FIREWALL PENETRATION TESTING
============================================
by MountAraratBlossom
11/20/2000
mountararatblossom@usa.net============================================
Introduction:
Application gateways and Packet filtering gateways are two types of firewalls basically available in market. Application gateways are those proxies and they are causing some computational problems in computers due to heavy CPU usage, therefore on busy networks Packet filtering devices are more preferable. However, the vendors are trying to embed these two inevitable characteristics of firewall into one.
Installing a firewall into a gateway is not a security panacea. Those who attended BlackHat (
www.blackhat.com) conference this July in Las Vegas still remember the presentations about FW-1 penetration. Security vulnerabilities are discovered every year with just about every firewall in the market. However, the worst thing might be the misconfigured, unattended and unmaintained ones. Is this laziness? Who knows, but it helps hackers.There are many tools out there to test the security of our applications. However penetrating into computer networks are sometimes bottleneck because of firewalls.
As those skilled hackers, we need some methodologies to intrude into systems in our pen-tests. I will basically try to cover the methods used widely at wild. We need to understand the ACLs(access control lists) of a firewall or a router, we need to map what is behind the firewall, we wanna know what is allowed in and so on.
As one of our main aim is not to trigger intrusion detection software, we don’t wanna deploy full connection (3-way handshake)port scanning. Because, port scanner’s triggers this systems easily because of the enormous amount of SYN/ACK packets sent back and forth to every port of the firewall just to check them. Therefore, we don’t like noisy staff in our pen-tests.
Moreover, we should know that, most of the firewalls do not respond to ICMP echo requests (ping), as long as it is configured with an expert firewall administrator.
==================================================
Firewall Identification & Traceroute:
Traceroute is a network debugging utility, which attempts to map all the hosts on a route to a certain destination host/machine. It sends UDP datagrams by default or ICMP ECHO Request packets with TTL (time to live) fields set to 1 just before reaching the final target. Once the target reached, as TTL field gets zero, the target will discard the datagram and generate an ICMP Time Exceeded packet back to its originator. By the way, Windows systems use ICMP ECHO Request by default and you can not use UDP method with Microsoft’s traceroute implementation, "tracert".
Lets assume that a network is protected by a access control device, a firewall or some sort, and it denies everything in but dns traffic. A regular traceroute will be as follows:
[willyhacker]#traceroute 10.10.0.10
traceroute to 10.10.0.10 (10.10.0.10), 30 hops max, 40 byte packets
1 10.10.0.2 (10.10.0.2) 0.540 ms 0.394 ms 0.397 ms
2 10.10.0.4 (10.10.0.4) 2.455 ms 2.479 ms 2.512 ms
3 10.10.0.6 (10.10.0.6) 4.812 ms 4.780 ms 4.747 ms
4 * * *
5 * * *
As you see from the preceding example, we can not go beyond 10.10.0.6 which most probably means that there is a blocking device at hop 4. To understand this we have to dig a little deeper.
When traceroute is deployed with default UDP datagram option, it will increase the port number at every time it send a UDP datagram. Hence, we need a equation which will give the starting port number to reach to final target. So the starting port number is
(Target port – (number of hops * number of probes)) -1
where number of hops is from our probing box to the firewall, and number of probes is by default 3.
Knowing this, know lets look at our tracerouting
[willyhacker]#traceroute –p43 10.10.0.10
traceroute to 10.10.0.10 (10.10.0.10), 30 hops max, 40 byte packets
1 10.10.0.2 (10.10.0.2) 0.540 ms 0.394 ms 0.397 ms
2 10.10.0.4 (10.10.0.4) 2.455 ms 2.479 ms 2.512 ms
3 10.10.0.6 (10.10.0.6) 4.812 ms 4.780 ms 4.747 ms
4 10.10.0.8 (10.10.0.8) 4.972 ms 4.980 ms 6.361 ms
5 * * *
BOOM !, we penetrated in to firewall, which is 10.10.0.8 and get into the network which is most probably a DMZ. However we could not get a reply from 10.10.0.10. The reason is basic, we did not hit to UDP port 53 of this box. As traceroute has incremented our port number again and it has got stuck to ACL on the firewall.
Don’t worry, Mike Shiffman (the author of famous firewalk), has a remedy for that. With his modified version of traceroute, traceroute 1.4a5 you can grab it from (www.packetfactory.net)
[willyhacker]#traceroute –S –p53 10.10.0.10
traceroute to 10.10.0.10 (10.10.0.10), 30 hops max, 40 byte packets
1 10.10.0.2 (10.10.0.2) 0.540 ms 0.394 ms 0.397 ms
2 10.10.0.4 (10.10.0.4) 2.455 ms 2.479 ms 2.512 ms
3 10.10.0.6 (10.10.0.6) 4.812 ms 4.780 ms 4.747 ms
4 10.10.0.8 (10.10.0.8) 4.972 ms 4.980 ms 6.361 ms
5 10.10.0.10 (10.10.0.10) 6.1022 ms 5.660 ms 8.531 ms
boom, there we go.. So, what we know is that, we know the IP address and an ACL of firewall (allow TCP/UDP port53 in), a box behind the firewall. This juicy information can help us for further penetration in our tests.
As a result, to test other open ports we can try other ports, with a home grown script, it can be done systematically.
============================================================
Firewalking:
Firewalk is just another utility written by Mike Schiffman, and can also be found at
www.packetfactory.net. The aim of this little handy tool is to find open ports on a filtering device, Firewall. It works by checking a live system behind a firewall, without touching this system to discover which services are permitted, which ports are open on that firewall.A second potential advantage of firewalk is mapping the unknown network behind the filtering device. By sending packets to every host behind the firewall, an attacker can generate accurate topology of the network behind the firewall.
The firewalk scan works by sending out TCP or UDP packets with an IP TTL evaluated to expire just one hop past the firewall. If the filtering device allows the traffic in, then it will send the packets to target where the TTL will get zero and the target will elicit a TTL exceeded on transit back to attacker. If the filtering device does not allow the traffic in, then we will not see any packet back which means the port is closed.
[willyhacker]#firewalk -n –P135-140 –pTCP 10.10.0.5 10.10.0.20
Firewalking through 10.10.0.5 (towards 10.10.0.20) with a maximum of 25 hops.
Ramping up hopcounts to binding host...
probe: 1 TTL: 1 port 33434: <response from> [10.10.0.4]
probe: 2 TTL: 2 port 33434: <response from> [10.10.0.6]
probe: 3 TTL: 3 port 33434: <response from> [10.10.0.8]
probe: 4 TTL: 4 port 33434: <response from> [10.10.0.10]
probe: 5 TTL: 5 port 33434: Bound scan: 5 hops <Gateway at 5 hops> [10.10.0.10]
port 135: open
port 136: *
port 137: open
port 138: *
port 139: open
port 140: *
However, what we see on our tests is that, some firewalls recognize that the packet will expire when they get to the target host before applying ACL rules. And they elicit an ICMP TTL Expired packet back to attacker and this leads to false-positives.
To learn more about firewalk, you can check the following URL
www.es2.net/research/firewalk
==================================================
Hpinging:
This tools is basically a TCP ping utility, however it has some additional functionality. You may grab it from
www.kyuzz.org/antirez It allows user to play with some options of the TCP packet which may let it pass through some filtering devices even if they are blocked, and reports the packets it gets back. . By using the –p switch, we can set a fixed destination port, as in the case of traceroute and pass through the firewall. We can even fragment TCP packets as well, but it is basically a TCP ping sweeping utility.[willyhacker]# hping 10.10.0.10 –S –p 53 –f
60 bytes from 10.10.0.10. flags=SA seq=0 ttl=124 id=17051 win=0 time 45.3
60 bytes from 10.10.0.10. flags=SA seq=1 ttl=124 id=19551 win=0 time 134.9
as you see whenever a port is open (TCP 53/DNS), we receive back SYN/ACK flags set packets.
Moreover, sometimes the filtering devices can not handle fragmented packets and let them in, thus we can map the network behind the filtering device.
==================================================
Stateless Firewalls & Source Port Scanning:
This method can apply to those filtering devices which does not keep the state of traffic. Namely, it wont work against stateful filtering devices. So what is the idea, basically think of such a device which will never remember if the connection has begun from inside or outside. Boom! I see your sparkling eyes. Right, FTP, or yes, DNS. Anyothers? Several… If we send a packet with the source port 20 in FTP, which is the default DATA port, we can check the system behind the firewall and map the network behind the firewall.
For this, we will use nmap, we will discover its features for other methods later on this paper. The –g switch of nmap will let us do that.
[willyhacker]# nmap –sS –P0 –g 20 –p 139 10.10.0.10
as you see, we use the SYN scan (-sS) without pinging (-P0) the target system.
If it comes out that the port is open, then it has two significant meanings, one the system probed is alive behind the firewall, which is good for network mapping, and second, FW ACL does not block TCP 139 port, which is a good starting point for hacking Windows based systems.
The authors of Hacking Exposed have also mentioned this method in their second edition and they got a very handy tool for utilizing this method to get into system, fpipe, you may grab it from
www.foundstone.com This utility is a modified port redirector and you can set the source port to 20 with the help of it.
============================================================
ICMP Enumerating with icmpenum:
Ping is maybe the most known ICMP packet ICMP ECHO REQUEST (type 8) and the reply is ICMP ECHO REPLY (type 0). Therefore most firewall admins blocks incoming pings, however they do not care about other types of ICMP packets, which can be handy for gathering juicy information from the target.
To do use the other options of ICMP, our favorite tool is icmpenum from Simple Nomad. You may grab it from his personal site
www.nmrc.orgRather than ICMP ECHO packets, we may send ICMP TIME STAMP REQUEST and ICMP INFO packets to the system. Furthermore, it supports spoofing and promiscuous listening for reply packets. Icmpenum is great for enumerating networks who block ICMP Echo packets but have failed to block Timestamp or Information packet, or for upstream sniffing of trusted addresses.
[willyhacker]#icmpenum –I 2 –v 10.10.0.0
10.10.0.2 is up
10.10.0.4 is up
10.10.0.6 is up
10.10.0.8 is up
10.10.0.10 is up
in this preceding example, we have enumerated all alive hosts by sending ICMP TIME STAMP requests in the 10.10.0.0 network.
As we have mentioned earlier, it can spoof packets with –s switch and can listen in promiscuous mode with –p option.
[willyhacker]#icmpenum –I 3 –s 10.10.0.50 –p –v 10.10.0.10
In this example, we have spoofed the IP address 10.10.0.50 with –s switch and we get to promiscuous mode with –p option with ICMP INFO packets.
To summarize, this tool allows us to determine alive hosts behind the filtering devices with the help of ICMP types ECHO, INFO, TIME STAMP REQUEST. In many of pen-tests, I deploy this little and handy utility for checking the alive hosts behind the firewall and it works most of the time.
==================================================
Playing with the ICMP Packages:
The folk Ofir Arkin, has released a whitepaper about the hazards of ICMP and its usage about operating system guessing and filtering device testing. I strongly suggest you guys to take a check his study. This part of our study heavily depends on his study and findings. I have tested his findings in a laboratory and used some ideas in my pen-tests. I found them especially handy in network topology mapping and in ACL discovery. You can find his detailed document from
www.blackhat.com, he has given a speech this year at BlackHat Europe.We can use various methods to elicit an ICMP error message back from a probed host and discover its existence. Some of the methods are as follows:
• Mangling IP headers
o Header Length Field
o IP Options Field
• Using non-valid field values in the IP header
o Using valid field values in the IP header
• Abusing Fragmentation
• The UDP Scan Host Detection method
With the first method we are using bad IP headers in the IP datagram that would generate an ICMP Parameter Problem error back from the probed machine to the source IP address of the probing datagram. The second method use non-valid field values in the IP header in order to force the probed machine to generate ICMP Destination Unreachable error message back to the malicious computer attacker. The third method discussed uses fragmentation to trigger an ICMP Fragment Reassembly Time Exceeded error message from the probed machine. The last method uses the UDP Scan method to elicit ICMP Port Unreachable error message back from a closed UDP port(s) on the probed host(s).
The tool we will be using for playing with the ICMP packages is called ISIC written by Mark Frantzen. You can grab it from
http://expert.cc.purdue.edu/~frantzen
the user can specify how often the packets will be fragmented, have IP options, TCP options and etc.
In the next example I have sent 20 IP Packets from a LINUX machine to a Microsoft Windows NT WRKS 4 SP4 machine. The datagrams were not fragmented nor bad IP version numbers were sent. The only weird thing sent inside the IP headers was random IP Header length, which have produced ICMP Parameter Problem Code 2 error message as I anticipated.
[root@stan packetshaping]# ./isic -s 192.168.5.5 -d 192.168.5.15 -p 20
-F 0 -V 0 -I 100
Compiled against Libnet 1.0
Installing Signal Handlers.
Seeding with 2015
No Maximum traffic limiter
Bad IP Version = 0% Odd IP Header Length = 100%
Frag'd Pcnt = 0%
Wrote 20 packets in 0.03s @ 637.94 pkts/s
tcpdump trace
:12:11:05.843480 eth0 > kenny.sys-security.com > cartman.sys-security.
com: ip-proto-110 226 [tos 0xe6,ECT] (ttl 110, id 119,
optlen=24[|ip])
12:11:05.843961 eth0 P cartman.sys-security.com > kenny.sys-security.
com: icmp: parameter problem - octet 21 Offending pkt:
kenny.sys-security.com > cartman.sys-security.com: ip-proto-110 226
[tos 0xe6,ECT] (ttl 110, id 119, optlen=24[|ip]) (ttl 128, id 37776)
If we probe the entire IP range of the targeted network with all combinations of protocols and ports, it would draw us the targeted network topology map, and will allow us to determine the access list (ACL) a Filtering Device (If present, and not blocking outgoing ICMP Parameter Problem Error messages) is forcing.
Moreover, if you wanna play with the low-level row TCP/IP packages in order to test your systems, firewalls and filtering devices, I do suggest using CASL (custom auditing and scripting language). Cybercop from NAI,
www.nai.com has a unique feature which allow us to play with the low-level packets in a GUI interface. We can create any choice of our packets as scripts and run them against the firewalls or whatever system we want. By combinig this tool to the findings of Ofir arkin, we can get the idea what is happening on the victim site and determine the ACL and map the network topology. By the way, don’t forget to run your choice of sniffer on your attacking box to review the packets elicited from the target.
==================================================
NMAPing: (network mapping)
I must mention about the nmap, which you can get from
www.insecure.org/nmap and it is such a wonderful tool, you cant do without it. It has many different switches, which eases our jobs from many different perspectives. Until recently this tool was mainly a UNIX tool, however the folks at eEye (www.eeye.com) has released an NT version which performs the same functions as in the UNIX version.Albeit, it is basically a port scanner, its features let us do some quiet scanning for port probes. Yet, I should mention that, there are some intrusion detection SW out there capable of catching nmap scans.
As I mentioned, most of the firewalls do not respond to ICMP echo requests (ping), thus we will use the –P0 switch which disables ICMP pinging. –sS switch will perform a TCP SYN stealth scanning and so on. To get all the features of nmap type
[wilyhacker]#
nmap –hfrom your box.
A filtered port in nmap signifies one of three things.
No SYN/ACK packet is received
No RST/ACK packet is received
An ICMP type 3 message (Destination Unreachable) is received.
Nmap pulls all three of this conditions and report it as "filtered" port. To understand this nmap gathers the ICMP packages sent back to the attacker box. ICMP packets houses all the data necessary to understand what is happening.
The "unfiltered" port is reported only when we scan a number of ports and receive an RST/ACK packet back. In this state, either our packets are passing through the filtering device, but the target box do not listen on that port, OR the firewall is responding on behalf of the target with IP spoofing with RST/ACK flags set.
Anyway, I don’t wanna get into details of nmap, as there are many papers out there explaining the details of nmap, however as it is understood, it can be handy for network mapping behind firewalls and we can discover filtering device ACLs.
============================================================
Conclusion:
The aim of this paper was to give some idea about firewall penetration testing and network topology mapping behind firewalls. We have touched many different salts of firewall scanning tools, and there are many more at wild.
This methods are deployed in pen-tests to discover what is behind the filtering device and to figure out the ACL of this device. To do a successful pen-test, we need to know what is happening behind the closed doors. Who is watching the door? , what is he/she checking? and so on. Harvesting a wealth of information is the main step for a successful hacking, and to gather this information we have to penetrate through firewalls.
Watch your servers at wild
Mab-