Re: FIN Scanning through all kind of packet-filtering firewalls?
Darren Reed (avalon coombs.anu.edu.au)
Sat, 8 Nov 1997 20:09:37 +1100 (EDT)
In some mail from gary flynn, sie said:
>
> > From: <robert.stahlbrand nmac.ericsson.se>
> >
> > The FIN scanning method (presented in Phrack Magazine 49, article 15)
> > where you can scan for open ports on a host behind a packet-filtering
> > firewall even though your rules deny it is certainly working on
> > Checkpoint ver. 2.1(a)
[...]
> I'm not familiar with Checkpoint but any packet filter that is
> filtering on a destination port is going to toss the packet
> regardless of the SYN or any other flag unless there is some
> special programming.
I wouldn't be so sure about that. Checkpoint's FW-1 will pass all
packets through with the ACK flag set (except, I think SYN-ACK)
but will strip the body of any data. They do this so that they can
rebuild state for a connection which has remained open over (say)
the firewall rebooting or connection information expiring. If the
reply packet was returned, anyway, there's your scan!
Darren
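
A toy model of the trade-off described in this message, added here as an illustration and not code from the post or from Check Point: one state table run with and without a rule that lets stateless ACK packets through. The `Filter` class, its `ack_fallback` switch and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass

FIN, SYN, ACK = 0x01, 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True when the packet arrives from the outside network

class Filter:
    """Toy state table. ack_fallback=True models the behaviour described in
    the post (an assumption, not FW-1 code): an inbound packet with no state
    still passes if ACK is set and SYN is not."""
    def __init__(self, ack_fallback):
        self.ack_fallback = ack_fallback
        self.conns = set()    # (inside_ip, inside_port, outside_ip, outside_port)
        self.stateless = []   # inbound non-SYN packets that matched no state

    def reboot(self):
        self.conns.clear()    # connection table lost, as after a restart

    def allows(self, p):
        if not p.inbound:
            if p.flags & SYN and not p.flags & ACK:
                self.conns.add((p.src, p.sport, p.dst, p.dport))
            return True
        if (p.dst, p.dport, p.src, p.sport) in self.conns:
            return True
        if p.flags & SYN:
            return False      # unsolicited SYN or SYN-ACK
        self.stateless.append(p)   # log these: candidates for alerting
        return self.ack_fallback and bool(p.flags & ACK)

# Constructed sample traffic (documentation addresses, not from the post).
IN, OUT = "192.0.2.10", "198.51.100.7"
TRAFFIC = [
    Pkt(IN, 40000, OUT, 80, SYN, inbound=False),       # inside host connects out
    Pkt(OUT, 80, IN, 40000, SYN | ACK, inbound=True),  # handshake reply
    Pkt(OUT, 5555, IN, 23, ACK, inbound=True),         # stray ACK, no connection
    Pkt(OUT, 5555, IN, 25, FIN | ACK, inbound=True),   # stray FIN-ACK, no connection
    Pkt(OUT, 5555, IN, 23, SYN, inbound=True),         # plain connection attempt
]

def verdicts(ack_fallback, traffic=TRAFFIC):
    fw = Filter(ack_fallback)
    return [fw.allows(p) for p in traffic], fw
```

With `ack_fallback=True` an established connection still works after `reboot()`, which is the reason given in the message, but the two stray packets also reach the inside host; with it off, both are dropped and collected in `stateless` for logging.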
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:09:48 CDT