
Thread: firewall detection

  1. #1

    firewall detection

    Guys... could you suggest any good techniques (apart from traceroute TTL) for detecting a firewall (including its name, version, OS, etc.) on a wire?


  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Ummm...I see questions like this and I don't know how to respond any more...but here goes

    Chances are that you will have to clarify your question a little more before you get your answers. Being as this is a security related site, questions like this tend to be taken with a little scepticism.

    If your purpose is not to identify a firewall in order to throw an exploit at it, then a little more explanation is in order.

    Welcome to AO...

  3. #3
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    One word. NMap.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  4. #4
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    It's easier to just always assume a firewall is present on the system. As for OS detection,

    nmap -O 127.0.0.1

    If you're trying to scan and see if you can trick your firewall, read the manual for Nmap; you need to set the scanning low enough that a firewall won't pick it up as an attack. You can set them fairly easily in nmap when you use it. Just read the manual and find how to set different options and use the one that scans VERY slow. Most firewalls don't pick up a port scan unless you have it set where it is sending the packets in a time frame that is not long enough apart.

    Most scanning I do usually is basic TCP scanning.

    nmap -sS 127.0.0.1 does this. It's a fairly basic scan.

    However this scan WILL show up on a firewall.

    nmap -D decoy addy and so on will make the scan seem as though it is coming from someone else. If you work for a company, scan one of your web servers using a competition's address if you want to see management shake up.

    If you need just a certain port scanned:

    nmap -p port address

    Works fine.

    Sometimes you may want an ACK scan, this is done by doing this:

    nmap -sA address

    Or, for UDP scans:

    nmap -sU address

    If you want to try out IP protocol scans:

    nmap -sO address

    Your best bet is going to be:

    Set up a small network....Or just buy a router and another computer. Set the other computer up and the router and scan your systems. Set up a firewall on the system you use for a test box, and then have fun. Another good idea is to get as many firewalls as you possibly can and install them one at a time, uninstalling the one you had before and popping a new one on.
    This is a nice way to learn how each firewall reacts to each type of scanning.

    If you're serious about learning how to actually secure a box, take notes on how each firewall reacted, and when you are done testing your firewalls, make a note of which one was the all around best wall and use that one.

    Don't use Zone Alarm. You'll just be back posting in 3 weeks that the ****ing thing won't leave your system.

    Don't be a lamer.
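    Gore's point about scan timing cuts both ways: a firewall (or log monitor) that only counts probes inside a short window never sees a slow scan as a scan. As an added example, not code from this thread or from any poster, here is a small detector run over constructed firewall drop logs (the log layout, the addresses and the timestamps are all made up for the illustration). The same sliding-window count is run with a one-minute window and with a one-hour window, which is enough to show why the slow scanner only appears in the second.

```python
"""Flag port scans in firewall drop logs, including slow scans that a short
detection window misses. Added example with constructed log data; the log
layout below is made up for illustration and is not any product's real format."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# One drop record per line: ISO timestamp, source, destination, protocol, destination port.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=\S+ PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)

COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]


def build_sample_log():
    """Constructed sample: a slow scanner, a fast scanner and a noisy but harmless client."""
    lines = []
    # 192.0.2.10 probes one port every two minutes (12 ports over 22 minutes).
    slow_start = datetime(2003, 12, 20, 10, 0, 0)
    for i, port in enumerate(COMMON_PORTS):
        ts = slow_start + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT={port}")
    # 192.0.2.77 probes the same 12 ports within three seconds.
    fast_start = datetime(2003, 12, 20, 11, 0, 0)
    for i, port in enumerate(COMMON_PORTS):
        ts = fast_start + timedelta(milliseconds=250 * i)
        lines.append(f"{ts.isoformat()} DROP SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP DPT={port}")
    # 192.0.2.5 keeps retrying one blocked port: many drops, but a single port is not a scan.
    retry_start = datetime(2003, 12, 20, 10, 30, 0)
    for i in range(5):
        ts = retry_start + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} DROP SRC=192.0.2.5 DST=198.51.100.5 PROTO=TCP DPT=8080")
    return lines


def parse_events(lines):
    """Turn log lines into (timestamp, src, proto, dport) tuples, oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a drop record; ignore
        ts = datetime.fromisoformat(m.group("ts"))
        events.append((ts, m.group("src"), m.group("proto"), int(m.group("dpt"))))
    events.sort(key=lambda e: e[0])
    return events


def max_distinct_ports(events, window_seconds):
    """Per source, the largest number of distinct (proto, port) targets hit inside any
    window of window_seconds. A sliding deque keeps the count exact, not approximate."""
    per_src = defaultdict(list)
    for ts, src, proto, dport in events:
        per_src[src].append((ts, (proto, dport)))
    result = {}
    for src, evs in per_src.items():
        window = deque()
        counts = Counter()
        best = 0
        for ts, target in evs:
            window.append((ts, target))
            counts[target] += 1
            # Drop events that fell out of the window before counting.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old = window.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            best = max(best, len(counts))
        result[src] = best
    return result


def find_scanners(lines, window_seconds, port_threshold):
    """Sources that touched at least port_threshold distinct targets within one window."""
    stats = max_distinct_ports(parse_events(lines), window_seconds)
    return sorted(src for src, n in stats.items() if n >= port_threshold)


if __name__ == "__main__":
    log = build_sample_log()
    print("1-minute window:", find_scanners(log, 60, 10))     # fast scanner only
    print("1-hour window:  ", find_scanners(log, 3600, 10))   # both scanners
```

With a one-minute window the slow scanner never has more than one distinct port in view, so it is indistinguishable from the client retrying port 8080; only the hour-long window (at the cost of more memory per source) makes the 12-port sweep visible. That is the threshold gore is describing, seen from the log side.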

  5. #5
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    guys ... could you suggest any good techniques (apart from traceroute ttl) for detecting a firewall (including its name version os etc...) on a wire
    I used my RedHat v9 with nmap v3.00 to see what kind of information I could pull up on my other computer system, which is running Windows XP and ZoneAlarm v4.5, on a small LAN at my home. When you see this message with nmap: "0.0.0.0 appears to be down. Skipping it. Host seems down. If it is really up, but blocking our ping probes..." it means you found a firewall.

  6. #6
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by Computernerd22
    I used my RedHat v9 with nmap v3.00 to see what kind of information I could pull up on my other computer system, which is running Windows XP and ZoneAlarm v4.5, on a small LAN at my home. When you see this message with nmap: "0.0.0.0 appears to be down. Skipping it. Host seems down. If it is really up, but blocking our ping probes..." it means you found a firewall.
    Yea...A shitty one.

  7. #7
    Originally posted here by cgkanchi
    One word. NMap.
    Cheers,
    cgkanchi

    Stole the words right out of my mouth....

    For some great tutorials about using NMap, check these links from thehorse13:

    http://www.antionline.com/showthread...hreadid=250265 - Lesson 1
    http://www.antionline.com/showthread...hreadid=250492 - Lesson 2
    http://www.antionline.com/showthread...hreadid=250612 - Lesson 3
    http://www.antionline.com/showthread...hreadid=250793 - Lesson 4
    http://www.antionline.com/showthread...hreadid=251423 - Lesson 5

  8. #8
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    Adding on to gore's first post... the best way to detect if it's a firewall is to use the -sT switch to ping it while it scans... like he said, this will show up in their logs and most likely get blocked. If it blocks it... use the -P0 option... it doesn't ping. It will still scan and will show open ports... so then you know it's a firewall.

  9. #9
    In order to map out the ACLs of the firewall I usually use tools such as hping2, traceroute -I, Firewalk, etc...

    but I need some techniques to detect it...... between host a --------|(fw)--------host b

    Thanks to you guys, I found some good ones!!!

  10. #10
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    I would really suggest reading up on IP; read _a_lot about IP. Firewalls are limited by two basic things: what IP can/can't do, and what administrators do and don't know. Also remember that the worst firewall products can be configured in an adequate way, and likewise the very best solutions can wind up totally borked and useless in the wrong hands.

    While it may be nice to I.D. the firewall solution (FW1, PIX, PF, NetFilter, IP Tables, SunScreen, etc.), what is more important to an attacker is what the firewall is doing with the traffic. Does it let DNS queries by, but block ICMP/IGMP? Can you send traffic to high numbered ports, but low numbered ports are dropped? Etc.

    Anyway, best of luck

    Happy Holidays

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/
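    Spurious's point is that the firewall's behaviour per port matters more than its brand, and gore's lab advice earlier in the thread is the safe place to observe that behaviour. As an added example, not code from this thread or from any poster, the script below takes a scan of your own test box in the layout of nmap's grepable (-oG) output and checks it against the policy the firewall was supposed to enforce. The scan text, the host address and the policy are constructed for the illustration. It also separates "filtered" (no reply at all, the fingerprint of a packet filter) from "closed" (the host itself answered), which is the same distinction behind the "blocking our ping probes" message quoted above.

```python
"""Compare what a port scan of your own test box reports against the policy the
firewall is supposed to enforce. Added example: the scan text is a constructed
sample in the layout of nmap's grepable (-oG) output, not a real scan."""
import re

SAMPLE_GNMAP = (
    "# Nmap scan report (constructed sample)\n"
    "Host: 198.51.100.5 ()\tPorts: 22/open/tcp//ssh///, 23/filtered/tcp//telnet///, "
    "53/open/udp//domain///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, "
    "445/closed/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///"
    "\tIgnored State: filtered (993)\n"
    "# Nmap done (constructed sample)\n"
)

# Intended policy for the lab host (constructed): only these services should answer.
EXPECTED_STATES = {
    (22, "tcp"): "open",
    (53, "udp"): "open",
    (80, "tcp"): "open",
}
DEFAULT_STATE = "filtered"  # everything else should be dropped without a reply

# Each grepable port entry is port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_gnmap(text):
    """Return {host: {"ports": {(port, proto): state}, "ignored": (state, count) or None}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and blank lines
        host = line.split()[1]
        ports = {}
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if m:
            for entry in m.group(1).split(","):
                pm = PORT_RE.match(entry.strip())
                if pm:
                    ports[(int(pm.group(1)), pm.group(3))] = pm.group(2)
        # Ports nmap folded away because they all shared one state.
        im = re.search(r"Ignored State: (\w+) \((\d+)\)", line)
        ignored = (im.group(1), int(im.group(2))) if im else None
        hosts[host] = {"ports": ports, "ignored": ignored}
    return hosts


def audit_policy(hosts, expected, default):
    """List every port whose observed state differs from the intended policy."""
    findings = []
    for host, info in hosts.items():
        for (port, proto), state in sorted(info["ports"].items()):
            want = expected.get((port, proto), default)
            if state != want:
                findings.append(f"{host} {port}/{proto}: expected {want}, observed {state}")
        ignored = info["ignored"]
        if ignored and ignored[0] != default:
            findings.append(f"{host}: {ignored[1]} unlisted ports are {ignored[0]}, expected {default}")
    return findings


def dropped_probe_count(info):
    """Probes that got no answer at all. 'filtered' means something discarded the packet
    silently; 'closed' means the host replied (RST or ICMP unreachable), so the filter let it through."""
    listed = sum(1 for state in info["ports"].values() if state == "filtered")
    ignored = info["ignored"]
    unlisted = ignored[1] if ignored and ignored[0] == "filtered" else 0
    return listed + unlisted


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, info in scan.items():
        print(f"{host}: {dropped_probe_count(info)} probes silently dropped")
    for finding in audit_policy(scan, EXPECTED_STATES, DEFAULT_STATE):
        print("policy mismatch:", finding)
```

In the constructed sample the only mismatch is 445/tcp reported as closed: the host answered, so the filter is passing traffic to that port even though nothing listens there, which is exactly the kind of gap spurious is talking about (what the firewall does with the traffic) that the product name alone would never tell you.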
