RE: NAT is present?

From: Philippe Bogaerts (xxradar@radarhack.com)
Date: Thu Sep 15 2005 - 03:22:15 EDT

• Next message: Luke Eckley: "Re: Pen test, tcp/1404 found - advice needed"
• Previous message: Marco Monicelli: "Re: Exploiting a Worm"
• In reply to: Volker Tanger: "Re: NAT is present?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

http://www.nta-monitor.com/ike-scan/ could reveal more accurately if this is
a checkpoint or not; whether secureremote/client is in use or not (IPSEC and
IKE, topology download.

If you want a test scenario, I once wrote it down,
http://www.radarhack.com/dir/papers/Scanning%20the%20Check%20Point%20VPN.pdf

Greetings,
xxradar

-----Original Message-----
From: Volker Tanger [mailto:vtlists@wyae.de]
Sent: Monday, September 12, 2005 11:59 PM
To: pen-test@securityfocus.com
Subject: Re: NAT is present?

Greetings!

On Mon, 12 Sep 2005 08:21:58 +0200
"xxradar" <xxradar@radarhack.com> wrote:

> Hey,
> .1 seems to be a checkpoint firewall (264 is a checkpoint port)
> I'm pretty sure that NAT rules in checkpoint can be configured to
> behave like this on purpose (or by mistake)
>
> -----Original Message-----
> From: pinoch0@gmail.com [mailto:pinoch0@gmail.com]
>
> *.*.*.1
>
> PORT STATE SERVICE
> 264/tcp open bgmp
> 500/tcp open isakmp
[...]
> All the host of the subnet seems to have http and https open but when

Sounds a lot like a CKP FW1 with the HTTP "security server" enabled,
which generally is allowing HTTP/HTTPS from the network you scanned
from. This "ports-open-to-all-servers-but-does-not-work" behaviour is
common among all proxy-based firewalls (e.g. Raptor, Symantec) or
firewall content servers (e.g. CheckPoint, Astaro, Innominate mGuard) as
the proxy generally has to accept all traffic and is deciding AFTER
initial connect wether the connection is allowed.

Technically this could be changed e.g. by packet filters that restrict
access *before* the traffic is redirected to the proxy, but this usually
is regarded as superfluous. Maybe the double management (PF *and* proxy
rules) is regarded as too complicated? I am not sure about the
performance impact of such double-filtering, but in high illegal load
scenarios the additional PF probably is preventing the system to get
into high(er) load compared to a "blank" proxy approach that is so
common. I know of one technical reason for this, though: traffic
redirection to the local proxy usually is done in the pre-routing PF
table, while "normal" PF rules follow later in the "forward" PF rules.
Adding PF rules in thw forward chain will never be reached of course,
and thus it is sensible to leave such PF rules out.

Back to CheckPoint:

264/tcp is another hint, while nominally reserved for BGMP
(http://netweb.usc.edu/bgmp/), here everything looks like Checkpoint.
They are using this port for the "Check Point VPN-1 SecuRemote Topology
Requests", which is used by the CheckPoint SecuRemote/SecureClient VPN
client program. Which usually is using IPSec internally nowadays - and
with it IKE/ISAKMP at port 500.

Have you run a UDP scan too? Then you should probably find ports 500
(IKE) and 4500 (IPSec NAT traversal for CKP) open on *.*.*.1, too if
this is a CKP firewall/VPN.

Bye

Volker

-- 
Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers
do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---
-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.25/102 - Release Date: 9/14/2005
 
-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.25/102 - Release Date: 9/14/2005
 
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Luke Eckley: "Re: Pen test, tcp/1404 found - advice needed"
• Previous message: Marco Monicelli: "Re: Exploiting a Worm"
• In reply to: Volker Tanger: "Re: NAT is present?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:54 EDT