Nmap Hackers: Re: [fw-wiz] TTL, works with Cisco ACL's to :)

From: Lance Spitzner <lance_at_spitzner.net>
Date: Tue, 7 Nov 2000 20:32:28 -0600 (CST)

On Wed, 8 Nov 2000, Alex Goldney wrote:

> Lance,
> could you post the ACL of the router as well please? I'll
> run a check myself as well, it will be interesting to know if it is a
> function of the router regardless of the ACL configuration.

Sure, keep in mind, this router is internal, so the IP addressing
is RFC 1918. The filtering happens on the external interface, Eth0.

interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 125 in
 no ip unreachables
 no ip directed-broadcast
 no cdp enable

router#show ip access-list 125
Extended IP access list 125
    deny tcp any any eq 5000 (3 matches)
    deny udp any any eq 5000 (2 match)
    permit ip any any (8949 matches)

ACL 125 allows ANYTHING inbound except port 5000. So, I send any
packet I want to test what happens when a packet is NOT filtered.
I then sent packets to port 5000 to test what happens when a packet
is filtered. This is a production router, so I am limited to what
I can block/filter :)

hope that helps

lance

> Recently I posted about setting TTL's on a scanner
> (such as nmap) to map unfiltered ports on a firewall.
> Proof of concept was done on CheckPoint FW-1 4.1 SP2.
> Fyodor asked me to check out some other systems, so
> I obliged.
>
> I have access to a Cisco 2514 with IOS 12.0(7). The
> method worked like a champ. As standard security
> procedure, I set the router interface with
> "no ip unreachables" however this had no effect
> (which I expected).
>
>
> Below I probed the system 'victim7' to determine which
> ports are open. For this example, I probe port 5100
> to see if it is unfiltered. See diagram below:
>
> Me ---> FW-1 ---> Cisco --> victim7
>
> Both the Firewall and router allow port 5100 through.
> I use hping2 to set the TTL and determine the port is open.
>
> TTL set for firewall (TTL of 1)
> -------------------------------
> marge #hping2 -S -c 1 -t 1 -p 5100 victim7
> eth0 default routing interface selected (according to /proc)
> HPING victim7 (eth0 172.16.1.107): S set, 40 headers + 0 data bytes
> TTL 0 during transit from 192.168.1.254 (firewall)
>
> marge #hping2 -2 -S -c 1 -t 1 -p 5100 victim7
> eth0 default routing interface selected (according to /proc)
> HPING victim7 (eth0 172.16.1.107): udp mode set, 28 headers + 0 data bytes
> TTL 0 during transit from 192.168.1.254 (firewall)
>
> TTL set for router (TTL of 2)
> ------------------------------
> marge #hping2 -S -c 1 -t 2 -p 5100 victim7
> eth0 default routing interface selected (according to /proc)
> HPING victim7 (eth0 172.16.1.107): S set, 40 headers + 0 data bytes
> TTL 0 during transit from 10.1.1.1 (router)
>
> marge #hping2 -2 -S -c 1 -t 2 -p 5100 victim7
> eth0 default routing interface selected (according to /proc)
> HPING victim7 (eth0 172.16.1.107): udp mode set, 28 headers + 0 data bytes
> TTL 0 during transit from 10.1.1.1 (router)
>
> I would say that CheckPoint and Cisco ACLs account for a VERY large
> percentage of filtering that happens on the net :)
>
> Oh, and before the hardcore geeks ask, here are the ICMP traces :)
>
> -*> Snort! <*-
> Version 1.6.3
> By Martin Roesch (roesch_at_clark.net, www.snort.org)
> 11/06-20:44:27.424173 192.168.1.254 -> 192.168.1.10
> ICMP TTL:255 TOS:0x0 ID:10529 DF
> TTL EXCEEDED
> 00 00 00 00 45 00 00 28 03 B9 00 00 00 06 47 EA ....E..(......G.
> C0 A8 01 0A AC 10 01 6B 07 D2 13 EC 57 60 8A CA .......k....W`..
> 7C 1F 01 96 50 02 02 00 C3 16 00 00 |...P.......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 11/06-20:44:30.597322 10.1.1.1 -> 192.168.1.10
> ICMP TTL:254 TOS:0xC0 ID:499
> TTL EXCEEDED
> 00 00 00 00 45 00 00 28 6D 2C 00 00 01 06 DD 76 ....E..(m,.....v
> C0 A8 01 0A AC 10 01 6B 05 CF 13 EC 75 97 8D 81 .......k....u...
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 11/06-20:44:36.393898 192.168.1.254 -> 192.168.1.10
> ICMP TTL:255 TOS:0x0 ID:10530 DF
> TTL EXCEEDED
> 00 00 00 00 45 00 00 1C B4 31 00 00 00 11 97 72 ....E....1.....r
> C0 A8 01 0A AC 10 01 6B 05 ED 13 EC 00 08 76 D7 .......k......v.
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 11/06-20:44:40.029069 10.1.1.1 -> 192.168.1.10
> ICMP TTL:254 TOS:0xC0 ID:500
> TTL EXCEEDED
> 00 00 00 00 45 00 00 1C 15 F5 00 00 01 11 34 AF ....E.........4.
> C0 A8 01 0A AC 10 01 6B 09 8C 13 EC 00 08 73 38 .......k......s8
>
>
> --
> Lance Spitzner
> http://www.enteract.com/~lspitz
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_nfr.com
> http://www.nfr.com/mailman/listinfo/firewall-wizards
>
>
>

-- 
Lance Spitzner
http://www.enteract.com/~lspitz
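The four Snort dumps quoted above carry everything a defender needs to see what the TTL trick reveals: each ICMP "TTL EXCEEDED" message quotes the IP header and the first bytes of the transport header of the probe that expired, so the reporting hop, the probed port and the protocol can all be recovered from the hex. The following script is an added example for this thread, not Lance's or Snort's code. The payload hex is copied from the four dumps above (Snort prints the ICMP payload starting at the 4-byte unused field, which is why each dump opens with `00 00 00 00 45 ...`); the `TRACES` table, the function names and the set of perimeter addresses passed to `flag_ttl_walk` are this example's own assumptions.

```python
"""Decode Snort's ICMP "TTL EXCEEDED" payload dumps to see which probe
expired at which hop. Added example for this thread; not Lance's or
Snort's code."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Sample input: the four payload dumps quoted in the thread, keyed by the
# address in Snort's header line that sent the ICMP message (the FW-1 box
# at 192.168.1.254 or the Cisco at 10.1.1.1). The pairing is constructed
# for this example from the dumps above.
TRACES = [
    ("192.168.1.254",
     "00 00 00 00 45 00 00 28 03 B9 00 00 00 06 47 EA "
     "C0 A8 01 0A AC 10 01 6B 07 D2 13 EC 57 60 8A CA "
     "7C 1F 01 96 50 02 02 00 C3 16 00 00"),
    ("10.1.1.1",
     "00 00 00 00 45 00 00 28 6D 2C 00 00 01 06 DD 76 "
     "C0 A8 01 0A AC 10 01 6B 05 CF 13 EC 75 97 8D 81"),
    ("192.168.1.254",
     "00 00 00 00 45 00 00 1C B4 31 00 00 00 11 97 72 "
     "C0 A8 01 0A AC 10 01 6B 05 ED 13 EC 00 08 76 D7"),
    ("10.1.1.1",
     "00 00 00 00 45 00 00 1C 15 F5 00 00 01 11 34 AF "
     "C0 A8 01 0A AC 10 01 6B 09 8C 13 EC 00 08 73 38"),
]

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def decode_time_exceeded(reporter, hexdump):
    """Parse one ICMP Time Exceeded payload as Snort prints it.

    The dump starts at the 4-byte unused field that follows the ICMP
    type/code/checksum. The original IP header and at least the first
    8 bytes of the transport header follow (RFC 792 requires only 8,
    which is why the IOS dumps are shorter than the FW-1 ones).
    """
    data = bytes.fromhex(hexdump)          # fromhex ignores the spaces
    quoted = data[4:]                      # skip the unused field
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", quoted[:12])
    ihl = (ver_ihl & 0x0F) * 4
    src = str(IPv4Address(quoted[12:16]))
    dst = str(IPv4Address(quoted[16:20]))
    transport = quoted[ihl:]
    sport, dport = struct.unpack("!HH", transport[:4])
    # The TCP flags byte sits 13 bytes into the TCP header; it is only there
    # when the reporting device quoted the whole 20-byte header.
    syn = None
    if proto == 6 and len(transport) >= 14:
        syn = bool(transport[13] & 0x02)
    return {
        "reporter": reporter,
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "quoted_ttl": ttl, "total_len": total_len, "syn": syn,
    }


def map_reached_hops(traces):
    """Group messages by probed (dst, proto, dport) and list, in order, the
    hops that reported expiry. A port that draws Time Exceeded from a hop
    behind a filter was passed by that filter; a filtered port draws no
    reply from beyond it."""
    reached = defaultdict(list)
    for reporter, dump in traces:
        rec = decode_time_exceeded(reporter, dump)
        key = (rec["dst"], rec["proto"], rec["dport"])
        if reporter not in reached[key]:
            reached[key].append(reporter)
    return dict(reached)


def flag_ttl_walk(traces, perimeter):
    """Defender-side heuristic: one source drawing Time Exceeded from two or
    more of your own perimeter devices for the same destination and port
    means its probes are expiring hop by hop. Returns the matching
    (src, dst, proto, dport) tuples, sorted."""
    hops = defaultdict(set)
    for reporter, dump in traces:
        rec = decode_time_exceeded(reporter, dump)
        if reporter in perimeter:
            hops[(rec["src"], rec["dst"], rec["proto"], rec["dport"])].add(reporter)
    return sorted(k for k, v in hops.items() if len(v) >= 2)


if __name__ == "__main__":
    for (dst, proto, dport), hops in map_reached_hops(TRACES).items():
        print(f"{dst} {dport}/{proto}: expired at {', '.join(hops)}")
    print("walk suspects:", flag_ttl_walk(TRACES, {"192.168.1.254", "10.1.1.1"}))
```

Two details the decoded headers make visible: FW-1 quotes the expired header with TTL 0 (`00 06`), while IOS quotes it as received with TTL 1 (`01 06`), and IOS returns only the 8 transport bytes RFC 792 requires, so the SYN flag is recoverable from the firewall's message but not from the router's. This also explains why `no ip unreachables` had no effect in the test: that command suppresses ICMP Destination Unreachable (type 3), and Time Exceeded is type 11.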
--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Nov 09 2000