Firewall penetration testing

[roybatty]

Well, actually I'm the teacher.

And this is my firewall script:

Code:

      #!/bin/sh         
        iptables -F
        iptables -X
        iptables -Z
        iptables -t nat -F
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -t nat -P PREROUTING ACCEPT
        iptables -t nat -P POSTROUTING ACCEPT

An easy A+

So, be polite you guys ... (Otherwise we'll see the reloaded version of 'Why seniors here are so rude?')

[theysaid]

1) hping and nmap are your friends. But before using them, you need to acquire introductory TCP/IP knowledge. Fragmented packets, source address spoofing, dns queries, decoy hosts, crafted SYN+ACK packets, etc. you can implement these testing parameters via both nmap and hping.
You can use nmap's --reason parameter to see why your packet dropped or rejected. tcpdump is also good for this but if you want to interpret the results then you really need to understand the basics.
2) I recommend you reading Ftester's documentation from here.
3) This may also be useful to you if you want to enumerate IP hops.
4) If you want to check your CISCO firewall's rules automagically then flint is your cure, my friend.

[eyeheartlinux]

Maybe the "lesson" that needs to be learned is READING=LEARNING and SEARCHING=GREAT READING. Everything I have learned about Linux and Backtrack came from wiki's,tuts,README's etc. (there is a good defcon fyodor seminar out there for example on this very subject).

[pigtail]

@ tlingitsoldier
Is it possiable that the teacher has taught best secuirty practices, and just at the off chance on a test network, when all the gradeing has been done you can try to access gear behind the firewall...

Try mapping the network(NMAP) to get a picture
Try and see what passes throught the firewalls(hping,nemsis)
Try to exploit OS,software to disable firewall or foreward

[WolverineOD]

No need to be terribly cynical. I can see why everybody sighs and proceeds to hate on whoever posts these Oh So Imaginative stories. But there is a limit to how far you can take this before the mods start looking very unapproachable, in which case valid users will be 'frightened' off instead of asking perfectly acceptable questions. This is supposed to be a learning environment. But at the moment people are just being shut down before they are given a chance. His teacher is probably doing exactly the same thing as we do here. Trying to get their students to think for themselves, and then when they hit a road block, come ask some questions. We should at least point people in the right direction and the information itself will sort out the Script Kiddies out from the men, were not all seasoned Pentesting Experts. Id like to add that he has been pointed in the right direction, but this forum could still do to be a bit more friendly. Otherwise people wont be sticking around for long.

Usually, aslong as you notify the ISP before starting the test, and the times in which it will be happening they will be OK with it. Another idea might be to get your teacher to write an email on the matter to clarify that you are authorized to test the network. Good luck if your for real. Its not easy starting out, do the proper research (Google is your friend) and things will start to become clear.

[fancy]

So, be polite you guys ... (Otherwise we'll see the reloaded version of 'Why seniors here are so rude?')

Well, seniors are not rude by nature, they just may react harsh if someone wants to fool them, or they should do the homework for some lazy students. Do you have an idea how many homework requests or SE attempts are not making it past the moderator queue??? Moreover we are not here to teach somebody.
And honestly, if you really are a teacher then you should instruct your students to research things on their own - and what the OP asked for is everywhere available on the internet. A simple google research will reveal a myriad of valuable information.

[hhmatt]

I've always found the "senior's" to be very helpful and knowledgable as long as you follow the rules and don't try and b.s. them. I find it funny that people try to tell a story with their questions. It's completely unnecessary and irrelevant.

@OP
Backtrack is the perfect tool for what you're describing but only in the hands of an experienced tester. Penetration testing is not learned overnight or even in a few weeks. On top of that some things just can't be taught, for example: creativity, resourcefulness, ingenuity.
If you're interested in learning you need to start with the basics like everyone else. If you just want someone to do everything for you then you've come to the wrong place.

[roybatty]

Well, seniors are not rude by nature, they just may react harsh if someone wants to fool them, or they should do the homework for some lazy students.

I know that fancy, I was just kidding. However, we'll see that happening again, sooner than later.

Do you have an idea how many homework requests or SE attempts are not making it past the moderator queue??? Moreover we are not here to teach somebody.

Yep. I've been here for ages (old forum).

And honestly, if you really are a teacher then you should instruct your students to research things on their own - and what the OP asked for is everywhere available on the internet. A simple google research will reveal a myriad of valuable information.

No, I'm not. And yes, you're right.

[thorin]

Well, actually I'm the teacher.

And this is my firewall script:

Code:

      #!/bin/sh         
        iptables -F
        iptables -X
        iptables -Z
        iptables -t nat -F
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -t nat -P PREROUTING ACCEPT
        iptables -t nat -P POSTROUTING ACCEPT

An easy A+

So, be polite you guys ... (Otherwise we'll see the reloaded version of 'Why seniors here are so rude?')

Wow that's a boat load of failsauce.... It would almost be more effective to just "killall iptables" then you wouldn't be wasting RAM or CPU time doing nothing.

And honestly, if you really are a teacher then you should instruct your students to research things on their own - and what the OP asked for is everywhere available on the internet. A simple google research will reveal a myriad of valuable information.

No, I'm not. And yes, you're right.

Big surprise...

[skidmarq]

Hping is a great tool but I wouldn't recommend it here since you already have the advantage of knowing the hardware (PIX515). Cisco PIX firewalls use a a state table and HPING won't buy you much in this instance since the PIX will only listen for stateful connections. Now, if this were a a router using an old version of ACLs (the ones that used to say "permit x.x.x.x y.y.y.y 'established'") then you could normally circumvent the security using a custom crafted TCP packet with the ACK flag set.

You really won't be attacking the firewalls here, per se, you will want to focus more on services allowed through the firewalls. That is likely going to be your weak link...once you've compromised a host in the DMZ then you can use that as a launch pad internally using the same logic as above.