Ethical Hacking NETLAB+ 13 - Testing Firewall Rules with Firewalking
Summary
TLDRIn this video, Barrett from C4 Cyber Club at Cypress College demonstrates how to use firewalking to test firewall rules. The lab explores how firewalking, a tool that leverages TTL (Time to Live) values in IP packets, can be used to identify open ports and detect firewall configurations. The video covers both passive and active reconnaissance, showcasing how firewalking helps in evading firewalls by gradually increasing TTL to bypass access control lists. The demonstration includes practical examples using a pfSense firewall and Kali Linux, highlighting the impact of different firewall rules on scan results.
Takeaways
- ๐ Firewalking is a network reconnaissance technique that uses TTL values in IP headers to determine firewall configurations and whether specific ports or protocols are blocked.
- ๐ Firewalking works by gradually increasing the TTL value of packets until they reach a target, helping identify blocked ports or firewall rules.
- ๐ When performing firewalking, the response (or lack thereof) helps determine whether traffic is being filtered or blocked by a firewall.
- ๐ In the lab setup, we used **pfSense** as the firewall and **Kali Linux** for conducting the firewalking scan.
- ๐ Initially, no firewall rules are set, meaning all traffic is allowed, which is confirmed by the open ports (53 for DNS and 80 for HTTP) in the **Nmap** scan.
- ๐ Firewalking can be used to test whether specific firewall rules, such as those for HTTP, HTTPS, or DNS traffic, are effectively blocking or allowing connections.
- ๐ Using **Nmap** first helps to identify open ports, but it doesnโt show whether firewall rules are in place, which is where firewalking is useful.
- ๐ After modifying the firewall rules to allow only ports 80 (HTTP), 443 (HTTPS), and 53 (DNS), firewalking shows how access is restricted for other ports, like port 23.
- ๐ In a defensive context, firewalking can help blue teams verify their firewall configurations by checking which ports and protocols are accessible.
- ๐ Firewalking is a useful tool in active reconnaissance for penetration testers, helping to identify potential weaknesses in network defenses.
Q & A
What is the purpose of using Firewalking in the lab?
-The purpose of using Firewalking in this lab is to test firewall rules, specifically to see how access control lists (ACLs) affect the ability to scan and access certain network ports. It helps identify what happens when firewall rules are set or not set.
How does Firewalking work?
-Firewalking works by sending packets with increasing time-to-live (TTL) values. When the TTL reaches zero, the router sends an ICMP time exceeded message back to the sender. Firewalking uses this process to scan beyond firewalls and identify blocked ports or protocols.
What are the key differences between a basic Nmap scan and Firewalking?
-A basic Nmap scan only tells you whether ports are open or closed. It does not provide information about firewall rules or access control lists. Firewalking, on the other hand, allows you to determine whether packets are being blocked by a firewall, making it a more advanced tool for identifying ACLs and other firewall configurations.
What is the significance of the TTL (Time to Live) value in Firewalking?
-The TTL value in Firewalking is crucial because it helps trace the path of a packet through routers. By manipulating TTL, Firewalking can bypass firewalls and detect which ports are blocked or open based on how the routers respond.
Why is Firewalking considered active reconnaissance?
-Firewalking is considered active reconnaissance because it involves sending packets to a target network to gather information about open ports, protocols, and firewall settings. Unlike passive scanning, which does not interact with the network, active reconnaissance directly engages with the target.
How does the OpenSUSE machine interact with the firewall during the lab?
-In the lab, the OpenSUSE machine is used to access the PFSense firewall's administrative interface via Firefox. The machine is used to modify firewall rules and test their effect by scanning the network with tools like Firewalking.
What kind of firewall configuration is initially set in the PFSense firewall in the lab?
-Initially, the PFSense firewall has no specific rules set, meaning all traffic is allowed, including all IPv4 and ICMP packets. This wide-open configuration serves as a baseline for testing Firewalking and understanding the impact of adding firewall rules.
How does Firewalking detect blocked ports after firewall rules are set?
-Once specific firewall rules are set (such as allowing only ports 53, 80, and 443), Firewalking detects blocked ports by sending scans to the target network. If a port is blocked, it does not receive a response. For example, a scan on port 23 returns no response, indicating the absence of a firewall rule for that port.
What does the 'ICMP Port Unreachable' message mean in the context of Firewalking?
-An 'ICMP Port Unreachable' message indicates that a firewall rule is in place, blocking communication on the target port. This message is returned when Firewalking attempts to scan a closed or restricted port, such as DNS (port 53) when scanned with the wrong protocol (TCP instead of UDP).
How can Firewalking be useful for both attackers and defenders?
-For attackers, Firewalking can be used to probe firewalls and uncover weaknesses in network defenses. For defenders (blue team), it serves as a tool to verify that firewall rules are properly configured and that unauthorized access is blocked, ensuring the network is secure.
Outlines
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowMindmap
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowKeywords
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowHighlights
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowTranscripts
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowBrowse More Related Video
What is a Firewall?
Cara Konfigurasi Firewall (memblokir IP dan memblokir situs web) menggunakan Cisco Packet Tracer
Prรผfungsvorbereitung Fachinformatiker Firewallregeln
When to use Pre and Post Security Rules in Panorama
Types of Firewalls Explained | Proxy Firewalls, Traditional Firewalls, UTM Firewalls, NGFWs & MORE
Blok website tertentu berdasarkan user profile hotspot di Mikrotik
5.0 / 5 (0 votes)
