RE: Firewall assessment

From: Mariusz Burdach (M_Burdach@compfort.pl)
Date: Tue Aug 26 2003 - 05:10:15 EDT


Some useful techniques in firewall assessment

1. Detecting IP address of the firewall

To perform this test we can use hping tool.

Before finding open ports on a firewall machine, it's worth trying to detect the firewall itself. A few conditions must be met. We have to know the IP address of a host with at least one open port. And, of course, this host has to be protected by the firewall machine. Next, we have to find out how many hops there are from our testing machine to the border router, or to the router located just before the firewall machine. We look at the TTL value of the packet; this value is decreased by each router on the path between our testing machine and the destination host.
For instance, we have 10 hops to the router. Now, using hping, we send one packet with the SYN flag set and TTL set to 11. Sometimes firewall machines decrease the TTL value and send an ICMP message with their own IP address. (If we set TTL to 12, we should get a response from the destination machine.)

2. Tests of firewall rules

To perform this test we can use the hping tool, nmap with the -g option, or scripts like Firewall Tester from http://www.infis.univ.trieste.it/~lcars/ftester/.

a) We just send packets to the destination host behind the firewall machine. The packets have to have their source port set to 20, 80, 53, etc. (If possible, it's worth putting a sniffer behind the firewall machine to see which packets pass the firewall rules.)

b) We have to test the whole range of destination ports from 1 to 65535.

3. Detecting the type of firewall - in some firewall configurations this method doesn't work

To perform this test we can use nmap with the -sP option.

Instead of sending packets with the SYN flag set through the firewall machine, we set the ACK flag. Of course, we have to know at least one destination host behind the firewall. If we receive a packet with the RST flag set, it probably means that the firewall is not working in stateful mode. More information can be found here: http://moonpie.org/writings/discovery.pdf.

Regards,
Mariusz Burdach
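The three checks described in the message above, written out in raw-socket Python as an added example for this page (it is not code from the original post, nor from hping or nmap). It builds the SYN probe with TTL = hops + 1 (test 1) and with a chosen source port (test 2a), builds the ACK probe (test 3), and interprets the replies the way the post does: an ICMP Time Exceeded from an address that traceroute never showed is a firewall candidate, and an RST to an unsolicited ACK hints at a stateless filter. Packet building and reply parsing are pure Python and run offline; send_probe() is the only part that needs Linux and CAP_NET_RAW. All IP addresses, ports and hop lists below are made-up sample values, and make_time_exceeded() constructs a sample reply rather than capturing one.

```python
"""Raw-socket versions of the firewall tests above: TTL-walking SYN, probes
with a chosen source port, and an ACK probe.  Added example, not from the
original post.  Addresses, ports and hop lists are made-up sample values."""
import select
import socket
import struct

TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10
ICMP_TIME_EXCEEDED = 11


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a header whose
    checksum field is already filled in correctly."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(src_ip, dst_ip, sport, dport, flags, ttl) -> bytes:
    """IPv4 + TCP header, no payload.  ttl=hops+1 is test 1, sport=20/53/80
    is test 2a, flags=TH_ACK is test 3.  seq is fixed at 0 for brevity."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     ttl, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_ok(pkt: bytes) -> bool:
    """True when both the IP and the TCP checksum of a built probe verify."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0,
                         socket.IPPROTO_TCP, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def make_time_exceeded(router_ip: str, probe: bytes) -> bytes:
    """Constructed sample reply: ICMP type 11 quoting our probe's IP header
    plus 8 bytes, as a hop that decrements TTL to 0 would send."""
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + probe[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     socket.IPPROTO_ICMP, 0, socket.inet_aton(router_ip), probe[12:16])
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def classify_reply(pkt: bytes) -> dict:
    """Who sent a raw IPv4 reply and what kind of reply it is."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, sender, body = pkt[9], socket.inet_ntoa(pkt[12:16]), pkt[ihl:]
    if proto == socket.IPPROTO_ICMP and body[0] == ICMP_TIME_EXCEEDED:
        inner = body[8:]  # quoted header of our own probe
        return {"kind": "ttl_exceeded", "from": sender,
                "probe_dst": socket.inet_ntoa(inner[16:20])}
    if proto == socket.IPPROTO_TCP:
        flags = body[13]
        if flags & TH_RST:
            return {"kind": "rst", "from": sender}
        if flags & TH_SYN and flags & TH_ACK:
            return {"kind": "syn_ack", "from": sender}
    return {"kind": "other", "from": sender}


def firewall_candidate(reply: dict, path_hops):
    """Test 1: with TTL = len(path_hops)+1, a Time Exceeded from an address
    traceroute never showed is most likely the firewall decrementing TTL."""
    if reply["kind"] == "ttl_exceeded" and reply["from"] not in path_hops:
        return reply["from"]
    return None


def stateful_verdict(reply) -> str:
    """Test 3: RST to an unsolicited ACK means the filter passed it (no state
    table); silence or ICMP means it was filtered.  A hint, not proof."""
    if reply is None:
        return "no reply: probably stateful or dropped"
    if reply["kind"] == "rst":
        return "RST: probably stateless packet filter"
    return "unexpected %s reply from %s" % (reply["kind"], reply["from"])


def send_probe(pkt: bytes, dst_ip: str, timeout=2.0):
    """Send one probe, return the first raw IPv4 reply or None.  Needs
    CAP_NET_RAW; listens on TCP and ICMP raw sockets since Time Exceeded
    arrives on the latter.  On a busy host, filter replies by our sport."""
    out = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    ins = [socket.socket(socket.AF_INET, socket.SOCK_RAW, p)
           for p in (socket.IPPROTO_TCP, socket.IPPROTO_ICMP)]
    out.sendto(pkt, (dst_ip, 0))
    ready, _, _ = select.select(ins, [], [], timeout)
    reply = ready[0].recv(65535) if ready else None
    for s in ins + [out]:
        s.close()
    return reply


if __name__ == "__main__":
    # Offline walk-through with constructed data: 10 hops seen by traceroute,
    # so the SYN goes out with TTL 11 from source port 53.
    hops = ["203.0.113.%d" % i for i in range(1, 11)]
    probe = build_probe("10.0.0.5", "192.0.2.10", 53, 80, TH_SYN, len(hops) + 1)
    reply = classify_reply(make_time_exceeded("198.51.100.1", probe))
    print("firewall candidate:", firewall_candidate(reply, hops))
    print(stateful_verdict(classify_reply(
        build_probe("192.0.2.10", "10.0.0.5", 80, 40000, TH_RST | TH_ACK, 64))))
```

To run the tests for real, replace the constructed reply with `send_probe(probe, "192.0.2.10")` as root, and loop `build_probe()` over destination ports 1 to 65535 for test 2b; hping and nmap -g do the same thing with far better timing and filtering.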

-----Original Message-----
From: Sasa Jusic [mailto:sjusic@pamela.zesoi.fer.hr]
Sent: Monday, August 25, 2003 4:18 PM
To: 'pen-test@securityfocus.com'
Subject: Firewall assessment

Hi everyone,

 
This interesting discussion about firewall enumeration tools made me ask
one closely related question.

I would like to know what the usual steps are when doing a pen test on a
firewall.

Besides looking for potential vulnerabilities in the actual firewall device
(by running some of the vulnerability scanning tools like Nessus, ISS,
Retina etc), I am also interested in other automated or manual tests which
could be useful for finding other potential security weaknesses
(configuration errors, VPN services etc.).

I know that this is a very general question, and that it depends on the
situation and environment where the tests are made, but I would like to hear
some general ideas and techniques from people with experience in this area.

 
Thanks,

Sasa Jusic
e-mail: sasa.jusic@zesoi.fer.hr




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:38 EDT