Penetration Testing mailing list archives
RE: traceroute interpretations, where is the firewall ?
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 13 Dec 2006 15:02:14 -0500
-----Original Message-----
Subject: traceroute interpretations, where is the firewall ?

> I cannot find any plausible explanation about why web server's TTL in the
> UDP traceroute is 55 (is it some kind of cloaking ?)
> ...
> 6 X.X.X.X 16.883 ms (250) 14.179 ms (250) 48.096 ms (250)
> 7 X.X.X.X 55.970 ms (249) 14.518 ms (249) 17.161 ms (249)
> 8 X.X.X.X 18.400 ms (247) 17.086 ms (247) 32.555 ms (247)
> 9 192.168.0.94 (not real address) 89.282 ms (247) 164.469 ms (247) 87.946 ms (247)
> 10 192.168.98.3 (not real address) 192.122 ms (55) 228.251 ms (55) 193.657 ms (55)

The firewall is between hops 9 and 10 - note the change in TTL in the UDP traceroute. This is reproducible with several stateful firewalls - PIX, Check Point, etc. This isn't "cloaking" or any attempt at stealth. In fact, it's just the opposite - you can use this to identify the presence of a firewall or a router performing NAT. It's due to the firewall having a default TTL of 64 instead of 256 (which is what your host is using). The firewall rewrites the traceroute packets without copying the original TTL value.
> what do you think hop 10 in icmp traceroute is ?

Hop 10 would be 192.168.98.3, the NAT address of the web server.
> 192.168.0.94 is a firewall ?

Nope. Probably a router interface adjacent to the firewall. Stateful/NAT firewalls don't usually show up as a hop in traceroute.
> I know that the firewall is a watchguard (social engineering), do you think
> this can help (personally I don't know how, I didn't find any exploitable
> vuln on public databases) ?

A quick Google search reveals that admin/admin is the default login for a Firebox X appliance. You might see if you can find open management services like SSH and HTTPS. Or, if you penetrate a server behind the firewall, you can try and connect to the firewall from that server, since default configuration for most firewalls is to allow management connections from behind the inside interface. If nothing else, determining the make, model, and software version will tell you what their capabilities are. It may be that the firewall can detect and prevent some types of attacks over HTTP. Knowing this may explain some results you have within the app and give you ideas as to how to evade the firewall. So, in short, it's definitely valuable knowledge.
> I used standard linux traceroute and tctrace. Any other suggestions about
> tools to discover the firewall and its rules ?

http://www.wittys.com/files/mab/fwpentesting.html

It's an old article, but most of these tricks still work.

PaulM
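The TTL reasoning in Paul's reply, as an added example that is not part of the thread or of any tool it mentions: a small Python parser for traceroute output in the format quoted above (reply TTL in parentheses after each RTT). It estimates each responder's initial TTL by rounding the observed reply TTL up to a common stack default, then flags the pair of consecutive hops where that estimate changes, which is exactly the 247 -> 55 jump between hops 9 and 10 that marks the NAT firewall. The regexes and the set of common initial TTLs are assumptions of this example; the sample input is constructed from the hops quoted in the thread.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Tuple

# Sample input constructed from the traceroute lines quoted in the thread;
# X.X.X.X and the "not real address" entries are the poster's placeholders,
# not live hosts.
SAMPLE_TRACE = """\
6 X.X.X.X 16.883 ms (250) 14.179 ms (250) 48.096 ms (250)
7 X.X.X.X 55.970 ms (249) 14.518 ms (249) 17.161 ms (249)
8 X.X.X.X 18.400 ms (247) 17.086 ms (247) 32.555 ms (247)
9 192.168.0.94 (not real address) 89.282 ms (247) 164.469 ms (247) 87.946 ms (247)
10 192.168.98.3 (not real address) 192.122 ms (55) 228.251 ms (55) 193.657 ms (55)
"""

# Initial TTLs that IP stacks commonly start from (assumed set). A reply's TTL
# is rounded up to the nearest of these to estimate what the responder began with.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")            # hop number and address
PROBE_RE = re.compile(r"([\d.]+)\s+ms\s+\((\d+)\)")  # "rtt ms (reply TTL)"


class Hop(NamedTuple):
    number: int
    address: str
    rtts_ms: List[float]
    reply_ttls: List[int]


def parse_traceroute(text: str) -> List[Hop]:
    """Parse traceroute output that prints each reply's TTL in parentheses."""
    hops = []
    for line in text.splitlines():
        head = HOP_RE.match(line)
        probes = PROBE_RE.findall(line)
        if not head or not probes:
            continue  # skip blank lines, headers and hops that only timed out
        hops.append(Hop(
            number=int(head.group(1)),
            address=head.group(2),
            rtts_ms=[float(rtt) for rtt, _ in probes],
            reply_ttls=[int(ttl) for _, ttl in probes],
        ))
    return hops


def estimate_initial_ttl(reply_ttl: int) -> int:
    """Round a reply TTL up to the nearest common initial value; 255 is the
    largest the 8-bit TTL field can hold."""
    for candidate in COMMON_INITIAL_TTLS:
        if reply_ttl <= candidate:
            return candidate
    return 255


def typical_reply_ttl(hop: Hop) -> int:
    """Most common reply TTL across the hop's probes, so a single stray probe
    answered by a different device does not skew the estimate."""
    return Counter(hop.reply_ttls).most_common(1)[0][0]


def find_ttl_boundaries(hops: List[Hop]) -> List[Tuple[int, int, int, int]]:
    """Return (prev_hop, next_hop, prev_initial_ttl, next_initial_ttl) for each
    pair of consecutive hops whose estimated initial TTL differs. A change such
    as 255 -> 64 means the later reply was generated by a different IP stack,
    the signature of a NAT device or stateful firewall rewriting the packets."""
    boundaries = []
    for prev, nxt in zip(hops, hops[1:]):
        prev_initial = estimate_initial_ttl(typical_reply_ttl(prev))
        next_initial = estimate_initial_ttl(typical_reply_ttl(nxt))
        if prev_initial != next_initial:
            boundaries.append((prev.number, nxt.number, prev_initial, next_initial))
    return boundaries


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACE)
    for hop in hops:
        ttl = typical_reply_ttl(hop)
        print(f"hop {hop.number:>2} {hop.address:<14} reply TTL {ttl:>3} "
              f"-> initial ~{estimate_initial_ttl(ttl)}")
    for prev, nxt, before, after in find_ttl_boundaries(hops):
        print(f"initial TTL changes from {before} to {after} between hops {prev} "
              f"and {nxt}: likely a NAT device or stateful firewall in between")
```

Rounding to a fixed set of defaults is deliberately coarse: a reply TTL of 247 at hop 9 and 55 at hop 10 cannot both come from the same forward path (TTL should fall by about one per hop), so the change of estimated default is the signal, not the exact value. Hops that only show timeouts produce no probes and are skipped rather than treated as a boundary.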
Current thread:
- traceroute interpretations, where is the firewall ? sami seclist (Dec 11)
- RE: traceroute interpretations, where is the firewall ? John Babio (Dec 12)
- Re: traceroute interpretations, where is the firewall ? sami seclist (Dec 12)
- RE: traceroute interpretations, where is the firewall ? MARTIN Benoni (Dec 13)
- RE: traceroute interpretations, where is the firewall ? Paul Melson (Dec 16)
- RE: traceroute interpretations, where is the firewall ? John Babio (Dec 12)