Avoidance Of Network Firewalls

  • June 2020

Avoidance of network firewalls - Summary overview
Umgehung von Netzwerkfirewalls (O. Karow)

Jesus Montero


  • Field of discussion
  • Recognition of existence of firewalls
  • Identification of firewall & OS
  • Avoidance & Attacks

Field of discussion

  • Reliable defense against undesired accesses to our network
  • Filter at OSI layers 3 & 4, header analysis:
      • Protocol
      • IP addresses
      • Ports
      • TCP flags

Recognition of existence of firewalls

  • Traceroute: ICMP, UDP, TCP
  • Response packet analysis
  • TTL difference

Traceroute

  • List of routers up to destination (path)
  • Firewall in the middle: IP finding
  • TTL field decreased on each router; when it reaches 0 → TTL-expired message sent back
      • ICMP echo request (Windows)
      • UDP packets (most *NIX)
  • Use of TCP packets if ICMP & UDP blocked

Response analysis

  • Comparison of responses from open and closed ports
  • Packet to closed port → forbidden → firewall existence found

TTL Difference

  • Valid if firewall placed before server
  • Packets to open and closed ports → we get response from
      • Open port (server)
      • Closed port (firewall)
  • TTL values differ by one unit
  • Firewall before server guaranteed

Identification of firewall & OS

  • TCP fingerprinting (port scan):
      • Firewall product & version
      • Proxy-based firewall
      • OS version
  • Banner checking

TCP fingerprinting

  • IP stack has unique features depending on OS & firewall products
  • Product standard ports → identification
  • Many open ports → proxy-based
  • Combination of tools for better results

Banner checking

  • Banner notifications contain strings which correspond to certain products
  • Not reliable by itself → combination
      • Fingerprinting
      • Standard ports scan

Avoidance & Attacks

  • Source port attack
  • FTP use
      • Active mode
      • Passive mode
  • HTTP proxy bouncing
  • HTTP connect
  • Overlapping of fragments
  • Tunneling attack

Source port attack

  • For simple packet filters (web browsing)
  • Rules for incoming & outgoing packets by
      • Server port: > 1024/TCP (high port)
      • Attacking port: 80/TCP (http response)
  • Other source ports: 53 (DNS), 20 (FTP)...
  • Attack performed over permitted ports
  • With TCP: SYN flag needed for each new setup → differentiation of sources

Active FTP

  • Connection setup
      • Client: command channel
      • Server: data channel
  • The FTP server allows high ports directioning → attacking packets come in
  • Source port is set to 20 (FTP client)
  • Bouncing: data channel routed to target IP/port → status shown on command report

Passive FTP

  • Connection setup: Client: both data & command channels
  • When data channel is set up the firewall does not know its ID →
      • Allows comm. to indicated port/IP on command channel
      • Chain of error responses to desired IP → firewall (mis)understands connection wish

HTTP proxy bouncing

  • HTTP proxy wrongly configured → access from outside allowed → private IPs in local network reachable

HTTP connect

  • 'connect' command makes proxy server set up a tunnel TCP connection to target server IP/port
  • If IP & port are not checked, "holes" can be opened from outside
  • Administrative ports of firewall should only be reachable from inside

Overlapping of fragments

  • UDP/TCP header is to be overwritten, once the firewall allows packets through
  • Packets are fragmented: first one allowed
  • Negative offset achieves overwriting of header
  • By reassembling target can be reached
  • Hacking transparent to firewall: first packet is accepted
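
A defender-side check for the overlap described above, as an added example that is not part of the original slides: it tracks the byte ranges received per datagram and reports any fragment that rewrites bytes already seen, which a filter or IDS can use to reject the datagram before reassembly. The record layout, the sample values and the 20-byte TCP header length are assumptions made for the illustration.

```python
from collections import defaultdict

TCP_HEADER_LEN = 20  # assumption: TCP header without options


def find_overlaps(fragments):
    """Report fragments that overlap bytes already received for the same datagram.

    Each fragment is (src, dst, ident, proto, offset, length); offset and
    length are in bytes of IP payload (hypothetical record layout).
    """
    seen = defaultdict(list)  # datagram key -> [(start, end), ...]
    findings = []
    for index, (src, dst, ident, proto, offset, length) in enumerate(fragments):
        key = (src, dst, ident, proto)
        start, end = offset, offset + length
        for prev_start, prev_end in seen[key]:
            lo, hi = max(start, prev_start), min(end, prev_end)
            if lo < hi:  # byte ranges intersect
                findings.append({
                    "index": index,
                    "datagram": key,
                    "overlap": (lo, hi),
                    # True when the rewritten bytes fall inside the transport
                    # header that the filter already inspected and accepted.
                    "touches_header": lo < TCP_HEADER_LEN,
                })
        seen[key].append((start, end))
    return findings


# Constructed sample fragments (documentation addresses, made-up IP IDs).
A, B = "192.0.2.10", "198.51.100.5"
SAMPLE = [
    (A, B, 1, 6, 0, 24), (A, B, 1, 6, 24, 24),   # clean: 0-24, 24-48
    (A, B, 2, 6, 0, 24), (A, B, 2, 6, 16, 16),   # overlap 16-24, inside header
    (A, B, 3, 6, 0, 32), (A, B, 3, 6, 24, 24),   # overlap 24-32, payload only
]

if __name__ == "__main__":
    for f in find_overlaps(SAMPLE):
        action = "drop datagram" if f["touches_header"] else "alert"
        print(f["index"], f["overlap"], action)
```
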

Tunneling attack (DNS)

  • DNS server controlled by hacker
  • Data on DNS client (target element)
  • Client performs DNS request with encoded data by address
  • DNS server decodes data string and acquires the valid target data
  • ASCII-7 coding cannot be detected
