Re: [PEN-TEST] Detecting the presence of a firewall

["Mule, Andrew" <AMule () securify com>]

True. These ports do provide evidence of the host being a CPFW. However,
this assumes that mgmt is needed from a public location (ports 256,257,258).
Any company concerned about corporate network security would not run these
FW's with external mgmt ports enabled. So the new question is how do you ID
a CPFW with these ports closed? A good answer, stated below, was NMAP with
the -O option. This option will spit out something like this:

Host  : X.X.X.X
OS    : Check Point FireWall-1 4.0 SP-5 (IPSO build)
        Nokia IPSO 3.2-fcs4 releng 783
        NOKIA IPSO 3.2 Running Checkpoint Firewall-1
        Nokia IPSO 3.2-fcs4 releng 783 (FreeBSD Based)
Ports : 53/tcp     closed      domain                           
        256/tcp    open        rap                              
        257/tcp    closed      set                              
        258/tcp    closed      yak-chat 

Host  : X.X.X.X
OS    : Nokia IPSO 3.2-fcs4 releng 783
Ports : 53/tcp     closed      domain                            
        256/tcp    open        rap                              
        257/tcp    open        set                              
        258/tcp    open        yak-chat  

Getting addresses behind a firewall can be difficult. Finding out where the
web, mail or ftp servers usually point to the external IP address of the FW
itself since arping is done by the FW for the client. I have been
experiementing with Firewalk as well as modified TOS fields within the ICMP
protocol to force identification of internal hosts but have not been
successful....YET. If anyone has something to add to my madness please do so
with care.


Andrew A Mulé

Network Security Architect

Securify Inc.

PGP: F2D5 54A4 F098 369E AA5E
         A64E 0F6F DE52 13C6 BAC5