Thread: how to detect an external IPS or firewall

  1. #1 sl33p (Join Date: Jan 2010; Posts: 19)

    how to detect an external IPS or firewall

    Hi guys,

    I am performing an authorized blackbox pentest (without any previous knowledge of the attacked network).

    I need to know how to detect an external IPS/Firewall, because I think that it's blocking my scans.

    I tried hping3 (XXX.XXX.XXX.XXX is the IP Address):
    Code:
    hping3 -S -p 25 --traceroute -V XXX.XXX.XXX.XXX
    And noticed that there are 2 devices responding (different IDs on the TCP packet). Is this assumption correct? Here is the output:

    Code:
    len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=29792 tos=0 iplen=44
    sport=25 flags=SA seq=11 win=5840 rtt=17.3 ms
    seq=3388072850 ack=224301 sum=eacf urp=0
    
    len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=55392 tos=0 iplen=44
    sport=25 flags=SA seq=12 win=5840 rtt=19.1 ms
    seq=3528531323 ack=1238135492 sum=413d urp=0
    
    DUP! len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=56672 tos=0 iplen=44
    sport=25 flags=SA seq=8 win=5840 rtt=4066.7 ms
    seq=544745881 ack=979545101 sum=21b9 urp=0
    
    DUP! len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=52577 tos=0 iplen=44
    sport=25 flags=SA seq=11 win=5840 rtt=3463.8 ms
    seq=3388072850 ack=224301 sum=eacf urp=0
    
    len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=1122 tos=0 iplen=44
    sport=25 flags=SA seq=15 win=5840 rtt=14.1 ms
    seq=3627026674 ack=2133064936 sum=6c8c urp=0
    Could anyone with good TCP/IP knowledge help me out?

    Thanks in advance!
    "If you can't describe what you are doing as a process, you don't know what you're doing."
    W. Edwards Deming

  2. #2 thorin (Join Date: Jan 2010; Posts: 2,629)

    Re: how to detect an external IPS or firewall

    Quote Originally Posted by sl33p:
    Hi guys,

    I am performing an authorized blackbox pentest (without any previous knowledge of the attacked network).

    I need to know how to detect an external IPS/Firewall, because I think that it's blocking my scans.
    1) If you're doing this work one would hope that you already possess this knowledge.
    2) Tracerouting from multiple locations can give you a good idea.
    3) Service/system identification scans can give you a good idea.
    4) Observations of target behavior can give you a good idea.
    5) Ask the client if they're blocking traffic from your source address.

    [quoted from post #1: the hping3 command and its output, as shown above]
    First the output you've provided does not match the command you've quoted. If you did --traceroute you should have hop counts and info.

    I'm pretty sure those marked with DUP! are duplicates, retransmitted for whatever reason. In the results you've quoted it seems packet 4 is a duplicate of packet 1. id should be different for every packet, even those that are retransmitted. From just these limited hping3 results I don't see anything that would lead me to believe XXX.XXX.XXX.XXX is an IDS or FW; there are insufficient details to draw a conclusion.

    PS - Your sig seems amusingly applicable in response to your post.
    "If you can't describe what you are doing as a process, you don't know what you're doing."
    W. Edwards Deming
    Last edited by thorin; 07-06-2010 at 07:56 PM.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3 Gitsnik (Join Date: Jan 2010; Location: The Crystal Wind; Posts: 851)

    Re: how to detect an external IPS or firewall

    Ignoring the dup packets for a moment, my "assumption" at this point would actually be that the SMTP service is load balanced in hardware somewhere, or that it's really really doing a lot of network traffic. If the system is load balanced, you may be seeing two different machines responding on the same IP address. These sorts of systems tend to be identical anyway so it doesn't really matter. You should still be able to walk the firewall between.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
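The checks thorin (post #2) and Gitsnik (post #3) describe, applied to the hping3 output quoted in post #1, as an added Python example that is not part of the thread: it parses hping3's three-line reply records, groups replies by hping's probe sequence number so that a retransmitted SYN-ACK (same TCP seq/ack, different IP id) is told apart from two different stacks answering the same SYN, and compares the TTL of every reply and the hop distance it implies, because a reply arriving from a different hop count than the SYN-ACKs (typically a RST injected by a filtering device in front of the host) is the simplest sign of a second device on the path. The parser, the hop estimate from common initial TTLs, and the second, RST-bearing sample are assumptions and constructions of this example; the first sample is the thread's own output with the address masked as in the post.

```python
import re
from collections import defaultdict

# hping3 replies quoted in post #1 (address masked as in the thread).
THREAD_OUTPUT = """\
len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=29792 tos=0 iplen=44
sport=25 flags=SA seq=11 win=5840 rtt=17.3 ms
seq=3388072850 ack=224301 sum=eacf urp=0

len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=55392 tos=0 iplen=44
sport=25 flags=SA seq=12 win=5840 rtt=19.1 ms
seq=3528531323 ack=1238135492 sum=413d urp=0

DUP! len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=56672 tos=0 iplen=44
sport=25 flags=SA seq=8 win=5840 rtt=4066.7 ms
seq=544745881 ack=979545101 sum=21b9 urp=0

DUP! len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=52577 tos=0 iplen=44
sport=25 flags=SA seq=11 win=5840 rtt=3463.8 ms
seq=3388072850 ack=224301 sum=eacf urp=0

len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=1122 tos=0 iplen=44
sport=25 flags=SA seq=15 win=5840 rtt=14.1 ms
seq=3627026674 ack=2133064936 sum=6c8c urp=0
"""

# Constructed sample (not from the thread): a SYN-ACK from the real host at
# ttl=58 and a RST to another port arriving with ttl=61, i.e. from a device
# about three hops closer to the scanner, which is how a filtering device in
# front of the host usually betrays itself.
CONSTRUCTED_OUTPUT = """\
len=44 ip=XXX.XXX.XXX.XXX ttl=58 DF id=30111 tos=0 iplen=44
sport=25 flags=SA seq=0 win=5840 rtt=16.9 ms
seq=2210345678 ack=1 sum=0a1b urp=0

len=40 ip=XXX.XXX.XXX.XXX ttl=61 id=0 tos=0 iplen=40
sport=23 flags=RA seq=1 win=0 rtt=9.2 ms
seq=0 ack=1 sum=9c3d urp=0
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_hping(text):
    """Parse hping3's three-line reply records into dicts.

    Line 1 carries the IP header (ttl, id, DF), line 2 the TCP flags, hping's
    own probe sequence number and the window, line 3 the TCP seq/ack numbers.
    """
    replies = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        ip_hdr, tcp_hdr, tcp_nums = (dict(KV.findall(ln)) for ln in lines[:3])
        replies.append({
            "dup": lines[0].startswith("DUP!"),  # hping already saw an answer to this probe
            "df": " DF " in f" {lines[0]} ",
            "ttl": int(ip_hdr["ttl"]),
            "id": int(ip_hdr["id"]),
            "flags": tcp_hdr["flags"],
            "probe_seq": int(tcp_hdr["seq"]),     # hping's counter, not the TCP seq
            "win": int(tcp_hdr["win"]),
            "rtt_ms": float(tcp_hdr["rtt"]),
            "tcp_seq": int(tcp_nums["seq"]),
            "ack": int(tcp_nums["ack"]),
        })
    return replies


def retransmissions(replies):
    """Classify every probe that received more than one answer.

    Identical TCP seq/ack across the answers means the same socket resent its
    SYN-ACK (the IP id still differs, every datagram gets a fresh one);
    different seq/ack would mean two stacks answered the same SYN.
    """
    by_probe = defaultdict(list)
    for r in replies:
        by_probe[r["probe_seq"]].append(r)
    verdict = {}
    for probe, answers in by_probe.items():
        if len(answers) < 2:
            continue  # a lone DUP! (probe 8 here) answers a probe outside the excerpt
        first = (answers[0]["tcp_seq"], answers[0]["ack"])
        same = all((a["tcp_seq"], a["ack"]) == first for a in answers)
        verdict[probe] = "retransmit" if same else "distinct responders"
    return verdict


def hops_from_ttl(ttl):
    """Hop estimate assuming the usual initial TTLs (64, 128, 255)."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def analyse(text):
    replies = parse_hping(text)
    ttls = sorted({r["ttl"] for r in replies})
    return {
        "replies": len(replies),
        "ip_ids_unique": len({r["id"] for r in replies}) == len(replies),
        "retransmits": retransmissions(replies),
        "ttls": ttls,
        "hops": sorted(hops_from_ttl(t) for t in ttls),
        "windows": sorted({r["win"] for r in replies}),
        # Replies at different hop distances cannot all come from one host
        # over the same path: suspect a firewall/IPS answering on its behalf.
        "second_device_suspected": len(ttls) > 1,
    }


if __name__ == "__main__":
    for label, text in (("thread", THREAD_OUTPUT), ("constructed", CONSTRUCTED_OUTPUT)):
        print(label, analyse(text))
```

For the thread's own output this reports one retransmitted SYN-ACK (probe 11), unique IP ids, a single TTL of 58 and a single window of 5840, so nothing in that excerpt separates a second device from one host; for the constructed sample the RST at ttl=61 stands out as coming from roughly three hops nearer. Identical load-balanced backends, as Gitsnik notes, would not show up here either, since their replies carry the same TTL and window.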

  4. #4 kill_box001 (Junior Member; Join Date: Apr 2009; Location: not telling; Posts: 26)

    Re: how to detect an external IPS or firewall

    Have you run an nmap scan of the IP domain? Without having to get technical you could just try an aggressive nmap scan of the IP address and see what results are returned for the subnet. This might not achieve the results, as an aggressive scan will most likely trigger IPS and IDS systems, but it will give a starting point.

  5. #5 purehate (Developer; Join Date: Mar 2007; Posts: 6,126)

    Re: how to detect an external IPS or firewall

    Quote Originally Posted by kill_box001 (post #4, quoted in full)
    If it is a Black Box pen test, the LAST thing you want to do is run nmap in Aggressive mode. Just my opinion though, YMMV.

  6. #6 kill_box001 (Junior Member; Join Date: Apr 2009; Location: not telling; Posts: 26)

    Re: how to detect an external IPS or firewall

    Quote Originally Posted by purehate:
    If it is a Black Box pen test, the LAST thing you want to do is run nmap in Aggressive mode. Just my opinion though, YMMV.
    My bad, I kinda skipped over the Black Box part... don't use nmap in aggressive mode.

  7. #7 Archangel-Amael (Super Moderator; Join Date: Jan 2010; Location: Somewhere; Posts: 8,012)

    Re: how to detect an external IPS or firewall

    Quote Originally Posted by purehate:
    If it is a Black Box pen test, the LAST thing you want to do is run nmap in Aggressive mode. Just my opinion though, YMMV.
    I would say that if one is running nmap through proxies then running in aggressive mode might not be all that bad. First we are not worrying about the end host IP address, if it gets blocked by the IDS/IPS. Second the packets being blocked by the IPS should indicate that indeed an IPS is in place.
    Granted there are different ways to go about this, this is just my opinion on the matter.
    But what you need to do if you are worried is look into crafting Ethernet frames for promiscuous NICs.
    You could also check into "p0f" and "Xprobe". Check the SANS IDS FAQ; they have a huge amount of info on the subject.

  8. #8 gunrunr (Join Date: Jan 2010; Location: shining my spoon; Posts: 265)

    Re: how to detect an external IPS or firewall

    A nice nmap scan that can be used by an attacker who has intimate knowledge of the network or company, through methods such as social engineering, is the zombie host scan. This scan will let you hide your IP and, if done correctly, gives you a truly blind TCP port scan through the use of a trusted IP address. More information can be found here: TCP Idle Scan (-sI), or you can check it out in Fyodor's awesome guide to nmap.
    Wielder of the spoon of doom
    Summercon, Toorcon, Defcon, Bsides, Derbycon, Shmoocon oh my
    Come hang out with hackers on twitter @gunrunr556
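The idle (zombie) scan gunrunr describes, as an added Python simulation that is not part of the thread and is not nmap's code: a toy host model with the single, incrementing IP ID counter the technique depends on in the zombie, and the three-step round (probe the zombie's IP ID, send the target a SYN spoofed from the zombie, probe the zombie again). The delta thresholds are nmap's documented interpretation (1 means closed or filtered, 2 means open, anything else means the zombie was not idle); the Host class, the port states and the starting IP IDs are constructed for the example, and the `background` parameter injects the scan's main failure mode, a zombie that is generating its own traffic.

```python
class Host:
    """Toy IP stack with one global IP ID counter incremented per datagram sent,
    the old, predictable behaviour an idle scan needs from its zombie."""

    def __init__(self, name, ipid=1000, open_ports=(), filtered_ports=()):
        self.name = name
        self.ipid = ipid
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)
        self.log = []  # (description, ipid) of every datagram this host emitted

    def send(self, what):
        self.ipid = (self.ipid + 1) % 65536
        self.log.append((what, self.ipid))
        return self.ipid

    # --- target-side behaviour ---------------------------------------------
    def receive_syn(self, src, port):
        """Answer a SYN the way a real stack would, depending on the port state."""
        if port in self.filtered_ports:
            return                               # dropped by a filter: no reply at all
        if port in self.open_ports:
            self.send(f"SYN/ACK to {src.name}")
            src.receive_unexpected_synack(self)
        else:
            self.send(f"RST to {src.name}")      # closed port; the zombie ignores a RST

    # --- zombie-side behaviour ---------------------------------------------
    def receive_unexpected_synack(self, src):
        """A SYN/ACK for a connection this host never opened is answered with RST."""
        self.send(f"RST to {src.name}")

    def receive_synack_probe(self, src):
        """The scanner's SYN/ACK probe; the RST reply carries the current IP ID."""
        return self.send(f"RST to {src.name}")


def idle_scan(scanner, zombie, target, port, background=0):
    """One idle-scan round against `port`, returning nmap's reading of the
    zombie's IP ID delta. `background` models unrelated datagrams from a
    zombie that is not actually idle."""
    before = zombie.receive_synack_probe(scanner)
    # Spoofed SYN: the target believes it came from the zombie and answers there,
    # so the target never sees the scanner's address.
    target.receive_syn(zombie, port)
    for _ in range(background):
        zombie.send("unrelated traffic")
    after = zombie.receive_synack_probe(scanner)
    delta = (after - before) % 65536             # survives the 16-bit wrap-around
    if delta == 1:
        return "closed|filtered"                 # zombie sent nothing in between
    if delta == 2:
        return "open"                            # zombie RST'd the target's SYN/ACK
    return "unreliable"                          # zombie not idle, or IP IDs not sequential


def scan_ports(scanner, zombie, target, ports, background=0):
    return {p: idle_scan(scanner, zombie, target, p, background) for p in ports}


if __name__ == "__main__":
    scanner = Host("scanner")
    zombie = Host("zombie", ipid=65534)          # starts next to the wrap-around on purpose
    target = Host("target", open_ports={25, 443}, filtered_ports={80})
    print(scan_ports(scanner, zombie, target, [22, 25, 80, 443]))
    print(scan_ports(scanner, zombie, target, [25], background=3))
    print("target ever saw the scanner:", any("scanner" in what for what, _ in target.log))
```

The last line is the point of the technique: every datagram the target emits is addressed to the zombie, so the target's logs (and an IDS watching it) only ever see the trusted zombie address. The "unreliable" verdict is equally important in practice; a zombie that is not quiet, or a modern stack with per-connection or randomised IP IDs, makes the delta meaningless rather than merely noisy.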
