Detecting and identifying a firewall (or, more generally, an intrusion-detection system) in a timely manner is a prerequisite of a successful attack. In practice, an intrusion-detection system is usually deployed together with a firewall. Before covering the detection and identification of a firewall and the techniques for bypassing it, it is necessary to review the IP (Fig. 23.3) and TCP (Fig. 23.4) headers.
Most firewalls, after analyzing the IP packet header, discard packets whose TTL has expired instead of answering with an ICMP time-exceeded message, thus blocking route tracing. By doing so, they disclose their presence. Some routers behave in the same way; however, as was already mentioned, there is no fundamental difference between a router and a packet filter.
As a rule, a route is traced with the traceroute utility, which supports tracing with either ICMP or User Datagram Protocol (UDP) probes. Note that ICMP is blocked much more often. For example, the result of tracing a route to a host that is guaranteed to be protected by a firewall (for example, http://www.intel.ru ) is shown in Listing 23.1. (Note that the site has since been reconfigured and now redirects to a different page.)
Listing 23.1
$traceroute -I www.intel.ru
Route tracing to bouncer.glb.intel.com [198.175.98.50]
With maximum number of hops equal to 30:
 1  1352 ms   150 ms   150 ms  62.183.0.180
 2   140 ms   150 ms   140 ms  62.183.0.220
 3   140 ms   140 ms   130 ms  217.106.16.52
 4   200 ms   190 ms   191 ms  aksai-bbn0-po2-2.rt-comm.ru [217.106.7.25]
 5   190 ms   211 ms   210 ms  msk-bbn0-pol-3.rt-comn.ru [217.106.7.93]
 6   200 ms   190 ms   210 ms  spb-bbn0-po8-l.rt-comn.ru [217.106.6.230]
 7   190 ms   180 ms   201 ms  stockholm-bgw0-po0-3-0-0.rt-comm.ru [217.106.7.30]
 8   180 ms   191 ms   190 ms  POS4-0.GW7.STK3.ALTER.NET [146.188.68.149]
 9   190 ms   191 ms   190 ms  146.188.5.33
10   190 ms   190 ms   200 ms  146.188.11.230
11   311 ms   310 ms   311 ms  146.188.5.197
12   291 ms   310 ms   301 ms  so-0-0-0.IL1.DCA6.ALTER.NET [146.188.13.33]
13   381 ms   370 ms   371 ms  152.63.1.137
14   371 ms   450 ms   451 ms  152.63.107.150
15   381 ms   451 ms   450 ms  152.63.107.105
16   370 ms   461 ms   451 ms  152.63.106.33
17   361 ms   380 ms   371 ms  157.130.180.186
18   370 ms   381 ms   441 ms  192.198.138.68
19     *        *        *     Time-out interval exceeded.
20     *        *        *     Time-out interval exceeded.
When the trace reaches host 192.198.138.68, it stops, which indicates the presence of either a firewall or a restrictive router. Ways of bypassing firewalls and restrictive routers are covered in more detail later in this chapter. For the moment, consider another example. This time a different host, http://www.zenon.ru , was chosen for tracing (Listing 23.2).
Listing 23.2
$traceroute -I www.intel.ru
Tracing route to distributed.zenon.net [195.2.91.103]
With maximum number of hops equal to 30:
 1  2444 ms  1632 ms  1642 ms  62.183.0.180
 2  1923 ms  1632 ms  1823 ms  62.183.0.220
 3  1632 ms  1603 ms  1852 ms  217.106.16.52
 4  1693 ms  1532 ms  1302 ms  aksai-bbn0-po2-2.rt-comm.ru [217.106.7.25]
 5  1642 ms  1603 ms  1642 ms  217.106.7.93
 6  1562 ms  1853 ms  1762 ms  msk-bgwl-ge0-3-0-0.rt-comm.ru [217.106.7.194]
 7  1462 ms   411 ms   180 ms  mow-bl-posl-2.telia.net [213.248.99.89]
 8   170 ms   180 ms   160 ms  mow-b2-geth2-0.telia.net [213.248.101.18]
 9   160 ms   160 ms   170 ms  213.248.78.178
10   160 ms   151 ms   180 ms  62.113.112.67
11   181 ms   160 ms   170 ms  css-rus2.zenon.net [195.2.91.103]
Tracing completed successfully.
This time, the trace completes normally. However, does this mean that Zenon is not protected by a firewall? Possibly; but an unambiguous answer requires additional information. The node with address 195.2.91.193 belongs to a class C network (because the 3 most significant bits of this IP address are 110). Thus, if the network is not protected by a firewall, most of its hosts must reply to the ping command (as the traced host does in this example). Scanning detected 65 addresses that respond. Consequently, either there is no router at all, or the router or firewall freely passes ping.
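The two outcomes described above (a trace that ends in time-outs behind the last answering hop, and a trace that completes at its target) can be told apart mechanically. The following Python script is an added example and is not from the original chapter: it parses traceroute output in the layout of Listings 23.1 and 23.2 (the embedded samples are abbreviated, constructed copies of those listings), reports the last hop that answered and how many silent hops follow it, and applies the classful-address rule the text uses for 195.2.91.x. It assumes the three-probe "N ms" layout shown above; other traceroute output styles are not handled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, abbreviated samples in the layout of Listings 23.1 and 23.2.
TRACE_BLOCKED = """\
$traceroute -I www.intel.ru
Route tracing to bouncer.glb.intel.com [198.175.98.50]
With maximum number of hops equal to 30:
 1  1352 ms   150 ms   150 ms  62.183.0.180
 2   140 ms   150 ms   140 ms  62.183.0.220
 4   200 ms   190 ms   191 ms  aksai-bbn0-po2-2.rt-comm.ru [217.106.7.25]
17   361 ms   380 ms   371 ms  157.130.180.186
18   370 ms   381 ms   441 ms  192.198.138.68
19     *        *        *     Time-out interval exceeded.
20     *        *        *     Time-out interval exceeded.
"""
TRACE_COMPLETED = """\
Tracing route to distributed.zenon.net [195.2.91.103]
10   160 ms   151 ms   180 ms  62.113.112.67
11   181 ms   160 ms   170 ms  css-rus2.zenon.net [195.2.91.103]
Tracing completed successfully.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")          # "<ttl>  <rest of line>"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")   # dotted-quad address


@dataclass
class Hop:
    ttl: int
    rtts: List[Optional[int]]     # None where traceroute printed '*'
    address: Optional[str]        # None when the hop never answered

    @property
    def answered(self) -> bool:
        return any(r is not None for r in self.rtts)


def parse_traceroute(text: str, probes: int = 3) -> List[Hop]:
    """Parse hop lines; header and trailer lines (no leading TTL) are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        tokens = m.group(2).split()
        rtts, i = [], 0
        # Consume up to `probes` results, each either "<n> ms" or "*".
        while len(rtts) < probes and i < len(tokens):
            if tokens[i] == "*":
                rtts.append(None)
                i += 1
            elif i + 1 < len(tokens) and tokens[i].isdigit() and tokens[i + 1] == "ms":
                rtts.append(int(tokens[i]))
                i += 2
            else:
                break
        addr = IPV4_RE.search(" ".join(tokens[i:]))
        hops.append(Hop(int(m.group(1)), rtts, addr.group(1) if addr else None))
    return hops


def analyze_trace(hops: List[Hop]) -> Tuple[str, Optional[str], int]:
    """Return (status, last answering address, number of silent hops at the end).

    "completed": the final hop answered.  "stopped": the trace ended in
    time-outs, the sign in the text of a firewall or restrictive router
    behind the last answering hop.  "empty": nothing was parsed.
    """
    if not hops:
        return ("empty", None, 0)
    silent = 0
    for hop in reversed(hops):
        if hop.answered:
            break
        silent += 1
    answering = [h for h in hops if h.answered]
    last = answering[-1].address if answering else None
    return ("completed" if silent == 0 else "stopped", last, silent)


def classful_class(ip: str) -> str:
    """Historical address class from the leading bits of the first octet (110 -> C)."""
    first = int(ip.split(".")[0])
    if first & 0x80 == 0:
        return "A"          # 0xxxxxxx
    if first & 0xC0 == 0x80:
        return "B"          # 10xxxxxx
    if first & 0xE0 == 0xC0:
        return "C"          # 110xxxxx
    if first & 0xF0 == 0xE0:
        return "D"          # 1110xxxx
    return "E"


if __name__ == "__main__":
    for sample in (TRACE_BLOCKED, TRACE_COMPLETED):
        status, last, silent = analyze_trace(parse_traceroute(sample))
        print(status, last, silent, classful_class(last) if last else "-")
```

Run against real traceroute output, the "stopped" result only locates the last hop that answered; the text's own caveat applies, namely that a silent tail proves a filtering device exists somewhere past that hop, not which device or where.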
If desired, the hacker might also scan ports. However, the presence of open ports proves nothing. First, the firewall might block only one port, but a vitally important one; for instance, it might shield a vulnerable RPC service from external attacks. Second, port scanning is a procedure that is unlikely to let the attacker remain unnoticed. On the other hand, nowadays practically anyone scans ports, and administrators no longer pay serious attention to it.
The nmap utility (a popular port scanner) can detect some firewalls, reporting the port status as "firewalled" (Fig. 23.5). This happens whenever the remote side answers the SYN (synchronization) probe with an ICMP type 3 packet with code 13 (communication administratively prohibited) whose IP header carries the actual address of the filtering device as its source. The nmap utility doesn't display this address; therefore, hackers must either write a custom scanner or use a sniffer to analyze the returned packets on their own. If SYN/ACK (synchronization acknowledged) is returned, the scanned port is open. An RST/ACK (reset acknowledged) reply means that the port is either closed or blocked by a firewall. Not all firewalls generate RST/ACK when a connection to a blocked port is attempted: the Check Point firewall generates RST/ACK, some firewalls send the ICMP message described above, and some do not send anything at all.
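The three reply types just listed, and the filtering device's address that nmap does not print, can all be read straight from the returned packet using the IP (Fig. 23.3) and TCP (Fig. 23.4) header layouts. The following Python decoder is an added example; it is not nmap's code and not part of the chapter. It builds constructed replies (the filter, scanner and target addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, and port 135 is an assumed example port), then classifies each as the text does: SYN/ACK as open, RST/ACK as closed or blocked, and ICMP type 3 code 13 as filtered, reporting the source address of the ICMP error, which is the filtering device. A firewall administrator can run the same decoding over their own captured replies to confirm whether a deny rule answers with an administratively-prohibited message (and so reveals the filter's address) or drops silently.

```python
import ipaddress
import struct
from dataclasses import dataclass

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
# ICMP type 3 (destination unreachable) codes of interest; 13 is the one the text describes.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 9: "network administratively prohibited",
                 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; yields 0 over data whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (Fig. 23.3 layout) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def parse_ipv4(buf: bytes) -> dict:
    ver_ihl, _tos, total, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"ihl": (ver_ihl & 0x0F) * 4, "total": total, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}


@dataclass
class Verdict:
    state: str        # "open", "closed-or-blocked", "filtered", "unreachable", "unknown"
    responder: str    # source address of the reply: the target host, or the filtering device
    detail: str


def classify_reply(packet: bytes) -> Verdict:
    """Classify one reply to a SYN probe the way the text describes nmap's port states."""
    ip = parse_ipv4(packet)
    payload = packet[ip["ihl"]:ip["total"]]
    if ip["proto"] == IPPROTO_TCP:
        sport, _dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        flags = off_flags & 0x1FF                     # low 9 bits of the data-offset/flags word
        if flags & TCP_SYN and flags & TCP_ACK:
            return Verdict("open", ip["src"], f"SYN/ACK from port {sport}")
        if flags & TCP_RST:
            return Verdict("closed-or-blocked", ip["src"], f"RST{'/ACK' if flags & TCP_ACK else ''} from port {sport}")
        return Verdict("unknown", ip["src"], f"TCP flags 0x{flags:03x}")
    if ip["proto"] == IPPROTO_ICMP:
        if inet_checksum(payload) != 0:
            return Verdict("unknown", ip["src"], "bad ICMP checksum")
        icmp_type, code = payload[0], payload[1]
        if icmp_type == 3:
            quoted = payload[8:]                      # original IP header + first 8 bytes of its payload
            orig = parse_ipv4(quoted)
            _sport, dport = struct.unpack("!HH", quoted[orig["ihl"]:orig["ihl"] + 4])
            state = "filtered" if code in (9, 10, 13) else "unreachable"
            reason = UNREACH_CODES.get(code, "code %d" % code)
            return Verdict(state, ip["src"], f"{reason}; probe was to {orig['dst']}:{dport}")
        return Verdict("unknown", ip["src"], f"ICMP type {icmp_type} code {code}")
    return Verdict("unknown", ip["src"], f"IP protocol {ip['proto']}")


# Builders for constructed replies (sample data, not captured traffic).
def build_admin_prohibited(filter_ip: str, scanner_ip: str, target_ip: str, target_port: int) -> bytes:
    orig_ip = ipv4_header(scanner_ip, target_ip, IPPROTO_TCP, 20, ttl=50)  # the scanner's SYN, 20-byte TCP header
    orig_tcp8 = struct.pack("!HHI", 40000, target_port, 0x12345678)       # first 8 bytes of that TCP header
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + orig_ip + orig_tcp8
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(filter_ip, scanner_ip, IPPROTO_ICMP, len(icmp)) + icmp


def build_tcp_reply(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    # TCP checksum is left zero in this constructed sample; the decoder does not verify it.
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0x12345679, (5 << 12) | flags, 8192, 0, 0)
    return ipv4_header(src, dst, IPPROTO_TCP, len(tcp)) + tcp


if __name__ == "__main__":
    for pkt in (build_admin_prohibited("192.0.2.1", "198.51.100.7", "203.0.113.5", 135),
                build_tcp_reply("203.0.113.5", "198.51.100.7", 80, 40000, TCP_SYN | TCP_ACK),
                build_tcp_reply("203.0.113.5", "198.51.100.7", 81, 40000, TCP_RST | TCP_ACK)):
        print(classify_reply(pkt))
```

The decoder validates the ICMP checksum before trusting the quoted header, so a corrupted capture is reported as "unknown" rather than misread as a filter verdict. Note the asymmetry the text points out: the "filtered" verdict names the device that sent the error (its address is the outer IP source), whereas a silently dropped probe produces no packet to decode at all.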
Most firewalls support remote management over the Internet by opening one or more TCP ports that are specific to each product. For example, Check Point Firewall opens ports 256, 257, and 258, while Microsoft Proxy uses port 1080. Some firewalls explicitly report the name and version of the software product when a connection is established to them using netcat or telnet; this behavior is particularly typical of proxy servers. By sequentially polling all hosts located in front of the host under investigation and scanning the ports typical of firewalls, in most cases it is possible not only to detect the firewall's presence but also to determine its IP address. These ports might be closed either on the firewall itself (not all firewalls allow this) or on the preceding router (in which case the firewall cannot be managed over the Internet).