FIREWALKING

KNOW YOUR ENEMY: FIREWALLS
• What is a firewall?
  • A device or set of devices designed to permit or deny network transmissions based upon a set of rules
  • Used to protect networks from external threats by denying unauthorized traffic
  • Considered a first line of defense
  • Some consider it the only defense necessary (lulz)

THE PAST AND PRESENT
• Emerged during the late 80s, the wild west days of the Internet
• First paper published in 1988 by Digital Equipment Corporation (DEC)
• First Gen – Packet Filters
  • Inspect each network packet against a metric
  • Drop/reject packets on a match
  • No concept of connection state
  • Most of the work is on network-layer header fields (addresses, protocol number) with a splash of transport layer (port numbers)
  • Filter packets based on protocol/port number

MORE PAST AND PRESENT
• Second Gen – Stateful Filters
  • All the work of first gen firewalls, but now with more transport layer
  • Examine each packet as well as its position in the data stream
  • Record the "state" of the connection
    • Start of a new connection
    • Ending a connection
    • Somewhere in between

EVEN MORE PAST AND PRESENT
• Third Gen – Application Layer
  • Provide a great affinity for certain applications and protocols
  • Detect an unwanted protocol sneaking through a non-standard port
  • Detect protocol abuse, e.g. DDoS
  • Deep packet inspection
  • Some integrate the identity of users into the rule set
    • Bind ID to IP or MAC address (not the best way)
    • authpf on BSD systems running pf loads firewall rules per user after SSH authentication

APPLICATION LAYER FIREWALLS CONT.
• Exist at the application layer of the TCP/IP stack
• Can detect network worms
• Hook socket calls to determine whether a process should accept a connection
• Allow/block on a per-process basis
• Most commonly seen combined with a packet filter
• Filtering is still determined only by rule sets
• Unable to defend against modification of the process via exploitation (a compromised but permitted process keeps its permissions)

FIREWALL SPECIES
• Packet filters
  • Can be stateless or stateful
• Application layer
  • Per-process filtering
• Proxies
  • Make life a little more difficult but can be dealt with
• NATs
  • Firewalls use the "private address range" behind NATs
  • Used to hide the true address of a protected host
  • Very annoying when doing network reconnaissance

PUTTING THE IP BACK IN HIP
• Network layer protocol
• Used for host addressing and routing
• Consists of a header and a payload
• Header contains the source and destination addresses as well as other fields, including the TTL (time to live), which every router decrements before forwarding

OUR MAN ON THE INSIDE: ICMP
• One of the core protocols in the Internet Protocol Suite
• Exists in the Internet layer
• Generally used for sending error messages
• Lots of great ways to do network recon with ICMP

PLANS FOR PLUNDERING
• Goal: determine which protocols and ports a router or firewall blocks and which it allows downstream
• Uses an IP expiry technique akin to traceroute (tracert on Windows)
• Manipulates the TTL field of the IP header
• Sets the TTL one greater than the number of hops to the target firewall
• If the firewall blocks the probe, it is dropped or rejected and nothing comes back from beyond it
• If the firewall allows it, the probe expires at the next hop and we receive an ICMP Time Exceeded message

WEIGH ANCHOR AND HOIST THE MIZZEN!
• First determine the number of hops to the target gateway
• Utilize a traceroute-style IP expiry scan
• Increment the TTL by one per probe until the gateway itself is the hop that answers with ICMP Time Exceeded

AVAST! THAR BE FIREWALLS OFF THE PORT BOW!
• Time to start probing the firewall
• Set the TTL to one more than the hops to the firewall so our probes reach the metric host (the first hop behind the firewall)
• If the firewall lets the port through, the probe expires behind it and we receive an ICMP TTL Exceeded in Transit message
• No response implies the firewall filtered the port (or that it filters the ICMP reply; the two cases look identical to us)
• Repeat for every port, and for every host behind the firewall, to map the rule set and the network topology behind it

SWASHBUCKLING CAN ONLY GO SO FAR
• Firewalking is very noisy
• Router and firewall logs will pick up this kind of traffic
• Easily mitigated
  • Simply drop outbound ICMP messages at the firewall (can be problematic, since legitimate diagnostics such as traceroute depend on them)
• Techniques like idle scanning are the way of the modern network ninja

IMPROVING OUR SWAG
• Targeted scans
  • Don't just knock on every port
• Significant delay between scans
  • We don't need to know all the information immediately
• Use other hosts to perform the scan
  • Plenty of websites out there will perform the scan for you
• IP spoofing techniques
• Throw stealth out the window and blast the whole network with a billion other hazardous packets
  • No SA has time to go through a hyper-saturated log

QUESTIONS/COMMENTS

RESOURCES
• http://en.wikipedia.org/wiki/Firewall_%28computing%29
• http://www.freesoft.org/CIE/Course/Section3/7.htm
• http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
• http://www.techrepublic.com/article/use-firewalk-in-linuxunix-to-verify-acls-and-checkfirewall-rule-sets/5055357
• http://www.vesaria.com/Firewall/Testing/eye_of_hacker.php
• http://www.Insecure.org/
• http://video.google.com/videoplay?docid=8220256903673801959
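The two phases described on the PLANS FOR PLUNDERING, WEIGH ANCHOR and AVAST slides, together with the ICMP-dropping mitigation from SWASHBUCKLING, as an added Python example that is not part of the original slide deck. It simulates the topology in memory instead of sending packets (a real scan needs raw sockets and root), so the router names, the gateway's ACL, the port list and the "block ICMP from the inside" flag are all constructed for the demonstration.

```python
"""Firewalking simulated on a constructed in-memory topology (no packets are sent).

Phase 1: traceroute-style hop discovery, ramping the TTL until the gateway
         itself answers with ICMP Time Exceeded.
Phase 2: one probe per port with TTL = gateway hops + 1. If the gateway's ACL
         forwards the probe it expires at the hop behind the gateway, and that
         hop's Time Exceeded proves the port is allowed through.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Router:
    name: str
    # ACL as the set of (proto, dport) pairs this hop forwards; None = forward everything.
    allowed: Optional[set] = None
    # The mitigation from the slides: drop ICMP coming back from the protected side.
    block_icmp_from_inside: bool = False


@dataclass
class Network:
    path: list  # hops in order from the scanner outward; the last one sits behind the gateway


def send_probe(net, proto, dport, ttl):
    """What a raw-socket scanner would see: ('time-exceeded', hop_name) or None."""
    crossed = []  # hops already traversed; any ICMP reply has to come back through them
    for hop in net.path:
        ttl -= 1
        if ttl == 0:
            # This hop expires the datagram and emits ICMP Time Exceeded.
            if any(r.block_icmp_from_inside for r in crossed):
                return None  # a gateway we crossed eats the reply on its way back
            return ("time-exceeded", hop.name)
        if hop.allowed is not None and (proto, dport) not in hop.allowed:
            return None  # silently dropped by the ACL: indistinguishable from a lost reply
        crossed.append(hop)
    return None  # TTL did not expire on the modelled path


def find_gateway_hops(net, gateway_name, proto="tcp", dport=80, max_ttl=30):
    """Phase 1: ramp the TTL like traceroute until the gateway is the hop that answers."""
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(net, proto, dport, ttl)
        if reply is not None and reply[1] == gateway_name:
            return ttl
    return None


def firewalk(net, gateway_name, ports, proto="tcp"):
    """Phase 2: bind TTL to hops + 1 and classify every port as allowed or filtered."""
    hops = find_gateway_hops(net, gateway_name, proto)
    if hops is None:
        raise RuntimeError("gateway never answered; cannot bind the TTL")
    results = {}
    for port in ports:
        reply = send_probe(net, proto, port, hops + 1)
        # Any Time Exceeded from past the gateway means the ACL let the probe through.
        results[port] = "allowed" if reply is not None else "filtered"
    return hops, results


# Constructed topology: two plain routers, the gateway at hop 3 with a small ACL,
# and a router behind it (hop 4) that expires the forwarded probes.
ACL = {("tcp", 22), ("tcp", 80), ("tcp", 443)}
PORTS = [22, 23, 80, 443, 3389]
NET = Network([Router("r1"), Router("r2"), Router("fw.example", allowed=ACL), Router("dmz-router")])

# The same topology after the mitigation: the gateway drops ICMP coming from its inside.
HARDENED_NET = Network([Router("r1"), Router("r2"),
                        Router("fw.example", allowed=ACL, block_icmp_from_inside=True),
                        Router("dmz-router")])


def demo():
    """Gateway at hop 3; 22/80/443 allowed, 23/3389 filtered."""
    return firewalk(NET, "fw.example", PORTS)


def demo_hardened():
    """Hop count is still 3, but every port now reads 'filtered': the scan is blind."""
    return firewalk(HARDENED_NET, "fw.example", PORTS)


if __name__ == "__main__":
    print("plain gateway:", demo())
    print("ICMP-blocking gateway:", demo_hardened())
```

Two things the simulation makes visible that the slides only state: hop discovery still works against the hardened gateway, because its own Time Exceeded is generated on the outside, yet every port collapses to "filtered" once replies from behind it are dropped, so "no response" never means "blocked by the ACL" on its own. On a real network the hop behind the gateway is often the metric host itself rather than a router; it then answers a TCP probe with SYN/ACK or RST instead of Time Exceeded, and either reply from beyond the gateway carries the same meaning (the ACL forwarded the probe).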