.

Bypassing Firewalls with simple scans

<<

Kev

Post Wed Jun 27, 2007 3:08 pm

Bypassing Firewalls with simple scans

What is one of the first things to do in a ethical hack?  Ec-council suggests information gathering. While that is very true, that is becoming less requested. Usually you are given your target information from the get go. Seems like more and more organizations want you to get right to it and dont want to spend money on what they perceive  as "extras".  A good place to start is to inspect the firewall rules of your target. There are some simple tests to do right at the start. These tests are old school and work mostly if its an improperly configured iptables firewall.

Depending on the test enviroment, we are not going to be too worried about being stealth, so we will begin with the traditional traceroute or tracert command to the target. Simply "traceroute victims ip."  This in return should give you a return of astericks. This usually is a sign that the firewall is preventing packets from leaving the target. This is normal because most firewalls filter diagnostic ICMP packets.

We attempt to "fool" the firewall by using TCP packets and Hping2 is great for that. We enter "hping2 -T -t 1 -S -p 80 victims IP"  With a little luck we get a response. 

The next scans we perform are with nmap.  For a fast scan we use nmap -sS -F -n -O victimsIP. We might try just a simple test of the firewall rules with "nmap -v -sA -ff -r -n victimsIP" If we have the time and this can sometimes take an hour or so but is very complete, we use nmap -v -g53 -sS -sR -P0 -O -p1-65000 -o nmap.out victimsIP.  I like the -g switch, which lets you set the source port.  You can test for misconfigured rules that allow packets based on source ports, such as ftp data (port 20), dns lookups (port 53) or return http traffic (port 80). This is an important scan because one mistake many administrators make when creating rules for allowing traffic through their firewall is to trust traffic based simply on its source port number, such as DNS replies from port 53 or FTP from port 20.  Other switches I like are -sA and -PO for firewall scanning. If you are trying to avoid IDS logging, use the default -rH, which is a randomized port order. This, combined with slow timing options, will make network monitoring hard to detect the scan. As an example we might try, nmap -sS --scan-delay 500 -f -rH victimsIP.

We might even be able to slip through if the organization  has devices connecting to the internet. This scan will test for devices like routers, printers,switches,etc.. map -vv -sS -O -n victimsIP/24 -oA inventory. With a little luck you might get an inventory of devices.

Ok now that we have managed to discover active ports we might be able to breach the server with a simple tool like Fpipe with fpipe -l 53 -s 53 -r 80 victimsIP. Its rare to work but when it does its sweet because it can be shocking to an organization when they have just implemented their new shiny firewall that was never configured to be breached by a couple of free tools.

The idea of these scans is to test for misconfigured firewalls. If the rules are in place correctly we wont get results. Auditing the firewall is a very crucial and good first place to start your ethical hacking session.
Last edited by Kev on Wed Jun 27, 2007 3:15 pm, edited 1 time in total.
<<

BiotiC

Newbie
Newbie

Posts: 15

Joined: Thu Mar 22, 2007 7:04 am

Post Wed Jun 27, 2007 4:06 pm

Re: Bypassing Firewalls with simple scans

Great post Kev - succinct and to the point. Food for thought.

One for my little black book.

Thanks
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Jun 27, 2007 5:47 pm

Re: Bypassing Firewalls with simple scans

Awesome tutorial, thanks Kev. This scans will work for misconfigured packet filter firewalls. To mitigate this problem use a well configured stateful or proxy firewall. Because stateful firewalls keep track of the state of network connections, using these simple scans will usually not work.
Security+, OSCP, CEH
<<

jimbob

Post Thu Jun 28, 2007 3:09 am

Re: Bypassing Firewalls with simple scans

Good stuff Kev. Even some well configured firewalls will often send TTL expired messages in response to a good TCP traceroute. hping is one of the tools that seems to get the least hype and does a whole host of tricks. Perhaps the prerequisite knowledge needed to use it well is a barrier to its use.... I feel a cheat sheet idea coming on :-)

Jim
<<

Negrita

User avatar

Sr. Member
Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Thu Jun 28, 2007 5:02 am

Re: Bypassing Firewalls with simple scans

Nice tutorial. Kudos to Kev (and also to Fyodor and Antirez).
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
<<

LSOChris

Post Thu Jun 28, 2007 9:18 am

Re: Bypassing Firewalls with simple scans

great post.  working  hard for that ticket to blackhat :-)


good part on the source port scanning, might be a good idea to script that to shove in commonly allowed ports besides the 3 your mentioned to let that run and come back later and check the results

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software