Home page logo
/

pen-test logo Penetration Testing mailing list archives

tcp oddities.
From: Josh Nunan <joshnunan123 () yahoo com>
Date: Tue, 14 Sep 2004 07:29:32 -0700 (PDT)

The following happened to me at work today... :s (IP
Addresses removed for obvious reasons.)

After syn-scanning an IP block, I noticed that an ip
address in the dns records as a mail server did not
have tcp/25 open... I telnet'd to it... and to my
suprise there was an smtp server sitting on port 25.

I've attached the relevant logs as tool output gets
butchered when wrapped.

The box running nmap is a Gentoo / Linux-2.6.7
(grsecurity/pax) -- no nat, simple (inbound) iptables
rules.

any idea what is happening here?

- Josh Nunan


                
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
my_box = hostname/ip address
remote_box = ip address

I telnet'd to it on port 25:

    $ telnet remote_box 25
    Trying remote_box...
    Connected to remote_box.
    Escape character is '^]'.
    220 <removed> Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at  Tue, 14 Sep 2004 14:28:23 +0100
    QUIT
    221 2.0.0 <removed> Service closing transmission channel
    Connection closed by foreign host.

... tried syn scanning it again ...

    $ sudo nmap -sS -P0 -p 25 remote_box --packet_trace

    Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-14 14:04 GMT
    SENT (0.0140s) TCP my_box:51278 > remote_box:25 S ttl=57 id=11229 iplen=40 seq=3329791464 win=2048
    SENT (1.0140s) TCP my_box:51279 > remote_box:25 S ttl=58 id=32001 iplen=40 seq=3329857001 win=3072
    Interesting ports on remote_box:
    PORT   STATE    SERVICE
    25/tcp filtered smtp
    
    Nmap run completed -- 1 IP address (1 host up) scanned in 2.040 seconds

... and connect scanning ...

    $ sudo nmap -sT -P0 -p 25 remote_box --packet_trace
    
    Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-14 14:04 GMT
    CONN (0.0070s) TCP localhost > remote_box:25 => Operation now in progress
    Interesting ports on remote_box:
    PORT   STATE SERVICE
    25/tcp open  smtp

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.055 seconds

!?!?!?!?!

tcpdump of connect-scan:

    my_box ~ # tcpdump | grep remote_box 
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
    14:17:51.071324 IP my_box.35020 > remote_box.smtp: S 3252464103:3252464103(0) win 5840 <mss 1460,sackOK,timestamp 
618217384[|tcp]>
    14:17:51.106785 IP remote_box.smtp > my_box.35020: S 2154984799:2154984799(0) ack 3252464104 win 65535 <mss 
1380,nop,wscale 0,nop,nop,timestamp[|tcp]>
    14:17:51.106888 IP my_box.35020 > remote_box.smtp: . ack 1 win 5840 <nop,nop,timestamp 618217420 0>
    14:17:51.107142 IP my_box.35020 > remote_box.smtp: R 1:1(0) ack 1 win 5840 <nop,nop,timestamp 618217420 0>
    14:17:51.146028 IP remote_box.smtp > my_box.35020: P 1:132(131) ack 1 win 65535 <nop,nop,timestamp 5122340 
618217420>
    14:17:51.146068 IP my_box.35020 > remote_box.smtp: R 3252464104:3252464104(0) win 0

    1267 packets captured
    1353 packets received by filter
    0 packets dropped by kernel

tcpdump of syn-scan:

    my_box ~ # tcpdump | grep remote_box 
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
    14:18:41.748726 IP my_box.42450 > remote_box.smtp: S 356421039:356421039(0) win 1024
    14:18:42.749153 IP my_box.42451 > remote_box.smtp: S 356486574:356486574(0) win 3072
    516 packets captured
    516 packets received by filter
    0 packets dropped by kernel

using another packet injector (hping2 has the most stupid syntax)...

    my_box ~ # packit -t tcp -h -d remote_box -D 25 -F S
    Mode:  Packet Injection using device: eth0

    -| SND 1 |------------------------------------------------------------------

    Timestamp:   14:27:56.833388
    TCP header:  Src Port: 63004  Dst Port: 25  Flag(s): S
                 Window: 65535  Seqn: 1540860489
    IP header:   Src Address: my_box  Dst Address: remote_box
                 TTL: 128  ID: 19915  TOS: 0x0  Len: 40

    -| No Response From Peer |--------------------------------------------------

    -| Packet Injection Statistics |--------------------------------------------
    Injected: 1  Received: 0  Loss: 100.0%  Bytes Written: 40  Errors: 0

the random-source port generator seems to be little less biased towards lower ports, so I thought it might be dropping
packets with a high-source port...

    my_box ~ # packit -t tcp -h -d remote_box -S 35020 -D 25 -F S
    Mode:  Packet Injection using device: eth0

    -| SND 1 |------------------------------------------------------------------

    Timestamp:   14:41:41.484670
    TCP header:  Src Port: 35020  Dst Port: 25  Flag(s): S
                 Window: 65535  Seqn: 782259597
    IP header:   Src Address: my_box  Dst Address: remote_box
                 TTL: 128  ID: 15211  TOS: 0x0  Len: 40
    
    -| No Response From Peer |--------------------------------------------------

    -| Packet Injection Statistics |--------------------------------------------
    Injected: 1  Received: 0  Loss: 100.0%  Bytes Written: 40  Errors: 0

I dont geddit... if connect sends that syn, remote_box sends an ack....

help??

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]