-
August 21st, 2003, 10:49 AM
#1
Member
Syn/fin
I would like to know, why it is considered to be a vulnerability if a firewall/host responds to a SYN/FIN packet?
Could someone please explain?
Thanks very much!
surreal
-
August 21st, 2003, 11:01 AM
#2
Take a peek at the steps in a normal TCP/IP connection. There are many posts here on it and even a tutorial. Basically, to start this connection, you send a SYN packet to the machine you want to connect to. That machine sends back a SYN/ACK packet (these are flags). Your machine then sends an ACK packet back and the connection is now established. Once you are done, the FIN flag is sent to tear down the connection in a clean fashion.
Now, there is a very specific order to how, where and when flags are set and sent. If your machine/firewall or anything else with a TCP/IP stack responds out of order or in a way not consistent with the corresponding RFC, it is a sign that the device may be vulnerable.
That's it in a nutshell. I tried to keep this basic so that you could follow the logic. Does this help you out?
If you want the entire nitty gritty on this, visit this link on the MS site. It will show you a captured session of a TCP/IP three-way handshake.
http://support.microsoft.com/default.aspx?kbid=172983
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
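Added example, not part of the original posts: a small check that reads the flag byte of raw TCP headers, labels each segment against the handshake order described above, and reports hosts that answered a SYN+FIN segment with SYN/ACK. The function names, the capture tuple layout and the sample traffic are assumptions constructed for illustration.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits (header byte 13)

def make_header(sport, dport, flags):
    """Constructed 20-byte TCP header: no options, zero seq/ack/checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def parse(header):
    """Return (source port, destination port, flag bits) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    f = struct.unpack("!HHIIBBHHH", header[:20])
    return f[0], f[1], f[5] & 0x3F

def classify(flags):
    if flags & SYN and flags & FIN:
        return "SYN+FIN"          # open and close requested in one segment
    if flags == SYN:
        return "SYN"              # handshake step 1
    if flags == SYN | ACK:
        return "SYN/ACK"          # handshake step 2
    if flags & FIN:
        return "FIN"              # clean teardown
    return "ACK" if flags == ACK else "other"

def hosts_answering_syn_fin(capture):
    """capture: time-ordered (src_ip, dst_ip, raw_tcp_header) tuples.
    Returns hosts that sent SYN/ACK in reply to a SYN+FIN segment."""
    probes, answered = set(), set()
    for src, dst, hdr in capture:
        sport, dport, flags = parse(hdr)
        kind = classify(flags)
        if kind == "SYN+FIN":
            probes.add((src, sport, dst, dport))
        elif kind == "SYN/ACK" and (dst, dport, src, sport) in probes:
            answered.add(src)
    return answered

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", make_header(40000, 80, SYN | FIN)),
    ("192.0.2.10", "198.51.100.7", make_header(80, 40000, SYN | ACK)),
    ("198.51.100.7", "192.0.2.20", make_header(40001, 80, SYN | FIN)),
    ("192.0.2.20", "198.51.100.7", make_header(80, 40001, RST | ACK)),
    ("198.51.100.8", "192.0.2.30", make_header(40002, 80, SYN)),
    ("192.0.2.30", "198.51.100.8", make_header(80, 40002, SYN | ACK)),
]

if __name__ == "__main__":
    print(sorted(hosts_answering_syn_fin(SAMPLE)))
```

In the sample, only the first host completes step 2 of the handshake for a SYN+FIN segment; the second resets it and the third is an ordinary SYN exchange.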
-
August 21st, 2003, 11:36 AM
#3
Member
That was super! Thanks for your explanation :-)
-
August 21st, 2003, 03:54 PM
#4
Member
But these OSes not following the RFCs are a blessing to the hacker community. Testing small (and most of the time not important) differences in the stack is known as TCP/IP fingerprinting. NMAP!!!!!
=)