LPTv4 Module 21: Firewall Penetration Testing (transcript)
ECSA/LPT
EC-Council Module XXI
Firewall Penetration Testing
Penetration Testing Roadmap
Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Cont'd
EC-Council. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Penetration Testing Roadmap (cont'd)
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
Virus and Trojan Detection
War Dialing
VPN Penetration Testing
Log Management Penetration Testing
File Integrity Checking
Blue Tooth and Hand held Device Penetration Testing
Telecommunication And Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Data Leakage Penetration Testing
End Here
What is a Firewall?
A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.
A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network, such as the Internet.
Firewalls protect against hackers and malicious intruders.
It is a combination of hardware and software that separates a LAN into two or more parts for security purposes.
What Does a Firewall Do?
A firewall examines all traffic routed between the two networks to see if it meets certain criteria.
It routes packets between the networks.
It filters both inbound and outbound traffic.
It manages public access to private networked resources such as host applications.
It logs all attempts to enter the private network and triggers alarms when hostile or unauthorized entry is attempted.
Packet Filtering
Address filtering:
• Firewalls can filter packets based on their source and destination addresses and port numbers.
Network filtering:
• Firewalls can also filter specific types of network traffic.
• The decision to forward or reject traffic is dependent upon the protocol used, for example HTTP, FTP, or Telnet.
• Firewalls can also filter traffic by packet attribute or state.
What Can't a Firewall Do?
A firewall cannot prevent individual users with modems from dialing into or out of the network, bypassing the firewall altogether.
Employee misconduct or carelessness cannot be controlled by firewalls.
Policies involving the use and misuse of passwords and user accounts must be strictly enforced.
How Does a Firewall Work?
A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it meets certain criteria.
The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another.
Firewalls may be concerned with the type of traffic, or with source or destination addresses and ports.
They may also use complex rule bases that analyze the application data to determine if the traffic should be allowed through.
Firewall Operations
Firewall Logging Functionality
The UNIX syslog application is the commonly accepted logging functionality.
Firewall logs are forwarded to, and parsed on, a centralized logging server.
Syslog-based logging environments supply inputs to IDS and forensic analysis projects.
Firewall Policy
Build a firewall that handles application traffic like web, email, or Telnet.
The policy should explain how the firewall is to be updated and managed.
The steps involved in creating a firewall policy are as follows:
• Step 1: Identify the network applications that are of utmost importance.
• Step 2: Identify the vulnerabilities that are related to the network applications.
• Step 3: Prepare a cost-benefit analysis to secure the network applications.
• Step 4: Create a network application traffic matrix to identify the protection method.
• Step 5: Create a firewall ruleset that depends on the application's traffic matrix.
Periodic Review of Information Security Policies
Create periodic reviews for information security policies to achieve accuracy and timeliness.
Review and update information security policies every six months.
If a firewall's application is upgraded, then the firewall's ruleset must be formally changed.
Firewall installations along with systems and other resources should be audited on a regular basis.
Periodic reviews should include:
• Actual audits and vulnerability assessments of production.
• Backup infrastructure components.
• Computer systems.
Firewall Implementation
Firewalls can be implemented in two different ways as follows:
• Appliance-based firewall.
• Commercial operating system.
An appliance-based firewall:
• Is more secure than those implemented on top of a commercial operating system.
• Does not suffer from the security vulnerabilities associated with a general-purpose underlying operating system (its own firmware still has to be patched).
• Uses Application-Specific Integrated Circuit (ASIC) technology.
Commercial operating system:
• Firewalls implemented on a commercial operating system are highly scalable.
Build a Firewall Ruleset
Most firewall platforms use rulesets as their common system for implementing security controls.
The contents of the firewall ruleset will establish the functionality of the firewall.
Based on the firewall's platform architecture, firewall rulesets contain the following information:
• Source address of the packet.
• Destination address of the packet.
• Type of traffic.
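The following is an added example, not code from the module or from any firewall vendor. It ties together the packet filtering criteria, the "deny all unless it meets certain criteria" versus "allow all unless" default policies, and the policy steps above: rows of a traffic matrix (Step 4) become ALLOW rules (Step 5), rules are matched first-match on source, destination, protocol and port, and the default policy decides what happens to traffic no rule mentions. All addresses, ports and matrix rows are constructed for illustration.

```python
"""Evaluate a first-match firewall ruleset built from an application traffic matrix.

Added example, not EC-Council's code. Shows how rows of a traffic matrix
(policy Step 4) become rules (Step 5), how first-match evaluation on source,
destination, protocol and port works, and why the default policy decides the
fate of traffic no rule mentions. All addresses, ports and matrix rows are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ALLOW, DENY = "ALLOW", "DENY"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Ruleset:
    rules: List[Rule]
    default: str = DENY          # "deny all traffic unless it meets certain criteria"

    def evaluate(self, pkt: Packet) -> str:
        """First matching rule wins; otherwise the default policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed traffic matrix: (application, source CIDR, destination CIDR, proto, port)
TRAFFIC_MATRIX = [
    ("web",   "0.0.0.0/0",      "203.0.113.10/32", "tcp", 80),
    ("web",   "0.0.0.0/0",      "203.0.113.10/32", "tcp", 443),
    ("email", "0.0.0.0/0",      "203.0.113.25/32", "tcp", 25),
    ("admin", "192.168.1.0/24", "203.0.113.0/24",  "tcp", 22),
]


def ruleset_from_matrix(matrix, default: str = DENY) -> Ruleset:
    """Turn each permitted flow of the matrix into an ALLOW rule."""
    rules = [Rule(ALLOW, src, dst, proto, port) for _, src, dst, proto, port in matrix]
    return Ruleset(rules, default)


def decide(pkt: Packet, default: str = DENY) -> str:
    """Verdict for one packet under the matrix-derived ruleset and the given default."""
    return ruleset_from_matrix(TRAFFIC_MATRIX, default).evaluate(pkt)


if __name__ == "__main__":
    probes = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 80),  # web from the Internet
        Packet("198.51.100.7", "203.0.113.10", "tcp", 23),  # Telnet: no matrix row
        Packet("198.51.100.7", "203.0.113.10", "tcp", 22),  # SSH from the wrong source
        Packet("192.168.1.5",  "203.0.113.10", "tcp", 22),  # SSH from the admin LAN
    ]
    for p in probes:
        print(p, "deny-default:", decide(p), "allow-default:", decide(p, ALLOW))
```

Run with the two defaults side by side and the Telnet probe shows the point of the slide: under a deny-by-default policy anything missing from the traffic matrix is dropped, under allow-by-default the same omission becomes an open hole.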
Maintenance and Management of Firewall
The two mechanisms used by commercial firewall platforms for configuration and maintenance are:
• Command line interface (CLI) configuration.
• Graphical user interface (GUI) configuration.
CLI configuration mode enables the administrator to configure the firewall by typing commands at a command prompt.
GUI configuration mode enables the administrator to configure the firewall through a graphical user interface.
For web-based interfaces, security is provided through Secure Sockets Layer (SSL, today TLS) encryption, along with a user ID and password.
For non-web interfaces, security is implemented through custom transport encryption.
Maintenance and Management of Firewall (cont'd)
By monitoring the firewall, you can find suspicious activities like port scans or half-open (SYN) scans.
In order to perform these monitoring mechanisms, organizations must establish effective incident response procedures.
Both logs and alerts together form a monitoring system.
If logs as well as firewall alerts are properly monitored, it is easy to detect intrusion attempts in an organization.
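As an added example (not from the module), here is the detection logic a monitoring system would run over the firewall log to spot the port scans and half-open scans mentioned above. The log lines are constructed here in the netfilter/iptables LOG format (SRC=, DST=, PROTO=, DPT= fields plus bare flag words); a real syslog feed from another firewall differs in layout, so only the parser would need adapting. The 10-port threshold is illustrative.

```python
"""Flag port scans and half-open (SYN-only) scans in firewall log lines.

Added example, not EC-Council's code. The log lines are constructed here in
the netfilter/iptables LOG format (SRC=, DST=, PROTO=, DPT=, flag words);
real firewalls differ, so only the parser would need adapting. The
threshold of 10 distinct ports is illustrative.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|RST|FIN|PSH|URG)\b")


def log_line(src: str, dport: int, flags: str = "SYN", dst: str = "203.0.113.10") -> str:
    """Constructed netfilter-style LOG line (mimics `iptables -j LOG` output)."""
    return (f"Dec 12 19:08:35 fw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=40 TOS=0x00 "
            f"PREC=0x00 TTL=59 ID=0 DF PROTO=TCP SPT=40000 DPT={dport} WINDOW=512 "
            f"RES=0x00 {flags} URGP=0")


# Constructed sample: one source sweeps 16 ports with bare SYNs; a normal client
# opens 443 once and sends ACKs on established connections.
SAMPLE_LOG: List[str] = (
    [log_line("198.51.100.7", p) for p in range(20, 36)]
    + [log_line("192.0.2.44", 443), log_line("192.0.2.44", 443, "ACK"),
       log_line("192.0.2.44", 80, "ACK")]
)


def parse(line: str) -> Dict[str, object]:
    """Extract the address/port fields and the set of TCP flag words."""
    fields: Dict[str, object] = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = frozenset(FLAG_RE.findall(line))
    return fields


def detect_scans(lines: Iterable[str], port_threshold: int = 10,
                 syn_only: bool = True) -> Dict[str, List[int]]:
    """Return {source: sorted distinct destination ports} for sources that
    touched at least `port_threshold` ports. With syn_only, count only packets
    carrying SYN alone, the signature of a half-open scan."""
    ports = defaultdict(set)
    for line in lines:
        f = parse(line)
        if f.get("PROTO") != "TCP" or "DPT" not in f:
            continue
        if syn_only and f["FLAGS"] != frozenset({"SYN"}):
            continue
        ports[f["SRC"]].add(int(f["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= port_threshold}


if __name__ == "__main__":
    for src, touched in detect_scans(SAMPLE_LOG).items():
        print(f"possible half-open scan from {src}: {len(touched)} ports "
              f"{touched[0]}-{touched[-1]}")
```

Counting distinct destination ports per source, rather than raw packet volume, is what separates a scanner from a busy legitimate client; restricting the count to bare-SYN packets is what makes the half-open (SYN) scan stand out even when the scanner never completes a handshake.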
Hardware Firewall
[Diagram: a hardware firewall, usually part of a TCP/IP router, sits between the Private Local Area Network (secure private network) and the Public Network.]
Software Firewall
[Diagram: a computer running firewall software sits between the Private Local Area Network (secure private network) and the Public Network.]
Types of Firewall
Firewalls fall into four broad categories:
Packet filters
Circuit level gateways
Application level gateways
Stateful multilayer inspection firewalls
Packet Filtering Firewall
Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP).
They are usually part of a router.
In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded.
Depending on the packet and the criteria, the firewall can:
• Drop the packet.
• Forward it or send a message to the originator.
Rules can include source and destination IP address, source and destination port number and protocol used.
The advantage of packet filtering firewalls is their low cost and low impact on network performance.
Most routers support packet filtering.
IP Packet Filtering Firewall
[Diagram: network stack 1 Physical, 2 Data Link, 3 Internet Protocol (IP), 4 TCP, 5 Application. Traffic is filtered based on specified rules, including source and destination IP address, packet type, and port number. Unknown traffic is only allowed up to level 3 of the network stack.]
Circuit Level Gateway
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP.
They monitor TCP handshaking between packets to determine whether a requested session is legitimate.
Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway.
Circuit level gateways are relatively inexpensive.
They have the advantage of hiding information about the private network they protect.
Circuit level gateways do not filter individual packets.
TCP Packet Filtering Firewall
[Diagram: network stack 1 Physical, 2 Data Link, 3 Internet Protocol (IP), 4 TCP, 5 Application. Traffic is filtered based on specified session rules, such as when a session is initiated by a recognized computer. Unknown traffic is only allowed up to level 4 of the network stack.]
Application Level Firewall
Application level gateways are also called proxies.
They can filter packets at the application layer of the OSI model.
Incoming or outgoing packets cannot access services for which there is no proxy.
In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, gopher, Telnet or other traffic through.
Because they examine packets at the application layer, they can filter application specific commands such as HTTP POST and GET.
Application Packet Filtering Firewall
[Diagram: network stack 1 Physical, 2 Data Link, 3 Internet Protocol (IP), 4 TCP, 5 Application. Traffic is filtered based on specified application rules, such as specified applications (such as a browser) or a protocol, such as FTP, or combinations. Unknown traffic is only allowed up to the top of the network stack.]
Stateful Multilayer Inspection Firewall
Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls.
They filter packets at the network layer, determine whether session packets are legitimate and evaluate the contents of packets at the application layer.
They are expensive and require competent personnel to administer the device.
Multilayer Inspection Firewall
[Diagram: network stack 1 Physical, 2 Data Link, 3 Internet Protocol (IP), 4 TCP, 5 Application. Traffic is filtered at three levels, based on a wide range of specified application, session and packet filtering rules. Unknown traffic is allowed up to level 3 of the network stack.]
Steps for Conducting Firewall Penetration Testing
1 • Locate the firewall
2 • Traceroute to identify the network range
3 • Port scan the router
4 • Grab the banner
5 • Create custom packets and look for firewall responses
6 • Test access control enumeration
7 • Test to identify firewall architecture
8 • Testing firewall policy
Steps for Conducting Firewall Penetration Testing (cont'd)
9 • Test firewall using firewalking tool
10 • Test for port redirection
11 • Testing the firewall from both sides
12 • Overt firewall test from outside
13 • Test covert channels
14 • Covert firewall test from outside
15 • Test HTTP tunneling
16 • Test firewall specific vulnerabilities
Step 1: Locate the Firewall
Craft a SYN packet using Hping or any other packet crafter and send it to the firewall.
If you get an ICMP Destination Unreachable message (type 3) with code 13 (communication administratively prohibited) whose source IP address is the access control device rather than the target, this is usually a packet filter firewall, and the source address tells you where it sits.
Tools:
• hping2 www.xsecurity.com -c2 -S -p23 -n
• ICMP Unreachable type=3/code=13 from 10.10.2.3
Step 2: Traceroute to Identify the Network Range
Running traceroute against the router will reveal:
• The path to that network.
• Intermediate routers and/or devices.
• Information about filtering devices and protocols allowed/denied.
Tool:
• tracert www.xsecurity.com
Step 3: Port Scan the Firewall
Most firewall implementations have default ports in use for remote management purposes.
Example: user authentication, management, VPN connections, etc.
Tool: # nmap -n -vv -P0 -p 256,1080 www.xsecurity.com
(-P0 skips host discovery; current Nmap releases spell it -Pn. Port 256/tcp is the classic Check Point FireWall-1 management port and 1080/tcp a SOCKS proxy, which is why they are probed here.)
Step 4: Grab the Banner
Connect to the device (router or firewall) and grab the banner.
Example: Symantec Enterprise Firewall 8.0 HTTP Proxy
C:\>nc -nvv 10.0.0.1 80
HEAD / HTTP/1.0

HTTP/1.1 503 Service Unavailable
MIME-Version: 1.0
Server: Simple, Secure Web Server 1.1
Date: Tue, 12 Dec 2005 19:08:35 GMT
Connection: close
Content-Type: text/html

<HTML>
<HEAD><TITLE>Firewall Error: Service Unavailable</TITLE></HEAD>
Step 5: Create Custom Packets and Look for Firewall Responses
Creating custom packets that are sent towards the firewall can elicit unique responses from the firewall.
This can also be used to determine the type of firewall.
Example:
hping 10.0.0.5 -c 2 -S -p 23 -n
HPING 10.0.0.5 (eth0 10.0.0.5): S set, 40 data bytes
60 bytes from 10.0.0.5: flags=RA seq=0 ttl=59 id=0 win=0 time=0.4 ms
A RST/ACK reply (flags=RA) means the SYN reached a host with no listener on that port; a filtered port would instead time out or return an ICMP administratively prohibited message.
Step 6: Test Access Control Enumeration
Use Nmap to enumerate the firewall access control list.
Nmap shows three states of ports:
• Open – port is listening.
• Filtered – port is blocked by an access control device (Router/Firewall).
• Unfiltered – traffic is passing the access control devices (Firewall/Router), but the port is not necessarily open (an ACK scan cannot distinguish open from closed).
Example:
# nmap -sA 192.168.0.1
Interesting ports on 192.168.0.1:
(The 65530 ports scanned but not shown below are in state: filtered)
PORT      STATE      SERVICE
110/tcp   unfiltered pop-3
13701/tcp unfiltered VeritasNetbackup
13711/tcp unfiltered VeritasNetbackup
13721/tcp unfiltered VeritasNetbackup
13782/tcp unfiltered VeritasNetbackup
Nmap run completed -- 1 IP address (1 host up) scanned in 12205.371 seconds
Step 7: Test to Identify Firewall Architecture
Hping2 is a tool for custom packet crafting.
Use hping2 to identify packets that are:
• Open.
• Blocked.
• Dropped.
• Rejected.
Step 8: Testing Firewall Policy
The two different methods to verify the firewall policy are as follows:
• In the first method, get hardcopies of the firewall configuration and compare them against the expected configuration.
• The second method involves actual in-place testing that determines the configuration of a device by attempting to perform operations that must be prohibited.
Step 9: Test Firewall Using Firewalking Tool
Firewalk can be used to discover open ports behind a firewall and it can be used for access control list discovery.
It helps determine which ports a firewall (packet filter) lets through.
Firewalk determines if a given port is allowed through a firewall.
Traceroute to any machine behind the firewall, or to the router in front of the firewall, to learn the hop count to the gateway.
Once the hop count of the gateway is known, set the TTL of the probe packets to one more than that hop count and send one probe per port towards a host behind the firewall.
Thus, if a "TTL exceeded" error comes back from the hop beyond the gateway, the port is allowed through the firewall; if nothing comes back, the port is filtered.
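The decision logic behind Steps 1, 5, 6 and 7 (what a SYN/ACK, a RST/ACK, an ICMP administratively-prohibited message, or silence tells you, and how the ICMP source address locates the filter) and behind Step 9 (how a firewalk reply is read) is spelled out in the added example below. It is not code from the module; no packets are sent. The reply lines are constructed in the style of the hping2 output quoted on these slides, and the "TTL 0 during transit" and "type=3/code=13 from ip=" line shapes are assumed from hping2's output format.

```python
"""Classify replies to crafted probes (Steps 1, 5, 6, 7) and firewalk probes (Step 9).

Added example, not EC-Council's code. No packets are sent: the parser reads
reply lines in the style of the hping2 output quoted on these slides (the
"TTL 0 during transit" and "ICMP Unreachable type=3/code=13 from ip=" forms
are assumed from hping2's output format). The logic is what you apply by eye
when reading a real hping2 or firewalk run.
"""
import re
from dataclasses import dataclass
from typing import Optional

IP = r"\d+(?:\.\d+){3}"
TCP_RE = re.compile(rf"(?:from |ip=)(?P<ip>{IP}).*?flags=(?P<flags>[A-Z]+)")
ICMP_RE = re.compile(rf"ICMP Unreachable type=(?P<type>\d+)/code=(?P<code>\d+) from (?:ip=)?(?P<ip>{IP})")
TTL_RE = re.compile(rf"TTL 0 during transit from (?:ip=)?(?P<ip>{IP})")

# ICMP type 3 codes 9, 10 and 13: network/host/communication administratively prohibited
ADMIN_PROHIBITED = {(3, 9), (3, 10), (3, 13)}


@dataclass(frozen=True)
class Reply:
    kind: str                  # "tcp", "icmp", "ttl_exceeded" or "none"
    src: Optional[str] = None  # address that answered
    flags: str = ""            # TCP flags as hping prints them, e.g. "SA", "RA"
    icmp: tuple = (-1, -1)     # (type, code)


def parse_reply(line: Optional[str]) -> Reply:
    """Turn one reply line (or None for a timeout) into a Reply."""
    if not line:
        return Reply("none")
    m = TTL_RE.search(line)
    if m:
        return Reply("ttl_exceeded", m["ip"])
    m = ICMP_RE.search(line)
    if m:
        return Reply("icmp", m["ip"], icmp=(int(m["type"]), int(m["code"])))
    m = TCP_RE.search(line)
    if m:
        return Reply("tcp", m["ip"], flags=m["flags"])
    raise ValueError(f"unrecognised reply: {line!r}")


def classify_syn_probe(reply: Reply, target: str) -> str:
    """What one SYN to `target` tells you about the port and the path to it."""
    if reply.kind == "tcp" and "S" in reply.flags and "A" in reply.flags:
        return "open"
    if reply.kind == "tcp" and "R" in reply.flags:
        return "closed (reachable, no listener)"
    if reply.kind == "icmp" and reply.icmp in ADMIN_PROHIBITED:
        # Step 1: an admin-prohibited message from an address other than the
        # target names the filtering device in front of it
        if reply.src == target:
            return "rejected by the target's own filter"
        return f"rejected by filter at {reply.src}"
    if reply.kind == "none":
        return "dropped (silently filtered)"
    return "unknown"


def classify_firewalk(reply: Reply, gateway: str) -> str:
    """Step 9: the probe was sent with TTL = hops-to-gateway + 1 toward a host behind it."""
    if reply.kind == "ttl_exceeded":
        if reply.src == gateway:
            return "inconclusive (TTL expired at the gateway; raise it by one)"
        return "allowed through (TTL expired one hop past the gateway)"
    if reply.kind == "icmp" and reply.icmp in ADMIN_PROHIBITED:
        return "rejected by gateway ACL"
    if reply.kind == "tcp":
        return "allowed through (reached a host that answered)"
    if reply.kind == "none":
        return "filtered (dropped)"
    return "unknown"


if __name__ == "__main__":
    target, gateway = "10.0.0.5", "10.10.2.3"
    # Constructed reply lines; the first is the one quoted on the Step 5 slide
    for line in ["60 bytes from 10.0.0.5 : flags=RA seq=0 ttl=59 id=0 win=0 time=0.4 ms",
                 "ICMP Unreachable type=3/code=13 from ip=10.10.2.3 name=UNKNOWN",
                 None]:
        print("SYN probe ->", classify_syn_probe(parse_reply(line), target))
    print("firewalk ->", classify_firewalk(
        parse_reply("TTL 0 during transit from ip=10.0.0.5 name=UNKNOWN"), gateway))
```

The two classifiers differ on purpose: a direct SYN probe asks about the target port, while a firewalk probe is engineered to die one hop past the gateway, so for firewalk a "TTL exceeded" from anything other than the gateway itself is the positive result and silence is the filter.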
Step 10: Test for Port Redirection
If you cannot get direct access to a port, then use port redirection.
It is used to bypass port filtering.
Install a port redirector and make it listen on a selected port number.
Packets received on the listening port number are forwarded to the desired port on the remote host.
Tools:
• fpipe -l 80 -r 139 192.168.10.40
• datapipe 80 139 192.168.10.40
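To show what fpipe and datapipe actually do, here is an added example of a minimal TCP port redirector; it is not EC-Council's code nor the fpipe or datapipe source. It listens on one port and relays each accepted connection to a remote host and port, so traffic arriving on a port the filter allows is carried on to a port it blocks. The echo server is a constructed stand-in for the remote service so the whole thing runs on localhost; the port numbers and payloads are illustrative.

```python
"""Minimal TCP port redirector, the technique behind fpipe and datapipe.

Added example, not EC-Council's, fpipe's or datapipe's code. It listens on one
port and relays each accepted connection to a remote host:port, so a port the
filter allows (say 80) carries traffic on to one it blocks (say 139). The echo
server is a constructed stand-in for the remote service so the whole thing
runs on localhost.
"""
import socket
import threading
from typing import Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, remote_addr: Tuple[str, int]) -> None:
    """Bridge one accepted client to the remote service in both directions."""
    remote = socket.create_connection(remote_addr)
    with client, remote:
        back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
        back.start()
        _pump(client, remote)
        back.join()


def _serve(srv: socket.socket, handler) -> None:
    """Accept loop: one handler thread per connection until the socket is closed."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def start_redirector(listen_port: int, remote_host: str, remote_port: int,
                     listen_host: str = "0.0.0.0") -> int:
    """Equivalent of `fpipe -l <listen_port> -r <remote_port> <remote_host>`.
    Returns the bound port (useful when listen_port is 0)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)
    threading.Thread(target=_serve,
                     args=(srv, lambda c: _relay(c, (remote_host, remote_port))),
                     daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server(host: str = "127.0.0.1") -> int:
    """Constructed stand-in for the 'blocked' service: echoes bytes until EOF."""
    def echo(conn: socket.socket) -> None:
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    threading.Thread(target=_serve, args=(srv, echo), daemon=True).start()
    return srv.getsockname()[1]


def through_redirector(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Send payload via the redirector and return everything the far side sent back."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    echo_port = start_echo_server()
    redir_port = start_redirector(0, "127.0.0.1", echo_port, listen_host="127.0.0.1")
    print(through_redirector(redir_port, b"HEAD / HTTP/1.0\r\n\r\n"))
```

Note what the filter sees: only a connection to the redirector's listening port from the outside and a connection from the redirector host to the real service. That is exactly why a packet filter that trusts the redirector host cannot tell relayed traffic apart, and why Step 11's inside-out testing matters.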
Firewall Identification
Identify the firewall used to find out the vulnerability by:
• Type of firewall implemented.
• Firewall model.
• Firewall configuration.
Two types of firewall identification techniques include:
• Covert firewall identification.
• Overt firewall identification.
Step 11: Testing the Firewall from Both Sides
Examine the firewall by simultaneously testing both sides of the firewall.
The system that is tested from outside sends packets and the system inside analyzes the packets that arrive, and vice versa.
Step 11: Testing the Firewall from Both Sides (cont'd)
The following are the steps to be performed for testing the firewall from both sides:
Step 1: Test whether (possibly using tunneled protocols) unauthorized connections from the internal network to the Internet can be created.
Step 2: Execute a vulnerability scanner on the hosts of the firewall system (i.e., firewall host, internal router, external router) from inside.
Step 3: Identify the firewall rules by using appropriate firewall tools (like firewalking from both sides).
Step 4: Check for the reaction of the firewall to fragmented and spoofed packets that can be generated using a packet generator.
Step 12: Overt Firewall Test from Outside
In overt firewall testing, the tester creates network connections from outside to the protected network segment.
Step 12: Overt Firewall Test from Outside (cont'd)
The following are the steps to be performed for overt firewall testing from outside:
Step 1: Execute a vulnerability scanner on the hosts of the firewall system (i.e., firewall host, internal router, external router).
Step 2: Identify the firewall rules by using appropriate firewall tools (like firewalking).
Step 3: Try to reach the systems that are behind the firewall.
Step 4: Check for the reaction of the firewall to fragmented and spoofed packets that can be generated using a packet generator.
Step 13: Test Covert Channels
Install a backdoor on a victim machine inside the network.
Reverse connect to a machine outside the firewall.
Tool:
• WWW Reverse Shell
Step 14: Covert Firewall Test from Outside
In covert firewall testing, the testers create a network connection to the secured network segment from the outside.
Step 14: Covert Firewall Test from Outside (cont'd)
The following are the steps to perform covert firewall testing from outside:
Step 1: Identify the firewall rules by using appropriate firewall tools (like firewalking from outside).
Step 2: Try to reach the systems that are behind the firewall.
Step 3: Check for the reaction of the firewall to fragmented and spoofed packets that can be generated using a packet generator.
Step 15: Test HTTP Tunneling
Test to connect to the inside network using HTTP tunneling techniques.
Tools:
• HTTPort
• HTTHost
Step 16: Test Firewall Specific Vulnerabilities
Firewalls have specific vulnerabilities.
If a firewall is not patched, then it is vulnerable to attacks.
Send product specific exploits against firewall vulnerabilities and test for responses.
Document Everything
Document all your findings from firewall testing results.
Document the following:
• Firewall logs.
• Tools output.
• Your analysis.
• Recommendations (if any).