[21886] in bugtraq
Re: Weak TCP Sequence Numbers in Sonicwall SOHO Firewall
daemon@ATHENA.MIT.EDU (Barney Wolff)
Thu Jul 26 17:29:27 2001
Date: Wed, 25 Jul 2001 21:47:32 -0400
From: Barney Wolff <barney@databus.com>
To: Dan Ferris <danf@percept.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20010725214732.A29231@tp.databus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ECEPLNJJBDCGPAJMKOLEKEMFCAAA.danf@percept.com>; from danf@percept.com on Wed, Jul 25, 2001 at 05:17:28PM -0600

You're nmap'ing from inside, right? Nobody from outside should
be able to connect to the Sonicwall at all. Sequence numbers
for connections *across* the NAT depend on the endpoint hosts,
not the NAT box. So this is a risk only if you have enemies
already inside your house.

Barney Wolff

On Wed, Jul 25, 2001 at 05:17:28PM -0600, Dan Ferris wrote:
> This may not seem bad, but to me it seems that this defeats the point of NAT
> if somebody can steal your sessions. Note the section on TCP sequence
> prediction. This was a Sonicwall SOHO firewall.
>
> =======
> Host (192.168.1.254) appears to be up ... good.
> Initiating SYN half-open stealth scan against (192.168.1.254)
> Adding TCP port 80 (state open).
> The SYN scan took 8 seconds to scan 1523 ports.
> For OSScan assuming that port 80 is open and port 1 is closed and neither
> are firewalled
> Interesting ports on (192.168.1.254):
> (The 1518 ports scanned but not shown below are in state: closed)
> Port State Service
> 23/tcp filtered telnet
> 67/tcp filtered bootps
> 80/tcp open http
> 137/tcp filtered netbios-ns
> 514/tcp filtered shell
>
> TCP Sequence Prediction: Class=64K rule
> Difficulty=1 (Trivial joke)
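The "TCP Sequence Prediction: Class=64K rule, Difficulty=1" line in the quoted nmap output is nmap's verdict after sampling several initial sequence numbers (ISNs) from the target and looking at how they change between connections. The script below is an added example, not part of this thread or of nmap: it reimplements that analysis in simplified form on constructed ISN samples (no real device was sampled), so a defender auditing their own equipment can see why a "64K rule" host scores as trivial and what a randomized ISN generator looks like by comparison. The labels and the difficulty measure (standard deviation of consecutive deltas) are this example's own assumptions, not nmap's exact algorithm. Per Barney's point above, the samples only say something about the host that actually generates the ISNs: for connections translated through a NAT box, that is the endpoint behind it, not the NAT box itself.

```python
"""Classify sampled TCP initial sequence numbers (ISNs) by predictability.

Added example for the bugtraq thread above; it is not nmap's code.
It reproduces, in simplified form, the idea behind nmap's
"TCP Sequence Prediction" line: take several ISNs observed from one host,
compute the differences between consecutive samples, and judge how easy
the next ISN is to guess. Labels and thresholds are assumptions of this
example, not nmap's real classifier.
"""
from functools import reduce
from math import gcd
from statistics import pstdev
from typing import List, Tuple
import random

MASK32 = 0xFFFFFFFF  # TCP sequence space is 32 bits and wraps


def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between consecutive ISNs, taken modulo 2**32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def classify_isns(isns: List[int]) -> Tuple[str, int]:
    """Return (class label, difficulty index) for a list of sampled ISNs.

    Difficulty here is the population standard deviation of the deltas,
    rounded to an integer (an assumed stand-in for nmap's index):
    0 means every sample grew by the same amount, so the next ISN is
    fully determined; a large value means the generator looks random.
    """
    if len(isns) < 2:
        raise ValueError("need at least two ISN samples")
    deltas = isn_deltas(isns)
    difficulty = int(round(pstdev(deltas)))
    step = reduce(gcd, deltas)  # largest common step between samples

    if len(set(deltas)) == 1:
        # Constant increment per connection: the classic old-BSD behaviour
        # that nmap reports as "64K rule" when the step is 64000.
        if deltas[0] == 64000:
            return ("64K rule", difficulty)
        return (f"constant increment {deltas[0]}", difficulty)
    if step >= 800:
        # Not constant, but every delta is a multiple of a large step
        # (nmap reports such hosts with labels like "i800").
        return (f"multiples of {step}", difficulty)
    return ("random positive increments", difficulty)


# ---- Constructed sample data (not captured from any real device) ----

# A host following the "64K rule": ISN grows by exactly 64000 per connection.
SOHO_LIKE_ISNS = [(0x1000 + 64000 * i) & MASK32 for i in range(6)]

# A host whose ISN grows by varying multiples of 800.
STEP800_ISNS = [0x2000, 0x2000 + 800, 0x2000 + 2400, 0x2000 + 3200, 0x2000 + 5600]

# A host with randomized ISNs; the seed keeps the example reproducible.
_rng = random.Random(1)
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(6)]


if __name__ == "__main__":
    for name, samples in (("64K-rule host", SOHO_LIKE_ISNS),
                          ("i800-style host", STEP800_ISNS),
                          ("randomized host", RANDOM_ISNS)):
        label, difficulty = classify_isns(samples)
        print(f"{name:16s} class={label!r:32s} difficulty={difficulty}")
```

Run it directly to see all three constructed hosts classified; the first reproduces the "64K rule" verdict with difficulty 0 (nmap printed 1 for the SonicWall, since its index is computed differently), the last shows the difficulty figure a randomized generator produces. To audit a real box, replace the constructed lists with ISNs you observed from your own equipment.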