
International Research Journal of Computers and Electronics Engineering (URJCEE)

Vol. 1, Iss. 1, May 2013

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Vivek Kathayat, Dr Laxmi Ahuja
AIIT
Amity University, Noida
vivekkathayat@gmail.com
lahuja@amity.edu

ABSTRACT - Information technology changes constantly, and it is very important to protect our systems and network infrastructure from compromise. The main purpose of this educational research is to test the weaknesses of secure and unsecured environments. The method used to test our environments is white-box testing with the help of BackTrack tools. With the help of the pfSense firewall we analyse the logs to make our network infrastructure more secure.

INTRODUCTION

Aim: The aim of this research is to analyse the system logs that are generated in virtual environment 2 (which is secured with the pfSense firewall).

1. INTRODUCTION OF OUR LAB SCENARIOS

SCENARIO 1

LEVEL OF SECURITY: Low
ATTACKER SYSTEM: Backtrack 5r3 (192.168.189.129)
HOST 1: Windows XP (192.168.189.128)
HOST 2: Backtrack 4r2 (192.168.189.130)

Fig 1 : SCENARIO 1 IMAGE

SCENARIO 2

LEVEL OF SECURITY: High
ATTACKER SYSTEM: Backtrack 5r3 (192.168.75.10)
HOST: Backtrack 4r2 (192.168.101.100)
FIREWALL: Pfsense Firewall (192.168.75.1, 192.168.101.1)

Fig 2 : SCENARIO 2 IMAGE

RESEARCH METHODS

The method used in this research is white-box testing. White-box testing is a part of penetration testing.

Penetration Testing [1][4]

Penetration testing is a process that is used to conduct an audit of a network or a particular system. It can be of different types -
2. Black-box Testing
3. White-box Testing

Black-box Testing: In this testing the security expert is not aware of the network of the company or the technologies that are used in the target company or organization.
White-box Testing: In this testing the security expert is aware of the network and the technologies that are used in the target company or organization.
Backtrack: To perform the testing we use BackTrack [2][3].

THE TOOLS & SCRIPTS USED IN THIS TESTING ARE

1. Nmap (Network Mapper)
Description: It is a network mapper which is used to scan a remote machine through various nmap scanning techniques such as TCP connect scan (TCP), Stealth scan (SYN), UDP scan, Acknowledgement scan (ACK) and Operating System scan (-O).

2. traceroute
Description: traceroute is used to find the firewall on the VLANs. Here we can analyse the output of the command in BackTrack 5 and also analyse the pfSense firewall log.

3. tcptraceroute
Description: While using traceroute we are unable to see behind the firewall, but with tcptraceroute we can see behind the firewall.

4. Nmap Firewalk Script
Description: It is a special feature of nmap that is used to find the open ports behind the pfSense firewall.

5. XPROBE2
Description: It is an operating system fingerprinting tool. With this tool we can detect which OS the target host is running. The tool is just an information gathering tool. While scanning we also analyse the pfSense firewall logs and see which packets are sent to the target to do the OS fingerprinting.

6. ARMITAGE
Description: This tool is used for target exploitation; it is developed by Rapid7. Through this tool we exploit the target according to its weak point or vulnerability in the target machine, and also check what happens and the importance of the firewall.

FINDING AND ANALYSIS

After setting up the labs, we start our experiment. The first step of the experiment is Information Gathering. For Information Gathering we use nmap to scan both scenarios.

INFORMATION GATHERING

We perform a scan through nmap(2); with this scan we get information about the host system, which ports are open, etc.

WITH FIREWALL
When we did the same scan on scenario #2, it shows that ports 21 [ftp], 80 [http] and 443 [https] are closed and the rest of the ports are filtered.
BENEFIT OF FIREWALL: You can see that the firewall filtered all the ports and states them as closed ports.

Fig 2.1

PFSENSE FIREWALL LOG FOR TCP CONNECT SCAN
Now let's analyse the pfSense firewall log. Here you can see that the attack starts from the source address (192.168.75.10) to the destination (192.168.101.100), and you can also see the ports used in this scan.
The protocol used in the TCP connect scan is: TCP:S

Fig 2.2

STEALTH SCAN (SYN SCAN)
It is also known as a half-open scan because it never forms a complete connection between the target and the scanner machine.
Now let us see the outcome of the stealth scan without a firewall (scenario 1) and with a pfSense firewall (scenario 2).

WITHOUT FIREWALL
Command : nmap -sS 192.168.189.130
The image below shows the output of the stealth scan.

Fig 3.1

WITH FIREWALL

Fig 3.2

PFSENSE FIREWALL LOG FOR STEALTH SCAN
In the log we can analyse what type of protocol was used, that the scan was done from source to destination, the type of interface, and at what time the scan was performed.
Fig 3.3

4.UDP SCANNING
UDP scanning is used to check whether the remote target is open, closed or open/filtered.
In this scan we use UDP packets: we send UDP packets to the target host, and the result depends on the reply.
For example: when we send UDP packets to the target machine and an ICMP Unreachable reply comes back, it means that the ports are closed.
If the UDP packet reaches the target machine and no reply comes back, it means the port is open but filtered.
And if a proper reply comes back, then it means the port is closed.

WITH FIREWALL
Now in the firewall environment, when we do a UDP scan the output looks as shown below.

Fig.4.1 shows that all 1000 scanned ports on 192.168.101.100 are open/filtered.

PFSENSE FIREWALL LOG FOR UDP SCAN
The log below was captured while we scanned the host which is behind the firewall.
In this log you can see that the proto section displays the UDP ports. It means the attacker used the UDP scan technique.
One more thing to analyse is that the ports are constantly changing.

Fig.4.2

4. ACKNOWLEDGEMENT SCAN
It shows whether the target ports are filtered or unfiltered. It sends TCP ACK frames to the remote port, and if there is no response, the port is considered to be filtered.
If the response is a RST (RESET), it means the port is unfiltered.

WITHOUT FIREWALL
Without a firewall, it normally shows that all 1000 ports are unfiltered.

Fig.5.1

WITH FIREWALL
When we did an acknowledgement scan in scenario 2, it displays that the host is blocking the ping probes.
Basically this is done by the pfSense firewall, which blocks the ping probes; that is why this type of response comes.
See the image below for more details -

Fig.5.2

PFSENSE FIREWALL LOG FOR ACKNOWLEDGEMENT SCAN
Now when we analyse the firewall logs we can see that the acknowledgement scan is detected with the source and destination IPv4 addresses.
See the image below for more details -

Fig.5.3

WITH -PN PARAMETERS
Now if we use the -Pn parameter with our command, it displays that all 1000 scanned ports on 192.168.189.130 are filtered.
This type of scanning helps the attacker to know which ports are filtered and unfiltered on the network.
See the image below for more details -

Fig 5.4

FIREWALL LOG :
In this firewall log you will see that the acknowledgement packets are detected, and it is very easy for the administrator to understand
that the attacker is trying to get information about the filtered and unfiltered ports in the network.
See the image below for more details -

Fig.5.4

6.TRACEROUTE
It is a route analysis tool, which is used to trace the route to the target host.

WITH FIREWALL
Below you can see that in scenario 2, when we perform a traceroute command on the target IP address, it shows that packets are lost during transmission (the reason could be the firewall filtering).
See the image below for more details -

Fig.6.1

LOG FOR TRACEROUTE
Through the log analysis, we can see that the UDP protocol is used. It means that traceroute uses UDP packets.
See the image below for more details -

Fig.6.2

7. TCPTRACEROUTE (ROUTE ANALYSIS)
This is also used to detect the route to the target host; it uses TCP SYN to send out the packets. The biggest advantage of using this tool is that if there is a firewall in between the network, the packet is able to reach the target.

WITH FIREWALL
In this tcptraceroute example, without a lost transmission, our packets successfully reached the target and gave all the route information.

Fig 7.1

FIREWALL LOG FOR TCPTRACEROUTE

Fig.7.2

8. NMAP FIREWALK SCRIPT
The nmap firewalker script is the easiest method to test all the open, closed and filtered ports on the firewall, and if you use a traceroute option then it shows the route using port 80/tcp.
See the image below for the output -

Fig.8.1

FIREWALL LOG FOR NMAP SCRIPT
In the firewall log, it detects the TCP: Syn scanning method.
See the log for more details -

Fig.8.2

9.XPROBE2
It is used to detect the operating system running on the target machine on the basis of signature-based guessing of the OS.
Below are example images of running this tool on both scenarios.

Scenario 1

WITHOUT FIREWALL
Here you can see that it detects the running OS as Linux kernel 2.4, with 100% certainty that it is a Linux kernel.
See the image below for more details -

Fig.9.1

LOG GENERATED BY PFSENSE FIREWALL
Here you can see that the UDP protocol is used by this tool; to confirm that, check the firewall log.
Below, the firewall shows that the protocol used is UDP.
See the image below for more details -

Fig.9.2

10. TARGET EXPLOITATION
In this step of target exploitation we use Armitage, a GUI-based tool that is used to find the vulnerability in the target machine and exploit that target machine.

SCENARIO 1 :
Using Armitage, we exploit the windows netapi_67 vulnerability. The target is easily vulnerable because there is no firewall or any other mechanism which protects the systems.
The image below shows the successful exploitation of the Windows machine through Backtrack 5r2 (attacker machine).

RESULT
The result shows the Windows command shell on the Linux machine.
See the image below for more details -

Fig.10.1

SCENARIO 2
When we try to attack the target machine we are unable to attack that machine. We tried various techniques through Armitage, but all were unsuccessful because of the filtering device or firewall.
See the image below for more details -

Fig 10.2

CONCLUSION
After the white-box testing, from the pfSense firewall logs we can understand the attacking pattern of a hacker or intruder.
We can also understand the behaviour of an attack. How? By analysing the protocols, flags, ack, fin, ports and port numbers.
An administrator or security expert can study these attack patterns from the logs and secure his own network infrastructure, or, after studying this type of virtual environment, he can redefine his secure physical infrastructure.
In short, this whole research helps us to improve our network security with the help of an open-source firewall.

FUTURE RESEARCH
1. This research helps in the logical and practical implementation of firewall security to make network environments more secure.
2. This research helps the administrator to understand the attack.
3. He can analyse and trace the attacker with the help of firewall logs.
4. It helps to make your system and network infrastructure more secure.
5. It helps students to understand how things are actually going on behind the scenes.
6. We can test different types of attacks in a virtual environment.
7. The log analysis helps the network administrator to understand what happens when an attack is done, like a DDoS attack, decoy attack etc., without breaking any cyber law.
8. We can also analyse the log and see which TCP ports are used during the attacks, so that in future we can close those ports.

REFERENCES

[1] Lee Allen, Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide, Packt Publishing, www.packetpub.com

[2] www.wikipedia.org

[3] www.google.com

[4] Shakeel Ali, Tedi Hariyanto, Backtrack 4: Assuring Security by Penetration Testing, Packt Publishing, www.packetpub.com
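
The log reading described in the conclusion (protocol, flags and destination ports per source) can be automated. The sketch below is an added example, not code from the paper, and it goes beyond any single scan shown above by classifying several probe types in one pass. The row layout (modelled on the log view columns), the sample rows, the second source 192.168.75.20 and the `min_ports` threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows modelled on the columns of the firewall log view
# the paper reads: (time, interface, source, destination, proto).
# They are illustrative and are not taken from the paper's figures.
SAMPLE_ROWS = (
    [("10:01:%02d" % i, "WAN", "192.168.75.10:41000", "192.168.101.100:%d" % p, "TCP:S")
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 443, 3389])]
    + [("10:05:%02d" % i, "WAN", "192.168.75.10:52000", "192.168.101.100:%d" % p, "TCP:A")
       for i, p in enumerate([21, 22, 25, 53, 80, 139, 445])]
    + [("10:09:%02d" % i, "WAN", "192.168.75.10:%d" % (40000 + i), "192.168.101.100:%d" % p, "UDP")
       for i, p in enumerate([53, 67, 69, 123, 137, 161, 500])]
    # A single SYN from another (constructed) host: normal traffic, not a scan.
    + [("10:12:00", "WAN", "192.168.75.20:50000", "192.168.101.100:80", "TCP:S")]
)

# Proto column value -> what the paper associates with it.
LABELS = {
    "TCP:S": "SYN probes (TCP connect, stealth or firewalk-style scan)",
    "TCP:A": "ACK probes (acknowledgement scan)",
    "UDP": "UDP probes (UDP scan or a UDP-based tool)",
}

def classify_scans(rows, min_ports=5):
    """Group log rows by (source IP, destination IP, proto) and report every
    group that touches at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for _time, _iface, src, dst, proto in rows:
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dst_port = dst.rsplit(":", 1)
        ports[(src_ip, dst_ip, proto)].add(int(dst_port))
    findings = []
    for (src_ip, dst_ip, proto), seen in sorted(ports.items()):
        if len(seen) >= min_ports:
            findings.append({
                "source": src_ip, "target": dst_ip, "proto": proto,
                "distinct_ports": len(seen),
                "pattern": LABELS.get(proto, "unclassified probes"),
            })
    return findings

if __name__ == "__main__":
    for f in classify_scans(SAMPLE_ROWS):
        print("{source} -> {target}: {distinct_ports} ports, {pattern}".format(**f))
```

The SYN flag alone does not separate the connect, stealth and firewalk runs, since each appears as TCP:S in the log; the number of distinct destination ports per source is what marks the traffic as a scan.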
