I would like to know, why it is considered to be a vulnerability if a firewall/host responds to a SYN/FIN packet?
Could someone please explain?
Thanks very much!
surreal
Take a peek at the steps in a normal TCP/IP connection. There are many posts here on it and even a tutorial. Basically, to start this connection, you send a SYN packet to the machine you want to connect to. That machine sends back a SYN/ACK packet (these are flags). Your machine then sends an ACK packet back and the connection is now established. Once you are done, the FIN flag is sent to tear down the connection in a clean fashion.
Now, there is a very specific order to how, where and when flags are set and sent. If your machine/firewall or anything else with a TCP/IP stack responds out of order or in a way not consistent with the corresponding RFC, it is a sign that the device may be vulnerable.
That's it in a nutshell. I tried to keep this basic so that you could follow the logic. Does this help you out?
If you want the entire nitty gritty on this, visit this link on the MS site. It will show you a captured session of a TCP/IP three way handshake.
http://support.microsoft.com/default.aspx?kbid=172983
--TH13
:p
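To make the "order of flags" point concrete from the detection side, here is an added example (written for this thread, not code from TH13's post or from the linked MS article). It parses the fixed 20-byte TCP header, names the flag bits, and classifies each segment as either a legitimate RFC 793 handshake/teardown step or an impossible combination such as SYN/FIN that no conforming stack emits on its own. The sample packets are constructed inline; the port numbers and sequence numbers are arbitrary.

```python
import struct

# TCP flag bits in the low byte of the offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST),
              ("PSH", PSH), ("ACK", ACK), ("URG", URG))


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=8192):
    """Build a minimal 20-byte TCP header (checksum left at 0; constructed sample data only)."""
    offset_flags = (5 << 12) | (flags & 0x3F)   # data offset = 5 words, no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def parse_tcp_header(data):
    """Parse the fixed part of a TCP header and return ports, seq/ack and the flag byte."""
    if len(data) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, offset_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "data_offset": (offset_flags >> 12) * 4, "flags": offset_flags & 0x3F}


def flag_string(flags):
    """Human-readable flag list, e.g. 'FIN/SYN'; 'NULL' when no flag is set."""
    return "/".join(name for name, bit in FLAG_NAMES if flags & bit) or "NULL"


def classify_flags(flags):
    """Return 'ok: ...' for a combination that belongs to the RFC 793 state machine,
    or 'anomalous: ...' for one no conforming stack would send."""
    if flags & SYN and flags & FIN:
        return "anomalous: SYN/FIN (open and close in one segment)"
    if flags & SYN and flags & RST:
        return "anomalous: SYN/RST (open and abort in one segment)"
    if flags == 0:
        return "anomalous: no flags set"
    if flags & FIN and not flags & ACK:
        # after the initial SYN every segment carries ACK, so a bare FIN is not a normal close
        return "anomalous: FIN without ACK"
    if flags == SYN:
        return "ok: SYN (handshake step 1)"
    if flags == SYN | ACK:
        return "ok: SYN/ACK (handshake step 2)"
    if flags & ACK:
        return "ok: ACK-bearing segment (handshake step 3, data, or FIN/ACK close)"
    if flags == RST:
        return "ok: RST (abort)"
    return "unusual: " + flag_string(flags)


def audit_segments(raw_headers):
    """Classify each raw header; returns (flag_string, verdict) pairs an IDS rule could alert on."""
    return [(flag_string(h["flags"]), classify_flags(h["flags"]))
            for h in map(parse_tcp_header, raw_headers)]


# Constructed sample traffic: a normal three-way handshake, then the SYN/FIN
# segment the thread asks about, then a segment with no flags at all
SAMPLE = [
    build_tcp_header(40000, 80, SYN, seq=1000),
    build_tcp_header(80, 40000, SYN | ACK, seq=5000, ack=1001),
    build_tcp_header(40000, 80, ACK, seq=1001, ack=5001),
    build_tcp_header(40000, 80, SYN | FIN, seq=2000),
    build_tcp_header(40000, 80, 0),
]

if __name__ == "__main__":
    for flags, verdict in audit_segments(SAMPLE):
        print(f"{flags:10} -> {verdict}")
```

The first three segments come back "ok" because they are exactly the SYN, SYN/ACK, ACK sequence TH13 describes; the last two come back "anomalous". On a firewall or IDS the useful check is the inbound one: a SYN/FIN segment is never part of a legitimate connection, so it can be dropped and logged regardless of what the host behind it would have answered.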
That was super! Thanks for your explanation :-)
But these OSes not following the RFCs are a blessing to the hacker community. Testing small (and most of the time not important) differences in the stack is known as TCP/IP fingerprinting. NMAP!!!!!
=)