[14693] in bugtraq


Re: ZoneAlarm

daemon@ATHENA.MIT.EDU (Max Vision)
Wed Apr 26 22:17:46 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Enip.BSO.23.0004260220050.15969-100000@www.whitehats.com>
Date:         Wed, 26 Apr 2000 02:50:33 -0700
Reply-To: Max Vision <vision@WHITEHATS.COM>
From: Max Vision <vision@WHITEHATS.COM>
X-To:         Alfred Huger <ah@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.GSO.4.21.0004241321400.844-100000@mail>

On Mon, 24 Apr 2000, Alfred Huger wrote:
> >Additionally, using nmap's -f flag allows you to send traffic past
> >ZoneAlarm without any alerts.
>
> I set up a copy on a local machine here and while I found that source port
> scans from 67 slipped past the firewall -f seemed to be alerted on just
> fine. Can anyone else comment to this?
>
Hi Al,

I get the same results you did; ZoneAlarm 2.1.10 alerts on a fragmented
SYN scan, but does not make any noise when the source port is set to 67.

# nmap -sS -p 139 -v -f -P0 victim.example.com
Initiating SYN half-open stealth scan against victim.example.com
(23.23.23.23)

  04/26-02:11:52.260668 attacker -> 23.23.23.23
  TCP TTL:61 TOS:0x0 ID:15452  MF
  Frag Offset: 0x0   Frag Size: 0x10
  BC 49 00 8B 4D 4B C7 11 00 00 00 00 50 02 08 00  .I..MK......P...

  04/26-02:11:52.260745 attacker -> 23.23.23.23
  TCP TTL:61 TOS:0x0 ID:15452
  Frag Offset: 0x2   Frag Size: 0x4
  CA 49 00 00                                      .I..

ZoneAlarm reports
"The firewall has blocked Internet access to your computer (NetBIOS
Session) from attacker.example.com (TCP Port 3133)."

When I add the option for source port 67 (-g 67), ZoneAlarm does not alert;
however, the packets do not seem to be delivered either (no RST nor
SYN+ACK).

Now if you remove fragmentation from the picture, it looks like you can
use source porting (67 anyway) to circumvent the ZoneAlarm software.

# nc -p 67 victim.example.com 21
220 Serv-U FTP-Server v2.5e for WinSock ready...
quit

Without the bootp source port this connection is dropped and an alert is
generated.

Max
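
Two points in the exchange above are worth making concrete. First, the nmap -f fragments still carry the TCP ports and the SYN flag in the first fragment (16 bytes of a 20-byte header), which is why even a filter that only inspects first fragments can still classify and alert on the scan. Second, a rule that trusts traffic purely because it comes from source port 67 (bootps) cannot tell the `nc -p 67` FTP session apart from a DHCP server reply. The Python below is an added example, not part of the original thread and not ZoneAlarm's code: it reassembles the two fragments quoted in the post, decodes the TCP header, and contrasts a trust-by-source-port rule (an assumed model of the behaviour observed, not ZoneAlarm's actual logic) with a DHCP-aware one.

```python
import struct

# Fragments transcribed from the nmap -f capture quoted in the post.
# IP ID 15452; "Frag Offset" is in 8-byte units; MF = More Fragments.
POST_FRAGMENTS = [
    {"id": 15452, "offset": 0x0, "mf": True,
     "payload": bytes.fromhex("BC 49 00 8B 4D 4B C7 11 00 00 00 00 50 02 08 00")},
    {"id": 15452, "offset": 0x2, "mf": False,
     "payload": bytes.fromhex("CA 49 00 00")},
]


def reassemble(fragments):
    """Reassemble IP fragments grouped by IP ID; returns {id: bytes}.

    Rejects gaps, overlaps and a final fragment that still has MF set,
    the cases a fragment-naive filter tends to mishandle.
    """
    by_id = {}
    for frag in fragments:
        by_id.setdefault(frag["id"], []).append(frag)
    datagrams = {}
    for fid, frags in by_id.items():
        ordered = sorted(frags, key=lambda f: f["offset"])
        buf = bytearray()
        for frag in ordered:
            start = frag["offset"] * 8
            if start != len(buf):
                raise ValueError(f"id {fid}: gap or overlap at byte {start}")
            buf += frag["payload"]
        if ordered[-1]["mf"]:
            raise ValueError(f"id {fid}: final fragment still has MF set")
        datagrams[fid] = bytes(buf)
    return datagrams


def parse_tcp(header):
    """Decode the fixed 20-byte TCP header (network byte order)."""
    if len(header) < 20:
        raise ValueError("need the full 20-byte TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", header[:20])
    flags = off_flags & 0x01FF
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10),
            "window": win, "checksum": csum, "urgent": urg}


def first_fragment_view(payload):
    """What a first-fragment-only filter can see.

    Ports need the first 4 bytes, flags the first 14; a header split more
    finely than that leaves the fragment unclassifiable (returns None).
    """
    if len(payload) < 14:
        return None
    sport, dport = struct.unpack("!HH", payload[:4])
    flags = struct.unpack("!H", payload[12:14])[0] & 0x01FF
    return {"sport": sport, "dport": dport, "syn": bool(flags & 0x02)}


def trust_by_source_port(proto, sport, dport):
    """Assumed model of the behaviour the post observes: anything arriving
    from bootps/67 is treated as DHCP server traffic and let through."""
    return "allow" if sport == 67 else "alert"


def dhcp_aware_policy(proto, sport, dport, awaiting_dhcp_reply=False):
    """Hardened form: DHCP server replies are UDP 67 -> 68 and are only
    expected while this host has a DISCOVER/REQUEST outstanding. Anything
    else from port 67 is just another unsolicited inbound packet."""
    if proto == "udp" and sport == 67 and dport == 68 and awaiting_dhcp_reply:
        return "allow"
    return "alert"


if __name__ == "__main__":
    tcp = parse_tcp(reassemble(POST_FRAGMENTS)[15452])
    print("reassembled SYN:", tcp)
    print("first fragment alone shows:", first_fragment_view(POST_FRAGMENTS[0]["payload"]))
    print("nc -p 67 -> ftp, source-port trust:", trust_by_source_port("tcp", 67, 21))
    print("nc -p 67 -> ftp, DHCP-aware:", dhcp_aware_policy("tcp", 67, 21))
```

Running it shows the first fragment already exposes src 48201, dst 139 and SYN, so fragmentation alone buys nothing against a filter that parses fragment zero, whereas the `nc -p 67` connection to port 21 is accepted by the source-port rule and rejected by the DHCP-aware one.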
