Question

Explain the security risks of Firewalk penetration testing in relationship to firewalls.

Answer #1

Hey,

Note: Brother, if you have any queries related to the answer, please do comment. I would be very happy to resolve all your queries.

Firewall penetration testing is the process of locating, investigating and penetrating a certain firewall in order to reach the internal trusted network of a certain system. Mostly considered to be a key part in external network penetration testing, firewall testing is one of the most important types of network tests that can be conducted as firewalls represent the first line of defense against outside intrusions.

Below you will find steps that a comprehensive firewall penetration test should include in the testing methodology.

Step 1. Locating The Firewall

Every firewall penetration test will begin with locating the firewall. Using any packet crafting software, the tester crafts specific IP packets containing UDP, TCP or ICMP payloads.

Common firewall pen-testing tools used are Hping and Nmap. Both tools have similar functionality with one small difference. Hping can only scan 1 IP address at a time compared to Nmap, which can scan a range of IP addresses.

Depending on the level of aggressiveness of the scan one wishes to perform, Hping is a better choice to avoid any abnormal activity from being detected. By repeating the scanning process, one can map the list of allowed services in the firewall.

Step 2. Conducting Traceroute

Network range can be identified by running a tracert command against the firewall located in the previous step. This step will also provide information regarding the route packets take between systems and determine all routers and devices that are involved in the connection establishing process.

Additionally, certain information pertaining to devices that filter traffic and protocols used can also be obtained.

Step 3. Port Scanning

The third step in the firewall penetration testing methodology is port scanning. The most commonly used tool is Nmap due to the possibility of its wide customization of scans one wishes to perform.

In this step, not only will you identify open ports on the firewall, but you’ll also identify the corresponding services that are running on those open ports. Using Nmap, one can craft a scan that encompasses the type of scan wanted, options for that specific scan type, the timing of the scan and much more.

For example, nmap -sS -p 0-1024 x.x.x.x -T4 will send packets with a SYN flag raised, to the first 1024 ports using aggressive timing. Depending on the preferences and requirements of the penetration tester, Nmap can export the results of the scan in different formats.

After mapping all necessary ports and determining the ones that are in an open state, the penetration testers can run another Nmap scan on the open ports to determine which services are running. Running the following Nmap scan will provide that information:

nmap -sV x.x.x.x -T1

After crafting and running different Nmap scans, the penetration tester will have a basic overview of the firewall, open ports, and services running on those ports.

Step 4. Banner Grabbing

Performing banner grabbing on the firewall will provide information on the version of the firewall in question. This information can later be used to find available exploits that can potentially compromise the firewall.

Using Netcat, the penetration tester will craft a connection request which will provide the tester with the right information.

For example, let’s say that we identified port 80 on the firewall as open. The following Netcat command will retrieve the firewall banner and hopefully expose the webserver version:

nc -nvv 10.0.0.1 80

One of the most important steps in testing any firewall is crafting and scanning the firewall using custom made packets. The purpose of this is to elicit different firewall responses and determine which type of firewall you are trying to bypass.

Using Hping or Nmap, a penetration tester should try many different variations of the scan in order to gather as much information as possible. Each scan should use different flags (SYN, ACK, FIN etc.) and different protocols (TCP, UDP) in order to attempt connection establishment. Additionally, testing different protocols with different connection attributes will elicit the most useful responses from the firewall.

Step 5. Access Control Enumeration

Every firewall employs access control lists in order to determine which traffic to allow or deny from the internal network. The only indicator a penetration tester can observe while enumerating the access control list is the state of ports on the firewall.

Nmap can also be used to accomplish this step with the following command: nmap -sA x.x.x.x

Nmap will send packets to the first 1024 ports with the ACK flag raised. This will return results indicating if the port is open, filtered or unfiltered. If the port is in an “Open” state, it is in listening mode. If the state of the port is “filtered”, it indicates the port is blocked by the firewall. Finally, if the port is “unfiltered”, the firewall is passing traffic through the port, but the port is not open.

Step 6. Identifying Firewall Architecture

To build on the previous step, sending crafted packets to firewall ports that were already identified will provide a penetration tester with a complete list of port status. By eliciting responses from the firewall on specific ports, the tester will be able to determine the firewall reaction and aid in mapping open ports. Additionally, responses from the firewall will let the tester know if the connection was rejected, dropped or blocked.

Like in the previous steps, Hping, Hping2 or Nmap can be used to accomplish this task. After initiating the scan, the firewall will send back specific packets indicating the action it took against the scan. If the firewall returns a SYN/ACK packet, the port is in an “Open” state.

If the firewall returns a RST/ACK packet, it means the firewall rejected the crafted packet from the tester’s scanner. If no response is received, the firewall dropped the crafted packet indicating a filtered port. Finally, if the firewall returns an ICMP type 3 code 13 packet, the connection attempt was simply blocked.

Step 7. Testing The Firewall Policy

Considered to sometimes be a part of the internal network penetration test, testing firewall policies can be done in two ways.

  1. The penetration tester will either compare hard copies of the extracted firewall policy configuration and the expected configuration in order to identify potential gaps,
  2. The tester will perform actions on the firewall in order to confirm the expected configuration.

Step 8. Firewalking

Firewalking is a method of mapping the network devices that sit behind the firewall. The Firewalk network auditing tool analyzes packets returned by the firewall with the use of traceroute techniques. It will determine open ports on the firewall by checking devices behind the firewall and thus identify which traffic is able to pass the firewall.

The Firewalk tool is considered to perform advanced network mapping and is able to paint a picture of the network topology.

More specifically, by crafting packets with certain TTL values, the penetration tester can identify open ports if the return message is received with the exceeded TTL. If no response is received, it can be concluded that the firewall filtered the packet and blocked the connection.

Step 9. Port Redirection

Testing for port redirection is an important step that can allow further compromise of a given network. If a desired port is not accessible directly, port redirection techniques can be used to circumvent the denial of access.

If the tester manages to compromise a target system and wants to bypass the firewall, he or she can install port redirecting tools such as Fpipe or Datapipe and listen on certain port numbers.

Once the traffic to the ports is sniffed, it can be redirected to the compromised machine.

Step 10. External And Internal Testing

Depending on the type of penetration test being performed, this step might not be applicable. However, this doesn’t decrease the importance of this step as testing the firewall from both sides ensures nothing is missed by the penetration tester.

In order to cover both sides, the tester will send packets from outside of the network and analyze the received packets inside the network.

Step 11. Test For Covert Channels

A covert channel is a hidden communication connection that allows hackers to remain stealthy. Mostly used for concealing activities and extracting data from a company, covert channels are created by installing a backdoor on a compromised machine inside the network.

Once installed, a reverse shell can be created to establish a connection with the outside machine belonging to the hacker. One way of doing this is with the use of the popular hacking platform Metasploit.

To test whether establishing a covert channel is doable, the penetration tester will identify firewall rules with the help of Firewalk, attempt to reach systems behind the firewall and examine the response of the arriving packets.

Step 12. HTTP Tunneling

The HTTP tunneling method consists of encapsulating traffic within the HTTP protocol and is often used when there is restricted access to a device that sits behind a firewall or a proxy.

In this scenario, the HTTPort tool can be used to send POST requests to the HTTP server by specifying hostname, port number and path. As HTTPort by its nature has the ability to bypass HTTP proxies, the only obstacle left is the enabled connect methods on the proxy itself.

If the CONNECT HTTP method is enabled, creating an HTTP tunnel is easy. However, if the CONNECT method is disabled, a remote host mode must be used, which requires a significant amount of effort to accomplish.

Step 13. Identify Firewall Specific Vulnerabilities

If you were wondering how to ensure there are no vulnerabilities in your firewall, the answer is making sure no misconfigurations are present. As this is the main reason hackers manage to penetrate the network, configuring your firewall properly is the most important step you can take.

In some cases, printing or file-sharing services are left enabled on certain open ports and allow hackers to bypass the firewall through that vector. Disabling services that are not needed and checking firewall configuration is the only way to ensure safety.

Kindly revert for any queries

Thanks.
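As an added example that is not part of the answer above: the firewalking described in Step 8 relies on probes whose TTL expires exactly one hop behind the gateway, so from the firewall's side it looks like one external source sending many low-TTL packets to many destination ports. The Python below runs that defender-side check over constructed iptables-style LOG lines; the log prefix, the external interface name eth0 and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of netfilter/iptables LOG output (not real traffic, not from the page).
# Probes from 203.0.113.7 arrive at the firewall with TTL=2: they expire exactly one hop
# behind the gateway, which is the firewalk signature; the other lines are ordinary traffic.
SAMPLE_LOG = """\
FWK: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=21
FWK: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=22
FWK: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=25
FWK: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 LEN=28 TTL=2 PROTO=UDP SPT=53 DPT=53
FWK: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=80
FWK: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=443
FWK: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.0.0.5 LEN=52 TTL=57 PROTO=TCP SPT=41022 DPT=443
FWK: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.0.0.5 LEN=52 TTL=57 PROTO=TCP SPT=41023 DPT=443
FWK: IN=eth0 OUT=eth1 SRC=203.0.113.99 DST=10.0.0.5 LEN=40 TTL=1 PROTO=TCP SPT=1234 DPT=80
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one LOG line into a dict of KEY=VALUE fields; None if a needed field is missing."""
    fields = dict(FIELD_RE.findall(line))
    needed = ("IN", "SRC", "DST", "TTL", "PROTO", "DPT")
    if not all(k in fields for k in needed):
        return None
    fields["TTL"] = int(fields["TTL"])
    fields["DPT"] = int(fields["DPT"])
    return fields


def detect_firewalk(log_text, external_if="eth0", max_ttl=2, min_ports=5):
    """Return {src: sorted distinct ports} for external sources whose packets would expire
    right behind the gateway (TTL <= max_ttl) and that touched at least min_ports ports."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["IN"] != external_if or rec["TTL"] > max_ttl:
            continue
        ports_by_src[rec["SRC"]].add(rec["DPT"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, ports in detect_firewalk(SAMPLE_LOG).items():
        print(f"possible firewalking from {src}: low-TTL probes to ports {ports}")
```

The probes only leak the ACL if a host behind the gateway answers with an ICMP time-exceeded message, so dropping outbound ICMP type 11 at the perimeter blunts the technique while the scan itself remains visible in the log.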
