Jerry, maybe you are right but I think p0f is able to detect such
modification, this is
from p0f documentation:
NOTE: Some NAT devices, such as Linux iptables with --set-mss, will
modify MSS, but not WSS. As a result, MSS is changed to reflect
the MTU of the NAT device, but WSS remains a multiple of the original
MSS. Fortunately for us, the source device would almost always be
hooked up to Ethernet. P0f handles it automatically for the original
MSS of 1460, by adding "NAT!" tag to the result.
So I think that firewalls with packet-normalization only can fake os
fingerprinting (as described in p0f docs).
I dont know if there are other circumstances when a natting device
will change
syn's header values.
I've also something to add to my prev post:
If pf is configured to drop (not reject) SYNs (or if our kernel drops
RSTs) it's
possible to perform this kind of *authenication* without a real
packet rewriting
software. In fact it's not necessary that our original syn (the one
generated by
the kernel) avoids reaching its destination due to the firewall drop.
It's
sufficent a tool that sniffs our syn, applys the adjustment needed
and then
resends it. Doing that we'll have two SYNs per connection, the first is
generated by the kernel and the second is a rewrite of the first one
and will
match the p0f signature.
Anyway it'll result in a dirty and sospicious handshake and possibly
it'll add
entries to logfiles. The big advantage is that the rest of the tcp
stream is
totally independent from any supplementary code, in fact tools like
tripp or
fragroute need to rewrite the entire tcp stream (otherwise it's
possible to kill
such tools after the connection is estabilished and restart them when
a new
connection is needed).
A proof-of-concept is available at
http://tripp.dynalias.org/authsyn.tgz
poplix
On 24 Jan 2006, at 5:21 PM, Shenk, Jerry A wrote:
Another problem (challenge;) would be gaining access from behind a
NATting device. Sometimes, they'll modify the headers and make the
packets look like they originated on the NATting device. Some fields
would probably work better than others.
On Mon, Jan 23, 2006 at 10:44:52PM +0100, poplix wrote:
Hi there,
I wish to propose an alternative to port knoking that uses the native
OpenBSD's pf code only. The idea is to use the pf's passive os
fingerprinter to authenticate initial SYN packets.
With a tool (or kernel patch) able to rewrite packets header is
possible
to use a specific sequence of header fields as a key to validate
packets.
This is an interesting - albeit not exactly new - idea, but it has the
very real disadvantage over port knocking that it requires priviliges
(typically root) on the connecting host.
Joachim
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
