RE: [PEN-TEST] Detecting the presence of a firewall

From: Geoghegan, Glyn (ISS London) (glyngat_private)
Date: Mon May 14 2001 - 13:53:00 PDT


    nmap scans of poorly configured FW-1 boxes may also show UDP/53 and TCP/53
    as 'closed' on the firewall and protected hosts, due to DNS lookups being
    permitted in the 'Policy Properties' dialogues.
    
    Whilst this is a relatively old mis-configuration (dates to early 4.0
    deployments), it's still fairly common, and provides opportunities for an
    attacker to probe hosts behind the firewall, or to abuse those hosts through
    trojans or tunnelling.
    
    http://www.phoneboy.com/faq/0131.html
    
    G
    
    --
    ~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~ ~~~~ ~~~ ~~ ~
    G l y n   G e o g h e g a n                     Consultant
    http://www.iss.net                         E:glyngat_private
    T:+44 (0)20 7626 7070                F:+44 (0)20 7626 1114
    Floor 6, Walbrook House, 23 Walbrook, London, EC4N 8BT, UK
    Internet Security Systems        --  The Power to Protect!
    UK Sales & Information Hotline   --    +44 (0)800 085 2976
    See ISS at Internet World    --    www.internetworld.co.uk
    
    
    -----Original Message-----
    From: railwayclubposseat_private
    [mailto:railwayclubposseat_private]
    Sent: 14 May 2001 17:44
    To: PEN-TESTat_private
    Subject: RE: [PEN-TEST] Detecting the presence of a firewall
    
    
    For Checkpoint, use nmap and do a TCP and OS detection scan. If they are 
    doing one-to-many NAT the machines will be detected as "behind a Checkpoint 
    Firewall-1 4.1 SP2 Server" or whatever. The firewall itself is likely to 
    have some combination of TCP ports 256-259, 264-265 open for management,
    auth, key exchange, etc. 
    
    >-----Original Message-----
    >From: priya subramanian [mailto:pentestingat_private]
    >Sent: Monday, May 07, 2001 5:11 AM
    >To: PEN-TESTat_private
    >Subject: [PEN-TEST] Detecting the presence of a firewall
    >
    >
    >Please clarify the following:
    >
    >1. Are there any means of detecting the presence of a
    >Checkpoint firewall at a company's premises from a
    >remote location?
    >
    >2. Knowing one interface of the firewall machine, is it
    >possible for me to find the IP addresses of the other
    >interfaces?
    >
    >Kindly reply at the earliest.
    >
    >Priya
    >
    



    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 15:54:58 PDT