how to detect an external IPS or firewall

[sl33p]

Hi guys,

I am performing an authorized blackbox pentest (without any previous knowledge of the attacked network).

I need to know how to detect an external IPS/Firewall, because I think that it's blocking my scans.

I tried hping3 (XXX.XXX.XXX.XXX is the IP Address):

Code:

hping3 -S -p 25 --traceroute -V XXX.XXX.XXX.XXX

And noticed that there are 2 devices responding (different ID's on the TCP packet). Is this assumption correct? Here it goes the output:

Code:

len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=29792 tos=0 iplen=44
sport=25 flags=SA seq=11 win=5840 rtt=17.3 ms
seq=3388072850 ack=224301 sum=eacf urp=0

len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=55392 tos=0 iplen=44
sport=25 flags=SA seq=12 win=5840 rtt=19.1 ms
seq=3528531323 ack=1238135492 sum=413d urp=0

DUP! len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=56672 tos=0 iplen=44
sport=25 flags=SA seq=8 win=5840 rtt=4066.7 ms
seq=544745881 ack=979545101 sum=21b9 urp=0

DUP! len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=52577 tos=0 iplen=44
sport=25 flags=SA seq=11 win=5840 rtt=3463.8 ms
seq=3388072850 ack=224301 sum=eacf urp=0

len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=1122 tos=0 iplen=44
sport=25 flags=SA seq=15 win=5840 rtt=14.1 ms
seq=3627026674 ack=2133064936 sum=6c8c urp=0

Could anyone with good TCP-IP knowledg help me out?

Thanks in advance!

[thorin]

Hi guys,

I am performing an authorized blackbox pentest (without any previous knowledge of the attacked network).

I need to know how to detect an external IPS/Firewall, because I think that it's blocking my scans.

1) If you're doing this work one would hope that you already posses this knowledge.
2) Tracerouting from multiple locations can give you a good idea.
3) Service/system identification scans can give you a good idea.
4) Observations of target behavior can give you a good idea.
5) Ask the client if they're blocking traffic from your source address.

I tried hping3 (XXX.XXX.XXX.XXX is the IP Address):

Code:

hping3 -S -p 25 --traceroute -V XXX.XXX.XXX.XXX

And noticed that there are 2 devices responding (different ID's on the TCP packet). Is this assumption correct? Here it goes the output:

Code:

len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=29792 tos=0 iplen=44
sport=25 flags=SA seq=11 win=5840 rtt=17.3 ms
seq=3388072850 ack=224301 sum=eacf urp=0

len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=55392 tos=0 iplen=44
sport=25 flags=SA seq=12 win=5840 rtt=19.1 ms
seq=3528531323 ack=1238135492 sum=413d urp=0

DUP! len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=56672 tos=0 iplen=44
sport=25 flags=SA seq=8 win=5840 rtt=4066.7 ms
seq=544745881 ack=979545101 sum=21b9 urp=0

DUP! len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=52577 tos=0 iplen=44
sport=25 flags=SA seq=11 win=5840 rtt=3463.8 ms
seq=3388072850 ack=224301 sum=eacf urp=0

len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=1122 tos=0 iplen=44
sport=25 flags=SA seq=15 win=5840 rtt=14.1 ms
seq=3627026674 ack=2133064936 sum=6c8c urp=0

Could anyone with good TCP-IP knowledg help me out?

Thanks in advance!

First the output you've provided does not match the command you've quoted. If you did --traceroute you should have hop counts and info.

I'm pretty sure those marked with DUP! are duplicates, retransmitted for whatever reason. In the results you've quoted it seems packet 4 is a duplicate of packet 1. id should be different for every packet, even those that are retransmitted. From just these limited hping3 results I don't see anything that would lead me to believe XXX.XXX.XXX.XXX is a IDS or FW, there are insufficient details to draw a conclusion.

PS - Your sig seems amusingly applicable in response to your post.

"If you can't describe what you are doing as a process, you don't know what you're doing."
W. Edwards Deming

[Gitsnik]

Ignoring the dup packets for a moment, my "assumption" at this point would actually be that the SMTP service is load balanced in hardware somewhere, or that it's really really doing a lot of network traffic. If the system is load balanced, you may be seeing two different machines responding on the same IP address. These sorts of systems tend to be identical anyway so it doesn't really matter. You should still be able to walk the firewall between.

[kill_box001]

have you run a nmap scan of the ip domain...without having to get technical you could just try an agressive nmap scan of the ipaddress and see what results are returned for the subnet...this might not achieve the results as an agressive scan will most likely trigger off IPS and IDS systems, but it will give a starting point

[purehate]

have you run a nmap scan of the ip domain...without having to get technical you could just try an agressive nmap scan of the ipaddress and see what results are returned for the subnet...this might not achieve the results as an agressive scan will most likely trigger off IPS and IDS systems, but it will give a starting point

If it is a Black Box pen test, the LAST thing you want to do is run nmap in Aggressive mode. Just my opinion though, YMMV.

[kill_box001]

If it is a Black Box pen test, the LAST thing you want to do is run nmap in Aggressive mode. Just my opinion though, YMMV.

my bad i kinda skipped over the Black Box part...dont use nmap in agressive mode

[Archangel-Amael]

If it is a Black Box pen test, the LAST thing you want to do is run nmap in Aggressive mode. Just my opinion though, YMMV.

I would say that if one is running nmap through proxies then running in aggressive mode might not be all that bad. First we are not worrying about the end host IP address, if it gets blocked by the IDS/IPS. Second the packets being blocked by the IPS should indicate that indeed an IPS is in place.
Granted there are different ways to go about this, this is just my opinion on the matter.
But what you need to do if you are worried is look into crafting ethernet frames for promiscuous NICS.
You could also check into "p0f" and "Xprobe". Check the sans IDS faq they have a huge amount of info on the subject.

[gunrunr]

a nice nmap scan that can be used by an attacker who has intimate knowledge of the network or company...through methods such as social engineering is the zombie host scan. This scan will let you hide your ip and if done correctly gives you a truly blind tcp port scan, through the use of a trusted ip address. More information can be found here TCP Idle Scan (-sI) or you can check it out in fyodor's awesome guide to nmap.