© 1998-1999 mike d. schiffman. synopsis introduction overview impetus internals implementation...
![Page 1: © 1998-1999 Mike D. Schiffman. Synopsis Introduction Overview Impetus Internals Implementation Risk Mitigation Futures](https://reader035.vdocuments.net/reader035/viewer/2022062806/5697bf731a28abf838c7f367/html5/thumbnails/1.jpg)
© 1998-1999 Mike D. Schiffman
Synopsis
• Introduction
• Overview
• Impetus
• Internals
• Implementation
• Risk Mitigation
• Futures
Introduction
Firewalking:
• "Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device."
Terminology
• ACL
• router/gateway
• firewall
Slightly more detail
• Map `pass-through` port
• Determine gateway ACLs
• Map hosts behind filtering gateways
Importance
• Network reconnaissance
• Network mapping
• Security auditing
Base concepts
• Traceroute
  – Network discovery tool
  – UDP packets
  – IP TTL
    • Monotonic increments
Sample network (diagram: a topology running from source to destination through the hosts deutch, mccone, tenet, gates, turner, webster, dulles, helms, colby, casey, bush and kerr)
Sample traceroute (diagram: the same sample network, with IP TTL values 1, 2, 3, 4, 5 marked hop by hop along the path from source towards destination)
Info recon using traceroute
• Protocol subterfuge
• Nascent port seeding
• View hosts behind a firewall
Protocol subterfuge

```
zuul:~> traceroute 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
 2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
 3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
 4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
 5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
 6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
 7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
 8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
 9  * * *
10  * * *
```

```
zuul:~> traceroute -I 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
 2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
 3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
 4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
 5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
 6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
 7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
 8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
 9  10.0.0.9 (10.0.0.9)  94.127 ms  81.764 ms  96.476 ms
10  10.0.0.10 (10.0.0.10)  96.012 ms  98.224 ms  99.312 ms
```
Nascent port seeding 1

```
zuul:~> traceroute 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
 2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
 3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
 4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
 5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
 6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
 7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
 8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
 9  * * *
10  * * *
```

```
p0 = (p - (hops * probes)) - 1
28 = (53 - (8 * 3)) - 1
```

Here p is the port the probe should carry when it reaches the hop past the last responder (53), hops is the number of hops that answered (8) and probes is the number of probes sent per hop (3), which gives a starting port p0 of 28.
Nascent port seeding 2

```
zuul:~> traceroute -p28 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1  10.0.0.1 (10.0.0.1)  0.501 ms  0.399 ms  0.395 ms
 2  10.0.0.2 (10.0.0.2)  2.433 ms  2.940 ms  2.481 ms
 3  10.0.0.3 (10.0.0.3)  4.790 ms  4.830 ms  4.885 ms
 4  10.0.0.4 (10.0.0.4)  5.196 ms  5.127 ms  4.733 ms
 5  10.0.0.5 (10.0.0.5)  5.650 ms  5.551 ms  6.165 ms
 6  10.0.0.6 (10.0.0.6)  7.820 ms  20.554 ms  19.525 ms
 7  10.0.0.7 (10.0.0.7)  88.552 ms  90.006 ms  93.447 ms
 8  10.0.0.8 (10.0.0.8)  92.009 ms  94.855 ms  88.122 ms
 9  10.0.0.9 (10.0.0.9)  101.163 ms  * *
10  * * *
```
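The port arithmetic on the two "Nascent port seeding" slides, worked through as an added illustration (this is not code from the slides or from the firewalk project). It assumes the classic BSD traceroute behaviour the slides rely on: probe number seq, counted from 1 across the whole run, carries UDP destination port base_port + seq, and three probes are sent per TTL value. The function names and the captured probe list used below are my own. Beyond the slide's single calculation, `infer_base_port` is the analyst's inverse: from the (TTL, destination port) pairs seen in a capture it recovers the `-p` value, which tells you whether a traceroute seen at your border was seeded so that a particular service port would arrive at a particular hop.

```python
# Traceroute destination-port arithmetic behind the "Nascent port seeding" slides.
# Added illustration, not code from the slides or the firewalk project.  Assumption: the
# classic BSD traceroute behaviour the slides rely on, where probe number `seq` (counted
# from 1 across the whole run) carries UDP destination port base_port + seq, with
# `probes` probes sent per TTL value.

DEFAULT_BASE_PORT = 33434  # traceroute's default starting port (32768 + 666)


def probe_port(base_port, hop, probe, probes=3):
    """Destination port of probe `probe` (1-based) sent with TTL `hop`."""
    if hop < 1 or not 1 <= probe <= probes:
        raise ValueError("hop is 1-based and probe must be in 1..probes")
    return base_port + (hop - 1) * probes + probe


def ports_by_hop(base_port, max_hop, probes=3):
    """Ports consumed at each TTL, hop 1..max_hop, as {hop: [ports]}."""
    return {hop: [probe_port(base_port, hop, k, probes) for k in range(1, probes + 1)]
            for hop in range(1, max_hop + 1)}


def seed_port(target_port, hops, probes=3):
    """The slide's p0 = (p - (hops * probes)) - 1: the -p value that makes the first probe
    sent with TTL hops+1 (the hop past the last responder) carry `target_port`."""
    p0 = (target_port - hops * probes) - 1
    if p0 < 1:
        raise ValueError("target port is too low to be reached by seeding at this hop count")
    return p0


def infer_base_port(observed, probes=3):
    """Analyst's inverse: recover the base port from probes seen in a capture, given as
    (ttl, dport) pairs in send order.  Returns None if the ports do not follow the
    traceroute sequence (e.g. the capture is not a single seeded traceroute run)."""
    seen_per_ttl = {}
    base = None
    for ttl, dport in observed:
        probe = seen_per_ttl.get(ttl, 0) + 1
        seen_per_ttl[ttl] = probe
        if probe > probes:
            return None
        candidate = dport - ((ttl - 1) * probes + probe)
        if base is None:
            base = candidate
        elif candidate != base:
            return None
    return base


if __name__ == "__main__":
    # The slide's numbers: eight hops answered, three probes each, port 53 wanted at hop 9.
    p0 = seed_port(53, 8)
    print("seed port:", p0)                              # 28
    print("ports at hop 9:", ports_by_hop(p0, 9)[9])     # [53, 54, 55]
    # A constructed capture of the first two hops of a run seeded with -p28.
    print("inferred base:", infer_base_port([(1, 29), (1, 30), (1, 31), (2, 32)]))  # 28
```

Only the first probe at hop 9 carries port 53; the second and third carry 54 and 55, which is why the seeded run on the slide shows one reply at hop 9 followed by two timeouts.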
Logical progression
• Traceroute works at the IP layer
  – Any protocol on top of IP can be used
• Prohibitive filter on a gateway
  – Causes probes to be dropped
• We can determine the last host that responded
  – Different protocols
  – 'Waypoint' host
Firewalking basics 1
• Firewalking requires 3 hosts
  – The firewalking host
  – The gateway host
    • The waypoint host from above
  – The destination host
    • The host that sends the terminal packet in a traceroute scan
    • Must be 'behind' the gateway host
    • Used to direct the scan, never contacted
Firewalking basics 2
• A packet is sent to (towards) the destination host
• A timer is set
  – If we get a response before the timer expires, the port is open
  – If we do not, the port is probably closed
• Repeat for all interesting ports/protocols
Firewalk internals 1
• 2 phases
  – Network discovery phase
  – Scanning phase
• Network discovery phase
  – Required to get the correct TTL
  – `TTL ramping` à la traceroute towards destination host
    • This host is never contacted
  – When gateway hopcount is determined, scan is `bound`.
Firewalk internals 2
• Scanning phase
  – Send a packet towards destination
    • Packet is set to expire 1 hop (by default) past the gateway
  – Set a timer and listen for response
    • If response is received before timer expires, protocol in question is allowed through
    • If not it is probably denied by the gateway (maybe)
Firewalking diagram (figure: the firewalking host at hop 0, a router and the Internet, the packet filter at hop n, and the destination host at hop n + m, with m > 1)
Sample firewalk: phase 1 (diagram: TTL ramping with IP TTL 1, 2, 3 from source through turner and helms towards the destination, alongside the full sample network: source, deutch, mccone, tenet, gates, turner, webster, dulles, helms, colby, casey, bush, kerr, destination)
Sample firewalk: phase 2 (diagram: IP TTL bound at 3 hops on the path source, turner, helms, casey, bush, destination; probes sent for UDP/53, UDP/137, TCP/23, UDP/161 and TCP/25)
Nothing is ever as simple as it seems
False negative scenario (diagram: as in the firewalking diagram, the firewalking host at hop 0, the packet filter at hop n and the destination host at hop n + m, m > 1, but with a second packet filter between the firewalking host and the target filter; packets are dropped there instead of at the target filter further down)
False negative circumvention
• `Slow walk`
  – Firewalk each hop en route to the target
  – If a probe is shown to be filtered on an intermediate gateway, that protocol/port cannot be scanned any further on that route
Risk mitigation
• Block egress ICMP TTL expired in transit messages
• NAT or proxy servers can remove the threat of firewalking
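The following simulation is an added example, not code from the firewalk tool or from the slides. It models the two phases from the "Firewalk internals" slides, the false negative scenario with its "slow walk" circumvention, and the effect of the first "Risk mitigation" item (blocking egress ICMP TTL-expired messages). Nothing is sent on the wire: a path is a list of `Hop` objects with invented hop names, an invented gateway ACL (passing DNS, NetBIOS name service and SMTP, dropping telnet and SNMP) and the protocol/port list from the "Sample firewalk: phase 2" slide. Two modelling assumptions are mine: a hop expires a probe's TTL before applying its forwarding ACL (as an ingress TTL check would), and the mitigation flag on a hop drops TTL-expired replies that originate behind it.

```python
# Added simulation of the two-phase firewalk procedure from the "Firewalk internals" slides,
# the false-negative case with its "slow walk" circumvention, and the ICMP mitigation from
# the "Risk mitigation" slide.  Illustrative code, not the firewalk tool: nothing is sent.
# A path is a list of Hop objects; the only behaviour modelled is silent ACL drops, TTL
# expiry and the ICMP "time exceeded in transit" reply.  Hop names and ACLs are constructed.
from dataclasses import dataclass

NO_RESPONSE = None  # the scanner's timer expired without a reply


@dataclass
class Hop:
    name: str
    deny: frozenset = frozenset()           # (proto, port) pairs this hop silently drops
    block_egress_ttl_expired: bool = False  # mitigation: drop TTL-expired replies from behind


def send_probe(path, proto, port, ttl):
    """Forward one probe along `path` (hop 1 first).  Returns the name of the hop whose
    TTL-expired reply reaches the sender, or NO_RESPONSE.  Modelling assumption: a hop
    expires the TTL before applying its forwarding ACL, as an ingress TTL check would."""
    for index, hop in enumerate(path):
        ttl -= 1
        if ttl == 0:
            # The reply travels back through the hops in front of this one.
            if any(h.block_egress_ttl_expired for h in path[:index]):
                return NO_RESPONSE
            return hop.name
        if (proto, port) in hop.deny:
            return NO_RESPONSE  # prohibitive filter: probe dropped silently
    return NO_RESPONSE  # TTL outlived the path; the scan never relies on the destination


def discover_bound(path, gateway, proto="udp", port=33434, max_ttl=30):
    """Phase 1: TTL ramping towards the destination until the reply comes from the gateway."""
    for ttl in range(1, max_ttl + 1):
        if send_probe(path, proto, port, ttl) == gateway:
            return ttl
    return None


def scan(path, bound, targets):
    """Phase 2: each probe is set to expire one hop past the gateway."""
    return {(proto, port): ("allowed" if send_probe(path, proto, port, bound + 1)
                            else "no response")
            for proto, port in targets}


def slow_walk(path, bound, targets):
    """Firewalk every hop up to the gateway; report the first hop that swallows each probe
    (None if the protocol/port passes every hop up to and including the gateway)."""
    result = {}
    for proto, port in targets:
        result[(proto, port)] = None
        for hop_no in range(1, bound + 1):
            if send_probe(path, proto, port, hop_no + 1) is NO_RESPONSE:
                result[(proto, port)] = path[hop_no - 1].name
                break
    return result


# Constructed sample: the protocol/port list from the "Sample firewalk: phase 2" slide and an
# invented ACL on the gateway that passes DNS, NetBIOS name service and SMTP only.
TARGETS = [("udp", 53), ("udp", 137), ("tcp", 23), ("udp", 161), ("tcp", 25)]
GATEWAY_DENY = frozenset({("tcp", 23), ("udp", 161)})


def build_path(intermediate_deny=frozenset(), mitigate=False):
    return [
        Hop("router-a"),
        Hop("router-b", deny=intermediate_deny),  # upstream of the gateway
        Hop("gateway", deny=GATEWAY_DENY, block_egress_ttl_expired=mitigate),
        Hop("router-c"),
        Hop("destination"),
    ]


def run_scenarios():
    out = {}
    plain = build_path()
    bound = discover_bound(plain, "gateway")  # 3, matching the "bound at 3 hops" slide
    out["baseline"] = scan(plain, bound, TARGETS)
    # False negative: router-b already drops UDP/137, so the gateway's permit is never seen.
    upstream = build_path(intermediate_deny=frozenset({("udp", 137)}))
    out["false_negative"] = scan(upstream, bound, TARGETS)
    out["slow_walk"] = slow_walk(upstream, bound, TARGETS)
    # Mitigation: the gateway stops TTL-expired replies from behind it; the scan learns nothing.
    out["mitigated"] = scan(build_path(mitigate=True), bound, TARGETS)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The baseline run reports UDP/53, UDP/137 and TCP/25 as allowed and the other two as "no response", which is all the scanning host can tell apart. With the upstream drop in place UDP/137 also goes silent, and only the slow walk shows that the silence starts at router-b rather than at the gateway. With the mitigation flag set every probe in the scanning phase goes unanswered, so the ACL can no longer be read from the replies, which is the point of blocking egress TTL-expired messages at the border.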
Futures
• More protocols to scan with
• More intelligence on the part of the scan
  – Make the program understand different packet types and what types of terminal packets it might get
• Efficiency
• Portability
• A better, more stable GUI
Web resources
• http://www.packetfactory.net
  – firewalk
  – tracerx
  – libnet
• [email protected]