Penetration Testing mailing list archives
RE: [PEN-TEST] Detecting the presence of a firewall
From: railwayclubposse () hushmail com
Date: Tue, 15 May 2001 21:52:09 -0500 (EDT)
I agree, I have not noticed this in the one-to-one NAT scenario you have. In the situations I am talking about, the most obvious difference is the source port of packets coming from protected hosts is changed. Each host sharing an address seems to get a different source port. Of course this is not specific to Checkpoint.

I'm sorry I don't have the article you request, I don't have access to Checkpoint support. I doubt they have useful information on this subject anyway. More useful is this nmap fingerprint which works for me a good deal of the time. It's included in recent versions of nmap:

# Contributed by william.frogge () sus com
Fingerprint NT Server 4.0 SP4-SP5 running Checkpoint Firewall-1
TSeq(Class=TD%gcd=<8%SI=<154)
T1(DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=N)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=N)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E)

At Tue, 15 May 2001 16:37:03 -0500, Frank Knobbe <FKnobbe () KnobbeITS com> wrote:
-----Original Message-----
From: railwayclubposse () hushmail com [mailto:railwayclubposse () hushmail com]
Sent: Tuesday, May 15, 2001 10:49 AM

You get the same results if the default Checkpoint ports are closed. You still need to find one or two open ports, but they don't have to be on the firewall itself. The giveaway is in how the headers are rewritten for one-to-many NAT.

Uhm... I'm confused. I assume you mean ports of statically natted machines. I connect from the Internet through the FW-1 to a host behind it. That is a one-to-one NAT. What is rewritten in the headers that would identify the screening fw as a FW-1 machine? I mean IP addresses are obviously changed. What other header information (i.e. flags, options) are changed in the packet coming from the host? I understand that I should expect a certain option set in a response packet (depending on OS and my request packet), I understand the process, I'm not questioning this. Just would like to know what is reset/changed in the TCP or UDP packet. (Let's ignore ICMP). Point me to an article or FAQ please.

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOwGhf5ytSsEygtEFEQIvsACgoTtMFV/4RxlUGwGFKpzMVkGXkDMAmgMa
jgNg9+TBLNivSvLJZFdJHhex
=K0ok
-----END PGP SIGNATURE-----