Honeypots, IDSs, and Firewalls 387
An attacker can leverage this by sending packets with the ACK flag set using a tool such as AckCmd.
HTTP Tunneling
An additional variation of the tunneling method exploits the HTTP protocol. This method may be one of the easiest to use, mainly because HTTP is already allowed through many firewalls as part of normal operation. HTTP traffic is considered normal because just about every company needs Internet access or must expose resources such as web servers and web applications to the public, so a flow of HTTP traffic across the firewall does not appear abnormal.

One tool that may be used to exploit this situation is HTTPTunnel, which uses a client-server architecture to facilitate its operation.
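Because the tunnel rides on traffic the firewall is required to permit, the defender's leverage is in the proxy or web-gateway logs rather than in the packet filter. The following is an added example (not code from the book, from HTTPTunnel, or from any product) of two heuristics a log review can apply: a CONNECT request to a port that is not a normal web port, and a run of large, opaque POST uploads that receive almost no response. The log format, the sample lines, and every threshold are assumptions chosen for the example.

```python
"""Flag proxy-log entries that look like HTTP tunneling rather than browsing.

Added example, not from the book. The log format (timestamp, client IP,
method, host:port, status, bytes sent by the client, bytes returned,
content type) and all thresholds below are assumptions.
"""
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic).
LOG_LINES = """
10:00:01 10.1.1.5 GET www.example.com:80 200 412 15320 text/html
10:00:02 10.1.1.5 GET www.example.com:80 200 398 2210 text/css
10:00:05 10.1.1.7 CONNECT mail.example.net:22 200 0 0 -
10:00:06 10.1.1.9 POST cdn.example.org:80 200 51200 48 application/octet-stream
10:00:07 10.1.1.9 POST cdn.example.org:80 200 52100 52 application/octet-stream
10:00:08 10.1.1.9 POST cdn.example.org:80 200 50900 49 application/octet-stream
10:00:09 10.1.1.9 POST cdn.example.org:80 200 51800 50 application/octet-stream
10:00:10 10.1.1.9 POST cdn.example.org:80 200 51500 47 application/octet-stream
10:00:11 10.1.1.12 GET www.example.com:80 200 401 9800 text/html
""".strip().splitlines()

WEB_PORTS = {80, 443, 8080}   # assumed set of "normal" CONNECT targets
POST_BURST = 5                # assumed: POSTs per client/host pair before alerting
POST_MIN_UPLOAD = 32 * 1024   # assumed: every POST in the run uploads at least this
POST_MAX_RESPONSE = 1024      # assumed: and gets back no more than this


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, client, method, hostport, status, out_b, in_b, ctype = line.split()
    host, port = hostport.rsplit(":", 1)
    return {"ts": ts, "client": client, "method": method, "host": host,
            "port": int(port), "status": int(status),
            "bytes_out": int(out_b), "bytes_in": int(in_b), "ctype": ctype}


def find_tunnel_suspects(lines):
    """Return a list of (client_ip, reason) findings over the given log lines."""
    findings = []
    posts = defaultdict(list)  # (client, host) -> [(bytes_out, bytes_in), ...]
    for line in lines:
        e = parse_line(line)
        # Heuristic 1: CONNECT to a non-web port asks the proxy to relay an
        # arbitrary TCP stream (SSH in the sample), which is the tunnel itself.
        if e["method"] == "CONNECT" and e["port"] not in WEB_PORTS:
            findings.append((e["client"],
                             f"CONNECT to non-web port {e['host']}:{e['port']}"))
        if e["method"] == "POST":
            posts[(e["client"], e["host"])].append((e["bytes_out"], e["bytes_in"]))
    # Heuristic 2: a run of large opaque uploads that each get a tiny reply
    # looks like data leaving through a tunnel, not a browser submitting forms.
    for (client, host), pairs in posts.items():
        big_uploads = all(out >= POST_MIN_UPLOAD for out, _ in pairs)
        tiny_replies = all(inb <= POST_MAX_RESPONSE for _, inb in pairs)
        if len(pairs) >= POST_BURST and big_uploads and tiny_replies:
            findings.append((client, f"{len(pairs)} large one-way POSTs to {host}"))
    return findings


if __name__ == "__main__":
    for client, reason in find_tunnel_suspects(LOG_LINES):
        print(client, "-", reason)
```

Both heuristics are deliberately coarse; in practice the CONNECT check is tightened to the organization's own allow-list of destination ports, and the POST check is tuned against a baseline of legitimate upload-heavy applications before it is used to alert.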
Testing a Firewall and IDS
With so many techniques and mechanisms at your disposal, you can now test your defensive and monitoring capabilities.
Overview of Testing a Firewall
The following are the general steps for testing the integrity and capability of a firewall, whether it is based on hardware or software:
- Footprint the target.
- Perform port scanning.
- Perform banner grabbing against open ports.
- Attempt firewalking.
- Disable trusted hosts.
- Perform IP address spoofing.
- Perform source routing.
- Substitute an IP address for a URL.
- Perform a fragmentation attack.
- Use an anonymizer.
- Make use of a proxy server to bypass a firewall.
- Use ICMP tunneling.
- Use ACK tunneling.
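Several of the steps above (ACK tunneling, IP address spoofing, source routing, fragmentation) probe whether the firewall enforces state and sanity checks rather than only port policy. The following is an added example, not from the book, that models the expected outcome of those checks: a stateless packet filter that admits any ACK packet as a "reply" is compared with a stateful firewall that tracks connections and rejects spoofed internal sources, source-routed packets, and undersized first fragments. The packet fields, addresses, rule logic, and thresholds are all assumptions chosen to illustrate what a test of each step should confirm.

```python
"""Model of what a firewall test should confirm for several checklist steps.

Added example, not from the book. The packet fields, address ranges,
allowed ports and rule logic are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
ALLOWED_INBOUND_PORTS = {80, 443}                   # assumed published services
MIN_FIRST_FRAGMENT = 20 + 20                         # IP + TCP headers, assumed policy


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: set                     # e.g. {"SYN"} or {"ACK"}
    iface: str = "outside"         # arrival interface
    source_routed: bool = False    # IP source-route option present
    frag_offset: int = 0           # > 0 for non-first fragments
    length: int = 60               # bytes in this packet or fragment


def stateless_verdict(p):
    """Old-style packet filter: any ACK-only packet is assumed to be a reply."""
    if "ACK" in p.flags and "SYN" not in p.flags:
        return "allow"              # the gap that ACK tunneling relies on
    return "allow" if p.dport in ALLOWED_INBOUND_PORTS else "drop"


class StatefulFirewall:
    """Connection-tracking filter with anti-spoofing and fragment sanity checks."""

    def __init__(self):
        self.established = set()   # (src, dst, dport) admitted via a permitted SYN

    def verdict(self, p):
        src = ipaddress.ip_address(p.src)
        if p.iface == "outside" and src in INTERNAL_NET:
            return "drop:spoofed-source"        # internal address arriving from outside
        if p.source_routed:
            return "drop:source-route"          # sender must not choose the path
        if p.frag_offset == 0 and p.length < MIN_FIRST_FRAGMENT:
            return "drop:tiny-fragment"         # first fragment must carry the TCP header
        if p.frag_offset > 0:
            # Later fragments carry no TCP header; admit only if a tracked flow
            # already exists between these two hosts.
            known = any(k[0] == p.src and k[1] == p.dst for k in self.established)
            return "allow" if known else "drop:orphan-fragment"
        key = (p.src, p.dst, p.dport)
        if p.flags == {"SYN"}:
            if p.dport in ALLOWED_INBOUND_PORTS:
                self.established.add(key)
                return "allow"
            return "drop:policy"
        if "ACK" in p.flags:
            # ACK-only packets are admitted only for a connection we opened.
            return "allow" if key in self.established else "drop:no-state"
        return "drop:policy"


def run_checklist():
    """Pass one constructed probe per checklist step through both models."""
    fw = StatefulFirewall()
    probes = {
        "port_scan_syn_22":   Packet("203.0.113.9", "10.0.0.5", 22, {"SYN"}),
        "legit_syn_443":      Packet("203.0.113.9", "10.0.0.5", 443, {"SYN"}),
        "ack_tunnel_to_4444": Packet("203.0.113.9", "10.0.0.5", 4444, {"ACK"}),
        "spoofed_internal":   Packet("10.0.0.77", "10.0.0.5", 443, {"SYN"}),
        "source_routed":      Packet("203.0.113.9", "10.0.0.5", 443, {"SYN"},
                                     source_routed=True),
        "tiny_fragment":      Packet("203.0.113.9", "10.0.0.5", 443, {"SYN"},
                                     length=24),
    }
    return {name: (stateless_verdict(p), fw.verdict(p)) for name, p in probes.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_checklist().items():
        print(f"{name:20s} stateless={stateless:6s} stateful={stateful}")
```

The useful output of such a test is the pair of verdicts per probe: the stateless model admits the ACK-only packet, the spoofed internal source, the source-routed packet, and the undersized fragment, while the stateful model rejects each with a distinct reason that a log reviewer can match against the corresponding checklist step.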
Overview of Testing an IDS
Much like testing a firewall, there is a general process for testing an IDS. It tends to be something like the following:
- Disable trusted hosts.
- Attempt an insertion attack.
- Implement evasion techniques.