Discovering Firewalls

by suN8Hclf  (suN8Hclf@vp.pl)

0x00: Introduction

Setting up a firewall is one of the most important and basic elements of a security policy.

They are used to prevent unauthorized users from accessing protected computers and networks.  Basically, firewalls can be divided into two groups: hardware firewalls and software ones.

Hardware firewalls are often placed on the route between a protected network and the Internet.  Their task is to analyze all network traffic.  Then, on the basis of rules defined by the system administrator, they decide what to do with every packet.  These firewalls also have their own IP address.

Software firewalls are just computer programs which monitor other applications.  Such firewalls see if other programs want, for example, to establish a new connection, and then decide whether to allow them or not.  Software firewalls very often block incoming connections from the "outside" Internet.

I'll now describe a few techniques which can be used to determine if there is a firewall on the way to a target and then to discover the type and version of the firewall.

0x01: Discovering Firewalls

There are a few different methods you can use to see if there is a firewall between your computer and some remote host.

Basic Traceroute:  The traceroute program traces the route to a host using ICMP or UDP packets and the TTL field in the IP header.  Most firewalls block ICMP requests and responses.

Just type:

$ traceroute www.server.com
...
3. router1.main.com
4. router2.main.com
5. * * *

As you can see, Host 5 in the above example has not sent us an ICMP response.  So this host might be a firewall.

TCP Traceroute:  Now, we'll try to determine the IP address of the firewall.  To do this, we have to go through the firewall, which is Host 5 in our case.  Most of them allow particular types of TCP traffic; therefore, we can try to send a TCP packet to a "popular" port such as 80, which is used for HTTP.

# hping2 -T -t 1 -S -p 80 www.server.com
...
hop=4 TTL 0 during transmit from ip=10.1.1.225 name=router2.main.com
hop=5 TTL 0 during transmit from ip=10.2.2.225 name=UNKNOWN
...

As you can see, we were able to go through, and we now know that the IP address of the firewall is 10.2.2.225 and that its name is unknown.

TTL Differences:  The TTL field is decremented every time an IP packet goes through a network device.  Therefore, we can assume that if a server is protected by a firewall, every packet that comes from the server itself will have a TTL value different from packets which come directly from the firewall, since the firewall sits one hop closer to us.  To examine this, we can send one TCP packet to a port which we know is open and one packet to a closed port.

The first packet will look like this:

# hping2 -S -p 80 -c 1 www.server.com
...
len=46 ip=192.168.0.4 flags=SA DF seq=0 ttl=27 id=0 win=5820 rtt=9.2 ms
...

The second packet will look like this:

# hping2 -S -p 9999 -c 1 www.server.com
...
len=46 ip=192.168.0.4 flags=SA DF seq=0 ttl=28 id=0 win=0 rtt=9.2 ms
...

The TTL value is 27 in the first example and 28 in the second: the reply to the closed port was sent from one hop closer to us than the reply to the open port.  This is the most important evidence that www.server.com is behind a hardware firewall.
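As an added worked example (not the article's own code), here is a small Python script that parses hping2 reply lines like the two above and applies the TTL comparison.  The sample lines are constructed from the article's output; the initial TTL values 64, 128 and 255 are the usual operating-system defaults and are assumed here so that two replies can be compared by estimated hop count even when the firewall and the server start from different initial TTLs.

```python
import re

# Constructed hping2 reply lines, modelled on the article's output.
OPEN_PORT_REPLY = "len=46 ip=192.168.0.4 flags=SA DF seq=0 ttl=27 id=0 win=5820 rtt=9.2 ms"
CLOSED_PORT_REPLY = "len=46 ip=192.168.0.4 flags=SA DF seq=0 ttl=28 id=0 win=0 rtt=9.2 ms"

# hping2 prints its reply as space-separated key=value pairs (plus a bare "DF").
_FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Common initial TTLs (assumed): 64 for Linux/BSD, 128 for Windows, 255 for many routers.
INITIAL_TTLS = (64, 128, 255)


def parse_hping_reply(line):
    """Turn one hping2 reply line into a dict; the ttl field becomes an int."""
    fields = dict(_FIELD_RE.findall(line))
    if "ttl" not in fields or "ip" not in fields:
        raise ValueError("not an hping2 reply line: %r" % line)
    fields["ttl"] = int(fields["ttl"])
    return fields


def estimate_hops(ttl):
    """Estimate routers crossed, assuming the nearest common initial TTL >= ttl."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("ttl out of range: %d" % ttl)


def compare_replies(open_line, closed_line):
    """Apply the article's check: a closed-port reply that crossed fewer hops than
    the open-port reply was generated by a device in front of the server."""
    open_reply = parse_hping_reply(open_line)
    closed_reply = parse_hping_reply(closed_line)
    open_hops = estimate_hops(open_reply["ttl"])
    closed_hops = estimate_hops(closed_reply["ttl"])
    return {
        "open_ttl": open_reply["ttl"],
        "closed_ttl": closed_reply["ttl"],
        "open_hops": open_hops,
        "closed_hops": closed_hops,
        "hop_difference": open_hops - closed_hops,
        "intermediate_device_likely": closed_hops < open_hops,
    }


if __name__ == "__main__":
    for key, value in compare_replies(OPEN_PORT_REPLY, CLOSED_PORT_REPLY).items():
        print("%-27s %s" % (key + ":", value))
```

Comparing estimated hop counts rather than raw TTLs matters when the firewall and the server run different operating systems: a raw difference of, say, 65 between replies starting at 64 and 128 is meaningless, while a one-hop difference is the signal the article describes.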

0x02: Identifying Firewalls

Now that we know the IP address of the firewall, we can try to determine the type and version of the firewall.

Simple Banner Grabbing:  This is probably the best-known technique.  Just Telnet to the firewall and read all messages that it sends in response.

You can also use Netcat:

# nc -vv firewall.main.com

TCP Footprinting:  Every operating system's IP stack differs in small ways from every other operating system's.  The presence of software firewalls also changes the behavior of the IP stack in small ways.  Knowing these differences can be a clue to determine the operating system or type of the firewall.  There are lots of programs which are useful during this process, such as Nmap, p0f, and Xprobe.

When we know the IP address of the firewall or simply the name of the server, we can use Nmap to fingerprint it:

# nmap -sS -O www.server.com
# nmap -sS -O firewall.main.com

Default Ports:  Most firewalls use particular well-known ports for remote tasks such as remote administration, remote configuration, or remote logging.  Here are some default ports which can aid in identifying the firewall: the Symantec Enterprise Firewall listens on TCP ports 888 and 2456, and the Check Point FW1-NG listens on TCP ports 256, 257, 18181, and 18190.

0x03: Conclusion

This article is only a small introduction to the fingerprinting of firewalls.

This topic is very wide and, like port scanning or exploiting buffer overflows, very important to hackers.

Special thanks to Mr P. Sobczak, Mrs M. Domosud (for trust), M. Slaski, P. Jeda, P. Wieczorek, D. Zagalski, Oin, Die_Angel, and abwmiZ (for inspiration).
