RE: PIX and ttl

["Jason Lewis" <jlewis () jasonlewis net>]

I should have made myself clear.  I have scanned my PIX.  I know the hosts
that are behind it and I have never been able to identify the hosts with
NMAP.

I am running load balanced web servers behind a PIX.  I have never been able
to identify the server OS with NMAP.  Is there a secret?  I am aware of
doing banner checks.  The scenario would be someone doing automated scans
for Linux and using NMAP to put known Linux hosts into a file.

Jason Lewis
http://www.packetnexus.com
http://www.packetnexus.com/kb/greyarts/
It's not secure "Because they told me it was secure". The people at the
other end of the link know less about security than you do. And that's
scary.



-----Original Message-----
From: Jacek Lipkowski [mailto:sq5bpf () acid ch pw edu pl]
Sent: Friday, May 25, 2001 2:17 PM
To: Jason Lewis
Cc: 'Fernando Cardoso'; PEN-TEST () securityfocus com
Subject: RE: PIX and ttl


On Thu, 24 May 2001, Jason Lewis wrote:

> I am not sure how you identify the PIX. How do you fingerprint servers
when

(this is just an example)
check for any open smtp ports, if they are behind a pix (any you have
'conduit smtp 25' or something like this in the config file, which most
people do), it will say:
220 SMAP (and some other crap)

> you don't know what the servers are or if they are behind a PIX?

usually you don't have to (if by fingerprinting you mean nmap -O), they
usually give out way too much information anyway. check the http server
banner for starters, see if there is any ssh installed, try to get some
mail relayed through their mailserver, like a mail delivery notofication,
preferably to postmaster or webmaster asking some stupid question. by now
you usually know if it is unix or nt. dig deeper...

jacek