Penetration Testing: PIX and ttl

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Penetration Testing mailing list archives

PIX and ttl

From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Thu, 24 May 2001 19:28:03 +0100

I'm doing a pen-test for a client that has a "standard" config of
router-firewall-server_in_dmz. I'm fingerprinting the setup and I'm aware
that the firewall is a Cisco PIX (BTW is there any way to change the banner
for the fixup protocol smtp? :)

Their router is at 5 hops of distance from me. Both router and fw gives me
the ttl I was expecting when I ping them (251 and 250), but all the servers
in the DMZ don't...

traceroute to server_in_dmz (x.x.x.x), 30 hops max, 38 byte packets
 1  a.a.a.a (a.a.a.a)  2.068 ms  2.031 ms  2.349 ms               TTL:255
 2  a.a.a.a (a.a.a.a)  153.681 ms  152.925 ms  131.445 ms         TTL:254
 3  a.a.a.a (a.a.a.a)  205.197 ms  269.539 ms  145.973 ms         TTL:253
 4  a.a.a.a (a.a.a.a)  38.078 ms  23.849 ms  23.497 ms            TTL:252
 5  router (router)  31.445 ms  27.277 ms  28.422 ms              TTL:251
 6  * * * (fw)                                                    TTL:250
 7  * * * (server_in_dmz)                                         TTL:123

The servers in the DMZ are Microsoft boxes so the "right" TTL should be 122.
I've made a quick test with other PIX protected servers and it seems that
when the packet passes the PIX it somehow resets the ttl for the original
one. If I'm correct with these assumptions we have another method of
fingerprinting PIX. Am I making any sense??

Fernando

PS: Nice article about firewall fingerprinting:
http://www.kmu-security.ch/identifyingfirewalls.htm

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/




_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------

By Date By Thread

Current thread:

PIX and ttl Fernando Cardoso (May 24)
- RE: PIX and ttl Jason Lewis (May 25)
  - RE: PIX and ttl Fernando Cardoso (May 25)
    - Re: PIX and ttl Konstantin Rozinov (May 27)
  - RE: PIX and ttl Jacek Lipkowski (May 25)
    - RE: PIX and ttl Jason Lewis (May 26)