SEED Labs - Firewall Evasion Lab Firewall Evasion Lab Copyright © 2022 by Wenliang Du. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. If you remix, transform, or build upon the material, this copyright notice must be left intact, or reproduced in a way that is reasonable to the medium in which the work is being re-published. 1 Overview There are situations where firewalls are too restrictive, making it inconvenient for users. For example, many companies and schools enforce egress filtering, which blocks users inside of their networks from reaching out to certain websites or Internet services, such as game and social network sites. There are many ways to evade firewalls. A typical approach is to use the tunneling technique, which hides the real purposes of network traffic. There are a number of ways to establish tunnels. The two most common tunneling techniques are Virtual Private Network (VPN) and port forwarding. The goal of this lab is to help students gain hands-on experience on these two tunneling techniques. The lab covers the following topics: • Firewall evasion • VPN • Port forwarding • SSH tunneling Readings and videos. Detailed coverage of the tunneling technology and how to use it to evade firewalls can be found in the following: Chapter 9 of the SEED Book, Internet Security: A Hands-on Approach, 3rd Edition, by Wenliang Du. See details at https://www.handsonsecurity.net. Lab environment. This lab has been tested on our pre-built Ubuntu 20.04 VM, which can be downloaded from the SEED website. Since we use containers to set up the lab environment, this lab does not depend much on the SEED VM. You can do this lab using other VMs, physical machines, or VMs on the cloud. 2 Task 0: Get Familiar with the Lab Setup We will conduct a series of experiments in this chapter. These experiments need to use several computers in two separate networks. The experiment setup is depicted in Figure 1. We use docker containers for these machines. Readers can find the container setup file from the website of this lab. In this lab, the network 10.8.0.0/24 serves as an external network, while 192.168.20.0/24 serves as the internal network. The host 10.8.0.1 is not a container; this IP address is given to the host machine (i.e., the VM in our case). This machine is the gateway to the Internet. To reach the Internet from the hosts in both 192.168.20.0/24 and 10.8.0.0/24 networks, packets must be routed to 10.8.0.1. The routing has already been set up. SEED Labs - Firewall Evasion Lab 10.8.0.1 Internet A1 #ip -br address lo 10.8.0.5 ethl@if1907 eth0@if1909 B UP UP A2 UNKNOWN 10.8.0.0/24 10.8.0.6 A 192.168.20.99 10.8.0.99 192.168.20.0/24 Figure 1: Network setup Identify which services are running on each of the inside and outside hosts B1 192.168.20.5 Router configuration: setting up NAT. The following iptables command is included in the router configuration inside the docker-compose.yml file. This command sets up a NAT on the router for the traffic going out from its eth0 interface, except for the packets to 10.8.0.0/24. With this rule, for packets going out to the Internet, their source IP address will be replaced by the router's IP address 10.8.0.11. Packets going to 10.8.0.0/24 will not go through NAT. iptables -t nat -A POSTROUTING ! -d 10.8.0.0/24 -j MASQUERADE -o eth0 127.0.0.1/8 192.168.20.11/24 10.8.0.11/24 10.8.0.11 (eth0) In the above command, we assume that eth0 is the name assigned to the interface connecting the router to the 10.8.0.0/24 network. This is not guaranteed. The router has two Ethernet interfaces; when the router container is created, the name assigned to this interface might be eth1. You can find out the correct interface name using the following command. If the name is not eth0, you should make a change to the command above inside the docker-compose. yml file, and then restart the containers. Router (Firewall) // Ingress filtering: only allows SSH traffic iptables -A FORWARD -i eth0 -p tcp -m conntrack \ --ctstate ESTABLISHED, RELATED -j ACCEPT iptables -A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT iptables -A FORWARD -i eth0 -p tcp -j DROP 192.168.20.11 (eth1) // Egress filtering: block www.example.com iptables -A FORWARD -i eth1 -d 93.184.216.0/24 -j DROP B2 192.168.20.6 2 Router configuration: Firewall rules. We have also added the following firewall rules on the router. Please make sure that eth0 is the interface connected to the 10.8.0.0/24 network and that eth1 is the one connected to 192.168.20.0/24. If not, make changes accordingly. SEED Labs - Firewall Evasion Lab The first rule allows TCP packets to come in if they belong to an established or related connection. This is a stateful firewall rule. The second rule allows SSH, and the third rule drops all other TCP packets if they do not satisfy the first or the second rule. The fourth rule is an egress firewall rule, and it prevents the internal hosts from sending packets to 93.184.216.0/24, which is the network for www.example.com. Lab task. Please block two more websites and add the firewall rules to the setup files. The choice of websites is up to you. We will use them in one of the tasks. Keep in mind that most popular websites have multiple IP addresses that can change from time to time. After adding the rules, start the containers, and verify that all the ingress and egress firewall rules are working as expected. Block the following: www.miami.edu (has multiple addresses) and www.fpl.com 3 Task 1: Static Port Forwarding 3 The firewall in the lab setup prevents outside machines from connecting to any TCP server on the internal network, other than the SSH server. In this task, we would like to use static port forwarding to evade this restriction. More specifically, we will use ssh to create a static port forwarding tunnel between host A (on the external network) and host B (on the internal network), so whatever data received on A's port X will be sent to B, from where the data is forwarded to the target T's port Y. In the following command, we use ssh to create such a tunnel. you do not need the in your command, these just indicate a field that you must fill in $ ssh -4NT -L : : : @ // -4: use IPv4 only, or we will see some error message. // -N: do not execute a remote command. // -T: disable pseudo-terminal allocation (save resources). run the command on A Regarding A's IP, typically we use 0.0.0.0, indicating that our port forwarding will listen to the connection from all the interfaces on A. If want to limit the connection from a particular interface, we should use that interface's IP address. For example, if we want to limit the connection to the loopback interface, so only the program on the local host can use this port forwarding, we can use 127.0.0.1: or simply omit the IP address (the default IP address is 127.0.0.1). 4 Task 2: Dynamic Port Forwarding use 0.0.0.0 for A's ip address and 9000 for A's port number, the Target, T, is B1 so B1_address:telnet_port_number Lab task. Please use static port forwarding to create a tunnel between the external network and the internal network, so we can telnet into the server on B1. Please demonstrate that you can do such telnet from hosts A, A1 and A2. Moreover, please answer the following questions: (1) How many TCP connections are involved in this entire process. You should run wireshark or tcpdump to capture the network traffic, and then point out all the involved TCP connections from the captured traffic. (2) Why can this tunnel successfully help users evade the firewall rule specified in the lab setup? Draw a diagram of the connections and the tunnel between the machines In the static port forwarding, each port-forwarding tunnel forwards the data to a particular destination. If we want to forward data to multiple destinations, we need to set up multiple tunnels. For example, using port forwarding, we can successfully visit the blocked example.com website, but what if the firewall blocks many other sites, how do we avoid tediously establishing one SSH tunnel for each site? We can use dynamic port forwarding to solve this problem. In the lab setup, the router already blocks example.com, so hosts on the internal network cannot access the example.com website. Please add firewall rules to the router, so two more websites are blocked. Remember to shutdown the port forwarding between each task SEED Labs - Firewall Evasion Lab The choice of the websites is up to individual students. Please provide evidences to show that the websites are indeed blocked. Block the following: www.miami.edu (has multiple addresses) and www.fpl.com 4.1 Task 2.1: Setting Up Dynamic Port Forwarding We can use ssh to create a dynamic port-forwarding tunnel between B and A. We run the following com- mand on host B. In dynamic port forwarding, B is often called proxy. $ ssh -4NT -D : @ Regarding B's IP, typically we use 0.0.0.0, indicating that our port forwarding will listen to the connection from all the interfaces on B. After the tunnel is set up, we can test it using the curl command. We specify a proxy option, so curl will send its HTTP request to the proxy B, which listens on port X. The proxy forwards the data received on this port to the other end of the tunnel (host A), from where the data will be further forwarded to the target website. The type of proxy is called SOCKS version 5, so that is why we specify socks5h. $ curl --proxy socks5h:// : Lab task. Please demonstrate that you can visit all the blocked websites using curl from hosts B, B1, and B2 on the internal network. Please also answer the following questions: (1) Which computer establishes the actual connection with the intended web server? (2) How does this computer know which server it should Draw a diagram of the connections and the tunnel between the machines connect to? 4.2 Task 2.2: Testing the Tunnel Using Browser We can also test the tunnel using a real browser, instead of using curl. Although it is hard to run a browser inside a container, in the docker setup, by default, the host machine is always attached to any network created inside docker, and the first IP address on that network is assigned to the host machine. For example, in our setup, the host machine is the SEED VM; its IP address on the internal network 192.168.20.0/24 is 192.168.20.1. To use the dynamic port forwarding, we need to configure Firefox's proxy setting. To get to the setting page, we can type about:preferences in the URL field or click the Preference menu item. On the General page, find the "Network Settings" section, click the Settings button, and a window will pop up. Follow Figure 2 to set up the SOCKS proxy. Lab task. Once the proxy is configured, we can then browse any website. The requests and replies will go through the SSH tunnel. Since the host VM can reach the Internet directly, to make sure that our web browsing traffic has gone through the tunnel, you should do the following: (1) run tcpdump on the router/- firewall, and point out the traffic involved in the entire port forwarding process. (2) Break the SSH tunnel, and then try to browse a website. Describe your observation. Cleanup. After this task, please make sure to remove the proxy setting from Firefox by checking the "No proxy" option. Without a proper cleanup, future labs may be affected. SEED Labs - Firewall Evasion Lab Configure Proxy Access to the Internet No proxy Auto-detect proxy settings for this network Use system proxy settings Manual proxy configuration HTTP Proxy OOO HTTPS Proxy FTP Proxy req SOCKS Host SOCKS v4 #!/bin/env python3 import socks Also use this proxy for FTP and HTTPS Connection Settings » B SOCKS V5 Figure 2: Configure the SOCKS Proxy s = socks.socksocket () s.set_proxy (socks.SOCKS5, " ", ) s.connect ((" ", )) print (response.split (b"\r\n") ) response s.recv (2048) Port Port Port 0 0 4.3 Task 2.3: Writing a SOCKS Client Using Python For port forwarding to work, we need to specify where the data should be forwarded to (the final destination). In the static case, this piece of information is provided when we set up the tunnel, i.e., it is hard-wired into the tunnel setup. In the dynamic case, the final destination is dynamic, not specified during the setup, so how can the proxy know where to forward the data? Applications using a dynamic port forwarding proxy must tell the proxy where to forward their data. This is done through an additional protocol between the application and the proxy. A common protocol for such a purpose is the SOCKS (Socket Secure) protocol, which becomes a de facto proxy standard. Since the application needs to interact with the proxy using the SOCKS protocol, the application soft- ware must have a native SOCKS support in order to use SOCKS proxies. Both Firefox and curl have such a support, but we cannot directly use this type of proxy for the telnet program, because it does not provide a native SOCKS support. In this task, we implement a very simple SOCKS client program using Python. 0 Port E hostname = "www.example.com" b"GET / HTTP/1.0\r\nHost: + hostname.encode('utf-8′) + b″\r\n\r\n" s.sendall (req) response = s.recv (2048) while response: this is what we discussed in class 5

Solved: SEED Labs - Firewall Evasion Lab Firewall Evasion Lab Copyright © 202

Home
questions and answers
you need to submit a detailed lab report with screenshots to describe

Question

SEED Labs - Firewall Evasion Lab Firewall Evasion Lab Copyright © 2022 by Wenliang Du. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. If you remix, transform, or build upon the material, this copyright notice must be left intact, or reproduced in a way th