Penetration Testing mailing list archives
RE: Firewall rulebase checking tool
From: "Hugo V. Garcia R." <hugo.garcia () infocenter com bo>
Date: Mon, 16 Aug 2010 09:27:47 -0400
Hello,

You could try hping and tcpdump.

"hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features."
http://www.hping.org/

There is no better way of doing it than by manually crafting the packets. There is an example on this web site:
http://www.symantec.com/connect/articles/packet-crafting-firewall-amp-ids-audits-part-1-2
http://people.engr.ncsu.edu/txie/publications/srds08-firewalltest.pdf

Here are other examples using hping2:
http://www.brandonhutchinson.com/testing_firewall_rules.html

And there is the automated version of these tools, FTester (Firewall Tester). From the tool's web site at http://dev.inversepath.com/trac/ftester :

The tool consists of two perl scripts, a packet injector (ftest) and the listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part while the sniffer listens for such marked packets. The scripts both write a log file which is in the same form for both scripts. A diff of the two produced files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer due to filtering rules if these two scripts are run on hosts placed on two different sides of a firewall. Stateful inspection firewalls are handled with the 'connection spoofing' option. A script called freport is also available for automatically parsing the log files.

Of course this is not an automated process; ftest.conf must be crafted for every different situation. Below are some example lines from the ftest.conf file at server1 in our network. ftest sniffers must be running at the desktop and at the internet site 128.39.74.16 in order to detect which of the marked packets get through.
10.0.0.4:1025:10.0.2.2:3306:S:TCP:0    # server1 MySQL -> desktop A
10.0.0.4::10.0.2.2:::ICMP:3:5          # server1 ICMP -> desktop A
10.0.0.4:1025:10.0.2.2:22:S:TCP:0      # server1 ssh -> desktop D
10.0.0.4:1025:10.0.2.2:23:S:TCP:0      # server1 telnet -> desktop D
10.0.0.4:1025:128.39.74.16:80:S:TCP:0  # server1 www -> internet D
10.0.0.4:1025:128.39.74.16:22:S:TCP:0  # server1 ssh -> internet D

Lines of the final report which freport makes by comparing the log files from the ftest site with those from the ftestd sites may look like this:

Authorized packets:
-------------------

Modified packets (probably NAT):
--------------------------------
1 - 10.0.0.4:1025 > 10.0.2.2:3306 S TCP 0 # server1 MySQL -> desktop A
11 - 10.0.0.4 > 10.0.2.2 ICMP 3 5 # server1 ICMP -> desktop A

Filtered or dropped packets:
----------------------------
16 - 10.0.0.4:1025 > 10.0.2.2:22 S TCP 0 # server1 ssh -> desktop D
21 - 10.0.0.4:1025 > 10.0.2.2:23 S TCP 0 # server1 telnet -> desktop D
26 - 10.0.0.4:1025 > 128.39.74.16:80 S TCP 0 # server1 www -> internet D

This makes it possible to set up an automated system for systematically and periodically running extensive checks on firewalls, also in rather complex configurations.

Hope that helps

Hugo Vinicius Garcia Razera
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Jirka Vejrazka
Sent: Friday, 13 August 2010 10:18
To: pen-test () securityfocus com
Subject: Firewall rulebase checking tool

Hi all,

I'm trying to figure out if there is a tool that would help validate firewall rulebase(s) if the configuration is available (i.e. no blind pen-testing, more like an audit). I know about Flint from Matasano Security; looking for some other options too. Ability to recognize iptables and CheckPoint syntax would be great.

Any hints appreciated

Jirka
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org
------------------------------------------------------------------------
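The log diff that the FTester description in the reply above relies on, as an added example (this is not FTester's own freport, which is Perl, and not code from the mail): a Python script that parses ftest.conf-style lines and ftest/ftestd-style log lines, classifies every injected packet as authorized, modified (probably NAT) or filtered by matching the marked packet IDs on both sides of the firewall, and then goes one step further towards the audit Jirka asked for by checking each result against the A/D letter at the end of the ftest.conf comment, so that a "D" packet which reached a sniffer is reported as a rule-base finding. Only the ftest.conf field order and the log line shape "ID - src:port > dst:port FLAGS PROTO TOS" are taken from the quoted report; the A/D letters as a machine-readable expected result, the IDs, the NAT address 192.0.2.7 and all log contents are constructed assumptions.

```python
# Added example (not FTester's own freport). Log line shape and ftest.conf field
# order follow the mail; the A/D letters as expected results, 192.0.2.7 as the
# NAT address and all log contents below are constructed assumptions.
import re
from collections import OrderedDict

LOG_RE = re.compile(r"^(?P<id>\d+)\s+-\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+(?P<rest>.+?)\s*(?:#.*)?$")


def parse_conf(text):
    """src:sport:dst:dport:flags:proto:tos[:code] # comment A|D
    -> {(src, sport, dst, dport, proto): (expected_letter, comment)}"""
    expect = {}
    for raw in text.splitlines():
        spec, _, comment = raw.strip().partition("#")
        if not spec.strip():          # blank or comment-only line
            continue
        src, sport, dst, dport, _flags, proto = spec.strip().split(":")[:6]
        comment = comment.strip()
        letter = comment.rsplit(None, 1)[-1] if comment else ""
        expect[(src, sport, dst, dport, proto)] = (letter, comment)
    return expect


def parse_log(text):
    """ftest.log / ftestd.log -> OrderedDict{packet_id: header fields}."""
    pkts = OrderedDict()
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        src, _, sport = m["src"].partition(":")   # ICMP endpoints carry no port
        dst, _, dport = m["dst"].partition(":")
        rest = m["rest"].split()
        # TCP/UDP lines read "FLAGS PROTO TOS"; ICMP lines read "ICMP TYPE CODE"
        flags = "" if rest[0] in ("TCP", "UDP", "ICMP") else rest.pop(0)
        pkts[int(m["id"])] = dict(src=src, sport=sport, dst=dst, dport=dport,
                                  flags=flags, proto=rest[0], tail=" ".join(rest[1:]))
    return pkts


def compare(sent, seen):
    """The diff the mail describes: ID absent on the sniffer side -> filtered,
    identical -> authorized, header fields changed in transit -> modified (NAT)."""
    rep = {"authorized": [], "modified": [], "filtered": [], "unexpected": []}
    for pid, pkt in sent.items():
        got = seen.get(pid)
        if got is None:
            rep["filtered"].append((pid, pkt, None))
        elif got == pkt:
            rep["authorized"].append((pid, pkt, got))
        else:
            rep["modified"].append((pid, pkt, got))
    for pid in sorted(seen.keys() - sent.keys()):  # marked packets nobody injected
        rep["unexpected"].append((pid, None, seen[pid]))
    return rep


def audit(rep, expect):
    """Findings where the observed result contradicts the A/D expectation;
    a modified packet still reached the sniffer, so it counts as delivered."""
    findings = []
    for outcome, reached in (("authorized", True), ("modified", True), ("filtered", False)):
        for pid, pkt, _ in rep[outcome]:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
            letter, comment = expect.get(key, ("", "not in ftest.conf"))
            if letter == "A" and not reached:
                findings.append((pid, "expected ALLOW, dropped", comment))
            elif letter == "D" and reached:
                findings.append((pid, "expected DENY, delivered (%s)" % outcome, comment))
    return findings


# Constructed sample data, modelled on the lines quoted in the mail.
CONF = """\
10.0.0.4:1025:10.0.2.2:3306:S:TCP:0    # server1 MySQL -> desktop A
10.0.0.4::10.0.2.2:::ICMP:3:5          # server1 ICMP -> desktop A
10.0.0.4:1025:10.0.2.2:22:S:TCP:0      # server1 ssh -> desktop D
10.0.0.4:1025:10.0.2.2:23:S:TCP:0      # server1 telnet -> desktop D
10.0.0.4:1025:128.39.74.16:22:S:TCP:0  # server1 ssh -> internet D
"""
FTEST_LOG = """\
1 - 10.0.0.4:1025 > 10.0.2.2:3306 S TCP 0
6 - 10.0.0.4 > 10.0.2.2 ICMP 3 5
11 - 10.0.0.4:1025 > 10.0.2.2:22 S TCP 0
16 - 10.0.0.4:1025 > 10.0.2.2:23 S TCP 0
21 - 10.0.0.4:1025 > 128.39.74.16:22 S TCP 0
"""
# ftestd.log from both sniffer hosts, concatenated; ID 21 arrived source-NATed.
FTESTD_LOG = """\
1 - 10.0.0.4:1025 > 10.0.2.2:3306 S TCP 0
6 - 10.0.0.4 > 10.0.2.2 ICMP 3 5
21 - 192.0.2.7:1025 > 128.39.74.16:22 S TCP 0
"""


def run_example():
    rep = compare(parse_log(FTEST_LOG), parse_log(FTESTD_LOG))
    return rep, audit(rep, parse_conf(CONF))


if __name__ == "__main__":
    rep, findings = run_example()
    print({k: [p for p, _, _ in v] for k, v in rep.items()})
    print(findings)
```

On the sample data, packets 1 and 6 are authorized, 11 and 16 are filtered (as their "D" expectation says they should be) and 21 is delivered with a rewritten source address, which compare() files under modified and audit() flags as the one finding: an ssh SYN to the internet host that the rule base was supposed to drop. Matching is by the packet ID carried in the payload signature, not by header fields, which is what lets a NATed packet be recognised rather than counted as dropped.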
Current thread:
- Firewall rulebase checking tool Jirka Vejrazka (Aug 13)
- Re: Firewall rulebase checking tool Christopher A. Jarosz (Aug 16)
- Re: Firewall rulebase checking tool Michal Merta (Aug 16)
- Re: Firewall rulebase checking tool anthony . cicalla (Aug 16)
- Message not available
- Re: Firewall rulebase checking tool anthony . cicalla (Aug 16)
- Re: Firewall rulebase checking tool Nikhil Wagholikar (Aug 16)
- RE: Firewall rulebase checking tool lgpm (Aug 16)
- RE: Firewall rulebase checking tool Hugo V. Garcia R. (Aug 16)
- Re: Firewall rulebase checking tool Scott (Aug 16)
- Re: Firewall rulebase checking tool Tracy Reed (Aug 17)
- Re: Firewall rulebase checking tool Jirka Vejrazka (Aug 17)
- RE: Firewall rulebase checking tool K K Mookhey (Aug 18)
- Re: Firewall rulebase checking tool anthony . cicalla (Aug 18)
- RE: Firewall rulebase checking tool Martinez, Daniel (Aug 18)
- Re: Firewall rulebase checking tool anthony . cicalla (Aug 18)
- Re: Firewall rulebase checking tool Jirka Vejrazka (Aug 17)