Penetration Testing mailing list archives

Re: [PEN-TEST] Firewalking


From: Tom Vandepoel <tom.vandepoel () UBIZEN COM>
Date: Tue, 6 Mar 2001 21:31:52 +0100

Pepijn Vissers wrote:

Hi all,

What would be the best way to determine what kind of firewall is running on
a server? Especially one that does not give out any banners.
TCP-fingerprinting is not possible because there are no obvious open ports.


But sometimes there are. Firewall-1 by default opens several ports (e.g.
256/tcp). Some firewalls (Raptor) have several ports open that are
immediately closed upon connecting to them (tcp-wrapper-like).
It's also important to look closely at the responses you get back: if
you're seeing ICMP unreach - admin prohibited by filter, you're probably
dealing with IOS ACLs.
If you can query SNMP on a router in front of the firewall, you can get
the ARP table; from that you can get the ethernet vendor code of the
firewall, which often gives away a lot.

Of course, a firewall that's configured well will not respond to anything
at all and just swallow all your probe packets.



Tom.


--
Tom Vandepoel                 Ubizen
Sr. Security Engineer         We Secure e-Business
Phone   +32 16 28 70 00       http://www.ubizen.com
Fax     +32 16 28 71 00       http://www.securitywatch.com
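The response heuristics in the post, turned into a small classifier so an administrator can check what their own perimeter gives back to a SYN probe (silent drop, ICMP admin-prohibited, SYN-ACK followed by an immediate RST, and so on). This is an added example, not code from the thread; the packets are constructed inline and use documentation addresses, and the IP checksums are left at zero since nothing here sends them.

```python
import struct

# ICMP type 3 (destination unreachable), code 13 is "communication
# administratively prohibited"; the post reads it as a router-ACL hint.
ICMP_UNREACH, ICMP_ADMIN_PROHIB = 3, 13
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

def parse_ipv4(pkt: bytes):
    """Return (kind, a, b): for ICMP a/b are type/code, for TCP a is the flags byte."""
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes
    body = pkt[ihl:]
    if pkt[9] == 1:                      # protocol 1 = ICMP
        return "icmp", body[0], body[1]
    if pkt[9] == 6:                      # protocol 6 = TCP, flags byte at offset 13
        return "tcp", body[13], None
    return "other", None, None

def classify_responses(responses):
    """Classify the raw IPv4 packets seen in reply to one TCP SYN probe."""
    if not responses:
        return "no response: probes are silently dropped (well-configured filter)"
    parsed = [parse_ipv4(p) for p in responses]
    for kind, a, b in parsed:
        if kind == "icmp" and a == ICMP_UNREACH and b == ICMP_ADMIN_PROHIB:
            return "ICMP admin-prohibited: packet filter (IOS-ACL style) is announcing itself"
        if kind == "icmp" and a == ICMP_UNREACH:
            return f"ICMP unreachable code {b}: filter or host is talking back"
    flags = [a for kind, a, _ in parsed if kind == "tcp"]
    if flags and flags[0] & (TCP_SYN | TCP_ACK) == TCP_SYN | TCP_ACK:
        if any(f & TCP_RST for f in flags[1:]):
            return "SYN-ACK then RST: port accepts and immediately closes (tcp-wrapper-like)"
        return "SYN-ACK: open port, candidate for service/TCP fingerprinting"
    if flags and flags[0] & TCP_RST:
        return "RST: closed port reachable through the filter"
    return "unrecognised response"

# Constructed sample packets (minimal headers, checksums zero) for offline use.
def _ipv4(proto, body):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + body

def icmp_unreach(code):
    # 8-byte ICMP header followed by the quoted original IP header + 8 bytes
    return _ipv4(1, struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0) + b"\x00" * 28)

def tcp_flags(flags):
    # 20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg
    return _ipv4(6, struct.pack("!HHIIBBHHH", 80, 40000, 0, 0, 5 << 4, flags, 0, 0, 0))
```

Feed it the packets captured for one probe against your own gateway; anything other than the "no response" verdict is information the filter is handing out.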
