1998Schiffman
Synopsis
Introduction
Overview
Impetus
Internals
Implementation
Risk Mitigation
Futures
Introduction
Firewalking:
Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device.
Terminology
ACL
router/gateway
firewall
Importance
Network Reconnaissance
Network mapping
Security auditing
Base concepts
Traceroute
Network discovery tool
UDP packets
IP TTL
Monotonic increments
Sample network
[Diagram: sample network. Labelled nodes: source, destination, kerr, mccone, deutch, colby, casey, bush, helms, turner, webster]
Sample traceroute
[Diagram: the sample network again, same labelled nodes, with IP TTL values 1 2 3 4 5 marked]
Protocol subterfuge
zuul:~> traceroute 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 4 packets
 1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397
 2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512
 3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747
 4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980
 5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061
 6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.53
 7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.9
 8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.3
 9  * * *
10  * * *

zuul:~> traceroute -I 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
 2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
 3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
 4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
 5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
 6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
 7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
 8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
 9  10.0.0.9 (10.0.0.9)  94.127 ms  81.764 ms  96.476 ms
10  10.0.0.10 (10.0.0.10)  96.012 ms  98.224 ms  99.312 ms
Logical progression
Traceroute works at the IP layer
Any protocol on top of IP can be used
Firewalking basics 1
Firewalking requires 3 hosts
The firewalking host
The gateway host
The waypoint host from above
Firewalking basics 2
A packet is sent to (towards) the destination host
A timer is set
If we get a response before the timer expires, the port is open
If we do not, the port is probably closed
Firewalk internals 1
2 phases
Network discovery phase
Scanning phase
Firewalk internals 2
Scanning phase
Send a packet towards destination
Packet is set to expire 1 hop (by default) past the gateway
Firewalking diagram
[Diagram: Internet, router, packet filter and destination host, with positions labelled hop 0, hop n and hop n + m (m > 1); hosts turner and webster; probe labels IP TTL 1 2 3 and TCP/25]
Risk mitigation
Block egress ICMP TTL expired in transit messages
NAT or proxy servers can remove the threat of firewalking
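A defender-side check for the scanning phase and the egress-filter mitigation above, as an added example that is not from the original slides or from the firewalk tool. The sensor record format, the field names, the TTL cut-off and the port threshold are all assumptions, and the records are constructed sample data.

```python
from collections import defaultdict

# Constructed perimeter-sensor records (assumed format):
# (direction, proto, src, dst, ttl, detail)
# detail is the destination port for tcp/udp and "type/code" for icmp.
SAMPLE = [
    ("in",  "tcp",  "198.51.100.7", "10.0.0.10", 2,  "25"),
    ("out", "icmp", "10.0.0.9",     "198.51.100.7", 64, "11/0"),
    ("in",  "tcp",  "198.51.100.7", "10.0.0.10", 2,  "53"),
    ("in",  "tcp",  "198.51.100.7", "10.0.0.10", 2,  "80"),
    ("out", "icmp", "10.0.0.9",     "198.51.100.7", 64, "11/0"),
    ("in",  "tcp",  "198.51.100.7", "10.0.0.10", 2,  "139"),
    ("in",  "tcp",  "203.0.113.9",  "10.0.0.10", 54, "80"),     # ordinary client
    ("in",  "udp",  "192.0.2.44",   "10.0.0.10", 1,  "33434"),  # single low-TTL packet
]

# Assumption: a probe meant to expire one hop past the gateway reaches the
# gateway's outside interface with a TTL of 2 or less.
LOW_TTL = 2
# Assumption: this many distinct low-TTL (proto, port) pairs marks a scan.
MIN_PORTS = 3

def detect_firewalking(records, low_ttl=LOW_TTL, min_ports=MIN_PORTS):
    """Return {external_src: {"probed": [...], "ttl_exceeded_leaked": n}}."""
    probes = defaultdict(set)  # external src -> low-TTL (proto, port) pairs
    leaks = defaultdict(int)   # external dst -> egress ICMP type 11 code 0 count
    for direction, proto, src, dst, ttl, detail in records:
        if direction == "in" and proto in ("tcp", "udp") and ttl <= low_ttl:
            probes[src].add((proto, int(detail)))
        elif direction == "out" and proto == "icmp" and detail == "11/0":
            leaks[dst] += 1
    findings = {}
    for src, ports in probes.items():
        if len(ports) >= min_ports:
            findings[src] = {
                "probed": sorted(ports),
                # Non-zero means TTL-expired messages are leaving the network,
                # i.e. the egress block listed under Risk mitigation is absent.
                "ttl_exceeded_leaked": leaks.get(src, 0),
            }
    return findings

if __name__ == "__main__":
    for src, info in detect_firewalking(SAMPLE).items():
        print(src, info)
```

An ordinary traceroute that crosses the gateway also sends low-TTL packets to several ports, so a hit needs to be read together with the port list it reports.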
Futures
More protocols to scan with
More intelligence on the part of the scan
Make the program understand different packet types and what types of terminal packets it might get
Web resources
http://www.packetfactory.net
firewalk
tracerx
libnet
mike@infonexus.com