Bugtraq mailing list archives
Re: Checkpoint FW-1 identification
From: jtb () THEO2 PHYSIK UNI-STUTTGART DE (Jochen Bauer)
Date: Sat, 17 Jul 1999 13:17:21 +0200
On Fri, Jul 16, 1999 at 08:26:52AM -0000, Tim Hirst wrote:
> Hi all,
>
> This is not a bug but is instead a common procedural error. If a remote attacker performs a port scan on a network and finds a machine with ports 256, 257, and 258 open then it is a sure bet that they are running a Checkpoint FW-1 firewall.
Such a kind of firewall identification method also exists for AltaVista Firewall (at least for Firewall97). In the default configuration there are "traps" listening on ports 26/tcp, 27/tcp, 28/tcp and 29/tcp.

/etc/services:

    [...]
    ftp      21/tcp
    telnet   23/tcp
    strafe1  26/tcp
    strafe2  27/tcp
    strafe3  28/tcp
    strafe4  29/tcp
    smtp     25/tcp
    time     37/tcp
    [...]

If one connects to one of these ports, they generate the event of a "connection attempt on unused port". As these "traps" are started by inetd when a connection attempt occurs

/etc/inetd.conf

    [...]
    strafe1 stream tcp nowait root /usr/dfws/etc/strafe strafe
    strafe2 stream tcp nowait root /usr/dfws/etc/strafe strafe
    strafe3 stream tcp nowait root /usr/dfws/etc/strafe strafe
    strafe4 stream tcp nowait root /usr/dfws/etc/strafe strafe
    [...]

one can do a stealth scan on those ports to identify AltaVista Firewalls (you know what to try next, don't you?) without the firewall detecting the scan.

Jochen Bauer

************************************************************
*Network Security Team                                     *
*Computer Center of the University of Stuttgart            *
*Germany                                                   *
*                                                          *
*Email: jtb () theo2 physik uni-stuttgart de               *
*       jochen.bauer () rus uni-stuttgart de               *
*                                                          *
*PGP Public Key:                                           *
*  http://www.theo2.physik.uni-stuttgart.de/jtb.html       *
************************************************************
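
The blind spot described in the message above exists because the traps only run once inetd has accepted a completed connection, so detection has to look at packets rather than accepted connections. The following is an added example, not part of the original post or of any vendor's code: it flags SYNs to the trap ports that never complete the handshake, and it assumes a simplified, constructed log layout, a firewall address of 192.0.2.1 and the hypothetical function name `half_open_trap_probes`.

```python
import re
from collections import defaultdict

TRAP_PORTS = {26, 27, 28, 29}  # strafe1..strafe4 in the /etc/services excerpt

# Constructed sample, simplified "time src.port > dst.port flags" layout
# (an assumption for this example; not real capture data).
SAMPLE = """\
10:00:01 198.51.100.7.40000 > 192.0.2.1.26 S
10:00:01 192.0.2.1.26 > 198.51.100.7.40000 SA
10:00:01 198.51.100.7.40000 > 192.0.2.1.26 R
10:00:02 198.51.100.7.40001 > 192.0.2.1.27 S
10:00:02 192.0.2.1.27 > 198.51.100.7.40001 SA
10:00:02 198.51.100.7.40001 > 192.0.2.1.27 R
10:00:05 203.0.113.9.51000 > 192.0.2.1.28 S
10:00:05 192.0.2.1.28 > 203.0.113.9.51000 SA
10:00:05 203.0.113.9.51000 > 192.0.2.1.28 A
10:00:06 198.51.100.7.40002 > 192.0.2.1.25 S
"""

LINE = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+) (\S+)$")

def half_open_trap_probes(log, firewall="192.0.2.1"):
    """Map each source to the trap ports it sent a SYN to without ever
    completing the handshake (so inetd never started strafe)."""
    flows = {}  # (src, sport, dport) -> True once the client's ACK is seen
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        dport = int(dport)
        if dst != firewall or dport not in TRAP_PORTS:
            continue  # only client-to-firewall packets aimed at a trap port
        key = (src, sport, dport)
        if flags == "S":
            flows.setdefault(key, False)
        elif flags == "A" and key in flows:
            flows[key] = True  # full connect: the trap logs this one itself
    probes = defaultdict(set)
    for (src, _sport, dport), completed in flows.items():
        if not completed:
            probes[src].add(dport)
    return {src: sorted(ports) for src, ports in probes.items()}

if __name__ == "__main__":
    for src, ports in half_open_trap_probes(SAMPLE).items():
        print(f"{src}: half-open probes of trap ports {ports}")
```
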