Penetration Testing mailing list archives

RE: penetrating a firewalled network


From: "David Ball" <lostinvietnam () hotmail com>
Date: Tue, 06 Jun 2006 11:36:43 +0800

From my own post to SF some months back with a similar question. These
resources helped me out. The full thread is at the following URL:

http://www.securityfocus.com/archive/101/421146/30/0/threaded

1. "Host Detection - Generating arbitrary responses to identify
inter-networked nodes".
http://www.zone-h.org/files/29/responses-tisc.txt

2. "Techniques to validate host connectivity"
http://packetstorm.linuxsecurity.com/papers/protocols/host-detection.txt

3. "Diggin em Walls - Detection of Firewalls, and Probing networks behind
firewalls".
http://neworder.box.sk/newsread.php?newsid=2914

4. "Host Discovery with Nmap"
http://www.l0t3k.net/biblio/fingerprinting/en/NMAP-mwdiscovery.pdf
Provides different enumeration scenarios (Firewall with Filtering, Firewall
with Generic Ruleset, Firewall with specific rules, Stateful Firewall with
specific rules) and describes how to customize nmap scans for best results
with each scenario. Provides example tcpdump output for each scan.

5. "Strategies for Defeating Distributed Attacks"
http://www.megasecurity.org/Dos/Simple_Nomad.txt
The title is a little misleading. Do a Find for the word "enumeration" and
read from there. Also a very interesting few paragraphs on using non-echo
ICMP messages for host enumeration. See especially the section titled "ICMP
Defense".

6. "Firewall Penetration Testing"
http://www.wittys.com/files/mab/fwpentesting.html
(Borrows heavily from the original Firewalk paper but still worth a read)

7. "Network Scanning Techniques" - Ofir Arkin
http://www.sys-security.com/archive/papers/Network_Scanning_Techniques.pdf

8. "Low Level enumeration with TCP/IP"
http://www.securitydocs.com/library/3012/2

TOOLS
---------

1. Mike Schiffman/David Goldsmith's Firewalk paper
http://www.packetfactory.net/projects/firewalk/firewalk-final.pdf

2. "Tcptraceroute examples"
http://michael.toren.net/code/tcptraceroute/examples.txt

3. "Paratrace Analysis and Defence" (SANS GIAC practical)
http://www.giac.org/certified_professionals/practicals/gcih/0392.php

Sincerely,

David Ball.


"Mohit Agarwal" <mohitz () cse iitb ac in>
06/06/2006 02:10 AM
Please respond to mohitz () cse iitb ac in

To: pen-test () securityfocus com
cc:

Subject: penetrating a firewalled network

Hi,

I want to do penetration tests on a firewalled network to find out the
network structure and any other info that I can get. Can you suggest some
resources to read for the same, as I am a noob.

--
Mohit

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------



