Penetration Testing: Re: All tcp ports open?

Re: All tcp ports open?

From: <nathan_at_ccc-ltd.com>
Date: Wed, 01 Sep 2004 14:44:15 +0000

Looks suspiciously like a FW1 syndefender in relay mode, here are some
(brief and probably inaccurate) notes that I made a while back. It all boils
down to TTLs if you want to scan hosts behind it.

Hope this points you in the right direction;

Notes:

you will always get a spoofed syn/ack from the firewall (when unfiltered).

If the firewall is rejecting the port you will get a reset without a synack.

If the machine is not there, rst will appear (after arp? timeout) to have the
same ttl as the firewall. (i.e. the same as the spoofed syn/ack sent back to the
client).

A reset should happen if the firewall is Rejecting the connection (i.e.
resetting it).

If the machine is there but port closed, rst will have a different ttl as the
initial syn/ack of the firewall.

If the machine is there but port open:
        If there is no data waiting, FIN the server and look for ACK FIN.
        
        If there is data waiting for you, you will get an ack + data, it might be
        prudent to fin the connection.

If the machine is there but filtered by the firewall, the firewall will
successfully syn/ack from server on its behalf, the ack coming back from the
server however will be blocked and the client will be stuck retransmitting ack
until client timeout.

More detailed information:

http://www.phoneboy.com/bin/view.pl/FAQs/SynDefender

regards,

Nathan

-- 
Computer Crime Consultants Ltd
http://www.ccc-ltd.com
Support the fight against software patents:
http://petition.eurolinux.org
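The decision rules in Nathan's notes, written out as a small classifier over constructed client-side observations (flags and TTL of each segment seen after a SYN and follow-up FIN to one port). This is an added example, not code from the post or from Check Point; it is useful for a firewall administrator who wants to see that a SYN-relaying proxy still leaks whether a host exists behind it. The TTL values and segment sequences are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Seg:
    """One segment seen by the client: TCP flags as letters (S, A, R, F) and IP TTL."""
    flags: str
    ttl: int
    data: bytes = b""


def classify(segs: List[Seg]) -> str:
    """Apply the post's rules to what a client saw after SYN (then ACK/FIN) to a port.

    segs[0] is the first reply; later entries are replies to the client's ACK/FIN.
    """
    if not segs:
        return "no response (nothing reached the firewall, or it dropped the SYN)"
    first = segs[0]
    if "R" in first.flags:
        # RST without a preceding SYN/ACK: the firewall itself rejects the port.
        return "port rejected by firewall (RST, no SYN/ACK)"
    if "S" in first.flags and "A" in first.flags:
        fw_ttl = first.ttl  # the spoofed SYN/ACK carries the firewall's TTL
        later = segs[1:]
        if not later:
            # SYN/ACK came, then silence: host is there but the firewall blocks
            # the real handshake, so the client keeps retransmitting its ACK.
            return "host present, port filtered by firewall (handshake stalls)"
        nxt = later[0]
        if "R" in nxt.flags:
            # Same TTL as the firewall's SYN/ACK: the firewall generated the RST
            # (no such host, or it is rejecting the relayed connection).
            # Different TTL: a real host answered, so the port is closed.
            if nxt.ttl == fw_ttl:
                return "host absent (or connection rejected by firewall)"
            return "host present, port closed"
        if "A" in nxt.flags:
            # FIN/ACK to our FIN, or ACK plus banner data: the service is listening.
            return "host present, port open" + (" (data returned)" if nxt.data else "")
    return "unclassified"


# Constructed scenarios: firewall TTL 60, real host TTL 126 (assumed values).
SCENARIOS: Dict[str, List[Seg]] = {
    "rejected": [Seg("R", 60)],
    "absent": [Seg("SA", 60), Seg("R", 60)],
    "closed": [Seg("SA", 60), Seg("R", 126)],
    "open_quiet": [Seg("SA", 60), Seg("FA", 126)],
    "open_banner": [Seg("SA", 60), Seg("A", 126, b"220 ready\r\n")],
    "filtered": [Seg("SA", 60)],
}


def run_all() -> Dict[str, str]:
    """Classify every constructed scenario; returns scenario name -> verdict."""
    return {name: classify(segs) for name, segs in SCENARIOS.items()}
```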
Received on Sep 01 2004