This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Remote shell troubleshooting

0

Hello, everybody.

Please, if this is not the right place, tell me where I should send this question.

A TWAIN driver installed in a workstation uses remote shell (RSH) to connect to a multifunction printer in other subnet in order to scan through the network. A Checkpoint firewall routes packets between both networks and the right ACLs have been configured.

The first command sent by the workstation instructs the MFP to redirect standard error (stderr) console to port 1022. After exchanging usernames, then the next TCP stream appears:

No. Time           Source      Destination Protocol Length Info
6 REF MFP_Printer Scanning_WS TCP 74 1023 > 1022 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0
7 0.000070000 Scanning_WS MFP_Printer TCP 74 1022 > 1023 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 TSval=175963 TSecr=0
8 0.000778000 MFP_Printer Scanning_WS TCP 66 1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=0 TSecr=175963
13 0.005591000 Scanning_WS MFP_Printer TCP 68 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175963 TSecr=0
15 0.310455000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175994 TSecr=0
16 0.918846000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176055 TSecr=0
17 2.135649000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176176 TSecr=0
18 4.538069000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176417 TSecr=0
19 9.358490000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176899 TSecr=0
20 18.968060000 Scanning_WS MFP_Printer TCP 54 1022 > 1023 [RST, ACK] Seq=3 Ack=1 Win=0 Len=0
21 18.968948000 MFP_Printer Scanning_WS TCP 66 [TCP Dup ACK 8#1] 1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=38 TSecr=175963
22 18.968985000 Scanning_WS MFP_Printer TCP 54 1022 > 1023 [RST] Seq=1 Win=0 Len=0

As you can see, the TCP connection is created by MFP_Printer. After syncing, I would expect frame 13 to be MFP_Printer transmitting data to Scanning_WS, but it is not; it’s just the opposite.

The firewall (the IPS, I guess) is dropping this packet, reporting “Violated unidirectional connection”. TCP Retransmissions work as expected until the connection is eventually reset.

So the questions are:

After a correct TCP three-way handshake, the peer which sent the TCP SYN should be the peer transmitting data. Is that right?

Is this remote shell behaviour a non-standard behaviour?

Is it a wrong design related to the driver or to the Linux running in the MFP?

I need to understand what’s happening in order to provide some solution, so any information will be greatly appreciated.

Regards.

asked 27 Sep ‘13, 02:53

selecnor
accept rate: 0%

edited 30 Sep ‘13, 14:41

SYN-bit ♦♦
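The question boils down to two things that can be checked mechanically from the packet list: which peer initiated the secondary (stderr) connection, and which peer then put payload on it. The script below is an added example, not code from the question or from Wireshark. It parses the packet-list summary lines quoted above (copied as constructed input; the Time column is whatever the capture shows) and reproduces the check a "unidirectional connection" rule performs: find the SYN initiator of each TCP connection and flag payload-carrying segments sent by the other peer. It also includes a small parser for the BSD rcmd request that a client sends on the primary connection, which is where the stderr port (1022 here) is announced; the field order follows rcmd(3)/rshd(8), and the user and command strings in the usage call are made up.

```python
import re

# Packet-list summary lines copied from the question (Wireshark's default columns:
# No. Time Source Destination Protocol Length Info).  Frames 16-19, further
# retransmissions of frame 13, are left out for brevity.
CAPTURE = """\
6 REF MFP_Printer Scanning_WS TCP 74 1023 > 1022 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0
7 0.000070000 Scanning_WS MFP_Printer TCP 74 1022 > 1023 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 TSval=175963 TSecr=0
8 0.000778000 MFP_Printer Scanning_WS TCP 66 1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=0 TSecr=175963
13 0.005591000 Scanning_WS MFP_Printer TCP 68 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175963 TSecr=0
15 0.310455000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175994 TSecr=0
20 18.968060000 Scanning_WS MFP_Printer TCP 54 1022 > 1023 [RST, ACK] Seq=3 Ack=1 Win=0 Len=0
21 18.968948000 MFP_Printer Scanning_WS TCP 66 [TCP Dup ACK 8#1] 1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=38 TSecr=175963
22 18.968985000 Scanning_WS MFP_Printer TCP 54 1022 > 1023 [RST] Seq=1 Win=0 Len=0
"""

# One summary line; the optional "[TCP Retransmission]" / "[TCP Dup ACK ...]"
# annotation sits between the Length column and the port pair.
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[TCP [^\]]*\]\s+)?(?P<sport>\d+) > (?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]"
    r".*?\bLen=(?P<len>\d+)"
)


def parse_frames(text):
    """Turn packet-list lines into dicts; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        frames.append({
            "no": int(m["no"]), "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]), "dport": int(m["dport"]),
            "flags": {f.strip() for f in m["flags"].split(",")},
            "len": int(m["len"]),
        })
    return frames


def connection_key(f):
    """Direction-independent identifier for a TCP connection."""
    return tuple(sorted([(f["src"], f["sport"]), (f["dst"], f["dport"])]))


def find_initiators(frames):
    """Map each connection to the (host, port) that sent the bare SYN."""
    initiators = {}
    for f in frames:
        if f["flags"] == {"SYN"}:
            initiators.setdefault(connection_key(f), (f["src"], f["sport"]))
    return initiators


def data_against_initiator(frames):
    """Frame numbers of payload-carrying segments sent by the peer that did NOT
    initiate the connection: exactly what a strictly unidirectional rule drops."""
    initiators = find_initiators(frames)
    flagged = []
    for f in frames:
        init = initiators.get(connection_key(f))
        if init is None or f["len"] == 0:
            continue
        if (f["src"], f["sport"]) != init:
            flagged.append(f["no"])
    return flagged


def parse_rcmd_request(payload):
    """Split the BSD rcmd request sent on the primary connection:
    <stderr-port>\\0<local-user>\\0<remote-user>\\0<command>\\0
    A stderr port of 0 means the server must not open a secondary connection."""
    fields = payload.split(b"\0")
    if len(fields) < 5 or fields[4] != b"":
        raise ValueError("malformed rcmd request")
    port = int(fields[0] or b"0")
    if not 0 <= port <= 65535:
        raise ValueError("stderr port out of range")
    return {"stderr_port": port, "local_user": fields[1].decode(),
            "remote_user": fields[2].decode(), "command": fields[3].decode()}


if __name__ == "__main__":
    frames = parse_frames(CAPTURE)
    print("initiators:", find_initiators(frames))
    print("data sent against the initiator:", data_against_initiator(frames))
    # constructed request: stderr port 1022, made-up user and command names
    print(parse_rcmd_request(b"1022\0scanner\0scanner\0scan\0"))
```

Running it flags frames 13 and 15 (the 2-byte segment from Scanning_WS:1022 and its retransmission) on the connection initiated by MFP_Printer:1023, which matches the firewall's verdict. One caveat when judging whether that is "non-standard": in the 4.3BSD rsh/rshd implementation the secondary connection is not purely server-to-client, since rsh forwards signals to rshd as single bytes written to that socket, so an inspection rule that models the stderr channel as strictly one-way can drop legitimate traffic; the summary lines alone do not say what the driver's two bytes are.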


One Answer:

0

I'm not sure how the RSH protocol should look, but I suspect that the TWAIN driver is not using the remote shell protocol, or at least not a compliant version of it. So if you instruct your Checkpoint firewall (or the IDS) to interpret the data as RSH, then you might run into a violation.

Can you disable the protocol inspection and just let the traffic through based on the TCP ports?

answered 30 Sep '13, 15:02

SYN-bit ♦♦
accept rate: 20%

Hello, SYN-bit.

Thank you for your answer. Disabling the IPS for the related IP addresses was my first piece of advice for the CheckPoint administrator; I'm not really sure about his/her skills or whether this was done. It's out of my scope.

In any case, I was just curious and wanted to offer more information. Does somebody know where I can find documentation about the behaviour of remote shell from the TCP connection's point of view?

Regards.

(02 Oct '13, 23:55) selecnor