You can use TTL to determine if the packets are making it downstream of the firewall.
http://www.packetfactory.net/projects/firewalk/
-Maestr0
thatch, I think you got your answers, but I think everyone looked at this a little differently and answered accordingly.
Let me see if I can clarify:
Depends on how it is configured, but usually no. (It would actually be silly to do so.)
Quote:
> Do firewalls when NATing take all traffic from the external IP and pass it to the internal network and expect the server to have the remaining services closed down
For the purpose of this discussion, this is a more accurate statement. And, as you know, it may not be just one port to one machine. There may be additional services running on that box, so there could be more than one port forwarded to it, and/or it could be to several different boxes for other services and/or load balancing.
Quote:
> do they only take traffic destined for a port and drop everything else.
Again, this has been answered, but yes, I think you have the idea.
Quote:
> If it's the latter, when I scan am I only scanning the 1 port that is allowing traffic to be forwarded to it?
Yes and no.
Quote:
> Is there a way of determining if the firewall is blocking the traffic to the other ports or if the Server has been locked down and is blocking them?
No, because once the ports are blocked at the firewall the server will never see the scan if it is coming in that way.
You could have port 23 wide open on a server, but if you are scanning the perimeter (from outside, hitting the firewall box first) and that port is blocked by the firewall, the port will appear closed from the outside when on the server it is actually wide open.
Yes, scan the servers from the other side of the firewall.
I am wondering here how you scanned the server and got the same results as scanning the firewall (Cisco device responding)... how did you scan the server, from inside, or still from the outside? If it was from the inside, is there another Cisco device in between? Or, after understanding the other answers, is this question now moot?
Quote:
> I fired up Wireshark and then set a scan going using another tool, then looked at my responses in Wireshark. I could see that the responses from closed ports were all coming from a source that was a Cisco device (which I know to be my firewall). When I performed the same technique on another server I got the same.
I would say no, and leave you to think about this:
Quote:
> Is this technique sufficient to prove that I have identified that the servers are behind a Cisco firewall that is NATing addresses and only allowing traffic through on certain ports? Or am I missing something obvious that would mean this technique is only valid in this situation?
What if there actually is no firewall?
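The TTL idea from the first post and the "did the firewall answer, or did the host?" question above can be worked through on captured scan replies. The following is an added example, not code from Maestr0, thatch, or the Firewalk project. It assumes you have one known-forwarded open port to calibrate against (the SYN-ACK must come from the real server, so its TTL tells you how far away the host is), and it assumes the usual initial TTLs of 64, 128 and 255. The `Reply` records, port numbers and TTL values are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Initial TTLs that common stacks use (Linux/BSD 64, Windows 128, Cisco IOS/ASA 255).
INITIAL_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class Reply:
    """What came back (if anything) for a SYN probe of one TCP port."""
    port: int
    kind: str                  # "syn-ack", "rst", "icmp-admin-prohibited" or "none"
    ttl: Optional[int] = None  # IP TTL of the reply packet; None when nothing came back


def estimate_hops(ttl: int) -> int:
    """Hops the reply travelled, assuming its sender started at the nearest common initial TTL."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def classify(replies: list[Reply]) -> dict[int, str]:
    """Label each probed port, using the open ports' reply TTL as the calibration point.

    A SYN-ACK can only come from the real server, so its hop count says how far away
    the host is. A RST or ICMP reply from fewer hops away was generated by a device
    in the path (the firewall, or a router) rather than by the host's TCP stack.
    """
    host_hops = {estimate_hops(r.ttl) for r in replies if r.kind == "syn-ack" and r.ttl is not None}
    if not host_hops:
        raise ValueError("need at least one SYN-ACK (an open, forwarded port) to calibrate")
    nearest_host = min(host_hops)

    labels: dict[int, str] = {}
    for r in replies:
        if r.kind == "syn-ack":
            labels[r.port] = "open"
        elif r.kind == "none":
            # Dropped silently, by the firewall or by the host; from outside we cannot tell which.
            labels[r.port] = "filtered-no-reply"
        elif r.kind == "icmp-admin-prohibited":
            # ICMP type 3 code 13 is an explicit reject, something a firewall or router sends.
            labels[r.port] = "rejected-by-intermediate"
        elif r.kind == "rst" and r.ttl is not None:
            hops = estimate_hops(r.ttl)
            if hops in host_hops:
                labels[r.port] = "closed-on-host"            # the host's own stack answered
            elif hops < nearest_host:
                labels[r.port] = "rejected-by-intermediate"  # answered before reaching the host
            else:
                labels[r.port] = "rst-ttl-mismatch"          # farther than the host: some other box
        else:
            labels[r.port] = "unknown"
    return labels


# Constructed sample (made-up values): one forwarded service (80) behind a firewall that
# answers rejected ports itself, starting from TTL 255, one hop nearer to us than the host.
SAMPLE = [
    Reply(80, "syn-ack", ttl=120),               # Windows host (128) eight hops away
    Reply(110, "rst", ttl=120),                  # same distance as the host: closed on the host
    Reply(25, "rst", ttl=248),                   # 255 - 7: one hop nearer, the firewall answered
    Reply(23, "icmp-admin-prohibited", ttl=248),
    Reply(22, "none"),                           # silently dropped somewhere
]

if __name__ == "__main__":
    for port, label in sorted(classify(SAMPLE).items()):
        print(f"{port:>5}/tcp  {label}")
```

Two caveats that bear directly on the "what if there is no firewall?" question: a router that sends ICMP admin-prohibited or RSTs for an ACL looks exactly like a firewall to this check, so a reply from a "Cisco device" proves that something in the path answered, not that it is a firewall or that it is NATing; and a transparent (bridged) firewall does not decrement TTL at all, so its replies would carry the same hop count as the host's and be mislabelled as closed on the host. Silently dropped probes give no reply to analyse, which is why the only reliable way to know what the server itself is blocking is to scan it from the other side of the firewall.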