Firewall testing

Started by Magic Foundry, Oct 25, 2008, 18:25:34

Magic Foundry

Anyone know of a good, safe site for testing firewalls? I tend to use Shields Up (https://www.grc.com/x/ne.dll?bh0bkyd2) but it always tells me everything is super stealthed and locked down, etc. I suspect everyone gets the same answer though.

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Magic Foundry

Thanks, just tried it, same result. I suppose it's possible that my firewall is on top of things. I'm getting more paranoid as I get older.

Sebby

It's not a bad thing, MF. There are so many nasties out there these days that you can never be too careful. :)

somanyholes

My fav, can't beat it. Worth reading the manual though: http://nmap-online.com/

madasahatter

Hmmmmmm - I get this mate:

Starting Nmap 4.75 ( http://nmap.org ) at 2008-10-26 00:19 Central Europe (summer time)
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.10 seconds

Is that good, bad or indifferent? ;D

Magic Foundry

Same result as madasahatter. Interesting site though (http://nmap.org/); will go back there later for further reading I think.

somanyholes

It's basically giving advice that ping is being blocked. You can do fully customisable scans by selecting the custom option, so you could add -PN to the list.

Something like:

-F -T5 -sS -PN 195.92.70.130

Some of my brief notes for nmap are listed below. You can do a lot more with it than this but it covers the basics.

NMAP Features
ping sweeps
port scanning
service identification
ip address detection
operating system detection

Nmap port states are
open = open
filtered = firewalled
unfiltered = closed

Nmap scan types

TCP connect: The attacker makes a full TCP connection to the target system.

XMAS tree scan: The attacker checks for TCP services by sending XMAS-tree packets, which are named as such because all the "lights" are on, meaning the FIN, URG and PSH flags are set (the meaning of the flags will be discussed later in this chapter).

SYN stealth scan: This is also known as half-open scanning. The hacker sends a SYN packet and receives a SYN-ACK back from the server. It's stealthy because a full TCP connection isn't opened.

Null scan: This is an advanced scan that may be able to pass through firewalls undetected or modified. Null scan has all flags off or not set. It only works on UNIX systems.

Windows scan: This type of scan is similar to the ACK scan and can also detect open ports.

ACK scan: This type of scan is used to map out firewall rules. ACK scan only works on UNIX.

-sT TCP connect scan
-sS SYN scan
-sF FIN scan
-sX XMAS tree scan
-sN Null scan
-sP Ping scan
-sU UDP scan
-sO Protocol scan
-sA ACK scan
-sW Windows scan
-sR RPC scan
-sL List / DNS scan
-sI Idle scan
-sV service scan

-P0 Don't ping
-PT TCP ping
-PS SYN ping
-PI ICMP ping
-PB TCP and ICMP ping
-PP ICMP timestamp
-PM ICMP netmask

-oN Normal output
-oX XML output
-oG Greppable output
-oA All output
-T Paranoid Serial scan; 300 sec between scans
-T Sneaky Serial scan; 15 sec between scans
-T Polite Serial scan; .4 sec between scans
-T Normal Parallel scan
-T Aggressive Parallel scan, 300 sec timeout, and 1.25 sec/probe
-T Insane Parallel scan, 75 sec timeout, and .3 sec/probe

Understand SYN, Stealth, XMAS, NULL, IDLE and FIN Scans

SYN: A SYN or stealth scan is also called a half-open scan because it doesn't complete the TCP three-way handshake. The TCP/IP three-way handshake will be covered in the next section. A hacker sends a SYN packet to the target; if a SYN/ACK frame is received back, then it's assumed the target would complete the connection and the port is listening. If a RST is received back from the target, then it's assumed the port isn't active or is closed. The advantage of the SYN stealth scan is that fewer IDS systems log this as an attack or connection attempt.

XMAS: XMAS scans send a packet with the FIN, URG, and PSH flags set. If the port is open, there is no response; but if the port is closed, the target responds with a RST/ACK packet. XMAS scans work only on target systems that follow the RFC 793 implementation of TCP/IP and don't work against any version of Windows.

FIN: A FIN scan is similar to an XMAS scan but sends a packet with just the FIN flag set. FIN scans receive the same response and have the same limitations as XMAS scans.

NULL: A NULL scan is also similar to XMAS and FIN in its limitations and response, but it just sends a packet with no flags set.

IDLE: An IDLE scan uses a spoofed IP address to send a SYN packet to a target. Depending on the response, the port can be determined to be open or closed. IDLE scans determine port scan response by monitoring IP header sequence numbers.

Flag types

SYN—Synchronize. Initiates a connection between hosts.
ACK—Acknowledge. Established connection between hosts.
PSH—Push. System is forwarding buffered data.
URG—Urgent. Data in packets must be processed quickly.
FIN—Finish. No more transmissions.
RST—Reset. Resets the connection.

XMAS scan All flags set (ACK, RST, SYN, URG, PSH, FIN)
FIN scan FIN
NULL Scan No flags set
TCP connect / full-open scan SYN, then ACK
SYN scan / half-open scan SYN, then RST

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Ted

Make some deliberate holes in your firewall and test it again. If the tester picks them up you'll know your firewall is doing its job. :thumb:

Oh, and don't forget to plug your firewall back up afterwards.
Ted
There's no place like 127.0.0.1
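
Putting somanyholes' notes on -oG (greppable) output and port states together with Ted's suggestion of punching a deliberate hole, here is an added example (not code from the thread or from the Nmap project) that reads a greppable scan and compares it with the ports you actually meant to expose. The scan text embedded below is constructed to look like Nmap 4.75 output for the documentation address 192.0.2.10; it is not a real capture, and the allowlist of ports is an assumption for the demonstration. Ports reported as "open" or "unfiltered" are treated as reachable through the firewall, since in both cases a probe got an answer from the host rather than being dropped; "filtered" ports are the ones the firewall ate, and the bulk of those sit in the "Ignored State" count rather than in the per-port list.

```python
"""Check nmap greppable (-oG) output against the ports you intend to expose.

Added example, not code from the forum thread or from the nmap project. The
-oG text below is constructed to resemble Nmap 4.75 output for a documentation
address (192.0.2.10); it is not a real scan result.
"""
import re
from collections import Counter

# Constructed sample of "nmap -F -T5 -sS -PN -oG -" output. Fields within a
# Host line are tab-separated; each Ports entry has the layout
# port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_OG = (
    "# Nmap 4.75 scan initiated Sun Oct 26 00:19:00 2008 as: "
    "nmap -F -T5 -sS -PN -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, "
    "445/unfiltered/tcp//microsoft-ds///, 3389/closed/tcp//ms-term-serv///"
    "\tIgnored State: filtered (94)\n"
    "# Nmap done at Sun Oct 26 00:19:03 2008 -- 1 IP address (1 host up) "
    "scanned in 3.10 seconds\n"
)

IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")

# States in which the probe was answered by something behind the firewall.
REACHABLE = {"open", "unfiltered"}


def parse_grepable(text):
    """Return {host: {"ports": {(port, proto): state}, "ignored": (state, n)}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # "# Nmap ..." comment lines carry no results
        fields = line.split("\t")
        addr = fields[0].split()[1]  # "Host: 192.0.2.10 ()" -> the address
        rec = hosts.setdefault(addr, {"ports": {}, "ignored": None})
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    port, state, proto = entry.split("/")[:3]
                    rec["ports"][(int(port), proto)] = state
            elif field.startswith("Ignored State: "):
                m = IGNORED_RE.match(field)
                if m:
                    rec["ignored"] = (m.group(1), int(m.group(2)))
    return hosts


def count_states(scan, host):
    """Scanned ports per state, including the ones nmap folded into the
    'Ignored State' total (the firewalled bulk that -oG does not list)."""
    rec = scan[host]
    counts = Counter(rec["ports"].values())
    if rec["ignored"]:
        state, n = rec["ignored"]
        counts[state] += n
    return dict(counts)


def check_policy(scan, host, allowed):
    """Compare one host's results with the ports you meant to expose.

    allowed: set of (port, proto) tuples the firewall should let through,
    e.g. the deliberate hole you opened to prove the tester can see it.
    Returns (unexpected, missing): ports reachable but not on the list, and
    listed ports the scan did not report as open.
    """
    ports = scan[host]["ports"]
    unexpected = sorted(k for k, s in ports.items()
                        if s in REACHABLE and k not in allowed)
    missing = sorted(k for k in allowed if ports.get(k) != "open")
    return unexpected, missing


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    host = "192.0.2.10"
    print("ports by state:", count_states(scan, host))
    bad, gone = check_policy(scan, host, allowed={(22, "tcp"), (80, "tcp")})
    print("reachable but not allowed:", bad)   # [(445, 'tcp')]
    print("allowed but not seen open:", gone)  # []
```

Run a real scan with `-oG somefile` (or `-oG -` to print to the terminal), feed the file to parse_grepable, and put the hole you opened on purpose into the allowlist: if it turns up under "missing", the tester never saw it and the test is not telling you much; anything under "unexpected" is a port the firewall is letting through that you did not plan for.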