Calling TCP/IP geeks.

Discussion in 'Computer Audiophile: Software, Configs, Tools' started by purr1n, Jan 24, 2019.

  1. purr1n

    purr1n Desire for betterer is endless.

    Staff Member Pyrate BWC
    Joined:
    Sep 24, 2015
    Likes Received:
    89,778
    Trophy Points:
    113
    Location:
    Padre Island CC TX
    I'm stumped here. Getting a TCP RST from port 443. Spent too long on this one already. Any suggested ideas or any tools to examine more closely? I suspect IP white listing on the firewall/host so my IP queries are being bumped. Already did a tcpdump, and in process of enumerating domain names and reverse lookup to see if I need to type in a URL. I'm probably overthinking it.

    I know there are people here who know this shit.
     
  2. winders

    winders boomer

    Banned
    Joined:
    Feb 13, 2017
    Likes Received:
    1,596
    Trophy Points:
    113
    Location:
    San Martin, CA
  3. purr1n

    Yes, I already know that. I don't need a tutorial to do what I just did. As I said, I was getting RSTs which were evident from tcpdump. Looking for insight for those who have experience with webservers or firewalls and how blocking might affect probes.
     
  4. purr1n

    Never mind. It turns out the firewall's IPS blocked my IP temporarily. I will need to be more stealthy now.
     
  5. Kernel Kurtz

    Kernel Kurtz Friend

    Pyrate Contributor
    Joined:
    May 19, 2018
    Likes Received:
    1,680
    Trophy Points:
    93
    Location:
    Winnipeg, Canada
    On the bright side, sending an RST (reject as opposed to drop) is proper behavior as the IP stack at the client knows not to keep trying till all the timeouts expire. Drops are usually harder to troubleshoot.
     
  6. purr1n

    Yeah, that's why it stumped me. Normally, I get black hole of nothingness which allows me to move on. But nooo... if it responds, then I have to look into it. This is a firewall I am not familiar with. Now I got to waste more time to run a SLOW port scan.
     
  7. Kernel Kurtz

    Not sure what scanner you are using, but nmap rocks.
     
  8. Kernel Kurtz

    Thing is, with active IPS you can't assume that black hole of nothingness really means all your ports are closed either. If you get blacklisted after the first few tries, you are not really seeing the real results of the scan of the next ports. So yes, slow is the only way to get accurate results with an IPS, regardless of whether it drops or rejects you.
     
  9. purr1n

    Nmap.

    I do tell these guys to turn off IPS / whitelist me in the interests of saving time, getting more done. A real attacker can wait, months even.

    This IPS was tricky. It shut me down fast; usually I can tell because everything stops responding after some initial responses.
     
  10. Kernel Kurtz

    Whitelisting certainly makes life much easier, but good to test from outside now and then too. A properly functioning IPS is a great thing.
     
  11. purr1n

    The problem is most clients want stuff for cheap and no one qualified monitors IDS. Companies buy IDS to tick off a checkbox.
     
  12. Kernel Kurtz

    Yup, you got that right. I've sadly seen expensive appliances bought and never really used.
     
  13. Cryptowolf

    Cryptowolf Repping Chi Town - Friend

    Pyrate Contributor
    Joined:
    Sep 27, 2015
    Likes Received:
    1,450
    Trophy Points:
    93
    Location:
    Rural Illinois
    Like you, I've seen expensive appliances purchased, turned on, and plugged into a hub/switch that's not connected to anything else, just to check the box and get a green light.

    Yep, we've got an IPS/IDS/FW/Turnip Twadler (TM). It's right there, auditor.
     
  14. bongshanks

    bongshanks New

    Joined:
    Sep 24, 2017
    Likes Received:
    9
    Trophy Points:
    3
    Location:
    Atlanta GA
    I know I'm late to the game, but did this get resolved? I do this kind of work for a living. I need to see the TCPDUMP to really help you out. There are several factors at play here:

    Is the firewall truly performing SSL offloading?
    Is this affecting you or everyone?
    What exactly are you probing? Are you just trying to reach a server on SSL?

    When you get an immediate reset on an SSL connection, it could be that the load balancer in front of the server has been misconfigured.
     
