Penetration Testing
mailing list archives
RE: RE: PIX and ttl
From: Dario Ciccarone <dciccaro () employees org>
Date: Mon, 28 May 2001 18:52:19 -0300
> Another option is to do some research on the possibility of doing fingerprinting on the other TCP states (ESTABLISHED, FIN_WAIT, ...).
> A method I use to discover Windows machines behind a stateful aware firewall with SYNDefender is to create ESTABLISHED connections and analyze the ip.id increments. This analysis can be expanded to other fields of the packets and other states by doing some research.
> Perhaps a fingerprinting system that uses traces from a tcpdump session? Anyone?
siphon is a passive fingerprint system that works by analyzing the information in a SYN TCP segment, the same idea used in p0f. For both to work, the "target" computer has to start a session towards a machine under your control while you have siph0n/p0f running on it... and one of them (at least) can read and analyze tcpdump files.
AFAIK nobody has done the same kind of analysis on non-SYN flags... but if the firewall in question also randomizes/changes the SEQ number (as the PIX does) and/or IP ID fields, what you're going to learn is what kind of firewall is in use, not what hosts are behind it...
D
--
Filipe Almeida filipe () rnl ist utl pt
Aka LiquidK
Administração da Rede das Novas Licenciaturas
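The thread's point about ip.id increments, and about a PIX that rewrites the IP ID field hiding the hosts behind it, can be checked from the defender's side: capture a few packets of an ESTABLISHED connection as seen outside the firewall and look at whether the IP ID still walks in a predictable step. The script below is an added example, not code from either poster or from siphon/p0f. The capture lines are constructed in the shape of `tcpdump -v` output (the `id NNN` field), and the classification labels and the 0.8 threshold are my own choices; the "+256" label reflects the well-known behaviour of older Windows stacks whose per-packet +1 counter appears as +256 when the field is read in network byte order.

```python
import re
from collections import Counter

# Constructed sample in the shape of `tcpdump -v` lines (not a real capture):
# an ESTABLISHED-state stream whose IP IDs climb by 256 per packet.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP (tos 0x0, ttl 128, id 513, offset 0, flags [DF], proto TCP (6), length 40) 192.0.2.10.1039 > 198.51.100.5.80: Flags [.], ack 1, win 17520, length 0
12:00:00.000002 IP (tos 0x0, ttl 128, id 769, offset 0, flags [DF], proto TCP (6), length 40) 192.0.2.10.1039 > 198.51.100.5.80: Flags [.], ack 1, win 17520, length 0
12:00:00.000003 IP (tos 0x0, ttl 128, id 1025, offset 0, flags [DF], proto TCP (6), length 40) 192.0.2.10.1039 > 198.51.100.5.80: Flags [.], ack 1, win 17520, length 0
12:00:00.000004 IP (tos 0x0, ttl 128, id 1281, offset 0, flags [DF], proto TCP (6), length 40) 192.0.2.10.1039 > 198.51.100.5.80: Flags [.], ack 1, win 17520, length 0
12:00:00.000005 IP (tos 0x0, ttl 128, id 1537, offset 0, flags [DF], proto TCP (6), length 40) 192.0.2.10.1039 > 198.51.100.5.80: Flags [.], ack 1, win 17520, length 0
"""

_ID_RE = re.compile(r"\bid (\d+)")


def extract_ipids(capture_text):
    """Pull the IP ID value out of each tcpdump -v style line, in order."""
    ids = []
    for line in capture_text.splitlines():
        m = _ID_RE.search(line)
        if m:
            ids.append(int(m.group(1)))
    return ids


def ipid_deltas(ids):
    """Per-packet IP ID increments, modulo the 16-bit field width so a
    wrap from 65535 to 0 still counts as a step of +1."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def classify_ipid(ids, tolerance=0.8):
    """Label an IP ID sequence observed on one established connection.

    If a single increment accounts for at least `tolerance` of all steps the
    counter is predictable and leaks the sending stack's behaviour; otherwise
    the field looks scrambled (e.g. rewritten by a device in the path).
    Labels are this example's own, not siphon's or p0f's."""
    if len(ids) < 4:
        return "insufficient"
    deltas = ipid_deltas(ids)
    step, count = Counter(deltas).most_common(1)[0]
    if count / len(deltas) < tolerance:
        return "random"
    if step == 0:
        return "constant"
    if step == 1:
        return "incremental"
    if step == 256:
        # +1 counter emitted in little-endian order reads as +256 on the wire
        return "incremental-byteswapped"
    return "incremental-step-%d" % step


if __name__ == "__main__":
    ids = extract_ipids(SAMPLE_CAPTURE)
    print(ids, ipid_deltas(ids), classify_ipid(ids))
```

Run it against a capture taken on the outside interface: a "random" verdict means the firewall is scrambling the field as the thread says the PIX does, while any "incremental" verdict means the inside host's counter is visible through the firewall. The same delta approach carries over to the TCP sequence numbers of the same stream.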