Tuesday, January 25, 2022

PortScans and Firewalls

 >PortScans and Firewalls
>Written by: Paperghost [paperghost@vitalsecurity.net] Vital Security -
>irc.vitalsecurity.net - #vitalsecurity
>If this article scrolls off the edge of the page, go to Edit and select
>Word Wrap.

##  Important Note  ##

This article only touches briefly on the subject of PortScanning; its main
purpose is to show you some of the dangers inherent in using a Firewall.  If
you wish to know more about preventing/detecting PortScans, please read my
article "Windows Checklist".  It runs into slightly more detail about
avoiding PortScans, although I have yet to write an in-depth look at
PortScan Prevention.

##  Types of PortScan  ##

A portscanner is a device which simply scans PC's for open ports, so that
the hacker can begin to manipulate your system as they see fit.  Some are
configurable, allowing the user to scan a specific range; most have to go
from 0 to 65536.
PortScanning is the art of connecting to TCP and UDP ports on a system to
gather what services are either Running on a machine or in a Listening
state.  By doing this, the attacker can potentially compromise a service
that is known to have security vunerabilities.  Assuming your attacker knows
that your system is "alive" (which is an easy thing to do, using Ping
commands etc), they will now try to directly connect to your machine and
open up backdoors that they can exploit in the future.  When trying to do
this, their three main objectives are usually:

1) Identifying the Operating System of the target machine.

2) Identifying the TCP/UDP services running on the target system.

3) Identifying specific applications or versions of a particular service.

Of course, there will always be other information that your attacker will be
after, but for now we can concentrate on these three.  The main types of
scan are:

# TCP Connect Scan:  This scan connects to the target port and completes a
full "three way handshake" (SYN, SYN/ACK and ACK) but is easily detected by
the target system.

# UDP Scan:  Sends a UDP packet to the target port.  if the target responds
with an "ICMP Port Unreachable" message, the port is closed.  Obviously, if
this message is not received, it means the port is open.  Because UDP is
known as a "connectionless" protocol, the results of this type of scan can
be hugely unreliable.

# TCP ACK Scan:  This scan can be used to map out Firewall rulesets, helping
to determine if the Firewall is a simple packet filter allowing only
established connections, or a Firewall performing Advanced Packet Filtering.

# TCP SYN Scan:  This is commonly called half-open scanning, because a full
TCP connection is not made; all that happens is a SYN packet is sent to the
target port.  If a SYN/ACK is returned from the target, we can tell that it
is in the Listening state.  If RST/ACK is returned, it usually means the
port isn't listening.  A RST/ACK will be sent by the Port Scanner so that a
full connection is not established.  This obviously means that the scan is
harder to detect than a full TCP Connection, and so may not be picked up by
IDS Systems.

# TCP Windows Scan:  This scan can detect open and filtered/non filtered
ports on some Operating Systems due to a flaw in the way the TCP Windows
Size is reported.

# TCP RCP Scan:  On a scanned UNIX system, this scan will detect and
identify Remote Procedure Call Ports (RPC'S), as well as their associated
programs and version numbers.

Of course, a Firewall is a good thing to have when faced with PortScans; the
PortScan is usually the attacker's first tool, and so we should expect to be
protected from the first line of attack. The problem is, many Firewalls
offer up alarming security implications simply by using them.  They don't
make your computer MORE vunerable; rather, they secure it but leave a few
alarming windows open....

##  Firewalls are a Hazard  ##

IF....they're not configured properly.  You could have the greatest firewall
in the world, but if not set up right it may as well not be there at all.  
Don't get me wrong, a well designed and implemented firewall is nearly
impossible to get past, but vunerabilities are constantly being discovered
in all forms of online protection, and you need to make sure your firewall
is doing what it is supposed to; namely, protecting your machine.  When a
good firewall is in place, the attacker will have to try and work around it,
for example by using a dial-up account to attack, or exploiting common trust
relationships.  What YOU have to do is make sure your Firewall is absolutely
rock solid.  Put simply, if you know how to get past a firewall, then you'll
know exactly what to look for and how to react to potential attacks.

##  Identifying a Firewall  ##

Unfortunately, Firewalls are a little silly when it comes to maintaining
anonymity online.  With a quick port scan, a potential attacker can
determine what type of protection you have, what version of a firewall you
possess and the rules that it follows.  Often, when using telnet to connect
to a port that a firewall runs on, an advertisement banner will pop up
telling you about the "Great benifits of using their product".  This is,
obviously, very stupid indeed.  Now that they know what you're using, they
can begin to search for exploits and tricks to use against your protection.
Very silly attackers will use broad "sweep scans" which can be picked up by
many types of IDS (Intrusion Detection Systems), but more intelligent users
will attempt to be as stealthy as possible, and as soon as that happens,
most IDS systems will miss their probings entirely unless incredibly fine
tuned, as IDS programs are really only any use against crude, noisy attacks.
  Try some freeware and shareware IDS Programs to see which is the best for
you, and then go over the instructions with a fine tooth-comb, to make sure
that your IDS is as sensitive as possible; DON'T just expect it to run
"straight out of the box", so to speak.

#  UNIX and NT Attackers

If an attacker is using UNIX as their OS (which is quite likely), then more
often than not, they can run a simple Traceroute to deduce what kind of
Firewall you have (the same goes for users of NT).  In many cases, the
IP/target name etc that appears just before the target will be the Firewall,
but they will usually have to do a bit more clue-sniffing before they can
know this for certain.  Some Firewalls are configured not to respond to TTL
(Time-To-Live) data in IP Packets (which are the IP Packets used for
Tracerouting).  This is good, but you probably won't have any control over
preventing the Routers used to return data to the attacker, as these are
usually under your ISP's control.

# Banner Grabs

The previously mentioned banner grabbing exploits are quite worrying, as in
some cases there is nothing you can do about it.  By connecting to Port 21
(FTP) with Netcat, you can usually gain some information right away on
general pointers about the possible Firewall being used.  After that, a
common trick to confirm the Firewall's ID is to connect to Port 25 (Simple
Mail Transfer Protocol), and you will probably get a message saying
something like "Such-and Such a Firewall will not provide you with a mail
service".  Worrying, isn't it?
You can often alter the information on the Firewall's banner, but you would
need to get in touch with the Firewall's Creators to find out how to do this
correctly.  Remember, you would need to alter both the FTP and Telnet

# NMAP (Network Mapper)

An incredibly versatile tool, NMAP is used when all other measures have
returned no valuable information.  The biggest threat from NMAP is that,
unlike other scanners which usually return an "open" or "closed" result on
your scanned ports, NMAP will also tell you which ports are "blocked", which
can render stealthed modes on Firewalls completely useless when trying to
hide yourself online.  And, of course, the information returned all helps to
tell the attacker what you are running.  Again, the Router configuration
will probably be in the hands of your ISP, but you can at least detect these
attacks by using a decent Firewall which will log these attempts, or maybe
an "all in one" tool such as Genius.

# Firewalk

Another problematic tool, Firewalk works by scanning the host machine locked
away by the firewall, reporting back the rules allowed to the target machine
without actually touching it.  This is done by constructing packets with an
IP Time-To-Live calculated to expire one step past the firewall.  This is
because if the packet is allowed to pass the firewall, it will expire as
expected, giving up an "ICMP TTL Expired in Transit" message.  If the
packets are dropped, either no response will be sent or an ICMP type 13
admin prohibited filter packet will be sent.  The good news is, some
firewalls will detect that the packets have expired before checking its
Access Control Lists and return an ICMP TTL Expired packet in any case.  So,
more often than not, it will tell the attacker that ALL ports are open,
which obviously would not be the case.  It IS possible to block ICMP TTL
packets, but it isn't really advised as you can seriously mess up legitimate

# Poor ACL Rules

ACL stands for Access Control List, and these are the rules that determine
whether or not your Firewall will allow connections, what kind and from
whom.  Unfortunately, many firewalls are rather lax when it comes to giving
their users some sort of control over their ACL's, and misconfigurations can
give rise to glaring security holes which Crackers will be all too eager to
expose.  All you can do here is research exactly how much control over
aspects of security you have with your firewall.  Even the most "basic"
Firewall with regard to the options presented to you (such as ZoneAlarm)
gives you total control over what programs connect to the net, what programs
are trying to gain access etc.  Make sure you know exactly what is coming in
and out of your machine at all times, make use of Netstat every so often (if
you're really paranoid) to see what connections you have up and running and,
as I've mentioned many times before, occasionally switch between different
Firewall programs to keep attackers on their toes.

##  Summary  ##

I hope this article shows you the dangers of a poorly configured Firewall.  
I have only scratched the surface here, and there are many more devious and
complicated types of attack out there that can bring great harm to your
machine if left unchecked.  It must be worryingly clear to you just how much
information your supposed "line of defence" gives away to the very people
that it is trying to protect you from; more worrying still, there is
obviously a limit to the amount of control you can wield to tighten up these
security flaws.  Tools like NMAP, Netcat, Strobe and SATAN (now called
SAINT) are potentially lethal in the hands of someone who knows what they
are doing.  All I can say to you is contact your Firewall creators NOW and
ask them about these possible security implications, ESPECIALLY the Banner
Grab Technique and the threat posed by Firewalk.  New tools designed to get
around and exploit Firewalls are being developed all the time, and if your
Firewall is compromised, you effectively have lost your best (and
realistically, for a home user), ONLY line of defence.

The Internet is by no means as anonymous as some people think it is, and
although this is to the detriment of people's security online, this also
works both ways....it IS possible to find and stop even the most determined
of attackers, you just have to be patient and keep hunting for clues and
techiques which will help you put an end to their exploits.  Just remember:
You cannot hurt that which you cannot see.

>Article "PortScans and Firewalls" Copyright (C) 2001 Paperghost All Rights
>Loyalty and Protection for all our families
>email paperghost@vitalsecurity.net with comments.