
| Subject: | Re: Bypassing Firewalls |
|---|---|
| Date: | Thu, 26 May 2005 23:39:04 -0600 |
Do not forget about SQL Injection and so forth. Check out this site: http://www.spidynamics.com/support/whitepapers/index.html These guys did some great demos at DallasCon. On 5/16/05, greyhat <oliver@greyhat.de> wrote:
hi, here some quick & dirty ideas from me: there are several tricks to "bypass" a firewall. Some of them are not working anymore, or only working on special kinds of FWs, and some of them are due to configuration mistakes.

a) Source-Port Attack
Example: for active FTP, it is necessary to have a rule allowing incoming traffic from source port 20 to a high destination port of the internal system. Some packet filters are configured to have a rule like: "IP:External/SrcPort:20 -> IP:Internal/DestPort >1024 - Allow". In this case, an attacker can establish TCP connections to all ports > 1024 on internal systems, if he sets the src-port to 20. Check this with "nmap -sS -g 20 <IP>". Checkpoint had some similar thing with its "implied rules" for the protocols DNS and ICMP.

b) Fragmentation
There was also e.g. a bug in some packet filters, with overwriting the destination port with overlapping fragments, to make the following IP fragments pass the firewall. Because only the first packet in a fragmented stream contains the TCP header, the firewall accepted each following packet that has the same IP ID as the first one. There are some different fragmentation attacks, so just use Google to find some others.

c) Passive FTP Bug
Another bug in some firewalls was to enforce a special error message within the FTP PASSV handshake, to make the firewall open a specified port for the data channel. The trick was to enforce an error message that is too long to fit into one IP packet, and therefore will be split into two packets. E.g. sending the command [some-garbageXXXXPASSV 10,0,0,0,0,22] to the FTP server should give a server response like [500 Command not understood:some-garbageXXXX][PASSV 10,0,0,0,0,22]. The firewall will now open port 22 for the IP 10.0.0.0, because the FW thinks this is the negotiated port for the data channel. AFAIK Dug Song wrote a small tool for this.

d) Proxy/Connect Vulnerability
On some proxy-based firewalls it is/was possible to connect to the external port and establish a connection into the internal network, using the HTTP CONNECT method, or simply using the firewall as a proxy. A simple test for the proxying vuln. is to set the external interface as the proxy for your browser and try to reach an internal system. AFAIK Checkpoint and Raptor had these bugs in the past.

e) Bypassing Traceroute Filters
Using TTL manipulation inside a TCP packet instead of ICMP or UDP enables "tracerouting" through the firewall, because most traceroute filters only block UDP/ICMP-based traceroute. The tool of your choice is hping2.

f) Tunneling
There are also many tunneling tricks. DNS, ICMP and HTTP tunneling are the most used protocols for tunneling. It is important to be RFC-compliant when using tunneling techniques.

ok, hope that helps you a little bit.

Regards,
Oliver Karow

----- Original Message -----
From: "Tarek Naja" <sectraq@gmail.com>
To: <firewalls@securityfocus.com>
Sent: Tuesday, March 15, 2005 4:05 AM
Subject: Bypassing Firewalls

hello, am considering bypassing firewalls as a topic for my MSc. project. If anyone can provide me with some detailed papers/resources about different techniques for bypassing all different kinds of FWs, the more technical the better. Your help is appreciated. Thank You!
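Editor's worked example for point a) of Oliver Karow's list (added here; not code from the thread or from any of the products it names). It models the over-broad active-FTP rule "IP:External/SrcPort:20 -> IP:Internal/DestPort >1024 - Allow" as a stateless predicate, runs the equivalent of "nmap -sS -g 20 <IP>" against it, and contrasts it with a stateful filter whose FTP ALG only opens the pinhole a client actually announced in a PORT command. The internal prefix 10.0.0., the hosts 10.0.0.5 and 203.0.113.7 and the PORT arguments are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumed internal network (constructed for the example)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True     # connection-opening segment, as a SYN scan sends
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """The over-broad active-FTP rule from the post:
    "IP:External/SrcPort:20 -> IP:Internal/DestPort >1024 - Allow".
    Each packet is judged on its own header fields only."""
    if is_internal(pkt.src):
        return True                       # outbound traffic is not filtered here
    if not is_internal(pkt.dst):
        return False
    return pkt.sport == 20 and pkt.dport > 1024


class StatefulFtpFilter:
    """Inbound src-port-20 SYNs are admitted only to a (client, port) pair that
    the FTP ALG saw announced in a PORT command from that very client."""

    def __init__(self) -> None:
        self._pinholes: set[tuple[str, int]] = set()

    def observe_port_command(self, client_ip: str, h1, h2, h3, h4, p1, p2) -> None:
        """Register the six numbers of 'PORT h1,h2,h3,h4,p1,p2' sent by client_ip."""
        ip = ".".join(map(str, (h1, h2, h3, h4)))
        if ip != client_ip:
            return                        # PORT naming a third host: ignore it
        self._pinholes.add((ip, p1 * 256 + p2))

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            return True
        if not is_internal(pkt.dst):
            return False
        if pkt.sport == 20 and pkt.syn and not pkt.ack:
            key = (pkt.dst, pkt.dport)
            if key in self._pinholes:
                self._pinholes.discard(key)   # one data connection per PORT
                return True
        return False


def scan_with_source_port(allow, attacker: str, target: str, sport: int, ports):
    """Mimic 'nmap -sS -g <sport> <target>': a SYN to every port from a fixed
    source port; return the ports the filter lets through."""
    return [p for p in ports if allow(Packet(attacker, sport, target, p))]


if __name__ == "__main__":
    probe = range(1, 65536)
    leaked = scan_with_source_port(stateless_allow, "203.0.113.7", "10.0.0.5", 20, probe)
    print(f"stateless rule exposes {len(leaked)} ports ({leaked[0]}..{leaked[-1]})")

    fw = StatefulFtpFilter()
    fw.observe_port_command("10.0.0.5", 10, 0, 0, 5, 11, 184)   # client announced 11*256+184 = 3000
    print("stateful filter exposes:",
          scan_with_source_port(fw.allow, "203.0.113.7", "10.0.0.5", 20, probe))
```

The stateful variant is also what makes the "-g 20" trick fail on any filter that tracks the FTP control channel: without a PORT command there is nothing to match, and after the one data connection the pinhole is gone again.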
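Editor's worked example for point b) (added here; not code from the thread). It simulates the weak filter the post describes, which inspects the TCP header only in the first fragment and then passes every later fragment carrying the same IP ID, and shows a second fragment with the same ID rewriting the destination port from 80 to 23 on a host whose reassembly lets later data overwrite earlier data. That "last wins" reassembly policy is an assumption of the example, as are the IP IDs and ports; it is the behaviour the trick depended on, and stacks have since hardened it. A filter that tracks delivered byte ranges per datagram and drops overlapping fragments is shown beside it.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ip_id: int
    offset: int       # fragment offset in 8-byte units, as in the IP header
    more: bool        # MF flag
    payload: bytes


def tcp_header(sport: int, dport: int, seq: int = 0, flags: int = 0x02) -> bytes:
    """Minimal 20-byte TCP header: data offset 5, SYN by default, checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def dport_of(segment: bytes) -> int:
    """The destination port lives in bytes 2-3 of the TCP header."""
    return struct.unpack("!H", segment[2:4])[0]


class FirstFragmentFilter:
    """The weak behaviour described in the post: judge the TCP header in the
    first fragment, then wave through every later fragment with the same IP ID."""

    def __init__(self, allowed_dports) -> None:
        self.allowed = set(allowed_dports)
        self.trusted_ids: set[int] = set()

    def allow(self, f: Fragment) -> bool:
        if f.ip_id in self.trusted_ids:
            return True                       # "following packet": not inspected
        if f.offset == 0 and len(f.payload) >= 4 and dport_of(f.payload) in self.allowed:
            self.trusted_ids.add(f.ip_id)
            return True
        return False


class NoOverlapFilter(FirstFragmentFilter):
    """Hardened variant: remember the byte ranges already delivered per IP ID
    and drop any fragment overlapping them, so nothing can rewrite the header
    the datagram was admitted on."""

    def __init__(self, allowed_dports) -> None:
        super().__init__(allowed_dports)
        self.seen: dict[int, list[tuple[int, int]]] = {}

    def allow(self, f: Fragment) -> bool:
        start, end = f.offset * 8, f.offset * 8 + len(f.payload)
        if any(start < e and s < end for s, e in self.seen.get(f.ip_id, [])):
            return False                      # overlapping fragment: drop
        if not super().allow(f):
            return False
        self.seen.setdefault(f.ip_id, []).append((start, end))
        return True


def reassemble_last_wins(frags) -> bytes:
    """Host reassembly in which a later fragment overwrites overlapping bytes
    (assumed policy, see lead-in)."""
    buf = bytearray()
    for f in frags:
        start = f.offset * 8
        buf.extend(b"\x00" * max(0, start + len(f.payload) - len(buf)))
        buf[start:start + len(f.payload)] = f.payload
    return bytes(buf)


def run_filter(fw, frags):
    """Return the fragments the filter lets through, in arrival order."""
    return [f for f in frags if fw.allow(f)]


def overwrite_attack(ip_id: int = 0x1234):
    """Constructed datagram: the first fragment is a SYN to port 80; the second,
    same IP ID and also offset 0, is a SYN to port 23. Non-last fragments must
    be a multiple of 8 bytes, hence the 4 bytes of padding after the header."""
    return [
        Fragment(ip_id, 0, True, tcp_header(40000, 80) + b"\x00" * 4),
        Fragment(ip_id, 0, False, tcp_header(40000, 23) + b"\x00" * 4),
    ]


def legit_request(ip_id: int = 0x4242):
    """Constructed benign datagram split into two non-overlapping fragments."""
    return [
        Fragment(ip_id, 0, True, tcp_header(40001, 80, flags=0x18) + b"\x00" * 4),
        Fragment(ip_id, 3, False, b"GET / HTTP/1.0\r\n\r\n"),
    ]


if __name__ == "__main__":
    weak = run_filter(FirstFragmentFilter([80]), overwrite_attack())
    print("weak filter passed", len(weak), "fragments; host sees dport",
          dport_of(reassemble_last_wins(weak)))
    strict = run_filter(NoOverlapFilter([80]), overwrite_attack())
    print("strict filter passed", len(strict), "fragment(s); host sees dport",
          dport_of(reassemble_last_wins(strict)))
    print("benign request through strict filter:",
          len(run_filter(NoOverlapFilter([80]), legit_request())))
```

The overlap check is the minimum; a filter that fully reassembles the datagram before applying its rules removes the class of problem rather than this one instance of it.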
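Editor's worked example for point c) (added here; not code from the thread and not Dug Song's tool). The post's bracketed [500 ...][PASSV ...] pair shows a server error being split so that the second packet starts with text the firewall mistakes for a passive-mode reply. The example models the same idea with a per-segment FTP ALG that matches a "227 (h1,h2,h3,h4,p1,p2)" reply at the start of each server-to-client segment, and a hardened ALG that reassembles the control stream and only acts on complete reply lines. The padded command, the MSS of 1460 and the fake reply naming 10.0.0.0 port 22 are constructed so that the split falls exactly where the fake text begins.

```python
from __future__ import annotations
import re

# A passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(
    r"227[ -].*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def _pinhole_from(m) -> tuple[str, int]:
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


class PerSegmentAlg:
    """Weak ALG: looks at each server->client TCP segment in isolation for a
    227 reply at the start of the segment. It cannot tell a real reply from
    the tail of an error message that TCP happened to split at that point."""

    def __init__(self) -> None:
        self.pinholes: list[tuple[str, int]] = []

    def on_server_segment(self, data: bytes) -> None:
        m = PASV_REPLY.match(data.decode("latin-1"))
        if m:
            self.pinholes.append(_pinhole_from(m))


class LineReassemblingAlg(PerSegmentAlg):
    """Hardened ALG: reassembles the control stream and acts only on complete
    CRLF-terminated reply lines, so the reply code is always read from the
    true start of a line."""

    def __init__(self) -> None:
        super().__init__()
        self.buf = b""

    def on_server_segment(self, data: bytes) -> None:
        self.buf += data
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            m = PASV_REPLY.match(line.decode("latin-1"))
            if m:
                self.pinholes.append(_pinhole_from(m))


def feed(alg, segments):
    """Push server segments through an ALG and return the pinholes it opened."""
    for seg in segments:
        alg.on_server_segment(seg)
    return alg.pinholes


def split_reply_attack(mss: int = 1460):
    """Constructed attacker traffic: the client sends a junk command padded so
    that the server's 500 echo of it fills exactly one mss-sized segment up to
    the point where the fake 227 text begins; the next segment starts with it."""
    head = "500 '"
    junk = "A" * (mss - len(head))
    reply = (head + junk + "227 (10,0,0,0,0,22)': command not understood\r\n").encode()
    return [reply[:mss], reply[mss:]]


def split_legit_reply():
    """Constructed genuine reply that TCP happened to split mid-line."""
    reply = b"227 Entering Passive Mode (10,0,0,5,4,1)\r\n"
    return [reply[:12], reply[12:]]


if __name__ == "__main__":
    print("per-segment ALG, forged split:", feed(PerSegmentAlg(), split_reply_attack()))
    print("line ALG, forged split:       ", feed(LineReassemblingAlg(), split_reply_attack()))
    print("per-segment ALG, real split:  ", feed(PerSegmentAlg(), split_legit_reply()))
    print("line ALG, real split:         ", feed(LineReassemblingAlg(), split_legit_reply()))
```

The second pair of runs is the other half of the argument: a per-segment parser does not merely open a pinhole it should not, it also misses a genuine reply that was split, so stream reassembly is required for correctness as well as for safety.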