Re: Fw: blackice ignoring port 113

["Talisker" <Talisker () networkintrusion co uk>]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Jim

Read down  it's a forwarded message  :o)
now I look it could be confusing

Andy

> > ----- Original Message -----
> > From: "vali" <vali () iname com>
> > To: <BUGTRAQ () securityfocus com>
> > Sent: Saturday, July 22, 2000 5:27 PM
> > Subject: blackice ignoring port 113
> >
> >
> > > It's as simple as that, blackice (a somehow popular windows 
> > firewall) is
> > > ignoring TCP trafic with destination port 113 (even with "paranoid"
> > seting).
> > > The most simple way to try this is
> > >
> > > nmap -sS -p 113 -P0 victim (victim's blackice is silent)
> > > nmap -sS -p any_other_port -P0 victim (blackice says "tcp 
> > port probe").
> > > Tried with blackice 2.1.x (blackice.exe & vxd = 2.1.25, blackicd and
> > > blackdll.dll = 2.1.22) on both win95 OSR 2 ans win98 SE.
> > >
> > > This is not much, but is a simple way to flood a computer 
> > without blackice
> > > reacting in any way. Also, if somebody is using a buggy 
> > ident server this
> > is
> > > fatal (irc clients install sometimes ident servers, without users
> > knowledge).
> > > Other comments regarding BlackIce:
> > >
> > > Blackice is doing a good job in stoping malformed packets "bad" for
> > Microsoft
> > > IP stacks (including IGMP, fragmented ICMP aka teardrop, 
> > etc, etc). Can
> > detect
> > > nmap stealth scan but there is no simple way to tell from 
> > the interface
> > the
> > > port scaned (if the port is not a "standard" port). Anyway, it has
> > > extensive logging capabilities. In fact with "logging" and "evidence
> > logging"
> > > enabled sniffed sessions can linger in Blackice folder, 
> > alongside with
> > > sensitive information like passwords.
> > > Blackice can do (automatic)  DNS reverse lookup and a 
> > Netbios scan for the
> > > atackers (wich can be a *very* bad thing). I think this 
> > feature is enabled
> > by
> > > default.
> > >
> > > Blackice seems to have some limits for the number of 
> > packets loged and for
> > the
> > > alerts displayed. This is a good thing and a bad thing. 
> > This limit the
> > memory
> > > used but some packets can go unnoticed (and if someone send a lot of
> > spoofed
> > > packets the real atack will go unnoticed).