Ftest

Description

The Firewall Tester (FTest) is a tool designed for testing firewall filtering policies and Intrusion Detection System (IDS) capabilities.

The tool consists of two Perl scripts: a packet injector (ftest) and a listening sniffer (ftestd).
The injector sends custom packets, defined in ftest.conf, with a signature in the data part, while the sniffer listens for such marked packets.
Both scripts write a log file in the same format.
If the two scripts are run on hosts placed on opposite sides of a firewall, a diff of the two log files shows the packets that were unable to reach the sniffer because of the filtering rules.
Stateful inspection firewalls are handled with the 'connection spoofing' option.
A script called freport is also available to parse the log files automatically.

The IDS (Intrusion Detection System) testing feature can be used either with ftest alone
or with the additional support of ftestd for handling stateful inspection IDS; it can also use common IDS evasion techniques.
Instead of the configuration syntax, the script can currently also process a Snort rule definition file.

Features:
– firewall testing
– IDS testing
– simulation of real tcp connections for stateful inspection firewalls and IDS
– connection spoofing
– IP fragmentation / TCP segmentation
– IDS evasion techniques

Usage

Options

Configuration options:
  -f <conf_file>
  -c <source_ip>:<source_port>:<dest_ip>:<dest_port>:<flags>:<protocol>:<tos>
  -v <verbose>

Timing options:
  -d <delay, 0.25 = 250 ms>
  -s <sleep time, 1 = 1 s>

Evasion options:
  -e <evasion method>
  -t <ids_ttl>

Connection options:
  -r <reset connection>
  -F <end connection>
  -g <IP fragments number, e.g. 4|IP fragments size, e.g. 16b>
  -p <TCP segments number, e.g. 4|TCP segments size, e.g. 6b>
  -k <cksum value, e.g. 60000>
  -m <marker>

Example

Before starting, we need to be root. First start ftestd (the sniffer) from a terminal:

cyborg@cyborg:~$ sudo ftestd -i eth0

Then run ftest (the injector) from a terminal:

cyborg@cyborg:~$ sudo ftest -f ftest.conf

Finally, we copy the two log files onto the same host and compare them using freport from a terminal:

cyborg@cyborg:~$ sudo freport ftest.log ftestd.log

You will see something like…

Authorized packets:
-------------------
21 - 192.168.0.10:1025 > 10.1.7.1:21 S TCP 0
22 - 192.168.0.10:1025 > 10.1.7.1:22 S TCP 0
23 - 192.168.0.10:1025 > 10.1.7.1:23 S TCP 0
25 - 192.168.0.10:1025 > 10.1.7.1:25 S TCP 0
80 - 192.168.0.10:1025 > 10.1.7.1:80 S TCP 0
110 - 192.168.0.10:1025 > 10.1.7.1:110 S TCP 0
113 - 192.168.0.10:1025 > 10.1.7.1:113 S TCP 0
1027 - 192.168.0.10:80 > 10.1.7.1:1025 PA TCP 0

Modified packets (probably NAT):
--------------------------------
443 - 192.168.0.10:1025 > 10.1.7.1:443 S TCP 0
443 - 192.168.0.10:1025 > 10.1.7.5:443 S TCP 0

Filtered or dropped packets:
----------------------------
1 - 192.168.0.10:1025 > 10.1.7.1:1 S TCP 0
2 - 192.168.0.10:1025 > 10.1.7.1:2 S TCP 0
3 - 192.168.0.10:1025 > 10.1.7.1:3 S TCP 0
...
...
...
1026 - 192.168.0.10:1025 > 10.1.7.1:3128 S TCP 0
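The comparison that freport performs on the two log files (described in the Description section and shown in the report above) can be reproduced with a short script. The following is an added example, not part of FTest or of this page; it is written in Python rather than Perl, and it assumes the log line layout visible in the report above ("<marker> - <src_ip>:<src_port> > <dst_ip>:<dst_port> <flags> <proto> <tos>") and that each injected packet carries a unique marker. The two embedded logs are constructed sample data. A packet whose marker appears identically in both logs is authorized, one whose marker appears with changed fields (for instance a rewritten destination address) is reported as probably NATed, and one that never reaches the sniffer is filtered or dropped.

```python
import re
from dataclasses import dataclass

# Log line layout assumed from the freport output shown on this page:
#   <marker> - <src_ip>:<src_port> > <dst_ip>:<dst_port> <flags> <proto> <tos>
LOG_LINE = re.compile(
    r"^(?P<marker>\d+)\s+-\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>\S+)\s+(?P<proto>\S+)\s+(?P<tos>\d+)\s*$"
)


@dataclass(frozen=True)
class Packet:
    """One logged packet; equality compares every field, which is what the diff relies on."""
    marker: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    proto: str
    tos: int

    def __str__(self):
        return (f"{self.marker} - {self.src}:{self.sport} > "
                f"{self.dst}:{self.dport} {self.flags} {self.proto} {self.tos}")


def parse_log(text):
    """Parse log text into {marker: Packet}. Lines that do not match the layout are skipped
    (assumption: one packet per marker; a repeated marker keeps the last occurrence)."""
    packets = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        p = Packet(int(m["marker"]), m["src"], int(m["sport"]), m["dst"],
                   int(m["dport"]), m["flags"], m["proto"], int(m["tos"]))
        packets[p.marker] = p
    return packets


def compare_logs(injector_text, sniffer_text):
    """Classify injected packets by what the sniffer on the other side of the firewall saw."""
    sent = parse_log(injector_text)
    seen = parse_log(sniffer_text)
    report = {"authorized": [], "modified": [], "filtered": [], "unexpected": []}
    for marker in sorted(sent):
        s, r = sent[marker], seen.get(marker)
        if r is None:
            report["filtered"].append(s)          # never reached the sniffer
        elif r == s:
            report["authorized"].append(s)        # passed unchanged
        else:
            report["modified"].append((s, r))     # same marker, rewritten header (probably NAT)
    for marker in sorted(set(seen) - set(sent)):
        report["unexpected"].append(seen[marker])  # seen but never injected: check the marker
    return report


def format_report(report):
    """Render the classification in the same sectioned style as freport."""
    out = []
    sections = [("Authorized packets:", report["authorized"]),
                ("Modified packets (probably NAT):",
                 [p for pair in report["modified"] for p in pair]),
                ("Filtered or dropped packets:", report["filtered"]),
                ("Unexpected packets (not in injector log):", report["unexpected"])]
    for title, packets in sections:
        out.append(title)
        out.append("-" * len(title))
        out.extend(str(p) for p in packets)
        out.append("")
    return "\n".join(out)


# Constructed sample logs: what ftest injected and what ftestd captured behind the firewall.
FTEST_LOG = """\
21 - 192.168.0.10:1025 > 10.1.7.1:21 S TCP 0
22 - 192.168.0.10:1025 > 10.1.7.1:22 S TCP 0
80 - 192.168.0.10:1025 > 10.1.7.1:80 S TCP 0
443 - 192.168.0.10:1025 > 10.1.7.1:443 S TCP 0
1 - 192.168.0.10:1025 > 10.1.7.1:1 S TCP 0
"""

FTESTD_LOG = """\
21 - 192.168.0.10:1025 > 10.1.7.1:21 S TCP 0
22 - 192.168.0.10:1025 > 10.1.7.1:22 S TCP 0
80 - 192.168.0.10:1025 > 10.1.7.1:80 S TCP 0
443 - 192.168.0.10:1025 > 10.1.7.5:443 S TCP 0
"""

REPORT = compare_logs(FTEST_LOG, FTESTD_LOG)

if __name__ == "__main__":
    print(format_report(REPORT))
```

Running the script prints the three freport-style sections for the sample data: ports 21, 22 and 80 authorized, marker 443 listed twice (as injected and as captured with the rewritten destination 10.1.7.5), and port 1 filtered. To use it on real output, read ftest.log and ftestd.log into the two text arguments of compare_logs; the fourth section, packets present only in the sniffer log, is a sanity check on the marker that the original tool does not print.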