April 18th, 2003, 01:43 PM
First - the identity of the firewall is not what is initially important, but what the firewall is doing.
Second - it isn't very polite to start off your first post by cursing.
Get OpenSolaris http://www.opensolaris.org/
April 18th, 2003, 02:49 PM
Why has no one tried a fragment attack yet? Most firewalls will let packets pass if they are under 4 bytes small. That could help to determine the OS at least, which would be a start.
And also something else: that server does not seem to be running any real internet services. If I go online with my Linux box, I have no open ports (in init 3, that is), and no RPCs, no SMTP, POPs, etc., so that is very safe already. Any computer with no open ports is safe. It's their services (if they intend to put any) that will help make the entire box unsafe, because most attacks are oriented towards the services (Samba, HTTP, FTP, mail, RPC, NetBIOS, etc.).
Or is it truly so safe that I cannot detect any services?
Those may well be redirects from the firewall itself. To me this looks like some sort of honeypot. The fact that this target may be under very heavy logging is all too real. Don't let it confuse you with the fact that honeypots normally have open weaknesses. Since all the ports are in state filtered, that tells me there is no internet service running, or just that the firewall is blocking it. If it is a redirect, however, then the chance of it being a honeypot increases.
Just in case you are interested:
# nmap -v -P0 220.127.116.11
Starting nmap V. 3.00 ( www.insecure.org/nmap/
No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host (18.104.22.168) appears to be up ... good.
Initiating Connect() Scan against (22.214.171.124)
Strange error from connect (13):Permission denied
The Connect() Scan took 4 seconds to scan 1601 ports.
Interesting ports on (126.96.36.199):
(The 1582 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
25/tcp filtered smtp
37/tcp filtered time
43/tcp filtered whois
53/tcp filtered domain
63/tcp filtered via-ftp
70/tcp filtered gopher
79/tcp filtered finger
80/tcp filtered http
110/tcp filtered pop-3
113/tcp filtered auth
119/tcp filtered nntp
123/tcp filtered ntp
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
443/tcp filtered https
11371/tcp filtered pksd
Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
It might be a waste of time, but let's say "they are" testing our skills... knowledge, skills, security, computers, in a positive way.
I will try sending some fragmented packages and see how they are handled.
Ubuntu-: Means in African : "Im too dumb to use Slackware"
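The fragment point raised in the post above is best looked at from the filter's side. The following is an added example, not code from this thread or from any firewall product: it shows the two fragment checks described in RFC 1858 (drop a TCP first fragment too short to carry the full TCP header, and drop any fragment at offset 1), run over IPv4 packets constructed in the example itself. The `build_ipv4` helper, the sample packets and the documentation-range addresses are all constructed for illustration, and the header checksum is left at zero because the check does not verify it.

```python
"""Tiny-fragment check for an IPv4 packet filter (constructed example)."""
import struct

PROTO_TCP = 6
PROTO_UDP = 17
FLAG_MF = 0x1               # "more fragments" bit in the IPv4 flags field
MIN_TCP_HEADER = 20         # bytes needed to see ports, sequence number and flags


def build_ipv4(payload: bytes, frag_offset: int = 0, more_fragments: bool = False,
               proto: int = PROTO_TCP) -> bytes:
    """Put a minimal 20-byte IPv4 header (no options) in front of payload.

    Constructed for this example: addresses come from the RFC 5737
    documentation range and the header checksum is left at zero.
    """
    flags_frag = ((FLAG_MF if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                      # version 4, IHL 5 (20-byte header)
        0,                         # type of service
        20 + len(payload),         # total length
        0x1234,                    # identification shared by all fragments
        flags_frag,                # flags (3 bits) + fragment offset (13 bits)
        64,                        # TTL
        proto,
        0,                         # header checksum (not computed here)
        bytes([192, 0, 2, 10]),    # source address
        bytes([198, 51, 100, 20]), # destination address
    )
    return header + payload


def parse_ipv4(packet: bytes):
    """Return (proto, more_fragments, frag_offset_in_8_byte_units, payload)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool((flags_frag >> 13) & FLAG_MF)
    frag_offset = flags_frag & 0x1FFF
    return proto, more_fragments, frag_offset, packet[ihl:total_len]


def is_tiny_fragment(packet: bytes) -> bool:
    """True if the packet should be dropped under the RFC 1858 fragment rules."""
    proto, _mf, offset, payload = parse_ipv4(packet)
    if proto != PROTO_TCP:
        return False
    # A first fragment too short to hold the whole TCP header pushes the
    # flags byte into a later fragment that a stateless filter never inspects.
    if offset == 0 and len(payload) < MIN_TCP_HEADER:
        return True
    # A fragment at offset 1 (byte 8) can only serve to overwrite bytes 8..15
    # of the TCP header during reassembly, so it is always dropped.
    if offset == 1:
        return True
    return False


def filter_verdicts(packets) -> list:
    """Apply the check to a sequence of packets and return 'drop'/'pass' per packet."""
    return ["drop" if is_tiny_fragment(p) else "pass" for p in packets]


# Constructed 20-byte TCP SYN header: sport 40000, dport 22, seq 1, data offset 5, SYN set.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)

# Constructed sample packets, in the order the verdicts below refer to them.
SAMPLES = {
    "full_syn": build_ipv4(TCP_SYN),                                         # pass
    "tiny_first_fragment": build_ipv4(TCP_SYN[:8], more_fragments=True),     # drop
    "second_fragment_offset_1": build_ipv4(TCP_SYN[8:], frag_offset=1),      # drop
    "later_fragment": build_ipv4(b"\x00" * 16, frag_offset=3),               # pass
    "tiny_udp_fragment": build_ipv4(b"\x00" * 8, more_fragments=True,
                                    proto=PROTO_UDP),                        # pass (rule is TCP-only)
}

if __name__ == "__main__":
    for name, verdict in zip(SAMPLES, filter_verdicts(SAMPLES.values())):
        print(f"{name:26s} {verdict}")
```

The check is stateless on purpose: it needs only the IP header and the length of the first fragment, which is what a filtering device sees per packet. A filter that reassembles fragments before applying its rules does not need these checks, but one that does not will pass the flags byte of a split TCP header unseen, which is the gap the post's "fragment attack" relies on.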