Security 104 - Routers, Firewalls, DMZs, and Tunnels
Author: Bill Ricardi
Introduction: Some people think of security testing as a strictly client-server affair, with the scope limited to an application and the host it runs on. But sometimes a client will give you free rein to test every aspect of their security. These clients want to see how a real attacker might get in, because they realize that any rules they impose on testers will be utterly ignored by attackers. Companies like this are usually realistic about expectations, and serious about their security.
If you're lucky enough to be testing for a client who lets you take the kid gloves off, you need to be able to mount an attack on any potential weakness you find. That means going after every network device on their side of the demarcation point (the point at which the upstream Internet provider hands responsibility off to the target company or to its web hosting company). It also means going after, or at least being aware of, any virtual perimeter they may have in place, such as tunnels or VPNs (Virtual Private Networks).
Routers and switches are how packets get from device to device. Without getting too bogged down in the details, switches move frames between devices on the same network segment, while routers forward packets between networks. A gateway router accepts traffic at the border of a client's network and passes it into the internal network (often through their DMZ and/or firewall). Additional routers and switches are used internally to organize, streamline, and subdivide the company's network.
In terms of security, if you can take control of a router you can perform some of the most damaging attacks there are. You can reroute all of the traffic coming into a company. You can quietly snoop on, filter, and modify incoming and outgoing packets. You can harvest user names and passwords for months or years without anyone noticing. The possibilities are endless.
The first thing to look for is the low-hanging fruit. If you can determine the make and model of the router you're trying to interface with (using automated tools or old-fashioned research), attempt to log in using the vendor's default administrative user name and password. There are many such lists on the Internet that you can consult (such as the one at http://www.phenoelit-us.org/dpl/dpl.html ). You can also try to break the router's default accounts with common password lists (like http://blog.jimmyr.com/Password_analysis_of_databases_that_were_hacked_28_2009.php ). Check first whether the management interface locks an account after a few failed attempts; a lockout both ends your attempt and tips off the administrator. You may have to research little tricks (control and escape key combinations, for example) to reach the login prompt on certain routers. Other routers may be impossible to log into without physical access, typically through the console port.
Finally, you can attempt automated attacks on the router's authentication, as well as exploits for known vulnerabilities in its management services (buffer overflows in the web, Telnet or SSH administration interfaces, for example). You will need to research the specific vulnerabilities of that model and firmware version, and find the right tools to attempt to gain access. Note that a Denial of Service (DoS) attack against a router is not a valid finding on its own: every router can be overwhelmed by enough traffic, and by Distributed Denial of Service (DDoS) attacks in particular; it's the nature of the beast. Unless the client explicitly wants availability tested, leave these out.
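The default-credential check described above, written out for a router whose web administration page uses HTTP Basic authentication. This is an added example, not code from the original article: the "router" is a stand-in http.server started inside the script (it accepts only admin:admin) so the demo runs offline, and the credential list is constructed for the demo rather than copied from any vendor list. Real routers also use form logins and Telnet/SSH prompts, which need a different login routine but the same stop-on-lockout discipline.

```python
"""Added example: try a list of default credentials against a router's web
admin page that uses HTTP Basic authentication.

The 'router' here is a stand-in http.server started inside this script, so the
demo runs offline; it accepts exactly admin:admin.  The credential list is
constructed for the demo, not copied from any vendor default list."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed candidate list (hypothetical, cheapest guesses first).
DEFAULT_CREDENTIALS = [
    ("admin", ""),
    ("admin", "password"),
    ("root", "root"),
    ("admin", "admin"),
]

# Ignore any http_proxy setting: the target is on our side of any proxy.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def try_basic_auth(url, username, password, timeout=5):
    """Return True if the server accepts the pair, False on 401.

    Any other HTTP error (a lockout page, a 403, a 5xx) is raised to the
    caller rather than counted as a wrong password, so an account lockout or
    a rate limit is noticed instead of silently burned through."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise


def find_default_credential(url, candidates=DEFAULT_CREDENTIALS):
    """Return the first (user, password) the server accepts, or None."""
    for username, password in candidates:
        if try_basic_auth(url, username, password):
            return (username, password)
    return None


class FakeRouterAdmin(BaseHTTPRequestHandler):
    """Stand-in for a router admin page; accepts only admin:admin."""
    ACCEPTED = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>Router status</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo():
    """Start the fake router on an ephemeral port, test the list, shut down."""
    server = HTTPServer(("127.0.0.1", 0), FakeRouterAdmin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return find_default_credential(f"http://127.0.0.1:{port}/")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("accepted credential:", run_demo())
```

Against a real device, point `find_default_credential` at the admin URL and replace the constructed list with entries from a published default-password list for that model. The deliberate design choice is in `try_basic_auth`: only a 401 counts as "wrong password"; anything else propagates, because a router that starts answering 403 or with a lockout page mid-run should stop the run, not be hammered further.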
Firewalls act as a buffer between the outside world and a client's internal network. A firewall marks a change in trust level, so when you see one you can assume there is something worth protecting on the other side. They're meant to safeguard against security breaches, act as a proxy, and filter traffic. Sometimes they don't stop you from accomplishing your goals. Sometimes they can be worked around. And sometimes you just want to take them down. If you're using any kind of broad scanning or shotgun approach, or if the client uses an extensive white-list system (where only hosts on a specific list have access to sensitive services), you may need to deal with the firewall first.
The first thing you need to do is identify the make and model of a hardware firewall, or the version and patch level of a software firewall. Automated fingerprinting tools are the most effective way to do this. Then research any known vulnerability in that product that you can take advantage of, and launch whatever attacks are available for it. If the target is a modern, up-to-date firewall, your best bet is to work around it: find the ports and services the firewall does not filter and see whether anything behind them is reachable. If you can't identify the firewall at all, at least figure out what kind of filtering it is doing, for instance by comparing which ports time out (silently dropped) with which ones are actively refused.
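One way to work out what a firewall is filtering is to watch how a plain TCP connect() fails on each port: a refusal means the host answered and nothing dropped the packet, while a timeout means something in the path swallowed the SYN. The following is an added example, not code from the original article. It demonstrates the open and closed verdicts against a listener started on localhost so it runs offline; the filtered verdict (a timeout) is the one you see through a firewall and is not reproduced locally.

```python
"""Added example: classify ports as open, closed or filtered from the way a
plain TCP connect() fails, which is the quickest way to see what a firewall
in front of a host actually drops.

The open and closed cases are demonstrated against a listener started on
localhost so the script runs offline.  'filtered' is what a firewall that
silently drops the SYN looks like (a timeout); it is not reproduced locally."""
import socket
import threading


def classify_port(host, port, timeout=2.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for one port.

    connect() succeeded            -> open        a service answered the SYN
    connection refused (RST back)  -> closed      host reachable, nothing listens,
                                                  nothing in between blocked us
    timed out (no SYN/ACK, no RST) -> filtered    something dropped the SYN: the
                                                  signature of a DROP rule
    any other OSError              -> unreachable no route, name lookup failed..."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def scan(host, ports, timeout=2.0):
    """Classify each port in turn; returns {port: verdict}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def summarize(results):
    """Group ports by verdict so that filtered ranges stand out."""
    summary = {}
    for port, verdict in sorted(results.items()):
        summary.setdefault(verdict, []).append(port)
    return summary


def _start_listener():
    """Bind an ephemeral port and accept (then drop) connections on it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def _closed_port():
    """Take an ephemeral port and release it, so it is closed (RST on SYN)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Scan one open and one closed port on localhost; returns the summary."""
    listener = _start_listener()
    try:
        results = scan("127.0.0.1", [listener.getsockname()[1], _closed_port()])
        return summarize(results)
    finally:
        listener.close()


if __name__ == "__main__":
    print(run_demo())
```

Run `scan()` against a host behind the firewall with a range of ports and read the `summarize()` output: a block of "filtered" next to a few "closed" ports tells you the firewall is dropping by port, while a host that is "closed" everywhere except its public services is probably answering through a REJECT rule rather than a DROP rule. This is a full-connect check, so it completes the handshake and will appear in the target's logs; it is the loud but unambiguous version of the test.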
DMZ is a military term adopted in network engineering; it stands for De-Militarized Zone. A company generally puts its border router, its firewall, and those servers that need to be reached from the outside world (mail, web, and proxy servers, for example) within the DMZ, then locks down the corporate LAN as tightly as possible. Properly implemented, a DMZ limits the damage an intruder can do: even if the attacker takes every machine in the DMZ, the workstations and file servers on the internal LAN will still be a challenge.
Most of your viable targets are going to be within the confines of the DMZ, but if you want to go one step further, get a network topology map (see the Logical Topology primer) of the DMZ. You're looking for the border switch or firewall on the 'far end' of the DMZ; in other words, whatever device guards the gateway from the DMZ to the internal LAN is your target. Normally you can work this out once you've compromised a server, router, or firewall and put its network interface into promiscuous mode. You can then sniff packets coming in from the secure LAN, record the MAC and IP addresses, and gather the information that lets you map the internal network and look for ways past the internal security measures. Keep in mind that on a switched segment, promiscuous mode only shows you broadcast traffic and traffic addressed to the compromised host; a router or firewall that forwards traffic for the whole segment sees far more, which is why those are the preferred vantage points.
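What you do with sniffed frames, as an added example (not code from the original article): parse each Ethernet frame, pull out the MAC and IPv4 addresses, and build a host map. The frames here are constructed by hand for the demo rather than captured from any real network, and the gateway MAC address is hypothetical. The parser handles untagged Ethernet II frames carrying IPv4 and skips everything else (ARP, IPv6, 802.1Q-tagged frames); for live capture you would feed it frames from a raw socket or a pcap library.

```python
"""Added example: turn frames seen by an interface in promiscuous mode into a
host map (MAC address -> IPv4 addresses seen using it).

The frames are constructed by hand for the demo, not captured from any real
network.  The parser handles untagged Ethernet II frames carrying IPv4 and
skips anything else (ARP, IPv6, 802.1Q-tagged frames)."""
import struct

ETHERTYPE_IPV4 = 0x0800


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip, ip_protocol), or None when
    the frame is not an IPv4 packet we can read."""
    if len(frame) < 14 + 20:          # Ethernet header + minimal IPv4 header
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:34]
    if ip[0] >> 4 != 4:               # version nibble must say IPv4
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    return (fmt_mac(src_mac), fmt_mac(dst_mac), src_ip, dst_ip, ip[9])


def build_host_map(frames):
    """MAC -> sorted IPs that have been *sent* from that MAC.

    Only the source side is recorded: the destination MAC of a frame bound for
    another network is the gateway's, not the final host's, so pairing
    dst_mac with dst_ip would wrongly attribute remote addresses to the gateway."""
    hosts = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, _, src_ip, _, _ = parsed
        hosts.setdefault(src_mac, set()).add(src_ip)
    return {mac: sorted(ips) for mac, ips in hosts.items()}


def likely_gateways(host_map):
    """A MAC that sources traffic for several IPs is forwarding for others:
    a router, firewall or NAT device, i.e. the far-end device we are after."""
    return sorted(mac for mac, ips in host_map.items() if len(ips) > 1)


def make_frame(src_mac, dst_mac, src_ip, dst_ip, protocol=6):
    """Constructed IPv4-over-Ethernet frame: 20-byte IP header, no payload,
    checksum left at zero (fine for a parsing demo, not for sending)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, protocol, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip


GATEWAY = "aa:bb:cc:00:00:fe"   # hypothetical inner firewall/router MAC

# Constructed sample capture: two LAN hosts talking through the gateway, the
# gateway forwarding a reply from another subnet and pinging a host itself,
# and an ARP broadcast that the parser must skip.
SAMPLE_FRAMES = [
    make_frame("aa:bb:cc:00:00:01", GATEWAY, "10.0.0.5", "192.168.1.20"),
    make_frame("aa:bb:cc:00:00:02", GATEWAY, "10.0.0.7", "192.168.1.20", protocol=17),
    make_frame(GATEWAY, "aa:bb:cc:00:00:01", "192.168.1.20", "10.0.0.5"),
    make_frame(GATEWAY, "aa:bb:cc:00:00:02", "10.0.0.1", "10.0.0.7", protocol=1),
    bytes.fromhex("ffffffffffff" "aabbcc000001" "0806") + bytes(28),   # ARP request
]

if __name__ == "__main__":
    host_map = build_host_map(SAMPLE_FRAMES)
    for mac, ips in sorted(host_map.items()):
        print(mac, ips)
    print("gateway candidates:", likely_gateways(host_map))
```

The useful output is `likely_gateways()`: a MAC address that sources frames for several IP addresses, especially ones on a different subnet, is forwarding on behalf of other hosts, and that is the far-end router or firewall the section tells you to hunt for. The IPs behind it (192.168.1.20 in the constructed capture) are your first glimpse of the internal addressing.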
Tunneling and VPN's
Tunneling is a method of defending network traffic against being snooped while it is 'in the clear', or unencrypted. It is also a method of attack, allowing you to encapsulate a stream of data so that a firewall passes it instead of filtering it. Without getting into the complexities of the OSI Networking Model (see the Cisco handbook at http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Intro-to-Internet.html#wp1020627 ), tunneling means wrapping the traffic of one protocol inside another. This disguises and protects (and in many cases encrypts) the data in transit. At the other end the outer packets are unwrapped and the original traffic is delivered.
One of the most common, useful, and flexible tunnels is SSH (Secure Shell). SSH port forwarding can wrap and encrypt all sorts of traffic, such as Telnet and HTTP, and its dynamic forwarding mode acts as a SOCKS proxy for any TCP connection a client makes. While this is usually a method used for breaking OUT of a company's restrictive firewall, in some rare cases you can use it to break in: an SSH server reachable from the outside that also has a foot in the internal network will forward your connections inward. Be on the lookout for such services when you do your port scans.
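The wrap-and-unwrap step itself, as an added example that is not code from the original article. Three pieces run on localhost so it works offline: the protected inner service, a tunnel endpoint (the role the SSH server plays when forwarding), and a client that only ever talks to the tunnel. The framing is a plain 4-byte length prefix standing in for SSH's encrypted channel; the wrapper is deliberately trivial so that the layering, not the cryptography, is what you see. All names and addresses are assumptions for the demo.

```python
"""Added example: a minimal TCP tunnel showing the encapsulate / unwrap step
that SSH port forwarding performs.

Three pieces run on localhost so the script works offline: the protected
inner service, the tunnel endpoint (the role the SSH server plays) and a
client that reaches the service only through the tunnel.  The framing is a
plain 4-byte length prefix rather than SSH's encrypted channel."""
import socket
import struct
import threading


def encapsulate(payload):
    """Wrap one chunk of inner-protocol traffic in the carrier's framing."""
    return struct.pack("!I", len(payload)) + payload


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf


def decapsulate(sock):
    """Read one framed chunk from the carrier and return the inner bytes."""
    (length,) = struct.unpack("!I", _read_exact(sock, 4))
    return _read_exact(sock, length)


def inner_service(srv):
    """The protected service behind the firewall: answers 'OK:' + request.
    It only ever sees an ordinary connection from the tunnel endpoint."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            conn.sendall(b"OK:" + conn.recv(4096))


def tunnel_endpoint(srv, target):
    """Far end of the tunnel: unwrap what arrives, deliver it to the inner
    service as plain traffic, wrap the reply and send it back out."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            request = decapsulate(conn)
            with socket.create_connection(target) as svc:
                svc.sendall(request)
                reply = svc.recv(4096)
            conn.sendall(encapsulate(reply))


def send_through_tunnel(tunnel_addr, request):
    """Near end: the client talks to the tunnel, never to the service."""
    with socket.create_connection(tunnel_addr) as tun:
        tun.sendall(encapsulate(request))
        return decapsulate(tun)


def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s


def run_demo(request=b"GET / HTTP/1.0\r\n\r\n"):
    """Stand everything up on ephemeral ports and send one request through."""
    svc, tun = _listen(), _listen()
    threading.Thread(target=inner_service, args=(svc,), daemon=True).start()
    threading.Thread(target=tunnel_endpoint, args=(tun, svc.getsockname()),
                     daemon=True).start()
    try:
        return send_through_tunnel(tun.getsockname(), request)
    finally:
        tun.close()
        svc.close()


if __name__ == "__main__":
    print(run_demo())
```

The point to notice is where each piece sits. A firewall between the client and the tunnel endpoint only sees the carrier protocol (here, framed bytes on whatever port the endpoint listens on; with SSH, an encrypted session on port 22), and the inner service only sees a connection from the endpoint, which is why an SSH server straddling the perimeter is such a valuable find: the HTTP request above could just as well be a Telnet session to an internal router.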
Another common method companies use to give employees full access to their network while blocking potential attacks is to set up a Virtual Private Network (VPN). The goal of a VPN is to let users work from home with full access to internal network stores, shared drives, even remote printers. If you have no experience setting up a VPN and want to see how they function, pick up some VPN software and start experimenting! Some of the most popular VPN software can be found here: http://lifehacker.com/5487500/five-best-vpn-tools
The bad news is that a well-configured VPN is a highly effective way of locking all non-public services away from the rest of the world. The normal method of breaking into a VPN is social engineering (tricking employees into divulging authentication information), which is usually out of bounds in a testing environment. The good news is that if you do find a back door into the VPN, through a poor configuration or a well-researched bug you can take advantage of, you probably have the run of the network. At the least, you gain the same level of access as a normal employee, and can work your way up from there.
As you can see, the vast majority of attacks against secure network appliances come down to either weak passwords or an extensive amount of probing and research that turns up a precious nugget of security gold you can use to your advantage. So get on the ball, research which automated discovery and intrusion tools are right for you, and then get cracking!