
1998-1999 Mike D. Schiffman

Synopsis
  Introduction
  Overview
  Impetus
  Internals
  Implementation
  Risk Mitigation
  Futures

Introduction
  Firewalking:
    Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device.

Terminology
  ACL
  router/gateway
  firewall

Slightly more detail
  Map `pass-through` ports
  Determine gateway ACLs
  Map hosts behind filtering gateways

Importance
  Network Reconnaissance
    Network mapping
    Security auditing

Base concepts
  Traceroute
    Network discovery tool
    UDP packets
    IP TTL
      Monotonic increments

Sample network
  [network diagram: a source host and a destination host connected through routers named kerr, mccone, deutch, colby, casey, bush, helms, turner, dulles, tenet, gates and webster]

Sample traceroute
  [diagram: the sample network above, with traceroute probes of IP TTL 1, 2, 3, 4, 5 sent from the source and expiring at successive hops on the way to the destination]

Info recon using traceroute
  Protocol subterfuge
  Nascent port seeding
  View hosts behind a firewall

Protocol subterfuge

  zuul:~ >traceroute 10.0.0.10
  traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 4 packets
   1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397
   2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512
   3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747
   4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980
   5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061
   6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.53
   7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.9
   8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.3
   9  * * *
  10  * * *

  zuul:~ >traceroute -I 10.0.0.10
  traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
   1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
   2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
   3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
   4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
   5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
   6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
   7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
   8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
   9  10.0.0.9 (10.0.0.9)  94.127 ms  81.764 ms  96.476 ms
  10  10.0.0.10 (10.0.0.10)  96.012 ms  98.224 ms  99.312 ms

Nascent port seeding 1

  zuul:~ >traceroute 10.0.0.10
  traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
   1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
   2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
   3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
   4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
   5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
   6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
   7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
   8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
   9  * * *
  10  * * *

  p0 = (p - (hops * probes)) - 1
  28 = (53 - (8 * 3)) - 1

Nascent port seeding 2

  zuul:~ >traceroute -p 28 10.0.0.10
  traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
   1  10.0.0.1 (10.0.0.1)  0.501 ms  0.399 ms  0.395 ms
   2  10.0.0.2 (10.0.0.2)  2.433 ms  2.940 ms  2.481 ms
   3  10.0.0.3 (10.0.0.3)  4.790 ms  4.830 ms  4.885 ms
   4  10.0.0.4 (10.0.0.4)  5.196 ms  5.127 ms  4.733 ms
   5  10.0.0.5 (10.0.0.5)  5.650 ms  5.551 ms  6.165 ms
   6  10.0.0.6 (10.0.0.6)  7.820 ms  20.554 ms  19.525 ms
   7  10.0.0.7 (10.0.0.7)  88.552 ms  90.006 ms  93.447 ms
   8  10.0.0.8 (10.0.0.8)  92.009 ms  94.855 ms  88.122 ms
   9  10.0.0.9 (10.0.0.9)  101.163 ms  * *
  10  * * *
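The port arithmetic behind the two seeding slides, as an added example that is not from the slides nor from the traceroute or firewalk sources. It assumes the classic BSD traceroute convention: each probe's UDP destination port is the base port plus a sequence number that is 1 for the first probe of TTL 1 and grows by one per probe, which is the convention the slide's formula p0 = (p - (hops * probes)) - 1 encodes (p = wanted port, hops = hops that answered, probes = probes per hop). The function names and the "permit only UDP/53" rule set are made up for the illustration.

```python
# Added example, not from the slides: models the UDP destination port a classic
# (BSD) traceroute uses for each probe, and the seeding formula from the slide,
# p0 = (p - (hops * probes)) - 1.  Function names are made up here.

NPROBES = 3            # probes per hop in the sample output
DEFAULT_BASE = 33434   # traditional traceroute base port (32768 + 666)


def probe_port(base, ttl, probe, nprobes=NPROBES):
    """Destination port of probe number `probe` (1-based) sent with IP TTL `ttl`.
    Assumed convention: port = base + seq, where seq is 1 for the very first
    probe and grows by one for every probe sent."""
    seq = (ttl - 1) * nprobes + probe
    return base + seq


def seed_port(target_port, hops, nprobes=NPROBES):
    """The -p value (p0) that makes the first probe sent past `hops` answering
    hops land on `target_port`: the slide's  p0 = (p - (hops * probes)) - 1."""
    return (target_port - (hops * nprobes)) - 1


def ports_at_hop(base, ttl, nprobes=NPROBES):
    """All destination ports probed at one TTL."""
    return [probe_port(base, ttl, i, nprobes) for i in range(1, nprobes + 1)]


def expected_replies(base, ttl, permitted_ports, nprobes=NPROBES):
    """Probes at TTL `ttl` have to cross a gateway that forwards only
    `permitted_ports` (a constructed rule set).  Returns, per probe, the port
    it hits and whether the hop beyond the gateway can answer it ('reply') or
    the probe is dropped on the way ('*'), as it shows up in a traceroute line."""
    return [(port, "reply" if port in permitted_ports else "*")
            for port in ports_at_hop(base, ttl, nprobes)]


def main():
    # The slide's numbers: 8 hops answered, 3 probes each, wanted port UDP/53.
    p0 = seed_port(53, 8)                                  # 28
    print("seed the base port with -p", p0)
    print("hop 8 probes still hit ports", ports_at_hop(p0, 8))   # [50, 51, 52]
    print("hop 9 probes hit ports", ports_at_hop(p0, 9))         # [53, 54, 55]
    # If hop 8 forwards only UDP/53, the first TTL-9 probe reaches 10.0.0.9 and
    # is answered; the next two are dropped: the "101.163 ms * *" line.
    print(expected_replies(p0, 9, {53}))
    print("unseeded first probe goes to port", probe_port(DEFAULT_BASE, 1, 1))  # 33435


if __name__ == "__main__":
    main()
```

Note that hop 8 still answers all three probes in the seeded run: the TTL expires there before its forwarding rules are consulted, so only probes that must be forwarded past it are subject to the filter. That is the observation the firewalk scanning phase builds on.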

Logical progression
  Traceroute works at the IP layer
    Any protocol on top of IP can be used
  Prohibitive filter on a gateway
    Causes probes to be dropped
    We can determine the last host that responded
  Different protocols
  Waypoint host

Firewalking basics 1
  Firewalking requires 3 hosts
    The firewalking host
    The gateway host
      The waypoint host from above
    The destination host
      The host that sends the terminal packet in a traceroute scan
      Must be behind the gateway host
      Used to direct the scan, never contacted

Firewalking basics 2
  A packet is sent to (towards) the destination host
  A timer is set
    If we get a response before the timer expires, the port is open
    If we do not, the port is probably closed
  Repeat for all interesting ports/protocols

Firewalk internals 1
  2 phases
    Network discovery phase
    Scanning phase
  Network discovery phase
    Required to get the correct TTL
    `TTL ramping` a la traceroute towards destination host
      This host is never contacted
    When gateway hopcount is determined, scan is `bound`.

Firewalk internals 2
  Scanning phase
    Send a packet towards destination
      Packet is set to expire 1 hop (by default) past the gateway
    Set a timer and listen for response
      If response is received before timer expires, protocol in question is allowed through
      If not, it is probably denied by the gateway (maybe)

Firewalking diagram
  [diagram: firewalking host (hop 0) -> Internet -> packet filter (hop n) -> router -> destination host (hop n + m, m > 1)]

Sample firewalk: phase 1
  [diagram: the sample network, with TTL-ramping probes of IP TTL 1, 2, 3 sent from the source towards the destination]

Sample firewalk: phase 2
  [diagram: probes for UDP/137, UDP/161, UDP/53, TCP/23 and TCP/25 sent from the source towards the destination, IP TTL bound at 3 hops]

Nothing is ever as simple as it seems

False negative scenario
  [diagram: firewalking host (hop 0) -> Internet -> packet filter -> packet filter (hop n) -> destination host (hop n + m, m > 1); packets are dropped at the first packet filter instead of the target filter further down]

False negative circumvention
  `Slow walk`
    Firewalk each hop en route to the target
    If a probe is shown to be filtered on an intermediate gateway, that protocol/port cannot be scanned any further on that route

Risk mitigation
  Block egress ICMP TTL expired in transit messages
  NAT or proxy servers can remove the threat of firewalking
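A small model of the two-phase scan from the "Firewalk internals" slides, the false-negative scenario, the `slow walk` and the first risk-mitigation item, added here as an example; it is not the firewalk tool's code. It runs against a constructed route of four hops instead of a real network, with made-up hop names, made-up ACLs and a per-hop switch that models a gateway dropping egress ICMP TTL-expired messages. The model assumes a hop expires the TTL before applying its forwarding ACL, and a probe that outlives the route counts as having reached the destination (something a bound scan is meant to avoid).

```python
# Added example, not from the slides or the firewalk tool: a toy model of the
# firewalk discovery and scanning phases against a constructed route.  Names,
# ACLs and the egress-blocking switch are assumptions made for this example.
from __future__ import annotations
from dataclasses import dataclass

DESTINATION = "destination"        # the host past the last modelled router; never meant to be reached
DISCOVERY_PROBE = ("udp", 33434)   # protocol/port used while ramping the TTL (traceroute's usual base port)


@dataclass
class Hop:
    name: str
    allow: frozenset | None = None           # None: forwards everything; else the (proto, port) pairs it lets through
    block_egress_ttl_exceeded: bool = False  # mitigation from the slide: drop ICMP TTL-expired leaving the net behind it


def send_probe(path, proto, port, ttl):
    """Forward one probe along `path` (first router first).  Returns the name of the
    hop whose ICMP 'TTL expired in transit' reply reached the firewalking host, or
    None when the probe or the reply was dropped, i.e. the scanner's timer expires."""
    for i, hop in enumerate(path):
        ttl -= 1
        if ttl == 0:
            # Expired here; the reply has to travel back out through path[0:i].
            if any(h.block_egress_ttl_exceeded for h in path[:i]):
                return None
            return hop.name
        if hop.allow is not None and (proto, port) not in hop.allow:
            return None                      # silently dropped by this hop's ACL
    return DESTINATION                       # TTL outlived the route: the destination got the packet


def discover_gateway_hopcount(path, gateway_name, max_ttl=30):
    """Phase 1 (network discovery): ramp the TTL towards the destination until the
    named gateway answers.  The scan is then 'bound' to that hop count."""
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(path, *DISCOVERY_PROBE, ttl)
        if reply == gateway_name:
            return ttl
        if reply == DESTINATION:             # overshot: the gateway is not on this route
            return None
    return None


def scan(path, gateway_hop, targets, extra_hops=1):
    """Phase 2 (scanning): every probe is set to expire `extra_hops` past the gateway.
    A reply before the timer runs out means the gateway let that protocol/port
    through; silence means it is probably (not certainly) denied."""
    ttl = gateway_hop + extra_hops
    return {t: ("allowed" if send_probe(path, t[0], t[1], ttl) is not None else "denied?")
            for t in targets}


def slow_walk(path, gateway_hop, targets):
    """False-negative circumvention: firewalk every hop en route to the gateway and
    record the first hop at which a target is dropped (None: no hop dropped it)."""
    first_block = {}
    for proto, port in targets:
        first_block[(proto, port)] = None
        for h in range(1, gateway_hop + 1):
            if send_probe(path, proto, port, h + 1) is None:
                first_block[(proto, port)] = path[h - 1].name
                break
    return first_block


# Constructed sample route; the port list mirrors the phase 2 slide.
TARGETS = [("udp", 53), ("udp", 137), ("udp", 161), ("tcp", 23), ("tcp", 25)]
GATEWAY_ACL = frozenset({("udp", 53), ("tcp", 25)})


def build_path(upstream_allow=None, egress_block=False):
    return [
        Hop("hop1-router"),
        Hop("hop2-isp-filter", allow=upstream_allow),
        Hop("hop3-gateway", allow=GATEWAY_ACL, block_egress_ttl_exceeded=egress_block),
        Hop("hop4-inside-router"),
    ]


def main():
    clean = build_path()
    gw = discover_gateway_hopcount(clean, "hop3-gateway")          # bound at 3 hops
    print("bound at", gw, "hops:", scan(clean, gw, TARGETS))
    # False negative: a filter upstream of the gateway drops udp/53 first, so the
    # plain scan blames the gateway for it; the slow walk shows where it really died.
    upstream = build_path(upstream_allow=frozenset(
        {DISCOVERY_PROBE, ("udp", 137), ("udp", 161), ("tcp", 23), ("tcp", 25)}))
    print("with upstream filter:", scan(upstream, gw, TARGETS))
    print("slow walk:", slow_walk(upstream, gw, TARGETS))
    # Mitigation: the gateway blocks egress TTL-expired messages; every port looks denied.
    mitigated = build_path(egress_block=True)
    print("egress ICMP blocked:", scan(mitigated, discover_gateway_hopcount(mitigated, "hop3-gateway"), TARGETS))


if __name__ == "__main__":
    main()
```

Two things the model makes visible that the slides only state: the discovery phase still finds the gateway when egress TTL-expired messages are blocked (the gateway's own reply originates outside the protected segment), yet the scanning phase then returns "denied?" for every target, so the mitigation hides the ACL rather than the gateway; and the slow walk correctly attributes udp/53 to the upstream filter while the remaining drops are attributed to the gateway itself.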

Futures
  More protocols to scan with
  More intelligence on the part of the scan
    Make the program understand different packet types and what types of terminal packets it might get
  Efficiency
  Portability
  A better, more stable GUI

Web resources
  http://www.packetfactory.net
    firewalk
    tracerx
    libnet

  mike@infonexus.com
