SCANNING THROUGH FIREWALLS
 | ||
| | ||
| | ||
Don't worry, this section is not going to give the script kiddies some magical technique to render your firewalls ineffective . Instead, we will cover a number of techniques for dancing around firewalls and gather some critical information about the various paths through and around them.
Raw Packet Transmissions
| Popularity: | 3 |
| Simplicity: | 4 |
| Impact: | 8 |
| Risk Rating: | 5 |
hping, by Salvatore Sanfilippo (http://www.hping.org), works by sending ICMP, TCP (default mode), or UDP packets to a destination system/port and reporting the packets it gets back. hping returns a variety of responses depending on numerous conditions. Each packet in part or in whole can provide a fairly clear picture of the firewall's access controls. For example, by using hping, we can discover open , blocked, dropped, and rejected packets.
In the following example, hping reports that port 80 is open and ready to receive a connection. We know this because it received a packet with the SA flag set (a SYN/ACK packet).
[root]# hping2 192.168.0.2 -S -p 80 -n HPING www.example.com (eth0 172.16.1.20): S set, 40 data bytes 60 bytes from 192.168.0.2: flags=SA seq=0 ttl=242 id=65121 win=64240 time=144.4 ms
Now we know an open port exists on our target, but we don't know where the firewall is yet. In our next example, hping reports receiving an ICMP unreachable type 13 packet from 192.168.70.2. In Chapter 2, you learned that ICMP type 13 is an ICMP Admin Prohibited Filter packet, which is usually sent from a packet-filtering router such as Cisco's IOS.
[root]# hping2 192.168.0.2 -S -p 23 -n HPING 192.168.0.2 (eth0 172.16.1.20): S set, 40 data bytes ICMP Unreachable type 13 from 192.168.0.1
Now it is confirmed: 192.168.70.2 is most likely our firewall, and we know it is explicitly blocking port 23 to our target. In other words, if the system is a Cisco router, it probably has a line like the following in its config file:
access-list 101 deny tcp any any 23 ! telnet
In the next example, we receive an RST/ACK packet back, signifying one of two things: either that the packet got through the firewall and the host is not listening to that port, or that the firewall rejected the packet (such is the case with Check Point's reject rule).
[root]# hping2 192.168.0.2 -S -p 22 -n HPING 192.168.0.2 (eth0 172.16.1.20): S set, 40 data bytes 60 bytes from 192.168.0.2: flags=RA seq=0 ttl=59 id=0 win=0 time=0.3 ms
Because we received the ICMP type 13 packet earlier, we can deduce that the firewall (192.168.0.1) is allowing our packet through, but the host is just not listening on that port.
If the firewall you're scanning through is Check Point, hping will report the source IP address of the target, but the packet is really being sent from the external NIC of the Check Point firewall. The tricky thing about Check Point is that it will respond for its internal systems, sending a response and spoofing the target's address. When attackers hit one of these conditions over the Internet, however, they'll never know the difference, because the MAC address will never reach their machine (to tip them off).
Finally, when a firewall is blocking packets altogether to a port, you'll often receive nothing back:
[root]# hping 192.168.50.3 -S -p 22 -n HPING 192.168.50.3 (eth0 192.168.50.3): S set, 40 data bytes
In this scenario, the hping result can have two meanings: the packet couldn't reach the destination and was lost on the wire, or the target host was not turned off (it may not exist) or, more likely, a device (probably our firewall, 192.168.70.2) dropped the packet on the floor as part of its ACL rules.
Raw Packet Transmissions Countermeasure
Preventing an hping attack is difficult. Your best bet is to simply block ICMP type 13 messages (as discussed in the preceding nmap scanning prevention section).
Firewalk
| Popularity: | 3 |
| Simplicity: | 3 |
| Impact: | 8 |
| Risk Rating: | 4 |
Firewalk (http://www.packetfactory.net/projects/firewalk) is a nifty little tool that, like a port scanner, will discover ports open behind a firewall. Written by Mike Schiffman (a.k.a. Route) and Dave Goldsmith, the utility will scan a host downstream from a firewall and report back the rules allowed to that host, without actually touching the target system.
Firewalk works by constructing packets with an IP TTL calculated to expire one hop past the firewall. The theory is that if the packet is allowed by the firewall, it will be allowed to pass and will expire as expected, eliciting an "ICMP TTL expired in transit" message. On the other hand, if the packet is blocked by the firewall's ACL, it will be dropped, and either no response will be sent or an ICMP type 13 Admin Prohibited Filter packet will be sent. The following scenario assumes that ports 135 through 138 and 140 are open behind the firewall.
[root]# firewalk -pTCP -S135-140 10.22.3.1 192.168.1.1 Ramping up hopcounts to binding host... probe: 1 TTL: 1 port 33434: expired from [exposed.example.com] probe: 2 TTL: 2 port 33434: expired from [rtr.isp.net] probe: 3 TTL: 3 port 33434: Bound scan at 3 hops [rtr.isp.net] port 135: open port 136: open port 137: open port 138: open port 139: * port 140: open
The only problem we've seen when using Firewalk is that it can be highly unpredictable, because some firewalls will detect that the packet expires before checking their ACLs and send back an "ICMP TTL expired" packet anyway. As a result, Firewalk often assumes that all ports are open.
Firewalk Countermeasure
You can block "ICMP TTL expired" packets at the external interface level, but this may negatively affect its performance, because legitimate clients connecting will never know what happened to their connection.
Source Port Scanning
Traditional packet-filtering firewalls such as Cisco's IOS have one major drawback: They don't keep state! For many of you that seems obvious, right? But think about it for a moment. If the firewall cannot maintain state, it cannot tell whether the connection began outside or inside the firewall. In other words, it cannot completely control some transmissions. As a result, we can set our source port to typically allowed ports such as TCP 53 (zone transfers) and TCP 20 (FTP data) and then scan (or attack) to our heart's content.
To discover whether a firewall allows scans through a source port of 20 (FTP-data channel, for example), you can use nmap's -g feature:
nmap -S -P0 -g 20 -p 139 10.1.1.1
| Note | You'll need to use the SYN or half-scan technique when using the static source port feature of nmap. |
If ports come back as open, you will likely have a vulnerable firewall in your midst. To understand the scenario better, here's a diagram that details how the attack works:
You can now take advantage of the discovery that a firewall is not maintaining the state of its firewalled connections by launching attacks against vulnerable systems behind the firewall. Using a modified port redirector such as Fpipe from Foundstone, you can set the source port to 20 and then run exploit after exploit through the firewall. In addition, you can use the ever-popular netcat (http://netcat. sourceforge .net) to set your source port to 20 and then connect to open ports behind the firewall. Use the -s option to set your source port. As we have discussed in earlier chapters, netcat is your friend!
Source Port Scanning Countermeasure
The solutions to this vulnerability are simple but not all that glamorous. You'll need to either disable any communications that require more than one port combination (such as traditional FTP), switch to a stateful or application-based proxy firewall that keeps better control of incoming and outgoing connections, or employ firewall-friendly applications such as Passive FTP that do not violate the firewall rules.
EAN: N/A
Pages: 127