Penetration Testing mailing list archives
Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions
From: "Loschiavo, Dave" <DLoschiavo () FRCC CC CA US>
Date: Fri, 29 Sep 2000 07:30:59 -0700
How's this for an attack scenario... Since the firewall is not blocking any outbound traffic (bad move) I would make an effort to acquire the email addresses of internal users. That shouldn't be too hard to do if they do business with anyone. Once I had that I would send HTML email to those addresses and try to exploit this 'feature' of Windows: http://www.oamk.fi/~jukkao/bugtraq/0003/0171.html. I would then crack the passwords for the accounts that viewed the email and try to log on to listening services using those accounts and passwords.

Assumptions:

1. I am able to find a valid email address.
2. HTML mail is not cleaned before it reaches the user.
3. The email client does HTML mail.
4. The email client is residing on a MS OS.
5. The users who read the email have authenticated to an NT domain.
6. The users who read the email have the ability to log on to the listening services I am trying to access via open firewall ports.

Any comments regarding this method of attack would be greatly appreciated. I am new to the process of penetration testing.

-dave

-----Original Message-----
From: Leon Rosenstein
To: PEN-TEST () SECURITYFOCUS COM
Sent: 9/27/00 8:27 AM
Subject: [PEN-TEST] NAT / Stateful Packet Inspection Questions

Hi everyone. This is the first time I am posting to this list so please don't flame me if the question sounds insane or is out-of-line. If you feel forced to flame me, at least have enough respect to do it in private. I am just curious and seeking knowledge.

I would like to set up a scenario and see what the group thinks. I was trying to help my friend audit his network through a penetration test. I found the firewall impenetrable (at least by me, which does not really say that much) (insert joke about newbies here). The network has no remote access points (it does not have a VPN or any Dial-Up Servers). It has only a server, router, & firewall. The firewall is doing both NAT and Stateful Packet Inspection (SPI from here on in).

There are no rules with the exception of the default (anything going out can go out but nothing can come in unless the firewall has cached or is aware of the potential incoming connection). If the connection comes back in on a different port than the firewall expects (assumes) it will drop the connection. Is there any way to circumvent this firewall (or any firewalls that employ NAT and SPI as their primary defense mechanisms)? Is there any way to get direct access to the server? I have port scanned the router and found listening ports and remote administration software but I am curious as to how one could circumvent the firewall (if this is done through hijacking the router I would be curious about that also). I know very talented people in the industry read this list so any help would be much appreciated. Oh and please feel free to respond on list or off.

Thanks in advance
Leon
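The two points the thread turns on are the default-policy behaviour Leon describes (outbound creates state, inbound is accepted only when it matches that state, a reply on an unexpected port is dropped) and Dave's observation that allowing all outbound traffic is what lets an internal host reach arbitrary external services. The toy model below is an added example written for this archive page, not code from either poster; it tracks connection state in a set and optionally applies an outbound allowlist. The addresses are constructed (RFC 5737 documentation ranges), the allowlist of ports 80/443/25/53 is an assumed example policy, and address translation and TCP flag handling are deliberately left out so that only the state-tracking and egress decision is visible.

```python
"""Toy stateful packet filter with optional egress allowlist.

Added example for the NAT/SPI thread; not code from the original posters.
Models only connection tracking and the outbound policy; NAT address
rewriting and TCP flag handling are omitted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    direction: str = "out"   # "out": LAN -> Internet, "in": Internet -> LAN


class StatefulFirewall:
    def __init__(self, egress_allow=None):
        # None reproduces the default policy from the thread: any outbound
        # packet is allowed. A set of ports restricts outbound to those ports.
        self.egress_allow = egress_allow
        # Connection table keyed as (lan_ip, lan_port, remote_ip, remote_port, proto)
        self.table = set()
        self.log = []

    def filter(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        if pkt.direction == "out":
            if self.egress_allow is not None and pkt.dst_port not in self.egress_allow:
                self.log.append(
                    f"DROP out {pkt.src_ip}:{pkt.src_port} -> "
                    f"{pkt.dst_ip}:{pkt.dst_port}/{pkt.proto} (egress policy)")
                return False
            # Outbound packet creates the state that later replies must match.
            self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        # Inbound: accept only the exact reverse of an entry created outbound.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key in self.table:
            return True
        self.log.append(
            f"DROP in {pkt.src_ip}:{pkt.src_port} -> "
            f"{pkt.dst_ip}:{pkt.dst_port}/{pkt.proto} (no matching state)")
        return False


# Constructed addresses: private LAN host and two RFC 5737 documentation addresses.
LAN_HOST = "10.0.0.5"
WEB_SERVER = "203.0.113.10"
EXTERNAL_HOST = "198.51.100.7"

# Assumed example egress policy: web, mail submission and DNS only.
EGRESS_ALLOWLIST = {80, 443, 25, 53}


def run_scenario(egress_allow=None):
    """Replay the traffic from the thread and return per-packet verdicts plus the drop log."""
    fw = StatefulFirewall(egress_allow)
    r = {}
    # Normal web request: outbound creates state, the reply matches it.
    r["web_request_out"] = fw.filter(Packet(LAN_HOST, 40000, WEB_SERVER, 80))
    r["web_reply_in"] = fw.filter(Packet(WEB_SERVER, 80, LAN_HOST, 40000, direction="in"))
    # A "reply" arriving from a different port than the one recorded does not match.
    r["reply_wrong_port_in"] = fw.filter(Packet(WEB_SERVER, 8080, LAN_HOST, 40000, direction="in"))
    # Unsolicited inbound connection to an internal service: no state, dropped.
    r["unsolicited_in"] = fw.filter(Packet(EXTERNAL_HOST, 1234, LAN_HOST, 139, direction="in"))
    # Internal host initiating an outbound SMB/NetBIOS session to an external host.
    r["smb_out"] = fw.filter(Packet(LAN_HOST, 40001, EXTERNAL_HOST, 139))
    r["smb_reply_in"] = fw.filter(Packet(EXTERNAL_HOST, 139, LAN_HOST, 40001, direction="in"))
    return r, fw.log


if __name__ == "__main__":
    for label, policy in (("default policy", None), ("egress allowlist", EGRESS_ALLOWLIST)):
        verdicts, log = run_scenario(policy)
        print(label, verdicts)
        for line in log:
            print("  ", line)
```

With the default policy the outbound SMB session and its reply are both forwarded, which is exactly the exposure Dave points at; with the allowlist the outbound packet is dropped by policy, no state is created, and the reply is dropped for lack of matching state. The drop log is what a defender would actually alert on: an internal host attempting an outbound connection on a port the policy does not allow.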
Current thread:
- [PEN-TEST] NAT / Stateful Packet Inspection Questions Leon Rosenstein (Sep 27)
- Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions Jose Nazario (Sep 27)
- Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions David Pick (Sep 27)
- Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions Deri Jones (Sep 27)
- Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions Andre Delafontaine (Sep 27)
- Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions Dug Song (Sep 27)
- <Possible follow-ups>
- Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions Loschiavo, Dave (Sep 29)
- Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions Fred Mobach (Sep 29)