Firewalking
Transcript of Firewalking
FIREWALKING
KNOW YOUR ENEMY: FIREWALLS
• What is a firewall?
• A device or set of devices designed to permit or deny network transmissions based upon a set of rules
• Used for protection of networks from external threats by denying unauthorized traffic
• Considered a first line of defense
• Some consider it the only defense necessary (lulz)
THE PAST AND PRESENT
• Emerged in the late 80s, the wild west days of the Internet
• First paper published in 88 by Digital Equipment Corporation (DEC)
• First Gen – Packet Filters
• Inspect each packet on its own against a set of rules
• Drops/rejects packets that match a deny rule
• No concept of connection state
• Most work is at the network layer (source/destination addresses) with a splash of transport layer (protocol and port numbers)
• Filters packets based on protocol/port number
MORE PAST AND PRESENT
• Second Gen – Stateful Filters
• All the work of first gen firewalls, but now with the transport layer properly in the picture
• Examine each packet as well as its position in the data stream
• Records the “state” of the connection
• Start of a new connection
• Ending a connection
• Somewhere between
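The difference between the first two generations is easiest to see in code. The following is an added example, not from the original slides: a stateless filter and a stateful filter enforcing the same hypothetical "inside hosts may browse the web" policy, fed one legitimate connection and then an unsolicited ACK probe that fakes source port 80 (what an ACK scan of an inside host looks like). The addresses, packets and policy are all constructed here.

```python
"""Stateless (first-gen) vs. stateful (second-gen) filtering, as a minimal
simulation.  Added example, not from the original slides: the packets,
addresses and the "inside may browse the web" policy are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ConnKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


def is_inside(ip: str) -> bool:
    """Hypothetical protected network: 10.0.0.0/8."""
    return ip.startswith("10.")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flags as letters, e.g. "S", "SA", "A", "R"


class StatelessFilter:
    """First gen: each packet is judged by its own header, nothing remembered.
    Policy: inside -> outside only to port 80; outside -> inside only from
    port 80 with ACK set (the classic 'established' approximation)."""

    def allow(self, p: Packet) -> bool:
        if is_inside(p.src) and not is_inside(p.dst):
            return p.dport == 80
        if not is_inside(p.src) and is_inside(p.dst):
            return p.sport == 80 and "A" in p.flags
        return False


class StatefulFilter:
    """Second gen: same policy, but inbound packets must belong to a
    connection that an inside host started, tracked in a state table."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    def allow(self, p: Packet) -> bool:
        if is_inside(p.src) and not is_inside(p.dst):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S" and p.dport == 80:
                self.table[key] = "SYN_SENT"        # start of a new connection
                return True
            state = self.table.get(key)
            if state is None:
                return False
            if "F" in p.flags or "R" in p.flags:
                self.table[key] = "CLOSING"         # ending a connection
            elif state == "SYN_RECV":
                self.table[key] = "ESTABLISHED"     # somewhere in between
            return True
        if not is_inside(p.src) and is_inside(p.dst):
            key = (p.dst, p.dport, p.src, p.sport)  # reverse: match outbound entry
            state = self.table.get(key)
            if state is None:
                return False                        # unsolicited: no state, drop
            if state == "SYN_SENT" and "S" in p.flags and "A" in p.flags:
                self.table[key] = "SYN_RECV"
            elif "F" in p.flags or "R" in p.flags:
                self.table[key] = "CLOSING"
            return True
        return False


def filter_verdicts(fw) -> Dict[str, object]:
    """Feed one legitimate web connection, then an ACK probe faking source
    port 80 (what an ACK scan of the inside host looks like)."""
    client, server, scanner = "10.1.2.3", "203.0.113.10", "198.51.100.7"
    legit: List[Packet] = [
        Packet(client, server, 40000, 80, "S"),    # SYN out
        Packet(server, client, 80, 40000, "SA"),   # SYN/ACK back
        Packet(client, server, 40000, 80, "A"),    # handshake done
    ]
    probe = Packet(scanner, client, 80, 22, "A")   # unsolicited ACK to port 22
    return {"legit": [fw.allow(p) for p in legit], "ack_probe": fw.allow(probe)}


if __name__ == "__main__":
    print("stateless:", filter_verdicts(StatelessFilter()))
    print("stateful: ", filter_verdicts(StatefulFilter()))
```

Both filters pass the real connection, but only the stateless one lets the forged ACK through: it has no memory, so "source port 80 with ACK set" is all it can check. The inside host then answers with a RST, which is exactly what an ACK scan uses to learn that the host exists and that the filter is stateless.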
EVEN MORE PAST AND PRESENT
• Third Gen – Application Layer
• Understands certain applications and protocols (FTP, DNS, HTTP and so on)
• Detects an unwanted protocol sneaking through on a non-standard port
• Detects protocol abuse, e.g. DDoS
• Deep packet inspection
• Some integrate the identity of users into the rule set
• Bind ID to IP or MAC address (not the best way: both are easily spoofed)
• authpf on OpenBSD loads per-user pf rules after the user authenticates over SSH
APPLICATION LAYER FIREWALLS CONT.
• Exist at the application layer of the TCP/IP stack
• Can detect network worms
• Hook socket calls to determine whether a process should accept a connection
• Allow/block on a per-process basis
• Most commonly seen alongside a packet filter
• Filtering is still determined purely by rule sets
• Unable to defend against a trusted process being modified via exploitation
FIREWALL SPECIES
• Packet filters
• Can be stateless or stateful
• Application Layer
• Per process filtering
• Proxies
• Make life a little more difficult but can be dealt with
• NATs
• NATing firewalls put protected hosts in the private address ranges (RFC 1918)
• Used to hide the true address of a protected host
• Very annoying when doing network reconnaissance
PUTTING THE IP BACK IN HIP
• Network layer protocol
• Used for host addressing and routing
• Consists of a header and a payload
• Header contains values for source and destination address, as well as other data including TTL
OUR MAN ON THE INSIDE: ICMP
• One of the core protocols in the Internet Protocol Suite
• Exists in the Internet Layer
• Generally used for sending error messages
• Lots of great ways to do network recon with ICMP
PLANS FOR PLUNDERING
• Goal – to determine which protocols and ports a router or firewall will block and which it allows downstream
• Uses an IP expiry technique akin to the traceroute program
• Manipulates the TTL field of the IP header
• Sets the TTL to one greater than the number of hops taken to reach the target firewall
• If the packets are blocked by the firewall, they are dropped (or rejected with an ICMP unreachable sent by the firewall)
• If allowed, they expire at the next hop past the firewall, which sends back an ICMP Time Exceeded (type 11) message
WEIGH ANCHOR AND HOIST THE MIZZEN!
• First need to determine the number of hops taken to reach the target gateway
• Utilize a Traceroute-style IP expiry scan
• Send probes with TTL 1, 2, 3, …; each hop that expires a probe answers with Time Exceeded, and the TTL at which the gateway itself answers is the hop count
AVAST! THAR BE FIREWALLS OFF THE PORT BOW!
• Time to start probing the firewall
• Set TTL to one more than the hops to the firewall so our probes can reach the metric host (a host one hop or more behind the firewall)
• If the firewall passes the port, the probe expires just past it and we receive an ICMP TTL expired in transit message
• No response implies the firewall filtered the port (or the Time Exceeded message never made it back to us)
• Repeat for every port and every host to map the rule set and the network topology behind the firewall
SWASHBUCKLING CAN ONLY GO SO FAR
• Firewalking is very noisy
• Router and firewall logs will pick up this kind of traffic
• Easily mitigated
• Simply block outbound ICMP messages (can be problematic: blocking all ICMP breaks Path MTU Discovery); stopping just Time Exceeded (type 11) from leaving the protected network is enough
• Techniques like Idle Scanning are the way of the modern network ninja
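The two phases just described (ramp the TTL to find the gateway, then probe each port with TTL = hops + 1) and the mitigation on this slide, worked through as an added example. This is not the firewalk tool's own code: the logic is driven through a pluggable probe function, and the network it runs against is a simulated path whose hop addresses, hypothetical ACL and mitigation switch are all constructed here; real use would replace SimPath.send with a raw-socket sender. One design choice to note: any answer that originates beyond the gateway, including a plain TCP reply from the metric host when it sits directly behind the firewall, is taken as proof that the rule passed the probe.

```python
"""Firewalking: ramping phase, scanning phase and the ICMP mitigation, run
against a simulated path so it works offline.

Added example, not the firewalk tool's own code.  The hop addresses, the
firewall's hypothetical ACL and the mitigation switch are constructed here;
real use would replace SimPath.send with a raw-socket sender.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# What the scanner sees for one probe: (kind, sender) or None on timeout.
# kind: "time_exceeded" = ICMP type 11, "admin_prohibited" = ICMP type 3
# code 13 from a rejecting firewall, "reply" = the metric host answered.
Response = Optional[Tuple[str, str]]


@dataclass(frozen=True)
class Probe:
    dst: str            # metric host
    dport: int
    ttl: int
    proto: str = "tcp"


Sender = Callable[[Probe], Response]


@dataclass
class SimPath:
    """Scanner -> routers[0] -> ... -> metric.  One router is the firewall."""
    routers: List[str]
    firewall: str
    metric: str
    allowed: Set[Tuple[str, int]]         # (proto, port) the firewall forwards
    reject: bool = False                  # answer denied probes with type 3/13
    metric_answers: bool = True           # does the metric host reply at all
    suppress_outbound_icmp: bool = False  # mitigation: drop type 11 leaving the net

    def send(self, p: Probe) -> Response:
        ttl, behind_fw = p.ttl, False
        for r in self.routers:
            ttl -= 1                        # every forwarding hop decrements
            if ttl == 0:                    # would forward, but TTL expired
                if behind_fw and self.suppress_outbound_icmp:
                    return None             # mitigation eats the Time Exceeded
                return ("time_exceeded", r)
            if r == self.firewall:
                if (p.proto, p.dport) not in self.allowed:
                    return ("admin_prohibited", r) if self.reject else None
                behind_fw = True
        # delivered: a host accepts a packet addressed to it even at TTL 1
        return ("reply", self.metric) if self.metric_answers else None


def ramp(send: Sender, gateway: str, metric: str, port: int,
         max_ttl: int = 30) -> Optional[int]:
    """Phase 1: raise TTL by one per probe until the gateway itself answers;
    that TTL is the hop count to it."""
    for ttl in range(1, max_ttl + 1):
        r = send(Probe(metric, port, ttl))
        if r is not None and r[1] == gateway:
            return ttl
        if r is not None and r[0] == "reply":
            return None     # reached the metric host without seeing the gateway
    return None


def firewalk(send: Sender, gateway: str, metric: str, ports: List[int],
             proto: str = "tcp") -> Dict[int, str]:
    """Phase 2: probe each port with TTL = hops + 1 and classify the answer."""
    hops = ramp(send, gateway, metric, ports[0])
    if hops is None:
        raise RuntimeError("gateway not seen on the path; cannot firewalk")
    verdicts: Dict[int, str] = {}
    for port in ports:
        r = send(Probe(metric, port, hops + 1, proto))
        if r is None:
            verdicts[port] = "filtered"      # dropped, or nothing came back
        elif r[1] == gateway:
            # the gateway answered: a rejection, or our hop count is off
            verdicts[port] = "rejected" if r[0] == "admin_prohibited" else "bad-ttl"
        else:
            verdicts[port] = "passed"        # anything from beyond the gateway
    return verdicts


def demo(suppress_icmp: bool = False, reject: bool = False,
         metric_answers: bool = True) -> Dict[int, str]:
    """Constructed topology: two ISP hops, the firewall, one internal router,
    then the metric host.  ACL lets only tcp/80, tcp/443 and udp/53 through."""
    path = SimPath(
        routers=["192.0.2.1", "192.0.2.2", "198.51.100.1", "198.51.100.9"],
        firewall="198.51.100.1", metric="10.0.0.5",
        allowed={("tcp", 80), ("tcp", 443), ("udp", 53)},
        reject=reject, metric_answers=metric_answers,
        suppress_outbound_icmp=suppress_icmp,
    )
    return firewalk(path.send, "198.51.100.1", "10.0.0.5", [22, 80, 443, 8080])


if __name__ == "__main__":
    print("unmitigated:", demo())
    print("rejecting firewall:", demo(reject=True))
    print("type 11 blocked, silent host:", demo(suppress_icmp=True, metric_answers=False))
```

Against the unmitigated path the scan reads 80 and 443 as passed and 22 and 8080 as filtered, which is the firewall's ACL recovered without the metric host ever having to answer. A rejecting firewall leaks even more, since its own ICMP unreachable names the denied ports. Once the border stops Time Exceeded messages from leaving and the metric host stays silent, every port reads as filtered and the technique tells the scanner nothing.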
IMPROVING OUR SWAG
• Targeted scans
• Don’t just knock on every port.
• Significant delay between scans
• Don’t need to know all the information immediately.
• Use other hosts to perform the scan
• Plenty of websites out there to perform the scan for you
• IP spoofing techniques
• Throw stealth out the window and blast the whole network with a billion other hazardous packets
• No sysadmin (SA) has time to go through a hyper-saturated log
QUESTIONS/COMMENTS
RESOURCES
• http://en.wikipedia.org/wiki/Firewall_%28computing%29
• http://www.freesoft.org/CIE/Course/Section3/7.htm
• http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
• http://www.techrepublic.com/article/use-firewalk-in-linuxunix-to-verify-acls-and-check-firewall-rule-sets/5055357
• http://www.vesaria.com/Firewall/Testing/eye_of_hacker.php
• http://www.Insecure.org/
• http://video.google.com/videoplay?docid=8220256903673801959