© 1998-1999 Mike D. Schiffman. Synopsis  Introduction  Overview  Impetus  Internals  Implementation  Risk Mitigation  Futures.


1 © 1998-1999 Mike D. Schiffman

2 Synopsis
- Introduction
- Overview
- Impetus
- Internals
- Implementation
- Risk Mitigation
- Futures

3 Introduction
- Firewalking:
  - “Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker’s host to a destination host through a packet-filtering device.”

4 Terminology
- ACL
- router/gateway
- firewall

5 Slightly more detail
- Map `pass-through` port
  - Determine gateway ACLs
  - Map hosts behind filtering gateways

6 Importance
- Network Reconnaissance
  - Network mapping
  - Security auditing

7 Base concepts
- Traceroute
- Network discovery tool
- UDP packets
- IP TTL
  - Monotonic increments

8 Sample network

9 Sample traceroute [figure: IP TTL 1 2 3 4 5]

10 Info recon using traceroute
- Protocol subterfuge
- Nascent port seeding
  - View hosts behind a firewall

11 Protocol subterfuge

12 Nascent port seeding 1
p0 = (p - (hops * probes)) - 1
28 = (53 - (8 * 3)) - 1

13 Nascent port seeding 2

14 Logical progression
- Traceroute works at the IP layer
  - Any protocol on top of IP can be used
- Prohibitive filter on a gateway
  - Causes probes to be dropped
- We can determine the last host that responded
  - Different protocols
  - ‘Waypoint’ host

15 Firewalking basics 1
- Firewalking requires 3 hosts
  - The firewalking host
  - The gateway host
    - The waypoint host from above
  - The destination host
    - The host that sends the terminal packet in a traceroute scan
    - Must be ‘behind’ the gateway host
    - Used to direct the scan, never contacted

16 Firewalking basics 2
- A packet is sent to (towards) the destination host
- A timer is set
  - If we get a response before the timer expires, the port is open
  - If we do not, the port is probably closed
- Repeat for all interesting ports/protocols

17 Firewalk internals 1
- 2 phases
  - Network discovery phase
  - Scanning phase
- Network discovery phase
  - Required to get the correct TTL
  - `TTL ramping` ala traceroute towards destination host
    - This host is never contacted
  - When gateway hopcount is determined, scan is `bound`.

18 Firewalk internals 2
- Scanning phase
  - Send a packet towards destination
    - Packet is set to expire 1 hop (by default) past the gateway
  - Set a timer and listen for response
    - If response is received before timer expires, protocol in question is allowed through
    - If not it is probably denied by the gateway (maybe)

19 Firewalking diagram

20 Sample firewalk: phase 1 [figure: IP TTL 1 2 3]

21 Sample firewalk: phase 2 [figure: IP TTL bound at 3 hops; probes UDP/53, UDP/137, TCP/23, UDP/161, TCP/25]

22 Nothing is ever as simple as it seems False negative scenario

23 False negative circumvention
- `Slow walk`
  - Firewalk each hop en route to the target
  - If a probe is shown to be filtered on an intermediate gateway, that protocol/port cannot be scanned any further on that route

24 Risk mitigation
- Block egress ICMP TTL expired in transit messages
- NAT or proxy servers can remove the threat of firewalking
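
A defender-side check for the probe pattern described in slides 18 and 21, added here as an example and not part of the original presentation: it flags sources whose packets reach the gateway with a nearly expired TTL across several services, and counts the ICMP time-exceeded replies that left the network (the leak that the egress block above closes). The log format, addresses, thresholds and function names are assumptions; the TTL cut-off of 2 assumes the default from slide 18, where a probe set to expire one hop past the gateway arrives at the gateway with TTL 2.

```python
from collections import defaultdict

# Constructed sample log from a gateway's external interface (not real traffic).
SAMPLE_LOG = """\
dir=in src=198.51.100.7 dst=10.0.0.20 proto=udp dport=53 ttl=2
dir=out src=10.0.0.1 dst=198.51.100.7 proto=icmp type=11 code=0 ttl=255
dir=in src=198.51.100.7 dst=10.0.0.20 proto=udp dport=137 ttl=2
dir=in src=198.51.100.7 dst=10.0.0.20 proto=tcp dport=23 ttl=2
dir=in src=198.51.100.7 dst=10.0.0.20 proto=udp dport=161 ttl=2
dir=in src=198.51.100.7 dst=10.0.0.20 proto=tcp dport=25 ttl=2
dir=out src=10.0.0.1 dst=198.51.100.7 proto=icmp type=11 code=0 ttl=255
dir=in src=203.0.113.9 dst=10.0.0.20 proto=tcp dport=25 ttl=52
dir=in src=203.0.113.40 dst=10.0.0.20 proto=udp dport=33434 ttl=2
"""

def parse(line):
    """Turn 'key=value key=value' into a dict; numeric fields become ints."""
    rec = dict(field.split("=", 1) for field in line.split())
    for key in ("dport", "ttl", "type", "code"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec

def find_firewalk_sources(log, max_ttl=2, min_services=3):
    """Flag sources probing several services with a TTL about to expire."""
    probes = defaultdict(set)   # src -> {(proto, dport)} seen with low TTL
    leaked = defaultdict(int)   # dst -> ICMP time-exceeded replies sent out
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        low_ttl = rec["proto"] in ("tcp", "udp") and rec["ttl"] <= max_ttl
        expired = (rec["proto"] == "icmp" and rec.get("type") == 11
                   and rec.get("code") == 0)
        if rec["dir"] == "in" and low_ttl:
            probes[rec["src"]].add((rec["proto"], rec["dport"]))
        elif rec["dir"] == "out" and expired:
            leaked[rec["dst"]] += 1
    # A single low-TTL packet is ordinary traceroute; several services is a scan.
    return {src: {"services": sorted(svcs), "ttl_exceeded_leaked": leaked[src]}
            for src, svcs in probes.items() if len(svcs) >= min_services}

if __name__ == "__main__":
    for src, info in find_firewalk_sources(SAMPLE_LOG).items():
        print(src, info)
```

A non-zero `ttl_exceeded_leaked` count for a flagged source means the egress block on ICMP TTL-expired messages is not in effect on that path.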

25 Futures
- More protocols to scan with
- More intelligence on the part of the scan
  - Make the program understand different packet types and what types of terminal packets it might get
- Efficiency
- Portability
- A better, more stable GUI

26 Web resources
- http://www.packetfactory.net
  - firewalk
  - tracerx
  - libnet
  - mike@infonexus.com

