Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Subject: IDS: Fw: blackice ignoring port 113
From: Talisker (Taliskernetworkintrusion.co.uk)
Date: Sun Jul 23 2000 - 07:14:13 CDT
- Next message: John S Flowers: "Re: IDS: kernel implementations"
- Previous message: Dug Song: "Re: IDS: kernel implementations"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
Found this on Bugtraq this morning
| The geek shall |
| Inherit the earth |
The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.
----- Original Message -----
From: "vali" <valiiname.com>
Sent: Saturday, July 22, 2000 5:27 PM
Subject: blackice ignoring port 113
> It's as simple as that, blackice (a somehow popular windows firewall) is
> ignoring TCP trafic with destination port 113 (even with "paranoid"
> The most simple way to try this is
> nmap -sS -p 113 -P0 victim (victim's blackice is silent)
> nmap -sS -p any_other_port -P0 victim (blackice says "tcp port probe").
> Tried with blackice 2.1.x (blackice.exe & vxd = 2.1.25, blackicd and
> blackdll.dll = 2.1.22) on both win95 OSR 2 ans win98 SE.
> This is not much, but is a simple way to flood a computer without blackice
> reacting in any way. Also, if somebody is using a buggy ident server this
> fatal (irc clients install sometimes ident servers, without users
> Other comments regarding BlackIce:
> Blackice is doing a good job in stoping malformed packets "bad" for
> IP stacks (including IGMP, fragmented ICMP aka teardrop, etc, etc). Can
> nmap stealth scan but there is no simple way to tell from the interface
> port scaned (if the port is not a "standard" port). Anyway, it has
> extensive logging capabilities. In fact with "logging" and "evidence
> enabled sniffed sessions can linger in Blackice folder, alongside with
> sensitive information like passwords.
> Blackice can do (automatic) DNS reverse lookup and a Netbios scan for the
> atackers (wich can be a *very* bad thing). I think this feature is enabled
> Blackice seems to have some limits for the number of packets loged and for
> alerts displayed. This is a good thing and a bad thing. This limit the
> used but some packets can go unnoticed (and if someone send a lot of
> packets the real atack will go unnoticed).