Firewall Penetration Testing: Steps, Methods, & Tools | PurpleSec

Captions
A firewall is one of the first lines of defense in preventing cyber attacks. Naturally, this presents an opportunity for penetration testers and threat actors alike to attempt exploits that would compromise a network's security. In this video I'm going to show a methodology for performing a comprehensive firewall penetration test. By the end you'll have a better understanding of how to holistically protect your business from cyber attacks.

What is a firewall? A firewall is a software or hardware device that inspects incoming and outgoing traffic on a network based on a predetermined set of policies and rules, or an access control list (ACL for short). The firewall filters and restricts all connections that do not abide by those rules. The main purpose of a firewall is to separate trusted networks from the external network, or the internet. In order to accomplish this, a firewall is typically placed in the DMZ, or demilitarized zone. Additional firewalls may be placed in front of a business's internal network (or intranet), or in front of a supervisory control and data acquisition (SCADA) system, which supports systems that run industrial organizations such as nuclear power plants.

There are many types of firewalls, and each model has different functionalities. The main progress that has been made with regard to firewall capabilities is the introduction of next-generation firewalls. Traditional firewalls couldn't engage in stateful packet inspection, but were rather only analyzing network traffic based on the IP address and port number of the packets, without taking into consideration previous traffic that passed through the firewall. With the introduction of next-generation firewalls, dynamic packet filtering became a reality and enabled all active connections to be monitored along with the state of the connections. This additional information is used to aid in the process of determining access.

When deploying any firewall, a certain set of policies and rules needs to be configured in order to adequately ensure the security of the network perimeter. Policies and rules allow certain types of network traffic to be blocked or allowed. These policies can also be applied later on different firewalls throughout the network. Additionally, the integration of Active Directory role-based access control could be enforced, encompassing each user role and its permissions in the firewall.

Firewall penetration testing is the process of locating, investigating and penetrating a certain firewall in order to reach the internal trusted network of a certain system. Mostly considered to be a key part of external network penetration testing, firewall testing is one of the most important types of network tests that can be conducted, as firewalls represent the first line of defense against outside intrusions.

Step 1: Locating the firewall. Every firewall penetration test will begin with locating the firewall. Using any packet crafting software, the tester crafts specific IP packets containing UDP, TCP or ICMP payloads. Common firewall pen testing tools used are hping and nmap. Both tools have similar functionality, with one small difference: hping can scan one IP address at a time, compared to nmap, which can scan a range of IP addresses. Depending on the level of aggressiveness of the scan one wishes to perform, hping is a better choice to avoid any abnormal activity from being detected. By repeating the scanning process, one can map the list of allowed services on the firewall.

Step 2: Conducting traceroute. The network range can be identified by running a traceroute command against the firewall located in the previous step. This step will also provide information regarding the route packets take between systems and determine all routers and devices that are involved in the connection establishment process. Additionally, certain information pertaining to devices that filter traffic and the protocols used can be obtained.

Step 3: Port scanning. The third step in the firewall penetration testing methodology is port scanning. The most commonly used tool is nmap, due to the wide customization possible for the scans one wishes to perform. In this step, not only will you identify open ports on the firewall, but you'll also identify the corresponding services that are running on those open ports. Using nmap, one can craft a scan that encompasses the type of scan wanted, options for that specific scan type, the timing of the scan and much more. For example, nmap will send packets with the SYN flag raised to the first 1024 ports using aggressive timing. Depending on the preferences and requirements of the penetration tester, nmap can export the results of the scan in different formats. After mapping all necessary ports and determining the ones that are in the open state, the penetration tester can run another nmap scan on the open ports to determine which services are running. Running the following nmap scan will provide that information. After crafting and running different nmap scans, the penetration tester will have a basic overview of the firewall's open ports and the services running on those ports.

Step 4: Banner grabbing. Performing banner grabbing on the firewall provides information on the version of the firewall in question. This information can later be used to find available exploits that can potentially compromise the firewall. Using netcat, the penetration tester will craft a connection request which will provide the tester with the right information. For example, let's say that we have identified port 80 on the firewall as open. The following netcat command will retrieve the firewall banner and hopefully expose the web server version.

One of the most important steps in testing any firewall is crafting packets and scanning the firewall using custom-made packets. The purpose of this is to elicit different firewall responses and determine which type of firewall you're trying to bypass. Using hping or nmap, a penetration tester should try many different variations of the scan in order to gather as much information as possible. Each scan should use different flags (SYN, ACK, FIN, etc.) and different protocols (TCP, UDP) in order to establish a connection. Additionally, testing different protocols with different connection attributes will elicit the most useful responses from the firewall.

Step 5: Access control enumeration. Every firewall employs access control lists in order to determine which traffic to allow or deny from the internal network. The only indicator a penetration tester can observe while enumerating the access control list is the state of the ports on the firewall. Nmap can be used to accomplish this step with the following command: nmap will send packets to the first 1024 ports with the ACK flag raised. This will return results indicating whether the port is open, filtered or unfiltered. If the port is in an open state, it is in listening mode. If the port is filtered, it indicates the port is blocked by the firewall. Finally, if the port is unfiltered, the firewall is passing traffic through to the port, but the port is not open.

Step 6: Identifying the firewall architecture. To build on the previous step, sending crafted packets to firewall ports that are already identified will provide a penetration tester with a complete list of port statuses. By eliciting responses from the firewall on specific ports, the tester will be able to determine the firewall's reaction and aid in mapping open ports. Additionally, responses from the firewall will let the tester know if the connection was rejected, dropped or blocked. As in the previous steps, hping/hping2 or nmap can be used to accomplish this task. After initiating the scan, the firewall will send back specific packets indicating the action it took against the scan. If the firewall returns a SYN/ACK packet, the port is in an open state. If the firewall returns a RST/ACK packet, it means the firewall rejected the crafted packet from the tester's scan. If no response is received, the firewall dropped the crafted packet, indicating a filtered port. Finally, if the firewall returns an ICMP type 3 code 13 packet, the connection attempt was simply blocked.

Step 7: Testing the firewall policy. Sometimes considered to be a part of the internal network penetration test, testing firewall policies can be done in two ways: the penetration tester will either compare hard copies of the extracted firewall policy configuration and the expected configuration in order to identify potential gaps, or the tester will perform actions on the firewall in order to confirm the expected configuration.

Step 8: Firewalking. Firewalking is a method of mapping the network devices that sit behind the firewall. The firewalk network auditing tool analyzes packets returned by the firewall with the use of traceroute techniques. It will determine open ports on the firewall by checking devices behind the firewall, and thus identify which traffic is able to pass the firewall. The firewalk tool is considered to perform advanced network mapping, as it's able to paint a picture of the network topology. More specifically, by crafting packets with certain TTL values, the penetration tester can identify open ports if the return message is received with the TTL exceeded. If no response is received, it can be concluded that the firewall filtered the packet and blocked the connection.

Step 9: Port redirection. Testing for port redirection is an important step that can allow further compromise of a given network. If a desired port is not accessible directly, port redirection techniques can be used to circumvent the denial of access. If the tester manages to compromise a target system and wants to bypass the firewall, he or she can install a port redirecting tool such as FPipe or Datapipe and listen on certain port numbers. Once the traffic to those ports is sniffed, it can be redirected to the compromised machine.

Step 10: External and internal testing. Performing external and internal penetration tests is not always required when testing the firewall; however, it does provide a more realistic approach of how a malicious actor may attack your systems. An external penetration test researches and attempts to exploit vulnerabilities that could be exploited by an external user without proper access and permissions. An internal penetration test is similar to a vulnerability assessment; however, it takes a scan one step further by attempting to exploit the vulnerabilities and determine what information is actually exposed. In order to cover both sides, the tester will send packets from outside of the network and analyze the received packets inside the network.

Step 11: Testing for covert channels. A covert channel is a hidden communication connection that allows hackers to remain stealthy. Mostly used for concealing activities and extracting valuable or sensitive data from a company, covert channels are created by installing a backdoor on a compromised machine inside the network. Once installed, a reverse shell can be created to establish a connection with the outside machine belonging to the hacker. One way of doing this is with the use of the popular hacking platform Metasploit. To test whether establishing a covert channel is doable, the penetration tester will identify firewall rules with the help of firewalk, attempt to reach systems behind the firewall, and examine the response of the arriving packets.

Step 12: HTTP tunneling. The HTTP tunneling method consists of encapsulating traffic within the HTTP protocol and is often used when there is restricted access to a device that sits behind a firewall or proxy. In this scenario the HTTPort tool can be used to send POST requests to the HTTP server by specifying hostname, port number and path. As the nature of HTTPort's functionality has the ability to bypass HTTP proxies, the only obstacle left is whether the CONNECT method is enabled on the proxy itself. If the CONNECT HTTP method is enabled, creating an HTTP tunnel is easy; however, if the CONNECT method is disabled, a remote host must be used, which requires a significant amount of effort to accomplish.

Step 13: Identifying firewall-specific vulnerabilities. If you're wondering how to ensure there are no vulnerabilities on your firewall, the answer is making sure no misconfigurations are present, as this is the main reason hackers manage to penetrate the network. Configuring your firewall properly is the most important step you can take. In some cases printing or file sharing services are left enabled on certain open ports and allow the pen tester to bypass the firewall through that vector. Disabling services that are not needed and checking firewall configurations is the only way to ensure safety.

Documenting penetration testing findings. Like with any other type of penetration test, firewall testing also needs to be documented. It is important to include all the findings from the test, especially the methods of attack that worked on the target firewall. In addition, by focusing on the methods that worked and on the misconfigurations that were potentially found, the penetration tester will narrow down the focus to the most important findings.

Firewall penetration testing tools. The most important tools needed for firewall penetration testing are scanners, including nmap, hping, hping2, netcat and firewalk. These scanners allow the tester to customize packets and elicit a response from the firewall. By interpreting the responses from the firewall, the tester can determine the state of ports, the services running and their versions, perform banner grabbing and find vulnerabilities. Finally, the FPipe and Datapipe tools can be used when attempting port redirection, and the HTTPort tunneling tool can be used when attempting HTTP tunneling.

The main purpose of performing firewall penetration testing is to prevent unauthorized access to the internal network from the internet. Depending on the type of firewall, most represent either a traditional stateless firewall or a next-generation firewall which remembers the state of all connections. The success of any firewall penetration test depends on multiple factors. Making sure firewall policies and rules are configured properly will greatly reduce attack success and prevent most unauthorized connection attempts. Using security scanners such as nmap, hping and netcat to enumerate and fingerprint the firewall will provide various information about the firewall, its access control list and the state of its ports. Most decisions and actions a penetration tester will take will depend on the firewall's responses. Last but not least, documenting everything is just as important as the test itself. Make sure to include all relevant findings and tools as you work through the process instead of waiting until the end of the test. This will save a lot of time, headaches and confusion once you're ready to deliver the report you
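As an added example (not code from the video or from PurpleSec), the following Python correlates the SYN scan of step 3 with the ACK scan of step 5 the way steps 5 and 6 read them, parsing nmap's greppable (-oG) output for a constructed target 192.0.2.10. It goes slightly beyond the transcript by flagging the SYN-filtered/ACK-unfiltered combination as the signature of a stateless, flag-matching filter rather than a stateful firewall.

```python
import re

# Constructed sample nmap greppable (-oG) host lines for a hypothetical target
# 192.0.2.10: a SYN scan (step 3) and an ACK scan (step 5) of the same ports.
# Ports not listed take the "Ignored State" that nmap reports at the end.
SYN_SCAN = ("Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, "
            "80/open/tcp//http///, 443/filtered/tcp//https///, "
            "8080/closed/tcp//http-proxy///\tIgnored State: filtered (1020)")
ACK_SCAN = ("Host: 192.0.2.10 ()\tPorts: 22/unfiltered/tcp////, "
            "25/unfiltered/tcp////, 80/unfiltered/tcp////, "
            "443/filtered/tcp////, 8080/unfiltered/tcp////\t"
            "Ignored State: filtered (1019)")

# -oG port fields are port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/,\t]*/([^/,\t]*)/")
IGNORED_RE = re.compile(r"Ignored State: ([\w|]+) \(\d+\)")

def parse_grepable(line):
    """Return ({port: (state, service)}, ignored_state) for one -oG host line."""
    ports = {int(p): (st, svc) for p, st, _proto, svc in PORT_RE.findall(line)}
    m = IGNORED_RE.search(line)
    return ports, (m.group(1) if m else "unknown")

def infer_acl(syn, syn_ignored, ack, ack_ignored):
    """Correlate SYN-scan and ACK-scan states per port into the ACL reading of
    steps 5 and 6: open = listening, filtered = blocked by the firewall,
    unfiltered = the firewall passes the port but nothing is listening."""
    verdicts = {}
    for port in sorted(set(syn) | set(ack)):
        s = syn.get(port, (syn_ignored, ""))[0]
        a = ack.get(port, (ack_ignored, ""))[0]
        if s == "open":
            verdicts[port] = "allowed: service listening"
        elif s == "closed" and a == "unfiltered":
            verdicts[port] = "allowed: passes firewall, nothing listening"
        elif s == "filtered" and a == "unfiltered":
            # SYN dropped but a bare ACK passes: flag-matching stateless filter
            verdicts[port] = "SYN blocked, ACK passes: likely stateless ACL"
        elif s == "filtered" and a == "filtered":
            verdicts[port] = "blocked: dropped for both SYN and ACK"
        else:
            verdicts[port] = f"inconclusive (syn={s}, ack={a})"
    return verdicts

if __name__ == "__main__":
    syn, syn_ign = parse_grepable(SYN_SCAN)
    ack, ack_ign = parse_grepable(ACK_SCAN)
    for port, verdict in infer_acl(syn, syn_ign, ack, ack_ign).items():
        print(f"{port:>5}/tcp  {verdict}")
```

Feed it real -oG host lines from `nmap -sS -oG` and `nmap -sA -oG` runs of the same port range to get the same per-port reading for documentation.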
Info
Channel: PurpleSec Cyber Security
Views: 12,943
Rating: 4.9448276 out of 5
Keywords: firewall testing, firewall penetration testing, cybersecurity, PurpleSec, infosec
Id: 0Izu0J6iSoM
Length: 15min 46sec (946 seconds)
Published: Sun Jul 19 2020