Firewall Discloses Information.
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Firewall Discloses Information.

  1. #1
    Junior Member
    Join Date
    Feb 2003
    Posts
    20

    Firewall Discloses Information.

    Hi,

    I am running the Sygate firewall on my system, which is running Windows 2000 Professional. I have blocked nearly all the applications or put an 'Ask' option before any applicatoin starts, except for the generic ones.

    I am on a LAN connection. However, recently, over an IP scan (don't know which scanner was used), all the IPs of my dorm were detected (most of us use Sygate et al). The person who did the scan was also able to tell us about whether we were using Linux or Windows. I thought that a firewall does not disclose the OS information to an outside scanner.

    Also none of us, who are running Windows, got any attack logs in our firewall log files. Can you tell me how this is possible, what kind of scanner was the person using and what are the steps needed to block such information disclosure in future.

    Thanks and Regards,
    Bluzky.

  2. #2
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,836
    your firewall logs didn't mention any "Port Scan Activity"?

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    111
    Nmap comes to mind. Why don`t you just ask the person what scanner they were using?
    I use sygate and it picks up portscans. At least the ones i know about.
    NORML

    Signature image is too tall!

  4. #4
    Junior Member
    Join Date
    Feb 2003
    Posts
    20
    Hi,

    Thanks for replying.

    No portscan logs et al were found in the log files. This is what amazes me.

    I also think that Nmap could have been used. I tried to run Nmap on my IP. It did not detect much but for the BFTP server that I am running. Could this be the reason for the Windows OS detection?

    And how can this FTP server detection be taken care of, since I myself saw NMAP detecting the FTP server running on my comp. Though Sygate does not ask for trusted IPs, however I tried NMap on Keiro also, but again the FTP server is being detected.

    We have no idea who this person is, who ran the scans on our IPs. We just got an email from a yahoo address with the IP and OS information in it. I think its someone on the campus only who is trying to be a little mischievous. But still, the whole thing makes the adequacy and efficiency of a firewall questionable.

    Thanks.
    Bluzky.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    111
    Get nmap and try it out on yourself.
    http://www.insecure.org/nmap/

    [edit] sorry, i just read your post again and saw that you already did this[/edit]

    We have no idea who this person is, who ran the scans on our IPs. We just got an email from a yahoo address with the IP and OS information in it.
    That`s strange...
    NORML

    Signature image is too tall!

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Are your addresses public or private..... If you don't know the difference just post the first two octets such as 214.144.xxx.xxx

    If they are private it's someone in college with you. And that's how they know your email address. if it's public then some naughty person went further than just scanning.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Junior Member
    Join Date
    Feb 2003
    Posts
    20
    Our IPs are private IPs accessible only on the LAN. Access to our systems is not granted from outside the LAN so there is no chance of anyone trying this from outside the LAN network.

    It has to be some guy on campus, but that is not the issue here. I wanted to know if such information can be avoided from disclosure. Till now, we only know that someone got to know our IPs (which he can do with any scanner) and also our OS (open port scans et al), but inspite of most of us having firewalls running on our systems. We don't know what else he has been able to gather from his scans, and thus the need to worry.

    NMAP does show the presence of BFTP server, nearly with every firewall running. Is there any way of taking care of such anomalies. And also, does anyone have any idea what kind of scans this person might be running, which is bypassing the firewall itself, as no logs were found.

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Hrmm... I wonder if he's picking up the information through other methods. How do you know that he even did scans and what suggests to you that he did do any scanning? You said that he sent an email to "everyone" with their IP and OS, right? I can pick out what OSes are running using Ettercap (there is an option to do OS detection with this sniffer). That would mean that I have access to the local LAN and can detect the OS without you knowing it.

    The firewall becomes a non-entity because I use existing connections. In addition, anything sent in cleartext (ie., user names and passwords) can be easily collected.

    The fact that he sent you an email suggests he knows you.

    [edit]

    Thought just occurred to me to add this because some may not realize it. There is a technique of detection referred to as "passive scanning". NMAP, Retina, Saint, SARA, etc. are all "active scanners". That is, they go and ask the target information.

    Passive scanning or OS detection listens for packets and based on construction and TTLs determines the source OS (this has a far less reliable detection but can allow for detection of OS without being caught scanning).

    The following might also help:

    SecuriTeam Passive OS Detection Tool

    Passive OS Detection Techniques and Details

    Ofir Arkin's papers and work into OS Fingerprinting should also be reviewed. Visit Here

    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    once you allow access for a service (ftp) to the internet its no longer protected by the firewall unless your doing filtering by ip. does sygate give you the option to allow ftp access and log connections anyway? are the others that were all detected runnnig an ftp server?

    have you tried using nmap to run a stealth scan to see if sygate picks it up? and no ones running any filesharing software?

    you could probably change the banner info in bullet proof. run strings.exe against all its files until you find the one that contains the banner info. open that file in a hex editor and change what needs to be changed (ascii chars) making sure you leave the number of characters in the string the same.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  10. #10
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Another way someone could gain this information, is if they were to place something like 'Site Meter' on a web site everyone visits.
    You can get information, such as this (from every visitor to the site):
    Domain Name Level3.net ? (Network)
    IP Address XX.XX.XX.XX (ARIN)
    Language Setting English
    Operating System Microsoft WinXP
    Browser Internet Explorer 6.0
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; YComp 5.0.2.6; FunWebProducts)
    Time of Visit Mar 30 2004 5:08:24 pm
    Last Page View Mar 30 2004 5:08:24 pm
    Visit Length 0 seconds
    Page Views 1
    Referring URL
    Visit Entry Page http://yoursite.com
    Visit Exit Page http://yoursite.com
    Time Zone UTC-5:00
    EST - Eastern Standard
    EDT - Eastern Daylight Saving Time
    Visitor's Time Mar 30 2004 8:08:24 pm
    And it will even graph the different types of OS's and or browsers that visit the site. The attachment is a grafh of the different browsers used to visit a site I have.

    The only way I know of to defeat this is by using Proxomitron and not allowing counters to even detect your presents.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •