[26946] in bugtraq


Re: Next-hop scanning for open firewall ports

daemon@ATHENA.MIT.EDU (Chris Brenton)
Sat Sep 7 12:34:33 2002

From: Chris Brenton <cbrenton@chrisbrenton.org>
To: "David G. Andersen" <dga@lcs.mit.edu>
In-Reply-To: <20020905233115.GE1702@lcs.mit.edu>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: 07 Sep 2002 10:50:12 -0400
Message-Id: <1031410213.1744.13.camel@valhalla>
Mime-Version: 1.0

On Thu, 2002-09-05 at 19:31, David G. Andersen wrote:
> Thinking about ways to figure out how to get through firewalls,
> the following attack occurred to me. 

I love stuff like this. Tweaking the rules and all of that. ;-)

> Start running an hping to watch the IPID at router1:

This is one of your first problems. The firewall has to also permit some
level of access to the router. *Hopefully* most environments know enough
not to permit this kind of access.

Now, it is possible that you could extract an IPID by firewalking, but
then you might as well firewalk from your own IP address anyway and not
bother spoofing.

Of course all of the above assumes the firewall is based on packet
filtering (SI included). If it's proxy based, this will not work.

> hping2 -r Router1

Problem #3, this is going to generate a consistent stream of firewall
log entries that will indicate you are up to something funky. Especially
trying to send ACK packets to port 0 which is the default. ;-)

> Nothing amazing, but it does point out another problem that can
> come from predictable IP IDs.

Totally agree. All OSes, including network hardware, should be running
random IPIDs. This problem is just too well known to excuse.

HTH,
C
-- 
************************************** 
cbrenton@chrisbrenton.org

find / -name \*yourbase\* -exec chown us:us {} \; 
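The idle-scan inference the thread is arguing about, as an added example that is not part of Chris Brenton's reply or of David Andersen's original post. Instead of hping2 against a real router it models the two hosts in Python: a "zombie" with a globally incrementing 16-bit IP ID counter (the router in the original scenario) and a target whose ports are scanned with SYNs spoofed from the zombie's address. The host model, the port numbers, the sample IP ID sequences and the "small positive step" thresholds in `classify_ipid` are all constructed for this example; the classifier does not handle byte-swapped (increment-by-256) counters that some old stacks use.

```python
import random
from dataclasses import dataclass, field

IPID_MASK = 0xFFFF  # the IP ID is a 16-bit header field, so deltas wrap modulo 2**16


def ipid_delta(before: int, after: int) -> int:
    """Distance between two observed IP IDs, accounting for 16-bit wraparound."""
    return (after - before) & IPID_MASK


def classify_ipid(ids: list) -> str:
    """Classify a run of IP IDs observed from one host, the way a scanner vets a
    zombie candidate: 'zero' (always 0), 'incremental' (small positive steps,
    i.e. predictable and usable), otherwise 'random'.  The 1..10 step window is
    an assumption of this example, not a standard."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "zero"
    deltas = [ipid_delta(a, b) for a, b in zip(ids, ids[1:])]
    if all(1 <= d <= 10 for d in deltas):
        return "incremental"
    return "random"


@dataclass
class Host:
    """Minimal model of an IP stack: a 16-bit IP ID counter and a TCP port table."""
    name: str
    ipid: int = 0
    random_ipid: bool = False            # True models a stack that randomizes IP IDs
    open_ports: set = field(default_factory=set)
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def _emit(self) -> int:
        """Allocate the IP ID for one outgoing packet."""
        if self.random_ipid:
            return self.rng.getrandbits(16)
        self.ipid = (self.ipid + 1) & IPID_MASK
        return self.ipid

    def answer_probe(self) -> int:
        """Reply to an attacker's probe (an ACK that elicits a RST, as hping2 -r
        does) and return the IP ID of that reply."""
        return self._emit()

    def recv_syn_ack(self) -> None:
        """An unsolicited SYN/ACK makes the stack send a RST: one IP ID consumed."""
        self._emit()

    def recv_rst(self) -> None:
        """A stray RST is dropped silently: no packet, no IP ID consumed."""

    def recv_syn(self, port: int, source: "Host") -> None:
        """Handle a SYN whose source address is `source` (spoofed by the attacker)."""
        self._emit()                      # the target's own reply packet
        if port in self.open_ports:
            source.recv_syn_ack()         # open port: SYN/ACK goes to the spoofed source
        else:
            source.recv_rst()             # closed port: RST goes to the spoofed source


def idle_scan(zombie: Host, target: Host, port: int) -> str:
    """Infer a port's state on `target` using only `zombie`'s IP ID counter:
    probe the zombie, send the spoofed SYN, probe the zombie again."""
    before = zombie.answer_probe()
    target.recv_syn(port, source=zombie)
    after = zombie.answer_probe()
    delta = ipid_delta(before, after)
    if delta == 1:
        return "closed|filtered"   # only our second probe reply consumed an ID
    if delta == 2:
        return "open"              # the zombie also RSTed a SYN/ACK from the target
    return "inconclusive"          # zombie sent other traffic, or its IDs are not sequential


def demo() -> dict:
    """Constructed scenario: a predictable zombie scans a target with 22 and 80 open,
    then the same scan is attempted through a zombie that randomizes its IP IDs."""
    target = Host("target", open_ports={22, 80})
    zombie = Host("router1", ipid=1000)
    random_zombie = Host("router2", random_ipid=True)
    # Observed IP IDs from four probes of each candidate zombie (constructed data).
    seq_ok = [zombie.answer_probe() for _ in range(4)]
    seq_rand = [random_zombie.answer_probe() for _ in range(4)]
    return {
        "router1_class": classify_ipid(seq_ok),
        "router2_class": classify_ipid(seq_rand),
        "port80": idle_scan(zombie, target, 80),
        "port81": idle_scan(zombie, target, 81),
        "port80_via_random": idle_scan(random_zombie, target, 80),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The attacker never receives a packet from the target; every bit of information comes from the zombie's counter, which is why the fix is on the zombie's side (randomized IP IDs) and why the firewall has to let the attacker probe the router at all for the scan to start.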
