Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Strange response from network
From: Mambo Dsouza <mamboz () gmail com>
Date: Wed, 15 Sep 2004 18:30:49 +0200

try running nc in verbose mode instead of stunnel and then send the get request.

The get request also has more options which you can use...I think
instead of relying on tools..manual techniques give you a much better
output which you can rely on....

There are certain cases where Nmap detected 2003 as Linux also..so
dont trust blindly..

and try to connect to that port using browser also..and see whts
happening..which can give you some more inputs or ideas..

Cheers
Mambo

On Wed, 15 Sep 2004 14:36:14 +0400, Shashank Rai
<shashrai () emirates net ae> wrote:
Hi all,

I observed the following during a pentest i am doing:

1) A port scan of the TARGET_IP (using nmap 3.7 with -sS, -sV and OS
identification), shows port 2443 open and remaining ports as "closed".
2) Nmap fails to identify the OS but identifies the service as
"Microsoft Distributed Transaction Server".
3) The interesting (and strange) part comes from here on. A
tcptraceroute to port 2443 on the TARGET_IP, showed RST/ACK packets
coming back. To further investigate this, i started sending packets by
manually increasing the ttl. I obtained the following results:

SYN packet to port 2443, ttl 7 (last but one hop from target) sends
RST/ACK....

hping2 -S -V -n -c 1 -p 2443 -t 7 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes

len=46 ip=TARGET_IP ttl=249 id=40109 tos=0 iplen=40
sport=2443 flags=RA seq=0 win=0 rtt=6.3 ms
seq=80210401 ack=1098187429 sum=ec0b urp=0

--- TARGET_IP hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 6.3/6.3/6.3 ms

==========================================================================

SYN packet to port 2443 ttl 8 (TARGET IP) gives SYN/ACK ..expected
response.......

hping2 -S -V -n -c 1 -p 2443 -t 8 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes
len=46 ip=TARGET_IP ttl=122 id=16401 tos=0 iplen=44
sport=2443 flags=SA seq=0 win=16384 rtt=6.1 ms
seq=416937317 ack=1244107777 sum=61fe urp=0

--- TARGET_IP hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 6.1/6.1/6.1 ms

===========================================================================

SYN packet to port 25 (closed port) ttl 7 and there is NO response....

hping2 -S -V -n -c 1 -p 25 -t 7 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes

--- TARGET_IP hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

===========================================================================

SYN packet to port 25 ttl 8 ... NO RESPONSE.

hping2 -S -V -n -c 1 -p 25 -t 8 TARGET_IP
using eth0, addr: MY_IP, MTU: 1500
S set, 40 headers + 0 data bytes

--- TARGET_IP hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

===========================================================================

also note that the packets with ttl 7 still come back with TARGET IP,
implying that remote system is spoofing the IP. Even the difference in
ttl and IPID of incoming packets indicates different systems are sending
the response.

My questions:
a) any idea what kind of filtering system can this be
b) is it possible to determine the IP of the 7th HOP.

The nature of the service i am testing requires users to connect using a
client certificate. I connect to port 2443 using stunnel and the client
certificate supplied to me for the test. Now i send a GET / HTTP/1.0
request. The response that comes back is HTTP 403 and the server string
is "Apache-Coyote/1.1" .... in contradiction to what nmap detected as a
service. Any clues as to what is *Really* running on port 2443. Amap
returns nothing :(

TIA

cheers,
--
shashank

<--
Here is the Packet that was fragmented and has been assembled again.
                                      (with apologies to JRR Tolkien :)
-->

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------



------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]