Penetration Testing mailing list archives

RE: Firewall rulebase checking tool


From: "Hugo V. Garcia R." <hugo.garcia () infocenter com bo>
Date: Mon, 16 Aug 2010 09:27:47 -0400

Hello,

You could try hping and tcpdump

"hping is a command-line oriented TCP/IP packet assembler/analyzer. The
interface is inspired to the ping(8) unix command, but hping isn't only
able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP
protocols, has a traceroute mode, the ability to send files between a
covered channel, and many other features." http://www.hping.org/

There is no better way of doing it than by manually crafting the
packets.

There is an example on this web site:
http://www.symantec.com/connect/articles/packet-crafting-firewall-amp-ids-audits-part-1-2

http://people.engr.ncsu.edu/txie/publications/srds08-firewalltest.pdf 

Here are other examples using hping2:
http://www.brandonhutchinson.com/testing_firewall_rules.html 


And there is an automated version of these tools: FTester (Firewall
tester).

From the tool's web site at http://dev.inversepath.com/trac/ftester :
The tool consists of two perl scripts, a packet injector (ftest) and the
listening sniffer (ftestd). The first script injects custom packets,
defined in ftest.conf, with a signature in the data part while the
sniffer listens for such marked packets. The scripts both write a log
file which is in the same form for both scripts. A diff of the two
produced files (ftest.log and ftestd.log) shows the packets that were
unable to reach the sniffer due to filtering rules if these two scripts
are run on hosts placed on two different sides of a firewall. Stateful
inspection firewalls are handled with the 'connection spoofing' option.
A script called freport is also available for automatically parsing the
log files. Of course this is not an automated process, ftest.conf must
be crafted for every different situation.

Below are some example lines from the ftest.conf file at server1 in our
network. ftest sniffers must be running at the desktop and at the
internet site 128.39.74.16 in order to detect which of the marked
packets get through.

10.0.0.4:1025:10.0.2.2:3306:S:TCP:0   # server1 MySQL  -> desktop A
10.0.0.4::10.0.2.2:::ICMP:3:5         # server1 ICMP   -> desktop A
10.0.0.4:1025:10.0.2.2:22:S:TCP:0     # server1 ssh    -> desktop D
10.0.0.4:1025:10.0.2.2:23:S:TCP:0     # server1 telnet -> desktop D
10.0.0.4:1025:128.39.74.16:80:S:TCP:0 # server1 www    -> internet D
10.0.0.4:1025:128.39.74.16:22:S:TCP:0 # server1 ssh    -> internet D

Lines of the final report which freport makes by comparing the log files
from the ftest site with those from the ftestd sites may look like this:

Authorized packets:
-------------------
Modified packets (probably NAT):
--------------------------------
1 - 10.0.0.4:1025 > 10.0.2.2:3306 S TCP 0   # server1 MySQL  -> desktop A
11 - 10.0.0.4 > 10.0.2.2 ICMP 3 5           # server1 ICMP   -> desktop A
Filtered or dropped packets:
----------------------------
16 - 10.0.0.4:1025 > 10.0.2.2:22 S TCP 0     # server1 ssh    -> desktop D
21 - 10.0.0.4:1025 > 10.0.2.2:23 S TCP 0     # server1 telnet -> desktop D
26 - 10.0.0.4:1025 > 128.39.74.16:80 S TCP 0 # server1 www    -> internet D

This makes it possible to set up an automated system for systematically
and periodically running extensive checks on firewalls also in rather
complex configurations.


Hope that helps

Hugo Vinicius Garcia Razera
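The log comparison that freport performs, as an added example that is not part of Hugo's message or of the ftester project. It assumes a log layout with a leading mark column (standing in for the payload signature ftest embeds) and works on constructed sample logs built from the ftest.conf lines above.

```python
# Added example, not ftester's own freport: diff an ftest injector log against
# an ftestd sniffer log and classify each marked packet as the report above does.
# Assumed log layout: "<mark> - src:sport:dst:dport:flags:proto:tos  # comment",
# where <mark> stands for the payload signature ftest uses to match packets.
# Constructed sample: what ftest injected from server1 ...
SENT_LOG = """\
1 - 10.0.0.4:1025:10.0.2.2:3306:S:TCP:0     # server1 MySQL  -> desktop A
11 - 10.0.0.4::10.0.2.2:::ICMP:3:5          # server1 ICMP   -> desktop A
16 - 10.0.0.4:1025:10.0.2.2:22:S:TCP:0      # server1 ssh    -> desktop D
21 - 10.0.0.4:1025:10.0.2.2:23:S:TCP:0      # server1 telnet -> desktop D
26 - 10.0.0.4:1025:128.39.74.16:80:S:TCP:0  # server1 www    -> internet D
"""
# ... and what ftestd saw on the far side; mark 11 arrived with its source
# rewritten (192.0.2.10 is a constructed NAT address).
SEEN_LOG = """\
1 - 10.0.0.4:1025:10.0.2.2:3306:S:TCP:0     # server1 MySQL  -> desktop A
11 - 192.0.2.10::10.0.2.2:::ICMP:3:5        # server1 ICMP   -> desktop A
"""

TITLES = (("authorized", "Authorized packets:"),
          ("modified", "Modified packets (probably NAT):"),
          ("filtered", "Filtered or dropped packets:"))

def parse_log(text):
    """Map each signature mark to (header spec, comment)."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        mark, _, rest = line.partition(" - ")
        spec, _, comment = rest.partition("#")
        entries[int(mark)] = (spec.strip(), comment.strip())
    return entries

def compare(sent, seen):
    """authorized: seen unchanged; modified: same mark, different header
    (probably NAT); filtered: the mark never reached the sniffer."""
    report = {"authorized": [], "modified": [], "filtered": []}
    for mark, (spec, comment) in sorted(sent.items()):
        if mark not in seen:
            report["filtered"].append((mark, spec, comment))
        elif seen[mark][0] == spec:
            report["authorized"].append((mark, spec, comment))
        else:
            report["modified"].append((mark, f"{spec} -> {seen[mark][0]}", comment))
    return report

def freport(sent_text, seen_text):
    """Render the three sections in the layout of the report above."""
    report = compare(parse_log(sent_text), parse_log(seen_text))
    out = []
    for key, title in TITLES:
        out += [title, "-" * len(title)]
        out += [f"{m} - {s}   # {c}" for m, s, c in report[key]]
    return "\n".join(out)
```

Running `freport(SENT_LOG, SEEN_LOG)` lists MySQL as authorized, the ICMP packet as modified, and the ssh, telnet and www probes as filtered; a blank "Filtered or dropped" section is the result an auditor wants from an intended-deny rule set only if every probe was expected to pass.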

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On behalf of Jirka Vejrazka
Sent: Friday, 13 August 2010 10:18
To: pen-test () securityfocus com
Subject: Firewall rulebase checking tool

Hi all,

  I'm trying to figure out if there is a tool that would help validate
firewall rulebase(s), if the configuration is available (i.e. no blind
pen-testing, more like an audit).

  I know about Flint from Matasano security, looking for some other
options too. Ability to recognize iptables and CheckPoint syntax would be
great.

  Any hints appreciated

    Jirka


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical
examination in order to become certified.

http://www.iacertification.org

------------------------------------------------------------------------



