
Fingerprinting of Host Based Firewalls

Andrej Šimko
unpublished
This work describes new procedures for fingerprinting widely used Windows personal firewalls that are integrated into endpoint security solutions. To represent the majority of the market, we chose the most widespread solutions for testing. The free, open-source tool Nmap was used for this research, and all tests were designed to be easily repeatable. We describe two approaches to personal firewall fingerprinting: port-state based and time based. Both approaches exploit various […]encies between the IPv4 and IPv6 ports of certain firewalls. The port-state based method observes the states in which the top 1000 most-used ports are reported by Nmap, looking at the differences between "open", "open|filtered", "unfiltered", "filtered" and "closed" ports detected by network probes. Special attention is given to the state of port TCP/0: scanning TCP/0 alone separates the firewalls into 4 groups. The time based method exploits differences in how long different Nmap scanning techniques take to finish. More "exotic" Nmap techniques, for example the SCTP COOKIE ECHO, TCP Maimon, or IP protocol scans, are used with both approaches. We show that it is rather easy to fingerprint all 18 personal firewalls selected for our testbed.
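Both approaches in the abstract rest on a host firewall reporting ports differently over IPv4 and IPv6. The following is an added example (not code from the paper or from the Nmap project) that a defender can use to check their own host for exactly that kind of inconsistency: it parses Nmap's XML output (`nmap -oX`) for an IPv4 scan and an IPv6 scan of the same machine, builds the port-state histogram the port-state method relies on, reports the TCP/0 state the abstract singles out, and lists every port whose state differs between the two address families. The two XML documents below are constructed sample data with the structure of real `nmap -oX` output; the abstract does not give the paper's 4-group classification, so none is reproduced here.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample data (not real scan output): the same host scanned over
# IPv4 and then over IPv6. Real `nmap -oX` files use the same
# <nmaprun>/<host>/<ports>/<port>/<state> layout, so the parser works on them.
NMAP_XML_IPV4 = """<nmaprun scanner="nmap">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="0"><state state="filtered"/></port>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port>
<port protocol="tcp" portid="443"><state state="filtered"/></port>
</ports></host></nmaprun>"""

NMAP_XML_IPV6 = """<nmaprun scanner="nmap">
<host><address addr="2001:db8::10" addrtype="ipv6"/>
<ports>
<port protocol="tcp" portid="0"><state state="open|filtered"/></port>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/></port>
<port protocol="tcp" portid="443"><state state="filtered"/></port>
</ports></host></nmaprun>"""


def parse_port_states(xml_text):
    """Map (protocol, port) -> Nmap state for every <port> in an Nmap XML document."""
    root = ET.fromstring(xml_text)
    states = {}
    for port in root.iter("port"):
        key = (port.get("protocol"), int(port.get("portid")))
        states[key] = port.find("state").get("state")
    return states


def state_histogram(states):
    """Count how many ports fall into each Nmap state (the port-state signal)."""
    return Counter(states.values())


def tcp0_state(states):
    """State reported for port TCP/0, which the abstract treats as a key signal."""
    return states.get(("tcp", 0), "not-scanned")


def ipv4_ipv6_discrepancies(v4_states, v6_states):
    """Ports whose reported state differs between the IPv4 and IPv6 scans.

    A non-empty result means the host firewall does not treat both address
    families alike, which is the property the fingerprinting methods exploit
    and the property a defender wants to eliminate.
    """
    diffs = {}
    for key in sorted(set(v4_states) | set(v6_states)):
        s4 = v4_states.get(key, "not-scanned")
        s6 = v6_states.get(key, "not-scanned")
        if s4 != s6:
            diffs[key] = (s4, s6)
    return diffs


def audit(xml_v4, xml_v6):
    """Run the whole check on two Nmap XML documents and return a summary dict."""
    v4 = parse_port_states(xml_v4)
    v6 = parse_port_states(xml_v6)
    return {
        "ipv4_histogram": state_histogram(v4),
        "ipv6_histogram": state_histogram(v6),
        "tcp0": (tcp0_state(v4), tcp0_state(v6)),
        "discrepancies": ipv4_ipv6_discrepancies(v4, v6),
    }


if __name__ == "__main__":
    summary = audit(NMAP_XML_IPV4, NMAP_XML_IPV6)
    print("IPv4 states:", dict(summary["ipv4_histogram"]))
    print("IPv6 states:", dict(summary["ipv6_histogram"]))
    print("TCP/0 (v4, v6):", summary["tcp0"])
    for (proto, port), (s4, s6) in summary["discrepancies"].items():
        print(f"{proto}/{port}: IPv4={s4} IPv6={s6}")
```

To use it on a real host, scan it twice with the same port list (`nmap -oX v4.xml …` and `nmap -6 -oX v6.xml …`), read both files, and pass their contents to `audit()`; every entry in `discrepancies` is a firewall rule that is not mirrored across address families and that an external observer could use to tell the product apart.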
fatcat:j37trukf6jfzviicebhv2lu4e4