In association with heise online


In preparing for an attack, hackers first collect all available information. A VPN gateway is relatively easy to identify. All you need is a port scanner like nmap, which will produce output such as the following:

# nmap -sSUV -O 
Starting nmap 3.70 (Interesting ports on
256/tcp open fw1-secureremote
257/tcp open fw1-log service
259/udp open|filtered firewall1-rdp
500/udp open|filtered isakmp
1701/udp open|filtered L2TP
Device type: firewall
Running: Checkpoint Windows NT/2K/XP
OS details: Checkpoint SecurePlatform NG FP3

The characteristics of the ports reached show that the firewall is from Checkpoint. The OS fingerprinting that nmap performs and its service detection (not shown above) also suggest that a Firewall-1 NG on SecurePlatform has just been detected. The open UDP port 500 is a clear sign that this firewall also runs as a VPN gateway: VPNs use this port for the protected exchange of keys via IKE (Internet Key Exchange), an essential part of IPSec.


Special tools can even detect the cryptographic methods and parameters that the gateway uses, providing even more indications of the vendor. The free program IKE-Scan [1] handles this task:

#ike-scan --trans=5,2,1,5 -o
Starting ike-scan 1.2 with 1 hosts
IKE Main Mode Handshake returned (1 transforms)
IKE Backoff Patterns:
IP Address   No.   Recv time           Delta Time
             1     1092956328.817392   0.000000
             2     1092956330.923392   2.106000
             3     1092956332.885392   1.962000
             4     1092956334.833392   1.948000
             5     1092956336.836392   2.003000
             6     1092956338.835392   1.999000
             7     1092956340.844392   2.009000
             8     1092956344.875392   4.031000
             9     1092956348.882392   4.007000
             10    1092956352.866392   3.984000
             11    1092956356.902392   4.036000
             12    1092956360.883392   3.981000
Implementation guess: Firewall-1 4.1/NG

The option "--trans=5,2,1,5" specifies the parameters to be tested: 3DES, SHA, pre-shared key, Diffie-Hellman group 5. The message "IKE Main Mode Handshake returned" indicates that the VPN gateway accepts these parameters, and the vendor's name is displayed immediately. But these tools only succeed if the VPN gateway is configured in a certain way and supports certain parameters. Here it often helps to try out the IKE and IPSec parameters manually or by means of a script.
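To make clear what the backoff table above gives away, here is an added example (not from the article and not ike-scan's own code) that parses rows like the ones shown, derives the retransmission intervals and matches them against a small pattern table. Only the Firewall-1 entry is taken from the article; the second pattern, the function names and the row regex are constructed for illustration.

```python
import re

# Retransmission rows as printed in the article (IP address column left blank,
# as on the page). The header line is deliberately included to test the parser.
IKE_SCAN_OUTPUT = """\
IP Address   No.   Recv time           Delta Time
             1     1092956328.817392   0.000000
             2     1092956330.923392   2.106000
             3     1092956332.885392   1.962000
             4     1092956334.833392   1.948000
             5     1092956336.836392   2.003000
             6     1092956338.835392   1.999000
             7     1092956340.844392   2.009000
             8     1092956344.875392   4.031000
             9     1092956348.882392   4.007000
             10    1092956352.866392   3.984000
             11    1092956356.902392   4.036000
             12    1092956360.883392   3.981000
"""

# Constructed pattern table of nominal retransmission intervals in seconds.
# The Firewall-1 entry reflects the article's output (six ~2 s gaps, then ~4 s);
# "hypothetical-doubling" is an invented contrast case so the matcher can reject.
BACKOFF_PATTERNS = {
    "Firewall-1 4.1/NG": [2] * 6 + [4] * 5,
    "hypothetical-doubling": [1, 2, 4, 8, 16],
}

# Optional dotted IPv4 address, sequence number, receive time, delta time.
ROW = re.compile(r"^\s*(?:\d{1,3}(?:\.\d{1,3}){3}\s+)?(\d+)\s+(\d+\.\d+)\s+(\d+\.\d+)\s*$")

def parse_recv_times(text):
    """Return the receive timestamps, in order, from ike-scan backoff rows."""
    return [float(m.group(2)) for line in text.splitlines() if (m := ROW.match(line))]

def backoff_intervals(times):
    """Gaps between consecutive retransmissions, rounded to whole seconds."""
    return [round(b - a) for a, b in zip(times, times[1:])]

def guess_implementation(times, patterns=BACKOFF_PATTERNS, tolerance=0.5):
    """Compare the observed gaps with each pattern (prefix match, per-gap
    tolerance in seconds) and return the first matching name, else None."""
    deltas = [b - a for a, b in zip(times, times[1:])]
    for name, pattern in patterns.items():
        n = min(len(deltas), len(pattern))
        if n and all(abs(d - p) <= tolerance for d, p in zip(deltas, pattern)):
            return name
    return None
```

Run against the embedded rows, `guess_implementation(parse_recv_times(IKE_SCAN_OUTPUT))` reproduces the article's "Firewall-1 4.1/NG" guess purely from the timing of the gateway's retransmissions, which is why that timing is treated as a fingerprint.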
