1 / 17

Firewalking

Firewalking. Know your enemy: firewalls. What is a firewall? A device or set of devices designed to permit or deny network transmissions based upon a set of rules Used for protection of networks from external threats by denying unauthorized traffic Considered a first line of defense

yan
Download Presentation

Firewalking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Firewalking

  2. Know your enemy: firewalls • What is a firewall? • A device or set of devices designed to permit or deny network transmissions based upon a set of rules • Used for protection of networks from external threats by denying unauthorized traffic • Considered a first line of defense • Some consider it the only defense necessary (lulz)

  3. The past and present • Emerged during the late 80s during the wild west days of the Internet • First paper published in 88 from Digital Equipment Corporation (DEC) • First Gen – Packet Filters • Inspect network packets using a metric • Drops/rejects packets upon detection • No concept of connection state • Most work is between the network and physical layers with a splash of transport layer • Filters packets based on protocol/port number

  4. More past and present • Second Gen – Stateful Filters • All the work of first gen firewalls but now with more transport layer • Examine each packet as well as its position in the data stream • Records the “state” of the connection • Start of a new connection • Ending a connection • Somewhere between

  5. Even more past and present • Third Gen – Application Layer • Provides a great affinity for certain applications and protocol • Unwanted protocol detection sneaking through a non-standard port • Detection of protocol abuse i.e. DDOS • Deep packet inspection • Some integrate the identity of users into rule set • Bind ID to IP or MAC address (Not the best way) • Authpf on BSD systems loads firewall rules per user after SSH authentication

  6. Application layer firewalls cont. • Exist on the application layer of the TCP/IP stack • Can detect network worms • Hook socket calls to determine whether a process should accept a connection • Allow/block on a process basis • Most commonly seen with a packet filter • Filtering is only determined via rule sets still • Unable to defend against modification of the process via exploitation

  7. Firewall species • Packet filters • Can be stateless or stateful • Application Layer • Per process filtering • Proxies • Make life a little more difficult but can be dealt with • NATs • Firewalls use the “private address range” in NATs • Used to hide the true address of a protected host • Very annoying when doing network reconnaissance

  8. Putting the ipback in hip • Network layer protocol • Used for host addressing and routing • Consists of a header and a payload • Header contains values for source and destination address, as well as other data including TTL

  9. Our man on the inside: icmp • One of the core protocols in the Internet Protocol Suite • Exists in the Internet Layer • Generally used for sending error messages • Lots of great ways to do network recon with ICMP

  10. Plans for plundering • Goal – to determine which protocols a router or firewall will block and which are allowed downstream • Uses an IP expiry technique akin to the tracert program • Manipulates the TTL field of the IP header • Sets a TTL value one greater than the number of hops taken to target firewall. • If packets are blocked by the firewall, they are dropped or rejected • If allowed, we receive an ICMP time exceeded message

  11. Weigh anchor and hoist the mizzen! • First need to determine the number of hops taken to target gateway • Utilize a Traceroute-style IP expiry scan • TTL count is incremented at each hop until target is reached

  12. AVAST! THAR BE FIREWALLS OFf THE PORT BOW! • Time to start probing the firewall • Set TTL to one more than the hops to the firewall so our scans can reach the metric host • If the port is open, we receive ICMP TLL expired in transit message • No response implies the port is closed • Repeat for every host to determine the network topology behind the firewall

  13. Swashbuckling can only go so far • Firewalking is very noisy • Router and firewall logs will pick up this kind of traffic • Easily mitigated • Simply disable outbound ICMP messages (Can be problematic) • Techniques like Idle Scanning is the way of the modern network ninja

  14. Improving our swag • Targeted scans • Don’t just knock on every port. • Significant delay between scans • Don’t need to know all the information immediately. • Use other hosts to perform the scan • Plenty of websites out there to perform the scan for you • IP spoofing techniques • Throw stealth out the window and blast the whole network with a billion other hazardous packets • No SA has time to go through a hyper saturated log

  15. Questions/comments

  16. Resources • http://en.wikipedia.org/wiki/Firewall_%28computing%29 • http://www.freesoft.org/CIE/Course/Section3/7.htm • http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol • http://www.techrepublic.com/article/use-firewalk-in-linuxunix-to-verify-acls-and-check-firewall-rule-sets/5055357 • http://www.vesaria.com/Firewall/Testing/eye_of_hacker.php • http://www.Insecure.org/ • http://video.google.com/videoplay?docid=8220256903673801959

More Related