[14424] in bugtraq
The TCP Flags Playground
daemon@ATHENA.MIT.EDU (Ofir Arkin)
Mon Mar 27 23:59:53 2000
Message-Id: <003401bf97b5$d06e2f60$0f05a8c0@packettechnologies.com>
Date: Mon, 27 Mar 2000 08:29:32 +0200
Reply-To: ofir@packet-technologies.com
From: Ofir Arkin <ofir@PACKET-TECHNOLOGIES.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
OK, once and for all I want to list what certain TCP flag combinations do:
Host Detection:
Any combination of the ACK bit, except with a RST, would elicit a RST back from a probed machine whether we probe an open port or a closed one.
SYN+FIN+URG would elicit a RST|ACK back whether we probe an open port or a closed one.
SYN, SYN+FIN, SYN+PUSH, SYN+URG, SYN+FIN+PUSH, SYN+URG+PUSH, FIN+URG+PUSH+SYN all will elicit a RST|ACK from a closed port and a SYN|ACK from an open port.
OS Distinction:
FIN, FIN+URG+PUSH, URG, URG+PUSH, URG+FIN, PUSH, PUSH+FIN and NULL flags would all elicit a RST|ACK on a closed port. *NIX machines will not respond when probed on an open port; Windows machines still reply with RST|ACK.
Filtering Device Present:
If we use one of the Host Detection combinations and we do not get a reply, a filtering device is present and prevents the probe from going inside the protected "zone" or the reply from coming out.
The Filtering Device is Lame:
If the firewall is just a simple packet filter that blocks incoming SYNs, then some of the combinations I have listed would elicit a reply. If the firewall is stateful (AND does its job as it should; I have seen some idiotic cases where stateful filtering was not implemented as it should be), nothing should pass it.
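As an added example (not part of the original post), the following Python turns the combinations listed above into a detection rule: it parses the TCP flags from constructed connection records, skips the flag sets a conforming stack emits in normal operation, and reports what the post says each remaining probe reveals to its sender. The record format and the sample addresses are assumptions made for the example.

```python
"""Flag anomalous TCP flag combinations in connection records and report what
each one reveals, following the categories in the post."""

# TCP flag bits as laid out in the header (RFC 793); names follow the post.
FIN, SYN, RST, PUSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [(URG, "URG"), (ACK, "ACK"), (PUSH, "PUSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]
LOOKUP = {name: bit for bit, name in NAMES}

# Flag sets a conforming stack produces on its own; anything else is suspect.
LEGIT = {SYN, SYN | ACK, ACK, ACK | PUSH, ACK | FIN, ACK | PUSH | FIN,
         ACK | URG, ACK | PUSH | URG, RST, RST | ACK}

def parse_flags(text):
    """'SYN+FIN+URG' or 'NULL' -> integer bitmask (KeyError on unknown name)."""
    return 0 if text == "NULL" else sum(LOOKUP[t] for t in text.split("+"))

def flag_names(flags):
    """Bitmask -> 'URG+PUSH+FIN' style string, 'NULL' for no flags."""
    return "+".join(name for bit, name in NAMES if flags & bit) or "NULL"

def classify_probe(flags):
    """Return the post's category for an anomalous flag set, None otherwise."""
    if flags in LEGIT or flags & RST:      # normal traffic, or a RST (never answered)
        return None
    if flags & ACK:                        # any ACK combination draws a RST
        return "host detection: RST regardless of port state"
    if flags & SYN:
        if flags & FIN and flags & URG and not flags & PUSH:
            return "host detection: RST|ACK regardless of port state"
        return "host detection: SYN|ACK if open, RST|ACK if closed"
    # No SYN, ACK or RST: FIN/URG/PUSH/NULL combinations fingerprint the stack.
    return "OS distinction: RST|ACK if closed; open port answers only on Windows"

def scan_records(records):
    """records: iterable of (src, dst, dport, flags_text) tuples (constructed
    format). Returns (src, dport, flags, category) for each anomalous packet."""
    findings = []
    for src, _dst, dport, flags_text in records:
        flags = parse_flags(flags_text)
        category = classify_probe(flags)
        if category:
            findings.append((src, dport, flag_names(flags), category))
    return findings

RECORDS = [  # constructed sample records: (src, dst, dport, flags)
    ("198.51.100.7", "192.0.2.10", 80, "SYN"),          # ordinary connect
    ("198.51.100.7", "192.0.2.10", 80, "ACK"),          # ordinary data ack
    ("203.0.113.5", "192.0.2.10", 22, "SYN+FIN+URG"),   # host-detection probe
    ("203.0.113.5", "192.0.2.10", 22, "FIN+URG+PUSH"),  # OS-distinction probe
    ("203.0.113.5", "192.0.2.10", 22, "NULL"),          # OS-distinction probe
    ("203.0.113.5", "192.0.2.10", 22, "SYN+FIN"),       # host-detection probe
]

if __name__ == "__main__":
    for finding in scan_records(RECORDS):
        print("%s -> port %d [%s]: %s" % finding)
```

A lone SYN or ACK sent to a port with no connection is also a probe under the post's rules, but it is indistinguishable from normal traffic by flags alone, so this rule deliberately leaves those to connection-state tracking.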
Hope this clarifies some questions I have seen people ask on various mailing lists.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Ofir Arkin <ofir@packet-technologies.com>
Security QA Manager http://www.packet-technologies.com
Packet Technologies
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The opinions in this message are my own, and not in any
way representative of Packet Technologies.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-