RE: [PEN-TEST] Detecting the presence of a firewall - Layer 2

From: Lance Spitzner (lanceat_private)
Date: Tue May 15 2001 - 10:35:20 PDT

Next message: Frank Knobbe: "RE: [PEN-TEST] Detecting the presence of a firewall"

Previous message: Vladimir Kraljevic: "RE: Access a remote registry"
In reply to: railwayclubposseat_private: "RE: [PEN-TEST] Detecting the presence of a firewall"
Next in thread: Balunos, Don: "RE: [PEN-TEST] Detecting the presence of a firewall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 15 May 2001 railwayclubposseat_private wrote:

> You get the same results if the default Checkpoint ports are closed. You
> still need to find one or two open ports, but they don't have to be on the
> firewall itself. The giveaway is in how the headers are rewritten for one-
> to-many NAT.

Let us not forget layer 2.  Another great way to detect a firewall (and you
have access to the local network) is to do a ping sweep of the local network.
Take the list of IPs that responded and compare that to your arp table.  Often
you will find more MAC addresses from the local network then you found IPs
form the local network.  If you could not connect/ping a system locally,
but its MAC exists in your ARP table, that system most likely has some
firewalling or ICMP disabled.  Just one more method of gathering information.

lance

Next message: Frank Knobbe: "RE: [PEN-TEST] Detecting the presence of a firewall"
Previous message: Vladimir Kraljevic: "RE: Access a remote registry"
In reply to: railwayclubposseat_private: "RE: [PEN-TEST] Detecting the presence of a firewall"
Next in thread: Balunos, Don: "RE: [PEN-TEST] Detecting the presence of a firewall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 15 2001 - 17:17:00 PDT