.

Router and Firewall questions

<<

dasecretzofwar

Newbie
Newbie

Posts: 10

Joined: Wed Apr 14, 2010 10:55 am

Post Wed Apr 21, 2010 4:19 pm

Router and Firewall questions

I was trying to figure out at my house here i have 3 different computers hooked up with different flavors of linux as well as windows and different vm's within those I am trying to more or less set up my own network and then seeing if the different firewalls and what not i have set up work. I have a router obviously for this and am not forwarding any ports to any computer so when i use nmap everything is stuck in filtering for all the ports per the router firewall. Which is normal i want it to be as realistic as possible but i can't seem to get past the router to my actual machine itself. So my question is how to proceed from there. If anyone could point me in the right direction i would greatly appreciate it.
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Wed Apr 21, 2010 4:31 pm

Re: Router and Firewall questions

What is it you're trying to accomplish?

If your router (NAT device/firewall) does not forward traffic, then you can't get beyond it to your network.

Typically the border device (router or firewall) forwards traffic it receives per its ruleset to the correct internal server.
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Apr 21, 2010 4:38 pm

Re: Router and Firewall questions

Is this all internal or are you trying to get through your router from the internet?

You're not going to be able to do a great deal without having anything available.

Does the router have any known vulnerabilities?

You might be able to do an ack scan, but those should be stopped by a stateful firewall.

You could also experiment with client-side attacks (as if a user opened a malicious web site, email, PDF, etc.).
The day you stop learning is the day you start becoming obsolete.
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Thu Apr 22, 2010 4:33 am

Re: Router and Firewall questions

i must say that your post isnt really clear. Are you trying to scan through the internal network or through the internet? if you cant see any ports your firewall does its work good. you must open them to connect to the other system. remember that there has to be a service behind it also!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

unsupported

User avatar

Sr. Member
Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Thu Apr 22, 2010 9:05 am

Re: Router and Firewall questions

As stated, your router is blocking the traffic.  If you want to test the security of each of the different distributions you may want to invest a few bucks on a cheap 10/100 hub.  A router will only send traffic out to specific ports, unless you flood it and make it fail back to be a hub, or you use ARP spoofing, or any number of other tricks.  But if you are just doing it for testing, then get a hub which sends traffic to all ports, regardless of which computer it is destined for.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
<<

JollyJokker

Post Mon Apr 26, 2010 9:10 am

Re: Router and Firewall questions

@unsupported

you mentioned that one could flood a router or do ARP poisoning in order to capture the traffic. But doesn't a router operate in Layer-3? As far as I am concerned a router is not affected by such an attack?

or am I wrong?
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon Apr 26, 2010 12:58 pm

Re: Router and Firewall questions

@JollyJokker

A lot of the routers out there now days have switches built into them, and there layer 2/3 devices. I know of a couple of places using Cisco layer 2/3 devices as their edge routers, and connecting servers or other switches off of them at the same time.

Haven't tried arp poisoning something like that yet (don't have any in my labs), but would be interested in seeing what happens.
OSWP, Sec+
<<

dasecretzofwar

Newbie
Newbie

Posts: 10

Joined: Wed Apr 14, 2010 10:55 am

Post Fri Apr 30, 2010 2:52 pm

Re: Router and Firewall questions

i'm scanning through the internet remote computer so for instance i'm on my laptop going into my router i have a dyndns account set up so it's straight through i'm not forwarding any ports and nmap reads the following:

PORT    STATE    SERVICE    VERSION
21/tcp  filtered ftp
22/tcp  filtered ssh
53/tcp  filtered domain
80/tcp  filtered http
110/tcp filtered pop3
139/tcp filtered netbios-ssn
143/tcp filtered imap
443/tcp filtered https

so everything is filtered at the router itself is there anyway through that or would you say it's pretty secure?
<<

dasecretzofwar

Newbie
Newbie

Posts: 10

Joined: Wed Apr 14, 2010 10:55 am

Post Fri Apr 30, 2010 3:30 pm

Re: Router and Firewall questions

also the ARP poisioning i understand most of it but more or less what is happening with the router i know the dhcp service is going to submit an ip address to the router based upon the router's mac address. And then the router essentially is the new dhcp server for the local network. But essentially is the ARP poisioning doing?
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Apr 30, 2010 8:32 pm

Re: Router and Firewall questions

In a rather generic nutshell -

ARP poisoning basically tricks devices on the network into associating an IP address from a valid host (or router) to another host or router, by propagating the secondary device's MAC address into the ARP tables.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Apr 30, 2010 10:35 pm

Re: Router and Firewall questions

It's not really a DHCP attack.  ARP poisoning basically tells the victim, "Forget what you know about your default gateway (router).  I am  your default gateway.  Send all your traffic to me."  You don't need DHCP on the network to accomplish this.  Once the victim believes that the attacker's MAC address belongs to the default gateway (router), he will send all Internet bound traffic to the attacker.  The attacker will sniff the traffic and forward it to the actual router.  This is why it is called a man-in-the-middle attack.
~~~~~~~~~~~~~~
Ketchup
<<

dasecretzofwar

Newbie
Newbie

Posts: 10

Joined: Wed Apr 14, 2010 10:55 am

Post Sat May 01, 2010 9:16 am

Re: Router and Firewall questions

ok so I get that now and the man in the middle attack and sniffing the data. But what i'm trying to figure out is ok so we have this router I use ettercap or whatever tool to do the arp poisoning and route the packets through my computer first and then to the router so i see the packets all in pretty much hex and really doesn't make much sense i can read and binary but not sure what i'm looking at with the sniffing here but then how from there how would i select the specific computer and ultimately get a shell on it which is my ultimate goal to learn to do? Like I said i'm kinda new to this and more of a hands on type of learner which is why i set the network up in my house like this and pretty much closed everything to see if what i read in several books and what not i could put to actual use and then go from there to secure it more and then try to break it again LOL.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat May 01, 2010 9:20 am

Re: Router and Firewall questions

You should Google a few sniffing articles so that you understand what kind of data goes over the wire.  There are many ways to compromise your victim once you are able to sniff traffic.  Think about how many protocols send authentication data in plain-text.  Think about all the web attacks, XSS, particularly.  You should take a look at tools like dsniff and BeEF. 
~~~~~~~~~~~~~~
Ketchup
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat May 01, 2010 9:23 am

Re: Router and Firewall questions

It depends on what the data is, that you sniff.  You can read the ascii text in packets, so if you happen to be sniffing, for example, traffic going to an html login page that isn't ssl encrypted, you might see plaintext passwords, and the like.  You might also see, as Ketchup noted, a relevant filename, xss vulnerabilities, or exploitable php script being accessed, etc.  Consequently, you might see other ports and services show up in the trace, that you weren't aware of, that are open on the server being queried, so you can then banner grab or research and target attacks that are relevant to the services running on those ports.  This is all a learning process, and there are often times, when I'm scanning in this fashion, that I spot new services and ports that I wasn't previously aware of (new stuff, yay!) and I can learn what those services are, and how to exploit them.

It's a process, but one worth learning, as, even if you DON'T pursue security, in the end, you will have a much better knowledge of what goes on within the network in question.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

dasecretzofwar

Newbie
Newbie

Posts: 10

Joined: Wed Apr 14, 2010 10:55 am

Post Sat May 01, 2010 1:07 pm

Re: Router and Firewall questions

OK I will definitely look into the sniffing portion but how do i still get around this router?
Next

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software