First of all, we need to understand some basic principles of firewall implementation. Current firewalls are mainly of three kinds: packet filtering, stateful inspection packet filtering, and application-layer proxy firewalls. Their basic implementations are similar.
External network --- Router --- | Network card | Firewall | Network card | --- Internal network
A firewall generally has at least two network cards: one connected to the external router and the other connected to the internal network. When the host's network forwarding function is turned on, traffic can pass directly between the two network cards. With a firewall in place, it is as if something were plugged in between the two cards to control all network communication.
Speaking of access control, this is the core of the firewall :) The firewall's decisions are mainly made against an access control table, which is generally a series of rules of the following form:
1 accept from <source address, port> to <destination address, port> + action to take
2 deny ......... (deny means reject)
3 nat ......... (nat is address translation, discussed later)
After the firewall receives a packet at the network layer (together with the data link layer below it), it matches the packet against the rules in the table one by one from the top. If a rule matches, the pre-arranged action is performed! If no rule matches, the packet is discarded . . . .
However, different firewalls differ in how they implement this judgement. The following are possible attacks based on each implementation principle.
2. Attacking packet filtering firewalls
The packet filtering firewall is the simplest type. It intercepts packets at the network layer and checks them against the firewall's rule table. It filters on the packet's source IP address, destination IP address, TCP/UDP source port and TCP/UDP destination port!! It is very vulnerable to the following attacks:
1 IP spoofing attack:
This attack mainly modifies the source and destination addresses and ports of a packet to imitate legitimate packets and fool the firewall's checks. For example, an external attacker changes the source address of his datagram to an internal network address, and the firewall lets it through when it sees what looks like a legal address :). However, if the firewall can match the arrival interface against the address, this attack will not succeed :(
2 Denial of service attack
A simple packet filtering firewall cannot track TCP state and is easily hit by denial of service attacks. Once the firewall is under attack, it may be so busy processing the flood that it forgets its own filtering function :) You can then slip past it, but attacks like this are rare!
3 Fragment attack
The principle of this attack is: in a fragmented IP datagram, every fragment carries a fragment offset field that marks its position in the datagram, but only the first fragment contains the TCP port numbers. When the fragments pass through a packet filtering firewall, the firewall decides whether to allow them based only on the TCP information in the first fragment; the following fragments are not checked at all and are passed straight through.
So an attacker can first send a legitimate first fragment to fool the firewall's check, then put malicious data in the following fragments, which pass straight through the firewall and reach the internal host, threatening the security of the network and the host.
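An added example, not code from the original article, that models the rule table from the start of this section together with the IP spoofing and fragment attacks just described: the plain filter shows why both get through, and the hardened filter shows the interface check and the RFC 1858 fragment rules that stop them. Addresses, interface names and rules are constructed for the demonstration.

```python
"""Packet-filter model: rule table, anti-spoofing and fragment handling.

Added example, not code from the original article. A plain filter trusts the
source address and, because only the first IP fragment carries the TCP ports,
passes later fragments unchecked. The hardened filter checks the arrival
interface against the address and applies the RFC 1858 fragment rules.
Addresses, interface names and rules are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

MIN_TCP_HEADER = 20   # bytes a first fragment must carry to hold ports and flags


@dataclass
class Packet:
    iface: str                    # interface it arrived on: "ext" or "int"
    src: str
    dst: str
    dport: Optional[int] = None   # None for later fragments (no TCP header)
    frag_id: int = 0              # IP identification field
    frag_offset: int = 0          # in 8-byte units; 0 == first fragment
    length: int = 1480            # payload bytes in this fragment


@dataclass
class Rule:
    action: str                   # "accept" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


INTERNAL = ip_network("10.0.0.0/8")   # constructed internal address range

# Constructed rule table, matched top to bottom like the table in the text.
RULES = [
    Rule("accept", src="10.0.0.0/8"),              # anything "from inside"
    Rule("accept", dst="10.0.0.80/32", dport=80),  # inbound web only
    Rule("deny"),                                  # default deny
]


def first_match(p: Packet) -> str:
    for r in RULES:
        if r.matches(p):
            return r.action
    return "deny"


def naive_filter(p: Packet) -> str:
    """Plain packet filter: trusts the source address and, because only the
    first fragment has a TCP header, passes every later fragment unchecked."""
    if p.frag_offset != 0:
        return "accept"
    return first_match(p)


class HardenedFilter:
    """Interface-aware filter that also tracks fragment state per datagram."""

    def __init__(self) -> None:
        # (src, dst, frag_id) -> verdict given to that datagram's first fragment
        self.verdicts: Dict[Tuple[str, str, int], str] = {}

    def filter(self, p: Packet) -> str:
        # Anti-spoofing: an internal address may only arrive on the internal
        # interface, and an external address only on the external one.
        if (ip_address(p.src) in INTERNAL) != (p.iface == "int"):
            return "deny"
        key = (p.src, p.dst, p.frag_id)
        if p.frag_offset == 0:
            # Tiny first fragment: the TCP header would spill into fragment 1.
            if p.length < MIN_TCP_HEADER:
                return "deny"
            verdict = first_match(p)
            self.verdicts[key] = verdict
            return verdict
        if p.frag_offset == 1:
            # Offset 1 (bytes 8..15) could overwrite the flags of fragment 0.
            return "deny"
        # A later fragment is only as welcome as its first fragment was; with
        # no recorded first fragment there is nothing to trust, so drop it.
        return self.verdicts.get(key, "deny")
```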
4 Trojan attack
The most effective attack on a packet filtering firewall is a Trojan. Once a Trojan is installed on the internal network, the firewall is basically powerless.
The reason: a packet filtering firewall generally only filters the low ports (1-1024), while the high ports cannot be filtered (some services need to use high ports, so the firewall cannot close them), so many Trojans listen and wait on high ports, such as Glacier, SubSeven, etc. . .
However, the premise of a Trojan attack is that the Trojan must first be uploaded and run. Against a simple packet filtering firewall this is easy to do; I won't write about it here. It generally takes advantage of vulnerabilities in the services that internal hosts expose.
Early firewalls were all of this simple packet filtering type. Few are left now, but some still exist. Nowadays packet filtering uses stateful inspection technology, so let's talk about stateful inspection packet filtering firewalls.
3. Attacking stateful inspection packet filters
Stateful inspection technology was first proposed by Check Point, and many firewalls in China claim to implement it.
But :) many have not really implemented it. What exactly is stateful inspection?
In a word, stateful inspection is a technology that tracks and checks everything from the establishment of a TCP connection to its termination.
The original packet filtering matched rules against each packet on its own. But we know that for the same TCP connection the packets are related to one another: first the SYN packet, then the packets that follow, and finally the FIN packet, and the sequence numbers of successive packets are related too.
If these relationships are split apart and packets are filtered individually, the filter can easily be fooled by carefully crafted attack packets!!! For example, nmap's scans use SYN, FIN and RST packets to probe the network behind the firewall!
By contrast, when a connection is initiated through a complete stateful inspection firewall, the firewall checks whether the rules are met and, if so, registers the connection's state information (addresses, ports, options, ...) in memory; subsequent packets belonging to the same connection need not be checked again and pass directly. Carefully constructed attack packets are discarded, because no corresponding state information is registered in memory for them. In this way such attack packets cannot slip past the firewall.
Speaking of stateful inspection, dynamic rule technology must be mentioned. In stateful inspection, dynamic rules are used to solve the high-port problem described above. The principle is: normally the firewall can filter all ports of the internal network (1-65535), so it is hard for an external attacker to find an entry point for intrusion. But so as not to affect normal services, once the firewall sees that a service must open a high port (for example the FTP protocol, IRC, etc.), it dynamically adds a rule in memory to open the relevant high port. After the service has finished, the firewall deletes this rule again. This ensures safety without affecting normal service, and it is fast too!
Generally speaking, a firewall that fully implements stateful inspection is fairly intelligent, and some can even respond automatically to scanning attacks. So the attacker must be very careful not to be discovered.
Even so, there are many attack methods for dealing with such firewalls.
1 Protocol tunnel attack
The idea of a protocol tunnel is similar to the principle of a VPN. The attacker hides malicious attack packets inside packets of some other protocol, thereby penetrating the firewall to attack the internal network.
For example, many firewalls that simply allow ICMP echo requests, ICMP echo replies and UDP packets through are vulnerable to ICMP and UDP protocol tunnels. Loki and lokid (the client and server of the attack) are effective tools for implementing such attacks. In an actual attack, the attacker must first manage to install the lokid server on a system in the internal network; then, through the loki client, he can embed the commands he wants to execute remotely in the corresponding IP packets and send them to the lokid server on the internal network, which executes the commands and returns the results the same way.
Since many firewalls allow ICMP and UDP packets in and out freely, the attacker's malicious data can ride along in normal packets, bypass the firewall's checks, and reach the target host. The following command starts the lokid server program:
lokid -p -I -v1
The loki client program is started as follows:
loki -d 172.29.11.191 (the target host) -p -I -v1 -t3
In this way, lokid and loki together provide a backdoor through the firewall to the target system.
2. Using FTP-PASV to bypass the firewall's checks
The FTP-PASV attack is one of the important means of intrusion against firewalls, and at present many firewalls cannot filter it. For example, Check Point's Firewall-1, while monitoring the packets the FTP server sends to the client, looks for the string "227" in each packet. If it finds such a packet, it extracts the destination address and port from it and verifies the destination address; once that passes, a TCP connection to that address and port is allowed to be established.
This feature allows an attacker to arrange a connection to servers and services protected by the firewall.
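An added example, not code from the original article, that models the stateful inspection and dynamic rule behaviour described in the previous section together with the FTP "227" handling just described: packets with no registered connection state are dropped, and a 227 reply only opens a pinhole after the address it names is checked against the server that sent it. Addresses and ports are constructed for the demonstration.

```python
"""Stateful inspection model with dynamic FTP passive-mode pinholes.

Added example, not code from the original article. A SYN that the rule
table permits creates a connection entry; later packets pass only if an
entry exists, so a bare FIN, ACK or RST probe with no matching state is
dropped. A "227" reply on a tracked FTP control channel opens a one-shot
pinhole (the dynamic rule described above), but only if the reply starts
the message and points back at the sending server on an unprivileged port.
Addresses and ports are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     r"(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
FTP_CONTROL_PORT = 21


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)
    payload: str = ""


def parse_pasv_reply(payload: str) -> Optional[Tuple[str, int]]:
    """Return (address, port) from a well-formed 227 reply, else None."""
    m = PASV_RE.match(payload)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


class StatefulFirewall:
    """Connection-tracking filter for flows initiated from the inside."""

    def __init__(self, allowed_dports) -> None:
        self.allowed: Set[int] = set(allowed_dports)   # static rules: ports inside hosts may open
        self.conns: Dict[Tuple[str, int, str, int], str] = {}  # 4-tuple -> state
        self.pinholes: Dict[Tuple[str, int], str] = {}  # (server, port) -> client allowed in
        self.log: List[str] = []

    def inspect(self, s: Segment) -> str:
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        if fwd in self.conns:
            return self._tracked(s, fwd)
        if rev in self.conns:
            if s.sport == FTP_CONTROL_PORT:
                self._learn_pasv(s)    # server reply on a tracked FTP control channel
            return self._tracked(s, rev)
        # No state: only a SYN allowed by the static rules or by a pinhole may start a flow.
        if s.flags == "S" and (s.dport in self.allowed
                               or self.pinholes.get((s.dst, s.dport)) == s.src):
            self.pinholes.pop((s.dst, s.dport), None)   # the dynamic rule is one-shot
            self.conns[fwd] = "SYN_SENT"
            return "accept"
        self.log.append(f"drop stateless {s.flags or 'ACK'} {s.src}:{s.sport}->{s.dst}:{s.dport}")
        return "drop"

    def _tracked(self, s: Segment, key: Tuple[str, int, str, int]) -> str:
        if "R" in s.flags:
            del self.conns[key]                # reset ends the flow at once
        elif "F" in s.flags:
            self.conns[key] = "CLOSING"        # a real firewall then ages the entry out
        elif self.conns[key] == "SYN_SENT" and "S" in s.flags and "A" in s.flags:
            self.conns[key] = "ESTABLISHED"
        return "accept"

    def _learn_pasv(self, s: Segment) -> None:
        parsed = parse_pasv_reply(s.payload)
        if parsed is None:
            return
        addr, port = parsed
        # The reply must point back at the server that sent it and at an
        # unprivileged port; anything else is treated as a forged 227.
        if addr != s.src or port < 1024:
            self.log.append(f"ignore suspicious 227 from {s.src}: {addr}:{port}")
            return
        self.pinholes[(addr, port)] = s.dst   # only this client, only this port
```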
3. Rebound (reverse-connection) Trojan attack
The rebound Trojan is the most effective way to deal with such a firewall. A rebound Trojan on the internal network regularly connects out to a host controlled by the external attacker. Since the connection is initiated from the inside, the firewall (any firewall) regards it as a legitimate connection, so this is basically the firewall's blind spot: it cannot distinguish Trojan connections from legitimate ones.
But the limitation of this attack is that the Trojan must be installed first!!! The first step is the key for all Trojans!
4. Attacking proxy firewalls
A proxy is a firewall running at the application layer. It essentially sets up two connections: one from the client to the proxy, and the other from the proxy to the destination server.
The implementation is relatively simple, and just like the previous types it filters according to rules. Because it runs in the application layer, it is slower.
There are many ways to attack a proxy.
Let's take WinGate as an example here and talk about it briefly. (Too tired)
WinGate is a widely used proxy firewall software for Windows 95/NT. Internal users can access external networks through a host with WinGate installed, but it also has several security vulnerabilities.
Hackers often exploit these vulnerabilities to gain unauthorized Web, Socks and Telnet access through WinGate, then masquerade as the WinGate host to launch an attack on the next target. Such attacks are therefore very difficult to trace and log.
Most WinGate vulnerabilities arise because administrators do not configure the WinGate proxy firewall software for the actual situation of their network, but simply run the software with its default settings after installation, which gives attackers an opening.
1 Unauthorized Web access
Some WinGate versions (such as version 2.1d running on NT) allow external hosts to access the Internet completely anonymously when misconfigured. External attackers can therefore use the WinGate host to launch various web attacks against web servers (such as CGI vulnerability attacks). And since all packets of a web attack go through TCP port 80, it is difficult to trace the attacker's source.
Test
The method to detect whether a WinGate host has this vulnerability is as follows:
1) Connect to the Internet over a connection that will not be filtered (such as a dial-up connection).
2) Point the browser's proxy server address at the WinGate host to be tested.
If the browser can access the Internet, the WinGate host has the unauthorized web access vulnerability.
2 Unauthorized Socks access
In WinGate's default configuration the Socks proxy (TCP port 1080) also has a vulnerability. As with the open web proxy (TCP port 80), external attackers can use the Socks proxy to access the Internet.
Prevention
To prevent attacks on this WinGate vulnerability, administrators can restrict the binding of specific services. On a multi-homed system, perform the following steps to define how proxy services are provided.
1 Select the Socks or WWW Proxy Server properties.
2 Select the Bindings tab.
3 Press the "Connections Will Be Accepted On The Following Interface Only" button and specify the internal interface of this WinGate server.
3 Unauthorized Telnet access
This is WinGate's most threatening vulnerability. By connecting to the Telnet service of a misconfigured WinGate server, an attacker can use someone else's host to hide his own traces and launch attacks at will.
Test
The method to detect whether a WinGate host has this vulnerability is as follows:
1. Use telnet to try to connect to the WinGate server.
[root@happy /tmp]# telnet 172.29.11.191
Trying 172.29.11.191...
Connected to 172.29.11.191.
Escape character is '^]'.
Wingate> 10.50.21.5
2. If you receive the response text shown above, enter the site you want to connect to.
3. If you then see the login prompt of the new system, the server is vulnerable.
Connected to host 10.50.21.5...Connected
SunOS 5.6
Login:
Countermeasures
The method to prevent this vulnerability is similar to that for unauthorized Socks access: simply restricting the binding of specific services in WinGate solves the problem. Generally speaking, the administrator of a multi-homed system can do this with the following steps:
1. Select the Telnet Server property.
2. Select the Bindings tab.
3. Press the "Connections Will Be Accepted On The Following Interface Only" button and specify the internal interface of this WinGate server.
5. Afterword
Attacks on firewalls are not limited to the points above. If I have written anything wrong, please correct me.
Hackers have always studied the technologies and means of attacking firewalls, and the attack methods and techniques are becoming more and more intelligent and diversified. However, judging from the process by which hackers attack firewalls, the attacks can be roughly divided into three types.
The first type of firewall attack is to detect what kind of firewall system is installed on the target network and find out which services this firewall system allows. We call this a reconnaissance attack on the firewall.
The second type of firewall attack is to bypass the firewall's checks by means such as address spoofing and TCP sequence number attacks, thereby compromising the firewall and the internal network.
The third type of firewall attack is to find and exploit vulnerabilities in the firewall system's design and implementation, so as to launch targeted attacks. This kind of attack is quite difficult, but very destructive.