 TOS:0x0 ID:49570
Len: 8

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/03-09:11:15.184320 192.168.1.254 -> 192.168.1.10
ICMP TTL:255 TOS:0x0 ID:31009 DF
TTL EXCEEDED
00 00 00 00 45 00 00 1C C1 A2 00 00 00 11 8A 01 ....E...........
C0 A8 01 0A AC 10 01 6B 00 35 14 46 00 08 7C 35 .......k.5.F..|5

Thoughts?

lance

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Nov 04 2000
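The two Snort dumps above contain everything needed to see why the firewall gives itself away: the ICMP Time Exceeded message quotes the probe that expired, so a scanner can match the quoted header against what it sent and then compare who answered (192.168.1.254) with who was targeted (172.16.1.107). The following is an added example, not code from the post or from hping2, Snort or firewalk; it decodes the ICMP payload bytes copied from the traces above, validates the quoted IP header checksum, and classifies the reply the way a firewalk-style scan would. The gateway hop count of 1 comes from the post; the reply source 172.16.1.1 and the TTL of 2 in the last call are constructed to show the "passed the firewall" case and are not from the traces.

```python
"""Decode ICMP Time Exceeded replies from a low-TTL probe and classify them.
Added example; not code from the original post or the tools it mentions."""
import struct
import ipaddress

# ICMP payloads copied byte-for-byte from the two Snort "TTL EXCEEDED" dumps:
# 4 unused bytes, then the quoted IP header and the start of the probe.
TCP_REPLY = bytes.fromhex(
    "0000000045000028906200000006BB40"
    "C0A8010AAC10016B0035144653C8F31C"
    "1A37A6275002020022F60000"
)
UDP_REPLY = bytes.fromhex(
    "000000004500001CC1A2000000118A01"
    "C0A8010AAC10016B0035144600087C35"
)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_quoted_probe(icmp_payload: bytes) -> dict:
    """Parse the original datagram quoted inside an ICMP Time Exceeded message."""
    inner = icmp_payload[4:]  # skip the 4-byte unused field of the type 11 header
    if len(inner) < 20:
        raise ValueError("quoted packet shorter than an IPv4 header")
    ver_ihl, _tos, _tlen, ident, _frag, ttl, proto, _cks, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", inner[:20]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("quoted packet is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ip_checksum(inner[:ihl]) != 0:
        raise ValueError("quoted IP header checksum does not verify")
    l4 = inner[ihl:]
    if len(l4) < 4:
        raise ValueError("fewer than 4 bytes of transport header quoted")
    sport, dport = struct.unpack("!HH", l4[:4])  # same offsets for TCP and UDP
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ident": ident,
        "ttl": ttl,          # 0 in both traces: the firewall decremented before quoting
        "proto": proto,      # 6 = TCP, 17 = UDP
        "sport": sport,
        "dport": dport,
        "quoted_bytes": len(inner),  # how much of the probe a stack quotes varies
        "tcp_flags": None,
    }
    if proto == 6 and len(l4) >= 14:
        info["tcp_flags"] = l4[13]  # 0x02 = SYN, as sent with hping2 -S
    return info


def classify_reply(icmp_src: str, icmp_payload: bytes, probe_dst: str,
                   probe_ttl: int, gateway_hops: int) -> str:
    """Interpret a Time Exceeded reply to a probe sent with TTL probe_ttl.

    gateway_hops is the distance from the scanner to the firewall (1 in the
    post).  A reply from at or before the gateway means the firewall answered
    for the protected host and so revealed itself; a reply from beyond the
    gateway means the firewall let that port through (the firewalk case).
    """
    quoted = parse_quoted_probe(icmp_payload)
    if quoted["dst"] != probe_dst:
        return "unrelated"  # quoted datagram is not our probe
    if probe_ttl <= gateway_hops:
        return "firewall_revealed"
    return "passed_firewall"


if __name__ == "__main__":
    for name, payload in (("TCP", TCP_REPLY), ("UDP", UDP_REPLY)):
        print(name, parse_quoted_probe(payload))
        print(name, classify_reply("192.168.1.254", payload, "172.16.1.107", 1, 1))
```

A silent drop of the expired packet, the behaviour Ofir argues for, produces no reply at all and therefore never reaches the classifier; a scanner has to treat a timeout as "filtered or dropped" rather than as evidence either way. The quoted header itself is worth reading closely: the TTL is already 0 and the whole 40-byte TCP segment is quoted rather than the minimum 8 bytes, and details like these are the kind of per-stack differences Ofir's OS-identification idea keys on.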
