RE: [PEN-TEST] Detecting the presence of a firewall - Layer 2

[Lance Spitzner <lance () honeynet org>]

On Tue, 15 May 2001 railwayclubposse () hushmail com wrote:

> You get the same results if the default Checkpoint ports are closed. You
> still need to find one or two open ports, but they don't have to be on the
> firewall itself. The giveaway is in how the headers are rewritten for one-
> to-many NAT.

Let us not forget layer 2.  Another great way to detect a firewall (and you
have access to the local network) is to do a ping sweep of the local network.
Take the list of IPs that responded and compare that to your arp table.  Often
you will find more MAC addresses from the local network then you found IPs
form the local network.  If you could not connect/ping a system locally,
but its MAC exists in your ARP table, that system most likely has some
firewalling or ICMP disabled.  Just one more method of gathering information.

lance