An introduction to the kinds of firewalls that exist in the real world, and a brief overview of what they do and how they function. Understanding the types of firewalls allows a penetration tester to quickly gather information from a host being scanned with the various techniques discussed in this segment.
Need to determine if a system or site is live, but ICMP echo is not working? ICMP types 0 and 8 are not the only types that can be sent, and many times administrators will only block those packets. Attackers can utilize tools like icmpenum to gather additional details about a network by requesting ICMP timestamp or information packets. This article describes how an attacker can abuse ICMP in order to determine if remote systems are alive.
Similar to firewalk, traceroute has the ability to bypass misconfigured firewalls using a similar technique. This article describes how an attacker can utilize firewalk in order to test the firewall and determine its effectiveness.
Firewalk is an older utility that allows the attacker to attempt to go one hop past the firewall. This tool can be effective against improperly configured firewalls and has the potential of allowing the attacker to peer into the IP addressing scheme that is one hop past the firewall.
Like nmap, hping3 can also be utilized to test firewall rules and allow an attacker to determine the firewall posture of an organization. This document covers hping as a method to scan the firewall and to determine its effectiveness.
Article describing a few methods to scan a network for firewall posture. This article discusses stateless scanning; it will also be updated with additional techniques as they become available, showing you how to utilize them to creep around firewalls.
One of the major advantages of spoofing is that an attacker can make it appear as though he or she is coming from a source that is not their own. While this is true in many cases, it can also help with firewall scanning. Non-routable IP addresses in the ranges 1-126, 128-191 and 192-223: should packets with these addresses bypass a firewall, the attacker gains the ability to hit address ranges past the DMZ. This article shows you how you can test firewalls that are improperly configured.
nmap is a network mapping application that can help identify which ports are open on a target host. While nmap is not limited to port scanning, it can also be utilized to test the firewall and see which packets the firewall is willing to accept (only SYN packets to start connections, rejecting specific packets, etc.). This article will walk you through some scans that you can perform against a firewall and what some of the intended results may be.
This article discusses some of the measures that an attacker can utilize to his/her advantage to drown out an actual attack. Utilizing a tool called sneeze, the attacker can take Snort rules and utilize them to generate a large number of false positives for the IDS while drowning out the actual attack.