RE: Bypassing Firewalls

From: Lars Troen (Lars.Troen@sit.no)
Date: Sat Apr 08 2006 - 13:27:13 EDT


> I guess I understand, first you need to scan for any openings
> on the network (what is allowed through the firewall). Then
> scan IP addresses on those ports for alive machines. Once
> that is complete, try to gain root/admin privilege on
> one/many inside machines to launch your system(s), or I guess
> you could install your tools on the compromised host (if
> permitted) to further your scanning/testing.
>
> Please understand, I am very new to this and am looking to
> get as much advice as possible, so I can become an expert.

For scanning ports and IPs on internal networks: the way you outline it
is not optimal. Different hosts often have different ports open if
they're offering different services. A clustered service will have the
same ports open on all the hosts that are part of the same cluster.
The same also applies to other types of "farms". But you normally
figure this out. When doing port scans, I feel that you get a better hit
rate when first scanning "often used ports" or doing a ping sweep to get a
picture of the landscape.

Be aware, however, that a port scan is like a lighthouse to any IDS/IPS
system, and some firewalls might also have countermeasures to this. This
depends completely on the environment you're testing, and you risk having
your IP/switch port blocked out automatically. It's important to make such
things clear with the customer before you begin, and to try to get as much
information as possible about subnets and services in order to be able to
do a good pen test that gives as accurate a picture as possible of the
situation.

Trying to find a way out of the network? Do you have access to an
existing client PC? It would help you a lot to see what methods a normal
user uses for contact with external networks. Typically these accesses
involve http(s), smtp and icmp. In most cases (for larger environments)
these services (except icmp) are proxied and you can only gain access
through authenticated access.

If you can ping hosts on the internet, the icmp requests are in many
cases not masked/proxied.

If you can't gain access to a client PC, then maybe you're connected to
the same switch as a client PC that is being used? Then you can put the
switch into "hub mode" and sniff its activity and see how it
communicates with the world.

If you can gain access through any of these (or other) services, you can
set up a tunnel through these protocols.

If you know what kind of firewalling technology (brand/version) they're
using there are several default setups that you might want to check.

If you don't know anything about the customer setup, and you're
completely on your own it will be a much more time consuming task to
locate the relevant values that can take you further (but still very
possible).

Good luck!

Lars
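Lars's point that a port scan is a lighthouse to an IDS/IPS is worth seeing from the detection side. The script below is an added example, not part of the original post or any product: it runs simple threshold logic over constructed firewall records to flag the two steps the quoted mail describes (many ports on one host, one port across many hosts). The record format, addresses and thresholds are assumptions for illustration.

```python
# Added example (not from the original post): threshold logic of the kind an
# IDS/IPS applies to firewall records to spot scan-like behaviour.
# Record format, addresses and thresholds are assumed for illustration.
from collections import defaultdict

# Constructed sample records: "<src> <dst> <dport> <action>"
SAMPLE_LOG = """\
10.0.0.5 10.0.1.20 22 DENY
10.0.0.5 10.0.1.20 23 DENY
10.0.0.5 10.0.1.20 25 DENY
10.0.0.5 10.0.1.20 80 ALLOW
10.0.0.5 10.0.1.20 443 DENY
10.0.0.7 10.0.1.1 445 DENY
10.0.0.7 10.0.1.2 445 DENY
10.0.0.7 10.0.1.3 445 DENY
10.0.0.7 10.0.1.4 445 DENY
10.0.0.7 10.0.1.5 445 DENY
10.0.0.9 10.0.1.20 80 ALLOW
10.0.0.9 10.0.1.20 443 ALLOW
"""

def parse_log(text):
    """Yield (src, dst, dport, action) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, action = line.split()
            yield src, dst, int(dport), action

def detect_scans(text, port_threshold=5, host_threshold=5):
    """Map each suspicious source to the scan patterns it exhibits.

    ("vertical", dst)    - >= port_threshold distinct ports on one host
    ("horizontal", port) - one port on >= host_threshold distinct hosts
    """
    ports_per_host = defaultdict(set)  # (src, dst) -> {dport}
    hosts_per_port = defaultdict(set)  # (src, dport) -> {dst}
    for src, dst, dport, _action in parse_log(text):
        ports_per_host[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    findings = defaultdict(set)
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            findings[src].add(("vertical", dst))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings[src].add(("horizontal", dport))
    return dict(findings)
```

Denied and allowed records are counted alike, since a scan that hits a few open ports still touches many closed ones; the benign source 10.0.0.9 stays below both thresholds.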
