Hi,

I just found something odd when playing around with address translation in conjunction with an NT machine. It seems that Windows NT (v4, SP3) accepts any source IP in ICMP Echo Replies (Ping replies).

For those of you that want clarification, here's a quick run-down. (The firewall is non-NT. In fact, the firewall make and model has nothing to do with this at all.)

- NT machine initiates a ping
  NT:SEND  10.20.250.3 -> 10.20.250.5  ICMP Echo
- Gets sent via network to firewall
  FW:NAT   10.20.250.4 -> 10.20.250.3  ICMP Echo
- Gets sent from firewall to NT machine, which responds
  NT:RESP  10.20.250.3 -> 10.20.250.4  ICMP EchoReply
- Firewall (misconfigured) only changes the destination
  FW:NAT   10.20.250.3 -> 10.20.250.3  ICMP EchoReply

This gets sent from firewall to NT machine, which sees a source address of 10.20.250.3 (itself), rather than what it originally pinged (10.20.250.5), but happily accepts it anyway and displays a ping response on screen.

I don't see how you could really abuse this, and I don't know if this holds true if it sees any other IP address than itself, but this might be symptomatic of something larger and more evil? I don't know...

On a side note: I think that the ICMP Echo ID/SeqNo needs to match for it to accept the ping reply. But.. Surprise! NT always sends out its Echos with ID=1. And the sequence number is just that, a sequence number, increased by one every time (yeah yeah, in Intel byte order rather than network byte order, but that's beside the point :-)

Regards,
Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50   Fax: +46-(0)660-122 50   Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se   E-mail: [EMAIL PROTECTED]

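The trace above can be replayed offline to show the difference between the loose reply matching the post attributes to NT (ID and sequence number only) and the matching a ping client should do (source address of the reply equals the address that was pinged, checksum valid, ID and sequence number echoed back). The following is an added example, not code from the post or from any vendor; the IP layer is modelled only as source/destination strings, the packets are constructed, and the "strict" check represents what a careful client is assumed to do, not any documented NT behaviour. ID and sequence number are compared as raw bytes, so the Intel-byte-order quirk the post mentions does not affect the comparison: a reply must echo those bytes back unchanged either way.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: bytes, seq: bytes, payload: bytes = b"") -> bytes:
    """Build an Echo / Echo Reply with a valid checksum; ident and seq are the raw 2-byte fields."""
    body = bytes([icmp_type, 0, 0, 0]) + ident + seq + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp_echo(msg: bytes) -> dict:
    """Parse an Echo / Echo Reply; a valid message checksums to zero over its full length."""
    if len(msg) < 8:
        raise ValueError("ICMP message too short")
    icmp_type, code = msg[0], msg[1]
    return {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(msg) == 0,
        "ident": msg[4:6],
        "seq": msg[6:8],
        "payload": msg[8:],
    }


def record_request(dst_ip: str, msg: bytes) -> dict:
    """What the pinging host remembers about an outstanding Echo: whom it asked, and the ID/seq it used."""
    p = parse_icmp_echo(msg)
    return {"dst": dst_ip, "ident": p["ident"], "seq": p["seq"]}


def accept_reply_loose(pending: dict, src_ip: str, msg: bytes) -> bool:
    """Matching as the post describes it: the reply's source address is never compared."""
    p = parse_icmp_echo(msg)
    return p["type"] == ICMP_ECHO_REPLY and p["ident"] == pending["ident"] and p["seq"] == pending["seq"]


def accept_reply_strict(pending: dict, src_ip: str, msg: bytes) -> bool:
    """Assumed correct behaviour: the reply must come from the address that was pinged."""
    p = parse_icmp_echo(msg)
    return (p["type"] == ICMP_ECHO_REPLY and p["checksum_ok"]
            and src_ip == pending["dst"]
            and p["ident"] == pending["ident"] and p["seq"] == pending["seq"])


def replay_trace() -> dict:
    """Replay the four-step NAT trace from the post with constructed packets."""
    nt, fw_nat, target = "10.20.250.3", "10.20.250.4", "10.20.250.5"
    # Step 1: NT sends an Echo to 10.20.250.5. Per the post, ID is always 1 and the
    # sequence number is written in host (little-endian) order; 7 is a constructed value.
    ident, seq = (1).to_bytes(2, "little"), (7).to_bytes(2, "little")
    request = build_icmp_echo(ICMP_ECHO_REQUEST, ident, seq, b"abcdefgh")
    pending = record_request(target, request)
    # Steps 2-3: the firewall NATs the Echo back to NT (src 10.20.250.4), which answers
    # with an Echo Reply that echoes ID, seq and payload unchanged.
    reply = build_icmp_echo(ICMP_ECHO_REPLY, ident, seq, b"abcdefgh")
    # Step 4: the misconfigured firewall rewrites only the destination, so the reply
    # reaches NT with its own address as source instead of 10.20.250.5.
    arriving_src = nt
    return {
        "loose_accepts": accept_reply_loose(pending, arriving_src, reply),
        "strict_accepts": accept_reply_strict(pending, arriving_src, reply),
        # Control: the same reply arriving from the address that was pinged passes the strict check.
        "strict_accepts_correct_source": accept_reply_strict(pending, target, reply),
    }


if __name__ == "__main__":
    print(replay_trace())
```

The interesting line is `strict_accepts`: the reply that the post says NT displays as a ping response is rejected as soon as the source address is checked against the pinged address, while `loose_accepts` reproduces the observed behaviour. The same strict check also catches a reply whose ID/seq match by chance, which matters when the ID is a constant and the sequence number is predictable.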