The 50 Ways Series
50 Ways to Defeat Your Firewalls
My firewalls course covers this and a lot more, and
has for many years, so I figured it was time for a 50-ways article.
- 1. Use one of the dial-in lines that doesn't go through the firewall.
- 2. Use a network connection via a partner that doesn't go through the firewall.
- 3. Use the maintenance ports from vendors that don't go through the firewall.
- 4. Send in a false update disk that initiates communication from inside the firewall to you.
- 5. #4 with a Word virus as the delivery system.
- 6. #4 with a pornography pointer spreadsheet as the delivery method.
- 7. #4 with a free CD as the delivery method.
- 8. #4 with a downloadable executable as the delivery mechanism.
- 9. #4 with a web page (< img gopher://another internal.computer.com/0[attack-code]>)
- 10. #4 with an automated update from Microsoft or Netscape.
- 11. #4 with a Java applet.
- 12. #4 with an ActiveX program.
- 13. #4 with a new computer purchase (pre-installed attack).
- 14. #4 with a processor upgrade (the chip has a Trojan horse).
- 15. Pay off an insider to start the session to you on the outside.
- 16. Trick an insider into starting the session to you on the outside.
- 17. Hijack a TCP session that runs through the firewall (for
example using "hunt") and gain insider access.
- 18. Sniff traffic that passes through the firewall and steal a
password used to gain additional access.
- 19. Exploit a vulnerability in a bastion host and use it to
springboard attacks against the rest of the outside world.
- 20. #19 but use it to attack other bastion hosts.
- 21. #19 but use it to get into back-end processing systems.
- 22. #21 and use the back-end systems to get into the rest of the
- 23. #22 and use those systems to open up sessions to the outside
- 24. #20 or #21 and use those systems to sniff firewall management
traffic and forge firewall configuration changes.
- 25. #20 or #21 and use them to take over firewall management sessions.
- 26. Any of the last 10 examples and use them to corrupt
information in the firewall.
- 27. Any of the last 10 attacks and use them to change firewall
- 28. Flood the firewall with requests to deny service to the network.
- 29. Overwhelm the bastion hosts in the firewall to deny services.
- 30. Corrupt the domain name system so the firewall can't deliver
- 31. Corrupt routing tables so the firewall can't route traffic.
- 32. Break into one of the systems used by insiders to connect
directly (via modem) to AOL and create a bridge that bypasses the
- 33. Forge IP addresses so the firewall thinks attacks are coming
from innocent locations and cuts off service.
- 34. Send malformed packets to the firewall and cause it to crash.
- 35. Set up a popular Web page as an anonymizer and redirect
outbound traffic through your site for observation.
- 36. Set up a free mail service and sniff all the email passing
through it from people behind the firewall.
- 37. #36 but alter the email to include Trojan Horses.
- 38. #36 and add free telnet service via the Web (port 80) so that
insiders can telnet even though it is not 'authorized'.
- 39. #37 with gopher.
- 40. #37 with file transfer.
- 41. #37 with real-audio.
- 42. #37 with any other service you want to provide as a firewall bypass.
- 43. Any of the last few with encrypted services to make it harder
for the people who run the firewall to tell what is happening.
- 44. Any of the last few but with Trojan horse download software
plug-ins to make it all work.
- 45. Send in a Trojan horse that dials out to bypass the firewall.
- 46. Send free radio-LAN cards to select insiders who experiment
with new technologies and use a Trojan horse to get into the radio-LAN.
- 47. Break into a wire closet and attach a radio-LAN to the inside LAN.
- 48. Break into the phone system and redirect telephonically
controlled digital traffic through your location.
- 49. Convince upper management that they need to day trade and
provide a free day-trading service with your custom (Trojan horse)
- 50. Provide firewall services to companies who don't want to or
have decided not to provide their own, and exploit at will.
Back to bed - another 20 minutes wasted.