Re: [PEN-TEST] Detecting the presence of a firewall

From: PinGer <chansimon99_at_yahoo.com>
Date: Wed, 16 May 2001 15:22:48 +0800

Hi Andrew,

I tried to scan my Check Point firewall using
nmap -v -O -p256-258 -g53 -P0 -sS w.x.y.z
without much success.

* Can I know what switch combination you used to elicit the OS
information?

I'm actually doing a project on vulnerability assessment of my servers by
scanning them from the external internet. My tool of choice is Nmap.
But I found that even though nmap scans (-sS) a range of ports, e.g. 1-60000
(-p1-60000), in a random order, it was always detected by the firewall, in
this case Watchguard's Firebox, and had its IP address blocked by the
Watchguard, which prevents it from further scanning.

* Does Check Point have a "blocked Site" feature like Watchguard?

* Has anybody successfully tried a UDP scan (-sU) through a firewall (any type)?

For those who use Nmap:
* What is the most effective combination of switches you use to scan the
firewall and its network behind?

My version: nmap -sS -F -o nmaplog.out -v -O x.w.y.z/24 -g53 -p1-60000

* I found the FIN, Null and Xmas scans not that effective against a
Check Point firewall or any other firewall for that matter.

Does anybody have any opinion on it, or a better way to use nmap to enumerate
the firewall or network?

I tried using other tools, like Firewalk 1.0, but I couldn't interpret the
results. I entered a gateway host and a destination host:

The Firewalk Control Panel
  53                 source port
  33434              initial ramping port
  0                  network writing pause
  1                  redundancy count
  2                  network time out pause
  1                  initial IP TTL
  1                  expire vector
  11-139,6000-6010   port scan list

Firewalk scanning protocol: tcp/udp (tried both)

probe: 1 TTL : 1 port 33434: *
probe: 2 TTL : 2 port 33434:*
.
.
Hop count exceeded
0 ports open, 0 ports unknown
24 probes sent, 0 replies received

I was certain that the destination host had port 80 open, but why didn't
Firewalk detect it?

There are a couple of vulnerability scanners out in the wild, like SAINT and
SARA, e.g.
* Has anybody tried using those to scan a network protected by a Check Point
firewall or any other?
* Is there any white paper/docs on how to probe/test your network/firewall?

Best Rgds,

Simon
Network Administrator

----- Original Message -----
From: "Mule, Andrew" <AMule_at_securify.com>
To: <PEN-TEST_at_securityfocus.com>
Sent: Tuesday, May 15, 2001 1:49 AM
Subject: Re: [PEN-TEST] Detecting the presence of a firewall

True. These ports do provide evidence of the host being a CPFW. However,
this assumes that mgmt is needed from a public location (ports 256,257,258).
Any company concerned about corporate network security would not run these
FW's with external mgmt ports enabled. So the new question is how do you ID
a CPFW with these ports closed? A good answer, stated below, was NMAP with
the -O option. This option will spit out something like this:

Host : X.X.X.X
OS : Check Point FireWall-1 4.0 SP-5 (IPSO build)
        Nokia IPSO 3.2-fcs4 releng 783
        NOKIA IPSO 3.2 Running Checkpoint Firewall-1
        Nokia IPSO 3.2-fcs4 releng 783 (FreeBSD Based)
Ports : 53/tcp closed domain
        256/tcp open rap
        257/tcp closed set
        258/tcp closed yak-chat

Host : X.X.X.X
OS : Nokia IPSO 3.2-fcs4 releng 783
Ports : 53/tcp closed domain
        256/tcp open rap
        257/tcp open set
        258/tcp open yak-chat

Getting addresses behind a firewall can be difficult. Finding out where the
web, mail or FTP servers are usually points to the external IP address of the
FW itself, since ARPing is done by the FW for the client. I have been
experimenting with Firewalk as well as modified TOS fields within the ICMP
protocol to force identification of internal hosts but have not been
successful....YET. If anyone has something to add to my madness please do so
with care.

Andrew A Mulé

Network Security Architect

Securify Inc.

PGP: F2D5 54A4 F098 369E AA5E
         A64E 0F6F DE52 13C6 BAC5



Received on May 16 2001
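As an added example (not code from either poster), the following Python script applies Andrew's point as a defender's check: it parses the Host/OS/Ports blocks in the shape of the nmap output quoted in his reply and flags any host seen from outside that either fingerprints as Check Point or has the 256-258 management ports open. The report format is assumed to match that quoted output, and the sample addresses are constructed TEST-NET values.

```python
import re

# Check Point FireWall-1 management ports from the thread, with nmap's service names.
FW1_MGMT_PORTS = {256: "rap", 257: "set", 258: "yak-chat"}
HOST_RE = re.compile(r"^Host\s*:\s*(\S+)")
OS_RE = re.compile(r"^OS\s*:\s*(.*)$")
PORT_RE = re.compile(r"(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")

# Constructed sample in the shape of the output quoted above (TEST-NET addresses).
SAMPLE_REPORT = """\
Host : 192.0.2.10
OS : Check Point FireWall-1 4.0 SP-5 (IPSO build)
        Nokia IPSO 3.2-fcs4 releng 783
Ports : 53/tcp closed domain
        256/tcp open rap
        257/tcp closed set
        258/tcp closed yak-chat

Host : 192.0.2.11
OS : Nokia IPSO 3.2-fcs4 releng 783
Ports : 53/tcp closed domain
        256/tcp open rap
        257/tcp open set
        258/tcp open yak-chat
"""

def parse_hosts(report):
    """Split the report into records: address, first OS guess, and per-port state."""
    hosts, current = [], None
    for line in report.splitlines():
        if m := HOST_RE.match(line):
            current = {"host": m.group(1), "os": "", "ports": {}}
            hosts.append(current)
        elif current is None:
            continue  # ignore anything before the first Host line
        elif m := OS_RE.match(line):
            current["os"] = m.group(1).strip()
        else:
            for num, proto, state, name in PORT_RE.findall(line):
                current["ports"][(int(num), proto)] = (state, name)
    return hosts

def audit_external_mgmt(report):
    """Flag hosts that fingerprint as Check Point or expose FW-1 mgmt ports externally."""
    findings = []
    for h in parse_hosts(report):
        exposed = sorted(p for (p, proto), (state, _) in h["ports"].items()
                         if proto == "tcp" and p in FW1_MGMT_PORTS and state == "open")
        findings.append({"host": h["host"], "exposed_mgmt_ports": exposed,
                         "checkpoint_fingerprint": "check point" in h["os"].lower()})
    return findings
```

Any host with a non-empty `exposed_mgmt_ports` list is one Andrew's reply says should not be reachable from a public address.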