Norton PF Vulnerability

Discussion in 'other firewalls' started by Paul Wilders, Apr 17, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands

    Norton Personal Firewall 2002 on Windows 2000 is vulnerable to SYN/FIN scans (SYN/FIN/URG, SYN/FIN/PUSH and SYN/FIN/URG/PUSH are not detected either), even if you activate "detect portscan".

    The Windows machine answers the same way with or without NPF.

    open TCP port answer (hping output):
    len=46 ip=a.b.c.d sport=135 flags=SA DF seq=5 ttl=128 id=112 win=16616 rtt=0.8 ms
    closed TCP port answer (hping output):
    len=46 ip=a.b.c.d sport=136 flags=RA seq=6 ttl=128 id=113 win=0 rtt=0.6 ms

    This way, you can check which ports are listening and you don't get blacklisted. When NPF detects a port scan, it filters all packets from the source IP for the next 30 mins. After some tests NPF stops ONLY SYN packets FROM the blacklisted IP. This means that you can STILL perform a SYN/FIN scan while blacklisted and also that you can go on with an established connection from a blacklisted IP. You just can't start a new connection FROM the blacklisted machine (but you can start it from the "protected" PC).

    Moreover, since you can't change the 30 mins default blacklist time, this can help a lot in fingerprinting Norton Personal Firewall, by making your IP blacklisted and then trying to send SYN packets again to an open port after 30 mins.

    Vendor URL:
    You can visit the vendor's webpage here:

    Vendor response:
    The vendor was contacted on the 5th of April, 2002 using a web form at feedback

    No reply so far.
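
As an added example (not part of the original post and not vendor code), the following compares a filter that drops only bare SYN segments, which is an assumed model of the behaviour reported above, with a stricter check on the TCP flag byte. The function names, sample headers and port numbers are constructed for illustration.

```python
import struct

# Classic TCP flag bits, stored in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [(SYN, "SYN"), (FIN, "FIN"), (RST, "RST"), (URG, "URG"), (PSH, "PSH"), (ACK, "ACK")]

def tcp_flags(header: bytes) -> int:
    """Extract the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F

def describe(flags: int) -> str:
    return "/".join(name for bit, name in NAMES if flags & bit) or "none"

def syn_only_filter(flags: int) -> bool:
    """Assumed model of the reported behaviour: only a bare SYN is dropped."""
    return flags == SYN

def strict_filter(flags: int) -> bool:
    """Drop SYN+FIN in any combination, and any SYN that lacks ACK."""
    if flags & SYN and flags & FIN:
        return True   # commonly treated as anomalous and dropped
    return bool(flags & SYN) and not flags & ACK   # inbound connection attempt

def make_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a constructed 20-byte TCP header (seq, ack and checksum zeroed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 512, 0, 0)

def audit(headers):
    """List flag combinations the SYN-only filter passes but the strict one drops."""
    missed = []
    for header in headers:
        flags = tcp_flags(header)
        if strict_filter(flags) and not syn_only_filter(flags):
            missed.append(describe(flags))
    return missed

# Constructed sample traffic: the combinations named in the post plus normal segments
SAMPLES = [make_header(40000, 135, f) for f in (
    SYN, SYN | FIN, SYN | FIN | URG, SYN | FIN | PSH,
    SYN | FIN | URG | PSH, ACK, SYN | ACK)]

if __name__ == "__main__":
    for combo in audit(SAMPLES):
        print("passed by SYN-only filter, dropped by strict filter:", combo)
```

The strict check still lets through ACK segments of established connections and the SYN/ACK replies to connections opened from the protected machine.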