Hello, everybody.

Please, if this is not the right place, tell me where I should send this question.

A TWAIN driver installed in a workstation uses remote shell (RSH) to connect to a multifunction printer in other subnet in order to scan through the network. A Checkpoint firewall routes packets between both networks and the right ACLs have been configured.

The first command sent by the workstation instructs the MFP to redirect standard error (stderr) console to port 1022. After exchanging usernames, then the next TCP stream appears:

No. Time           Source      Destination Protocol Length Info
  6 *REF*          MFP_Printer Scanning_WS TCP      74     1023 > 1022 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0
  7 0.000070000    Scanning_WS MFP_Printer TCP      74     1022 > 1023 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 TSval=175963 TSecr=0
  8 0.000778000    MFP_Printer Scanning_WS TCP      66     1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=0 TSecr=175963
 13 0.005591000    Scanning_WS MFP_Printer TCP      68     1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175963 TSecr=0
 15 0.310455000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175994 TSecr=0
 16 0.918846000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176055 TSecr=0
 17 2.135649000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176176 TSecr=0
 18 4.538069000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176417 TSecr=0
 19 9.358490000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176899 TSecr=0
 20 18.968060000   Scanning_WS MFP_Printer TCP      54     1022 > 1023 [RST, ACK] Seq=3 Ack=1 Win=0 Len=0
 21 18.968948000   MFP_Printer Scanning_WS TCP      66     [TCP Dup ACK 8#1] 1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=38 TSecr=175963
 22 18.968985000   Scanning_WS MFP_Printer TCP      54     1022 > 1023 [RST] Seq=1 Win=0 Len=0

As you can see, TCP connection is created by MFP_Printer. After syncing, I would expect that frame 13 should be MFP_Printer transmitting data to Scanning_WS, but it is not, it's just the opposite.

The firewall (the IPS, I guess) is dropping this packet, reporting "Violated unidirectional connection". TCP Retransmissions work as expected until the connection is eventually reset.

So the questions are:

After a correct TCP three-way handshake, the peer which sent the TCP SYN should be the peer transmitting data. Is it right?

Is this remote shell behaviour a non-standard behaviour?

Is it a wrong design related to the driver or to the Linux running in the MFP?

I need to understand what's happening in order to provide some solution, so any information will be greatly appreciated.

Regards.

asked 27 Sep '13, 02:53

selecnor
11224
accept rate: 0%

edited 30 Sep '13, 14:41

SYN-bit ♦♦
17.1k957245
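The question boils down to "which peer sent the SYN, and which peer sent the first payload?", which is exactly the state an inspection engine keeps when it enforces a one-way channel. The following script is an added example, not part of the thread or of any Check Point or Wireshark tooling: it parses Wireshark packet-list summary lines (the frames quoted above, reproduced as constructed sample input), rebuilds per-stream state, and flags a stream in which the passive peer (the SYN/ACK side) is the first to send data, together with the retransmission count and which side finally reset. The column layout and field names assumed by the regular expressions are those of the listing above, nothing more.

```python
import re

# Constructed sample input: the frames quoted in the question, as Wireshark
# packet-list summary lines (No., Time, Source, Destination, Protocol, Length, Info).
SAMPLE = """\
  6 *REF*          MFP_Printer Scanning_WS TCP      74     1023 > 1022 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0
  7 0.000070000    Scanning_WS MFP_Printer TCP      74     1022 > 1023 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 TSval=175963 TSecr=0
  8 0.000778000    MFP_Printer Scanning_WS TCP      66     1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=0 TSecr=175963
 13 0.005591000    Scanning_WS MFP_Printer TCP      68     1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175963 TSecr=0
 15 0.310455000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175994 TSecr=0
 16 0.918846000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176055 TSecr=0
 17 2.135649000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176176 TSecr=0
 18 4.538069000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176417 TSecr=0
 19 9.358490000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176899 TSecr=0
 20 18.968060000   Scanning_WS MFP_Printer TCP      54     1022 > 1023 [RST, ACK] Seq=3 Ack=1 Win=0 Len=0
 21 18.968948000   MFP_Printer Scanning_WS TCP      66     [TCP Dup ACK 8#1] 1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=38 TSecr=175963
 22 18.968985000   Scanning_WS MFP_Printer TCP      54     1022 > 1023 [RST] Seq=1 Win=0 Len=0
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
PORT_RE = re.compile(r"(\d+) > (\d+)")
FLAGS_RE = re.compile(r"\[([A-Z]+(?:, [A-Z]+)*)\]")   # [SYN], [SYN, ACK], [RST] ...
LEN_RE = re.compile(r"\bLen=(\d+)")
ANALYSIS_RE = re.compile(r"\[TCP ([^\]]+)\]")         # expert tags such as [TCP Retransmission]


def parse_summary(text):
    """Turn packet-list summary lines into dicts; non-TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        frame, t_str, src, dst, proto, length, info = m.groups()
        if proto != "TCP":
            continue
        try:
            t = float(t_str)
        except ValueError:
            t = 0.0                                   # "*REF*" marks the time-reference frame
        ports = PORT_RE.search(info)
        flags = FLAGS_RE.search(info)
        ln = LEN_RE.search(info)
        rows.append({
            "frame": int(frame), "time": t, "src": src, "dst": dst, "length": int(length),
            "sport": int(ports.group(1)), "dport": int(ports.group(2)),
            "flags": set(flags.group(1).split(", ")) if flags else set(),
            "len": int(ln.group(1)) if ln else 0,
            "analysis": ANALYSIS_RE.findall(info),
        })
    return rows


def analyze_streams(rows):
    """Per 4-tuple: who sent the SYN, who sent the first payload, retransmissions, who reset."""
    streams = {}
    for r in rows:
        key = tuple(sorted([(r["src"], r["sport"]), (r["dst"], r["dport"])]))
        s = streams.setdefault(key, {
            "initiator": None, "responder": None,
            "first_payload_from": None, "first_payload_frame": None,
            "passive_peer_spoke_first": False,
            "retransmissions": 0, "reset_by": None,
        })
        sender = (r["src"], r["sport"])
        if "SYN" in r["flags"] and "ACK" not in r["flags"] and s["initiator"] is None:
            s["initiator"] = sender                   # bare SYN: the active opener
            s["responder"] = (r["dst"], r["dport"])
        if r["len"] > 0 and s["first_payload_from"] is None:
            s["first_payload_from"] = sender
            s["first_payload_frame"] = r["frame"]
            # This is the condition a one-way-channel inspection would trip on.
            s["passive_peer_spoke_first"] = s["initiator"] is not None and sender != s["initiator"]
        if any(tag.startswith("Retransmission") for tag in r["analysis"]):
            s["retransmissions"] += 1
        if "RST" in r["flags"] and s["reset_by"] is None:
            s["reset_by"] = sender
    return streams


def report(streams):
    """Human-readable summary, one block per stream."""
    fmt = lambda ep: "n/a" if ep is None else f"{ep[0]}:{ep[1]}"
    lines = []
    for (a, b), s in streams.items():
        lines.append(f"stream {fmt(a)} <-> {fmt(b)}")
        lines.append(f"  SYN sent by       : {fmt(s['initiator'])}")
        lines.append(f"  first payload from: {fmt(s['first_payload_from'])} (frame {s['first_payload_frame']})")
        lines.append(f"  passive side first: {s['passive_peer_spoke_first']}")
        lines.append(f"  retransmissions   : {s['retransmissions']}")
        lines.append(f"  reset by          : {fmt(s['reset_by'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze_streams(parse_summary(SAMPLE)))))
```

Run against the frames above it reports the MFP as the SYN sender, the workstation as the first payload sender in frame 13, five retransmissions, and a reset from the workstation. When triaging an IPS drop of this kind, this is the first thing to confirm before deciding whether the protocol, the driver or the inspection profile is at fault.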


I'm not sure how the RSH protocol should look, but I suspect that the twain driver is not using the remote shell protocol, or at least not a compliant version of it. So if you instruct your checkpoint firewall (or the IDS) to interpret the data as RSH, then you might run into a violation.

Can you disable the protocol inspection and just let the traffic through based on the TCP ports.

answered 30 Sep '13, 15:02

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Hello, SYN-bit.

Thank you for your answer. Disabling the IPS for the related IP addresses was my first advice for the CheckPoint's administrator; I'm not really sure about his/her skills and whether this was done. It's out of my scope.

In any case, I was just curious and wanted to offer more information. Does somebody know where I can find documentation about the behaviour of Remote Shell from the TCP connections point of view?

Regards.

(02 Oct '13, 23:55) selecnor
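For readers arriving with the same question about what the Remote Shell stderr channel looks like at TCP level: the following is an added example, not part of this thread and not code from any rsh implementation. It is a deliberately minimal localhost re-enactment of the BSD rcmd(3)/rshd(8) exchange in Python, with no authentication and no privileged ports (real rsh binds both sockets in the 512-1023 range, as the 1022/1023 pair in the capture shows; the names `fake_rshd` and `fake_rsh_client` and the constructed user name and command are hypothetical). The point it demonstrates is the one the thread turns on: the client announces a port, the server opens the secondary connection (so the server sends the SYN), stderr flows server to client on it, and the protocol also lets the client write to that same connection, a single signal-number byte, which is traffic from the passive TCP peer.

```python
import socket
import threading

HOST = "127.0.0.1"
SIGINT_BYTE = b"\x02"   # rshd reads a signal number as one byte on the stderr channel


def read_nul_string(sock):
    """Read bytes up to (not including) a NUL terminator, the framing rshd uses."""
    buf = bytearray()
    while True:
        b = sock.recv(1)
        if not b or b == b"\0":
            return bytes(buf)
        buf += b


def fake_rshd(listener, out):
    """Server side (hypothetical stand-in for rshd: no auth, no privileged-port check)."""
    conn, (client_ip, _client_port) = listener.accept()
    with conn:
        conn.settimeout(5)
        stderr_port = int(read_nul_string(conn))          # e.g. "1022\0" on the wire
        out["stderr_port_announced"] = stderr_port
        # Secondary connection: the SERVER is the TCP initiator (it sends the SYN),
        # which matches frame 6 in the question (MFP_Printer -> Scanning_WS [SYN]).
        err = socket.create_connection((client_ip, stderr_port), timeout=5)
        with err:
            out["locuser"] = read_nul_string(conn)
            out["remuser"] = read_nul_string(conn)
            out["command"] = read_nul_string(conn)
            conn.sendall(b"\0")                           # NUL byte = command accepted
            err.sendall(b"demo: stderr text\n")           # stderr flows server -> client
            out["signal_received"] = err.recv(1)          # ...and the client may write back
            conn.sendall(b"demo: stdout text\n")          # stdout goes on the primary channel


def fake_rsh_client(server_port, out):
    """Client side (hypothetical stand-in for rcmd): announce a port, then expect a connect-back."""
    err_listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    err_listener.bind((HOST, 0))       # real rcmd binds a privileged port here (1022 in the capture)
    err_listener.listen(1)
    err_listener.settimeout(5)
    stderr_port = err_listener.getsockname()[1]
    with err_listener:
        primary = socket.create_connection((HOST, server_port), timeout=5)
        with primary:
            primary.sendall(f"{stderr_port}\0".encode())  # tell the server where to connect back
            err_conn, _ = err_listener.accept()           # server's SYN arrives here
            with err_conn:
                err_conn.settimeout(5)
                primary.sendall(b"scanuser\0scanuser\0scan-job\0")  # locuser, remuser, command
                out["status"] = primary.recv(1)
                out["stderr"] = err_conn.recv(64)
                # Client -> server data on the server-initiated "stderr" connection:
                # this is the direction a one-way inspection model does not expect.
                err_conn.sendall(SIGINT_BYTE)
                out["stdout"] = primary.recv(64)


def run_demo():
    """Run both sides on localhost and return what each observed."""
    server_out, client_out = {}, {}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))
    listener.listen(1)
    listener.settimeout(5)
    with listener:
        t = threading.Thread(target=fake_rshd, args=(listener, server_out))
        t.start()
        fake_rsh_client(listener.getsockname()[1], client_out)
        t.join(5)
    return {**server_out, **client_out}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:22} {v!r}")
```

Seen on the wire, the secondary connection is a normal three-way handshake started by the server, followed by data in both directions. Any firewall or IPS profile that models the stderr channel as strictly server-to-client will drop the client's write on it, which is the symptom described in the question; the fix sits in the inspection policy, not in TCP.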
question asked: 27 Sep '13, 02:53

question was seen: 2,343 times

last updated: 02 Oct '13, 23:55