Pepijn Vissers wrote:
>
> Hi all,
>
> What would be the best way to determine what kind of firewall is running on
> a server? Especially one that does not give out any banners.
> TCP-fingerprinting is not possible because there are no obvious open ports.
>
But sometimes there are. Firewall-1 by default opens several ports (e.g.
256/tcp). Some firewalls (Raptor) have several ports open that are
immediately closed upon connecting to them (tcp-wrapper like).
It's also important to look closely at the responses you get back: if
you're seeing ICMP unreach - admin prohibited by filter, you're probably
dealing with IOS ACLs.
If you can query SNMP on a router in front of the firewall, you can get
the ARP table; from that you can get the ethernet vendor code of the
firewall, which often gives away a lot.
Of course, a firewall that's configured well will not respond to anything
at all and just swallow all your probe packets.
Tom.
--
Tom Vandepoel Ubizen
Sr. Security Engineer We Secure e-Business
Phone +32 16 28 70 00 http://www.ubizen.com
Fax +32 16 28 71 00 http://www.securitywatch.com
Received on Mar 06 2001
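
Added example, not part of the original post: a Python decoder for the "admin prohibited" ICMP unreachable mentioned in the reply, usable on a capture taken outside your own perimeter to see which device answers and what it reveals, as opposed to a silent drop. The sample packet, the documentation-range addresses and the function names are constructed for illustration.

```python
import socket
import struct

# ICMP type 3 codes that signal an administrative (policy) block
# (codes 9 and 10 from RFC 1122, code 13 from RFC 1812).
FILTER_CODES = {9: "network administratively prohibited",
                10: "host administratively prohibited",
                13: "communication administratively prohibited"}

def parse_icmp_unreachable(packet: bytes):
    """Decode a raw IPv4 packet; return a dict for ICMP type 3, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if packet[9] != 1 or len(icmp) < 8 or icmp[0] != 3:
        return None                      # not ICMP destination unreachable
    code = icmp[1]
    info = {"reporter": socket.inet_ntoa(packet[12:16]),  # device that answered
            "code": code,
            "filter_generated": code in FILTER_CODES,
            "meaning": FILTER_CODES.get(code, "ordinary unreachable")}
    quoted = icmp[8:]                    # original IP header + first 8 payload bytes
    if len(quoted) >= 20:
        q_ihl = (quoted[0] & 0x0F) * 4
        info["orig_dst"] = socket.inet_ntoa(quoted[16:20])
        if quoted[9] in (6, 17) and len(quoted) >= q_ihl + 4:   # TCP or UDP
            info["orig_dport"] = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    return info

def ip_header(proto, src, dst, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for the sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_sample():
    """Constructed capture: router 192.0.2.1 rejects a TCP SYN to 192.0.2.10:256."""
    tcp8 = struct.pack("!HHI", 40000, 256, 1)             # sport, dport, seq
    quoted = ip_header(6, "198.51.100.7", "192.0.2.10", 20) + tcp8
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + quoted     # type 3, code 13
    return ip_header(1, "192.0.2.1", "198.51.100.7", len(icmp)) + icmp

if __name__ == "__main__":
    print(parse_icmp_unreachable(build_sample()))
```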