Bypassing network firewalls - summary overview of "Umgehung von Netzwerkfirewalls" (Bypassing Network Firewalls) by O. Karow
Jesus Montero

Contents
- Field of discussion
- Recognition of the existence of firewalls
- Identification of firewall and OS
- Bypass techniques and attacks
Field of discussion
- A firewall is the reliable defence against undesired access to our network.
- It filters at OSI layers 3 and 4 by analysing the packet headers:
  - protocol
  - IP addresses
  - ports
  - TCP flags
Recognition of the existence of firewalls
- Traceroute (ICMP, UDP, TCP)
- Response packet analysis
- TTL difference

Traceroute
- Lists the routers up to the destination (the path); a firewall in the middle shows up as one of the IPs found.
- The TTL field is decremented at each router; when it reaches 0, a TTL-expired message is sent back.
- Probe packets: ICMP echo request (Windows), UDP packets (most *NIX).
- Use TCP packets if ICMP and UDP are blocked.

Response analysis
- Compare the responses to packets sent to an open port and to a closed port.
- A packet to a closed port is answered with "forbidden" → the existence of a firewall is found.

TTL difference
- Valid if the firewall is placed in front of the server.
- Send packets to an open port and to a closed port; the responses come from:
  - open port: the server
  - closed port: the firewall
- If the two TTL values differ by one unit, a firewall in front of the server is confirmed.
Identification of firewall and OS
- TCP fingerprinting (port scan) reveals:
  - firewall product and version
  - proxy-based firewall
  - OS version
- Banner checking

TCP fingerprinting
- The IP stack has unique features depending on the OS and the firewall product.
- Product standard ports → identification of the product.
- Many open ports → proxy-based firewall.
- Combine several tools for better results.

Banner checking
- Banner notifications contain strings that correspond to certain products.
- Not reliable by itself → combine with:
  - fingerprinting
  - standard-port scan
Bypass techniques and attacks
- Source port attack
- FTP use
  - active mode
  - passive mode
- HTTP proxy bouncing
- HTTP connect
- Overlapping of fragments
- Tunneling attack
Source port attack
- Targets simple (stateless) packet filters, e.g. rules written for web browsing.
- Rules for incoming and outgoing packets are defined by port:
  - server port: > 1024/TCP (high port)
  - attacking port: 80/TCP (looks like an HTTP response)
  - other usable source ports: 53 (DNS), 20 (FTP), ...
- The attack is performed over the permitted ports.
- With TCP, the SYN flag is needed for each new connection setup → checking it lets the filter differentiate the sources.
Active FTP
- Connection setup: the client opens the command channel, the server opens the data channel.
- The FTP server is allowed to direct traffic to high ports → attacking packets can come in.
- The source port is set to 20 (FTP data port).
- Bouncing: the data channel is routed to a target IP/port → the status is shown in the command channel report.

Passive FTP
- Connection setup: the client opens both the data and the command channel.
- When the data channel is set up, the firewall does not know its identity → it allows communication to the port/IP indicated on the command channel.
- A chain of error responses towards the desired IP → the firewall (mis)understands it as a connection request.
HTTP proxy bouncing
- A wrongly configured HTTP proxy → access from outside is allowed → private IPs in the local network become reachable.

HTTP connect
- The 'connect' command makes the proxy server set up a tunnel: a TCP connection to the target server IP/port.
- If IP and port are not checked, "holes" can be opened from outside.
- Administrative ports of the firewall should only be reachable from inside.
Overlapping of fragments
- Goal: overwrite the UDP/TCP header once the firewall has let the packet through.
- The packets are fragmented: the first fragment is allowed by the filter.
- A negative (overlapping) offset in a later fragment overwrites the header.
- On reassembly at the target, the intended port is reached.
- The hack is transparent to the firewall: only the first fragment was inspected and accepted.
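Detection logic for the fragment-overlap technique above, added here as an example that is not part of Karow's talk or of this summary: a reassembly pre-check, of the kind a filter or IDS runs before trusting the first fragment, that flags a fragment set in which a later fragment rewrites transport-header bytes already seen, whose first fragment is too small to carry the whole header, or whose offset lands inside the header (the last two checks mirror RFC 1858). The TCP headers and fragment sets below are constructed sample data; the function names are this example's own.

```python
import struct

# Bytes of the reassembled payload that hold the transport header a filter
# decides on: 20 covers a minimal TCP header (UDP would need only 8).
HEADER_BYTES = 20

def inspect_fragments(frags, header_bytes=HEADER_BYTES):
    """frags: list of (offset_in_bytes, more_fragments, payload) in arrival
    order, all sharing one IP identification. Returns sorted finding tags;
    an empty list means the set is safe to reassemble."""
    findings = set()
    seen = {}  # absolute byte index -> first value seen at that index
    for offset, more, payload in frags:
        if offset == 0 and more and len(payload) < header_bytes:
            findings.add("FIRST_FRAGMENT_TOO_SMALL")  # ports/flags not all visible
        if 0 < offset < header_bytes:
            findings.add("OFFSET_INSIDE_HEADER")      # RFC 1858 "FO=1" style
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos not in seen:
                seen[pos] = byte
            elif seen[pos] != byte:
                findings.add("OVERLAP_CONFLICT")      # same byte, different data
                if pos < header_bytes:
                    findings.add("HEADER_REWRITE")    # the header itself changed
    return sorted(findings)

def verdict(frags):
    """Policy: any finding drops the whole fragment set."""
    return "drop" if inspect_fragments(frags) else "accept"

def tcp_header(sport, dport, flags=0x02):
    # Constructed minimal 20-byte TCP header (SYN), checksum left at zero.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

# Constructed sample traffic: an HTTP request to port 80 split in two.
HTTP_PAYLOAD = tcp_header(40000, 80) + b"GET / HTTP/1.0\r\n"
BENIGN = [(0, True, HTTP_PAYLOAD[:24]), (24, False, HTTP_PAYLOAD[24:])]

# Overlap case: the first fragment passes the port-80 rule, then a second
# fragment at the same offset rewrites the destination port to 22.
REWRITE = [(0, True, HTTP_PAYLOAD[:24]),
           (0, True, tcp_header(40000, 22) + HTTP_PAYLOAD[20:24]),
           (24, False, HTTP_PAYLOAD[24:])]

# Tiny-first-fragment case: ports visible, but the TCP flags arrive later.
TINY = [(0, True, HTTP_PAYLOAD[:8]), (8, False, HTTP_PAYLOAD[8:])]
```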
Tunneling attack (DNS)
- The DNS server is controlled by the hacker; the data sits on the DNS client (the target element).
- The client performs a DNS request with the data encoded in the queried address.
- The DNS server decodes the data string and obtains the valid target data.
- ASCII-7 coding cannot be detected.