FIREWALKING
KNOW YOUR ENEMY: FIREWALLS
• What is a firewall?
• A device or set of devices designed to permit or deny network transmissions based upon a set of rules
• Used for protection of networks from external threats by denying unauthorized traffic
• Considered a first line of defense
• Some consider it the only defense necessary (lulz)
THE PAST AND PRESENT
• Emerged during the late 80s during the wild west days of the Internet
• First paper published in 1988 from Digital Equipment Corporation (DEC)
• First Gen – Packet Filters
• Inspect network packets using a metric
• Drops/rejects packets upon detection
• No concept of connection state
• Most work is between the network and physical layers with a splash of transport layer
• Filters packets based on protocol/port number
MORE PAST AND PRESENT
• Second Gen – Stateful Filters
• All the work of first gen firewalls but now with more transport layer
• Examine each packet as well as its position in the data stream
• Records the “state” of the connection
• Start of a new connection
• Ending a connection
• Somewhere between
EVEN MORE PAST AND PRESENT
• Third Gen – Application Layer
• Provides a great affinity for certain applications and protocols
• Detects unwanted protocols sneaking through on a non-standard port
• Detection of protocol abuse, e.g. DDoS
• Deep packet inspection
• Some integrate the identity of users into rule set
• Bind ID to IP or MAC address (Not the best way)
• Authpf on BSD systems loads firewall rules per user after SSH authentication
APPLICATION LAYER FIREWALLS CONT.
• Exist on the application layer of the TCP/IP stack
• Can detect network worms
• Hook socket calls to determine whether a process should accept a connection
• Allow/block on a per-process basis
• Most commonly seen together with a packet filter
• Filtering is still only determined via rule sets
• Unable to defend against modification of the process via exploitation
FIREWALL SPECIES
• Packet filters
• Can be stateless or stateful
• Application Layer
• Per process filtering
• Proxies
• Make life a little more difficult but can be dealt with
• NATs
• Firewalls use the “private address range” in NATs
• Used to hide the true address of a protected host
• Very annoying when doing network reconnaissance
PUTTING THE IP BACK IN HIP
• Network layer protocol
• Used for host addressing and routing
• Consists of a header and a payload
• Header contains values for source and destination address, as well as other data including TTL
OUR MAN ON THE INSIDE: ICMP
• One of the core protocols in the Internet Protocol Suite
• Exists in the Internet Layer
• Generally used for sending error messages
• Lots of great ways to do network recon with ICMP
PLANS FOR PLUNDERING
• Goal – to determine which protocols a router or firewall will block and which are allowed downstream
• Uses an IP expiry technique akin to the tracert program
• Manipulates the TTL field of the IP header
• Sets a TTL value one greater than the number of hops taken to the target firewall
• If packets are blocked by the firewall, they are dropped or rejected and nothing comes back
• If allowed, the packet expires at the hop behind the firewall and we receive an ICMP time exceeded message
WEIGH ANCHOR AND HOIST THE MIZZEN!
• First need to determine the number of hops taken to the target gateway
• Utilize a Traceroute-style IP expiry scan
• The TTL of successive probes is incremented by one at each hop until the target is reached
AVAST! THAR BE FIREWALLS OFF THE PORT BOW!
• Time to start probing the firewall
• Set TTL to one more than the hops to the firewall so our scans can reach the metric host
• If the port is open, we receive an ICMP TTL expired in transit message
• No response implies the port is closed (blocked at the firewall)
• Repeat for every host to determine the network topology behind the firewall
SWASHBUCKLING CAN ONLY GO SO FAR
• Firewalking is very noisy
• Router and firewall logs will pick up this kind of traffic
• Easily mitigated
• Simply disable outbound ICMP messages (can be problematic)
• Techniques like Idle Scanning are the way of the modern network ninja
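The probing sequence above (low TTL, one probe per port, ICMP time exceeded as the tell) and the claim that firewall logs will pick it up, as an added example that is not part of the original slides: a heuristic detector run over constructed iptables-style LOG lines. It assumes that log format, and the thresholds chosen here (TTL of 2 or less on arrival at the firewall, five or more distinct ports from one source) are assumptions to tune per network.

```python
# Added example (not from the slides): flag firewalking-style probes in
# iptables-style LOG lines. Firewalk packets reach the firewall with a TTL
# that expires one or two hops downstream, and sweep many ports from one source.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?TTL=(?P<ttl>\d+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

# Constructed sample log: a probe sweep from 203.0.113.5 (TTL=2 at the
# firewall), a normal client (TTL=56) and a single traceroute-style ICMP probe.
SAMPLE_LOG = """\
IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.0.20 LEN=40 TTL=2 ID=1 PROTO=TCP SPT=40001 DPT=21 SYN
IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.0.20 LEN=40 TTL=2 ID=2 PROTO=TCP SPT=40002 DPT=22 SYN
IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.0.20 LEN=40 TTL=2 ID=3 PROTO=TCP SPT=40003 DPT=25 SYN
IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.0.20 LEN=40 TTL=2 ID=4 PROTO=TCP SPT=40004 DPT=80 SYN
IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.0.20 LEN=40 TTL=2 ID=5 PROTO=TCP SPT=40005 DPT=443 SYN
IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.20 LEN=52 TTL=56 ID=6 PROTO=TCP SPT=51000 DPT=443 SYN
IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.20 LEN=52 TTL=56 ID=7 PROTO=TCP SPT=51001 DPT=80 SYN
IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.0.0.21 LEN=84 TTL=1 ID=8 PROTO=ICMP TYPE=8 CODE=0
"""

def parse_log(lines):
    """Yield the fields of each line that matches the LOG format."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()

def detect_firewalk(lines, max_ttl=2, min_ports=5):
    """Return sources whose packets all arrive with TTL <= max_ttl (so they
    expire just past this device) and that probed at least min_ports ports.
    A lone low-TTL packet (plain traceroute) does not qualify."""
    by_src = defaultdict(lambda: {"ports": set(), "ttls": []})
    for rec in parse_log(lines):
        entry = by_src[rec["src"]]
        entry["ttls"].append(int(rec["ttl"]))
        if rec["dpt"] is not None:
            entry["ports"].add(int(rec["dpt"]))
    findings = []
    for src, entry in by_src.items():
        if max(entry["ttls"]) <= max_ttl and len(entry["ports"]) >= min_ports:
            findings.append({"src": src, "ttl": max(entry["ttls"]),
                             "ports": sorted(entry["ports"])})
    return findings
```

Only the port-sweeping low-TTL source is reported; the ordinary client and the single ICMP traceroute probe are left alone.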
IMPROVING OUR SWAG
• Targeted scans
• Don’t just knock on every port.
• Significant delay between scans
• Don’t need to know all the information immediately.
• Use other hosts to perform the scan
• Plenty of websites out there to perform the scan for you
• IP spoofing techniques
• Throw stealth out the window and blast the whole network with a billion other hazardous packets
• No SA has time to go through a hyper saturated log
QUESTIONS/COMMENTS
RESOURCES
• http://en.wikipedia.org/wiki/Firewall_%28computing%29
• http://www.freesoft.org/CIE/Course/Section3/7.htm
• http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
• http://www.techrepublic.com/article/use-firewalk-in-linuxunix-to-verify-acls-and-check-firewall-rule-sets/5055357
• http://www.vesaria.com/Firewall/Testing/eye_of_hacker.php
• http://www.Insecure.org/
• http://video.google.com/videoplay?docid=8220256903673801959