Penetration Testing: RE: [PEN-TEST] Detecting the presence of a firewall

RE: [PEN-TEST] Detecting the presence of a firewall

From: <railwayclubposse_at_hushmail.com>
Date: Tue, 15 May 2001 21:52:09 -0500 (EDT)

I agree, I have not noticed this in the one-to-one NAT scenario you have.
In the situations I am talking about, the most obvious difference is the
source port of packets coming from protected hosts is changed. Each host
sharing an address seems to get a different source port.
Of course this is not specific to checkpoint.

I'm sorry I don't have the article you request, I don't have access to checkpoint
support. I doubt they have useful information on this subject anyway. More
useful is this nmap fingerprint which works for me a good deal of the time.
It's included in recent versions of nmap:

# Contributed by william.frogge_at_sus.com
Fingerprint NT Server 4.0 SP4-SP5 running Checkpoint Firewall-1
TSeq(Class=TD%gcd=<8%SI=<154)
T1(DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=N)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=N)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E)

At Tue, 15 May 2001 16:37:03 -0500, Frank Knobbe <FKnobbe_at_KnobbeITS.com>
wrote:

>> -----Original Message-----
>> From: railwayclubposse_at_hushmail.com
>> [mailto:railwayclubposse_at_hushmail.com]
>> Sent: Tuesday, May 15, 2001 10:49 AM
>>
>> You get the same results if the default Checkpoint ports are
>> closed. You
>> still need to find one or two open ports, but they don't have
>> to be on the
>> firewall itself. The giveaway is in how the headers are
>> rewritten for one-
>> to-many NAT.
>
>
>Uhm... I'm confused. I assume you mean ports of statically natted
>machines. I connect from the Internet through the FW-1 to a host
>behind it. That is a one-to-one NAT. What is rewritten in the
>headers that would identify the screening fw as a FW-1 machine? I
>mean IP addresses are obviously changed. What other header
>information (i.e. flags, options) are changed in the packet coming
>from the host? I understand that I should expect a certain option set
>in a response packet (depending on OS and my request packet), I
>understand the process, I'm not questioning this. Just would like to
>know what is reset/changed in the TCP or UDP packet. (Let's ignore
>ICMP). Point me to an article or FAQ please.
>
>Regards,
>Frank
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP Personal Privacy 6.5.8
>Comment: PGP or S/MIME encrypted email preferred.
>
>iQA/AwUBOwGhf5ytSsEygtEFEQIvsACgoTtMFV/4RxlUGwGFKpzMVkGXkDMAmgMa
>jgNg9+TBLNivSvLJZFdJHhex
>=K0ok
>-----END PGP SIGNATURE-----
>
Free, encrypted, secure Web-based email at www.hushmail.com

Received on May 16 2001
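The fingerprint block quoted in the message above uses nmap's first-generation OS fingerprint format: one `Fingerprint` name line followed by per-probe lines of the form `TEST(attr=value%attr=value...)`. As an added example (not part of the post and not nmap's own code), the following parses that block into a structured table and compares it against a recorded set of probe responses, so a defender can see which of these probe results a screened host is actually exposing. The fingerprint text is copied from the post; both `OBSERVED` dictionaries are constructed for illustration, and numeric fields are treated as hexadecimal (an assumption made here for `<N` comparisons).

```python
"""Parse and match an nmap first-generation OS fingerprint (added example).

The fingerprint text is the one quoted in the post. The OBSERVED dicts are
constructed sample data, not real scan output.
"""
import re

FINGERPRINT_TEXT = """\
# Contributed by william.frogge_at_sus.com
Fingerprint NT Server 4.0 SP4-SP5 running Checkpoint Firewall-1
TSeq(Class=TD%gcd=<8%SI=<154)
T1(DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=N)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=N)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E)
"""

# A test line looks like NAME(body); the body holds %-separated attr=value pairs.
LINE_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprint(text):
    """Return (name, {test: {attr: expected_value}}) for one fingerprint block."""
    name = None
    tests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and contributor comments
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised fingerprint line: %r" % line)
        test, body = m.groups()
        attrs = {}
        for item in body.split("%") if body else []:
            key, _, val = item.partition("=")  # 'Ops=' yields an empty value
            attrs[key] = val
        tests[test] = attrs
    return name, tests


def attr_matches(expected, observed):
    """Match one attribute: '|' separates alternatives, '<N' is a numeric
    upper bound. Numbers are read as hex (assumption for this example)."""
    for alt in expected.split("|"):
        if alt.startswith("<"):
            try:
                if int(observed, 16) < int(alt[1:], 16):
                    return True
            except ValueError:
                pass  # non-numeric observation cannot satisfy a bound
        elif alt == observed:
            return True
    return False


def compare(tests, observed):
    """Return {test: [attrs that differ]}; an empty list means that probe
    matched. A probe absent from observed is treated as no response."""
    report = {}
    for test, expected in tests.items():
        got = observed.get(test, {"Resp": "N"})
        report[test] = [k for k, v in expected.items()
                        if not attr_matches(v, got.get(k, ""))]
    return report


def match_score(tests, observed):
    """(matched probes, total probes) for a quick similarity measure."""
    report = compare(tests, observed)
    return sum(1 for d in report.values() if not d), len(report)


# Constructed sample: responses that agree with every probe in the fingerprint.
OBSERVED = {
    "TSeq": {"Class": "TD", "gcd": "1", "SI": "C"},
    "T1": {"DF": "Y", "W": "2017", "ACK": "S++", "Flags": "AS", "Ops": "M"},
    "T2": {"Resp": "N"},
    "T3": {"Resp": "Y", "DF": "Y", "W": "2017", "ACK": "S++", "Flags": "AS", "Ops": "M"},
    "T4": {"Resp": "N"},
    "T5": {"DF": "N", "W": "0", "ACK": "S++", "Flags": "AR", "Ops": ""},
    "T6": {"Resp": "N"},
    "T7": {"Resp": "N"},
    "PU": {"DF": "N", "TOS": "0", "IPLEN": "38", "RIPTL": "148", "RID": "E",
           "RIPCK": "E", "UCK": "F", "ULEN": "134", "DAT": "E"},
}

# Constructed variant: a different window size on T1 and a reply to T4.
OBSERVED_DIFFERENT = {**OBSERVED,
                      "T1": {**OBSERVED["T1"], "W": "4000"},
                      "T4": {"Resp": "Y", "DF": "N", "W": "0"}}

if __name__ == "__main__":
    name, tests = parse_fingerprint(FINGERPRINT_TEXT)
    for label, obs in (("sample", OBSERVED), ("variant", OBSERVED_DIFFERENT)):
        matched, total = match_score(tests, obs)
        print("%s vs %r: %d/%d probes match" % (label, name, matched, total))
        for test, diffs in compare(tests, obs).items():
            if diffs:
                print("  %s differs on %s" % (test, ", ".join(diffs)))
```

Running it reports a full 9/9 match for the first sample and lists the T1 and T4 deviations for the variant, which is the granularity a defender wants when deciding whether a NAT device or screened host should have its TCP/IP behaviour changed or its exposure reduced.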
