-
March 31st, 2004, 12:22 PM
#11
Knowing when a firewall is installed is pretty easy. Firewalls tend to just drop the packets they receive. A regular non-firewalled host will return RST packets in response to SYN packets sent to closed ports. If any of the ports are open (like your ftp port) they would return a SYN-ACK. Both the SYN-ACK and the RST packets will have a TTL. You can tell the difference between *nix and windows just by looking at the TTL value.
Oliver's Law:
Experience is something you don't get until just after you need it.
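Added here as a worked example (not code from any poster in this thread): a defender-side check of what a host's own SYN-ACK and RST replies give away, using the well-known default initial TTLs (64 for Linux/BSD/macOS, 128 for Windows, 255 for Solaris and many network devices); the TTL seen on the wire is that default minus the hops travelled, so a LAN host answering with an implausible hop count has most likely had its TTL changed. The capture line format, field names and addresses are constructed for the example.

```python
from dataclasses import dataclass

DEFAULT_TTLS = {64: "unix-like (Linux/BSD/macOS)", 128: "Windows", 255: "Solaris / network device"}
MAX_PLAUSIBLE_HOPS = 30  # more than this suggests the TTL was deliberately changed

@dataclass
class Reply:
    src: str
    port: int
    flags: str  # "SA" = SYN-ACK (port open), "RA" = RST-ACK (port closed)
    ttl: int

def parse_reply(line: str) -> Reply:
    """Parse one constructed capture line like 'src=10.0.0.5 port=21 flags=SA ttl=58'."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Reply(kv["src"], int(kv["port"]), kv["flags"], int(kv["ttl"]))

def guess_initial_ttl(observed: int) -> int:
    """Smallest common default TTL the observed value could have decayed from."""
    for init in sorted(DEFAULT_TTLS):
        if observed <= init:
            return init
    raise ValueError(f"impossible TTL {observed}")

def classify(reply: Reply) -> dict:
    init = guess_initial_ttl(reply.ttl)
    hops = init - reply.ttl
    return {
        "host": reply.src,
        "port": reply.port,
        "state": {"SA": "open", "RA": "closed"}.get(reply.flags, "unknown"),
        "initial_ttl": init,
        "hops": hops,
        "os_guess": DEFAULT_TTLS[init],
        # A host one hop away whose TTL implies dozens of hops has almost
        # certainly had its TTL modified (the caveat raised in post #13).
        "ttl_modified": hops > MAX_PLAUSIBLE_HOPS,
    }

# Constructed sample replies from hosts on the same LAN (one hop away).
SAMPLE_CAPTURE = [
    "src=10.0.0.5 port=21 flags=SA ttl=127",   # Windows box, FTP open
    "src=10.0.0.5 port=23 flags=RA ttl=127",   # same box, telnet closed
    "src=10.0.0.9 port=22 flags=SA ttl=63",    # Linux box, SSH open
    "src=10.0.0.12 port=80 flags=SA ttl=20",   # TTL looks tampered with
]
def audit(lines=SAMPLE_CAPTURE) -> list:
    return [classify(parse_reply(l)) for l in lines]
```

A probed port that returns nothing at all is not in this list by construction: that silence is the firewall dropping the packet, which is exactly the case the post above distinguishes from a RST.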
-
March 31st, 2004, 12:26 PM
#12
If any of the ports are open (like your ftp port) they would return a SYN-ACK. Both the SYN-ACK and the RST packets will have a TTL. You can tell the difference between *nix and windows just by looking at the TTL value.
But can't the TTLs be changed using the Firewall? (IIRC you can do this in iptables)
-
March 31st, 2004, 12:39 PM
#13
Originally posted here by MsMittens
But can't the TTLs be changed using the Firewall? (IIRC you can do this in iptables)
Yes that's possible. You can even change the TTL without the help of a firewall (it's a configuration option of the TCP/IP stack). But most people using personal firewalls aren't even aware there is such a thing as a TTL and AFAIK personal firewalls don't change it either. So chances are pretty slim that the TTL was modified.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
March 31st, 2004, 12:45 PM
#14
Simple fact is that if you provide any service whatsoever then the firewall lets the OS answer rather than dropping the packets. Once you let the OS answer then the differing implementations of the TCP/IP stack can and will give away your OS to anyone that wants it unless you have done something to modify the stack..... Which I'm guessing you haven't.
Then, you are on the same network segment. Well..... It's all too easy there really isn't it. I can use anything to sniff packets, and there are ways of doing it on a switched network. A quick look through the captures will tell me your OS if I know what I'm doing. Then, also, getting your email address etc. is fairly trivial..... maybe even your passwords especially if you use POP to the local mail server.
He has physical access to your network, period. So unless you firewall, provide no services and only use an encrypted tunnel for everything you do then he will be able to glean an awful lot of info about you quite easily.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 31st, 2004, 01:51 PM
#15
I have to agree with Tiger. He's gotta be another student on the network. I just did about 5 variations of Nmap scans. Sygate picked them all up. So the fact that yours didn't makes me think this is a passive OS fingerprint and that perhaps you have more serious issues to worry about (like passwords in the clear).