March 30th, 2004, 09:23 PM
Firewall Discloses Information.
I am running the Sygate firewall on my system, which is running Windows 2000 Professional. I have blocked nearly all the applications or put an 'Ask' option before any applicatoin starts, except for the generic ones.
I am on a LAN connection. However, recently, over an IP scan (don't know which scanner was used), all the IPs of my dorm were detected (most of us use Sygate et al). The person who did the scan was also able to tell us about whether we were using Linux or Windows. I thought that a firewall does not disclose the OS information to an outside scanner.
Also none of us, who are running Windows, got any attack logs in our firewall log files. Can you tell me how this is possible, what kind of scanner was the person using and what are the steps needed to block such information disclosure in future.
Thanks and Regards,
March 30th, 2004, 09:24 PM
your firewall logs didn't mention any "Port Scan Activity"?
March 30th, 2004, 09:36 PM
Nmap comes to mind. Why don`t you just ask the person what scanner they were using?
I use sygate and it picks up portscans. At least the ones i know about.
Signature image is too tall!
March 30th, 2004, 09:51 PM
Thanks for replying.
No portscan logs et al were found in the log files. This is what amazes me.
I also think that Nmap could have been used. I tried to run Nmap on my IP. It did not detect much but for the BFTP server that I am running. Could this be the reason for the Windows OS detection?
And how can this FTP server detection be taken care of, since I myself saw NMAP detecting the FTP server running on my comp. Though Sygate does not ask for trusted IPs, however I tried NMap on Keiro also, but again the FTP server is being detected.
We have no idea who this person is, who ran the scans on our IPs. We just got an email from a yahoo address with the IP and OS information in it. I think its someone on the campus only who is trying to be a little mischievous. But still, the whole thing makes the adequacy and efficiency of a firewall questionable.
March 30th, 2004, 09:55 PM
Get nmap and try it out on yourself.
 sorry, i just read your post again and saw that you already did this[/edit]
We have no idea who this person is, who ran the scans on our IPs. We just got an email from a yahoo address with the IP and OS information in it.
Signature image is too tall!
March 30th, 2004, 10:50 PM
Are your addresses public or private..... If you don't know the difference just post the first two octets such as 214.144.xxx.xxx
If they are private it's someone in college with you. And that's how they know your email address. if it's public then some naughty person went further than just scanning.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
March 31st, 2004, 12:31 AM
Our IPs are private IPs accessible only on the LAN. Access to our systems is not granted from outside the LAN so there is no chance of anyone trying this from outside the LAN network.
It has to be some guy on campus, but that is not the issue here. I wanted to know if such information can be avoided from disclosure. Till now, we only know that someone got to know our IPs (which he can do with any scanner) and also our OS (open port scans et al), but inspite of most of us having firewalls running on our systems. We don't know what else he has been able to gather from his scans, and thus the need to worry.
NMAP does show the presence of BFTP server, nearly with every firewall running. Is there any way of taking care of such anomalies. And also, does anyone have any idea what kind of scans this person might be running, which is bypassing the firewall itself, as no logs were found.
March 31st, 2004, 01:42 AM
Hrmm... I wonder if he's picking up the information through other methods. How do you know that he even did scans and what suggests to you that he did do any scanning? You said that he sent an email to "everyone" with their IP and OS, right? I can pick out what OSes are running using Ettercap (there is an option to do OS detection with this sniffer). That would mean that I have access to the local LAN and can detect the OS without you knowing it.
The firewall becomes a non-entity because I use existing connections. In addition, anything sent in cleartext (ie., user names and passwords) can be easily collected.
The fact that he sent you an email suggests he knows you.
Thought just occurred to me to add this because some may not realize it. There is a technique of detection referred to as "passive scanning". NMAP, Retina, Saint, SARA, etc. are all "active scanners". That is, they go and ask the target information.
Passive scanning or OS detection listens for packets and based on construction and TTLs determines the source OS (this has a far less reliable detection but can allow for detection of OS without being caught scanning).
The following might also help:
SecuriTeam Passive OS Detection Tool
Passive OS Detection Techniques and Details
Ofir Arkin's papers and work into OS Fingerprinting should also be reviewed. Visit Here
March 31st, 2004, 02:02 AM
once you allow access for a service (ftp) to the internet its no longer protected by the firewall unless your doing filtering by ip. does sygate give you the option to allow ftp access and log connections anyway? are the others that were all detected runnnig an ftp server?
have you tried using nmap to run a stealth scan to see if sygate picks it up? and no ones running any filesharing software?
you could probably change the banner info in bullet proof. run strings.exe against all its files until you find the one that contains the banner info. open that file in a hex editor and change what needs to be changed (ascii chars) making sure you leave the number of characters in the string the same.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
March 31st, 2004, 02:22 AM
Another way someone could gain this information, is if they were to place something like 'Site Meter' on a web site everyone visits.
You can get information, such as this (from every visitor to the site):
And it will even graph the different types of OS's and or browsers that visit the site. The attachment is a grafh of the different browsers used to visit a site I have.
Domain Name Level3.net ? (Network)
IP Address XX.XX.XX.XX (ARIN)
Language Setting English
Operating System Microsoft WinXP
Browser Internet Explorer 6.0
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; YComp 220.127.116.11; FunWebProducts)
Time of Visit Mar 30 2004 5:08:24 pm
Last Page View Mar 30 2004 5:08:24 pm
Visit Length 0 seconds
Page Views 1
Visit Entry Page http://yoursite.com
Visit Exit Page http://yoursite.com
Time Zone UTC-5:00
EST - Eastern Standard
EDT - Eastern Daylight Saving Time
Visitor's Time Mar 30 2004 8:08:24 pm
The only way I know of to defeat this is by using Proxomitron and not allowing counters to even detect your presents.
\"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"