[11063] in bugtraq


Re: Checkpoint FW-1 identification

daemon@ATHENA.MIT.EDU (Jochen Bauer)
Sat Jul 17 23:54:44 1999

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19990717131720.A1850@luna.theo2.physik.uni-stuttgart.de>
Date:         Sat, 17 Jul 1999 13:17:21 +0200
Reply-To: Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>
From: Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19990716082652.63061.qmail@securityfocus.com>; from Tim Hirst on
              Fri, Jul 16, 1999 at 08:26:52AM -0000

On Fri, Jul 16, 1999 at 08:26:52AM -0000, Tim Hirst wrote:
> Hi all,
>
> This is not a bug but is instead a common procedural error.
> If a remote attacker performs a port scan on a network and
> finds a machine with ports 256, 257, and 258 open then it is
> a sure bet that they are running a Checkpoint FW-1 firewall.

Such a kind of firewall identification method also exists for AltaVista
Firewall (at least for Firewall97). In the default configuration there
are "traps" listening on ports 26/tcp, 27/tcp, 28/tcp and 29/tcp.

/etc/services:
[...]
ftp             21/tcp
telnet          23/tcp
strafe1         26/tcp
strafe2         27/tcp
strafe3         28/tcp
strafe4         29/tcp
smtp            25/tcp
time            37/tcp
[...]

If one connects to one of these ports, they generate the event of a
"connection attempt on unused port". As these "traps" are started by
inetd when a connection attempt occurs

/etc/inetd.conf
[...]
strafe1   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe2   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe3   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe4   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
[...]

one can do a stealth scan on those ports to identify AltaVista Firewalls
(you know what to try next, don't you?) without the firewall detecting
the scan.


Jochen Bauer

************************************************************
*Network Security Team                                     *
*Computer Center of the University of Stuttgart            *
*Germany                                                   *
*                                                          *
*Email: jtb@theo2.physik.uni-stuttgart.de                  *
*       jochen.bauer@rus.uni-stuttgart.de                  *
*                                                          *
*PGP Public Key:                                           *
*     http://www.theo2.physik.uni-stuttgart.de/jtb.html    *
************************************************************
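The weakness described above is that an inetd-spawned trap only sees a connection after accept() returns, so a probe that stops at the SYN leaves no event. The following added example (not code from the post or from the AltaVista product) shows the packet-level check a defender would need instead: it walks a constructed, tcpdump-like capture and separates flows to the strafe ports 26-29 that completed the handshake (which inetd would have logged) from SYN-only probes that it would have missed. The log line layout is an assumption.

```python
from collections import defaultdict

# Trap ports from the post's /etc/services excerpt (AltaVista Firewall97 default).
TRAP_PORTS = {26, 27, 28, 29}

# Constructed sample capture (not a real trace). Assumed line layout:
# "<time> <src_ip>.<src_port> > <dst_ip>.<dst_port>: <tcp_flags>"
SAMPLE_LOG = """\
10:01:02.1 10.0.0.5.40001 > 192.0.2.1.26: S
10:01:02.2 10.0.0.5.40002 > 192.0.2.1.27: S
10:01:02.3 10.0.0.5.40003 > 192.0.2.1.28: S
10:01:02.4 10.0.0.5.40004 > 192.0.2.1.29: S
10:01:05.0 10.0.0.9.51000 > 192.0.2.1.26: S
10:01:05.1 10.0.0.9.51000 > 192.0.2.1.26: .
10:01:09.0 10.0.0.7.33000 > 192.0.2.1.25: S
10:01:09.1 10.0.0.7.33000 > 192.0.2.1.25: .
"""

def _parse(line):
    """Return (src_ip, src_port, dst_port, flags) for one capture line."""
    _time, src, _arrow, dst, flags = line.split()
    src_ip, src_port = src.rsplit(".", 1)
    _dst_ip, dst_port = dst.rstrip(":").rsplit(".", 1)
    return src_ip, int(src_port), int(dst_port), flags

def classify_trap_traffic(log_text):
    """Split trap-port traffic into what inetd sees and what it misses.

    inetd runs /usr/dfws/etc/strafe only after accept() returns, i.e. after
    the handshake completes, so a flow that shows nothing but a SYN never
    produces the "connection attempt on unused port" event.
    Returns (half_open, completed), each mapping src_ip -> sorted trap ports.
    """
    syn_seen, finished = set(), set()   # flows keyed (src_ip, src_port, dst_port)
    for line in filter(None, log_text.splitlines()):
        src_ip, src_port, dst_port, flags = _parse(line)
        if dst_port not in TRAP_PORTS:
            continue
        flow = (src_ip, src_port, dst_port)
        if flags == "S":
            syn_seen.add(flow)
        elif flow in syn_seen:             # client ACK/data: handshake done
            finished.add(flow)
    half_open, completed = defaultdict(set), defaultdict(set)
    for src_ip, _, dst_port in syn_seen - finished:
        half_open[src_ip].add(dst_port)
    for src_ip, _, dst_port in finished:
        completed[src_ip].add(dst_port)
    return ({k: sorted(v) for k, v in half_open.items()}, {k: sorted(v) for k, v in completed.items()})
```

A source that appears in half_open across all four trap ports is exactly the scan pattern inetd cannot report; a real deployment would feed this from a packet capture on the firewall's external interface rather than from inetd.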
