Checkpoint FW-1 identification


Date: Sat, 17 Jul 1999 13:17:21 +0200
From: Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE.>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Checkpoint FW-1 identification

On Fri, Jul 16, 1999 at 08:26:52AM -0000, Tim Hirst wrote:
> Hi all,
>
> This is not a bug but is instead a common procedural error.
> If a remote attacker performs a port scan on a network and
> finds a machine with ports 256, 257, and 258 open then it is
> a sure bet that they are running a Checkpoint FW-1 firewall.

Such a kind of firewall identification method also exists for AltaVista
Firewall (at least for Firewall97). In the default configuration there
are "traps" listening on ports 26/tcp, 27/tcp, 28/tcp and 29/tcp.

/etc/services:
[...]
ftp             21/tcp
telnet          23/tcp
strafe1         26/tcp
strafe2         27/tcp
strafe3         28/tcp
strafe4         29/tcp
smtp            25/tcp
time            37/tcp
[...]

If one connects to one of these ports, they generate the event of a
"connection attempt on unused port". As these "traps" are started by
inetd when a connection attempt occurs

/etc/inetd.conf
[...]
strafe1   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe2   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe3   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe4   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
[...]

one can do a stealth scan on those ports to identify AltaVista Firewalls
(you know what to try next, don't you?) without the firewall detecting
the scan.


Jochen Bauer

************************************************************
*Network Security Team                                     *
*Computer Center of the University of Stuttgart            *
*Germany                                                   *
*                                                          *
*Email: jtb@theo2.physik.uni-stuttgart.de                  *
*       jochen.bauer@rus.uni-stuttgart.de                  *
*                                                          *
*PGP Public Key:                                           *
*     http://www.theo2.physik.uni-stuttgart.de/jtb.html    *
************************************************************
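The post's point for a defender is that an inetd-spawned "trap" only runs after accept() has completed the TCP handshake, so a half-open probe sees the port open but never produces the "connection attempt on unused port" event; only packet-level logging (kernel or packet filter) can record such probes. The following audit script is an added example, not code from the post or from the AltaVista Firewall product. It parses /etc/services and /etc/inetd.conf in the layout quoted above, resolves each inetd stream/tcp entry to its port, and lists the ports whose server is the trap program. The two text excerpts are constructed to mirror the post's fragments (the ftp line in the inetd excerpt is an assumed extra entry), and the trap path /usr/dfws/etc/strafe is the one the post shows.

```python
"""Audit which inetd-spawned TCP services on a host are trap listeners.

Added example (not from the Bugtraq post). The excerpts below are
constructed to mirror the /etc/services and /etc/inetd.conf fragments
quoted in the post; TRAP_PROGRAM is the path the post shows.
"""

SERVICES_TEXT = """\
ftp             21/tcp
telnet          23/tcp
strafe1         26/tcp
strafe2         27/tcp
strafe3         28/tcp
strafe4         29/tcp
smtp            25/tcp
time            37/tcp
"""

INETD_CONF_TEXT = """\
# constructed inetd.conf excerpt; the comment line exercises the parser
ftp       stream  tcp  nowait  root     /usr/sbin/ftpd            ftpd
strafe1   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe2   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe3   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
strafe4   stream  tcp  nowait  root     /usr/dfws/etc/strafe      strafe
"""

TRAP_PROGRAM = "/usr/dfws/etc/strafe"  # trap server path quoted in the post


def parse_services(text):
    """Map (service name, protocol) -> port from /etc/services-style lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        name, port_proto = fields[0], fields[1]
        port, proto = port_proto.split("/", 1)
        if not port.isdigit():
            continue
        table[(name, proto)] = int(port)
        # any aliases after the port/proto column resolve to the same port
        for alias in fields[2:]:
            table[(alias, proto)] = int(port)
    return table


def parse_inetd_conf(text):
    """Return (service, socket type, protocol, server path) for each active entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # layout: service socktype proto wait/nowait user server args...
        if len(fields) < 6:
            continue
        entries.append((fields[0], fields[1], fields[2], fields[5]))
    return entries


def inetd_tcp_listeners(services_text, inetd_text):
    """Resolve every inetd stream/tcp entry to (port, service, server path)."""
    ports = parse_services(services_text)
    listeners = []
    for service, socktype, proto, server in parse_inetd_conf(inetd_text):
        if socktype != "stream" or not proto.startswith("tcp"):
            continue
        port = ports.get((service, "tcp"))
        if port is None:  # name not in /etc/services: inetd would refuse it
            continue
        listeners.append((port, service, server))
    return sorted(listeners)


def trap_ports(services_text, inetd_text, trap_program=TRAP_PROGRAM):
    """Ports served by the trap program. They answer a half-open probe as open,
    yet cannot log it: inetd only execs the trap after accept() completes."""
    return [port for port, _, server in inetd_tcp_listeners(services_text, inetd_text)
            if server == trap_program]


if __name__ == "__main__":
    for port in trap_ports(SERVICES_TEXT, INETD_CONF_TEXT):
        print(f"port {port}/tcp: inetd trap, logs only completed connections")
```

Run against a host's real files by reading them into `services_text` and `inetd_text`; every port the script reports is one where the application-layer event log says nothing about SYN-only probes, so the corresponding detection has to come from the packet filter or kernel logging in front of inetd.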

