On Fri, Jul 16, 1999 at 08:26:52AM -0000, Tim Hirst wrote:
> Hi all,
>
> This is not a bug but is instead a common procedural error.
> If a remote attacker performs a port scan on a network and
> finds a machine with ports 256, 257, and 258 open then it is
> a sure bet that they are running a Checkpoint FW-1 firewall.

Such a kind of firewall identification method also exists for
AltaVista Firewall (at least for Firewall97). In the default
configuration there are "traps" listening on ports 26/tcp, 27/tcp,
28/tcp and 29/tcp.

/etc/services:
[...]
ftp             21/tcp
telnet          23/tcp
strafe1         26/tcp
strafe2         27/tcp
strafe3         28/tcp
strafe4         29/tcp
smtp            25/tcp
time            37/tcp
[...]

If one connects to one of these ports, they generate the event of
a "connection attempt on unused port". As these "traps" are started
by inetd when a connection attempt occurs

/etc/inetd.conf
[...]
strafe1 stream tcp nowait root /usr/dfws/etc/strafe strafe
strafe2 stream tcp nowait root /usr/dfws/etc/strafe strafe
strafe3 stream tcp nowait root /usr/dfws/etc/strafe strafe
strafe4 stream tcp nowait root /usr/dfws/etc/strafe strafe
[...]

one can do a stealth scan on those ports to identify AltaVista
Firewalls (you know what to try next, don't you?) without the
firewall detecting the scan.

Jochen Bauer

************************************************************
*Network Security Team                                     *
*Computer Center of the University of Stuttgart            *
*Germany                                                   *
*                                                          *
*Email: jtbat_private-stuttgart.de                         *
*       jochen.bauerat_private-stuttgart.de                *
*                                                          *
*PGP Public Key:                                           *
* http://www.theo2.physik.uni-stuttgart.de/jtb.html        *
************************************************************
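
Added example, not part of the original message: a small Python audit that reads the two files quoted above and reports which TCP ports inetd hands to the strafe trap, so an administrator can see the default port set that identifies the product. The file contents are constructed from the excerpts in the message, and the function names are hypothetical.

```python
# Constructed sample input, copied from the excerpts quoted in the message.
SERVICES = """\
[...]
ftp 21/tcp
telnet 23/tcp
strafe1 26/tcp
strafe2 27/tcp
strafe3 28/tcp
strafe4 29/tcp
smtp 25/tcp
time 37/tcp
[...]
"""
INETD_CONF = """\
[...]
strafe1 stream tcp nowait root /usr/dfws/etc/strafe strafe
strafe2 stream tcp nowait root /usr/dfws/etc/strafe strafe
strafe3 stream tcp nowait root /usr/dfws/etc/strafe strafe
strafe4 stream tcp nowait root /usr/dfws/etc/strafe strafe
[...]
"""

def parse_services(text):
    """Map (service name, protocol) -> port number from /etc/services syntax."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # blank line, comment, or elision marker such as [...]
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            for name in [fields[0]] + fields[2:]:  # official name plus aliases
                ports.setdefault((name, proto), int(port))
    return ports

def inetd_trap_ports(inetd_text, services_text, program="/usr/dfws/etc/strafe"):
    """Return sorted TCP ports whose inetd entry starts the given trap program."""
    ports = parse_services(services_text)
    hits = set()
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # not a complete inetd.conf entry
        name, _socktype, proto, _wait, _user, server = fields[:6]
        if proto == "tcp" and server == program and (name, proto) in ports:
            hits.add(ports[(name, proto)])
    return sorted(hits)

if __name__ == "__main__":
    print(inetd_trap_ports(INETD_CONF, SERVICES))
```
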
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:37 PDT