Firewalk Attack

© 1998-1999 Mike D. Schiffman


5/13/2018 FireWalk Attack - slidepdf.com

http://slidepdf.com/reader/full/firewalk-attack 1/26

 



 

Synopsis

- Introduction
- Overview
- Impetus
- Internals
- Implementation
- Risk Mitigation
- Futures


 

Introduction

Firewalking:

"Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device."


 

Terminology

- ACL
- router/gateway
- firewall


 

Slightly more detail

- Map `pass-through` ports
- Determine gateway ACLs
- Map hosts behind filtering gateways


 

Importance

- Network reconnaissance
- Network mapping
- Security auditing


Base concepts

- Traceroute
  - Network discovery tool
  - UDP packets
  - IP TTL
  - Monotonic increments

 


Sample network

(Diagram) A source host, a destination host, and the hosts in between: deutch, mccone, tenet, gates, turner, webster, dulles, helms, colby, casey, bush and kerr.

 


Sample traceroute

(Diagram) The same sample network, with the probes labelled IP TTL 1, 2, 3, 4, 5 on successive hops along the path from source towards destination.

 


Info recon using traceroute

- Protocol subterfuge
- Nascent port seeding
- View hosts behind a firewall


Protocol subterfuge

zuul:~>traceroute 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 0.540 ms 0.394 ms 0.397 ms
 2 10.0.0.2 (10.0.0.2) 2.455 ms 2.479 ms 2.512 ms
 3 10.0.0.3 (10.0.0.3) 4.812 ms 4.780 ms 4.747 ms
 4 10.0.0.4 (10.0.0.4) 5.010 ms 4.903 ms 4.980 ms
 5 10.0.0.5 (10.0.0.5) 5.520 ms 5.809 ms 6.061 ms
 6 10.0.0.6 (10.0.0.6) 9.584 ms 21.754 ms 20.530 ms
 7 10.0.0.7 (10.0.0.7) 89.889 ms 79.719 ms 85.918 ms
 8 10.0.0.8 (10.0.0.8) 92.605 ms 80.361 ms 94.336 ms
 9 * * *
10 * * *

zuul:~>traceroute -I 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 0.540 ms 0.394 ms 0.397 ms
 2 10.0.0.2 (10.0.0.2) 2.455 ms 2.479 ms 2.512 ms
 3 10.0.0.3 (10.0.0.3) 4.812 ms 4.780 ms 4.747 ms
 4 10.0.0.4 (10.0.0.4) 5.010 ms 4.903 ms 4.980 ms
 5 10.0.0.5 (10.0.0.5) 5.520 ms 5.809 ms 6.061 ms
 6 10.0.0.6 (10.0.0.6) 9.584 ms 21.754 ms 20.530 ms
 7 10.0.0.7 (10.0.0.7) 89.889 ms 79.719 ms 85.918 ms
 8 10.0.0.8 (10.0.0.8) 92.605 ms 80.361 ms 94.336 ms
 9 10.0.0.9 (10.0.0.9) 94.127 ms 81.764 ms 96.476 ms
10 10.0.0.10 (10.0.0.10) 96.012 ms 98.224 ms 99.312 ms

 


Nascent port seeding 1

zuul:~>traceroute 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 0.540 ms 0.394 ms 0.397 ms
 2 10.0.0.2 (10.0.0.2) 2.455 ms 2.479 ms 2.512 ms
 3 10.0.0.3 (10.0.0.3) 4.812 ms 4.780 ms 4.747 ms
 4 10.0.0.4 (10.0.0.4) 5.010 ms 4.903 ms 4.980 ms
 5 10.0.0.5 (10.0.0.5) 5.520 ms 5.809 ms 6.061 ms
 6 10.0.0.6 (10.0.0.6) 9.584 ms 21.754 ms 20.530 ms
 7 10.0.0.7 (10.0.0.7) 89.889 ms 79.719 ms 85.918 ms
 8 10.0.0.8 (10.0.0.8) 92.605 ms 80.361 ms 94.336 ms
 9 * * *
10 * * *

p0 = (p - (hops * probes)) - 1
28 = (53 - (8 * 3)) - 1

Here p is the port of interest (53), hops is the number of hops that answered (8) and probes is the number of probes traceroute sends per hop (3). Traceroute raises the UDP destination port by one for every probe it sends, so starting at p0 = 28 makes the first probe that reaches hop 9 arrive on port 53.

 


Nascent port seeding 2

zuul:~>traceroute -p28 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 0.501 ms 0.399 ms 0.395 ms
 2 10.0.0.2 (10.0.0.2) 2.433 ms 2.940 ms 2.481 ms
 3 10.0.0.3 (10.0.0.3) 4.790 ms 4.830 ms 4.885 ms
 4 10.0.0.4 (10.0.0.4) 5.196 ms 5.127 ms 4.733 ms
 5 10.0.0.5 (10.0.0.5) 5.650 ms 5.551 ms 6.165 ms
 6 10.0.0.6 (10.0.0.6) 7.820 ms 20.554 ms 19.525 ms
 7 10.0.0.7 (10.0.0.7) 88.552 ms 90.006 ms 93.447 ms
 8 10.0.0.8 (10.0.0.8) 92.009 ms 94.855 ms 88.122 ms
 9 10.0.0.9 (10.0.0.9) 101.163 ms * *
10 * * *

 


Logical progression

- Traceroute works at the IP layer
  - Any protocol on top of IP can be used
- Prohibitive filter on a gateway
  - Causes probes to be dropped
- We can determine the last host that responded
  - Different protocols
  - 'Waypoint' host
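The three traceroute listings above are the raw material for the 'waypoint' idea: the last hop that still answers marks where a filter starts dropping a given protocol. The parser below, an added example rather than code from the slides or from the firewalk tool, reads that output and reports the last responder, the silent hops, and whether the destination was ever reached; it also handles a hop that answers only some of its probes, as hop 9 does in the -p28 run. The listings are the ones shown on the slides (the ICMP and -p28 runs cut down to their last three hops), and the destination address passed to summarize() is the one the slides trace to.

```python
"""Parse classic traceroute output and report where the probes stop answering.

Added example, not code from the slides or from the firewalk tool. It reads
the text traceroute prints and shows what a filtering gateway gives away when
ICMP Time Exceeded messages are allowed back out: the position of the last
hop that answered. The listings are the ones reproduced on the slides; the
ICMP and -p28 runs are cut down to their last three hops.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A hop line: "<ttl> <name> (<ip>) <rtt> ms <rtt> ms <rtt> ms", or "<ttl> * * *".
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"^(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")


@dataclass
class Hop:
    ttl: int
    addr: Optional[str]                    # None when every probe timed out
    rtts: List[float] = field(default_factory=list)
    timeouts: int = 0

    @property
    def answered(self) -> bool:
        return self.addr is not None


def parse_traceroute(text: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                       # the "traceroute to ..." header, or a blank line
        ttl, rest = int(m.group(1)), m.group(2)
        a = ADDR_RE.match(rest)
        hops.append(Hop(ttl=ttl,
                        addr=a.group(2) if a else None,
                        rtts=[float(x) for x in RTT_RE.findall(rest)],
                        timeouts=rest.count("*")))
    return hops


def summarize(text: str, destination: str) -> Dict[str, object]:
    """Where the trace stopped answering, and whether it reached the destination."""
    hops = parse_traceroute(text)
    answered = [h for h in hops if h.answered]
    last = max((h.ttl for h in answered), default=0)
    reached = any(h.addr == destination for h in hops)
    return {
        "last_responder": last,
        "reached": reached,
        "silent_hops": [h.ttl for h in hops if not h.answered],
        "partial_hops": [h.ttl for h in answered if h.timeouts],   # lost some probes
        # the slides' 'waypoint': the last host heard from on a trace that never finished
        "waypoint": None if reached else last,
    }


# Listings from the slides (UDP run complete, the other two shortened).
UDP_TRACE = """\
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 0.540 ms 0.394 ms 0.397 ms
 2 10.0.0.2 (10.0.0.2) 2.455 ms 2.479 ms 2.512 ms
 3 10.0.0.3 (10.0.0.3) 4.812 ms 4.780 ms 4.747 ms
 4 10.0.0.4 (10.0.0.4) 5.010 ms 4.903 ms 4.980 ms
 5 10.0.0.5 (10.0.0.5) 5.520 ms 5.809 ms 6.061 ms
 6 10.0.0.6 (10.0.0.6) 9.584 ms 21.754 ms 20.530 ms
 7 10.0.0.7 (10.0.0.7) 89.889 ms 79.719 ms 85.918 ms
 8 10.0.0.8 (10.0.0.8) 92.605 ms 80.361 ms 94.336 ms
 9 * * *
10 * * *
"""
ICMP_TRACE = """\
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 8 10.0.0.8 (10.0.0.8) 92.605 ms 80.361 ms 94.336 ms
 9 10.0.0.9 (10.0.0.9) 94.127 ms 81.764 ms 96.476 ms
10 10.0.0.10 (10.0.0.10) 96.012 ms 98.224 ms 99.312 ms
"""
SEEDED_TRACE = """\
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 8 10.0.0.8 (10.0.0.8) 92.009 ms 94.855 ms 88.122 ms
 9 10.0.0.9 (10.0.0.9) 101.163 ms * *
10 * * *
"""

if __name__ == "__main__":
    for label, trace in (("UDP", UDP_TRACE), ("ICMP", ICMP_TRACE), ("UDP -p28", SEEDED_TRACE)):
        print(f"{label:9s} {summarize(trace, '10.0.0.10')}")
```

Run on the UDP listing the summary reports hop 8 as the last responder and hops 9 and 10 as silent; on the ICMP listing it reports the destination reached and no waypoint, which is exactly the difference the 'protocol subterfuge' slide is pointing at.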

 


Firewalking basics 1

- Firewalking requires 3 hosts
- The firewalking host
- The gateway host
  - The waypoint host from above
- The destination host
  - The host that sends the terminal packet in a traceroute scan
  - Must be 'behind' the gateway host
  - Used to direct the scan, never contacted

 


Firewalking basics 2

- A packet is sent to (towards) the destination host
- A timer is set
- If we get a response before the timer expires, the port is open
- If we do not, the port is probably closed
- Repeat for all interesting ports/protocols

 


Firewalk internals 1

- 2 phases
  - Network discovery phase
  - Scanning phase
- Network discovery phase
  - Required to get the correct TTL
  - `TTL ramping` à la traceroute towards destination host
    - This host is never contacted
  - When gateway hopcount is determined, scan is `bound`.


Firewalk internals 2

- Scanning phase
- Send a packet towards destination
  - Packet is set to expire 1 hop (by default) past the gateway
- Set a timer and listen for response
  - If response is received before timer expires, protocol in question is allowed through
  - If not, it is probably denied by the gateway (maybe)
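The scanning phase has a shape the gateway itself can see: a probe built to expire one hop past the gateway arrives at the gateway with a TTL of about 2, and the scan sends such packets to many protocol/port pairs at one destination within a short burst. The detector below, an added example and not part of the slides or the firewalk tool, looks for that pattern in a packet filter's own logs. The log format, the timestamps and the addresses (RFC 5737 documentation ranges plus the 10.0.0.10 destination from the slides) are constructed for the example; parse_line() is the piece to adapt to a real filter's format.

```python
"""Flag firewalk-style probing in a packet filter's own logs.

Added example, not part of the slides or the firewalk tool. A firewalk probe
is built to expire one hop past the gateway, so it reaches the gateway with
a TTL of about 2, and a scan sends such packets to many protocol/port pairs
at one destination in a short burst. The detector below looks for that
pattern. The log format, timestamps and addresses are constructed for the
example; adapt parse_line() to your own filter's log format.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

LOW_TTL = 2          # arrival TTL of a probe set to expire one hop past this gateway
WINDOW_S = 60.0      # how close together the probes have to be
MIN_TARGETS = 4      # distinct protocol/port pairs before we alert

# Constructed sample: a burst from 203.0.113.5 at 10.0.0.10 using the ports
# from the 'phase 2' slide, an ordinary web client, and one plain traceroute
# probe (a single high UDP port) that happens to expire at this hop.
SAMPLE_LOG = """\
2018-05-13T10:00:00Z src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=443 ttl=58 action=accept
2018-05-13T10:00:01Z src=203.0.113.5 dst=10.0.0.10 proto=udp dport=53 ttl=2 action=accept
2018-05-13T10:00:01Z src=203.0.113.5 dst=10.0.0.10 proto=udp dport=137 ttl=2 action=drop
2018-05-13T10:00:02Z src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=23 ttl=2 action=drop
2018-05-13T10:00:02Z src=203.0.113.5 dst=10.0.0.10 proto=udp dport=161 ttl=2 action=drop
2018-05-13T10:00:03Z src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=25 ttl=2 action=accept
2018-05-13T10:00:04Z src=198.51.100.9 dst=10.0.0.10 proto=udp dport=33459 ttl=2 action=drop
2018-05-13T10:00:05Z src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=443 ttl=58 action=accept
"""

Event = Tuple[float, str, str]           # (timestamp, "proto/port", action)


def parse_line(line: str) -> Dict[str, object]:
    """'<ISO time> key=value ...' -> dict with a float 'ts' and int 'ttl'/'dport'."""
    stamp, *fields = line.split()
    ts = datetime.strptime(stamp.replace("Z", "+0000"), "%Y-%m-%dT%H:%M:%S%z").timestamp()
    rec: Dict[str, object] = {"ts": ts}
    for f in fields:
        key, _, value = f.partition("=")
        rec[key] = int(value) if key in ("ttl", "dport") else value
    return rec


def detect_firewalk(log: str) -> List[Dict[str, object]]:
    """One alert per (src, dst) pair that hit >= MIN_TARGETS targets with a low TTL inside WINDOW_S."""
    probes: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["ttl"] <= LOW_TTL:             # only packets about to expire are interesting
            probes[(r["src"], r["dst"])].append((r["ts"], f"{r['proto']}/{r['dport']}", r["action"]))

    alerts: List[Dict[str, object]] = []
    for (src, dst), events in probes.items():
        events.sort()
        best: List[Event] = []
        start = 0
        for end in range(len(events)):      # sliding window; keep the one with most targets
            while events[end][0] - events[start][0] > WINDOW_S:
                start += 1
            window = events[start:end + 1]
            if len({t for _, t, _ in window}) > len({t for _, t, _ in best}):
                best = window
        targets = sorted({t for _, t, _ in best})
        if len(targets) >= MIN_TARGETS:
            alerts.append({
                "src": src, "dst": dst, "targets": targets,
                # what the scanner learned: the probes this filter let through
                "passed_filter": sorted({t for _, t, a in best if a == "accept"}),
                "first": best[0][0], "last": best[-1][0],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_firewalk(SAMPLE_LOG):
        print(f"firewalk-like burst {alert['src']} -> {alert['dst']}: "
              f"{len(alert['targets'])} targets, passed: {alert['passed_filter']}")
```

The single low-TTL packet from 198.51.100.9 is what an ordinary traceroute leaves behind and stays below the threshold; the burst from 203.0.113.5 is reported together with the two probes the filter accepted, which is the information the scan walked away with. A plain port scan has a different signature (normal TTLs) and is not what this rule is for.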

 


Firewalking diagram

(Diagram) The firewalking host at hop 0, the Internet, a packet filter at hop n, a router, and the destination host at hop n + m (m > 1).

  


Sample firewalk: phase 1

(Diagram) The sample network again. Probes labelled IP TTL 1, 2, 3 ramp from the source past turner and helms; casey and bush are marked on the destination side. The remaining hosts (deutch, mccone, tenet, gates, webster, dulles, colby, kerr) are shown for context.

 


Sample firewalk: phase 2

(Diagram) The same path (source, turner, helms, casey, bush, destination), with the IP TTL bound at 3 hops. Probes sent past the gateway:

- UDP/53
- UDP/137
- TCP/23
- UDP/161
- TCP/25

 


Nothing is ever as simple as it seems

False negative scenario (diagram): the firewalking host at hop 0, the Internet, a packet filter, then the target packet filter at hop n, a router, and the destination host at hop n + m (m > 1). Packets are dropped at the earlier packet filter instead of the target filter further down.

 


False negative circumvention

- `Slow walk`
  - Firewalk each hop en route to the target
  - If a probe is shown to be filtered on an intermediate gateway, that protocol/port cannot be scanned any further on that route

 


Risk mitigation

- Block egress ICMP TTL expired in transit messages
- NAT or proxy servers can remove the threat of firewalking
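The mechanics spread over the 'Firewalk internals', 'Nothing is ever as simple as it seems' and 'Risk mitigation' slides fit in one small model, which is what the added example below is; it is not the firewalk tool's code and not from the slides. Each hop is a router that decrements the TTL and may carry a filter, and the hop at which the TTL reaches zero answers with ICMP Time Exceeded, which travels back through the earlier hops. The router names (r1, r2, gateway, r4), the gateway ACL and the hop counts are constructed; the probe list is the one from the 'phase 2' slide. Running it shows the scan reading the ACL exactly, the false negative caused by an upstream filter together with the slow-walk check that locates it, and that blocking egress Time Exceeded messages turns every probe into a timeout.

```python
"""Toy model of the firewalk exchange and of what the mitigation does to it.

Added example, not the firewalk tool's code and not from the slides. Every
hop is a router that decrements the TTL and may carry a filter; the hop at
which the TTL reaches zero answers with ICMP Time Exceeded, which travels
back through the earlier hops. Router names, the gateway ACL and the hop
counts are constructed; the probe list is the one from the 'phase 2' slide.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Target = Tuple[str, int]                         # (protocol, port)

TARGETS: List[Target] = [("udp", 53), ("udp", 137), ("tcp", 23), ("udp", 161), ("tcp", 25)]
GATEWAY_ACL: FrozenSet[Target] = frozenset({("udp", 53), ("tcp", 25)})   # constructed policy
DEFAULT_PROBE: Target = ("udp", 33434)           # traceroute's usual starting port


@dataclass
class Router:
    name: str
    allow: Optional[FrozenSet[Target]] = None    # None: no packet filter on this hop
    block_egress_ttl_exceeded: bool = False      # the slides' mitigation

    def forwards(self, target: Target) -> bool:
        return self.allow is None or target in self.allow


def send_probe(path: List[Router], ttl: int, target: Target) -> Optional[str]:
    """Name of the router whose Time Exceeded reached the scanner, or None for silence.

    path[0] is hop 1; the scanner is hop 0 and the destination host lies beyond
    the last router, so a bound scan never touches it.
    """
    for idx, router in enumerate(path):
        ttl -= 1
        if ttl == 0:
            # Expired here: this router answers with ICMP type 11. The reply
            # passes back through every earlier hop, any of which may drop it.
            if any(r.block_egress_ttl_exceeded for r in path[:idx]):
                return None
            return router.name
        if not router.forwards(target):
            return None                          # dropped by a filter: silence
    return None                                  # bound beyond the modelled path


def discover(path: List[Router], probe: Target = DEFAULT_PROBE) -> int:
    """Phase 1, TTL ramping: hop count of the last router that answered."""
    last = 0
    for ttl in range(1, len(path) + 1):
        if send_probe(path, ttl, probe) is None:
            break
        last = ttl
    return last


def firewalk(path: List[Router], gateway_hop: int, targets: List[Target]) -> Dict[Target, str]:
    """Phase 2: each probe expires one hop past the gateway; a reply means the
    gateway forwarded it, silence is read as 'probably filtered'."""
    return {t: "open" if send_probe(path, gateway_hop + 1, t) else "filtered?" for t in targets}


def slow_walk(path: List[Router], gateway_hop: int, target: Target) -> Optional[int]:
    """Firewalk every hop up to the gateway; first hop that swallows `target`, or None."""
    for hop in range(1, gateway_hop + 1):
        if send_probe(path, hop + 1, target) is None:
            return hop
    return None


def build_path(gateway_acl: FrozenSet[Target] = GATEWAY_ACL, block_icmp: bool = False,
               upstream_filter: Optional[FrozenSet[Target]] = None) -> List[Router]:
    """Scanner -> r1 -> r2 -> gateway (hop 3) -> r4 -> destination host."""
    return [Router("r1"), Router("r2", allow=upstream_filter),
            Router("gateway", allow=gateway_acl, block_egress_ttl_exceeded=block_icmp),
            Router("r4")]


if __name__ == "__main__":
    gw = discover(build_path())
    print("bound at", gw, "hops")
    print("plain gateway:      ", firewalk(build_path(), gw, TARGETS))
    print("egress ICMP blocked:", firewalk(build_path(block_icmp=True), gw, TARGETS))
    acl = GATEWAY_ACL | {("udp", 161)}
    upstream = frozenset(TARGETS) - {("udp", 161)}
    print("upstream filter:    ", firewalk(build_path(acl, upstream_filter=upstream), gw, TARGETS))
    print("slow walk udp/161 dropped at hop",
          slow_walk(build_path(acl, upstream_filter=upstream), gw, ("udp", 161)))
```

Against the plain gateway the phase-2 result matches the ACL entry for entry. With an upstream filter that drops UDP/161, the scan reports UDP/161 as filtered even though the gateway would forward it; slow_walk() attributes the drop to hop 2, which is the slide's point that the protocol cannot be scanned any further on that route. With egress Time Exceeded blocked at the gateway, every probe times out and the scan learns nothing about the ACL.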

 


Futures

- More protocols to scan with
- More intelligence on the part of the scan
  - Make the program understand different packet types and what types of terminal packets it might get
- Efficiency
- Portability
- A better, more stable GUI

 


Web resources

- http://www.packetfactory.net
  - firewalk
  - tracerx
  - libnet
- [email protected] (at infonexus.com)