
Avoidance of network firewalls

- Summary overview -

Umgehung von Netzwerkfirewalls (O. Karow)

Jesus Montero

Contents

- Field of discussion
- Recognition of existence of firewalls
- Identification of firewall & OS
- Avoidance & Attacks

Field of discussion

- Reliable defense against undesired accesses to our network
- Filter at OSI layers 3 & 4, header analysis:
  - Protocol
  - IP addresses
  - Ports
  - TCP flags

Recognition of existence of firewalls

- Traceroute: ICMP, UDP, TCP
- Response packet analysis
- TTL difference

Traceroute

- List of routers up to the destination (path)
- Firewall in the middle: IP finding
- TTL field decreased on each router; when it reaches 0 -> TTL-expired message sent back
- ICMP echo request (Windows)
- UDP packets (most *NIX)
- Use of TCP packets if ICMP & UDP are blocked

Response analysis

- Comparison of responses from open and closed ports
- Packet to closed port -> forbidden -> firewall existence found

TTL Difference

- Valid if the firewall is placed before the server
- Packets to open and closed ports -> we get responses from
  - Open port (server)
  - Closed port (firewall)
- TTL values differ by one unit
- Firewall before server guaranteed

Identification of firewall & OS

- TCP fingerprinting (port scan):
  - Firewall product & version
  - Proxy-based firewall
  - OS version
- Banner checking

TCP fingerprinting

- IP stack has unique features depending on OS & firewall products
- Product standard ports -> identification
- Many open ports -> proxy-based
- Combination of tools for better results

Banner checking

- Banner notifications contain strings which correspond to certain products
- Not reliable by itself -> combination with
  - Fingerprinting
  - Standard ports scan

Avoidance & Attacks

- Source port attack
- FTP use
  - Active mode
  - Passive mode
- HTTP proxy bouncing
- HTTP connect
- Overlapping of fragments
- Tunneling attack

Source port attack

- For simple packet filters (web browsing)
- Rules for incoming & outgoing packets by
  - Server port: > 1024/TCP (high port)
  - Attacking port: 80/TCP (HTTP response)
  - Other source ports: 53 (DNS), 20 (FTP)...
- Attack performed over permitted ports
- With TCP: SYN flag needed for each new setup -> differentiation of sources

Active FTP

- Connection setup
  - Client: command channel
  - Server: data channel
- The FTP server allows directing to high ports -> attacking packets come in
- Source port is set to 20 (FTP client)
- Bouncing: data channel routed to target IP/port -> status shown in the command report

Passive FTP

- Connection setup: the client opens both data & command channels
- When the data channel is set up, the firewall does not know its ID ->
  - Allows communication to the port/IP indicated on the command channel
- Chain of error responses to the desired IP -> firewall (mis)understands a connection wish

HTTP proxy bouncing

- HTTP proxy wrongly configured -> access from outside allowed -> private IPs in the local network reachable

HTTP connect

- 'connect' command makes the proxy server set up a tunneled TCP connection to the target server IP/port
- If IP & port are not checked, "holes" can be opened from outside
- Administrative ports of the firewall should only be reachable from inside

Overlapping of fragments

- UDP/TCP header is to be overwritten once the firewall allows packets through
- Packets are fragmented: the first one is allowed
- Negative offset achieves overwriting of the header
- By reassembling, the target can be reached
- Hacking transparent to the firewall: first packet is accepted
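The fragment-overlap trick above is what the reassembly checks of RFC 1858 are meant to stop. As an added example (not from the original slides or the presenter), the Python below reassembles fragments under those checks: a first fragment too short to carry the TCP ports and flags, any fragment at offset 1, and any byte-range overlap are rejected instead of letting a later fragment rewrite the header. The sample fragments and the 16-byte minimum are constructed for the example.

```python
"""Fragment reassembly with RFC 1858 checks, as an added example (not from
the slides): tiny first fragments, offset-1 fragments and any byte-range
overlap are rejected instead of letting a later fragment rewrite the header."""
import struct
from dataclasses import dataclass

# Bytes the first fragment must carry so a filter sees the TCP ports
# (bytes 0-3) and flags (byte 13); RFC 1858 suggests 16.
MIN_FIRST_FRAGMENT = 16

@dataclass
class Fragment:
    offset: int     # Fragment Offset field, in 8-byte units
    more: bool      # More Fragments flag
    payload: bytes  # transport-layer bytes carried by this fragment

def reassemble(frags):
    """Return (datagram, "ok"), or (None, reason) if a fragment is rejected."""
    accepted = {}  # start byte -> payload of each fragment taken so far
    total = None
    for f in sorted(frags, key=lambda f: f.offset):
        start, end = f.offset * 8, f.offset * 8 + len(f.payload)
        if f.offset == 0 and len(f.payload) < MIN_FIRST_FRAGMENT:
            return None, "tiny first fragment"
        if f.offset == 1:
            return None, "offset-1 fragment would cover the TCP flags"
        for s, p in accepted.items():
            if start < s + len(p) and s < end:
                return None, "overlap at bytes %d-%d" % (max(start, s), min(end, s + len(p)))
        accepted[start] = f.payload
        if not f.more:
            total = end
    if total is None:
        return None, "last fragment missing"
    buf, pos = bytearray(), 0
    for s in sorted(accepted):
        if s != pos:
            return None, "gap before byte %d" % s
        buf += accepted[s]
        pos += len(accepted[s])
    if pos != total:
        return None, "data beyond the last fragment"
    return bytes(buf), "ok"

# Constructed sample: a 20-byte TCP SYN header to port 80 plus 4 data bytes.
SYN_TO_80 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
GOOD = [Fragment(0, True, SYN_TO_80 + b"GET "), Fragment(3, False, b"/ HTTP/1.0\r\n")]
# Offset 2 re-covers bytes 16-23 of the first fragment: rejected as overlap.
OVERLAP = [GOOD[0], Fragment(2, False, b"\x00" * 8 + b"X" * 8)]
# An 8-byte first fragment hides ports and flags from a filter: rejected.
TINY = [Fragment(0, True, SYN_TO_80[:8]), Fragment(1, False, SYN_TO_80[8:])]
```

A filter that enforces these three rules never has to guess whether the first or the last copy of an overlapped byte range "wins", which is exactly the ambiguity the attack relies on.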

Tunneling attack (DNS)

- DNS server controlled by hacker
- Data on DNS client (target element)
- Client performs DNS request with the data encoded in the address
- DNS server decodes the data string and acquires the valid target data
- ASCII-7 coding cannot be detected
