FIREWALKING
KNOW YOUR ENEMY: FIREWALLS
• What is a firewall?
  • A device or set of devices designed to permit or deny network transmissions based upon a set of rules
• Used for protection of networks from external threats by denying unauthorized traffic
  • Considered a first line of defense
  • Some consider it the only defense necessary (lulz)
THE PAST AND PRESENT
• Emerged during the late 80s during the wild west days of the Internet
  • First paper published in 88 from Digital Equipment Corporation (DEC)
• First Gen – Packet Filters
  • Inspect network packets using a metric
  • Drops/rejects packets upon detection
  • No concept of connection state
  • Most work is between the network and physical layers with a splash of transport layer
  • Filters packets based on protocol/port number
MORE PAST AND PRESENT
• Second Gen – Stateful Filters
  • All the work of first gen firewalls but now with more transport layer
  • Examine each packet as well as its position in the data stream
  • Records the “state” of the connection
  • Start of a new connection
  • Ending a connection
  • Somewhere between
EVEN MORE PAST AND PRESENT
• Third Gen – Application Layer
  • Provides a great affinity for certain applications and protocols
  • Unwanted protocol detection sneaking through a non-standard port
  • Detection of protocol abuse i.e. DDOS
  • Deep packet inspection
  • Some integrate the identity of users into rule set
  • Bind ID to IP or MAC address (Not the best way)
  • Authpf on BSD systems loads firewall rules per user after SSH authentication
APPLICATION LAYER FIREWALLS CONT.
• Exist on the application layer of the TCP/IP stack
• Can detect network worms
• Hook socket calls to determine whether a process should accept a connection
• Allow/block on a process basis
• Most commonly seen with a packet filter
• Filtering is only determined via rule sets still
  • Unable to defend against modification of the process via exploitation
FIREWALL SPECIES
• Packet filters
  • Can be stateless or stateful
• Application Layer
  • Per process filtering
• Proxies
  • Make life a little more difficult but can be dealt with
• NATs
  • Firewalls use the “private address range” in NATs
  • Used to hide the true address of a protected host
  • Very annoying when doing network reconnaissance
PUTTING THE IP BACK IN HIP
• Network layer protocol
• Used for host addressing and routing
• Consists of a header and a payload
  • Header contains values for source and destination address, as well as other data including TTL
OUR MAN ON THE INSIDE: ICMP
• One of the core protocols in the Internet Protocol Suite
• Exists in the Internet Layer
• Generally used for sending error messages
• Lots of great ways to do network recon with ICMP
PLANS FOR PLUNDERING
• Goal – to determine which protocols a router or firewall will block and which are allowed downstream
• Uses an IP expiry technique akin to the tracert program
  • Manipulates the TTL field of the IP header
• Sets a TTL value one greater than the number of hops taken to target firewall.
  • If packets are blocked by the firewall, they are dropped or rejected
  • If allowed, we receive an ICMP time exceeded message
WEIGH ANCHOR AND HOIST THE MIZZEN!
• First need to determine the number of hops taken to target gateway
• Utilize a Traceroute-style IP expiry scan
  • TTL count is incremented at each hop until target is reached
AVAST! THAR BE FIREWALLS OFF THE PORT BOW!
• Time to start probing the firewall
• Set TTL to one more than the hops to the firewall so our scans can reach the metric host
• If the port is open, we receive ICMP TTL expired in transit message
• No response implies the port is closed
• Repeat for every host to determine the network topology behind the firewall
SWASHBUCKLING CAN ONLY GO SO FAR
• Firewalking is very noisy
  • Router and firewall logs will pick up this kind of traffic
• Easily mitigated
  • Simply disable outbound ICMP messages (Can be problematic)
• Techniques like Idle Scanning are the way of the modern network ninja
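The point above that router and firewall logs pick up this kind of traffic, as an added example that is not part of the original slides: it flags sources whose packets keep reaching the firewall with a near-expired TTL across several destination ports. It assumes netfilter-style LOG lines recorded at the firewall, where a probe sent with a TTL one greater than the hop count arrives with TTL 2; the sample lines, addresses, function name and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the netfilter LOG style (not from the original slides).
# Addresses come from the documentation ranges; host name and ports are made up.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=2 PROTO=TCP SPT=40001 DPT=22
Jan 10 10:00:02 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51514 DPT=443
Jan 10 10:07:31 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=2 PROTO=TCP SPT=40002 DPT=25
Jan 10 10:15:12 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=2 PROTO=TCP SPT=40003 DPT=80
Jan 10 10:15:40 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.99 DST=192.0.2.10 LEN=60 TTL=1 PROTO=UDP SPT=33000 DPT=33434
Jan 10 10:22:55 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=2 PROTO=TCP SPT=40004 DPT=443
Jan 10 10:23:00 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TTL=bad PROTO=TCP SPT=51515 DPT=443
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs of a LOG record


def find_firewalk_sources(log_text, max_ttl=2, min_targets=4):
    """Map each suspicious source to the (dst, port) pairs it probed.

    A source is suspicious when at least min_targets distinct (dst, port)
    pairs were hit by packets that reached the firewall with TTL <= max_ttl,
    i.e. packets built to expire just behind the firewall.
    (Hypothetical helper; both thresholds are assumptions to tune per site.)
    """
    probed = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not f.keys() >= {"SRC", "DST", "TTL", "DPT"}:
            continue  # ICMP or truncated record: no port to attribute
        if not (f["TTL"].isdigit() and f["DPT"].isdigit()):
            continue  # malformed record, skip instead of crashing
        if int(f["TTL"]) <= max_ttl:
            probed[f["SRC"]].add((f["DST"], int(f["DPT"])))
    return {s: sorted(t) for s, t in probed.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for src, targets in find_firewalk_sources(SAMPLE_LOG).items():
        print(src, "low-TTL probes to", targets)
```

Counting over the whole log instead of a short time window keeps probes that are spaced minutes apart in the same tally.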
IMPROVING OUR SWAG
• Targeted scans
  • Don’t just knock on every port.
• Significant delay between scans
  • Don’t need to know all the information immediately.
• Use other hosts to perform the scan
  • Plenty of websites out there to perform the scan for you
  • IP spoofing techniques
• Throw stealth out the window and blast the whole network with a billion other hazardous packets
  • No SA has time to go through a hyper saturated log
QUESTIONS/COMMENTS