Firewalk Attack
5/13/2018 FireWalk Attack - slidepdf.com
http://slidepdf.com/reader/full/firewalk-attack 1/26
© 1998-1999 Mike D. Schiffman

Synopsis
- Introduction
- Overview
- Impetus
- Internals
- Implementation
- Risk mitigation
- Futures

Introduction
Firewalking:
"Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device."

Terminology
- ACL
- router/gateway
- firewall

Slightly more detail
- Map 'pass-through' ports
- Determine gateway ACLs
- Map hosts behind filtering gateways

Importance
- Network reconnaissance
- Network mapping
- Security auditing

Base concepts
- Traceroute
  - Network discovery tool
  - UDP packets
- IP TTL
  - Monotonic increments

Sample network (diagram)
Labels: source; deutch, mccone, tenet, gates, turner, webster, dulles, helms; destination; colby, casey, bush, kerr.

Sample traceroute (diagram)
Same sample network, with the IP TTL of successive probes shown as 1 2 3 4 5 along the path from source towards destination.

Info recon using traceroute
- Protocol subterfuge
- Nascent port seeding
- View hosts behind a firewall

Protocol subterfuge
zuul:~>traceroute 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 0.540 ms 0.394 ms 0.397
 2 10.0.0.2 (10.0.0.2) 2.455 ms 2.479 ms 2.512
 3 10.0.0.3 (10.0.0.3) 4.812 ms 4.780 ms 4.747
 4 10.0.0.4 (10.0.0.4) 5.010 ms 4.903 ms 4.980
 5 10.0.0.5 (10.0.0.5) 5.520 ms 5.809 ms 6.061
 6 10.0.0.6 (10.0.0.6) 9.584 ms 21.754 ms 20.5
 7 10.0.0.7 (10.0.0.7) 89.889 ms 79.719 ms 85.
 8 10.0.0.8 (10.0.0.8) 92.605 ms 80.361 ms 94.
 9 * * *
10 * * *

zuul:~>traceroute -I 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 0.540 ms 0.394 ms 0.397 ms
 2 10.0.0.2 (10.0.0.2) 2.455 ms 2.479 ms 2.512 ms
 3 10.0.0.3 (10.0.0.3) 4.812 ms 4.780 ms 4.747 ms
 4 10.0.0.4 (10.0.0.4) 5.010 ms 4.903 ms 4.980 ms
 5 10.0.0.5 (10.0.0.5) 5.520 ms 5.809 ms 6.061 ms
 6 10.0.0.6 (10.0.0.6) 9.584 ms 21.754 ms 20.530 ms
 7 10.0.0.7 (10.0.0.7) 89.889 ms 79.719 ms 85.918 ms
 8 10.0.0.8 (10.0.0.8) 92.605 ms 80.361 ms 94.336 ms
 9 10.0.0.9 (10.0.0.9) 94.127 ms 81.764 ms 96.476 ms
10 10.0.0.10 (10.0.0.10) 96.012 ms 98.224 ms 99.312 ms

Nascent port seeding 1
zuul:~>traceroute 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 0.540 ms 0.394 ms 0.397 ms
 2 10.0.0.2 (10.0.0.2) 2.455 ms 2.479 ms 2.512 ms
 3 10.0.0.3 (10.0.0.3) 4.812 ms 4.780 ms 4.747 ms
 4 10.0.0.4 (10.0.0.4) 5.010 ms 4.903 ms 4.980 ms
 5 10.0.0.5 (10.0.0.5) 5.520 ms 5.809 ms 6.061 ms
 6 10.0.0.6 (10.0.0.6) 9.584 ms 21.754 ms 20.530 ms
 7 10.0.0.7 (10.0.0.7) 89.889 ms 79.719 ms 85.918 ms
 8 10.0.0.8 (10.0.0.8) 92.605 ms 80.361 ms 94.336 ms
 9 * * *
10 * * *

p0 = (p - (hops * probes)) - 1 = (53 - (8 * 3)) - 1 = 28

Here p is the port the gateway is expected to pass (53), hops is the number of hops that answered before the silent one (8) and probes is the number of probes per hop (3). Traceroute adds one to the destination port for every probe it sends, so a starting port of p0 = 28 puts the first probe for hop 9 on port 53.

Nascent port seeding 2
zuul:~>traceroute -p28 10.0.0.10
traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 0.501 ms 0.399 ms 0.395 ms
 2 10.0.0.2 (10.0.0.2) 2.433 ms 2.940 ms 2.481 ms
 3 10.0.0.3 (10.0.0.3) 4.790 ms 4.830 ms 4.885 ms
 4 10.0.0.4 (10.0.0.4) 5.196 ms 5.127 ms 4.733 ms
 5 10.0.0.5 (10.0.0.5) 5.650 ms 5.551 ms 6.165 ms
 6 10.0.0.6 (10.0.0.6) 7.820 ms 20.554 ms 19.525 ms
 7 10.0.0.7 (10.0.0.7) 88.552 ms 90.006 ms 93.447 ms
 8 10.0.0.8 (10.0.0.8) 92.009 ms 94.855 ms 88.122 ms
 9 10.0.0.9 (10.0.0.9) 101.163 ms * *
10 * * *
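The two traceroute tricks on the preceding slides (the -I protocol switch and the -p port seed) come down to one rule: a probe passes the gateway only if it is addressed to something the gateway's ACL permits. The following model, added here and not Schiffman's or traceroute's code, reproduces the three listings against a constructed gateway at hop 9 that passes only UDP/53 and ICMP echo. The per-probe port rule of classic BSD traceroute (one added to the destination port for every probe sent, starting from a base of 33434) and the gateway's behaviour of silently dropping denied probes are stated as assumptions in the comments.

```python
"""Model of protocol subterfuge (-I) and nascent port seeding (-p) against a
filtering gateway.  Added example, not the slides' or traceroute's code; the
gateway position, its ACL and the port-per-probe rule are assumptions."""

from dataclasses import dataclass, field

TRACEROUTE_DEFAULT_PORT = 33434   # classic base port (32768 + 666), assumption
NPROBES = 3                       # probes sent per hop


@dataclass
class Gateway:
    """A filtering hop: `allow` holds ("udp", port) pairs and/or ("icmp", "echo")."""
    hop: int
    allow: set = field(default_factory=set)

    def permits(self, proto, port):
        if proto == "icmp":
            return ("icmp", "echo") in self.allow
        return (proto, port) in self.allow


def probe_port(base_port, hop, probe_index, nprobes=NPROBES):
    """Destination port of probe number `probe_index` (0-based) sent for `hop`.
    Classic traceroute adds one to the port for every probe it sends, so the
    first probe for hop h goes to base + (h - 1) * nprobes + 1 (assumption)."""
    return base_port + (hop - 1) * nprobes + probe_index + 1


def seed_port(target_port, last_answering_hop, nprobes=NPROBES):
    """The slide's formula p0 = (p - (hops * probes)) - 1, with hops being the
    number of hops that answered in front of the silent gateway.  Starting at
    p0 makes the first probe for the next hop land exactly on target_port."""
    return (target_port - last_answering_hop * nprobes) - 1


def traceroute(gateway, dest_hop, proto="udp", base_port=TRACEROUTE_DEFAULT_PORT,
               nprobes=NPROBES):
    """Return {hop: number of probes answered}.  Hops in front of the gateway
    always answer with ICMP time exceeded; from the gateway on, only probes its
    ACL permits draw an answer, which is the '* * *' pattern on the slides."""
    replies = {}
    for hop in range(1, dest_hop + 1):
        count = 0
        for i in range(nprobes):
            port = None if proto == "icmp" else probe_port(base_port, hop, i, nprobes)
            if hop < gateway.hop or gateway.permits(proto, port):
                count += 1
        replies[hop] = count
    return replies


if __name__ == "__main__":
    # Constructed gateway at hop 9 that passes only DNS and ICMP echo.
    gw = Gateway(hop=9, allow={("udp", 53), ("icmp", "echo")})
    print("default:", traceroute(gw, 10))            # hops 9 and 10 silent
    print("-I     :", traceroute(gw, 10, proto="icmp"))  # every hop answers
    p0 = seed_port(53, last_answering_hop=8)           # 28, as on the slide
    print(f"-p{p0}   :", traceroute(gw, 10, base_port=p0))  # hop 9: one answer
```

With the seed the first probe for hop 9 is the only one on port 53; the second and third probes for hop 9 and all three for hop 10 are on 54 to 58 and are dropped, which is exactly the `101.163 ms * *` then `* * *` shape of the -p28 listing.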

Logical progression
- Traceroute works at the IP layer
- Any protocol on top of IP can be used
- Prohibitive filter on a gateway
  - Causes probes to be dropped
- We can determine the last host that responded
- Different protocols
- 'Waypoint' host

Firewalking basics 1
Firewalking requires 3 hosts:
- The firewalking host
- The gateway host
  - The 'waypoint' host from above
- The destination host
  - The host that sends the terminal packet in a traceroute scan
  - Must be 'behind' the gateway host
  - Used to direct the scan, never contacted

Firewalking basics 2
- A packet is sent to (towards) the destination host
- A timer is set
- If we get a response before the timer expires, the port is open
- If we do not, the port is probably closed
- Repeat for all interesting ports/protocols

Firewalk internals 1
2 phases:
- Network discovery phase
- Scanning phase

Network discovery phase:
- Required to get the correct TTL
- 'TTL ramping' a la traceroute towards the destination host
  - This host is never contacted
- When the gateway hop count is determined, the scan is 'bound'

Firewalk internals 2
Scanning phase:
- Send a packet towards the destination
  - Packet is set to expire 1 hop (by default) past the gateway
- Set a timer and listen for a response
  - If a response is received before the timer expires, the protocol in question is allowed through
  - If not, it is probably denied by the gateway (maybe)

Firewalking diagram
Labels: firewalking host, Internet, packet filter, router, destination host; hop 0, hop n, hop n + m (m > 1).

Sample firewalk: phase 1 (diagram)
Labels: source; turner, helms; destination; casey, bush; IP TTL 1 2 3. The full sample network (deutch, mccone, tenet, gates, turner, webster, dulles, helms, colby, casey, bush, kerr) is shown alongside.

Sample firewalk: phase 2 (diagram)
Labels: source; turner, helms; destination; casey, bush; IP TTL: bound at 3 hops. Probes: UDP/53, UDP/137, TCP/23, UDP/161, TCP/25.

Nothing is ever as simple as it seems
False negative scenario (diagram)
Labels: firewalking host, Internet, packet filter, packet filter, destination host; hop 0, hop n, hop n + m (m > 1). A second packet filter sits in front of the target filter: packets are dropped here instead of at the target filter further down.

False negative circumvention
'Slow walk':
- Firewalk each hop en route to the target
- If a probe is shown to be filtered on an intermediate gateway, that protocol/port cannot be scanned any further on that route
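The internals slides, the false-negative diagram and the slow walk describe one procedure with one failure mode, and it is easiest to see them together in a small model. The code below is an added example, not firewalk's own code: hops, ACLs, probe lists and the choice of ICMP echo as the phase-1 ramping probe are constructed assumptions. `bind` is the network discovery phase (TTL ramping until the named gateway is the hop that answers), `firewalk` is the scanning phase with the probe set to expire one hop past the bound gateway, `slow_walk` walks each probe out one hop at a time, and the `block_egress_ttl_expired` flag on a hop models the risk-mitigation slide's advice to block egress ICMP "TTL expired in transit" messages. In this model a filter applies its ACL on ingress, before the TTL check, which is the behaviour the silent hop 9 in the earlier traceroute listings shows.

```python
"""Model of a firewalk scan: TTL ramping, scanning one hop past the gateway,
the upstream-filter false negative, the slow walk, and the egress ICMP block.
Added example, not firewalk's code; topologies and probes are constructed."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Hop:
    name: str
    acl: Optional[set] = None               # None: plain router, forwards anything
    block_egress_ttl_expired: bool = False  # mitigation: eat ICMP time-exceeded going out

    def permits(self, probe):
        """probe is a (proto, port-or-type) tuple; the ACL is applied on ingress."""
        return self.acl is None or probe in self.acl


def send(path, ttl, probe):
    """Send one probe with the given TTL along `path` (path[0] is hop 1).  Returns
    the name of the hop whose 'TTL expired in transit' message reaches the
    firewalking host, or None if the probe or the reply was dropped.  Callers
    keep ttl <= len(path), so the destination itself is never contacted."""
    assert 1 <= ttl <= len(path), "probe must expire before the destination"
    for i, hop in enumerate(path, start=1):
        if not hop.permits(probe):
            return None                                 # dropped here, silently
        if i == ttl:
            # the reply travels back through the hops in front of this one
            if any(h.block_egress_ttl_expired for h in path[:i - 1]):
                return None
            return hop.name
    return None


def bind(path, gateway, ramp_probe=("icmp", "echo")):
    """Phase 1, TTL ramping: the TTL at which the named gateway answers."""
    for ttl in range(1, len(path) + 1):
        if send(path, ttl, ramp_probe) == gateway:
            return ttl
    return None


def firewalk(path, gateway, probes, ramp_probe=("icmp", "echo")):
    """Phase 2: expire each probe one hop past the gateway.  A reply means the
    gateway passed it; silence is reported as 'filtered', which is only
    probably right (the slide's 'maybe')."""
    bound = bind(path, gateway, ramp_probe)
    if bound is None or bound >= len(path):
        return None                                     # cannot bind the scan
    return {p: ("open" if send(path, bound + 1, p) else "filtered") for p in probes}


def slow_walk(path, probes):
    """False-negative circumvention: walk each probe out one hop at a time.  The
    first hop that swallows it is where that protocol/port is filtered on this
    route, and the probe is not scanned any further."""
    verdict = {p: "open" for p in probes}
    pending = list(probes)
    for ttl in range(1, len(path) + 1):
        for p in list(pending):
            if send(path, ttl, p) is None:
                verdict[p] = f"filtered at {path[ttl - 1].name}"
                pending.remove(p)
    return verdict


# Constructed topologies.  Every filter passes ICMP echo so phase 1 can ramp.
DNS, SMTP, TELNET, ECHO = ("udp", 53), ("tcp", 25), ("tcp", 23), ("icmp", "echo")
SIMPLE = [Hop("r1"), Hop("fw", {DNS, SMTP, ECHO}), Hop("r2")]
UPSTREAM = [Hop("r1"), Hop("fw1", {DNS, ECHO}), Hop("r2"),
            Hop("fw2", {DNS, SMTP, ECHO}), Hop("r3")]
MITIGATED = [Hop("r1"), Hop("fw", {DNS, SMTP, ECHO}, block_egress_ttl_expired=True),
             Hop("r2")]

if __name__ == "__main__":
    print(firewalk(SIMPLE, "fw", [DNS, TELNET, SMTP]))  # telnet filtered, rest open
    print(firewalk(UPSTREAM, "fw2", [SMTP]))            # 'filtered': false negative, fw1 ate it
    print(slow_walk(UPSTREAM, [DNS, SMTP]))             # SMTP 'filtered at fw1'
    print(firewalk(MITIGATED, "fw", [DNS, SMTP]))       # everything looks filtered
```

The `UPSTREAM` case is the diagram on the previous slide: `fw2` would pass SMTP, but the probe never gets there because `fw1` drops it, so a scan bound at `fw2` reports a false negative; the slow walk pins the drop on `fw1` instead. The `MITIGATED` case shows why the egress block works: the scan still binds (the gateway's own reply is not affected), but every reply from behind the gateway is discarded on the way out, so the scanning phase learns nothing.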

Risk mitigation
- Block egress ICMP TTL expired in transit messages
- NAT or proxy servers can remove the threat of firewalking
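Two things a gateway operator can check on their own logs follow from the slides: scanning-phase probes are built to expire one hop past the gateway, so they arrive at the gateway with a remaining TTL of 2 (ordinary Internet traffic arrives with a TTL in the dozens), and they are spread over many protocol/port pairs from one source; and if the egress block is in place, no ICMP type 11 message from the inside should be seen leaving. The detector below is an added example, not from the slides; it reads iptables-style `KEY=VALUE` log text, which is an assumption, and the log lines, addresses and the inside prefix are constructed. The probe list matches the phase-2 sample scan (UDP/53, UDP/137, TCP/23, UDP/161, TCP/25).

```python
"""Detection for a firewalk-shaped scan in gateway logs: many low-TTL probes from
one source across protocol/port pairs, plus a check that ICMP 'time exceeded'
is not leaving the protected side.  Added example; the iptables-style KEY=VALUE
format is an assumption and every log line below is constructed."""

import re
from collections import defaultdict

TOKEN = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Turn 'IN=eth0 SRC=... TTL=2' into a dict of the KEY=VALUE fields."""
    return dict(TOKEN.findall(line))


def low_ttl_sweeps(lines, max_ttl=2, min_targets=4):
    """Return {src: sorted (proto, dport) list} for sources that sent probes with
    remaining TTL <= max_ttl to at least min_targets distinct protocol/port pairs.
    A probe set to expire one hop past this gateway arrives here with TTL 2."""
    seen = defaultdict(set)
    for line in lines:
        f = parse(line)
        if "SRC" not in f or "TTL" not in f:
            continue
        if int(f["TTL"]) > max_ttl:
            continue
        seen[f["SRC"]].add((f.get("PROTO", "-"), f.get("DPT", f.get("TYPE", "-"))))
    return {src: sorted(keys) for src, keys in seen.items() if len(keys) >= min_targets}


def time_exceeded_leaving(lines, inside_prefix="10.0.0."):
    """Count ICMP type 11 (time exceeded) messages that originate inside the
    protected network and are headed out; with egress blocking this is 0."""
    count = 0
    for line in lines:
        f = parse(line)
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "11" \
                and f.get("SRC", "").startswith(inside_prefix) \
                and not f.get("DST", "").startswith(inside_prefix):
            count += 1
    return count


# Constructed log: one low-TTL sweep over the slide's five probes, two normal
# connections from another host, and one time-exceeded reply escaping from inside.
LOG = [
    "IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.10 PROTO=UDP DPT=53 TTL=2",
    "IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.10 PROTO=UDP DPT=137 TTL=2",
    "IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.10 PROTO=TCP DPT=23 TTL=2",
    "IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.10 PROTO=UDP DPT=161 TTL=2",
    "IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.10 PROTO=TCP DPT=25 TTL=2",
    "IN=eth0 OUT=eth1 SRC=198.51.100.3 DST=10.0.0.10 PROTO=TCP DPT=25 TTL=54",
    "IN=eth0 OUT=eth1 SRC=198.51.100.3 DST=10.0.0.10 PROTO=TCP DPT=443 TTL=54",
    "IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.7 PROTO=ICMP TYPE=11 CODE=0",
]

if __name__ == "__main__":
    print("low-TTL sweeps:", low_ttl_sweeps(LOG))       # 203.0.113.7, five pairs
    print("time exceeded leaving:", time_exceeded_leaving(LOG))  # 1, block not in place
```

The TTL threshold is the interesting design choice: the default of 2 matches a scan bound exactly at this gateway, but a scanner can expire the probe further in, so a deployment that raises `max_ttl` to a small number (and keeps the distinct-pair requirement) trades a few more false positives for coverage of that variant.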

Futures
- More protocols to scan with
- More intelligence on the part of the scan
  - Make the program understand different packet types and what types of terminal packets it might get
- Efficiency
- Portability
- A better, more stable GUI

Web resources
http://www.packetfactory.net
- firewalk
- tracerx
- libnet
[email protected] (infonexus.com)