lptv4 module 21 firewall penetration testing_norestriction

ECSA/LPT EC-Council Module XXI: Firewall Penetration Testing

Upload: mahmoud-eladawi

Post on 08-Nov-2014


TRANSCRIPT

Page 1: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

ECSA/LPT

EC-Council Module XXI

Firewall Penetration Testing

Page 2: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Penetration Testing Roadmap

• Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing
• Cont’d

EC-Council

Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Page 3: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Penetration Testing Roadmap (cont’d)

• Cont’d
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
• End Here

Page 4: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

What is a Firewall?

A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.

A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network, such as the Internet.

Firewalls protect against hackers and malicious intruders.

It is a combination of hardware and software that separates a LAN into two or more parts for security purposes.

Page 5: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

What Does a Firewall Do?

A firewall examines all traffic routed between the two networks to see if it meets certain criteria.

It routes packets between the networks.

It filters both inbound and outbound traffic.

It manages public access to private networked resources such as host applications.

It logs all attempts to enter the private network and triggers alarms when hostile or unauthorized entry is attempted.

Page 6: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Packet Filtering

Address filtering:

• Firewalls can filter packets based on their source and destination addresses and port numbers.

Network filtering:

• Firewalls can also filter specific types of network traffic.
• The decision to forward or reject traffic is dependent upon the protocol used, for example HTTP, FTP, or Telnet.
• Firewalls can also filter traffic by packet attribute or state.

Page 7: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

What Can't a Firewall Do?

A firewall cannot prevent individual users with modems from dialing into or out of the network, bypassing the firewall altogether.

Employee misconduct or carelessness cannot be controlled by firewalls.

Policies involving the use and misuse of passwords and user accounts must be strictly enforced.


Page 8: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

How Does a Firewall Work?

A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it meets certain criteria.

The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another.

Firewalls may be concerned with the type of traffic, or with source or destination addresses and ports.

They may also use complex rule bases that analyze the application data to determine if the traffic should be allowed through.

Page 9: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Firewall Operations


Page 10: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Firewall Logging Functionality

UNIX syslog application is the commonly accepted logging functionality.

Scans and parses the logs to a centralized logging server.

Syslog-based logging environments supply inputs to IDS and forensic analysis projects.

Page 11: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Firewall Policy

Build a firewall that handles application traffic like web, email, or Telnet.

The policy should explain how the firewall is to be updated and managed.

The steps involved in creating a firewall policy are as follows:

• Step 1: Identify the network applications that are of utmost importance
• Step 2: Identify the vulnerabilities that are related to the network applications
• Step 3: Prepare a cost-benefits analysis to secure the network applications
• Step 4: Create a network application traffic matrix to identify the protection method
• Step 5: Create a firewall ruleset that depends on the application’s traffic matrix

Page 12: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Periodic Review of Information Security Policies

Create periodic reviews for information security policies to achieve accuracy and timeliness.

Review and update information security policies every six months.

If a firewall’s application is upgraded, then the firewall’s ruleset must be formally changed.

Firewall installations along with systems and other resources should be audited on a regular basis.

Periodic reviews should include:

• Actual audits and vulnerability assessments of production.
• Backup infrastructure components.
• Computer systems.

Page 13: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Firewall Implementation

Firewalls can be implemented in two different ways as follows:

• Appliance-based firewall.
• Commercial operating system.

An appliance-based firewall:

• Is more secure than those implemented on top of the commercial operating system.
• Does not suffer from any security vulnerabilities associated with underlying operating system.
• Uses Application-Specific Integrated Circuit (ASIC) technology.

Commercial operating system:

• Firewalls implemented on commercial operating system are highly scalable.

Page 14: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Build a Firewall Ruleset

Most firewall platforms use rulesets as their common system for implementing security controls.

The contents of the firewall ruleset will establish the functionality of the firewall.

Based on the firewall’s platform architecture, firewall rulesets contain the following information:

• Source address of the packet.
• Destination address of the packet.
• Type of traffic.
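Steps 4 and 5 of the policy process and the ruleset fields listed above, as an added example that is not part of the original module: a constructed traffic matrix is turned into a first-match ruleset with a default deny, and a check reports rules that an earlier rule makes unreachable. The matrix rows, addresses and the names `Rule`, `build_ruleset`, `evaluate` and `shadowed` are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed application traffic matrix (policy step 4): one row per flow
# the policy permits. All addresses are documentation ranges.
TRAFFIC_MATRIX = [
    # application, source,         destination,       type of traffic
    ("web",    "0.0.0.0/0",       "203.0.113.10/32", "tcp", 80),
    ("email",  "0.0.0.0/0",       "203.0.113.25/32", "tcp", 25),
    ("telnet", "198.51.100.0/24", "203.0.113.40/32", "tcp", 23),
]


class Rule(NamedTuple):
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network    # source address of the packet
    dst: ipaddress.IPv4Network    # destination address of the packet
    proto: str                    # type of traffic: "tcp", "udp" or "any"
    port: Optional[int]           # destination port, None means any
    note: str = ""

    def matches(self, src, dst, proto, port):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and self.port in (None, port))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and self.port in (None, other.port))


ANY = ipaddress.ip_network("0.0.0.0/0")


def build_ruleset(matrix):
    """Policy step 5: one allow rule per matrix row, then deny the rest."""
    rules = [Rule("allow", ipaddress.ip_network(s), ipaddress.ip_network(d),
                  proto, port, app)
             for app, s, d, proto, port in matrix]
    rules.append(Rule("deny", ANY, ANY, "any", None, "default deny"))
    return rules


def evaluate(rules, src, dst, proto, port):
    """First matching rule wins, as in most packet filters."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.note
    return "deny", "no rule matched"


def shadowed(rules):
    """Pairs (later, earlier) of rule indexes: the later rule can never fire
    because the earlier one already matches all of its traffic."""
    return [(j, i) for j, later in enumerate(rules)
            for i, earlier in enumerate(rules[:j]) if earlier.covers(later)]


if __name__ == "__main__":
    ruleset = build_ruleset(TRAFFIC_MATRIX)
    print(evaluate(ruleset, "192.0.2.7", "203.0.113.40", "tcp", 23))
    print(shadowed(ruleset))
```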

Page 15: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Maintenance and Management of Firewall

The two mechanisms used by commercial firewall platforms for configuring and maintenance are:

• Command line interface (CLI) configuration.
• Graphical user interface (GUI) configuration.

CLI configuration mode enables the administrator to configure the firewall by typing the commands in command prompt.

GUI configuration mode enables the administrator to configure the firewall through graphical user interface.

For web-based interfaces, security is provided through Secure Socket Layer (SSL) encryption, along with user id and password.

For non-web interfaces, security is implemented through custom transport encryption.

Page 16: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Maintenance and Management of Firewall (cont’d)

By monitoring the firewall, you can find suspicious activities like port scans or half scans.

In order to perform these monitoring mechanisms, organizations must establish effective incident response procedures.

Both logs and alerts together form a monitoring system.

If logs as well as firewall alerts are properly monitored, it is easy to detect intrusion attempts in an organization.
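One way to monitor firewall logs for the port scans and half scans mentioned above, as an added example that is not part of the original module. It assumes netfilter-style LOG lines forwarded over syslog; the sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?\bSRC=(?P<src>\S+)\s.*?\bPROTO=TCP\s"
    r".*?\bDPT=(?P<dpt>\d+)\s(?P<rest>.*)$")


def parse(line, year=2005):
    """Return (time, source, destination port, TCP flags) or None.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"]), TCP_FLAGS & set(m["rest"].split())


def detect_scans(lines, min_ports=5, window=timedelta(seconds=60)):
    """Flag sources whose lone-SYN packets reach `min_ports` distinct ports
    within `window`. In a firewall drop log a half (SYN) scan and a full
    connect scan look the same: the handshake never gets past the SYN.
    Returns {source: sorted list of ports probed}."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[0])
    recent = defaultdict(deque)   # source -> (time, port) still in the window
    alerts = defaultdict(set)
    for ts, src, port, flags in events:
        if flags != {"SYN"}:      # packets of established sessions carry ACK
            continue
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            alerts[src] |= ports
    return {src: sorted(ports) for src, ports in alerts.items()}


def _line(clock, src, dpt, flags="SYN"):
    # Builds one constructed sample line in netfilter LOG style.
    return (f"Dec 12 {clock} fw kernel: FW-DROP IN=eth0 OUT= SRC={src} "
            f"DST=203.0.113.10 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT={dpt} "
            f"WINDOW=1024 RES=0x00 {flags} URGP=0")


SAMPLE_LOG = (
    # one source sweeping eight ports in eight seconds
    [_line(f"19:08:{i:02d}", "198.51.100.7", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443])]
    # one source touching six ports ten minutes apart (outside the window)
    + [_line(f"18:{i}0:00", "203.0.113.200", p)
       for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    # stray packets of an existing web session
    + [_line("19:09:30", "192.0.2.50", 80, "ACK PSH") for _ in range(3)]
    + ["Dec 12 19:10:00 fw sshd[411]: unrelated line"]
)

if __name__ == "__main__":
    for source, ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan from {source}: ports {ports}")
```

A slow scan that stays under `min_ports` per window is not flagged by this logic; lengthening the window trades that for more false positives.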

Page 17: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Hardware Firewall

[Diagram: a hardware firewall, usually part of a TCP/IP router, sits between the public network and the secure private network (private local area network).]

Page 18: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Software Firewall

[Diagram: a computer with firewall software sits between the public network and the secure private network (private local area network).]

Page 19: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Types of Firewall

Firewalls fall into four broad categories:

• Packet filters
• Circuit level gateways
• Application level gateways
• Stateful multilayer inspection firewalls

Page 20: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Packet Filtering Firewall

Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP).

They are usually part of a router.

In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded.

Depending on the packet and the criteria, the firewall can:

• Drop the packet.
• Forward it or send a message to the originator.

Rules can include source and destination IP address, source and destination port number and protocol used.

The advantage of packet filtering firewalls is their low cost and low impact on network performance.

Most routers support packet filtering.

Page 21: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

IP Packet Filtering Firewall

[Diagram: network stack with layers 5 Application, 4 TCP, 3 Internet Protocol (IP), 2 Data Link and 1 Physical, showing incoming traffic and allowed outgoing traffic; a legend marks layers as Allowed or Disallowed.]

Traffic is filtered based on specified rules, including source and destination IP address, packet type, and port number.

Unknown traffic is only allowed up to level 3 of the network stack.

Page 22: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Circuit Level Gateway

Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP.

They monitor TCP handshaking between packets to determine whether a requested session is legitimate.

Information passed to remote computer through a circuit level gateway appears to have originated from the gateway.

Circuit level gateways are relatively inexpensive.

They have the advantage of hiding information about the private network they protect.

Circuit level gateways do not filter individual packets.

Page 23: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

TCP Packet Filtering Firewall

[Diagram: network stack with layers 5 Application, 4 TCP, 3 Internet Protocol (IP), 2 Data Link and 1 Physical, showing incoming traffic and allowed outgoing traffic; a legend marks layers as Allowed or Disallowed.]

Traffic is filtered based on specified session rules, such as when a session is initiated by a recognized computer.

Unknown traffic is only allowed up to level 4 of the network stack.

Page 24: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Application Level Firewall

Application level gateways are also called proxies.

They can filter packets at the application layer of the OSI model.

Incoming or outgoing packets cannot access services for which there is no proxy.

In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, gopher, Telnet or other traffic through.

Because they examine packets at application layer, they can filter application specific commands such as http:post and get.

Page 25: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Application Packet Filtering Firewall

[Diagram: network stack with layers 5 Application, 4 TCP, 3 Internet Protocol (IP), 2 Data Link and 1 Physical, showing incoming traffic and allowed outgoing traffic; a legend marks layers as Allowed or Disallowed.]

Traffic is filtered based on specified application rules, such as specified applications (such as a browser) or a protocol, such as FTP, or combinations.

Unknown traffic is only allowed up to the top of network stack.

Page 26: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Stateful Multilayer Inspection Firewall

Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls.

They filter packets at the network layer, determine whether session packets are legitimate and evaluate contents of packets at the application layer.

They are expensive and require competent personnel to administer the device.

Page 27: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Multilayer Inspection Firewall

[Diagram: network stack with layers 5 Application, 4 TCP, 3 Internet Protocol (IP), 2 Data Link and 1 Physical, showing incoming traffic and allowed outgoing traffic; a legend marks layers as Allowed or Disallowed.]

Traffic is filtered at three levels, based on a wide range of specified application, session and packet filtering rules.

Unknown traffic is allowed up to level 3 of the network stack.

Page 28: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Steps for Conducting Firewall Penetration Testing

1 • Locate the firewall
2 • Traceroute to identify the network range
3 • Port scan the router
4 • Grab the banner
5 • Create custom packets and look for firewall responses
6 • Test access control enumeration
7 • Test to identify firewall architecture
8 • Testing firewall policy

Page 29: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Steps for Conducting Firewall Penetration Testing (cont’d)

9 • Test firewall using firewalking tool
10 • Test for port redirection
11 • Testing the firewall from both sides
12 • Overt firewall test from outside
13 • Test covert channels
14 • Covert firewall test from outside
15 • Test HTTP tunneling
16 • Test firewall specific vulnerabilities

Page 30: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 1: Locate the Firewall

Craft an SYN packet using Hping or any other packet crafter and send it to the firewall.

If you get ICMP unreachable type 13 message (which is admin prohibited packet) with a source IP address of access control device, usually this is a packet filter firewall.

Tools:

• hping2 www.xsecurity.com -c2 -S -p23 -n
• ICMP Unreachable type 13 from 10.10.2.3

Page 31: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 2: Traceroute to Identify the Network Range

Running traceroute against the router will reveal:

• The path to that network.
• Intermediate routers and/or devices.
• Information about filtering devices and protocols allowed/denied.

Tool:

• tracert www.xsecurity.com

Page 32: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 3: Port Scan the Firewall

Most firewall implementations have default ports in use for remote management purposes.

Example: user authentication, management, VPN connections, etc.

Tool: #nmap -n -vv -P0 -p256,1080 <www.xsecurity.com>

Page 33: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 4: Grab the Banner

Connect to the router and grab the banner.

Example:

• Symantec Enterprise Firewall 8.0 HTTP Proxy
• C:\>nc -nvv 10.0.0.1 80
• HEAD / HTTP/1.0
• HTTP/1.1 503 Service Unavailable
• MIME-Version: 1.0
• Server: Simple, Secure Web Server 1.1
• Date: Tue, 12 Dec 2005 19:08:35 GMT
• Connection: close
• Content-Type: text/html
• <HTML>
• <HEAD><TITLE>Firewall Error: Service Unavailable</TITLE></HEAD>

Page 34: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 5: Create Custom Packets and Look for Firewall Responses

Creating custom packets that are sent towards the firewall can elicit unique responses from the firewall.

This can also be used to determine the type of firewall.

Example:

• hping 10.0.0.5 -c 2 -S -p 23 -n
• HPING 10.0.0.5 (eth0 10.0.0.5 ): S set, 40 data bytes
• 60 bytes from 10.0.0.5 : flags=RA seq=0 ttl=59 id=0 win=0 time=0.4 ms

Page 35: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 6: Test Access Control Enumeration

Use Nmap to enumerate the firewall access control list.

Nmap shows three states of ports:

• Open – port is listening
• Filtered – port is blocked by an access control device (Router/Firewall)
• Unfiltered – traffic is passing from access control devices (Firewall/Router) but the port is not open

Example:

• #nmap -sA 192.168.0.1
• Interesting ports on 192.168.0.1:
• (The 65530 ports scanned but not shown below are in state: filtered)
• PORT STATE SERVICE
• 110/tcp UNfiltered pop-3
• 13701/tcp UNfiltered VeritasNetbackup
• 13711/tcp UNfiltered VeritasNetbackup
• 13721/tcp UNfiltered VeritasNetbackup
• 13782/tcp UNfiltered VeritasNetbackup
• Nmap run completed -- 1 IP address (1 host up) scanned in 12205.371 seconds

Page 36: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 7: Test to Identify Firewall Architecture

Hping2 is a tool for custom packet crafting.

Use hping2 to identify packets that are:

• Open.
• Blocked.
• Dropped.
• Rejected.

Page 37: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 8: Testing Firewall Policy

The two different methods to verify the firewall policy are as follows:

• In the first method, get the hardcopies of the firewall configuration and compare them against the expected configuration.
• The second method involves actual in-place testing that determines the configuration of a device by attempting to perform operations that must be prohibited.
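The first verification method, comparing the device's configuration against the expected one, as an added example that is not part of the original module. The one-rule-per-line format (`action proto source destination port`), both rule listings and the function names are assumptions made for illustration, not any vendor's syntax.

```python
import ipaddress
from typing import NamedTuple

# Constructed listings: the approved policy and an export from the device.
EXPECTED = """\
# approved policy
allow tcp 0.0.0.0/0 203.0.113.10/32 80
allow tcp 0.0.0.0/0 203.0.113.25/32 25
allow tcp 198.51.100.0/24 203.0.113.40/32 23
deny any 0.0.0.0/0 0.0.0.0/0 any
"""
ACTUAL = """\
# running configuration
allow tcp 0.0.0.0/0 203.0.113.10 80
allow tcp 0.0.0.0/0 203.0.113.40/32 23
allow tcp 0.0.0.0/0 203.0.113.25/32 25
allow tcp 0.0.0.0/0 203.0.113.10/32 8080
deny any 0.0.0.0/0 0.0.0.0/0 any
"""


class Rule(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str


def fmt(rule):
    return f"{rule.action} {rule.proto} {rule.src} {rule.dst} {rule.port}"


def parse_rules(text):
    """Parse a listing into normalised rules so that equivalent spellings
    (for example 203.0.113.10 and 203.0.113.10/32) compare equal."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        action, proto, src, dst, port = fields
        rules.append(Rule(action.lower(), proto.lower(),
                          ipaddress.ip_network(src), ipaddress.ip_network(dst), port))
    return rules


def audit(expected_text, actual_text):
    expected, actual = parse_rules(expected_text), parse_rules(actual_text)
    missing = [r for r in expected if r not in actual]
    unexpected = [r for r in actual if r not in expected]
    # An approved allow rule replaced by a broader one for the same service.
    widened = [(exp, act) for act in unexpected for exp in missing
               if act.action == exp.action == "allow"
               and (act.proto, act.port) == (exp.proto, exp.port)
               and exp.src.subnet_of(act.src) and exp.dst.subnet_of(act.dst)]
    # Rule order matters under first-match evaluation, so compare it too.
    in_both_expected = [r for r in expected if r in actual]
    in_both_actual = [r for r in actual if r in expected]
    return {
        "missing": [fmt(r) for r in missing],
        "unexpected": [fmt(r) for r in unexpected],
        "widened": [(fmt(e), fmt(a)) for e, a in widened],
        "reordered": in_both_expected != in_both_actual,
    }


if __name__ == "__main__":
    for finding, value in audit(EXPECTED, ACTUAL).items():
        print(finding, value)
```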

Page 38: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 9: Test Firewall Using Firewalking Tool

Firewalk can be used to discover open ports behind a firewall and it can be used for access control list discovery.

Helps determine open ports on a firewall (packet filter).

Firewalk determines if a given port is allowed through a firewall.

Traceroute to any machine behind the firewall or the router before the firewall.

Once the hop count of the router is known, we can change our TTL value for our IP packet to be 1 more than the hop count of the router and perform a port scan on the firewall.

Thus, if a “TTL exceeded error” comes back, the port on the firewall is open.
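The TTL reasoning above, modelled without any network traffic, as an added example that is not part of the original module or the Firewalk tool's code. The path, hop names and ACL are constructed; the `drop_icmp_out` option models a gateway that filters outbound ICMP time exceeded replies, which leaves the technique with nothing to observe.

```python
def probe(path, gateway, allowed_ports, ttl, port, drop_icmp_out=False):
    """Walk one probe along `path` (hop names, nearest first; the last
    entry is the destination host). Returns ("time-exceeded", hop),
    ("delivered", hop) or None when nothing comes back."""
    gw_hop = path.index(gateway) + 1
    for hop_no, hop in enumerate(path, start=1):
        if hop_no == len(path):
            return ("delivered", hop)       # final host accepts the packet
        ttl -= 1
        if ttl == 0:
            # The router where the TTL runs out answers with ICMP time
            # exceeded, unless the gateway filters that reply on its way out.
            if hop_no > gw_hop and drop_icmp_out:
                return None
            return ("time-exceeded", hop)
        if hop == gateway and port not in allowed_ports:
            return None                     # ACL drops the packet silently
    return None


def firewalk(path, gateway, allowed_ports, ports, drop_icmp_out=False):
    """Send each probe with a TTL one more than the gateway's hop count and
    read the result the way the slide describes."""
    ttl = path.index(gateway) + 2
    result = {}
    for port in ports:
        reply = probe(path, gateway, allowed_ports, ttl, port, drop_icmp_out)
        passed = reply is not None and reply[0] == "time-exceeded"
        result[port] = "open" if passed else "filtered"
    return result


# Constructed topology: the gateway is hop 3 and permits ports 25 and 80.
PATH = ["r1", "r2", "gw", "inner-router", "server"]
ACL = {25, 80}

if __name__ == "__main__":
    print(firewalk(PATH, "gw", ACL, [23, 25, 80, 139]))
    print(firewalk(PATH, "gw", ACL, [23, 25, 80, 139], drop_icmp_out=True))
```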

Page 39: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 10: Test for Port Redirection

If you cannot get direct access to a port, then use port redirection.

It is used to bypass port filtering.

Install a port redirector and make it listen on a selected port number.

Packets received on the listening port number are forwarded to desired port on remote host.

Tools:

• fpipe -l 80 -r 139 192.168.10.40
• datapipe 80 139 192.168.10.40

Page 40: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Firewall Identification

Identify the firewall used to find out the vulnerability by:

• Type of firewall implemented.
• Firewall model.
• Firewall configuration.

Two types of firewall identification techniques include:

• Covert firewall identification.
• Overt firewall identification.

Page 41: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 11: Testing the Firewall from Both Sides

Examine the firewall by simultaneously testing both sides of the firewall.

The firewall system that is tested outside will send packets and the firewall that is tested inside will analyze the packets that arrive, and vice versa.

Page 42: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 11: Testing the Firewall from Both Sides (cont’d)

The following are the steps to be performed for testing the firewall from both sides:

Step 1: Test whether (possibly using tunneled protocols) unauthorized connections from the internal network to the Internet can be created.

Step 2: Execute a vulnerability scanner on the hosts of the firewall system (i.e., firewall host, internal router, external router) from inside.

Step 3: Identify the firewall rules by using appropriate firewall tools (like firewalking from both sides).

Step 4: Check for the reaction of the firewall to fragmented and spoofed packets that can be generated using a packet generator.

Page 43: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 12: Overt Firewall Test from Outside

In overt firewall testing, the tester will create a network connection from outside to the protected network segment.

Page 44: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 12: Overt Firewall Test from Outside (cont’d)

The following are the steps to be performed for overt firewall testing from outside:

Step 1: Execute a vulnerability scanner on the hosts of the firewall system (i.e., firewall host, internal router, external router)

Step 2: Identify the firewall rules by using appropriate firewall tools (like firewalking)

Step 3: Try to reach the systems that are behind the firewall

Step 4: Check for the reaction of the firewall to fragmented and spoofed packets that can be generated using a packet generator

Page 45: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 13: Test Covert Channels

Install a backdoor on a victim machine inside the network.

Reverse connect to a machine outside the firewall.

Tool:

• WWW Reverse Shell

Page 46: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 14: Covert Firewall Test from Outside

In covert firewall testing, the testers create a network connection to the secured network segment from the outside.

Page 47: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 14: Covert Firewall Test from Outside (cont’d)

The following are the steps to perform testing for covert firewall from outside:

Step 1: Identify the firewall rules by using appropriate firewall tools (like firewalking from outside).

Step 2: Try to reach the systems that are behind the firewall.

Step 3: Check for the reaction of the firewall to fragmented and spoofed packets that can be generated using a packet generator.

Page 48: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 15: Test HTTP Tunneling

Test to connect to the inside network using HTTP tunneling techniques.

Tools:

• HTTPORT
• HTTHOST

Page 49: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Step 16: Test Firewall Specific Vulnerabilities

Firewalls have specific vulnerabilities.

If a firewall is not patched up, then it is vulnerable to attacks.

Send product specific exploits against firewall vulnerabilities and test for responses.

Page 50: LPTv4 Module 21 Firewall Penetration Testing_NoRestriction

Document Everything

Document all your findings from firewall testing results.

Document the following:

• Firewall logs.
• Tools output.
• Your analysis.
• Recommendations (if any).
