[21894] in bugtraq
Re: Weak TCP Sequence Numbers in Sonicwall SOHO Firewall
daemon@ATHENA.MIT.EDU (John Duksta)
Thu Jul 26 18:02:14 2001
Message-Id: <5.0.2.1.0.20010726121930.0367fd28@pobox3.genuity.com>
Date: Thu, 26 Jul 2001 12:24:39 -0400
To: "Dan Ferris" <danf@percept.com>, <bugtraq@securityfocus.com>
From: John Duksta <jduksta@genuity.com>
In-Reply-To: <ECEPLNJJBDCGPAJMKOLEKEMFCAAA.danf@percept.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Dan,
Did you run this scan against the internal or external interface
of the SonicWall? Every scan I've ever run against a SonicWall
from the outside exhibited the OS Characteristics of the OS
actually running services port forwarded behind it.
E.g., a friend with a SonicWall was running his web and mail
servers behind a SonicWall on an AIX box. When we nmap-scanned
the external interface of the SonicWall, it showed up as an
AIX box.
-john
At 05:17 PM 7/25/2001 -0600, Dan Ferris wrote:
>This may not seem bad, but to me it seems that this defeats the point of NAT
>if somebody can steal your sessions. Note the section on TCP sequence
>prediction. This was a SonicWall SOHO firewall.
>
>=======
>Host (192.168.1.254) appears to be up ... good.
>Initiating SYN half-open stealth scan against (192.168.1.254)
>Adding TCP port 80 (state open).
>The SYN scan took 8 seconds to scan 1523 ports.
>For OSScan assuming that port 80 is open and port 1 is closed and neither
>are firewalled
>Interesting ports on (192.168.1.254):
>(The 1518 ports scanned but not shown below are in state: closed)
>Port State Service
>23/tcp filtered telnet
>67/tcp filtered bootps
>80/tcp open http
>137/tcp filtered netbios-ns
>514/tcp filtered shell
>
>TCP Sequence Prediction: Class=64K rule
> Difficulty=1 (Trivial joke)
>
>Sequence numbers: 3EC519BD 3EC613BD 3EC70DBD 3EC807BD 3EC901BD 3EC9FBBD
>Remote operating system guess: Accelerated Networks - High Speed Integrated
>Access VoDSL
>OS Fingerprint:
>TSeq(Class=64K)
>T1(Resp=Y%DF=N%W=2000%ACK=S++%Flags=AS%Ops=MNW)
>T2(Resp=N)
>T3(Resp=Y%DF=N%W=2000%ACK=O%Flags=A%Ops=)
>T4(Resp=Y%DF=N%W=2000%ACK=O%Flags=R%Ops=)
>T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
>T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
>T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
>PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=0%ULEN=134%DAT=E)
>
>
>Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
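The "Class=64K rule" line in the quoted scan means each sampled ISN is exactly 64000 (0xFA00) above the previous one, so a handful of SYN/ACK samples describes the generator completely. As an added example, not part of either post, the Python below recomputes that classification from the six sequence numbers Dan quoted; the class labels and thresholds are a rough approximation of nmap's TSeq classes, not nmap's own code, and the two extra sample sets are constructed for comparison.

```python
"""Assess TCP ISN predictability from nmap-style sequence samples (defender's check)."""
from functools import reduce
from math import gcd

MOD = 1 << 32  # TCP sequence numbers wrap at 2^32

# The six ISNs printed in the quoted nmap output (hex, as shown).
QUOTED_ISNS = ["3EC519BD", "3EC613BD", "3EC70DBD", "3EC807BD", "3EC901BD", "3EC9FBBD"]

# Constructed samples for comparison: a slow counter and a generator with no obvious step.
COUNTER_ISNS = ["00001000", "00001010", "00001025", "00001033"]
UNPATTERNED_ISNS = ["00000000", "80000000", "12345678", "DEADBEEF"]


def isn_deltas(isns_hex):
    """Wrap-aware differences between consecutive ISN samples."""
    vals = [int(h, 16) for h in isns_hex]
    return [(b - a) % MOD for a, b in zip(vals, vals[1:])]


def classify_isn_generator(isns_hex):
    """Rough equivalent of nmap's TSeq class for a list of sampled ISNs.

    Returns the class, the common step (GCD of the deltas) and a difficulty label.
    Thresholds are this example's own heuristics, not nmap's exact algorithm.
    """
    deltas = isn_deltas(isns_hex)
    if not deltas:
        raise ValueError("need at least two ISN samples")
    step = reduce(gcd, deltas)
    if len(set(deltas)) == 1:
        # Every sample differs by the same constant. 64000 (0xFA00) is the classic
        # 4.4BSD "64K rule" seen in the quoted scan; any constant step is trivial.
        return {"class": "constant increment", "step": step, "difficulty": "trivial"}
    spread = max(deltas) - min(deltas)
    if spread < (1 << 16):
        # Deltas cluster tightly: a counter driven by time or connection count.
        return {"class": "time-dependent counter", "step": step, "difficulty": "easy"}
    # Deltas vary by more than 64K: no simple pattern in this sample; keep sampling.
    return {"class": "no simple pattern", "step": step, "difficulty": "needs more samples"}


if __name__ == "__main__":
    for name, samples in (("quoted", QUOTED_ISNS), ("counter", COUNTER_ISNS),
                          ("unpatterned", UNPATTERNED_ISNS)):
        print(name, isn_deltas(samples), classify_isn_generator(samples))
```

The same check can be run on SYN/ACK sequence numbers captured from a device's own external interface; as John notes, a port-forwarded host's stack, not the firewall's, may be what is actually being measured.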