Re: [PEN-TEST] Detecting the presence of a firewall

From: PinGer (chansimon99at_private)
Date: Wed May 16 2001 - 00:22:48 PDT


    Hi Andrew,
    
    I tried to scan my check point firewall using
    nmap -v -O -p256-258 -g53 -P0 -sS w.x.y.z
    without much success.
    
    * Can I know what switch combination you used to elicit the OS
    information?
    
    I'm actually doing a project on vulnerability assessment of my servers by
    scanning them from the external Internet. My tool of choice is Nmap.
    But I found that even though nmap scans (-sS) a range of ports, e.g. 1-60000
    (-p1-60000), in a random order, it was always detected by the firewall, in
    this case WatchGuard's Firebox, and had its IP address blocked by the
    WatchGuard, which prevents it from further scanning.
    
    * Does Check Point have a "blocked Site" feature like WatchGuard?
    
    * Has anybody successfully tried a UDP scan (-sU) through a firewall (any type)?
    
    For those who use Nmap:
    * What is the most effective combination of switches you use to scan the
    firewall and the network behind it?
    
    My version: nmap -sS -F -o nmaplog.out -v -O x.w.y.z/24  -g53 -p1-60000
    
    * I found the FIN, Null and Xmas scans not that effective against a
    Check Point firewall, or any other firewall for that matter.
    
    Does anybody have any opinion on it, or a better way to use nmap to enumerate
    the firewall or network?
    
    
    I tried using other tools, like Firewalk 1.0, but I couldn't interpret the
    results. I entered a gateway host and a destination host:
    
    The Firewalk Control Panel:
    source port:              53       initial ramping port:  33434
    network writing pause:    0        redundancy count:      1
    network time out pause:   2        initial IP TTL:        1
    expire vector:            1        port scan list:        11-139,6000-6010
    
    Firewalk scanning protocol: tcp/udp (tried both)
    
    probe: 1 TTL : 1 port 33434: *
    probe: 2 TTL : 2 port 33434:*
    .
    .
    Hop count exceeded
    0 ports open, 0 ports unknown
    24 probes sent, 0 replies received
    
    I was certain that the destination host had port 80 opened, but why didn't
    Firewalk detect it?
    
    
    There are a couple of vulnerability scanners out in the wild, like SAINT and
    SARA, for example.
    * Has anybody tried using them to scan a network protected by a Check Point
    firewall, or any other?
    * Are there any white papers/docs on how to probe/test your network/firewall?
    
    
    
    Best Rgds,
    
    Simon
    Network Administrator
    
    
    ----- Original Message -----
    From: "Mule, Andrew" <AMuleat_private>
    To: <PEN-TESTat_private>
    Sent: Tuesday, May 15, 2001 1:49 AM
    Subject: Re: [PEN-TEST] Detecting the presence of a firewall
    
    True. These ports do provide evidence of the host being a CPFW. However,
    this assumes that mgmt is needed from a public location (ports 256, 257, 258).
    Any company concerned about corporate network security would not run these
    FWs with external mgmt ports enabled. So the new question is how do you ID
    a CPFW with these ports closed? A good answer, stated below, was NMAP with
    the -O option. This option will spit out something like this:
    
    Host  : X.X.X.X
    OS    : Check Point FireWall-1 4.0 SP-5 (IPSO build)
            Nokia IPSO 3.2-fcs4 releng 783
            NOKIA IPSO 3.2 Running Checkpoint Firewall-1
            Nokia IPSO 3.2-fcs4 releng 783 (FreeBSD Based)
    Ports : 53/tcp     closed      domain
            256/tcp    open        rap
            257/tcp    closed      set
            258/tcp    closed      yak-chat
    
    Host  : X.X.X.X
    OS    : Nokia IPSO 3.2-fcs4 releng 783
    Ports : 53/tcp     closed      domain
            256/tcp    open        rap
            257/tcp    open        set
            258/tcp    open        yak-chat
    
    Getting addresses behind a firewall can be difficult. Finding out where the
    web, mail or ftp servers are usually points to the external IP address of the
    FW itself, since ARPing is done by the FW for the client. I have been
    experimenting with Firewalk as well as modified TOS fields within the ICMP
    protocol to force identification of internal hosts but have not been
    successful....YET. If anyone has something to add to my madness please do so
    with care.
    
    
    Andrew A Mulé
    
    Network Security Architect
    
    Securify Inc.
    
    PGP: F2D5 54A4 F098 369E AA5E
             A64E 0F6F DE52 13C6 BAC5
    
    
    
    


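Added example, not code from either poster: a parser for the nmap report layout Andrew quotes above, which flags hosts whose FireWall-1 management ports (256-258/tcp) a scan reports open, so an administrator checking his own perimeter can confirm they are not reachable from outside. The sample log and its 192.0.2.x addresses are constructed in the same layout as the quoted output.

```python
# Added example (not from either poster): parse the nmap report layout quoted above
# and flag FireWall-1 management ports (256-258/tcp) a scan reports open. The
# sample log and its 192.0.2.x addresses are constructed.
import re
FW1_MGMT_PORTS = {256, 257, 258}                  # ports named in Andrew's mail
PORT_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\w+)\s+\S+")

SAMPLE_LOG = """\
Host  : 192.0.2.1
OS    : Check Point FireWall-1 4.0 SP-5 (IPSO build)
        Nokia IPSO 3.2-fcs4 releng 783
Ports : 256/tcp    open        rap
        257/tcp    closed      set
        258/tcp    closed      yak-chat

Host  : 192.0.2.2
OS    : Nokia IPSO 3.2-fcs4 releng 783
Ports : 256/tcp    open        rap
        257/tcp    open        set
        258/tcp    open        yak-chat
"""

def parse_hosts(log):
    """Return {host: {"os": [lines], "ports": {(port, proto): state}}}."""
    hosts, cur, section = {}, None, None
    for line in log.splitlines():
        if line.startswith("Host"):                   # new host block
            cur = hosts[line.split(":", 1)[1].strip()] = {"os": [], "ports": {}}
            section = None
            continue
        if cur is None or not line.strip():
            continue
        if line.startswith(("OS", "Ports")):          # labelled first row
            section = "os" if line.startswith("OS") else "ports"
            line = line.split(":", 1)[1]
        if section == "os":                           # indented rows continue it
            cur["os"].append(line.strip())
        elif section == "ports" and (m := PORT_RE.match(line)):
            cur["ports"][(int(m.group(1)), m.group(2))] = m.group(3)
    return hosts

def exposed_mgmt_ports(log):
    """Map host -> sorted FW-1 management ports the scan reported open."""
    found = {}
    for host, info in parse_hosts(log).items():
        open_ports = sorted(p for (p, proto), st in info["ports"].items()
                            if proto == "tcp" and st == "open" and p in FW1_MGMT_PORTS)
        if open_ports:
            found[host] = open_ports
    return found
```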

    This archive was generated by hypermail 2b30 : Wed May 16 2001 - 08:41:39 PDT