Penetration Testing mailing list archives

RE: [PEN-TEST] Detecting the presence of a firewall


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Tue, 15 May 2001 16:37:03 -0500

-----Original Message-----
From: railwayclubposse () hushmail com
[mailto:railwayclubposse () hushmail com]
Sent: Tuesday, May 15, 2001 10:49 AM

You get the same results if the default Checkpoint ports are closed. You
still need to find one or two open ports, but they don't have to be on the
firewall itself. The giveaway is in how the headers are rewritten for
one-to-many NAT.


Uhm... I'm confused. I assume you mean ports of statically natted
machines. I connect from the Internet through the FW-1 to a host
behind it. That is a one-to-one NAT. What is rewritten in the
headers that would identify the screening fw as a FW-1 machine? I
mean IP addresses are obviously changed. What other header
information (i.e. flags, options) is changed in the packet coming
from the host? I understand that I should expect a certain option set
in a response packet (depending on OS and my request packet), I
understand the process, I'm not questioning this. Just would like to
know what is reset/changed in the TCP or UDP packet. (Let's ignore
ICMP). Point me to an article or FAQ please.

Regards,
Frank
