The following article will deal with basics from the Technical OSINT Manual and teach you how to detect and enumerate firewalls and gateways of all sorts (FW, VPN or Application-Gateways). This article is aimed towards beginners in the OSINT game.
Btw, I'm using my favourite tool binaryedge for showcasing screenshots.
Discovery by Hostname
Lets say, your task is to recon a company/domain, and you are able to perform a basic passivedns-recon against a domain, collecting as much hostnames in use as possible. All you have to do is to look for names like
Below are some real-world-examples, taken from a recent scan.
here.com (vpn) fra-a.ext.vpn.here.com (18.104.22.168) fra-b-ext.vpn.here.com (22.214.171.124) fra.vpn.here.com (126.96.36.199) fra.vpn.here.com (188.8.131.52) ----------------------------------------------- daimler.com (gw) sagw.americas.daimler.com (184.108.40.206) sagw.daimler.com (220.127.116.11) ----------------------------------------------- various (secure) secure.aov.de (18.104.22.168) secure-bestsecret.noris.net (22.214.171.124) secure-ccunirent-easyshare.noris.net (126.96.36.199) secure.cinepostproduction.de (188.8.131.52) secure-datev.noris.net (184.108.40.206) secure-gw1-01.vocatus.de (220.127.116.11) secure-nixdorf.noris.net (18.104.22.168) secure.noris.net (22.214.171.124) secure.qsc.de (126.96.36.199) secure-vcenter.noris.net (188.8.131.52) secure.vw-wecloud.de (184.108.40.206)
That method seems quite useful, but lets check, if there are gateways behind these IPs or not (you can always throw that IP into a OSINT-database of your choice though).
Discovery by Webinterface
So now you have some IPs/Hostnames, but you'd like to know if there is something to be found, and if so, what exactly.
Lets try this sagw.daimler.com and fire it up in a browser:
Et Voilá! There is something.
But what is it? Reading the sourcecode doesnt give a clue, but when i access the same source via IP, not hostname, it shows something different:
When i check the HTML-source i again, i get the info i wanted: a Pulse Secure VPN-Gateway
You'll recognize the "/dana-na/" - URL, and this information alone lets you search for all available Pulse-VPN-Gateways worldwide:
But Pulse is not alone with this, you can detect a lot of firewalls and gateways by their interfaces alone:
- Fortinet-VPN-Gateways tends to redirect to /remote/login
- Cisco-VPN redirects to /+CSCOE+/logon.html
- Netscaler redirects to /vpn/index.html
- ... you get the clou.
Discovery by Ports/Services
There are vendors, that really have an open heart for us OSINT-people.
- Checkpoint for instance let us detect their firewalls by a custom port, 264 (sometimes 18264), even if no interface is exposed to the outside.
- Cisco-VPN (IPSEC iirc) is often found to have Port 500/udp open, as the following search on zoomeye shows:
Discovery by Banners/Headers
Sometimes we can use service-headers/banners to detect various devices, and again cisco is very helpful here (many devices are not firewalls, but router/switches though):
- Cisco-SSH advertises its own banner
debug1: Local version string SSH-3.14-OpenSSH_7.7-p42 debug1: Remote protocol version 2.0, remote software version Cisco-1.25 debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
- Cisco IOS and telnet is very common
- Fortigate again helps us by using the Standard-Server-Header "xxxxxxxx-xxxxx", allowing us to find all servers with that header
Discovery by TLS-Certs
During installation/setup, most firewalls and gateways, if available via TLS in any case, will setup a selfsigned certifcate. Since this process is automated for easier use, the most devices will have the name of its vendor written into the certifictae-information (Issuer Common Name / Issuer Organization)
And since Binaryedge lets us search TLS-Certs as well ... lets do it!
You'll notice, some vendors are not mentioned here, and those are the ones who make it harder to recon their stuff and who will not show up in the average OSINT-databases like shodan, binarydge or zoomeye.
All the other examples above (without being complete), are helping an attacker with good OSINT-skills to enumerate the device, service and version, which can come in handy, if the device itself is not updated regularly and exploits exists.
Another problem should be mentioned: if you are a blue-teamer use a product that is easily detected, it WILL be indexed. If something like the latest PulseVPN/Fortigate Mayhem happens again, you'd better not have your company-access exploited.
Reduce your attack surface!
And last but not least, if i know which device is used by your company as firewall or gateway, i, as a red-teamer, can probably shoot some rubberbands on your firewall, allowing me to put you offline for 5$.
And while OSINTing through the world, i found a Cisco-router/gateway with an open telnet; just wanted to share this little session with you.
$ telnet 220.127.116.11 1337 Connected to 18.104.22.168 Escape character is '^]'. Connected to Dynamips VM "ISP" (ID 2, type c3725) - Console port Press ENTER to get the prompt. ash (Read/Write) 131072K bytes of ATA Slot0 CompactFlash (Read/Write) Installed image archive Press RETURN to get started! *Mar 1 00:00:02.835: AAA is disabled *Mar 1 00:00:03.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up *Mar 1 00:00:03.295: %LINEPROTO-5-UPDOWN: Line protocol on Interface IPv6-mpls, changed state to up *Mar 1 00:00:03.651: %SYS-5-CONFIG_I: Configured from memory by console *Mar 1 00:00:03.775: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up *Mar 1 00:00:03.779: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down *Mar 1 00:00:03.779: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down *Mar 1 00:00:03.779: %LINK-5-CHANGED: Interface FastEthernet2/0, changed state to administratively down *Mar 1 00:00:03.967: %SYS-5-RESTART: System restarted -- Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. Compiled Thu 23-Feb-06 00:26 by ccai *Mar 1 00:00:03.975: %SNMP-5-COLDSTART: SNMP agent on host ISP is undergoing a cold start *Mar 1 00:00:04.019: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF *Mar 1 00:00:04.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up *Mar 1 00:00:04.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up *Mar 1 00:00:04.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to up *Mar 1 00:00:04.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up *Mar 1 00:00:04.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down *Mar 1 00:00:04.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down *Mar 1 00:00:04.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to down *Mar 1 00:00:48.727: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.2.3 on FastEthernet0/0 from LOADING to FULL, Loading Done *Mar 1 00:00:53.583: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done ISP>show ? aaa Show AAA values aal2 Show commands for AAL2 alarm-interface Display information about a specific Alarm Interface Card appfw Application Firewall information auto Show Automation Template backup Backup status bcm560x BCM560x HW Table bgp BGP information call Show call caller Display information about dialup connections cca CCA information ccm-manager Call Manager Application information cdapi CDAPI information cef Cisco Express Forwarding cem cem channel information class-map Show QoS Class Map clock Display the system clock cns CNS agents compress Show compression statistics connection Show Connection context Show context information about recent crash(s) control-plane Control Plane information ISP>show bgp % BGP not active ISP>show controllers Interface FastEthernet0/0 Hardware is GT96K FE ADDR: 665F2FCC, FASTSEND: 606E8924, MCI_INDEX: 0 DIST ROUTE ENABLED: 0Route Cache Flag: 11 GPIO 2 CONF= 0 GPIO 2 IO= 0 CIU arbit = 80000000 PHY add register = 0x0 PHY data register = 0x8000000 Port Conf Reg= 0x80 ENABLE HT8K HMOD0 Port Conf Ex Reg= 0x4CD00 TX1:1 RXPRI=DE(00) ~FLCNTL ~FLNKP MFL64KB FE Port Com Reg= 0x0 Port Status Reg= 0xF 100MB FDPX FCTL DIS LNK UP ~PAUSED TX oFF Serial Param Reg= 0x0 Hash table pointer= 0xF5A5B60 Source ADDR L= 0x0 Source ADDR H= 0x0 SDMA conf reg= 0x223C RETX 15 RX BE TX BE FRINT BSIZE 4 SDMA com reg= 0x30080 STP TXL STP TXH EN RX IMASK= 0x90003DCD ICause= 0x0 Serial 0 mask 30000F3Serial 0 cause 0 IpDiffservP0L= 0x0 IpDiffservP0H= 0x0 IpDiffservP1L= 0x0 IpDiffservP1H= 0x0 IP VLAN TAG PRI= 0x0 IP VLAN TAG PRI= 0x0 First rxd Q0= 0xF5E5C20 Curr rxd Q0= 0xF5E5C20 First rxd Q1= 0xF5E6040 Curr rxd Q1= 0xF5E6040 First rxd Q2= 0xF5E64A0 Curr rxd Q2= 0xF5E64A0 First rxd Q3= 0xF5E6900 Curr rxd Q3= 0xF5E6900 First txd Q0= 0xF5E6E20 First txd Q1= 0xF5E75A0 gt96kfe_instance=0x665F40AC, registers=0xB4084800 RxRing entries=64, tx ring entries=128 RxR0=0x F5E5BE0, RxR1=0x F5E6040, RxR2=0x F5E64A0, RxR3=0x F5E6900 Malloc RxR0=0x F5E5BE0, RxR1=0x F5E6040, RxR2=0x F5E64A0, RxR3=0x F5E6900 SDOW RxR0=0x665F46A4, RxR1=0x665F47D8, RxR2=0x665F490C, RxR3=0x665F4A40 HEAD RxR0=0x4, RxR1=0x0, RxR2=0x0, RxR3=0x0 TAIL RxR0=0x0, RxR1=0x0, RxR2=0x0, RxR30x0 ... ISP>show appfw ? configuration Application Firewall Policy configuration dns DNS Name Management name Appfw name ISP>show control-plane counters Feature Path Packets processed/dropped/errors Aggregate 504953/0/0 Host 0/0/0 Transit 365512/0/0 Cef-exception 139441/0/0 ISP>show control-plane host open-ports Active internet connections (servers and established) Prot Local Address Foreign Address Service State tcp *:23 *:0 Telnet LISTEN tcp *:80 *:0 HTTP CORE LISTEN tcp *:1720 *:0 H.225 LISTEN tcp *:5060 *:0 SIP LISTEN udp *:67 *:0 DHCPD Receive LISTEN udp *:2887 *:0 DDP LISTEN udp *:5060 *:0 SIP LISTEN udp *:2517 *:0 CCH323_CT LISTEN ISP> ISP>show ip arp Protocol Address Age (min) Hardware Addr Type Interface Internet 192.168.2.2 52 c204.604d.0010 ARPA FastEthernet0/0 Internet 192.168.2.3 52 c203.61d4.0010 ARPA FastEthernet0/0 Internet 192.168.2.1 51 c201.6508.0010 ARPA FastEthernet0/0 Internet 192.168.2.254 - c202.6371.0000 ARPA FastEthernet0/0 ISP>exit