Security Basics mailing list archives

RE: How to detect whether firewall service is provided by server or by ISP?


From: "Demetris Papapetrou" <dpapapetrou () internalaudit gov cy>
Date: Mon, 20 Sep 2010 09:15:22 +0300

Martin hi,

There are several methods available that can help you detect the location of
the firewall. However, they may not always be applicable or may provide you
with very limited information. 

One method is to fire up Wireshark and observe the different response
packets that you get from the target machine or any intermediate hosts (i.e.
TCP SYN/ACK, TCP RST, ICMP Unreachable messages). Field values such as the
TCP Window Size and IP TTL can help you identify if certain responses are
generated by the host itself or the intermediate firewall. The TTL field can
also help you identify how far away the responding host is. For example, if
you get a response with a TTL value of 61, you can deduce that the host is 3
hops away and its initial TTL was 64.

A simple method to detect if the firewall is on the router or the
server/host machine is using the traceroute method. This method assumes that
outgoing ICMP TTL exceeded messages are not blocked by the firewall. 
Let's say that you have the following network:

172.16.1.1 ---- 10.1.1.1 ---- 10.2.2.1 ---- 192.168.1.1

172.16.1.1: Attacker (you)
192.168.1.1: Server/Host machine


You perform a TCP traceroute to an open/closed port on the target (e.g. 80):
nmap -vv -n -sS -p80 -PN --traceroute 192.168.1.1
TRACEROUTE (using port 80/tcp)
HOP RTT   ADDRESS
1   0.00  10.1.1.1
2   16.00 10.2.2.1
3   24.00 192.168.1.1
  
You can see from the nmap results that the target is 3 hops away.
Now if you perform a traceroute against a filtered port (UDP/TCP) / ICMP
type & code, you will observe one of two things. Please note that the MS
Windows tracert command sends ICMP Echo Requests (Ping):
tracert -d 192.168.1.1
Tracing route to [192.168.1.1]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms   10.1.1.1
  2    <13 ms   <18 ms   <15 ms  10.2.2.1
  3    *        *        *
  4    *        *        *

tracert -d 192.168.1.1
Tracing route to [192.168.1.1]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms   10.1.1.1
  2    *        *        *
  3    *        *        *
  4    *        *        *

In the first case the router 10.2.2.1 responded with an ICMP TTL Exceeded
message whereas the target host did not respond. Hence, we can deduce that
filtering is performed on the target host.

In the second case the router 10.2.2.1 did not respond, hence we can deduce
that filtering is performed on that machine.

This is not a 100% foolproof method as there are many variables that are
not assessed. For example, there might be a firewall between the router and
the target host which operates in bridge mode, or the router 10.2.2.1 is
filtering packets destined to hosts but allows pings destined to it (this
messes up the above scenario, which is based on Ping requests). A good
alternative to Pings is to use TCP ACK packets. If the firewall is a
stateful one then it will automatically block them.

In fact no method is 100% accurate. They just provide you with more
information so that you can guess more accurately which machine is filtering
packets. 

Tip: First you need to gather as much information as possible about the hosts,
routers, the network topology, etc., and then attempt to locate the firewall.


Demetris Papapetrou
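The two inferences in the reply above (hop distance from an observed TTL, and comparing a traceroute to a reachable port with one toward the filtered port) can be automated when auditing where filtering sits on your own network. The following is an added example, not code from the reply or the list; the hop listings embedded in it are constructed to mirror the nmap and tracert output shown above, and the initial-TTL defaults (32/64/128/255) are the usual OS and router values, which is an assumption rather than a guarantee.

```python
import re

# Common initial TTL values: 32 (old systems), 64 (Linux/BSD/macOS),
# 128 (Windows), 255 (many routers). Assumed defaults, not a guarantee.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sample output modelled on the listings in the reply above
# (not captured from a real network).
REFERENCE_TRACE = """\
TRACEROUTE (using port 80/tcp)
HOP RTT   ADDRESS
1   0.00  10.1.1.1
2   16.00 10.2.2.1
3   24.00 192.168.1.1
"""

HOST_FILTERED_TRACE = """\
Tracing route to [192.168.1.1]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms   10.1.1.1
  2    13 ms    18 ms    15 ms   10.2.2.1
  3    *        *        *
  4    *        *        *
"""

ROUTER_FILTERED_TRACE = """\
Tracing route to [192.168.1.1]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms   10.1.1.1
  2    *        *        *
  3    *        *        *
  4    *        *        *
"""

# A hop line starts with the hop number; the address, when present, is the
# last whitespace-separated token (works for both nmap and tracert layouts).
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def infer_distance(observed_ttl):
    """Return (assumed_initial_ttl, hops_away) for a TTL seen in a reply.

    Picks the smallest common default TTL that is >= the observed value;
    e.g. 61 -> (64, 3), matching the example in the reply.
    """
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL %d exceeds every known default" % observed_ttl)


def parse_trace(output):
    """Turn traceroute/tracert text into a list of hop addresses (None = '*')."""
    hops = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # headers, blank lines, "over a maximum of ..." etc.
        last_token = m.group(2).split()[-1]
        hops.append(last_token if IPV4.fullmatch(last_token) else None)
    return hops


def locate_filter(reference_output, filtered_output):
    """Compare a trace to a reachable port with a trace toward a filtered one.

    The first hop that answers in the reference trace but stays silent in the
    filtered trace is where filtering is first visible. If that hop is the
    final one, filtering is on the target host; otherwise it is on that
    intermediate device, or on the hop just before it dropping forwarded
    packets (the caveat the reply raises), which the trace alone cannot
    distinguish.
    """
    ref = parse_trace(reference_output)
    flt = parse_trace(filtered_output)
    answered = [i + 1 for i, addr in enumerate(flt) if addr is not None]
    last_answering = answered[-1] if answered else 0
    if last_answering >= len(ref):
        return {"verdict": "no filtering observed", "hop": None, "address": None}
    silent_hop = last_answering + 1
    verdict = ("target host" if silent_hop == len(ref)
               else "intermediate device (or the hop just before it)")
    return {"verdict": verdict, "hop": silent_hop, "address": ref[silent_hop - 1]}


if __name__ == "__main__":
    print("TTL 61 ->", infer_distance(61))
    print("host case   ->", locate_filter(REFERENCE_TRACE, HOST_FILTERED_TRACE))
    print("router case ->", locate_filter(REFERENCE_TRACE, ROUTER_FILTERED_TRACE))
```

Feed `locate_filter` the captured text of two traces taken from the same vantage point, one to a port or protocol that answers end to end and one toward the filtered target; the reference trace is what lets the script name the silent hop, since the filtered trace shows only asterisks there.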


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of martin
Sent: Thursday, September 16, 2010 2:23 PM
To: security-basics () securityfocus com
Subject: How to detect whether firewall service is provided by server or by
ISP?

I have two servers behind different networks. The first network is
protected with a firewall provided by the router, and there is no
firewall in the server:

[root@martin ~]# nmap --reason -n -PN -p445 192.168.217.73

Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-16 13:57 EEST
Interesting ports on 192.168.217.73:
PORT    STATE    SERVICE      REASON
445/tcp filtered microsoft-ds no-response

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
[root@martint ~]#

The other server is in the second network, and there is no firewall
service provided by the router, but a firewall is activated in the
server:

[root@martin ~]# nmap --reason -n -PN -p9731 192.168.13.19

Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-16 13:56 EEST
Interesting ports on 192.168.13.19:
PORT     STATE    SERVICE REASON
9731/tcp filtered unknown no-response

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
[root@martin ~]#

Is there somehow a possibility to detect whether the firewall is active in
the server or in the router?

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------