Wednesday, 19 March 2008

Basics On How To Identify A Firewall By: C0ldPhaTe

Introduction:

Ever since firewalls were first plugged in, they have protected countless networks from prying eyes and malicious attackers. But in today’s Internet community they are far from a security panacea. More and more security vulnerabilities are discovered every year in almost every firewall on the market today. On top of the vulnerabilities in the firewalls themselves, there is something else to consider: misconfigured, unmaintained and unmonitored firewalls make the situation even worse. Below I will go into the types of firewalls and how to go about attacking your own personal firewalls to see exactly how secure they are.

Firewall Types:

Two types of firewalls dominate the Internet market today: packet filtering gateways and application proxies. Application proxies are widely considered the more secure, but their restrictive nature and performance limitations have constrained their adoption to traffic going out of the company rather than traffic coming into a company’s web server. Packet filtering gateways, or the more sophisticated stateful packet filtering gateways, are found in the larger organizations that have high-performance traffic requirements.

A well-configured and well-designed firewall will make your network almost impenetrable. Most attackers who have any skill know this. They will simply work around the firewall by exploiting trust relationships and weakest-link security vulnerabilities, or avoid the hassle altogether and attack through a dial-up account into the system. So as a system administrator you will have to be on top of your game, because having an impenetrable firewall up doesn’t mean the wily attacker won’t just work his way around it.

Another key to working as a firewall administrator is knowing the enemy attacking your system: the tools he will use and the techniques he will employ against your firewall. So I would recommend going out and downloading some “Hacking Text Files” such as “The Hackers Hand Books” and anything you can find on the Internet on “Hacking” or “Security” in general; a knowledgeable system administrator is an asset to a strong firewall configuration. Although you might not be able to stop every attacker from gaining access to your system, you will cut down the chances of a newbie attacker gaining unauthorized access. The far more advanced attackers that call themselves “l33t” you might have a problem with. So remember to always keep a well-maintained firewall, no matter what the circumstances are.

Firewall Identification:

Almost every firewall on the market today has its own unique marks. A little port scanning, firewalking and banner grabbing will allow the attacker to effectively determine the type and version of the firewall being used and almost all the rules of every firewall on the network. Identification is so important because once you have mapped out the target’s firewalls you can begin to understand your target’s weaknesses and begin to launch exploit attacks against them.

The Noisy Technique:

This is also known as direct scanning, and it is by far the easiest way to look for target firewalls. Some firewalls on the market will uniquely identify themselves with a simple port scan of specific ports; all you need is to know what to look for while port scanning. With knowledge of the default firewall ports you can configure nmap to scan for the selected firewall ports.

So you think you’re safe because you think your Intrusion Detection System (IDS) will detect these more wily attackers? Wrong. Most Intrusion Detection Systems come configured to hear only the noisiest and clumsiest port scans. So an attacker with any knowledge of port scanning will remain unnoticed until it is actually too late.
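From the defender's side, the gap described above shows up directly in firewall deny logs. The following is an added example, not part of the original text: the log records, the documentation-range addresses and the `scanners` function are constructed for illustration, and it compares a short detection window with a long one over the same log.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed deny-log records: (epoch_seconds, source_ip, dest_port)."""
    log = []
    for i in range(20):            # noisy source: 20 ports in 20 seconds
        log.append((1000 + i, "192.0.2.10", 20 + i))
    for i in range(12):            # slow source: one new port every 10 minutes
        log.append((1000 + i * 600, "198.51.100.7", 250 + i))
    for i in range(30):            # ordinary client retrying one blocked port
        log.append((1000 + i * 5, "203.0.113.5", 445))
    return sorted(log)

def scanners(log, window, min_ports):
    """Sources that hit >= min_ports distinct ports inside any sliding
    window of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, port in log:
        by_src[src].append((ts, port))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        start = 0
        counts = defaultdict(int)  # port -> hits currently inside the window
        for ts, port in events:
            counts[port] += 1
            # Drop events that have aged out of the window.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_ports:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window:", sorted(scanners(log, 60, 10)))
    print("24 h window:", sorted(scanners(log, 86400, 10)))
```

Only the long window flags the slow source; the client that retries a single port is never flagged because the count is over distinct ports, not over packets.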

Route Tracing:

This is the more quiet and subtle way of finding firewalls on a network. You can use traceroute on Unix, or tracert.exe on Windows NT, to find each hop along the path to the target. On Linux, traceroute has the -I option, which performs traceroutes by sending simple ICMP packets as opposed to its default UDP packet technique. For those of you who don’t understand packets, look for my “Understanding And Using Packets” tutorial; it has a comprehensive list of packets and packeting techniques. When doing a traceroute you will see a host right before your target host; chances are this will be a firewall, but you won’t know this for sure until you do a little more fingerprinting on the target system or systems.

Another thing you will have to take into account is that I have found some firewalls on bigger networks, such as www.pixelmedia.com or www.dod.net, will not respond to TTL expired packets. Some routers and firewalls are set up not to return ICMP TTL expired packets for either ICMP or UDP probes. In this case you will have to try other techniques to find out more specifics on the target firewall or router; this can mean spending longer on the target system than planned. One thing you will always want to remember is to take your time, because once on a target system you, the attacker, have gained unauthorized access, which in the United States is a federal offence that will often mean jail time. So it is key to map your moves precisely and always cover your tracks. You can never be too safe when it comes to keeping your identity unknown to the public.

Banner Grabbing:

Port scanning for firewall ports is helpful when it comes to locating firewall information. But unfortunately most firewalls in use today do not listen on default ports the way Microsoft’s do. I would recommend reading a text file on connecting to a host with telnet to read its banners, or downloading a port scanner that will read the target banners for you, such as 7th Sphere port scanner. Also take into consideration that many popular firewalls will announce their presence when you simply connect to them. So telnetting to the firewall port will often give you the type of firewall running and its version information. All this is information you will be able to use to search for exploits on the target. You can also use netcat on port 21, the default File Transfer Protocol (FTP) port:

C:\>nc -v -n 208.179.244.10 21

(UNKNOWN) [208.179.244.10] 21 (?) open

220 Secure Gateway FTP server ready.
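An administrator can run the same kind of greeting through a check before an outsider reads it. The following is an added example, not part of the original text: `DISCLOSURE_WORDS`, `parse_greeting`, `audit_banner` and the "ExampleFW" banner in the usage note are assumptions made for illustration. It parses an FTP/SMTP-style reply, including multi-line `NNN-` continuations, and reports what the text gives away.

```python
import re

# Words the administrator does not want in a greeting. This list is an
# assumption for the example; replace it with your own product names.
DISCLOSURE_WORDS = {"gateway", "firewall", "proxy"}
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")      # 1.2, 4.1.2, ...
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")      # 'NNN text' or 'NNN-text'

def parse_greeting(raw):
    """Return (code, text) for a reply; 'NNN-' continues, 'NNN ' ends it."""
    code, parts = None, []
    for line in raw.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            if code is not None:
                parts.append(line.strip())   # bare continuation line
            continue                         # else: noise before the reply
        if code is None:
            code = m.group(1)
        parts.append(m.group(3).strip())
        if m.group(2) == " " and m.group(1) == code:
            break                            # final line of the reply
    return code, " ".join(p for p in parts if p)

def audit_banner(raw):
    """List what a service greeting reveals about the device behind it."""
    code, text = parse_greeting(raw)
    if code is None:
        return ["no reply code found"]
    findings = []
    words = set(re.findall(r"[a-z]+", text.lower()))
    for word in sorted(words & DISCLOSURE_WORDS):
        findings.append(f"names device role: {word}")
    for version in VERSION_RE.findall(text):
        findings.append(f"exposes version: {version}")
    return findings

if __name__ == "__main__":
    # Output captured in the session above, status line included.
    session = "(UNKNOWN) [208.179.244.10] 21 (?) open\n\n220 Secure Gateway FTP server ready."
    print(audit_banner(session))
```

A constructed multi-line greeting such as `220-ExampleFW FTP proxy 4.1.2` followed by `220 ready` is reported for both the role word and the version, while a neutral `220 Service ready.` produces no findings.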

Conclusion:

Within this text file I have talked about the basic methods of finding out what types of firewalls a target host is running. I would also recommend downloading a “port list” off the net; you can simply go to www.google.com and type in “Port Listings” or “Firewall Port Listings” and you will be amazed with the returned data. There are more advanced techniques for finding out what type of firewall a target is running, but nine times out of ten the techniques within this document will turn up the vulnerable information needed to begin your attack on the target. I would also recommend, if you’re reading this, not to go out and try to attack www.microsoft.com or bigger sites like it. One, you will get your ass arrested, and two, you will need a lot more information than just a simple text file. Attacking bigger networks is fun, yes, but start off small and build up your knowledge of systems and the applications running on them before you go and try to compromise a 250-computer network. If you have any questions you can find me on the mIRC channels listed below.

MIRC - irc.dal.net #Antilamer, #cctc, #h4ckerz, #crystalz, #hackalot, #Hackfest, #Hack-i, #Hacku

E.Mail - gbrooks@mcintoshstudent.com

AOL IM: Myst1kal One

Other Documents I Have Written:

In depth Guide Too Hacking Windows Using NetBIOS – February 7, 2003

A complete users guide to port scanning – February 06, 2003

A Quick Unix Command Guide – January 30, 2003

A Definitive Trojan Port Listing – January 30, 2003

Basics On How To Identify A Firewall – January 23, 2003

The Common Gateway Interface (CGI) – November 28, 2002

Microsoft IIS Unicode Exploit Explained - November 13, 2002
