Network Security Firewalls

Re: Bypassing Firewalls

Subject: Re: Bypassing Firewalls
Date: Mon, 16 May 2005 21:57:34 +0200
hi,

here some quick&dirty ideas from me:

there are several tricks to "bypass" a firewall. Some of them no longer work, or only work on special kinds of FWs, and some of them are due to configuration mistakes.

a) Source-Port-Attack

Example: for active FTP, it is necessary to have a rule allowing incoming traffic from source port 20 to a high destination port of the internal system.
Some packet filters are configured to have a rule like: "IP:External/SrcPort:20 -> IP:Internal/DestPort >1024 - Allow".
In this case, an attacker can establish TCP connections to all ports > 1024 on internal systems if he sets the src port to 20.
Check this with "nmap -sS -g 20 <IP>".


Checkpoint had something similar with its "implied rules" for the protocols DNS and ICMP.

b) Fragmentation

There was also, f.e., a bug in some packet filters where overlapping fragments overwrote the destination port, to make the following IP fragments pass the firewall.
Because only the first packet in a fragmented stream contains the TCP header, the firewall accepted each following packet that has the same IP ID as the first one.
There are several different fragmentation attacks, so just use Google to find some others.
</grreplace>
<gr_replace lines="43-48" cat="clarify" orig="Another bug in some">
Another bug in some firewalls was to force a special error message within the FTP PASV handshake, to make the firewall open a specified port
for the data channel. The trick was to force an error message that is too long to fit into one IP packet, and therefore will be split into two packets.
F.e. sending the command [some-garbageXXXXPASV 10,0,0,0,0,22] to the FTP server
should give a server response like [500 Command not understood:some-garbageXXXX][PASV 10,0,0,0,0,22].
The firewall will now open port 22 for the IP 10.0.0.0, because the FW thinks this is the negotiated port for the data channel.
AFAIK Dug Song wrote a small tool for this.


c) Passive FTP-Bug

Another bug in some firewalls was to enforce a special error message within the ftp PASSV handshake, to make the firewall opening a specified port
for the data channel. The trick was to enforce an error message that is to long to fit into one ip-packet, and therefore will be split into two packets.
F.e. sending the command to the ftp-server [some-garbageXXXXPASSV 10,0,0,0,0,22]
should give an server response like [500 Command not understood:some-garbageXXXX][PASSV 10,0,0,0,0,22]
The firewall will now open the port 22 for the ip 10.0.0.0, because the fw thinks this is the negotiated port for the data-channel.
AFAIK Dug Song wrote a small tool for this.


d) Proxy/Connect-Vulnerability

On some proxy-based firewalls it is/was possible to connect to the external port and establish a connection into the internal network, using the HTTP CONNECT method, or
simply using the firewall as a proxy. A simple test for the proxying vuln. is to set the external interface as the proxy for your browser and try to reach an internal system. AFAIK Checkpoint and Raptor had these
bugs in the past.


e) Bypassing Traceroute filter

Using TTL manipulation inside a TCP packet instead of ICMP or UDP enables "tracerouting" through the firewall, because most traceroute filters only block UDP/ICMP-based traceroute.
The tool of your choice is hping2.


f) Tunneling

There are also many tunneling tricks. DNS, ICMP and HTTP tunneling are the most used protocols for tunneling. It is important to be RFC-compliant when using tunneling techniques.


ok, hope that helps you a little bit.

Regards,

Oliver Karow
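The source-port trick in (a) comes down to a rule that trusts a header field the client controls. The following is an added example (not from the mail or any product) that models that static rule next to a stateful FTP-aware filter which only admits a port-20 data connection that a preceding PORT command announced. The `Packet` class, the `FtpAwareFilter` class, and the sample addresses are all constructed for illustration.

```python
# Added example: the weak static rule from section (a) beside a stateful check.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Inbound TCP SYN as the firewall sees it (constructed model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


INTERNAL_NET = "10.1.1."  # constructed sample internal prefix


def static_rule_allows(pkt: Packet) -> bool:
    """The rule quoted in the mail: External/SrcPort 20 -> Internal/DstPort >1024 - Allow.
    Anything with src port 20 reaches any high port, whether or not FTP is involved."""
    return (pkt.src_port == 20
            and pkt.dst_ip.startswith(INTERNAL_NET)
            and pkt.dst_port > 1024)


class FtpAwareFilter:
    """Admits a port-20 data connection only if the client announced it via PORT."""

    def __init__(self) -> None:
        self.expected: set = set()  # (server_ip, client_ip, client_port)

    def note_port_command(self, client_ip: str, server_ip: str, port_arg: str) -> None:
        """Parse the 'h1,h2,h3,h4,p1,p2' argument of an outbound PORT command."""
        parts = [int(x) for x in port_arg.split(",")]
        if len(parts) != 6 or any(not 0 <= x <= 255 for x in parts):
            raise ValueError("malformed PORT argument")
        ip = ".".join(str(x) for x in parts[:4])
        port = parts[4] * 256 + parts[5]
        if ip != client_ip:
            raise ValueError("PORT address does not match the client address")
        self.expected.add((server_ip, client_ip, port))

    def allows(self, pkt: Packet) -> bool:
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if pkt.src_port == 20 and key in self.expected:
            self.expected.discard(key)  # one data connection per PORT command
            return True
        return False
```

Running the same port-20 probe against both filters shows the static rule admitting it and the stateful one dropping it unless a matching PORT command was seen first.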




----- Original Message ----- From: "Tarek Naja" <sectraq@gmail.com>
To: <firewalls@securityfocus.com>
Sent: Tuesday, March 15, 2005 4:05 AM
Subject: Bypassing Firewalls





hello,
am considering bypassing firewalls as a topic for my MSc. project. If anyone can provide me with some detailed papers/resources about different techniques for bypassing all different kinds of FWs, the more technical the better. Your help is appreciated.
Thank You!




