Your SlideShare is downloading. ×
  • Like
Bypassing firewalls
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Bypassing firewalls

  • 157 views
Published

 

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
157
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
13
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Adam GowdiakTechniques usedfor bypassingfirewall systemspresented by9th TF-CSIRT Meeting, 29-30th May 2003, WarsawCopyright@2003PoznanSupercomputingandNetworkingCenter,Poland
  • 2. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT2§ POL34-CERT is part of Poznan Supercomputing andNetworking Center, the operator of the Polish ScientificBroadband Network POL34/155§ It has been established in 2000 to provide effective incidentresponse service to members and users of the POL34/155network§ The primary goal was to provide active incident handling withhigh quality technical support which can be guaranteed byseven years of experience acquired by the Security Team ofPSNCAbout POL34-CERTWho we are?
  • 3. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT3§ An adequate technical support while handling securityincidents and recovering from their consequences§ Complex co-ordination of all responses to an incident withspecial emphasis on exchanging information between variousinterested parties§ Valuable educational materials aimed at increasing theawareness of security as well as improving the overallknowledge of security techniques among the members ofthe constituencyAbout POL34-CERTMission statement
  • 4. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT4The declared constituency ofPOL34-CERT contains all thosesystems connected to POL34/155network i.e. networks of mostacademic and scientific institutionsin PolandAbout POL34-CERTConstituency
  • 5. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT5§ Security administration of the POL34/155 networkinfrastructure and PSNC’s supercomputing resources§ Performing real-life, large scale penetration tests for thirdparties (both commercial and educational ones)§ Participation as security consultants in research projectsfounded by Polish Academy of Sciences and EC§ Extensive knowledge of attack methodologies and techniques§ Continuous security vulnerability researchPSNC Security TeamOur experience
  • 6. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT6IntroductionPresentation motivations§ Practical security is based both on knowledge aboutprotection as well as about threats§ If one wants to attack a computer system, he needsknowledge about its protection mechanisms and theirpossible limitations§ If one wants to defend his system, he should be aware ofattack techniques, their real capabilities and theirpossible impact
  • 7. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT7IntroductionPresentation thesisn The difficulty of securing a given networkinfrastructure goes along with its size and complexityn Securing a network infrastructure is a continuousprocess, that should have its beginning in the designphasen Security is not a product, (Bruce Schneier)n Firewalls are not the end-all, be-all solution toinformation securityn You can never feel 100% secure...
  • 8. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT8Firewall systemsIntroductionn They got particularly popular around 1996 - the timewhere some new attack techniques emerged (bufferoverflows, remote exploits)n Their primary goal was to provide traffic control andmonitoringn They enforce the security policy represented by a setof rules, specifying what is explicitly permitted/deniedn They usually interconnect two or more logical networks- public and a private ones
  • 9. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT9Firewall systemsEvolutioncorporate networkcorporate networkInternetInternetFIREWALLFIREWALLcorporatecorporatenetworknetworkInternetInternetBastionBastionInternalInternalrouterrouterExternalExternalrouterroutercorporatecorporatenetworknetworkInternetInternetBastionBastiondemilitariseddemilitarisedzone (DMZ)zone (DMZ) FIREWALLFIREWALLFIREWALLFIREWALL
  • 10. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT10Firewall systemsTypes and operationNetworkApplicationPresentationSessionTransportData LinkPhysicalApplicationPresentationSessionTransportData LinkPhysicalData LinkPhysicalNetwork NetworkNetworkApplicationPresentationSessionTransportData LinkPhysicalApplicationPresentationSessionTransportData LinkPhysicalData LinkPhysicalNetwork NetworkApplicationPresentationSessionTransportPacket level filteringApplication level filteringTransportTelnet Ftp Http
  • 11. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT11Firewall systemsState of the artn They run as part of the OS kernel (KLM)n They use some advanced algorithms for stateful trafficanalysis (Adaptive Security Analysis, Stateful Inspection)n They can hide information from the outside about theinternal logic of the protected network (NAT, PAT, DNSProxy)n They can authenticate users with the use of differentauthentication methods (SecureID, RADIUS, AXENT,TACACS, Vasco, S/Key)n They can do some limited content filtering (Java,ActiveX)
  • 12. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT12Firewall systemsState of the art (2)n They can be extended by 3rd party products (OSPF)n They can transparently proxy some commonapplication services (FTP, telnet)n They provide support for:• SNMP (Simple Network Management Protocol),• LDAP (Lightweight Directory Access Protocol) ,• ODBC (integration with relational databases),• X.509 (certificates exchange)n They also include support for implementing VPN (DES,RC-4, MD5, SHA-1, SKIP, IPSec, IKE)
  • 13. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT13Firewall systemsState of the art (3)They are able to analyze most of the common:n applications protocols:dns, echo, finger, ftp, irc, NetBeui, ras, rexec, rlogin, rsh, smb, snmp, syslog,telnet, tftp, time, uucp, X11, smtp, pop2, pop3, Microsoft Exchange, gopher,http, nntp, wais, egp, ggp, grp, ospf, ripn multimedia protocols:Cooltalk, Partners, CU-SeeMe, FreeTel, H.323, Internet Phone, NetMeeting,NetShow, RealAudio/Video, StreamWorks, Vosaic, Web Theatern database protocols:Cooltalk, Partners, CU-SeeMe, FreeTel, H.323, Internet Phone, NetMeeting,Lotus Notes, MS SQL Server, SQLNet* by Oracle, SQL Server by Sybase
  • 14. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT14Firewall systemsThe risksn They are pretty complex piece of software!!! (the LinuxKLM binary of Checkpoint FW 1 NW is 1.2 MB byteslong)n Commercial firewall systems are closed software,which means that no one has really put them underthe glass in a search for security problems...n Over the last couple of years there has been justseveral bugs found in them...n Do you still believe they are bug free ??
  • 15. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT15Firewall systemsThe risks (2)n They just filter traffic coming from/to your networkn They can handle dozens of application protocols, butunfortunately cannot protect you against maliciouscontentn Security level of a network protected by a firewallsystem depends on many factors (DNS, routinginfrastructure, security of client software...)n There is always a great risk associated with the socalled „human error”
  • 16. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT16Introduction to attack techniquesThe usual firewall deployment modelIntranetIntranetserverserverWWWWWWDatabaseDatabaseserverserverCommunicationCommunicationserverserverINTERNETINTERNETCorporate networkCorporate networkDemilitarised zone (DMZ)Demilitarised zone (DMZ)
  • 17. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT17Introduction to attack techniquesThe rules people usually forget aboutn „The weakest point” rule - your network is as secure asits weakest pointn „The defense in depth” rule - the security of yournetwork should not rely on the efficacy of a one and agiven security mechanismn „Choke points” rule - any security mechanism iscompletely useless if there exist a way to bypass it
  • 18. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT18Introduction to attack techniquesThe myths people usually believen I am not going to be the target of a hack attackn Even if so, attackers are not skilled enough to get intomy network (NEVER, but NEVER UNDERESTIMATEYOUR OPPONENT)n My 10k$ worth firewall system is unbeatable, I haveput it at my front door and I am sure that it providesme with a high level of securityIf you believe any of the above, sooner or laterYOU WILL BE LOSTYOU WILL BE LOST!
  • 19. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT19Firewall attack techniquesAttackers goalsTo be able to communicate with/access services ofsystems located in a corporate network.To run code of attackers choice at some workstation/server located inside the attacked corporate network.
  • 20. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT20Firewall attack techniquesAttackers goals (2)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW CommunicationCommunicationserverserverDemilitarised zone (DMZ)Demilitarised zone (DMZ)AttackerscodeINTERNETINTERNETAttackerBackward connection to attackershost through HTTP (port 80)
  • 21. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT21Firewall attack techniquesThe pastn Packet fragmentationn Source porting (can be still used occasionally)n Source routingn Vulnerabilities in TCP/IP stackn FTP PASV related application proxy vulnerabilities(dynamic rules were created without properly assuringthat the PASV response string was part of a legitimateFTP connection)
  • 22. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT22Firewall attack techniquesThe presentn Attacks through external systemsThe goal: to use some trust relationship between theinternal network’s systems and systems from theoutside in order to get access to the internal network.n Attacks through content (passive attacks)The goal: to provide user with a content that whendealt with (opened) will execute attacker’s providedcoden Man in the middle attacksThe goal: to inject content into user traffic in such away so that attack through content will occur
  • 23. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT23Firewall attack techniquesAttacks through external systemsGetting in through trusted external systems can beaccomplished by first compromising the machines fromwhich access to the internal network is permitted.This might include:n home machine of the workers of the companyn the network of the 3rd party that does remoteadministration/outsourcing for the attacked companyn the network of the company’s office in some otherlocation/country
  • 24. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT24Firewall attack techniquesAttacks through external systems (2)Getting in through non trusted external systems can beaccomplished in several ways:n throughout the exploitation of a vulnerability in a clientsoftware (SecureCRT, ftp, ...)n by obtaining user credential information/othersensitive data from the user X screen grabbingn throughout the combination of the above, Netscape/Mozilla remote control capabilities and a JVMvulnerability
  • 25. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT25Firewall attack techniquesAttacks through external systems(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW CommunicationCommunicationserverserverDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETcompromised systemUser works (SSH session, Xforward)with some external system
  • 26. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT26Firewall attack techniquesAttacks through external systems(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW CommunicationCommunicationserverserverDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETcompromised systemAttacker steals user’sX-MIT-MAGIC-COOKIE
  • 27. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT27Firewall attack techniquesAttacks through external systems(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW CommunicationCommunicationserverserverDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETcompromised systemAttacker connects to user’sXDisplay
  • 28. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT28Firewall attack techniquesAttacks through external systems(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW CommunicationCommunicationserverserverDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETcompromised systemAttacker finds WindowID ofthe running Netscape 4.x/Mozilla process on user’s system
  • 29. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT29Firewall attack techniquesAttacks through external systems(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW CommunicationCommunicationserverserverDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETcompromised systemAttacker issues openURL() commandto the found window
  • 30. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT30Firewall attack techniquesAttacks through external systems(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW CommunicationCommunicationserverserverDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETcompromised systemUser’s web browser connects withthe attacker’s WWW server
  • 31. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT31Firewall attack techniquesAttacks through external systems(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW CommunicationCommunicationserverserverDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETcompromised systemAttacker inserts malicious payloadinto the requested web page(Java applet)
  • 32. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT32Firewall attack techniquesAttacks through external systems(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW CommunicationCommunicationserverserverDemilitarised zone (DMZ)Demilitarised zone (DMZ)AttackerscodeINTERNETINTERNETAttackerAttacker’s code gets executedon the user’s machine
  • 33. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT33Firewall attack techniquesAttacks through contentSending mail to the victim user containing:n an executable filen Microsoft Office document exploiting the macro bypassvulnerabilityn HTML mail body exploiting a flaw in InternetExplorer/Outlook Express or Netscape leading to thecode executionDEMONSTRATION
  • 34. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT34Firewall attack techniquesFile formats vulnerable to the “infection”There are many file formats used for holding text,graphics or multimedia data that can be used as acarrier of a malicious content.EXE,COM,BAT,PS, PDF CDR (Corel Draw)DVB,DWG (AutoCad) SMM (AMI Pro)DOC,DOT,CNV,ASD (MS Word) XLS,XLB,XLT (MS Excel)ADP, MDA,MDB,MDE,MDN,MDZ (MS Access) VSD (Visio)MPP,MPT (MS Project) PPT,PPS,POT (MS PowerPoint)MSG,OTM (MS Outlook) WPD,WPT (WordPerfect)
  • 35. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT35Firewall attack techniquesAttacks through content (2)n software installation files (RealPlayer, Winamp, webbrowsers, ...)n software for mobile phonesn screen saversn „funny” content in an executable formHacking some highly popular WWW/FTP server andputting a trojan horse file on itBackdooring source code of some very popular andcritical Internet service (apache, bind, sendmail, ...)
  • 36. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT36Firewall attack techniquesMan in the middle attacksYou cannot look at the security of your network only fromthe LAN/firewall perspectiveThere are also many other things you should take intoaccount because they may influence the security of yournetwork:n DNS servicen routing/security of routes
  • 37. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT37Firewall attack techniquesMan in the middle attacks(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW DNSDNS ServerServerDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETAttackerAttacker owns corporate DNSserver or can spoof DNS replies to it
  • 38. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT38Firewall attack techniquesMan in the middle attacks(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW DNSDNS ServerServerDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETAttackerUser enters www.yahoo.comaddress in his web browseryahoo
  • 39. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT39Firewall attack techniquesMan in the middle attacks(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW DNSDNS ServerServerDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETAttackerWeb browser requests the name ofwww.yahoo.com from thecorporate DNS serveryahoo
  • 40. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT40Firewall attack techniquesMan in the middle attacks(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW DNSDNS ServerServerDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETAttackerThe reply he gets points tothe attacker’s machineyahoo
  • 41. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT41Firewall attack techniquesMan in the middle attacks(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW DNSDNS ServerServerDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETAttackeryahooUser’s web browser connects withthe attacker’s WWW server
  • 42. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT42Firewall attack techniquesMan in the middle attacks(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW DNSDNS ServerServerDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETAttackeryahooAttacker connects with the real hostIt tunnels user’s HTTP trafficto www.yahoo.com
  • 43. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT43Firewall attack techniquesMan in the middle attacks(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW DNSDNS ServerServerDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETAttackeryahooAttacker inserts malicious payloadinto the requested web page(Java applet)
  • 44. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT44Firewall attack techniquesMan in the middle attacks(case study)IntranetIntranetserverserverDatabaseDatabaseserverserverCorporate networkCorporate networkWWWWWW DNSDNS ServerServerDemilitarised zone (DMZ)Demilitarised zone (DMZ)INTERNETINTERNETAttackeryahooAttackerscodeAttacker’s code gets executedon the user’s machine
  • 45. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT45Firewall attack techniquesDNS attacks are still the real threatDNS can be quite successfully manipulated through theuse of DNS spoofing („birthday attack” in particular)
  • 46. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT46Firewall attack techniquesDNS attacks are still the real threat (2)Although the CERT® Advisory CA-2002-31 from November 2002(Multiple Vulnerabilities in BIND) was issued there are still manyBIND servers that are vulnerable to the „cached SIG record”buffer overflow attackAs of February 2003, there were more than 40% of them...Why ?? Do we have such a situation because there was noofficial exploit code published for this issue ??THE CODE FOR THIS ISSUE EXIST
  • 47. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT47Firewall attack techniquesShort digressionWhich Web Browser is in your opinion the most secure?Which one do you use:- Internet Explorer- Netscape- Mozilla- Opera- any other ?
  • 48. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT48Firewall attack techniquesShort digression (2)This page contained information about not-yet disclosedsecurity vulnerability.Vendor has been provided with technical details of the bugon June 2nd 2003.DEMONSTRATION
  • 49. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT49Firewall attack techniquesFinal wordsn Attacker needs to find only one weakness in yoursecurity infrastructuren You are required to have none of them/all of thempatchedn Your security depends on the security of many, manycomponents...n Skilled, motivated attackers are the real threat andthey are really out there...
  • 50. Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT50FinallyThe EndThank you for your attention!adam.gowdiak@man.poznan.plPoznan Supercomputing and Networking Centerhttp://www.man.poznan.plCERT-POL34http://cert.pol34.pl