![pen-test logo](/images/pen-test-logo.png)
Penetration Testing mailing list archives
Re: [PEN-TEST] Firewalking
From: Tom Vandepoel <tom.vandepoel () UBIZEN COM>
Date: Tue, 6 Mar 2001 21:31:52 +0100
Pepijn Vissers wrote:
Hi all, What would be the best way to determine what kind of firewall is running on a server? Especially one that does not give out any banners. TCP-fingerprinting is not possible because there are no obvious open ports.
But sometimes there are. Firewall-1 by default opens several ports (e.g. 256/tcp). Some firewalls (Raptor) have several ports open, that are immediately closed upon connecting to them (tcp-wrapper like). It's also important to look closely at the responses you get back: if you're seeing icmp unreach - admin prohibited by filter, you're probably dealing with IOS acl's. If you can query snmp on a router in front of the firewall, you can get the ARP table; from that you can get the ethernet vendor code of the firewall, which often gives away a lot. Ofcourse, a firewall that's configured well will not respond to anything at all and just swallow all your probe packets. Tom. -- Tom Vandepoel Ubizen Sr. Security Engineer We Secure e-Business Phone +32 16 28 70 00 http://www.ubizen.com Fax +32 16 28 71 00 http://www.securitywatch.com
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- [PEN-TEST] Firewalking Pepijn Vissers (Mar 06)
- Re: [PEN-TEST] Firewalking Tom Vandepoel (Mar 06)
- Re: [PEN-TEST] Firewalking Enno Rey (Mar 06)
- Re: [PEN-TEST] Firewalking Alberto Román (Mar 07)
- Re: [PEN-TEST] Firewalking honoriak (Mar 06)
- Re: [PEN-TEST] Firewalking Ivan Buetler (Mar 07)
- Re: [PEN-TEST] Firewalking Jan Muenther (Mar 07)
- [PEN-TEST] RES: [PEN-TEST] Firewalking Cristiano Lincoln Mattos (Mar 07)
- <Possible follow-ups>
- Re: [PEN-TEST] Firewalking Woch, Wojciech (Mar 08)