FIREWALKING

Upload: grant-floyd

Post on 30-Dec-2015


KNOW YOUR ENEMY: FIREWALLS

• What is a firewall?

• A device or set of devices designed to permit or deny network transmissions based upon a set of rules

• Used for protection of networks from external threats by denying unauthorized traffic

• Considered a first line of defense

• Some consider it the only defense necessary (lulz)

THE PAST AND PRESENT

• Emerged in the late 80s, during the wild west days of the Internet

• First paper published in '88 by Digital Equipment Corporation (DEC)

• First Gen – Packet Filters

• Inspect network packets using a metric

• Drops/rejects packets upon detection

• No concept of connection state

• Most work is between the network and physical layers with a splash of transport layer

• Filters packets based on protocol/port number

MORE PAST AND PRESENT

• Second Gen – Stateful Filters

• All the work of first gen firewalls but now with more transport layer

• Examine each packet as well as its position in the data stream

• Records the “state” of the connection

• Start of a new connection

• Ending a connection

• Somewhere between

EVEN MORE PAST AND PRESENT

• Third Gen – Application Layer

• Provides a great affinity for certain applications and protocols

• Unwanted protocol detection sneaking through a non-standard port

• Detection of protocol abuse, e.g. DDoS

• Deep packet inspection

• Some integrate the identity of users into rule set

• Bind ID to IP or MAC address (Not the best way)

• Authpf on BSD systems loads firewall rules per user after SSH authentication

APPLICATION LAYER FIREWALLS CONT.

• Exist on the application layer of the TCP/IP stack

• Can detect network worms

• Hook socket calls to determine whether a process should accept a connection

• Allow/block on a process basis

• Most commonly seen with a packet filter

• Filtering is only determined via rule sets still

• Unable to defend against modification of the process via exploitation

FIREWALL SPECIES

• Packet filters

• Can be stateless or stateful

• Application Layer

• Per process filtering

• Proxies

• Make life a little more difficult but can be dealt with

• NATs

• Firewalls use the “private address range” in NATs

• Used to hide the true address of a protected host

• Very annoying when doing network reconnaissance

PUTTING THE IP BACK IN HIP

• Network layer protocol

• Used for host addressing and routing

• Consists of a header and a payload

• Header contains values for source and destination address, as well as other data including TTL

OUR MAN ON THE INSIDE: ICMP

• One of the core protocols in the Internet Protocol Suite

• Exists in the Internet Layer

• Generally used for sending error messages

• Lots of great ways to do network recon with ICMP

PLANS FOR PLUNDERING

• Goal – to determine which protocols a router or firewall will block and which are allowed downstream

• Uses an IP expiry technique akin to the tracert program

• Manipulates the TTL field of the IP header

• Sets a TTL value one greater than the number of hops taken to target firewall.

• If packets are blocked by the firewall, they are dropped or rejected

• If allowed, we receive an ICMP time exceeded message

WEIGH ANCHOR AND HOIST THE MIZZEN!

• First need to determine the number of hops taken to target gateway

• Utilize a Traceroute-style IP expiry scan

• TTL count is incremented at each hop until target is reached

AVAST! THAR BE FIREWALLS OFF THE PORT BOW!

• Time to start probing the firewall

• Set TTL to one more than the hops to the firewall so our scans can reach the metric host

• If the port is open, we receive an ICMP TTL expired in transit message

• No response implies the port is closed

• Repeat for every host to determine the network topology behind the firewall
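The hop-discovery and probing steps above, as an added illustration that is not part of the original deck: a small Python model of the path between a scanner and a protected network. Every hop decrements TTL like an IP router, one hop carries the firewall's allowed-port set, and the `block_outbound_icmp` flag models the mitigation the deck discusses (the firewall refusing to pass ICMP time-exceeded messages back out). The `Hop` class, the hop names, the port set and the ordering assumption that a packet expires at a hop before that hop's forwarding rule set is consulted (the order Linux `ip_forward()` uses) are all assumptions of this model, not anything from the deck. No packets are sent; the point is to show why TTL must be exactly hops + 1, and why silence is never proof of a closed port.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


# Hypothetical model (not real networking code) of the path between a scanner
# and a protected network. Every Hop decrements TTL like an IP router; the Hop
# whose `allowed` set is not None plays the firewall and forwards only those
# destination ports. `block_outbound_icmp` is the mitigation from the deck:
# the firewall refuses to pass ICMP time-exceeded messages back out.
@dataclass
class Hop:
    name: str
    allowed: Optional[Set[int]] = None
    block_outbound_icmp: bool = False


def send_probe(path: List[Hop], ttl: int, dst_port: int) -> str:
    """Return what the sender observes for one probe with this TTL and port."""
    for i, hop in enumerate(path):
        ttl -= 1
        if ttl == 0:
            # The packet expires at this hop. Assumption: expiry is handled
            # before the forwarding ACL is consulted (the order Linux
            # ip_forward() uses), so even the firewall itself answers here.
            if any(h.block_outbound_icmp for h in path[:i]):
                return "no response (ICMP suppressed)"
            return f"time exceeded from {hop.name}"
        if hop.allowed is not None and dst_port not in hop.allowed:
            return "no response (filtered)"  # silent drop at the firewall
    return "delivered"


def hops_to(path: List[Hop], target_name: str, dst_port: int = 80,
            max_ttl: int = 30) -> Optional[int]:
    """Traceroute-style IP expiry: raise TTL until `target_name` answers."""
    for ttl in range(1, max_ttl + 1):
        if send_probe(path, ttl, dst_port) == f"time exceeded from {target_name}":
            return ttl
    return None


def firewalk(path: List[Hop], firewall_name: str, ports: List[int]) -> Dict[int, str]:
    """Probe each port with TTL = hops-to-firewall + 1 and read the ACL off the replies."""
    hops = hops_to(path, firewall_name)
    if hops is None:
        raise ValueError(f"{firewall_name} never answered an expiry probe")
    ttl = hops + 1  # expire one hop past the firewall, at the "metric host"
    verdict = {}
    for port in ports:
        reply = send_probe(path, ttl, port)
        # Only a time-exceeded from beyond the firewall proves the rule set let
        # the port through; silence is ambiguous (filtered, or ICMP suppressed).
        verdict[port] = "allowed" if reply.startswith("time exceeded") else "no evidence"
    return verdict


# Constructed topology: three hops to the firewall, one host behind it.
OPEN_PATH = [Hop("isp-router"), Hop("edge-router"),
             Hop("firewall", allowed={80, 443}), Hop("inside-host")]
# Same topology with the deck's mitigation applied at the firewall.
MITIGATED_PATH = [Hop("isp-router"), Hop("edge-router"),
                  Hop("firewall", allowed={80, 443}, block_outbound_icmp=True),
                  Hop("inside-host")]

if __name__ == "__main__":
    print("hops to firewall:", hops_to(OPEN_PATH, "firewall"))
    print("unmitigated:", firewalk(OPEN_PATH, "firewall", [22, 80, 443, 3389]))
    print("mitigated:  ", firewalk(MITIGATED_PATH, "firewall", [22, 80, 443, 3389]))
```

Running it against `OPEN_PATH` reports ports 80 and 443 as allowed and nothing for 22 and 3389; against `MITIGATED_PATH` every port comes back "no evidence", because the only signal the technique has is an ICMP message originating behind the firewall, and the firewall now swallows it. With TTL equal to the hop count rather than hop count + 1, the probe expires at the firewall itself and the reply says nothing about its rule set, which is why the deck insists on the extra hop.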

SWASHBUCKLING CAN ONLY GO SO FAR

• Firewalking is very noisy

• Router and firewall logs will pick up this kind of traffic

• Easily mitigated

• Simply disable outbound ICMP messages (Can be problematic)

• Techniques like Idle Scanning are the way of the modern network ninja
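The deck's point that router and firewall logs pick this traffic up, as an added example that is not part of the original: a Python detector run over constructed iptables `LOG`-format lines (the `FWLOG` prefix, the addresses and the timestamps are all made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges). Firewalk probes share a signature that ordinary traffic does not: they reach the firewall about to expire, and one source spreads them across many destination ports. A single low-TTL packet per port is what a normal traceroute looks like, so the detector keys on the number of distinct ports rather than on low TTL alone.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample lines in the iptables LOG format (not a real capture).
# Assumption: the rule logs in the FORWARD chain, where Linux has already
# decremented the TTL, so a probe meant to expire at the hop just behind the
# firewall shows TTL=1. Ordinary clients arrive with TTL in the tens.
SAMPLE_LOG = """\
Jan  1 10:00:01 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.5.20 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=1001 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:02 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.5.20 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=1002 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:03 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.5.20 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=1003 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:04 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.5.20 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=1004 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:05 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.5.20 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=1005 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:06 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.5.20 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=1006 PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:07 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.5.20 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=1007 PROTO=TCP SPT=40007 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:09 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=10.0.5.20 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=2001 PROTO=UDP SPT=41000 DPT=33434 LEN=8
Jan  1 10:00:10 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=10.0.5.20 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=3001 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  1 10:00:11 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=10.0.5.21 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=3002 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  1 10:00:12 fw kernel: FWLOG IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.5.20 LEN=84 TOS=0x00 PREC=0x00 TTL=1 ID=1008 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jan  1 10:00:13 fw sshd[123]: Accepted publickey for ops from 10.0.5.2
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_iptables_log(line: str) -> Optional[dict]:
    """Pull the KEY=value pairs out of one kernel log line; None if it is not a LOG entry."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields or "TTL" not in fields:
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "ttl": int(fields["TTL"]),
        "proto": fields.get("PROTO"),
        # ICMP entries carry no DPT; they cannot contribute a port to the count.
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def find_firewalk_sources(lines: List[str], max_ttl: int = 2,
                          min_ports: int = 5) -> Dict[str, List[int]]:
    """Flag sources whose about-to-expire packets hit many distinct ports.

    max_ttl: TTL at or below which a forwarded packet counts as 'about to
             expire' (1 if the log line reflects the post-decrement value).
    min_ports: distinct destination ports before a source is reported;
             a normal traceroute stays on one port and is not flagged.
    """
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_iptables_log(line)
        if rec is None or rec["dpt"] is None:
            continue
        if rec["ttl"] <= max_ttl:
            ports_by_src[rec["src"]].add(rec["dpt"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_firewalk_sources(SAMPLE_LOG.splitlines()).items():
        print(f"possible firewalk from {src}: low-TTL probes on ports {ports}")
```

On the sample, only 203.0.113.9 is reported, with the seven ports it swept; the single-port UDP traceroute from 198.51.100.4 and the normal TTL-57 sessions from 203.0.113.77 fall below the thresholds. The deck's evasion slide (spacing probes out, spreading them across hosts) is exactly what erodes a count-per-source rule like this, so in practice the window and `min_ports` need tuning against the baseline of the network, and the outbound time-exceeded messages the firewall itself emits are the complementary signal worth logging.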

IMPROVING OUR SWAG

• Targeted scans

• Don’t just knock on every port.

• Significant delay between scans

• Don’t need to know all the information immediately.

• Use other hosts to perform the scan

• Plenty of websites out there to perform the scan for you

• IP spoofing techniques

• Throw stealth out the window and blast the whole network with a billion other hazardous packets

• No SA has time to go through a hyper saturated log

QUESTIONS/COMMENTS

RESOURCES

• http://en.wikipedia.org/wiki/Firewall_%28computing%29

• http://www.freesoft.org/CIE/Course/Section3/7.htm

• http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

• http://www.techrepublic.com/article/use-firewalk-in-linuxunix-to-verify-acls-and-check-firewall-rule-sets/5055357

• http://www.vesaria.com/Firewall/Testing/eye_of_hacker.php

• http://www.Insecure.org/

• http://video.google.com/videoplay?docid=8220256903673801959