To determine the type of firewall, and even its brand, you can use your experience with port scanning and related tools to build up information about the firewall your target is running. By identifying which ports a device listens on, you can link the results to a specific firewall product and from there decide which attack or process to use to compromise or bypass the device.
Fortunately, you can perform banner grabbing with Telnet to identify the service running on a port. If you encounter a firewall that has specific ports open, that alone may help in identification; banner grabbing against those ports shows what the service reports back.
Another effective way to determine the configuration of a firewall is through firewalking. Firewalking may sound like a painful process and a test of courage, but it is actually the process of probing a firewall to determine the configuration of its ACLs by sending TCP and UDP packets at the firewall. The key to making this successful is that the packets are given a time to live (TTL) one hop greater than the distance to the firewall, so that a packet the firewall lets through expires just beyond it and elicits a response, while a packet the firewall blocks elicits nothing.
To perform a firewalk against a firewall, you need three components:
- Firewalking host: the system, outside the target network, from which the probe packets are sent to the destination host in order to gain more information about the target network
- Gateway host: the system on the target network that is connected to the Internet, through which the probe packets pass on their way into the target network
- Destination host: the target system on the target network to which the probe packets are addressed
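From the gateway host's side, the same TTL trick that makes firewalking work also makes it visible: every probe arrives with the same low TTL while the destination ports fan out. The following added example (not from the original text) flags that pattern in constructed packet records; the addresses, the `max_ttl` value of 2 and the `min_ports` threshold are assumptions for the example.

```python
"""Detect firewalking probes in packet records captured at the gateway host.

A firewalk sends TCP and UDP probes whose TTL is set to expire one hop beyond
the firewall, so at the gateway every probe arrives with the same low TTL while
the destination ports fan out. The records, addresses and thresholds here are
constructed for this example.
"""
from collections import defaultdict

# Constructed records as the gateway would log them:
# (source, protocol, destination, destination port, TTL on arrival)
RECORDS = [
    # firewalking host: many ports, TTL chosen to expire just past the gateway
    ("198.51.100.7", "tcp", "10.0.0.5", 21, 2),
    ("198.51.100.7", "tcp", "10.0.0.5", 22, 2),
    ("198.51.100.7", "tcp", "10.0.0.5", 25, 2),
    ("198.51.100.7", "tcp", "10.0.0.5", 80, 2),
    ("198.51.100.7", "tcp", "10.0.0.5", 443, 2),
    ("198.51.100.7", "udp", "10.0.0.5", 53, 2),
    # ordinary client: few ports, normal TTL
    ("203.0.113.9", "tcp", "10.0.0.5", 80, 57),
    ("203.0.113.9", "tcp", "10.0.0.5", 443, 57),
    # plain port scan: many ports but a normal TTL, so not a firewalk
    ("192.0.2.44", "tcp", "10.0.0.5", 22, 64),
    ("192.0.2.44", "tcp", "10.0.0.5", 23, 64),
    ("192.0.2.44", "tcp", "10.0.0.5", 25, 64),
    ("192.0.2.44", "tcp", "10.0.0.5", 80, 64),
    ("192.0.2.44", "tcp", "10.0.0.5", 110, 64),
]


def detect_firewalk(records, min_ports=5, max_ttl=2):
    """Return {source: sorted (proto, port) list} for sources whose probes all
    arrive with one low TTL (<= max_ttl, assumed to be the gateway's hop
    distance plus one) and spread across at least min_ports distinct ports."""
    by_src = defaultdict(list)
    for src, proto, _dst, dport, ttl in records:
        by_src[src].append((proto, dport, ttl))
    hits = {}
    for src, probes in by_src.items():
        ttls = {ttl for _, _, ttl in probes}
        targets = {(proto, dport) for proto, dport, _ in probes}
        if len(ttls) == 1 and max(ttls) <= max_ttl and len(targets) >= min_ports:
            hits[src] = sorted(targets)
    return hits


if __name__ == "__main__":
    for src, targets in detect_firewalk(RECORDS).items():
        print(f"possible firewalk from {src}: {targets}")
```

The plain port scan in the sample is deliberately not flagged: the uniform low TTL, not the port fan-out alone, is what distinguishes a firewalk from an ordinary scan.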
Once you have used firewalking to gain information about the firewall and how it responds to traffic and probes, the next step is to plan your attack. You may find it possible to use tools such as packet crafters and port redirection to evade the configuration in place.