Security Basics mailing list archives
RE: How to detect whether firewall service is provided by server or by ISP?
From: "Demetris Papapetrou" <dpapapetrou () internalaudit gov cy>
Date: Mon, 20 Sep 2010 09:15:22 +0300
Martin hi,

There are several methods available that can help you detect the location of the firewall. However, they may not always be applicable or may provide you with very limited information.

One method is to fire up Wireshark and observe the different response packets that you get from the target machine or any intermediate hosts (i.e. TCP SYN/ACK, TCP RST, ICMP Unreachable messages). Field values such as the TCP Window Size, IP TTL can help you identify if certain responses are generated by the host itself or the intermediate firewall. The TTL field can also help you identify how far away the responding host is. For example, if you get a response with a TTL value of 61, you can deduce that the host is 3 hops away and its initial TTL was 64.

A simple method to detect if the firewall is on the router or the server/host machine is using the traceroute method. This method assumes that outgoing ICMP TTL exceeded messages are not blocked by the firewall. Let's say that you have the following network:

172.16.1.1 ---- 10.1.1.1 ---- 10.2.2.1 ---- 192.168.1.1

172.176.1.1: Attacker (you)
192.168.1.1: Server/Host machine

You perform a TCP traceroute to an open/closed port on the target (e.g. 80)

nmap -vv -n -sS -p80 -PN --traceroute 192.168.1.1

TRACEROUTE (using port 80/tcp)
HOP  RTT    ADDRESS
1    0.00   10.1.1.1
2    16.00  10.2.2.1
3    24.00  192.168.1.1

You can see from the nmap results that the target is 3 hops away.

Now if you perform a traceroute against a filtered port (UDP/TCP) / ICMP type & code you will observe one of two things. Please note that the MS Windows tracert command sends ICMP Echo Requests (Ping)

tracert -d 192.168.1.1

Tracing route to [192.168.1.1] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  10.1.1.1
  2   <13 ms   <18 ms   <15 ms  10.2.2.1
  3     *        *        *
  4     *        *        *

tracert -d 192.168.1.1

Tracing route to [192.168.1.1] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  10.1.1.1
  2     *        *        *
  3     *        *        *
  4     *        *        *

In the first case the router 10.2.2.1 responded with an ICMP TTL Exceeded message whereas the target host did not respond. Hence, we can deduce that filtering is performed on the target host. In the second case the router 10.2.2.1 did not respond hence we can deduce that filtering is performed on that machine.

This is not a 100% foolproof method as there are many variables that are not assessed. For example there might be a firewall between the router and the target host which operates in bridge mode or the router 10.2.2.1 is filtering packets destined to hosts but allows pings destined to it (this messes up the above scenario which is based on Ping requests). A good alternative to Pings is to use TCP ACK packets. If the firewall is a stateful one then it will automatically block them.

In fact no method is 100% accurate. They just provide you with more information so that you can guess more accurately which machine is filtering packets.

Tip: First you need to gather as much information about the hosts, routers, the network topology, etc. and then attempt to locate the firewall.

Demetris Papapetrou

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of martin
Sent: Thursday, September 16, 2010 2:23 PM
To: security-basics () securityfocus com
Subject: How to detect whether firewall service is provided by server or by ISP?

I have two servers behind different networks.
First network is protected with firewall provided by the router and there is no firewall in the server:

[root@martin ~]# nmap --reason -n -PN -p445 192.168.217.73

Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-16 13:57 EEST
Interesting ports on 192.168.217.73:
PORT    STATE    SERVICE      REASON
445/tcp filtered microsoft-ds no-response

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
[root@martint ~]#

The other server is in the second network and there is no firewall service provided by the router, but firewall is activated in the server:

[root@martin ~]# nmap --reason -n -PN -p9731 192.168.13.19

Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-16 13:56 EEST
Interesting ports on 192.168.13.19:
PORT     STATE    SERVICE REASON
9731/tcp filtered unknown no-response

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
[root@martin ~]#

Is there somehow possibility to detect, whether firewall is active in the server or in the router?

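
Added example (not part of the original thread or written by its participants): the TTL arithmetic and the two tracert outcomes described in the reply above, applied to constructed sample traces that copy the formats quoted in the message. The list of common initial TTLs and all function names are assumptions made for this illustration.

```python
import re

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumed typical OS defaults
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def estimate_hops(observed_ttl):
    """Return (assumed initial TTL, hops travelled) for a received packet."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl

def parse_trace(text):
    """Map hop number -> responder address (None when the hop timed out)."""
    hops = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)$", line)
        if m:
            addr = ADDR_RE.search(m.group(2))
            hops[int(m.group(1))] = addr.group(1) if addr else None
    return hops

def locate_filter(baseline, probe):
    """Thread's heuristic: the first baseline hop that is silent in the probe."""
    for hop in sorted(baseline):
        if probe.get(hop) is None:
            where = "target host" if hop == max(baseline) else "intermediate hop"
            return where, baseline[hop]
    return "no filtering observed", None

# Constructed sample traces in the formats quoted in the thread.
BASELINE = parse_trace("""HOP RTT ADDRESS
1 0.00 10.1.1.1
2 16.00 10.2.2.1
3 24.00 192.168.1.1""")
CASE_1 = parse_trace("""Tracing route to [192.168.1.1] over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.1.1.1
2 <13 ms <18 ms <15 ms 10.2.2.1
3 * * *
4 * * *""")
CASE_2 = parse_trace("""1 <1 ms <1 ms <1 ms 10.1.1.1
2 * * *
3 * * *""")

if __name__ == "__main__":
    print(estimate_hops(61))
    print(locate_filter(BASELINE, CASE_1))
    print(locate_filter(BASELINE, CASE_2))
```

The result is only the hint the reply describes: a bridge-mode firewall in front of the target, or a router that answers pings addressed to itself while filtering transit traffic, produces the same traces.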
Current thread:
- How to detect whether firewall service is provided by server or by ISP? martin (Sep 16)
- Re: How to detect whether firewall service is provided by server or by ISP? TAS (Sep 16)
- Re: How to detect whether firewall service is provided by server or by ISP? Ansgar Wiechers (Sep 17)
- Re: How to detect whether firewall service is provided by server or by ISP? Paul Johnston (Sep 17)
- Re: How to detect whether firewall service is provided by server or by ISP? Nikhil Wagholikar (Sep 17)
- RE: How to detect whether firewall service is provided by server or by ISP? Demetris Papapetrou (Sep 20)
- Re: How to detect whether firewall service is provided by server or by ISP? TAS (Sep 16)