Since nmap recognizes a lot of routers and switches, it is probably either an exotic router, a VPN or a printer. (I recently came across a bunch of HP printers not recognized by nmap...) I'm not aware of canned scripts/exploits to exploit the TCP sequence number vulnerability, but I don't think it would be of much use to you except if there are servers denying service to external networks...
And it could be of some help if you used SolarWinds's scanner to find SNMP daemons running. I already came across an entire company's B network with _all_ Ciscos' SNMP and TFTP enabled... :p

Hope my post was helpful!

>From: "Ralph Los" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Auditing boxes with predictable IP Sqeuence(s)
>Date: Mon, 25 Feb 2002 11:47:36 -0500
>
>Hello,
>
> On a network I've recently had the pleasure :) to audit I came up
>with a bunch of hosts which nMap classifies as 'unknown', but with
>predictable TCP Sequence(s). Now...are there any tools out there for
>either Linux/Win2k that will allow me to exploit this type of
>'vulnerability'? These hosts don't return any other open port
>information, so I'm guessing they're either switches, or routers or VPN
>concentrators...is there any way to determine which of those it most
>likely is? Are there any patterns to look for, when determining
>router/switch/vpn box??
>
>Thanks in advance.....something I don't know and I figured I'd ask...
>
>Cheers!
>
>----------------------------------------|
>Ralph M. Los
>Sr. Security Consultant and Trainer
> EnterEdge Technology, L.L.C.
> [EMAIL PROTECTED]
> (770) 955-9899 x.206
>----------------------------------------|
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert
>(SIA) Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/
