The following article deals with basics from the Technical OSINT Manual and teaches you how to detect and enumerate firewalls and gateways of all sorts (firewalls, VPNs or application gateways). This article is aimed at beginners in the OSINT game.

By the way, I'm using my favourite tool, binaryedge, for the screenshots.

Discovery by Hostname

Let's say your task is to recon a company or domain, and you are able to perform basic passive-DNS recon against that domain, collecting as many hostnames in use as possible. All you have to do is look for names like

  • gw.example.com
  • vpn.example.com
  • secure.example.com
  • fw.example.com

Below are some real-world examples, taken from a recent scan.

here.com (vpn)

fra-a.ext.vpn.here.com (131.228.181.10)
fra-b-ext.vpn.here.com (131.228.181.11)
fra.vpn.here.com (131.228.181.12)
fra.vpn.here.com (131.228.181.9)

-----------------------------------------------

daimler.com (gw)

sagw.americas.daimler.com (141.113.144.21)
sagw.daimler.com (141.113.103.20)

-----------------------------------------------

various (secure)

secure.aov.de (193.28.21.10)
secure-bestsecret.noris.net (213.95.222.36)
secure-ccunirent-easyshare.noris.net (213.95.222.53)
secure.cinepostproduction.de (185.17.5.212)
secure-datev.noris.net (213.95.222.29)
secure-gw1-01.vocatus.de (213.155.79.108)
secure-nixdorf.noris.net (213.95.222.50)
secure.noris.net (213.95.222.6)
secure.qsc.de (195.158.160.6)
secure-vcenter.noris.net (213.95.222.13)
secure.vw-wecloud.de (213.95.222.42)

That method seems quite useful, but let's check whether there actually are gateways behind these IPs (you can always throw an IP into an OSINT database of your choice, though).
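As an added example (not code from the original article), here is a small Python script that applies the hostname heuristic above to a passive-DNS listing in the "hostname (ip)" layout shown, and groups the hits by IP so one exposed device is reported once even when several names point at it; the sample lines, example.com names and RFC 5737 addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the "hostname (ip)" layout of the listings above;
# names and RFC 5737 addresses are made up, not real scan output.
SAMPLE_PASSIVE_DNS = """\
fra-a.ext.vpn.example.com (192.0.2.10)
fra-b-ext.vpn.example.com (192.0.2.11)
fra.vpn.example.com (192.0.2.12)
fra.vpn.example.com (192.0.2.9)
sagw.example.com (198.51.100.20)
secure-gw1-01.example.net (203.0.113.108)
www.example.com (192.0.2.80)
mail.example.com (192.0.2.25)
this line is not a passive-dns record
"""
GATEWAY_KEYWORDS = ("vpn", "gw", "fw", "secure")  # the naming hints from the article

LINE_RE = re.compile(
    r"^\s*(?P<host>[A-Za-z0-9.-]+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s*$")

def gateway_hints(hostname):
    """Keywords found in the hostname's labels (split on '.' and '-'),
    so 'secure-gw1-01' yields both 'secure' and 'gw'. A keyword counts
    when a label starts with it ('gw1', 'vpn') or ends with it ('sagw')."""
    labels = [lab for lab in re.split(r"[.-]", hostname.lower()) if lab]
    return [kw for kw in GATEWAY_KEYWORDS
            if any(lab.startswith(kw) or lab.endswith(kw) for lab in labels)]

def parse_passive_dns(text):
    """Parse 'host (ip)' lines into (host, ip) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group("host"), m.group("ip")))
    return records

def candidate_gateways(text):
    """Group gateway-looking names by IP, so one device with several names
    (or one name with several addresses) is reported once per address."""
    by_ip = defaultdict(lambda: {"hosts": set(), "hints": set()})
    for host, ip in parse_passive_dns(text):
        hints = gateway_hints(host)
        if hints:
            by_ip[ip]["hosts"].add(host)
            by_ip[ip]["hints"].update(hints)
    return {ip: {"hosts": sorted(v["hosts"]), "hints": sorted(v["hints"])}
            for ip, v in sorted(by_ip.items())}
```

Run over your own passive-DNS export, the output is a first inventory of which of your addresses advertise themselves as gateways by name alone.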

Discovery by Webinterface

So now you have some IPs/hostnames, but you'd like to know whether there is something to be found, and if so, what exactly.

Let's try sagw.daimler.com and open it in a browser:

Et voilà! There is something.

But what is it? Reading the source code doesn't give a clue, but when I access the same site via IP instead of hostname, it shows something different:

When I check the HTML source again, I get the info I wanted: a Pulse Secure VPN gateway.

You'll recognize the "/dana-na/" URL path, and this information alone lets you search for all Pulse VPN gateways exposed worldwide:

But Pulse is not alone in this; you can detect a lot of firewalls and gateways by their web interfaces alone:

Discovery by Ports/Services

There are vendors that really have an open heart for us OSINT people.

  • Check Point, for instance, lets us detect its firewalls by a custom port, 264 (sometimes 18264), even if no interface is exposed to the outside.

Discovery by Banners/Headers

Sometimes we can use service headers/banners to detect various devices, and again Cisco is very helpful here (though many of these devices are not firewalls but routers/switches):

debug1: Local version string SSH-3.14-OpenSSH_7.7-p42
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000

Discovery by TLS-Certs

During installation/setup, most firewalls and gateways that are reachable via TLS at all will set up a self-signed certificate. Since this process is automated for ease of use, most devices will have the name of their vendor written into the certificate information (Issuer Common Name / Issuer Organization).

And since binaryedge lets us search TLS certs as well... let's do it!

Conclusion

You'll notice that some vendors are not mentioned here; those are the ones who make it harder to recon their gear and who will not show up in the average OSINT databases like shodan, binaryedge or zoomeye.

All the other examples above (the list is not complete) help an attacker with good OSINT skills enumerate the device, service and version, which can come in handy if the device itself is not updated regularly and exploits exist.

Another problem should be mentioned: if you are a blue-teamer and use a product that is easily detected, it WILL be indexed. If something like the latest Pulse VPN/Fortigate mayhem happens again, you'd better not have your company's remote access exploited.

Reduce your attack surface!

And last but not least, if I know which device your company uses as its firewall or gateway, I, as a red-teamer, can probably shoot some rubber bands at your firewall, allowing me to take you offline for $5.

snippet!

And while OSINTing my way around the world, I found a Cisco router/gateway with an open telnet port; I just wanted to share this little session with you.

$  telnet 123.45.67.89 1337

Connected to 123.45.67.89
Escape character is '^]'.
Connected to Dynamips VM "ISP" (ID 2, type c3725) - Console port
Press ENTER to get the prompt.
ash (Read/Write)
131072K bytes of ATA Slot0 CompactFlash (Read/Write)
Installed image archive



Press RETURN to get started!


*Mar  1 00:00:02.835:  AAA is disabled
*Mar  1 00:00:03.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Mar  1 00:00:03.295: %LINEPROTO-5-UPDOWN: Line protocol on Interface IPv6-mpls, changed state to up
*Mar  1 00:00:03.651: %SYS-5-CONFIG_I: Configured from memory by console
*Mar  1 00:00:03.775: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:00:03.779: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar  1 00:00:03.779: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar  1 00:00:03.779: %LINK-5-CHANGED: Interface FastEthernet2/0, changed state to administratively down
*Mar  1 00:00:03.967: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Thu 23-Feb-06 00:26 by ccai
*Mar  1 00:00:03.975: %SNMP-5-COLDSTART: SNMP agent on host ISP is undergoing a cold start
*Mar  1 00:00:04.019: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Mar  1 00:00:04.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
*Mar  1 00:00:04.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
*Mar  1 00:00:04.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to up
*Mar  1 00:00:04.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Mar  1 00:00:04.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar  1 00:00:04.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
*Mar  1 00:00:04.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to down
*Mar  1 00:00:48.727: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.2.3 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Mar  1 00:00:53.583: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done

ISP>show ?
  aaa                   Show AAA values
  aal2                  Show commands for AAL2
  alarm-interface       Display information about a specific Alarm Interface
                        Card
  appfw                 Application Firewall information
  auto                  Show Automation Template
  backup                Backup status
  bcm560x               BCM560x HW Table
  bgp                   BGP information
  call                  Show call
  caller                Display information about dialup connections
  cca                   CCA information
  ccm-manager           Call Manager Application information
  cdapi                 CDAPI information
  cef                   Cisco Express Forwarding
  cem                   cem channel information
  class-map             Show QoS Class Map
  clock                 Display the system clock
  cns                   CNS agents
  compress              Show compression statistics
  connection            Show Connection
  context               Show context information about recent crash(s)
  control-plane         Control Plane information
          
ISP>show bgp
% BGP not active

ISP>show  controllers
...



ISP>show appfw ?
  configuration  Application Firewall Policy configuration
  dns            DNS Name Management
  name           Appfw name
          

ISP>show control-plane counters
Feature Path             Packets processed/dropped/errors                
Aggregate                  504953/0/0
Host                            0/0/0
Transit                    365512/0/0
Cef-exception              139441/0/0

ISP>show control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
 tcp                 *:23                  *:0                   Telnet   LISTEN
 tcp                 *:80                  *:0                HTTP CORE   LISTEN
 tcp               *:1720                  *:0                    H.225   LISTEN
 tcp               *:5060                  *:0                      SIP   LISTEN
 udp                 *:67                  *:0            DHCPD Receive   LISTEN
 udp               *:2887                  *:0                      DDP   LISTEN
 udp               *:5060                  *:0                      SIP   LISTEN
 udp               *:2517                  *:0                CCH323_CT   LISTEN

ISP>


ISP>show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.2.2            52   c204.604d.0010  ARPA   FastEthernet0/0
Internet  192.168.2.3            52   c203.61d4.0010  ARPA   FastEthernet0/0
Internet  192.168.2.1            51   c201.6508.0010  ARPA   FastEthernet0/0
Internet  192.168.2.254           -   c202.6371.0000  ARPA   FastEthernet0/0


ISP>exit

Happy Hunting!

The awesome GIF used in this article is called Pink Panther and was created by Lidia Parfivora.