Thread: Perimeter Security

  1. #1
    Member
    Join Date
    Aug 2004
    Posts
    95

    Perimeter Security

    I am new to security, someone asked me this question. I thought you can help me.

    Perimeter device identification

    >> When ping is not working in the destination, and when you don't know the server is on/off, what do you do?

    Try to
    Telnet 21,23,25,80,110 etc.,
    try nmap with various types of port scanning.,
    try sniffing if it is local network and IDS is not present.,

    If the target is away in a different network with perimeter device installed, how do you find whether it is ON/OFF & the perimeter device which is protecting it?

    Is there any tool or tutorial, if there is something please help me.

    anban

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Usually you can scan for specific ports.

    I have found that if you do a basic nmap command such as nmap -sS ip it comes back as no computer being there. But if you do a nmap -sS -P <port number here> ip it usually comes back as say


    port 80 HTTP Filtered

    That's one way I know Port 80 is usually almost there so it should be active unless the administrator is blocking traffic on port 80 and routing it to a different port.

  3. #3
    Member
    Join Date
    Aug 2004
    Posts
    95
    When some perimeter device like firewall is present, it will block nmap (MS XP SP2). How do we go about it?

    How do we find what firewall it is?

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: Perimeter Security

    Originally posted here by anban
    If the target is away in a different network with perimeter device installed, how do you find whether it is ON/OFF & the perimeter device which is protecting it?
    Well, if it's properly done, there's no way, however you could play with a tool like hping2 to increase the TTL on a standard TCP packet until you see a difference between when it gets dropped and when it doesn't. You might also google 'network fingerprinting' and 'firewall fingerprinting' and such to see if you can find a tutorial on doing it without something like NMAP.

    Originally posted here by cheyenne1212
    Usually you can scan for specific ports.
    I have found that if you do a basic nmap command such as nmap -sS ip it comes back as no computer being there. But if you do a nmap -sS -P <port number here> ip it usually comes back as say
    port 80 HTTP Filtered
    That's one way I know Port 80 is usually almost there so it should be active unless the administrator is blocking traffic on port 80 and routing it to a different port.
    If they are blocking pings, the above will probably not work, you'd need to add the -P0 flag to tell nmap to not try pinging the host first. If you use just a TCP/80 SYNSCAN it should probably work, or at least, tell you that it's filtered.

    Scanning remote networks that are firewalled can be tricky. It's very difficult to know the network layout, and frequently a lot of assumptions are made during the enumeration process.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
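
From the defending side, the TTL-stepping probe mentioned in post #4 reaches a perimeter sensor as TCP SYNs from one source to one destination port with very low, steadily rising TTL values. The following Python is an added example, not part of the thread; the record layout, thresholds, function name and sample packets are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records, as a sensor on the outside interface might log them:
# (timestamp, src, dst, dport, tcp_flags, ttl_in_ip_header_on_arrival)
SAMPLE = [
    (100.0, "198.51.100.7", "192.0.2.10", 80, "S", 1),
    (100.5, "198.51.100.7", "192.0.2.10", 80, "S", 2),
    (101.0, "198.51.100.7", "192.0.2.10", 80, "S", 3),
    (101.2, "203.0.113.20", "192.0.2.10", 80, "S", 52),   # ordinary client
    (101.3, "203.0.113.20", "192.0.2.10", 80, "S", 52),   # its retransmit
    (102.0, "203.0.113.99", "192.0.2.10", 443, "S", 2),   # one odd packet, no ramp
]


def find_ttl_ramps(packets, low_ttl=5, min_steps=3, window=30.0):
    """Return sorted (src, dst, dport) flows whose SYNs arrive with a strictly
    rising run of at least `min_steps` low TTL values within `window` seconds.

    Normal traffic arrives with dozens of hops of TTL left, so only packets
    with TTL <= `low_ttl` are considered at all (hypothetical threshold).
    """
    by_flow = defaultdict(list)
    for ts, src, dst, dport, flags, ttl in packets:
        if flags == "S" and ttl <= low_ttl:
            by_flow[(src, dst, dport)].append((ts, ttl))

    hits = []
    for flow, seen in by_flow.items():
        seen.sort()                      # order by arrival time
        run, best, start = 1, 1, seen[0][0]
        for (_, prev_ttl), (ts, ttl) in zip(seen, seen[1:]):
            if ttl > prev_ttl and ts - start <= window:
                run += 1                 # ramp continues
            else:
                run, start = 1, ts       # ramp broken or too slow: restart
            best = max(best, run)
        if best >= min_steps:
            hits.append(flow)
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, dport in find_ttl_ramps(SAMPLE):
        print(f"possible TTL-stepped probing: {src} -> {dst}:{dport}")
```

A slow prober can stay under the `window` limit, so in practice this kind of check is paired with a longer-horizon count of low-TTL SYNs per source.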
