Penetration Testing mailing list archives

Re: [PEN-TEST] Detecting the presence of a firewall / identifying firewalls


From: david.hyams () eycom ch
Date: Wed, 16 May 2001 12:15:40 +0100



A number of people have mentioned ports 256-258, 264, etc. Another good
port to try is 900; if it's open, then try pointing your browser to it, i.e.

http://<ip of firewall>:900

Also, try telnet'ing to the SMTP port of the MAIL SERVER (not firewall). If
the SMTP security server is configured then you might be lucky enough to
see the default banner: "CheckPoint Firewall-1 secure SMTP Server". Hmmm,
smells a bit like a Firewall-1...

Incidentally, I just put an article "Identifying Firewalls" on my web site;
try http://www.kmu-security.ch/identifyingfirewalls.htm (The Checkpoint
stuff is near the end of the article).
This article was intended as a non-technical guide showing how an attacker
can identify the company firewall. Having written it I now realise that
I've only scraped the surface, and that numerous additional methods must
exist for most firewalls. If there's sufficient demand, then maybe I'll
write a second, more technical version, with more details and additional
firewalls.

regards

David Hyams
http://www.kmu-security.ch

P.S. My site has only been up for a couple of days so please be gentle! If
you've got any comments / criticisms then please let me know!
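
Added example (not part of the original post): a check that a mail administrator can run over greetings captured from their own SMTP hosts, to see whether the default banner quoted above is still being announced. The version-number heuristic, the function names and the sample greetings are assumptions added here and go slightly beyond the post.

```python
import re

# Product strings to flag. Only the first entry comes from the post above;
# add the default banners of whatever products you actually run.
PRODUCT_MARKERS = ["CheckPoint Firewall-1 secure SMTP Server"]

REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")
VERSION = re.compile(r"\b\d+(?:\.\d+)+\b")  # e.g. 4.2 or 4.2.1 (added heuristic)


def parse_greeting(raw):
    """Return (code, text) from a raw SMTP greeting, joining '220-' continuation lines."""
    code, parts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m or (code is not None and m.group(1) != code):
            raise ValueError("malformed SMTP reply line: %r" % line)
        code = m.group(1)
        parts.append((m.group(3) or "").strip())
        if m.group(2) != "-":  # "220 text" (or a bare "220") ends the reply
            return int(code), " ".join(" ".join(parts).split())
    raise ValueError("greeting has no final line")


def audit_greeting(raw):
    """List (kind, value) findings for what a greeting discloses."""
    code, text = parse_greeting(raw)
    if code != 220:
        return [("not-a-greeting", str(code))]
    findings = [("product", m) for m in PRODUCT_MARKERS if m.lower() in text.lower()]
    findings += [("version", v) for v in VERSION.findall(text)]
    return findings


# Constructed sample greetings (not captured from real hosts).
SAMPLES = {
    "default": "220 CheckPoint Firewall-1 secure SMTP Server\r\n",
    "multiline": "220-mx1.example.com ESMTP\r\n220 ExampleMTA 4.2.1 ready\r\n",
    "neutral": "220 mail.example.com ESMTP\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_greeting(raw) or "nothing disclosed")
```

An empty result means the greeting announces neither a listed product string nor a version number.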

