Penetration testing is a vital component of a Threat Management Solution and is now used widely as an effective method of detecting vulnerabilities in an organization’s systems, applications, and infrastructures. During a penetration test, the pen tester utilizes various assessment techniques to detect vulnerabilities in the network, and various other methodologies to exploit them and gain the full picture of the extent of damage that could be done. These vulnerabilities are then assessed, prioritized, and fixed accordingly.
Carrying out a pen test is not an easy task and requires training and experience. This six-part series will focus on how to improve your pen testing skills.
Don’t Forget Firewalls
Firewalls sit quietly between the outside world (you) and your target (client’s network). You may find them inside a network too, but for now, we are focusing on the external or perimeter firewall.
Firewalls come in all shapes and sizes, but they basically all do the same thing; control and monitor the traffic flow into and out of a network. The device has a set of rules that allows or denies traffic. As traffic enters a port on the firewall, it reads the packet header information and begins to compare the traffic with its list of rules. Line by line, rule by rule, the firewall will compare the traffic until it finds a rule that allows or denies the traffic. If no rule is found the firewall will use its default rule for that direction of flow; which is usually deny all-for-inbound and allow all-for-outbound (unless you are doing egress filtering but that is another post).
Let’s break that down a bit. First, there is the interface of origin. In the diagram, we see a simple two interface firewall. ETH0 is labeled as the Outside and ETH1 is labeled as the Inside. Most modern firewalls allow for you to rename the interface in the config. Giving an interface a name helps a great deal when you are crafting rules and looking at logs as ‘Inside’ is more meaningful than ETH1. This feature is even more valuable when dealing with a firewall with 8 interfaces. The interface of origin is the location of where the packet first arrived at the firewall. The packet header includes the destination IP address. With this information, the firewall maps the source and destination interfaces; thus establishing a direction or route. This directional based traffic flow is important to understand as it is a vital part of firewall rules. Firewall rules are crafted to allow, deny, and inspect traffic based on the source, destination, and content of the packet(s). Traffic from networks with low trust levels (for example, the outside) is considered more dangerous than traffic from networks with high trust levels (for example, the inside).
This logic is something you already understand. For example, take a look at your home. You apply different levels of trust between the inside and the outside and even within the various sections of the house. Someone who is standing on the outside of your door has a lower trust level than a person standing in your kitchen. Likewise, people moving from room to room in your home carry a different risk and trust level than someone leaving the house. Much like how a mother, although busy in the next room, always has her eyes and ears open, so that she knows when her toddler is up and about, ensuring that she knows where the little one moves and more importantly, ensuring that the little one does not walk out the door or that no one enters.
The direction of travel and source/destination IP addresses are just the beginning of how a firewall looks at traffic. There’s also port and protocol. TCP and UDP ports are also used to restrict and monitor traffic through a firewall. Looking at the source and destination IP address is akin to asking the question ‘where are you going?’. Looking at TCP and UDP ports is the next logical question which is ‘what are you going to do when you get there?’.
Take a look at the following incomplete packet header:
We already know where the packet is (the source is on our own network). Now we ask the questions ‘where are you going and what are you going to do when you get there?’. According to the header, we’re going to 220.127.116.11 and are going to do some DNS work (UDP port 53) when we get there. If the firewall is only concerned with packet headers, and there is a corresponding permit rule for this, then off the packet goes. However, some firewalls are able to apply additional logic rules to allow based on time of day, data payload, and geography.
Some firewalls look at the payload or data section of a packet. This extra bit of oversight is like a shakedown from mom. The packet claims to be going somewhere to do DNS work…but according to the data portion you have CNC commands made to look like DNS. This last piece of analysis verifies that the packet is actually going to do what it says it’s going to do. This helps ensure no malicious traffic is traveling through allowed data streams.
That’s what a firewall does; it looks at traffic and decides if it is allowed or not. So what does this have to do with pen testing? Glad you asked, the answer: there are two critical pieces of the firewall that need to be assessed, the rules and the device itself. Both require special skills and attention to detail.
Firewalls are dropped at the network perimeter, configured and then left in place. Rules are added and removed (sometimes rarely) to accommodate the changing needs of the network and the current risk and threat vectors. Large organizations with a formal change management process may have a decent handle of what each rule in the config does, who authorized it and when it was implemented. Unfortunately, it is very quick and easy for a firewall admin to make changes to the config. On the upside, this allows an admin to respond very quickly to threats and attacks. On the other hand, it can lead to a bloated list of rules that no one is really sure if each rule is necessary.
Testing firewalls before hackers are able to discover and exploit them is highly important. Testing the policy and bypassing firewalls using IP address spoofing, IP addresses in place of the URLs, proxy servers, tunneling methods like HTTP tunneling and ACK tunneling, port scanning and redirection, and attack firewalls using trojans and social engineering methods are various ways that you crack a firewall.
This edition is the first in a six-part series on ways to be a better pentester. So, if you are a pentester, then don’t forget to keep an eye out for the next edition of this series!