Calling TCP/IP geeks.

Discussion in 'Computer Audiophile: Software, Configs, Tools' started by purr1n, Jan 24, 2019.

  1. purr1n

    I'm stumped here. Getting a TCP RST from port 443. Spent too long on this one already. Any suggested ideas or any tools to examine more closely? I suspect IP whitelisting on the firewall/host, so my IP's queries are being bumped. Already did a tcpdump, and in the process of enumerating domain names and doing reverse lookups to see if I need to type in a URL. I'm probably overthinking it.

    I know there are people here who know this shit.
     
  2. winders

  3. purr1n

    Yes, I already know that. I don't need a tutorial to do what I just did. As I said, I was getting RSTs, which were evident from tcpdump. Looking for insight from those who have experience with webservers or firewalls and how blocking might affect probes.
     
  4. purr1n

    Never mind. It turns out the firewall's IPS blocked my IP temporarily. I will need to be more stealthy now.
     
  5. Kernel Kurtz

    On the bright side, sending an RST (reject as opposed to drop) is proper behavior as the IP stack at the client knows not to keep trying till all the timeouts expire. Drops are usually harder to troubleshoot.
     
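The client-side difference Kernel Kurtz describes, shown as an added example that is not part of the thread: a connect attempt answered with RST fails immediately with ECONNREFUSED, while a silent drop only fails once the socket timeout expires. The demo assumes it may bind a throwaway listener on 127.0.0.1; the "filtered" branch is exercised only when something on the path actually drops packets.

```python
import socket
import time


def classify_connect(host, port, timeout=2.0):
    """Attempt a TCP connect and report how it ended.

    Returns (state, elapsed_seconds) where state is one of:
      'open'      - three-way handshake completed
      'closed'    - peer replied with RST (firewall 'reject' or no listener)
      'filtered'  - no SYN-ACK and no RST before the timeout (a 'drop')
      'error:N'   - some other errno, e.g. host unreachable
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open", time.monotonic() - start
    except ConnectionRefusedError:
        # The stack saw an RST and gives up at once; no retransmissions.
        return "closed", time.monotonic() - start
    except socket.timeout:
        # Nothing came back: the kernel kept retransmitting SYNs until
        # our timeout, which is why drops take so much longer to diagnose.
        return "filtered", time.monotonic() - start
    except OSError as e:
        return f"error:{e.errno}", time.monotonic() - start
    finally:
        s.close()


def demo():
    """Probe a local listener (constructed here), then the same port once it is gone."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    state_open, _ = classify_connect("127.0.0.1", port)
    srv.close()  # nothing listens now, so the next SYN draws an RST
    state_closed, elapsed = classify_connect("127.0.0.1", port)
    return state_open, state_closed, elapsed


if __name__ == "__main__":
    print(demo())
```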
  6. purr1n

    Yeah, that's why it stumped me. Normally, I get a black hole of nothingness, which allows me to move on. But nooo... if it responds, then I have to look into it. This is a firewall I am not familiar with. Now I've got to waste more time running a SLOW port scan.
     
  7. Kernel Kurtz

    Not sure what scanner you are using, but nmap rocks.
     
  8. Kernel Kurtz

    Thing is, with active IPS you can't assume that black hole of nothingness really means all your ports are closed either. If you get blacklisted after the first few tries, you are not really seeing the real results of the scan of the next ports. So yes, slow is the only way to get accurate results with an IPS, regardless of whether it drops or rejects you.
     
  9. purr1n

    Nmap.

    I do tell these guys to turn off IPS / whitelist me in the interests of saving time, getting more done. A real attacker can wait, months even.

    This IPS was tricky. It shut me down fast; usually I can tell because everything stops responding after some initial responses.
     
  10. Kernel Kurtz

    Whitelisting certainly makes life much easier, but good to test from outside now and then too. A properly functioning IPS is a great thing.
     
  11. purr1n

    The problem is most clients want stuff for cheap and no one qualified monitors IDS. Companies buy IDS to tick off a checkbox.
     
  12. Kernel Kurtz

    Yup, you got that right. I've sadly seen expensive appliances bought and never really used.
     
  13. Cryptowolf

    Like you, I've seen expensive appliances purchased, turned on, and plugged into a hub/switch that's not connected to anything else, just to check the box and get a green light.

    Yep, we've got an IPS/IDS/FW/Turnip Twadler (TM). It's right there, auditor.
     