August 21st, 2003, 10:49 AM
I would like to know, why it is considered to be a vulnerability if a firewall/host responds to a SYN/FIN packet?
Could someone please explain?
Thanks very much!
August 21st, 2003, 11:01 AM
Take a peek at the steps in a normal TCP/IP connection. There are many posts here on it and even a tutorial. Basically, to start this connection, you send a SYN packet to the machine you want to connect to. That machine sends back a SYN/ACK packet (these are flags). Your machine then sends an ACK packet back and the connection is now established. Once you are done, the FIN flag is sent to tear down the connection in a clean fashion.
Now, there is a very specific order to how, where and when flags are set and sent. If your machine/firewall or anything else with a TCP/IP stack responds out of order or in a way not consistent with the corresponding RFC, it is a sign that the device may be vulnerable.
That's it in a nutshell. I tried to keep this basic so that you could follow the logic. Does this help you out?
If you want the entire nitty gritty on this, visit this link on the MS site. It will show you a captured session of a TCP/IP three way handshake.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
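The flag rules described in the reply above, as an added example that is not part of this thread: a small Python checker that reads the six control bits out of a minimal TCP header and reports whether they form a legitimate handshake step or an RFC-undefined combination such as SYN/FIN, the kind of packet a firewall or host should drop rather than answer. Function names and the sample headers are constructed for illustration.

```python
"""Classify TCP flag combinations from raw TCP headers (added example)."""
import struct

# Control bits as laid out in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(header: bytes) -> int:
    """Return the 6 control bits from a minimal (20-byte) TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    # Byte 12 is data offset/reserved; byte 13 carries the flags.
    return header[13] & 0x3F


def classify(flags: int) -> str:
    """Map a flag set to the handshake step it claims, or mark it illegal."""
    if flags & SYN and flags & FIN:
        return "illegal: SYN+FIN (no RFC-defined meaning; do not respond)"
    if flags & SYN and flags & RST:
        return "illegal: SYN+RST"
    if flags == 0:
        return "illegal: no flags set"
    if flags == SYN:
        return "handshake step 1: SYN"
    if flags == SYN | ACK:
        return "handshake step 2: SYN/ACK"
    if flags == ACK:
        return "handshake step 3 / data: ACK"
    if flags & FIN:
        return "teardown: FIN"
    return "other"


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal TCP header (constructed sample, not a capture)."""
    data_offset = 5 << 4  # 20-byte header, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags,
                       65535, 0, 0)


def illegal_packets(headers) -> list:
    """Indices of headers whose flag set has no RFC-defined meaning."""
    return [i for i, h in enumerate(headers)
            if classify(tcp_flags(h)).startswith("illegal")]


if __name__ == "__main__":
    stream = [build_tcp_header(40000, 80, f) for f in (SYN, SYN | ACK, ACK,
                                                       SYN | FIN, FIN | ACK)]
    for i, h in enumerate(stream):
        print(i, classify(tcp_flags(h)))
```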
August 21st, 2003, 11:36 AM
That was super! Thanks for your explanation :-)
August 21st, 2003, 03:54 PM
But these OSes not following the RFCs are a blessing to the hacker community. Testing small (and most of the time not important) differences in the stack is known as TCP/IP fingerprinting. NMAP!!!!!