7 - Network Pen Test Perimeter Flashcards
What are the steps for Firewall Pen Testing?
- Find info about FW
- Locate the firewall by conducting Traceroute
- Detect Open Ports and Services Allowed through FW using Firewalking
- Try to pass through FW using Hping
- Enumerate Firewall Access Control List Using Nmap
- Scan the FW for vulnerabilities
- Map FW Make and Version with Associated vulnerabilities
- Try to Bypass the Firewall using Fragmented Packets (-f)
- Try to Bypass the Firewall by Spoofed Packets (-D)
  - Decoy must be online
- Try to Bypass Firewall by Spoofed Source Port (-g)
- Try to Bypass Firewall by MAC Address Spoofing (--spoof-mac)
- Try to Bypass Firewall by IP Address Spoofing (-S)
- Try to Bypass Firewall by Varying Packet Size (--data-length)
- Try to Bypass Firewall by Sending Bad Checksums (--badsum)
- Try to Bypass Firewall using Port Redirection
- Try to Bypass Firewall using Anonymous Website Surfing Sites
- Try to Bypass Firewall using a Proxy Server
- Try to Bypass Firewall using Source Routing
- Try to Bypass Firewall using HTTP Tunneling Method
- Try to Bypass Firewall using ICMP Tunneling Method
- Try to Bypass Firewall using ACK Tunneling Method
- Try to Bypass Firewall using SSH Tunneling Method
- Try to Bypass Firewall through MitM Attack
- Try to Bypass Firewall using Malicious Contents
What are the steps for IDS Pen Testing?
- Test IDS for Resource Exhaustion
- Send ARP Flood
- MAC Spoofing
- IP Spoofing
- Sending SYN Floods
- Editing and Replaying Captured Network Traffic
- DoS Attack
- Anonymous Website Surfing Sites and a Proxy Server
- Using a Botnet
- Insertion on the IDS
  - Send packets whose TTL is crafted to reach the IDS but not the target, so the IDS and the end system reconstruct two different strings
- Sending a Packet to the Broadcast Address
- Sending Inconsistent Packets
- IP Packet Fragmentation
- Overlapping Fragments
- Ping of Death
- Unicode Evasion
- Polymorphic Shellcode
- Obfuscating or Encoding the Attack Payload
- False Positive Generation
- URL encoding
- Double Slashes
- TTL Evasion
- Sending a Packet to Port 0
- UDP Checksum
- TCP Retransmission
- TCP Flag Manipulation
- Urgency flag
- Initial Sequence Number Prediction
- Backscatter
  - Flood of messages returned by a host when it is flooded by a particular type of message
- Covert Channels
  - Hidden communication mechanism
- Method Matching
- Reverse Traversal
- Self-Referencing Directories
- Premature Request Ending
- Parameter Hiding
- HTTP Misformatting
- Long URLs
- Win Directory Syntax
- Null Method Processing
- Case Sensitivity
- Using Compressed Media Files
- Session Splicing
  - Adding delays between packets to bypass reassembly checking
- Bypass Invalid RST Packets through the IDS
What are some steps for Router Pen Testing?
- Identify Router Hostname
- Port Scan the Router
- Identify Router OS and version (-sS -sV)
- Identify Protocols Running
- Testing for Package Leakage at the Router
- Test for TFTP Connections
  - TFTP is used to push config files to routers
- Try to Retrieve the Router Config File
- Test for Router Misconfigurations
- Try to recover Router Passwords from Config File
- Test for VTY/TTY Connections
  - Requires physical access
- Try to Gain Access to the Router
- Test for Router Running Modes
  - Privileged Mode Attacks
- Test for SNMP Brute-forcing
  - v1 is insecure and cleartext
  - Try to log in using the default SNMP Community String
- Test if Finger is Running on the Router
  - Finger is a protocol (port 79)
- Test for CDP (Cisco Discovery Protocol) Protocol Running on the Router
- Test for NTP Protocol
  - A lot of companies use border routers to synchronize internal servers
- Test for Access to Router Console Port
- Test for Loose and Strict Source Routing
  - Loose Source: Only some hops in the path are defined
  - Strict Source: Every hop in the path is defined, from start to end
- Test for IP Spoofing
  - Possible if ACLs are not used on border/gateway routers
- Test for IP Handling Bugs
- Test ARP Attacks
- Test for Routing Protocol (RIP)
- Test for OSPF (Open Shortest Path First) Protocol
- Test BGP Protocol
  - Susceptible to hijacking
- Test for EIGRP Protocol
- Test Router DoS
- Test Router’s HTTP Capabilities
  - A web server might be running on the router and/or the router can be managed by browser
- Test for HTTP Config Vulnerabilities in Cisco Routers
- Test through HSRP Attack
  - Sends packets with high priority so that the active router network slows down.
What are some steps for Switch Pen Testing?
- Look for Security Misconfigurations in Cisco Switch Config
- Test for Address Cache Size
- Test for Data Integrity and Error Checking
- Test for Back-to-Back Frame Capacity
  - The number of frames in the longest burst that the switch will handle without the loss of any frames.
- Test for Frame Loss
  - Frame loss rate (%) = ((input_count - output_count) * 100) / input_count
- Test for Latency
- Test for Throughput
- Test for Frame Error Filtering
- Test for Fully Meshed Condition
  - Checks the total number of IP frames that the switch can handle when it receives frames on all its ports
- Functional Test for Stateless QoS
- Performance Test for Spanning Tree Network Convergence
- Test for OSPF Performance
- Test for VLAN Hopping
- Test for MAC Table Flooding
- Testing for ARP Attack
- Check for VTP (VLAN Trunking Protocol) Attack
How to test Firewalls from both sides?
Test from outside by sending packets from outside and seeing whether they pass through. Test from inside by analyzing the packets that arrive and checking whether the packets the FW let through match the firewall config.
- Test whether unauthorized connections can be created to internal network from outside.
- Identify Firewall rules by firewalking
- Check for reaction of FW to fragmented and spoofed packets that can be generated using a packet generator.
- Execute a vulnerability scanner on the hosts of firewall system from inside
- Conduct Traceroute to find out if FW is in place
- ‘Request Timed Out’ means packet could not make it there and back
What is Firewalking?
Determines if a given port is allowed through a firewall. Helps determine open ports on a firewall.
- If ‘TTL Exceeded Error’ comes back the port on the firewall is open
What are the 3 states of ports?
- Open: Port is listening
- Filtered: Port is blocked by an access control device (router/firewall)
- Unfiltered: Traffic is passing from access control devices (firewall/router)
What are the tunneling methods doing?
- HTTP Tunneling: Using port 80 to tunnel malicious traffic
- ICMP Tunneling: Using the data portion of ICMP Echo packets to tunnel malicious activity
- ACK Tunneling: Sending packets with the ACK bit set, since some FWs do not inspect these packets
- SSH Tunneling: Hiding malicious activity in encrypted traffic
What are some common techniques used to evade IDS systems?
- Pattern Matching
- Unicode Evasion: Convert attack strings to Unicode to avoid pattern and signature matching
- Crash central log server with DoS attack
- Trigger alerts with specially crafted packets
- Flood network with noise traffic to exhaust its resources
What modes are routers configured to run?
- User mode: The router displays the hostname followed by ‘>’
- Privileged mode: also known as Enable mode.
What methods of authentication does OSPF support?
- Plain Text
- MD5
What are some router DoS attacks?
- Malformed Packet: Uses malformed packet to cause DoS
- Packet Flood: When the attacker sends too many packets to the destination
What are some common switch misconfigurations?
- Default vulnerable configurations
- Unused ports
- Port Security
- Correct Timestamp
What are some illegal frames that a switch would receive?
- Undersized frames
- Dribble Errors
- Oversized frames
- Frames with CRC Errors
- Fragmented Frames
- Alignment Errors
What are some FW countermeasures?
- Don’t allow FW to send packets before the drop rule
- Don’t allow firewall to send out ICMP error messages
- Restrict FW from sending out packets (prevent revealing its IP address)
- Implement IDS
- Allow traffic based on service access policy
- Block scans on the gateway router itself