Thread: Firewall Discloses Information.

  1. #11
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Knowing when a firewall is installed is pretty easy. Firewalls tend to just drop the packets they receive. A regular non-firewalled host will return RST packets in response to SYN packets sent to closed ports. If any of the ports are open (like your ftp port) they would return a SYN-ACK. Both the SYN-ACK and the RST packets will have a TTL. You can tell the difference between *nix and windows just by looking at the TTL value.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #12
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    If any of the ports are open (like your ftp port) they would return a SYN-ACK. Both the SYN-ACK and the RST packets will have a TTL. You can tell the difference between *nix and windows just by looking at the TTL value.
    But can't the TTLs be changed using the Firewall? (IIRC you can do this in iptables)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #13
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by MsMittens
    But can't the TTLs be changed using the Firewall? (IIRC you can do this in iptables)
    Yes that's possible. You can even change the TTL without the help of a firewall (it's a configuration option of the TCP/IP stack). But most people using personal firewalls aren't even aware there is such a thing as a TTL and AFAIK personal firewalls don't change it either. So chances are pretty slim that the TTL was modified.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
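
As an added example (not code from any poster in this thread), the reasoning in posts #11 to #13 can be written as a small Python check for auditing what your own host's replies give away. The initial-TTL table holds commonly cited defaults and, like the sample observations, is an assumption rather than something stated in the thread.

```python
# Commonly cited default initial TTLs (assumption, not from the thread).
INITIAL_TTLS = {64: "Unix-like", 128: "Windows", 255: "network device or older Unix"}

def guess_initial_ttl(observed_ttl):
    """Return (initial_ttl, hops) by rounding up to the nearest common default."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl

def classify_reply(tcp_flags):
    """Map the reply to a SYN probe onto a port state."""
    if tcp_flags is None:
        return "filtered"   # silently dropped: typical firewall behaviour
    if tcp_flags == "SA":
        return "open"       # SYN-ACK answered by the OS stack
    if "R" in tcp_flags:
        return "closed"     # RST or RST-ACK answered by the OS stack
    return "unknown"

def summarize(observations):
    """observations: list of (port, reply_flags_or_None, ttl_or_None)."""
    ports = {port: classify_reply(flags) for port, flags, _ in observations}
    ttls = {ttl for _, flags, ttl in observations if flags is not None}
    guesses = {guess_initial_ttl(t) for t in ttls}
    result = {"ports": ports, "firewall_likely": "filtered" in ports.values(),
              "os_guess": None, "hops": None}
    # Report a guess only when every answered packet agrees. A TTL changed in
    # the stack or by a firewall (post #13) makes this a hint, never proof.
    if len(guesses) == 1:
        initial, hops = next(iter(guesses))
        result["os_guess"], result["hops"] = INITIAL_TTLS[initial], hops
    return result

# Constructed sample: replies captured from one of your own hosts, 3 hops away.
SAMPLE = [(21, "SA", 125), (80, None, None), (113, "RA", 125), (139, None, None)]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Any port that answers at all, open or closed, carries the TTL; only a host that drops everything discloses nothing this way.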

  4. #14
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Simple fact is that if you provide any service whatsoever then the firewall lets the OS answer rather than dropping the packets. Once you let the OS answer then the differing implementations of the TCP/IP stack can and will give away your OS to anyone that wants it unless you have done something to modify the stack..... Which I'm guessing you haven't.

    Then, you are on the same network segment. Well..... It's all too easy there really isn't it. I can use anything to sniff packets, and there are ways of doing it on a switched network. A quick look through the captures will tell me your OS if I know what I'm doing. Then, also, getting your email address etc. is fairly trivial..... maybe even your passwords especially if you use POP to the local mail server.

    He has physical access to your network, period. So unless you firewall, provide no services and only use an encrypted tunnel for everything you do then he will be able to glean an awful lot of info about you quite easily.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #15
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I have to agree with Tiger. He's gotta be another student on the network. I just did about 5 variations of Nmap scans. Sygate picked them all up. So the fact that yours didn't makes me think this is a passive OS fingerprint and that perhaps you have more serious issues to worry about (like passwords in the clear).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
