Bypassing Firewalls


A firewall is a security buffer between two or more networks. It provides that buffer by filtering traffic to ports that are not needed and opening the remaining ports only to allowed hosts. A simple packet filter judges each packet in isolation, using the addresses and ports in the IP header and the TCP or UDP header. Firewalls that provide stateful packet inspection go further: they track the state of each connection (for TCP, the three-way handshake) and accept a packet only if it belongs to a connection they have already seen. The difference matters for the techniques in this section, because several of them work only against a firewall that judges each packet by its header alone.

The first step you should take when performing a penetration test against a firewall device is determining which ports are allowed through a firewall and which ports are filtered. After you discover this information, you can begin to attempt attacks against those ports that are not filtered. Two popular methods of ascertaining the configuration of a firewall are as follows:

  • ACK scan

  • Firewalking

In an ACK scan, a TCP segment with only the ACK bit set is sent to each port. A host that receives an unsolicited ACK replies with a segment that has the RST bit set whether or not anything is listening on that port, so a RST tells you only that the firewall let the probe through to the host; no reply (or an ICMP Destination Unreachable message) indicates that the port is filtered. By recording which probes draw a RST, you map the firewall rule set rather than the services behind it. For example, a RST for TCP port 80 means the firewall permits traffic to port 80, which suggests a web server is meant to be reachable there because web traffic uses TCP port 80, but you still need a SYN scan or a connection attempt to confirm that a service is actually listening. The scan works against stateless packet filters, which pass any ACK segment on the assumption that it belongs to an established connection (the established keyword in a Cisco extended access list is the classic example). A stateful firewall drops an ACK that does not belong to a connection it has tracked, so against it every port appears filtered.

The second method of determining the firewall configuration is firewalking. Firewalking depends on the firewall behaving as a router: every router on the path decrements the IP TTL field by 1, and the router at which the TTL would reach 0 discards the packet and returns an ICMP Time Exceeded message (type 11) to the sender. First use traceroute to learn how many hops away the firewall is; call it N, so a packet sent with TTL N expires at the firewall. Firewalking then sends one probe per port you want to test, addressed to a host behind the firewall, with the TTL set to N+1. If the port is filtered, the firewall drops the probe and you receive no response (some firewalls reject with a RST or an ICMP unreachable message instead). If the port is unfiltered, the firewall decrements the TTL to 1 and forwards the probe; the next hop beyond the firewall then returns an ICMP Time Exceeded message, or, if that next hop is the destination host itself, the host answers the probe directly with a SYN/ACK or RST. Either way, a reply from an address beyond the firewall proves that the probe passed it, so you list that port as unfiltered. By collecting these replies you map the rule set without needing a listening service on any of the ports. Firewalking fails if the firewall does not decrement the TTL (a transparent bridging firewall) or if ICMP Time Exceeded messages are blocked on the way back to you.
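Both probes can be built by hand. The following Python is an added example written for this page, not code from the book or from any of the tools it mentions. It constructs raw IPv4/TCP probes for an ACK scan and for a firewalk with correct header checksums (so a target will actually answer them), derives the firewalk TTL from the hop count to the firewall, and classifies a reply according to the rules just described. The addresses (203.0.113.10 as the tester, 198.51.100.20 as a host assumed to sit behind a firewall five hops away, 203.0.113.254 as the firewall) are assumptions for illustration; sending requires root, and capturing replies (with tcpdump or a raw receiving socket) is left out, so the classify functions take the reply you observed.

```python
import socket
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and TCP headers."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, flags, seq=0x1000, ack=0):
    """20-byte TCP header, no options or payload (data offset 5), checksum filled in."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 1024, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_ipv4(src_ip, dst_ip, ttl, tcp_segment, ident=0x1234):
    """IPv4 header (no options) in front of a TCP segment, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_segment), ident, 0, ttl,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + tcp_segment


def ack_probe(src_ip, dst_ip, dport, sport=40000, ttl=64):
    """ACK-scan probe: a bare ACK that a stateless filter treats as 'established'."""
    return build_ipv4(src_ip, dst_ip, ttl,
                      build_tcp(src_ip, dst_ip, sport, dport, TCP_ACK, ack=0x2000))


def firewalk_probe(src_ip, dst_ip, dport, gateway_hops, sport=40000):
    """Firewalk probe: TTL is one more than the hop count to the firewall, so the
    packet expires (or is answered) one hop beyond it if the firewall lets it through."""
    return build_ipv4(src_ip, dst_ip, gateway_hops + 1,
                      build_tcp(src_ip, dst_ip, sport, dport, TCP_SYN))


def classify_ack_response(reply):
    """reply is None or (proto, code, src_ip): ('tcp', flags, ip) or ('icmp', type, ip)."""
    if reply is None:
        return "filtered"          # dropped silently by the firewall
    proto, code, _src = reply
    if proto == "tcp" and code & TCP_RST:
        return "unfiltered"        # the host answered: the probe got through
    if proto == "icmp" and code == 3:
        return "filtered"          # rejected with Destination Unreachable
    return "unknown"


def classify_firewalk_response(reply, gateway_ip):
    """Any reply from an address beyond the gateway proves the probe passed it."""
    if reply is None:
        return "filtered"
    proto, code, src_ip = reply
    if proto == "icmp" and code == 11:  # Time Exceeded
        return "ttl-too-low" if src_ip == gateway_ip else "unfiltered"
    if proto == "tcp":
        return "unfiltered"        # the destination host itself answered (SYN/ACK or RST)
    return "filtered" if proto == "icmp" and code == 3 else "unknown"


def send_raw(packet, dst_ip):
    """Put a hand-built packet on the wire; needs root or CAP_NET_RAW."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (dst_ip, 0))


if __name__ == "__main__":
    # Assumed addresses: tester 203.0.113.10, target 198.51.100.20 behind a firewall
    # five hops away. Reply capture (tcpdump or a raw receiving socket) is not shown.
    for port in (22, 25, 80, 443):
        send_raw(ack_probe("203.0.113.10", "198.51.100.20", port), "198.51.100.20")
        send_raw(firewalk_probe("203.0.113.10", "198.51.100.20", port, 5), "198.51.100.20")
```

Run it as root from a host that can see the target, with tcpdump listening for RST segments and ICMP type 11 on the same interface, then feed each observed reply to the matching classify function. A ttl-too-low result from the firewalk classifier means your hop count for the firewall is off by one and the probe expired at the firewall itself rather than beyond it.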

A malicious hacker is concerned not only with the rules on a firewall, but also with how to bypass a firewall without being detected. A malicious hacker attempts to upload files or launch attacks by tunneling traffic through open ports. As a penetration tester, you should test these tunneling techniques to determine if the firewall is vulnerable to tunneling exploits.

You can use several tunneling methods to bypass a firewall, including these:

  • Loki ICMP tunneling

  • ACK tunneling

  • HTTP tunneling

Loki ICMP tunneling was introduced in Volume Seven, Issue Forty-Nine of Phrack Magazine (http://www.phrack.org/phrack/49/P49-06). This type of tunneling allows you to tunnel a backdoor shell in the data portion of ICMP Echo packets. RFC 792, which delineates ICMP operation, does not define what should go in the data portion; it only requires that an Echo Reply return whatever data the Echo Request carried. Because the payload is arbitrary, most firewalls do not examine it, so you can put any data you want in the payload portion of the ICMP packet, including the commands and output of a backdoor application. Assuming that ICMP echo traffic is allowed through a firewall in both directions, you can use Loki ICMP tunneling to execute commands of your choosing by tunneling them inside the payload of ICMP echo packets. (That same RFC requirement is the defender's handle: a tunnel reply carries command output rather than the request's data, so it no longer matches the request.)

Some administrators like to keep ICMP open on their firewall because it is useful for tools like ping and traceroute. However, many attacks and covert channels use ICMP. Disabling ICMP entirely is a blunt fix that also blocks the Destination Unreachable (fragmentation needed) messages that path MTU discovery depends on; a better rule set blocks or tightly restricts inbound Echo Request and outbound Echo Reply at the firewall, permits only the ICMP types the network needs, and inspects the payload of any echo traffic that is allowed. Replies whose data does not match the request, or payloads of unusual size, are the signature of an ICMP tunnel.
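To make the two preceding paragraphs concrete, here is an added Python example written for this page. It is not from the book and not the original Loki source, whose wire format it does not reproduce: a minimal Loki-style tunnel that hides a command in the data field of an Echo Request and the command's output in the matching Echo Reply, followed by the defender's check that the advice above implies. The two-byte marker, the sample command and the constructed capture are assumptions for illustration.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
TAG = b"\xf0\x0f"   # marker chosen for this example; not the real Loki format


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo message; RFC 792 puts no constraint on the payload bytes."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(msg: bytes):
    """Return (type, ident, seq, payload), or None if too short or the checksum fails."""
    if len(msg) < 8 or checksum(msg) != 0:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, ident, seq, msg[8:]


def loki_request(command: bytes, ident: int, seq: int) -> bytes:
    """Client side: the command rides in the data field of an Echo Request."""
    return icmp_echo(ECHO_REQUEST, ident, seq, TAG + command)


def extract_command(request: bytes) -> bytes:
    """Server side: recover the command, or b'' if this is an ordinary ping."""
    parsed = parse_icmp(request)
    if parsed is None or parsed[0] != ECHO_REQUEST or not parsed[3].startswith(TAG):
        return b""
    return parsed[3][len(TAG):]


def loki_reply(request: bytes, output: bytes) -> bytes:
    """Server side: answer with the command output in an Echo Reply that keeps the
    request's identifier and sequence number, so it looks like a normal ping reply."""
    _, ident, seq, payload = parse_icmp(request)
    if not payload.startswith(TAG):
        raise ValueError("not a tunnel packet")
    return icmp_echo(ECHO_REPLY, ident, seq, TAG + output)


def detect_covert_echo(packets, max_payload=64):
    """Defender's check over captured ICMP messages (bytes, in arrival order).
    RFC 792 requires an Echo Reply to return the request's data unchanged, so a
    reply whose payload differs from its matching request is flagged, as is any
    payload larger than the site's normal ping size."""
    findings = []
    pending = {}                      # (ident, seq) -> request payload
    for i, msg in enumerate(packets):
        parsed = parse_icmp(msg)
        if parsed is None:
            continue
        icmp_type, ident, seq, payload = parsed
        if len(payload) > max_payload:
            findings.append((i, "oversized payload"))
        if icmp_type == ECHO_REQUEST:
            pending[(ident, seq)] = payload
        elif icmp_type == ECHO_REPLY:
            req = pending.pop((ident, seq), None)
            if req is not None and req != payload:
                findings.append((i, "reply payload differs from request"))
    return findings


# Constructed capture: one ordinary ping pair, then one tunnelled command and its answer.
PING_DATA = bytes(range(0x10, 0x38))    # 40 bytes of filler, as a normal ping might send
CAPTURE = [
    icmp_echo(ECHO_REQUEST, 0x0101, 1, PING_DATA),
    icmp_echo(ECHO_REPLY, 0x0101, 1, PING_DATA),
    loki_request(b"id", 0x0202, 1),
    loki_reply(loki_request(b"id", 0x0202, 1), b"uid=0(root) gid=0(root)\n"),
]
```

Running detect_covert_echo over CAPTURE leaves the real ping pair alone and flags the fourth message, because its payload (the command output) is not what the request carried. A tunnel author can defeat the size check by chunking output into ping-sized pieces, but cannot defeat the mismatch check without giving up the return channel, which is why payload inspection on echo traffic is worth the cost.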

If ICMP is blocked on a firewall, do not assume that the firewall is safe from attack. A penetration tester or malicious hacker can also attempt ACK tunneling. This follows the same concept as ICMP tunneling in that your backdoor application is tunneling within allowed packets, but in ACK tunneling, you are tunneling with TCP packets with the ACK bit set.

The ACK bit acknowledges receipt of data from the other end of a TCP connection, so every segment after the initial SYN carries it. Stateless packet filters and some IDS devices pass or ignore any segment with the ACK bit set on the assumption that it belongs to a connection that was already permitted; that assumption is exactly what ACK tunneling exploits. A stateful firewall, which knows that no such connection exists, drops the segments.

One tool that implements ACK tunneling is AckCmd (http://ntsecurity.nu/toolbox/ackcmd/). AckCmd is a backdoor application that allows you to get a remote shell on a Windows computer (assuming AckCmd is running on the target host). The client component of AckCmd communicates with the server component entirely through the use of ACK segments.
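Whether an ACK scan or an ACK tunnel succeeds comes down to whether the firewall keeps connection state. The following Python, an added example rather than code from the book or from AckCmd, models both kinds of firewall over the same constructed traffic: a stateless rule set with the classic established rule (permit any segment with ACK or RST set, as a Cisco extended access list does), and a stateful firewall that admits an ACK only when it belongs to a handshake the firewall has seen. The addresses, ports and the traffic list are assumptions for the example.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: int = 0          # payload length in bytes


def stateless_permit(seg: Segment, inside_hosts) -> bool:
    """Packet-filter rule set: inbound SYN only to the web server, anything outbound,
    plus the 'established' rule that passes any segment with ACK or RST set."""
    if seg.dst in inside_hosts and seg.dport == 80 and seg.flags & SYN and not seg.flags & ACK:
        return True
    if seg.src in inside_hosts:
        return True
    return bool(seg.flags & (ACK | RST))     # 'established': no idea whether a connection exists


class StatefulFirewall:
    """Tracks TCP connections through the handshake; a segment is accepted only if
    it opens a permitted connection or belongs to one already in the table."""

    def __init__(self, inside_hosts):
        self.inside = set(inside_hosts)
        self.table = {}                       # endpoints pair -> handshake state

    def _allowed_new(self, seg: Segment) -> bool:
        return seg.src in self.inside or (seg.dst in self.inside and seg.dport == 80)

    def permit(self, seg: Segment) -> bool:
        key = frozenset([(seg.src, seg.sport), (seg.dst, seg.dport)])
        state = self.table.get(key)
        if state is None:
            if seg.flags & SYN and not seg.flags & ACK and self._allowed_new(seg):
                self.table[key] = "SYN_SENT"
                return True
            return False                      # unsolicited ACK (scan or tunnel): dropped
        if seg.flags & RST:                   # either side tearing the connection down
            del self.table[key]
            return True
        if state == "SYN_SENT":
            ok = bool(seg.flags & SYN and seg.flags & ACK)
            if ok:
                self.table[key] = "SYN_RECV"
        elif state == "SYN_RECV":
            ok = bool(seg.flags & ACK)
            if ok:
                self.table[key] = "ESTABLISHED"
        else:
            ok = True                         # data on an established connection
        return ok


# Constructed traffic: 10.0.0.20 is the protected web server, 203.0.113.10 the outsider.
INSIDE = {"10.0.0.20"}
OUTSIDE, WEB = "203.0.113.10", "10.0.0.20"
TRAFFIC = [
    Segment(OUTSIDE, 51000, WEB, 80, SYN),                  # legitimate browser connection
    Segment(WEB, 80, OUTSIDE, 51000, SYN | ACK),
    Segment(OUTSIDE, 51000, WEB, 80, ACK),
    Segment(OUTSIDE, 51000, WEB, 80, ACK, payload=300),     # the HTTP request itself
    Segment(OUTSIDE, 40000, WEB, 22, ACK),                  # ACK-scan probes to closed rules
    Segment(OUTSIDE, 40000, WEB, 445, ACK),
    Segment(OUTSIDE, 40001, WEB, 80, ACK, payload=48),      # AckCmd-style: data in a bare ACK,
]                                                           # no handshake ever seen


def run(traffic, inside):
    """Return the verdicts of both firewalls, one list entry per segment."""
    fw = StatefulFirewall(inside)
    stateless = [stateless_permit(s, inside) for s in traffic]
    stateful = [fw.permit(s) for s in traffic]
    return stateless, stateful
```

The stateless filter passes all seven segments, including the two scan probes and the data-bearing ACK, because each has the ACK bit set. The stateful firewall passes the four segments of the real connection and drops the other three, which is why the ACK scan reports every port as filtered and an ACK tunnel never reaches its server behind such a device.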

Besides ICMP and ACK tunneling, you can attempt HTTP tunneling. If your target company has a public web server, its firewall must pass inbound TCP port 80, the port used for HTTP traffic, to that server. Many firewalls do not examine the payload of an HTTP packet to confirm that it is legitimate HTTP traffic, so you can carry other protocols inside connections to TCP port 80 because that port is already allowed. Only an application-layer firewall or proxy that actually parses HTTP will notice that the exchange is not real web traffic.

HTTPTunnel (http://www.nocrew.org/software/httptunnel.html) is a tool that uses this technique of tunneling traffic across TCP port 80. HTTPTunnel is a client/server application: the client is htc and the server is hts. You upload hts to the target system and start it listening on TCP port 80; its -F option names the host and port to which hts forwards the traffic it unwraps from the HTTP stream. For example, to reach the Telnet service on the target, forward to TCP port 23 (the Telnet port) while listening on port 80 (the HTTP port). Note that hts must be able to bind port 80 on the target, which requires root privileges and a port that the target's own web server is not already using; if port 80 is taken, choose another port the firewall permits. The server is started with the following command:

hts -F target.hackmynetwork.com:23 80

On the client machine, execute the client application with the following command:

htc -F 23 target.hackmynetwork.com:80

htc now listens on TCP port 23 on your own machine, so connecting to it (for example with telnet localhost 23) opens a Telnet session to the target that travels inside HTTP requests to port 80. You can apply the same pair of commands to any application you want to redirect through TCP port 80; only the forwarded port changes.

ICMP, ACK, and HTTP tunneling are all techniques for getting traffic past a firewall without being detected. Each relies on the firewall trusting a particular kind of packet without inspecting it (an echo payload, an ACK segment, an HTTP body), which is also where the corresponding defense lies. Next, you will learn about evading IDSs.



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209
