Penetration Testing mailing list archives
RE: Bypassing Firewalls
From: "Lars Troen" <Lars.Troen () sit no>
Date: Sat, 8 Apr 2006 19:27:13 +0200
> I guess I understand, first you need to scan for any openings on the network (what is allowed through the firewall). Then scan IP addresses on those ports for alive machines. Once that is complete, try to gain root/admin privilege on one/many inside machines to launch your system(s), or I guess you could install your tools on the compromised host (if permitted) to further your scanning/testing. Please understand, I am very new to this and am looking to get as much advice as possible, so I can become an expert.
For scanning ports and IPs on internal networks: The way you outline it is not optimal. Different hosts often have different ports open if they're offering different services. A clustered service will have the same ports open on all the hosts that are part of the same cluster. The same also applies for other types of "farms". But you normally figure this out. When doing port scans, I feel that you get a better hit rate when first scanning "often used ports" or doing a ping sweep to get a picture of the landscape. Be aware, however, that a port scan is like a lighthouse to any IDS/IPS system, and some firewalls might also have countermeasures for this. This depends completely on the environment you're testing, and you risk having your IP/switch port blocked automatically. It's important to make such things clear with the customer before you begin, and to try to get as much information as possible about subnets and services in order to be able to do a good pen test that gives as accurate a picture as possible of the situation.

Trying to find a way out of the network? Do you have access to an existing client PC? It would help you a lot to see what methods a normal user uses for contact with external networks. Typically these accesses involve http(s), smtp and icmp. In most cases (for larger environments) these services (except icmp) are proxied and you can only gain access through authenticated access. If you can ping hosts on the internet, the icmp requests are in many cases not masked/proxied. If you can't gain access to a client PC, then maybe you're connected to the same switch as a client PC that is being used? Then you can put the switch into "hub mode" and sniff its activity to see how it communicates with the world. If you can gain access through any of these (or other) services, you can set up a tunnel through these protocols. If you know what kind of firewalling technology (brand/version) they're using, there are several default setups that you might want to check.

If you don't know anything about the customer setup, and you're completely on your own, it will be a much more time-consuming task to locate the relevant values that can take you further (but still very possible).

Good luck!

Lars
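Lars notes that a port scan or ping sweep is "a lighthouse to any IDS/IPS". The following is an added example (not from the post or the list) of the detection side of that remark: a small detector that flags, per source address, either many distinct destination ports on one host within a time window (port scan) or many distinct hosts probed with ICMP echo-request (ping sweep). The log format and all addresses are constructed for the example.

```python
"""Flag port scans and ICMP ping sweeps in firewall logs (constructed sample)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical syslog-style firewall format.
SAMPLE_LOG = """\
2006-04-08T19:00:01 DROP TCP 10.0.5.23:40000 -> 10.0.1.10:22
2006-04-08T19:00:01 DROP TCP 10.0.5.23:40001 -> 10.0.1.10:23
2006-04-08T19:00:02 DROP TCP 10.0.5.23:40002 -> 10.0.1.10:25
2006-04-08T19:00:02 ACCEPT TCP 10.0.5.23:40003 -> 10.0.1.10:80
2006-04-08T19:00:03 DROP TCP 10.0.5.23:40004 -> 10.0.1.10:443
2006-04-08T19:00:03 DROP TCP 10.0.5.23:40005 -> 10.0.1.10:3389
2006-04-08T19:00:10 ACCEPT TCP 10.0.5.40:51000 -> 10.0.1.10:80
2006-04-08T19:00:11 ACCEPT TCP 10.0.5.40:51001 -> 10.0.1.10:443
2006-04-08T19:01:00 ACCEPT ICMP 10.0.5.77 -> 10.0.1.1 echo-request
2006-04-08T19:01:00 ACCEPT ICMP 10.0.5.77 -> 10.0.1.2 echo-request
2006-04-08T19:01:01 ACCEPT ICMP 10.0.5.77 -> 10.0.1.3 echo-request
2006-04-08T19:01:01 ACCEPT ICMP 10.0.5.77 -> 10.0.1.4 echo-request
2006-04-08T19:01:02 ACCEPT ICMP 10.0.5.77 -> 10.0.1.5 echo-request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def detect_scans(log_text, window=timedelta(seconds=30),
                 port_threshold=5, host_threshold=4):
    """Return {src: 'portscan' | 'pingsweep'} for sources that exceed a
    threshold of distinct ports (per host) or distinct ICMP targets
    inside any sliding window of the given length."""
    events = defaultdict(list)  # src -> [(timestamp, key)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the format
        ts = datetime.fromisoformat(m["ts"])
        if m["proto"] == "ICMP" and "echo-request" in line:
            events[m["src"]].append((ts, ("host", m["dst"])))
        elif m["dport"]:
            events[m["src"]].append((ts, ("port", m["dst"], m["dport"])))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            keys = [k for t, k in evs[i:] if t - t0 <= window]
            ports = {k for k in keys if k[0] == "port"}
            hosts = {k for k in keys if k[0] == "host"}
            if len(ports) >= port_threshold:
                findings[src] = "portscan"
            elif len(hosts) >= host_threshold:
                findings[src] = "pingsweep"
    return findings
```

The thresholds are deliberately low so the constructed sample triggers; in production they would be tuned against the baseline of legitimate traffic, and sources that legitimately touch many ports (monitoring, vulnerability scanners) allow-listed.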