RE: traceroute interpretations, where is the firewall ?

From: Paul Melson (pmelson@gmail.com)
Date: Wed Dec 13 2006 - 15:02:14 EST


-----Original Message-----
Subject: traceroute interpretations, where is the firewall ?

> I cannot find any plausible explanation about why web server's TTL in the
> UDP traceroute is 55 (is it some kind of cloaking ?)
...
> 6 X.X.X.X 16.883 ms (250) 14.179 ms (250) 48.096 ms (250)
> 7 X.X.X.X 55.970 ms (249) 14.518 ms (249) 17.161 ms (249)
> 8 X.X.X.X 18.400 ms (247) 17.086 ms (247) 32.555 ms (247)
> 9 192.168.0.94 (not real address) 89.282 ms (247) 164.469 ms (247) 87.946 ms (247)
> 10 192.168.98.3 (not real address) 192.122 ms (55) 228.251 ms (55) 193.657 ms (55)

The firewall is between hops 9 and 10 - note the change in TTL in the UDP
traceroute. This is reproducible with several stateful firewalls - PIX,
Check Point, etc. This isn't "cloaking" or any attempt at stealth. In
fact, it's just the opposite - you can use this to identify the presence of
a firewall or a router performing NAT. It's due to the firewall having a
default TTL of 64 instead of 256 (which is what your host is using). The
firewall rewrites the traceroute packets without copying the original TTL
value.

> what do you think hop 10 in icmp traceroute is ?

Hop 10 would be 192.168.98.3, the NAT address of the web server.

> 192.168.0.94 is a firewall ?

Nope. Probably a router interface adjacent to the firewall. Stateful/NAT
firewalls don't usually show up as a hop in traceroute.

> I know that the firewall is a watchguard (social engineering), do you think
> this can help (personally I don't know how, I didn't find any exploitable
> vuln on public databases) ?

A quick Google search reveals that admin/admin is the default login for a
Firebox X appliance. You might see if you can find open management services
like SSH and HTTPS. Or, if you penetrate a server behind the firewall, you
can try and connect to the firewall from that server, since default
configuration for most firewalls is to allow management connections from
behind the inside interface.

If nothing else, determining the make, model, and software version will tell
you what their capabilities are. It may be that the firewall can detect and
prevent some types of attacks over HTTP. Knowing this may explain some
results you have within the app and give you ideas as to how to evade the
firewall.

So, in short, it's definitely valuable knowledge.

> I used standard linux traceroute and tctrace. Any other suggestions about
> tools to discover the firewall and its rules ?

http://www.wittys.com/files/mab/fwpentesting.html

It's an old article, but most of these tricks still work.

PaulM
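The TTL-drop heuristic Paul describes, as an added example that is not part of the original thread: a small script that parses the `(ttl)`-annotated traceroute lines quoted above, rounds each reply TTL up to the nearest common initial TTL (32, 64, 128, 255; this table and the rounding rule are assumptions of the example), and reports the hop pair where the inferred initial TTL changes. The sample input is the excerpt from the post, reproduced here as constructed data; all function names are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the traceroute excerpt quoted in the post above.
SAMPLE_TRACEROUTE = """\
 6 X.X.X.X 16.883 ms (250) 14.179 ms (250) 48.096 ms (250)
 7 X.X.X.X 55.970 ms (249) 14.518 ms (249) 17.161 ms (249)
 8 X.X.X.X 18.400 ms (247) 17.086 ms (247) 32.555 ms (247)
 9 192.168.0.94 (not real address) 89.282 ms (247) 164.469 ms (247) 87.946 ms (247)
10 192.168.98.3 (not real address) 192.122 ms (55) 228.251 ms (55) 193.657 ms (55)
"""

# Assumption: initial TTLs used by common IP stacks. An observed reply TTL is
# rounded up to the nearest of these to guess what the replying device started with.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

HOP_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")
TTL_FIELD = re.compile(r"\((\d+)\)")  # only "(digits)", so "(not real address)" is ignored

Hop = Tuple[int, str, List[int]]  # (hop number, address, reply TTL per probe)


def guess_initial_ttl(observed: int) -> Optional[int]:
    """Smallest common initial TTL that is >= the observed reply TTL, or None if > 255."""
    for initial in COMMON_INITIAL_TTLS:
        if observed <= initial:
            return initial
    return None


def parse_hops(text: str) -> List[Hop]:
    """Parse '(ttl)'-annotated traceroute lines; hops that answered only with '*' are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        ttls = [int(t) for t in TTL_FIELD.findall(m.group(3))]
        if ttls:
            hops.append((int(m.group(1)), m.group(2), ttls))
    return hops


def find_ttl_boundaries(hops: List[Hop]) -> List[Tuple[int, int, int, int]]:
    """Adjacent hops whose inferred initial TTL differs: (prev_hop, next_hop, prev_initial, next_initial).

    A drop such as 255 -> 64 between two hops is the pattern described in the post:
    whatever answers for the later hop (or rewrites its packets) started the reply
    with a different TTL than the routers before it.
    """
    boundaries: List[Tuple[int, int, int, int]] = []
    prev: Optional[Tuple[int, int]] = None  # (hop number, inferred initial TTL)
    for hop, _addr, ttls in hops:
        # Take the most common per-probe guess so a single odd probe (e.g. a
        # different return path) does not create a false boundary.
        guesses = [g for g in (guess_initial_ttl(t) for t in ttls) if g is not None]
        if not guesses:
            continue
        initial = max(set(guesses), key=guesses.count)
        if prev is not None and initial != prev[1]:
            boundaries.append((prev[0], hop, prev[1], initial))
        prev = (hop, initial)
    return boundaries


def report(text: str) -> List[str]:
    """One line per parsed hop, then one line per detected TTL boundary."""
    hops = parse_hops(text)
    lines: List[str] = []
    for hop, addr, ttls in hops:
        initial = guess_initial_ttl(max(ttls))
        reply_dist = (initial - max(ttls)) if initial is not None else None
        lines.append(f"hop {hop:2d} {addr:<15} reply TTL {ttls} -> initial ~{initial}, "
                     f"reply path ~{reply_dist} hops")
    for prev_hop, next_hop, before, after in find_ttl_boundaries(hops):
        lines.append(f"initial TTL changes {before} -> {after} between hop {prev_hop} and hop "
                     f"{next_hop}: candidate stateful firewall / NAT boundary")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACEROUTE)))
```

On the sample this flags the 255 -> 64 change between hops 9 and 10, matching the reply above. The "reply path" figure is just initial minus observed TTL and describes the return path, which need not equal the forward hop count. A boundary only says the replying stack (or a device rewriting the packets) uses a different initial TTL; it does not by itself distinguish a firewall from a host with a different OS, so confirm it with the firewalking techniques from the linked article.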

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:27 EDT