Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Checkpoint FW-1 identification
From: jtb () THEO2 PHYSIK UNI-STUTTGART DE (Jochen Bauer)
Date: Sat, 17 Jul 1999 13:17:21 +0200


On Fri, Jul 16, 1999 at 08:26:52AM -0000, Tim Hirst wrote:
Hi all,

This is not a bug but is instead a common procedural error.
If a remote attacker performs a port scan on a network and
finds a machine with ports 256, 257, and 258 open then it is
a sure bet that they are running a Checkpoint FW-1 firewall.

Such a kind of firewall identification method also exists for AltaVista
Firewall (at least for Firewall97). In the default configuration there
are "traps" listening on ports 26/tcp, 27/tcp, 28/tcp and 29/tcp.

/etc/services:
[...]
ftp             21/tcp
telnet          23/tcp
strafe1         26/tcp
strafe2         27/tcp
strafe3         28/tcp
strafe4         29/tcp
smtp            25/tcp
time            37/tcp
[...]

If one connects to one of these ports, they generate the event of a
"connection attempt on unused port". As these "traps" are started by
inetd when a connection attempt occurs

/etc/inetd.conf
[...]
strafe1   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe2   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe3   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe4   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
[...]

one can do a stealth scan on those ports to identify AltaVista Firewalls
(you know what to try next, don't you?) without the firewall detecting
the scan.

Jochen Bauer

************************************************************
*Network Security Team                                     *
*Computer Center of the University of Stuttgart            *
*Germany                                                   *
*                                                          *
*Email: jtb () theo2 physik uni-stuttgart de                  *
*       jochen.bauer () rus uni-stuttgart de                  *
*                                                          *
*PGP Public Key:                                           *
*     http://www.theo2.physik.uni-stuttgart.de/jtb.html    *
************************************************************


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]