Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Real connection spoofing (Firewall Tester)

From: Andrea Barisani <lcars () infis univ trieste it>
Date: Mon, 24 Sep 2001 14:01:53 +0200 (CEST)
Hi!

I'm currently tring to implement real connection spoofing in my simple
firewall testing scripts (ftester.sourceforge.net) in order to test
stateful inspection firewalls like iptables and ipfilter. Currently my
tool is useless with such firewalls when injecting packets like a Push/Ack
response because they aren't related with any ongoing connection. So this
is the idea (feel free to criticize ;) :

Client (ftest.pl) ---> Firewall ---> Sniffer (ftestd.pl)

1 - The client (ftest.pl) send a Syn packet with a custom payload
(Question:  is inserting data in a Syn packet legal?)
2 - The sniffer (ftestd.pl) sniff the packet and the stack response
3 - The sniffer send a Syn packet to the client with the Seq number equal
to the stack response
4 - Based on this information the client send the correct response in
order to complete the handshake
5 - Now we can test some flags (like Push/Ack)

The problem is that between step 2 and step 3 the spoofed address will
send a valid RST back to the sniffer, the firewall will see it and we
can't proceed. The only solutions to that problem are making the stack
silent (patching the kernel in some way I suppose), or make sure that the
stack responses are seen only by the firewall and not by the spoofed host,
maybe setting a low TTL in /proc/sys/net/ipv4/ip_default_ttl. Another idea
could be using a very low default TTL in order to 'hide' stack replies and
entirely craft the right replies with the correct TTL, in this way I can
simulate real responses even if the target port is a closed one (step 2
implies a Syn/Ack response, so an open port).

Anyone got a better idea?

Thanks.

------------------------------------------------------------
INFIS Network Administrator & Security Officer
Department of Physics       - University of Trieste
lcars () infis univ trieste it - PGP Key 0x8E21FE82
------------------------------------------------------------
"How would you know I'm mad?" said Alice.
"You must be,'said the Cat,'or you wouldn't have come here."
------------------------------------------------------------


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: