-
December 24th, 2003, 02:45 AM
#1
Member
firewall detection
Guys... could you suggest any good techniques (apart from traceroute TTL) for detecting a firewall (including its name, version, OS, etc.) on a wire?
-
December 24th, 2003, 02:54 AM
#2
Ummm...I see questions like this and I don't know how to respond any more...but here goes
Chances are that you will have to clarify your question a little more before you get your answers. Being as this is a security-related site, questions like this tend to be taken with a little scepticism.
If your purpose is not to identify a firewall in order to throw an exploit at it, then a little more explanation is in order.
Welcome to AO...
-
December 24th, 2003, 12:58 PM
#3
One word. NMap.
Cheers,
cgkanchi
-
December 24th, 2003, 02:09 PM
#4
It's easier to just always assume a firewall is present on the system. As for OS detection,
nmap -O 127.0.0.1
If you're trying to scan and see if you can trick your firewall, read the manual for Nmap; you need to set the scanning low enough that a firewall won't pick it up as an attack. You can set them fairly easily in nmap when you use it. Just read the manual and find how to set different options and use the one that scans VERY slow. Most firewalls don't pick up a port scan unless you have it set where it is sending the packet in a time frame that is not long enough apart.
Most scanning I do usually is basic TCP scanning.
nmap -sS 127.0.0.1 does this. It's a fairly basic scan.
However this scan WILL show up on a firewall.
nmap -d decoy addy and so on will make the scan seem as though it is coming from someone else. If you work for a company, scan one of your web servers using a competition's address if you want to see management shake up.
If you need just a certain port scanned:
nmap -p port address
Works fine.
Sometimes you may want an ACK scan, this is done by doing this:
nmap -sA address
Or, for UDP scans:
nmap -sU address
If you want to try out IP protocol scans:
nmap -sO address.
Your best bet is going to be:
Set up a small network....Or just buy a router and another computer. Set the other computer up and the router and scan your systems. Set up a firewall on the system you use for a test box, and then have fun. Another good idea is to get as many firewalls as you possibly can and install them one at a time, uninstalling the one you had before and popping a new one on.
This is a nice way to learn how each firewall reacts to each type of scanning.
If you're serious about learning how to actually secure a box, take notes on how each firewall reacted, and when you are done testing your firewalls, make a note of which one was the all around best wall and use that one.
Don't use Zone Alarm. You'll just be back posting in 3 weeks that the ****ing thing won't leave your system.
Don't be a lamer.
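The timing point made above (a firewall only notices a scan when the probes arrive close together) is easiest to see from the defender's side, in the log. The following is an added example written for this thread, not code from any poster or from Nmap: it counts distinct destination ports per source inside a sliding time window over iptables-style LOG lines. The log lines are constructed and simplified (a real iptables LOG entry carries extra fields such as MAC=, LEN= and TTL= between the tokens used here), and the 2003 year, the window size and the port threshold are assumptions chosen for the demonstration.

```python
"""Port-scan detection over firewall log lines (added example, not from the thread).

A fixed "N ports in T seconds" rule catches a burst and misses a slow sweep;
widening the window catches the slow sweep too. Both cases are shown here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# iptables-style LOG lines, constructed for this example (not real traffic):
# a fast SYN sweep from 192.0.2.10 and a slow one from 198.51.100.7 that
# touches one port every five minutes.
SAMPLE_LOG = """\
Dec 24 14:09:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=21 SYN
Dec 24 14:09:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=22 SYN
Dec 24 14:09:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=23 SYN
Dec 24 14:09:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40004 DPT=25 SYN
Dec 24 14:09:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40005 DPT=80 SYN
Dec 24 14:09:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40006 DPT=443 SYN
Dec 24 14:00:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=50001 DPT=21 SYN
Dec 24 14:05:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=50002 DPT=22 SYN
Dec 24 14:10:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=50003 DPT=23 SYN
Dec 24 14:15:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=50004 DPT=25 SYN
Dec 24 14:20:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=50005 DPT=80 SYN
Dec 24 14:25:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=50006 DPT=443 SYN
"""

# Simplified pattern for the constructed lines above (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2003):
    """Return (timestamp, src, proto, dport), or None if the line doesn't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumed 2003 here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"])


def detect_scans(log_text, window_seconds=10, port_threshold=5):
    """Map each flagged source to (window start, distinct ports seen).

    A source is flagged the first time it has probed port_threshold or more
    distinct destination ports within any span of window_seconds.
    """
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    recent = defaultdict(deque)  # src -> (ts, dport) pairs, oldest first
    alerts = {}
    for ts, src, _proto, dport in events:
        q = recent[src]
        q.append((ts, dport))
        # Drop probes that have aged out of the window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= port_threshold and src not in alerts:
            alerts[src] = (q[0][0], len(ports))
    return alerts


if __name__ == "__main__":
    for window in (10, 3600):
        print(f"window={window}s:", detect_scans(SAMPLE_LOG, window_seconds=window))
```

With the default 10-second window only the burst from 192.0.2.10 is reported; the five-minute-spaced sweep from 198.51.100.7 never has more than one probe in any window. Rerunning with a one-hour window reports both, at the cost of more state per source, which is the trade-off the post describes from the scanner's side.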
-
December 24th, 2003, 02:22 PM
#5
guys ... could you suggest any good techniques (apart from traceroute ttl) for detecting a firewall (including its name version os etc...) on a wire
I used my RedHat v9 with nmap v3.00 to see what kind of information I could pull up on my other computer system, which is running Windows XP and ZoneAlarm v4.5 on a small LAN at my home. When you see this message with nmap: "0.0.0.0 appears to be down. Skipping it. Host seems down. If it is really up, but blocking our ping probes..." it means you found a firewall.
-
December 24th, 2003, 02:28 PM
#6
Originally posted here by Computernerd22
I used my RedHat v9 with nmap v3.00 to see what kind of information I could pull up on my other computer system, which is running Windows XP and ZoneAlarm v4.5 on a small LAN at my home. When you see this message with nmap: "0.0.0.0 appears to be down. Skipping it. Host seems down. If it is really up, but blocking our ping probes..." it means you found a firewall.
Yea...A shitty one.
-
December 24th, 2003, 03:36 PM
#7
-
December 24th, 2003, 05:20 PM
#8
Adding on to gore's first post... the best way to detect if it's a firewall is to do the -sT switch to ping it while it scans... like he said, this will show up on their logs and most likely block it. If it blocks it... do the -P0 command... it doesn't ping. It will still scan and will show open ports... so then you know it's a firewall.
-
December 24th, 2003, 06:05 PM
#9
Member
In order to map out the ACLs of the firewall I usually use tools such as hping2, traceroute -I, Firewalk, etc...
But I need some techniques to detect it... between host a --------|(fw)--------host b
Thanks to you guys, I found some good ones!!!
-
December 25th, 2003, 04:27 AM
#10
I would really suggest reading up on IP; read _a_lot about IP. Firewalls are limited by two basic things: what IP can/can't do, and what administrators do and don't know. Also remember that the worst firewall products can be configured in an adequate way, and likewise the very best solutions can wind up totally borked and useless in the wrong hands.
While it may be nice to I.D. the firewall solution (FW1, PIX, PF, NetFilter, IP Tables, SunScreen, etc.), what is more important to an attacker is what the firewall is doing with the traffic. Does it let DNS queries by, but block ICMP/IGMP? Can you send traffic to high-numbered ports, but low-numbered ports are dropped? Etc.
Anyway, best of luck
Happy Holidays
-- spurious
Get OpenSolaris http://www.opensolaris.org/
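The point in the post above is that the effective policy matters more than the product name, and the administrator can read that policy off the ruleset before anyone else has to probe for it. The following is an added example written for this thread, not code from the poster or from any firewall project: it replays a handful of test packets through a first-match evaluator for a small subset of `iptables -S` output (only -P, -A, -p, --dport and -j are understood; this restricted grammar is an assumption of the example) and prints the resulting accept/drop matrix. The ruleset and the packet list are constructed, and they deliberately reproduce the shape described above: DNS allowed, ICMP dropped, high ports open, low ports dropped.

```python
"""Effective-policy check for a packet-filter ruleset (added example, not from the thread).

Parses a constructed, simplified `iptables -S INPUT` listing and evaluates test
packets against it with first-match semantics, falling back to the chain policy.
"""
import shlex

# Constructed ruleset in a subset of `iptables -S` syntax (assumed grammar).
RULESET = """\
-P INPUT DROP
-A INPUT -p icmp -j DROP
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 1024:65535 -j ACCEPT
"""

# (protocol, destination port or None) pairs to replay; constructed for the example.
TEST_PACKETS = [
    ("udp", 53), ("tcp", 53), ("icmp", None),
    ("tcp", 22), ("tcp", 80), ("tcp", 8080), ("udp", 161),
]


def parse_ruleset(text):
    """Return (chain policy, ordered rule list) from the subset grammar."""
    policy = "ACCEPT"
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-P":          # -P <chain> <policy>
            policy = toks[2]
            continue
        if toks[0] != "-A":
            raise ValueError(f"unsupported command in: {line}")
        rule = {"proto": None, "dport": None, "target": None}
        i = 2                        # skip "-A <chain>"
        while i < len(toks):
            flag, arg = toks[i], toks[i + 1]
            if flag == "-p":
                rule["proto"] = arg.lower()
            elif flag == "--dport":  # single port or lo:hi range
                lo, _, hi = arg.partition(":")
                rule["dport"] = (int(lo), int(hi or lo))
            elif flag == "-j":
                rule["target"] = arg
            else:
                raise ValueError(f"unsupported option {flag!r} in: {line}")
            i += 2
        rules.append(rule)
    return policy, rules


def matches(rule, proto, dport):
    """True if the packet satisfies every match clause the rule carries."""
    if rule["proto"] and rule["proto"] != proto:
        return False
    if rule["dport"]:
        if dport is None:
            return False
        lo, hi = rule["dport"]
        if not lo <= dport <= hi:
            return False
    return True


def verdict(policy, rules, proto, dport=None):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, proto, dport):
            return rule["target"]
    return policy


def effective_policy(ruleset_text, packets=TEST_PACKETS):
    """Map each (proto, dport) test packet to its ACCEPT/DROP verdict."""
    policy, rules = parse_ruleset(ruleset_text)
    return {(p, d): verdict(policy, rules, p, d) for p, d in packets}


if __name__ == "__main__":
    for (proto, dport), result in effective_policy(RULESET).items():
        print(f"{proto:<5} {str(dport):<6} -> {result}")
```

Run against the constructed ruleset, the matrix shows UDP/53 and TCP/8080 accepted while ICMP, TCP/22, TCP/80 and UDP/161 fall through to the DROP policy. Reviewing that matrix, rather than the vendor name, is the defender's counterpart to the behavioural mapping the post describes; adding a packet to TEST_PACKETS for every service you intend to expose, and for several you do not, turns the script into a regression check for rule changes.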