Detecting and Identifying a Firewall

Detecting and identifying a firewall (or, more generally, an intrusion-detection system) in a timely manner is decisive for a successful attack. In practice, an intrusion-detection system is usually combined with a firewall. Before covering detection and identification of a firewall and the techniques for bypassing it, it is necessary to look at the IP (Fig. 23.3) and TCP (Fig. 23.4) headers.

Figure 23.3: Contents of an IP header
Figure 23.4: Structure of a TCP header

Most firewalls, having analyzed the IP packet header, discard packets whose TTL has expired, thus blocking route tracing. By doing so, they disclose their presence. Some routers behave in the same way; however, as was already mentioned, there is no fundamental difference between a router and a packet filter.

As a rule, route tracing is carried out with the traceroute utility, which supports tracing over ICMP and User Datagram Protocol (UDP). Note that ICMP is blocked much more often. For example, tracing a route to a host that is guaranteed to be protected by a firewall (for example, http://www.intel.ru ) produces the result shown in Listing 23.1. (Note that the site has since been reconfigured and redirects to a different page.)

Listing 23.1: Tracing the route stops at the firewall

$traceroute -I www.intel.ru
Route tracing to bouncer.glb.intel.com [198.175.98.50]
With maximum number of hops equal to 30:

  1  1352 ms   150 ms   150 ms  62.183.0.180
  2   140 ms   150 ms   140 ms  62.183.0.220
  3   140 ms   140 ms   130 ms  217.106.16.52
  4   200 ms   190 ms   191 ms  aksai-bbn0-po2-2.rt-comm.ru [217.106.7.25]
  5   190 ms   211 ms   210 ms  msk-bbn0-pol-3.rt-comm.ru [217.106.7.93]
  6   200 ms   190 ms   210 ms  spb-bbn0-po8-l.rt-comm.ru [217.106.6.230]
  7   190 ms   180 ms   201 ms  stockholm-bgw0-po0-3-0-0.rt-comm.ru [217.106.7.30]
  8   180 ms   191 ms   190 ms  POS4-0.GW7.STK3.ALTER.NET [146.188.68.149]
  9   190 ms   191 ms   190 ms  146.188.5.33
 10   190 ms   190 ms   200 ms  146.188.11.230
 11   311 ms   310 ms   311 ms  146.188.5.197
 12   291 ms   310 ms   301 ms  so-0-0-0.IL1.DCA6.ALTER.NET [146.188.13.33]
 13   381 ms   370 ms   371 ms  152.63.1.137
 14   371 ms   450 ms   451 ms  152.63.107.150
 15   381 ms   451 ms   450 ms  152.63.107.105
 16   370 ms   461 ms   451 ms  152.63.106.33
 17   361 ms   380 ms   371 ms  157.130.180.186
 18   370 ms   381 ms   441 ms  192.198.138.68
 19     *        *        *     Time-out interval exceeded.
 20     *        *        *     Time-out interval exceeded.

When the tracing reaches host 192.198.138.68, it stops, which indicates the presence of either a firewall or a restrictive router. Ways of bypassing firewalls and restrictive routers are covered in more detail later in this chapter. For the moment, consider another example. This time another host, http://www.zenon.ru , was chosen for tracing (Listing 23.2).

Listing 23.2: Successful completion of tracing doesn't mean the firewall is missing

$traceroute -I www.zenon.ru
Tracing route to distributed.zenon.net [195.2.91.103]
With maximum number of hops equal to 30:

  1  2444 ms  1632 ms  1642 ms  62.183.0.180
  2  1923 ms  1632 ms  1823 ms  62.183.0.220
  3  1632 ms  1603 ms  1852 ms  217.106.16.52
  4  1693 ms  1532 ms  1302 ms  aksai-bbn0-po2-2.rt-comm.ru [217.106.7.25]
  5  1642 ms  1603 ms  1642 ms  217.106.7.93
  6  1562 ms  1853 ms  1762 ms  msk-bgwl-ge0-3-0-0.rt-comm.ru [217.106.7.194]
  7  1462 ms   411 ms   180 ms  mow-bl-posl-2.telia.net [213.248.99.89]
  8   170 ms   180 ms   160 ms  mow-b2-geth2-0.telia.net [213.248.101.18]
  9   160 ms   160 ms   170 ms  213.248.78.178
 10   160 ms   151 ms   180 ms  62.113.112.67
 11   181 ms   160 ms   170 ms  css-rus2.zenon.net [195.2.91.103]

Tracing completed successfully.

This time, the tracing completes normally. Does this mean, however, that Zenon is not protected by a firewall? It is possible; but an unambiguous answer requires additional information. The node with address 195.2.91.103 belongs to a class C network (the 3 most significant bits of the address are 110). Thus, if this network is not protected by a firewall, most of its hosts should reply to the ping command, as they do in this example: scanning detected 65 responding addresses. Consequently, either there is no router, or the router or firewall passes ping freely.

If desired, the hacker might also scan ports. However, the presence of open ports proves nothing. First, the firewall may block only one port, albeit a vitally important one (for instance, to protect a vulnerable RPC service against external attacks). Second, port scanning is unlikely to leave the attacker unnoticed. On the other hand, nowadays practically anyone scans ports, and administrators do not pay serious attention to port scanning.

The nmap utility (a popular port scanner) can detect some firewalls, reporting the port status as "firewalled" (Fig. 23.5). This happens whenever the remote host answers the SYN (synchronization) request with an ICMP type 3 packet, code 13 (admin prohibited filter), whose IP header carries the actual address of the device that sent it. nmap doesn't display this address; therefore, hackers must either write custom scanners or use a sniffer to analyze the returned packets themselves. If SYN/ACK (synchronization acknowledged) is returned, the scanned port is open. An RST/ACK (reset acknowledged) reply means the port is either closed or blocked by a firewall. Not all firewalls generate RST/ACK on attempts to connect to blocked ports: the Check Point firewall product generates RST/ACK, some firewalls send ICMP messages as described above, and some send nothing at all.

Figure 23.5: The nmap utility
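As an added illustration (not code from the book), a small classifier for the three kinds of reply just described. It parses raw IPv4 bytes and, for an ICMP type 3 code 13 answer, recovers the sender address that nmap hides, together with the destination and port quoted from the original probe. All addresses, ports and packets are constructed samples.

```python
import struct
import ipaddress

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
# ICMP type 3 "administratively prohibited" codes (RFC 1812): 13 as in the text, 9/10 net/host
ADMIN_PROHIBITED = {9, 10, 13}

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def tcp_segment(src, dst, sport, dport, flags):
    """IPv4 + 20-byte TCP header carrying the given flag bits (probe or reply)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 5 << 4, flags, 8192, 0, 0)
    return ipv4_header(src, dst, IPPROTO_TCP, len(tcp)) + tcp

def icmp_unreachable(src, dst, code, original):
    """ICMP type 3 message quoting the original IP header + 8 bytes, as a filter sends it."""
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + original[:28]
    return ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + icmp

def classify_response(pkt):
    """Map the reply to one SYN probe onto open / closed-or-blocked / filtered."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    responder = str(ipaddress.IPv4Address(pkt[12:16]))  # who actually answered
    body = pkt[ihl:]
    if proto == IPPROTO_TCP:
        flags = body[13]
        if flags & TCP_SYN and flags & TCP_ACK:
            return {"state": "open", "responder": responder}
        if flags & TCP_RST:
            return {"state": "closed or blocked", "responder": responder}
    elif proto == IPPROTO_ICMP and body[0] == 3 and body[1] in ADMIN_PROHIBITED:
        quoted = body[8:]                      # the probe the filter objected to
        qihl = (quoted[0] & 0x0F) * 4
        return {"state": "filtered", "responder": responder,
                "original_dst": str(ipaddress.IPv4Address(quoted[16:20])),
                "original_dport": struct.unpack("!H", quoted[qihl + 2:qihl + 4])[0]}
    return {"state": "no answer or unknown", "responder": responder}

# Constructed exchange: a SYN to 192.0.2.10:135 draws an admin-prohibited ICMP
# from 192.0.2.1, which is therefore the filtering device rather than the target.
SYN_PROBE = tcp_segment("10.0.0.5", "192.0.2.10", 40000, 135, TCP_SYN)
FILTER_REPLY = icmp_unreachable("192.0.2.1", "10.0.0.5", 13, SYN_PROBE)
OPEN_REPLY = tcp_segment("192.0.2.10", "10.0.0.5", 80, 40000, TCP_SYN | TCP_ACK)
CLOSED_REPLY = tcp_segment("192.0.2.10", "10.0.0.5", 25, 40000, TCP_RST | TCP_ACK)
```

Feeding each constructed reply to classify_response shows the filtered case naming 192.0.2.1 as responder while the other two name the target itself.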

Most firewalls support remote control over the Internet by opening one or more TCP ports unique to each product. For example, Check Point Firewall opens ports 256, 257, and 258, while Microsoft Proxy uses port 1080. Some firewalls explicitly announce the name and version of the software product when a connection is established to them using netcat or telnet; this behavior is typical of proxy servers in particular. By sequentially polling all hosts located before the host being investigated and scanning the ports typical for firewalls, in most cases it is possible not only to detect the firewall's presence but also to determine its IP address. These ports might be closed either on the firewall itself (not all firewalls allow this) or on the preceding router (in which case the firewall cannot be controlled over the Internet).


Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003
Pages: 164