Firewall penetration testing explained

Firewalls form the first line of defense in your organization’s IT infrastructure. As a result, the attackers are most likely to scan and exploit existing vulnerabilities. A firewall can be either software or hardware. It continuously inspects your organization’s incoming and outgoing traffic. Generally, firewalls have predetermined rules and policies to either grant or deny access. Moreover, it can also maintain an access control list to allow trusted networks to access the organizational network. Firewalls are placed inside the demilitarized zones (DMZs).
In most of the penetration testing that we have conducted over the years, firewalls are covered in the scope of a penetration testing exercise. In this article, we look at the steps involved in firewall penetration testing.

Gathering information about a firewall

.

1. Locating a firewall:The first step is to scan the network and locate the firewall(s). A penetration tester utilizes specially crafted packets containing TCP, UDP, or ICMP payloads. Nmap and Hping are commonly used tools for this purpose.
2. Traceroute: After locating a firewall, the tracert command can assist the tester in identifying the network range. Here, they can also gather information about the route taken by packets and determine devices and routers involved in the communication establishing process.
3. Port scanning: In this step, testers often prefer using Nmap due to a large number of scan customizations available. Nmap can help in finding open ports, services corresponding to each port, and their service versions. A penetration tester can customize a scan by selecting the scan type, options available for the selected scan type, timing of scan, aggressiveness, etc.
   For example,
   nmap -sS -p 0-1024 192.165.123.123 -T4 will send packets with SYN flag to the first 1024 ports using aggressive timing.
   This command can be followed by nmap -sV 192.165.123.123 to identify the services running on open ports.
4. Banner grabbing: Banner grabbing helps in the identification of a firewall’s version. This information is crucial in the later stages when penetration tests look for publicly available exploits. Here, the penetration tester crafts a connection request using Netcat for finding the firewall version. Further, a penetration tester may send various types of custom packets to elicit responses from a firewall. These responses help in understanding the type of firewall that needs to be bypassed. Variations can be due to protocols such as TCP or UDP and flags such as ACK, FIN, or SYN.
5. Access control enumeration: A firewall uses access control lists (ACLs) to deny or allow traffic to an organization’s network. While enumerating ACL, a penetration tester can observe the state of the firewall’s ports keenly. For example, using nmap -sA 192.165.123.123,
   It will send requests containing ACK flag to the first 1024 ports.
   If the results indicate that
   • A part is open: it is listening
   • Port state is filtered: firewall has blocked the port
   • Port state is unfiltered: firewall allows traffic through this port
6. Firewall architecture: In this step, a penetration tester uses tools such as Nmap, Hping, or Hping 2 for identifying the firewall architecture. If a firewall returns
   • RST/ACK packet: firewall rejected the packet
   • SYN/ACK packet: port is in the open state
   • No response: firewall dropped the packet
   • ICMP type 3 code 13 packets: firewall blocked the connection
7. Firewall policy:A penetration tester can test firewall policies in two possible ways:
   First, by sending a series of commands for confirming the expected behavior and configuration; and second, compare hard copies of policy configuration and compare with the expected configuration for finding the gaps.
8. Firewalking: Firewalking helps a penetration tester in mapping the network devices around a firewall in the network. It uses TTL (time-to-live) values and traceroute techniques for analyzing packets. This analysis helps in determining gateway ACL and network map.
9. Port redirection: At times, a tester cannot directly access specific open ports. In those cases, they use port redirection techniques using Fpipe or Datapipe tools. Once they’re able to sniff the traffic beyond the ports, they can compromise it to infected machines.
10. Testing (Network Penetration testing): A penetration tester may not always perform the actions in this step. However, these tests may provide detailed insights on how attackers may aim to attack an organization’s systems.
    An external test seeks to exploit vulnerabilities from the perspective of an external user without access and permissions. On the other hand, an internal test scans the target system by identifying vulnerabilities and assessing information exposure.
11. Covert channels: Covert channels allow the attackers to remain stealthy. It is a hidden communication connection, and attackers employ this to extract sensitive information. Successful installation of a backdoor may allow an attacker to establish a covert communication channel. Tools like Metasploit are used to create a reverse shell and facilitate the establishment of a covert channel.
12. HTTP tunneling: Organizations often use firewalls and proxies to hide their devices with restricted access. A penetration tester uses HTTP tunneling for encapsulating traffic by using tools such as HTTPPort.
    This tool allows a penetration tester to bypass HTTP proxies. It sends POST requests to an HTTP server and specifies hostname, port number, and request path.

Ending notes

As we have seen over the course of this article, there is no straightforward tool to perform penetration tests for firewalls. A penetration tester needs to employ an array of tools to gather information. Further, a detailed understanding of how different firewalls work and respond also helps during the exercise. If an organization has configured firewall rules and policies properly, the chances of a successful attack are substantially minimized.