© 1998-1999 Mike D. Schiffman

Synopsis
Introduction
Overview
Impetus
Internals
Implementation
Risk Mitigation
Futures
Introduction
Firewalking:
• "Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device."
Terminology
ACL
router/gateway
firewall
Slightly more detail
Map `pass-through` ports
• Determine gateway ACLs
• Map hosts behind filtering gateways
Importance
Network reconnaissance
• Network mapping
• Security auditing
Base concepts
Traceroute
Network discovery tool
UDP packets
IP TTL
• Monotonic increments
Sample network
[Diagram: the sample network used throughout the talk; hosts source, deutch, mccone, tenet, gates, turner, webster, dulles, helms, colby, casey, bush, kerr and destination.]

Sample traceroute
[Diagram: a traceroute across the sample network, with the IP TTL values 1, 2, 3, 4, 5 marked along the path from source to destination.]
Info recon using traceroute
Protocol subterfuge
Nascent port seeding
• View hosts behind a firewall
Protocol subterfuge

zuul:~> traceroute 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
 2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
 3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
 4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
 5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
 6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
 7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
 8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
 9  * * *
10  * * *

zuul:~> traceroute -I 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
 2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
 3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
 4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
 5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
 6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
 7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
 8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
 9  10.0.0.9 (10.0.0.9)  94.127 ms  81.764 ms  96.476 ms
10  10.0.0.10 (10.0.0.10)  96.012 ms  98.224 ms  99.312 ms
Nascent port seeding 1

zuul:~> traceroute 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
 2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
 3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
 4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
 5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
 6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
 7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
 8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
 9  * * *
10  * * *
p0 = (p - (hops * probes)) - 1
28 = (53 - (8 * 3)) - 1

Here p is the port we want the probe to arrive on (53), hops is the hopcount of the last responding gateway (8) and probes is the number of probes traceroute sends per hop (3). Traceroute increments the UDP destination port by one for every probe it sends, so seeding it with base port 28 makes the first probe past hop 8 land on port 53.
Nascent port seeding 2

zuul:~> traceroute -p28 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1  10.0.0.1 (10.0.0.1)  0.501 ms  0.399 ms  0.395 ms
 2  10.0.0.2 (10.0.0.2)  2.433 ms  2.940 ms  2.481 ms
 3  10.0.0.3 (10.0.0.3)  4.790 ms  4.830 ms  4.885 ms
 4  10.0.0.4 (10.0.0.4)  5.196 ms  5.127 ms  4.733 ms
 5  10.0.0.5 (10.0.0.5)  5.650 ms  5.551 ms  6.165 ms
 6  10.0.0.6 (10.0.0.6)  7.820 ms  20.554 ms  19.525 ms
 7  10.0.0.7 (10.0.0.7)  88.552 ms  90.006 ms  93.447 ms
 8  10.0.0.8 (10.0.0.8)  92.009 ms  94.855 ms  88.122 ms
 9  10.0.0.9 (10.0.0.9)  101.163 ms  * *
10  * * *
Logical progression
Traceroute works at the IP layer
• Any protocol on top of IP can be used
Prohibitive filter on a gateway
• Causes probes to be dropped
We can determine the last host that responded
• Different protocols
• `Waypoint` host
Firewalking basics 1
Firewalking requires 3 hosts
• The firewalking host
• The gateway host
 – The waypoint host from above
• The destination host
 – The host that sends the terminal packet in a traceroute scan
 – Must be `behind` the gateway host
 – Used to direct the scan, never contacted
Firewalking basics 2
A packet is sent to (towards) the destination host
A timer is set
• If we get a response before the timer expires, the port is open
• If we do not, the port is probably closed
Repeat for all interesting ports/protocols
Firewalk internals 1
2 phases
• Network discovery phase
• Scanning phase
Network discovery phase
• Required to get the correct TTL
• `TTL ramping` a la traceroute towards the destination host
 – This host is never contacted
• When the gateway hopcount is determined, the scan is `bound`.
Firewalk internals 2
Scanning phase
• Send a packet towards the destination
 – Packet is set to expire 1 hop (by default) past the gateway
• Set a timer and listen for a response
 – If a response is received before the timer expires, the protocol in question is allowed through
 – If not, it is probably denied by the gateway (maybe)
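The two phases above, and the false-negative and slow-walk cases discussed later in the talk, as an added pure-Python model (not code from the talk or from the firewalk tool). The path, its ACLs and the TTL-expiry behaviour are assumptions constructed for this example; nothing is sent on the wire.

```python
# Added model, not the firewalk tool: the two scan phases run over a constructed
# path. Host names are borrowed from the talk's sample network; the ACLs on each
# hop are invented for this example.

# Hop list, index 1 = first router. Each entry: (name, set of (proto, port) that
# the hop's ACL drops). An empty set forwards everything.
PATH = [
    ("deutch", set()),
    ("tenet", set()),
    ("turner", {("udp", 161)}),              # intermediate filter: drops SNMP
    ("helms", {("tcp", 23), ("udp", 137)}),  # target gateway: drops telnet, NetBIOS
    ("casey", set()),                        # host behind the gateway
]
TARGETS = [("udp", 53), ("udp", 137), ("tcp", 23), ("udp", 161), ("tcp", 25)]

def send_probe(proto, port, ttl):
    """One probe with the given TTL. Returns the hop number that answered with
    ICMP TTL-exceeded, or None if a hop's ACL dropped the probe first.
    Assumed simplification: a hop where the TTL expires always answers."""
    for hop, (_, drops) in enumerate(PATH, start=1):
        if ttl == hop:
            return hop                 # TTL hits zero: ICMP type 11 comes back
        if (proto, port) in drops:
            return None                # silently filtered: the timer will expire
    return None                        # walked off the end of the path

def phase1_bind(gateway, max_ttl=30):
    """Network discovery: TTL ramping a la traceroute until the gateway itself
    answers. Returns its hopcount, which 'binds' the scan."""
    for ttl in range(1, max_ttl + 1):
        hop = send_probe("udp", 33434, ttl)
        if hop is not None and PATH[hop - 1][0] == gateway:
            return hop
    raise RuntimeError("gateway never answered; cannot bind the scan")

def phase2_scan(bound, targets):
    """Scanning: each probe expires one hop past the gateway. A reply means the
    gateway passed it; silence means filtered somewhere up to the gateway."""
    return {t: send_probe(*t, bound + 1) is not None for t in targets}

def slow_walk(gateway, targets):
    """Firewalk every hop up to the gateway and report the first hop that drops
    each target, or None if all of them pass it."""
    bound = phase1_bind(gateway)
    return {t: next((h for h in range(1, bound + 1)
                     if send_probe(*t, h + 1) is None), None)
            for t in targets}
```

With this path, phase 2 bound at helms reports UDP/161 as filtered even though helms passes it (the drop happens at turner); slow_walk attributes the drop to hop 3 instead.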
Firewalking diagram
[Diagram: firewalking host (hop 0) → Internet → packet filter (hop n) → destination host (hop n + m, m > 1).]

Sample firewalk: phase 1
[Diagram: the sample network with the hosts source, turner, helms and destination highlighted (casey, bush and kerr behind the gateway); IP TTL 1, 2, 3 is marked along the path and the scan is bound at 3 hops.]
Sample firewalk: phase 2
UDP/53
UDP/137
TCP/23
UDP/161
TCP/25
Nothing is ever as simple as it seems
[Diagram, false negative scenario: firewalking host (hop 0) → Internet → packet filter → packet filter (hop n) → destination host (hop n + m, m > 1); packets are dropped at the first packet filter instead of at the target filter further down.]
False negative circumvention
`Slow walk`
• Firewalk each hop en route to the target
• If a probe is shown to be filtered on an intermediate gateway, that protocol/port cannot be scanned any further on that route
Risk mitigation
Block egress ICMP TTL expired in transit messages
NAT or proxy servers can remove the threat of firewalking
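Alongside the mitigations above, the scanning phase has a recognisable shape in a packet filter's own log: one source sends many protocol/port pairs with a single small arriving TTL (a probe built to expire one hop past the gateway arrives at the gateway with TTL 2). The detector below is an added example, not from the talk; the log format, field names and addresses are constructed for it.

```python
# Added example (not from the talk): flag the scanning-phase pattern in a packet
# filter's log. Log format and addresses are constructed; adapt LINE to your filter.
import re
from collections import defaultdict

# Constructed log lines. ttl is the TTL as it arrives at the filter; the scanning
# phase reuses one small TTL across many protocol/port pairs from one source.
LOG = """\
12:00:01 src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=443 ttl=57
12:00:02 src=198.51.100.7 dst=10.0.0.10 proto=udp dport=53 ttl=2
12:00:02 src=198.51.100.7 dst=10.0.0.10 proto=udp dport=137 ttl=2
12:00:02 src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=23 ttl=2
12:00:03 src=198.51.100.7 dst=10.0.0.10 proto=udp dport=161 ttl=2
12:00:03 src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=25 ttl=2
12:00:04 src=192.0.2.9 dst=10.0.0.10 proto=udp dport=33435 ttl=2
12:00:05 src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=443 ttl=57
"""

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=\S+ proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) ttl=(?P<ttl>\d+)$")

def parse(text):
    """Yield (src, ttl, (proto, dport)) for every well-formed line; skip junk."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m["src"], int(m["ttl"]), (m["proto"], int(m["dport"]))

def find_firewalk_sources(text, max_ttl=2, min_targets=4):
    """Return {src: sorted (proto, dport) list} for sources that hit at least
    min_targets distinct protocol/port pairs using one small arriving TTL.
    A lone low-TTL packet (an ordinary traceroute probe) does not trigger."""
    seen = defaultdict(set)
    for src, ttl, target in parse(text):
        if ttl <= max_ttl:
            seen[(src, ttl)].add(target)
    return {src: sorted(targets) for (src, _), targets in seen.items()
            if len(targets) >= min_targets}
```

Lower min_targets to catch slower scans at the cost of flagging plain traceroutes, and pair the rule with the egress ICMP type 11 block above so that a flagged scan also learns nothing.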
Futures
More protocols to scan with
More intelligence on the part of the scan
• Make the program understand different packet types and what types of terminal packets it might get
Efficiency
Portability
A better, more stable GUI
Web resources
http://www.packetfactory.net
• firewalk
• tracerx
• libnet
• [email protected]