Re: Firewall assessment

From: Oliver Karow (Oliver.karow@gmx.de)
Date: Wed Aug 27 2003 - 07:58:50 EDT


Sasa Jusic wrote:

>Hi everyone,
>
>
>This interesting discussion about firewall enumeration tools made me ask
>one closely related question.
>
>I would like to know what are the usual steps when doing a pen test on the
>firewall?
>
>Besides looking for potential vulnerabilities in the actual firewall device
>(by running some of the vulnerability scanning tools like Nessus, ISS,
>Retina etc), I am also interested in other automated or manual tests which
>could be useful for finding other potential security weaknesses
>(configuration errors, VPN services etc.).
>
>I know that this is a very general question, and that it depends on the
>situation and environment where the tests are made, but I would like to hear
>some general ideas and techniques from people with experience in this area.
>
>
>Thanks,
>
>Sasa Jusic
>e-mail:sasa.jusic@zesoi.fer.hr
>
Hi,

Some thoughts of mine about (pen-)testing firewalls:

- Does the firewall do a hardening of the operating system? If yes, is this
enough? If no, think about what
should be hardened (e.g. the IP stack).

- Does the firewall support remote administration? If yes, is this done
encrypted via a well-known algorithm?
Is there strong authentication for the remote administrator?

- Does the firewall support alarming via mail, SNMP, popup etc.?

And now some technical stuff:

- do a port scan on all ports (TCP/UDP) to see if there are any services
running
- check IP-fragmentation attacks (fragrouter)
- do a protocol scan (nmap)
- do source-port attacks (using source ports like 53 for your scanning)
- play with ICMP (e.g. ICMP redirect, netmask request etc.)
- try IP source routing
- play with IP options
- if the FW is a proxy, try to "bounce" into the internal network. Check
if the firewall is filtering "dangerous" commands.
- do an ACK scan and a SYN scan to see if the firewall is stateful or not
(or at least looks at the SYN flag ;)
- check handling of TTL (using hping2)
- have a look at securityfocus.com and the homepage of the manufacturer
for known vulnerabilities
- check for ISN vulns (if the FW replaces the IP stack of the OS)
- SYN flooding, IP spoofing
- etc., etc., etc. Many more tests can be done.

regards,

Oliver Karow
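As an added illustration of the ACK-scan and source-port-53 items in the reply above (example code, not from Oliver's message or the list): a small Python detector that reads constructed, simplified netfilter-LOG-style lines and flags a source that sends bare ACKs, or SYNs from source port 53, to several distinct destination ports. A stateful filter drops such bare ACKs as not belonging to any tracked connection; a filter that only checks the SYN flag, or that blindly permits "from port 53", lets them through, and the log is where a defender sees the difference.

```python
import re
from collections import defaultdict

# Constructed sample log (not a real capture), in a simplified netfilter-LOG-like layout.
SAMPLE_LOG = """\
Aug 27 07:58:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=22 SYN
Aug 27 07:58:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=25 SYN
Aug 27 07:58:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=80 SYN
Aug 27 07:58:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 ACK
Aug 27 07:58:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 ACK
Aug 27 07:58:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80 ACK
Aug 27 07:58:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443 SYN
Aug 27 07:58:06 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443 ACK
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=\S+ PROTO=TCP SPT=(?P<spt>\d+) "
                     r"DPT=(?P<dpt>\d+) (?P<flags>[A-Z ]+)$")


def parse(log_text):
    """Yield (src, sport, dport, flag_set) for every TCP line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], int(m["spt"]), int(m["dpt"]), set(m["flags"].split())


def find_probes(log_text, min_ports=3):
    """Map each suspicious source to the probe pattern(s) it shows.
    bare_ack:    ACK without SYN to >= min_ports distinct ports (ACK-scan shape;
                 a stateful filter drops these, a SYN-only filter passes them).
    sport53_syn: new connections (SYN) from source port 53 to >= min_ports ports,
                 i.e. traffic trying to ride a 'permit from DNS' rule."""
    bare_ack, sport53 = defaultdict(set), defaultdict(set)
    for src, sport, dport, flags in parse(log_text):
        if flags == {"ACK"}:
            bare_ack[src].add(dport)
        if sport == 53 and "SYN" in flags:
            sport53[src].add(dport)
    findings = {}
    for src in set(bare_ack) | set(sport53):
        hit = {}
        if len(bare_ack.get(src, ())) >= min_ports:
            hit["bare_ack"] = sorted(bare_ack[src])
        if len(sport53.get(src, ())) >= min_ports:
            hit["sport53_syn"] = sorted(sport53[src])
        if hit:  # 192.0.2.55 is a normal handshake: one port, so never reported
            findings[src] = hit
    return findings
```

The single mid-connection ACK from 192.0.2.55 stays below the threshold, which is the point: one bare ACK is normal traffic, a fan-out across ports is a probe.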




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:38 EDT