Penetration Testing: Re: PIX and ttl

Re: PIX and ttl

From: Fabio Pietrosanti (naif) <naif_at_sikurezza.org>
Date: Fri, 25 May 2001 12:18:00 +0200

On Thu, May 24, 2001 at 07:28:03PM +0100, Fernando Cardoso wrote:
> I'm doing a pen-test for a client that has a "standard" config of
> router-firewall-server_in_dmz. I'm fingerprinting the setup and I'm aware
> that the firewall is a Cisco PIX (BTW is there any way to change the banner
> for the fixup protocol smtp? :)
No way, but I think that a secure configuration of the MTA behind the PIX is
the right way and that "fixup protocol smtp" isn't necessary.
It simply adds overhead to the firewall processing...
>
> Their router is at 5 hops of distance from me. Both router and fw give me
> the ttl I was expecting when I ping them (251 and 250), but all the servers
> in the DMZ don't...
>
> traceroute to server_in_dmz (x.x.x.x), 30 hops max, 38 byte packets
> 1 a.a.a.a (a.a.a.a) 2.068 ms 2.031 ms 2.349 ms TTL:255
> 2 a.a.a.a (a.a.a.a) 153.681 ms 152.925 ms 131.445 ms TTL:254
> 3 a.a.a.a (a.a.a.a) 205.197 ms 269.539 ms 145.973 ms TTL:253
> 4 a.a.a.a (a.a.a.a) 38.078 ms 23.849 ms 23.497 ms TTL:252
> 5 router (router) 31.445 ms 27.277 ms 28.422 ms TTL:251
> 6 * * * (fw) TTL:250
> 7 * * * (server_in_dmz) TTL:123
>
> The servers in the DMZ are Microsoft boxes so the "right" TTL should be 122.

No, it's different from release to release of Microsoft products...

-- Windows NT 4.0 x86 SP6a ( ttl = 128 ) in MY LAN
root_at_life:~# hping -c 2 -S -p 80 10.1.3.20
eth0 default routing interface selected (according to /proc)
HPING gongolo (eth0 10.1.3.20): S set, 40 headers + 0 data bytes
46 bytes from 10.1.3.20: flags=SA seq=0 ttl=128 id=25884 win=8576 rtt=0.5 ms

-- Windows 2k x86 SP1 ( ttl = 123 ) behind PIX 5.3(1)
root_at_life:~# hping -c 2 -S -p 80 xxx.xxx.xx.xxx
eth0 default routing interface selected (according to /proc)
HPING www.www.www (eth0 xxx.xxx.xx.xxx): S set, 40 headers + 0 data bytes
46 bytes from xxx.xxx.xx.xxx: flags=SA seq=0 ttl=123 id=10872 win=8576 rtt=27.3 ms

-- Windows NT 4.0 x86 unknown SP ( ttl = 118 ) behind 5.3(1)
root_at_life:~# hping -c 1 -S -p 25 xxx.xxx.xxx.xxx
eth0 default routing interface selected (according to /proc)
HPING xxx.xxx.xxx.xxx (eth0 xxx.xxx.xxx.xxx): S set, 40 headers + 0 data bytes
46 bytes from xxx.xxx.xxx.xxx: flags=SA seq=0 ttl=118 id=45018 win=32768 rtt=860.1 ms

-- PIX Itself 5.3(1) ( ttl = 247 )
root_at_life:~# ping -c 1 xxx.xxx.xxx.x
PING xxx.xxx.xxx.x (xxx.xxx.xxx.x): 56 octets data
64 octets from xxx.xxx.xxx.x: icmp_seq=0 ttl=247 time=87.7 ms

-- PIX Itself 5.1(4) ( ttl = 251 )
root_at_life:~# ping -c 1 xxx.xxx.xxx.xx
PING xxx.xxx.xxx.x (xxx.xxx.xxx.xx): 56 octets data
64 octets from xxx.xxx.xxx.xx: icmp_seq=0 ttl=251 time=102.4 ms

As you can see, the TTL is different for the same PIX release...
I HATE PIX, I HATE CISCO ;>

> I've made a quick test with other PIX protected servers and it seems that
> when the packet passes the PIX it somehow resets the ttl for the original
> one. If I'm correct with these assumptions we have another method of
> fingerprinting PIX. Am I making any sense??
>
> Fernando
>
> PS: Nice article about firewall fingerprinting:
> http://www.kmu-security.ch/identifyingfirewalls.htm

Fabio Pietrosanti ( naif )
E-mail: naif_at_sikurezza.org
PGP Key (DSS) http://naif.itapac.net/naif.asc

--
Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
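The thread's argument rests on a simple heuristic: guess the responding stack's initial TTL as the nearest common default (32, 64, 128, 255) at or above the observed value, and compare the implied hop count with the host's position in the traceroute. The script below is an added example written for this archive page, not code from either poster. It encodes that heuristic, applies it to the hop/TTL pairs quoted from Fernando's traceroute (reconstructed here as constructed sample data), and reports a per-host anomaly: the number of decrements the path length predicts minus the number the reply TTL shows. A defender auditing their own perimeter can run the same check from outside to see what their firewall's TTL handling leaks; the names `infer_ttl`, `hop_anomaly` and `analyse_path` are this example's own.

```python
"""Initial-TTL inference and hop-consistency check (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Default initial TTLs used by most IP stacks; the heuristic assumes one of these.
COMMON_INITIAL_TTLS: Tuple[int, ...] = (32, 64, 128, 255)


@dataclass(frozen=True)
class TtlGuess:
    observed: int  # TTL seen in the reply packet
    initial: int   # guessed initial TTL of the responding stack
    hops: int      # routers the reply crossed on the way back = initial - observed


def infer_ttl(observed: int, initial_ttls: Iterable[int] = COMMON_INITIAL_TTLS) -> TtlGuess:
    """Guess the sender's initial TTL as the smallest common default >= observed."""
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    initial = min(t for t in initial_ttls if t >= observed)
    return TtlGuess(observed, initial, initial - observed)


def hop_anomaly(traceroute_hop: int, observed_ttl: int) -> int:
    """Compare the hop count implied by a reply TTL with the host's traceroute position.

    A host answering at traceroute hop N has N-1 routers in front of it, so its
    reply TTL should be initial - (N-1).  Returns (N-1) - (initial - observed):
    0 means consistent; a positive value means the reply lost fewer TTL units
    than the path length predicts, the kind of discrepancy the thread attributes
    to the PIX sitting in the path.
    """
    return (traceroute_hop - 1) - infer_ttl(observed_ttl).hops


# Constructed sample: (traceroute hop, observed reply TTL) for the hosts in the
# quoted traceroute.  Hops 1-4 are omitted because they are ordinary routers.
THREAD_TRACEROUTE: Dict[str, Tuple[int, int]] = {
    "router": (5, 251),
    "fw": (6, 250),
    "server_in_dmz": (7, 123),
}


def analyse_path(path: Dict[str, Tuple[int, int]]) -> Dict[str, Tuple[int, int]]:
    """Map each host to (guessed initial TTL, hop anomaly)."""
    return {
        name: (infer_ttl(ttl).initial, hop_anomaly(hop, ttl))
        for name, (hop, ttl) in path.items()
    }


if __name__ == "__main__":
    for name, (initial, anomaly) in analyse_path(THREAD_TRACEROUTE).items():
        status = "consistent" if anomaly == 0 else f"{anomaly} decrement(s) missing"
        print(f"{name:14s} initial TTL {initial:3d}  {status}")
```

Run against the thread's numbers, the router and firewall come out consistent with an initial TTL of 255, while server_in_dmz infers an initial TTL of 128 but only five decrements instead of the six its seventh-hop position predicts, which is exactly the one-unit gap between the 122 Fernando expected and the 123 he saw. Note what the heuristic does not give you: the two PIX replies in Fabio's tests (247 and 251) both infer an initial TTL of 255 and differ only in hop count, so a TTL value alone cannot distinguish one release from another.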
Received on May 25 2001