FIREWALKING

KNOW YOUR ENEMY: FIREWALLS
• What is a firewall?
  • A device or set of devices designed to permit or deny network transmissions based upon a set of rules
  • Used for protection of networks from external threats by denying unauthorized traffic
  • Considered a first line of defense
  • Some consider it the only defense necessary (lulz)

THE PAST AND PRESENT
• Emerged during the late 80s, during the wild west days of the Internet
• First paper published in 88 from Digital Equipment Corporation (DEC)
• First Gen – Packet Filters
  • Inspect network packets using a metric
  • Drop/reject packets upon detection
  • No concept of connection state
  • Most work is between the network and physical layers with a splash of transport layer
  • Filter packets based on protocol/port number

MORE PAST AND PRESENT
• Second Gen – Stateful Filters
  • All the work of first gen firewalls but now with more transport layer
  • Examine each packet as well as its position in the data stream
  • Record the “state” of the connection
    • Start of a new connection
    • Ending a connection
    • Somewhere between

EVEN MORE PAST AND PRESENT
• Third Gen – Application Layer
  • Provides a great affinity for certain applications and protocols
  • Detects unwanted protocols sneaking through a non-standard port
  • Detection of protocol abuse, e.g. DDoS
  • Deep packet inspection
  • Some integrate the identity of users into the rule set
    • Bind ID to IP or MAC address (not the best way)
    • Authpf on BSD systems loads firewall rules per user after SSH authentication

APPLICATION LAYER FIREWALLS CONT.
• Exist on the application layer of the TCP/IP stack
• Can detect network worms
• Hook socket calls to determine whether a process should accept a connection
• Allow/block on a per-process basis
• Most commonly seen alongside a packet filter
• Filtering is still determined only via rule sets
• Unable to defend against modification of the process via exploitation

FIREWALL SPECIES
• Packet filters
  • Can be stateless or stateful
• Application layer
  • Per-process filtering
• Proxies
  • Make life a little more difficult but can be dealt with
• NATs
  • Firewalls use the “private address range” behind NATs
  • Used to hide the true address of a protected host
  • Very annoying when doing network reconnaissance

PUTTING THE IP BACK IN HIP
• Network layer protocol
• Used for host addressing and routing
• Consists of a header and a payload
• Header contains values for source and destination address, as well as other data including TTL

OUR MAN ON THE INSIDE: ICMP
• One of the core protocols in the Internet Protocol Suite
• Exists in the Internet Layer
• Generally used for sending error messages
• Lots of great ways to do network recon with ICMP

PLANS FOR PLUNDERING
• Goal – to determine which protocols a router or firewall will block and which are allowed downstream
• Uses an IP expiry technique akin to the tracert program
• Manipulates the TTL field of the IP header
• Sets a TTL value one greater than the number of hops taken to the target firewall
• If packets are blocked by the firewall, they are dropped or rejected
• If allowed, we receive an ICMP time exceeded message

WEIGH ANCHOR AND HOIST THE MIZZEN!
• First need to determine the number of hops taken to the target gateway
• Utilize a traceroute-style IP expiry scan
• TTL count is incremented at each hop until the target is reached

AVAST! THAR BE FIREWALLS OFF THE PORT BOW!
• Time to start probing the firewall
• Set TTL to one more than the hops to the firewall so our scans can reach the metric host
• If the port is open, we receive an ICMP TTL expired in transit message
• No response implies the port is closed
• Repeat for every host to determine the network topology behind the firewall

SWASHBUCKLING CAN ONLY GO SO FAR
• Firewalking is very noisy
• Router and firewall logs will pick up this kind of traffic
• Easily mitigated
  • Simply disable outbound ICMP messages (can be problematic)
• Techniques like idle scanning are the way of the modern network ninja

IMPROVING OUR SWAG
• Targeted scans
  • Don’t just knock on every port
• Significant delay between scans
  • Don’t need to know all the information immediately
• Use other hosts to perform the scan
  • Plenty of websites out there to perform the scan for you
  • IP spoofing techniques
• Throw stealth out the window and blast the whole network with a billion other hazardous packets
  • No SA has time to go through a hyper-saturated log

QUESTIONS/COMMENTS

RESOURCES
• http://en.wikipedia.org/wiki/Firewall_%28computing%29
• http://www.freesoft.org/CIE/Course/Section3/7.htm
• http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
• http://www.techrepublic.com/article/use-firewalk-in-linuxunix-to-verify-acls-and-checkfirewall-rule-sets/5055357
• http://www.vesaria.com/Firewall/Testing/eye_of_hacker.php
• http://www.Insecure.org/
• http://video.google.com/videoplay?docid=8220256903673801959