Posts Tagged ‘firewall’

Firewalking with nmap

Posted: March 30, 2013 in MemoToSelf

uhh firewalking, what’s that?

To quote the original paper (1998):

A Traceroute-Like Analysis of IP Packet Responses to Determine Gateway Access Control Lists

Now that sounds pretty neat, right? Or not, if you usually only focus on open ports and ignore all the other relevant information that a network scan can give you. The paper does a pretty good job of explaining the technique, so I’m not going to repeat that. Let’s just see if we understood it correctly by doing a manual test, and then let’s see how we can use nmap to automate this. In case you are wondering why I don’t use the original Firewalking tool, it’s because I prefer not to have a lot of fragmented tools unless I really need them. I mean, nmap is a great tool and it just saves you a lot of time if you can perform all (or as much as possible) of the network mapping with nmap.

Let’s set up a little lab, which roughly looks like this:

[Figure: basicsetup (lab network diagram)]

So basically the attacker wants to enumerate the firewall rules that are in place on vyatta. As said, let’s start with grasping the concept of firewalking by testing whether we can prove the following configuration:

(more…)


Well, this is new for me: further developing a working POC. As you all know, I love new ideas and POC development, but hate the further development of POCs. This time the Firewall DNS POC just didn’t cut it; it did what I wanted it to do, but it lacked some “usability” features. These are the added features:

#Functionality
# - = done
# x = todo
###
# - Queries can either be full domain(www.google.com), or only base domain(google.com)
# - Block queries
# - relays queries
# - reads settings from config
# - reloads config
#   - on/off using -auto
# - drops privileges
# - reload config on key combo (ctrl+c)
###

The config file options are somewhat explained in the config file itself; other stuff you’ll have to read from the src. Here’s how it looks now:

sudo ./fw-dns.py
##############################################
new configuration:
reload time:
43200
dns server:
('192.168.2.254', 53)
if listen:
127.0.0.1
allowed full domains:
['ubuntu.com']
allowed partial domains:
['']
##############################################
Starting fw-dns
Listening on localhost 127.0.0.1
Connected to remote DNS server ('192.168.2.254', 53)
Dropped privileges

You can download using bittorrent here:  fw-dns_v0.1
You can download from megaupload here:  http://www.megaupload.com/?d=D4WBLBQ8
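
The block/relay decision from the feature list above, as an added example (not the fw-dns source). It assumes "full domain" means an exact host match and "base domain" means the domain plus its subdomains; all function names are hypothetical. It also drops empty list entries like the `['']` shown in the output above, because an empty suffix would otherwise match every name.

```python
# Added example; the matching rules are an assumed reading of the feature list.
import struct

def parse_qname(packet: bytes) -> str:
    """Return the first question name of a raw DNS query, lowercased."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no DNS question present")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:  # pointers/reserved types do not belong in a query name
            raise ValueError("unexpected label type")
        label = packet[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())
        pos += 1 + length

def _clean(domains):
    # Drop empty entries: an empty suffix would otherwise match every name.
    return {d.strip(".").lower() for d in domains if d.strip(".")}

def is_allowed(qname, full_domains, partial_domains):
    name = qname.strip(".").lower()
    if name in _clean(full_domains):  # exact host match
        return True
    # Base-domain match on a label boundary, so "notubuntu.com" != "ubuntu.com".
    return any(name == b or name.endswith("." + b) for b in _clean(partial_domains))

def decide(packet, full_domains, partial_domains):
    """Return 'relay' or 'block'; anything unparseable is blocked."""
    try:
        qname = parse_qname(packet)
    except ValueError:
        return "block"
    return "relay" if is_allowed(qname, full_domains, partial_domains) else "block"

def build_query(name):
    """Constructed sample input: a minimal A/IN query for `name`."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    body = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + body + b"\x00" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for host in ("ubuntu.com", "archive.ubuntu.com", "blocked.example"):
        print(host, decide(build_query(host), ["ubuntu.com"], [""]))
```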

Firewall DNS

Posted: April 19, 2010 in security

So I’m trying to set up a really tight server, and one of the things left to secure was DNS. How do I make sure that if the server gets rooted, the backdoor will not be able to connect through DNS to its C&C? I decided to write a custom “firewall dns”, which would only allow DNS requests if they matched a certain host. You might now be yelling things like “YOU RETARD, never code something if there is an existing and probably working alternative”. True; the thing is, I’ve never really done anything with DNS on a coding level, so it seemed like this was my opportunity.

(more…)

This idea popped into my head a while back and is still on my todo list (note: my todo list never shrinks). The following context/problem applies.

Suppose you want to steal information, but the server you want to backdoor has got all ports IP-restricted on an application level, like an IIS instance which restricts users based on their IP address. How could this be bypassed without adjusting the IIS configuration or using a complicated rootkit? I thought of the following (note: this can also be implemented in ring0):

(more…)